Staying Safe on Hack Forums

Posted 09-13-2022, 06:14 PM

The purpose of this guide is to help new and old members be safe on HF. In order to try and minimize lost/stolen accounts and increase basic account security, here are some important tips to assist you with your time on Hack Forums.

Table of Contents
  • Introduction
  • Passwords
    • Unique Password
    • Complex Password
    • Change Your Password
  • Upgrade Your Account
    • Enable Two-Step Authentication
    • Trust Scan
    • Enable Country Lock
    • Self Ban
  • Verify Secret
  • Discord Authorization
  • Check URLs
    • Phishing
  • Check Downloads
  • Don't Share Personal Information
  • Save Your Credentials
  • Conclusion
  • Resources

Passwords

This is one of the easiest/most underutilized ways to ensure more protection on your account. The majority of individuals use the same login credentials through various sites and forums; this goes without saying as a big no-no. If one site gets hacked and accounts get dumped, you can bet your account will be in there too. Now, if you’re using the same login credentials on Hack Forums as you use on another site, well, someone can log in if they please. It’s not very hard to find information on someone and see what sites they are registered to. The safest route is to create a UNIQUE AND COMPLEX password for your Hack Forums account.

Unique Password
What is a unique password? This is simply a password you don’t use on other sites and something that is not very common. A lot of people use simple passwords such as their dog’s name followed by a number, a sports player, or my favorite, 12345. This is NOT unique in any way possible. Pick a password that you don’t use on other sites and not as simple as your dog’s name. Always create a new password for each site you register on.

Complex Password
What makes a complex password? The string you use contains numbers, letters (upper and lower), symbols, and consists of 10+ characters. Now, one of the best ways to do this is to NOT form a word, but rather a randomized string containing the above parameters. The easiest way to do this is to use the built-in generator on HF and create a random password. For each site you’re registered on, do this same method to ensure the password is unique and complex. Make sure you write these down because chances are you won’t remember them.
  • Example of a weak password: football15
  • Example of a strong password: x&h}n!869cE1C

Change Your Password
Another thing to consider when securing your Hack Forums account is to change your password. It's recommended to change your password to another unique and complex password every 90 to 180 days. Doing so allows less time for the individual who is trying to compromise your account to try and gain access and makes them have to try and crack it again. This is a quick and simple tip to ensure more security.

Upgrade Your Account

If you really want to increase your account security, it is highly suggested that you upgrade your account to receive additional security measures. To upgrade your account, head to the upgrade page. Here are the security measures that you will receive once you upgrade:

  • Two-Step Authentication
  • Country Lock
  • Trust Scan

  • Two-Step Authentication
  • Country Lock
  • Trust Scan
  • Self Ban

Enable Two-Step Authentication
Two-step authentication is a process where you’ll receive a unique authentication code either sent to your phone or your computer upon your login to verify that it is actually you attempting to sign in (ideally no one should be able to sign in if they don’t have access to your devices). Every 30 seconds, a new authentication code is generated to ensure you don’t receive the same code each time. There are a couple of authenticators out there, Google Authenticator and Authy; you’re going to want to install Authy as it supports backups across multiple devices.

Google Authenticator does not support backups, so it’s not recommended. If you need help setting up your two-step authentication, follow this guide by xadamxk. Install Authy on your smartphone AND computer to enable backups. For example, if you lose your phone or it locks/bricks, you’ll be able to access your HF account using your computer; then once you get your phone back, you can download Authy again, input your validation key, and vice versa. Just make sure backups are enabled and you write down your validation key.

If you are transitioning over from Google Authenticator to Authy, Omniscient created a thread to tell you how to do so. You can find that post here. This is a crucial step in securing your account and I highly recommend that you upgrade your account to receive the feature or turn it on if you are already upgraded. People don’t do this enough and this is how accounts get stolen the majority of the time. Once you enable it, I strongly recommend NOT disabling it for any reason.
  • To enable Gauth, go here.

Trust Scan
Ub3r and L33t members receive access to the Trust Scan feature. The Trust Scan gives you access to statistical data to help determine if a user can be somewhat trusted. When dealing with links and downloads, I always recommend doing a Trust Scan on the individual who posted the link and/or download. The reason is that you can see if they have their:
  • Security features turned on
  • Last Gauth/2FA Validation
  • Country Lock
  • Number of Unique Country Logins
  • Number of Unique Login IP's
  • Number of Unique ISP's
  • Matching registration and last IP
  • Matching region of registration and latest IP
  • Matching country of registration and latest IP
  • Latest IP Matching Other Members
  • Contract Disputes
  • Legacy Dispute DB
  • Password Reset in Last Week
  • Last Password Change
  • Last Email Change
  • Last Username Change
  • Username Changes
  • Special Characters in Username
  • Last Login IP Change Date
  • Account Age
  • Discord
  • Last Discord Verification

Doing so allows us to help determine if that particular user has had their account potentially compromised. If the user seems sketchy and potentially compromised, I advise not interacting with the user. There is no definite way to determine if they are compromised using the Trust Scan, but it’s just an additional tool to help judge. Still be cautious, you can never be too safe.
  • To Trust Scan, go here.

Enable Country Lock
If you are a L33t or Ub3r member, you also receive access to the Country Lock security feature. It’s exactly as it sounds: it locks your account to only be accessible from your country code. If you enable the feature, you will not be able to access your account if you are in a different country. You CAN unlock your country as long as you are in the country you locked it in the first place. So if you plan on traveling somewhere and you have this enabled, make sure you disable the country lock before you do so if you want to access your account. I do recommend enabling this feature because of database dumps that happen on other sites (even though you shouldn’t have the same login credentials), but this restricts only your country code to allow you to log in, limits access, and decreases chances of your account getting compromised.
  • To Country Lock, go here.

Self Ban
If you are an Ub3r member, you can invoke a self ban. If you are going on vacation somewhere, have to study for finals, or something comes up and you don’t want to access your account, you can ban yourself. Why would you want to do that? If you’re banned, you won’t be able to log in, meaning that no one else can log in either, even if they have your information. The bans go from three days, one week, two weeks, one month, two months, three months, and six months. It’s a safe feature to use to make sure no one can access your account while you’re away. Just another perk of upgrading.

If you do invoke self ban, there is no unbanning yourself until the specified time is up. Don’t bother contacting staff because they will not assist.
  • To Self Ban, go here.

Verify Secret

A unique security feature that HF has is something called "Verify Secret". What is this exactly? Essentially, every day each user gets a randomly generated secret code associated with their account. If you are communicating with a member on a different service (Discord, Skype, email, etc.), you want to make sure you are actually communicating with that member. The verify secret feature lets you validate that you're actually talking to the right person. You will head over to the verify secret tool, input the UID of the user you think you are talking to, and click verify. Both you and the other user will receive an identical verification code secret. You'll ask the user to navigate to the same page and have them validate their secret. If they give you a secret that is mismatched, then you aren't talking to the correct person. This is a great feature just to validate you are talking to the right person.

  • To Verify Secret, go here.

Discord Authorization

Discord is a common service used for instant messaging. A lot of HF groups use it, HF has its own official Discord, and people send direct messages with it. As convenient as Discord is, this is also a prime area where you will be targeted with imposters, scammers, and people actively trying to steal accounts. It's strongly recommended that you do all communication with other members on HF itself rather than another platform. However, there are times where you will want to use it. When talking to members, make sure you verify your secret with them to make sure it's actually them. On the trust scan, there's a spot where it shows if the user has authorized/linked their HF account with their Discord account - this is EXTREMELY important. When dealing with a member, make sure that their Discord is actually verified and of course you will want to do the same yourself. A tutorial was created on how to verify your Discord, which can be found here: Discord Authorization and Integration. To reiterate, it's strongly recommended that you do all communication on HF but if you want to use Discord, make sure you validate the user's Discord is verified, along with verifying a secret with them. A simple flow of how to be safe using Discord is:

User reaches out to you on Discord -> Check their Discord ID # on Discord (to learn how, navigate here) -> Head over to their HF profile and check the trust scan -> Validate Discord ID # on trust scan matches the ID # with the user you are talking to -> If it matches, request to verify secret -> If it matches, resume communication.

*If the user you are talking to does not have their Discord validated on HF, request they do so immediately and stop all communication until it is completed.*

Check URLs

Always check links before you click on them. This part is common sense. If an individual posts a link, it’s always smart to hover over the link to see the full address before you go clicking on it. If it’s a shortened link, I’m not going to say don’t click on it, but be extremely cautious that the individual posting it IS trusted. Use the Trust Scan if you have access to it to see if they have their security features enabled and to make sure they aren’t matching someone else’s IP because you don’t know if they have already been compromised or not. In the end though, really trust no one.

If you click on a malicious link, it could potentially compromise your account. Even if you have an antivirus enabled, some links can surpass the antivirus and still steal information. Be smart online because it only takes one mistake and all of your information can be stolen. Hover over links to see the true address, verify if the user is trusted, and just be careful. Too many people are careless with a link and click away, evidently getting their data stolen, even their HF credentials.

Phishing
What is phishing? This is an attempt to steal someone's login credentials by providing a fake duplicate of a site the individual is trying to steal from. Once the individual submits the information, it gets stored on a server that the attacker has access to, allowing them to log in to your account at their discretion. These are relatively easy to spot, but can sometimes be challenging as they could look exactly like the real site.

How to spot a phishing attempt? The first thing you want to do is note where the link is coming from. Is some sketchy user posting links around or is the user relatively trusted? Either way, you should be cautious at all times. Before you go blindly clicking on links, as stated above always hover over the link to view the true address. A phishing link can be masked by a real looking link. For example, hover over this link: https://hackforums.net. The link is displayed that it's going to Hack Forums, but when you hover over it, you can see it is actually Google. The next tip is to fully analyze the link you are interested in visiting. A relatively sneaky attempt at phishing could have just one letter or character out of place in comparison to the real site. A great example is something as simple as this: Just one simple character could be rearranged or added to the fake site, so analyze the whole URL before clicking or using your credential login.

The next thing to note is that if you do happen to be on a fake phishing site and you input your credentials to try and sign in, you will NOT be able to log in; instead you'll receive the "Invalid Username/Password" error. If this is the case and you are 100% sure the login credentials you used are accurate, get off of the fake site, type in the real https://hackforums.net URL, and IMMEDIATELY change your password. From there, warn others about the link you were on and report it to staff.

The fake site can look exactly identical to the real site visually. It all comes down to the URL. So remember to:
  • Observe where you are about to click the link from
  • Always hover over the link to view the true address
  • Analyze every aspect of the URL to look for misspellings or out of place/added characters

Check Downloads

I feel like I shouldn’t have to mention this, but people don’t do this. No matter what you are downloading, whether it’s on Hack Forums or some other site, ALWAYS verify the download link (see the Check URLs section) and ALWAYS scan the download. Even if you believe the user or download is trusted, you never know when someone “snaps” and decides to put malicious content in the download. Read other comments on the download to see if anyone has any feedback. If it looks alright, then scan the download with your antivirus and then upload and scan the file to the built-in HF virus scanner.

If the file comes off as clean, you’ll probably be alright. RATS, bots, key loggers, or other malicious software can steal your information with no problem, so make sure your downloads are valid and clean.

Don't Share Personal Information

This goes without saying. No matter who you’re talking to, don’t give away your personal information. If you decide to give out your information, individuals may be able to figure out what your password is (even though your password should be unique and complex). Don’t share your account information either. It’s against the rules and you can almost guarantee yourself a closed account. Be careful with who you trust and what you say; it’s common sense, protect yourself.

Remember, the staff at Hack Forums will NEVER ask you for your login credentials. Don't dish out your information if someone is pretending to be staff. If someone is impersonating a staff member, report it immediately.

Save Your Credentials

1. Always, always, always save and backup your information. If you’re using Authy, make sure you enable backups in case one of your devices messes up or you lose it, this way you have a backup plan. Write down and save your validation key. In case you lose a device, you can still input your key into a different device to regain access.

2. Instead of saving all of your login credentials on your computer, take out a pen and paper and physically write them down. If you save your login credentials virtually and your desktop gets compromised by a RAT or some malicious software, they’ll see your login information wherever you stored it. The best bet is to write them down on a piece of paper and keep that paper by your computer or in a safe location that you know where it’ll be. If you decide not to write down the credentials physically, you should encrypt your credential strings and then decrypt when you need them, but I do advise writing them down in case you forget your password or if you have malicious software on your computer.

3. Another tip is to use an encrypted USB thumb drive/external SSD to back all of your information up. Computers can crash without warning and if you have a unique and complex password saved on your computer, chances are you're going to lose them. Transfer the text file with your HF login credentials onto an external drive for backup purposes in case you have a malfunction on your computer. Always keep backups. Encrypt them if you save them on your computer, physically write them down with a pen and paper, and store them on your external drive.

4. As well as physically writing information down, you could also screenshot and print. If you don't feel like physically writing down your HF credentials, simply take a screenshot or use a text document and print your credentials out. Once printed, again, store them in a safe location and somewhere easily accessible to you. It's not a bad idea to do all four of these steps to ensure that you have backups of backups.

In a nutshell, make sure you use a different unique and complex password for every site online, upgrade your account and enable the security features, check URLs before clicking, check downloads before downloading, don’t share your personal information, and save all of your information. It only takes one mistake to lose or have your Hack Forums account stolen. Be smart, be proactive, and stay safe.

Some useful resources to help you with staying safe on HF in various areas are:

- https://hackforums.net/showthread.php?tid=5873062

- https://hackforums.net/showthread.php?tid=5377222

- https://hackforums.net/showthread.php?tid=6146173

- https://hackforums.net/misc.php?action=help&hid=15
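
The link checks from the Check URLs and Phishing sections (compare the displayed text with the real address, then look for out-of-place characters), written out as an added example that is not part of the original post. The sample links in the usage note and the finding names are constructed for illustration, and the "last two labels" rule is a simplifying assumption.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "hackforums.net"  # the real site named in the guide


def host_of(text: str) -> str:
    """Hostname a URL (or URL-looking link text) really points at, lowercased."""
    url = text.strip()
    if "://" not in url:
        url = "//" + url  # let urlsplit treat bare "site.tld/path" as a host
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed address
        return ""


def is_trusted(host: str) -> bool:
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_findings(display_text: str, href: str) -> list[str]:
    """Findings for one link; an empty list means href's host is the real site."""
    host = host_of(href)  # text before an "@" is login info, not the host
    if is_trusted(host):
        return []
    findings = ["off-site"]
    if is_trusted(host_of(display_text)):
        findings.append("masked-text")  # text shows the real site, href goes elsewhere
    if f".{TRUSTED_HOST}." in f".{host}":
        findings.append("trusted-name-as-subdomain")  # hackforums.net.<other domain>
    # Naive registrable domain: last two labels (assumption, no public-suffix list).
    registrable = ".".join(host.split(".")[-2:])
    if 0 < edit_distance(registrable, TRUSTED_HOST) <= 2:
        findings.append("lookalike-domain")  # one or two characters off
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")  # may render as look-alike Unicode letters
    return findings
```

For instance, `link_findings("https://hackforums.net", "https://www.google.com/")` reports the masked link the guide describes, and an href whose domain differs from the real one by a character or two is reported as a lookalike.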
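
Why the guide's advice to write down the validation key works: the 30-second codes are computed from that key and the current time alone, so any device holding the key produces the same code. This is an added example, not part of the original post and not HF's server code; it uses the standard TOTP algorithm (RFC 6238) that authenticator apps implement, with the RFC's published test key standing in for a real validation key.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key (ASCII "12345678901234567890"), base32-encoded the way
# authenticator apps display a validation key. Not a real account key.
DEMO_KEY = base64.b32encode(b"12345678901234567890").decode()


def totp(key_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code for the 30-second window that contains unix_time."""
    key = base64.b32decode(key_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", unix_time // step)  # window number, 8 bytes
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check that tolerates one step of clock drift either way."""
    for drift in range(-window, window + 1):
        expected = totp(key_b32, now + drift * 30)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False


def same_code_on_two_devices(now: int) -> bool:
    """Phone and computer restored from the same written-down key agree."""
    phone = totp(DEMO_KEY, now)
    computer = totp(DEMO_KEY.lower(), now)  # retyped by hand in lower case
    return phone == computer
```

Anyone who obtains the validation key can generate valid codes as well, which is why it belongs with the written-down credentials from the Save Your Credentials section and not in a file on the desktop.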
09-13-2022, 06:28 PM
Gooooood thread. Hope some people see this