3. Obtaining User or Website Data and Email Attacks

Uploaded by Garv tech

Obtaining User or Website Data and Email Attacks
Obtaining User or Website Data
Code Within Data
1. Cross-Site Scripting
• Executable code is included in the interaction between client and server and executed by the client or server.
• E.g., a Google search on the string “cross site scripting” becomes
http://www.google.com/search?q=cross+site+scripting&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&lr=lang_en
• A cross-site scripting (XSS) exploit is either appended to the end of a URL or posted directly onto a page that displays user-generated content. It is a client-side code injection attack.
2. SQL Injection
• Operates by inserting code into an exchange between a client and a database server, e.g., in a bank application.
3. Dot-Dot-Slash
• Enter the dot-dot. In both Unix and Windows, ‘..’ is the directory indicator for “predecessor,” and ‘../..’ is the grandparent of the current location.
• So someone who can enter file names can travel back up the directory tree one .. at a time.
• E.g., passing a URL built this way causes the server to return the requested file, autoexec.nt, enabling an attacker to modify or delete it.
4. Server-Side Include
• Web pages can be organized to invoke a particular function
automatically. For example, many pages use web commands to send
an email message in the “contact us” part of the displayed page.
• One of the server-side include commands is exec, to execute an
arbitrary file on the server.
Website Data: A User’s Problem, Too
• Some website data affect users significantly. Consider one of the most common data items that websites maintain: user IDs and passwords.
• Faced with many passwords to remember, users skimp by reusing the
same password on multiple sites. Even that reuse would be of only
minor consequence if websites protected IDs and corresponding
passwords.
• Websites’ ID and password tables are both valuable to attackers and
frequently obtained. Even if it is the website that is attacked, it is the
users who suffer the loss.
Foiling Data Attacks
• Data attacks depend on passing commands disguised as input.
Countermeasures for foiling data attacks are:
• An input preprocessor could watch for and filter out specific inappropriate string forms, such as < and > in data expected to contain only letters and numbers.
• Access control on the part of backend servers that might receive and
execute these data attacks. For example, a database of names and
telephone numbers might support queries for a single person.
Email Attacks
Fake Email
Fake Email Messages as Spam
• False messages try to get people to click to download a browser enhancement or even just click for more detail. Spammers use more realistic topics for false messages to entice recipients to follow a malicious link. Types:
  – fake “nondelivery” messages
  – false social networking messages, especially attempts to obtain login details
  – current events messages
  – shipping notices
• Volume of Spam
• Why Send Spam?
• Pump and Dump
• Advertising
• Malicious Payload
• Links to Malicious Web Sites
• The Price Is Right
• How to eliminate/reduce spams: Legal, Source Addresses, Screeners,
Volume Limitations, Postage
Phishing
• Cybercriminal attempts to steal personal and financial information or infect computers and other devices with malware and viruses
• Designed to trick you into clicking a link or providing personal or financial information
• Often in the form of emails and websites
• May appear to come from legitimate companies, organizations or known individuals
• Take advantage of natural disasters, epidemics, health scares, political elections or timely events
Types of Phishing
• Mass Phishing – Mass, large-volume attack intended to reach as many people as
possible
• Spear Phishing – Targeted attack directed at specific individuals or companies using
gathered information to personalize the message and make the scam more difficult to
detect
• Whaling – Type of spear phishing attack that targets “big fish,” including high-profile
individuals or those with a great deal of authority or access
• Clone Phishing – Spoofed copy of a legitimate and previously delivered email, with
original attachments or hyperlinks replaced with malicious versions, which is sent from
a forged email address so it appears to come from the original sender or another
legitimate source
• Advance-Fee Scam – Requests the target to send money or bank account information to the cybercriminal
Common Baiting Tactics
• Notification from a help desk or system administrator
Asks you to take action to resolve an issue with your account (e.g., email account has reached
its storage limit), which often includes clicking on a link and providing requested information.
• Advertisement for immediate weight loss, hair growth or fitness prowess
Serves as a ploy to get you to click on a link that will infect your computer or mobile device
with malware or viruses.
• Attachment labeled “invoice” or “shipping order”
Contains malware that can infect your computer or mobile device if opened. May contain
what is known as “ransomware,” a type of malware that will delete all files unless you pay a
specified sum of money.
• Notification from what appears to be a credit card company
Indicates someone has made an unauthorized transaction on your account. If you click the link
to log in to verify the transaction, your username and password are collected by the scammer.
• Fake account on a social media site
Mimics a legitimate person, business or organization. May also appear in the form of an online
game, quiz or survey designed to collect information from your account.
Phishing Lure
• Claims to come from the NDSU IT Help Desk and system
administrators
• References NDSU and North Dakota State University
• Calls for immediate action using threatening language
• Includes hyperlink that points to fraudulent site
Phishing Lure
• Claims to come from the NDSU Human Resources
• Timely call for action during annual review season
• From address includes NDSU, but not .edu address (@ndsu.com)
• Includes hyperlink that points to fraudulent site
Phishing Lure
• Claims to come from PayPal
• Includes PayPal logo, but from address is not legitimate (@ecomm360.net)
• Calls for immediate action using threatening language
• Includes hyperlink that points to fraudulent site
Phishing Lure
• Likely an advance-fee scam
• Takes advantage of ongoing humanitarian crisis
• If it sounds too good to be true, it likely is
Detect a Phishing Scam
• Spelling errors (e.g., “pessward”), lack of punctuation or poor grammar
• Hyperlinked URL differs from the one displayed, or it is hidden
• Threatening language that calls for immediate action
• Requests for personal information
• Announcement indicating you won a prize or lottery
• Requests for donations
Can you detect a phishing scam?
• Is the name of the staff mailing list correct?
• Use the “hover” technique. Does the displayed URL match the actual URL?
• Examine the spelling, grammar and punctuation.
• Examine the login page – is the logo familiar? Look at the subtitles on the logo; is anything unusual?
• Who is requesting this information? Is it someone who would normally request it?
• Check for spelling errors.
• Do you know the sender?
• There is no greeting.
• There is no salutation or signature.
• Are you expecting an attachment from this person or company?
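The warning signs from the two slides above, automated as an added example that is not the slides' own material: the function reads one raw message, compares the sender's domain with the organization's, applies the hover technique by comparing each link's visible text with its real target, and flags urgency wording. The sample message is constructed; ndsu.com is the lookalike sender domain shown on the slide and example.net stands in for the fraudulent site.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(immediately|suspended|within 24 hours|verify your account)\b", re.I)

# Constructed sample: ndsu.com is the lookalike domain from the slide, example.net the fake site.
SAMPLE = """From: NDSU IT Help Desk <helpdesk@ndsu.com>
Subject: Your mailbox has reached its storage limit
Content-Type: text/html

<p>Your account will be suspended. Verify immediately at
<a href="http://ndsu-login.example.net/verify">www.ndsu.edu/mail</a></p>
"""

class LinkCollector(HTMLParser):
    # Pairs each href with its visible text, which is what the hover technique compares.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw: str, org_domain: str) -> list[str]:
    msg = message_from_string(raw)  # single-part text/html message assumed
    org_name, findings = org_domain.split(".")[0], []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain != org_domain and org_name in sender_domain:
        findings.append(f"lookalike sender domain {sender_domain} (expected {org_domain})")
    body = msg.get_payload()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        actual = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if "." in text and " " not in text and shown != actual:  # displayed URL differs
            findings.append(f"link text shows {shown} but points to {actual}")
    if URGENCY.search(body):
        findings.append("urgent or threatening language calling for immediate action")
    return findings
```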


Protecting Against Email Attacks
• PGP (Pretty Good Privacy)
It addresses the key distribution problem with a “ring of trust” or a
user’s “keyring.”
One user directly gives a public key to another, or the second user
fetches the first’s public key from a server.
And one person can give a second person’s key to a third (and a fourth,
and so on).
Thus, the key association problem becomes one of caveat emptor. If I
trust you, I may also trust the keys you give me for other people.
PGP performs the following:
1. Create a random session key for a symmetric algorithm.
2. Encrypt the message, using the session key (for message
confidentiality).
3. Encrypt the session key under the recipient’s public key.
4. Generate a message digest or hash of the message; sign the hash by
encrypting it with the sender’s private key (for message integrity and
authenticity).
5. Attach the encrypted session key to the encrypted message and
digest.
6. Transmit the message to the recipient.
• S/MIME (Secure Multipurpose Internet Mail Extensions)
Uses hierarchically validated certificates, usually represented in X.509
format, for key exchange.
Thus, with S/MIME, the sender and recipient do not need to have
exchanged keys in advance as long as they have a common certifier they
both trust.
S/MIME handles (secures) all sorts of attachments, such as data files
(for example, spreadsheets, graphics, presentations, movies, and
sound).
