Denial-of-service (DoS) attacks

A denial-of-service (DoS) attack is one in which an attacker intentionally attempts to either partially cripple or totally paralyze a computer or computer network by flooding it with large amounts of requests or data, which overload the target and make it incapable of responding properly to legitimate requests.

In many cases, the requests sent by the attacker are each, on their own, legitimate — for example, a normal request to load a web page. In other cases, the requests aren’t normal requests. Instead, they leverage knowledge of various protocols to send requests that optimize, or even magnify, the effect of the attack.

In any case, denial-of-service attacks work by overwhelming computer systems’ central processing units (CPUs) and/or memory, utilizing all the available network communications bandwidth, and/or exhausting networking infrastructure resources such as routers.

Distributed denial-of-service (DDoS) attacks

A distributed denial-of-service (DDoS) attack is a DoS attack in which many individual computers or other connected devices across disparate regions simultaneously flood the target with requests. In recent years, nearly all major denial-of-service attacks have been distributed in nature — and some have involved the use of Internet-connected cameras and other devices as attack vehicles, rather than classic computers. Figure 2-1 illustrates the anatomy of a simple DDoS attack.

The goal of a DDoS attack is to knock the victim offline, and the motivation for doing so varies.

Sometimes the goal is financial: Imagine, for example, the damage that may result to an online retailer’s business if an unscrupulous competitor knocked the former’s site offline during Black Friday weekend. Imagine a crook who shorts the stock of a major retailer of toys right before launching a DDoS attack against the retailer two weeks before Christmas.

DDoS attacks remain a serious and growing threat. Criminal enterprises even offer DDoS for hire services, which are advertised on the dark web as offering, for a fee, to “take your competitor’s websites offline in a cost-effective manner.”

In some cases, DDoS launchers may have political, rather than financial, motives. For example, corrupt politicians may seek to have their opponents’ websites taken down during an election season, thereby reducing the competitors’ abilities to spread messages and receive online campaign contributions. Hacktivists may also launch DDoS attacks in order to take down sites in the name of “justice” — for example, targeting law enforcement sites after an unarmed person is killed during an altercation with police.

In fact, according to a 2017 study by Kaspersky Lab and B2B International, almost half of companies worldwide that experienced a DDoS attack suspect that their competitors may have been involved.

DDoS attacks can impact individuals in three significant ways:

• A DDoS attack on a local network can significantly slow down all Internet access from that network. Sometimes these attacks make connectivity so slow that connections to sites fail due to session timeout settings, meaning that the systems terminate the connections after seeing requests take longer to elicit responses than some maximum permissible threshold.

• A DDoS attack can render inaccessible a site that a person plans on using. On October 21, 2016, for example, many users were unable to reach several high-profile sites, including Twitter, PayPal, CNN, HBO Now, The Guardian, and dozens of other popular sites, due to a massive DDoS attack launched against a third party providing various technical services for these sites and many more.

  The possibility of DDoS attacks is one of the reasons that you should never wait until the last minute to perform an online banking transaction — the site that you need to utilize may be inaccessible for a number of reasons, one of which is an ongoing DDoS attack.

• A DDoS attack can lead users to obtain information from one site instead of another. By making one site unavailable, Internet users looking for specific information are likely to obtain it from another site — a phenomenon that allows attackers to either spread misinformation or prevent people from hearing certain information or vantage points on important issues. As such, DDoS attacks can be used as an effective mechanism — at least over the short term — for censoring opposing points of view.

Botnets and zombies

Often, DDoS attacks use what are known as botnets. Botnets are a collection of compromised computers that belong to other parties, but that a hacker remotely controls and uses to perform tasks without the legitimate owners’ knowledge.

Criminals who successfully infect one million computers with malware can, for example, potentially use those machines, known as zombies, to simultaneously make many requests from a single server or server farm in an attempt to overload the target with traffic.

