UNIT-3

3.1 INTRODUCTION
Cybercrime encompasses unlawful activities in which a computer plays the central role, either as the primary target or as a tool facilitating the offence (hacking, phishing, spamming, and so on). Cybercriminals employ computer technology to gain unauthorised access to personal information or confidential business data, or to engage in malicious and exploitative online activities. Criminals also use computers to communicate and to store documents and data. These individuals are commonly called hackers, and cybercrime is also referred to as computer crime.
Tools and methods used in cybercrime encompass the software, hardware, techniques and tactics used by individuals or groups with malicious intent to carry out illegal activities in the digital realm. They are used to exploit vulnerabilities, gain unauthorised access to computer systems, steal sensitive data or disrupt digital services.
The basic stages of an attack are described under the following section to understand how an attacker can
compromise a network.
1. Initial uncovering: Two steps are involved here. In the first step, called reconnaissance, the attacker gathers as much information as possible about the target by legitimate means: searching for the target on the Internet, on social networking websites and on people-finder websites. In the second step, the attacker uncovers as much as possible about the company's Internet-facing footprint, such as its Internet domains, machine names and Internet Protocol (IP) address ranges (from DNS and WHOIS records, for example).
2. Network probe: At the network probe stage, the attacker uses more invasive techniques to verify that information. Usually a 'ping sweep' of the network IP addresses is performed to check which devices are alive, and then a 'port scanning' tool is used to discover exactly which services are running on the target system. At this point the attacker has not yet broken into anything, but the activity is not invisible: sweeps and scans show up in firewall logs and intrusion detection systems, and a well-monitored network treats them as an early warning.
3. Crossing the line towards electronic crime (E-crime): The attacker does this by exploiting possible holes in the target system. The attacker usually goes through several stages of exploits to gain access. Once the attackers are able to access a user account with few privileges, they attempt further exploits (privilege escalation) to get administrator or 'root' access. Root is the Unix term for the account with the system privileges required to run all services and access all files on the system.
4. Capturing the network: At this stage, the attacker attempts to "own" the network. The attacker gains a foothold in the internal network by compromising low-priority target systems and then moves on to more valuable ones. The next step is to remove any evidence of the attack and to make the access persistent: the attacker usually installs a set of tools (a rootkit) that replaces existing files and services with Trojaned versions containing a backdoor password.
5. Grab the data: Now that the attacker has "captured the network", he or she takes advantage of that position to steal confidential data or customer credit card information, deface web pages, alter processes and even launch attacks at other sites from your network, causing a potentially expensive and embarrassing situation for an individual or an organisation.
6. Covering tracks: This is the last step in any cyber attack and refers to the activities the attacker undertakes to keep misusing the system without being detected: removing evidence of the intrusion (log entries, tools, temporary files), avoiding legal action, and keeping the foothold available for a fresh round of reconnaissance against related targets.
3.1.1 Tools used to Cover Attacks
1. ELSave: A command-line tool to save and/or clear a Windows NT event log, written by Jesper Lauritsen. The executable is available on the web, but the source code is not.
2. WinZapper: This tool erases event records selectively from the Security log in Windows NT 4.0 and Windows 2000. Selective deletion matters to an attacker because clearing the whole Security log itself leaves an "audit log was cleared" event (ID 517 on NT/2000, 1102 on later Windows versions) that investigators look for.
3. Evidence Eliminator: It is marketed as a simple, professional PC cleaning program that can defeat all known investigative
4. Traceless: A privacy cleaner for Internet Explorer that deletes common Internet tracks, including history, cache, typed URLs, cookies, etc.
5. Tracks Eraser Pro: It deletes the following history data:
- Address bar history of IE, Netscape, AOL and Opera.
- Cookies of IE, Netscape, AOL and Opera.
- Internet cache (temporary Internet files).
- Internet history files.

3.1.2 Fundamental Stages of Cyber Attack


The fundamental stages of a cyber attack are outlined in the following section to gain insight into how an attacker can
compromise a network:
1) Initial Reconnaissance: In this stage, the attacker takes two steps. First, through legitimate means, they gather as
much information as possible about the target, including online research and social networking sites. Second, they
uncover internal network details such as Internet domains, machine names, and IP address ranges.
2) Network Probe: Here, the attacker employs more invasive techniques. They perform a 'ping sweep' of network IP addresses to identify live hosts and use port scanning tools to determine which services are running on the target system. Nothing has been compromised yet, but these probes are visible to firewalls and intrusion detection systems and are often the first sign of an attack.
3) Crossing into Electronic Crime (E-crime): In this phase, the attacker begins technically committing a 'computer
crime' by exploiting vulnerabilities in the target system. The attacker progresses through various exploits to gain
access, aiming for administrator or 'root' access, which provides extensive system privileges.
4) Capturing the Network: At this stage, the attacker seeks to control the network by compromising low-priority
target systems. They establish a foothold within the internal network and proceed to eliminate any evidence of the
attack. Typically, the attacker installs tools that replace existing files and services with Trojan versions, granting
backdoor access.
5) Data Theft: Now that the attacker has control of the network, they leverage their position to steal sensitive data,
such as customer credit card information or confidential data. They may also deface web pages, manipulate
processes, or launch attacks from the compromised network.
6) Covering Tracks: This final step involves the attacker's efforts to remain undetected while continuing to misuse
the system. They may erase evidence of hacking, conduct further reconnaissance, or avoid legal action.
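The detection side of the network-probe stage, as an added example that is not part of these notes: a small Python detector run over constructed firewall log lines (the log format, the addresses and the thresholds are all assumptions for the illustration). It flags a source that touches many ports on one host within a short window (port scan) or many hosts (ping/host sweep), which is exactly the activity the stage describes.

```python
from collections import defaultdict

# Constructed log format (assumption): "<epoch> <src_ip> -> <dst_ip>:<dst_port> <action>"
PORT_THRESHOLD = 10   # more distinct ports than this on one host inside WINDOW = port scan
HOST_THRESHOLD = 5    # more distinct hosts than this inside WINDOW = host (ping) sweep
WINDOW = 60           # seconds


def parse_line(line):
    """Parse one constructed firewall line into (ts, src, dst_host, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    host, port = dst.rsplit(":", 1)
    return int(ts), src, host, int(port), action


def _max_distinct_in_window(hits, window):
    """hits: iterable of (ts, value). Largest number of distinct values seen in
    any span of `window` seconds (sliding window over the time-sorted hits)."""
    hits = sorted(hits)
    counts = defaultdict(int)
    best = left = 0
    for ts, val in hits:
        counts[val] += 1
        while hits[left][0] < ts - window:      # drop hits older than the window
            old = hits[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scans(lines, window=WINDOW, port_threshold=PORT_THRESHOLD,
                 host_threshold=HOST_THRESHOLD):
    """Return sorted alerts: ('port_scan', src, dst_host) or ('host_sweep', src, None)."""
    by_pair = defaultdict(list)   # (src, dst_host) -> [(ts, port)]
    by_src = defaultdict(list)    # src -> [(ts, dst_host)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, host, port, _ = parse_line(line)
        by_pair[(src, host)].append((ts, port))
        by_src[src].append((ts, host))
    alerts = []
    for (src, host), hits in by_pair.items():
        if _max_distinct_in_window(hits, window) > port_threshold:
            alerts.append(("port_scan", src, host))
    for src, hits in by_src.items():
        if _max_distinct_in_window(hits, window) > host_threshold:
            alerts.append(("host_sweep", src, None))
    return sorted(alerts)


# Constructed sample log: one port scanner, one host sweeper, one ordinary client.
_BASE = 1700000000
SAMPLE_LOG = (
    [f"{_BASE + i} 10.0.0.5 -> 192.168.1.10:{p} DENY" for i, p in enumerate(range(1, 21))]
    + [f"{_BASE + i} 10.0.0.6 -> 192.168.1.{h}:80 DENY" for i, h in enumerate(range(1, 9))]
    + [f"{_BASE + i * 30} 10.0.0.7 -> 192.168.1.10:443 ALLOW" for i in range(3)]
)


def demo():
    return detect_scans(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The thresholds are deliberately low so the constructed log trips them; in a real deployment they are tuned against the site's normal traffic, and the same sliding-window logic is applied per source to connection logs from the firewall or a network sensor.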

3.2 PROXY SERVERS AND ANONYMISERS


3.2.1 Proxy Servers
A proxy server acts as intermediary between your device (like a computer or smartphone) and the internet. When
you want to see a webpage or something online, your request first goes through the proxy server. The proxy server then
sends your request to the actual server where the webpage is, gets the response, and passes it back to you. This whole
process helps hide your original IP address.
Think of the proxy server as another computer in the network that relays your traffic to other computers on the Internet. Attackers use proxies (often chains of them, or ones in other jurisdictions) to connect to target systems without revealing their own address: the target sees connections arriving from the proxy's IP address, and unless the proxy keeps logs that can be obtained, it cannot tell who is really behind them.
Proxy servers are go-betweens for your requests to servers on the Internet, and they come in different types depending on the protocol and purpose. They play a large role in keeping your IP address private when you browse: the proxy has its own address on the Internet, keeps your system separated from the wider network, and lets you access websites from a different IP address than your own.
Remember, though, that an ordinary proxy does not encrypt your traffic. Unless the connection itself is protected (for example by HTTPS, which the proxy tunnels through unchanged), the proxy operator and anyone on the path between you and the proxy can read it.

3.2.2 Mechanism of Proxy Server


The mechanism of a proxy server is a series of steps that lets it intercept, process and forward network requests between clients and destination servers. This mechanism allows proxy servers to perform various functions, including improving security, enhancing privacy, accelerating content delivery through caching and enforcing network policies. The specific configuration and purpose of a proxy server vary widely with the needs of the organisation or individual using it.
Overview of how a proxy server works:
1) Client Request: When a client device, such as a computer or Smartphone, makes a request to access a web resource
(e.g., a website or a file), it sends the request to the proxy server instead of directly to the destination server.
2) Proxy Server Interception: The proxy server intercepts the client's request. It has its own IP address and listens
on a specific port to accept the incoming requests from clients.
3) Processing and Caching (Optional): Depending on the proxy server's configuration and intended purpose, it may
process the request in several ways:
 Caching: When configured accordingly, the proxy server may perform a cache check to determine if the
requested resource has been previously accessed and stored. If found in the cache and still deemed valid,
the proxy can promptly deliver it to the client, resulting in bandwidth and time savings.
 Content Filtering: Some proxy servers are set up to filter content based on policies. For example, they can
block specific websites or types of content.
 Authentication: In corporate environments, proxy servers may require users to log in before allowing
access to the internet, enforcing security policies.
 Logging: Many proxy servers log requests and responses for monitoring and security purposes.
4) Forwarding the Request: After processing the request (if necessary), the proxy server forwards the request to the
destination server. This is done by establishing a new connection to the target server.
5) Destination Server Response: The destination server processes the request and sends a response back to the proxy
server.
6) Proxy Server Response to Client: The proxy server receives the response from the destination server and, if
applicable, processes it. It may also cache the response for future requests. Finally, the proxy server sends the
response to the client device that originally made the request.
7) End-User Experience: From the perspective of the end-user (client device), it appears as if the response came
directly from the proxy server. The client may not be aware of the existence of the destination server.
8) Network Traffic Routing: The proxy server continues to route traffic between clients and destination servers for
subsequent requests, maintaining its role as an intermediary.

The proxy server accepts the request from the client and produces a response under the following conditions:
1. If the requested data or page already exists in the local cache (and is still fresh), the proxy server itself returns it to the client.
2. If the requested data or page does not exist in the local cache, the proxy server forwards the request to the destination server.
3. The proxy server relays the destination server's reply to the client and stores a copy in its cache for later requests.
Therefore the proxy server acts as a server towards the client and as a client towards the destination.

Fig. 3.3 How a Proxy Server Works
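The eight steps above, as an added example that is not code from these notes: a forward-proxy core in Python whose network layer is replaced by an `upstream` callable (assumed signature `upstream(method, url, headers) -> (status, headers, body)`), so that filtering, authentication, caching, forwarding, logging and the proxy's own headers can be exercised offline against a constructed fake origin. The addresses and host names are invented for the illustration.

```python
import time
from urllib.parse import urlsplit


class ProxyCore:
    """Forward-proxy logic with the transport stripped out (added example)."""

    def __init__(self, upstream, blocked_hosts=(), require_auth=False,
                 cache_ttl=60, proxy_addr="203.0.113.10"):
        self.upstream = upstream          # assumed: upstream(method, url, headers) -> (status, headers, body)
        self.blocked = set(blocked_hosts)
        self.require_auth = require_auth
        self.cache_ttl = cache_ttl
        self.proxy_addr = proxy_addr      # constructed address (RFC 5737 range)
        self.cache = {}                   # url -> (expires_at, status, headers, body)
        self.log = []                     # (client_ip, method, url, status, served_from)

    def handle(self, client_ip, method, url, headers=None, now=None):
        """Steps 1-7: take a client request, return (status, headers, body, served_from)."""
        headers = dict(headers or {})
        now = time.time() if now is None else now
        host = (urlsplit(url).hostname or "").lower()

        # Step 3: content filtering
        if host in self.blocked:
            return self._respond(client_ip, method, url, 403, {}, b"blocked by policy", "filter")
        # Step 3: authentication (407 tells the client to retry with credentials)
        if self.require_auth and "Proxy-Authorization" not in headers:
            return self._respond(client_ip, method, url, 407,
                                 {"Proxy-Authenticate": 'Basic realm="proxy"'}, b"", "auth")
        # Step 3: cache check, only for GET; expired entries are evicted
        if method == "GET" and url in self.cache:
            expires, status, rh, body = self.cache[url]
            if now < expires:
                return self._respond(client_ip, method, url, status, rh, body, "cache")
            del self.cache[url]

        # Step 4: forward. The origin's TCP peer is the proxy; Via/X-Forwarded-For are
        # what make this a transparent rather than an anonymous proxy (see 3.2.4).
        fwd = dict(headers)
        fwd.pop("Proxy-Authorization", None)     # credentials are for the proxy, never the origin
        fwd["Via"] = "1.1 " + self.proxy_addr
        fwd["X-Forwarded-For"] = client_ip
        status, rh, body = self.upstream(method, url, fwd)   # Step 5: origin answers

        # Step 6: cache successful GETs and hand the response back to the client
        if method == "GET" and status == 200:
            self.cache[url] = (now + self.cache_ttl, status, rh, body)
        return self._respond(client_ip, method, url, status, rh, body, "origin")

    def _respond(self, client_ip, method, url, status, rh, body, served_from):
        self.log.append((client_ip, method, url, status, served_from))   # Step 3: logging
        return status, rh, body, served_from


# Constructed fake origin standing in for the destination server (no network used).
ORIGIN_CALLS = []   # records (method, url, X-Forwarded-For) as the origin saw them


def fake_origin(method, url, headers):
    ORIGIN_CALLS.append((method, url, headers.get("X-Forwarded-For")))
    if urlsplit(url).hostname == "intranet.example":
        return 200, {"Content-Type": "text/plain"}, b"hello from origin"
    return 404, {}, b"not found"


def demo():
    proxy = ProxyCore(fake_origin, blocked_hosts={"ads.example"}, cache_ttl=60)
    r1 = proxy.handle("10.0.0.5", "GET", "http://intranet.example/", now=1000)  # fetched from origin
    r2 = proxy.handle("10.0.0.6", "GET", "http://intranet.example/", now=1010)  # served from cache
    r3 = proxy.handle("10.0.0.6", "GET", "http://intranet.example/", now=2000)  # cache expired, refetched
    r4 = proxy.handle("10.0.0.5", "GET", "http://ads.example/track", now=2001)  # blocked by policy
    return proxy, (r1, r2, r3, r4)


if __name__ == "__main__":
    proxy, _ = demo()
    for entry in proxy.log:
        print(entry)
```

Two details worth noticing: the cached copy fetched for 10.0.0.5 is served to 10.0.0.6 without the origin ever seeing the second client, which is the bandwidth saving of step 3 but also why caches must never store per-user responses; and `Proxy-Authorization` is stripped before forwarding so the proxy's credentials are never leaked to the origin.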


3.2.3 Need of Proxy Server
The need for a proxy server can vary depending on the specific use case, organization, or individual requirements. Here are
some common reasons and needs for using a proxy server:
1) Enhanced Privacy and Anonymity: Proxy servers act as an intermediary, masking the user's original IP address
and providing a level of anonymity while browsing the internet.
2) Bypassing Internet Restrictions: In regions where certain websites or services are blocked, a proxy server allows
users to bypass these restrictions and access blocked content.
3) Improved Security: Proxy servers can filter malicious content, block harmful websites and help protect against various cyber threats, providing an additional layer of control. Note that a plain HTTP proxy does not encrypt your web requests; only a TLS connection to the destination (tunnelled through the proxy with CONNECT) or an encrypted link to the proxy itself protects the traffic from being read on the way.
4) Network Performance Optimization: By caching frequently accessed content, proxy servers can improve
network performance, reduce bandwidth usage, and speed up access to resources.
5) Content Filtering and Parental Controls: Organisations and parents can use proxy servers to filter and control
internet content, ensuring safe browsing experiences and compliance with organisational policies.
6) Load Balancing and Redundancy: Proxy servers can distribute traffic across multiple servers, optimising resource
usage and ensuring high availability through redundancy.
7) Access Geo-Restricted Content: Proxy servers located in different regions enable users to access region-specific
content or services that might otherwise be restricted based on geographical location.
8) Monitoring and Logging: Proxy servers can log and monitor internet activity, providing insights into user
behaviour and helping with compliance, auditing, and troubleshooting.
9) Bandwidth Savings: Proxies can cache content locally, reducing the need to fetch the same content repeatedly
from the original server, resulting in significant bandwidth savings.
10) Anonymised Web Scraping: In web scraping activities, proxy servers help anonymise requests, preventing IP bans
and detection by websites, allowing for effective data gathering.
11) Secure Remote Access: Proxy servers can facilitate secure remote access to internal networks by acting as a secure
gateway for remote users.
12) Compliance with Organisational Policies: Proxy servers enable organisations to enforce internet usage policies,
ensuring compliance with acceptable use and data protection guidelines.
13) Hiding the Origin Address: Passwords and network architecture protect an organisation's data, but an attacker who can easily learn the public IP address of an internal host has a target to attack directly. Proxy servers hide the original IP addresses of internal hosts, so that outbound traffic appears to come from the proxy's address instead.
14) Examine Packet Headers and Payloads: Headers and payloads of requests made by internal nodes (for example to social websites) pass through the proxy and can be inspected, logged and restricted. For HTTPS traffic this is only possible if the proxy terminates TLS (interception with an organisation-issued certificate); otherwise it sees only the destination host name.
Understanding these needs helps individuals and organisations make informed decisions about implementing and utilising
proxy servers to enhance their internet experience, security, and network performance.

3.2.4 Types of Proxy Server


1. Reverse Proxy Server:
The primary function of a reverse proxy server is to receive requests from clients and direct them to specific web servers located on distinct server platforms behind it. It listens on TCP ports 80 and 443 for website connections and is typically hosted in a demilitarised zone (DMZ) so that the public can reach the services while the actual servers' identities stay hidden. External users cannot discern how many internal servers exist or which one served them. The fundamental role of a reverse proxy is to route traffic according to the internal server configuration.
Because the reverse proxy is the only host that external clients talk to, the internal servers can stay behind firewalls that admit connections from the proxy alone. A reverse proxy is also used to limit client access to sensitive data stored on specific servers, and commonly to terminate TLS and balance load across servers.

2. Forward (and Open) Proxy Server:

A forward proxy acts as an intermediary between one or more user devices and the Internet. Instead of sending a client request straight to a web server, the forward proxy assesses the request, applies any required actions (filtering, authentication, caching) and forwards it to the intended destination on behalf of the client. An open proxy is a forward proxy that accepts requests from any Internet user rather than only from a known set of clients; it retrieves the requested content from the destination and returns it to the user. Open proxies are widely used to bypass firewalls and filters imposed by authorities, and are equally attractive to attackers as a way of hiding their own address. Fig. 3.5 shows a forward proxy configuration.

3. Web Proxy Server

This type of proxy forwards HTTP requests. The request is an ordinary HTTP request except that the request line carries the full URL (for example GET http://www.example.com/index.html HTTP/1.1) instead of only the path, so the proxy knows which origin server to contact. The proxy sends the request on and returns the response. Examples of software used as web proxies are Apache (mod_proxy) and HAProxy.

4. Anonymous Proxy
This type of proxy server does not pass on the client's original IP address. The server at the other end can still detect that it is talking to a proxy (for example from a Via header), but it cannot learn the client's address, so the proxy provides reasonable anonymity to the client device.
5. High Anonymity Proxy
This proxy server (also called an elite proxy) neither reveals the original IP address nor identifies itself as a proxy; to the destination it looks like an ordinary client.

6. Transparent Proxy
This type of proxy server provides no anonymity to the client: the original IP address is passed on (typically in an X-Forwarded-For header) and can be easily detected. It is still widely used as a cache for websites. A transparent proxy combined with a gateway gives a proxy through which the client's connections are redirected without any configuration on the client; the redirection can be detected from the HTTP headers seen on the server side. These are also known as intercepting proxies, inline proxies and forced proxies.
- Working: It intercepts the communication at the network level without any client configuration. It works as a gateway or router that passes requests and responses through without altering them, while applying policy and logging.
- Uses: These proxies are mostly used at the business level to enforce policy over communication. They can also shield the TCP servers behind them from some attacks, for example absorbing a denial-of-service flood before it reaches the origin.

7. CGI Proxy
This type of proxy was developed to make websites accessible from places where direct access is filtered.
- Working: It accepts the target URL in a web form, fetches the page server-side and returns the result to the browser. It has become less popular since VPNs and other privacy tools appeared, but still receives many requests. Its use has also declined because the traffic it relays after passing the local filter can be excessive, leading to collateral damage to the hosting organisation.

8. Suffix Proxy
This type of proxy server appends the proxy's name to the URL of the content being requested (so the page at example.com is fetched through a host such as example.com.proxyname). It does not provide a high level of anonymity.
- Uses: It is used for bypassing web filters. It is easy to use and implement, but it is used less now because most web filters recognise it.

9. Distorting Proxy
A distorting proxy identifies itself as a proxy but presents an incorrect original IP address for the client in the HTTP headers (such as X-Forwarded-For), so that the client's real address stays confidential while the destination is given a false one.

10. TOR Onion Proxy

Tor is free software aimed at protecting the user's online anonymity.
- Working: It routes traffic through a circuit of volunteer relays located around the world, making it difficult for anyone performing traffic analysis to link the user's address to the destination.
- For this it uses onion routing: the client encrypts the message in multiple layers, one per relay. Each relay removes exactly one layer, which reveals only the next hop, so no single relay knows both the origin and the destination. The last (exit) relay removes the final layer and delivers the message to its destination.
11. Invisible Internet Project (I2P) Anonymous Proxy
I2P uses layered encryption to hide communications at several levels. The encrypted data is relayed through routers run by participants at different locations, so I2P is a fully distributed proxy network. The software is free and open source and resists censorship.

12. DNS Proxy

A DNS proxy takes requests in the form of DNS queries and forwards them to a DNS server, where responses can also be cached. The flow of requests can also be redirected, which is how DNS-based content filters (and, with a false answer, DNS hijacking attacks) operate.
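What separates the transparent, anonymous, distorting and high-anonymity proxies above is only what the origin server sees, so here is an added example (not from these notes) that builds the headers each type would forward and classifies the proxy the way an origin or a "proxy judge" page does. The addresses come from the RFC 5737 documentation ranges and the header set is a simplification; real detection also uses IP reputation lists, since a high-anonymity proxy is indistinguishable from a direct client by headers alone.

```python
# Constructed addresses from the RFC 5737 documentation ranges
REAL_CLIENT = "198.51.100.7"
PROXY_ADDR = "203.0.113.10"
FAKE_CLIENT = "192.0.2.99"


def headers_sent_by(proxy_type, client_ip=REAL_CLIENT, proxy_ip=PROXY_ADDR):
    """Request headers the origin receives from each proxy type; in every case the
    TCP peer address the origin sees is proxy_ip, never client_ip."""
    h = {"Host": "www.example", "User-Agent": "Mozilla/5.0"}
    if proxy_type == "transparent":
        h["Via"] = "1.1 " + proxy_ip
        h["X-Forwarded-For"] = client_ip     # real client address is handed over
    elif proxy_type == "anonymous":
        h["Via"] = "1.1 " + proxy_ip         # admits being a proxy, withholds the client
    elif proxy_type == "distorting":
        h["Via"] = "1.1 " + proxy_ip
        h["X-Forwarded-For"] = FAKE_CLIENT   # admits being a proxy, lies about the client
    elif proxy_type == "elite":
        pass                                 # adds nothing: looks like a direct client
    else:
        raise ValueError("unknown proxy type: " + proxy_type)
    return h


def classify(headers, real_client_ip=None):
    """Classify the proxy from the origin's point of view.
    real_client_ip is known only on a test ('proxy judge') page that the user
    visits from a known address; without it a distorting proxy cannot be told
    apart from a transparent one."""
    lower = {k.lower(): v for k, v in headers.items()}
    proxy_markers = ("via", "forwarded", "x-forwarded-for", "x-proxy-id")
    if not any(k in lower for k in proxy_markers):
        return "direct-or-elite"          # headers alone cannot separate these two
    xff = lower.get("x-forwarded-for")
    if xff is None:
        return "anonymous"
    claimed = xff.split(",")[0].strip()   # first entry is the claimed original client
    if real_client_ip is not None and claimed != real_client_ip:
        return "distorting"
    return "transparent"


def demo():
    """Classification of each constructed proxy type, with the real client known."""
    return {t: classify(headers_sent_by(t), REAL_CLIENT)
            for t in ("transparent", "anonymous", "distorting", "elite")}


if __name__ == "__main__":
    for proxy_type, verdict in demo().items():
        print(f"{proxy_type:12s} -> origin sees: {verdict}")
```

For a site owner the practical lesson is the opposite one: X-Forwarded-For is whatever the last hop chose to write, so it must only be trusted from your own reverse proxy, never from an arbitrary client.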

Disadvantages of Proxy Server


While proxy servers offer various advantages, they also have some disadvantages and limitations that users and
organisations should be aware of:
1) Limited Security: Some proxy servers may not provide strong encryption or security features, making data
vulnerable to interception by malicious actors.
2) Single Point of Failure: If the proxy server experiences downtime or malfunctions, it can disrupt internet access
for all connected clients, acting as a single point of failure.
3) Performance Overheads: Routing traffic through a proxy server can introduce additional latency and reduce
network performance, especially during high traffic periods.
4) Dependency on Proxy Server: Users and applications relying on a proxy server may face issues accessing the
internet if the proxy server is unavailable or misconfigured.
5) Privacy Risks with Logging: Proxy servers that log user activity can pose privacy risks if the logs are accessed or
misused. Users' online activities may be stored and potentially monitored.
6) Bandwidth Limitations: Some proxy servers may limit bandwidth for users, affecting the speed and performance
of internet access.
7) Content Filtering Challenges: Implementing content filtering on a proxy server can be resource-intensive and
may struggle with efficiently filtering certain types of content, especially as encryption becomes more prevalent.
8) Configuration Complexity: Setting up and configuring a proxy server, especially for specific use cases like load
balancing or complex filtering, can be technically challenging and time-consuming.
9) Potential for Abuse: Proxy servers can be misused for illegal activities or to access restricted content, posing
ethical and legal concerns.
10) Identification by Websites: Some websites can detect and block requests coming from known proxy server IP
addresses, restricting access for users.
11) Compatibility Issues: Certain applications and services may not function properly when accessed through a proxy
server, leading to compatibility issues.
12) Resource Consumption: Running a proxy server consumes computational resources (CPU, memory, etc.), which
could affect the performance of the hosting machine or network.
13) Risks of Free Proxy Servers: Operators of "free" proxies rarely invest in backend hardware or encryption, which results in performance problems and potential data security problems. Treat a free proxy with great care: its operator sees everything you send through it, and some have been caught stealing credentials and credit card numbers.
14) Browsing History Log: The proxy server records your original IP address and your web requests, possibly in unencrypted form, and stores them locally. Always check whether your proxy provider logs and keeps that data, and what retention and law enforcement cooperation policies it follows.

3.3 ANONYMISER
An anonymiser is a proxy server that makes Internet activity harder to trace. It protects personally identifying information by withholding it on the user's behalf. Also called an anonymous proxy or privacy service, it is a tool or service that allows users to browse the Internet while keeping their identity and online activities hidden from the sites they visit. Anonymisers work by masking the user's IP address and, in many services, encrypting the traffic between the user and the anonymiser.
An anonymiser is designed to minimise the data a user discloses while browsing. Contrary to its name, it does not grant complete anonymity: it conceals the device's IP address from the website being accessed and substitutes its own, creating the impression that the user is browsing from a different location, but the anonymiser itself still sees who the user is and what they request.
How an anonymiser operates?
1. IP Address Masking: Anonymisers act as an intermediary between the user's device and the internet. When a user
sends a request to access a website or online resource, the request is sent through the anonymiser, which substitutes
the user's IP address with its own. This prevents the target website from identifying the user's actual IP address.
2. Encryption of Traffic: Many anonymisers encrypt the traffic between the user and the anonymiser, which protects it from interception or monitoring on that leg (for example by the local network or ISP). The anonymiser itself, and the path from it to the destination, still see the traffic unless the destination uses HTTPS.
3. Anonymity Layer: An anonymiser adds a layer of anonymity by obscuring the user's original IP address and other
identifying information associated with the request.
4. Access to Blocked Content: Anonymisers allow users to bypass internet restrictions and access blocked websites
or services, particularly in regions where certain content is restricted or censored.
5. Privacy Enhancement: By hiding the user's IP address and encrypting their traffic, anonymisers significantly
enhance privacy and make it difficult for websites, ISPs, or other entities to track and trace their online activities.
6. Secure Connection: By encrypting the link to the anonymiser, the service makes it safer to browse on public or unsecured networks, where others on the same network could otherwise observe the traffic.

3.3.1 Uses of an Anonymiser


There are several reasons to use an anonymiser, including:
1. Ensuring Privacy: Anonymisers help safeguard your identity by making your internet browsing activities
untraceable. Your privacy remains protected unless you willingly provide personal information online, such as by
filling out forms.
2. Accessing Government-Restricted Content: Many governments restrict their citizens from accessing certain
websites or content considered inappropriate or containing sensitive data. An anonymiser, located outside the target
country, allows access to these sites while preserving anonymity.
3. Protection against Online Attacks: Some anonymiser services resolve names through their own DNS servers and block known phishing and malware domains there, which gives some protection against phishing links; it is not a substitute for checking the destination yourself.
4. Bypassing IDS and Firewall Rules: Firewalls are often bypassed by employees or students attempting to access
unauthorised websites. An anonymiser service circumvents the organisation's firewall by establishing a connection
between your computer and the anonymiser service. Consequently, firewalls only detect the connection between
your computer and the anonymiser's web address. The anonymiser can then connect to any website, like Twitter,
through an internet connection and deliver the content to you. From your organisation's perspective, your system
appears connected solely to the anonymiser's web address, not to the actual website you browsed.

3.3.2 Types of Anonymisers


An anonymiser is a service that allows individuals to conceal their identity when using specific Internet services. It encrypts data between the user's computer and the anonymiser service, so that the Internet service provider sees only the connection to the anonymiser. Anonymisers can be categorised into two main types: networked anonymisers and single-point anonymisers.
1. Networked Anonymisers: Networked anonymisers initially route user data through a network of internet-connected
computers before forwarding it to the intended website. The data passes through several internet computers, making it
challenging for anyone attempting to trace the data to establish a clear link between the user and the anonymiser.
 Example: When attempting to visit a website, the request may pass through internet computers A, B, and C before
reaching the website.
 Advantage: Complication in communication makes traffic analysis complex.
 Disadvantage: Any multi-node network communication carries a risk of compromising confidentiality at each
node.
2. Single-Point Anonymisers: Single-point anonymisers first direct user data through a specific website before sending it
to the target website. The anonymiser collects data from the target website and then relays it back to the user via the website,
thus protecting the user's identity.
 Advantage: Maintains a degree of separation between the user's information and unique identifiers.
 Disadvantage: Offers less resistance to advanced traffic analysis.
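Onion routing as used by networked anonymisers and by Tor (item 10 in 3.2.4 and item 1 above), as an added example that is not code from these notes or from the Tor project: three relays A, B and C each hold a key shared with the client, the client wraps the message in three layers, and each relay peels one layer and learns only the next hop. The cipher is a toy HMAC-SHA256 keystream XOR from the standard library, standing in for the AES keys a real circuit negotiates, and the keys and relay names are constructed for the demo.

```python
import hashlib
import hmac
import os

NONCE_LEN = 8


def keystream_xor(key, nonce, data):
    """Toy symmetric cipher: XOR data with an HMAC-SHA256(key, nonce||counter)
    keystream. Not for real use; it stands in for the per-hop AES keys."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_layer(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt_layer(key, blob):
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(key, nonce, ciphertext)


def build_onion(path, keys, destination, payload):
    """Client side. For path [A, B, C] produce
    Enc_A(B || Enc_B(C || Enc_C(destination || payload))):
    the exit layer is wrapped first, the entry relay's layer last."""
    hops = list(path) + [destination]
    blob = payload
    for i in range(len(path) - 1, -1, -1):
        blob = encrypt_layer(keys[path[i]], hops[i + 1].encode() + b"\n" + blob)
    return blob


def relay_peel(key, blob):
    """One relay's work: remove its layer, read the next hop, pass the rest on."""
    plain = decrypt_layer(key, blob)
    next_hop, rest = plain.split(b"\n", 1)
    return next_hop.decode(), rest


def run_circuit(path, keys, destination, payload):
    """Walk the onion through every relay; return what each relay learned and
    what finally reaches the destination."""
    blob = build_onion(path, keys, destination, payload)
    learned = []
    for name in path:
        next_hop, blob = relay_peel(keys[name], blob)
        learned.append((name, next_hop))     # relay name, the only hop it sees
    return learned, blob


# Constructed demo circuit: keys are derived from fixed strings only for this illustration.
PATH = ["A", "B", "C"]
KEYS = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest() for name in PATH}


def demo():
    return run_circuit(PATH, KEYS, "www.example", b"GET / HTTP/1.1")


if __name__ == "__main__":
    learned, delivered = demo()
    for name, nxt in learned:
        print(f"relay {name} sees only next hop {nxt}")
    print("destination receives:", delivered)
```

The disadvantage listed for networked anonymisers is visible in the code too: relay C (the exit) receives the payload in clear, so anything that is not itself protected by HTTPS can be read or altered there, and that confidentiality risk exists at every hop that handles plaintext.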
Some of the anonymisers are as follows:
- TunnelBear
- Anonymous net surfriding
- Invisible Internet Project (I2P)
- Guardster
- Proxify
- Ultrasurf
- Psiphon
- Net Proxy Server
- Anonymizer Universal

Anonymiser for Mobile

- Orbot: Orbot is a proxy app that enables other apps to use the Internet more securely. It uses Tor to encrypt Internet traffic and then hides it by bouncing it through a series of computers around the world. Tor is free software and an open network that helps defend against network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and the form of state surveillance known as "traffic analysis". Orbot creates a private Internet connection for the apps that use it.
- Psiphon: Psiphon is a circumvention tool from Psiphon Inc. that uses VPN, SSH and HTTP proxy technology to provide open and uncensored access to Internet content.

3.4 PHISHING
Phishing in cybersecurity is a malicious technique used by cybercriminals to trick individuals into revealing sensitive
information, such as passwords, credit card numbers, social security numbers, and other personal or financial data.
They do this by pretending to be a trustworthy company or website. They send messages that look real, with a link that
takes you to a fake website where they ask for your personal details. This could include things like your credit card number.
Once they have this information, they can steal your identity or make unauthorized charges on your credit card.
Phishing gets its name from the idea of "phish," like fishing with bait. In this case, cyber attackers set a trap to lure in
unsuspecting people. They use deceptive methods to make fake websites look real, tricking victims into thinking they are
dealing with a legitimate source. The most common way they do this is by sending fake emails that seem real, aiming to
get your sensitive information.
These attackers use the stolen information to impersonate you and cause more problems. Most phishing attacks happen
through email, where victims are fooled into sharing private information. While the email may look real, checking the web
address can reveal if it's authentic or a fake attempt to trick you.
Let us understand this concept with the help of an example:

In this example, most people would take the page for the Amazon login page and, trusting Amazon as a secure platform, sign in with their e-mail address and password. But if we look carefully at the address bar, the URL is www.amazonn.com and not www.amazon.com: one extra letter, and the credentials go to the attacker.
How Does Phishing Occur?
Below are the common ways through which phishing occurs. Any of the behaviours listed can expose a user to a phishing attack.
 Clicking on an unknown file or attachment: Here, the attacker deliberately sends a mysterious file to the victim,
as the victim opens the file, either malware is injected into his system or it prompts the user to enter confidential
data.
 Using an open or free Wi-Fi hotspot: This is a very simple way to get confidential information from the user by luring him with free Wi-Fi. The operator of the hotspot can observe and redirect the user's traffic without the user knowing it.
 Responding to social media requests: This commonly includes social engineering. Accepting unknown friend
requests and then, by mistake, leaking secret data are the most common mistake made by naive users.
 Clicking on unauthenticated links or ads: Unauthenticated links have been deliberately crafted that lead to a
phished website that tricks the user into typing confidential data.
3.4.1 Types of Phishing Attacks
There are several types of Phishing Attacks, some of them are mentioned below. Below mentioned attacks are very common
and mostly used by the attackers.
 E-mail Phishing: The most common type where users are tricked into clicking unverified spam e-mails and leaking
secret data. Hackers impersonate a legitimate identity and send e-mails to mass victims. Generally, the goal of the
attacker is to get personal details like bank details, credit card numbers, user IDs, and passwords of any online
shopping website, installing malware, etc. After getting the personal information, they use this information to steal
money from the user's account or harm the target system, etc.
 Spear Phishing: In a spear-phishing attack, a particular target (an organisation or an individual) is singled out. The attacker first gathers detailed information about the target and then sends tailored malicious e-mails to his or her inbox to trap the target into typing confidential data. For example, the attacker targets an employee in the finance department of some organisation, then pretends to be that employee's manager and requests personal information or the transfer of a large sum of money. Because the message is tailored to the victim, spear phishing has a far higher success rate than mass e-mail phishing.
 Whaling: Whaling is just like spear phishing, but the target is the head of the company, such as the CEO or CFO. An e-mail with an urgent, high-pressure pretext is sent to such executives so that they have little time to think, and therefore fall prey to the phishing.
 Smishing: In this type of phishing attack, the medium of phishing attack is SMS. Smishing works similarly to e-
mail phishing. SMS texts are sent to victims containing links to phished websites or invite the victims to call a
phone number or to contact the sender using the given e-mail. The victim is then invited to enter their personal
information like bank details, credit card information, user id/password, etc. Then using this information the
attacker harms the victim.
 Vishing: Vishing is also known as voice phishing. In this method, the attacker calls the victim using modern caller
id spoofing to convince the victim that the call is from a trusted source. Attackers also use IVR to make it difficult
for legal authorities to trace the attacker. It is generally used to steal credit card numbers or confidential data from
the victim.
 Clone Phishing: In clone phishing, the attacker copies a legitimate e-mail that was sent from a trusted source and alters it by replacing a link or attachment with one that redirects the victim to a malicious or fake website. The attacker then sends this mail to a large number of users and waits to see who clicks on the attachment. It can spread further through the contacts of each user who clicked.

Impact of Phishing
Each person has their own impact after getting into Phishing Attacks, but these are some of the common impacts that happen
to the majority of people.
 Financial Loss: Phishing attacks often target financial information, such as credit card numbers and bank account
login credentials. This information can be used to steal money or make unauthorised purchases, leading to
significant financial losses.
 Identity Theft: Phishing attacks can also steal personal information, such as Social Security numbers and date of
birth, which can be used to steal an individual's identity and cause long-term harm.
 Damage to Reputation: Organisations that fall victim to phishing attacks can suffer damage to their reputation, as
customers and clients may lose trust in the company's ability to protect their information.
 Disruption to Business Operations: Phishing attacks can also cause significant disruption to business operations,
as employees may have their e-mail accounts or computers compromised, leading to lost productivity and data.
 Spread of Malware: Phishing attacks often use attachments or links to deliver malware, which can infect a victim's
computer or network and cause further harm.

Signs of Phishing
It is very important to be able to identify the signs of a phishing attack in order to protect against its harmful effects. These signs help users protect their data and information from attackers. Here are some signs to look out for:
 Suspicious e-mail addresses: Phishing e-mails often use fake e-mail addresses that appear to be from a trusted
source, but are actually controlled by the attacker. Check the e-mail address carefully and look for slight variations
or misspellings that may indicate a fake address.
 Urgent requests for personal information: Phishing attacks often try to create a sense of urgency in order to trick
victims into providing personal information quickly. Be cautious of e-mails or messages that ask for personal
information and make sure to verify the authenticity of the request before providing any information.
 Poor grammar and spelling: Phishing attacks are often created quickly and carelessly, and may contain poor
grammar and spelling errors. These mistakes can indicate that the e-mail or message is not legitimate.
 Requests for sensitive information: Phishing attacks often try to steal sensitive information, such as login
credentials and financial information. Be cautious of e-mails or messages that ask for sensitive information and
verify the authenticity of the request before providing any information.
 Unusual links or attachments: Phishing attacks often use links or attachments to deliver malware or redirect
victims to fake websites. Be cautious of links or attachments in e-mails or messages, especially from unknown or
untrusted sources.
 Strange URLs: Phishing attacks often use fake websites that look similar to the real ones, but have slightly different
URLs. Look for strange URLs or slight variations in the URL that may indicate a fake website.

How to Stay Protected Against Phishing?


Until now, we have seen how vulnerable a user becomes to phishing. But with proper precautions one can avoid such scams. Listed below are methods to safeguard users against phishing attacks.
 Authorized Source: Download software from authorized sources only where you have trust.
 Confidentiality: Never share your private details with unknown links and keep your data safe from hackers.
 Check URL: Always check the URL of websites to prevent any such attack. it will help you not get trapped in
Phishing Attacks.
 Avoid replying to suspicious things: If you receive an e-mail from a known source but that e-mail looks
suspicious, then contact the source with a new e-mail rather than using the reply option.
 Phishing Detection Tool: Employ phishing-detection tools to monitor websites that are created with fraudulent
content.
 Avoid free Wi-Fi: Avoid untrusted free Wi-Fi where possible; an attacker who controls the hotspot can redirect you to phishing pages.
 Keep your system updated: It's better to keep your system always updated to protect from different types of
Phishing Attacks.
 Keep the firewall of the system ON: A firewall blocks unsolicited inbound connections and can filter traffic to known-malicious addresses. It does not verify the content you choose to open, so it complements the checks above rather than replacing them.
How to Distinguish between a Fake Website and a Real Website?
In today's digital landscape, it is crucial to be able to tell a fraudulent website from a legitimate one. To differentiate between fake and genuine websites, consider the following guidelines:
 Check the URL of the website: When you first see a website link, look at how it begins. If the address starts with https:// the browser encrypts the data it sends, so an eavesdropper on the network cannot read it; if it starts with http:// nothing is protected in transit, so never enter credentials on an HTTP page. Note the limit of this check: HTTPS proves only that you have an encrypted connection to whoever owns that domain. Certificates are free and phishing sites routinely use HTTPS, so the padlock is necessary but not sufficient; the domain name is what matters.
 Check the domain name of the website: Attackers generally create a website whose address mimics that of a large brand or company, for example www.amazonn.com/order_id=23 instead of www.amazon.com. If we look closely, we can see that the spelling of Amazon is wrong, so it is a phished website. Be careful with such websites, and read the domain from right to left: the label just before the top-level domain names the real owner, so (to illustrate with a reserved example domain) login.amazon.com belongs to Amazon, while amazon.com.example.net belongs to whoever owns example.net.
 Look at the site design: If you open a website from a link, pay attention to the design of the site. Although the attacker tries to imitate the original as closely as possible, something is usually off, and that can be a sign of a fake website. For example, when www.sugarcube.com/facebook is opened, the page that appears is a clone of the real Facebook page, but it is a fake website; the original Facebook link is www.facebook.com.
 Check for the available web pages: A fake website usually does not contain all the pages that are present in the original. So when you suspect a site, open the links on it. If every link leads to nothing but a login page, the website can be assumed to be fake.
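The checks above (scheme, domain spelling, a brand name buried inside a longer host) can be automated. The following is an added example, not code from the original text: a small Python checker that extracts the host from a URL, compares its registrable domain against a constructed allowlist of trusted brands, and flags typosquats within two edits of a brand (the www.amazonn.com case), brand names used as a subdomain of some other domain, punycode labels, credentials embedded before an "@", and plain http. The brand list and sample URLs are assumptions made for illustration, and the registrable domain is approximated by the last two labels; a production checker would consult the Public Suffix List.

```python
"""Flag URLs whose host imitates a trusted brand domain (added example)."""
from typing import List
from urllib.parse import urlsplit

# Constructed allowlist of domains the reader trusts; an assumption for the example.
KNOWN_BRANDS = {"amazon.com", "facebook.com", "paypal.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels:
    'login.amazonn.com' -> 'amazonn.com'. Simplification: without the Public
    Suffix List, 'example.co.uk' would wrongly yield 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> List[str]:
    """Return warnings for a URL; an empty list means nothing looked suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # https://amazon.com@evil.example/ : the real host is the part after '@'
        warnings.append("credentials embedded before '@'; real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible homoglyph domain)")
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS:
        return warnings                     # exact match with a trusted domain
    brand_names = {b.split(".")[0] for b in KNOWN_BRANDS}
    # Brand name used as a subdomain of an unrelated registrable domain,
    # e.g. amazon.com.evil.example
    prefix = host[: -len(reg)].rstrip(".")
    hits = [label for label in prefix.split(".") if label in brand_names]
    if hits:
        warnings.append(f"brand '{hits[0]}' appears as a subdomain of {reg}")
    # Typosquat: registrable name within two edits of a brand, e.g. amazonn.com
    name = reg.split(".")[0]
    for brand in sorted(KNOWN_BRANDS):
        d = edit_distance(name, brand.split(".")[0])
        if 0 < d <= 2:
            warnings.append(f"'{reg}' is {d} edit(s) from '{brand}'")
    return warnings


if __name__ == "__main__":
    for u in ("https://www.amazon.com/ap/signin", "http://www.amazonn.com/login",
              "https://amazon.com.evil.example/login", "https://amazon.com@evil.example/"):
        print(u, "->", check_url(u) or "ok")
```

The edit-distance threshold is deliberately low: one or two edits catches doubled or dropped letters and digit-for-letter swaps without flagging every unrelated short domain, but it is a heuristic, not proof, and a clean result for an unknown domain only means the checker found nothing.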

Anti-Phishing Tools
The use of Anti-Phishing tools is essential for the detection of phishing attacks. Here are some of the widely recognized
and highly effective options in this category:
 Anti-Phishing Domain Advisor (APDA): A browser extension that warns users when they visit a phishing website.
It uses a database of known phishing sites and provides real-time protection against new threats.
 Phish Tank: A community-driven website that collects and verifies reports of phishing attacks. Users can submit
phishing reports and check the status of suspicious websites.
 Webroot Anti-Phishing: A browser extension that uses machine learning algorithms to identify and block phishing
websites. It provides real-time protection and integrates with other security tools.
 Malwarebytes Anti-Phishing: A security tool that protects against phishing attacks by detecting and blocking
suspicious websites. It uses a combination of machine learning and signature-based detection to provide real-time
protection.
 Kaspersky Anti-Phishing: A browser extension that provides real-time protection against phishing attacks. It uses
a database of known phishing sites and integrates with other security tools to provide comprehensive protection.
These anti-phishing tools can provide an additional layer of protection against phishing attacks, but it is important to
remember that they are not a complete solution. Users should also be cautious of suspicious e-mails and messages and
practice safe browsing habits to minimize their risk of falling victim to phishing attacks.
3.5 PASSWORD CRACKING
Password cracking is the process of recovering a password from the form in which a system stores or transmits it. A well-designed system never stores the password itself; it stores a hash, a fixed-length string of bits produced by a one-way cryptographic hash function that takes the password (and, ideally, a per-user salt) as input. Hashing is not encryption: there is no key that turns the hash back into the password. Cracking therefore means guessing candidate passwords, hashing each one the same way, and comparing the result with the stored value.
Password cracking is a critical aspect of hacking. It involves retrieving passwords from data that is stored or transmitted by a computer or mainframe. The purpose varies: helping a user recover a forgotten password, preventive audits by system administrators to identify weak passwords, or unauthorised system access by malicious attackers.

3.5.1 Types of Password Attacks


There are distinct types of password attacks, and they fall into four main categories based on the attacker's approach:
1) Non-Electronic Attacks: Non-electronic attacks require no technical hacking skills. They rely on social engineering or non-technical methods such as dumpster diving or shoulder surfing to obtain a target's password.
2) Active Online Attacks: In an active online attack the attacker interacts directly with the target's live authentication service, submitting candidate passwords to it, using techniques like dictionary attacks, brute forcing, password guessing, or phishing. Because every attempt touches the target, these attacks appear in its logs and are subject to rate limiting and account lockout.
3) Passive Online Attacks: Passive online attacks don't alter the system in any way. The attacker monitors or records information passing through communication channels to and from the target, then uses the captured data to infiltrate the system. Techniques include replay attacks, wire sniffing, and man-in-the-middle attacks.
4) Offline Attacks: Offline attacks attempt to recover plaintext passwords from a captured password hash dump. No lockout applies, so the only limits are the attacker's computing power and the cost of the hash function. Attackers use dictionaries and rule sets, brute force, precomputed hash tables (rainbow tables), and cracking distributed across many machines; a per-password salt defeats precomputed tables.

Common Password Attack Methods


Some common password cracking techniques are:
1. Password Guessing Attacks
One of the most popular password attack techniques is simply guessing the password. Most of today's systems take mercy
on humans as we have countless passwords to remember. The systems permit us to make some mistakes, without locking
us out of our account. When lock-outs do occur, they generally last less than 30 minutes.
 Random Guesses: Usernames are the portion of credentials that do not change, and are also highly predictable,
regularly taking the form of first initial plus surname. Usernames are commonly an e-mail address, something
widely communicated. An attacker now has half the details needed to log into many of your systems. All that's
missing is the password. A random password guess rarely succeeds unless it's a common password, or based on a
dictionary word. Knowing information about the target identity enhances the likelihood of a successful guess by a
threat actor. This information is gathered from social media, direct interaction, deceptive conversation, or even data
aggregated from prior breaches.
The most common variants for passwords susceptible to guessing include these common schemas:
 The word "password" or basic derivations of it (letters swapped for similar-looking digits or symbols, digits appended)
 Derivations of the account owner's username, including initials. This may include subtle variations, such as numbers
and special characters.
 Reformatted or explicit birthdays for the user or their relatives, most commonly, offspring
 Memorable places or events
 Relatives' names and derivations with numbers or special characters, when presented together
 Pets, colors, foods, or other important items to the individual

2. Dictionary Attacks
Dictionary attacks are an automated technique utilizing a list of passwords against a valid account to reveal the password.
The list itself is a dictionary of words. Basic password crackers use lists of common single words like "baseball" to crack a
password, hack an account, and reveal the complete credential.
If the threat actor knows the password length and complexity requirements of the target account, the dictionary is
customized to the target. Advanced password crackers often use a dictionary and mix in numbers and symbols to mimic a
real-world password with complexity requirements.
An effective dictionary attack tool lets a threat actor:
 Set complexity requirements for length, character requirements, and character set
 Manually add words and combinations of words/names
 Target common misspellings of frequently used words
 Operate in multiple languages
A weakness of dictionary attacks is that they rely on real words and the derivations supplied by the default dictionary or the attacker. If the real password is fictitious, mixes languages, or uses several words or a phrase, it should thwart a dictionary attack. The most common mitigation is an account lockout threshold: after "n" wrong attempts, the account is automatically locked for a period of time, or until it is unlocked by an authority such as the help desk or via an automated password reset solution. Lockout only helps against online attacks; an offline attack against a stolen hash dump faces no lockout, so the defence there is a slow, salted hash.

3. Brute Force
Brute force password attacks utilize a programmatic method to try all possible combinations for a password. This method
is efficient for passwords that are short in string (character) length and complexity. This can become infeasible, even for the
fastest modern systems, with a password of eight characters or more. If a password only has alphabetical characters,
including capital letters or lowercase, odds are it would take 8,031,810,176 guesses to crack. This assumes the threat attacker
knows the password length and complexity requirements. Other factors include numbers, case sensitivity, and special
characters in the localized language.
With the proper parameters dialed in, a brute force attack will always find the password, eventually. The computing power
required and length of time it takes often renders brute force tests a moot by the time it has completed. The time it takes to
perform attacks is determined by the time it takes to generate all possible password permutations.Brute force password
attacks tend to be the least efficient method for hacking a password. Thus, threat actors use them as a last resort.
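Both the dictionary attack and the brute force attack described above are offline attacks when run against a stolen hash dump: no lockout applies, and the only limit is how fast the attacker can compute the hash. The following added example (not code from the original text, and not a real cracking tool) shows both against a constructed dump. A wordlist with the mangling rules the text describes (capitalisation, appended digits and years, leetspeak substitutions) is run first; then a short random password that no wordlist contains is exhausted by brute force. The dump uses unsalted SHA-256 for three users and salted SHA-256 for one, an assumption chosen to make the effect of the salt visible: unsalted entries are checked with one hash computation per candidate for all users at once, while a salt forces a separate computation per user. keyspace() reproduces the 8,031,810,176 figure quoted above.

```python
"""Offline dictionary and brute-force attacks on a constructed hash dump (added example)."""
import hashlib
import itertools
import string


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed dump: (user, salt, hex digest of salt + password). Salt is ""
# where the application stored an unsalted hash. Assumption for the example.
DUMP = [
    ("alice", "",     sha256_hex("baseball")),
    ("bob",   "",     sha256_hex("Baseball1")),
    ("carol", "7f3a", sha256_hex("7f3a" + "summer2019")),
    ("dave",  "",     sha256_hex("k9z")),        # short and random: no wordlist has it
]
WORDLIST = ["password", "letmein", "baseball", "summer"]   # constructed, tiny
CHARSET = string.ascii_lowercase + string.digits           # 36 symbols per position


def mangle(word: str):
    """Yield the word and the derivations the text describes."""
    yield word
    yield word.capitalize()
    for base in (word, word.capitalize()):
        for suffix in ("1", "123", "2019", "!"):
            yield base + suffix
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")   # leetspeak


def dictionary_attack(dump, wordlist):
    """Return {user: password} for every entry matched by some mangled word."""
    unsalted = {h: user for user, salt, h in dump if salt == ""}
    salted = [(user, salt, h) for user, salt, h in dump if salt != ""]
    cracked = {}
    for word in wordlist:
        for cand in mangle(word):
            # One hash tests this candidate against every unsalted entry at once.
            h = sha256_hex(cand)
            if h in unsalted:
                cracked[unsalted[h]] = cand
            # Each salted entry costs one extra hash per candidate.
            for user, salt, target in salted:
                if sha256_hex(salt + cand) == target:
                    cracked[user] = cand
    return cracked


def brute_force(target_hex: str, charset: str = CHARSET, max_len: int = 3):
    """Exhaust every string over charset up to max_len; None if not found."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            cand = "".join(combo)
            if sha256_hex(cand) == target_hex:
                return cand
    return None


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates of exactly this length; keyspace(26, 7) == 8,031,810,176."""
    return charset_size ** length


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(DUMP, WORDLIST))
    print("brute force:", brute_force(DUMP[3][2]))
    print("26^7 =", keyspace(26, 7))
```

The asymmetry in dictionary_attack is the whole argument for salting: with unsalted hashes the attacker hashes each candidate once and looks it up against every user in the dump, and can even do that hashing in advance (a rainbow table); with a per-user salt the same candidate must be hashed again for every user, and nothing can be precomputed.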

4. Credential Stuffing
Credential stuffing is an automated hacking technique that utilizes stolen credentials. These credentials are comprised of
lists of usernames, e-mail addresses, and passwords. The technique generally leverages automation to submit login requests
directed against an application and to capture successful login attempts for future exploitation.
Credential stuffing attacks do not attempt to brute force or guess any passwords. The threat actor automates authentication
based on previously discovered credentials using customized tools. This approach can entail launching millions of attempts
to determine where a user potentially reused their credentials on another website or application. Credential stuffing attacks
prey on password reuse and are only effective because so many users reuse the same credential combinations across multiple
sites.

5. Password Spraying
Password spraying is a credential-based attack that attempts to access many accounts by using a few common passwords. Conceptually, this is the opposite of a brute force password attack. Brute force attempts to gain access to a single account by pumping large quantities of password combinations at it. During a password spray attack, the threat actor attempts a single, commonly used password (such as "12345678" or "Password") against many accounts before proceeding to attempt a second password. Because each account sees only one or two failures, the spray stays below per-account lockout thresholds, which is why defenders must look for the pattern across accounts rather than within one.
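The following added example (not code from the original text) shows what that cross-account view looks like in practice. It runs a simple detector over a constructed authentication log: one source tries a single password against five accounts in quick succession and then succeeds on a sixth (the spray, with the success being the account to treat as compromised), another source hammers one account (ordinary online brute force), and a third is a user who mistypes once. The log format, IP addresses, user names and thresholds are all assumptions; real sources such as Windows event 4625, sshd entries in auth.log or an identity provider's sign-in log carry the same fields under different names.

```python
"""Password-spray detection over a constructed authentication log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log, one event per line: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 198.51.100.7 alice FAIL
2024-03-01T09:00:02 198.51.100.7 bob FAIL
2024-03-01T09:00:03 198.51.100.7 carol FAIL
2024-03-01T09:00:04 198.51.100.7 dave FAIL
2024-03-01T09:00:05 198.51.100.7 erin FAIL
2024-03-01T09:00:06 198.51.100.7 frank SUCCESS
2024-03-01T09:05:00 203.0.113.9 alice FAIL
2024-03-01T09:05:10 203.0.113.9 alice FAIL
2024-03-01T09:05:20 203.0.113.9 alice FAIL
2024-03-01T09:05:30 203.0.113.9 alice FAIL
2024-03-01T09:05:40 203.0.113.9 alice FAIL
2024-03-01T09:05:50 203.0.113.9 alice FAIL
2024-03-01T09:30:00 192.0.2.44 gina FAIL
2024-03-01T09:30:15 192.0.2.44 gina SUCCESS
"""


def parse(log_text: str):
    """Return [(timestamp, ip, user, result)] in file order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect(events, window=timedelta(minutes=10), min_accounts=5,
           max_per_account=2, brute_threshold=5):
    """Classify each source IP by the shape of its failures inside a sliding window.

    password_spray: failures spread over >= min_accounts users with at most
                    max_per_account each (many accounts, few tries each).
    brute_force:    >= brute_threshold failures against a single user.
    Any success from a spraying IP after the spray began is reported as a
    likely compromised account. Thresholds are assumptions to tune per site."""
    fails = defaultdict(list)      # ip -> [(ts, user)]
    successes = defaultdict(list)  # ip -> [(ts, user)]
    for ts, ip, user, result in events:
        (fails if result == "FAIL" else successes)[ip].append((ts, user))

    findings = {}
    for ip, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1                      # slide the window forward
            per_user = defaultdict(int)
            for _, user in items[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                since = items[start][0]
                findings[ip] = {
                    "type": "password_spray",
                    "accounts": sorted(per_user),
                    "successes_after": sorted({u for t, u in successes[ip] if t >= since}),
                }
                break
            if len(per_user) == 1 and per_user[items[end][1]] >= brute_threshold:
                findings[ip] = {"type": "brute_force", "accounts": sorted(per_user)}
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

Grouping by source IP is the simplest key; a spray spread across a botnet or a cloud provider's address pool will not trigger this rule, so production detections also key on user agent, ASN or the password-failure reason code, and alert on the site-wide ratio of distinct-account failures over time.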

Best practices protecting against password cracking


Implementing effective practices to protect against password cracking is crucial in maintaining strong cybersecurity. Here
are some recommended best practices:
1) Conduct Data Security Reviews: Regularly review and monitor data security to detect and track password attacks,
enabling timely responses and improvements in security measures.
2) Avoid Password Reuse: Refrain from using the same password across different accounts or during password
changes to enhance overall security.
3) Do Not Share Passwords: Emphasize not sharing passwords, promoting individual account security and
preventing unauthorised access.
4) Avoid Common Words or Phrases: Discourage the use of passwords that can be easily found in dictionaries,
promoting the use of strong and unique combinations.
5) Avoid Plain Text or Weak Hashing: Never store passwords in plain text, in reversible encryption, or as a fast unsalted hash; store them as salted, deliberately slow hashes (bcrypt, scrypt, Argon2 or PBKDF2) so that a leaked database is expensive to crack.
6) Set a Sensible Password Change Policy: Require a change whenever there is evidence of compromise (a breach, a leaked hash dump, a phished credential). Mandatory changes at fixed intervals such as every 30 days were long recommended, but current guidance (NIST SP 800-63B) advises against them because they push users toward predictable variations of the old password.
7) Secure Password Storage: Ensure passwords are stored securely and not in vulnerable locations, minimizing the
risk of unauthorised access.
8) Avoid Default Passwords: Discard the use of default passwords on computers or servers, replacing them with
strong, unique passwords to prevent unauthorised entry.
9) Keep Systems Updated: Regularly update and patch computer systems so that vulnerabilities such as buffer overflows cannot be exploited to bypass authentication, reset passwords or dump the credential store.
10) Enable Account Lockout: Implement account lockout policies specifying the number of login attempts allowed,
counter time, and lockout duration, enhancing security against brute-force attacks.
11) Automate Password Resets: Employ automated password reset mechanisms to manage passwords effectively
within organisations, promoting security and password hygiene.
12) Set BIOS/UEFI Passwords: Protect the firmware setup and boot order with a password on computers and servers, particularly on devices exposed to significant risk such as unattended or unprotected PCs, so that an attacker with physical access cannot boot other media to read the stored password hashes; combine this with full-disk encryption.
By following these best practices, organisations can significantly improve their resilience against password cracking
attempts and bolster their overall cybersecurity posture.
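Items 5 and 7 above are usually what decide whether a leaked dump is crackable at all. The following added example (not code from the original text) shows the storage side using only Python's standard library: a random 16-byte salt per user, PBKDF2-HMAC-SHA256 with a deliberately high iteration count, a self-describing record so the cost can be raised later, and a constant-time comparison on verification. The record format and the iteration count are assumptions chosen for the example; in production a dedicated library such as bcrypt, scrypt or Argon2 is preferable, but the three properties shown (per-user salt, slow function, constant-time compare) are what defeat the offline attacks described earlier.

```python
"""Salted, slow password hashing with the standard library (added example)."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000    # assumption: tune so one hash costs tens of milliseconds


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2$<iterations>$<salt hex>$<hash hex>'."""
    salt = os.urandom(16) if salt is None else salt      # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False                          # malformed record
    if algo != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not short-circuit on the first differing byte,
    # so timing does not leak how much of the hash matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a lower cost than current policy, so the
    application should re-hash on the user's next successful login."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Tr0ub4dor&3", rec))                     # False
```

Two users with the same password get different records because their salts differ, so an attacker cannot tell from the dump that they share a password, and a table precomputed for one salt is useless for every other one. The stored iteration count lets the policy be tightened later without forcing a reset: needs_rehash() flags old records and the application re-hashes the password the next time the user presents it.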

3.6 KEYLOGGER
 A keylogger, also known as keystroke logger or keystroke recorder, is a type of software, hardware, or a
combination of both that records every keystroke made on a computer or mobile device. This includes not only the
characters typed but also special keys, function keys, and keyboard shortcuts.
 The primary purpose of a keylogger is to secretly monitor and capture a user's keystrokes without their knowledge.
Keyloggers are a particularly insidious type of spyware that can record and steal consecutive keystrokes (and much
more) that the user enters on a device.
 The term keylogger, or "keystroke logger," is self-explanatory: Software that logs what you type on your keyboard.
However, keyloggers can also enable cybercriminals to eavesdrop on you, watch you on your system camera, or
listen over your smartphone's microphone.
 Keyloggers, whether categorized as tools or malicious software, capture and log the keystrokes executed on a
system, subsequently storing this data in a file. The individual employing this malware can access and review the
recorded keystrokes. Keyloggers can manifest as software or hardware devices. In terms of operation, keyloggers
are primarily utilised to surreptitiously capture sensitive data such as passwords, bank information, and other
confidential details.
 The first keylogger emerged in the 1970s as a hardware device, and the first software-based keylogger was
developed in 1983. Since then, keyloggers have evolved and become increasingly sophisticated, posing a significant
threat to users' privacy and security.

3.6.1 Types of Keyloggers


Keyloggers can be categorised based on their functionality, deployment methods, and visibility. Some common types of
keyloggers are:
1. Software-based Keyloggers: Software-based keyloggers are applications or programs installed on a computer or
mobile device. They run in the background and capture keystrokes, storing the logged data either locally or
transmitting it to a remote server.
2. Hardware-based Keyloggers: Hardware-based keyloggers are physical devices inserted between a keyboard and
a computer or integrated directly into a keyboard. They intercept and record keystrokes at a hardware level before
the data reaches the computer.
3. Wireless Keyloggers: Wireless keyloggers intercept and record keystrokes transmitted between a wireless
keyboard and its receiver. They can be either hardware or software-based and capture data over a wireless
connection.
4. Kernel or Rootkit-based Keyloggers: Kernel-based keyloggers operate at the kernel level of the operating system,
making them difficult to detect. They can capture keystrokes before they reach applications, providing a stealthy
means of monitoring.
5. Remote Keyloggers: Remote keyloggers transmit captured keystrokes to a remote server controlled by an attacker.
These keyloggers are often software- based and are designed to remain undetected while sending data to a remote
location.
6. Form-grabbing Keyloggers: Form-grabbing keyloggers capture and record information entered into online forms,
including login credentials and personal details. They focus on collecting data from web forms.
7. Memory Injection Keyloggers: Memory injection keyloggers use techniques to inject malicious code into a
running process or the memory of a system. This allows them to capture keystrokes and other sensitive information.
8. Script-based Keyloggers: Script-based keyloggers use scripts (e.g., JavaScript) embedded in websites to capture
keystrokes entered into online forms. They can be hidden within malicious websites.
9. Time-based Keyloggers: Time-based keyloggers capture keystrokes at specific time intervals, recording the
entered characters within those intervals. This helps reduce the amount of captured data.
10. SMS-based Keyloggers: SMS-based keyloggers capture and intercept text messages and keystrokes entered on
mobile devices. They can transmit the captured data to a predefined phone number or server.
11. Remote Administration Tool (RAT) Keyloggers: RAT keyloggers are part of a remote administration tool,
providing complete control over a victim's computer. They often include keylogging as one of their features.

3.6.2 Prevention from Keyloggers


A few common methods for preventing keyloggers include:
1. Anti-keyloggers: As the name suggests, these are software tools whose main task is to detect and remove keyloggers from a computer system.
2. Anti-virus: Many anti-virus products detect and remove software keyloggers from the computer system. Because they are software, they cannot detect a hardware keylogger plugged in between the keyboard and the computer.
3. Automatic form filler: Instead of typing credentials into forms, the user lets a password manager or form filler insert them. No keys are pressed, so a keystroke logger captures nothing.
4. One-time passwords: With an OTP a new password is used at every login, so a captured password is useless once it has been used.
5. Patterns or mouse recognition: On Android devices a pattern can be used instead of a typed password, and on a PC a mouse-gesture program can be used; neither produces keystrokes to log.
6. Voice-to-text converter: Dictating text instead of typing it defeats keyloggers that capture keyboard input (though not spyware that records the microphone).

3.7 SPYWARE
 Spyware is malicious software that enters a user's computer, gathers data from the device and user, and sends it to
third parties without their consent. A commonly accepted spyware definition is a strand of malware designed to
access and damage a device without the user's consent. Spyware collects personal and sensitive information that it
sends to advertisers, data collection firms, or malicious actors for a profit.
 Attackers use it to track, steal, and sell user data, such as internet usage, credit card, and bank account details, or
steal user credentials to spoof their identities.
 Spyware is one of the most used cyberattack methods; it can be difficult for users and businesses to identify and can do serious harm to networks. It leaves businesses vulnerable to data breaches and data misuse, often degrades device and network performance, and slows down user activity.
 Spyware is malicious software that is designed to monitor and collect information from a user's device without their
knowledge or consent. It often operates in the background, covertly gathering data about a user's online activities,
browsing habits, passwords, keystrokes, personal information, and more. The collected data is then sent to a remote
server controlled by the attacker or entity behind the spyware.
 Spyware usually gets onto a laptop or computer when a user unintentionally clicks on a random unknown link or opens an unknown attachment that downloads the spyware alongside it, or as a hidden component of free or shared software. It is a best practice to be cautious about the sites used for downloading content onto the system. Spyware steals a user's personal or business information without permission or authorisation and sends it to a third party.
 Spyware maliciously tracks a user's activity, gains access to data, and can even crash the computer. In many cases it runs as a background process and slows down the normal functioning of the computer system.
Key characteristics and aspects of spyware:
1. Stealthy Operation: Spyware operates discreetly and is often difficult to detect by the user. It runs silently in the
background, capturing data without the user's awareness.
2. Data Collection: Spyware can collect a wide range of information, including keystrokes, passwords, login
credentials, browsing history, e-mail content, chat logs, personal information, and more.
3. Information Leakage: The gathered data is transmitted to the attacker's server or a predefined location, where it
can be accessed and exploited for various malicious purposes.
4. Adware vs. Spyware: While adware displays unwanted advertisements, spyware goes beyond this by secretly
collecting user data. Some adware, however, may have spyware components.
5. Infiltration Methods: Spyware can infiltrate a device through malicious e-mail attachments, infected websites,
software downloads, freeware or shareware bundles, phishing, or exploiting software vulnerabilities.
6. Keylogging and Screen Capture: Some spyware variants record keystrokes and take screenshots, allowing
attackers to capture sensitive information, passwords, and user interactions.
7. Financial and Identity Theft: Spyware can be used for financial fraud, identity theft, stealing banking information,
credit card numbers, and other confidential data.
8. Browser Hijacking: Spyware can manipulate browser settings, change the default search engine, modify the
homepage, or redirect the user to malicious websites.
9. Remote Control: Advanced spyware may allow attackers to remotely control the infected device, execute
commands, or even download and install additional malware.
10. Legitimate Purposes: While spyware is typically malicious, there are instances where monitoring software is used
legally for parental control or employee monitoring with explicit consent and appropriate notifications.
Protecting against spyware involves implementing robust cybersecurity practices, such as using reputable antivirus and
anti-malware software, regularly updating operating systems and applications, being cautious of e-mail attachments and
suspicious websites, and being mindful of the sources from which software is downloaded. Additionally, educating users
about potential risks and the importance of safe browsing practices is crucial in mitigating the threat of spyware.

3.7.1 Types of Spyware


Cybercriminals employ a range of spyware variants to infiltrate users' computers and devices. All of them are designed to
collect data for the attacker. The less sophisticated types simply monitor and transmit data to a third party; the more
advanced and dangerous varieties go a step further and make alterations to the user's system that expose it to additional
security risks.
Some of the most common types of spyware include:
1. Adware: This sits on a device, monitors the user's activity and then sells the data to advertisers or malicious actors,
or serves up malicious ads.
2. Info stealer: This type of spyware collects information from the device, scanning it for specific data such as saved
credentials, documents and instant messaging conversations.
3. Keyloggers: Also known as keystroke loggers, keyloggers are a type of info stealer. They record the keystrokes a user
makes on the infected device and save them to a log file (often encrypted, so that the contents are not obvious on
inspection). This captures everything the user types, such as e-mail content, passwords, text messages and usernames.
4. Rootkits: These enable attackers to infiltrate devices deeply by exploiting security vulnerabilities or logging in as an
administrator. A rootkit hides its presence from the operating system, so it is difficult, and sometimes practically
impossible, to detect from the infected system itself.
5. Red Shell: This spyware covertly installs itself when a user installs certain PC games and then monitors their online
activity. It is typically employed by developers to analyse how their games are used and to bolster their marketing.
6. System monitors: These track user activity on the computer, capturing information such as e-mails sent, social media
and other sites visited, and keystrokes.
7. Tracking cookies: Tracking cookies are dropped onto a device by a website and then used to follow the user's online
activity across sites.
8. Trojan-delivered spyware: This spyware enters a device inside a Trojan horse, a program that looks legitimate but whose
real job is to deliver the spyware. (A Trojan is not a virus: it does not replicate itself.)
Most spyware targets Windows computers and laptops, but attackers are increasingly targeting other kinds of devices.
1. Apple device spyware: Malware targeting Apple devices, particularly Mac computers, has increased rapidly in the last
few years. Mac spyware behaves much like its Windows counterparts but is typically of the password-stealing or backdoor
type; attackers use it for keylogging, password phishing, remote code execution and screen capture.
2. Mobile spyware: Spyware targeting mobile devices steals data such as call logs, browser history, contact lists, photos
and short message service (SMS) messages. Certain types also log keystrokes, record with the device's microphone, take
photos and track location with the Global Positioning System (GPS). Others take control of the device through commands
received by SMS, by data transfer or from a remote server. Attackers can also use mobile spyware to breach an organisation
through its employees' mobile devices, which the security team may monitor less closely than desktops.
What Does Spyware Do?
All forms of spyware are designed to clandestinely observe a user's activities on their device, monitoring websites visited
and data gathered or shared. Their primary objective is to track user actions, acquire login credentials, and identify sensitive
data.
Some variants of spyware can also install additional software on the user's device, giving the attacker the ability to
alter the device. In general, though, spyware follows a three-stage process, from its installation on a device to the
transmission or sale of the stolen information.
1. Infiltration: Spyware gains access to a device through various means such as application installation packages,
malicious websites, or file attachments.
2. Monitoring and Capture: Once installed, spyware begins its surveillance, tracking the user's internet activities,
capturing the data they generate, and stealing vital credentials and passwords. This is accomplished through
techniques like screen captures, keystroke logging, and tracking codes.
3. Transmission or Sale: After collecting the essential data, the attacker proceeds to either employ it for their purposes
or offer it for sale to third parties. If used, the acquired user credentials could be employed to impersonate the user
or as part of larger cyberattacks against businesses. Alternatively, if sold, the data could generate profit through
transactions with data organisations, fellow hackers, or by being placed on the dark web.
This process enables attackers to amass and sell highly sensitive information, encompassing the user's e-mail addresses and
passwords, internet usage patterns, financial particulars, and account Personal Identification Number (PIN) codes.
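Of the three stages, transmission is the one most visible from the network: the captured data leaves the host as small, regular uploads to the same outside address. The following added example, which is not part of the original text, flags such beaconing in a set of connection records. The records, the IP addresses and the thresholds (at least 8 connections, inter-arrival jitter of at most 15% of the mean interval) are constructed assumptions for illustration.

```python
"""Flag beacon-like traffic: one internal host contacting the same outside
address at near-constant intervals, as spyware does when it phones home.

Added example; the connection records below are constructed for
illustration and the thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASE_TS = 1_700_000_000  # arbitrary epoch seconds for the constructed data


def _conns(src, dst, offsets, nbytes):
    """Build (timestamp, src, dst, bytes_out) tuples at the given offsets."""
    return [(BASE_TS + off, src, dst, nbytes) for off in offsets]


# Constructed records (TEST-NET addresses, not real hosts):
#  - 10.0.0.5 uploads ~600 bytes to 203.0.113.9 roughly every 60 s (beacon)
#  - 10.0.0.7 makes a handful of irregular connections (normal browsing)
#  - 10.0.0.9 talks often to one host, but with very irregular timing
RECORDS = (
    _conns("10.0.0.5", "203.0.113.9",
           [0, 60, 121, 180, 241, 300, 359, 420, 481, 540, 600, 661], 600)
    + _conns("10.0.0.7", "198.51.100.3", [12, 95, 400, 1500, 1510], 2400)
    + _conns("10.0.0.9", "198.51.100.8",
             [0, 5, 200, 230, 900, 905, 1300, 2000, 2100, 3500], 900)
)


def find_beacons(records, min_connections=8, max_jitter=0.15):
    """Return one finding per (src, dst) pair whose connection intervals are
    regular enough to look machine-driven rather than human-driven."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue  # too few samples to judge regularity
        conns.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period  # coefficient of variation of the gaps
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(conns),
                "period_s": round(period, 1),
                "jitter": round(jitter, 3),
                "bytes_out": sum(n for _, n in conns),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(RECORDS):
        print(f"beacon: {f['src']} -> {f['dst']} every ~{f['period_s']}s "
              f"(jitter {f['jitter']}, {f['bytes_out']} bytes out)")
```

A regular interval is a lead, not proof: software updaters and monitoring agents beacon too. Confirm by identifying the process that owns the connection on the host and checking whether the destination is on an allowlist.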

3.7.2 How Spyware Attacks Your System


Spyware employs several tactics to infiltrate and compromise systems while avoiding detection. Attackers are skilled at
disguising spyware to deceive users into inadvertently allowing its installation:
1. Camouflaging within Regular Downloads and Websites: Spyware is concealed within seemingly legitimate
downloads and websites, encouraging users to open them without suspicion. These deceptive files coexist with
trusted programs and websites, exploiting code vulnerabilities or embedding themselves in fraudulent applications
and websites.
2. Bundleware: A common method for deploying spyware is through bundleware. It involves attaching spyware to
other software packages that users download or install. As a result, spyware is installed without the user's knowledge
or consent. Some bundleware packages coerce users into agreeing to download a complete software bundle,
unbeknownst to them.
3. Exploiting Code Vulnerabilities: Spyware can take advantage of weaknesses in software code and hardware,
exploiting vulnerabilities to gain unauthorised access to devices and systems. This is a common method for
implanting spyware.
4. Compromised or Spoofed Websites: Like other types of malware, spyware can infiltrate a computer through compromised
or fake websites. These websites may appear genuine but are designed to deliver spyware to unsuspecting visitors.
5. Flaws in Operating Systems: Attackers target vulnerabilities in operating systems, especially mobile ones. Details of a
flaw often become public when the fix is released, leaving devices that have not yet installed the update exposed.
6. Malicious Applications: Spyware may hide within seemingly legitimate mobile applications that users download
from unofficial websites rather than official app stores.
7. Unsecured Free Wi-Fi Networks: Attackers can exploit the lax security of public Wi-Fi networks in places like
airports and cafes to eavesdrop on users' activities and potentially deliver spyware.
These methods allow spyware to infiltrate and compromise a wide range of devices, from computers and laptops to mobile
phones and tablets. Windows systems are still the most frequently targeted, but cybercriminals are developing techniques
for Apple and mobile devices as well.
Users can also inadvertently introduce spyware to their devices through actions such as accepting cookie consent requests
from insecure websites, clicking on malicious links, opening harmful attachments, downloading content from pirated or
spoofed websites, and installing malicious mobile apps.

Problems Caused by Spyware


The effects of spyware are wide-ranging. Some could go unseen, with users not knowing they have been affected for months
or even years. Others might just cause an inconvenience that users may not realise is the result of being hacked. Some forms
of spyware can cause reputational and financial damage.
Common problems that spyware can result in include:
1. Data theft: One of the most common problems caused by spyware is data theft. Spyware is used to steal users'
personal data, which can then be sold to third-party organisations, malicious actors, or hacking groups.
2. Identity fraud: If spyware harvests enough data, then it can be used for identity fraud. This sees the attacker amass
data like browsing history, login credentials for e-mail accounts, online banking, social networks, and other websites
to spoof or imitate the user's identity.
3. Device damage: Some spyware will be poorly designed, which ends up having a negative effect on the computer
it attaches itself to. This can end up draining system performance and eating up huge amounts of internet bandwidth,
memory, and processing power. Even worse, spyware can cause operating systems to crash, disable internet security
software, and make computers overheat, which can cause permanent damage to the computer.
4. Browsing disruption: Some spyware takes control of the user's search engine to serve up harmful, fraudulent or
unwanted websites. It can also change the homepage, alter computer settings and repeatedly push pop-up ads.
3.7.3 Spyware Protection
Spyware and other malicious attack methods are a constant threat to any device connected to the internet. The first line
of defence against spyware is therefore an internet security solution that includes proactive anti-malware and antivirus
detection. Tools such as antispam filters, cloud-based detection and on-screen (virtual) keyboards, which defeat simple
keyloggers, further reduce the risk. Because some spyware can install software and modify settings on the device, it is
also vital for users to choose strong passwords, never reuse credentials across applications and websites, protect their
accounts with multi-factor authentication (MFA) and keep their devices updated.
In addition to software, there are several steps that can be taken to protect devices and systems:
1. Cookie consent: It is easy to simply click "accept" on the cookie consent pop-ups that appear on nearly every website.
Users should instead consider each request and accept cookies only from websites they trust.
2. Browser extensions: Users can also install anti-tracking extensions that prevent the relentless online tracking of
their activity on web browsers. These extensions can block activity tracking by both reputable sources and malicious
actors, keeping users' data private when they access the internet.
3. Security updates: Keeping software at the latest version is vital to preventing spyware and other types of malware.
Spyware typically makes its way onto devices through gaps in code or vulnerabilities in operating systems, so it is
important to patch promptly and fix known vulnerabilities as soon as updates are available.
4. Avoid free software: It can be appealing to download free software, but doing so can have costly ramifications for
users and their organisations. The free software may be insecure and the creator can make a profit from users' data.
5. Use secure networks: Unsecured Wi-Fi networks are an easy resource for hackers to breach devices. Avoid using
free Wi-Fi networks, and only connect to trusted, secure networks.
6. Best practice and behaviour: Practicing good cybersecurity behaviour is crucial to avoiding spyware. All users
need to be aware of the security risks they face, avoid opening e-mails or downloading files from people they do
not know, and make it a habit to hover over links to check if they are reputable before clicking on them.
Computer and laptop users can follow steps to keep their devices secure. These include enabling and downloading pop-up
blockers on their desktops and limiting allowed applications and permissions. All users should also avoid clicking links or
opening attachments in all e-mails, even those purporting to be from trusted senders, as this is a prime delivery method for
spyware and other malicious attacks.
There are also steps that can be taken to specifically protect mobile devices from spyware. These include:
1. Only download apps from the official store of the operating system, such as the Google Play Store, Apple's App
Store, and official publishers.
2. Be careful about giving permission to apps that track data or location and take control of cameras or microphones.
3. Avoid clicking links in e-mails and SMS messages. Instead, only enter trusted Uniform Resource Locators (URLs)
directly into the browser address bar.
4. Be aware of unexpected warning messages, especially ones that cannot be verified against the service they claim to come from.
3.8 VIRUS AND WORMS
3.8.1 Virus
A virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user.
It is a type of malicious software (malware) that replicates by inserting copies of itself into other programs, files or
areas of a computer's memory, and it is designed to harm a system, its data or its software by altering, corrupting or
destroying files and applications. A virus could corrupt or erase data stored on the computer, exploit e-mail programs to
propagate to other systems, or even wipe an entire hard disk.
A virus is a fragment of code embedded in a legitimate program. Viruses are self-replicating and are designed to infect
other programs. They can wreak havoc in a system by modifying or destroying files, causing system crashes and program
malfunctions. On reaching the target machine, a virus dropper (usually a Trojan horse) inserts the virus into the system.
Viruses can harm the system by the following means:
 Filling up disk space unnecessarily
 Formatting the hard disk drive automatically
 Making the system slow
 Modifying or deleting personal data or system files
 Stealing sensitive data

How does a virus spread?


A virus cannot spread on its own: it needs a host program and a human action to move. A virus is written so that it
attaches itself to executable files, and it spreads when an infected executable or software package is copied from one
device to another. As soon as a person launches the infected file or program, the virus starts replicating itself.
Typically, the infected program continues to work normally after infection. However, some viruses overwrite the files they
infect, destroying the original program altogether. Either way, the virus attaches itself to new executable files and
repeats the whole cycle. This dependence on a host and on user action is why viruses spread more slowly than worms.
Viruses are usually transferred through collaboration apps, e-mail attachments, network shares, hard drives and USB flash
drives.

3.8.2 Types of Viruses


 File Virus: This type of virus infects a program by appending itself to the end of the file and patching the program's
entry point so that control first jumps to the virus code. After the virus code has run, control returns to the original
program, so the infection goes unnoticed. It is also called a parasitic virus because it lives inside a host file and
leaves the host functional rather than replacing it.
 Boot sector Virus: This type infects the boot sector of floppy disks or the master boot record (MBR) of hard disks (some
infect the boot sector of a hard disk partition instead of the MBR). The infected code runs when the system is booted from
an infected disk, during startup and before any security software can load, and once resident it infects other disks
accessed on that computer.
 Macro Virus: Unlike most viruses which are written in a low-level language (like C or assembly language), these
are written in a high-level language like Visual Basic. These viruses are triggered when a program capable of
executing a macro is run. For example, the macro viruses can be contained in spreadsheet files. These viruses
specifically target macro language commands in applications such as Microsoft Word and other programs. In Word,
macros are saved sequences for commands or keystrokes that are embedded in the documents. Macro viruses, or
scripting viruses, can add their malicious code to the legitimate macro sequences in a Word file. Microsoft disabled
macros by default in more recent versions of Word; as a result, hackers have used social engineering schemes to
convince targeted users to enable macros and launch the virus.
 Source code Virus: It looks for source code and modifies it to include virus and to help spread it.
 Polymorphic Virus: A virus signature is a pattern that can identify a virus (a series of bytes that make up virus
code). So, in order to avoid detection by antivirus a polymorphic virus changes each time it is installed. The
functionality of the virus remains the same but its signature is changed.
 Encrypted Virus: In order to avoid detection by antivirus software, the body of this virus is stored in encrypted form.
It carries its own small decryption routine, which runs first and then hands control to the decrypted body; only that
decryptor is visible in plain form on disk.
 Stealth Virus: This is a tricky virus because it hides the changes it has made, making detection very difficult. For
example, it can hook the read system call so that whenever a program asks to read a file modified by the virus, the
original, uninfected contents are returned instead.
 Tunneling Virus: This virus attempts to bypass detection by installing itself in the interrupt handler chain, beneath the
resident interception (behaviour-blocking) programs that sit in that chain, so that it reaches the operating system directly
and those programs are effectively disabled. Similar viruses install themselves in device drivers.
 Multipartite Virus: This type of virus can infect multiple parts of a system including the boot sector, memory, and
files. This makes it difficult to detect and contain.
 Armored Virus: An armored virus is coded to make it difficult for antivirus to unravel and understand. It uses a
variety of techniques to do so like fooling antivirus to believe that it lies somewhere else than its real location or
using compression to complicate its code.
 Browser Hijacker: As the name suggests this virus is coded to target the user's browser and can alter the browser
settings. It is also called the browser redirect virus because it redirects your browser to other malicious sites that
can harm your computer system.
 Memory Resident Virus: A resident virus loads itself into RAM and stays there after its host program exits, interfering
with device operations from memory. It operates covertly and can even attach itself to the antivirus software's own
program files.
 Direct Action Virus: This virus does not stay resident; it replicates and acts only when its host is executed. When a
particular condition is met, it infects files in the current directory or in the directories listed in the AUTOEXEC.BAT
path and then returns control to the host.
 Rootkit viruses: A rootkit virus is a type of malware that installs an unauthorised rootkit on an infected system,
giving attackers full control of the system with the ability to fundamentally modify or disable functions and
programs. Rootkit viruses were designed to bypass antivirus software, which typically scanned only applications
and files. More recent versions of major antivirus and antimalware programs include rootkit scanning to identify
and mitigate these types of viruses.
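The polymorphic, encrypted and armored entries above all attack the same thing: the fixed byte pattern (signature) a scanner looks for. The following added example, which is not code from the original text, makes that concrete with a toy "sample" format and a one-byte XOR cipher (both constructed assumptions, not a real executable format or real malware): a plain copy is caught by a body signature, an encrypted copy defeats it but is caught by a signature on its fixed decryptor stub, a polymorphic copy varies the stub as well, and only a scanner that emulates the decryptor before scanning catches all three.

```python
"""Why byte signatures fail against encrypted and polymorphic code, and how
generic decryption (running the decryptor before scanning) recovers them.

Added example: the payload, the container layout and the one-byte XOR
"cipher" are toy constructions, not a real executable format, real malware
or a real antivirus engine.
"""
import random

# Constructed payload and the byte signature a scanner would carry for it.
PAYLOAD = b"\x90\x90TOY-PAYLOAD: append self to *.exe\x90\x90"
BODY_SIGNATURE = b"TOY-PAYLOAD"

# Assumed container layout for a "sample":
#   plain:      b"PLN" + payload
#   encrypted:  b"ENC" + n (1 byte) + junk (n bytes) + key (1 byte) + xor(payload, key)
# A fixed-stub encrypted virus always emits n = 0, so its stub starts with the
# same four bytes in every copy; the polymorphic engine varies n and the junk.
FIXED_STUB_SIGNATURE = b"ENC\x00"


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_plain() -> bytes:
    return b"PLN" + PAYLOAD


def make_encrypted(rng: random.Random, polymorphic: bool) -> bytes:
    key = rng.randrange(1, 256)  # a key of 0 would leave the body in clear
    n = rng.randrange(1, 9) if polymorphic else 0
    junk = bytes(rng.randrange(256) for _ in range(n))
    return b"ENC" + bytes([n]) + junk + bytes([key]) + xor(PAYLOAD, key)


def static_scan(sample: bytes, signatures) -> bool:
    """Classic signature scan: the pattern either occurs in the file or not."""
    return any(sig in sample for sig in signatures)


def emulate_and_scan(sample: bytes, signatures) -> bool:
    """Generic decryption: follow the stub's own logic to rebuild the body,
    then scan the result with the same body signature."""
    if sample.startswith(b"PLN"):
        body = sample[3:]
    elif sample.startswith(b"ENC"):
        n = sample[3]
        key = sample[4 + n]
        body = xor(sample[5 + n:], key)
    else:
        return False
    return static_scan(body, signatures)


def demo(seed: int = 7) -> dict:
    """Run every scanner against every variant; returns the detection matrix."""
    rng = random.Random(seed)
    samples = {
        "plain": make_plain(),
        "encrypted": make_encrypted(rng, polymorphic=False),
        "polymorphic": make_encrypted(rng, polymorphic=True),
        "benign": b"PLN" + b"hello, world",
    }
    return {
        name: {
            "body_sig": static_scan(s, [BODY_SIGNATURE]),
            "stub_sig": static_scan(s, [FIXED_STUB_SIGNATURE]),
            "emulated": emulate_and_scan(s, [BODY_SIGNATURE]),
        }
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:12s} body_sig={hits['body_sig']!s:5s} "
              f"stub_sig={hits['stub_sig']!s:5s} emulated={hits['emulated']}")
```

Real engines bound the emulation by time and instruction count, which is exactly what armored viruses try to exhaust; the toy emulator here needs no such limit because the stub format is known in advance.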

3.8.3 Prevention from Viruses


Preventing viruses and maintaining a secure computing environment involves a combination of good practices,
cybersecurity measures, and vigilant behavior. Here are essential steps to help prevent viruses:
1) Install Antivirus Software: Use reputable antivirus software and keep it up to date. Ensure it includes real-time
scanning and automatic updates to protect against the latest threats.
2) Update Operating Systems and Software: Regularly update your operating system, applications, and software to
patch vulnerabilities and weaknesses that could be exploited by viruses.
3) Exercise Caution with E-mail: Avoid opening e-mail attachments or clicking on links from unknown or suspicious
sources. Be wary of phishing e-mails that may contain virus-laden attachments or malicious links.
4) Use a Firewall: Enable and configure a firewall to filter incoming and outgoing network traffic, adding an extra
layer of security against unauthorised access and malicious activity.
5) Be Cautious with Downloads: Download files, software, and applications only from reputable and official sources.
Avoid downloading from unknown or untrusted websites or torrents.
6) Enable Automatic Updates: Turn on automatic updates for your operating system and applications to ensure you
receive the latest security patches and bug fixes.
7) Secure Your Network: Use strong passwords for your Wi-Fi network and router. Enable network encryption (WPA3, or
WPA2 where WPA3 is not available) and change the default login credentials to protect against unauthorised access.
8) Use Strong Passwords: Create complex passwords for all your accounts, including a mix of letters, numbers, and
special characters. Avoid using easily guessable passwords and consider using a password manager.
9) Regular Backups: Regularly back up your important files and data to an external drive or a secure cloud service.
In the event of a virus infection, you can restore your data without paying a ransom or losing vital information.
10) Educate Yourself and Users: Stay informed about the latest cybersecurity threats and educate yourself and others
about safe online practices, including recognising phishing attempts and suspicious behavior.
11) Disable Autorun: Turn off the autorun feature on your computer to prevent viruses from spreading via removable
devices automatically.
12) Implement User Account Control (UAC): Enable UAC on your operating system to prompt for permission before
allowing changes to your system, adding an extra layer of security.
13) Use a Virtual Private Network (VPN): When using public Wi-Fi, utilise a VPN to encrypt your internet traffic
and enhance privacy and security.
14) Regular Security Audits: Conduct periodic security audits and vulnerability assessments to identify and address
potential security risks and weaknesses.
Staying proactive, informed, and adopting a security-first mindset are crucial steps in protecting your devices and data from
viruses and other cyber threats.
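The boot sector virus described in 3.8.2 has to replace or redirect the bootstrap code in the master boot record (MBR) in order to run before the operating system, and the security audit item above is where such a change would be caught. The following is an added example, not code from the original text: it parses a 512-byte MBR and compares its boot code with a hash recorded while the machine was known to be clean. The layout used is the standard PC MBR; the sample sectors, the disk signature value and the "golden" hash are constructed for illustration.

```python
"""Parse a 512-byte master boot record and compare its bootstrap code with a
hash recorded when the machine was known to be clean; a boot sector virus
has to change that code to run before the operating system does.

Added example, not from the original text. The MBR layout used here is the
standard PC one (440 bytes of boot code, a 4-byte disk signature, 2 reserved
bytes, four 16-byte partition entries, and the 0x55AA signature); the sample
sectors and the "golden" hash are constructed for illustration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its boot code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means an empty slot
            partitions.append({"slot": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, golden_boot_code_sha256: str) -> list:
    """Return human-readable findings; an empty list means nothing changed."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != golden_boot_code_sha256:
        findings.append("boot code differs from the recorded baseline "
                        "(boot sector virus/bootkit, or a legitimate bootloader update)")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) > 1:
        findings.append("more than one partition is flagged bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable Linux partition, valid signature."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)  # constructed disk signature
    # slot 0: bootable (0x80), type 0x83 (Linux), starts at LBA 2048, 204800 sectors
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF,
                     0x80, b"\x00\x21\x00", 0x83, b"\xfe\xff\xff", 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed clean and tampered boot code (not real bootloader or virus code):
CLEAN_BOOT_CODE = b"\xeb\xfe" + b"\x00" * 438     # "jmp $" then padding
TAMPERED_BOOT_CODE = b"\xeb\x3c" + b"\x00" * 438  # jump target redirected

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
GOLDEN_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, GOLDEN_HASH))
    print("tampered:", check_mbr(build_sample_mbr(TAMPERED_BOOT_CODE), GOLDEN_HASH))
```

On a Linux host the live sector is read as root with dd if=/dev/sda of=mbr.bin bs=512 count=1; record the hash after each legitimate bootloader change and re-check it during the periodic audit. On UEFI systems the equivalent check covers the bootloader files on the EFI System Partition and the Secure Boot state rather than the MBR.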

3.8.4 Some Famous Computer Viruses


Several notorious pieces of malware have left a significant mark on the history of cybersecurity. Strictly speaking, most
of the entries below are worms or Trojans rather than viruses, but they are commonly grouped together:
1) ILOVEYOU (Love Bug) (2000): Spread via e-mail as a love letter, this virus infected millions of computers
globally, causing massive financial damage by overwriting files and stealing passwords.
2) Melissa (1999): A macro virus spread through e-mail attachments, it replicated itself and sent infected documents
to the first 50 people in the victim's address book.
3) WannaCry (2017): A ransomware worm that exploited a Windows SMB vulnerability, encrypting files and demanding a
ransom. It affected hundreds of thousands of computers in over 150 countries.
4) Code Red (2001): A worm that targeted Microsoft IIS web servers, defacing websites and slowing down internet
traffic by launching a DDoS attack against the White House's website.
5) Conficker (2008): A worm that spread across Windows-based systems, exploiting vulnerabilities and creating a
botnet. It's estimated to have infected millions of computers worldwide.
6) Blaster (MSBlast) (2003): An internet worm that exploited a Windows DCOM RPC vulnerability; infected computers were
set to launch a Distributed Denial of Service (DDoS) attack against windowsupdate.com, and the worm's spread slowed network
traffic.
7) Sasser (2004): A worm that exploited a vulnerability in the Windows LSASS service, causing infected systems to crash
and reboot continuously.
8) Nimda (2001): A multifaceted worm that spread via e-mail, websites, and network shares, causing a wide range of
damage, including slowing down internet traffic.
9) Slammer (SQL Slammer) (2003): An internet worm that exploited a vulnerability in Microsoft SQL Server. It fitted in a
single UDP packet and caused a significant internet slowdown by generating a massive amount of network traffic.
10) Mydoom (2004): A worm that spread via e-mail and peer-to-peer networks, creating a backdoor for hackers and
launching DDoS attacks on specific targets.
11) Stuxnet (2010): A sophisticated worm designed to target supervisory control and data acquisition (SCADA)
systems, notably Iran's nuclear program, causing physical damage to centrifuges.
12) Zeus (2007): A Trojan horse that targeted Windows systems, stealing sensitive information such as banking
credentials and personal data.
These viruses have had a significant impact on the world of cybersecurity, influencing how security measures are designed
and implemented to counter evolving threats.
3.8.5 Worm
 A computer worm is malicious software that reproduces itself autonomously and infects other computer systems while
remaining active on the devices it has already infected.
 Worms replicate in order to reach computers that are not yet infected. Typically this is achieved by exploiting parts of
an operating system or network service that run automatically and without the user noticing.
 As it moves from computer to computer, a worm leaves a copy of itself running in each machine's memory.
 A worm finds a vulnerability on one computer and then spreads through the connected network like an illness, constantly
looking for new holes.
 Like viruses, worms are also spread by e-mail attachments from seemingly trustworthy senders; such worms then mail
themselves to every contact in the victim's address book. Some worms only reproduce and then go dormant, while others
inflict harm; the part of the worm that does the damage is called its payload.
How do worms work?
 A worm exploits a network-reachable flaw: an unpatched service or an unguarded entry point (a "back door") into the
network. Unlike a virus, it does not wait for a user to run an infected program.
 Many worms are nevertheless seeded by social engineering. The attacker sends a message with an innocuous or urgent-
sounding lure, such as an "invoice", so that the recipient opens the attachment or clicks the link willingly.
 Once running, the worm copies itself and searches for further targets, for example by scanning the local network for the
same vulnerable service or by mailing copies of itself to the victim's contacts.
 Many worms carry a payload: code that runs on each infected host, such as ransomware, a backdoor or another piece of
malware.
 The worm's operator can also harness the infected machines' resources, grouping them into a botnet that is then used for
denial-of-service attacks or cryptocurrency mining.
 Unexpected e-mails, links and attachments therefore deserve suspicion, since they remain the most common way a worm
gains its first foothold.

3.8.6 Types of Computer Worms


Malicious computer worms come in a variety of forms:
1. E-mail worms: To spread, an e-mail worm creates and sends outbound messages to every address in the user's contact
list. Each message carries a malicious executable attachment (or a link to one) that infects the recipient's system when
opened. Successful e-mail worms rely on social engineering and phishing techniques to persuade recipients to open the
attachment.
2. File-sharing worms: These worms disguise themselves as media or document files on shared drives and removable media.
Stuxnet, one of the best-known worms of all time, had two parts: a worm that spread via infected USB devices, and a
payload that targeted supervisory control and data acquisition (SCADA) systems. Industrial environments such as power
utilities, water supply services and sewage plants are frequent targets of file-sharing worms.
3. Crypto worms: Crypto worms encrypt data on the victim's computer. They are used in ransomware attacks, in which the
attackers demand payment in exchange for the key needed to decrypt the files.
4. Internet worms: Some worms are designed to attack prominent websites that have weak security. Once the site is
compromised, it can infect computers that visit it, and the worm then propagates from the infected PC to other devices
over internet and private network connections.
5. Instant messaging worms: Like e-mail worms, these arrive as attachments or links, which the worm uses to spread
throughout the infected user's contact list. The only difference is that the lure arrives as an instant message on a chat
service rather than as an e-mail. If the worm has not yet had time to replicate itself on the machine, it can usually be
stopped by resetting the user's chat service account password.

Preventing computer worms


Preventing computer worms involves implementing a combination of security practices, network defenses, and user
education. Here are essential steps to help prevent computer worms and minimise their impact:
 Keep Software Up-to-Date: Regularly update your operating system, applications, and antivirus software to patch
vulnerabilities and weaknesses that worms could exploit.
 Use a Firewall: Implement a firewall and configure it to filter incoming and outgoing network traffic. This helps
prevent unauthorised access and the spread of worms.
 Install a Reliable Antivirus and Anti-malware Software: Use reputable antivirus and anti-malware solutions.
Keep them up to date to detect and remove potential worm infections.
 Enable Automatic Updates: Turn on automatic updates for your operating system and applications to ensure you
receive the latest security patches and bug fixes.
 Exercise Caution with e-mail and Downloads: Avoid opening e-mail attachments or clicking on links from
unknown or suspicious sources. Download files only from reputable and official sources.
 Implement Network Segmentation: Divide your network into segments to limit the spread of a worm to specific
areas, helping to contain potential infections.
 Use Strong and Unique Passwords: Create strong passwords for all your accounts, and avoid using the same
password across different services. Change passwords regularly.
 Educate Users: Train employees and users about safe browsing habits, the risks of clicking on suspicious links or
downloading attachments, and the importance of keeping software up to date.
 Regular Backup and Recovery Procedures: Regularly back up critical data and files. Store backups in secure
and isolated locations to ensure data recovery in case of a worm attack.
 Implement e-mail Filtering: Use e-mail filtering systems to block malicious attachments, links, and spam that
may contain worm payloads.
 Monitor Network Traffic: Continuously monitor network traffic for unusual or suspicious activity that could
indicate a worm infection.
 Utilise Intrusion Detection and Prevention Systems (IDPS): Employ IDPS to detect and block potential worm
activity on the network.
 Apply the Principle of Least Privilege (PoLP): Grant users the least amount of access necessary to perform their
tasks, reducing the potential damage of a worm spreading through the network.
 Regular Security Audits and Penetration Testing: Conduct security audits and penetration tests to identify and
address vulnerabilities that could be exploited by worms.
By implementing a comprehensive cybersecurity strategy and fostering a security- aware culture, you can significantly
reduce the risk of computer worm infections and their impact on your network and systems.
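The "monitor network traffic" and IDPS items above are where worm propagation is usually caught: a worm hunting for its next victim contacts many distinct hosts on one port in a short time, a pattern no normal client produces. The following added example, which is not part of the original text, implements that fan-out check over a constructed set of flow records; the addresses, the 60-second window and the threshold of 20 distinct destinations are assumptions to tune per segment.

```python
"""Flag worm-style scanning: one source opening connections to many distinct
destinations on the same port inside a short time window, the pattern a
self-propagating worm produces while hunting for the next vulnerable host.

Added example, not from the original text. The flow records, the window
(60 s) and the threshold (20 distinct destinations) are constructed
assumptions; tune them per network segment.
"""
from collections import defaultdict, deque

BASE_TS = 1_700_000_000  # arbitrary epoch seconds for the constructed flows


def detect_fanout(flows, window_s=60, max_distinct_dsts=20):
    """flows: iterable of (timestamp, src, dst, dport). Returns one alert per
    (src, dport) the first time it reaches the threshold inside the window."""
    recent = defaultdict(deque)  # (src, dport) -> deque of (ts, dst), oldest first
    alerted = set()
    alerts = []
    for ts, src, dst, dport in sorted(flows):
        key = (src, dport)
        q = recent[key]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:  # drop flows that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= max_distinct_dsts and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dport": dport,
                           "distinct_dsts": len(distinct),
                           "window_start": q[0][0], "window_end": ts})
    return alerts


def _sweep(src, dst_prefix, first, last, dport, start, step):
    """Constructed flows from src to dst_prefix.first..last, one every `step` s."""
    return [(BASE_TS + start + (i - first) * step, src, f"{dst_prefix}.{i}", dport)
            for i in range(first, last + 1)]


# Constructed flows (all RFC 1918 addresses):
#  - 10.0.1.20 sweeps 10.0.2.1-40 on TCP 445, one host per second (worm-like)
#  - 10.0.1.5 talks repeatedly to three servers on 443 (normal client)
#  - 10.0.1.30 reaches 25 hosts on port 80, but spread over half an hour (backup job)
FLOWS = (
    _sweep("10.0.1.20", "10.0.2", 1, 40, 445, start=100, step=1)
    + [(BASE_TS + 3 * i, "10.0.1.5", f"10.0.3.{1 + i % 3}", 443) for i in range(30)]
    + _sweep("10.0.1.30", "10.0.4", 1, 25, 80, start=0, step=72)
)


if __name__ == "__main__":
    for a in detect_fanout(FLOWS):
        print(f"fan-out: {a['src']} hit {a['distinct_dsts']} hosts on port "
              f"{a['dport']} within {a['window_end'] - a['window_start']}s")
```

The worms in 3.8.4 all fit this shape: Slammer on UDP 1434, Blaster on TCP 135, Conficker and WannaCry on TCP 445. In practice the records come from NetFlow/IPFIX or firewall logs, and an alert should trigger isolation of the source host, which is what the network segmentation item above makes possible.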
Difference between Virus and Worms
Table 3.1 Difference between Virus and Worms
| S.No | Basis of Comparison | Worms | Virus |
|---|---|---|---|
| 1 | Definition | A worm is a form of malware that replicates itself and can spread to different computers via a network. | A virus is malicious executable code attached to another executable file, which can be harmless or can modify or delete data. |
| 2 | Objective | The main objective of worms is to eat up system resources. A worm consumes resources such as memory and bandwidth and slows the system down to such an extent that it stops responding. | The main objective of viruses is to modify the information. |
| 3 | Host | It doesn't need a host to replicate from one computer to another. | It requires a host for spreading. |
| 4 | Harmful | It is less harmful as compared. | It is more harmful. |
| 5 | Detection and protection | Worms can be detected and protected against with antivirus software and a firewall. | Antivirus software is used for protection against viruses. |
| 6 | Controlled by | Worms can be controlled remotely. | Viruses can't be controlled remotely. |
| 7 | Execution | Worms are executed via weaknesses of the system. | Viruses are executed via executable files. |
| 8 | Comes from | Worms generally come from downloaded files or through a network connection. | Viruses generally come from shared and downloaded files. |
| 9 | Symptoms | Hampering computer performance by slowing it down; automatic opening and running of programs; sending of e-mails without your knowledge; affected performance of the web browser. | Pop-up windows linking to malicious websites; hampering computer performance by slowing it down; unknown programs starting after booting; passwords getting changed without your knowledge. |
| 10 | Prevention | Keep your operating system and software updated; avoid clicking on links from untrusted or unknown websites; avoid opening e-mails from unknown sources; use antivirus software and a firewall. | Install antivirus software; never open an e-mail attachment; avoid usage of pirated software; keep your operating system updated. |
| 11 | Types | Internet worms, instant messaging worms, e-mail worms, file sharing worms and Internet Relay Chat (IRC) worms are different types of worms. | Boot sector virus, Direct Action virus, Polymorphic virus, Macro virus, Overwrite virus and File Infector virus are different types of viruses. |
| 12 | Speed | Its spreading speed is faster. | Its spreading speed is slower as compared to worms. |
| 13 | Examples | Examples of worms include Morris worm, Storm worm, etc. | Examples of viruses include Creeper, Blaster, Slammer, etc. |
3.9 TROJAN-HORSES AND BACKDOORS
 A Trojan horse is a type of malware that pretends to be a harmless file or program to trick users into executing it.
 Named after the ancient Greek tale of the Trojan War, where a wooden horse was used to infiltrate Troy.
 It disguises itself using social engineering, hiding malicious code within seemingly legitimate software.
 Unlike viruses or worms, Trojans don't self-replicate; they need to be intentionally installed by a user.
 Capable of taking control of the computer and performing harmful actions like stealing or damaging data.
 Tricks users into loading and executing files on their devices, often through disguised attachments or downloads.
 In cybersecurity, a Trojan appears harmless but is malicious. Unexpected changes in computer settings or unusual
activities may indicate a Trojan's presence.
 Typically hidden in seemingly innocent email attachments or free downloads.
 Once the user opens the attachment or downloads the program, the hidden malware is transferred to the computer.
 Aims to deceive users into thinking it's safe, leading them to unwittingly install and activate the malicious code.
 Unlike viruses or worms, Trojans cannot replicate themselves but rely on user actions for installation.

3.9.1 How Trojan Horse Operates
Characteristics of Trojan Horse
 It pilfers sensitive information like passwords and more.
 It can grant unauthorised remote access to a computer.
 Trojans require user interaction to download and execute, needing the installation of the server side through an
executable file (.exe).
 Spammers maximize email penetration by sending seemingly legitimate attachments containing Trojan viruses.
 Social engineering tricks users into installing malicious software, with concealed files in internet links, pop-up ads,
or banners.
 Trojans spread from infected computers to others, and hackers can transform compromised devices into zombie
computers for remote access.
 Users might unknowingly install Trojans via seemingly legitimate email attachments, activating the malware upon
powering on the infected device.
 A Trojan, once installed, operates silently, remaining undetected until the user takes specific actions, triggering the
intended hacking activity.
 Depending on the Trojan type, it may self-destruct, return to a dormant state, or persistently remain active on the
infected device.

Example of Trojan Horse Attacks
Trojan horse attacks can vary widely in their methods and targets. Here are a few examples of Trojan horse attacks that
have occurred in the past:
 Zeus Trojan (Zbot): Zeus is a notorious banking Trojan that emerged around 2007. It primarily targeted banking
credentials by injecting malicious code into banking websites. Once a user logged in, Zeus would steal their
credentials and other personal information.
 Emotet Trojan: Emotet is a sophisticated Trojan that started as a banking malware but evolved into a major threat.
It's often delivered via malicious e-mail attachments or links and can steal sensitive information, download
additional malware, or act as a delivery mechanism for other malicious payloads.
 Cryptolocker Ransomware: While technically a ransomware, Cryptolocker is often delivered through Trojan
horse methods. It encrypts a user's files and demands a ransom for their release. Victims are coerced into paying
the ransom to get their files decrypted.
 Hancitor Trojan: Hancitor is a Trojan used to deliver other malware payloads, often distributing banking Trojans
or ransomware. It typically spreads via malicious e-mail attachments, pretending to be invoices, receipts, or other
seemingly important documents.
 PoisonIvy RAT: PoisonIvy is a Remote Access Trojan (RAT) used to gain unauthorised remote access to
compromised systems. Attackers use it to steal sensitive information, capture screenshots, and control the infected
system remotely.
 DarkTequila Trojan: DarkTequila is a sophisticated Trojan that targeted banking and financial information. It
primarily affected users in Latin America. The Trojan stole credentials and financial data to conduct fraudulent
transactions.
 Gameover Zeus Trojan: Gameover Zeus was a variant of the Zeus banking Trojan that was used to steal banking
credentials and perform wire fraud. It had a peer-to-peer botnet infrastructure, making it difficult to take down.
 SpyEye Trojan: SpyEye was another banking Trojan that functioned similarly to Zeus. It stole financial
information, credentials, and personal data to carry out fraud and identity theft.
These examples demonstrate the diverse ways in which Trojan horse attacks have been carried out, from stealing sensitive
information to facilitating ransomware attacks and other forms of cybercrime. It's crucial to remain cautious and employ
robust cybersecurity measures to protect against such threats.

3.9.2 Uses of Trojan Horse
Trojan horses, a type of malicious software (malware), are deceptive and harmful programs disguised as legitimate or
desirable software. Cybercriminals use them for a variety of malicious purposes, often with the intent to exploit or harm
users and their systems. Here are some common uses of Trojan horse malware:
1. Data Theft: Trojans can be designed to steal sensitive data such as login credentials, passwords, credit card
information, social security numbers, and other personal details from infected systems.
2. Financial Fraud: Banking Trojans, a type of Trojan horse, are designed to steal online banking credentials and
financial information. Cybercriminals can use this stolen data for fraudulent transactions and identity theft.
3. Spying and Surveillance: Some Trojans act as spyware, allowing attackers to monitor user activities, capture
screenshots, record keystrokes, access files, and even turn on webcams or microphones for unauthorised
surveillance.
4. Remote Access and Control: Trojans can create a backdoor, granting cybercriminals remote access and control
over infected systems. Attackers can execute commands, upload or download files, or use the compromised system
as a part of a larger botnet.
5. Distributed Denial of Service (DDoS) Attacks: Trojans can be used to launch DDoS attacks by coordinating a
network of infected devices to flood a target server with overwhelming traffic, disrupting its services, and making
them unavailable to legitimate users.
6. Ransomware Delivery: Some Trojans act as carriers for ransomware, delivering the malicious payload to the
victim's system. Ransomware encrypts files and demands a ransom for their release.
7. Malware Downloading: Trojans often download additional malware or malicious payloads onto infected systems.
This can include ransomware, spyware, adware, or other types of malware.
8. Botnet Participation: Trojans can join infected systems into a botnet, a network of compromised devices under
the control of a single entity. These botnets are then used for various malicious activities, such as spam distribution,
DDoS attacks, or further malware distribution.
9. Keylogging: Keylogger Trojans record keystrokes made by users, allowing attackers to gather sensitive information
like passwords and other credentials.
10. Phishing Attacks: Trojans can be used in phishing campaigns, tricking users into downloading a seemingly
harmless file or clicking on a malicious link, which then installs the Trojan on their system.
11. Ad Fraud: Trojans can fraudulently generate clicks on online advertisements or websites, creating ad revenue for
the attacker.
12. System Damage and Manipulation: Trojans can alter or delete files, modify system settings, corrupt data, or even
render the system inoperable, causing significant damage.
Understanding these malicious uses of Trojan horses is essential for users to stay vigilant, employ effective cybersecurity
measures, and protect their systems and personal information from potential attacks.

3.9.3 Types of Trojan Horses
Trojan horses are a type of malicious software that masquerade as legitimate or desirable programs or files, tricking users
into executing them and compromising their systems. Trojans can have various purposes and functionalities based on what
the attacker intends to achieve. Here are some common types of Trojan horses:
1. Remote Access Trojans (RATs): RATs create a backdoor on the infected system, allowing attackers to gain remote
access and control over the compromised device. Attackers can execute commands, upload or download files,
monitor user activities, and even use the infected system in a botnet.
2. Data-stealing Trojans: These Trojans are designed to steal sensitive data, including passwords, login credentials,
financial information, personal identification details, and more. The stolen data is sent to remote servers controlled
by attackers.
3. Downloader Trojans: Downloader Trojans are responsible for downloading additional malicious payloads onto
the infected system. They act as a delivery mechanism for other malware, such as ransomware, spyware, or adware.
4. Banking Trojans: Banking Trojans are specialised in targeting online banking credentials and financial
information. They often inject malicious code into banking websites to capture login details and conduct fraudulent
transactions.
5. Ransomware Trojans: Ransomware Trojans encrypt files on the infected system and demand a ransom for their
release. They can lock users out of their own files until the ransom is paid.
6. Keylogging Trojans: Keyloggers record keystrokes made by the user, enabling attackers to capture passwords,
usernames, and other sensitive information entered on the infected system.
7. Spyware Trojans: Spyware Trojans gather information about the user's activities, such as browsing habits,
searches, and other personal data. This information is then sent to the attacker for malicious purposes.
8. FakeAV Trojans: Fake antivirus or security software Trojans pose as legitimate antivirus programs to trick users
into downloading and paying for fake security solutions. They often display false security alerts and warnings.
9. SMS Trojans: SMS Trojans target mobile devices and can send premium-rate SMS messages without the user's
consent, resulting in unexpected charges on the user's phone bill.
10. Rootkit Trojans: Rootkit Trojans install stealthy software that provides unauthorised access to the system while
hiding their presence, making detection and removal difficult.
11. Backdoor Trojans: Backdoor Trojans create a hidden entry point into the system, allowing attackers to access and
control the system remotely. They can also be used to install additional malicious software.
12. Dropper Trojans: Dropper Trojans are responsible for delivering and executing malicious payloads on the infected
system. They often disguise the malware to evade detection.

3.9.4 Prevention from Trojan Horse
Preventing Trojan horse infections and minimising the risk of falling victim to these malicious programs involves a
combination of security measures, safe browsing practices, and user education. Here are key preventive measures:
1. Use Reliable Antivirus and Antimalware Software: Install reputable antivirus and antimalware software on your
devices. Keep these security programs updated to detect and remove Trojan horses and other malware effectively.
2. Regularly Update Operating Systems and Software: Keep your operating system, applications, and antivirus
software up to date with the latest security patches and updates. Updates often include security fixes that help
protect against known vulnerabilities.
3. Exercise Caution with e-mail Attachments and Links: Be wary of e-mail attachments and links, especially from
unknown or suspicious sources. Avoid downloading attachments or clicking on links unless you are certain of the
sender's legitimacy.
4. Enable Firewalls: Enable and configure firewalls on your devices to filter incoming and outgoing traffic, providing
an additional layer of defense against Trojan horse attacks.
5. Be Cautious with Downloads: Download software and files only from reputable and official sources. Avoid
downloading cracked software, torrents, or files from untrusted websites.
6. Educate Yourself and Users: Educate yourself and others about safe browsing practices, the dangers of
downloading from unknown sources, and how to identify phishing attempts or suspicious behavior.
7. Implement Network Security Measures: Use network security measures like intrusion detection systems (IDS),
intrusion prevention systems (IPS), and network access controls to monitor and restrict potentially harmful network
activities.
8. Regular Backup of Important Data: Back up your critical files and data regularly to an external device or secure
cloud storage. In the event of a Trojan attack or ransomware, having backup copies can help restore your data
without paying a ransom.
9. Practice Least Privilege Access: Limit user access to critical systems and information based on their roles. Users
should only have the minimum level of access necessary to perform their tasks.
10. Disable Autorun/Autoplay: Disable the autorun or autoplay feature on your devices to prevent automatic
execution of programs when removable media, such as USB drives, are connected.
11. Use a Virtual Private Network (VPN): When accessing the internet, especially on public Wi-Fi networks, use a
VPN to encrypt your connection and enhance privacy and security.
12. Monitor System Activity: Regularly monitor your system's activity for any unusual behaviour, unauthorised
access, or suspicious processes. Act promptly if you identify any potential threats.
13. Regular Security Audits: Conduct regular security audits to identify vulnerabilities in your network, systems, and
applications. Address these vulnerabilities promptly to strengthen your defenses.
By following these preventive measures and maintaining a proactive approach to cybersecurity, you can significantly reduce
the risk of falling victim to Trojan horse attacks and other malware threats.
Backdoor Trojans
 Backdoor Trojans provide unauthorized access for remote attacks, allowing hackers to send commands or gain
complete control over a compromised computer.
 These malware programs circumvent authentication protocols to enter systems stealthily, avoiding detection.
 Once infiltrated, a Trojan adds itself to the computer's startup routine, preventing easy termination by rebooting.
 Backdoor malware, often called a Trojan horse, disguises itself to propagate malware, steal data, or create illicit
entry points into systems.
 Similar to the Greek myth, computer Trojans lead to unexpected and unpleasant outcomes.
 It acts as a trap door, providing a secret entry point that bypasses normal authentication methods, earning the name
"back door."

How Does a Backdoor Trojan Affect a System?
A backdoor Trojan, often referred to simply as a "backdoor," is a type of malicious software (malware) that creates a secret
or hidden access point, providing unauthorised access and control over an infected system.
Here is how a backdoor Trojan affects a system:
1. Establishment of Unauthorised Access: Backdoor Trojans create a hidden entry point into the system, typically
exploiting vulnerabilities in the operating system or applications. Once installed, the Trojan opens a "backdoor"
that allows remote control of the infected system.
2. Remote Control and Command Execution: Attackers can remotely access and control the compromised system
using the established backdoor. They can execute commands, upload, or download files, modify system settings,
and even manipulate the system in any way they desire.
3. Data Theft and Surveillance: Backdoor Trojans can be used to steal sensitive data from the infected system.
Attackers may extract personal information, passwords, financial data, intellectual property, or any other valuable
data present on the compromised device.
4. Installation of Additional Malware: Backdoors often serve as a pathway for other malware to enter the system.
Attackers can use the backdoor to download and install additional malicious software, such as ransomware,
spyware, or keyloggers.
5. Botnet Formation: Backdoor Trojans are sometimes used to establish a connection to a command-and-control
server. The compromised system becomes a part of the botnet, allowing the attacker to control a network of infected
devices for various malicious purposes.
6. Evasion of Security Measures: Backdoor Trojans often attempt to evade detection by employing stealth
techniques. They may use encryption, polymorphic coding, rootkit capabilities, or other tactics to hide their
presence and activities from security software.
7. Launching DDoS Attacks: Backdoors can be used to facilitate Distributed Denial of Service (DDoS) attacks by
enabling the attacker to control a network of compromised devices, directing them to flood a target server or
network with traffic, thereby causing service disruption.
8. System Degradation and Instability: The presence of a backdoor Trojan can degrade system performance and
stability due to the additional load it imposes, especially if it's part of a larger botnet or involved in malicious
activities.
9. Damage to the Organisation: Backdoors can cause significant harm to individuals, businesses, or organisations.
They can lead to financial losses, reputational damage and loss of sensitive data, legal consequences, and more.
The impact of a backdoor Trojan on a system can be severe, compromising the user's privacy, security, and overall digital
wellbeing. It is crucial to implement robust cybersecurity measures to prevent the installation of backdoors and promptly
detect and remove them if present.

3.10 STEGANOGRAPHY
 The term 'Steganography' originates from the combination of two Greek words: 'stegos', which translates to 'to
cover', and 'graphia', meaning 'writing'. This results in the interpretation of 'covered writing' or 'hidden writing'.
 Steganography is a way of hiding secret information by putting it secretly into files like audio, video, images, or
text. It's like a secret method used to protect important data from potential bad attacks. It's about hiding messages
in a way that only the sender and the intended receiver know it's there.
 Unlike cryptography, which focuses on making a message unreadable to unauthorised users, steganography aims
to keep the existence of the message secret.
 In steganography, the thing that hides the secret information is like a canvas, and this hidden data can be text,
pictures, sound, or video. It's blended into the canvas in a way that makes it hard for someone to notice it casually.

Basic Steganographic Model
As shown in the illustration, both the cover file (X) and the secret message (M) are inputted into the steganographic encoder.
The steganographic encoder function, denoted as f(X, M, K), integrates the secret message into the cover file. The resulting
stego object appears nearly identical to the cover file, displaying no evident alterations. This marks the completion of the
encoding process. To recover the secret message, the stego object is provided as input to the steganographic decoder.

3.10.1 Difference between Cryptography and Steganography
Cryptography and Steganography are both techniques used to secure and protect information, but they differ in how they
achieve this goal and in the way they handle the hidden data as discussed below:
1. Objective
 Cryptography: The primary objective of cryptography is to make the content of a message unreadable to
unauthorised users. It focuses on securing the information by transforming it into an unintelligible format using
mathematical algorithms and encryption keys.
 Steganography: The main objective of steganography is to conceal the existence of the message. It does not
necessarily make the message unreadable but hides it within another message or medium, making it difficult to
detect.
2. Visibility
 Cryptography: In cryptography, the encrypted message is visible, but it is in a scrambled and unreadable form
without the decryption key.
 Steganography: In steganography, the existence of the hidden message is typically invisible or inconspicuous to
an observer. It is concealed within seemingly innocuous data or media.
3. Method
 Cryptography: Cryptography uses mathematical algorithms and techniques to transform the original message into
ciphertext, which is a scrambled and unreadable version of the original message. Reverting to plaintext is only
possible for those in possession of the decryption key.
 Steganography: Steganography hides the message within another message or medium. It embeds the information,
such as text or data, within seemingly unrelated data, such as images, audio, or text.
4. Detection
 Cryptography: Cryptographic algorithms can be detected, but breaking the encryption is computationally
challenging without the decryption key.
 Steganography: Detection of steganography is difficult since the presence of the hidden message is intentionally
made inconspicuous. Without prior knowledge or specific tools, it's challenging to identify steganographic content.
5. Security vs. Concealment
 Cryptography: Cryptography focuses on securing the data by protecting it from unauthorised access. It ensures
the confidentiality and integrity of the message.
 Steganography: Steganography emphasises concealment and tries to hide the fact that a message is being sent or
that information is being shared.
6. Usage:
 Cryptography: Cryptography is widely used for secure communication, data privacy, authentication, digital
signatures, and protecting sensitive information.
 Steganography: Steganography is often used in covert communication, watermarking, copyright protection, hiding
secret messages, and digital forensics.

3.10.2 Types of Steganography
From a digital perspective there are four main types of steganography. These are:
i. Image Steganography
ii. Text Steganography
iii. Audio Steganography
iv. Video Steganography

3.10.3 Image Steganography
As the name suggests, Image Steganography refers to the process of hiding data within an image file. The image selected
for this purpose is called the cover image and the image obtained after steganography is called the stego image.
Image steganography is a technique used to hide secret information within an image without altering the image's perceptible
characteristics significantly. It's a form of steganography where digital images are used as the cover medium to conceal the
hidden message. The goal is to ensure that the presence of the hidden message is undetectable to an observer.
Overview of image steganography working
 Carrier Image: The choice of a carrier image involves selecting the image in which the secret message will be
hidden. This image is typically a common image file such as JPEG, PNG, or BMP.
 Secret Message: The secret message that needs to be hidden is converted into a suitable format for embedding
within the image. This could be text, another image, a file, or any form of data.
 Embedding Process: The secret message is embedded into the carrier image using specific steganographic
algorithms or techniques. The pixels of the image are slightly altered to represent the bits of the secret message.
 Resulting Image: The result is a stego image, which looks like the original carrier image but contains the hidden
message encoded within it.
 Extraction Process: To retrieve the hidden message, a recipient uses a steganographic decoder that can extract the
embedded data from the stego image.
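As an added worked example (not code from the original text), the encoder f(X, M, K) and decoder of the basic steganographic model, realised as least-significant-bit (LSB) image steganography over the embedding and extraction steps listed above. The cover image X is a constructed 8-bit grayscale pixel array, M is the message, and K is a key that selects which pixels carry the bits and in what order; all three are assumptions made here for illustration.

```python
import random

WIDTH, HEIGHT = 64, 64


def make_cover(seed: int = 1) -> list:
    """Constructed 8-bit grayscale cover image X: a gradient with a little noise."""
    rng = random.Random(seed)
    return [(3 * x + 2 * y + rng.randrange(8)) % 256
            for y in range(HEIGHT) for x in range(WIDTH)]


def _bits(data: bytes) -> list:
    """Big-endian bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def _bytes(bits: list) -> bytes:
    """Inverse of _bits; trailing bits that do not fill a byte are dropped."""
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def _pixel_order(n_pixels: int, key: str) -> list:
    """Key K: a keyed permutation of pixel indices; the same key is needed to decode."""
    order = list(range(n_pixels))
    random.Random(key).shuffle(order)
    return order


def capacity_bytes(cover: list) -> int:
    """One bit per pixel, minus a 32-bit length header."""
    return (len(cover) - 32) // 8


def embed(cover: list, message: bytes, key: str) -> list:
    """Encoder f(X, M, K): write a length-prefixed M into the LSBs of X, pixel order chosen by K."""
    if len(message) > capacity_bytes(cover):
        raise ValueError("message too long for this cover image")
    payload = len(message).to_bytes(4, "big") + message
    stego = list(cover)
    for idx, bit in zip(_pixel_order(len(cover), key), _bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return stego


def extract(stego: list, key: str):
    """Decoder: read LSBs in the keyed order, parse the length header, return M (or None)."""
    order = _pixel_order(len(stego), key)
    bits = [stego[i] & 1 for i in order]
    length = int.from_bytes(_bytes(bits[:32]), "big")
    if length > capacity_bytes(stego):
        return None  # header is not a plausible length: wrong key or no payload present
    return _bytes(bits[32:32 + 8 * length])


def max_pixel_change(cover: list, stego: list) -> int:
    """Largest per-pixel difference between cover and stego image (1 for LSB embedding)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    X = make_cover()
    S = embed(X, b"meet at noon", "k1")
    print("recovered:", extract(S, "k1"))
    print("max pixel change:", max_pixel_change(X, S))
    print("wrong key:", extract(S, "wrong-key"))
```

The stego image differs from the cover by at most one intensity level per pixel, which is why it "displays no evident alterations", while a wrong key yields no valid header or garbage rather than the message.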

3.10.4 Text Steganography
Text steganography is an approach of hiding a secret text message within another text that serves as the cover message, or
of creating a cover message from the initial secret message. It can include anything from transforming the formatting of an
existing text, to changing words within a text, to producing random character sequences or utilising context-free
grammars to make readable texts.

(i) Format Based Methods
Format-based text steganography entails the covert embedding of information through the manipulation of a text
document's structure and presentation. It depends on a chosen cover text and involves modifying aspects within the
cover text, such as punctuation and spelling, to obfuscate the concealed information.
These format-based techniques encompass physically altering the text's formatting to obscure the data. However, it's
important to note that this method possesses inherent vulnerabilities. If the stego file is opened with a word processor,
misspellings and additional white spaces will get identified. Changed font sizes can arouse suspicion in a human reader.
Moreover, if the initial plaintext is accessible, comparing this plaintext with the suspected steganographic text can
make the manipulated elements of the text quite visible.
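As an added example (not from the original text), a format-based method of the kind described above: one bit per line is hidden as a trailing tab (1) or space (0) in a constructed cover text, alongside the simple check a reader or tool can run to reveal that trailing whitespace, which is the weakness the paragraph points out. The cover text and message are constructed here.

```python
import re

# Constructed cover text (not from the page): eight lines of a mundane notice,
# so at one bit per line it carries exactly one byte.
COVER_TEXT = """Quarterly figures are attached for review.
Please confirm receipt by Friday.
The meeting room has been changed to 4B.
Travel claims must be filed within thirty days.
The printer on the third floor is out of toner.
Lunch orders close at eleven thirty.
Parking permits are renewed in March.
Remember to lock the archive cabinet."""


def _to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def _from_bits(bits: list) -> bytes:
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def capacity_bytes(cover: str) -> int:
    """One bit per line: a trailing TAB encodes 1, a trailing SPACE encodes 0."""
    return len(cover.split("\n")) // 8


def embed_trailing_ws(cover: str, message: bytes) -> str:
    """Format-based embedding: append one invisible whitespace character per line."""
    lines = cover.split("\n")
    bits = _to_bits(message)
    if len(bits) > len(lines):
        raise ValueError(f"cover has {len(lines)} lines but {len(bits)} bits are needed")
    marked = [line.rstrip() + ("\t" if bit else " ") for line, bit in zip(lines, bits)]
    return "\n".join(marked + lines[len(bits):])  # unmarked lines follow the payload


def extract_trailing_ws(stego: str) -> bytes:
    """Read one bit per line until the first line without a trailing marker."""
    bits = []
    for line in stego.split("\n"):
        if line.endswith("\t"):
            bits.append(1)
        elif line.endswith(" "):
            bits.append(0)
        else:
            break
    return _from_bits(bits)


def flag_trailing_whitespace(text: str) -> list:
    """Defender's check, mirroring what a word processor makes visible:
    returns (line number, trailing whitespace run) for every affected line."""
    findings = []
    for number, line in enumerate(text.split("\n"), start=1):
        match = re.search(r"[ \t]+$", line)
        if match:
            findings.append((number, match.group()))
    return findings


if __name__ == "__main__":
    stego = embed_trailing_ws(COVER_TEXT, b"A")
    print("recovered:", extract_trailing_ws(stego))
    print("flagged lines in cover:", flag_trailing_whitespace(COVER_TEXT))
    print("flagged lines in stego:", flag_trailing_whitespace(stego))
```

The stego text reads identically to the cover, yet every carrying line is flagged by the whitespace check, and a diff against the original plaintext would expose the same lines.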
(ii) Random and Statistical Generation method
In Random and Statistical Generation, comparison with a known plaintext can be prevented, so steganographers
resort to creating their own cover texts. One method conceals data in a random-looking sequence of characters.
In another method, the statistical features of word length and letter frequencies are used to produce words that
appear to have similar statistical properties to actual words in the given language.
(iii) Linguistic Steganography
Linguistic steganography particularly considers the linguistic properties of generated and altered text, and in some
cases uses linguistic mechanisms as the space in which messages are hidden.

Some common techniques used in linguistic steganography:
 Word Embedding: Embedding secret information within a text by modifying or selecting specific words or phrases
that, when taken together, convey the hidden message. The choice of words or phrases can be based on predefined
rules, context, or other linguistic features.
 Grammar-based Steganography: Altering the grammatical structure of a sentence to encode the hidden message.
This can include modifications to sentence construction, syntax, or word order based on a predefined algorithm or
rule set.
 Concealed Information in Syntax: Modifying the syntax of a sentence, such as rearranging phrases or clauses, to
encode the hidden message. The alterations are made in a way that the overall structure of the sentence remains
grammatically correct.
 Semantic Steganography: Using semantic elements or meanings of words to embed the secret message. The
choice of words or the interpretation of their meanings can convey the hidden information.
 Whitespace and Formatting: Utilising whitespace, formatting, or other typographic elements to hide information.
For instance, using specific spacing, font changes, or indentation patterns to encode the message.
Linguistic steganography requires a deep understanding of language and linguistic properties. The challenge lies in
concealing the information effectively while maintaining the appearance of a regular text. Decoding the hidden message
involves understanding the chosen linguistic techniques and rules applied during the encoding process.

3.10.5 Audio Steganography
Audio steganography is about hiding the secret message inside audio. It is a technique used to secure the transmission of
secret information or to hide its existence. It involves concealing information within an audio signal, altering the signal in
a way that remains imperceptible to the human ear while embedding the data.

3.10.6 Video Steganography
In Video Steganography you can hide any kind of data in a digital video format. Video steganography is a technique that
involves concealing secret or sensitive information within a video file without altering the perceived quality or content of
the video to the ordinary viewer. This hidden data can be text, images, other files, or any form of digital information.

3.11 DENIAL OF SERVICE (DOS)
 A Denial-of-Service (DoS) attack is a cyber-attack where the objective is to make a computer or device inaccessible
to its intended users by disrupting its normal operations.
 The attacker achieves this by flooding the targeted machine with an overwhelming number of requests or traffic,
causing it to be unable to handle legitimate user requests. The result is a denial-of-service for additional users trying
to access the device. DoS attacks work by flooding the target with traffic or sending it data that causes it to crash.
It deprives genuine users of the service or resources they expect to receive.
 A DOS (Denial-of-Service) attack is a type of cyber-attack where a computer floods a victim's computer or network
with an overwhelming amount of traffic, causing it to become inaccessible or shut down. This attack is often
employed online to make a website unavailable to its users. By sending a large volume of traffic to the server
hosting the website, the attack overwhelms the server's resources and disrupts its normal operations. As a result,
the website becomes unavailable to legitimate users.
 DoS attackers exploit software vulnerabilities in the system and proceed to exhaust the RAM or CPU of the server.
 For example, if a bank website can handle 10 people a second by clicking the Login button, an attacker only has to
send 10 fake requests per second to make it so no legitimate users can log in. DoS attacks exploit various
weaknesses in computer network technologies. They may target servers, network routers, or network
communication links. They can cause computers and routers to crash and links to bog down.
 The most famous DoS technique is the Ping of Death. The Ping of Death attack works by generating and sending
special network messages (specifically, ICMP packets of non-standard sizes) that cause problems for systems that
receive them. In the early days of the Web, this attack could cause unprotected Internet servers to crash quickly.
 It is strongly recommended to try all described activities on virtual machines rather than in your working
environment.
Following is the command for performing flooding of requests on an IP (Windows ping syntax):
ping ip_address -t -l 65500
Where:
 "ping" sends the data packets to the victim.
 "ip_address" is the IP address of the victim.
 "-t" means the data packets should be sent until the program is stopped.
 "-l 65500" specifies the data load (payload size in bytes) of each packet sent to the victim.

How Do DoS Attacks Work


DoS (Denial of Service) attacks work by intentionally disrupting or overwhelming a target system, network, or service,
making it unavailable to legitimate users.
Simplified explanation of how DoS attacks typically work:
1. Target selection: The attacker identifies a specific target, such as a website, server, or network, to disrupt or render
inaccessible.
2. Traffic generation: The attacker employs various techniques to generate a high volume of traffic or requests
towards the target. Some common methods include:
 Flood-based attacks: The attacker floods the target with a massive amount of traffic, overwhelming its
resources and causing it to become unresponsive. This can be done through techniques like ICMP flooding,
UDP flooding, or SYN flooding.
 Resource exhaustion attacks: The attacker exploits vulnerabilities or weaknesses in the target's systems
or applications to consume excessive resources like CPU, memory, or bandwidth. This can be achieved
through techniques like Ping of Death, Slowloris, or HTTP POST flooding.
 Application layer attacks: The attacker targets specific vulnerabilities or limitations in the target's
application layer, such as web servers or databases, to exhaust their resources or cause them to crash.
Examples include SQL injection attacks or buffer overflow attacks.
3. Overwhelming the target: The flood of traffic or resource consumption exhausts the target's resources, making it unable
to handle legitimate user requests. As a result, the target may experience performance degradation, slowdowns, or complete
unavailability.
4. Impact: The target becomes unavailable or significantly impaired, denying access to legitimate users and potentially
causing financial losses, reputational damage, or disruption of services.
It's important to note that there are variations of DoS attacks, such as DDoS (Distributed Denial of Service) attacks,
where multiple compromised devices or botnets are used to launch the attack, making it more challenging to mitigate.
Protecting against DoS attacks involves implementing various security measures, such as network monitoring,
traffic filtering, rate limiting, and utilising specialised hardware or software solutions to detect and mitigate such attacks.
Additionally, regular security updates, vulnerability assessments, and incident response plans are essential to maintain
resilience against DoS attacks.

3.11.1 Types of DoS Attack


There are several different types of DoS (Denial of Service) attacks that attackers can employ to disrupt or render a target
system, network, or service unavailable. Here are some common types:
1. Flooding attacks
 ICMP Flood: The attacker floods the target with a high volume of ICMP (Internet Control Message Protocol)
packets, overwhelming its resources and causing it to become unresponsive.
 UDP Flood: The attacker floods the target with a large number of UDP (User Datagram Protocol) packets,
exhausting its capacity to process them.
 SYN Flood: The attacker floods the target with a flood of TCP SYN (synchronisation) packets, depleting its
resources and preventing legitimate connections from being established.
2. Amplification attacks
 DNS Amplification: The attacker sends DNS (Domain Name System) queries to publicly accessible DNS servers,
spoofing the source IP address as the target's IP. The servers respond with larger responses, overwhelming the target
with amplified traffic.
 NTP Amplification: The attacker exploits the Network Time Protocol (NTP) by sending small queries to publicly
accessible NTP servers, which respond with larger, amplified responses to the target.
3. Application layer attacks
 HTTP Flood: The attacker floods a target web server with a large number of HTTP requests, overwhelming its
resources and causing it to become unresponsive.
 Slowloris: The attacker sends partial HTTP requests to a target web server, keeping the connection open by sending
incomplete request headers. This exhausts the server's resources and prevents it from serving other legitimate
requests.
4. Resource exhaustion attacks
 Ping of Death: The attacker sends oversized or malformed ICMP echo request packets to the target, causing it to
crash or become unresponsive.
 Teardrop Attack: The attacker sends fragmented IP packets with overlapping offsets to the target, causing the
target's operating system to crash or freeze.
5. Application-specific attacks
 SQL Injection: The attacker exploits vulnerabilities in a target's web application by injecting malicious SQL code,
potentially causing the application or database to crash or become unresponsive.
 Buffer Overflow: The attacker sends more data than a system or application can handle, overflowing its allocated
memory buffers and potentially crashing or freezing the system.

3.11.2 Preventing a DoS Attack


Preventing DoS (Denial of Service) attacks requires a combination of proactive measures and best practices. Here are some
steps you can take to help mitigate the risk of a DoS attack:
1. Network security
 Implement firewalls and intrusion detection systems (IDS) to monitor and filter incoming and outgoing traffic.
 Utilise rate limiting or traffic shaping techniques to control the flow of traffic and prevent overwhelming the
network.
 Configure routers and switches to drop or block suspicious or malicious traffic.
2. DDoS protection
 Employ a dedicated DDoS protection service or solution that can detect and mitigate attacks in real-time.
 Consider using a content delivery network (CDN) to distribute traffic and absorb the impact of an attack.
3. Load balancing and redundancy
 Use load balancing to spread traffic across several systems, reducing the impact of a targeted attack on a single
system.
 Ensure redundancy in critical systems and services, so if one resource becomes unavailable, others can handle the
load.
4. Network segmentation
 Segmenting networks into smaller, more manageable pieces can limit the impact of a DoS attack. This can be done
by creating VLANs, and firewalls can limit the spread of an attack. The optimal solution is zero-trust micro-
segmentation. Adding device-level and device-cloaking firewalling, external to the operating system, remains the
most reliable form of DoS protection.
5. Intrusion prevention and detection
 Deploy intrusion prevention systems (IPS) or intrusion detection systems (IDS) to monitor network traffic and
detect any suspicious or malicious activity.
 Configure the systems to alert administrators or automatically block traffic from suspicious sources.
6. Traffic analysis and anomaly detection:
 Monitor network traffic patterns and establish baseline behaviour to detect any abnormal or unusual traffic patterns.
 Utilise network traffic analysis tools to identify and respond to potential attacks in real-time.
7. IP blocking
 Blocking traffic from known or suspected malicious sources can prevent DoS traffic from reaching its target.
8. Rate limiting
 Limiting the rate of traffic to reach a server or resource can prevent a DoS attack from overwhelming it.
9. Content Delivery Networks (CDNs)
 Distributing website content across multiple locations makes it more difficult for an attack to bring down an entire
site.
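The following is an added example, not code from the course notes, showing how three of the controls listed above (rate limiting, IP blocking and traffic analysis) fit together in one component. A token bucket gives each source address a steady request rate plus a small burst allowance; a source that keeps being rejected is escalated to a block list. The request log, the addresses and the thresholds are constructed for the example.

```python
"""Per-source rate limiting with a token bucket and a simple block list.

Added example (not from the course notes). Two constructed sources are
replayed through the limiter: a well-behaved client and a flooding one.
"""
from collections import defaultdict


class TokenBucket:
    """Allows `rate` requests per second with bursts up to `capacity`.

    Tokens are stored in thousandths and time in milliseconds so the
    arithmetic stays exact integer math (no floating-point drift)."""

    def __init__(self, rate, capacity, now_ms):
        self.rate = rate                      # tokens added per second
        self.capacity_m = capacity * 1000     # bucket size, in milli-tokens
        self.tokens_m = capacity * 1000       # start full: a short burst is allowed
        self.last_ms = now_ms

    def allow(self, now_ms):
        # Refill in proportion to elapsed time: 1 ms * rate == rate milli-tokens.
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens_m = min(self.capacity_m, self.tokens_m + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens_m >= 1000:             # one whole token pays for one request
            self.tokens_m -= 1000
            return True
        return False


class RateLimiter:
    """One bucket per source address; sources rejected too often are blocked."""

    def __init__(self, rate, capacity, block_after):
        self.rate, self.capacity, self.block_after = rate, capacity, block_after
        self.buckets = {}
        self.rejections = defaultdict(int)
        self.blocked = set()

    def handle(self, src, now_ms):
        if src in self.blocked:
            return "blocked"                  # cheapest path: drop without any bucket work
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.capacity, now_ms)
        if bucket.allow(now_ms):
            return "allowed"
        self.rejections[src] += 1
        if self.rejections[src] >= self.block_after:
            self.blocked.add(src)             # escalate from rate limiting to IP blocking
        return "rejected"


def build_log():
    """Constructed request log: (timestamp_ms, source_ip), sorted by time.

    10.0.0.5 sends one request every 500 ms for 10 s (normal use).
    203.0.113.9 sends 200 requests 10 ms apart starting at t=2 s (a flood)."""
    log = [(i * 500, "10.0.0.5") for i in range(20)]
    log += [(2000 + i * 10, "203.0.113.9") for i in range(200)]
    return sorted(log)


def simulate(log, rate=5, capacity=10, block_after=20):
    """Replay the log; return per-source decision counts and the final block list."""
    limiter = RateLimiter(rate, capacity, block_after)
    summary = defaultdict(lambda: defaultdict(int))
    for ts, src in log:
        summary[src][limiter.handle(src, ts)] += 1
    return {src: dict(counts) for src, counts in summary.items()}, sorted(limiter.blocked)


if __name__ == "__main__":
    decisions, blocked = simulate(build_log())
    for src, counts in decisions.items():
        print(src, counts)
    print("blocked:", blocked)
```

With a rate of 5 requests per second and a burst of 10, the normal client never loses a request, while the flooding source gets its burst, is then rejected, and after 20 rejections is dropped outright. The thresholds are the tuning knobs: too low and legitimate bursts are punished, too high and the server does the expensive work before the limiter helps.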

3.12 DDOS (DISTRIBUTED DENIAL OF SERVICE)


 A DDoS (Distributed Denial of Service) attack is a variant of a DoS attack where multiple compromised devices
or botnets are used to launch the attack, making it more challenging to mitigate.
 Instead of a single attacker, a DDoS attack involves a coordinated effort from multiple sources to overwhelm a
target system, network, or service.
 A DDoS (Distributed Denial of Service) attack is a type of DoS attack where multiple compromised systems, often
part of a botnet, are used to flood a target system or network with a high volume of traffic or requests.
 The goal is to overwhelm the target's resources and make it inaccessible to legitimate users. In a DDoS attack, the
attacker typically gains control over a network of infected computers, servers, or IoT devices, often by using
malware or remote control agents. These compromised systems, known as bots or zombies, are then coordinated to
send a massive amount of traffic to the target simultaneously.
 By using a distributed approach, DDoS attacks can generate a much larger volume of traffic compared to a
traditional DoS attack, making them more challenging to mitigate. The attack traffic can come from various sources,
making it difficult to distinguish between legitimate and malicious traffic.
 The impact of a successful DDoS attack can be severe, causing service disruptions, financial losses, reputational
damage, and potential data breaches.
3.12.1 Types of DDoS Attacks
There are various types of DDoS attacks, described below:
1. Volumetric Attacks: Volumetric attacks are the most prevalent form of DDoS attack. They use a botnet to
overload the network or server with heavy traffic that exceeds the network's capacity to process it.
This attack overloads the target with huge amounts of junk data. This leads to the loss of network bandwidth and
can lead to a complete denial of service.
2. Protocol Attacks: TCP connection attacks exploit a vulnerability in the TCP connection sequence, which is
commonly referred to as the three-way handshake between the host and the server. They work as
follows. The targeted server receives a request to start the handshake. In this attack, the handshake
is never completed. This leaves the connected port busy and unavailable to process any further requests.
Meanwhile, the cybercriminal continues to send multiple requests, overwhelming all the working ports and shutting
down the server.
3. Application Attacks: Application layer attacks target the applications of the victim in a slower fashion. Thus, they
may initially appear as legitimate requests from users, and the victim becomes unable to respond. These attacks
target the layer where a server generates web pages and responds to HTTP requests. Application-level attacks are
combined with other kinds of DDoS attacks targeting applications, along with the network and bandwidth. These
attacks are threatening because they are more difficult for companies to detect.
4. Fragmentation Attacks: The cybercriminal exploits weaknesses in the datagram fragmentation process, in which
IP datagrams are divided into smaller packets, transferred across a network, and then reassembled. In such attacks,
the fake data packets cannot be reassembled.
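The protocol attack above is easiest to understand as handshake state: a SYN that never receives its completing ACK leaves a half-open connection. The following added example (not from the course notes) tracks that state over a constructed packet trace and reports how many connections have been half-open for longer than a timeout. It also shows the caveat a practitioner needs: a flood with spoofed source addresses spreads its SYNs over many addresses, so a per-source threshold on its own misses it and the aggregate count must be watched as well (on the server side, SYN cookies are the usual mitigation for exactly this case). All addresses, ports and timings are constructed.

```python
"""Half-open TCP connection tracking to detect a SYN flood.

Added example (not from the course notes). Packet records are constructed:
(time_s, client_ip, client_port, tcp_flag), all addressed to one server.
Only the flags that change handshake state are modelled.
"""
from collections import defaultdict


def build_packets():
    pkts = []
    # Five normal connections: a SYN, then the ACK that completes the handshake.
    for i in range(5):
        pkts.append((0.1 * i, "10.0.0.5", 40000 + i, "SYN"))
        pkts.append((0.1 * i + 0.02, "10.0.0.5", 40000 + i, "ACK"))
    # One slow but legitimate client whose ACK simply has not arrived yet.
    pkts.append((9.5, "10.0.0.6", 50001, "SYN"))
    # Flood: 100 SYNs from 100 different (spoofed-looking) addresses, never completed.
    for i in range(100):
        pkts.append((1.0 + 0.01 * i, f"198.51.100.{i + 1}", 1024 + i, "SYN"))
    return sorted(pkts)


def half_open_report(packets, now, timeout=3.0):
    """Count connections that got a SYN but no ACK/RST/FIN within `timeout` seconds."""
    pending = {}  # (ip, port) -> time the SYN was seen
    for ts, ip, port, flag in packets:
        key = (ip, port)
        if flag == "SYN":
            pending[key] = ts
        elif flag in ("ACK", "RST", "FIN"):
            pending.pop(key, None)  # handshake completed or connection torn down
    by_source = defaultdict(int)
    for (ip, _port), ts in pending.items():
        if now - ts >= timeout:   # recent SYNs are not suspicious on their own
            by_source[ip] += 1
    return {"half_open_total": sum(by_source.values()), "by_source": dict(by_source)}


def is_syn_flood(report, total_threshold=50, per_source_threshold=20):
    """Alert on the aggregate count as well as per source: a spoofed flood can
    keep every individual address under the per-source limit."""
    if report["half_open_total"] >= total_threshold:
        return True
    return any(n >= per_source_threshold for n in report["by_source"].values())


if __name__ == "__main__":
    report = half_open_report(build_packets(), now=10.0)
    print("half-open connections:", report["half_open_total"])
    print("largest single source:", max(report["by_source"].values()))
    print("SYN flood?", is_syn_flood(report))
```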

Table 3.2 Difference between DoS and DDoS Attack


DoS | DDoS
DoS stands for Denial of Service attack. | DDoS stands for Distributed Denial of Service attack.
In a DoS attack a single system targets the victim system. | In a DDoS attack multiple systems attack the victim's system.
The victim PC is loaded with packets of data sent from a single location. | The victim PC is loaded with packets of data sent from multiple locations.
A DoS attack is slower compared to a DDoS attack. | A DDoS attack is faster than a DoS attack.
Can be blocked easily as only one system is used. | Difficult to block as multiple devices are sending packets and attacking from multiple locations.
In a DoS attack only a single device is used, with DoS attack tools. | In a DDoS attack, volume bots are used to attack at the same time.
DoS attacks are easy to trace. | DDoS attacks are difficult to trace.
The volume of traffic in a DoS attack is less compared to DDoS. | DDoS attacks allow the attacker to send massive volumes of traffic to the victim network.
Types of DoS attacks: 1. Buffer overflow attacks 2. Ping of Death or ICMP flood 3. Teardrop attack 4. Flooding attack | Types of DDoS attacks: 1. Volumetric attacks 2. Fragmentation attacks 3. Application layer attacks 4. Protocol attack
3.13 SQL INJECTION
 SQL Injection attacks manipulate SQL queries by injecting malicious code, exploiting vulnerabilities in web
applications.
 Successful SQLi attacks enable attackers to alter database info, access sensitive data, perform admin tasks, and
retrieve files from the system.
 SQL injection is a web application vulnerability allowing unauthorized manipulation of a database, leading to
serious consequences like data breaches and application control.
 SQLi involves executing malicious SQL statements to control a web application's database server, bypassing
security measures, and gaining unauthorized access to sensitive data.
 Attackers exploit SQL Injection to bypass authentication and authorization, and to manipulate or retrieve the entire SQL
database content.
 SQL Injection vulnerabilities can affect websites using SQL databases (MySQL, Oracle, SQL Server), leading to
unauthorized access and potential compromise of sensitive data.
 Criminals use SQL Injection for unauthorized access to customer information, personal data, trade secrets,
intellectual property, posing one of the oldest and most dangerous web vulnerabilities.

How an SQL Injection Attack is Performed


SQL Injection attacks are performed by exploiting vulnerabilities in web applications that allow user input to be directly
included in SQL queries without proper validation or sanitisation.
Some general steps of an SQL Injection attack are:
1. Identify Vulnerable User Inputs: The attacker examines the web application or web page to identify inputs, such
as form fields or URL parameters, where user-supplied data is used in SQL queries.
2. Craft a Malicious Payload: The attacker constructs a specially crafted input or payload that includes SQL code.
This code is designed to manipulate the SQL query's logic or structure to achieve unintended actions.
3. Inject the Payload: The attacker submits the malicious payload through the vulnerable user input. The application
may not properly validate or sanitise the input, allowing the malicious SQL code to be executed.
4. Execute Malicious SQL Commands: The application processes the input and incorporates the malicious SQL
code into the query. The database server then executes the modified query, which can lead to various unauthorised
actions.
5. Exploit the Vulnerability: Depending on the success of the attack, the attacker can perform actions such as
extracting sensitive information, modifying or deleting data, gaining unauthorised access to the application or
database, or even executing operating system commands.

Reasons for SQL Injection attacks


SQL Injection attacks are performed for various reasons:
1. Unauthorised Data Access: Attackers may exploit SQL Injection to bypass authentication mechanisms and gain
access to sensitive data stored in the database. This can include personal information, credentials, financial data, or
any other valuable information.
2. Data Manipulation: By modifying SQL queries, attackers can manipulate or alter data in the database. They may
change account balances, modify records, insert malicious data, or delete important information.
3. Privilege Escalation: SQL Injection can allow attackers to elevate their privileges within the application or
database. They may gain administrative access, enabling them to perform actions reserved for privileged users.
4. Application Disruption: Attackers may use SQL Injection to disrupt the normal functioning of an application or
database. This can involve deleting or corrupting data, causing application crashes, or rendering the system
unavailable.
5. Network Exploitation: In some cases, SQL Injection can be used as an initial attack vector to gain access to the
underlying network. By executing operating system commands through SQL queries, an attacker can exploit
vulnerabilities in other systems or launch further attacks within the network.

Notable SQL Injection Vulnerabilities


 Tesla vulnerability: in 2014, security researchers publicised that they were able to breach the website of Tesla
using SQL injection, gain administrative privileges and steal user data.
 Cisco vulnerability: In 2018, an SQL injection vulnerability was discovered within Cisco Prime License Manager.
The vulnerability allowed attackers to gain shell access to systems on which the license manager was deployed.
Cisco has patched the vulnerability.
 Fortnite vulnerability: Fortnite is an online game with over 350 million users. In 2019, an SQL injection vulnerability
was discovered which could let attackers access user accounts. The vulnerability was patched.

Preventing SQL Injection attacks


Preventing SQL Injection attacks requires implementing security measures at various levels of your application. Here are
some preventive measures you can take to protect against SQL Injection attacks:
 Input Validation and Sanitisation: Always validate and sanitise user input before using it in SQL queries. Use
parameterised queries or prepared statements to separate the SQL logic from user input. This helps prevent
malicious SQL code from being executed.
 Use Parameterized Queries or Prepared Statements: Instead of directly embedding user input into SQL queries,
use parameterised queries or prepared statements provided by your programming language or framework. These
techniques ensure that user input is treated as data rather than executable code.
 Least Privilege Principle: Limit the privileges and permissions of database accounts used by your application.
Use separate accounts with the minimum required privileges for different tasks. This helps to minimise the potential
damage an attacker can cause if SQL Injection vulnerability is successfully exploited.
 Secure Coding Practices: Follow secure coding guidelines and practices to minimise the risk of introducing SQL
Injection vulnerabilities. Avoid dynamic SQL queries and instead use parameterised queries or prepared statements.
Regularly update and patch your application's code to address any security vulnerabilities.
 Web Application Firewall (WAF): Implement a WAF that can detect and block SQL Injection attempts. WAFs
can analyse incoming requests and block any malicious SQL code before it reaches the database.
 Limit Database Error Messages: Configure your database server to display generic error messages instead of
detailed error messages that may expose sensitive information about your database structure.
 Regular Security Audits and Penetration Testing: Conduct regular security audits and penetration testing to
identify and address SQL Injection vulnerabilities in your application. This helps ensure that your application
remains secure and protected against evolving attack techniques.
 Keep Software and Libraries Updated: Regularly update your application's software dependencies, frameworks,
and libraries to ensure you are benefiting from the latest security patches and fixes.

3.14 BUFFER OVERFLOW


 A buffer is a temporary area for data storage. When more data (than was originally allocated to be stored) gets
placed by a program or system process, the extra data overflows. It causes some of that data to leak out into other
buffers, which can corrupt or overwrite whatever data they were holding.
 In a buffer-overflow attack, the extra data sometimes holds specific instructions for actions intended by a hacker or
malicious user; for example, the data could trigger a response that damages files, changes data or unveils private
information.
 An attacker would use a buffer-overflow exploit to take advantage of a program that is waiting on a user's input.
 There are two types of buffer overflows: stack-based and heap-based. Heap-based overflows, which are difficult to execute
and the less common of the two, attack an application by flooding the memory space reserved for a program.
Stack-based buffer overflows, which are more common among attackers, exploit applications and programs by
using the stack, a memory space used to store user input.
Buffer Overflow Consequences
Common consequences of a buffer overflow attack include the following:
1. System crashes: A buffer overflow attack will typically lead to the system crashing. It may also result in a lack of
availability and programs being put into an infinite loop.
2. Access control loss: A buffer overflow attack will often involve the use of arbitrary code, which is often outside
the scope of programs' security policies.
3. Further security issues: When a buffer overflow attack results in arbitrary code execution, the attacker may use it
to exploit other vulnerabilities and subvert other security services.

Types of Buffer Overflow Attacks


There are several types of buffer overflow attacks that attackers use to exploit organisations' systems. The most common
are:
1. Stack-based buffer overflows: This is the most common form of buffer overflow attack. The stack-based approach
occurs when an attacker sends data containing malicious code to an application, which stores the data in a stack
buffer. This overwrites the data on the stack, including its return pointer, which transfers control to the
attacker.
2. Heap-based buffer overflows: A heap-based attack is more difficult to carry out than the stack-based approach. It
involves the attacker flooding a program's memory space beyond the memory it uses for current runtime operations.
3. Format string attack: A format string exploit takes place when an application processes input data as a command
or does not validate input data effectively. This enables the attacker to execute code, read data in the stack, or cause
segmentation faults in the application. This could trigger new actions that threaten the security and stability of the
system.
4. Integer overflow: Although not strictly a buffer overflow, integer overflow vulnerabilities can lead to buffer
overflows. Integer overflow occurs when the result of an arithmetic operation exceeds the maximum value that can
be stored in the variable's data type. This can result in buffer overflows if the resulting value is used to allocate or
copy data into a buffer without proper bounds checking.
Preventing buffer overflow attacks
Preventing buffer overflow attacks requires a combination of secure coding practices and runtime protections, including:
 Input validation and sanitisation: Ensure that all user inputs are properly validated, sanitised, and checked for
length and format before being used in buffer operations.
 Bounds checking: Always perform bounds checking to ensure that data being written to a buffer does not exceed
its allocated size.
 Use secure coding practices: Employ secure coding techniques, such as using safe string functions (e.g., strncpy
instead of strcpy) and avoiding the use of unsafe functions prone to buffer overflows.
 Regularly update and patch software: Keep software, operating systems, and libraries up to date with the latest
security patches to address known vulnerabilities.
 Conduct security testing: Perform regular security testing, including static code analysis and dynamic
vulnerability scanning, to identify and fix potential buffer overflow vulnerabilities.
 Implement runtime protection mechanisms: Use runtime protection mechanisms, such as stack overflow
protection, heap integrity checks, and code execution flow integrity checks, to detect and prevent buffer overflow
attacks at runtime.
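Item 4 above (integer overflow) and the "bounds checking" advice deserve a concrete demonstration of how a bounds check can be present and still fail. The following added example (not from the course notes) models, in Python, a C routine that computes count * element_size in a 32-bit integer and compares the wrapped result against the buffer size; the copy that follows then writes the real number of bytes and runs past the buffer into whatever sits after it. Python integers do not wrap, so the 32-bit arithmetic is modelled with an explicit mask, and the "memory" is a constructed bytearray: a 64-byte buffer followed by an 8-byte marker that plays the role of adjacent stack or heap data (the same idea as a stack canary). The safe version checks the operands before multiplying, so no wrap-around is possible.

```python
"""Why a bounds check can pass and a buffer still overflow: integer overflow.

Added example (not from the course notes). The memory layout and the
inputs are constructed; MASK32 mimics uint32_t wrap-around.
"""
MASK32 = 0xFFFFFFFF
BUF_SIZE = 64
CANARY = b"\xaa" * 8  # constructed marker placed right after the buffer


class Memory:
    """Contiguous region: the buffer, then the value that sits immediately after it."""

    def __init__(self):
        self.region = bytearray(BUF_SIZE) + bytearray(CANARY)

    @property
    def buf(self):
        return bytes(self.region[:BUF_SIZE])

    def neighbour_intact(self):
        # Like a stack canary check: if the bytes after the buffer changed, something overflowed.
        return bytes(self.region[BUF_SIZE:]) == CANARY


def copy_elements_unsafe(mem, count, elem_size, data):
    """Mirrors a C routine that computes `count * elem_size` in a uint32_t
    and compares the (possibly wrapped) result against the buffer size."""
    total32 = (count * elem_size) & MASK32   # wraps exactly like uint32_t
    if total32 > BUF_SIZE:
        return "rejected"
    # The copy loop writes the real byte count it is handed; here it is limited
    # only by the data supplied and the size of the modelled region.
    n = min(count * elem_size, len(data), len(mem.region))
    mem.region[:n] = data[:n]
    return "copied"


def copy_elements_safe(mem, count, elem_size, data):
    """Check the operands before multiplying, so no wrap-around can occur,
    and never copy more than the caller actually supplied."""
    if elem_size <= 0 or count < 0 or count > BUF_SIZE // elem_size:
        return "rejected"
    total = count * elem_size
    if total > len(data):
        return "rejected"
    mem.region[:total] = data[:total]
    return "copied"


def demo():
    """Run both routines on the same input; return (result, neighbour intact) for each."""
    count, elem_size = 0x40000001, 4          # 0x40000001 * 4 == 0x1_0000_0004; low 32 bits == 4
    payload = b"A" * (BUF_SIZE + len(CANARY))  # constructed: enough bytes to run past the buffer
    m1, m2 = Memory(), Memory()
    return (
        (copy_elements_unsafe(m1, count, elem_size, payload), m1.neighbour_intact()),
        (copy_elements_safe(m2, count, elem_size, payload), m2.neighbour_intact()),
    )


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe routine:", unsafe)   # ('copied', False): the check passed, the neighbour was overwritten
    print("safe routine:  ", safe)     # ('rejected', True)
```

The unsafe routine accepts the request because 4 is well under 64, then overwrites the marker after the buffer; the safe routine rejects it because 0x40000001 elements cannot fit in 64 bytes no matter what the product is. Ordinary inputs (for example 4 elements of 4 bytes) are copied by both.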

3.15 WIRELESS ATTACK


A wireless attack involves identifying and examining the connections between all devices connected to the business's Wi-Fi.
These devices include laptops, tablets, smartphones, and any other Internet of Things (IoT) devices. This attack refers to the
unauthorised exploitation of vulnerabilities in wireless networks or devices to gain unauthorised access, intercept data, or
disrupt network communication.
Types of Wireless Attack
Some common types of wireless attacks are:
1. Wi-Fi Eavesdropping: Attackers can eavesdrop on wireless network traffic to intercept sensitive information, such
as usernames, passwords, or financial data. This can be done through techniques like sniffing unencrypted network
traffic or exploiting weak encryption protocols.
2. Rogue Access Points: Attackers can set up rogue access points that mimic legitimate Wi-Fi networks. When users
connect to these malicious access points, the attacker can intercept their data or launch further attacks.
3. Wi-Fi Password Cracking: Attackers can attempt to crack Wi-Fi passwords using techniques like brute-forcing,
dictionary attacks, or exploiting weak password configurations. Once they gain access, they can eavesdrop on
network traffic or gain unauthorised access to connected devices.
4. Denial-of-Service (DoS) Attacks: Attackers can flood a wireless network with a high volume of traffic or exploit
vulnerabilities in network protocols to disrupt or disable the network. This can result in network downtime,
preventing legitimate users from accessing the network or services.
5. Man-in-the-Middle (MitM) Attacks: In a MitM attack, an attacker intercepts and alters communication between
two parties without their knowledge. In a wireless network, attackers can position themselves between the victim
and the legitimate network, allowing them to intercept and manipulate data.
6. Evil Twin Attacks: In an evil twin attack, an attacker sets up a fake Wi-Fi network that appears to be legitimate.
When users unknowingly connect to the attacker's network, the attacker can intercept their data or perform other
malicious activities.
7. Jamming: Attackers can use jamming devices to disrupt wireless signals, rendering the network or specific devices
unable to connect or transmit data. This can be done by transmitting interference on the same frequency as the
targeted wireless network.
8. Packet sniffing: Packet sniffing is the act of gaining access to raw network traffic. Packet sniffers, such as
Wireshark, detect, monitor and gather network packets. While packet sniffing is a legitimate activity, packet sniffers
can also be used by attackers to spy on network traffic.
9. Spoofing attacks: Spoofing attacks involve malicious actors pretending to be legitimate users or services. Types
of spoofing attacks include the following:
 MAC address spoofing happens when attackers detect network adapter MAC addresses on authorised devices
and attempt to start new connections impersonating the authorised devices.
 Frame spoofing, also known as frame injection, occurs when attackers send malicious frames that appear to
be from legitimate senders.
 IP spoofing takes place when attackers use modified IP packets to hide where the packets originate.
 Data replay occurs when attackers capture wireless data transmission, modify the transmission and resend the
modified transmission to a target system.
 Authentication replay occurs when attackers capture authentication exchanges between users and
subsequently reuse those exchanges in malicious activities.

Prevention of wireless attacks


To prevent wireless attacks, consider implementing the following security measures:
1. Use Strong Encryption: Implement strong encryption protocols like WPA2 or WPA3 to secure your wireless
network. Avoid using weak or outdated encryption standards.
2. Secure Wi-Fi Passwords: Use long, complex, and unique passwords for your Wi-Fi network to make it harder for
attackers to crack them. Regularly update passwords and avoid using default or easily guessable passwords.
3. Enable Network Segmentation: Segment your wireless network into different virtual LANs (VLANs) to isolate
sensitive devices or services from other network segments. This can help contain potential attacks.
4. Disable Unused Network Services: Disable unnecessary network services or protocols to minimize potential
attack vectors. Only enable the services required for your network's operation.
5. Use Intrusion Detection/Prevention Systems (IDS/IPS): Implement IDS/IPS solutions to detect and block
suspicious network activity or known attack signatures.
6. Regularly Update Firmware: Keep your wireless devices, routers, and access points up to date with the latest
firmware updates. This helps patch security vulnerabilities and improve device security.
7. Monitor Network Activity: Regularly monitor network traffic and logs for any suspicious or unauthorised activity.
This can help detect potential attacks early.
By implementing these preventive measures and maintaining strong wireless network security practices, you can reduce
the risk of wireless attacks and protect your network and connected devices from unauthorised access or data interception.
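The monitoring advice above (items 1, 5 and 7) can be made concrete by comparing what is seen on the air against an inventory of the access points you actually own. The following added example (not from the course notes) audits a list of scan results: an unknown BSSID advertising one of your SSIDs is the signature of a rogue access point or evil twin, a known BSSID advertising a different security mode than it was configured with suggests the BSSID is being spoofed, and open, WEP or WPA(1) networks are flagged as weak. The inventory, BSSIDs and scan results are constructed; networks that are not in the inventory are ignored, since neighbouring networks are not yours to police.

```python
"""Auditing a Wi-Fi scan against an inventory of authorised access points.

Added example (not from the course notes). The inventory and the scan
results are constructed stand-ins for data a wireless IDS would collect.
"""

# Constructed inventory: SSID -> {BSSID: configured security mode}.
AUTHORISED = {
    "CorpWiFi": {"00:11:22:33:44:55": "WPA3", "00:11:22:33:44:56": "WPA3"},
    "CorpGuest": {"00:11:22:33:44:57": "WPA2"},
}
WEAK_MODES = {"OPEN", "WEP", "WPA"}


def audit_scan(scan, authorised=AUTHORISED):
    """scan: list of dicts with ssid, bssid, security, channel.

    Returns (finding, bssid, detail) tuples in scan order."""
    findings = []
    for ap in scan:
        ssid, bssid, sec = ap["ssid"], ap["bssid"].lower(), ap["security"].upper()
        known = authorised.get(ssid)
        if known is None:
            continue  # not one of our SSIDs
        expected = known.get(bssid)
        if expected is None:
            findings.append(("rogue-ap-or-evil-twin", bssid, f"unknown BSSID advertising {ssid!r}"))
        elif sec != expected.upper():
            findings.append(("security-mode-mismatch", bssid, f"expected {expected}, saw {sec}"))
        if sec in WEAK_MODES:
            findings.append(("weak-encryption", bssid, sec))
    return findings


SCAN = [  # constructed scan results
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:55", "security": "WPA3", "channel": 36},
    {"ssid": "CorpWiFi", "bssid": "DE:AD:BE:EF:00:01", "security": "OPEN", "channel": 6},   # evil twin
    {"ssid": "CorpGuest", "bssid": "00:11:22:33:44:57", "security": "WEP", "channel": 11},  # downgraded
    {"ssid": "CoffeeShop", "bssid": "AA:BB:CC:DD:EE:FF", "security": "OPEN", "channel": 1},  # not ours
]


if __name__ == "__main__":
    for finding in audit_scan(SCAN):
        print(*finding)
```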
3.16 INTRODUCTION TO PHISHING
 Phishing attacks are a type of cyber-attack that involves tricking individuals into revealing sensitive information,
such as login credentials, credit card numbers, or personal details.
 These attacks typically occur through fraudulent e-mails, instant messages, or websites that impersonate legitimate
organizations or individuals.
 The term "phishing" is derived from the word "fishing" because attackers use lures to bait unsuspecting victims
into divulging their confidential information.
 In a phishing attack, the attacker poses as a trusted entity, such as a well-known brand, a financial institution, or a
government agency, to deceive the victim into believing that they are interacting with a legitimate source.
 The attacker often employs social engineering techniques to manipulate the victim's emotions or create a sense of
urgency, making them more likely to fall for the scam.
 The main objective of a phishing attack is to obtain sensitive information for malicious purposes, such as identity
theft, financial fraud, or unauthorised access to accounts.
 Attackers can use the stolen information to gain unauthorised access to the victim's accounts, make fraudulent
transactions, or sell the information on the dark web.
Phishing attacks can take various forms, including:
1. E-mail Phishing: Attackers send e-mails that appear to be from a legitimate source, such as a bank or an online
service, requesting the recipient to click on a link or provide personal information.
2. Spear Phishing: This type of attack targets specific individuals or organisations and involves customised messages
that are tailored to the victim's interests or circumstances. Attackers often gather personal information about the
target to make the phishing attempt more convincing.
3. Smishing: Attackers use SMS or text messages to deceive victims into clicking on malicious links or providing
sensitive information. These messages often appear to be urgent or related to an ongoing situation.
4. Vishing: In vishing attacks, attackers use voice calls to impersonate trusted organisations or individuals and trick
victims into revealing their personal information over the phone.
5. Pharming: This attack involves redirecting victims to fraudulent websites that mimic legitimate ones. The goal is
to capture sensitive information, such as login credentials or credit card details, when victims unknowingly enter
them on the fake website.
6. Clone Phishing: In clone phishing attacks, attackers create a replica of a legitimate e-mail or website and replace
certain elements with malicious ones. They then send the cloned version to the victim, typically after a genuine e-
mail or website interaction. The goal is to trick the victim into believing that the cloned version is legitimate and
convince them to click on malicious links or provide sensitive information.
7. Man-in-the-Middle (MitM) Phishing: In MitM phishing attacks, attackers position themselves between the victim
and a legitimate website or service. They intercept the communication, capture the victim's credentials or sensitive
information, and then forward the victim to the genuine website to avoid suspicion.
To protect against phishing attacks, it is important to:
• Be cautious when clicking on links or downloading attachments from unsolicited e-mails or messages.
• Verify the authenticity of websites by checking for secure connections (https://) and examining the URL for any
unusual or misspelled domain names.
• Avoid providing personal information or login credentials in response to unsolicited requests.
• Keep software, browsers, and security applications up to date to mitigate potential vulnerabilities that attackers may
exploit.
• Enable multi-factor authentication (MFA) whenever possible to add an extra layer of security to accounts.
• Educate and raise awareness among users about phishing techniques, warning signs, and best practices for safe
online behaviour.
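The advice above to check for https:// and to look for misspelled or unusual domain names can be turned into an automated screening step, for example in a mail gateway or a browser extension. The following Python program is an added example written for this unit; it is not code from the original text. It applies a handful of the warning signs discussed in this section to a URL: a non-https scheme, an "@" that hides the real host, a bare IP address instead of a domain, a punycode (xn--) label, deep subdomain nesting, and a registrable domain that is a near-miss spelling of a trusted one (digits swapped for letters, or one or two characters changed). The trusted domains and the sample URLs are constructed for illustration and are not real sites.

```python
"""Heuristic phishing-indicator checks for URLs.

Added example for this unit, not part of the original text. The
TRUSTED_DOMAINS list and the sample URLs below are constructed.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Constructed list of domains the checker treats as trusted brands (assumption).
TRUSTED_DOMAINS = ["example-bank.com", "acme-pay.net"]

# Digit-for-letter substitutions commonly used in lookalike domain names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def _registrable(host: str) -> str:
    """Rough registrable domain: the last two labels of the hostname."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip_literal(host: str) -> bool:
    """True when the host part is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of trusted names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(url: str, trusted=TRUSTED_DOMAINS) -> List[str]:
    """Return human-readable warnings for a URL; an empty list means nothing fired."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append("connection is not https")
    if parts.username is not None:
        warnings.append("'@' in URL: the text before it is a username, the real host follows it")
    if _is_ip_literal(host):
        warnings.append("host is an IP address rather than a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: internationalised characters may imitate a trusted name")
    if host.count(".") >= 4:
        warnings.append("unusually deep subdomain nesting")

    reg = _registrable(host)
    for brand in trusted:
        brand = brand.lower()
        if reg == brand:
            continue  # exactly the trusted domain, or a subdomain of it
        label = brand.split(".")[0]
        if label in host:
            # e.g. example-bank.com.account-verify.net: brand name in a subdomain only
            warnings.append(f"trusted name '{label}' appears on unrelated domain '{reg}'")
            continue
        candidate = reg.split(".")[0].translate(CONFUSABLES)
        if _edit_distance(candidate, label) <= 2:
            warnings.append(f"'{reg}' looks like trusted domain '{brand}'")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate, the rest carrying typical indicators.
    for sample in [
        "https://www.example-bank.com/login",
        "http://examp1e-bank.com/login",
        "https://example-bank.com.account-verify.net/",
        "https://www.example-bank.com@evil.net/",
        "http://192.168.0.1/secure",
    ]:
        print(sample, "->", phishing_indicators(sample) or ["no indicators"])
```

The checks are heuristics, not proof: a legitimate site can trip the nesting or edit-distance rules, and a phishing page hosted on a plain, freshly registered domain trips none of them. In practice such a screen is one signal alongside reputation lists, certificate checks and user training, and the edit-distance threshold should be tuned to the length of the brand names being protected.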

3.17 INTRODUCTION TO IDENTITY THEFT
• Identity theft is a malicious act wherein an individual appropriates someone else's personal information and exploits
it for personal gain, often without obtaining the rightful consent of the owner.
• Identity theft, also known as ID theft, is a type of crime in which an individual's personal and sensitive information
is stolen and fraudulently used by someone else.
• It involves the unauthorised acquisition and use of another person's identifying information, such as their name,
Social Security number, credit card details, or other personally identifiable information (PII).
• Identity theft can have severe consequences for victims, including financial losses, damage to their credit history,
and emotional distress.

Once an identity thief gains access to someone's personal information, they can use it to commit various fraudulent
activities, such as:
1. Financial Fraud: Identity thieves may use stolen information to open new credit card accounts, apply for loans,
or make unauthorised purchases. They may also drain victims' bank accounts or engage in fraudulent financial
transactions, leaving victims responsible for the charges.
2. Identity Fraud: Identity thieves may assume the victim's identity to obtain government benefits, secure
employment, or even commit crimes, leaving the victim with potential legal consequences.
3. Medical Identity Theft: Thieves may use stolen identities to obtain medical services, prescription drugs, or file
fraudulent insurance claims. This can lead to incorrect medical records, denial of insurance coverage, or even
endanger the victim's health if incorrect information is added to their medical history.
4. Tax Fraud: Identity thieves can use stolen information to file fraudulent tax returns to claim refunds or tax credits,
resulting in financial loss and potential legal issues for the victim.
5. Social Engineering: Identity thieves may use stolen information to manipulate individuals or organisations into
disclosing more personal or financial data. They may impersonate the victim or use their personal information to
gain trust and deceive others.

To protect yourself from identity theft, consider the following preventive measures:
1. Safeguard Personal Information: Keep personal documents and sensitive information in a secure place, and avoid
sharing personal details unless necessary. Be cautious when providing personal information online or over the
phone, especially to unknown or untrusted sources.
2. Use Strong Passwords: Create strong and unique passwords for all online accounts, and enable multi-factor
authentication whenever possible. Regularly update passwords and avoid using easily guessable information, such
as birthdates or names.
3. Secure Online Activities: Be cautious when accessing websites and ensure that they are secure (look for the
padlock symbol and "https" in the URL). Avoid clicking on suspicious links or downloading attachments from
unknown sources.
4. Monitor Financial Accounts: Regularly review bank statements, credit card bills, and other financial accounts for
any unauthorised activity. Report any discrepancies or suspicious charges immediately to the respective financial
institutions.
5. Protect Personal Devices: Keep your computer, smartphone, and other devices secure by installing reputable
antivirus software, keeping them up to date with the latest security patches, and avoiding downloading apps or
software from untrusted sources.
6. Shred Sensitive Documents: Before discarding any documents containing personal information, use a cross-cut
shredder to ensure that the information cannot be retrieved.
7. Check Credit Reports: Regularly check your credit reports from major credit bureaus to identify any suspicious
or unauthorised activities. You are entitled to a free annual credit report from each bureau.
8. Be Wary of Phishing Attempts: Be cautious of unsolicited e-mails, messages, or phone calls requesting personal
information. Avoid clicking on links or providing sensitive information unless you can verify the legitimacy of the
source.

3.17.1 Types of Identity Theft
There are several types of identity theft that individuals should be aware of:
1. Criminal Identity Theft: In this type of theft, the victim's identity is used by a criminal to commit illegal activities.
The criminal may provide false identification documents, such as an ID, using the victim's information, leading to
the victim being wrongfully charged.
2. Senior Identity Theft: Seniors over the age of 60 are often targeted by identity thieves. These thieves send
deceptive information to seniors, tricking them into providing personal information that can be used for fraudulent
purposes. Seniors should be cautious and vigilant to avoid becoming victims.
3. Driver's License ID Identity Theft: This is one of the most common forms of identity theft. The thief uses the
victim's driver's license information, including name, address, and date of birth, to apply for loans, credit cards, or
even open bank accounts in the victim's name.
4. Medical Identity Theft: In this type of theft, the victim's health-related information is stolen and used to create
fraudulent medical services. This can result in the victim being billed for services they did not receive or have a
false medical history created.
5. Tax Identity Theft: Identity thieves target victims' tax-related information, such as their Employer Identification
Number, to file fraudulent tax returns and claim refunds. Victims may only become aware of this when they attempt
to file their own tax returns or receive notices from the tax authorities.
6. Social Security Identity Theft: Thieves aim to obtain the victim's Social Security Number (SSN), which grants
access to personal information and poses a significant threat to the individual's identity.
7. Synthetic Identity Theft: In this type of theft, thieves combine information from multiple sources to create a new
identity. This can lead to multiple victims being affected by the fraudulent activities carried out using the synthetic
identity.
8. Financial Identity Theft: This is the most common type of identity theft, where stolen credentials are used to gain
financial benefits. Victims may only realise they have been targeted when they carefully review their account
balances.

Techniques of Identity Theft:
Identity thieves employ various techniques to carry out their crimes. Some common techniques include:
1. Pretext Calling: Thieves pretend to be employees of a company and contact victims over the phone, requesting
financial information under false pretences.
2. Mail Theft: Thieves steal credit card information and transactional data from public mailboxes.
3. Phishing: Thieves send deceptive e-mails, often impersonating banks, and trick victims into revealing their
personal information or downloading malware.
4. Internet Exploitation: Attackers take advantage of public networks and use spyware to gather personal
information from users who connect to these networks.
5. Dumpster Diving: Thieves search through discarded documents, such as bank statements or credit card bills, to
find personal information that has not been properly disposed of.
6. Card Verification Value (CVV) Code Requests: Attackers may pose as bank officials and request the CVV code
located on the back of debit cards, claiming it is for transaction security.

Steps to Prevent Identity Theft:
To enhance security and prevent identity theft, individuals can follow these steps:
1. Use strong passwords and avoid sharing PINs with anyone.
2. Enable two-factor authentication for e-mail accounts.
3. Secure all devices with passwords or biometric authentication.
4. Only install software from trusted sources.
5. Avoid posting sensitive information on social media.
6. Verify the authenticity of payment gateways when entering passwords.
7. Minimise the personal information carried on a daily basis.
8. Regularly change PINs and passwords.
9. Avoid disclosing personal information over the phone.
10. Be cautious about sharing personal information with strangers while travelling.
11. Avoid sharing Aadhaar/PAN numbers (in India) or SSNs (in the US) with unknown or untrusted individuals.
12. Limit the amount of personal information made public on social media accounts.
13. Never share Aadhaar OTPs received on phones with anyone over a call.
14. Be cautious of unnecessary OTP SMS related to Aadhaar, as it may indicate a security breach.
15. Avoid filling out personal data on websites that promise benefits in return.
16. Stay informed and knowledgeable about personal security practices.
By following these preventive measures, individuals can reduce the risk of falling victim to identity theft and protect their
personal information from unauthorised access.