Just when you thought it was safe to go outs… er, online, they dream up new ways to mess with us!
When we think about cyberattacks, elaborate headline-making attacks often come to mind, or the more common threats we are all familiar with, like email phishing and password hacks. In reality, cyberattacks are much more discreet, almost invisible, and many that are not commonly talked about could be catastrophic to your league if carried out.

Here is a quick-and-dirty guide to 20 types of cyberattacks you’ve likely never heard of before now. For full details about each, check out the 8-minute video so you can better protect your business and your family.

  1. RANSOMWARE AS A SERVICE: An attacker rents out ransomware to other cybercriminals who don’t have the tech knowledge or resources to launch effective attacks.
    Goal: Make a profit selling illegal software.
    How it’s done: Like a regular business, the attacker offers services on the dark web or underground browser, not typical channels. Those willing to pay get a user-friendly interface and tech support to help them commit crimes.
  2. DOMAIN NAME SERVICE (DNS) SPOOFING: The attacker redirects traffic from a legitimate website to a fake one.
    Goal: Stealing sensitive information.
    How it’s done: When you type a URL or search term into your browser, the attacker intercepts the request and sends back a fake response that directs you to a malicious website. When you enter your credentials, the attacker can use them to access your real account.
  3. TYPOSQUATTING: An attacker uses an intentional typo to trick you into visiting a fake website.
    Goal: Stealing sensitive information.
    How it’s done: Attackers register domain names that look almost identical to their real counterparts. For example, Goggle looks a lot like Google, especially in a link. The attack can be used on those who accidentally misspell a URL or click on a link with a similar spelling.
  4. KEYLOGGING: An attacker records every keystroke made on a device to access usernames and passwords.
    Goal: Steal sensitive information.
    How it’s done: The attacker uses software to record everything a person types into a device. Keyloggers can monitor the data to recognize sensitive information like payment info, usernames, and passwords.
  5. SQL INJECTION: The attacker exploits vulnerabilities in a website or app to gain access to its database, change or delete data, and/or make permanent alterations to the website or application.
    Goal: Steal sensitive information.
    How it’s done: This one is a little more technical, but in short, if an application builds dynamic database queries that use user-supplied input (think entering your name, credit card, etc., into fields on a website), an attacker can enter their own SQL code into a field, and the application will take the attacker’s code and execute it on the database.
  6. ZERO DAY: An attacker uses previously unknown vulnerabilities to target a specific site.
    Goal: Varies depending on the opportunity presented by the vulnerable website.
    How it’s done: The attacker learns of the vulnerability through personal experimentation or when the vulnerability is made public, and exploits it before it’s widely known and an update or patch is created.
  7. CROSS-SITE SCRIPTING: The attacker injects malicious code into a trusted website which can then be executed by users who visit the site.
    Goal: Steal sensitive information.
    How it’s done: You view a post, and the script runs on your browser, giving the attacker access to information retained by the browser.
  8. ADVANCED PERSISTENT THREAT ATTACKS: Attackers conduct complex, targeted attacks that are usually aimed at specific organizations.
    Goal: Varies but is usually related to gaining a profit from organizational data or PII.
    How it’s done: An intruder gains access to a system and remains undetected while stealing data over a prolonged period of time.
  9. EAVESDROPPING: The attacker intercepts and listens in on communication between two parties to gather valuable information.
    Goal: Gain information to carry out attacks that will provide access to an organizational system.
    How it’s done: The attacker gains access to a network in which traffic isn’t secured and data isn’t encrypted. Monitoring conversations can allow them to gather information to gain access to sensitive data.
  10. WATERING HOLE ATTACKS: An attacker infects a website that is frequently visited by a targeted group to compromise their devices or steal sensitive info.
    Goal: To gain access to a connected corporate network and steal information like PII, banking details, and intellectual property.
    How it’s done: Various attack methods, from zero-day exploits to phishing, may be used to gain access.
  11. BOTNETS: Networks of compromised devices controlled by an attacker are used to carry out attacks.
    Goal: Varies but usually includes stealing sensitive information or denial of service attacks.
    How it’s done: An attacker targets devices with poor security and installs malware that uses the devices to automatically carry out larger attacks on targeted victims.
  12. SOCIAL MEDIA ATTACKS: An attacker uses social media to spread malware or steal information.
    Goal: Varies based on the attacker’s intention: manipulate people into sharing information that they shouldn’t share, downloading software that they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals or making other mistakes that compromise their personal or organizational security.
    How it’s done: Attackers use a variety of tactics to engage users on platforms they trust, such as phishing, social engineering, fake giveaways, likejacking, brand impersonation, and affiliate scams.
  13. WIFI ATTACKS: The attackers exploit vulnerabilities in Wi-Fi networks to gain access to operational systems.
    Goal: Gain access to information or sensitive data.
    How it’s done: Attackers gain access to your Wi-Fi connection and then connect to it or redirect it. This allows them to gain access to sensitive information while you’re using Wi-Fi.
  14. BAIT AND SWITCH ATTACKS: The attacker entices a user to install seemingly legit software that turns out to be malware.
    Goal: Gaining access to systems and data.
    How it’s done: Similar to any type of advertising, attackers use engagement tactics to sell ideas to users.
  15. FILELESS MALWARE: An attacker uses fileless malware to inject malicious code directly into your device’s memory. These attacks are particularly hard to detect because the malware isn’t stored on your computer’s hard drive.
    Goal: Varies; the injected code can be used to perform various actions.
    How it’s done: The attacker uses a phishing email or a post with a link to convince victims to download malware with a single click.
  16. SUPPLY CHAIN ATTACKS: An attacker targets a popular supplier or vendor that works with many companies across various industries.
    Goal: Gain access to many organizational systems to profit from stealing PII or other sensitive data.
    How it’s done: Attackers launch different types of attacks on third-party vendors to gain system access.
  17. CREDENTIAL STUFFING: The attacker uses stolen login credentials from one source to try to gain access to others.
    Goal: Typically to gain access to valuable organizational data or to commit identity fraud.
    How it’s done: Attackers steal credentials from the most vulnerable login access points and try to use them on more secure (and potentially damaging) sites or access points.
  18. INTERNET OF THINGS (IOT) ATTACKS: An attacker exploits the vulnerability of low-security IoT-connected devices to gain system access and potentially access devices used to control them.
    Goal: Gain access to protected systems or devices.
    How it’s done: IoT and some smart-home devices are notoriously vulnerable from the factory because they aren’t considered a target. Attackers use them as an access point to gain access to secure devices and data.
  19. SOCIAL ENGINEERING ATTACKS: An attacker manipulates individuals to gain access to sensitive information.
    Goal: Stealing sensitive data for profit or manipulating users into taking actions like sending money or their personal banking information, etc.
    How it’s done: The attacker contacts victims directly, masquerading as a known entity or individual and then employs the four phases of the social engineering cycle: information gathering, relationship development, exploitation, and execution. The most common assaults attackers use are baiting, scareware, pretexting, phishing, and spear phishing.
  20. CRYPTOJACKING: The attacker(s) use a victim’s computing resources to mine cryptocurrency without their knowledge or consent.
    Goal: To make a profit from cryptocurrency.
    How it’s done: Attackers hack into systems using various methods and install cryptojacking software that works in the background to mine cryptocurrency or steal from cryptocurrency wallets.
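
Item 5 (SQL injection) in code, as an added example that is not part of the original article: the same lookup written once with string concatenation and once with a bound parameter. The `members` table, its rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed input: closes the quoted value, then adds a condition that is always true.
CRAFTED_INPUT = "x' OR '1'='1"

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return db

def lookup_vulnerable(db, name):
    # VULNERABLE: the input is pasted into the SQL text, so the database
    # cannot tell the user's data apart from the query itself.
    query = "SELECT name, card_last4 FROM members WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, name):
    # HARDENED: the ? placeholder passes the input as a bound value; it is
    # compared as a plain string and never parsed as SQL.
    query = "SELECT name, card_last4 FROM members WHERE name = ?"
    return db.execute(query, (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for label, value in [("normal", "alice"), ("crafted", CRAFTED_INPUT)]:
        print(label, "vulnerable:", lookup_vulnerable(db, value))
        print(label, "safe:      ", lookup_safe(db, value))
```

With the crafted input the concatenated query returns every row, while the parameterized one returns none. A legitimate name containing an apostrophe also breaks the concatenated version with a syntax error.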
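
For item 3 (typosquatting), one way a defender can flag look-alike links before anyone clicks them; this is an added example, not from the original article. The trusted list, `example-club.org` and the function names are assumptions, and comparing only the last labels of the hostname is a simplification.

```python
from urllib.parse import urlsplit

# Assumed allowlist of domains the club really uses (constructed sample).
TRUSTED = ["google.com", "example-club.org"]

def osa_distance(a, b):
    """Edits needed to turn a into b: insert, delete, substitute, swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "googel" vs "google".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def host_of(link):
    """Lowercase hostname of a URL or of a bare 'host/path' string."""
    parts = urlsplit(link if "://" in link else "//" + link)
    return (parts.hostname or "").lower()

def tail(host, good):
    """Last labels of host, as many as the trusted domain has."""
    return ".".join(host.split(".")[-(good.count(".") + 1):])

def check_link(link, trusted=TRUSTED, max_edits=1):
    """Return ('trusted'|'lookalike', domain) or ('unknown', None)."""
    host = host_of(link)
    for good in trusted:              # exact match or a subdomain of it
        if tail(host, good) == good:
            return ("trusted", good)
    for good in trusted:              # within max_edits of a trusted name
        if osa_distance(tail(host, good), good) <= max_edits:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    for link in ["https://mail.google.com/", "https://www.goggle.com/login",
                 "googel.com", "example.net"]:   # constructed sample links
        print(link, "->", check_link(link))
```

An "unknown" result only means the domain is not near anything on the list; it is not a verdict that the link is safe.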

Given this extensive list of threats, it’s easy to see why it’s so hard to protect sensitive data against determined cybercriminals. Safeguarding your club requires a comprehensive cybersecurity plan, the implementation of cybersecurity best practices and the right cyber insurance coverage.

CYBERSECURITY HOT TIP

Recover from all types of attacks with a strong cyber insurance policy
Unfortunately, there is no one action you can take to protect your league’s systems from the various types of attacks. However, the right cyber insurance policy can help you deal with the financial fallout related to a breach. You may be surprised at how affordable a cyber policy is, and the premium is definitely much cheaper than the expense of remediating an attack. Be sure to work with an insurance advisor who specializes in cyber for the sports industry and has experience dealing with cyber insurance claims since that is when you will need his or her expertise the most. But hopefully after reading our blog you have taken steps to protect yourself, your members and your family from the never-ending barrage of attacks you don’t see coming.

About the Author
Brad Preston is a client advisor at World Insurance Associates (World) specializing in the Sports industry. Prior to World, he spent more than 20 years at Advanced Event Systems and SportsEngine where he worked closely with the JVA and other member clubs in the volleyball space. He is well versed in club operations, staff, and member management, and most importantly, the use of technology and its inherent cyber risks. The JVA and World have partnered together to bring JVA Members educational articles and content to help you learn about your unique cyber risks and exposures, and how to better protect your businesses, members, and families in general. Feel free to reach out to Brad directly with any questions at bradpreston@worldinsurance.com