Data destruction attacks

Sometimes attackers want to do more than take a party temporarily offline by overwhelming it with requests — they may want to damage the victim by destroying or corrupting the target’s information and/or information systems. A criminal may seek to destroy a user’s data through a data destruction attack — for example, if the user refuses to pay a ransomware ransom that the crook demands. Of course, all the reasons for launching DDoS attacks (see preceding section) are also reasons that a hacker may attempt to destroy someone’s data as well.

Wiper attacks are advanced data destruction attacks in which a criminal uses malware to wipe the data on a victim’s hard drive or SSD, in such a fashion that the data is difficult or impossible to recover.

To put it simply, unless the victim has backups, someone whose computer is wiped by a wiper is likely to lose access to all the data and software that was previously stored on the attacked device.

Phishing

Phishing refers to an attempt to convince a person to take some action by impersonating a trustworthy party that reasonably may legitimately ask the user to take such action.

For example, a criminal may send an email that appears to have been sent by a major bank and that asks recipients to click on a link in order to reset their passwords due to a possible data breach. When users click the link, they are directed to a website that appears to belong to the bank, but is actually a replica run by the criminal. As such, the criminal uses the fraudulent website to collect usernames and passwords to the banking site.

While phishing attacks have been around for many years, they show no signs of going away. Some experts believe that a majority of medium- and large-sized businesses in the United States now suffer some form of successful phishing attack every year.

Spear phishing

Spear phishing refers to phishing attacks that are designed and sent to target a specific person, business, or organization. If a criminal seeks to obtain credentials into a specific company’s email system, for example, the attacker may send emails crafted specifically for particular targeted individuals within the organization. Often, criminals who spear phish research their targets online and leverage overshared information on social media in order to craft especially legitimate-sounding emails.

For example, the following type of email is typically a lot more convincing than, “Please login to the mail server and reset your password”:

Hi, I am going to be getting on my flight in ten minutes. Can you please log in to the Exchange server and check when my meeting is? For some reason, I cannot get in. You can try to call me by phone first for security reasons, but if you miss me, just go ahead, check the information, and email it to me — as you know that I am getting on a flight that is about to take off.

CEO fraud

CEO fraud is similar to spear phishing (see preceding section) in that it involves a criminal impersonating the CEO or other senior executive of a particular business, but the instructions provided by “the CEO” may be to take an action directly, not to log in to a system, and the goal may not be to capture usernames and passwords or the like.

The crook, for example, may send an email to the firm’s CFO with instructions to issue a wire payment to a particular new vendor or to send all the organization’s W2 forms for the year to a particular email address belonging to the firm’s accountant.

CEO fraud often nets significant returns for criminals and makes employees who fall for the scams appear incompetent. As a result, people who fall prey to such scams are often fired from their jobs. CEO fraud increased during the COVID-19 pandemic as people worked from home and were unable to verify the veracity of communications with as much ease as they could prior to the arrival of the novel coronavirus.

Smishing

Smishing refers to cases of phishing in which the attackers deliver their messages via text messages (SMS) rather than email. The goal may be to capture usernames and passwords or to trick the user into installing malware.

Vishing

Vishing, or voice-based phishing, is phishing via POTS — that stands for “plain old telephone service.” Yes, criminals use old, time-tested methods for scamming people. Today, most such calls are transmitted by Voice over Internet Protocol (VoIP) systems, but in the end, the scammers are calling people on regular telephones much the same way that scammers have been doing for decades.

Pharming

Pharming refers to attacks that present much like typical phishing attacks, but exploit different technical vulnerabilities in Internet-based routing in order to do so. Like phishing attacks, pharming attacks involve impersonating a trustworthy party that may legitimately ask the would-be victim to take some particular action. However, in pharming attacks, this is achieved not by tricking users into taking an action that brings them to a rogue clone of a legitimate website, but rather by poisoning routing tables and other network infrastructure so that any user who clicks a link to the legitimate website, or even enters the legitimate website’s URL into a browser, will be routed to a criminal’s clone.

