15 Common Types of Cyber Attacks

The document outlines 15 common types of cyber attacks including malware, phishing, man-in-the-middle attacks, distributed denial-of-service attacks, SQL injection, zero-day exploits, business email compromise, cryptojacking, cross-site scripting, and password attacks which use techniques like brute force cracking to obtain credentials or infiltrate systems and steal sensitive information.

Uploaded by cycodedroid

While there are many different ways that an attacker can infiltrate an IT system, most cyber-attacks rely on pretty similar techniques. Below are some of the most common types of cyber-attacks.

1. Malware

Malware is a type of application that can perform a variety of malicious tasks. Some strains of malware are designed to create persistent access to a network, some are designed to spy on the user in order to obtain credentials or other valuable data, while some are simply designed to cause disruption.

Some forms of malware are designed to extort the victim in some way. Perhaps the most notable form of malware is Ransomware – a program designed to encrypt the victim’s files and then ask them to pay a ransom in order to get the decryption key.

2. Phishing

A Phishing attack is where the attacker tries to trick an unsuspecting victim into handing over valuable information, such as passwords, credit card details, intellectual property, and so on.

From: lepide.com

Phishing attacks often arrive in the form of an email pretending to be from a legitimate organization, such as your bank, the tax department, or some other trusted entity.

Phishing is probably the most common form of cyber-attack, largely because it is easy to carry out, and surprisingly effective.

3. Man-in-the-middle attack (MITM)

A man-in-the-middle attack (MITM) is where an attacker intercepts the communication between two parties in an attempt to spy on the victims, steal personal information or credentials, or perhaps alter the conversation in some way.

MITM attacks are less common these days as most email and chat systems use end-to-end encryption which prevents third parties from tampering with the data that is transmitted across the network, regardless of whether the network is secure or not.

4. Distributed Denial-of-Service (DDoS) attack

A DDoS attack is where an attacker essentially floods a target server with traffic in an attempt to disrupt, and perhaps even bring down the target. However, unlike traditional denial-of-service attacks, which most sophisticated firewalls can detect and respond to, a DDoS attack is able to leverage multiple compromised devices to bombard the target with traffic.

5. SQL injection

SQL injection is a type of attack which is specific to SQL databases. SQL databases use SQL statements to query the data, and these statements are typically executed via an HTML form on a webpage. If the database permissions have not been set properly, the attacker may be able to exploit the HTML form to execute queries that will create, read, modify or delete the data stored in the database.

6. Zero-day exploit

A zero-day exploit is where cyber-criminals learn of a vulnerability that has been discovered in certain widely-used software applications and operating systems, and then target organizations who are using that software in order to exploit the vulnerability before a fix becomes available.

7. DNS Tunnelling

DNS tunnelling is a sophisticated attack vector that is designed to provide attackers with persistent access to a given target.

Since many organizations fail to monitor DNS traffic for malicious activity, attackers are able to insert or “tunnel” malware into DNS queries (DNS requests sent from the client to the server). The malware is used to create a persistent communication channel that most firewalls are unable to detect.
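
An added example, not part of the original document, of the kind of DNS monitoring the paragraph above says is often missing: it groups logged queries by base domain and flags domains whose subdomains are numerous, long and random-looking. The log format, the thresholds, the `.example` domains and the function names are assumptions made for the illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def flag_tunnel_candidates(queries, min_names=4, min_len=30, min_entropy=3.5):
    """queries: iterable of (client_ip, query_name). Thresholds are illustrative."""
    subdomains, clients = defaultdict(set), defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) <= 2:
            continue
        # Simplification: the last two labels stand in for the registered domain
        base = ".".join(labels[-2:])
        subdomains[base].add("".join(labels[:-2]))
        clients[base].add(client)
    flagged = {}
    for base, names in subdomains.items():
        avg_len = sum(len(n) for n in names) / len(names)
        avg_entropy = sum(shannon_entropy(n) for n in names) / len(names)
        if len(names) >= min_names and avg_len >= min_len and avg_entropy >= min_entropy:
            flagged[base] = {"unique_names": len(names), "avg_len": avg_len,
                             "clients": sorted(clients[base])}
    return flagged

def constructed_sample():
    # Constructed log, not real traffic: ordinary lookups plus long
    # base32 labels standing in for data carried inside query names.
    hosts = ("www", "mail", "api", "vpn", "intranet")
    benign = [("10.0.0.5", f"{h}.corp.example") for h in hosts]
    encoded = [base64.b32encode(hashlib.sha256(bytes([i])).digest())
               .decode().rstrip("=").lower() for i in range(6)]
    tunnelled = [("10.0.0.9", f"{e}.tunnel-demo.example") for e in encoded]
    return benign + tunnelled

if __name__ == "__main__":
    for domain, detail in flag_tunnel_candidates(constructed_sample()).items():
        print(domain, detail)
```

Only the domain receiving the long encoded labels is flagged, together with the internal client that sent the queries, which is the host to investigate.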

8. Business Email Compromise (BEC)

A BEC attack is where the attacker targets specific individuals, usually an employee who has the ability to authorize financial transactions, in order to trick them into transferring money into an account controlled by the attacker.

BEC attacks usually involve planning and research in order to be effective. For example, any information about the target organization’s executives, employees, customers, business partners and potential business partners will help the attacker convince the employee to hand over the funds.

BEC attacks are one of the most financially damaging forms of cyber-attack.

9. Cryptojacking

Cryptojacking is where cyber criminals compromise a user’s computer or device and use it to mine cryptocurrencies, such as Bitcoin. Cryptojacking is not as well-known as other attack vectors; however, it shouldn’t be underestimated.

Organizations don’t have great visibility when it comes to this type of attack, which means that a hacker could be using valuable network resources to mine a cryptocurrency without the organization having any knowledge of it.

Of course, leeching resources from a company network is far less problematic than stealing valuable data.

10. Drive-by Attack

A ‘drive-by-download’ attack is where an unsuspecting victim visits a website which in turn infects their device with malware. The website in question could be one that is directly controlled by the attacker, or one that has been compromised.

In some cases, the malware is served in content such as banners and advertisements. These days exploit kits are available which allow novice hackers to easily set up malicious websites or distribute malicious content through other means.

11. Cross-site scripting (XSS) attacks

Cross-site scripting attacks are quite similar to SQL injection attacks, although instead of extracting data from a database, they are typically used to infect other users who visit the site. A simple example would be the comments section on a webpage.

If the user input isn’t filtered before the comment is published, an attacker can publish a malicious script that is hidden in the page. When a user visits this page, the script will execute and either infect their device, or be used to steal cookies or perhaps even be used to extract the user’s credentials.

Alternatively, they may just redirect the user to a malicious website.
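
An added example, not part of the original document, of the comments-section case described above: the same comment rendered without filtering and with output escaping, plus a session cookie marked so that page scripts cannot read it. The template, the sample comment and the function names are constructed for the illustration.

```python
import html
from http.cookies import SimpleCookie

COMMENT_TEMPLATE = '<li class="comment"><b>{author}</b>: {body}</li>'

# Constructed comment containing markup, standing in for unfiltered user input
CONSTRUCTED_COMMENT = "Nice post <script>alert(1)</script>"

def render_unfiltered(author, body):
    # Vulnerable pattern: markup in the comment becomes part of the page,
    # so the browser of every visitor treats it as the site's own script.
    return COMMENT_TEMPLATE.format(author=author, body=body)

def render_escaped(author, body):
    # Hardened pattern: html.escape turns <, >, &, " and ' into entities,
    # so the comment is displayed as text instead of being executed.
    return COMMENT_TEMPLATE.format(author=html.escape(author),
                                   body=html.escape(body))

def session_cookie_header(value):
    # Second layer for the cookie-theft case: an HttpOnly cookie is not
    # exposed to scripts running in the page; Secure restricts it to HTTPS.
    cookie = SimpleCookie()
    cookie["session"] = value
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie["session"].OutputString()

if __name__ == "__main__":
    print("unfiltered:", render_unfiltered("visitor", CONSTRUCTED_COMMENT))
    print("escaped:   ", render_escaped("visitor", CONSTRUCTED_COMMENT))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```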

12. Password Attack

A password attack, as you may have already guessed, is a type of cyber-attack where an attacker tries to guess, or “crack” a user’s password. There are many different techniques for cracking a user’s password, although an explanation of these different techniques is beyond the scope of this article.

However, some examples include the Brute-Force attack, Dictionary attack, Rainbow Table attack, Credential Stuffing, Password Spraying and the Keylogger attack. And of course, attackers will often try to use Phishing techniques to obtain a user’s password.

13. Eavesdropping attack

Sometimes referred to as “snooping” or “sniffing”, an eavesdropping attack is where the attacker looks for unsecured network communications to intercept and access data that is being sent across the network. This is one of the reasons why employees are asked to use a VPN when accessing the company network from an unsecured public Wi-Fi hotspot.

14. AI-Powered Attacks

The use of Artificial Intelligence to launch sophisticated cyber-attacks is a daunting prospect, as we don’t yet know what such attacks will be capable of. The most notable AI-powered attack we’ve seen to date involved the use of AI-powered botnets which used slave machines to perform a huge DDoS attack. However, we’re likely to see much more sophisticated attack vectors to come.

AI-powered software is able to learn what kinds of approaches work best and adapt its attack methods accordingly. It can use intelligence feeds to quickly identify software vulnerabilities, as well as scan systems itself for potential vulnerabilities.

AI-generated text, audio and video will be used to impersonate company executives, which can be used to launch very convincing Phishing attacks. Unlike humans, AI-powered attacks can work around the clock. They are fast, efficient, affordable and adaptable.

15. IoT-Based Attacks

As it currently stands, IoT devices are generally less secure than most modern operating systems, and hackers are keen to exploit their vulnerabilities. As with AI, the internet-of-things is still a relatively new concept, and so we are yet to see what methods cyber-criminals will use to exploit IoT devices, and to what ends.

Perhaps hackers will target medical devices, security systems, smart thermometers, or perhaps they will seek to compromise IoT devices in order to launch large-scale DDoS attacks. I guess we will find out in the years to come.
