In the spirit of the twelve days of Christmas, which will be starting soon on December 25, 2022, we present to you the twelve days of hacking — a holiday month-themed look at the common hacks and attacks that hackers utilize to gain unauthorized access for financial gain, reputation and street cred, corporate and state-sponsored espionage, or just plain fun.
Hacking is an overarching umbrella term that describes finding or exploiting weaknesses in computer systems. It may be done for nefarious purposes by black or gray hat hackers or done in the form of white hat hacking by organizations themselves who are attempting to find and fix their flaws and vulnerabilities before malicious hackers do. Hardware, software, servers, or even the people controlling these systems may all be susceptible to cyberattacks. Let’s take a look at just a few of the many tools, tactics, and methods that hackers use to gain access to our data, files, finances, lives, and sanity — and what individual users, cybersecurity professionals, and developers need to do to stay safe.
Malware describes any malicious software, regardless of how it works, its intent, or the way it’s distributed. Malicious can mean that it disrupts the devices or network, leaks or steals information, or otherwise gains unauthorized access to sensitive information or systems, deprives access, or circumvents security or privacy. Common types of malware include viruses, worms, trojans, ransomware, bots or botnets, adware, spyware, rootkits, file-less malware, and malvertising. There are many forms of malware and new threats are constantly evolving so the best and most reliable protection is for all of your devices to have up-to-date, comprehensive, virus protection software.
Phishing attacks are when hackers try to lure you into sharing sensitive information such as account login credentials, credit card numbers, financial information, and any other sensitive data. Phishing can also be when attackers get you to infect your machine with malware. A common example of phishing attacks, especially this time of year when online shopping is at an all-time high, is for attackers to send a text message that claims there’s a delivery problem with one of your orders and includes an official-looking link where you can fix the issue. But there is no issue. It’s just an attempt to get you to provide your login information on a fake login page. Defend against phishing attacks by not clicking unexpected links in texts or emails. And if you need to log into an account, log into the website directly
We often think of hacking as technical but psychology in the form of social engineering can also be a surprisingly successful tactic to gain sensitive information. In the context of information security, social engineering is psychologically manipulating people into doing actions or providing confidential information. In other words, social engineering is lying. Going with the flow, acting in accordance with social norms, and playing on people’s expectations are keys to this in-plain-sight deception. A simple example of social engineering would be if someone showed up at your door with a vest, clipboard, and pleasant demeanor saying they’re with the power company and need to inspect a line in the backyard, can you let them in? Many people would do it without thinking twice. After all, it looks legit. But looking legit isn’t the same as being legit. And that’s how you can prevent being a victim of social engineering — think twice, ask why, check credentials, call it in and verify.
A denial-of-service attack is a cyber-attack in which an attacker uses an overflow of data or network traffic to shut down access to a machine or network. Common DoS attacks include ping floods, UDP attacks, ICMP echo requests, SYN floods, ping of death — the list goes on. These attacks, like all others, are extremely common. For example, in Q3 2022, Kaspersky’s DDoS Intelligence system detected 57,116 DoS attacks. Because DoS attacks target services, preventing them is more of an issue for network administrators than individual users. And the best defense against DoS attacks is a well-documented resiliency plan, automatic network traffic monitoring, and a relationship with a mitigation provider.
Alright, let’s shift gears to a topic we recently covered in our Android app hacking ebook — application repackaging. This is an attack where attackers use your intellectual property (your application) against you and your customers. The way that they do this is by downloading a legitimate app from a legitimate business and then reverse engineering that application so that they can view the source code and modify it before recompiling and repackaging the application for download. Typically, the modification is a tiny change that’s undetectable to users and does something simple like emailing login credentials to an email account. Users then download the application, which looks legitimate, and use it, never the wiser that the application was compromised and is now leaking data.
Users can get a level of protection against these types of apps by only downloading known applications from trusted sources. Developers can utilize application hardening to obfuscate source code and make applications impervious to reverse engineering attempts so that hackers can’t repackage the app.
