Even the best websites get hacked. As the technology for securing websites and applications gets better and better, hackers get more creative and aggressive in finding ways to steal what isn’t theirs. The bottom line for website owners is that their sites are at risk every day and an aggressive security posture is required to keep your assets safe.
Hackers mostly use one of two main ways to get access to your site—exploiting code vulnerabilities and stealing credentials of valid users. Taking advantage of code vulnerabilities takes specialized skills. So, while this still happens, it is not as popular as credential stealing.
Hackers would much rather use an easier and more reliable way to unlock a door into your site—taking over your users’ accounts. It is the most popular way to gain unauthorized access these days. According to the Verizon Data Breach Investigations Report (VDBIR), using stolen credentials has been the number one attack vector for web applications for the past two years.
Stealing credentials does not require as much technical skill as exploiting code vulnerabilities, and, depending on how well a website and its associated applications are secured, it does not even require a very sophisticated hacker. Believe it or not, these days, hackers can even rent the tools they need to break into a site.
Let’s look at what these criminals have up their sleeves, so you know what to protect against to reduce the likelihood of a breach.
Hackers’ favorite credential stealing tricks:
- Reusing passwords from credentials leaked on another site
- Brute force (aka, taking advantage of weak passwords)
- Phishing and social engineering
Reusing user names and passwords (known in the security business as credential stuffing) takes advantage of the fact that up to 50% of users use the same user names and passwords across sites. All a hacker has to do after getting hold of stolen user names and passwords (which is very easy on the dark web) is stuff them into your website using dedicated bot software or botnets to see if any of them work.
Credential stuffing works: Verizon notes that 63% of the confirmed breaches in 2015 involved “weak, default, or stolen passwords.”
Even when users do not reuse the same passwords, many still create simple passwords so they are easy to remember. Unfortunately, easy to remember for users is also easy to guess for hackers. With a little work, hackers can sometimes get a list of valid user names from a site that is improperly protected. Then they take these confirmed and valid user names and plug them into a bot, which then attempts to log in using known weak passwords.
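The two patterns just described, one source trying many different accounts (credential stuffing) and many failures piling up against one account (weak-password guessing), leave distinct fingerprints in an authentication log. The following Python is an added example, not code from the original article or from any product it refers to: it runs simple sliding-window detections over a constructed sample log. The log format (timestamp, source IP, username, result) and the thresholds are assumptions chosen for illustration, and the IP addresses are documentation ranges, not real sources.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed format:
# "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2016-09-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2016-09-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2016-09-01T10:00:03 203.0.113.7 carol LOGIN_FAIL
2016-09-01T10:00:04 203.0.113.7 dave LOGIN_OK
2016-09-01T10:00:05 203.0.113.7 erin LOGIN_FAIL
2016-09-01T10:00:06 203.0.113.7 frank LOGIN_FAIL
2016-09-01T10:01:00 198.51.100.4 alice LOGIN_FAIL
2016-09-01T10:01:05 198.51.100.4 alice LOGIN_FAIL
2016-09-01T10:01:10 198.51.100.4 alice LOGIN_FAIL
2016-09-01T10:01:15 198.51.100.4 alice LOGIN_FAIL
2016-09-01T10:01:20 198.51.100.4 alice LOGIN_FAIL
2016-09-01T10:30:00 192.0.2.9 grace LOGIN_FAIL
2016-09-01T10:30:20 192.0.2.9 grace LOGIN_OK
"""


def parse_log(text):
    """Turn log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that try many *different* usernames inside one window.

    Replaying a leaked credential list looks like this: one source, many
    accounts, mostly failures. Successful logins from a flagged source are
    reported as well, because those are the accounts a reused password just
    opened and the ones that need a password reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        triggered = False
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u, _ in attempts[start:end + 1]}) >= min_distinct_users:
                triggered = True
                break
        if triggered:
            findings[ip] = {
                "distinct_users": len({u for _, u, _ in attempts}),
                "compromised": sorted({u for _, u, ok in attempts if ok}),
            }
    return findings


def detect_password_guessing(events, window=timedelta(minutes=5), max_failures=5):
    """Flag usernames that accumulate many failures in one window.

    Counting per account rather than per source catches guessing that is
    spread across many bot IPs, which a per-IP rate limit alone would miss.
    """
    by_user = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_user[user].append((ts, ip))

    findings = {}
    for user, fails in by_user.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= max_failures:
                findings[user] = {
                    "failures": end - start + 1,
                    "sources": sorted({ip for _, ip in fails[start:end + 1]}),
                }
                break
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("password guessing:", detect_password_guessing(evs))
```

On the sample, the first detection flags 203.0.113.7 (six accounts tried in seconds, with dave's reused password letting one attempt through) and the second flags alice (five failures from two sources). In production the same two counters are usually fed into rate limiting and step-up authentication rather than only alerting; and because the guessing pattern in the article starts with a harvested list of valid user names, the login endpoint should return the same response and timing whether or not the username exists, so that a failed login does not confirm which accounts are real.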
Hackers like to take advantage of human behavior—people trust known businesses and individuals. So hackers try to trick people into sharing information by pretending to be someone a user trusts. These hackers (89% of which are organized crime syndicates, according to Verizon) send emails that look like they are from a legitimate and trusted business. They then request information or take a user to a fake site, skillfully designed to look like the business’s real website—where the user enters a name and password and, by doing so, unknowingly threatens the security of your entire site.
Phishing works: Verizon reports that 30% of phishing messages were opened by users across all campaigns and about 12% clicked on an attachment to “enable the attack to succeed.”
As you can see, hackers are dedicated to finding a way to get around your defenses. They exploit whatever weaknesses they can find in your users’ behavior and your website. To learn more about these vulnerabilities and some of the basic steps you can take to prevent hacking via stolen credentials, download the e-book: Account Takeover: How Hacking Happens in 2016.