Cybersecurity can seem like a game of cat and mouse. No sooner do security experts get wise to the latest threats than attackers modify their tactics, discover fresh vulnerabilities, and develop new lines of offense.
Still, most fall into a known set of categories. In this post, we review ten of the most common cyber attacks, how they work, and what developers and users can do to protect their data.
A cyber attack is any attempt by a malicious actor (often called a cybercriminal or hacker) to breach a computer system, network, infrastructure, or database. An attack can be launched against a single user or device or against a group like a corporate or governmental organization.
Generally, cybercriminals are out to steal, destroy, or otherwise tamper with sensitive data, including account credentials, personal or financial information, or valuable intellectual property. They may be doing this for monetary gain, for an ideological or political cause, or even just for fun.
There are ten popular varieties of cyber attack that pop up time and again in security circles.
Malware, short for malicious software, is an umbrella term for any invasive file, program, or code introduced to a computer through email attachments, corrupt links, or ads that an unsuspecting user loads when visiting a website.
There are many different types of malware, including:
A classic example of malware (in trojan form) is pop-up advertising for fake antivirus software that promises to rid a computer of viruses but—once installed—actually introduces one to the system.
Recently, there’s also been a growing trend of malware as a service (MaaS), where cybercriminals can buy or lease pre-made software or hardware that they can use to carry out attacks, widening both the access to and reach of malware.
Phishing is a form of social engineering. Attackers send messages via email, SMS, social media, and other channels in an attempt to trick recipients into disclosing private or restricted data. Phishing attacks are often carried out at random, but they can also target specific individuals or businesses in a tactic known as spear phishing.
One of the most well-known phishing tropes involves an email scam where the author poses as foreign royalty, offering the recipient a share in a vast fortune if they help move the funds out of another country. As the story goes, the recipient must provide their bank account information, so the money can be transferred to them for safekeeping. Of course, a naive and obliging reader will quickly find their account balance drained.
In a man-in-the-middle (MitM) attack, a hacker eavesdrops on or otherwise intercepts sensitive communications between a user/app and another platform—like an unknown third party listening in on a confidential phone conversation.
An active MitM attack could take the form of session hijacking, where a hacker observes the web traffic occurring over a given network, locates an active session ID, and uses the session token to gain unauthorized access to a user’s account.
In a passive MitM attack, a hacker might create a free, public WiFi hotspot—like at a cafe—and get a full view of every activity and data exchange a user engages in over the wireless connection.
A denial of service (DoS) attack occurs when a hacker floods a website or network with pointless or unnecessary requests—often from fraudulent accounts—overloading the system until it crashes or is shut down. This disruption means that legitimate users and requests cannot access the site or service, thus thwarting its regular operations or business.
It’s like a crank caller continuously phoning a pizza shop during peak hours, tying up the line so real customers can’t dial in with actual orders.
In a conventional DoS attack, this congestion is caused by a single source. In a distributed denial of service (DDoS) attack, however, it comes from many sources at once. In the pizza shop analogy, imagine the crank caller has help from a dozen of his closest friends, each calling from a different phone, making it nearly impossible to trace and block each number and free up the line.
Cross-site scripting (XSS) is a code injection attack where hackers insert malicious, typically client-side JavaScript code into a trusted app or website. In other words, an attacker targets a user by injecting harmful, hidden code into their browser behind seemingly harmless content.
An XSS attack can occur when the data a user submits—like entering their name into a contact form—is not properly validated or escaped, allowing hackers to substitute the user’s input with JavaScript code that the browser executes automatically. Alternatively, XSS can take the form of shortened or disguised URLs in a phishing email—like a fake message from a user’s bank that asks them to “click here” to resolve a problem—with the added link really just running a malicious script.
Following a successful XSS attack, a hacker can access a user’s credentials or hijack their account, control their browser remotely, or even spread worms and other malware across their system.
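The contact-form case described above, as an added example that is not part of the original post: the same page fragment rendered with and without output escaping, plus a basic input check. The function names, the HTML template, the name policy, and the sample inputs are all constructed for illustration.

```python
import html
import re

# Assumed policy: a name starts with a letter, then letters, spaces, . ' or -.
NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[ .'-]){0,63}")

TEMPLATE = '<p>Thanks, {name}!</p><input name="name" value="{name}">'

def render_vulnerable(name: str) -> str:
    # Submitted text is pasted straight into markup, so the browser parses
    # any tags or quotes in it as part of the page.
    return TEMPLATE.format(name=name)

def render_hardened(name: str) -> str:
    # Escape on output: <, >, & and both quote characters become entities,
    # which covers element content and the quoted attribute value alike.
    return TEMPLATE.format(name=html.escape(name, quote=True))

def handle_submission(name: str):
    """Validate first, then escape anyway: valid names can contain quotes."""
    if not NAME_RE.fullmatch(name):
        return 400, "<p>Please enter a valid name.</p>"
    return 200, render_hardened(name)

# Constructed sample inputs.
SCRIPT_INPUT = "<script>alert(1)</script>"
ATTR_INPUT = '" onmouseover="alert(1)'

if __name__ == "__main__":
    for sample in ("O'Brien", SCRIPT_INPUT, ATTR_INPUT):
        print(handle_submission(sample))
    print(render_vulnerable(SCRIPT_INPUT))
    print(render_hardened(SCRIPT_INPUT))
```

Validation alone is not enough here: a legitimate name such as O'Brien passes the check and still contains a character that has to be escaped before it is written into an attribute.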
Similar to XSS, an SQL injection occurs when an attacker inserts structured query language (SQL) code into a standard request in order to breach or manipulate a vulnerable database.
One example is when an app or website provides a form for users to enter their login information (like username and password), which is then checked against the app’s database to verify the user’s credentials and grant them access. A hacker might use that form to inject SQL code instead—a programming language that allows them to communicate directly with the app’s database and carry out their own requests.
Domain name system (DNS) spoofing, sometimes called DNS cache poisoning, is when an attacker impersonates a DNS server, which is responsible for translating the domain name a user enters (like google.com) into an IP address that a computer can understand and route to.
Having intercepted a user’s request, the hacker instead reroutes the user to the IP address of their own server, which hosts a fake version of the desired website. For example, a user may think they’re heading to the Facebook login screen—via facebook.com—but be redirected to a different domain hosting the hacker’s forged Facebook page. Any username and password the user enters there can of course be seen and stolen by the hacker.
Birthday attacks are named after the birthday paradox in mathematics. It states that, for there to be a 50% chance someone at a party shares your birthday, you need 253 people in the mix. But for a 50% chance that any two people there share a birthday, you only need 23—because you’re not already tying one end of the match to a specific date.
In cryptography, a birthday attack follows this same idea. It’s much more challenging to find a match for one specific output of a hash function—a one-way algorithm responsible for encrypting, converting, and validating data like passwords—than it is to find any two inputs that collide through randomized attempts. These more dispersed attacks can then be used to crack encrypted values like digital signatures.
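The arithmetic behind the 253 and 23 figures, carried over to hashes, as an added example that is not part of the original post. It goes beyond the party case by running a collision search against SHA-256 truncated to 16 bits; the truncation, the function names, and the counter-based messages are assumptions chosen so the search finishes instantly.

```python
import hashlib
import math

def n_for_specific_match(space: int = 365, target: float = 0.5) -> int:
    """Smallest n where one of n random values hits one fixed value with P >= target."""
    return math.ceil(math.log(1 - target) / math.log(1 - 1 / space))

def n_for_any_match(space: int = 365, target: float = 0.5) -> int:
    """Smallest n where some pair among n random values matches with P >= target."""
    p_all_distinct, n = 1.0, 0
    while 1 - p_all_distinct < target:
        p_all_distinct *= (space - n) / space
        n += 1
    return n

def truncated_hash(data: bytes, bits: int) -> int:
    # Toy hash for the demo: the top `bits` bits of SHA-256.
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def find_collision(bits: int = 16):
    """Hash constructed messages until any two share a truncated hash."""
    seen = {}
    attempts = 0
    while True:
        msg = b"msg-%d" % attempts
        attempts += 1
        tag = truncated_hash(msg, bits)
        if tag in seen:
            return seen[tag], msg, attempts
        seen[tag] = msg

if __name__ == "__main__":
    print("share your birthday:", n_for_specific_match())
    print("any two share one:  ", n_for_any_match())
    first, second, attempts = find_collision(16)
    print("16-bit collision after", attempts, "hashes:", first, second)
    print("hashes for a 50% chance at one specific value:",
          n_for_specific_match(2 ** 16))
```

The gap grows with output size: the any-pair figure scales with the square root of the number of possible outputs, which is why a hash needs roughly twice as many output bits as the collision resistance it is meant to provide.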
In a drive-by attack, the user doesn’t actually have to download, open, or click on anything to install a hacker’s program on their device. This malware can piggyback on a legitimate, authorized download—delivering a hidden, malicious payload along with it—or exploit security flaws on a website to transfer a program onto a visitor’s device.
They’re so named because all a user has to do is visit or “drive” by a website to be affected.
A password attack is really any attack that attempts to steal a user’s password, and the term covers many of the above strategies. Still, there are a few unique terms used when hackers target passwords, including:
Remember, this list is by no means comprehensive. Hackers are always adapting and refining their methods to bypass the newest security software and circumvent the latest cryptographic techniques.
That means there’s a constantly growing arsenal of cybersecurity threats, with others including zero-day exploits, internet of things (IoT) attacks, rootkits, and cryptojacking.
While we could write a whole post on the best ways to guard your business or personal data against cyberattacks—in fact, we did—there are a few measures you can take right off the bat:
In the fight against cyberattacks, we’re equipping developers with the latest, strongest passwordless products, from email magic links to SMS one-time passcodes to WebAuthn built-in biometrics and specialized hardware keys. To get started, sign up for a free account, and try our solutions out in a sandbox environment to see what they can do for you.