Dangerous website attacks—and how to avoid them

Every minute in the U.S., 19 people fall victim to identity theft, according to credit bureau TransUnion.

Consumers can unintentionally leak a deluge of personal information as they shop online and surf the web. That's because websites can house coding flaws and other vulnerabilities that attract malicious hackers, who are prowling the Internet for consumers' personal information.

"Out of all the websites we've scanned, 75 percent of them have a vulnerability on the first scan," said Ainsley Braun, co-founder and CEO at Tinfoil Security, which specializes in website security.

Even large, well-known companies' websites can be vulnerable.

Braun said scans for potential vulnerability found 30 percent of Fortune 1000 companies have website flaws. Vulnerabilities also were discovered among some of the most visited websites, as tracked by the Alexa Rank of the top 500 sites.

Customer data loss, in fact, is a growing concern. A survey of information security professionals by cybersecurity company Trustwave found 58 percent of IT professionals worry about customer data theft. That concern eclipsed IT professionals' worries about international property theft, damage to reputation, and fines and legal action, according to the survey.

Here are some of the most dangerous kinds of attacks on websites, according to Braun and Michael Borohovski, co-founder and chief technology officer at Tinfoil.

Insecure cookies

Every time you log into a website, your computer receives a small piece of data called a cookie—information about your user session so you do not need to log in again when you visit a new page. If the website does not secure that cookie, your data is vulnerable.

The Open Web Application Security Project (OWASP)—a nonprofit focused on improving software security—also cited cookies as a potential threat. A hacker can gain access to a cookie on an unsecured wireless network and hijack a user's website session, potentially gaining access to private data, according to the group's 2013 report.

"For example I'm at … Starbucks or something like that, an attacker who is listening for all of the network traffic that is flying around him can actually pull down the cookie since your information, your session information, is not secured and [they can] impersonate you on that website," said Tinfoil's Borohovski.
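As an added illustration (not part of the original article), a site owner can check whether the cookies a site sets carry the attributes that keep a session cookie off an open network. The cookie name and header values below are constructed samples.

```python
# Added example: report which protective attributes a Set-Cookie header lacks.
# Header values below are constructed samples, not taken from any real site.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sessionid=abc123; Path=/; HttpOnly; SameSite=None",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header):
    """Return the list of weaknesses found in one Set-Cookie header."""
    _name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plain HTTP,
        # where anyone on the same network can read it.
        findings.append("missing Secure")
    if "httponly" not in attrs:
        # Without HttpOnly, scripts running in the page can read the cookie.
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        # Missing or SameSite=None: the cookie rides along on cross-site requests.
        findings.append("SameSite not Lax/Strict")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_cookie(header) or "ok")
```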

Cross-site scripting

Another kind of dangerous website attack occurs when it's unclear if the user is browsing the authentic website, or a fake site that's masquerading as the real thing. This type of attack is called cross-site scripting.

The attack starts once you click on a malicious link, which redirects traffic to the attacker's site. Cybercriminals then take advantage of users who are unaware they've been forwarded to a malicious site and innocently give up their username, password and potentially other bits of personal information.

The effects of cross-site scripting can be lasting.

"In some cases, cross-site scripting has been used to actually install malware on users' computers and thus maintain sort of a persistent attack on a user," Tinfoil's Borohovski said.

Database injection

Borohovski said he believes database injection—which can release a website's user information—is the most devastating kind of website attack. According to OWASP's 2013 report, injection attacks, including database injection, were the top security issue.

"What an attacker can do with a database injection basically is rather than simply using the website to insert their own data, they could actually trick the database into dumping out all of their other data, of the other customer data," Borohovski explained.
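An added example, not from the original article, shows why this happens and how developers prevent it: the same lookup written with string concatenation and with a parameterized query, run against an in-memory SQLite database. The table, names and input string are constructed for illustration.

```python
# Added example: a lookup that treats form input as SQL versus one that
# treats it strictly as data. All rows and names are constructed samples.
import sqlite3

# Constructed input of the kind a web form might receive.
CRAFTED_INPUT = "x' OR '1'='1"


def make_db():
    """Build a throwaway in-memory customer table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return db


def lookup_vulnerable(db, name):
    # The input is pasted into the SQL text, so the database parses it as
    # part of the query and the WHERE clause can be rewritten by the user.
    query = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, name):
    # The ? placeholder passes the input as a value only; it is compared
    # against the name column and never parsed as SQL.
    query = "SELECT name, email FROM customers WHERE name = ?"
    return db.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input: ", lookup_vulnerable(db, "alice"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, CRAFTED_INPUT))
    print("parameterized, crafted:   ", lookup_parameterized(db, CRAFTED_INPUT))
```

With the concatenated query the crafted input returns every customer row; with the parameterized query it matches no one.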

Protecting your information

To protect yourself from these website attacks, Borohovski recommends using different passwords for different websites. This way, even if one account is compromised, the rest are safe.

Tinfoil suggests being cautious about sharing information on unsecured wireless networks, such as those in public places.

Also, check to see if the website you are on is secure. Most browsers will display a lock symbol to show a site is secure.

"Most browsers will also display a warning if that certificate has been tampered with, or modified, or if somebody is potentially listening in, in the middle of the connection," Borohovski said. "If that is the case, the user should not go ahead and click 'I want to go there anyway.' They should stop."

By CNBC's Jennifer Schlesinger and Sabrina Korber. Follow Schlesinger on Twitter @jennyanne211
