Dark Web Diaries (2): The many faces of cyberattacks

RTL Today
The second entry of the Dark Web Diaries focuses on the various cyberattacks that businesses and private citizens can encounter in their daily lives.

Picture a cybercriminal and you still might imagine someone in a mask breaking into bank vaults. The reality? Cybercriminals can use incredibly sophisticated methods, and attacks happen everywhere. In fact, they could even be targeting something in your home right now.

That is why it is critically important to learn as much as possible about the various types of cyberattacks – even if the sometimes obscure names can be intimidating to those less versed in the darker side of cyberspace.

“The public should understand cybersecurity terminology”, underlines Benoit Poletti, CEO of the INCERT digital security watchdog, with whom we discussed the various kinds of cyberattacks, from simple fraud to the most intricate approaches imaginable.

Access, control, and profit

In many instances, attacks are all about gaining the upper hand. One careless click can lead to identity theft or empty bank accounts – and this holds true for businesses as well as private individuals.

In the simplest of cases, it is social engineering rather than hacking technology that tricks people. Whether through fake invoices or clever emails, the goal stays the same: access, control, and profit.

Unsurprisingly, phishing still tops the list of cyberattacks. Scammers pretend to be companies you trust, your bank, Amazon, even your boss. They send messages designed to steal your passwords or credit card details. “Criminal organisations are creative, and their main goal is making money”, Poletti explains.

Ransomware attacks, a form of digital hostage-taking, are an extension of this approach. In such cases, software locks you out of your own files until you pay up, usually in cryptocurrency. “For businesses, these attacks can shut down operations overnight. For individuals, you might lose family photos or important documents forever”, Poletti warns.

However, not all attacks announce themselves. “Other tactics are more subtle”, Poletti notes. With an even more sophisticated hacking tool, cybercriminals can forego the digital hostage-taking altogether. “Keyloggers are spyware that secretly records every keystroke on your computer or phone”, Poletti explains. They capture everything you type – passwords, credit card numbers, private messages – without you ever knowing.

This of course makes it an equally dangerous attack for anyone with whom you communicate, in which case we speak of digital eavesdropping. Here’s how it works: hackers secretly slip between you and, say, your bank’s website. “A criminal could intercept communication between a customer and their bank, stealing login details while the user has no idea”, according to Poletti.

Another strategy employed by hackers is the distributed denial-of-service attack, often simply called a DDoS attack. It is a coordinated attempt to knock a website or online service offline by flooding it with more traffic than it can handle, typically using a so-called botnet of malware-infected devices spread across the internet. The surge overwhelms network bandwidth or server resources, causing slowdowns or outages for legitimate users. Imagine trying to get through a door while thousands of people push from behind – that is what happens to servers during a DDoS attack: they fall victim to complete digital gridlock.

Hiding digital tracks

However, digital liabilities are not always an external matter. Sometimes, danger comes from inside. Angry employees or careless contractors can steal data, leak secrets, or install malicious software, as Poletti warns: “These insider threats are among the hardest to detect, since they come from people with legitimate access.”

After stealing money, criminals need to hide their tracks – which very often means entering the world of cryptocurrencies. Digital money-laundering is usually done via crypto mixers, services that obscure the origin and destination of digital assets by pooling users’ coins and redistributing them in smaller, randomised batches, often through multiple wallets. Mixers are marketed as privacy tools but are also used to launder proceeds from hacks and ransomware attacks, shuffling digital currencies like a shell game and making it nearly impossible for investigators to follow the money trail.

The final installment in the Dark Web Diaries will cover some of the more curious cyberattacks that INCERT tracked here in Luxembourg.
