What Is a Cyberattack? Types, Examples, and How to Stop One

A) Malware attacks (including virus infections)

Malware is malicious software designed to compromise, damage, spy, or steal.

Viruses

A virus spreads by infecting files/programs. Some are destructive (corrupt/delete data), while others focus on stealth and credential theft.

Worms

A worm spreads without attaching to a host file. Worms can move rapidly across networks. Some newer concepts are sometimes described as AI worms—worms that use adaptive logic to choose propagation paths, modify payload behavior, or evade defenses based on feedback from the environment.

Trojans

A trojan is malware disguised as something legitimate—often bundled with pirated software, fake installers, or “urgent updates.”

Spyware and keylogging

Spyware collects sensitive information. Keyloggers specifically capture keystrokes, which is why password managers help: they reduce typing of passwords.

Rootkits

Rootkits hide malicious activity and help attackers maintain stealth.

Ransomware

Ransomware encrypts data and demands payment. Modern ransomware often includes:

• Double extortion (steal first, encrypt second)
• Lateral movement to hit many systems
• Deleting backups and tampering with recovery paths

Botnets and cryptojacking

Botnets are compromised-device networks used for DDoS, credential attacks, spam, and more. Cryptojacking steals compute to mine cryptocurrency.

Where infections come from: malicious websites, cracked software, infected attachments, supply-chain tampering, and exploited vulnerabilities.

B) Fileless malware and “living off the land”

Not all attacks drop obvious malware files.

Fileless malware executes in memory using native tools (PowerShell, WMI, .NET) and may use LOLBins (legitimate binaries) to blend in.

Why it’s hard: signature-based antivirus looks for known malicious files. Fileless attacks look like normal administrative activity—until you correlate context.

Defenses that work:

• Behavioral EDR + centralized logs
• Restrict/monitor scripting (especially on admin workstations)
• Application allowlisting for high-risk environments
• Alerting on suspicious process chains (Office → PowerShell, browser → script host)

C) Social engineering (phishing, impersonation, and AI-enhanced scams)

Social engineering uses psychology instead of code: urgency, fear, authority, curiosity, and routine.

Phishing (the classic)

Attackers impersonate trusted brands or colleagues. Many phishing operations recycle the same brand templates because they work. Some research has found that an overwhelming share of phishing attempts impersonate a relatively small pool of household-name brands (on the order of a few hundred), because familiarity boosts click-through and credential theft.

Common paths:

• Link to a fake login page (credential harvest)
• Attachment that drops malware
• “Verify your account” message that steals tokens

Spear phishing and whaling

Targeted phishing that uses personal details (role, projects, reporting lines) to raise credibility.

Business email compromise (BEC)

BEC targets payment workflows: fake vendor invoices, “urgent wire transfers,” payroll rerouting, gift-card fraud.

Smishing, quishing, and callback phishing

• Smishing: SMS-based lures.
• Quishing: QR-code phishing that hides the destination.
• Callback phishing: messages that push you to call a fake help number.

MFA fatigue and token theft

Attackers bombard users with push prompts until one is approved. More advanced kits steal session tokens via reverse proxy, letting attackers reuse the authenticated session.

Deepfake voice scams

Voice synthesis can be “good enough” to pass a quick phone call—especially when paired with urgency.

What actually helps:

• Verification processes built into workflows (“call back on known numbers”)
• Phishing-resistant MFA (passkeys/FIDO2) for high-value accounts
• Conditional access (device + risk + location + behavior)
• Training that includes modern lures (QR codes, MFA fatigue, help-desk pretexting)

D) Password and credential attacks (the fastest way in)

Credential stuffing

Attackers buy leaked username/password pairs and try them across many services.

Password spraying

Trying common passwords across many accounts (avoids lockouts).

Brute force and dictionary attacks

Systematically guessing passwords—blocked by rate limits, lockouts, and strong passwords.

Credential dumping

Extracting credentials from memory or local stores, then using them for lateral movement.

Session hijacking (cookies/tokens)

Stealing session cookies or tokens can bypass MFA because the attacker reuses an already-authenticated session.

Defenses:

• Password managers + unique passwords
• MFA/passkeys, especially for admin accounts
• Rate limits and bot mitigation
• Monitoring for impossible travel, new device fingerprints, token replay
• Rapid secret rotation after incidents

E) Web and API attacks (SQLi, XSS, SSRF, and logic abuse)

Web apps and APIs are high-value because they often connect directly to customer data and internal systems.

SQL injection (SQLi)

SQLi occurs when unsanitized input becomes part of a database query. Attackers can extract data, modify records, or gain administrative control.

Defenses: parameterized queries, strict input validation, least-privilege DB accounts, WAF rules, and secure coding discipline.

Cross-site scripting (XSS)

XSS injects scripts into pages so they run in the user’s browser—stealing sessions, redirecting to malicious websites, or capturing inputs.

CSRF

CSRF tricks an authenticated user’s browser into performing unwanted actions.

Clickjacking and formjacking

• Clickjacking hides actions behind UI tricks.
• Formjacking skims form fields (often payment data).

SSRF

SSRF forces servers to request internal resources (including cloud metadata services), which can lead to privilege escalation.

Broken access control and business logic abuse

Many severe breaches come from authorization mistakes—not “hacker magic.” If a user can change an ID and see someone else’s invoice, you have a business-logic vulnerability.

