Different Types of Hacks: The Most Common Hacking Techniques
Hackers today employ a diverse range of different types of hacks to achieve the ultimate goal of gaining illegal access to sensitive information, and today, we will discuss the top three techniques leveraged by hackers to bypass security controls and infiltrate your personal information and that of your organization, along with some tips on how to stay safe.
1. Password Attacks
One of the oldest types of hacks is a password attack, which is used to bypass the need for authorized login credentials. Finding weak passwords is one thing you’d learn in a basic ethical hacking course. Password attacks can be subdivided into two main categories:
- Brute-force attacks
- Dictionary attacks
As the name suggests, this attack refers to trying all possible combinations to get the password. Something that is certain about a brute-force attack is that it can break any password given enough time. However, the problem is the time. So, for example, if your password takes 1,000 years to break, then for all practical purposes, you can consider the password to be secure.
How to Determine Whether Your Password Can Resist a Brute-Force Attack
There are two criteria that determine how hard it is to break a password using brute force, and you can use these to prevent these types of hacks. The first and perhaps most important factor is the password length. The longer the password, the harder it is to break. So, for example, if your password consists of just numbers and you’re using, let’s say, three digits, then it’s effortless to just cycle through all the combinations (0–999). Therefore, it is always recommended to select longer passwords to make them harder to break.
The second important criteria is the type of characters used. So, for example, if you’re using just numbers, then you have just 10 possible combinations at every digit of your password from zero to nine. For example, suppose you have a password with N digits, and at every digit, you can select alphabet letters from A–Z. Then you have 26 possible combinations for every digit because each can be anything between A and Z.
So now, let’s say if you have a password length of 1 character, then you have 26 possibilities.
If you have a password length of 2, then you have 26², and so on and so forth. So as you can imagine, the longer the password you use, the harder it is to break.
Now, let’s say you add numbers as well. You can use A to Z, but you can also use numbers from 0–9. So then your possible combination for every digit becomes 10 digits plus 26 letters which equal 36. This makes your password much stronger. Furthermore, if you can add uppercase and lowercase alphabets, you’ll have 62 possible combinations per digit.
So it’s always a good idea to select a password with a combination of uppercase and lowercase letters, numbers, and special characters, such as ‘#’ or ‘$,’ to exponentially increase the search space.
Password Attacks (Dictionary Attacks)
Let’s have a look at dictionary attacks, which are yet another interesting variation of password hacks. The problem with brute-force attacks is that they’re not always feasible because you have to try so many different combinations.
In a dictionary attack, you do something more intelligent. You play on human psychology and try the words in a dictionary because people tend to use these words. Another interesting thing is that people often select common patterns of passwords, so a dictionary attack includes both harder to guess and more common words in the dictionary.
Based on research, these are the top 10 most common passwords:
So as you can see, they are very simple, and there are a lot of people who still use these passwords. As a result, there’s a very high probability of a hacker discovering a password in a short amount of time, particularly when compared to the brute-force approach. The problem with brute force is that you have such a big search space that you may have to try billions of combinations. But in a dictionary attack, a dictionary contains a limited number of words. And the password patterns the system tries are also limited.
Therefore, hackers have a better chance of stumbling upon a weak password using a dictionary attack than they would with a brute force attack.
2. Denial of Service Attacks and Distributed Denial of Service
A denial of service or DoS attack is any attack that causes services to be either slow or unavailable to legitimate users, making these types of hacks particularly dangerous for companies with websites. Denial of service attacks use a distributed network of bots and involve techniques such as crashing web or database servers so that users can no longer access them. A hacker can cause overloading of the web or database servers through bogus requests or by choking the network bandwidth using bogus traffic like sending thousands of frivolous messages. Whichever approach the hacker uses, the basic aim is the same — either to deny legitimate service to users or make it so slow that the site becomes infeasible or impractical to use.
Denial of service attacks sometimes originate from a single source or IP address, making them easier to detect and block. That enables you to simply detect and blacklist the IP address by configuring your security tools. You simply add rules in your firewalls that block the specific malicious IP address. However, there is another variation of the denial of service attack, which is called DDoS, or distributed denial of service. This involves launching attacks from multiple IP addresses simultaneously. This type of attack is much more complex and harder to stop.
How a DDoS Attack Works
In a distributed denial of service attack, the attackers send a flood of packets, such as pings or bogus dispute requests, in order to overwhelm the network. So if you look at the diagram below, we have two legitimate users trying to access a web server, but this malicious attacker is sending fake messages in bulk from five different locations in order to overwhelm the server. In contrast to denial of service attacks, which, again, are easier to detect and block because they originate from a single IP address, in a distributed denial of service attack, you have multiple IP addresses that are used simultaneously to launch the attack. Multiple IP addresses make the attack much harder to block.
