The most common types of hacking on the internet
When hackers set out to attack individuals or organizations, they have a broad selection of hacking techniques, tools, and technical expertise at their disposal. By learning about the most common hacking methods and arming yourself with the right tools, you’ll be able to identify vulnerabilities and stop attackers in their tracks.
Table of Contents
Table of Contents
The common hacking techniques in this blog post range from the lazy to advanced, but all of them exploit different vulnerabilities to access your data or infect you with malware. If you understand them, you’ll be empowered to protect yourself online.
What is hacking?
First, we should answer the question, “What is hacking?”. Most hacking definitions define hacking as the usage and exploitation of vulnerabilities and bugs to break into computer systems and access data that would otherwise be unavailable. Hacking can be used for legitimate (e.g., security research) and illegitimate (e.g., credential stealing, ransomware) means.
Below we will look into some of the most common types of hacking.
The top 5 laziest hacking techniques
Here are the top 5 laziest types of hacking.
Fake WAP
This is a very simple type of cybercrime that’s frighteningly easy to fall for. If you don’t like the idea of getting hacked by a high schooler, read on.
In a fake WAP (Wireless Access Point) attack, the hacker sets up a wireless router with a convincingly legitimate name in a public spot where people might connect to it. Once they do, the hacker can monitor and even change internet connections to steal sensitive data or force the user to download malware onto their device.
How many times have you been to a hotel, café, or airport that had one or more separate guest Wi-Fi networks? How sure were you that you connected to a secured router owned by the establishment you were visiting?
✅ Can NordVPN protect you: YES. By encrypting your traffic, NordVPN will make it impossible for the hacker to read or modify what you see or send. However, it’s better never to connect to the fake WAP in the first place.
Before you connect, look for an official Wi-Fi network name and password behind the counter that you know was placed there by an employee – or ask an employee what the real network is called. However, free public Wi-Fi networks are still highly insecure, so we suggest using a VPN anyway.
Bait and switch
A bait and switch attack uses a relatively trusted avenue – ads – to fool users into visiting malicious sites. How much a hacker can get away with all depends on the ad network they use.
Larger advertisers like Facebook and Google have a number of safeguards in place to prevent this behavior, but even they aren’t 100% perfect. Once you’ve clicked on the ad, the attacker can use a number of other attacks, like downloading malware, clickjacking, or browser locking, to compromise your system.
✅ ⛔️ Can NordVPN protect you: IT DEPENDS. NordVPN’s Threat Protection Pro feature can stop you from being redirected to malicious sites, but your best defense is a secure browser and a good ad blocker. If you do click on ads, try to stick to more trusted ad distributors, like Google or Facebook.
Credential reuse
This is an attack that can follow a data breach at a server hosting many users’ login information. It works under the assumption that many people use the same password across multiple sites, which is unfortunately true. After using a vulnerability to access login info, the hacker can try using the same info on a more sensitive website to gain access to more dangerous and damaging information.
⛔️ Can NordVPN protect you: NO. This attack relies on the hacker accessing sensitive data that you’ve stored elsewhere, so private encryption can’t help you. Your very best strategy is to create a different password for every site you use. That makes any password of yours that a hacker gets when they hack one of those sites useless for any of the others.
However, our Dark Web Monitor can help you here. It scans the dark web and alerts you if it detects your exposed credentials. In such case, you can act immediately by changing your password for that service to keep your account secure. Take a look at our article and learn more about what to do if you get a dark web alert.
SQL injection
This is a curious and powerful hacking method that targets vulnerabilities in fairly unsecure websites. In unsecured systems that use the SQL programming language, hackers can insert code into text fields in the website (like a password or username field, for example) that the website will run.
The code they insert can be used to extract information from the website or to give the hacker a foothold from which they can launch further attacks. SQL injection is essentially an attack on the website rather than you, but once a hacker has successfully performed a SQL injection, the site can be used to attack its visitors.
⛔️ Can NordVPN protect you: NO. Like a cross-site scripting attack, SQL injection can turn a legitimate website into a hacker’s tool. It can also steal or modify data on a website that you’ve already chosen to share your information with.
The frustrating thing about SQL injection is that it is relatively simple to fix from a website developer’s standpoint – a simple Google search will provide tons of simple tips on how to prevent these attacks from occurring. However, we still hear about these attacks occurring because website administrators fail to secure their sites.
Check out our video on SQL injection attacks below.
Browser locker
Browser lockers are a common but lazy hacking method that targets users who might not be very technologically literate. After leading a user to a malicious site or infecting a legitimate one, the hacker creates a popup that takes over the screen and makes it difficult or impossible for the user to close.
The popup poses as an antivirus alert and encourages the user to visit a bogus tech support link or call a bogus number. The victim winds up unknowingly paying the attacker to remove the “virus” from their computer.