Whaling: Going for the “big fish”

Whaling refers to spear phishing that targets high-profile business executives or government officials. (I know that whales are mammals and not fish, but this is about phishing not fishing.) For more on spear phishing, see the section earlier in this chapter.

Man-in-the-middle attacks

One special type of interception is known as a man-in-the-middle attack. In this type of an attack, the interceptor proxies the data between the sender and recipient in an attempt to disguise the fact that the data is being intercepted. Proxying in such a case refers to the man-in-the-middle intercepting requests and then transmitting them (either in modified form or unmodified) to their original intended destinations and then receiving the responses from those destination and transmitting them (in modified form or unmodified) back to the sender. By employing proxying, the man-in-the-middle makes it difficult for senders to know that their communications are being intercepted because when they communicate with a server, they receive the responses they expect.

For example, a criminal may set up a bogus bank site (see the earlier “Phishing” section) and relay any information that anyone enters on the bogus site to the actual bank site so that the criminal can respond with the same information that the legitimate bank would have sent. Proxying of this sort not only helps criminals avoid detection — users who provide the crook with their password and then perform their normal online banking tasks may have no idea that anything abnormal occurred during the online banking session — but also helps the criminals ensure that they capture the right password. If a user enters an incorrect password, the criminal will know to prompt for the correct one.

Figure 2-2 shows the anatomy of a man-in-the-middle intercepting and relaying communications.

Personal data theft

Criminals often try to steal people’s data in the hope of finding items that they can monetize, including:

• Data that can be used for identity theft or sold to identity thieves
• Compromising photos or health-related data that may be sellable or used as part of blackmail schemes
• Information that is stolen and then erased from the user’s machine that can be ransomed to the user
• Password lists that can be used for breaching other systems
• Confidential information about work-related matters that may be used to make illegal stock trades based on insider information
• Information about upcoming travel plans that may be used to plan robberies of the victim’s home

Business data theft

Criminals can use data stolen from businesses for a number of nefarious purposes:

• Making stock trades: Similar to the criminals mentioned earlier in this chapter who tamper with data in order to manipulate financial markets, criminals may also seek to steal data in order to have advance knowledge of how a particular business’s current and yet unreported quarter is going. They then use that insider information to illegally trade stocks or options, thereby potentially making a significant profit.
• Selling data to unscrupulous competitors: Criminals who steal sales pipeline information, documents containing details of future products, or other sensitive information can sell that data to unscrupulous competitors or to unscrupulous employees working at competitors whose management may never find out how such employees suddenly improved their performance.
• Leaking data to the media: Sensitive data can embarrass the victim and cause its stock to decline (perhaps after selling short some shares).
• Leaking data covered by privacy regulations: The victim may be potentially fined.
• Recruiting employees: By recruiting employees or selling the information to other firms looking to hire employees with similar skills or with knowledge of competitions’ systems, criminals who steal emails and discover communication between employees that indicates that one or more employees are unhappy in their current positions can sell that information to parties looking to hire.
• Stealing and using intellectual property: Parties that steal the source code for computer software may be able to avoid paying licensing fees to the software’s rightful owner. Parties that steal design documents created by others after extensive research and development can easily save millions of dollars — and, sometimes, even billions of dollars — in research and development costs. For more on the effects of this type of theft, see the nearby sidebar “How a cyberbreach cost one company $1 billion without 1 cent being stolen.”

Data exfiltration

Data exfiltration is a somewhat complicated term for a simple concept, and refers to situations in which a party, through the use of malware or other automated means, or by manually issuing commands to a remote computer, causes data to be transferred without authorization from some information system or repository to somewhere else.

Anytime you hear of a data breach in which sensitive data has been copied by criminals, that is an example of data exfiltration. Depending on what data leaks and from whom, data exfiltration can easily harm the confidence of a business’s customers, reduce trust in a government entity, undermine the confidentiality of proprietary information, and/or undermine national security.

