Script kiddies might sound like they’re just mischievous teenagers up to no good. While this is often the case, script kiddies don’t actually have to be youngsters with malicious intent. They could be adults too.
Even so, whether young or old, script kiddies can cause you some real damage if you’re not careful.
Who Are Script Kiddies?
Simply put, a script kiddie is a wanna-be hacker who doesn’t have the skills or knowledge to carry out sophisticated cyberattacks. Instead, they rely on pre-written scripts and programs developed by others to penetrate networks and systems.
Think of someone who downloads a ready-made hacking tool and uses it to gain unauthorized access to someone’s computer. They didn’t code the tool themselves–they just executed it. That’s essentially what a script kiddie does.
Some common characteristics of script kiddies include:
- Little to no programming knowledge: They can’t code their own hacking tools from scratch.
- Motivated by reputation rather than ethics: They hack to brag about their “skills.”
- Target easy victims: Script kiddies go after low-hanging fruit like personal websites, rather than particularly secure and professional networks.
- Use brute force techniques: They rely on blunt hacking programs to crack passwords and overwhelm systems.
- Attack for disruption: They seek attention and controversy through disruptive attacks rather than financial gain.
While lacking sophistication, script kiddies can still inflict damage through common mischievous techniques.
The Common Tactics Script Kiddies Use
Script kiddies may not be highly skilled, but they can still cause serious headaches with cyber antics. Here are some of the most common tactics they rely on.
1. Denial-of-Service (DoS) Attacks
Script kiddies use brute force attacks to overwhelm websites and online services by flooding them with more traffic than they can handle and subsequently crashing them. They are big on using DDoS tools like Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC), or Botnets that they didn’t code themselves to flood targets with junk requests and take them offline.
For example, the hacking group Lizard Squad comprising 17-year-old Julius “zeekill” Kivimaki, took down Xbox Live and PlayStation Network with DoS attacks in 2014 using off-the-shelf tools.
2. SQL Injection
The SQL injection technique involves finding vulnerable websites and inserting malicious SQL database queries into input fields like login forms or search bars. If successful, the attacker can access, modify, or delete a site’s backend data.
The script kiddie just needs to find an insecure website and plug the SQL injection code into a simple form field.
3. Phishing Attempts
Script kiddies use basic social engineering scams to trick unwitting users into handing over passwords or sensitive info. This includes spamming out fake login pages for common sites like Google or Facebook. Or sending phony “account suspended” emails to get victims to enter their credentials on the attacker’s bogus site.
While easy to spot for many, these phishing attempts still hook the less tech-savvy.
4. Password Cracking
Without the skill to write their own password-cracking tools, script kiddies turn to programs like Cain and Abel to launch brute-force dictionary attacks. They’ll also simply guess weak passwords like “123456” or crack hashed passwords leaked in database dumps.
They take advantage of common human tendencies like using simple passwords or reusing them across sites.
5. Website Defacements
Quick hijackings to plaster weird images or offensive graffiti—such as “Hacked by [hacker name]”—on websites is a calling card of script kiddies looking to troll and get attention.
In one of the largest website defacement sprees ever, a script kiddie known as iSKORPiTX managed to hack several thousands of websites in a single attack in May 2006 (as per The Hacker News).
As we can see, script kiddies rely on rudimentary yet sometimes effective techniques to cause disproportionate disruption. Understanding their tactics is key to protecting yourself against these reckless, wannabe hackers.
How to Defend Against Script Kiddie Attacks
First things first: know what you’re up against. Script kiddies are basically novice hackers who use scripts and tools developed by others to carry out cyberattacks. They often go after easy targets because they don’t have the skills to break into sophisticated systems.
The good news is, their attacks are generally not especially advanced. However, the bad news is, tons of free hacking tools are out there that anyone can download and use to target you. Here’s how to protect yourself.
1. Use Strong Passwords
Weak, easy-to-guess passwords are a welcome mat for script kiddies looking to brute force their way into accounts. Instead of “password123”, create unique passwords with up to 15+ random characters, numbers, capital letters, and symbols. Thinkpassphraseslik3Th!sL0ngJibberish.
If you used a weak password like “baseball” across sites, script kiddies could compromise your eBay, bank, and email accounts in one go. (We advise against using the same password on numerous sites for this very reason.)
2. Enable Two-Factor Authentication
SMS codes, biometrics, and one-time push notifications can be a hacker’s worst nightmare. Even with a password to hand, script kiddies will be stopped in their tracks when 2FA is switched on.
Whether it’s a code texted to a phone, a fingerprint scan, or a notification on a separate device, the second factor keeps unauthorized logins out, even if hackers have obtained a stolen password.
While not completely foolproof against sophisticated attacks, enabling 2FA significantly improves security and makes life much harder for common script kiddie tactics.
3. Patch and Update Software
Updating your apps is like getting booster shots—it protects you against recently-found vulnerabilities. Script kiddies look for outdated software susceptible to their tools, much like how flu viruses prey on people who skip their flu shot. Automate updates so you don’t have to think about it.
Remember WannaCry ransomware, one of the most notorious malware attacks ever? Most of its damage came from neglecting Windows updates.
4. Use a VPN and Firewall
Most attack scripts sniff out target IP addresses as the first step. But hiding your IP behind a VPN or blocking access with a firewall breaks this link.
By masking or restricting your public IP address, script kiddies are unable to pinpoint your exact location and devices on the network. VPN services assign you a different virtual IP, cloaking your true address.
Firewalls create rules only to allow connections from trusted sources. Both mechanisms function as roadblocks that obstruct the attacker’s initial reconnaissance and render IP-based scripts ineffective.
5. Back Up Your Data
Ransomware and wiped files can lead to permanent data loss. Schedule regular backups so you can restore corrupted or encrypted data if a script attack hits your machine.
Automated backup solutions that run daily or weekly in the background create safe copies of your files on external drives or cloud storage.
Should a malicious script encrypt your data and demand payment, you can reject the ransom, knowing you have intact backups to revert to. Even an attack that irreversibly deletes or overwrites your files can be recovered by pulling from your backup archives.
Stay one step ahead of the script kiddie curve with these security practices. They may keep trying, but you’ll be too tough of a target.
Script Kiddies’ Lack of Skill Is Not a Lack of Risk
While they may not seem like formidable adversaries at first glance, script kiddies’ reckless use of attack tools can lead to real damage. You cannot afford to underestimate these crafty troublemakers.
So stay on top of protecting your devices, and you shouldn’t have too much to fear from these nuisances of the hacker world.