Why Are Brute Force Attacks on the Rise?
We have all, at some point, received an email from a website or application informing us of a login attempt on our account. The message states that if you did not make that login attempt, you should access your account and change your password. Often, we are the ones who tried to log in, and we can safely ignore the notification.
Sometimes, however, this isn't the case, and it was not you who tried to log in to your account. If that happens, there is a strong possibility that your account, and potentially your sensitive information, has been compromised by a hacker using a brute force attack.
Brute force attacks are not a new activity for cybercriminals. Cybersecurity experts continually work to stop brute force attacks and the data exposure that can follow them. With the increase in remote work, driven primarily by the COVID-19 worldwide pandemic, brute force attacks increased from 13% to 31% in 2020, and they comprise 5% of all cybersecurity breaches.
If you are one of the millions of professionals who find themselves in a remote work environment, it might be time for a refresher on what a brute force attack is and what steps you can take to protect your personal and professional online presence.
What is a Brute Force Attack?
A brute force attack is just what it sounds like: a hacker makes as many attempts as it takes, forcefully guessing the login credentials, to gain access to an account on a website or application. Of all the different types of cyberattacks, a brute force attack is perhaps the most popular among hackers because the attack is simple to carry out and the results are highly effective.
Data leaks and breaches have rapidly become a familiar and almost accepted occurrence as part of our internet-connected lives. They seem to happen so often and make the 24-hour news cycle with increasing regularity that we begrudgingly accept that the next major cyberattack is just a matter of when. The fallout of these data breaches is a treasure trove of personal information on millions of people and their account credentials. A brute force attack, when successful, can result in one of these data breaches impacting countless people.
However, the data stolen in a cyberattack is not typically what is used in a brute force attack. Instead, when a brute force attack successfully breaks into an account, the hacker gains access not just to the information in the account but to the website or network behind it, allowing the upload of malware or other malicious programs. They can then use this foothold to build a more extensive cyberattack.
What are the Types of Brute Force Attacks?
The most common and well-known brute force attack is when a hacker forces their way into an account by guessing the login credentials. However, other types of brute force attacks exist, depending on the hackers' methods and desired outcomes.
Simple Brute Force Attack. As previously mentioned, this type of attack is when a cybercriminal repeatedly tries to guess your login credentials (typically a password) without any additional context or amplifying information. Easily guessed passwords and PINs are cracked with relative speed.
Dictionary Brute Force Attack. This type of brute force attack takes commonly used password combinations and words from the dictionary, with numbers or special characters substituted for letters. As with a simple brute force attack, poor passwords are quickly cracked.
Hybrid Brute Force Attack. A hybrid attack combines the two previous types. It uses elements of passwords that people frequently use, such as family names, anniversaries, or dates of birth.
Reverse Brute Force Attack. This type of brute force attack happens when a hacker has access to a password and attempts to match that to a username to log into an account.
Credential Stuffing. Although sometimes not classified strictly as a brute force attack, credential stuffing happens when cybercriminals already have login credentials and attempt to use them across many different web applications.
What Tools Are Used in Brute Force Attacks?
Despite the popular imagery of a hacker sitting behind a computer feverishly trying different combinations of usernames and passwords, this often isn’t very accurate — although this method is still effective with enough time, patience, and persistence.
Compromised computers and automated software programs, commonly called bots, perform the mundane operations of repeatedly guessing login credentials. The hackers merely set up the bot programs and unleash them to do their dirty work.
Bots that make up a botnet, an army of compromised computers performing simple, automated, and repetitive tasks, are used in brute force attacks and other types of criminal cyber activity, including distributed denial of service (DDoS) attacks and email spam and phishing.
Some software applications are designed specifically to conduct a brute force attack. THC-Hydra is one such application. When employed, Hydra runs through different combinations of host IP addresses, usernames, and passwords until a successful combination is found. THC is a group of international hackers who perform independent IT security work, and Hydra is one of their products.
Why are Brute Force Attacks on the Rise?
The increase in brute force attacks is likely a combination of different factors converging in recent years. More people are connected to the internet than ever before. The amount of data on the internet, held under varying levels of security and protection, grows by the hour. The sophistication of hackers and of their tools for bypassing cybersecurity defenses improves as fast as other technologies do.
However, perhaps the most significant reason for the steep escalation in brute force attacks is the COVID-19 worldwide pandemic and the exponential increase in people working from home. Work-from-home arrangements skyrocketed in 2020, and companies quickly embraced and enhanced remote work capabilities across all sectors.
The influx of people working from home and using their personal networks to log into company servers or remote desktops became the new working environment. Hackers looking to launch a brute force attack focused on the weaker home networks and the easily guessed login credentials that millions of people still use. An example of this is the spike in Windows Remote Desktop (RDP) brute force attacks.
How to Secure Against Brute Force Attacks?
It may come as no surprise, but the steps to defend against a brute force attack are rooted in basic but sound cybersecurity practices. The most obvious step is not to reuse passwords or use passwords that are easy to guess. Reused or recycled credentials are one of the most common mistakes people make. With password management programs now widely available and offering strong protection, there's even less reason to rely on weak or reused passwords.
Beyond creating a hard-to-crack password, many websites and applications now offer the option to enable multi-factor authentication. While this adds a step to the login process, using this feature is a solid defense against a brute force attack.
The companies behind websites and applications can take additional cybersecurity steps. One example is limiting the number of login attempts before an account or IP address is temporarily locked out. This feature can severely hinder the success rate of a brute force attack. Another security feature is CAPTCHA, which adds an extra layer to the login process. Any time you've had to select all the taxis in a set of pictures, for example, that is CAPTCHA in action.
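As an added illustration of the lockout measure described above (example code written for this page, not from the original article or any product), the following Python sketch counts failed logins per account and per source IP in a sliding window and refuses attempts while a temporary lockout is in force. The thresholds, the user names and the 203.0.113.7 address are constructed for the demo.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5       # failed attempts tolerated inside the window (constructed value)
WINDOW_SECONDS = 300   # sliding window in which failures are counted (constructed value)
LOCKOUT_SECONDS = 900  # length of the temporary lockout (constructed value)

class LoginThrottle:
    """Counts failed logins per account and per source IP and locks either key temporarily."""

    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable so simulate() can fake the passage of time
        self.failures = defaultdict(deque)   # key -> timestamps of recent failed attempts
        self.locked_until = {}               # key -> time at which the lockout expires

    def login(self, username, ip, verify):
        """One attempt. verify() checks the password and is only called when nothing is locked."""
        now = self.clock()
        keys = (f"user:{username.lower()}", f"ip:{ip}")
        for key in keys:
            if self.locked_until.get(key, 0) > now:
                return "locked"                # refused before the password is even considered
            self.locked_until.pop(key, None)   # an expired lockout is forgotten
        if verify():
            self.failures.pop(keys[0], None)   # reset the account counter; keep the IP counter
            return "ok"
        for key in keys:
            q = self.failures[key]
            while q and now - q[0] > WINDOW_SECONDS:
                q.popleft()                    # drop failures that fell out of the window
            q.append(now)
            if len(q) >= MAX_FAILURES:
                self.locked_until[key] = now + LOCKOUT_SECONDS
                q.clear()
        return "bad_password"

def simulate():
    """Constructed scenario: five bad passwords for 'alice' from 203.0.113.7, the right
    password submitted while locked, and the right password again after the lockout expires."""
    clock = {"t": 1_000_000.0}
    throttle = LoginThrottle(clock=lambda: clock["t"])
    results = []
    for _ in range(MAX_FAILURES):
        clock["t"] += 1
        results.append(throttle.login("alice", "203.0.113.7", lambda: False))
    clock["t"] += 1
    results.append(throttle.login("alice", "203.0.113.7", lambda: True))   # still locked
    clock["t"] += LOCKOUT_SECONDS
    results.append(throttle.login("alice", "203.0.113.7", lambda: True))   # lockout over
    return results
```

In a real deployment the counters live in a shared store (database or cache) so every application node sees the same lockout state, and the caller should return the same generic error to the user for "locked" and "bad_password" so the response does not confirm which accounts exist.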
If you’d like to learn more about brute force attacks and other types of credential attacks and steps to take to prevent them, check out our 6-video 53-minute course that is especially relevant for network administrators and security analysts.
Brute force attacks are on the rise due in no small part to the massive increase in remote work around the world. However, that does not mean preventative measures can't be taken to protect your account information.