How to Avoid the Most Dangerous Website Attacks
and Sabrina Korber
Every minute in the U.S., 19 people fall victim to identity theft, according to credit bureau TransUnion.
Consumers can unintentionally leak a deluge of personal information as they shop online and surf the Web. That's because websites can house coding flaws and other vulnerabilities that attract malicious hackers, who are prowling the Internet for consumers' personal information.
"Out of all the websites we've scanned, 75 percent of them have a vulnerability on the first scan," said Ainsley Braun, co-founder and CEO at Tinfoil Security, which specializes in website security.
Even large, well-known companies' websites can be vulnerable.
Braun said scans for potential vulnerability found 30 percent of Fortune 1000 companies have website flaws. Vulnerabilities also were discovered among some of the most visited websites, as tracked by the Alexa Rank of the top 500 sites.
Customer data loss, in fact, is a growing concern. A survey of information security professionals by cybersecurity company Trustwave found 58 percent of IT professionals worry about customer data theft. That concern eclipsed IT professionals' worries about international property theft, damage to reputation, and fines and legal action, according to the survey.
Here are some of the most dangerous kinds of attacks on websites, according to Braun and Michael Borohovski, co-founder and chief technology officer at Tinfoil.
Every time you log into a website, your computer receives a small piece of data called a cookie -- information about your user session so you do not need to log in again when you visit a new page. %VIRTUAL-article-sponsoredlinks%If the website does not secure that cookie, your data is vulnerable.
The Open Web Application Security Project -- a nonprofit focused on improving software security -- also cited cookies as a potential threat. A hacker can gain access to a cookie on an unsecured wireless network and hijack a user's website session, potentially gaining access to private data, according to the group's 2013 report.
"For example I'm at ... Starbucks or something like that, an attacker who is listening for all of the network traffic that is flying around him can actually pull down the cookie since your information, your session information, is not secured and [they can] impersonate you on that website," said Tinfoil's Borohovski.
Another kind of dangerous website attack occurs when it's unclear if the user is browsing the authentic website, or a fake site that's masquerading as the real thing. This type of attack is called cross-site scripting.
The attack starts once you click on a malicious link, which redirects traffic to the attacker's site. Cybercriminals then take advantage of users who are unaware they've been forwarded to a malicious site and innocently give up their username, password and potentially other bits of personal information.
The effects of cross-site scripting can be lasting.
"In some cases, cross-site scripting has been used to actually install malware on users' computers and thus maintain sort of a persistent attack on a user," Tinfoil's Borohovski said.
Borohovski said he believes database injection -- which can release a website's user information -- is the most devastating kind of website attack. According to OWASP's 2013 report, injection attacks, including database injection, were the top security issue.
"What an attacker can do with a database injection basically is rather than simply using the website to insert their own data, they could actually trick the database into dumping out all of their other data, of the other customer data," Borohovski explained.
Protecting Your Information
To protect yourself from these website attacks, Borohovski recommends using different passwords for different websites. This way, even if one account is compromised, the rest are safe.
Tinfoil suggests being cautious about sharing information on unsecured wireless networks, such as those in public places.
Also, check to see if the website you are on is secure. Most browsers will display a lock symbol to show a site is secure.
"Most browsers will also display a warning if that certificate has been tampered with, or modified, or if somebody is potentially listening in, in the middle of the connection," Borohovski said. "If that is the case, the user should not go ahead and click 'I want to go there anyway.' They should stop."
More from CNBC
- Google 'Pretty Sure' Your Data Is Safe
- How Cybersecurity Pros Really Feel About Hackers
- Cybersecurity Industry At War With Itself