Brute force attackers have to put in a bit of effort to make these schemes pay off. While technology does make it easier, you might still question: why would someone do this?
Here’s how hackers benefit from brute force attacks:
- Profiting from ads or collecting activity data
- Stealing personal data and valuables
- Spreading malware to cause disruptions
- Hijacking your system for malicious activity
- Ruining a website’s reputation
Hackers can exploit a website alongside others to earn advertising commissions. Popular ways to do this include:
- Putting spam ads on a well-traveled site to make money each time an ad is clicked or viewed by visitors.
- Rerouting a website’s traffic to commissioned ad sites.
- Infecting a site or its visitors with activity-tracking malware — commonly spyware. Data is sold to advertisers without your consent to help them improve their marketing.
Breaking into online accounts can be like cracking open a bank vault: everything from bank accounts to tax information can be found online. All it takes is the right break-in for a criminal to steal your identity, money, or sell your private credentials for profit. Sometimes, sensitive databases from entire organizations can be exposed in corporate-level data breaches.
If a hacker wants to cause trouble or practice their skills, they might redirect a website’s traffic to malicious sites. Alternatively, they may directly infect a site with concealed malware to be installed on visitor’s computers.
When one machine isn’t enough, hackers enlist an army of unsuspecting devices called a botnet to speed up their efforts. Malware can infiltrate your computer, mobile device, or online accounts for spam phishing, enhanced brute force attacks and more. If you don’t have an antivirus system, you may be more at risk of infection.
If you run a website and become a target of vandalism, a cybercriminal might decide to infest your site with obscene content. This might include text, images, and audio of a violent, pornographic, or racially offensive nature.
Each brute force attack can use different methods to uncover your sensitive data. You might be exposed to any of the following popular brute force methods:
- Simple Brute Force Attacks
- Dictionary Attacks
- Hybrid Brute Force Attacks
- Reverse Brute Force Attacks
- Credential Stuffing
Simple brute force attacks: hackers attempt to logically guess your credentials — completely unassisted from software tools or other means. These can reveal extremely simple passwords and PINs. For example, a password that is set as “guest12345”.
Dictionary attacks: in a standard attack, a hacker chooses a target and runs possible passwords against that username. These are known as dictionary attacks. Dictionary attacks are the most basic tool in brute force attacks. While not necessarily being brute force attacks in themselves, these are often used as an important component for password cracking. Some hackers run through unabridged dictionaries and augment words with special characters and numerals or use special dictionaries of words, but this type of sequential attack is cumbersome.
Hybrid brute force attacks: these hackers blend outside means with their logical guesses to attempt a break-in. A hybrid attack usually mixes dictionary and brute force attacks. These attacks are used to figure out combo passwords that mix common words with random characters. A brute force attack example of this nature would include passwords such as NewYork1993 or Spike1234.
Reverse brute force attacks: just as the name implies, a reverse brute force attack reverses the attack strategy by starting with a known password. Then hackers search millions of usernames until they find a match. Many of these criminals start with leaked passwords that are available online from existing data breaches.
Credential stuffing: if a hacker has a username-password combo that works for one website, they’ll try it in tons of others as well. Since users have been known to reuse login info across many websites, they are the exclusive targets of an attack like this.
Guessing a password for a particular user or site can take a long time, so hackers have developed tools to do the job faster.
Automated tools help with brute force attacks. These use rapid-fire guessing that is built to create every possible password and attempt to use them. Brute force hacking software can find a single dictionary word password within one second.
Tools like these have workarounds programmed in them to:
- Work against many computer protocols (like FTP, MySQL, SMPT, and Telnet)
- Allow hackers to crack wireless modems.
- Identify weak passwords
- Decrypt passwords in encrypted storage.
- Translate words into leetspeak — “don’thackme” becomes “d0n7H4cKm3,” for example.
- Run all possible combinations of characters.
- Operate dictionary attacks.
Some tools scan pre-compute rainbow tables for the inputs and outputs of known hash functions. These “hash functions” are the algorithm-based encryption methods used to translate passwords into long, fixed-length series of letters and numerals. In other words, rainbow tables remove the hardest part of brute force attacking to speed up the process.