For example, if you have attacks coming from different IP addresses, it would be very difficult to detect and block all those IP addresses at the same time. In addition, one of the most significant challenges involves separating your legitimate users from fake ones because you also have real users who are also trying to access your Web server. It’s difficult to differentiate between the two because it’s hard to tell whether a certain computer has a genuine IP address or is part of a big network attacking your web server.
The Role of Bots in a DDoS Attack
Generally speaking, these types of attacks are not very easy to execute because not only are the IP addresses different, but they’re also usually dispersed around the world. So these attacks are often executed using bots. Hackers are usually secretive people; they don’t want their original IP addresses, or sources revealed. So what they do is hack a number of systems on the Internet, and then they create a network of bots. They then exploit this network to launch attacks on the destination or the victim. In this way, they not only hide their identities but they also have an easily scalable attack method since they can have thousands of bots in the network launching attacks.
The way this works is via malicious code secretly installed on systems and servers. These systems become bots or robots. This network of bots is controlled by the hacker, who sits behind the scenes. They hide their identity and use an army of bots to launch attacks.
How Hackers Form a Network of Bots
This is how attackers create their malicious bot networks: The hacker hacks different systems, usually by installing malware delivered through emails or when users visit malicious websites infected with links to malware. Once the malware is there, these systems are converted into bots. Often the users are not even aware of it.
Why DDoS Attacks Are So Dangerous
DDoS attacks are dangerous because, first of all, the identity of the hacker is unknown. So even if you’re able to trace the attack and abort it, the identity of the hacker would still be hidden.
Secondly, these types of attacks are easily scalable. It’s not uncommon to have thousands of bots in one network. This gives the hacker the ability to scale up the attack, even to the point of bringing down powerful Web servers. Now, the results of denial of service attacks creating border bottlenecks are severe:
- You could lose the ability to serve your legitimate users, which is bad for business.
- You may not be able to serve employees. If your server is down, your employees may not be able to log in and carry on their regular activities.
The ultimate result can be a significant financial loss. Cybersecurity company Kaspersky did some research, and they discovered that the average denial of service attack causes damage of around $1.6 million to companies.
Another important factor is reputational damage from being unreliable. Even if there isn’t significant financial damage or if you are a big corporation that can absorb financial losses, you could still suffer reputational damage from not being able to conduct business.
How to Strengthen Your Cybersecurity to Mitigate DDoS Attacks
One way to counter these types of attacks is to use load balancing. In a distributed denial of service attack, you have malicious traffic of different types coming from many sources. So what you can do is increase the capacity of your back end as well as its number of servers. In that way, your back end is both scalable and capable of handling more load. Then, instead of all the attacks being able to focus on one server, you have multiple servers available to absorb the load. In this way, the load gets distributed. This gives your organization a cushion, enabling it to take steps to mitigate the attack without losing your site.
However, back-end infrastructure has limited scalability. So if it’s a very big attack, it will still eventually overrun your network. But you do get a cushion of time in which you can devise a counter-strategy.
Detecting DDoS Attacks Using Pattern Analysis
A better way to detect a distributed denial of service attack is by examining its patterns.
We can observe any abnormal behavior using analysis techniques such as machine learning. But before you detect abnormal behavior, you first have to define what is normal behavior. Normal behavior is determined by observing the traffic patterns in your network. For example, a very simple normal behavior could be that, on average, in a given day, your corporate network receives, say, 5 GB of incoming traffic and generates 10 GB of outgoing traffic.
So if you see that you are getting 100 GB of traffic, this obviously represents a deviation from the norm. Similarly, you can incorporate multiple statistics. For example, if you usually receive your traffic from certain regions of the world, but you suddenly see a lot of traffic from a new region of the world, you can also use this as a trigger.
3. Social Engineering and Phishing
Humans are the weakest link in the security chain. You can have the best security systems and tools implemented in your organization, but if your employees or the people using those tools are not properly trained, you remain at a high risk of a data breach. Targeting the humans behind the computers is called social engineering. When social engineering is done via email, it is called phishing.
In fact, more than 80% of successful data breaches and hacks start with successful phishing scams.
How Social Engineering Works
Social engineering basically exploits humans to get them to take specific actions that benefit the hacker. For example, the hacker could get someone to share their passwords by calling and posing as an IT representative. Or the hacker could infect a USB drive and leave it for someone to find. Then, when the USB is plugged into your system, it exposes you to an attack. The infected USB has malware on it that has been designed to run as soon as someone plugs it into your corporation’s network. In this way, the hacker has bypassed all the security boundaries and directly entered the bad code into your system.
Also, users can be incentivized to click on malicious links and email attachments. They may be told they’ve earned a reward, are eligible for a promotion, or have qualified for a coupon. It’s no surprise that these types of attacks often become more prominent when you have major shopping seasons, such as during Christmas or other holidays.
Furthermore, social engineering can use unexpected approaches. For instance, you could get a simple phone call with someone posing as customer support or a banking agent. They then ask you to divulge your sensitive credentials in order to “reactivate your account.” So a useful safety tip is to always hang up and call the official phone number.
A social engineering attack could even involve a physical visit. These types of hackers may masquerade as legitimate people. For example, an apparent courier could be delivering mail within your organization, all the while creating fake badges and security cards to gain unauthorized access.
Social Engineering via Phishing Attacks
Perhaps the most popular attack method for social engineering is through email. This is known as a phishing attack. These attacks can lead you to malicious websites, or the email itself can contain a harmful link. Attackers may try to trick their victims into clicking the link by tempting them with promises of prizes or other rewards.
At times, the attacker may try to trick the victim into thinking there’s an imminent problem, such as an account that has been hacked, and they need to provide their details in order to remedy the situation.
Social engineering hackers particularly exploit human psychology by making themselves look like legitimate, trustworthy people whose emails you should respond to. For instance, they can send an email that looks like it was sent from a manager within your company or its CEO. You could also receive a fraudulent email from your IT manager or your financial institution. In these kinds of attacks, the hacker typically tries to pressure you into fixing a problem, such as one with your computer, an online account, or your bank account. Attackers can even pose as someone from a hospital saying there’s a need to address an urgent health matter.
They also often employ intimidation or convey a sense of urgency. The attack may include urgent language from a doctor, who says you need to respond right away, or your CEO may make a request that needs to be fulfilled immediately. In many cases, time is of the essence. Their goal is to try to get you to give them sensitive information quickly.
In other types of attacks, the hacker may leverage people in your social network. For example, they may pose as a friend who’s overseas and needs financial help. They may be trying to get you to share your credit card information and then use it to make purchases or sell the info to someone else.
Social engineering is all about exploiting human psychology for malicious purposes.
Be mindful that phishing is one of the most popular hacker techniques. More than 80% of successful attacks occur due to phishing. The user receives a fake email from an apparently legitimate email address that appears to come from a legitimate institution such as a bank or their organization, and it asks the user to click on a link or open an attachment that then downloads malware onto your computer or leads right to a malicious website that can capture sensitive information.
How to Detect Phishing Emails
Cybersecurity specialists are trained to detect phishing emails very quickly. At the very least, you should be able to detect a suspicious email you can later investigate to check if it’s a phishing email or not.
One sign would be an email from a company you never subscribed to. They may also have significant grammatical errors. At times, a link embedded in the email can be used to detect malicious intent. If you hover over it, you can tell where it leads, and if the address is suspicious or belongs to a website you didn’t expect, it’s probably a phishing email. Similarly, you should always double-check the domains of sites you visit, especially after clicking a link in an email, by checking the URL in your browser’s address bar.
How to Prevent Phishing Attacks
Here are some effective ways to prevent phishing attacks:
- Ensure all employees follow internal cybersecurity protocols.
- Make users aware of the different kinds of phishing attacks. This could involve education via presentations or seminars.
- Let employees know about the consequences of phishing.
- Share sample phishing emails, complete with indicators that differentiate them from normal emails.
- Ask users to report any suspicious activity to the IT department.
A more advanced form of a phishing attack is called whaling. The fundamental difference between whaling and phishing is that phishing is more generic in nature, and phishing emails are sent en masse. They’re sent to a lot of people with the hope that even if a small subset of them click on the links, the attack could be successful. But whaling emails are very specific and targeted, and they leverage specific information.
For example, there may be a meeting or visit coming up. Information about the meeting is included in the email, making it look like it’s a legitimate communication. For instance, the accounting department of Snapchat received an email that appeared to be from the CEO asking for employee payroll information. Similarly, the toy giant Mattel was hit by a whaling attack when the executive in charge of finance received an email that appeared to be from a new CEO.
Sometimes an attacker merely installs a small portion of the malware, known as a dropper. That enables them to gain a foothold. Once the dropper is in place, it opens up a back door, initiating a remote connection to a malicious server. This server then sends the larger, more sophisticated malware to the system, which proceeds to compromise the confidentiality of your data. This kind of assault can also set the stage for a denial of service attack that makes your servers unavailable to your employees and client while also resulting in reputational damage.
This list of different types of attacks comprises some of the most popular hacks employed by hackers. You can learn the mitigation strategies mentioned and use them to address attacks and help protect you, your system, your employees, your clients, and your business from harm. One way to defend an organization against hackers is to use ethical hacking tools. Regardless of the approach you use, by preparing ahead of time and knowing what to look out for, you can stay one step ahead of attackers and protect your organization’s system.
Top courses in Ethical Hacking
Ethical Hacking students also learn
Empower your team. Lead the industry.
Get a subscription to a library of online courses and digital learning tools for your organization with Udemy Business.