Cybersecurity

chapter1 and 2

Uploaded by sjparvathi

Cyber offenses: How criminals plan them

Unit 2: Learning Objectives
• Understand different types of cyber attacks.
• Get an overview of the steps involved in planning
cybercrime
• Understand tools used for gathering information
about the target
• Get an overview on social engineering
• Learn about the role of cybercafé in cybercrime
• Understand what is cyber stalking
• Learn about botnet and attack vector
• Get an overview of cloud computing
Introduction
• Cybercriminals use the World Wide Web and the
Internet to the fullest extent for illegal
activities.
• These criminals take advantage of the
widespread lack of awareness about
cybercrimes and cyberlaws among people
who are constantly using the IT infrastructure
for official and personal purposes.
Few terminologies
• Hacker: A hacker is a person with a strong interest
in computers who enjoys learning and
experimenting with them.
• Hackers are usually very talented, smart people
who understand computers better than
others.
• Brute-force hacking: a technique used to find
passwords or encryption keys. It involves trying
every possible combination of letters, numbers,
etc., until the code is broken.
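The defence against brute-force password guessing is to make every guess expensive and to stop accepting guesses after a few failures. The following example is added here and is not part of the slides: it is a hypothetical login guard that stores salted PBKDF2 hashes instead of plaintext, compares digests in constant time, and locks an account for a cool-down period after five wrong guesses. The user name, password and clock values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed credential store for the demo: username -> (salt, PBKDF2 digest).
# Storing a slow salted hash makes each offline guess cost ~100k hash rounds.
_USERS = {}
_ITERATIONS = 100_000


def register(username: str, password: str) -> None:
    """Store a salted PBKDF2-HMAC-SHA256 digest of the password (never the password)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    _USERS[username] = (salt, digest)


class LoginGuard:
    """Throttle online guessing: after MAX_FAILURES wrong guesses the account
    is locked for LOCKOUT_SECONDS, even for the correct password."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 900  # 15 minutes; hypothetical policy value

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can advance time
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.locked_until = {}              # username -> unlock timestamp

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"

        record = _USERS.get(username)
        if record is None:
            ok = False  # unknown user: treated as a plain failure
        else:
            salt, digest = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
            # compare_digest avoids leaking how many leading bytes matched
            ok = hmac.compare_digest(candidate, digest)

        if ok:
            self.failures.pop(username, None)
            return "ok"

        self.failures[username] += 1
        if self.failures[username] >= self.MAX_FAILURES:
            self.locked_until[username] = now + self.LOCKOUT_SECONDS
            self.failures.pop(username, None)
            return "locked"
        return "denied"


def demo() -> list:
    """Drive the guard with a constructed clock: four wrong guesses are denied,
    the fifth locks the account, the correct password is refused while locked,
    and it succeeds once the lockout has expired."""
    register("alice", "correct horse battery")
    clock = [1000.0]
    guard = LoginGuard(clock=lambda: clock[0])
    results = [guard.attempt("alice", f"guess{i}") for i in range(5)]
    results.append(guard.attempt("alice", "correct horse battery"))  # still locked
    clock[0] += LoginGuard.LOCKOUT_SECONDS + 1
    results.append(guard.attempt("alice", "correct horse battery"))  # lockout expired
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout applies per account, so a single attacker cannot try the whole keyspace online; the slow hash is what makes an offline attack on a stolen digest expensive as well.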
Few terminologies
• Cracker: a cracker is a person who breaks into
computers. Crackers are computer criminals.
• Their acts include vandalism, theft and snooping in
unauthorized areas.
• Cracking: the act of breaking into computers.
• Cracking is a popular, growing subject on the Internet.
• Many sites are devoted to supplying crackers with
programs that allow them to crack computers (for example
by guessing passwords).
• Cracker tools: programs that break into
computers, such as password crackers, Trojans, viruses,
war dialers and worms.
Few terminologies
• Phreaking: the notorious art of breaking
into phone or other communication systems.
• War dialer: a program that automatically
dials phone numbers looking for computers on
the other end. It catalogs the numbers so that
hackers can call back and try to break in.
Categories of vulnerabilities that
hackers typically search for:
• Inadequate border protection
• Remote access servers (RASs) with weak access
controls.
• Application servers with well-known exploits.
• Misconfigured systems and systems with
default configurations.
What color is your Hat in the security
world?
• Black Hat - Just like in the old westerns, these
are the bad guys. A black hat is a cracker.
• To add insult to injury, black hats may also
share information about the “break in” with
other black hat crackers so they can exploit
the same vulnerabilities before the victim
becomes aware and takes appropriate
measures.
What color is your Hat in the security
world?
• White Hat – While black hats use their skill for
malicious purposes, white hats are ethical
hackers.
• They use their knowledge and skill to thwart
the black hats and secure the integrity of
computer systems or networks.
• If a black hat decides to target you, it’s a great
thing to have a white hat around.
What color is your Hat in the security world?
• Gray Hat – A gray hat, as you would imagine, is a bit of a white
hat/black hat hybrid.
• Thankfully, like white hats, their mission is not to do damage to a
system or network, but to expose flaws in system security.
• The black hat part of the mix is that they may very well use illegal
means to gain access to the targeted system or network, but not for
the purpose of damaging or destroying data:
• they want to expose the security weaknesses of a particular system
and then notify the “victim” of their success.
• Often this is done with the intent of then selling their services to
help correct the security failure so that black hats cannot gain entry
and/or access for more devious and harmful purposes.
What color is your Hat in the security
world?
• A brown hat is one who thinks before acting,
whether the deed is malicious or not.
• Often referred to as a grey hat.
Categories of Cybercrime
• Target of the crime
– Crimes targeted at individuals
– Crimes targeted at property
– Crimes targeted at organizations
• Whether the crime occurs as a single event or
as a series of events.
– Single event cybercrime: hacking or fraud
– Series of events: cyberstalking
How criminals plan the attacks
• Phases involved in planning cybercrime:
1. Reconnaissance:
- information gathering; the first phase; a passive
attack
2. Scanning and scrutinizing the gathered
information
- for the validity of the information as well as to
identify the existing vulnerabilities
3. Launching an attack
- gaining and maintaining system access
Types of attacks:
• Active attack
– Used to alter system
– Affects the availability, integrity and authenticity of data
• Passive attack
– Attempts to gain information about the target
– Leads to breaches of confidentiality
• Inside attack
– Attack originating and/or attempted within the security perimeter of
an organization
– Gains access to more resources than expected.
• Outside attack
– Is attempted by a source outside the security perimeter
– May be an insider or an outsider who is indirectly associated with the
organization
– Attempted through the Internet or a remote access connection
Reconnaissance
• A reconnaissance attack occurs when an adversary tries to
learn information about your network
• Reconnaissance is the unauthorized discovery and mapping
of systems, services, or vulnerabilities.
• Reconnaissance is also known as information gathering
• Reconnaissance is somewhat analogous to a thief
investigating a neighborhood for vulnerable homes, such as
an unoccupied residence or a house with an easy-to-open
door or window. In many cases, intruders look for vulnerable
services that they can exploit later, when it is less likely that
anyone is looking.
• It is the preparatory phase to understand the system, its
network ports and services and other aspects of security
that are needed to launch the attack.
• An attacker attempts to gather information in
two phases:
1. Passive attack
2. Active attack
Passive attacks
• Involves gathering information about the target without the
target's knowledge.
• Google or Yahoo search: to locate information about employees
• Surfing online community groups such as Facebook: to gain information about an
individual
• The organization's website: for the personnel directory or information about key
employees; used in a social engineering attack to reach the target
• Blogs, newsgroups, press releases, etc.
• Going through job postings
• Network sniffing: information on Internet Protocol address ranges, hidden
servers or networks, or services on the system.
Tools used during passive attacks
• Google earth
• Internet Archive: permanent access for
researchers, historians and scholars to historical
collections
• Professional community: LinkedIn
• People Search
• Domain Name Confirmation
• WHOIS
• Nslookup
• Dnsstuff
Tools used during passive attacks
• Traceroute
• VisualRoute Trace
• eMailTrackerPro
• HTTrack
Active Attacks
• Rattling the doorknobs
• Active reconnaissance
• Involves probing the network to discover
individual hosts to confirm the information
gathered in the passive attack phase.
• Can provide confirmation to an attacker about
security measures in place.
Tools used during active attacks
• Arphound
• Arping
• Bing
• Bugtraq
• Dig
• DNStracer
• Dsniff
• Filesnarf
• FindSMB
Tools used during active attacks
• Hmap
• Hping
• Hunt
• Netcat
• Nmap
• TCPdump
• TCPreplay
Scanning and scrutinizing gathered
information
• This is the key step: examining intelligently the
information gathered about the target.
• The objectives are:
1. Port scanning
2. Network scanning
3. Vulnerability scanning
What is Port Scanning?
• The act of systematically scanning a computer's ports.
• Since a port is a place where information goes into and out
of a computer, port scanning identifies open doors to a
computer.
• It is similar to a thief going through your neighborhood and
checking every door and window on each house to see
which ones are open and which ones are locked.
• There is no way to stop someone from port scanning your
computer while you are on the Internet because accessing
an Internet server opens a port, which opens a door to your
computer.
• There are, however, software products that can stop a port
scanner from doing any damage to your system.
What is Port Scanning?
• TCP (Transmission Control Protocol) and UDP (User
Datagram Protocol) are two of the protocols that make up
the TCP/IP protocol suite which is used universally to
communicate on the Internet.
• Each of these has ports 0 through 65535 available so
essentially there are more than 65,000 doors to lock.
• The first 1024 TCP ports are called the Well-Known Ports
and are associated with standard services such as FTP,
HTTP, SMTP or DNS.
• Some of the ports over 1023 also have commonly
associated services, but the majority of these ports are not
associated with any service and are available for a program
or application.
Port scan
• A port scan consists of sending a message to each
port, one at a time. The kind of response received
indicates whether the port is used and can
therefore be probed for weakness.
• The result of a scan on a port is usually
generalized into one of the following categories:
1. Open or accepted
2. Closed or not listening
3. Filtered or blocked.
Types of port scans:
• vanilla: the scanner attempts to connect to all 65,535 ports
• strobe: a more focused scan looking only for known
services to exploit
• fragmented packets: the scanner sends packet fragments
that get through simple packet filters in a firewall
• UDP: the scanner looks for open UDP ports
• sweep: the scanner connects to the same port on more
than one machine
• FTP bounce: the scanner goes through an FTP server in
order to disguise the source of the scan
• stealth scan: the scanner blocks the scanned computer
from recording the port scan activities.
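Because a scan touches many ports (vanilla, strobe) or many hosts on one port (sweep), it leaves a distinctive pattern in perimeter logs. The following example is added here and is not part of the slides: it parses constructed firewall log lines of a hypothetical format, then flags a source that hits ten or more ports on one host within a minute (a vertical scan) or the same port on five or more hosts (a sweep). The IP addresses are documentation ranges and the thresholds are assumed policy values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical firewall log format (constructed for this example):
# <ISO timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> proto=<TCP|UDP> dport=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>TCP|UDP) dport=(?P<dport>\d+)$"
)

# Constructed sample: one vertical scan, one sweep, benign HTTPS traffic, one bad line.
# DROP lines with no reply are what a scanner reports as "filtered".
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport={p}"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])]
    + [f"2024-05-01T10:05:{i:02d} DROP src=203.0.113.77 dst=192.0.2.{h} proto=TCP dport=445"
       for i, h in enumerate(range(1, 7))]
    + ["2024-05-01T10:07:00 ACCEPT src=198.51.100.9 dst=192.0.2.10 proto=TCP dport=443",
       "2024-05-01T10:07:30 ACCEPT src=198.51.100.9 dst=192.0.2.10 proto=TCP dport=443",
       "this line is deliberately unparseable"]
)


def parse(lines):
    """Turn log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
            "action": d["action"],
        })
    return events


def detect_scans(events, window=60, port_threshold=10, host_threshold=5):
    """Return sorted findings of the form
    ('vertical_scan', src, dst) or ('sweep', src, dport).

    For every source, a window of `window` seconds is opened at each event and
    the distinct ports per destination and distinct destinations per port inside
    that window are counted against the thresholds."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = set()
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            ports_per_dst = defaultdict(set)
            dsts_per_port = defaultdict(set)
            for e in evs[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window:
                    break
                ports_per_dst[e["dst"]].add(e["dport"])
                dsts_per_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_per_dst.items():
                if len(ports) >= port_threshold:
                    findings.add(("vertical_scan", src, dst))
            for port, dsts in dsts_per_port.items():
                if len(dsts) >= host_threshold:
                    findings.add(("sweep", src, port))
    return sorted(findings)


def run_sample():
    return detect_scans(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The benign client that opens port 443 twice never crosses either threshold, which is the point of counting distinct ports and hosts rather than raw connection attempts. Slow scans that spread probes over hours evade a fixed one-minute window, so production detectors usually keep longer-lived per-source state as well.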
Scrutinizing phase
• Called “enumeration” in the hacking world
• The objective behind this step is to identify:
1. The valid user accounts or groups
2. Network resources and/or shared resources
3. OS and different applications that are
running on the OS.
Attack (Gaining and Maintaining the
System Access)
• After scanning and scrutinizing, the attack is
launched using the following steps:
1. Crack the password
2. Exploit the privileges
3. Execute the malicious command/ applications
4. Hide the files
5. Cover the tracks: delete access logs so that
there is no trail of the illicit activity.
Social Engineering
• A technique of influence and persuasion used to deceive
people into giving up information or performing
some action.
• A social engineer usually uses
telecommunications or the Internet to get people to do
something that is against the security practices
and/or policies of the organization.
• SE involves gaining sensitive information or
unauthorized access privileges by building
inappropriate trust relationships with insiders.
• It is the art of exploiting the trust of people.
Social Engineering
• Social engineering is a non-technical method of intrusion hackers
use that relies heavily on human interaction and often involves
tricking people into breaking normal security procedures.
• A social engineer runs what used to be called a "con game."
• For example, a person using social engineering to break into a
computer network might try to gain the confidence of an
authorized user and get them to reveal information that
compromises the network's security.
• Social engineers often rely on the natural helpfulness of people as
well as on their weaknesses.
• They might, for example, call the authorized employee with some
kind of urgent problem that requires immediate network access.
Appealing to vanity, appealing to authority, appealing to greed, and
old-fashioned eavesdropping are other typical social engineering
techniques.
Classification of Social Engineering
1. Human-Based Social Engineering
Needs interaction with humans; it means person-to-person contact and
then retrieving the desired information. People use human-based social
engineering techniques in different ways; the most popular methods are:
– Impersonating an employee or valid user
– Posing as an important user
– Using a third person
– Calling technical support
– Shoulder surfing
– Dumpster diving
2. Computer-Based Social Engineering
Computer-based social engineering uses computer software that attempts
to retrieve the desired information.
– Fake E-mails
– E-mail attachments
– Pop-up windows
1.1. Impersonation
• In this type of social-engineering attack, the hacker pretends
to be an employee or valid user on the system. A hacker can
gain physical access by pretending to be an employee or
contractor.
• To attackers, sets of valid credentials are a coveted asset. An
attacker who has obtained valid user credentials through
social engineering techniques has the ability to roam the
network with impunity searching for valuable data. In log
data, the attacker’s activities are easily hidden due to the
inability to see the subtle differences in behaviors and access
characteristics. Yet, this phase of the classic attack chain often
represents the lengthiest portion of the attack.
1.2. Posing as an important user
• In this type of attack, the hacker pretends to
be a VIP or high-level manager who has the
authority to use computer systems or files.
• Most of the time, low-level employees don’t
ask any questions of someone who appears in
this position.
1.3. Being a third party
• In this attack, the hacker pretends to have
permission from an authorized person to use
the computer system. It works when the
authorized person is unavailable for some
time.
1.4. Desktop support
• Calling tech support for assistance is a classic
social-engineering technique.
• Help desk and technical support personnel are
trained to help users, which makes them good
prey for social engineering attacks.
1.5. Shoulder surfing
• Shoulder surfing is the technique of gathering
passwords by watching over a person’s
shoulder while they log in to the system.
• A hacker can watch a valid user log in and
then use that password to gain access to the
system.
1.6. Dumpster diving
• Dumpster diving involves looking in the trash
for information written on pieces of paper or
computer printouts.
• The hacker can often find passwords,
filenames, or other pieces of confidential
information such as SSN, PAN or credit card
numbers.
• Also called dumpstering, binning, trashing,
garbaging or garbage gleaning.
2.1. Fake E-mails
• Phishing involves false emails, chats, or websites
designed to impersonate real systems with the
goal of capturing sensitive data.
• A message might come from a bank or other
well-known institution with the need to “verify”
your login information.
• It will usually be a mocked-up login page with all
the right logos to look legitimate.
• The term was coined in 1996 by hackers who
were stealing AOL Internet accounts by scamming
passwords without the knowledge of AOL users.
2.2 Baiting:
• Baiting involves dangling something you want to
entice you to take an action the criminal desires.
• It can be in the form of a music or movie
download on a peer-to-peer site or it can be a
USB flash drive with a company logo labeled
“Executive Salary Summary Q1 2013” left out in
the open for you to find.
• Then, once the device is used or downloaded,
the person or company’s computer is infected
with malicious software allowing the criminal to
advance into your system.
2.3 E-Mail attachments
• Emails sent by scammers may have
attachments that include malicious code
inside the attachment. Those attachments can
include key loggers to capture users’
passwords, viruses, Trojans, or worms.
2.4 Pop-up windows
• Sometimes pop-up windows can also be used
in social engineering attacks.
• Pop-up windows that advertise special offers
may tempt users to unintentionally install
malicious software.
Don’t become a victim
• Slow down. Spammers want you to act first and think later. If the message conveys
a sense of urgency, or uses high-pressure sales tactics be skeptical; never let their
urgency influence your careful review.
• Research the facts. Be suspicious of any unsolicited messages. If the email looks
like it is from a company you use, do your own research. Use a search engine to go
to the real company’s site, or a phone directory to find their phone number.
• Delete any request for financial information or passwords. If you get asked to
reply to a message with personal information, it’s a scam.
• Reject requests for help or offers of help. Legitimate companies and organizations
do not contact you to provide help. If you did not specifically request assistance
from the sender, consider any offer to ’help’ restore credit scores, refinance a
home, answer your question, etc., a scam. Similarly, if you receive a request for
help from a charity or organization that you do not have a relationship with, delete
it. To give, seek out reputable charitable organizations on your own to avoid falling
for a scam.
• Don’t let a link be in control of where you land. Stay in control by finding the website
yourself using a search engine to be sure you land where you intend to land.
Hovering over links in email will show the actual URL at the bottom, but a good
fake can still steer you wrong.
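The "hover over the link" advice can be automated on the receiving side: the visible text of a link and the host it actually points to can be compared before the mail reaches a reader. The following example is added here and is not part of the slides; it parses a constructed HTML email body with Python's standard library, and flags links whose display text names a different domain than the real target, links that point at a bare IP address, and links whose host is outside a hypothetical trusted-domain list. The bank name and addresses are invented for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a domain name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
BARE_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def within(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_links(html: str, trusted_domains):
    """Return a list of suspicious links, each with the reasons it was flagged."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        m = DOMAIN_IN_TEXT.search(text)
        if m and not within(host, m.group(1).lower()):
            reasons.append("display text names a different host")
        if BARE_IPV4.fullmatch(host):
            reasons.append("link target is a bare IP address")
        if host and not any(within(host, d) for d in trusted_domains):
            reasons.append("host not in trusted list")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed phishing-style email body. example-bank.com is a fictitious domain.
SAMPLE_EMAIL = """
<p>Dear customer, please
<a href="http://192.0.2.55/login">verify your account at www.example-bank.com</a>.</p>
<p>Or visit <a href="https://example-bank.com.example.net/secure">https://example-bank.com</a></p>
<p>Statement: <a href="https://online.example-bank.com/statements">online.example-bank.com</a></p>
"""

TRUSTED = ["example-bank.com"]


def run_sample():
    return check_links(SAMPLE_EMAIL, TRUSTED)


if __name__ == "__main__":
    for f in run_sample():
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The second link shows why the suffix check matters: `example-bank.com.example.net` begins with the trusted name but is registered under `example.net`, so only a comparison anchored at the end of the host name catches it.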
Don’t become a victim
• Email hijacking is rampant. Hackers, spammers, and social engineers taking over
control of people’s email accounts (and other communication accounts) has
become rampant. Once they control someone’s email account they prey on the
trust of all the person’s contacts. Even when the sender appears to be someone
you know, if you aren’t expecting an email with a link or attachment, check with
your friend before opening links or downloading.
• Beware of any download. If you don’t know the sender personally AND expect a
file from them, downloading anything is a mistake.
• Foreign offers are fake. If you receive email from a foreign lottery or sweepstakes,
money from an unknown relative, or requests to transfer funds from a foreign
country for a share of the money it is guaranteed to be a scam.
• Set your spam filters to high. Every email program has spam filters. To find yours,
look under your settings options, and set these high; just remember to check your
spam folder periodically to see if legitimate email has been accidentally trapped
there. You can also search for a step-by-step guide to setting your spam filters by
searching on the name of your email provider plus the phrase ’spam filters’.
• Secure your computing devices. Install anti-virus software, firewalls, email filters
and keep these up-to-date. Set your operating system to automatically update,
and if your smartphone doesn’t automatically update, manually update it
whenever you receive a notice to do so. Use an anti-phishing tool offered by your
web browser or third party to alert you to risks.
Cyberstalking
• Cyberstalking is the use of the Internet or other
electronic means to stalk or harass an individual, a
group, or an organization.
• It may include false accusations, defamation, slander
and libel.
• It may also include monitoring, identity theft,
threats, vandalism, solicitation for sex, or gathering
information that may be used to threaten or harass.
• Cyberstalking is sometimes referred to as Internet
stalking, e-stalking or online stalking.
Cyberstalking
• Cyberstalking is a crime in which the attacker harasses
a victim using electronic communication, such as e-
mail or instant messaging (IM), or messages posted to
a Web site or a discussion group.
• A cyberstalker relies upon the anonymity afforded by
the Internet to allow them to stalk their victim without
being detected.
• Cyberstalking messages differ from ordinary spam in
that a cyberstalker targets a specific victim with often
threatening messages, while the spammer targets a
multitude of recipients with simply annoying
messages.
Types of Stalkers
• Online stalkers
• Offline stalkers
• Both are criminal offenses.
• Both are motivated by a desire to control,
intimidate or influence a victim.
• A stalker may be an online stranger or a person
whom the target knows. He may be anonymous
and solicit involvement of other people online
who do not even know the target.
How stalking works
1. Gathering personal information about the victim.
2. Establishing contact with the victim through telephone/cell phone, then starting
to threaten or harass.
3. Establishing contact with the victim through E-mail.
4. Sending repeated E-mails asking for various kinds of favors or
threatening the victim.
5. Posting the victim’s personal information on websites related to illicit
services.
6. Whoever comes across the information starts calling the victim on the
given contact details, asking for sexual services.
7. Some stalkers may subscribe/register the victim's E-mail account to
innumerable unwanted/pornographic sites, because of which the victim starts
receiving such unsolicited E-mails.
Cybercafe and Cybercrimes
• An Internet café or cybercafé is a place which provides
Internet access to the public, usually for a fee.
• According to Nielsen Survey on the profile of
cybercafes users in India:
1. 37% of the total population use cybercafes
2. 90% of this were males in age group 15-35 years
3. 52% graduates and post graduates
4. > 50% were students
Hence, it is extremely important to understand the IT
security and governance practiced in the cybercafes.
Role of Cybercafe
• Used for either real or false terrorist
communication.
• For stealing bank passwords and fraudulent
withdrawal of money
– Keyloggers or spywares
– Shoulder surfing
• For sending obscene mails to harass people.
• They are not network service providers
according to ITA2000
Illegal activities observed in Cybercafes
• Pirated software: OS, browser, Office
• Antivirus software not updated
– Cybercafes have installed “deep freeze” software
• This software clears details of all activities carried out when one clicks the “restart”
button.
• Annual Maintenance Contract (AMC): not in place
– This is a risk because a cybercriminal can install malicious code for criminal
activities without any interruption
• Pornographic websites and similar websites are not blocked
• Owners have little awareness of IT Security and IT Governance.
• IT Governance guidelines are not provided by the cyber cell wing
• No periodic visits to cybercafes by the cyber cell wing (state police) or the
cybercafe association
Safety and security measures while
using the computer in Cyber Cafe
1. Always log out:
do not save login information through automatic login
features
2. Stay with the computer
3. Clear History and temporary files
4. Be alert:
don’t be a victim of Shoulder surfing
5. Avoid Online Financial Transaction
6. Change passwords
7. Virtual Keyboards
8. Security warnings
Botnets: The fuel for Cybercrime
• Bot: “ an automated program for doing some particular task, often
over a network”
• A botnet (also known as a zombie army) is a number of Internet
computers that, although their owners are unaware of it, have been
set up to forward transmissions (including spam or viruses) to other
computers on the Internet.
• Any such computer is referred to as a zombie - in effect, a computer
"robot" or "bot" that serves the wishes of some master spam or
virus originator.
• Most computers compromised in this way are home-based.
• According to a report from Russian-based Kaspersky Labs, botnets --
not spam, viruses, or worms -- currently pose the biggest threat to
the Internet
Botnet used for gainful purposes (diagram, reconstructed as a list):
• Botnet creation → botnet renting, botnet selling
• Uses of the botnet:
– DDoS attacks
– Malware and adware installation
– Spamdexing
– Phishing attacks
– Spam attacks
– Stealing confidential information
• Monetization:
– Selling credit card and bank account details
– Selling personal identity information
– Selling Internet services and shop accounts
Ways to secure the system
• Use antivirus and anti-spyware
• Install updates
• Use firewall
• Disconnect internet when not in use
• Don’t trust free downloads
• Check regularly inbox and sent items
• Take immediate action if system is infected
Attack vector
• An attack vector is a path or means by which a hacker
(or cracker) can gain access to a computer or network
server in order to deliver a payload or malicious
outcome.
• Attack vectors enable hackers to exploit system
vulnerabilities, including the human element.
• Attack vectors include viruses, e-mail attachments,
Web pages, pop-up windows, instant messages, chat
rooms, and deception. All of these methods involve
programming (or, in a few cases, hardware), except
deception, in which a human operator is fooled into
removing or weakening system defenses.
• To some extent, firewalls and anti-virus
software can block attack vectors.
• But no protection method is totally attack-
proof.
• A defense method that is effective today may
not remain so for long, because hackers are
constantly updating attack vectors, and
seeking new ones, in their quest to gain
unauthorized access to computers and
servers.
• If vulnerabilities are the entry points, then attack
vectors are the ways attackers can launch their
assaults or try to infiltrate the building.
• In the broadest sense, the purpose of the attack
vectors is to implant a piece of code that makes
use of a vulnerability. This code is called the
payload, and attack vectors vary in how a
payload is implanted.
• The most common malicious payloads are viruses
(which can function as their own attack vectors),
Trojan horses, worms, and spyware.
• If an attack vector is thought of as a guided
missile, its payload can be compared to the
warhead in the tip of the missile.
Different ways to launch Attack
Vectors:
• Attack by E-Mail
• Attachments
• Attack by deception: social engineering/hoaxes
• Hackers
• Heedless guests (attack by webpage)
• Attack of the worms
• Malicious macros
• Sneakware
• Viruses
A zero-day attack
• A zero-day (or zero-hour or day zero) attack or threat is an
attack that exploits a previously unknown vulnerability in a
computer application or operating system, one that
developers have not had time to address and patch.
• Software vulnerabilities may be discovered by hackers, by
security companies or researchers, by the software vendors
themselves, or by users.
• If discovered by hackers, an exploit will be kept secret for as
long as possible and will circulate only through the ranks of
hackers, until software or security companies become
aware of it or of the attacks targeting it.