✅ Can NordVPN protect you: YES. If you turn on NordVPN’s Threat Protection Pro feature, you will be protected from malicious online links and ads. The tool blocks links from a database that is constantly updated to catch the latest threats.
Other common types of hacking attacks
The next types of hack and cyber attack aren’t as common or well known, but you should clue yourself into them nonetheless.
Macro malware in documents
Document-based macro malware is a very insidious type of malware that is easy to detect and avoid if you know what you’re looking for. Many document file types, like .doc or .pdf, have the ability to run scripts when they’re opened. However, these functions usually have to be given permission by the user to run through a prompt when the document is opened.
If you give the document permission to run the macro, you will be at the hacker’s mercy. These scripts can open numerous vulnerabilities in your system, allowing hackers to upload more serious malware and take control of your computer.
⛔️ Can NordVPN protect you: NO. The Threat Protection Pro feature may protect you from sites that distribute macro malware, but dedicated antivirus software will be better at catching infected documents.
The problem is that they often travel through trusted channels, like emails. The ultimate defense is to question every document that asks you for permission to run something. If you get such a document from someone you trust, ask them to explain who put the macro there, why they did so, and what it does.
Cookie theft / sidejacking / session hijacking
Cookies are more than just a way for ad providers to follow you around online. They’re also how websites keep track of users who have to log in and out of their accounts. When you log in to your account, the website sends you a cookie so you don’t immediately get logged out on the next page you visit in their website.
If they send your cookie over an unsecure connection, however, that cookie might not end up where it’s supposed to go. A cookie theft (or session hijacking) is exactly what it sounds like – a hacker exploits an insecure connection to steal your cookie and pretend that they’re you on the website you’re visiting.
They might not gain access to your login credentials, but they can change a number of settings to hijack the account you’re connected to or otherwise exploit it to their advantage.
✅ Can NordVPN protect you: YES. NordVPN encrypts your traffic, securing almost every step along the way from your computer to the site in question. Visiting an https website will also be far more secure when it comes to cookie theft, but we can’t always choose the website we visit.
Even if you’re on an insecure connection, NordVPN will make sure your cookie reaches you and only you. The only exception is if the site you are visiting has been hacked into. However, in that case, the hacker is likely to choose a more powerful attack than cookie theft.
IoT attacks
IoT devices are exciting because of the potential new features they introduce into our daily lives. However, they are also frighteningly vulnerable to cyber attacks. These devices have limited computing power and storage, leaving little room for robust security features.
The passwords are often left as the factory defaults, meaning almost anyone can log into them. Even worse, they provide a direct bridge between the digital and physical worlds.
A hacker from across the street or across the ocean can hack into your air conditioner, oven, refrigerator, or home alarm system. However, your infected devices can also be used as parts of expansive botnets – virtual armies of connected devices that hackers can use to launch orchestrated attacks on targeted servers. One way or another, wrongdoers hacking IoT devices could pose a big risk for you and your family.
✅ ⛔️ Can NordVPN protect you? IT DEPENDS. NordVPN’s standard apps run on the most common devices, which means they don’t cover your IoT appliances. Our tutorial page provides instructions on how to install NordVPN on most home routers, but not all of them are capable of running the latest encryption protocols.
If you have a router capable of running one of the more powerful encryption protocols supported by NordVPN, you can configure your router to secure all of your IoT devices against unwanted connections. However, your encrypted connection will prevent anyone from communicating with your devices – even you! Use this approach only if you don’t need online access to your devices from outside your home.
DDoS attacks
DDoS (Distributed Denial of Service) attacks are a curious phenomenon because the malware used to perform them doesn’t really hurt the person infected by it. Instead, it turns their device into one small part of an army of bots that the hacker then uses to completely flood their target with fraudulent requests and shut their server down. However, it’s not an ethical hacking either.
The defense mechanisms for DDoS differ for bots and targets, and we’ll primarily be discussing the bot end of the equation. For a member of the bot army, the damage actually isn’t that significant.
Besides the fact that having malware controlled by a hacker on your device is highly insecure, all the DDoS bot does is gobble up a fraction of your online bandwidth whenever it’s called on by the hacker to participate in an attack. Despite this, it’s still a good idea to do the world a favor by preventing your devices from becoming part of an organized attack.
✅ ⛔️ Can NordVPN protect you? IT DEPENDS. NordVPN’s Threat Protection Pro feature blocks your computer from connecting to botnet command and control servers, which hackers use to mobilize their armies. This will isolate the bot from its owner and prevent it from attacking others, but you’ll still need an anti-malware program to remove any bots you might have.
