The business of cybercrime is becoming more and more sophisticated each day as hackers perfect their methods and discover new ways of taking advantage of unsuspecting users. In spite of the new and creative ways that these criminals devise to infiltrate businesses and organizations, a great number of attacks are still perpetrated with tried-and-true methods that have been in use for decades. These methods are some of the most common but are also some of the most easily preventable.

Brute Force

One of the most straightforward of hacking methods is the brute force attack. This method utilizes automation to repeatedly attempt various username and password combinations until the correct one is discovered through trial and error. Some of these attempts use specialized software that employ basic dictionary words to create millions of possible combinations. Others will attempt common passwords such as “password” on multiple accounts.

Phishing / Spear Phishing

Phishing is a technique in which a cybercriminal impersonates a legitimate entity in order to capture sensitive information from unsuspecting victims. One of the most common methods is by use of fake emails that appear to originate from real institutions. These emails ask for information such as personal data, financial account numbers, and passwords. They often link to fake websites harboring viruses and malware where this information can be entered.

Credential Stuffing

Once credentials from a data breach are obtained, those same credentials can then be used to attempt to access user accounts on other popular applications. Hacking into a corporate database provides a virtual treasure trove of user names and passwords that can then be used to compromise multiple sites with the use of automated login software. The tendency of users to employ duplicate user names and passwords across multiple sites makes this a common and lucrative practice for hackers.

Keylogger

Keylogger software can be illegally used to capture the keystrokes that a user enters into a device in order to obtain sensitive data such as passwords, credit card information, account numbers, and PINs. These programs are most commonly inserted into PCs and other devices when a user clicks on an infected file attachment.  Keyloggers are also available on hardware devices that can surreptitiously be placed on keyboards and other equipment used by the public and remotely accessed.

Man-in-the-middle

A man-in-the-middle attack takes place when a hacker inserts themselves in between the victim and the party with which the victim is trying to communicate. The attacker, undetected by the other parties in the exchange can then freely eavesdrop, intercept, and modify a conversation or transfer of data. One method of doing this is through use of a program called a “packet sniffer.” This software analyzes network traffic in order to find communications that have not been properly secured.

Another variation of this includes posing as a legitimate wi-fi network. When the user logs into the unsecure network, the attacker can intercept data. Stealing session cookies, which save information from previous sessions for the convenience of the user, also allow bad actors to access accounts and obtain confidential information.

Mitigating Risks

The weakest link that risks exposing a business or organization to all of these criminal practices is human error. Vigilance when opening file attachments and clicking on email links is important. Strong passwords that are not reused and avoid dictionary words can reduce the chance of a brute force attack and limit far-reaching effects of credential stuffing. Multi-factor authentication strengthens security by requiring more than one method to prove identity. Also, avoidance of insecure networks and public places where hardware may be compromised is a crucial step.

For ultimate protection of systems and networks, engaging a cybersecurity service to close any system vulnerabilities is necessary. If you wish to provide your business or organization with cutting-edge information security, Asteros Cybersecurity Services is here to help. Begin by scheduling a 100% free, no-strings-attached attack surface audit today.