
Post on 01-Oct-2021


18EET452


2- TOOLS AND METHODS USED IN CYBERCRIME

STAGES OF AN ATTACK ON NETWORK

1) Initial covering: two stages

Reconnaissance- social networking websites

Uncovers information on company’s IP

2) Network probe

Ping sweep- seek out potential targets

Port scanning

3) Crossing the line toward electronic crime:

Commits computer crime by exploiting possible holes on the target system

4) Capturing the network:

Attacker attempts to own the network

Uses tools to remove any evidence of the attack

Trojan horses, backdoors

5) Grab the data:

Attacker has captured the network

Steal confidential data, customer CC information, deface WebPages…

6) Covering the attack:

Extend misuse of the attack without being detected.

Start a fresh reconnaissance to a related target system

Continue use of resources

Remove evidence of hacking

PROXY SERVERS AND ANONYMIZERS

PROXY SERVER

➢ A proxy server is a dedicated computer or a software system running on a computer that acts as an intermediary between an endpoint device, such as a computer, and another server from which a user or client is requesting a service.

➢ A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity.

Purpose of a proxy server

➢ Improve Performance:

➢ Filter Requests

➢ Keep system behind the curtain

➢ Used as IP address multiplexer

➢ Its Cache memory can serve all users

Attack on this: the attacker first connects to a proxy server, then establishes a connection with the target through the existing connection with the proxy.

PHISHING

➢ Stealing personal and financial data

➢ Also can infect systems with viruses

➢ A method of online ID theft

Work flow of phishing / How phishing works

1. Planning : use mass mailing and address collection techniques- spammers

2. Setup : E-Mail / webpage to collect data about the target

3. Attack : send a phony message to the target

4. Collection: record the information obtained

5. Identity theft and fraud: use information to commit fraud or illegal purchases

Example of phishing :

Sometimes spammers create fake pages that look like the Facebook login page. When you enter your email and password on one of these pages, the spammer records your information and keeps it. This is called phishing. The fake sites use a URL similar to Facebook.com in an attempt to steal people's login information. The people behind these websites then use the information to access victims' accounts and send messages to their friends, further propagating the illegitimate sites. In some instances, the phishers make money by exploiting the personal information they've obtained.

KEYLOGGERS

➢ Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of

recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person

using the keyboard is unaware that their actions are being monitored.

➢ It has uses in the study of human–computer interaction.

➢ There are numerous keylogging methods, ranging from hardware and software-based

approaches to acoustic analysis.

Types of Keylogger

1. Software-based keyloggers

Software-based keyloggers use the target computer’s operating system in various ways, including:

imitating a virtual machine, acting as the keyboard driver (kernel-based), using the application

programming interface to watch keyboard strokes (API-based), recording information submitted on

web-based forms (Form Grabber based) or capturing network traffic associated with HTTP POST

events to steal passwords (Packet analyzers).

Usually consists of two files: a DLL and an EXE.

2. Hardware keyloggers

Installing a hardware circuit between the keyboard and the computer that logs keyboard stroke activity

(keyboard hardware).

Target- ATMs

3. Acoustic keylogging

Acoustic keylogging monitors the sound created by each individual keystroke and uses the subtly

different acoustic signature that each key emits to analyze and determine what the target computer’s

user is typing.

AntiKeylogger

An anti-keylogger (or anti–keystroke logger) is a type of software specifically designed for the

detection of keystroke logger software; often, such software will also incorporate the ability to delete or

at least immobilize hidden keystroke logger software on your computer.


Benefits of Antikeyloggers

SPYWARES

Spyware is software that aims to gather information about a person or organization without their

knowledge and that may send such information to another entity without the consumer's consent, or that

asserts control over a computer without the consumer's knowledge.

TROJAN HORSES AND BACKDOORS

A Trojan horse, or Trojan, in computing is generally a non-self-replicating type of malware program

containing malicious code that, when executed, carries out actions determined by the nature of the

Trojan, typically causing loss or theft of data, and possible system harm

Examples of threats by Trojans

➢ Erase, overwrite or corrupt data on a computer

➢ Help to spread other malware such as viruses- dropper Trojan

➢ Deactivate or interfere with antivirus and firewall programs

➢ Allow remote access to your computer- remote access Trojan

➢ Upload and download files

➢ Gather e-mail addresses and use them for spam

➢ Log keystrokes to steal information – passwords, credit card numbers

➢ Copy fake links to false websites

➢ Slow down, restart or shut down the system

➢ Disable task manager

➢ Disable the control panel

BACKDOORS

➢ A backdoor in a computer system is a method of bypassing normal authentication, securing

unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to

remain undetected.

➢ Also called a trapdoor. An undocumented way of gaining access to a program, online service or an entire computer system.

➢ The backdoor is written by the programmer who creates the code for the program. It is often

only known by the programmer. A backdoor is a potential security risk.

Functions of backdoors/ allows an attacker to

➢ create, delete, rename, copy or edit any file

➢ Execute commands to change system settings

➢ Alter the windows registry

➢ Run, control and terminate applications

➢ Install arbitrary software and parasites

➢ Control computer hardware devices

➢ Shutdown or restart computer


➢ Steals sensitive personal information, valuable documents, passwords, login name…

➢ Records keystrokes, captures screenshots

➢ Sends gathered data to predefined E-mail addresses

➢ Infects files, corrupts installed apps, damages entire system

➢ Distributes infected files to remote computers

➢ Installs hidden FTP server

➢ Degrades internet connection and overall system performance

➢ Decreases system security

➢ Provides no uninstall feature, hides processes, files and other objects

EXAMPLES OF BACKDOOR TROJANS

➢ Back Orifice : for remote system administration

➢ Bifrost : can infect Win95 through Vista, execute arbitrary code

➢ SAP backdoors : infects SAP business objects

➢ Onapsis Bizploit: Onapsis Bizploit is an SAP penetration testing framework to assist security

professionals in the discovery, exploration, vulnerability assessment and exploitation phases of

specialized SAP security assessment

HOW TO PROTECT FROM TROJAN HORSES AND BACKDOORS

➢ Stay away from suspect websites/ links

➢ Surf on the web cautiously : avoid P2P networks

➢ Install antivirus/ Trojan remover software


STEGANOGRAPHY

➢ Steganography (from Greek steganos, or "covered," and graphie, or "writing") is the hiding of a

secret message within an ordinary message and the extraction of it at its destination.

➢ Steganography takes cryptography a step farther by hiding an encrypted message so that no one

suspects it exists. Ideally, anyone scanning your data will fail to know it contains encrypted data.

➢ Other names: data hiding, information hiding, digital watermarking.

➢ Digital watermarking is the act of hiding a message (trademark) related to a digital signal (i.e. an

image, song, and video) within the signal itself.

➢ It is a concept closely related to steganography, in that they both hide a message inside a

digital signal.

➢ However, what separates them is their goal.

➢ Watermarking tries to hide a message related to the actual content of the digital signal,

➢ While in steganography the digital signal has no relation to the message, and it is merely used

as a cover to hide its existence.

DIFFERENCE BETWEEN STEGANOGRAPHY AND CRYPTOGRAPHY

➢ Cryptography is the study of hiding information, while Steganography deals with

composing hidden messages so that only the sender and the receiver know that the

message even exists.

➢ In Steganography, only the sender and the receiver know the existence of the message,

whereas in cryptography the existence of the encrypted message is visible to the world.

➢ Due to this, Steganography removes the unwanted attention coming to the hidden message.

➢ Cryptographic methods try to protect the content of a message, while Steganography

uses methods that would hide both the message as well as the content.


➢ By combining Steganography and Cryptography one can achieve better security.

STEGANALYSIS

➢ Steganalysis is the study of detecting messages hidden using steganography;

➢ The goal of steganalysis is to identify suspected packages, determine whether or not they

have a payload encoded into them, and, if possible, recover that payload.


SQL INJECTION

➢ SQL injection is a code injection technique, used to attack data-driven applications, in which

malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database

contents to the attacker).

➢ It is the type of attack that takes advantage of improper coding of your web applications that allows a hacker to inject SQL commands into, say, a login form to gain access to the data held within your database.

WHAT AN ATTACKER CAN DO?

➢ Bypassing logins: by obtaining usernames and passwords

➢ Accessing secret data: reconnaissance

➢ Adding new data or modifying contents of website: INSERT/UPDATE

➢ Shutting down the MySQL server

Steps for SQL Injection Attack

Step 1: Finding a vulnerable website

The attacker finds vulnerable (hackable) websites using a Google Dork list, looking for web pages that allow submitting data, i.e. login page, search page, feedback etc.

Attackers look for webpages that display HTML commands such as POST or GET by checking the site's source code.

Step 2: Checking the source code of the website

• The attacker checks the HTML source code and looks for the "FORM" tag in the HTML.

• Everything between <FORM> and </FORM> holds potential parameters which will be useful for finding vulnerabilities.

Step 3: The attacker inputs a single quote in the text box provided on the webpage to accept the username and password.

• This checks whether the user input variable is sanitized or interpreted literally by the server.

If the page stays the same, shows "page not found", or shows some other webpage, then it is not vulnerable.

If it shows any error related to the SQL query, then it is vulnerable.

Step 4: The attacker uses SQL commands

• such as the SELECT statement to retrieve data from the database or the INSERT statement to add information to the database.

BLIND SQL INJECTION

➢ Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the

results of the injection are not visible to the attacker.

➢ The page with the vulnerability may not be one that displays data but will display differently

depending on the results of a logical statement injected into the legitimate SQL statement called for that

page.

➢ This type of attack can become time-intensive because a new statement must be crafted for each

bit recovered.

➢ There are several tools that can automate these attacks once the location of the vulnerability

and the target information has been established

HOW TO PREVENT SQL INJECTION ATTACKS

Input validation

✓ Replace every single quote with two single quotes

✓ Sanitize the input: clean characters like ;, --, select, etc

✓ Numeric values should be checked while accepting a query string value

✓ Keep all text boxes and form fields short

Modify error reports

SQL errors should not be displayed to the outside world

Other preventions

✓ Never use default system accounts for SQL server 2000

✓ Isolate database server and web server: different machines

✓ Extended stored procedures, user defined functions should be moved to an isolated server.
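The input-handling and error-reporting advice above, as an added example that is not part of the original notes: a login check built by string concatenation beside the same check with a parameterized query, which keeps user input out of the SQL text altogether, plus numeric validation and a handler that never returns SQL error text. It uses Python's built-in sqlite3; the table, function names and sample account are constructed for the illustration.

```python
import logging
import sqlite3

log = logging.getLogger("app.db")

def make_db():
    """Constructed in-memory database holding one sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    # Plaintext password only to keep the example short; store salted hashes in practice.
    db.execute("INSERT INTO users (name, password) VALUES (?, ?)", ("alice", "s3cret"))
    return db

def login_concatenated(db, name, password):
    """The coding error the notes describe: input is pasted into the SQL text."""
    query = ("SELECT id FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None

def login_parameterized(db, name, password):
    """Input is bound as data, so quotes inside it are never parsed as SQL."""
    query = "SELECT id FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone() is not None

def handle_login(db, login_fn, name, password):
    """Request-handler wrapper: SQL error text is logged, never returned."""
    try:
        ok = login_fn(db, name, password)
    except sqlite3.Error as exc:
        log.error("login query failed: %s", exc)
        return 500, "Internal error"
    return (200, "Welcome") if ok else (401, "Invalid credentials")

def parse_numeric_id(raw, max_len=9):
    """Numeric query-string value: ASCII digits only, bounded length."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= max_len):
        raise ValueError("id must be a short decimal number")
    return int(raw)

def lookup_name(db, raw_id):
    """Validate the id first, then bind it as a parameter."""
    try:
        user_id = parse_numeric_id(raw_id)
    except ValueError:
        return 400, "Bad request"
    row = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return (200, row[0]) if row else (404, "Not found")

if __name__ == "__main__":
    db = make_db()
    quote_trick = "' OR '1'='1"   # constructed test input
    for fn in (login_concatenated, login_parameterized):
        print(fn.__name__,
              handle_login(db, fn, "alice", quote_trick),
              handle_login(db, fn, "alice", "'"))
    print(lookup_name(db, "1"), lookup_name(db, "1 OR 1=1"))
```

Quote doubling and keyword stripping depend on every call site getting the escaping right; binding parameters removes that dependency, so it is the control to apply first.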

BUFFER OVERFLOW

➢ In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly

where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites

adjacent memory. This is a special case of violation of memory safety.

➢ This may result in erratic program behavior

➢ Buffer overflows are not easy to discover and even when one is discovered, it is generally

extremely difficult to exploit.

➢ In a classic buffer overflow exploit, the attacker sends data to a program, which it stores in an

undersized stack buffer. The result is that information on the call stack is overwritten, including

the function's return pointer.

➢ The data sets the value of the return pointer so that when the function returns, it transfers control

to malicious code contained in the attacker's data.

➢ At the code level, buffer overflow vulnerabilities usually involve the violation of a

programmer's assumptions.

➢ Many memory manipulation functions in C and C++ do not perform bounds checking and can

easily overwrite the allocated bounds of the buffers they operate upon.

➢ Even bounded functions, such as strncpy(), can cause vulnerabilities when used incorrectly.

➢ The combination of memory manipulation and mistaken assumptions about the size or makeup

of a piece of data is the root cause of most buffer overflows.

TYPES OF BUFFER OVERFLOW

➢ stack-based buffer overflow

➢ Heap buffer overflow

➢ NOPs

1) Stack-Based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is

allocated on the stack

An attacker may exploit this to manipulate the program by

➢ Changing the local variable

➢ Changing the return address

➢ Changing the function pointer or exception handler

2) Heap buffer overflow

➢ A heap overflow is a type of buffer overflow that occurs in the heap data area.

➢ Heap overflows are exploitable in a different manner to that of stack-based overflows.

➢ Memory on the heap is dynamically allocated by the application at run-time and typically

contains program data.

➢ Exploitation is performed by corrupting this data in specific ways to cause the application to

overwrite internal structures such as linked list pointers.

➢ The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc metadata) and uses the resulting pointer exchange to overwrite a program function pointer.

3) NOP-SLED

➢ A NOP-sled is the oldest and most widely known technique for successfully exploiting a stack

buffer overflow.

➢ It solves the problem of finding the exact address of the buffer by effectively increasing the size

of the target area.

➢ To do this, much larger sections of the stack are corrupted with the no-op machine instruction.

At the end of the attacker-supplied data, after the no-op instructions, the attacker places an

instruction to perform a relative jump to the top of the buffer where the shellcode is located.

➢ This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer it will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end.

HOW TO MINIMIZE BUFFER OVERFLOW

➢ Assessment of secure code manually

➢ Disable stack execution

➢ Compiler tools

➢ Dynamic run-time checks

➢ Various tools are used to detect/ defend buffer overflow

✓ StackGuard

✓ ProPolice

✓ Libsafe

ATTACKS ON WIRELESS NETWORK

In security breaches, penetration of a wireless network through unauthorized access is termed wireless cracking.

Traditional techniques

➢ Sniffing

➢ Spoofing

➢ DoS

➢ Man-in-the-middle attack

➢ Encryption cracking

How to secure the wireless n/w

1. Change the default settings of all the equipment/components of the wireless network

2. Enable WPA/WEP encryption

3. Change the default SSID

4. Enable MAC address filtering

5. Disable remote login

6. Disable SSID broadcast

7. Disable the features that are not used in AP

8. Avoid providing the n/w a name which can be easily identified

9. Connect only to secured wireless n/w

10. Upgrade router's firmware periodically

11. Assign static IP address to devices

12. Enable firewalls on each computer & the router

13. Position the router or AP safely

14. Turn off the n/w during extended periods when not in use

15. Periodically and regularly monitor wireless n/w security

PHISHING: phishing is a type of deception designed to steal your identity


Methods of Phishing Attack

These techniques are briefed in the following:

i. Dragnet Method: This method involves the use of spammed emails, bearing falsified corporate identification (e.g., trademarks, logos, and corporate names), that are addressed to a large class of people (e.g., customers of a particular financial institution or members of a particular auction site) and lead them to websites or pop-up windows with similarly falsified identification to trigger an immediate response.

ii. Rod-and-Reel Method: This method targets prospective victims with whom initial contact has already been made. Specific prospective victims so defined are targeted with false information to prompt their disclosure of personal and financial data.

iii. Lobsterpot Method: It consists of the creation of websites similar to legitimate corporate websites, aimed by phishers at a narrowly defined class of victims. A smaller class of prospective victims is identified in advance, but there is no triggering of victim response. It is enough that the victims mistake the spoofed website for a legitimate and trustworthy site and provide their personal data.

iv. Gillnet phishing: In gillnet phishing, phishers introduce malicious code into emails and websites. They can, for example, misuse browser functionality by injecting hostile content into another site's pop-up window. Merely by opening a particular email, or browsing a particular website, Internet users may have a Trojan horse introduced into their systems. In some cases, the malicious code will change settings in users' systems, so that users who want to visit legitimate banking websites will be redirected to a lookalike phishing site. In other cases, the malicious code will record users' keystrokes and passwords when they visit legitimate banking sites, then transmit those data to phishers for later illegal access to users' financial accounts.

Phishing techniques

The attacker can attack any website in different ways. Some of them are as follows:

URL (weblink) manipulation: This type of phishing works by making changes to the link provided by the spoofed page. A number of phishing attacks use technical deception designed to make a link in an e-mail appear to belong to the spoofed organization. This is done by misspelling URLs or by using sub-domains to target the web user. For example, in the URL http://www.mybank.services.com/, it appears that the URL leads to the 'mybank.services' part of the website, but it is actually a phishing URL imitating the legitimate site.

Website forgery: A phishing attack can use flaws in a trusted website's script tags against the web user. This type of phishing attack, also known as cross-site scripting, is very problematic because it redirects the user to sign in at the bank or services column of the web page. On that page everything from the web address to the security certificates appears original and legitimate.

Filter evasion: Images can also be used for phishing. When an image is used in place of text, it is very difficult to trace the phishing webpage. The filter evasion technique uses this method when building the phishing webpage. This type of phishing web page takes less time to prepare and uses fewer coding tags on the webpage.

Phone phishing: Since the number of mobile users and internet access from mobiles are both increasing rapidly, phishing attacks target mobile users to steal confidential information. In mobile phishing, the messages arriving on the mobile claim to be from a bank and tell users to dial a number regarding problems with their bank account.

Flash phishing: Anti-phishing toolbars are installed/enabled to check web page content for signs of phishing, but they have limitations and do not analyze Flash objects at all, so phishers use Flash to emulate the legitimate website. Netizens believe that the website is "clean" and is the real website because the anti-phishing toolbar is unable to detect it.

Social phishing: gets the victim to reveal sensitive data by other means, and it works in a systematic manner:

➢ The phisher sends a mail as if it were sent by the bank, asking the victim to call back because there was a security breach

➢ The victim calls the bank on the phone number displayed in the mail

➢ The phone number provided is fake, so the victim is redirected to the phisher

➢ The phisher speaks with the victim in the same manner/style as a bank employee and gets all the victim's information such as account number, password etc…

Classification of phishing scams

Phishing attacks can be classified into various types according to the way the attack is carried out. The types described by many researchers are listed below.

Deceptive Phishing- Messages about the need to verify account information, system failure requiring users to re-enter their information, fictitious account charges, undesirable account changes, new free services requiring quick action, and many other scams are broadcast to a wide group of recipients with the hope that the victim will respond by clicking a link to, or signing onto, a bogus site where their confidential information is collected. Such scams fall in this category.

Malware-Based Phishing- Refers to scams that involve running malicious software on users' PCs. Malware can be

introduced as an email attachment, as a downloadable file from a web site, or by exploiting known security vulnerabilities.

Key loggers and Screen loggers

This type of malware tracks input from the keyboard and sends the relevant information to the hackers over the internet. They embed themselves into users' browsers as small programs that run automatically when the browser is started, as well as into system files as device drivers or screen monitors.

Session Hijacking

This involves monitoring the activities of users until they sign in to an account or transaction and enter their important information. At that point the malicious software performs unauthorized actions, such as transferring funds, without the user's knowledge.

Web Trojans- They pop-up invisibly when users are attempting to log in. They collect the user's credentials locally and

transmit them to the phisher.

Pharming

DNS-Based Phishing- With a pharming scheme, hackers tamper with a company's hosts files or Domain Name System (DNS) so that requests for URLs or name service return a bogus address and subsequent communications are directed to a fake site.

Hosts File Poisoning- When a user types a URL to visit a website, it must first be translated into an IP address before it is transmitted over the Internet. The majority of SMB (small and medium business organizations) users' PCs running an operating system look up these "host names" in their "hosts" file before undertaking a Domain Name System (DNS) lookup. By "poisoning" the hosts file, hackers have a bogus address transmitted, taking the user unwillingly to a fake website where their information can be stolen.
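A check for the hosts file poisoning described above, as an added example that is not part of the original notes: it parses hosts-file text and reports every entry that pins a watched domain (or one of its sub-domains) to an address, unless that mapping is on an allow-list. The sample file, domain names and addresses are constructed, using reserved .test names and documentation address ranges.

```python
import ipaddress

# Constructed sample hosts file (not taken from a real machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1      localhost
::1            localhost
203.0.113.50   www.examplebank.test examplebank.test   # unexpected override
192.0.2.10     intranet.corp.test
not-an-ip      broken.line.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in the file."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address: not a mapping
        for name in fields[1:]:                   # one line may carry several aliases
            yield line_no, ip, name.lower().rstrip(".")

def is_under(name, domain):
    """True if name is the domain itself or one of its sub-domains."""
    return name == domain or name.endswith("." + domain)

def find_overrides(text, watched, allowed=None):
    """Return [(line_no, hostname, ip)] for watched names pinned in the hosts file.

    watched: domains that are expected to resolve through DNS only.
    allowed: optional {hostname: {ip, ...}} of entries known to be intentional.
    """
    allowed = allowed or {}
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not any(is_under(name, d) for d in watched):
            continue
        if str(ip) in allowed.get(name, ()):
            continue
        findings.append((line_no, name, str(ip)))
    return findings

if __name__ == "__main__":
    for finding in find_overrides(SAMPLE_HOSTS, {"examplebank.test"}):
        print("hosts override:", finding)
```

On a live system the text would be read from `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` and compared against a known-good baseline.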

System Reconfiguration Attacks- Modify settings on a user's PC for malicious purposes. For example: URLs in a

favorites file might be modified to direct users to look alike websites. For example: a bank website URL may be changed

from "www.gmail.com" to "www.gmai1.com".
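A defender-side check for the two URL tricks these notes describe, the brand used as a sub-domain (http://www.mybank.services.com/) and the look-alike character swap (www.gmai1.com), plus one-character misspellings; this is an added example, not part of the original notes. The protected-domain list, the character map and the "last two labels" rule for finding the registered domain are assumptions, and mybank.com is a constructed stand-in for the bank's real domain.

```python
from urllib.parse import urlsplit

# Assumption: domains the defender wants to protect.
PROTECTED = ("gmail.com", "mybank.com")

# Digits often substituted for similar-looking letters (assumed, not exhaustive).
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def skeleton(domain):
    """Fold common look-alike characters so gmai1.com and gmail.com compare equal."""
    return domain.translate(DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")

def registrable(host):
    """Naive 'last two labels' rule (assumption); production code needs the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, protected_domain_or_None) for a URL or bare host name."""
    try:
        host = urlsplit(url if "//" in url else "//" + url).hostname
    except ValueError:
        host = None
    if not host:
        return "invalid", None
    host = host.rstrip(".")
    domain = registrable(host)
    if domain in PROTECTED:
        return "ok", domain
    for good in PROTECTED:                      # www.gmai1.com style swap
        if skeleton(domain) == skeleton(good):
            return "look-alike-characters", good
    for good in PROTECTED:                      # single-character misspelling
        if edit_distance(domain, good) == 1:
            return "misspelling", good
    sub_labels = host.split(".")[:-2]
    for good in PROTECTED:                      # www.mybank.services.com style
        if good.split(".")[0] in sub_labels:
            return "brand-in-subdomain", good
    return "unknown", None

if __name__ == "__main__":
    for sample in ("http://www.mybank.services.com/", "www.gmai1.com",
                   "https://www.gmail.com/login", "http://gmaill.com"):
        print(sample, "->", classify(sample))
```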

Data Theft- Sensitive data is stored on PCs. This data is taken without the user's knowledge. Commonly, this information is user information such as passwords, social security numbers, credit card information, other personal information, or other confidential corporate information. By stealing confidential communications, design documents, legal opinions, employee related records, etc., thieves profit from selling to those who may want to embarrass or cause economic damage or to competitors.

Content-Injection Phishing- It describes the situation where hackers replace part of the content of a legitimate site with false content designed to mislead or misdirect the user into giving up their confidential information to the hacker. For example, a phisher may insert malicious code to log users' credentials or an overlay which can secretly collect information and deliver it to the phisher.


Man-in-the-Middle Phishing- In these attacks phishers position themselves between the user and the legitimate website or system. They record the information being entered but continue to pass it on so that users' transactions are not affected. Later they can sell or use the information or credentials collected when the user is not active on the system.

Search Engine Phishing- Occurs when phishers create websites with attractive (often too attractive) sounding offers and

have them indexed legitimately with search engines. Users find the sites in the normal course of searching for products

or services and are fooled into giving up their information. For example, scammers have set up false banking sites offering

lower credit costs or better interest rates than other banks. Victims who use these sites to save or make more from interest

charges are

SSL certificate phishing: an advanced type of scam. It targets web servers with SSL certificates to create a duplicitous website with a fraudulent webpage displaying a similar "lock" icon.

Spear phishing is an attempt to entice a specifically targeted victim to open a malicious attachment or visit a

malicious website with the intent of gaining insight into confidential data and/or acting on nefarious objectives against

the victim's organization.

Phishing countermeasures

➢ Keep antivirus up to date

➢ Do not click on hyperlinks in E-Mails

➢ Take advantage of anti-Spam software

➢ Verify https (ssl)

➢ Use anti-spyware software

➢ Use firewall

➢ Do not enter sensitive or financial information into pop-up windows

➢ Protect against DNS pharming attacks

IDENTITY THEFT

Refers to fraud that involves pretending to be someone else to steal money or get other benefits. ID theft is a punishable offense under the Indian IT Act. Identity theft is a term used to refer to fraud that involves stealing money or getting other benefits by pretending to be someone else [15]. As a result, the person whose identity has been stolen can suffer various consequences when he/she is held responsible for the perpetrator's actions. This is why in many countries specific laws make it a crime to use another person's identity for personal gain.

TYPES OF IDENTITY THEFT

➢ Financial Identity Theft- using another's identity to obtain goods and services; includes credit card fraud, tax refund fraud, mail fraud etc.

➢ Criminal Identity Theft- posing as another when apprehended for a crime: drug trafficking, smuggling, money laundering

➢ Identity cloning- using another's information to assume his or her identity in daily life

➢ Business Identity Theft- using another's business name to obtain credit

➢ Medical Identity Theft

➢ Synthetic Identity Theft

➢ Child Identity Theft


Techniques of ID Theft

1. Human based methods

2. Computer-based technique

1. Human based methods

➢ Direct access to information

➢ Dumpster diving

➢ Mail theft and rerouting

➢ Shoulder surfing

➢ False or disguised ATMs

➢ Dishonest and mistreated employees

➢ Telemarketing and fake telephone calls

2. Computer-based technique

➢ Backup theft

➢ Hacking, unauthorized access to systems and database theft

➢ Phishing

➢ Pharming

➢ Redirectors

➢ Hardware