8 Common Hacking Techniques Your Organisation Is Facing

Following on from the previous article detailing Cyber Security terminology (if you missed the article you can find it here). This article details eight of the most popular attack types malicious individuals use to breach their targets.

This isn’t an exhaustive list, but as the threat of organisations being breached rises it’s important that you are aware of the methods threat actors use to attack individuals and businesses, ensuring you have the knowledge and awareness to defend against them.

1. Fake WAP

How Does It Work?

A Fake WAP (Wireless Access Point) is set up in a public location, for example a coffee shop where there is a large number of potential targets and uses a legitimate name such as ‘coffee shop name WIFI’ to make it appear trusted and legitimate.

The intention is that targets will connect to the Fake WAP. However, once connected all traffic will travel through a rogue access point for inspection and any traffic which is unencrypted will potentially be stolen for future use.

How To Spot A Fake WAP?

Fake WAPS often use an open unsecured network and users aren’t required to enter any credentials to sign in or access. (Often free WIFI access in public locations requires the user to sign in in order to access).

How To Avoid This Technique?

• Avoid connecting to free, open wireless networks.
• Ensure you get the network name and password directly from the provider offering the network.
• If you do have to utilise a free network, utilise a host VPN to encrypt your traffic.

2. Cookie Theft

How Does It Work?

Cookie Theft, also referred to as Sidejacking or Session Hijacking involves the cookie you receive from accessing websites being stolen through an unsecured connection. The attacker can then use the cookie to pretend they are you, accessing a site using your session id and changing your account settings to hijack it.

How Do You Avoid This Technique?

• Look for HTTPS not HTTP at the start of the address bar to ensure you are visiting a secure site.
• Use a host VPN to encrypt your traffic.

3. Bait and Switch

How Does It Work?

Bait and Switch leverages clickable ads on websites to divert unsuspecting users to malicious websites. If this technique is successful, the malicious destination could be used to steal your credentials or install malware on your computer, enabling an attacker to more easily perform future attacks.

How Do You Avoid This Technique?

• Never click on ads whilst browsing the internet. Use a reputable search engine or the address bar in your browser to search for the sites you are using.
• User secure browser plug-ins which block pop-ups.

4. Clickjacking

How Does It Work?

Clickjacking, also referred to as UI Redress lays an invisible frame over the website you’re accessing. A clickjacked page tricks unsuspecting users into performing undesired actions by clicking concealed links on authentic pages. The user believes they are clicking legitimate buttons, but they are actually performing actions on the invisible page.

How Do You Avoid This Technique?

• Use an updated and reputable browser (Google Chrome, Firefox etc.) with built in defences.
• Install ad-blocker and script blocking plugins.

5. Browse Locker

How Does It Work?

Browse lockers are the popup screen which display messages warning about viruses, computer infections or other incidents. They then encourage you to follow links which lead you to malicious websites or phone numbers. When you call the support line a fake technician will attempt to charge you to fix the incident, divulge your credentials or allow them remote access to fix it themselves.

How Do You Avoid This Technique?

• Using browser plugins will enable you to block malicious links and ads.
• Never call the numbers or click on the links provided.
• If you are unsure whether the link is legitimate, contact the company directly without clicking the link.

6. IoT Attacks

How Does This Work

As the deployment of smart technologies has grown, so have the security challenges associated with them. Passwords and usernames are frequently left as the defaults, making it easier for attackers to compromise these devices.

How Do You Avoid This Technique?

• Ensure the IoT device is secure by changing the default username and password, placing it on a different VLAN if possible.
• Use a strong encryption and a complex password passphrase.
• Keep your software updated.
• Leverage multi factor authentication on your devices.

7. Phishing

How Does This Work?

Phishing emails are malicious spam emails designed to trick you into clicking links, download malicious files or call phone numbers.

Whilst some attempt at phishing emails are obvious and easy to identify, attacks are becoming increasingly convincing as malicious individuals use social engineering to create realistic looking scenarios.

How To Spot A Phishing Email?

Some of the tell-tale signs an email is malicious include; spelling mistakes and grammatical anomalies such as random capital letters and broken English. Phishing emails also tend to use a sense of urgency, for example urging you to act before an account is locked. Finally, phishing emails often use generic greetings such as “Dear User” or are addressed to your email.

How Do You Avoid This Technique?

• Invest in companywide training to give your employees the knowledge to detect these attacks.
• Create an open environment based on education rather than punishment where employees can admit they’ve clicked malicious emails and the email can be dealt with.

8. Credential Reuse

How Does This Work?

Many users still use the same or similar passwords across multiple sites. However, if a malicious individual is able to gain access to your login credentials, they can then try those credentials with other sites you may be on to gain access. Your information can also be sold on the dark web so numerous malicious individuals could also have access to your credentials.

How Do You Avoid This Technique?

• Don’t use the same password across multiple sites.
• Use a password vault application to keep your credentials secure.
• Utilise a password compromise website such as www.haveibeenpwned.com to see if website using your email have been compromised.

This article contained just a sample of the methods malicious individuals will use to attempt to breach your organisation. If you are interested in finding out more about how SES can help increase your organisations cyber security against these threats, please get in touch to speak to one of our specialists. 

 © SES Secure Limited and ses-escrow.co.uk, 2019. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.