Awareness and Security is dedicated to cybersecurity education, online privacy, and digital protection. Discover security tips, threat analysis, hacking awareness, account protection methods, and practical guides designed to help users stay safe in the modern digital world.
- Details
- Written by: khalil shreateh
- Category: Awareness and Security
- Hits: 165
Cybersecurity Awareness
The parking meter looks normal. The restaurant menu looks normal. The QR code taped over the real one looks normal too — and that's exactly the problem.
This article explains why quishing became viable only once QR scanning was built directly into phone cameras and normalized through contactless menus and check-ins, removing the friction that once made scanning a random code feel unusual. It walks through the real-world settings where malicious QR codes actually appear — stickers placed over legitimate parking and payment codes, swapped restaurant table codes, fake delivery notices, and QR codes embedded as images inside phishing emails specifically to slip past filters built around scanning link text. It also covers why many email and web filters still struggle to detect this variant, the physical and contextual warning signs worth checking before scanning any public code, and a concrete, practical set of habits — for both individuals and organizations distributing physical QR codes — that restore the verification step this format quietly removed from everyday phishing awareness.
Read more: Quishing: How a Sticker Over a QR Code Became a Serious Phishing Threat
- Details
- Written by: khalil shreateh
- Category: Awareness and Security
- Hits: 74
It started as a harmless coupon finder or PDF converter. Then it got sold, updated silently, and quietly turned into a data collection tool — without ever asking your permission again.
When you install a browser extension, you make a single trust decision at one moment in time. What almost nobody accounts for is that the extension you approved doesn't stay frozen at that moment — it keeps updating, silently, in the background, often for years, and each update operates under the permission grant you gave once and never revisited.
Read more: The Browser Extension You Installed Two Years Ago Might Be Reading Everything You Type
- Details
- Written by: khalil shreateh
- Category: Awareness and Security
- Hits: 52
Cybersecurity Awareness
This attack doesn't guess your password. It already knows it — from a breach at a completely different company you've probably never connected in your mind.
Most people picture password attacks as a hacker sitting at a screen, guessing combinations one at a time until something works. That image is almost entirely wrong for the attack that actually does the most damage today. Credential stuffing doesn't guess anything. It takes a password that is already known to be correct — because it leaked from an unrelated breach — and simply tries it somewhere else.
Read more: Why Reusing One Password Puts Every Account You Own at Risk
- Details
- Written by: khalil shreateh
- Category: Awareness and Security
- Hits: 58
Cybersecurity Awareness
SIM Swapping: The Silent Attack That Turns Your Own Phone Number Against You
Your phone number was never meant to be a security key. Attackers figured that out long before most carriers did — and they're using it to drain bank accounts in minutes.
A single convincing phone call to a mobile carrier's support line, backed by personal details scraped from data breaches and social media, is often all it takes to move your number onto a SIM card they control. From that moment, your phone goes silent while they race through password resets on your email, banking, and cryptocurrency accounts, intercepting every SMS code along the way. This article walks through exactly how SIM swap attacks unfold step by step, why cryptocurrency wallets and email accounts remain the most targeted assets, the early warning signs most victims miss until it's too late, and the concrete steps — from authenticator apps to carrier-level PIN protection — that remove your phone number as the weak link in your entire security setup.
Read more: SIM Swapping: The Silent Attack That Turns Your Own Phone Number Against You
- Details
- Written by: khalil shreateh
- Category: Awareness and Security
- Hits: 106
Cybersecurity Awareness
The Voice on the Phone Isn't Real: Inside the Rise of AI Deepfake Social Engineering
Attackers no longer need to guess your password — they can now clone your boss's voice, your daughter's face, or your CEO's video call in seconds. Here's how, and how to fight back.
For all of human history, a familiar voice or face was proof enough. Generative AI has quietly ended that era. This deep dive explains how deepfake technology works, real attack case studies, and the zero-trust verification framework individuals and organizations need to adopt immediately.
Read more: The Voice on the Phone Isn't Real: Inside the Rise of AI Deepfake Social Engineering
- Details
- Written by: khalil shreateh
- Category: Awareness and Security
- Hits: 142
Session Hijacking in 2026: How Attackers Steal Your Identity Without Your Password
You change your password regularly. You enable two-factor authentication. You think your accounts are safe. But what if an attacker doesn't need your password at all? In 2026, session hijacking has become one of the most common and effective techniques used by cybercriminals — and most users have never heard of it.
This article breaks down exactly how session hijacking works, what attackers are after, and — most importantly — how you can defend yourself and your web applications against it.
A password alone no longer protects you. Here's what attackers are really after — and how to stop them.
Read more: Session Hijacking: How Attackers Steal Your Identity Without Your Password
- Details
- Written by: khalil shreateh
- Category: Awareness and Security
- Hits: 346
By Khalil Shreateh | Cybersecurity Researcher & Bug Bounty Hunter (Meta/Facebook)
As a security researcher who has spent years identifying vulnerabilities for some of the largest platforms, I can tell you one thing with absolute certainty: the threats you read about in the news are just the tip of the iceberg. In 2026, the attack surface is larger than ever, but the vast majority of breaches still come down to a handful of predictable, preventable mistakes.
I wrote this guide to cut through the noise. This isn't a theoretical cybersecurity textbook—it's a practical breakdown of the 8 most dangerous threats I see actively exploited today, illustrated with real cases (many of which I have analyzed personally), and paired with the exact defense strategies I recommend to businesses and individuals. Let's get started.
Read more: 8 Critical Cyber Threats in 2026 and How to Defend Against Them
- Details
- Written by: khalil shreateh
- Category: Awareness and Security
- Hits: 601
Why Your Online Privacy Is Worth Protecting Right Now
Every time you sign up for a website, you hand over a piece of your identity. It might feel harmless — just an email address here, a name there — but the reality of what happens to that data after you click the register button is something most people never think about. The website stores your information in a database. That database may be sold to advertising companies, leaked in a data breach, or mined by third-party data brokers who build detailed profiles about millions of people and sell them to whoever is willing to pay.
The result, at its mildest, is a flooded inbox full of spam newsletters you never asked for. At its worst, your real name, email address, and browsing habits are circulating in marketing networks and potentially in places far less reputable. The fact that this is technically legal in many jurisdictions does not make it any less of a problem for ordinary users who just wanted to download a file or read one article.
- Details
- Written by: khalil shreateh
- Category: Awareness and Security
- Hits: 15404
Facebook Account Security: A Bug Bounty Hunter's Guide to Stopping Account Takeovers in 2026
By Khalil Shreateh — Bug Bounty Hunter (Meta/Facebook) & Information Security Researcher
Over the years, I have reported dozens of vulnerabilities to Meta's bug bounty program. While I focus on finding technical flaws in Facebook's code, the vast majority of account takeovers I analyze aren't caused by zero-day exploits—they are caused by a handful of predictable, preventable user errors. Attackers are lazy. They go for the lowest hanging fruit: reused passwords, missing two-factor authentication, and social engineering.
This guide goes far beyond Facebook's standard help page. I am going to show you exactly how attackers bypass these defenses, how to lock your account down properly, and—most importantly—how to recover it if you are already compromised.
- Details
- Written by: khalil shreateh
- Category: Awareness and Security
- Hits: 303
Web Security Forensics: Using Chrome DevTools to Hunt Vulnerabilities (Bug Bounty Guide )
By Khalil Shreateh — Bug Bounty Hunter (Meta/Facebook) & Cybersecurity Researcher
Here is a secret most developers don't realize: the exact same Chrome DevTools you use to debug CSS are the primary weapon attackers use to map your application's attack surface. I have spent years hunting vulnerabilities for Meta and other Fortune 500 platforms, and I can tell you with certainty that the Network and Security panels are my most-used tools—even more than Burp Suite for initial reconnaissance.
This guide isn't a rehash of Google's documentation. I am going to show you how I use DevTools to find IDORs, bypass CORS restrictions, spot weak TLS configurations, and exfiltrate hidden API endpoints during a live penetration test. If you are a developer, this will show you how hackers see your app. If you are a bug bounty hunter, these are the workflows that catch the bugs others miss.
Read more: Web Security Forensics | Chrome DevTools Bug Bounty Guide
- Details
- Written by: khalil shreateh
- Category: Awareness and Security
- Hits: 257
By Khalil Shreateh — Bug Bounty Hunter (Meta/Facebook) & Offensive Security Researcher
During a recent penetration test for a financial services client, I found myself staring at a hardened Linux server. NX was enabled. ASLR was fully randomized. Stack canaries were present. By all textbook metrics, the system was "secure." Forty-five minutes later, I had a root shell. The weapon? Return-Oriented Programming (ROP).
ROP is the great equalizer in modern exploitation. It doesn't inject a single byte of new code—it weaponizes the application's own legitimate instructions against itself. This guide isn't a theoretical lecture. It is the exact methodology I use to chain gadgets, defeat ASLR, and escape sandboxes during bug bounty hunts and red team engagements. Understanding how attackers think is the prerequisite for building controls that actually stop us.
Read more: ROP Exploitation: A Bug Bounty Hunter's Guide to Bypassing Memory Protections
- SQL Injection, Defensive Strategies & OWASP Guidelines
- A Comprehensive Cybersecurity Awareness and Research Guide
- Network and System Security: A Comprehensive Cybersecurity Awareness and Research Guide
- Understanding Error-Based SQL Injection in ASP/ASPX Applications: A Security Awareness Guide
- XSS Protection for Developers: A Complete Guide to Securing Web Applications
- HTML5 Modern Day Attack and Defence Vectors
- Securing a PHP Endpoint Called via AJAX: Direct Access, CSRF, and Rate Limiting
- Why Is My WhatsApp Account Banned? And How Do Hackers Steal It? — Cybersecurity Expert Answers
- When Your Eyes and Ears Lie: A Practical Guide to Detecting Deepfakes and Protecting Yourself from AI Deception
- How to Tell If Your PC Has a RAT (Remote Access Trojan) — A Practical, Human Guide