Module 2

Module 2 of the Introduction to Cyber Security covers various aspects of cyber offenses, including how criminals plan attacks, types of cybercrimes, and the tools used for both passive and active attacks. It distinguishes between hackers and crackers, outlines the phases of planning cybercrime, and discusses the vulnerabilities that can be exploited. The module also highlights the importance of understanding attack vectors and the ethical implications of different types of hackers.


INTRODUCTION TO CYBER SECURITY

MODULE 2

Cyber Offenses

• How Criminals Plan Them: Introduction
• How criminals plan the attacks
• Social Engineering
• Cyber Stalking
• Cybercafe & cybercrimes
• Botnets: The fuel for cybercrime
• Attack Vector

Textbook 1: Chapter 2 (2.1 to 2.7)
Introduction

 Technology is a double-edged sword: it can be used for both good and bad purposes.
 In today's world of the Internet and computer networks, criminal activity can be carried out across national borders under a "false sense of anonymity".
 Cybercriminals use the World Wide Web and the Internet to the fullest for all their illegal activities: to store data, contacts, account information, etc.
 People who commit cybercrimes are known as "crackers".
 Hacker: A hacker is a person with a strong interest in computers who enjoys learning and experimenting with them.
 Brute force hacking: A technique used to find passwords or encryption keys by systematically trying candidate values until one works.
 Cracker: A cracker is a person who breaks into computers. The term "cracker" is usually connected with computer criminals.
 Cracking: The act of breaking into computers. Many sites are devoted to supplying crackers with programs that allow them to crack computers.
 Cracker tools: Programs used to break into computers. They include password crackers, Trojans, viruses, war dialers and worms.
 Phreaking: The notorious art of breaking into phone or other communication systems.
 War dialer: A program that automatically dials phone numbers looking for computers (modems) on the other end.
The categories of vulnerabilities:
 Inadequate border protection
 Remote access servers (RASs) with weak access controls
 Application servers with well-known exploits
 Misconfigured systems and systems with default configurations
Categories of Cybercrime

Cybercrimes are categorized on the basis of:
 The target of the crime, and
 Whether the crime occurs as a single event or as a series of events.

 Crimes targeted at individuals: The goal is to exploit human weaknesses such as greed and naivety. These crimes include financial fraud, sale of non-existent or stolen items, child pornography, copyright violation, harassment, etc.
 Crimes targeted at property: This includes stealing mobile devices such as cell phones, laptops, personal digital assistants (PDAs), etc.
 Crimes targeted at organizations: Cyberterrorism is one of the distinct crimes against organizations/governments. Attackers use computer tools and the Internet to terrorize the citizens of a particular country, typically by stealing private information.
 Single event of cybercrime: A single event from the perspective of the victim. For example, unknowingly opening an attachment that contains a virus which infects the system. Such events are classed as hacking or fraud.
 Series of events: This involves the attacker interacting with the victim repeatedly. For example, the attacker interacts with the victim on the phone and/or via chat rooms to establish a relationship first, and then exploits that relationship to commit the sexual assault.
Patriot Hacking:
Also known as Digital Warfare, this is a form of vigilante computer-system cracking done by individuals or groups against a real or perceived threat.

What color is your hat in the security world?
 A black hat is called a cracker or dark-side hacker. Such a person is a malicious or criminal hacker.
 A white hat cracker is considered an ethical cracker: a person who is ethically opposed to the abuse of computer systems.
 A black hat will wish to secure his/her own machine, whereas a white hat might need to break into a black hat's machine in the course of an investigation.
 A brown hat hacker is one who thinks before acting, whether the deed is malicious or not.
 A grey hat commonly refers to a hacker who releases information about any exploits or security holes he/she finds openly to the public.
How Criminals Plan the Attacks

 Criminals plan passive and active attacks.
 Active attacks are usually used to alter the system; they may affect the availability, integrity and authenticity of data.
 Passive attacks attempt to gain information about the target; they lead to breaches of confidentiality.

How Criminals Plan the Attacks cont…
 Attacks can also be categorized as either inside or outside.
 An inside attack is one originating and/or attempted within the security perimeter of an organization. It is usually attempted by an insider who gains access to more resources than expected.
 An outside attack is attempted by a source outside the security perimeter. It may be attempted by an outsider, or by an insider who is only indirectly associated with the organization, and is usually made through the Internet or a remote access connection.
The following phases are involved in planning cybercrime
1. Reconnaissance (information gathering) is the first phase and is treated as a passive attack.
2. Scanning and scrutinizing the gathered information, both to check its validity and to identify the existing vulnerabilities.
3. Launching an attack (gaining and maintaining system access).

Reconnaissance
 Reconnaissance is the act of reconnoitring: exploring, often with the goal of finding something or somebody (especially to gain information about an enemy or potential enemy).
 This phase begins with "footprinting": the preparation toward the pre-attack phase, which involves accumulating data about the target's environment and computer architecture to find ways to intrude into that environment.
 Footprinting gives an overview of the system's vulnerabilities and provides a judgment about the possible exploitation of those vulnerabilities.
 The objective of this preparatory phase is to understand the system, its network ports and services, and any other aspects of its security that are needed for launching the attack.
Passive Attacks
 A passive attack involves gathering information about the target without his/her knowledge.
 It can be as simple as watching a building to identify what time employees enter the premises.
 It is usually done using Internet searches or by googling an individual or company to gain information.

Passive Attacks cont….
1. Google or Yahoo search: people search to locate information about employees.
2. Surfing online community groups like Orkut/Facebook will prove useful to gain information about an individual.
3. An organization's website may provide a personnel directory or information about key employees, for example contact details, E-Mail addresses, etc. These can be used in a social engineering attack to reach the target.
 Blogs, newsgroups, press releases, etc. are generally used as mediums to gain information about the company or its employees.
 Going through job postings for particular technical profiles can reveal the key types of technology, that is, the servers or infrastructure devices a company may be using on its network.
 Network sniffing is another means of passive attack, yielding useful information such as Internet Protocol (IP) address ranges, hidden servers or networks, and other viable services on the system or network.
 The network traffic is sniffed to monitor the network: the attacker watches the flow of data to see what time certain transactions take place and where the traffic is going.
Other tools that are used for gathering information
 Google Earth: a virtual globe, map, and geographic information program. It maps the earth by superimposing images obtained from satellite imagery and aerial photography of the globe. It is available under three different licenses: Google Earth, Google Earth Plus and Google Earth Pro.
 Internet Archive: the Internet Archive is an Internet library, with the purpose of offering permanent access for researchers, historians and scholars to historical collections that exist in digital format. It includes texts, audio, moving images, and software as well as archived web pages.
 Professional Community: LinkedIn is an interconnected network of experienced professionals from around the world, representing 170 industries and 200 countries.
 People search: provides details about personal information: date of birth, residential address, contact number, etc.
 Domain Name Confirmation: to perform searches of domain names (e.g., website names) using multiple keywords. This helps to find every registered domain name in "com", "net", "org", "edu", "biz", etc.
 WHOIS: a domain registration lookup tool. This utility communicates with WHOIS servers located around the world to obtain domain registration information. It supports IP address queries and automatically selects the appropriate WHOIS server for an IP address.
 Traceroute: the standard tool to find the route (i.e., the computer network path) to a target system. It determines the route taken by packets across an IP network.
 VisualRoute Trace: a graphical tool which determines where and how network traffic is flowing between the source and the target destination.
 eMailTrackerPro: analyzes the E-Mail header and provides the IP address of the system that sent the mail. This tool will also look up information on a domain, an IP address, or domain registration information.
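An added example (not part of the original slides) of what an E-Mail header tracer such as eMailTrackerPro does under the hood: it parses the Received: headers of a message to recover the chain of mail servers and the originating IP address. The message below is constructed for the demo, and the identities of "our own" mail servers (inbox.example.org, mx1.example.org, 192.0.2.10) are assumptions used by the trust check.

```python
import email
import re

# Constructed sample message (not a real capture). Received: lines are read
# top-down: the topmost line was added last, by the recipient's own server.
SAMPLE_RAW = """Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP id abc123
\tfor <victim@example.org>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.example.net ([198.51.100.5])
\tby mx1.example.org with ESMTP; Mon, 01 Jan 2024 10:00:02 +0000
Received: from sender-pc (unknown [203.0.113.77])
\tby relay.example.net with SMTP; Mon, 01 Jan 2024 10:00:01 +0000
From: "Service Desk" <helpdesk@example.net>
To: victim@example.org
Subject: Password confirmation required

Please confirm your password at the link below.
"""

FROM_RE = re.compile(r"\bfrom\s+([^\s(\[;]+)")
BY_RE = re.compile(r"\bby\s+([^\s(;]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message):
    """Return one dict per Received: header, newest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())  # unfold continuation lines
        m_from, m_by, m_ip = FROM_RE.search(line), BY_RE.search(line), IP_RE.search(line)
        hops.append({
            "from": m_from.group(1) if m_from else None,  # HELO name: sender-controlled
            "ip": m_ip.group(1) if m_ip else None,        # address the receiving MTA saw
            "by": m_by.group(1) if m_by else None,        # MTA that wrote this line
        })
    return hops


def claimed_origin(hops):
    """The bottom-most Received: line is the message's claimed point of origin."""
    return hops[-1]["ip"] if hops else None


def trusted_origin(hops, own_mtas, own_ips):
    """Walk newest-first through hops stamped by our own MTAs (assumed names/IPs).
    The first address that is not ours is the last hop we can vouch for; every
    line below it was written by a foreign server and may be forged."""
    for hop in hops:
        if hop["by"] not in own_mtas:
            return None  # nothing we control on top: cannot vouch for anything
        if hop["ip"] not in own_ips:
            return hop["ip"]
    return hops[-1]["ip"] if hops else None


if __name__ == "__main__":
    chain = parse_received(SAMPLE_RAW)
    for hop in chain:
        print(f"{hop['by']:<20} received from {hop['from']:<20} [{hop['ip']}]")
    print("claimed origin :", claimed_origin(chain))
    print("trusted origin :", trusted_origin(chain, {"inbox.example.org", "mx1.example.org"}, {"192.0.2.10"}))
```

The distinction between the two results is the point a practitioner needs: the sending host can prepend any number of fake Received: lines, so only the lines stamped by servers you control are evidence, and trusted_origin() stops at the first hand-off from a server you do not control.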

 Nslookup: The name Nslookup means "name server lookup". The tool is used on Windows and Unix to query domain name system (DNS) servers to find DNS details, including the IP addresses of a particular computer and other technical details such as the mail exchanger (MX) records and name server (NS) records of a domain.
 Dnsstuff: using this tool it is possible to extract DNS information about IP addresses, mail server extensions, DNS lookups, WHOIS lookups, etc.
 HTTrack: this tool acts like an offline browser. It can mirror an entire website to a desktop, so that one can analyze the entire website while being offline.
 Website Watcher: the tool can be used to keep track of favorite websites for updates. When a website undergoes an update/change, this tool automatically detects it and saves the last two versions onto the desktop.
 Competitive Intelligence: it can provide information related to almost any product, information on recent industry trends, or information about geopolitical indications. Effective use of competitive intelligence can reveal an attack against the website or industrial espionage.
Active Attacks
 An active attack involves probing the network to discover individual hosts and to confirm the information (IP address, operating system type and version, and services on the network) gathered in the passive attack phase.
 It involves the risk of detection and is also called "rattling the doorknobs" or "active reconnaissance".
 Active reconnaissance can give an attacker confirmation about the security measures in place (e.g., whether the front door is locked), but the process can also increase the chance of being caught or raise suspicion.
Tools used during active attacks
 Arphound: a tool that listens to all traffic on an Ethernet network interface. It reports IP/media access control (MAC) address pairs as well as events such as IP conflicts, IP changes, IP addresses with no reverse DNS, various Address Resolution Protocol (ARP) spoofing attempts and packets not using the expected gateway.
 Arping: a network tool that broadcasts ARP packets and receives replies, similar to "ping". It is good for mapping a local network and finding used IP space. It broadcasts a "who-has" ARP packet on the network and prints the answers. It is very useful when trying to pick an unused IP for a network to which routing does not exist as yet.
 Bing: bandwidth ping. It is a point-to-point bandwidth measurement tool based on ping that can measure raw throughput between any two network links. Bing determines the real (raw, as opposed to available or average) throughput on a link by measuring Internet Control Message Protocol (ICMP) echo request round-trip times for different packet sizes at each end of the link.
 Dig: used to perform detailed queries about DNS records and zones, extracting configuration and administrative information about a network or domain.
 DNStracer: a tool to determine the data source for a given DNS server and follow the chain of DNS servers back to the authoritative sources.
 Dsniff: a network auditing tool to capture usernames, passwords and authentication information on a local subnet.
 Filesnarf: a network auditing tool to capture file transfers and file-sharing traffic on a local subnet.
 FindSMB: used to find and describe server message block (SMB) servers on the local subnet.
 Fping: a utility similar to ping, used to perform parallel network discovery.
 Fragroute: intercepts, modifies and rewrites egress traffic destined for a specified host, implementing several intrusion detection system (IDS) evasion techniques.
 Fragtest: tests the IP fragment reassembly behavior of the Transmission Control Protocol (TCP) stack on a target.
 Hackbot: a host exploration tool, simple vulnerability scanner and banner logger.
 Hmap: a web server fingerprinting tool, used to obtain a detailed fingerprint of web servers to identify vendor, version, patch level, loaded modules and much more.
 Hping: a TCP/IP packet assembler and analyzer. It can perform firewall ruleset testing, port scanning, network type-of-service/quality-of-service (TOS/QoS) testing, maximum transmission unit (MTU) discovery, alternate-protocol traceroute, TCP stack auditing, and much more.
 Using hping you can do the following:
1. Firewall testing
2. Advanced port scanning and network testing, using different protocols, TOS and fragmentation
3. Manual path MTU discovery
4. Advanced traceroute, under all the supported protocols
5. Remote uptime guessing
6. TCP/IP stack auditing
7. Hping can also be useful to students who are learning TCP/IP
 Hping works on the following systems: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, Mac OS X and Windows.
 Httping: similar to "ping", but for HTTP requests. It shows how long a URL takes to connect, send a request, and receive a reply.
 Hunt: a tool for exploiting well-known weaknesses in the TCP/IP protocol suite.
 Libwhisker: an application library designed to assist in scanning for CGI/web vulnerabilities.
 Mailsnarf: a network auditing tool to capture SMTP and POP3 E-Mail traffic (including message headers, bodies, and attachments) on a local subnet.
 Msgsnarf: a network auditing tool to capture instant message (Yahoo, MSN, ICQ, AIM, and many more) traffic on a local subnet.
 NBTScan: a utility for scanning networks for NetBIOS information. It reports IP address, NetBIOS name, logged-in username, and MAC address.
 Nessus: a powerful, fast, and modular security scanner that tests for many thousands of vulnerabilities. ControlScan's system can also be used to create custom Nessus reports.
 Netcat: a utility to read and write custom TCP/User Datagram Protocol (UDP) data packets across a network, for debugging or exploration.
 Nikto: a web server vulnerability scanner that tests for over 2,600 potentially dangerous files/CGIs on over 625 types of servers. It also performs comprehensive tests against web servers for multiple items and version-specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
 Nmap: a port scanner, operating system fingerprinter, service/version identifier, and much more. Nmap is designed to rapidly scan large networks.
 Pathchar: a network tool for inferring the characteristics of Internet paths, including layer-3 hops, bandwidth capacity, and autonomous system information.
 Ping: the standard network utility to send ICMP echo packets to a target host.
 ScanSSH: supports scanning a list of addresses and networks for open proxies, SSH protocol servers, and Web and SMTP servers. Where possible, it displays the version number of the running services. ScanSSH supports the following features:
• Variable scanning speed: by default, ScanSSH sends out 100 probes per second;
• Open proxy detection;
• Random sampling: it is possible to randomly sample hosts on the Internet.
 SMBclient: helps a client talk to an SMB (Samba, Windows File Sharing) server. Operations include getting files from the server, retrieving directory information, and much more. It is part of Samba, an open-source/free software suite that has, since 1992, provided file and print services to all types of SMB/Common Internet File System (CIFS) clients, including the numerous versions of the Microsoft Windows operating systems. Samba is freely available under the GNU General Public License.

 SMTPscan: a tool to determine the type and version of a remote Simple Mail Transfer Protocol (SMTP) mail server, based on active probing and analysis of the error codes returned by the target SMTP server.
 TCPdump: a network tool for protocol packet capture and dumping.
 TCPreplay: a utility to read captured TCPdump/pcap data and "replay" it back onto the network at arbitrary speeds. TCPreplay is a suite of open-source tools written by Aaron Turner for Unix operating systems. It gives you the ability to use previously captured traffic to test a variety of network devices. It allows you to classify traffic as client or server; rewrite open systems interconnection (OSI) layer 2, 3 and 4 headers; and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, network-based intrusion detection systems (NIDS), and intrusion prevention systems (IPS). TCPreplay supports both single and dual NIC modes for testing both sniffing and inline devices. It is used by numerous firewall, IDS, IPS, and other networking vendors, enterprises, universities, laboratories, and open-source projects.
 THC-Amap: a scanner to remotely fingerprint and identify network applications and services.
 Traceroute: the standard network utility to trace the logical path to a target host by sending ICMP or UDP packets with incrementing time-to-live (TTL) values; each router that discards an expired packet answers with an ICMP "time exceeded" message, which reveals its address.
 URLsnarf: a network auditing tool to capture HTTP traffic on a local subnet.
 XProbe2: a tool employing several techniques to actively fingerprint the operating system of a target host.
Scanning and Scrutinizing Gathered Information
 Scanning is the key step for examining the gathered information about the target intelligently. It has three parts:
1. Port scanning: identify open/closed ports and services.
2. Network scanning: understand the IP addresses and related information about the computer network systems.
3. Vulnerability scanning: understand the existing weaknesses in the system.
Ports and Port Scanning
 In the physical sense, a port is an interface on a computer to which one can connect a device; in networking, a port is a numbered endpoint of a transport-layer connection.
 The TCP/IP protocol suite, whose two transport protocols are TCP and UDP, is used universally to communicate on the Internet.
 Each of these protocols has ports 0 through 65535 (i.e., 2^16 values, since the port number is a 16-bit field).
 The port numbers are divided into three ranges:
1. Well-known ports (0 to 1023).
2. Registered ports (1024 to 49151).
3. Dynamic and/or private ports (49152 to 65535).
Well Known Port Numbers

Port Number   Port Description
1             TCP port service multiplexer (TCPMUX)
5             Remote Job Entry (RJE)
7             ECHO
18            Message Send Protocol (MSP)
20            FTP - Data
21            FTP - Control
22            Secure Shell (SSH) remote log-in protocol
23            Telnet
25            Simple Mail Transfer Protocol (SMTP)
29            MSG ICP
37            Time
42            Nameserver (host name server)
53            Domain Name System (DNS)
69            Trivial File Transfer Protocol (TFTP)
70            Gopher services
79            Finger
80            HTTP
103           X.400 Standard
108           SNA gateway access server
109           POP2
110           POP3
115           Simple File Transfer Protocol (SFTP)
Ports and Port Scanning cont….
 In TCP/IP and UDP networks, a port is an endpoint of a logical connection and the way a client program specifies a specific server program on a computer in a network.
 Some ports have numbers that are preassigned to them by the Internet Assigned Numbers Authority (IANA), an organization working under the auspices of the Internet Architecture Board (IAB), which also coordinates the allocation of Internet-wide IP address space.
 Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, tests systems for the occurrence of those flaws, and generates a report of the findings that an individual or an enterprise can use to tighten the network's security.
Port Scanning
 A port is a place where information goes into and out of a computer, so with port scanning one can identify the open doors to a computer.
 Ports are basically the entry/exit points that any computer must have in order to communicate with external machines.
 Each computer is also equipped with three or more physical external ports; these are used by the computer to communicate with other computers, printers, modems, mice, video game controllers, scanners, and other peripherals.

Port Scanning cont....
 The important characteristic of these external ports is that they are physical and visible to the naked eye. The ports a port scanner examines are different: they are the logical TCP/UDP port numbers described above, which exist only in software.
 Port scanning is one of the first things an attacker will do when attempting to penetrate a particular computer.
 Tools such as Nmap offer an automated mechanism for an attacker not only to scan the system to find out which ports are open, but also to help identify what operating system the system is running.
Port Scanning cont....
 Port scanning is similar to a thief going through your neighborhood and checking every door and window on each house to see which ones are open and which ones are locked.
 Port scanning refers to the act of using various open-ended technologies, tools, and commands to communicate with another remote computer system or network, in a stealthy mode, without being apparent, and thereby obtain certain sensitive information about the functions of the system and the properties of the hardware and software being used by the remote systems.
Port Scanning cont....
 In a portscan, a host scans for listening ports on a single target host.
 In a portsweep, a host scans multiple hosts for a specific listening port.
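Since the portscan/portsweep distinction is exactly what network intrusion detection rules key on, here is an added example (mine, not the slides') of that detection logic run over a few constructed SYN-log lines: one source hitting many ports on one host is a portscan, one source hitting one port on many hosts is a portsweep. The log format, the 60-second window and the thresholds of five distinct ports/hosts are assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall/flow log: one line per inbound TCP SYN (not a real capture).
SAMPLE_LOG = """\
2024-01-01T10:00:00 src=10.0.0.5 dst=10.0.0.20 dport=21 proto=tcp flags=S
2024-01-01T10:00:00 src=10.0.0.5 dst=10.0.0.20 dport=22 proto=tcp flags=S
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=23 proto=tcp flags=S
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=25 proto=tcp flags=S
2024-01-01T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=80 proto=tcp flags=S
2024-01-01T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=443 proto=tcp flags=S
2024-01-01T10:00:03 src=10.0.0.5 dst=10.0.0.20 dport=3389 proto=tcp flags=S
2024-01-01T10:00:10 src=10.0.0.9 dst=10.0.0.21 dport=445 proto=tcp flags=S
2024-01-01T10:00:10 src=10.0.0.9 dst=10.0.0.22 dport=445 proto=tcp flags=S
2024-01-01T10:00:11 src=10.0.0.9 dst=10.0.0.23 dport=445 proto=tcp flags=S
2024-01-01T10:00:11 src=10.0.0.9 dst=10.0.0.24 dport=445 proto=tcp flags=S
2024-01-01T10:00:12 src=10.0.0.9 dst=10.0.0.25 dport=445 proto=tcp flags=S
2024-01-01T10:00:20 src=10.0.0.7 dst=10.0.0.20 dport=80 proto=tcp flags=S
2024-01-01T10:30:00 src=10.0.0.7 dst=10.0.0.20 dport=443 proto=tcp flags=S
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp flags=S$"
)


def parse_log(lines):
    """Turn log lines into (time, src, dst, dport) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def max_distinct_in_window(items, window):
    """items: list of (time, key). Largest number of distinct keys inside any
    sliding window of `window` seconds (two-pointer sweep over sorted items)."""
    items = sorted(items)
    counts = defaultdict(int)
    best = left = 0
    for t, key in items:
        counts[key] += 1
        while (t - items[left][0]).total_seconds() > window:
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect(events, window=60, port_threshold=5, host_threshold=5):
    """Return ("portscan", src, dst, n) and ("portsweep", src, dport, n) alerts."""
    by_src_dst = defaultdict(list)   # (src, dst)   -> [(t, dport)]  portscan view
    by_src_port = defaultdict(list)  # (src, dport) -> [(t, dst)]    portsweep view
    for t, src, dst, dport in events:
        by_src_dst[(src, dst)].append((t, dport))
        by_src_port[(src, dport)].append((t, dst))
    alerts = []
    for (src, dst), items in by_src_dst.items():
        n = max_distinct_in_window(items, window)
        if n >= port_threshold:
            alerts.append(("portscan", src, dst, n))
    for (src, dport), items in by_src_port.items():
        n = max_distinct_in_window(items, window)
        if n >= host_threshold:
            alerts.append(("portsweep", src, dport, n))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG.splitlines())):
        print(alert)
```

The time window matters as much as the threshold: a slow scan that spreads its probes over hours (Nmap's timing templates exist for exactly this) stays under the per-window count, which is why real detectors also keep long-lived per-source state.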


Port Scanning cont....
The result of a scan on a port is usually generalized into one of the following three categories:
1. Open or accepted: the host sent a reply indicating that a service is listening on the port.
2. Closed or not listening: the host sent a reply indicating that connections will be denied to the port (a TCP RST for TCP, an ICMP "port unreachable" for UDP).
3. Filtered or blocked: there was no reply from the host, typically because a firewall silently dropped the probe.
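An added example (not from the original module) of a TCP connect scan that sorts ports into the three categories above, using only the Python standard library. It runs against a throwaway listener bound on loopback, so it needs no target other than your own machine; the "filtered" outcome only appears when something drops the probe, which loopback will not do.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Classify one TCP port with a full connect() handshake."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                # SYN/ACK came back and the handshake completed
    except ConnectionRefusedError:
        return "closed"              # host answered with RST: nothing is listening
    except socket.timeout:
        return "filtered"            # no answer at all: the probe or its reply was dropped
    except OSError as e:
        return f"unreachable ({e.strerror})"   # e.g. network unreachable, host down
    finally:
        s.close()


def scan(host, ports, timeout=1.0, workers=32):
    """Probe many ports concurrently; returns {port: classification}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, probe(host, p, timeout)), ports))


def start_listener():
    """Bind a throwaway service on loopback so the demo has a known-open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the kernel pick a free one
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:          # listener closed: stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Scan one listening and one unbound loopback port; returns their classifications."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    # Ask the kernel for another free port and release it, so it is (almost surely) unbound.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    results = scan("127.0.0.1", [open_port, closed_port])
    srv.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    print(demo())   # e.g. ('open', 'closed')
```

A connect scan completes the handshake, so the target's service logs the connection; Nmap's default SYN scan (the "half-open" scan) sends only the SYN and answers the SYN/ACK with a RST, which needs raw sockets and root but leaves fewer application-level traces.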


Port Scanning cont....
 Ports 20 and 21 - File Transfer Protocol (FTP) - are used for uploading and downloading files.
 Port 25 - Simple Mail Transfer Protocol (SMTP) - is used for sending/receiving E-Mail.
 Port 23 - Telnet protocol - is used to connect directly to a remote host.
 Port 80 - is used for Hypertext Transfer Protocol (HTTP).

Port Scanning cont....
 Internet Control Message Protocol (ICMP) does not have a port abstraction and is used for reporting network errors and checking reachability; for example, ping.
 Open ports present two vulnerabilities of which administrators must be wary:
1. Vulnerabilities associated with the program that is delivering the service.
2. Vulnerabilities associated with the OS that is running on the host.
 Closed ports present only the latter of the two vulnerabilities that open ports do.
 Blocked ports do not present any reasonable vulnerabilities.
Scrutinizing
 The scrutinizing phase is usually called enumeration in the hacking world. The objective behind this step is to identify:
1. The valid user accounts or groups.
2. Network resources and/or shared resources.
3. The OS and the different applications that are running on the OS.

Attack (Gaining and Maintaining the System Access)
After the scanning and enumeration, the attack is launched using the following steps:
1. Crack the password.
2. Exploit the privileges.
3. Execute the malicious commands/applications.
4. Hide the files.
5. Cover the tracks: delete the access logs, so that there is no trail of the illicit activity.
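The following added example (not from the slides) illustrates both the "Brute force hacking" definition at the start of the module and step 1 above, "Crack the password": a dictionary attack against unsalted SHA-256 hashes, an exhaustive search of a numeric PIN space, and the same dictionary attack against a salted, iterated PBKDF2 hash to show what the defender gains. The wordlist and the stored passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the demo; real attacks use lists of millions of leaked passwords.
WORDLIST = ["password", "123456", "letmein", "welcome1", "Summer2024", "qwerty"]


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(target_hashes, wordlist):
    """Unsalted hashes: hash the wordlist ONCE, then every stolen hash is a dictionary
    lookup, and every user who chose the same password falls at the same time."""
    table = {sha256_hex(w): w for w in wordlist}
    return {h: table[h] for h in target_hashes if h in table}


def brute_force_numeric(target_hex, length):
    """Exhaustive key-space search: try every value of the given length.
    Feasible for a 4-digit PIN (10^4 tries); hopeless for long random keys."""
    for n in range(10 ** length):
        candidate = str(n).zfill(length)
        if sha256_hex(candidate) == target_hex:
            return candidate
    return None


def pbkdf2_store(password, iterations=100_000):
    """Defender side: per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def crack_pbkdf2(record, wordlist):
    """Salted, iterated hash: no shared lookup table, and each candidate costs a
    full PBKDF2 run per account. Returns (password or None, hash iterations spent)."""
    work = 0
    for w in wordlist:
        work += record["iterations"]
        candidate = hashlib.pbkdf2_hmac("sha256", w.encode(), record["salt"], record["iterations"])
        if hmac.compare_digest(candidate, record["digest"]):
            return w, work
    return None, work


if __name__ == "__main__":
    stolen = [sha256_hex("letmein"), sha256_hex("Summer2024"), sha256_hex("Tr0ub4dor&3")]
    print("unsalted:", crack_unsalted(stolen, WORDLIST))
    print("pin:", brute_force_numeric(sha256_hex("0427"), 4))
    print("pbkdf2:", crack_pbkdf2(pbkdf2_store("welcome1", 1000), WORDLIST))
```

The work counter is the lesson: against the unsalted store the whole wordlist was hashed once for every account; against the salted store the attacker pays `iterations` hashes per candidate per account, so the defender's cost knob (iterations, or a memory-hard function such as scrypt or Argon2) directly multiplies the attacker's bill.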
Social Engineering
 Social engineering is the "technique to influence" and "persuasion to deceive" people in order to obtain information or have them perform some action.
 Social engineers exploit the natural tendency of a person to trust the social engineer's word, rather than exploiting computer security holes.
 A social engineer usually uses telecommunication (i.e., telephone and/or cell phone) or the Internet to get people to do something that is against the security practices and/or policies of the organization.

Social Engineering cont….
 Social engineering involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders.
 It is the art of exploiting the trust of people, which is not questioned when they are spoken to in a normal manner.
 The goal of a social engineer is to fool someone into providing valuable information or access to that information.

Social Engineering cont….
 The sign of a truly successful social engineer is that he/she receives the information without arousing any suspicion.
 A simple example is calling a user and pretending to be someone from the service desk working on a network issue; the attacker then proceeds to ask questions about what the user is working on, what file shares he/she uses, what his/her password is, and so on.
Classification of Social Engineering

Human-Based Social Engineering
 Human-based social engineering refers to person-to-person interaction to get the required/desired information.
 An example is calling the help desk and trying to find out a password.

Human-Based Social Engineering cont..
1. Impersonating an employee or valid user:
 "Impersonation" (e.g., posing as an employee of the same organization) is perhaps the greatest technique used by social engineers to deceive people.
 Social engineers take advantage of the fact that most people are basically helpful, so it seems harmless to tell someone who appears to be lost where the computer room is located, or to accept someone pretending to be an employee or valid user on the system.

2. Posing as an important user:
 The attacker pretends to be an important user, for example a Chief Executive Officer (CEO) or high-level manager who needs immediate assistance to gain access to a system.
 The attacker uses intimidation so that a lower-level employee, such as a help-desk worker, will help him/her gain access to the system.
 Most low-level employees will not ask any questions of someone who appears to be in a position of authority.
3. Using a third person:
 An attacker pretends to have permission from an authorized source to use a system.
 This trick is useful when the supposed authorizing person is on vacation or cannot be contacted for verification.

4. Calling technical support:
 Calling technical support for assistance is a classic social engineering example.
 Help-desk and technical support personnel are trained to help users, which makes them good prey for social engineering attacks.

5. Shoulder surfing:
 A technique of gathering information such as usernames and passwords by watching over a person's shoulder while he/she logs into the system, thereby helping an attacker gain access to the system.

6. Dumpster diving:
 It involves looking in the trash for information written on pieces of paper or computer printouts.
 It is the practice of rummaging through commercial or residential trash to find useful items that have been discarded.
 It is also called dumpstering, binning, trashing, garbing or garbage gleaning, scavenging, etc.
 In the digital world, it is a form in which discarded articles and information are scavenged in an attempt to obtain/recover advantageous data.
 For example, going through someone's trash to recover documentation of his/her critical data [e.g., Social Security Number (SSN) in the US, PAN number in India, credit card identity (ID) numbers, etc.].
 According to the definition in the glossary of terms for the convoluted terminology of information warfare, "scavenging" means searching through object residue (e.g., discarded disks, tapes, or paper) to acquire sensitive data without authorization.
76 Computer-Based Social Engineering

• It refers to an attempt made to get the required/desired information by using computer software/the Internet.
• For example, sending a fake E-Mail to the user and asking him/her to re-enter a password in a webpage to confirm it.

77 Computer-Based Social Engineering cont...

1. Fake E-Mails:
• The attacker sends fake E-Mails to numerous users such that the user takes it to be a legitimate mail.
• This activity is also called phishing.
• It is an attempt to entice Internet users (netizens) to reveal their sensitive personal information, such as usernames, passwords and credit card details, by impersonating a trustworthy and legitimate organization and/or an individual.
• Banks, financial institutions and payment gateways are the common targets.
• Phishing is typically carried out through E-Mails or instant messaging and often directs users to enter details at a website, usually designed by the attacker, which resembles the original website.
• Thus phishing is also an example of a social engineering technique used to fool netizens.
• The term phishing has evolved from the analogy that Internet scammers use E-Mail lures to "fish" for passwords and financial data from the sea of Internet users.
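The following is an added example, not code from the course material or its textbook: a small check of the kind a mail filter or a user-side plugin applies to the links in a message, flagging the indicators the slides describe (link text that shows the genuine site while the real target is elsewhere, a trusted brand name buried inside a stranger's hostname, and a one-character lookalike domain). The bank domain examplebank.com, the allowlist and the sample message are constructed for illustration.

```python
"""Flag phishing indicators in the links of an HTML e-mail body.

Constructed example (not from the course material): a fake "bank" message
whose visible link text names the genuine site while the real href points
elsewhere. The bank name and every domain below are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: domains the recipient legitimately deals with.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample body of a phishing mail (three links, one of them genuine).
SAMPLE_HTML = """
<p>Dear customer, your account will be suspended. Please confirm your
password at <a href="http://examplebank.com.login-verify.example/confirm">
https://www.examplebank.com/secure</a> within 24 hours.</p>
<p>Or use our <a href="https://examp1ebank.com/confirm">secure portal</a>.</p>
<p>Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL; accepts bare 'www.host/path' text without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable_domain(host):
    """Crude registrable domain: the last two labels (fine for .com-style names)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(href, text):
    """Return the indicator strings for one link (empty list = nothing suspicious)."""
    findings = []
    host = host_of(href)
    real = registrable_domain(host)
    # 1. The visible text looks like a URL but names a different site than the target.
    if "." in text and " " not in text:
        shown = registrable_domain(host_of(text))
        if shown and shown != real:
            findings.append(f"display/target mismatch: shows {shown}, goes to {real}")
    for trusted in TRUSTED_DOMAINS:
        if real == trusted:
            continue
        # 2. A trusted brand name embedded in a hostname that is not the trusted domain.
        brand = trusted.split(".")[0]
        if brand in host:
            findings.append(f"trusted name '{brand}' embedded in untrusted host {host}")
        # 3. Lookalike: same length as a trusted domain, differing in exactly one character.
        if len(real) == len(trusted) and sum(a != b for a, b in zip(real, trusted)) == 1:
            findings.append(f"lookalike of {trusted}: {real}")
    return findings


def scan_html(html):
    """Map each flagged href in the body to its findings; clean links are omitted."""
    parser = LinkExtractor()
    parser.feed(html)
    result = {}
    for href, text in parser.links:
        findings = check_link(href, text)
        if findings:
            result[href] = findings
    return result


if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE_HTML).items():
        print(href)
        for finding in findings:
            print("   -", finding)
```

The registrable-domain helper is deliberately naive (two labels); a real filter would use the public suffix list so that names like `example.co.uk` are handled correctly.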
81 Computer-Based Social Engineering cont...

2. E-Mail Attachments:
• E-Mail attachments are used to send malicious code to a victim's system, which will get executed automatically (e.g., a keylogger utility to capture passwords).
• Viruses, Trojans, and worms can be cleverly included in the attachments, with the message crafted to entice the victim to open the attachment.

82 Computer-Based Social Engineering cont...

3. Pop-up windows:
• Pop-up windows are also used, in a similar manner to E-Mail attachments.
• Pop-up windows with special offers or free stuff can encourage a user to unintentionally install malicious software.
Types of Stalkers
There are two types of stalkers:
• Online stalkers and
• Offline stalkers

Online stalkers
• They aim to start the interaction with the victim directly with the help of the Internet. E-Mail and chat rooms are the most popular communication media for getting in touch with the victim, rather than traditional instruments like the telephone/cell phone. The stalker makes sure that the victim recognizes the attack attempted on him/her. The stalker can make use of a third party to harass the victim.

Offline stalkers
• The stalker may begin the attack using traditional methods such as following the victim, watching the daily routine of the victim, etc. Searching on message boards or newsgroups, personal websites, and people-finding services or websites are the most common ways to gather information about the victim using the Internet.

How Stalking works
• It is seen that stalking works in the following ways:
• Personal information gathering about the victim: name; family background; contact details such as cell phone and telephone numbers; address of residence as well as of the office; E-Mail address; date of birth, etc.
• Establish a contact with the victim through telephone or cell phone. Once the contact is established, the stalker may make calls to the victim to threaten or harass.
• Stalkers will almost always establish a contact with the victim through E-Mail.
• Some stalkers keep on sending repeated E-Mails asking for various kinds of favours or threatening the victim.

88 Real-Life Incident of Cyberstalking

The Indian police have registered the first case of cyberstalking in Delhi; a brief account of the case is given here, keeping confidentiality and privacy in mind.
Mrs. Joshi received almost 40 calls in 3 days, mostly at odd hours, from as far away as Cochin, Bombay and Ahmedabad.
The said calls created havoc in her personal life, destroying the mental peace of Mrs. Joshi, who decided to register a complaint with the Delhi police.
• A person was using her ID to chat over the Internet at the website www.mirc.com, mostly in the Delhi channel, for four consecutive days.
• This person was chatting on the Internet, using her name and giving her address, talking in obscene language.
• The same person was also deliberately giving her telephone number to other chatters, encouraging them to call Mrs. Joshi at odd hours.
• This was the first time that a case of cyberstalking was registered.
• Cyberstalking does not have a standard definition, but it can be defined to mean threatening, unwarranted behaviour or advances directed by one person toward another person using the Internet and other forms of online communication channels as the medium.
90 Cybercafe and Cybercrimes: Facts
1. Pirated software is installed on all the computers.
2. Cybercafe owners have very little awareness about IT security and IT governance.
3. Antivirus software is found not to be updated to the latest patch and/or antivirus definitions.
4. Cybercafe associations or the state police (cyber cell wing) do not conduct regular visits to cybercafes.
5. Several cybercafes had installed the software called "Deep Freeze" for protecting the computer from prospective malware attacks.
6. Not having an AMC (Annual Maintenance Contract) is a risk from a cybercrime perspective because a cybercriminal can install malicious code on a computer and conduct criminal activities without any interruption.
7. Government/ISPs/State Police do not seem to provide IT governance guidelines to cybercafe owners.

91 Tips for safety and security while using the computer in a cybercafe:
1. Always logout: while checking E-Mails or logging into chatting services such as instant messaging, or using any other service that requires a username and a password, always click "logout" or "sign out" before leaving the system.
2. Stay with the computer: while surfing/browsing, one should not leave the system unattended for any period of time. If one has to go out, logout and close all browser windows.
3. Clear history and temporary files.
4. Be alert: one should stay alert and aware of the surroundings while using a public computer. Snooping over the shoulder is an easy way of getting your username and password.
5. Avoid online financial transactions: ideally one should avoid online banking, shopping, or other transactions that require one to provide personal, confidential and sensitive information such as credit card or bank account details.
6. Change passwords.
7. Virtual keyboard: nowadays almost every bank provides a virtual keyboard on its website.
8. Security warnings: one should take utmost care while accessing the websites of any banks/financial institutions. The security warnings should be followed while accessing these financial accounts from a cybercafe.
93 BOTNETS: THE FUEL FOR CYBERCRIME

BOTNET:
• A bot is an automatic program for doing some particular task, often over a network.
• Botnet is a term used for a collection of software robots, or bots, that run autonomously and automatically.

94 BOTNET:
• A bot is simply an automated computer program.
• Someone can gain control of your computer by infecting it with a virus or other malicious code that gives them access.
• Botnets are often used to conduct a range of activities, from distributing spam and viruses to conducting denial-of-service (DoS) attacks.
• A botnet is a network of computers infected with a malicious program that allows cybercriminals to control the infected machines remotely without the users' knowledge.

95 BOTNET:
• "Zombie networks" have become a source of income for entire groups of cybercriminals.

96 Botnets are used for gainful purposes (figure)

97 Explanation of the technical terms used in the figure
Malware: It is malicious software, designed to damage a computer system without the owner's informed consent. Viruses and worms are examples of malware.
Adware: It is advertising-supported software, which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used.
Spam: It means unsolicited or undesired E-Mail messages.
Spamdexing: It is also known as search spam or search engine spam. It involves a number of methods, such as repeating unrelated phrases, to manipulate the relevancy or prominence of resources indexed by a search engine in a manner inconsistent with the purpose of the indexing system.
DDoS: A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers.
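As an added illustration of the DDoS definition above (this code is not part of the course slides or their textbook), the check below buckets web-server access-log lines into fixed time windows and separates the two patterns a defender looks for: a single client exceeding a per-source rate, and the distributed case where many sources each stay modest while their combined rate exhausts the server. The log lines, IP addresses and thresholds are constructed.

```python
"""Rate-based detection of flooding in web-server access logs.

Added illustration that is not part of the course text: the log lines, IP
addresses and thresholds are constructed. A single-source flood is one client
exceeding a per-source rate; a distributed flood (DDoS) is many distinct
sources whose combined rate exceeds the server's budget while each stays
individually modest.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: ip ident user [timestamp] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request) or None for a line that is not in CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_floods(lines, window_s=10, per_source_limit=20, total_limit=100, min_sources=10):
    """Bucket requests into fixed windows of window_s seconds and flag floods.

    Returns one finding per flagged window. Fixed buckets are a simplification;
    a production detector would use a sliding window.
    """
    buckets = defaultdict(Counter)  # window start (epoch seconds) -> Counter(ip -> hits)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an access-log record; skip rather than fail
        ip, ts, _ = parsed
        start = int(ts.timestamp()) // window_s * window_s
        buckets[start][ip] += 1

    findings = []
    for start in sorted(buckets):
        counts = buckets[start]
        total = sum(counts.values())
        noisy = sorted(ip for ip, n in counts.items() if n > per_source_limit)
        if noisy:
            findings.append({"kind": "single-source flood", "window": start,
                             "sources": noisy, "requests": total})
        elif total > total_limit and len(counts) >= min_sources:
            findings.append({"kind": "distributed flood", "window": start,
                             "sources": len(counts), "requests": total})
    return findings


def make_sample_log():
    """Constructed log: two normal clients; 50 bots hitting in one 10 s window;
    then one client hammering the server alone in the next window."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'

    lines = []
    for off in (0, 3, 6, 10, 13, 16):          # normal traffic in windows 1 and 2
        lines.append(line("10.0.0.1", off))
        lines.append(line("10.0.0.2", off))
    for bot in range(1, 51):                   # 50 bots, 6 requests each, window 2
        for off in range(10, 16):
            lines.append(line(f"198.51.100.{bot}", off))
    for off in range(20, 30):                  # one source, 3 requests/s, window 3
        lines.extend(line("203.0.113.7", off) for _ in range(3))
    lines.append("this line is not an access-log record")
    return lines


if __name__ == "__main__":
    for finding in detect_floods(make_sample_log()):
        print(finding)
```

The distributed case is only reported when no single source is over its own limit, so a botnet whose members each send a handful of requests is still caught by the aggregate check, which is the reason a per-IP block list alone does not stop a DDoS.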
100 One can ensure the following to secure the system:
1. Use antivirus and anti-spyware software and keep it up to date:
• It is important to remove and/or quarantine the viruses.
• The settings of these software packages should be configured during installation so that they get updated automatically on a daily basis.

2. Set the OS to download and install security patches automatically:
• OS companies issue security patches for flaws that are found in these systems.

3. Use a firewall to protect the system from hacking attacks while it is connected to the Internet:
• A firewall is software and/or hardware that is designed to block unauthorized access while permitting authorized communications.
• It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.
• A firewall is different from antivirus protection.
• Antivirus software scans incoming communications and files for troublesome viruses; a properly configured firewall helps to block all incoming communications from unauthorized sources.
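To make the "set of rules" in the firewall description concrete, here is an added example (not from the course material) of first-match rule evaluation with a default-deny policy. It shows the two properties a practitioner verifies in such a rule set: traffic matching no rule is denied, and rule order decides the outcome, so a broad permit placed above a specific deny silently disables the deny. The network, rules and packets are constructed.

```python
"""First-match firewall rule evaluation with a default-deny policy.

Added illustration, not from the course material: the addresses, rules and
packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source network (CIDR); default matches any
    dst: str = "0.0.0.0/0"       # destination network (CIDR)
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, packet):
    """First matching rule wins; returns (action, rule index). No match => ("deny", None)."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, i
    return "deny", None


# Constructed policy for a server at 192.168.1.10 on LAN 192.168.1.0/24.
SERVER = "192.168.1.10/32"
GOOD_RULES = [
    Rule("deny", src="10.0.0.0/8", dst=SERVER),                               # blocked range first
    Rule("permit", dst=SERVER, proto="tcp", dport=443),                       # HTTPS from anywhere
    Rule("permit", src="192.168.1.0/24", dst=SERVER, proto="tcp", dport=22),  # SSH from the LAN only
]
# The same three rules with the broad HTTPS permit moved above the deny.
MISORDERED_RULES = [GOOD_RULES[1], GOOD_RULES[0], GOOD_RULES[2]]

SAMPLE_PACKETS = {
    "blocked-range https": Packet("10.1.2.3", "192.168.1.10", "tcp", 443),
    "internet https":      Packet("203.0.113.5", "192.168.1.10", "tcp", 443),
    "internet ssh":        Packet("203.0.113.5", "192.168.1.10", "tcp", 22),
    "lan ssh":             Packet("192.168.1.50", "192.168.1.10", "tcp", 22),
    "lan udp 22":          Packet("192.168.1.50", "192.168.1.10", "udp", 22),
}


def decisions(rules, packets=SAMPLE_PACKETS):
    """Map each sample packet's label to the action the rule set takes on it."""
    return {label: evaluate(rules, p)[0] for label, p in packets.items()}


def ordering_differences(rules_a, rules_b, packets=SAMPLE_PACKETS):
    """Labels of packets on which two rule sets disagree (the effect of reordering)."""
    a, b = decisions(rules_a, packets), decisions(rules_b, packets)
    return sorted(label for label in a if a[label] != b[label])


if __name__ == "__main__":
    for label, action in decisions(GOOD_RULES).items():
        print(f"{label:20s} -> {action}")
    print("changed by misordering:", ordering_differences(GOOD_RULES, MISORDERED_RULES))
```

Running `ordering_differences` against a proposed change is a cheap regression check: if swapping two rules changes the decision for any packet in a representative sample, the change needs a second look before it reaches the device.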
4. Disconnect from the Internet when you are away from your computer:
• Attackers cannot get into the system when the system is disconnected from the Internet.
• Firewall, antivirus and anti-spyware software are not foolproof mechanisms against unauthorized access to the system.

5. Download freeware only from websites that are known and trustworthy:
• It is always appealing to download free software such as games, files, file-sharing programs, customized toolbars, etc.
• However, one should remember that much free software contains other software, which may include spyware.

6. Check regularly the folders in the mailbox, "sent items" or "outgoing", for messages you did not send:
• If you find such messages in your outbox, it is a sign that your system may have been infected with spyware and may be part of a botnet.
• This is not foolproof; many spammers have learned to hide their unauthorized access.

7. Take immediate action if your system is infected:
• If your system is found to be infected by a virus, disconnect it from the Internet immediately.
• Then scan the entire system with fully updated antivirus and anti-spyware software.
• Report the unauthorized access to the ISP and to the legal authorities, and change all the passwords immediately.
108 Attack Vector

• An "attack vector" is a path or means by which an attacker can gain access to a computer or to a network server to deliver a payload or malicious outcome.
• Attack vectors enable attackers to exploit system vulnerabilities, including the human element.
• Attack vectors include viruses, E-Mail attachments, webpages, pop-up windows, instant messages, chat rooms, and deception.
• All of these methods involve programming, except deception, in which a human operator is fooled into removing or weakening system defenses.
• To some extent, firewalls and antivirus software can block vectors.
• However, no protection method is totally attack-proof.
• The defense method that is effective today may not remain so for long, because attackers are constantly updating attack vectors, and seeking new ones, in their quest to gain unauthorized access to computers and servers.
• The most common malicious payloads are viruses, Trojan horses, worms, and spyware.
• Payload is the necessary data being carried within a packet or other transmission unit.
• In the context of an attack vector, payload means the malicious activity that the attack performs.
• Payload is the bits that get delivered to the end-user at the destination.
113 Attack Vector: based on how they are launched

1. Attack by E-Mail:
• The hostile content is either embedded in the message or linked to by the message.
• Sometimes attacks combine the two vectors, so that if the message does not get you, the attachment will.
• Spam is almost always a carrier for scams, fraud, dirty tricks, or malicious action of some kind. Any link that offers something for "free" or tempting is suspect.

2. Attachments (and other files):
• Malicious attachments install malicious computer code.
• The code could be a virus, Trojan horse, spyware, or any other kind of malware.
• Attachments attempt to install their payload as soon as you open them.

3. Attack by deception:
• Deception is aimed at the user/operator as a vulnerable entry point.
• Fraud, scams, hoaxes, and to some extent spam, not to mention viruses, worms and such, require the unwitting cooperation of the computer's operator to succeed.
• Social engineering and hoaxes are other forms of deception that are often an attack vector too.

4. Hackers:
• Hackers/crackers are a formidable attack vector because, unlike ordinary malicious code, people are flexible and they can improvise.
• Hackers/crackers use a variety of hacking tools, heuristics, and social engineering to gain access to computers and online accounts.
• They often install a Trojan horse to commandeer the computer for their own use.

5. Heedless guests (attack by webpage):
• Counterfeit websites are used to extract personal information.
• Such websites look very much like the genuine websites they imitate.
• They are often used in conjunction with spam, which gets you there in the first place.
• Pop-up webpages may install spyware, adware or Trojans.

6. Attack of the worms:
• Many worms are delivered as E-Mail attachments, but network worms use holes in network protocols directly.
• Remote access services, like file sharing, are likely to be vulnerable to this sort of worm.
• Many of these system worms include Trojan horses.
• They begin scanning the Internet from the computer they have just infected, looking for other computers to infect.
• If the worm is successful, it propagates rapidly.

7. Malicious macros:
• Microsoft Word and Microsoft Excel are some examples of applications that allow macros.
• A macro does something like automating a spreadsheet.
• All Internet services like instant messaging, Internet Relay Chat (IRC), and P2P file-sharing networks rely on cozy connections between the computer and other computers on the Internet.
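The following added example (not code from the course material) ties together the points on E-Mail attachments and on malicious macros above: an attachment triage routine of the kind a mail gateway runs before the user ever sees the file. It flags executable attachment types, double extensions that disguise an executable as a document, and Office documents carrying VBA macros. Word/Excel files in Office Open XML format are zip containers, and a file with macros holds a `vbaProject.bin` part; the sample files here are constructed in memory with an empty placeholder for that part, so nothing executable is involved.

```python
"""Triage of e-mail attachments before a user opens them.

Added illustration, not from the course text. Checks executable attachment
types, double extensions, and Office Open XML documents that carry VBA macros
(detected by the vbaProject.bin part inside the zip container). The sample
attachments are constructed in memory; the VBA part is an empty placeholder.
"""
import io
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "pif", "js", "vbs", "ps1", "hta", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm"}
OOXML_EXTS = MACRO_EXTS | {"docx", "xlsx", "pptx"}


def extensions(filename):
    """All extensions of a name, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    return filename.lower().split(".")[1:]


def has_vba_project(data):
    """True if the bytes are a zip container holding a vbaProject.bin part (VBA macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container at all (e.g. legacy .doc/.xls or plain text)


def triage_attachment(filename, data):
    """Return a list of findings for one attachment (empty list = nothing flagged)."""
    findings = []
    exts = extensions(filename)
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable type .{last}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension .{exts[-2]}.{last} disguises an executable as a document")
    if last in MACRO_EXTS:
        findings.append(f"macro-enabled Office type .{last}")
    if last in OOXML_EXTS and has_vba_project(data):
        findings.append("vbaProject.bin present: document carries VBA macros")
        if last not in MACRO_EXTS:
            findings.append(f"macros inside a .{last} file (content does not match extension)")
    return findings


def _ooxml(with_macros):
    """Constructed minimal OOXML container; the VBA part is an empty placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"")
    return buf.getvalue()


# Constructed sample attachments, as a mail parser would hand them over.
SAMPLE_ATTACHMENTS = {
    "notes.txt": b"meeting notes",
    "invoice.pdf.exe": b"MZ placeholder, not a real program",
    "report.docm": _ooxml(with_macros=True),
    "agenda.docx": _ooxml(with_macros=False),
    "renamed.docx": _ooxml(with_macros=True),
}


def triage_all(attachments=SAMPLE_ATTACHMENTS):
    """Triage every attachment; returns {filename: findings}."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or "ok")
```

The content check matters more than the extension check: a macro-carrying file renamed to `.docx` passes a filter that looks at names only, which is why the routine opens the container rather than trusting the suffix. Legacy binary formats (`.doc`, `.xls`) are OLE files, not zips, and need a separate parser.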
8. Foistware (sneakware):
• It is software that adds hidden components to the system on the sly.
• Spyware is the most common form of foistware.
• Foistware is quasi-legal software bundled with some attractive software. Sneak software often hijacks the browser and diverts the user to some "revenue opportunity" that the foistware has set up.

9. Viruses:
• These are malicious computer codes that hitch a ride and make up the payload.
• Virus vectors include E-Mail attachments, downloaded files, worms, etc.