Phishing
Unlike most hacks, phishing targets the person behind the device rather than the device itself and it’s one of the most popular hacking queries. By tricking the user through a convincing and cleverly crafted email or other message, the hacker can convince them to lower their guard and provide access to their most sensitive information.
Phishing can take many different forms, so there’s no single way to defend yourself. A healthy dose of online skepticism and attention to detail will get you a long way, though. If an official-looking email sent you a link, make sure the URL it’s taking you to looks correct. Anyone actually representing a website or service you use won’t actually need your password, so don’t give it to them. Don’t download anything from an email unless you’re absolutely sure it’s safe.
✅ ⛔️ Can NordVPN protect you? IT DEPENDS. Phishing is relatively easy to avoid if you’re careful, but it’s also one of the most powerful attacks out there. That’s because you have the power to bypass any of your own defenses. If the hacker can convince you to do what they want, then all the software in the world won’t help you.
NordVPN’s Threat Protection Pro feature can detect some links from a vast database of known malicious sites, but you’ll have to trust NordVPN’s warning and keep yourself from navigating to the malicious website.
Clickjacking/UI redress
One thing many users don’t realize when they chance upon a suspicious website is that they might be looking at more than one website. Malicious websites (or legitimate ones that have been compromised) can lay an invisible frame over the site you see – complete with invisible buttons that can cover existing buttons or even follow your cursor. Any click you take could be executing actions you had no idea you were taking – hence the term “clickjacking.”
The damage clickjacking can do depends on how creative the hacker using it is. The most common uses include collecting fake Facebook likes, getting users to click on ads and generate revenue, and even unlocking their cameras and microphones (through an Adobe Flash vulnerability that has since been fixed).
✅ ⛔️ Can NordVPN protect you? IT DEPENDS. Your best defense against this attack will be a secure browser with built-in defenses as well as an adblocker or script-blocking browser plugin. If a site or ad is known for clickjacking, however, then NordVPN’s Threat Protection Pro feature CAN help by blocking you from visiting that site. Together with the other tools mentioned, it can form part of your defense against clickjacking attacks.
Man-in-the-middle attack
In a man-in-the-middle (MITM) attack, the hacker inserts themselves as an invisible intermediary between you and the server you’re communicating with. By copying communication from both ends, they can monitor your traffic or even modify it without being detected.
There are different ways to do this, but the easiest way is by exploiting an unsecure Wi-Fi connection (or through a fake WAP attack). Imagine performing a financial transaction during a MITM attack. Even if they don’t get your login information, which they probably will, they can insert data into the transaction to redirect your funds. Your device will tell you that you’re sending your money where you want it to go, but the bank will think you’re sending your money to the hacker’s bank account.
✅ Can NordVPN protect you: YES. This is the attack that VPNs were made to prevent. Because even the target of your traffic is hidden by our encryption, the hacker won’t be able to send your message on to its destination. They won’t be able to read or modify its contents. The worst that a hacker on an unsecure or fake connection can do to you is terminate your connection without compromising the security of your data.
Cross-site scripting
Websites connect to many different servers to optimize their functionality, and to make their communications more efficient, they don’t bother reconfirming their authentication procedures every single time they exchange information.
These connections can include ad services or special plugins. If one of these connections is hacked, the attacker can inject scripts directly into a website’s UI to compromise anyone who visits that site. Those scripts, in turn, can be used to capture information that you enter into the site or to perform different types of attacks (like clickjacking). This is called cross-site scripting.
⛔️ Can NordVPN protect you: NO. This is a difficult type of attack to defend yourself from because it targets the website you visit, not your device. However, a secure browser with anti-script plugins will go a long way towards keeping you safe. If the website in question has made it into NordVPN’s Threat Protection Pro blocklist of malicious sites, then NordVPN will also help keep you safe. Keep your eyes open for suspicious behavior on any website you visit.
DNS spoofing
DNS servers are like the signposts of the internet. When you enter a website into your browser, they tell your device where to go to get the information you need. If a hacker can in some way poison the information provided by a DNS server, however, they can potentially take thousands of users to a malicious domain as part of an attack.
DNS spoofing can happen in many different ways – by corrupting the data on its way to your device, by feeding corrupted information to a DNS server, or by completely taking it over. They all have a similar result, however – they send you to a website that the hacker has designed to take advantage of you.
✅ Can NordVPN protect you: YES. NordVPN stops DNS spoofing attacks (we also stop DNS leaks! When using NordVPN or any other VPN, use our free DNS leak test to make sure you’re secure). As your DNS signal travels from NordVPN’s DNS server through your encrypted tunnel, it’s virtually impossible for hackers to corrupt that signal in any way.
There are two rare exceptions, however, in which a user might become vulnerable to this type of attack. If the user’s device doesn’t use NordVPN’s DNS server (either by choice or because a piece of malware has caused it to do so), NordVPN can no longer guarantee that your DNS information won’t be spoofed.
