The development of Internet technologies has brought many growths and business opportunities, as well as new hacking methods to match.
From private social media users to small businesses and large corporations, the range of victims for the modern hacker is vast.
It is in your best interest therefore, to get an idea of the possible dangers that lurk on the World Wide Web, as well as to have the right information to mitigate those security threats. This post sheds some light.
Top Hacking Methods
Here are the top hacking methods:
1. Social Engineering
Social engineering is the process of manipulating a potential victim to divulge important information or to take certain actions that will grant the attacker the needed access. There are many ways to approach social engineering, such as calling the victim on the phone and requesting sensitive information. This method is called vishing and is often used to collect banking information from unsuspecting victims, who believe a real bank employee is on the other end.
Another popular method is phishing, and just like the telephone method, it includes impersonations. Here, it could be a fake banking website that looks 100% like the original bank’s website. The victim receives an email or text with a link to the fake site, requesting him to urgently update his details for security purposes. However, all the information entered on the fake site is copied by the attacker and used to empty the victim’s account.
Other methods include the hacker becoming friends with the victim and gradually gaining access to the needed information, or impersonating an authority figure, such as a government employee, a boss, or a security agent to intimidate a victim into divulging information.
The ways to avoid becoming a victim of social engineering include not trusting strangers, always checking to make sure you are on the right website with “https://” and never give out your passwords or PIN codes, no matter what.
Another dangerous hacking method is eavesdropping. It is dangerous because there are so many ways to go about it and there’s no limit to the amount of information the hacker can gain.
Example methods include sniffing a network’s packets to extract information using network analyzer software such as Wireshark. Another way is to install a tiny app on the victim’s computer or smartphone that logs every keystroke or captures all text communication.
Other eavesdropping methods include man-in-the-middle attacks that let a hacker relay information to two parties, while they believe they are communicating directly. For example, GSM networks automatically link to the strongest signal, so by spoofing a particular network’s GSM tower, all mobile phones in that area automatically link to the hacker and pass their information through his system.
3. Session & Cookie Hijacking
Browsers and apps communicate with servers using sessions. To get into a session with a server, the user must first identify himself using a login/password combo, and possibly 2-factor authentication. When the user’s identity is verified, then the server starts a session with the user’s browser, during which no further verification is required until the user logs off.
One small issue here is that the server will store a cookie on the authenticated user’s machine or add a session ID to the URL, saying something like this user is good to go, you get the drift. But the problem is, if a hacker can steal those cookies or session ID, then he gains access to that restricted environment that the victim had to authenticate to get into. He can then make posts, transfer money, or do whatever else he likes.
Now, there are many ways to achieve this:
- Session Sniffing – The hacker can use network sniffers like Wireshark to intercept session and cookie information.
- Session Fixation – The attacker sends a link to a victim that contains a session ID. If the victim logs in and the system fails to generate a new session ID, then the hacker can use the same session ID to log on as well. The solution here is for the system to always generate a new session ID after each login.
- Session Donation – A hacker logs into a legitimate site, then sends a link with the session data to a victim, asking him to update information. The victim will see that he is logged in and if he fails to notice that it is not his account, then he can input sensitive information, which the hacker can later steal. One solution is to always log out when you are done.
4. XSS & CSRF
As referenced above already, XSS stands for Cross-Site Scripting, while CSRF stands for Cross-Site Request Forgery. You should note here that XSS goes beyond ordinary cookie theft, as it is all about running a script on a page that the victim trusts while connecting with other, less trusted websites.
A victim does not need to be logged in, be authenticated, or take any action to fall for an XSS attack, which is usually automatic. For CSRF, however, the victim has to be logged in on a particular website and additionally take action, such as clicking on a button.
Take, for instance, Victim-Bob is logged on to his bank’s website, then something distracts him, and he lands on a website offering a Free Vacation to Macau, all he needs is to click the button. Once he clicks it though, the website submits a money transfer request to his bank, and since he has an active session with the bank, it might go through.