Compromised credentials

Compromised credentials refers to account authentication information that someone else other than you is privy to, such as your username and/or password. Abusing compromised credentials almost always refers to situations in which a criminal uses a login and password combination that was obtained from one cybersecurity breach in order to gain unauthorized access to a system and carry out another cybersecurity breach. Such attacks with compromised credentials are common, as criminals know that people commonly reuse login username/password combinations.

Likewise, use by a rogue employee of another employee’s credentials for any nefarious purpose (and even for most non-nefarious purposes) is also an example of such an attack.

Forced policy violations

Any attack in which a user or device is forced to violate cybersecurity policies is considered a forced policy violation attack.

Viruses

Computer viruses are instances of malware that, when executed, replicate by inserting their own code into computer systems. Typically, the insertion is in data files (for example, as rogue macros within a Word document), the special portion of hard drives or solid state drives that contain the code and data used to boot a computer or disk (also known as boot sectors), or other computer programs.

Like biological viruses, computer viruses can spread like wildfire, but they cannot spread without having hosts to infect. Some computer viruses significantly impact the performance of their hosts, while others are, at least at times, hardly noticeable.

While computer viruses still inflict tremendous damage worldwide, the majority of serious malware threats today arrive in the form of worms and Trojans.

Worms

Computer worms are stand-alone pieces of malware that replicate themselves without the need for hosts in order to spread. Worms often propagate over connections by exploiting security vulnerabilities on target computers and networks. Because they normally consume network bandwidth, worms can inflict harm even without modifying systems or stealing data. They can slow down network connections — and few people, if any, like to see their internal and Internet connections slow down.

Trojans

Trojans (appropriately named after the historical Trojan horse) is malware that is either disguised as nonmalicious software or hidden within a legitimate, nonmalicious application or piece of digital data.

Trojans are most often spread by some form of social engineering — for example, by tricking people into clicking on a link, installing an app, or running some email attachment. Unlike viruses and worms, Trojans typically don’t self-propagate using technology — instead, they rely on the effort (or more accurately, the mistakes) of humans.

Ransomware

Ransomware is malware that demands that a ransom be paid to some criminal in exchange for the infected party not suffering some harm. Ransomware often encrypts user files and threatens to delete the encryption key if a ransom isn’t paid within some relatively short period of time, but other forms of ransomware involve a criminal actually stealing user data and threatening to publish it online if a ransom is not paid.

Some ransomware actually steals the files from users’ computers, rather than simply encrypting data, so as to ensure that users have no possible way to recover their data (for example, using an anti-ransomware utility) without paying the ransom.

Ransomware is most often delivered to victims as a Trojan or a virus, but has also been successfully spread by criminals who packaged it in a worm. In recent years sophisticated criminals have even crafted targeted ransomware campaigns that leverage knowledge about what data is most valuable to a particular target and how much that target can afford to pay in ransoms.

Figure 2-3 shows the ransom demand screen of WannaCry — a flavor of ransomware that inflicted at least hundreds of millions of dollars in damage (if not billions), after initially spreading in May 2017. Many security experts believe that the North Korean government or others working for it created WannaCry, which, within four days infected hundreds of thousands of computers in about 150 countries.

Since publication of the first edition of this book, ransomware has both emerged as one of the largest sources of financial losses due to cyberattacks for American businesses, as well as led to interruptions in the life of ordinary civilians. For example, in 2021, ransomware attacks on an American fuel pipeline operator led to shortages of gas and price increases, and attacks on a meat processing facility led to shortages of meat in some locations (see Chapter 21).

Scareware

Scareware is malware that scares people into taking some action. One common example is malware that scares people into buying security software. A message appears on a device that the device is infected with some virus that only a particular security package can remove, with a link to purchase that “security software.” This topic is also explored in the discussion about fake malware later in this chapter.

Spyware

Spyware is software that surreptitiously, and without permission, collects information from a device. Spyware may capture a user’s keystrokes (in which case it is called a keylogger), video from a video camera, audio from a microphone, screen images, and so on.

