How Do Hackers Hack?

Denial of Service (DoS / DDoS)

Some of the more common "hacks" as reported in the press aren't strictly speaking hacks at all, in that they don't involve gaining access to a website. We're talking here about "Denial of Service" attacks (or DoS for short) which simply aim to stop websites from working.

Criminals like to do this either for fun (yes, some people regard this as fun!), or to blackmail the website owners into paying a ransom to stop the attack.

There are different ways in which this can be done, but the most common is to simply recruit an army of PCs to overwhelm the site with huge amounts of website visits until it can't cope and falls over. Because the attack is distributed across thousands of computers all working together, you may sometimes hear the term "Distributed Denial of Service" (or 'DDoS' for short).

The PCs doing this are normally owned by innocent users like you & me, who've unwittingly got a virus on our machine that grants control of them to the attacker (you may not even notice it if your computer is one of these). Together this network of zombie PCs are known as "botnets" - there's even a whole underground market in renting these out to other criminals.

Credit card and password theft

Stealing customer data (such as passwords & credit cards) is perhaps the most common objective of hackers today. There are many ways that this can be done, with some of the more common methods explained below.

SQL injection

Whenever you type something into a website such as your name, address, or credit card number, then this should normally just be stored in a database. Sounds simple enough, huh?

But because of the way websites work, certain sequences of characters can instead trick the website into interpreting whatever is typed as an instruction, allowing hackers to take over and control the website. This is known as "SQL Injection" ("SQL" is a type of computer code).

The attackers may then exploit this to display all the usernames & passwords the website has, they may use it to steal all stored credit card details, or they could even delete all of the website's files and stop it from working (another form of Denial of Service!).

By the way, SQL injection (indeed, any form of hacking) is illegal so don't start experimenting - even attempting it can land you in jail! If you're curious about it and want to learn more (so that you can defend against it if you run your own website) then there are plenty of resources available.

Other website weaknesses

Websites can be incredibly complicated these days, with huge amounts of computer code running them. With this complexity can come vulnerabilities.

As well as the SQL Injection mentioned above, there are many other different categories of common website attacks. These all effectively involve interacting with and maniplating the website in ways for which it wasn't designed, often leading to unexpected results. It could, for example, involve:

• Manipulating the web address slightly;
• Finding a weakness in how a user's identity is verified during the login process;
• Finding hidden data that wasn't meant to be public;

A flaw in how Facebook implemented the "View As" feature, revealed in 2018, reportedly would have allowed anyone to take control of anyone else's Facebook account. Given that Facebook is commonly used as a means of logging in to other websites, this means accounts on those websites could also have been affected too.

Attackers can also target the systems that run the website. In 2017 the US credit reference agency Equifax failed to keep software up to date, allowing hackers access to steal the credit files of over 140 million individuals.

The excellent OWASP website periodically publish their "Top 10" list of website weaknesses - if you're technically minded (and it is technical) then this is a really interesting read.

Phishing

Whilst website attacks such as SQL injection can be used to steal large amounts of data in one go, they can require a bit of skill and patience to pull off (especially if the site being targetted has some basic defences in place). Instead, it can be easier for hackers to try a phishing attack.

This is where the criminal will create a realistic copy of a genuine website, such as a popular bank, and send a spoofed email to millions of people with a link to the site. If any user follows the link & logs in, then the attackers can simply grab their username and password as they type it. Often these sites then silently redirect the victim to the real site so they don't suspect anything is wrong.

Supply chain compromise

If a hacker is struggling to attack a company they're targetting, then how about finding another weak spot - namely a supplier?

It's not uncommon for criminals to target the supply chain as a route into a company. This is how hackers got the credit card details of 40 million Target customers in 2013, how they got the data of 21,000 TalkTalk customers in 2015, and how the originators of the "NotPetya" ransomware got it onto their target's computer systems.

Websites can also be attacked this way, with hackers sometimes targetting the externally supplied code that many modern sites rely on. In 2018, for example, criminals stole the credit card details of thousands of Ticketmaster customers after managing to hack one of Ticketmaster's suppliers and change some of the code that their website relied on.

Website defacement

A less common form of hacking these days is to deface a website - in other words, to change the content to show whatever the hacker wants.

