Cybersecurity can seem like a game of cat and mouse. No sooner do security experts get wise to the latest threats than attackers modify their tactics, discover fresh vulnerabilities, and develop new lines of offense.
Still, most fall into a known set of categories. In this post, we review ten of the most common cyber attacks, how they work, and what developers and users can do to protect their data.
What is a cyber attack?
A cyber attack is any attempt by a malicious actor (often called a cybercriminal or hacker) to breach a computer system, network, infrastructure, or database. An attack can be launched against a single user or device or against a group like a corporate or governmental organization.
What’s at risk in a cyber attack? What do hackers want?
Generally, cybercriminals are out to steal, destroy, or otherwise tamper with sensitive data, including account credentials, personal or financial information, or valuable intellectual property. They may be doing this for monetary gain, for an ideological or political cause, or even just for fun.
What are the most common forms of cyber attack?
There are ten popular varieties of cyber attack that pop up time and again in security circles.
1. Malware
Malware, short for malicious software, is an umbrella term for any invasive file, program, or code introduced to a computer through email attachments, corrupt links, or ads that an unsuspecting user loads when visiting a website.
There are many different types of malware, including:
- Viruses that attach themselves to legitimate files or programs, replicate, and spread across different platforms, software, and devices
- Ransomware that encrypts data or files on a device and blocks user access until a certain price is paid or condition is met as ransom
- Spyware that secretly monitors a user’s online activity, gathers data, and relays it to a malicious third party
- Trojans that, like a Trojan horse, are disguised as harmless or desirable programs to trick a user into downloading a corrupt file
- Bots (short for robots) that are programmed to quickly and automatically carry out attacks, with the potential to infect and control many different computers at once
A classic example of malware (in trojan form) is pop-up advertising for fake antivirus software that promises to rid a computer of viruses but—once installed—actually introduces one to the system.
Recently, there’s also been a growing trend of malware as a service (MaaS), where cybercriminals can buy or lease pre-made software or hardware that they can use to carry out attacks, widening both the access to and reach of malware.
2. Phishing
Phishing is a form of social engineering. Attackers send messages via email, SMS, social media, and other channels in an attempt to trick recipients into disclosing private or restricted data. Phishing attacks are often carried out at random, but they can also target specific individuals or businesses in a tactic known as spear phishing.
One of the most well-known phishing tropes involves an email scam where the author poses as foreign royalty, offering the recipient a share in a vast fortune if they help move the funds out of another country. As the story goes, the recipient must provide their bank account information, so the money can be transferred to them for safekeeping. Of course, a naive and obliging reader will quickly find their account balance drained.
3. Man in the middle (MitM) attacks
In a man-in-the-middle (MitM) attack, a hacker eavesdrops on or otherwise intercepts sensitive communications between a user/app and another platform—like an unknown third party listening in on a confidential phone conversation.
An active MitM attack could take the form of session hijacking, where a hacker observes the web traffic occurring over a given network, locates an active session ID, and uses the session token to gain unauthorized access to a user’s account.
In a passive MitM attack, a hacker might create a free, public WiFi hotspot—like at a cafe—and get a full view of every activity and data exchange a user engages in over the wireless connection.
4. Denial of service (DoS) and distributed denial of service (DDoS)
A denial of service (DoS) attack occurs when a hacker floods a website or network with pointless or unnecessary requests—often from fraudulent accounts—overloading the system until it crashes or is shut down. This disruption means that legitimate users and requests cannot access the site or service, thus thwarting its regular operations or business.
It’s like a crank caller continuously phoning a pizza shop during peak hours, tying up the line so real customers can’t dial in with actual orders.
In a conventional DoS attack, this congestion is caused by a single source. In a distributed denial of service (DDoS) attack, however, it comes from many sources at once. In the pizza shop analogy, imagine the crank caller has help from a dozen of his closest friends, each calling from a different phone, making it nearly impossible to trace and block each number and free up the line.
5. Cross-site scripting (XSS)
Following a successful XSS attack, a hacker can access a user’s credentials or hijack their account, control their browser remotely, or even spread worms and other malware across their system.
6. SQL injections
Similar to XSS, an SQL injection occurs when an attacker inserts structured query language (SQL) code into a standard request in order to breach or manipulate a vulnerable database.
One example is when an app or website provides a form for users to enter their login information (like username and password), which is then checked against the app’s database to verify the user’s credentials and grant them access. A hacker might instead use that form to inject code written in SQL, a language that allows them to communicate directly with the app’s database and carry out their own requests.
7. Domain name system (DNS) spoofing
Domain name system (DNS) spoofing, sometimes called DNS cache poisoning, is when an attacker impersonates a DNS server, which is responsible for translating the domain name a user enters (like google.com) into an IP address that a computer can understand and route to.
Having intercepted a user’s request, the hacker instead answers with their own server’s IP address, rerouting the user to a fake version of the desired website hosted there. For example, a user may think they’re heading to the Facebook login screen—via facebook.com—but be redirected to a different domain hosting the hacker’s forged Facebook page. Any username and password the user enters there can of course be seen and stolen by the hacker.
8. Birthday attacks
Birthday attacks are named after the birthday paradox in mathematics. It states that, for there to be a 50% chance someone at a party shares your birthday, you need 253 people in the mix. But for a 50% chance that any two people there share a birthday, you only need 23—because you’re not already tying one end of the match to a specific date.
In cryptography, a birthday attack follows this same idea. It’s much more challenging to find a match for one specific output of a hash function (a one-way algorithm responsible for encrypting, converting, and validating data like passwords) than it is to find any two inputs that collide through randomized attempts. These more dispersed attacks can then be used to crack encrypted values like digital signatures.
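The two party figures and the hash-collision idea above, worked through as an added example (not part of the original post). The function names are assumptions, and the digest is SHA-256 deliberately truncated to a few bits so both searches finish quickly.

```python
import hashlib
from itertools import count

def guests_for_specific_match(target=0.5, days=365):
    # Smallest n where one of n other guests shares YOUR birthday with
    # probability >= target: P = 1 - (1 - 1/days)^n
    for n in count(1):
        if 1 - (1 - 1 / days) ** n >= target:
            return n

def guests_for_any_match(target=0.5, days=365):
    # Smallest n where ANY two of n guests share a birthday with
    # probability >= target: P = 1 - prod_{k<n} (days - k)/days
    p_distinct = 1.0
    for n in count(1):
        p_distinct *= (days - (n - 1)) / days
        if 1 - p_distinct >= target:
            return n

def short_hash(msg, bits):
    # SHA-256 truncated to `bits` bits: a deliberately tiny digest.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def find_any_collision(bits):
    # Birthday search: remember every digest seen, stop at the first repeat.
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        h = short_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1   # the two messages, hashes computed
        seen[h] = msg

def find_specific_match(target_msg, bits):
    # Targeted search: keep hashing until a digest equals one fixed target.
    target = short_hash(target_msg, bits)
    for i in count():
        msg = b"msg-%d" % i
        if msg != target_msg and short_hash(msg, bits) == target:
            return msg, i + 1

if __name__ == "__main__":
    print(guests_for_specific_match(), guests_for_any_match())   # 253 23
    a, b, tries = find_any_collision(20)
    print("any collision, 20-bit digest:", tries, "hashes")
    m, tries = find_specific_match(b"signed document", 20)
    print("match for one specific digest:", tries, "hashes")
```

For an n-bit digest the first search needs on the order of 2^(n/2) hashes and the second on the order of 2^n, which is why digest lengths are chosen against the collision bound rather than the full output size.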
9. Drive-by attacks
In a drive-by attack, the user doesn’t actually have to download, open, or click on anything to install a hacker’s program on their device. This malware can piggyback on a legitimate, authorized download—delivering a hidden, malicious payload along with it—or exploit security flaws on a website to transfer a program onto a visitor’s device.
They’re so named because all a user has to do is visit or “drive” by a website to be affected.
10. Password attacks
A password attack is really any attack that attempts to steal a user’s password, and the term covers many of the above strategies. Still, there are a few unique terms used when hackers target passwords, including:
- Brute force attacks, where a hacker tries to access a secure account through trial and error, repeatedly entering random credentials like passwords until one works
- Credential stuffing, where hackers use stolen credentials or user data to break into a secure system
- Password spraying, a type of brute force attack where hackers use the same password over numerous accounts before moving on and trying another, allowing them to get around simple protections like login lock-outs
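Why a per-account lock-out catches brute force but not spraying, as an added detection example (not part of the original post). The log format, thresholds, addresses and usernames are constructed for illustration.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5   # assumed: failures before one account is locked
SPRAY_ACCOUNTS = 4      # assumed: distinct accounts failed from one source

# Constructed sample log, one event per entry: "<minute> <source> <user> <result>"
SPRAYED = ["alice", "carol", "dave", "erin", "frank"]
SAMPLE_LOG = (
    # brute force: one account, six guesses
    [f"{m} 203.0.113.5 bob FAIL" for m in range(6)]
    # spraying: one guess per account, then a second round half an hour later
    + [f"{m} 198.51.100.7 {u} FAIL" for m in (0, 30) for u in SPRAYED]
    # an ordinary user mistyping once
    + ["12 192.0.2.10 carol FAIL", "13 192.0.2.10 carol OK"]
)

def failures(log):
    # Yield (source, user) for every failed login in the log.
    for line in log:
        _minute, source, user, result = line.split()
        if result == "FAIL":
            yield source, user

def locked_out_accounts(log, threshold=LOCKOUT_THRESHOLD):
    # The simple protection: count failures per account.
    per_user = defaultdict(int)
    for _source, user in failures(log):
        per_user[user] += 1
    return sorted(u for u, n in per_user.items() if n >= threshold)

def spraying_sources(log, min_accounts=SPRAY_ACCOUNTS):
    # The complementary view: distinct accounts each source failed against.
    per_source = defaultdict(set)
    for source, user in failures(log):
        per_source[source].add(user)
    return sorted(s for s, users in per_source.items() if len(users) >= min_accounts)

if __name__ == "__main__":
    print("locked out:", locked_out_accounts(SAMPLE_LOG))
    print("spraying from:", spraying_sources(SAMPLE_LOG))
```

On the sample log the lock-out counter flags only the brute-forced account, since no sprayed account reaches the threshold, while counting distinct failed accounts per source flags the spraying address.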
And on and on…
Remember, this list is by no means comprehensive. Hackers are always adapting and refining their methods to bypass the newest security software and circumvent the latest cryptographic techniques.
That means there’s a constantly growing arsenal of cybersecurity threats, with others including zero-day exploits, internet of things (IoT) attacks, rootkits, and cryptojacking.
How to protect against cyber attacks
While we could write a whole post on the best ways to guard your business or personal data against cyberattacks—in fact, we did—there are a few measures you can take right off the bat:
- Know your sources. This may seem basic, but verify that each file you download is coming from a known and trustworthy source, avoiding exposure to malware.
- Keep your software up to date. You may be annoyed by pesky update reminders, or you may not have time to install the latest version of a program, but not following through can leave your device open to an attack that the software company or operating system has already worked hard to solve.
- Implement multi-factor authentication (MFA). A layered approach to authentication, requiring two or more credentials to verify a user’s identity, MFA is one of the best and simplest ways to secure your app or website against many forms of attack. Better yet, implement unphishable MFA that uses end-to-end cryptography and key-based authentication.
- Get rid of passwords. As a company specializing in passwordless solutions, we’d be remiss if we didn’t remind you that passwords are the weakest link in the authentication game, whether they’re easily forgotten, repeated across multiple accounts, or just downright easy to guess.
What Stytch is doing to help
In the fight against cyberattacks, we’re equipping developers with the latest, strongest passwordless products, from email magic links to SMS one-time passcodes to WebAuthn built-in biometrics and specialized hardware keys.
To get started, sign up for a free account, and try our solutions out in a sandbox environment to see what they can do for you.