It is important to understand the difference between spyware and invasive programs. Some technologies that may technically be considered spyware if users had not been told that they were being tracked online are in use by legitimate businesses; they may be invasive, but they are not malware. These types of nonspyware that also spies includes beacons that check whether a user loaded a particular web page and tracking cookies installed by websites or apps. Some experts have argued that any software that tracks a smartphone’s location while the app is not being actively used by the device’s user also falls into the category of nonspyware that also spies — a definition that would include popular apps, such as Uber.

Cryptocurrency miners

Cryptocurrency miners, or cryptominers, are malware that, without any permission from devices’ owners, commandeers infected devices’ brainpower (its CPU cycles) to generate new units of a particular cryptocurrency (which the malware gives to the criminals operating the malware) by completing complex math problems that require significant processing power to solve.

The proliferation of cryptocurrency miners exploded in 2017 with the rise of cryptocurrency values. Even after price levels subsequently dropped, the miners are still ubiquitous as once criminals have invested in creating the miners, there is little cost in continuing to deploy them. Not surprisingly, as cryptocurrency prices began to rise again in 2019, new strains of cryptominers began to appear as well — some of which specifically target Android smartphones.

Many low-end cybercriminals favor using cryptominers. Even if each miner, on its own, pays the attacker very little, miners are easy to obtain and directly monetize cyberattacks without the need for extra steps (such as collecting a ransom) or the need for sophisticated command and control systems.

Adware

Adware is software that generates revenue for the party operating it by displaying online advertisements on a device. Adware may be malware — that is, installed and run without the permission of a device’s owner — or it may be a legitimate component of software (for example, installed knowingly by users as part of some free, ad-supported package).

Some security professionals refer to the former as adware malware, and the latter as adware. Because no consensus exists, it’s best to clarify which of the two is being discussed when you hear someone mention just the generic term adware.

Blended malware

Blended malware is malware that utilizes multiple types of malware technology as part of an attack — for example, combining features of Trojans, worms, and viruses.

Blended malware can be quite sophisticated and often stems from skilled attackers.

Zero-day malware

Zero-day malware is any malware that exploits a vulnerability not previously known to the public or to the vendor of the technology containing the vulnerability, and is, as such, often extremely potent.

Regularly creating zero-day malware requires significant resource and development. It’s quite expensive and is often crafted by the cyber armies of nation states rather than by other hackers.

Commercial purveyors of zero day malware have been known to charge over $1 million for a single exploit.

Fake malware on computers

Ironically, some attackers don’t even bother to actually hack computers. Instead, they just send messages to would-be victims that the would-be victims’ computers are infected and that to re-secure the device the intended victims must pay some fee or purchase some security software. Sometimes criminals are able to display messages to such an effect in a pop-up window, and sometimes they keep things simple, and just send the messages via email.

Fake malware on mobile devices

Fake malware may be even more common on mobile devices than on laptops and other computers. For various technical reasons, it is harder to hack mobile devices, so many criminals go for the “low hanging fruit” and just pretend to have compromised devices in order to get would-be victims to pay up. There are even flavors of “mobile device ransomware” that display ransomware-type demands without ever having encrypted anything on the mobile device.

Fake security subscription renewal notifications

A type of social-engineering attack that exploits people’s desire to remain cybersecure (and that I have included in the malware section because it is directly related to protection against malware), is fake “renewal notices” from anti-malware product vendors. Email that says one’s security software subscription is expiring and asks users to click a link (don’t do it!) or to otherwise submit payment for a renewal, can closely parallel their legitimate counterparts. This sort of attack has become extremely common during the COVID-19 pandemic era during which many people worked from home and, more often than ever before, were responsible for making sure they had current security software subscriptions.

Drive-by downloads

Drive-by downloads is somewhat of a euphemism that refers to software that users download without understanding what they are doing. A drive-by download may occur, for example, if users download malware by going to a poisoned website that automatically sends the malware to the users’ device when they open the site.

