4 Common Cyberattacks (+How to Prevent Them)

Sam Bocetta  |  April 17, 2019

A peek at recent headlines backs up what most IT professionals already know: cyberattacks against businesses, governments, and individuals are on the rise.

As a webmaster, a big part of your job is protecting clients' websites from infiltration by crackers, hackers, and malicious trackers. So, you might be wondering what the most common types of cyberattacks are and what you can do to prevent them.

Common cybersecurity issues

Even old attacks can become new again when cybercriminals find fresh ways to probe and penetrate website vulnerabilities. It's essential for everyone from seasoned IT experts to the average computer user to stay aware of where the threats come from and to take steps to prevent data breaches.

1. Distributed Denial of Service (DDoS)

DDoS attacks are easy to launch. They aren't normally used to access the system under attack, but to block access for others. Although there are several types of DDoS attacks, they mainly work by overloading a network with requests until it crashes. 


There are five main varieties of DDoS attacks: 

  1. TCP SYN Flood attack: floods the target system with connection requests, then doesn't respond when they're answered, flooding the queue with requests until it crashes.
  2. Teardrop attack: causes IP packets to overlap until the receiving system crashes while trying to reconstruct them.
  3. Smurf attack: uses IP spoofing and the ICMP to saturate target networks with traffic until they become overloaded and crash.
  4. Ping of Death attack: breaks down overlarge IP packets that overflow buffers when the receiving network reassembles them.
  5. Botnet attack: deploys millions of bots that are infected with malware to launch large-scale DDoS attacks. 
TIP: A solution to these problems? DDoS protection software.

2. Phishing and spear-phishing

This tried-and-true email scam has seen many evolutions over the years.

The cybercriminal sends an email pretending to be from a trusted source with the purpose of gaining access to personal information or convincing the recipient to act in a way that benefits the sender, often financially.

One of the most notorious of these is the “Nigerian Prince” email scam, which resurfaces in some form every few years, while ransomware is a relatively new player on the scene that has created plenty of havoc in its short lifespan.


3. SQL injection

SQL injections are perhaps the most common form of cyberattack today. The malicious SQL commands are injected into existing script instead of traditional input like a password.

This causes changes in command lines, allowing data to be read or changed in some way. This kind of attack allows the hacker to issue commands to the operating system and even shut the whole system down.

4. Cross-site scripting (XSS)

Another popular style of attack is cross-site scripting. There has been a recent spate of them involving adware used by Google clients. An XSS attack affects systems from the user side. The XSS script inserts alternative JavaScript code that redirects a visitor to the hacker's website or account instead of the correct one.

The website owner may not even know that their script has been hijacked until they notice a lack of commission deposits due to lower click-through rates; likewise, the user may never know they've been redirected from the normal browsing and shopping experience.

With this type of attack, it's more than money from ad clicks that can be stolen. XSS attacks can also allow the hijacker to record keystrokes, obtain passwords, collect private information, or gain control of the user's computer.

How to prevent cybercrime

There are a number of tactics a webmaster can deploy to secure a website from these sorts of infiltrations. It’s also not a bad idea to put time and effort into educating clients on preventative actions they can take, such as creating more secure passwords and recognizing the signs of fraudulent emails.

General protection against cyberattacks

The best defense against cyberattacks is a good offense.

One of the first steps should be data encryption through Secure Sockets Layer (SSL) technology. Google has pushed for net-wide adoption of SSL to the extent that your website will display the message "Not secure" in the URL bar if you don’t have it. The only way to remove that message is to get an SSL certificate.


Understanding and using resources like Google's Webmaster tools gives you a single dashboard to work from and early warnings if something is amiss.

TIP: For a full explanation of SSL protection and how it works, check out this guide.

Here are some tips for warding off specific kinds of cybercrime: 

Fend off DDoS attacks

How you handle this depends on the nature, mode, and scope of attack. For example, users can install security patches or disable SMBv2 and block ports 139 and 445 to protect against a teardrop attack.

Smurf attacks can be handled by disabling IP-directed broadcasts at the router to prevent ICMP echoes, or you can simply reconfigure the system to keep it from responding to such broadcasts. Using a firewall that checks the size of IP packets will keep you from experiencing the Ping of Death, and Black Hole or RFC 3704 filters will chase away botnets.

Prevent XSS attacks

There are several measures that can be taken to guard against XSS attacks. Google handles it by removing all affected affiliate advertisers. Educating clients, advertisers, affiliates, and the general public about their existence won't protect systems, but it will make them aware of the problem.

What can a webmaster do on the admin side?

Using PHP's filter_var() function with the FILTER_SANITIZE_STRING filter will remove tags and sanitize input. Another trick is to write your script so that it keeps the first line intact when it writes to the file and discards it when the file is read.

Store the file as data.php or with another .php extension. When a hacker tries to gain access, it will be interpreted as executable PHP and the server will exit the file.

You can also use functions to validate data and ensure that it's coming from a reliable source. The most common are: 

  • is_numeric(): tests to see if data matches 0 to 9 with an optional sign and decimal point.
  • preg_match(): checks if the data matches a regular expression.
  • filter_var(): ensures data conforms to a built-in PHP filter.
  • in_array(): checks that data is one of a range of allowed values.
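
The four checks above applied to one form submission, as an added example that is not code from the original article. The field names, limits and the e() helper are assumptions; htmlspecialchars() is not named in the article and is added here because validation alone does not make free text safe to echo, and because FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.

```php
<?php
declare(strict_types=1);

// Constructed rules for a hypothetical comment form; field names are assumptions.
const ALLOWED_SORT = ['newest', 'oldest', 'top'];

/** Returns [accepted values, names of rejected fields]. */
function validate_form(array $in): array
{
    $clean = [];
    $bad = [];

    // is_numeric() also accepts "1e3" and "0.5", so narrow it to an integer range.
    $qty = $in['qty'] ?? null;
    $range = ['options' => ['min_range' => 1, 'max_range' => 100]];
    $int = is_numeric($qty) ? filter_var($qty, FILTER_VALIDATE_INT, $range) : false;
    if ($int !== false) { $clean['qty'] = $int; } else { $bad[] = 'qty'; }

    // preg_match(): \A and \z anchor the pattern so the whole value must match.
    $user = $in['user'] ?? null;
    if (is_string($user) && preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $user) === 1) {
        $clean['user'] = $user;
    } else {
        $bad[] = 'user';
    }

    // filter_var(): built-in e-mail filter, returns false when the value fails.
    $email = filter_var($in['email'] ?? null, FILTER_VALIDATE_EMAIL);
    if ($email !== false) { $clean['email'] = $email; } else { $bad[] = 'email'; }

    // in_array() with strict comparison: only the listed strings pass.
    $sort = $in['sort'] ?? null;
    if (in_array($sort, ALLOWED_SORT, true)) { $clean['sort'] = $sort; } else { $bad[] = 'sort'; }

    return [$clean, $bad];
}

/** Encode on output for HTML text and quoted-attribute contexts. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submission: the sort value and comment carry markup.
$post = ['qty' => '3', 'user' => 'alice_01', 'email' => 'alice@example.com',
         'sort' => '"><script>alert(1)</script>', 'comment' => '<b>hi</b> & bye'];
[$clean, $bad] = validate_form($post);
echo 'rejected fields: ', implode(', ', $bad), PHP_EOL;
echo '<p>', e($post['comment']), '</p>', PHP_EOL;
```

Values that fail a check are rejected rather than repaired, and free text such as the comment is stored as submitted and encoded only at the point where it is written into HTML.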

Guard against SQL injection

A good start is to update from older functional interfaces used by PHP and ASP applications. Using J2EE and ASP.NET applications will increase the chances of running into the more vulnerable interfaces that can be exploited by SQL injections. Applying least privilege permission models and validating input against a whitelist at the application level will also protect your system.
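
A concatenated query beside a bound-parameter version, plus whitelist validation for a value that cannot be bound, as an added example that is not code from the original article. PDO prepared statements are the interface chosen here (the article does not name one); the users table, the function names and the sample input are constructed, and the script needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database so the example runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

/** Vulnerable: the input is pasted into the SQL text and is parsed as SQL. */
function find_user_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened: the value travels as a bound parameter, never as SQL text. */
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Column names cannot be bound, so validate them against a whitelist. */
function list_users(PDO $db, string $orderBy): array
{
    $allowed = ['id', 'name'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    return $db->query("SELECT id, name FROM users ORDER BY $orderBy")->fetchAll(PDO::FETCH_ASSOC);
}

$input = "x' OR '1'='1";   // constructed hostile input
printf("unsafe rows: %d\n", count(find_user_unsafe($db, $input)));
printf("bound rows:  %d\n", count(find_user($db, $input)));
try {
    list_users($db, 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The unsafe function returns every row for that input, while the bound version treats the whole string as a name and matches nothing. Least privilege is a separate control applied to the database account the application connects with and is not shown here.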

Get help from your web host

In the midst of fighting off hackers from the client side, don’t overlook the server side help that should be available from your web host provider. A good one should be a partner against cyberattacks. The industry leaders offer strong security solutions for locking down client websites against exploit attempts as a core feature, and they’re not shy about telling potential customers. Read the fine print before signing up to understand exactly what they offer. 

One of the best ways to harden your website against attacks is to avoid free or very cheap hosting, lest you end up one of the 13.5 million username/password combinations either leaked or hacked from 000webhost.com. During a multi-year review of Canadian web hosts, Hosting Canada reported on the leak and subsequent investigation by Forbes. Inquiries to contact 000 and other hacked hosting providers led nowhere.

Not only can free web hosts be expected not to invest in the hardware or software needed to properly protect customers from cybercriminals, but they have also been known to actively collect and sell customer data. They’ve got to make money somehow!

The bottom line?

In 2017 alone, ransomware attacks cost businesses more than 2 billion dollars. On top of that, individuals were duped out of 9 billion dollars through scams involving compromised business emails.

Obviously there’s a problem, and it’s one without a simple solution. Investing in security software, keeping a proactive mindset, and staying aware of growing threats are the best defense against cybercrime that costs time, money, and public trust.

Ready to learn more about protecting yourself from cyberattacks? Learn about the biggest cybersecurity trends and read our comprehensive list of 50 cybersecurity statistics for 2019. 


Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.