With high-value targets like user credentials, email accounts, and credit card details being stored on personal devices and transmitted freely over the internet, attempts to gain access to these prizes continue at an astonishing pace.
Hacking – looking to gain unauthorized access to information by modifying the features of a system or network, or exploiting its vulnerabilities – is one way to achieve this. And there are several ways in which hackers can target devices and networks.
In this article, we’ll be looking at some of the most common hacking techniques, and steps that you can take to avoid them.
Common Hacking Techniques
1. Bait and Switch
It’s been a favorite gag of carnival and street hustlers for centuries: Offer your mark something that they’re sure to want, then swap it out for something different when they’re not looking. In the digital realm, this trick has several variations.
One of the most common is a scam perpetrated by cyber-criminals on websites (preferably big, high-profile ones) that sell advertising space to third parties. Attackers can acquire sidebars or pop-up panels by registering with a verifiable email address and links to a legitimate-looking site – which is the one that the site administrator gets redirected to. But when the ad goes live, site visitors clicking on the link may be sent to a page that’s been booby-trapped with malware.
Another variant is the direct appeal to users, with an irresistible download of some fantastic widget or app – which runs malicious code on your website or device once it’s installed.
If you want great products, software, or desktop/web page gadgets, your best bet is to obtain them from reputable sources (approved app stores, recognized brands and vendors, etc.). And if you’re selling advertising space, due diligence should be your watchword.
2. Cookie Theft
The cookies (little text files) stored in your system or browser cache when you visit various websites can hold a wealth of information about you – including personal and financial data, user credentials, and passwords.
Cookies may be stored as plain text, or with varying degrees of encryption (depending on the website). And the use of browser add-ons has made the decades-old practice of cookie theft a richer and easier prospect for hackers.
Once stolen, cookies may be read or decrypted to reveal your information, or used to impersonate you online (e.g. if they contain your passwords). Cookie theft may also operate in conjunction with a fake WAP attack (see below), or a hijacked session.
Avoiding public or unprotected private networks is your safest bet. Using a VPN (Virtual Private Network) to encrypt and tunnel the connection on your phone or mobile device is also advised. And periodically clearing your browser and system caches will reduce the number of cookies you have available to steal.
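For site owners, the same risk can be reduced from the server side. The following is an added example, not part of the original article: it audits Set-Cookie header values for attributes that limit what a stolen or intercepted cookie is worth. The sample headers, the list of sensitive name hints, and the one-month lifetime threshold are all assumptions made for illustration.

```python
# Added example: audit Set-Cookie header values for theft-limiting attributes.
# The header values below are constructed samples, not taken from any real site.
SAMPLE_HEADERS = [
    "session_id=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "auth_token=eyJhbGciOi; Path=/",
    "prefs=dark_mode; Path=/; Secure",
    "remember_me=1; Max-Age=31536000; HttpOnly; Secure",
]

# Name fragments suggesting the cookie can be used to impersonate the user (assumed list).
SENSITIVE_HINTS = ("session", "sid", "auth", "token", "remember")
ONE_MONTH = 30 * 24 * 3600  # assumed threshold for "long-lived"


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    name, _, attrs = parse_set_cookie(header)
    sensitive = any(hint in name.lower() for hint in SENSITIVE_HINTS)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: cookie is also sent over unencrypted http://")
    if sensitive and "httponly" not in attrs:
        findings.append("no HttpOnly: scripts running in the page can read it")
    max_age = attrs.get("max-age", "")
    if sensitive and max_age.isdigit() and int(max_age) > ONE_MONTH:
        findings.append("long-lived credential cookie: stays on disk for reuse")
    return name, findings


def audit_all(headers):
    """Map each cookie name to its findings."""
    return dict(audit_cookie(h) for h in headers)


if __name__ == "__main__":
    for cookie, issues in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", issues or "ok")
```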
3. Denial of Service/Distributed Denial of Service (DoS/DDoS)
A classic technique used to bring down systems or networks, by overloading them with login attempts, data requests, repetitive tasks, etc.
Attacks range from the fairly basic (configuring a system to continually bombard a site or server with requests), to the orchestrated (infecting a multitude of systems with malware to form a “botnet” that proceeds to flood a target network with unmanageable traffic), to the specific and sophisticated (buffer overflow attacks which allow hackers to gain access to personal information by filling online form fields with excess data, so they freeze up).
Systems infected by malware are a common vector for DoS and DDoS attacks, so exercising caution when downloading files or opening email attachments is a basic first step. Having an up-to-date anti-malware package installed is the next.
If your website hosts an online form, a cloud-hosted security service which uses unified threat management (UTM) technology can be a hedge against overflow attacks.
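On the detection side, the simplest case above (one system bombarding a server with requests) shows up in access logs as a single client exceeding a request rate. The following is an added example, not part of the original article: a sliding-window counter run over constructed log lines. The log format, window size and threshold are assumptions, and a distributed flood from many addresses needs aggregate metrics rather than this per-client check.

```python
# Added example: flag clients that exceed a request rate within a sliding window.
from collections import defaultdict, deque
from datetime import datetime


def build_sample_log():
    """Constructed log lines: '<ISO timestamp> <client IP> <method> <path>'.
    Addresses come from the RFC 5737 documentation ranges."""
    lines = []
    # One client hammering the login form: 40 requests in 20 seconds.
    for i in range(40):
        lines.append(f"2024-01-01T10:00:{i // 2:02d} 203.0.113.7 POST /login")
    # An ordinary visitor: one request every 10 seconds.
    for i in range(5):
        lines.append(f"2024-01-01T10:00:{i * 10:02d} 198.51.100.23 GET /index.html")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


def find_floods(lines, window_seconds=10, max_requests=15):
    """Return {ip: peak requests seen in any window} for clients over the limit."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        stamp, ip, _method, _path = line.split(maxsplit=3)
        now = datetime.fromisoformat(stamp)
        window = recent[ip]
        window.append(now)
        # Drop requests that have aged out of the window.
        while (now - window[0]).total_seconds() >= window_seconds:
            window.popleft()
        if len(window) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


if __name__ == "__main__":
    for ip, peak in find_floods(build_sample_log()).items():
        print(f"{ip}: {peak} requests within 10 seconds")
```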
4. Eavesdropping
A passive technique used by hackers to listen in on a network connection and observe and record as much high-value information as possible. Packet sniffing, interception of data transmissions, and other monitoring techniques may be used – but the success of this kind of attack depends on the hackers themselves not being detected or observed.
Unsecured networks are again the greatest gift to eavesdroppers. Users of public WiFi should connect via a VPN. Corporate networks may deploy Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS) to guard against eavesdropping.
5. Keylogging
One of the simplest and oldest hacking techniques, keylogging allows attackers with basic software to record to a log file the strokes you make on a keyboard (or in more sophisticated cases, the clicks and movements of a mouse). These log files may hold sensitive data like passwords and user names.
Virtual (on-screen) keyboards – which scramble or encrypt your text input as you click on each key – are a guard against this kind of attack. That’s why so many banking and online commerce websites use them. They’re also available as apps for personal use, and well worth having.
6. Malware
One of the greatest weapons in the hacker’s arsenal is malicious software of all kinds. Viruses, Trojans (innocent-looking files and programs that deliver a malicious payload later on), worms (for continuous network infiltration), and ransomware can all deliver a handsome pay-day – if you allow them onto your system.
Numerous methods exist to induce unsuspecting users to do just that (some of which are described below).
To avoid becoming infected, exercise caution and due diligence when dealing with email messages and attachments. Disable pop-up windows in your browser, to eliminate the temptation to click on them. Restrict your downloads of software to approved app stores and reputable manufacturers. And keep your anti-malware and security software regularly updated.
7. Phishing and Related Phenomena
Using specially crafted email messages to induce a recipient into divulging personal or financial information is the basis of a phishing attack – and hackers have improved on the technique by using social engineering to add an element of increased urgency into their lures.
A not-to-be-missed financial deal or software download. A court summons from the power company, over that unpaid bill. An alert from the police, regarding your recent browsing activity. Any or all of these can be the bait that lures you to a spoofed website where an online form harvests your credentials, or malware is pushed onto your system in a “drive-by download.”
Beyond the caution and due diligence already discussed, a dose of common sense is also advised. If you’re unsure about a message, call or visit the office or person who supposedly sent it, to verify.
Security awareness training is a good idea for corporate users – as well as the posting of security intelligence, to keep workers advised of the latest threats and scams observed in the wild.
8. Watering Hole and WAP Attacks
Setting up a fake wireless access point or WAP (like a spoofed WiFi hotspot) is a great way for hackers to gain a captive audience whose data streams can be monitored, intercepted, or hijacked for various purposes.
Likewise, setting up a bogus but attractive website (like a spoofed social media platform) in a “watering hole” attack is a great way to assemble a herd of unwitting victims in one place – where you can harvest data, or spread a malware infection to the maximum number of recipients.
A Virtual Private Network (VPN) remains your safest option when using wireless access. Caution and a fully updated security and anti-malware suite are your safeguards against watering hole attacks.
9. “Man in the Middle” (or “MITM”) Attack
Unsecured network connections expose users to this particular tactic, which involves intercepting the data stream between sender and recipient (of an ongoing communication or file transfer). An attacker effectively establishes two connections: One between themselves and a server/sender, and another between themselves and the client/recipient. They can then read or modify the data being passed through their proxy connection.
The objective may be to observe and record a confidential transmission such as an exchange of login credentials or the transfer of intellectual property. Or the attacker may insert malicious code into the data stream, compromising or infecting either or both systems involved in the exchange. If undetected, such attacks may persist for an extended time period.
Secure connections are key to avoiding MITM attacks, and using a reliable VPN is a way of ensuring the required encryption strength and point-to-point security.
- Avoid the use of free Wi-Fi hotspots
- Avoid automatic connections
- Ignore unexpected communications
- Don’t jailbreak your mobile devices
- Avoid using apps from untrusted sources