This is why we recommend that users do not alter NordVPN’s default DNS settings. NordVPN also can’t guarantee that your DNS info will be safe if an attack happens at one of the servers down the line from NordVPN’s DNS server. Such attacks, however, are a rare occurrence and are reported widely when they do occur.
Watering hole attack
A watering hole attack is an attack in which an attacker guesses or observes websites frequently used by employees of a targeted organization and infects them with malware. So, there is a high chance that an employee will visit such a website and become infected. Cybercriminals can also attack users only with specific IP addresses, which makes attacks way harder to detect. Such attacks usually rely on exploiting vulnerabilities of websites and software.
⛔️ Can NordVPN protect you: NO. NordVPN can’t protect you from malware you get online. However, its Threat Protection Pro feature can protect you from malicious pop-ups, ads, and websites. But it would be quite powerless if a malicious script is injected into a legitimate website. The companies should monitor their traffic, block the affected websites, and update their software to avoid the latest vulnerabilities.
Keylogger attack
Keylogging or keyboard capturing is the process of recording the keys struck on your keyboard, usually without the consent and knowledge of the typing person. Snoopers do this with the help of keyloggers, software, or hardware pieces recording the data you type in. Then they can easily snatch passwords and other confidential data.
While the keylogging software as such is not illegal, hackers abuse them for illegal purposes.
⛔️ Can NordVPN protect you: NO. NordVPN can’t protect you from something messing up with your device and secretly installing malicious software or you contracting it while online.
Brute force attack
In a brute force attack, a hacker uses a trial-and-error approach to guess passwords, PINs, or encryption keys. By doing this, they can gain access to protected services and databases or decrypt data. One can also perform brute force for security reasons to test one’s security strength.
Hackers employ software, which tries loads of password combinations per second till the guess is correct. So, if you use a weak password of just a few symbols, it may take seconds for such software to crack it. However, it may take years to guess a strong and complex password.
⛔️ Can NordVPN protect you: NO. NordPass can store your super-strong passwords, so you won’t need to memorize them. Strong passwords are an essential protection measure for this attack, so you should use complex ones. Our Dark Web Monitor can also be useful as it scouts the dark web for exposed credentials that may belong to you.
Dictionary attack
A dictionary attack is a type of brute-force attack. Just, in this case, hackers use predefined lists of passwords. Sometimes it consists of the most commonly used password phrases, while in other cases, it may have all the dictionary entries.
Hackers usually do acute research when compiling their dictionaries. They can analyze users’ social media profiles and other publicly available data to find out the names of their pets, relatives, and interests to make their dictionary more focused and accurate. Basically, a dictionary attack is a more customized and focused variant of a brute-force attack.
⛔️ Can NordVPN protect you: NO. See the brute-force-attack section for the reasons why.
Is hacking illegal?
Well, it depends on what you use it for. If you use hacking to steal data, compromise systems, or other criminal purposes, it’s obviously illegal. People doing it are called black-hat hackers.
However, one can hack for good means. White-hat hackers search for vulnerabilities to strengthen the security of targeted systems, while hacktivists hack to raise or tackle various social or political issues. So, hacking is just a measure — it all depends on what you use it for.
If you wear a white hat, our bug bounty program is on, so you can help us to improve by participating in it.
How to protect yourself from hackers
Here are a few cybersecurity measures on how to protect yourself from hackers.
- Don’t skip updates. It’s tempting to postpone updates for later, but you’ll be putting yourself at risk. Hackers exploit known software vulnerabilities and can use them to hack your device. Always keep your smartphone secure by updating its operating system and apps on time.
- Use strong passwords. A strong password should contain uppercase and lowercase letters, along with numbers and special characters. Since it’s hard to remember complex passwords, try a password manager like NordPass.
- Enable two-factor authentication (2FA). A password is not enough to protect your digital life, so combine it with a two-factor authentication. When 2FA is enabled, you’ll need to authenticate yourself via an app, token, or SMS, as well as inputting your password.
- Don’t overshare on social media. Criminals can visit your Facebook or Instagram profiles to extract your email address, phone number, job title, and social connections. This information can be used to orchestrate social engineering and phishing attacks against you or people around you. Don’t share personal information on social media and keep your profile private.
- Minimize the amount of services you use. Use only the services you really need to reduce the chances of your data leaking. Don’t create an account for a service you aren’t planning to use.
- Use a VPN. If you want to secure your online activities and enhance your privacy, look no further than NordVPN. The app hides your IP address and wraps your traffic in encryption. It also has the Threat Protection Pro feature that stops you from landing on malicious websites, and blocks trackers and intrusive ads on the spot.