Another attack that developers in particular need to be aware of when creating applications that interface with databases is SQL injection attacks. This is a common attack where attackers use malicious SQL to gain access to sensitive company data, user lists, or private customer details. These attacks are carried out when attackers send malicious SQL statements to the database through the interfacing application, which the database interprets and runs as a command. According to the Open Web Application Security Project, injection attacks were the third most serious web application security risk in 2021. SQL injection attacks happen when unchecked commands are accepted and sent to a database, so developers can protect against these attacks by sticking to the fundamentals when coding and always validating user input to ensure it’s what’s expected.
Somewhat similar in concept to SQL injection attacks but also unique is cross-site scripting (XSS). These attacks allow attackers to insert client-side scripts into benign and trusted websites viewed by other users. Attackers use a cross-site scripting vulnerability to get around access controls like same-origin policy. An example of cross-site scripting is a search form, where visitors send a search query to the server which then returns tampered results that will send them to compromised web pages.
To prevent XSS attacks, applications must validate input data and ensure that variable output in a page is encoded before being returned to the user. A web application firewall (WAF) can also protect against XSS attacks by filtering bots and other malicious activity that may indicate an attack, blocking attacks before scripts are executed.
In a session hijacking attack, a hacker takes control of a user’s browsing session to get access to personal account information, and passwords. These attacks typically happen when people are checking email or financial accounts. You can prevent session hijacking by avoiding insecure public networks or using a VPN, as well as browsing websites through an encrypted connection such as HTTPS.
Rootkits are a form of malware that hackers use to get “root” control over a device. You might wonder why anyone would willingly run a program that would give hackers this access. How would anyone be tricked into doing such a thing? Well, phishing and social engineering are just a few tactics. What if you found yourself in a situation where a “tech support person” told you to download a program from a website to fix a problem you’re having? But instead of fixing the problem, it gave that person real-time monitoring access to absolutely every single thing you did on your device. That’s what can happen with a rootkit. Again, the best way to avoid rootlets is to avoid clicking unknown links or downloading software from untrusted sources. And if you do suspect you’re infected, a malware removal tool can scan for, find, and remove rootlets.
Credential reuse is a big problem for many organizations. Because every service now requires users to create a unique account, many users get in the bad habit of resting login credentials between accounts for speed and simplicity — but at the expense of security. If one set of credentials becomes compromised in a data breach that may not even be the users’ fault, hackers can take that information and attempt to log in with that information across many services. Think of how many people probably use the same email and password combination for their email, eBay, Amazon, PayPal, Venmo, and everything else. Moreover, once hackers get this information, they can shut you out and cause damage well before you can stop it. What’s the best defense? A unique password for every account and strong password hygiene for every password!
Fake wireless access points are exactly what they sound like. A hacker finds a public spot with many people looking for and using public networks and puts up one of their own. All it takes is an official-sounding name and no-password-required and chances are that many people will hop on and browse all their private accounts while the hacker sits back and intercepts everything. The obvious way to avoid finding yourself on the wrong side of these attacks is to avoid unfamiliar public networks. And if you absolutely must use one, do not do any private browsing.
One of the most horrific attacks a person or organization can fall victim to is ransomware. Ransomware is when access to files, data, networks, or any other component of a computer system is cut off and held for ransom. Typically, hackers lock or encrypt all the data, and paying is the only way to get it back, and even then it’s only a maybe. Ransomware was a big problem in 2022 and it’s expected to get worse, with ransomware damages likely to exceed $30 billion worldwide in 2023. Preventing ransomware is possible but requires organizations to take a comprehensive approach toward security that includes, well, basically everything at the user and system level.
There are a lot of hacks out there and effective cybersecurity measures require multiple levels of protection to adequately protect ourselves, our organizations, and our businesses.
And if you’re a software developer, you’re perfectly positioned to create secure applications. And PreEmptive makes it easy. We’re a trusted global leader in protection tools for Desktop, Mobile, Cloud, and Internet of Things (IoT) applications. We help organizations make their applications more resistant and resilient to hacking and tampering — protecting intellectual property, sensitive data, and revenue. Get a free trial to learn more.