Attacker Techniques and Motivation

Uploaded by

aloneliya64

How Hackers Cover Their Tracks

(Antiforensics)
Proxy

• What is a Proxy Server? - YouTube


Actual Need Of Private Proxy:

1. To protect organizations' data from malicious use and hide the actual IP
2. Filtering of content
3. Examine packet headers and payloads
4. To control internet usage of employees
5. Bandwidth savings and improved speeds
6. Privacy benefits
7. Security
But Attackers Use Proxy to:
1. IP Address Masking: The most basic function of a proxy server is to mask the user's IP address.
Instead of directly connecting to a website or service, the request appears to come from the IP
address of the proxy server. This hides the attacker's true IP address from the target server.
2. Anonymity: Some proxy servers offer varying levels of anonymity. High-anonymity proxies do
not disclose the user's IP address to the destination server, further concealing the attacker's
identity.
3. Geographical Obfuscation: By using a proxy server located in a different geographical
location, attackers can make it appear as if their attacks are originating from somewhere else
entirely, making it harder for defenders to pinpoint their actual location.
4. Access Control Bypass: Proxy servers can also be used to bypass access controls or restrictions
implemented by network administrators. By routing their traffic through a proxy server,
attackers can evade detection and access resources that would otherwise be blocked.
5. Traffic Encryption: Some proxy servers offer encryption capabilities, which can secure the
communication between the user and the proxy server. This prevents intermediaries, such as
Internet Service Providers (ISPs) or network administrators, from intercepting and inspecting
the traffic.
Let's say there's an attacker, Sam, who wants to access a website, but they
don't want their IP address to be traced back to them. Sam decides to use a
proxy server to hide their identity.
1. Without a Proxy Server:
1. Sam's computer sends a request directly to the website.
2. The website receives the request and logs Sam's IP address.
3. If Sam is doing something malicious, the website can trace it back to
Sam's IP address.
2. With a Proxy Server:
1. Sam configures their browser to use a proxy server.
2. Sam's computer sends a request to the proxy server instead of directly
to the website.
3. The proxy server forwards Sam's request to the website on behalf of
Sam.
4. The website receives the request but sees the IP address of the proxy
server, not Sam's real IP address.
5. If Sam is doing something malicious, the website can only trace it
back to the proxy server's IP address, not Sam's.
1. Open Browser Settings: Sam should open the settings menu of their web browser. This can
usually be done by clicking on the menu icon (often represented by three horizontal lines)
located in the top-right corner of the browser window.
2. Access Network Settings: Within the settings menu, there should be an option related to
network or internet settings. Sam should click on this option to access the network settings page.
3. Find Proxy Settings: In the network settings page, there should be an option to configure proxy
settings. This option might be labeled differently depending on the browser, but common labels
include "Proxy settings," "Network proxy," or "Internet options."
4. Enter Proxy Server Details: Sam will need to enter the details of the proxy server they want to
use. This typically includes the IP address or hostname of the proxy server and the port number
it operates on. Sam may also need to specify whether the proxy server requires authentication
(username and password).
5. Save Settings: Once Sam has entered the proxy server details, they should save the settings.
Depending on the browser, there may be a "Save," "Apply," or "OK" button to confirm the
changes.
6. Test Connection: Sam can now test whether the browser is using the proxy server correctly.
They can try accessing a website and verify that the request is being routed through the proxy
server by checking the IP address associated with their connection using online tools or services.
7. Optional: Enable/Disable Proxy: Some browsers allow users to enable or disable the proxy
server on-demand. Sam can explore these options within the browser settings if they want to
switch between using the proxy server and connecting directly to the internet.
Here's how Sam would enter these details in their browser settings:
1. Open Browser Settings: Sam opens the settings menu of their web browser.
2. Access Network Settings: Sam clicks on the option related to network or
internet settings.
3. Find Proxy Settings: Sam selects the option to configure proxy settings.
4. Enter Proxy Server Details:
1. Proxy Server IP Address: 192.168.1.100
2. Proxy Server Port Number: 8080
3. (Optional) Proxy Authentication: If the proxy server requires authentication,
Sam would also enter their username and password in the designated fields.
5. Save Settings: Sam saves the settings by clicking on the "Save," "Apply," or
"OK" button, depending on the browser.
Types of Proxies
• Common proxies listen on TCP port 80 (HTTP proxies), 8000, 8081, 443, 1080
(SOCKS Proxy), and 3128 (Squid Proxy) and some also handle User Datagram
Protocol (UDP).
• Some applications either do not operate correctly through proxy services because
the proxy server removes necessary information or cannot satisfy the request
• Some services like The Onion Router (Tor) browser also give users the ability to
proxy traffic and hide their original location from victims.
• A virtual private network (VPN) acts as a more versatile proxy and supports more
security features.
• Instead of configuring the application to use a proxy, users can tunnel all traffic
through the VPN. VPN services usually support strong authentication and are less
likely to leak information that could identify the user of a proxy.

• What is VPN and how it works? - YouTube


1. HTTP/HTTPS Proxy:
HTTPS proxy is specifically designed to handle HTTPS (Hypertext Transfer Protocol Secure) traffic, which is
encrypted. It intercepts and forwards encrypted HTTPS requests from clients to destination servers, allowing
for secure communication between the client and server. HTTPS proxies are commonly used for securing web
browsing and protecting sensitive data.
2. SOCKS Proxy:
A SOCKS (Socket Secure) proxy operates at a lower level than HTTP or HTTPS proxies. It can handle
various types of traffic, including TCP (Transmission Control Protocol) and UDP (User Datagram
Protocol). SOCKS proxies are often used for tasks like bypassing firewall restrictions, anonymizing
internet traffic, and accessing restricted services.
3. Transparent Proxy:
A transparent proxy intercepts network traffic without requiring any configuration on the client side.
Clients are unaware that their requests are being proxied. Transparent proxies are commonly used for tasks
like content filtering, caching, and load balancing in corporate networks.
4. Anonymous Proxy:
An anonymous proxy hides the client's IP address from destination servers, making it appear as if the
requests are originating from the proxy server's IP address. However, anonymous proxies may still reveal
some information about the client, such as the user-agent string (browser details). They are often used for
enhancing privacy and bypassing geo-restrictions.
5. Elite (High-Anonymous) Proxy: Elite proxies provide the highest level of anonymity by not disclosing any
information about the client, including the IP address and user-agent string. They completely hide the client's
identity from destination servers, making it difficult to trace the origin of the requests. Elite proxies are
commonly used for activities that require maximum anonymity, such as web scraping and automated browsing.
• Attackers commonly use free or commercial proxies (e.g., SOCKS and VPN) that operators advertise on hacking
forums.
• Attackers may prefer these services to public proxies because they advertise anonymity and claim they do not
keep logs, unlike Tor, where community operators can monitor traffic going through an exit node that they control.
• Proxy services that keep logs are a danger to attackers who use these services for conducting fraud and can lead to
their arrests.
Some commercial VPN and SOCKS proxy services include:
• hxxp://secretsline.net
• hxxp://vpn-secure.net
• hxxp://thesafety.us
• hxxp://5socks.net
• hxxp://vpn-service.us

• Attackers may prefer proxy services advertised on hacking forums because they are less responsive to
abuse requests. For example, commercial proxy services like FindNot keep logs of their users for a
maximum of five days to protect the system from being used for abusive purposes, while many of those
services advertised on hacking forums do not keep any logs.

• Operating proxy services is not illegal because it has legitimate purposes related to anonymity for users.
Detecting use of proxies
Detecting proxies is difficult and not always reliable.
1. Malicious code authors install custom proxies and use encrypted or custom protocols
2. Port scanning on corporate networks can identify proxies that listen on default ports.
3. Organizations should also monitor changes to proxy configuration because such changes could indicate that
an attacker compromised a host.
4. IDSs (intrusion detection systems) use domain name system blacklists (DNSBLs) to block URLs.
5. Certain proxies do not proxy all traffic.
For instance, a Web application can force users to perform unique DNS requests with subdomains (see Exhibit
2-3). The application links the DNS request to the user’s IP address and verifies that the HTTP request
originates from the same IP address. If they are not the same, indicating the use of a proxy, the application can
determine that the proxy IP address made the HTTP request and that the user’s actual IP address made the DNS
request.
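The DNS-versus-HTTP correlation described above, as an added example that is not part of the original slides: the application hands each visitor a unique hostname under a zone it controls, the zone's name server logs who resolved it, and the web front end logs who then fetched the matching URL. The two log formats, the zone name `check.example.net` and the token scheme are assumptions constructed for this example.

```python
"""Detect proxy use by correlating a per-visitor DNS lookup with the HTTP request.

Added example, not from the original slides. The zone name, log formats and
token scheme are assumptions; the log lines are constructed samples.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

TOKEN_ZONE = "check.example.net"   # assumed zone whose name server we operate


def make_probe(token: Optional[str] = None):
    """Return (token, hostname) the visitor is told to resolve and then fetch."""
    token = token or secrets.token_hex(8)   # 16 hex characters
    return token, f"{token}.{TOKEN_ZONE}"


# Constructed sample logs: the DNS side records who asked for each unique name,
# the HTTP side records who presented the same token in the follow-up request.
DNS_LOG = """\
2024-03-01T10:00:01Z query 198.51.100.7 a1b2c3d4e5f60718.check.example.net A
2024-03-01T10:00:05Z query 203.0.113.9 ffeeddccbbaa9988.check.example.net A
2024-03-01T10:00:09Z query 192.0.2.44 0011223344556677.check.example.net A
"""
HTTP_LOG = """\
2024-03-01T10:00:02Z 198.51.100.7 GET /probe?token=a1b2c3d4e5f60718 200
2024-03-01T10:00:06Z 203.0.113.200 GET /probe?token=ffeeddccbbaa9988 200
2024-03-01T10:00:10Z 192.0.2.44 GET /probe?token=0011223344556677 200
2024-03-01T10:00:12Z 198.51.100.99 GET /probe?token=deadbeefdeadbeef 200
"""

DNS_RE = re.compile(r"query (\S+) ([0-9a-f]{16})\." + re.escape(TOKEN_ZONE))
HTTP_RE = re.compile(r"Z (\S+) GET /probe\?token=([0-9a-f]{16})")


def parse_dns(log: str) -> Dict[str, str]:
    """Map token -> source IP of the DNS query (first query wins)."""
    out: Dict[str, str] = {}
    for m in DNS_RE.finditer(log):
        out.setdefault(m.group(2), m.group(1))
    return out


def parse_http(log: str) -> Dict[str, str]:
    """Map token -> source IP of the HTTP request carrying that token."""
    return {m.group(2): m.group(1) for m in HTTP_RE.finditer(log)}


@dataclass
class Verdict:
    token: str
    http_ip: str
    dns_ip: Optional[str]
    status: str   # "direct", "proxied" or "no-dns"


def correlate(dns_log: str, http_log: str) -> List[Verdict]:
    """Compare the DNS-side and HTTP-side source addresses for every token.

    A mismatch means the HTTP request arrived from a different address (a
    proxy) than the one that performed the lookup. A token that was fetched
    but whose lookup never reached our name server is reported as "no-dns"
    rather than guessed at.
    """
    dns = parse_dns(dns_log)
    verdicts = []
    for token, http_ip in parse_http(http_log).items():
        dns_ip = dns.get(token)
        if dns_ip is None:
            status = "no-dns"
        elif dns_ip == http_ip:
            status = "direct"
        else:
            status = "proxied"
        verdicts.append(Verdict(token, http_ip, dns_ip, status))
    return verdicts


if __name__ == "__main__":
    for v in correlate(DNS_LOG, HTTP_LOG):
        print(f"{v.token} http={v.http_ip} dns={v.dns_ip} -> {v.status}")
```

In practice the query reaches the authoritative name server from the visitor's recursive resolver, so the DNS-side address identifies the resolver's network rather than the visitor's own host; the comparison still flags a mismatch between the resolver-side and HTTP-side origins.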
• There are various port scanning tools available, such as Nmap, Masscan, and Netcat. For this example, let's use Nmap, which is one of the most popular and
versatile port scanning tools.
• Run the Port Scan: Open a terminal or command prompt and type the following command to scan the target system (192.168.1.100) using Nmap:

    nmap 192.168.1.100

• This command will perform a basic scan of the target system, scanning the most common 1,000 TCP ports.
• View Scan Results: After the scan completes, Nmap will display the results, showing which ports are open, closed, or filtered on the target system. For example:

    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    443/tcp  open  https

• In this example, Nmap found that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open on the target system.
• Interpret the Results:
• Open Ports: These are ports that responded to the scan, indicating that there is an active service listening on those ports. Attackers often target open ports to
exploit vulnerabilities or gain unauthorized access.
• Closed Ports: These are ports that did not respond to the scan, indicating that there is no active service listening on those ports. Closed ports are generally
considered less vulnerable to attacks.
• Filtered Ports: These are ports that did not respond to the scan, either due to firewall rules, packet filtering, or other security measures in place on the target
system.
• Advanced Scanning Techniques: Nmap offers various advanced scanning techniques, such as SYN scanning (-sS), TCP connect scanning (-sT), and UDP
scanning (-sU), which can provide more detailed information about the target system's network configuration and security posture.
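Turning an inventory scan into the proxy check described earlier (item 2 under "Detecting use of proxies"), as an added example that is not part of the original slides: it parses Nmap's grepable output (the `-oG` format, which the slides do not show) and flags hosts that listen on the default proxy ports named above but are not on a list of sanctioned proxies. The scan text is a constructed sample and the sanctioned-proxy inventory is an assumption.

```python
"""Flag hosts on an internal network that listen on default proxy ports.

Added example, not from the original slides. The scan text below is a
constructed sample of `nmap -oG -` output; the inventory is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Default listener ports named in the slides: HTTP proxies on 80, 8000, 8081
# and 443, SOCKS on 1080, Squid on 3128, plus 8080 from the browser example.
PROXY_PORTS: Dict[int, str] = {
    80: "http", 443: "https", 8000: "http-alt", 8080: "http-proxy",
    8081: "http-alt", 1080: "socks", 3128: "squid",
}

# Assumed inventory: hosts that are allowed to run a proxy, and on which port.
SANCTIONED: Dict[str, Set[int]] = {"192.168.1.10": {3128}}

# Constructed sample of grepable output (tabs separate the fields).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -p 22,80,443,1080,3128,8000,8080,8081 -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.10 (proxy.corp.example)\tStatus: Up\n"
    "Host: 192.168.1.10 (proxy.corp.example)\tPorts: 3128/open/tcp//squid-http///\tIgnored State: closed (7)\n"
    "Host: 192.168.1.100 ()\tStatus: Up\n"
    "Host: 192.168.1.100 ()\tPorts: 80/open/tcp//http///, 1080/open/tcp//socks///, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (5)\n"
    "Host: 192.168.1.57 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (7)\n"
    "# Nmap done\n"
)

PORTS_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State.*)?$")


@dataclass(frozen=True)
class Listener:
    host: str
    port: int
    state: str
    proto: str
    service: str


def parse_gnmap(text: str) -> Dict[str, List[Listener]]:
    """Return host -> listeners from the 'Ports:' lines of grepable output.

    Each port entry has seven '/'-separated fields:
    port/state/protocol/owner/service/rpc-info/version.
    """
    hosts: Dict[str, List[Listener]] = {}
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue
        ip, entries = m.group(1), m.group(3)
        for entry in entries.split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            hosts.setdefault(ip, []).append(
                Listener(ip, int(fields[0]), fields[1], fields[2], fields[4]))
    return hosts


def find_unsanctioned_proxies(text: str,
                              sanctioned: Dict[str, Set[int]] = SANCTIONED) -> List[Listener]:
    """Open listeners on a default proxy port that the inventory does not explain."""
    hits = []
    for ip, listeners in parse_gnmap(text).items():
        for lst in listeners:
            if (lst.state == "open" and lst.port in PROXY_PORTS
                    and lst.port not in sanctioned.get(ip, set())):
                hits.append(lst)
    return sorted(hits, key=lambda x: (x.host, x.port))


if __name__ == "__main__":
    for hit in find_unsanctioned_proxies(SAMPLE_GNMAP):
        print(f"{hit.host}:{hit.port}/{hit.proto} {hit.service} "
              f"(default port for: {PROXY_PORTS[hit.port]})")
```

Filtered ports are deliberately not flagged, since nothing is confirmed to be listening; the page's own advice to watch proxy configuration changes covers the case where a listener hides behind a firewall rule.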
• Metasploit has even provided an application programming interface
(API) for website owners to determine the true IP addresses of their
visitors. iDefense configured a browser to use a proxy and showed that
the Flash test correctly identified the real IP address because Flash
does not use Internet Explorer proxy settings.
Tunnelling Techniques
Most enterprise security controls include strong firewalls, intrusion detection systems (IDSs), and
user policies, such as proxies and time-of-day rules that limit the amount and type of traffic
generated on user networks. Tunneling data through other protocols often bypasses these controls
and may allow sensitive data to exit the network and unwanted data to enter. It is even possible to
extend all networks through these means without ever triggering an alert or log entry.
Difference between tunnel and proxy

Purpose
Tunnel: Tunnels are primarily used to establish a secure, private communication channel between two endpoints over an untrusted network, such as the internet. They provide a way to encapsulate and protect data as it travels between the endpoints. Tunnels are commonly used for purposes like connecting remote offices in a corporate network, accessing private resources securely over the internet, or establishing VPN connections.
Proxy: Proxies act as intermediaries between clients (such as web browsers) and destination servers (such as websites). They receive requests from clients, forward them to the destination servers, and return the responses to the clients. Proxies are often used for purposes like anonymizing internet traffic, accessing geo-restricted content, caching web content to improve performance, or filtering content for security or compliance reasons.

Layer of Operation
Tunnel: Tunnels operate at lower layers of the OSI model, typically at the transport layer (Layer 4) or the network layer (Layer 3), depending on the tunneling protocol used. Tunnels encapsulate the original data packets within new packets, effectively creating a private communication channel between endpoints.
Proxy: Proxies operate at the application layer (Layer 7) of the OSI model. They intercept and process application-level protocols such as HTTP, HTTPS, FTP, etc. Proxies may also operate at lower layers for protocols like SOCKS, which can handle other types of traffic such as TCP or UDP.

Encapsulation vs. Interception
Tunnel: In a tunnel, the entire data packet, including the original header and payload, is encapsulated within a new packet. The encapsulated packet is then transmitted through the tunnel to the other end, where it is decapsulated and delivered to the destination. Tunnels effectively create a virtual, private pathway within a public network, allowing for secure communication between endpoints.
Proxy: Proxies intercept and mediate traffic between clients and destination servers. They receive requests from clients, modify them if necessary (e.g., for content filtering or caching purposes), forward them to the destination servers, receive the responses from the destination servers, and return them to the clients. Proxies can be transparent (clients are unaware of their presence) or explicit (clients are configured to use them).

Security
Tunnel: Tunnels, especially those established using secure tunneling protocols like IPsec, TLS/SSL, or SSH, provide a secure communication channel between endpoints over an untrusted network. They encrypt the data passing through the tunnel, providing confidentiality and integrity. Tunnels also provide protection against eavesdropping, tampering, and unauthorized access to data.
Proxy: Proxies can provide security benefits such as filtering malicious content, blocking certain websites or services, and hiding the client's IP address from destination servers. However, proxies do not inherently provide encryption or secure communication between clients and destination servers. Proxies may be used in conjunction with encryption protocols like HTTPS for secure communication, but they do not provide end-to-end encryption like tunnels do.
SSH
A common, simple form of traffic tunneling in SSH is the tunneling of a Transmission Control Protocol (TCP)
port. When a user configures such tunneling over an SSH session, the protocol simply proxies a TCP connection
over the SSH connection, and the content of the TCP connection does not flow directly from source to
destination, but rather through the SSH connection. One side of the SSH connection (either server or client) listens on a
specified TCP port as the source of the data and transfers all the data to the other side of the SSH connection.
This other side then forwards the data to the specified TCP destination. An SSH tunneling configuration can
become more complicated, because users can configure it to provide a reverse tunnel or arbitrary application
proxying through protocols such as SOCKS, but the underlying concept remains the same.
VPN - Virtual Private Network

https://youtu.be/wJQndtydiB0
open source software already exist, all of which allow tunneling through
well-known protocols, which attackers can use out of the box or with
some simple tweaking to defeat most firewalls’ rules, proxies, and other
administrative access controls quickly. By writing custom applications
that act as the client and server for other protocols in a given
environment, malicious code can hide its activities and gain unfettered
access to and from any network.
HTTP Proxy
HTTP Tunnel - HTTP tunneling is the process in which communications are encapsulated by
using HTTP protocol. HTTP tunneling is used to bypass firewalls and other network
restrictions and an HTTP tunnel is used to create a direct network link between two locations.
The most common form of HTTP tunneling is the standardized HTTP CONNECT method.
• As one can see, the protocol allows, in essence, unlimited space for
content (or payload) in the request or reply message in addition to other
open areas, such as the headers, whether this content includes arbitrary
custom headers or inappropriate data in valid headers.
• This makes it convenient to transfer arbitrary data to and from an HTTP
server. All one needs to tunnel the traffic is software that can pretend to
talk to the protocol but in reality can transfer data for some other
(perhaps nefarious) purpose.
• A tunneling Web server or a tunneling Web application running on a
legitimate Web server will work. Both types of solutions are readily
available as open source software. Since tunneled traffic looks and acts
like HTTP, application proxies are not a viable defence, as malicious
users or software will simply use the proxies as their administrators
intended: to transmit HTTP message through a control point.
CONNECT method to establish an HTTP tunnel
• The most common form of HTTP tunneling is the
standardized HTTP CONNECT method. In this mechanism, the
client asks an HTTP proxy server to forward
the TCP connection to the desired destination. The server then
proceeds to make the connection on behalf of the client. Once
the connection has been established by the server, the proxy
server continues to proxy the TCP stream to and from the client.
Only the initial connection request is HTTP - after that, the
server simply proxies the established TCP connection.
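Because everything after the CONNECT exchange is an opaque TCP stream, the request line is the one place where an explicit forward proxy can still enforce policy and log the destination. The following is an added example, not code from the original slides: a policy check over the CONNECT request line. The allowed port set, the denied name suffix `.internal.example` and the sample requests are assumptions constructed for this example.

```python
"""Policy check on HTTP CONNECT requests at an explicit forward proxy.

Added example, not from the original slides. Port policy, denied suffixes and
the sample requests are assumptions constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ALLOWED_PORTS = {443}                           # assumed: tunnel only to TLS endpoints
DENIED_SUFFIXES = (".internal.example",)        # assumed: never tunnel toward internal names

# CONNECT uses the authority form host:port; host may be a bracketed IPv6 literal.
REQUEST_LINE = re.compile(
    rb"^CONNECT (\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(\d{1,5}) HTTP/1\.[01]\r\n")


@dataclass
class Decision:
    allowed: bool
    status: str                  # status line the proxy would send back
    host: Optional[str] = None
    port: Optional[int] = None
    reason: str = ""


def _private_literal(host: str) -> bool:
    """True when host is an IP literal in a private, loopback or link-local range."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False                      # a hostname, not a literal
    return addr.is_private or addr.is_loopback or addr.is_link_local


def evaluate_connect(raw: bytes) -> Decision:
    """Decide whether to open the tunnel; only the request line is inspected."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return Decision(False, "HTTP/1.1 400 Bad Request", reason="malformed CONNECT request line")
    host, port = m.group(1).decode("ascii"), int(m.group(2))
    # Port check first: anything other than TLS on 443 is refused outright.
    if port not in ALLOWED_PORTS:
        return Decision(False, "HTTP/1.1 403 Forbidden", host, port, "port not permitted for tunnels")
    # Never let the proxy be used to reach internal names or private addresses.
    if host.lower().endswith(DENIED_SUFFIXES) or _private_literal(host):
        return Decision(False, "HTTP/1.1 403 Forbidden", host, port, "destination is internal")
    return Decision(True, "HTTP/1.1 200 Connection Established", host, port, "allowed")


# Constructed sample requests, as a browser would send them to an explicit proxy.
SAMPLES = {
    "tls to public site": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "non-TLS port":       b"CONNECT 203.0.113.5:22 HTTP/1.1\r\nHost: 203.0.113.5:22\r\n\r\n",
    "internal literal":   b"CONNECT 10.0.0.8:443 HTTP/1.1\r\n\r\n",
    "internal name":      b"CONNECT db.internal.example:443 HTTP/1.1\r\n\r\n",
    "missing port":       b"CONNECT example.com HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        d = evaluate_connect(req)
        print(f"{label:20} -> {d.status} ({d.reason})")
```

Every Decision carries host and port so the proxy can log the tunnel destination even though it will never see the tunnelled content.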
Steganography
• Steganography is the practice of hiding messages and data in content that is not
readily apparent and is a form of security through obscurity. For example,
steganographic software and tools can encode messages and data into images so
that only users who know where the data exists can retrieve it. Tunnels that use
intermediaries for data exchange can deposit payloads that are steganographically
encoded to make it harder to detect the covert communication.

• Mobilefish.com - Online steganography service, hide message or file inside an image.


Fraud techniques
Phishing

Many phishing attacks against mobile devices use short message service (SMS, or smishing) and
voice-over Internet protocol (VoIP, or vishing) to distribute lures and collect personal information.
Attackers often send fraudulent SMS messages containing a URL or phone number using
traditional phishing themes. Responders either enter their personal information into a fraudulent
website, as with traditional e-mail phishing, or, if calling phone numbers, may even provide their
information directly to other people.

To limit exposure to these growing threats, organizations should not send contact information to
users via SMS but instead should be sure phone numbers are readily available on their websites. In
addition, financial institutions should carefully consider using mobile devices as two-factor
authentication devices, given that customers may use the same mobile device to access the online
banking system.
Phishing against Mobile Devices

• Most instances of SMS phishing (smishing) target banks or financial institutions by sending a phone number
that the victim calls after receiving the message, resulting in a vishing attack.
Is it Phishing, Vishing or Smishing?

[Figure: quiz slide whose example messages are labelled Phishing, Vishing, Phishing, Smishing, Smishing]

Mobile Phishing attack

• SMS gateway providers have responded to abuse by rejecting excessive numbers of messages or
fraudulent messages. This is dependent upon the cooperation of the Internet service providers (ISPs)
themselves, rather than defensive tools on a mobile device. Uncooperative or unwilling ISPs could cause
this type of filtering to fail.
Mobile SMS phishing is more difficult to detect than e-mail phishing
• Smishing and vishing are serious problems.
• Anti-phishing products are designed to filter e-mails, but mobile phishing is more difficult to filter
for both users and automatic products. SMS messages contain much less tracking information;
therefore, recipients will not be able to determine from where they originate.
• Mobile phone browsers and SMS programs also lack integrated phishing defences built into
today’s e-mail clients and browsers. Most mobile browsers lack support for protections normally
available on desktop systems such as URL filtering, phishing toolbars, and extended validation
(EV) SSL certificates.
• Smishers also often spoof the source address and use a large number of different phone numbers
to perform vishing.
• Mobile browsers also make it difficult to determine the legitimacy of a URL. The small-form
factor and limited display are incapable of displaying full URLs, and it can take as many as ten
clicks to access the security information of a site.
• Based upon these concerns, it seems likely that users of mobile devices have an increased risk of
falling victim to a phishing attack when they surf with mobile browsers or receive fraudulent
SMS messages.
Mobile Malicious Code

Although rare and only a more recent occurrence, SMS messages sent to mobile devices may
also attempt to convince users to install a mobile malicious code. On or before February 4,
2009, Chinese mobile phone users began reporting a new virus that affects Symbian S60. A
signature is required on all code that runs on the S60 third edition, and this virus is no
exception; it uses a certificate from Symbian licensed to “ShenZhen ChenGuangWuXian.”
After the user installs the program, it spreads to other users by sending SMS messages that
contain URLs, such as the following, for users to download and install the code:
hxxp://www.wwqx-mot.com/game
hxxp://www.wwqx-cyw.com/game
hxxp://www.wwqx-sun.com/game
Rogue antivirus
• During the past year, fake antivirus programs have become dramatically more prevalent and are now a major
threat to enterprises and home users. Moreover, attackers often bundle this software with stealthier malicious
programs. Fortunately, in attackers’ attempts to get users’ attention, rogue antivirus software also alerts
administrators to system compromises and inadvertently exposes other malicious software.

• Attackers aggressively target users with Trojan applications that claim to be antivirus programs. These
rogue antivirus applications, once installed, falsely report security issues to mislead victims into purchasing
a purported “full” version, which can cost each victim up to US$89.95. Victims have had little success when
contacting the payment providers for refund and removal.

• Because a rogue antivirus application often changes a user’s background, displays pop-up windows, modifies search
behaviour, and displays fake windows and security center messages, it often makes its presence repeatedly
visible to users. This can be a benefit, if system administrators aggressively audit infected computers for
other malicious programs with which it is bundled.

• Attackers that install rogue antivirus applications often use social-engineering techniques to trick victims.
To spread, some variants are bundled with mass-mailing capabilities to send URL links or attachments
through e-mail messages.
Following the Money: Payments
• Most of the rogue antivirus incidents that iDefense investigated use third-party
payment organizations. These organizations accept credit card payments and
create a layer of protection and security for attackers who use them. These
payment processors typically use legitimate SSL certificates and claim to handle
fraud requests and operate on a permanent 24/7 basis. The payment processors’
connection with rogue antivirus vendors is not exclusive; therefore, law
enforcement cannot always shut them down immediately.
• In many instances that iDefense investigated, several similar payment providers
exist on the same IP address. The payment providers are highly suspicious
because they use multiple registration names, domains, and contact addresses and
countries, despite their singular purpose to accept money for rogue antivirus
payments.
• Several of the payment provider sites do not list a phone number unless replying
to an authorized customer. They also list in their terms of service that they avoid
taking responsibility for customer content.
Click Fraud
• The Web is an interactive tool and allows advertisers to know exactly how many
potential customers viewed an ad and how many clicked the ad.
• This knowledge leads to an advertising model known as pay-per-click (PPC), in
which advertisers pay ad publishers each time a potential customer clicks an ad on
the publisher’s website.
• This direct relationship between the number of clicks and the amount of money
earned by the publisher has resulted in a form of fraud best known as click fraud.
Anchor Intelligence reports that in the second quarter of 2009, 22.9 percent of ad
clicks are attempts at click fraud.
Pay-per-click

• Any advertising transaction has three primary parties: the advertiser,
the publisher, and the viewer. The advertiser is a company that
produces content it would like to display to potential customers. This
content is an advertisement for a specific product or service that is
likely to generate revenue for the advertiser. The publisher is a creative
outlet that produces content that will draw visitors to its medium. These
visitors view the ad and, ideally, purchase the advertised product or
service. The advertiser pays a fee for a specific number of
“impressions,” which is the estimated number of times a viewer will
see the ad.
• If, and only if, the viewer clicks on the ad, the advertiser will pay the
publisher a fee. The direct correlation between the viewer’s action and
the cost to the advertiser is the primary distinction between PPC and
impression-based advertising.
• When the viewer takes the desired action, be it signing up for a
newsletter or purchasing a new car, a conversion has occurred. This
conversion completes the PPC business model.
• Anybody with a website can become an ad publisher. Publishers who
use these networks are affiliates. Affiliates add HTML code to their
website, which draws ads from the advertising network and displays
them in line with the affiliate’s content. The affiliate and the advertising
network then split the PPC fee each time a viewer clicks an ad.
Click Fraud Motivations

• Click fraud occurs when an ad network charges an advertiser for a click when there was no opportunity for a
legitimate conversion.
• There are many possible motivations for a person to click an advertisement without any intention to purchase a
product or service. Publishers perform the most obvious and common form of click fraud. Clicking an ad on one’s
own website directly generates revenue for the publisher. Clicking the ad fifty times generates even more revenue.
• Publishers could just as easily ask friends to click the ads. For instance, a blogger who wants to increase revenue might make a
post simply asking his or her readers to click every ad on his or her website each time they visit. While they are
legitimate users, these clicks will not result in a conversion for the advertiser.
• If each click costs the Acme Corp. money, Acme’s chief rival might click the ad a few hundred times a day to cost
them as much money as possible. In this case, the publisher benefits from the fraudulent clicks, but the motivation
is merely to harm the advertiser.
• Competing publishers might also be motivated to commit click fraud. A competing publisher can click ads on a
competitor’s website to frame them for click fraud. Once detected, the ad network may ban the competitor, which
will result in an increased share of the advertising revenue for the actual click fraudster.
• Nonfinancial motivations might also cause a person to commit click fraud. If a person disagrees with how Acme
Corp. treats its workers, they might click Acme ads to cost the company additional money. As in the case of clicks
from a competitor, the intent is to harm the advertisers, but the outcome also benefits the publisher.
Click Fraud Tactics and Detections

• The simplest form of click fraud involves manually clicking advertisements through the browser.
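The motivations listed under "Click Fraud Motivations" can be turned into detection rules an ad network would run over its click log. The following is an added example, not code from the original slides: three rules over a constructed click log (a publisher clicking its own ads, one source hammering the same advertiser's ad, and a publisher whose clicks almost never convert). Field names, thresholds and the publisher-address inventory are assumptions.

```python
"""Click-fraud triage over a pay-per-click log.

Added example, not from the original slides. The log is constructed and the
thresholds and publisher-address inventory are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed inventory: addresses known to belong to each publisher's own staff.
PUBLISHER_IPS: Dict[str, Set[str]] = {"pub-blog": {"198.51.100.7"}}
MAX_CLICKS_PER_SOURCE_DAY = 20      # per (advertiser, source IP, day); assumed cap
MIN_CLICKS_FOR_RATE = 50            # only judge conversion rate with enough data
MIN_CONVERSION_RATE = 0.02          # assumed floor below which a publisher is suspect


@dataclass(frozen=True)
class Click:
    ts: str          # ISO-8601 timestamp, UTC
    publisher: str
    advertiser: str
    viewer_ip: str
    converted: bool


def build_sample_log() -> List[Click]:
    """Constructed log: ordinary traffic, publisher self-clicks and a click flood."""
    rows = []
    for i in range(40):   # ordinary visitors of pub-blog; two of them convert
        rows.append(Click(f"2024-03-01T09:{i:02d}:00Z", "pub-blog", "acme",
                          f"192.0.2.{i + 1}", i < 2))
    for i in range(3):    # the publisher clicking its own ads
        rows.append(Click(f"2024-03-01T12:0{i}:00Z", "pub-blog", "acme",
                          "198.51.100.7", False))
    for i in range(150):  # one source clicking Acme's ad 150 times in an afternoon
        rows.append(Click(f"2024-03-01T{13 + i // 60:02d}:{i % 60:02d}:00Z", "pub-blog",
                          "acme", "203.0.113.9", False))
    for i in range(30):   # a publisher with healthy traffic, for contrast
        rows.append(Click(f"2024-03-01T10:{i:02d}:00Z", "pub-news", "acme",
                          f"192.0.2.{100 + i}", i % 10 == 0))
    return rows


def self_clicks(log: List[Click]) -> List[Click]:
    """Rule 1: clicks that come from the publisher's own addresses."""
    return [c for c in log if c.viewer_ip in PUBLISHER_IPS.get(c.publisher, set())]


def click_floods(log: List[Click]) -> Dict[Tuple[str, str, str], int]:
    """Rule 2: (advertiser, source IP, day) triples exceeding the daily click cap."""
    counts = Counter((c.advertiser, c.viewer_ip, c.ts[:10]) for c in log)
    return {k: n for k, n in counts.items() if n > MAX_CLICKS_PER_SOURCE_DAY}


def low_conversion_publishers(log: List[Click]) -> Dict[str, float]:
    """Rule 3: publishers with many clicks but almost no conversions."""
    clicks: Counter = Counter()
    conv: Counter = Counter()
    for c in log:
        clicks[c.publisher] += 1
        conv[c.publisher] += int(c.converted)
    return {p: conv[p] / n for p, n in clicks.items()
            if n >= MIN_CLICKS_FOR_RATE and conv[p] / n < MIN_CONVERSION_RATE}


def triage(log: List[Click]) -> Dict[str, object]:
    """Run all three rules and return their findings together."""
    return {"self_clicks": self_clicks(log),
            "click_floods": click_floods(log),
            "low_conversion": low_conversion_publishers(log)}


if __name__ == "__main__":
    report = triage(build_sample_log())
    print(len(report["self_clicks"]), "self-clicks by publisher staff")
    for (adv, ip, day), n in report["click_floods"].items():
        print(f"{ip} clicked {adv} {n} times on {day}")
    for pub, rate in report["low_conversion"].items():
        print(f"{pub}: conversion rate {rate:.3%}")
```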
Botnets
