What is a Brute Force Attack? 4 Examples you need to know

Brute Force Attack

What comes to your mind when you hear the words “brute force?” You probably have images of somebody (or something) smashing through defenses with no subtlety or strategy. It’s just attack, attack, attack, until you finally break through.

That’s how brute force attacks work in the world of online security too. A hacker throws everything at the wall in the hope that something sticks. If they get the attack right, they may gain access to materials and sensitive information they shouldn’t be able to see.

This article discusses the different types of brute force attacks and looks at some real-world examples.

Summary: A brute force attack is a trial-and-error approach to guessing somebody’s password. Hackers try a ton of passwords to gain unauthorized access to an account. Eventually, one of those passwords is correct and facilitates the attack. Examples of brute force attacks include dictionary attacks, credential stuffing, and the standard simple brute force attack.

Tip: Having unique and complex passwords for each of your accounts, is a great way to defend against brute force attacks. The best antivirus software and VPN providers frequently include a password manager, which can help you create, store and auto-fill those secure passwords.

What Is a Brute Force Attack?

Hackers use brute force attacks to gain access to online accounts. The attacks involve trial-and-error guesswork designed to crack a user’s password to provide the hacker with access. They often start with the hacker trying different combinations of common passwords before they move on to different versions of leaked passwords.

Brute force attacks are one of the oldest methods in the hacking playbook. Still, they’re exceptionally common, not least because it’s easy for hackers to access the tools needed to launch these attacks.

There are many reasons why somebody might want to do so.

Hackers can use brute force methods to steal personal data, which often gives them access to private accounts and financial information. Some use these attacks to spread malware or inject protected websites with malicious adverts. Other brute force attacks allow the hacker to access your device so they can use it for malicious activities.

Brute Force Attack Types

All types of brute force attacks take a figurative sledgehammer to the challenge of cracking passwords. They require a lot of computing power to make multiple login attempts in a matter of seconds.

Still, there are several brute force attack types, meaning hackers have several options open to them.

Type No. 1 – Simple Brute Force Attacks

There’s nothing complicated going on with these types of attacks.

The hacker uses a bunch of bots and scripts designed to test thousands, or even millions, of passwords in a short period of time. Some scripts can make hundreds of password guesses per second. The scripts tend to focus on common passwords, such as “password” or “12345.” They’ll also mix things up by trying these common passwords with uppercase letters, numbers, and symbols.

Using a strong password that contains plenty of random characters reduces the chances of this type of attack working against you. Otherwise, hackers can keep testing possible passwords until they find the right one.

Type No. 2 – Credential Stuffing

These attacks rely on other people to do the username and password stealing. A hacker purchases leaked passwords via the dark web. They then use the password across a bunch of different websites to try to access to online accounts.

Why do credential stuffing attacks work?

We have tons of websites asking us to set up accounts in the modern era of the internet. Instead of using a different password for each account, a lot of people use the same username and password across every account they have.

That’s a credential stuffer’s dream.

If a hacker gains access to the login details you use for one account, there’s a good chance they can use those details to access other accounts. For example, let’s say you use the same password for your Netflix account and your gaming account. If a hacker gets access to your Netflix password, they can also access your gaming account. And that means they can play your games, buy new games, and even lock you out of the account entirely.

Type No. 3 – Dictionary Attacks

Dictionary attacks are a step up from simple brute force attacks.

Instead of focusing on common passwords, they use common combinations of phrases and words. Early versions of these attacks involved a script literally working its way through a dictionary of words to find something that worked. More modern versions incorporate passwords that have already been leaked, with the script trying different variations to gain access.

Several dictionary attack software packages are available to make these attacks easier to execute. The software packages often work by replacing letters in common passwords with the most likely symbol the user would choose. A good example is the @ sign used in place of the letter A. Most people use that substitute as a unique character, which makes it easier for a hacker to attempt different versions of a password containing the letter A.

Type No. 4 – Password Spraying

A simple brute force attack involves using many password variations to try and access a single account. Password spraying takes the opposite approach. The hacker uses a single password and applies it to many different accounts.

Password spraying allows hackers to crack passwords while avoiding getting locked out of accounts for making too many failed login attempts. These attacks are most often used against accounts that offer single sign-on authentication methods.

