An exploit is a type of attack that takes advantage of software bugs or vulnerabilities, which cybercriminals use to gain unauthorized access to a system and its data. These vulnerabilities lie hidden within the code of the system and it’s a race between the criminals and the cybersecurity researchers to see who can find them first.
The criminals, on one hand, want to abuse the exploits while the researchers, conversely, want to report the exploits to the software manufacturers so the bugs can be patched. Commonly exploited software includes the operating system itself, Internet browsers, Adobe applications, and Microsoft Office applications. Cybercriminal groups sometimes package multiple exploits into automated exploit kits that make it easier for criminals with little to no technical knowledge to take advantage of exploits.
A SQL injection (SQLI) is a type of attack that exploits weaknesses in the SQL database management software of unsecure websites in order to get the website to spit out information from the database that it’s really not supposed to. Here’s how it works. A cybercriminal enters malicious code into the search field of a retail site, for example, where customers normally enter searches for things like “top rated wireless headphones” or “best-selling sneakers.”
Instead of returning with a list of headphones or sneakers, the website will give the hacker a list of customers and their credit card numbers. SQLI is one of the least sophisticated attacks to carry out, requiring minimal technical knowledge. Malwarebytes Labs ranked SQLI as number three in the The Top 5 Dumbest Cyber Threats that Work Anyway. Attackers can even use automated programs to carry out the attack for them. All they have to do is input the URL of the target site then sit back and relax while the software does the rest.
Spyware is a type of malware that infects your computer or network and steals information about you, your Internet usage, and any other valuable data it can get its hands on. You might install spyware as part of some seemingly benign download (aka bundleware). Alternatively, spyware can make its way onto your computer as a secondary infection via a Trojan like Emotet.
As reported on the Malwarebytes Labs blog, Emotet, TrickBot, and other banking Trojans have found new life as delivery tools for spyware and other types of malware. Once your system is infected, the spyware sends all your personal data back to the command and control (C&C) servers run by the cybercriminals.
Phishing attacks work by getting us to share sensitive information like our usernames and passwords, often against normal logic and reasoning, by using social engineering to manipulate our emotions, such as greed and fear. A typical phishing attack will start with an email spoofed, or faked, to look like it’s coming from a company you do business with or a trusted coworker. This email will contain aggressive or demanding language and require some sort of action, like verify payments or purchases you never made.
Clicking the supplied link will direct you to a malicious login page designed to capture your username and password. If you don’t have multi-factor authentication (MFA) enabled, the cybercriminals will have everything they need to hack into your account. While emails are the most common form of phishing attack, SMS text messages and social media messaging systems are also popular with scammers.
Broken or misconfigured access controls can make private parts of a given website public when they’re not supposed to be. For example, a website administrator at an online clothing retailer will make certain back-end folders within the website private, i.e. the folders containing sensitive data about customers and their payment information. However, the web admin might forget to make the related sub-folders private as well.
While these sub-folders might not be readily apparent to the average user, a cybercriminal using a few well-crafted Google searches could find those misconfigured folders and steal the data contained in them. Much like a burglar climbing right into a house through an open window, it doesn’t take a lot of skill to pull off this kind of cyberattack.
The criminals, on one hand, want to abuse the exploits while the researchers, conversely, want to report the exploits to the software manufacturers so the bugs can be patched. Commonly exploited software includes the operating system itself, Internet browsers, Adobe applications, and Microsoft Office applications. Cybercriminal groups sometimes package multiple exploits into automated exploit kits that make it easier for criminals with little to no technical knowledge to take advantage of exploits.
A SQL injection (SQLI) is a type of attack that exploits weaknesses in the SQL database management software of unsecure websites in order to get the website to spit out information from the database that it’s really not supposed to. Here’s how it works. A cybercriminal enters malicious code into the search field of a retail site, for example, where customers normally enter searches for things like “top rated wireless headphones” or “best-selling sneakers.”
Instead of returning with a list of headphones or sneakers, the website will give the hacker a list of customers and their credit card numbers. SQLI is one of the least sophisticated attacks to carry out, requiring minimal technical knowledge. Malwarebytes Labs ranked SQLI as number three in the The Top 5 Dumbest Cyber Threats that Work Anyway. Attackers can even use automated programs to carry out the attack for them. All they have to do is input the URL of the target site then sit back and relax while the software does the rest.
Spyware is a type of malware that infects your computer or network and steals information about you, your Internet usage, and any other valuable data it can get its hands on. You might install spyware as part of some seemingly benign download (aka bundleware). Alternatively, spyware can make its way onto your computer as a secondary infection via a Trojan like Emotet.
As reported on the Malwarebytes Labs blog, Emotet, TrickBot, and other banking Trojans have found new life as delivery tools for spyware and other types of malware. Once your system is infected, the spyware sends all your personal data back to the command and control (C&C) servers run by the cybercriminals.
Phishing attacks work by getting us to share sensitive information like our usernames and passwords, often against normal logic and reasoning, by using social engineering to manipulate our emotions, such as greed and fear. A typical phishing attack will start with an email spoofed, or faked, to look like it’s coming from a company you do business with or a trusted coworker. This email will contain aggressive or demanding language and require some sort of action, like verify payments or purchases you never made.
Clicking the supplied link will direct you to a malicious login page designed to capture your username and password. If you don’t have multi-factor authentication (MFA) enabled, the cybercriminals will have everything they need to hack into your account. While emails are the most common form of phishing attack, SMS text messages and social media messaging systems are also popular with scammers.
Broken or misconfigured access controls can make private parts of a given website public when they’re not supposed to be. For example, a website administrator at an online clothing retailer will make certain back-end folders within the website private, i.e. the folders containing sensitive data about customers and their payment information. However, the web admin might forget to make the related sub-folders private as well.
While these sub-folders might not be readily apparent to the average user, a cybercriminal using a few well-crafted Google searches could find those misconfigured folders and steal the data contained in them. Much like a burglar climbing right into a house through an open window, it doesn’t take a lot of skill to pull off this kind of cyberattack.