Defenses that work:

• OWASP-focused secure development (SAST/DAST + code review)
• Strong authz enforcement and object-level access checks
• API inventory + consistent auth on every endpoint
• Rate limits and anomaly detection on sensitive workflows

F) Network attacks (DoS/DDoS, DNS tunneling, spoofing, MitM)

DoS and DDoS

DoS overwhelms a target system. DDoS does it from many sources—often botnets of compromised IoT devices.

Multi-terabit DDoS floods have become common in the modern landscape, and some campaigns have exceeded the multi‑terabit-per-second range.

DDoS categories include:

• Volumetric floods (bandwidth exhaustion)
• Protocol attacks (resource exhaustion at network layers)
• Application-layer (Layer 7) attacks (login/search/checkout endpoints)

Many DDoS operations use botnets assembled from compromised IoT devices and routers (Mirai-style botnets and their variants are a well-known example). DDoS is also sometimes used as a distraction while attackers attempt intrusion elsewhere.

DNS tunneling

DNS is ubiquitous, so attackers hide data and commands inside DNS queries to bypass security controls.

Spoofing (ARP/DNS)

Spoofing can redirect traffic or impersonate systems:

• ARP poisoning redirects local network traffic.
• DNS spoofing misleads users to fake destinations.

Man-in-the-middle (MitM)

MitM intercepts and may modify communications—often via insecure public Wi‑Fi or rogue access points. A related risk is eavesdropping (packet sniffing), where an attacker captures and analyzes traffic to steal logins, session data, or other sensitive information when encryption is weak or absent.

Defenses:

• Encrypt traffic (TLS everywhere; VPN on untrusted networks)
• Monitor DNS and outbound traffic anomalies
• Segment networks; restrict east-west movement
• DDoS protection + rate limiting

G) Supply-chain attacks (vendors and software pipelines)

Supply-chain attacks succeed because they ride trust.

Common patterns:

• Breaching a vendor with access to the target
• Poisoning dependencies (typo-squatting, repo-jacking, dependency confusion) in popular ecosystems (for example, package registries used for JavaScript, Python, and container images)
• Tampering with CI/CD pipelines or build artifacts
• Malicious update injection

Defenses:

• Tight third-party access (least privilege + monitoring)
• SBOMs and dependency scanning
• Build provenance and code signing
• Secrets management for CI/CD (short-lived, scoped credentials)
• Segmentation of build systems and production

H) Cloud-native attacks (misconfigurations + stolen identity)

Cloud breaches often stem from preventable mistakes:

• Public storage buckets or permissive sharing
• Overprivileged IAM roles and service accounts
• Stolen session cookies and OAuth tokens
• Exposed dashboards (Kubernetes, admin consoles)

Attackers may never drop malware. They may simply impersonate a legitimate identity and use native cloud APIs.

In containerized and Kubernetes-heavy environments, attackers may also:

• Exploit overly permissive runtime permissions to escape containers
• Inject malicious sidecars or tamper with deployment manifests
• Abuse exposed dashboards or kubelet settings to pivot to the host
• Traverse environments via weak secrets management (tokens in config maps, long-lived keys)

These are “cloud-native” compromises because they exploit orchestration and identity—not just endpoints.

Defenses:

• Least privilege for IAM (no wildcards)
• Conditional access and device posture checks
• Reduce long-lived keys; rotate secrets
• Monitor cloud audit logs for abnormal role assumptions
• Prioritize high-risk misconfigurations (public exposure + privilege escalation)

I) IoT and OT/ICS attacks

IoT attacks

IoT devices often have weak defaults and poor patching. Compromised devices can join botnets for DDoS or serve as entry points.

OT/ICS attacks

Industrial systems often use unauthenticated protocols (Modbus, DNP3, Profinet). If attackers reach OT networks, they can manipulate processes, sensor values, and safety systems.

Defenses:

• Asset inventory + segmentation
• Remove default credentials
• Restrict management interfaces
• Monitor anomalies in OT traffic
• Protect “bridge” systems connecting IT and OT

J) Zero-day exploits and APT-style campaigns

A zero-day targets a vulnerability unknown to the vendor or unpatched at the time. APT-style campaigns focus on stealth and long dwell time.

Even if you’ll never face a “Hollywood APT,” many modern criminal groups borrow APT techniques—because the tools are widely available.

K) Tools, platforms, and infrastructure attackers use

Attackers rarely build everything from scratch anymore. They operate in a mature ecosystem that looks a lot like legitimate software development:

• Post-exploitation frameworks: tools like Cobalt Strike (often abused via cracked versions) and newer alternatives like Sliver and Havoc support payload staging, command execution, lateral movement, and stealthy beaconing.
• Offensive toolkits: frameworks such as Metasploit lower the barrier to exploitation and payload delivery; other toolchains (including PowerShell-focused frameworks like Empire) specialize in memory execution and Windows-native tradecraft.
• Initial-access brokers (IABs): compromised access to VPNs, RDP, and cloud consoles is bought and sold. This collapses the time between “someone got in” and “ransomware hit production.”
• Credential harvesting at scale: infostealers, phishing kits, and breach dumps feed account takeover, especially when password reuse exists.
• Command-and-control camouflage: C2 infrastructure may hide in normal traffic (HTTPS, DNS) or sit behind trusted services (for example, cloud storage shares, code snippets, or document platforms) so traffic blends in with legitimate business use. The goal is to look boring.
• Exploit economies: zero-day vulnerabilities can be brokered privately, while bug bounty programs incentivize responsible disclosure—creating a tension between public safety and private monetization.

If this sounds “organized,” it is. Modern cybercrime is modular: one group gets access, another sells it, another deploys ransomware, another negotiates.