A brute force attack is a cryptographic method that relies on the hit and trial method owner aimed password until the password is discovered.
It is mainly used to obtain personal information such as passwords, passphrases, usernames, and personal identification numbers and use a script, hacking apps or the same kind of methods to pull out the string of continuous attempts to get the information required.
This method is time-consuming, difficult to perform if methods such as data obfuscation are used at a time downright impossible. It will be more difficult with the longer password because more combinations will be required to test but it will be easier to discover the password when it is weak. It is a very old method used by hackers but it’s still effective and popular.
Goals of hackers from brute force attack
- Collecting activity data or profiling from ads
- Stealing personal data and valuables
- Spreading malware to cause disruptions
- Hijacking your system from malicious activity
- Ruining a website’s reputation
Types of brute force attacks
Simple brute force attack
In this kind of attack, Hackers don’t use any tool or program to reveal the password. They use logical guesses to find out the password. This can reveal a weak password.
A dictionary attack is defined as when a hacker select, aims, and tries possible passwords against that aimed username. It is a basic tool in a brute force attack. Sometimes hackers run through unbridged dictionaries and argument words with special characters and numerical or use special dictionaries of words but this type of sequential attack is cumbersome.
Hybrid brute force attack
It is a combination of brute force attack and a dictionary. A hybrid brute force attack is used to figure out combo passwords with random characters. For example New Delhi 1234
Reverse brute force attack
In this type of attack, hackers reverse the attack strategy by starting with a known password. Hackers may start with the known password which is revealed from existing data breaches.
When hackers reveal the username and password of a user for one website then they will try that username and password with another website because many users use that same username and password for other websites also.
Tools aid for Brute force attack
Automated software is used by hackers to systematically check password combinations until the correct password is revealed. It is difficult for humans alone to check the numerous combination and possibilities of passwords that’s why hackers use brute force password cracking applications. Some the brute force attack tools are:
The program which is used as a tool in brute force attack
- Counter work to computer protocols (like FTP, MySQL, SMPT, and Telnet)
- Allow hackers to crack wireless modems.
- Identify weak passwords
- Decrypt passwords in encrypted storage.
- Conversion words into leetspeak — “don’thackme” becomes “d0n7H4cKm3,”
- Run all possible combinations of characters.
- Operate dictionary attacks
Affect of Brute force attack on the financial industry
Brute force and credential stuffing attacks at 41% and DDoS at 32% are the predominant vectors in the financial industry in 2017- 2019.
The biggest threat to the financial industry is credential stuffing and brute force attacks which are growing very fast and there are no signs of slowing down. Hackers use the trial and error methods to reveal the password of a user’s account or they may reuse already compromised information to gain access to customer accounts.
It also makes sense that attackers prefer these techniques to other approaches considering that financial services IT departments are well funded in comparison to much of the rest of the industry will stop banks have compliance and regulatory pressure to protect their systems and are heavily audited, and does have robust and strong cybersecurity programs.
The protections they have in place may represent too high a bar for crooks to pass so they fall back to simpler, if less efficient methods, like guessing passwords. Often sometimes these attacks begin with attempts against customers of the financial services organizations, not the organization’s systems or employees
Brute force attacks involve a bed actor trying a massive number of usernames and passwords against authentication and point will stop sometimes these are credentials that have been obtained from other breaches, which are then used to target the service in an attack known as credential stuffing.
Other forms of brute force attack simply use a common list of default credential peers, commonly used passwords, or even randomly generated password strings.
As soon as a data dump hits the Internet, cybercriminals attempt logins at as many financial services targets as they can to get access to bank accounts. These dumps have a life span. Eventually, someone on the other side will find out about a dump, and organizations can use this to determine if their customers are affected.
Some attackers are pugnacious, simply trying every stolen credential they have as fastest as they can. This activity can be so forceful that even if it goes unnoticed, back end authentication systems can be overwhelmed, leading to a denial of service condition.
Attackers also use a brute force technique known as password spraying to avoid detection. Hacker quickly tries password across a large number of accounts.
Target defenses may only allow a few login attempts per user name before the account is blocked but with this technique, an attacker can hit many accounts again and again with new password attempts and stay below the threshold for detection. The lack of widespread adoption of multi-factor authentication also enables attackers to conduct brute force activities with greater ease.
For a user, the result of a successful brute force attack can be an account takeover or, at the very least, being logged out of their account if countermeasures are triggered. This leads to frustrations for the customer and increased support desk calls for the provider.
‘By Puru Siddhu’
Puru has completed his B.Sc. (H) Forensic Science from Galgotias University and is pursuing his Masters from IRTE, Faridabad. He has also done 5 weeks course in Information Security from University of London. He has done internship with Legal Desire and Insights for 45 days and presented the 2nd best Oral presentation in International conference on Wildlife Forensics, its laws and conservation.