This type of attack was common in the early days of the internet when people would do this for fun, but it happens much less frequently now. When it does it's normally due to activists who are trying to make a political point against a company or organisation.

There's several ways in which this can be done.

Directory traversal

In order to be able to change a website's homepage hackers need to gain access to the files that run the website. Years ago this was ridiculously easy; all you had to do was to type certain characters into the web address in an attack known as "Directory traversal". This gave attackers access to where the files were stored, which they could then simply swap out for ones of their own.

This type of attack worked because of a weakness in the most popular software than ran websites at the time (this has long since been fixed!).

Don't try this attack on any website though; it could land you in court!

Website management tools

A more modern method of getting access to a website's files is to take advantage of any website management facilities that might be set up, for example if there's an administrative page (often hidden from normal users like us) where a hacker could try breaking the password to login. The hacker may also try to login to the hosting service where the raw website files are stored; this login will be on a different website altogether.

Redirection

Alternatively a hacker may not even have to change the actual website itself - they could instead just send the user to a fake website without them knowing it.

This can be done because web addresses tell your computer where to find a website. If a hacker can change where the address points to (computers use something called a "DNS record" to look the location of websites up) then users could be sent to a site that's under the control of a hacker instead. It's a bit like a criminal convincing the postal service that your address points to their house, meaning they'd receive all your post instead of you.

In 2011 the UK's Sun newspaper was hit with this type of attack with visitors being presented with fake headlines about the "death" of the newspaper's owner Rupert Murdoch. In January 2015 this technique was also used by hackers to show, to anyone trying to visit the Malaysian Airlines website, a tasteless "404 Plane Not Found" error page - a combined reference of the missing MH370 flight and a technical error code for missing webpages known as 404.

Theft of company secrets

Another common goal of hackers is to steal data from companies, such as the hi-tech designs of new products, or sensitive financial information that can be used to profit on the stock exchange.

Viruses

Companies with highly sensitive data will often invest heavily in security, so the effort needed by the hacker to get at these secrets can be high. If the prize is valuable enough then viruses might be custom written for the job, with many attacks being well researched and highly targeted.

A common way to get any viruses onto the victim's computer systems is through targeted email phishing attempts (known as "spear phishing"). The attackers will create genuine looking emails aimed at an individual which are more likely to be opened, for example sending a HR related email to a specific person in HR. The attachment will then launch the virus when it's opened. The security company RSA were famously hit this way in 2010.

Social Engineering

Another highly specialist method involves social engineering (or in other words, the manipulation of people). This uses human psychology against us, often taking advantage of people's inherent desire to be friendly, trusting, and helpful.

Social Engineering can take many forms, with the criminals for example:

• Pretending to be an employee who's forgotten their staff pass and needs a new one;
• Phoning the CEO's secretary, pretending to be from the IT help desk and investigating a problem with the CEO's computer;
• Befriending the company's staff in the pub, persuading them to unwittingly reveal secrets.
• Posing as a supplier and talking their way into the building, where they then just walk around unchallenged (how often do you challenge strangers in your office, or check staff badges?)

This sounds like the stuff of Hollywood movies or government espionage, but don't think it's just restricted to them! If you're interested in this area then take a look at the fascinating books by Kevin Mitnick, a famous social engineer in the 80's and 90's.

Even Phishing emails are a form of social engineering, with the attacker using human psychology techniques to try and persuade us to open their emails.

Insider threat

What could be an easier way of getting company secrets than getting them from people who already have access, ie trusted employees? There have been numerous cases of theft by insiders over the years, with motivations ranging from disgruntlement through to simple financial greed.

Perhaps the most famous recent case is that of Edward Snowdon who stole millions of classified US documents by simply downloading them to a USB stick and walking out of the door. It's not necessarily just about data theft either - a suspended engineer with the Canadian Pacific Railroad sabotaged their systems in retaliation for (in his opinion) being treated badly.

Network attacks

Whilst a company's website seems like an obvious target to attack, sometimes a more technical attack against the company's internal network can be carried out. These use highly advanced methods to punch through the company's firewall (a firewall is a device that separates a company from the internet) and allow the hacker to access the internal network. Once there they might do a quick smash and grab, or (more commonly) stay on the network for months gradually learning and taking what they need.

These types of attack take a lot of skill and are often reserved for highly motivated organised criminals or nation states.