In the age of digital connectivity, passwords are one of the weakest links in the defense against cyber threats. Cybercriminals attack passwords constantly because they are one of the easiest and most effective ways to breach an environment. Furthermore, a password is often the only thing standing between an unauthorized party and your sensitive information or accounts, which makes it an attractive target for these cybercriminals.
From brute force attacks to credential stuffing, understanding these password attack strategies is crucial for fortifying your online security. This matters because, according to Verizon's data breach report, more than 80% of web application breaches resulted from password-related issues. In this article, we unravel the top 8 password attacks and arm you with effective strategies to fend off these cyber threats and protect your digital world.

Top 8 Types Of Password Attacks

1. Brute Force Attacks

Brute force attacks involve relentlessly guessing passwords until the correct combination is found. Cybercriminals often start from a large list of common or compromised passwords. The attack can be laborious and resource-intensive, since it works through every possible character permutation until the password is identified. However, with the processing power of today’s CPUs, a cybercriminal’s computer can “guess” billions of passwords each second, proactively forcing its way to legitimate users’ passwords. This makes it a highly effective method for gaining access to victims’ accounts. A recent example of a brute force attack is the LinkedIn mass account hijacking campaign, where for some of the attacks the cybercriminals appear to have used brute force to take control of a large number of LinkedIn accounts.

What You Can Do

To deter brute force attacks, it is highly recommended to:
2. Dictionary Attacks

Attackers use large databases of common words and phrases, similar to a dictionary, to guess passwords. This is a form of brute force attack: cybercriminals enter every word in a dictionary, derivatives of those words, and previously leaked passwords or key phrases to break into password-protected assets. For example, a cybercriminal might use a program that tries common words and phrases such as “password” and “123456” until it hits the correct password. If a user’s account password is easily guessable, such as “password123”, the account will be easily broken into with a dictionary attack.

What You Can Do

To deter dictionary attacks, it is highly recommended to:
3. Credential Stuffing

Cybercriminals exploit credentials reused from previous breaches to gain unauthorized access. In short, stolen usernames and passwords are used to gain unauthorized access to victims’ accounts on a range of online services and websites (e.g. online banking, social media, e-commerce platforms). Credential stuffing tends to be automated, with large numbers of stolen username and password combinations attempted in order to break in. Credential stuffers account for more than 90% of all login traffic on many of the largest websites and are a cause of second-hand data breaches.

What You Can Do

To deter credential stuffing, it is highly recommended to:
4. Keylogger Attacks

In this type of password attack, cybercriminals use malware to record the keystrokes on a victim’s computer. Keyloggers can be hardware or software, and they allow cybercriminals to steal a range of sensitive data, from the victim’s passwords to credit card numbers. Keyloggers can be installed on the victim’s computer in a myriad of ways: a phishing email, malicious software that the victim downloads, or a malicious website.

What You Can Do

To deter keylogger attacks, it is highly recommended to:
5. Phishing

Phishing is a type of attack that aims to manipulate users into providing sensitive information or performing actions by disguising the cybercriminals as a trustworthy party. It is commonly attempted through legitimate-looking emails and/or spoofed websites. Cybercriminals tend to use personalized messages that exploit internal information to appear authentic and convincing. These messages usually convey a sense of urgency, to make the victim transfer funds quickly. In one example, cybercriminals impersonated the office manager of a small safety management business and emailed the facilities manager of a food distribution company to notify them of outstanding invoices and that the payment details had changed. To make the email look legitimate:
The targeted victim was tricked and replied to the email with the requested information. The cybercriminal followed up with the “new” bank information and asked that payments be made to this account. When the victim did not respond, the scammer sent a succession of emails pressing them that a reply was of the utmost urgency (a common technique used in phishing). Luckily, cybersecurity analysts managed to step in just in time to ensure no payments were transferred.

What You Can Do

To deter phishing attacks, it is highly recommended to:
6. Rainbow Table Attacks

In this type of attack, cybercriminals gain access to a database and use precomputed hash values to crack passwords. It is a more sophisticated form of the dictionary attack, and it is often used to crack complex or long passwords.

What You Can Do

To deter rainbow table attacks, it is highly recommended to:
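The Python below is an added illustration, not code from the original article. It builds a tiny precomputed table of unsalted SHA-256 hashes from a constructed list of common passwords, shows that an unsalted stored hash is reversed with a single lookup, and shows that a random per-user salt (combined here with PBKDF2) makes such a precomputed table useless. The wordlist, record format and function names are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a wordlist; a real precomputed table would cover
# billions of candidates, but the mechanism is the same (assumption).
COMMON_PASSWORDS = ["password", "123456", "password123", "letmein", "qwerty"]
PBKDF2_ROUNDS = 100_000

def build_precomputed_table(words):
    """Map unsalted SHA-256 digest -> plaintext: a tiny precomputed table."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def reverse_by_lookup(stored_hex, table):
    """Recover a plaintext from an unsalted hash with one lookup (None if absent)."""
    return table.get(stored_hex)

def hash_unsalted(password):
    """The weak scheme: identical passwords always produce identical hashes,
    so one precomputed table works against every user in the database."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt=None):
    """The mitigated scheme: a random per-user salt plus a slow KDF
    (PBKDF2-HMAC-SHA256). The record stores the salt next to the digest
    as "<salt hex>$<digest hex>" so it can be verified later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Because every user gets a different salt, an attacker who obtains the database would have to rebuild the table once per user, and the slow KDF makes each of those rebuilds expensive.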
7. Password Spraying

Password spraying involves attempting one or two common passwords across many different accounts. Cybercriminals use this method to avoid detection and account lockout, since the lockout threshold in many organizations is commonly set at 5 incorrect attempts. The method is often successful because people tend to reuse the same password across multiple accounts or choose commonly used passwords. Furthermore, by staying under the account lockout threshold, cybercriminals can attempt a myriad of passwords across the organization without triggering default protective mechanisms.

What You Can Do

To deter password spraying, it is highly recommended to:
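As an added example (not part of the original article), the Python below runs a simple detector over a constructed set of authentication events: a source that fails against many distinct accounts while staying under the 5-attempt lockout threshold is flagged as a spray candidate, whereas a source that pushes a single account to the threshold looks like classic brute force. The log format, function names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of authentication events (not real logs), one per line:
# "<timestamp> <user> <source-ip> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-06-01T09:00:01 alice 203.0.113.7 FAIL
2024-06-01T09:00:03 bob 203.0.113.7 FAIL
2024-06-01T09:00:05 carol 203.0.113.7 FAIL
2024-06-01T09:00:07 dave 203.0.113.7 FAIL
2024-06-01T09:00:09 erin 203.0.113.7 FAIL
2024-06-01T09:00:11 grace 203.0.113.7 SUCCESS
2024-06-01T09:05:00 alice 198.51.100.4 FAIL
2024-06-01T09:05:01 alice 198.51.100.4 FAIL
2024-06-01T09:05:02 alice 198.51.100.4 FAIL
2024-06-01T09:05:03 alice 198.51.100.4 FAIL
2024-06-01T09:05:04 alice 198.51.100.4 FAIL
2024-06-01T09:10:00 bob 192.0.2.9 FAIL
2024-06-01T09:10:30 bob 192.0.2.9 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse_events(log_text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m[1], "user": m[2], "src": m[3], "result": m[4]})
    return events

def classify_sources(events, lockout_threshold=5, spray_min_users=5):
    """Label each source IP by the shape of its failed logins: brute_force if
    any one account reached the lockout threshold, password_spray if many
    distinct accounts each failed below it, otherwise normal."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
    labels = {}
    for src, per_user in fails.items():
        worst_account = max(per_user.values())  # most failures on one account
        if worst_account >= lockout_threshold:
            labels[src] = "brute_force"
        elif len(per_user) >= spray_min_users:
            labels[src] = "password_spray"
        else:
            labels[src] = "normal"
    return labels
```

Per-account lockout never fires for the spraying source, which is exactly why the detection has to pivot on the source and count distinct accounts rather than attempts per account.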
8. Social Engineering Attacks

Social engineering attacks involve manipulating victims into performing actions or revealing sensitive information such as their passwords. This includes phishing, baiting and tailgating, and can be carried out through emails, phone calls or even in-person interactions. It is often successful because cybercriminals impersonate someone the victims are likely to trust or believe to be a legitimate authority figure. As shown in the example under ‘Phishing’, cybercriminals were able to impersonate the office manager and trick the victim by making the email look legitimate: they used the manager’s real signature with the company’s contact information and logo, and the sender address looked almost identical to that of the real company being mimicked. In another example, cybercriminals incorporated CAPTCHA, an extra verification product, to reassure users that they were safe. Truist, a financial corporation, was targeted by threat actors using this method. Victims were sent an email containing a hyperlink labelled “Finish To-Do List”. When they clicked on the link, victims were redirected to a page with a Truist-branded CAPTCHA and also had to input their phone number. After entering this information, victims were taken to a Truist-branded credential-harvesting page where the threat actors stole their information.

What You Can Do

To deter social engineering attacks, it is highly recommended to:
Takeaway

The battle to safeguard your digital fortress against password attacks is ongoing. Understanding the strategies that cybercriminals employ empowers you to take proactive steps to defend against them. By adopting strategies such as, but not limited to, strong, unique passwords, multi-factor authentication, and staying educated about evolving cyber threats, you can keep your online world secure. Remember, your digital presence is only as strong as its weakest password – fortify it with knowledge and vigilance to ensure a safer and more secure digital future.
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED