UNIT-3 Cyber Security Notes
UNIT-3
TOOLS AND METHODS USED IN CYBERCRIME
Introduction
The different forms of attack through which attackers target computer systems are as follows:
1. Initial uncovering:
Two steps are involved here.
a) In the first step, called reconnaissance, the attacker gathers information about the target from
Internet websites.
b) In the second step, the attacker finds the company’s internal network details, such as the Internet
domain, machine names and the company’s Internet Protocol (IP) address ranges, in order to steal
the data.
6. Covering tracks:
a) This is the last step in any cyber attack; it refers to the activities undertaken by the
attacker to extend misuse of the system without being detected.
b) The attacker can remain undetected for long periods.
c) Throughout this entire process, the attacker takes optimum care to hide his/her identity
(ID), from the first step onwards.
Phishing
“Phishing” refers to an attack that uses E-Mail programs to deceive Internet users into disclosing
confidential information that can then be exploited for illegal purposes.
While checking electronic mail (E-Mail) one day, a user finds a message from the bank
threatening to close the bank account if he/she does not reply immediately.
Although the contents make the message seem suspicious, it is difficult
to conclude that it is a fake/false E-Mail.
This message and other such messages are examples of Phishing. In addition to stealing
personal and financial data, they can infect systems with viruses, and in various cases they are
also a method of online ID theft.
These messages look authentic and attempt to get users to reveal their personal information.
It is believed that Phishing is an alternative spelling of “fishing,” as in “to fish for
information.”
The first documented use of the word “Phishing” was in 1996.
Password Cracking
a) A password is like a key: it opens the lock that guards entry into a computerized system.
b) Password cracking is the process of recovering passwords from data that has been stored in or
transmitted by a computer system.
c) Usually, an attacker follows a common approach – repeatedly making guesses for the
password.
Manual password cracking is the attempt to log on with different passwords. The attacker follows
these steps:
1. Find a valid user account, such as Administrator or Guest;
2. create a list of possible passwords;
3. rank the passwords from high to low probability;
4. try each password in turn until a successful one is found.
Passwords are stored in a database, and a password verification process is built into the
system for when a user attempts to log in or access a restricted resource. When a user attempts to log in
to the system by entering the password, the same function that was applied when the password was
stored (typically a one-way hash) is applied to the entered value, and the result is compared with the
stored value. If they match, the user gains access; this process is called authentication.
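An added illustration (not from these notes) of the verification process just described, in Python: the stored value is a salted one-way hash, so login re-applies the same function to the entered password and compares the results. The salt, which the notes do not mention, is an addition that makes a precomputed guess list unusable across accounts; the user database is an in-memory dictionary constructed here.

```python
import hashlib
import hmac
import os

# Constructed in-memory "database": username -> (salt, stored hash).
# Assumption: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes,
# never in clear text, so the stored value cannot simply be read back.
USER_DB = {}
ITERATIONS = 100_000


def _derive(password, salt):
    """The one-way function applied both when storing and when verifying."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username, password):
    """Store a fresh random salt and the derived hash for a new user."""
    salt = os.urandom(16)
    USER_DB[username] = (salt, _derive(password, salt))


def authenticate(username, password):
    """Apply the same function to the entered value and compare with the stored value."""
    record = USER_DB.get(username)
    if record is None:
        # Do the same amount of work for an unknown account, so the response time
        # does not reveal which usernames exist.
        _derive(password, b"\0" * 16)
        return False
    salt, stored = record
    # Constant-time comparison: a byte-by-byte early exit would leak information.
    return hmac.compare_digest(_derive(password, salt), stored)


def salts_differ(password):
    """Same password, two different salts -> two different stored values,
    so one precomputed table of guesses cannot serve every account."""
    return _derive(password, os.urandom(16)) != _derive(password, os.urandom(16))


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "password123"))                    # False
```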
Online Attacks
The most popular online attack is the man-in-the-middle (MITM) attack, also termed the “bucket-brigade
attack” or sometimes the “Janus attack.”
a. It is a form of active eavesdropping in which the attacker establishes a connection between a victim
and the server to which the victim is connected.
b. When a victim client connects to the fraudulent server, the MITM server intercepts the call,
hashes the password and passes the connection on to the victim’s server.
c. This type of attack is used to obtain the passwords for E-Mail accounts on public websites
such as Yahoo, Hotmail and Gmail, and can also be used to obtain the passwords for financial
websites by attackers who want to gain access to banking websites.
Offline Attacks
Mostly, offline attacks are performed from a location other than the target (i.e., either the computer
system or the network) where the passwords reside or are used. Offline attacks usually
require physical access to the computer and copying the password file from the system onto
removable media.
Software Keyloggers
Software keyloggers are programs installed on a computer system, usually positioned between the
OS and the keyboard hardware, so that every keystroke is recorded. Software
keyloggers are installed on a computer system by Trojans or viruses without the knowledge of the
user. Cybercriminals commonly install such tools on the insecure computer systems available in public
places (e.g., cybercafés) and can obtain the required information about the victim very easily.
Hardware Keyloggers
Hardware keyloggers are small hardware devices.
These are connected to the PC and/or to the keyboard and save every keystroke into a file or in the
memory of the hardware device. Cybercriminals install such devices on ATMs to capture
ATM card PINs. Each keypress on the keyboard of the ATM gets registered by these keyloggers.
These keyloggers look like an integrated part of such systems; hence, bank customers are unaware of
their presence.
Antikeylogger
An antikeylogger is a tool that can detect a keylogger installed on the computer system
and remove it.
Spyware
1. Spyware is a type of malware (i.e., malicious software) that is installed on computers and
collects information about users without their knowledge.
2. The presence of spyware is typically hidden from the user; it is secretly installed on the user’s
personal computer.
3. Sometimes, however, spyware such as a keylogger is installed by the owner of a shared
corporate or public computer on purpose, to secretly monitor other users.
Types of Viruses
1. Boot sector viruses:
These infect the storage media on which the OS is stored (e.g., hard drives) and which is used to start
the computer system.
2. Program viruses:
These viruses become active when the program file (usually with extensions .bin, .com, .exe, .ovl,
.drv) is executed.
3. Multipartite viruses:
A hybrid of boot sector and program viruses. It infects program files along with the boot record
when the infected program is active.
4. Stealth viruses:
It hides itself, and so detecting this type of virus is very difficult. It can hide itself in such a way that
antivirus software also cannot detect it. An example of a stealth virus is the “Brain” virus.
5. Polymorphic viruses:
It acts like a “chameleon” that changes its virus signature (i.e., binary pattern) every time it spreads
through the system (i.e., multiplies and infects a new file). Hence, it is always difficult to detect a
polymorphic virus with the help of an antivirus program.
6. Macro viruses:
Many applications, such as Microsoft Word and Microsoft Excel, support macros (i.e.,
macro languages). A macro virus is programmed as a macro embedded in a document. Once a
macro virus gets onto a victim’s computer, every document he/she produces will become
infected.
Trojan Horses and Backdoors
A Trojan Horse is a program in which malicious or harmful code is contained inside apparently
harmless programming or data in such a way that it can get control and cause harm.
Like spyware and adware, Trojans can get into the system in a number of ways, including
through a web browser or via E-Mail.
It is possible that one could be forced to reformat a USB flash drive or other portable device to
eliminate the infection and avoid transferring it to other machines.
Unlike viruses or worms, Trojans do not replicate themselves, but they can be equally destructive.
On the surface, Trojans appear benign and harmless, but once the infected code is executed,
Trojans kick in and perform malicious functions that harm the computer system without the user’s
knowledge.
Backdoor
A backdoor is a means of access to a computer program that bypasses security mechanisms.
A programmer may sometimes install a backdoor so that the program can be accessed for
troubleshooting or other purposes.
However, attackers often use backdoors that they detect or install themselves as part of an
exploit.
In some cases, a worm is designed to take advantage of a backdoor created by an earlier
attack.
A backdoor works in the background and hides from the user.
It is very similar to a virus and, therefore, is quite difficult to detect and completely disable.
A backdoor is one of the most dangerous parasites, as it allows a malicious person to perform
any possible action on a compromised system.
Following are some functions of a backdoor:
1. It allows an attacker to create, delete, rename, copy or edit any file; execute various commands;
change any system settings; alter the Windows registry; run, control and terminate applications;
install arbitrary software and parasites.
2. It allows an attacker to control computer hardware devices, modify related settings, and shut down or
restart a computer without asking for user permission.
3. It steals sensitive personal information, valuable documents, passwords, login names and ID
details; logs user activity and tracks web browsing habits.
4. It records keystrokes that a user types on a computer’s keyboard and captures screenshots.
5. It infects files, corrupts installed applications and damages the entire system.
Follow these steps to protect your systems from Trojan Horses and backdoors:
1. Stay away from suspect websites/weblinks:
2. Surf on the Web cautiously:
3. Install antivirus/Trojan remover software:
Steganography
Steganography is the practice of concealing (hiding) a file, message, image, or video within
another file, message, image, or video. The word steganography combines the Greek words
steganos, meaning "covered, concealed, or protected", and graphein meaning "writing".
It is a method that attempts to hide the existence of a message or communication.
Steganography is often confused with cryptography.
The different names for steganography are data hiding, information hiding and digital
watermarking.
Steganography can be used to make a digital watermark to detect illegal copying of digital
images. Thus, it aids confidentiality and integrity of the data.
Digital watermarking is the process of possibly irreversibly embedding information into a
digital signal. The digital signal may be, for example, audio, pictures or video. If the signal is
copied, then the information is also carried in the copy.
In other words, when steganography is used to place a hidden “trademark” in images, music and
software, the result is a technique referred to as “watermarking”.
Steganalysis
Steganalysis is the art and science of detecting messages that are hidden in images or
audio/video files using steganography.
The goal of steganalysis is to identify suspected packages, to determine whether or not
they have a payload encoded into them, and if possible to recover it.
Automated tools are used to detect such steganographed data/information hidden in
image, audio and/or video files.
DoS Attacks
In this type of criminal act, the attacker floods the bandwidth of the victim’s network or
fills his E-Mail box with Spam mail, depriving him of the services he is entitled to access or
provide.
The attackers typically target sites or services hosted on high-profile web servers such
as banks, credit card payment gateways, mobile phone networks and even root name servers.
The attacker spoofs the IP address and floods the network of the victim with repeated requests.
As the IP address is fake, the victim machine keeps waiting for a response from the attacker’s
machine for each request.
This consumes the bandwidth of the network, which then fails to serve legitimate requests
and ultimately breaks down.
The United States Computer Emergency Response Team defines symptoms of DoS attacks to
include:
1. Unusually slow network performance (opening files or accessing websites);
2. unavailability of a particular website;
3. inability to access any website;
4. dramatic increase in the number of Spam E-Mails received (this type of DoS attack is termed an
E-Mail bomb).
1. Bandwidth attacks: Loading any website takes a certain time. Loading means the complete webpage
appearing on the screen, with the system awaiting the user’s input.
2. Logic attacks: These kinds of attacks can exploit vulnerabilities in network software such as a web
server or the TCP/IP stack.
3. Protocol attacks: Protocols here are the rules that are to be followed to send data over a network.
4. Unintentional DoS attack: This is a scenario where a website ends up denied not due to an attack
by a single individual or group of individuals, but simply due to a sudden enormous spike
in popularity.
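An added example, not part of these notes, of the detection side of the spoofed flood described above: Python that reads connection-table lines and flags the seconds in which the victim is holding an unusual number of half-open connections (the requests it keeps waiting on). The log format, the sample lines and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed connection-table snapshots, one entry per line (not real capture data):
# "<second> <src_ip> <dst_port> <state>". SYN_RECV marks a half-open connection the
# victim is still waiting on; a spoofed flood leaves many of them, each from an
# address that never completes the handshake.
SAMPLE_LOG = """\
0 198.51.100.7 443 ESTABLISHED
0 198.51.100.9 443 SYN_RECV
0 198.51.100.9 443 ESTABLISHED
1 198.51.100.7 443 ESTABLISHED
1 203.0.113.1 443 SYN_RECV
1 203.0.113.2 443 SYN_RECV
1 203.0.113.3 443 SYN_RECV
1 203.0.113.4 443 SYN_RECV
1 203.0.113.5 443 SYN_RECV
2 203.0.113.6 443 SYN_RECV
2 203.0.113.7 443 SYN_RECV
2 203.0.113.8 443 SYN_RECV
2 203.0.113.9 443 SYN_RECV
2 203.0.113.10 443 SYN_RECV
2 198.51.100.7 443 ESTABLISHED
"""


def parse(log):
    """Yield (second, src_ip, dst_port, state) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            sec, src, port, state = line.split()
            yield int(sec), src, int(port), state


def half_open_per_second(log):
    """Count half-open connections, and the distinct sources behind them, per second."""
    counts = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for sec, src, _port, state in parse(log):
        if state == "SYN_RECV":
            counts[sec]["half_open"] += 1
            counts[sec]["sources"].add(src)
    return counts


def flood_alerts(log, max_half_open=4):
    """Return (second, half_open_count, distinct_sources) for every second above the
    threshold. The default threshold is an assumption for this small sample; a real
    server's normal backlog is far larger. Many one-off sources that never reach
    ESTABLISHED is the pattern the spoofed flood leaves behind."""
    alerts = []
    for sec, info in sorted(half_open_per_second(log).items()):
        if info["half_open"] > max_half_open:
            alerts.append((sec, info["half_open"], len(info["sources"])))
    return alerts
```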
One of the advantages of a proxy server is that its cache memory can serve all users. If one or
more websites are requested frequently, perhaps by different users, they are likely to be in the proxy’s
cache memory, which will improve user response time.
Anonymizer
An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet
untraceable. It accesses the Internet on the user’s behalf, protecting personal information by hiding
the source computer’s identifying information.
* Anonymizers are services used to make Web surfing anonymous by utilizing a website that acts as
a proxy server for the web client.
SQL Injection
Structured Query Language (SQL) is a database computer language designed for managing
data in relational database management systems (RDBMS).
SQL injection is a code injection technique that exploits a security vulnerability occurring in
the database layer of an application.
SQL injection attacks are also known as SQL insertion attacks.
Attackers target SQL servers – common database servers used by many organizations to
store confidential data.
The prime objective behind an SQL injection attack is to obtain information while accessing
a database table that may contain personal information such as credit card numbers, social
security numbers or passwords.
During an SQL injection attack, malicious code is inserted into a web form field or the
website’s code.
For example, when a user logs in with a username and password, an SQL query is sent to the
database to check whether the user has a valid name and password.
With SQL injection, it is possible for an attacker to send a crafted username and/or password
field that will change the SQL query.
1. Input validation
Replace all single quotes with two single quotes.
Sanitize the input: user input needs to be checked and cleaned of any characters or strings
that could possibly be used maliciously. For example, character sequences such as ; , --,
select, insert and xp_ can be used to perform an SQL injection attack.
Numeric values should be checked while accepting a query string value. The function
IsNumeric() for Active Server Pages (ASP) should be used to check these numeric values.
Keep all text boxes and form fields as short as possible to limit the length of user input.
3. Other preventions
The default system accounts for SQL Server 2000 should never be used.
Isolate the database server from the web server.
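An added Python/sqlite3 example, not from these notes, that places the login check described above, built by string concatenation, beside a parameterized version and beside the notes’ quote-doubling rule, so the effect of a crafted password field on each can be compared. The users table, the account and the crafted field are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by concatenation: whatever the user typed becomes SQL."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, name, password):
    """Sends the query with placeholders; the driver passes the input as data only,
    so it can never change the structure of the statement."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def login_quote_doubling(conn, name, password):
    """The notes' rule of replacing every single quote with two. It neutralises the
    quote inside this string context, but it is weaker than parameterisation:
    numeric fields and other query contexts remain exposed."""
    return login_vulnerable(conn, name.replace("'", "''"),
                            password.replace("'", "''"))


# Constructed crafted password field: closes the string and appends an
# always-true condition, turning the WHERE clause into
#   name = 'alice' AND password = '' OR '1'='1'
CRAFTED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", CRAFTED))      # True: the query was rewritten
    print(login_parameterized(db, "alice", CRAFTED))   # False: treated as a password
    print(login_quote_doubling(db, "alice", CRAFTED))  # False: quote neutralised
```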
Buffer Overflow
A buffer overflow, or buffer overrun, is an anomaly where a process stores data in a buffer
outside the memory the programmer has set aside for it.
This may result in unreliable program behavior, including memory access errors, incorrect
results, program termination (a crash) or a breach of system security.
Buffer overflows can be triggered by inputs that are designed to execute code or alter the way
the program operates.
They are, thus, the basis of many software vulnerabilities and can be maliciously exploited.
For example,
int main(void) {
    int buffer[10];   /* room for ten ints: the valid indices are 0 to 9 */
    buffer[20] = 10;  /* deliberate out-of-bounds write, past the end of buffer */
    return 0;
}
This C program is a valid program and every compiler can compile it without any errors (at most
a warning). However, the program attempts to write beyond the memory allocated for the buffer,
which might result in unexpected behavior.
The attacker may exploit stack-based buffer overflows to manipulate the program in various
ways by overwriting:
1. A local variable that is near the buffer in memory on the stack to change the behavior of the
program that may benefit the attacker.
2. The return address in a stack frame. Once the function returns, execution will resume at the return
address as specified by the attacker, usually a user input-filled buffer.
3. A function pointer, or exception handler, which is subsequently executed.
Heap Buffer Overflow
A heap buffer overflow occurs in the heap data area and may be introduced accidentally by an
application programmer, or it may result from a deliberate exploit. The characteristics of stack-based
and heap-based programming are as follows:
1. The “heap” is a “free store”, that is, a memory space where dynamic objects are allocated.
2. The heap is the memory space that is dynamically allocated by the new(), malloc() and calloc() functions;
it is different from the memory space allocated for the stack and the code.
3. Dynamically created variables (i.e., declared variables) are created on the heap before the
executing program is initialized to zero.
Memory on the heap is dynamically allocated by the application at run-time and normally contains
program data. Exploitation is performed by corrupting this data in specific ways to cause the
application to overwrite internal structures such as linked list pointers.
3. Compiler tools:
Over the years, compilers have become more and more aggressive in the optimizations and the checks
they perform. Various compiler tools already offer warnings on the use of unsafe constructs such as
gets(), strcpy(), etc. Developers should be educated to restructure the program code when such
warnings are displayed.
Techniques of ID Theft
1. Human-based methods:
Direct access to information:
Dumpster diving:
Theft of a purse or wallet:
Mail theft and rerouting:
Shoulder surfing:
Dishonest or mistreated employees:
Telemarketing and fake telephone calls:
2. Computer-based technique:
Backup theft:
Hacking, unauthorized access to systems and database theft:
Phishing:
Pharming