Unit II - Cyber Security (PE732IT)

The document outlines various tools and methods used in cybercrime, detailing stages of attacks such as reconnaissance, network probing, and data theft. It discusses techniques like phishing, password cracking, and the use of malware including viruses, worms, and Trojans, as well as protective measures against these threats. Additionally, it highlights the importance of understanding different types of attacks and the significance of cybersecurity practices to mitigate risks.

Unit II

Tools and Methods Used in Cybercrime
Introduction
As the Internet and computer networks are integral parts of information systems, attackers either
already have in-depth knowledge of the technology or acquire thorough knowledge of it before attacking.

The basic stages of an attack are:


1. Initial uncovering:
i. In the first step, called reconnaissance, the attacker gathers as much information as
possible about the target by legitimate means.
ii. In the second step, the attacker uncovers as much information as possible about the
company’s internal network.
2. Network probe: A “ping sweep” of the network IP addresses is performed to seek out potential
targets, and then a “port scanning” tool is used to discover exactly which services are running on
the target system.
3. Crossing the line toward electronic crime (E-crime): Now the attacker moves toward committing
what is technically a “computer crime” by exploiting possible holes in the target system.
4. Capturing the network: At this stage, the attacker attempts to “own” the network. The attacker
gains a foothold in the internal network quickly and easily.
5. Grab the data: Now that the attacker has “captured the network,” he/she takes advantage of
that position to steal confidential data, customer credit card information, deface webpages, alter
processes and even launch attacks at other sites from your network.
6. Covering tracks: This is the last step in any cyberattack; it refers to the activities undertaken
by the attacker to extend misuse of the system without being detected.
Proxy Servers and Anonymizers
• A proxy server is a computer on a network which acts as an intermediary for connections with
other computers on that network.
• A proxy server has the following purposes:
1. Keep the systems behind the curtain.
2. Speed up access to a resource (through “caching”).
3. Specialized proxy servers are used to filter unwanted content such as advertisements.
4. A proxy server can be used as an IP address multiplexer, enabling a number of computers to
connect to the Internet when only one IP address is available.
• An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet
untraceable.
• It accesses the Internet on the user’s behalf, protecting personal information by hiding the
source computer’s identifying information.
Phishing
Phishing is a fake or false e-mail which can infect systems as well as steal personal and
financial data.
How Phishing Works

Phishers work in the following ways: (1) Planning (decide the target), (2) Setup (create methods for
delivering the message and to collect the data about the target), (3) Attack (phisher sends a phony
message), (4) Collection (record the information of victims), (5) Identity theft and fraud (use the
information that they have gathered to make illegal purchases or commit fraud).
Password Cracking
Password cracking is a process of recovering passwords from data that have been stored in or
transmitted by a computer system. Examples of guessable passwords include:
1. Blank (none);
2. the words like “password,” “passcode” and “admin”;
3. series of letters from the “QWERTY” keyboard, for example, qwerty, asdf or qwertyuiop;
4. user’s name or login name;
5. name of user’s friend/relative/pet;
6. user’s birthplace or date of birth, or a relative’s or a friend’s;
7. user’s vehicle number, office number, residence number or mobile number;
8. name of a celebrity who is considered to be an idol (e.g., actors, actresses, spiritual gurus) by the
user;
9. simple modification of one of the preceding, such as suffixing a digit, particularly 1, or reversing
the order of letters.

Password cracking attacks can be classified under three categories as follows:


1. Online attacks;
2. offline attacks;
3. non-electronic attacks (e.g., social engineering, shoulder surfing and dumpster diving).
Online Attacks
• The most popular online attack is the man-in-the-middle (MITM) attack, also termed the “bucket-brigade
attack” or sometimes the “Janus attack.”
• It is a form of active eavesdropping in which the attacker establishes a connection between a victim
and the server to which the victim is connected.
Offline Attacks
• Offline attacks usually require physical access to the computer and copying the password file from
the system onto removable media.
Strong, Weak and Random Passwords
• A weak password is one which could be easily guessed: a short, common or system default
password that can be found by a brute force attack that tries only a subset of all possible passwords.
• A strong password is long enough, random or otherwise difficult to guess – producible only by
the user who chooses it.
Random Passwords
• A password is stronger if it includes a mix of upper and lower case letters, numbers and other
symbols, when allowed, for the same number of characters.
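The guessable patterns listed under Password Cracking and the character-class rule just stated can be turned into a mechanical policy check that rejects a password before it is ever stored. The Python below is an added example written for these notes, not code from the original document: the common-word list, the keyboard rows, the 12-character minimum, the three-class minimum and the helper names (`weakness_reasons` and the rest) are my own choices, and the per-user facts (login name, pet name, birth date, vehicle number) are assumed to be supplied by the caller.

```python
"""Added example: a password policy check for the guessable patterns the
notes list (blank, common words, keyboard sequences, personal information,
simple modifications such as a trailing digit or reversed spelling) plus the
character-class mix rule. Thresholds and word lists are constructed."""

import re

# Constructed sample; a real deployment would use a large breached-password list.
COMMON_WORDS = {"password", "passcode", "admin", "letmein", "welcome"}

# Keyboard rows used to detect sequences such as "qwerty" or "asdf".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

MIN_LENGTH = 12   # assumed policy value
MIN_CLASSES = 3   # assumed policy value


def _strip_simple_modification(pw: str) -> str:
    """Undo the 'suffixing a digit' trick so 'password1' is compared as 'password'."""
    return re.sub(r"\d+$", "", pw)


def _keyboard_sequence(pw: str, min_len: int = 4) -> bool:
    """True if pw contains min_len keys that are adjacent on one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_len + 1):
            run = row[start:start + min_len]
            if run in low or run[::-1] in low:
                return True
    return False


def weakness_reasons(pw: str, personal: list[str]) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passes.

    `personal` holds caller-supplied facts about the user (login name, pet name,
    birth date, vehicle number ...), matched case-insensitively."""
    if pw == "":
        return ["blank"]
    reasons = []
    base = _strip_simple_modification(pw).lower()
    candidates = {base, base[::-1]}            # also catches reversed spelling
    if candidates & COMMON_WORDS:
        reasons.append("common word")
    if _keyboard_sequence(pw):
        reasons.append("keyboard sequence")
    personal_low = {p.lower() for p in personal if p}
    if candidates & personal_low or any(p in base for p in personal_low if len(p) >= 4):
        reasons.append("personal information")
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    classes = sum(bool(re.search(rx, pw)) for rx in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        reasons.append("fewer than %d character classes" % MIN_CLASSES)
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs; "alice" and "fluffy" stand in for the user's name and pet.
    for pw in ["", "password1", "Qwerty!2024", "Fluffy2019!", "Correct-Horse-Battery-7"]:
        print(repr(pw), "->", weakness_reasons(pw, ["alice", "fluffy"]) or ["ok"])
```

The check returns every reason rather than stopping at the first, so a user (or an audit log) sees the whole picture; the keyboard test scans both directions of each row because the reversed run (for example "ytrewq") is just as guessable as the forward one.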
 The general guidelines applicable to the password policies are:
Keyloggers and Spywares
• Keystroke logging is the practice of noting (or logging) the keys struck on a keyboard.
• A keystroke logger or keylogger is a quicker and easier way of capturing passwords and
monitoring the victims’ IT-savvy behavior.
• Keyloggers can be classified as software keyloggers and hardware keyloggers.
Software Keyloggers
• Software keyloggers are software programs installed on the computer system which usually are
located between the OS and the keyboard hardware, so that every keystroke is recorded.
• A keylogger usually consists of two files that get installed in the same directory: a dynamic link
library (DLL) file and an executable (EXE) file that installs the DLL file and triggers it to work.
Hardware Keyloggers
• Hardware keyloggers are small hardware devices connected to the PC and/or to the keyboard
and save every keystroke into a file or in the memory of the hardware device.
• These keyloggers look like an integrated part of such systems; hence, bank customers are
unaware of their presence.
Antikeylogger
• An antikeylogger is a tool that can detect a keylogger installed on the computer system and also
remove it.
1. Firewalls cannot detect the installation of keyloggers on systems, whereas antikeyloggers
can.
2. This software does not require regular updates of signature bases to work effectively, unlike
other antivirus and antispyware programs.
3. It prevents Internet banking frauds.
4. It prevents ID theft.
5. It secures E-Mail and instant messaging/chatting.
Spywares
• Spyware is malicious software secretly installed on the user’s personal computer.
• Spywares such as keyloggers are installed by the owner of a shared, corporate or public computer
on purpose to secretly monitor other users.
Virus and Worms
A computer virus is a program that can “infect” legitimate programs by modifying them to include
a possibly “evolved” copy of itself.
Viruses can take some typical actions:
1. Display a message to prompt an action which may set off the virus;
2. delete files inside the system into which viruses enter;
3. scramble data on a hard disk;
4. cause erratic screen behavior;
5. halt the system (PC);
6. just replicate themselves to propagate further harm.
Types of Viruses
Computer viruses can be categorized based on attacks on various elements of the system and
can put the system and personal data on the system in danger.
1. Boot sector viruses
2. Program viruses
3. Multipartite viruses
4. Stealth viruses
5. Polymorphic viruses
6. Macroviruses
7. ActiveX and Java controls
• A computer worm is a self-replicating malware computer program which uses a computer
network to send copies of itself to other nodes (computers on the network), and it may do so
without any user intervention.
Trojan Horse
• A Trojan Horse is a program in which malicious or harmful code is contained inside apparently
harmless programming or data in such a way that it can get control and cause harm.
• Trojans can get into the system in a number of ways, including from a web browser, via E-Mail
or in a bundle with other software downloaded from the Internet.
o Unlike viruses or worms, Trojans do not replicate themselves, but they can be equally
destructive.
o On the surface, Trojans appear benign and harmless, but once the infected code is
executed, Trojans kick in and perform malicious functions to harm the computer system
without the user’s knowledge.
Backdoor
• A backdoor is a means of access to a computer program that bypasses security mechanisms.
• A programmer may sometimes install a backdoor so that the program can be accessed for
troubleshooting or other purposes.
• Attackers often use backdoors that they detect or install themselves as part of an exploit.
• In some cases, a worm is designed to take advantage of a backdoor created by an earlier
attack.

How to Protect from Trojan Horses and Backdoors
1. Stay away from suspect websites/weblinks
2. Surf on the Web cautiously
3. Install antivirus/Trojan remover software
Steganography
• Steganography is a method that attempts to hide the existence of a message or communication.
• The word “steganography” comes from the two Greek words steganos, meaning “covered,” and
graphein, meaning “to write,” so it means “concealed writing.”
Steganalysis
• Steganalysis is the art and science of detecting messages that are hidden in images,
audio/video files using steganography.
• Automated tools are used to detect such steganographed data/information hidden in image,
audio and/or video files.
DoS and DDoS Attacks
• A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an
attempt to make a computer resource unavailable to its intended users.
DoS Attacks
• The attacker floods the bandwidth of the victim’s network or fills his E-Mail box with Spam mail,
depriving him of the services he is entitled to access or provide.
• The goal of DoS is not to gain unauthorized access to systems or data, but to prevent intended
users (i.e., legitimate users) of a service from using it. A DoS attack may:
1. Flood a network with traffic, thereby preventing legitimate network traffic.
2. Disrupt connections between two systems, thereby preventing access to a service.
3. Prevent a particular individual from accessing a service.
4. Disrupt service to a specific system or person.
DDoS Attacks
• In a DDoS attack, an attacker may use your computer to attack another computer.
• By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your
computer.
• He/she could then force your computer to send huge amounts of data to a website or send Spam to
particular E-Mail addresses.
• A DDoS attack is a distributed DoS wherein a large number of zombie systems are synchronized to
attack a particular system. The zombie systems are called “secondary victims” and the main target is
called the “primary victim.”
• DDoS attacks involve hardcoding the target IP address prior to release of the malware; hence no
further interaction is necessary to launch the attack.
• A system may also be compromised with a Trojan, allowing the attacker to download a zombie agent.
How to Protect from DoS/DDoS Attacks
1. Implement router filters.
2. If such filters are available for your system, install patches to guard against TCP SYN flooding.
3. Disable any unused or inessential network service.
4. Enable quota systems on your OS if they are available.
5. Observe your system’s performance and establish baselines for ordinary activity.
6. Routinely examine your physical security with regard to your current needs.
7. Use Tripwire or a similar tool to detect changes in configuration information or other files.
8. Invest in and maintain “hot spares” – machines that can be placed into service quickly if a similar
machine is disabled.
9. Invest in redundant and fault-tolerant network configurations.
10. Establish and maintain regular backup schedules and policies, particularly for important configuration
information.
11. Establish and maintain appropriate password policies, especially access to highly privileged accounts
such as Unix root or Microsoft Windows NT Administrator.
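Item 7 above recommends Tripwire or a similar tool to detect changes in configuration files. The core of such a tool is small: hash every file once to form a baseline, hash again later, and report what differs. The Python below is an added example written for these notes, not Tripwire's code or anything from the original document; it assumes SHA-256 digests, keeps the baseline in memory, and builds a constructed directory tree in `demo()` so it runs offline. In practice the baseline would be written out (for example as JSON) to storage the monitored host cannot modify, otherwise an intruder who is "covering tracks" can simply update it.

```python
"""Added example: a minimal file-integrity baseline in the spirit of
"use Tripwire or a similar tool". Not Tripwire's code.
Assumptions: SHA-256 digests; the baseline lives in memory here."""

import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root_path = Path(root)
    digests = {}
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):   # stream, so large files are fine
                h.update(chunk)
        digests[path.relative_to(root_path).as_posix()] = h.hexdigest()
    return digests


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it in three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp, "etc")
        etc.mkdir()
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        Path(tmp, "README").write_text("baseline\n")
        baseline = hash_tree(tmp)

        (etc / "sshd_config").write_text("PermitRootLogin yes\n")          # modified
        (etc / "cron.d").write_text("0 3 * * * root /usr/local/bin/backup\n")  # added
        Path(tmp, "README").unlink()                                        # removed
        return compare(baseline, hash_tree(tmp))


if __name__ == "__main__":
    for kind, files in demo().items():
        print("%-9s %s" % (kind, ", ".join(files) or "-"))
```

Running the module prints the three findings (`etc/cron.d` added, `README` removed, `etc/sshd_config` modified). Scheduling `hash_tree` regularly and comparing against the stored baseline is the "establish baselines for ordinary activity" advice of item 5 applied to the filesystem rather than to performance counters.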
Phishing and Identity Theft
Phishing

A type of e-mail scam that steals your identity.

An e-mail fraud technique in which the culprit sends out e-mails looking legitimate in an
effort to accumulate personal and financial information from recipients (messages likely
come from well-known and trustworthy sites, viz., PayPal, eBay, MSN, Yahoo, BestBuy, and
America Online).

Phishers use a variety of social engineering and e-mail spoofing techniques to try to trick their victims.

The act of sending an e-mail to a user and falsely claiming to be an established legitimate
organization to scam the user into giving up private information to be used for identity theft.

The e-mail steers the user to visit a Web site where they are asked to update their personal
information, viz., their passwords and information about their credit cards, bank account
numbers, etc.
(Courtesy : 2011 Cisco System report)
Spam E-Mails

Also known as “junk E-Mails”

Identical messages are sent to numerous recipients

Popular medium for phishers to scam users into entering personal information on fake websites

A person who creates electronic spam is called a spammer

Types
1. Unsolicited bulk E-Mail (UBE)
2. Unsolicited commercial E-Mail (UCE)

Tactics used by a phisher
1. Names of legitimate organizations
2. “From” a real employee
3. URLs that “look right”
4. Urgent messages

Phrases used to entice the user
1. “Verify your account”
2. “You have won the lottery”
3. “If you don’t respond within 48 hours, your account will be closed”
Hoax E-Mails

Deliberate attempt to deceive or trick a user into believing or accepting that something is real.

Hoax E-Mails may or may not be Spam E-Mails.

Methods of Phishing
1. Dragnet (use of spammed E-Mails)
2. Rod-and-reel (identifying specific prospective victims in advance and conveying false information
to them to prompt their disclosure of personal and financial data)
3. Lobsterpot (focuses upon the use of spoofed websites)
4. Gillnet (relies far less on social engineering techniques; phishers introduce malicious code
into E-Mails and websites)
Phishing Techniques

1. URL (weblink) manipulation
2. Filter evasion
3. Website forgery
4. Flash Phishing
5. Social Phishing
6. Phone Phishing

Phishers usually send millions of E-Mail messages, pop-up windows, etc., that appear
official and legitimate.
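The tactic "URLs that look right" and the technique "URL (weblink) manipulation" rely on the gap between what a link shows and where it goes, and that gap can be checked mechanically before a message reaches a mailbox. The Python below is an added example written for these notes, not code from the original document: it extracts every anchor from an HTML e-mail body and flags a trusted name used as a subdomain of an untrusted domain, a raw IP address as host, userinfo placed before the real host, plain `http`, and visible link text that names a different domain from the `href`. The trusted-domain set, the sample message and the helper names are constructed, and the two-label `registrable()` approximation stands in for a proper public-suffix lookup.

```python
"""Added example: flag the link tricks behind "URLs that look right" and
URL manipulation in an HTML e-mail body. Trusted domains and the sample
message are constructed; nothing here is a real mail."""

from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example-bank.com"}          # constructed allow-list


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname. Approximation: real code uses the public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def suspicious_reasons(href: str, text: str) -> list[str]:
    """Reasons a link is suspicious; an empty list means nothing was found."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.username is not None:            # "https://trusted.example@evil.test/"
        reasons.append("userinfo in URL hides real host")
    if is_ip(host):
        reasons.append("raw IP address as host")
    if parts.scheme == "http":
        reasons.append("plain http")
    # Visible text that itself looks like a URL, but the href goes elsewhere.
    if "." in text and " " not in text:
        shown = urlsplit(text if "://" in text else "https://" + text).hostname or ""
        if "." in shown.rstrip(".") and registrable(shown) != registrable(host):
            reasons.append("link text shows %s but href goes to %s" % (shown, host))
    # A trusted name used as a subdomain label or path component of an untrusted domain.
    if registrable(host) not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in host or trusted in parts.path:
                reasons.append("trusted name %s used in untrusted URL" % trusted)
    return reasons


def scan_email(html: str) -> dict[str, list[str]]:
    """Map each suspicious href in the message to its reasons."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = suspicious_reasons(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message exercising the tricks above; the third link is legitimate.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please <a href="https://example-bank.com.secure-login.test/verify">Verify your account</a>
within 48 hours or it will be closed.</p>
<p>Or use <a href="http://192.0.2.10/login">www.example-bank.com</a></p>
<p>Help centre: <a href="https://example-bank.com/help">example-bank.com/help</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

The legitimate help link produces no findings, which is the property a mail gateway needs: the check has to stay quiet on ordinary traffic so that the two flagged links stand out.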
Spear Phishing

A method of sending a Phishing message to a particular organization to gain organizational
information for more targeted social engineering.

Spear phishers send E-Mail that appears genuine.

The message might look like as if it has come from your employer, or from a colleague who
might send an E-Mail message to everyone in the company (such as the person who
manages the computer systems); it could include requests for usernames or passwords.
Whaling

A specific form of “Phishing” and/or “Spear Phishing” – targeting executives from the top
management in the organizations, usually from private companies.

The objective is to swindle the executives into revealing confidential information.

Whaling targets C-level executives sometimes with the help of information gleaned through
Spear Phishing, aimed at installing malware for keylogging or other backdoor access
mechanisms.

E-Mails sent in the whaling scams are designed to masquerade as a critical business E-Mail sent
from a legitimate business body and/or business authority.

Whaling phishers have also forged official-looking FBI subpoena E-Mails and claimed that the
manager needs to click a link and install special software to view the subpoena.
Types of Phishing Scams

1. Deceptive Phishing
2. Malware-based Phishing
3. Keyloggers
4. Session hijacking
5. In-session Phishing
6. Web Trojans
7. Pharming
8. System reconfiguration attacks
9. Data theft
10. Content-injection Phishing
11. Man-in-the-middle Phishing
12. Search engine Phishing
13. SSL certificate Phishing
Distributed Phishing Attack (DPA)

An advanced form of phishing attack that works through per-victim personalization of the location of
the sites collecting credentials, and covert transmission of the credentials to a hidden coordination
center run by the phisher.

A large number of fraudulent web hosts are used for each set of lured E-Mails.

Each server collects only a tiny percentage of the victim’s personal information.

Phishing Toolkits and Spy Phishing

A Phishing toolkit is a set of scripts/programs.

Quite expensive.

Phishers use hypertext preprocessor (PHP) to develop the Phishing kits.

Most of the Phishing kits are advertised and distributed at no charge; these free Phishing kits
are also called DIY (Do It Yourself) Phishing kits.
Phishing Countermeasures
The countermeasures prevent the malicious attacks by which a phisher may gain unauthorized
access to the system in order to steal the relevant personal information about the victim from the
system.

It is always challenging to recognize/judge the legitimacy of a website while Googling.

SPS Algorithm to Thwart Phishing Attacks

With the Sanitizing Proxy System (SPS), a web Phishing attack can be immunized by removing the part of
the content that entices netizens into entering their personal information.

SPS sanitizes all HTTP responses from suspicious URLs with warning messages.
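The sanitizing step just described can be sketched in code: when the requested URL is judged suspicious, the proxy rewrites the HTTP response so that the fields which would collect personal information are gone and a warning is shown instead. The Python below is an added example written for these notes, not the SPS authors' implementation and not code from the original document; the `SUSPICIOUS_HOSTS` set, the sensitive-field heuristics, the warning text and `PHISH_PAGE` are constructed, and a real SPS would consult a reputation source rather than a fixed blocklist.

```python
"""Added example: sanitize an HTTP response from a URL judged suspicious, in the
spirit of SPS. Drops <form> tags and credential-collecting <input> fields and
inserts a warning after <body>. Blocklist, heuristics and sample page are constructed."""

from html.parser import HTMLParser
from urllib.parse import urlsplit

SUSPICIOUS_HOSTS = {"secure-login.test"}          # constructed stand-in for a reputation feed
SENSITIVE_INPUT_TYPES = {"password", "email", "tel"}
SENSITIVE_NAME_WORDS = ("pass", "card", "cvv", "ssn", "account", "pin")
WARNING = ('<div style="background:#fdd;padding:1em">Warning: this page was flagged as a '
           'possible phishing site; its input fields have been removed.</div>')


def is_suspicious(url: str) -> bool:
    """True if the URL's host is, or is under, a blocklisted domain."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SUSPICIOUS_HOSTS)


class _Sanitizer(HTMLParser):
    """Re-emit the document, dropping forms and sensitive inputs (HTML comments are dropped too)."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &amp; and friends as written
        self.out = []
        self.removed = 0

    @staticmethod
    def _fmt(tag, attrs, selfclose=False):
        rendered = "".join(' %s="%s"' % (k, v) if v is not None else " " + k for k, v in attrs)
        return "<%s%s%s>" % (tag, rendered, " /" if selfclose else "")

    @staticmethod
    def _sensitive(tag, attrs) -> bool:
        if tag == "form":
            return True
        if tag != "input":
            return False
        a = {k: (v or "").lower() for k, v in attrs}
        return a.get("type") in SENSITIVE_INPUT_TYPES or any(
            w in a.get("name", "") for w in SENSITIVE_NAME_WORDS)

    def handle_starttag(self, tag, attrs):
        if self._sensitive(tag, attrs):
            self.removed += 1
            return
        self.out.append(self._fmt(tag, attrs))
        if tag == "body":
            self.out.append(WARNING)

    def handle_startendtag(self, tag, attrs):
        if self._sensitive(tag, attrs):
            self.removed += 1
            return
        self.out.append(self._fmt(tag, attrs, selfclose=True))

    def handle_endtag(self, tag):
        if tag != "form":                # the matching </form> goes with the dropped <form>
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def sanitize_response(url: str, body: str) -> tuple[str, int]:
    """Return (body, removed_count); the body is untouched when the URL is not suspicious."""
    if not is_suspicious(url):
        return body, 0
    s = _Sanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out), s.removed


# Constructed phishing page: one harmless field, two credential fields, a submit button.
PHISH_PAGE = """<!DOCTYPE html><html><body><h1>Account verification</h1>
<form action="/collect" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="text" name="cardnumber">
<input type="submit" value="Verify">
</form></body></html>"""

if __name__ == "__main__":
    cleaned, n = sanitize_response("https://example-bank.com.secure-login.test/verify", PHISH_PAGE)
    print("removed %d element(s)\n%s" % (n, cleaned))
```

Only the form wrapper and the password and card fields are removed, so the page still renders and the user can see the warning in context; a response from a host that is not on the list passes through byte-for-byte, which keeps the proxy transparent for ordinary browsing.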

Identity Theft (ID Theft)

Fraud that involves someone pretending to be someone else to steal money or get other
benefits.

The person whose identity is used can suffer various consequences when he/she is held
responsible for the perpetrator’s actions.
Statistics as per Federal Trade Commission (FTC)
1. Credit card fraud (26%)
2. Bank fraud (17%)
3. Employment fraud (12%)
4. Government fraud (9%)
5. Loan fraud (5%)

Personally Identifiable Information (PII)

Fraudsters attempt to steal the elements mentioned below:
1. Full name
2. National identification number (e.g., SSN)
3. Telephone and mobile phone numbers
4. Driver’s license number
5. Credit card numbers
6. Digital identity (e.g., E-Mail address, online account ID and password)
7. Birth date and place name
8. Face and fingerprints
A fraudster generally searches the following about an individual:
1. First or last name
2. Age
3. Country, state or city of residence
4. Gender
5. Name of the school/college/workplace
6. Job position, grades and/or salary
7. Criminal record

Types of Identity Theft
1. Financial identity theft
2. Criminal identity theft
3. Identity cloning
4. Business identity theft
5. Medical identity theft
6. Synthetic identity theft
7. Child identity theft

Techniques of ID Theft
1. Human-based methods
2. Computer-based techniques