Type No. 5 – Hybrid Brute Force Attacks

A hybrid brute force attack combines a simple brute force attack with a dictionary attack. Its success relies on the common practice of combining a word with a series of numbers that mean something to the user. For example, you may use a common word as a password, followed by your date of birth. This means the number following the word usually begins with a 1, which gives the hybrid brute force attack a starting point.

The hacker uses a dictionary to provide the words you might use, with an automated simple attack trying different combinations of four numbers. While the approach still requires a lot of guesswork, hybrid brute force attacks are more efficient than using a simple or dictionary attack alone.

Type No. 6 – Reverse Brute Force Attacks

Most brute force attacks start with the hacker getting hold of a username or account number. These details aren’t much use on their own. A hacker could know the email address used as a username and do nothing with it because they don’t know your password. They use brute force attacks to guess the password associated with the username.

A reverse brute force attack works in the opposite direction.

The hacker already has your password. That means they need to guess your account number, username, or email address, depending on what your online account uses. This is often a faster form of brute force attack because people often use their email addresses or names as usernames. All the hacker has to do is try multiple usernames until they get a hit.

Brute Force Attack Examples

“Okay,” you might think to yourself. “Brute force attacks sound bad. But I don’t use weak passwords. My complex passwords will save me from any hacking attempts.”

Unfortunately, that isn’t always the case.

There are plenty of examples of brute force attacks that show that even companies with huge financial resources can fall victim to data breaches.

The Alibaba Attack

In 2016, hackers used a database containing 99 million usernames and passwords to launch a password spraying brute force attack on Alibaba. The attack was simple. Enter each username and password individually to see which worked.

The result was 20.6 million compromised accounts. In other words, about 20% of the usernames and passwords in the hackers’ database worked.

While Alibaba’s own systems weren’t breached, the company had to absorb the fact that millions of accounts were stolen and there was little it could do about it.

A Brute Force Attack Shuts Down Remote Access for British Parliament

Midway through 2017, officials from Britain’s parliament announced that their network had experienced a sustained brute force attack. The aim was simple. Hack the emails of peers, staff, or members of parliament (MPs).

The attack appeared to be a combination of dictionary and simple brute force, with the hackers trying to access accounts using common and weak passwords. The good news is that parliamentary IT experts discovered the attack quickly. Still, they had to shut down remote access to emails and parliamentary accounts, preventing Britain’s MPs from working.

Later reports suggested that some MPs’ passwords were made available for sale via the dark web.

A Canadian Revenue Agency Attack Compromises 11,000 Accounts

The Canadian Revenue service experienced a brute force attack in 2020 that led to 11,000 accounts getting compromised. Worse yet, these weren’t the accounts of government officials. Instead, they were accounts that Canadian citizens used to access several of the agency’s support services and programs.

This attack was a perfect example of credential stuffing.

The hackers gained access to a list of stolen login credentials used for other types of accounts. They then launched an attack using those details to access the accounts of anybody who used the same password across multiple online accounts.

The Costly Dunkin’ Donuts Attack

Who’d want to launch a brute force attack on Dunkin’ Donuts?

Hackers who realized that the donut franchise has an online app that asks users to enter their payment details.

Using brute force techniques, hackers managed to log in to 19,715 accounts in just five days. Once they’d achieved access, the hackers could use the payment details logged in the accounts to steal money from the unwitting victims.

Dunkin’ Donuts’ response to the attack was the worst imaginable:

It didn’t tell anyone.

Users of the app couldn’t take measures to protect themselves because the donut franchise kept the attack to themselves. Dunkin’ Donuts eventually had to pay $650,000 as part of a settlement for a lawsuit launched against it.

Brute Force Can Still Work

Brute force attacks may be one of the oldest forms of hacking out there. But they’re still effective. Even the most basic brute force attack can compromise accounts due to so many people using weak passwords. And if the account providers don’t have measures in place to limit login attempts, brute force hackers can just keep trying until they get it right.

What can you do to avoid brute force attacks?

By understanding how brute force password cracking techniques work, you can limit the chances of an attack affecting you.

Using strong passwords is a good start. Brute force attacks rely on people not being vigilant. Long and complex passwords are a lot harder to crack than simple passwords that use your name or something related to you.

It’s also a good idea to stop using the same password across multiple websites. Hackers only need to get access to one set of login credentials to access them all if you’re not using a variety of passwords.

Resources

• Kaspersky
• Crowdstrike
• MakeUsOf
• BBC

Frequently Asked Questions