All the attacker’s website needs is to create a form directed at the bank with the right fields, such as:
<form action=”bank-URL.com” method=”POST”>
<input type=”hidden” name=”amount” value=”50”>
<input type=”hidden” name=”recipient_account” value=”1234567890”>
<input type=”submit” value=”Win a Trip To Macau”>
5. Hotspot Honeypot
Ever used free WiFi to access the web? Hope you used a VPN (Virtual Private Network) to protect yourself, or else you could have been a honeypot victim.
The scheme goes like this: A hacker sets up a free WiFi hotspot with a packet sniffer behind the scenes to harvest passwords and other valuables from those surfing the web for free. Some even set up fake company hotspots, such as you would find at coffee shops, airports, and restaurants.
To avoid such hacks, simply stay away from free hotspots, or use a VPN if you have to use public WiFis.
6. Brute Force
A brute force attack is an attempt to log in to a victim’s account by trying all possible username and password combinations. It can also refer to the cracking of an algorithm by attempting as many keys as possible.
Kali Linux, the popular hacker operating system, comes with brute force tools such as John the Ripper, ncrack, and Hydra. There are also word lists, which aid in dictionary attacks. These contain a list of the most popular passwords and words from the dictionary, such as monkey, 12345, mysecretpassword, 00000, and so on.
Methods for avoiding brute force attacks include adding a captcha to the login page, limiting the number of login tries, and enforcing the use of secure passwords – 8 characters or more, with a combination of symbols, numbers, and upper- and lower-case letters.
7. DoS & DDoS
DoS stands for Denial of Service attack, while DDoS stands for Distributed Denial of Service attack. The aim here is to overwhelm a computer system, such as a server, with so many requests, that it becomes incapable of fulfilling further requests – goes offline.
DoS comes from a single machine and is easy to spot and block. DDoS on the other hand comes from multiple computers and this can be a botnet that is spread across the globe, oftentimes originating from computers infected with malware.
You should note that unlike most other methods on this list, DDoS attacks do not aim to steal or execute malicious code on the victim’s computer. Rather, they are used to hold business servers under siege, as these companies can impossibly continue their services until a ransom is paid.
The simplest way to avoid DDoS attacks is to use a web host that includes DDoS protection in the offered package.
8. Targeted & Non-targeted Website Attacks
A targeted attack is an attack that is aimed specifically at the victim’s website, while a non-targeted attack happens to a website because the attacker was exploiting a general software weakness.
WordPress websites, for instance, are prone to non-targeted attacks, especially those running on older, un-updated versions. The attacker discovers an exploit that works with a particular platform, version, or development framework, then runs the exploit through a list of website addresses that use the platform, to see which ones break.
For targeted attacks, the hacker will spend a little more time getting to know the victim’s website, and this can range anywhere from a few days to many months. Targeted attacks are usually more dangerous and can be disastrous, especially for large firms.
9. SQL Injection
When LulzSec broke into Sony PlayStation Network’s servers in 2011 and stole 1 million passwords, they described the operation as a simple SQL injection hack.
SQL injection is the act of adding SQL language directives into a website’s request address, in the hopes that the programmer did not clean out such potentially harmful inputs. And when SQLi works, the hacker often gains admin access to the database, as happened at Sony.
Preventing SQL injection is possible by using the latest versions of popular platforms and frameworks. However, those building by themselves will have to focus on proper input validation, the use of prepared statements, stored procedures, and vulnerability scanning.
10. Plugin Vulnerabilities
Asides from core security issues with popular platforms such as WordPress, which can often be avoided by upgrading to the latest software versions, plugins, on the other hand, can create a major hacking threat.
There are over 50,000 plugins in the WordPress ecosystem, and each one poses a potential security risk, as the majority of current WordPress hacks come from these plugin vulnerabilities.
Although 100% safety is not possible here, you can still improve a website’s defense against plugin vulnerability by only choosing top-quality plugins with high ratings. Then regularly do core system and plugin updates, and avoid using old themes or extensions of any kind.
We have listed the top 10 methods of hackers out there and you have seen their causes and possible prevention methods. As you must have concluded as well, hacking is part of the computer world, so hack threats are always to be reckoned with.
By being aware of these threats, however, and applying the right protection measures where necessary, you too can drastically reduce your risk of getting hacked.