Drive-by downloads also include cases in which users know that they are downloading software, but is not aware of the full consequences of doing so. For example, if a user is presented with a web page that says that a security vulnerability is present on their computer and that tells the user to click on a button that says “Download to install a security patch,” the user has provided authorization for the (malicious) download — but only because the user was tricked into believing that the nature of the download was far different than it truly is.

Stealing passwords

Criminals can steal passwords many different ways. Two common methods include

• Thefts of password databases: If a criminal steals a password database from an online store, anyone whose password appears in the database is at risk of having their password compromised. (If the store properly encrypted its passwords, it may take time for the criminal to perform what is known as a hash attack, but nonetheless, passwords — especially those that are likely to be tested early on — may still be at risk. To date, stealing passwords is the most common way that passwords are undermined.
• Social engineering attacks: Social engineering attacks are attacks in which a criminal tricks people into doing something they would not have done had they realized that the person making the request was tricking them in some way. One example of stealing a password via social engineering is when a criminal pretends to be a member of the target’s tech support department and tells the target that the target must reset a particular password to a particular value to have the associated account tested as is needed after the recovery from some breach, and the target obeys. (For more information, see the earlier section on phishing.)
• Credential attacks: Credential attacks are attacks that seek to gain entry into a system by entering, without authorization, a valid username and password combination (or other authentication information as needed). These attacks fall into four primary categories:
  • Brute force: Criminals use automated tools that try all possible passwords until they hit the correct one.
  • Dictionary attacks: Criminals use automated tools to feed every word in the dictionary to a site until they hit the correct one.
  • Calculated attacks: Criminals leverage information about a target to guess the target’s password. Criminals may, for example, try someone’s mother’s maiden name because they can easily garner it for many people by looking at the most common last names of their Facebook friends or from posts on social media. (A Facebook post of “Happy Mother’s Day to my wonderful mother!” that includes a user tag to a woman with a different last name than the user is a good giveaway.)
  • Blended attacks: Some attacks leverage a mix of the preceding techniques — for example, utilizing a list of common last names, or performing a brute force attack technology that dramatically improves its efficiency by leveraging knowledge about how users often form passwords.
• Malware: If crooks manage to get malware onto someone’s device, it may capture passwords. (For more details, see the section on malware, earlier in this chapter.)
• Network sniffing: If users transmit their password to a site without proper encryption while using a public Wi-Fi network, a criminal using the same network may be able to see that password in transit — as can potentially other criminals connected to networks along the path from the user to the site in question.
• Credential stuffing: In credential stuffing, someone attempts to log in to one site using usernames and passwords combinations stolen from another site.

Opportunistic attacks

The goal of most opportunistic attacks is usually to make money — which is why the attackers don’t care whose systems they breach; money is the same regardless of whose systems are breached in order to make it.

Furthermore, in many cases, opportunistic attackers may not care about hiding the fact that a breach occurred — especially after they’ve had time to monetize the breach, for example, by selling lists of passwords or credit card numbers that they stole.

While not all opportunistic attacks are advanced, some certainly are. Opportunistic attacks are quite different than targeted attacks.

Targeted attacks

When it comes to targeted attacks, successfully breaching any systems not on the target list isn’t considered even a minor success.

For example, if a Russian operative is assigned the mission to hack into the Democratic and Republican parties’ email systems and steal copies of all the email on the parties’ email servers, the mission is going to be deemed a success only if the operative achieves those exact aims. If the operative manages to steal $1 million from an online bank using the same hacking techniques that were directed at the targets, it will not change a failure to breach the intended targets into even a small success. Likewise, if the goal of an attacker launching a targeted attack is to take down the website of a former employer the attacker had issues with, taking down other websites doesn’t accomplish anything in the attacker’s mind.

Because such attackers need to breach their targets no matter how well defended those parties may be, targeted attacks often utilize advanced attack methods — for example, exploiting vulnerabilities not known to the public or to the vendors who would need to fix them.

As you may surmise, advanced targeted attacks are typically carried out by parties with much greater technical prowess than those who carry out opportunistic attacks. Often, but not always, the goal of targeted attacks is to steal data undetected or to inflict serious damage — not to make money. After all, if one’s goal is to make money, why expend resources targeting a well-defended site? Take an opportunistic approach and go after the most poorly defended, relevant sites.

Some advanced threats that are used in targeted attacks are described as advanced persistent threats (APTs):

• Advanced: Uses advanced hacking techniques, likely with a major budget to support R&D
• Persistent: Keeps trying different techniques to breach a targeted system and won’t move on to target some other system just because the initial target is well protected
• Threat: Has the potential to inflict serious damage

Blended (opportunistic and targeted) attacks

Another type of advanced attack is the opportunistic, semi-targeted attack. If criminals want to steal credit card numbers, for example, they may not care whether they successfully steal an equivalent number of active numbers from Best Buy, Walmart, or Barnes & Noble. All that the criminals likely care about is obtaining credit card numbers — from whom the numbers are pilfered isn’t relevant.

At the same time, launching attacks against sites that don’t have credit card data is a waste of the attacker’s time and resources.

Rootkits

Rootkits are software toolsets that allow attackers to perform unauthorized activities at a privileged level on a compromised computer. (“Root” refers to the administrator account on UNIX systems.) Rootkits typically also contain features that seek to ensure that the attacker maintains access while that access remains secret from the authorized user or users of the compromised device.

Brute-force attacks

Brute-force attacks are simply attacks in which an attacker tries many possible values until the tools the attacker is using guess the correct value. A brute-force attack, for example, might consist of an attacker trying to log in to a user’s account by trying every possible password combination until the attacker (or the attacker’s brute-force attack tool, as the case may be) submits the correct one. Or the attacker may try different decryption keys until successfully decrypting an encrypted message.

Injection attacks

Injection attacks are attacks in which a system is expecting some sort of input from a user, but instead of submitting such input, an attacker submits malicious material such as code, which the receiving system then either executes or distributes to others to execute. Even though proper coding of applications can, at least in theory, prevent most forms of injection attacks, the reality is that many (if not most) systems remain vulnerable to such attacks, and as a result, injection attacks are an extremely commonly used tool within hacker arsenals.

Session hijacking

Session hijacking refers to situations in which an attacker takes over the communications session between two or more parties. For example, during an online baking session, if an attacker is able to come between the user and the user’s bank in such a fashion that the bank continues its session with the attacker rather than with the legitimate user, that would be an example of a successful session hijacking attack.

In a session hijacking situation, the attacker effectively becomes the authenticated and authorized user as far as the other party is concerned, and the attacker can do anything on the relevant system that the legitimate user would have been authorized to do. Session hijacking often occurs when session management is mishandled by an application, especially in cases in which trust that communications are from a particular session with a particular user is established through technical mechanisms that should not be trusted for such purposes.

Malformed URL attacks

Malformed URL attacks are attacks in which an attacker crafts a URL that appears to link to a particular legitimate website, but because of special characters utilized within the URL text, actually does something nefarious. The attacker may then distribute the nefarious URL in email and text messages and/or by posting it within a comment on a blog or via other social media.

Another form of malformed URL attack is an attack in which an attacker crafts a URL that contains elements within it that will cause a system being accessed to malfunction.

Buffer overflow attacks

Buffer overflow attacks are attacks in which an attacker submits data to a system that exceeds the storage capacity of the memory buffer in which that data is supposed to be stored, thereby causing the system to overwrite other memory with the data the user submitted. Carefully crafted buffer overflow input by an attacker, for example, could overwrite memory space in which the system is storing commands that it will execute per the instructions of its authorized user — perhaps even replacing such commands with commands the attacker wants the system to execute.