Z - Cybersecurity Unit 2

The document discusses various tools and techniques used for cyber attacks including proxy servers, phishing, password cracking, keyloggers, spyware, viruses, and worms. It describes how attackers typically perform reconnaissance, probe networks, exploit vulnerabilities, capture networks, steal data, and cover their tracks in launching attacks.

Uploaded by blogsbyzm

Unit 2

Tools and Methods used in Cyber Crime: Introduction, Proxy Servers and Anonymizers, Phishing,
Password Cracking, Key loggers and Spywares, Virus and Worms, Trojan horses and Backdoors,
Steganography, DoS and DDoS attacks.

Phishing and Identity Theft: Introduction, Phishing, Identity Theft (ID Theft).

(pg 125) Attackers target computer systems through many different forms of attack, and they use
a wide range of tools, techniques and often complex methodologies to launch these attacks against
their targets.

The computer is an indispensable tool for almost all cybercrimes.


Network attack incidents reveal that attackers are often very systematic in launching their attacks.
The basic stages of an attack are described here to understand how an attacker can compromise a
network.

 Initial Uncovering – there are 2 steps involved.

First step – 'Reconnaissance': attackers gather information on the target using legitimate
means, e.g., by googling, by reading social networking websites, or by surfing the organization's
public websites if the target is an organization/institute.
Second step – attackers uncover as much information as possible about the company's
internal network, such as its internet domain names, machine names and the company's internet
protocol (IP) address ranges (DNS and WHOIS lookups are the usual sources).
At this stage you cannot really detect the attackers, because they haven't done anything
illegal; their information requests look like legitimate ones.

 Network Probe – use of more invasive techniques such as a "ping sweep" (to find which hosts
are alive) and a port-scanning tool (to find which services those hosts expose).
At this point as well, the attacker hasn't done anything that can be classified as an intrusion,
although the scans do show up in firewall and intrusion detection logs, which is where a
defender gets the first warning.

 Crossing the line toward electronic crime (E-crime) – the attacker starts exploiting possible
holes in the system. The textbook's examples of exploits are vulnerabilities in common gateway
interface (CGI) scripts; the easiest route is simply to try default login accounts with easily
guessable passwords. After this the attacker exploits further to obtain administrator or 'root'
access. Root is the administrator or super-user account, and it grants the privilege to do
anything on the system.

 Capturing the network – the attacker attempts to "own" the network, starting by compromising
low-priority target systems.
The next step is to remove any evidence. The attacker installs a set of tools (commonly called a
rootkit) that replace existing files and services with Trojan versions that contain a backdoor
password, so that the attacker can get back in at will. In this way the attacker "captures" the
network.

 Grab the Data – stealing confidential data and launching attacks at other sites from the
compromised network.

 Covering tracks – extending the misuse of the system without being detected (e.g. by clearing
or editing logs).

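The Network Probe stage above is the first point at which a defender can actually see the attacker. The following is an added example (it is not from the original notes or the textbook): it parses constructed firewall log lines in a simplified iptables LOG format (the format, the addresses and the thresholds are all assumptions) and flags a ping sweep and a port scan while leaving a normal client alone.

```python
"""Detect the 'Network Probe' stage (ping sweep / port scan) in firewall logs.

Added example, not from the original notes. The log format is a simplified
iptables LOG line (assumption); the addresses and thresholds are constructed.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def _line(src, dst, proto, **extra):
    """Build one constructed log line in the assumed KEY=VALUE format."""
    tail = " ".join(f"{k}={v}" for k, v in extra.items())
    return f"Jan 10 10:00:01 fw kernel: DROP IN=eth0 SRC={src} DST={dst} PROTO={proto} {tail}"


# Constructed sample: 203.0.113.9 pings 8 hosts, then scans 12 ports on one of them;
# 198.51.100.5 is a normal client that only ever talks to port 443.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.9", f"192.0.2.{i}", "ICMP", TYPE=8, CODE=0) for i in range(1, 9)]
    + [_line("203.0.113.9", "192.0.2.10", "TCP", SPT=40000 + p, DPT=p)
       for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389)]
    + [_line("198.51.100.5", "192.0.2.10", "TCP", SPT=51000, DPT=443)] * 3
)


def parse_line(line):
    """Return the KEY=VALUE fields of a log line, or None if it is not a packet record."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields and "DST" in fields else None


def detect_probes(log_text, port_threshold=10, host_threshold=5):
    """Flag sources that hit many distinct ports on one host (port scan) or send ICMP
    echo requests to many distinct hosts (ping sweep). Thresholds are assumptions."""
    ports_seen = defaultdict(set)    # (src, dst) -> distinct destination ports
    hosts_pinged = defaultdict(set)  # src -> distinct hosts sent an echo request
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            hosts_pinged[f["SRC"]].add(f["DST"])
        elif f.get("PROTO") in ("TCP", "UDP") and "DPT" in f:
            ports_seen[(f["SRC"], f["DST"])].add(int(f["DPT"]))
    alerts = []
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= port_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    for src, hosts in hosts_pinged.items():
        if len(hosts) >= host_threshold:
            alerts.append(("ping_sweep", src, "", len(hosts)))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src, dst, count in detect_probes(SAMPLE_LOG):
        print(f"{kind}: {src} -> {dst or 'many hosts'} ({count})")
```

The detector keys on distinct ports per (source, destination) pair and distinct hosts per source rather than on raw packet counts, so a busy legitimate client that sends hundreds of packets to one port never trips it; a real deployment would add a time window so that a slow scan spread over days is not missed.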

Proxy Servers and Anonymizers (pg 129)
 A proxy server acts as an intermediary between a user's device and other servers on a
network.
 Attackers can use a proxy server to connect to a target system anonymously: the target only
sees the proxy's IP address, which conceals the attacker's identity and the origin of the attack.
 The client connects to the proxy server, which evaluates and fulfils requests for services or
resources from different servers on behalf of the client.
 Proxy servers serve various purposes, including enhancing security by keeping internal
systems hidden, speeding up access to resources through caching, and filtering unwanted
content such as ads.
 They can also function as IP address multiplexers, enabling multiple computers to connect to
the internet with a single IP address.
 Proxy servers offer the advantage of cache memory, improving user response time by storing
frequently requested content.
 Note that the proxy itself still sees the real client address, so the anonymity only holds as
long as the proxy operator does not keep or hand over logs; this is why attackers chain several
proxies or use dedicated anonymizer services.

Phishing (pg 131)
Phishing is a deceptive online tactic that involves sending fake messages, often posing as legitimate
entities like banks or businesses, to trick users into revealing personal and financial information.
These messages can also infect systems with viruses and lead to online identity theft. Phishers, or
criminals behind phishing attacks, follow a systematic process:

1. Planning: Phishers select a target, such as a specific business or individual, and gather email
addresses using mass mailing and other spam-like techniques.

2. Setup: Once the target and victims are identified, phishers create methods, including email
messages and fake webpages, to deliver the phishing attack.

3. Attack: Phishers send deceptive messages, appearing authentic, to lure users into providing
sensitive information.

4. Collection: Phishers record the information entered by victims on fake webpages or pop-up
windows.

5. **Identity Theft and Fraud**: The stolen information is then used for illegal activities, such as
making unauthorized purchases or committing fraud.

Phishing has evolved from its roots in hacking culture; with an increasing number of organizations
providing online access to their services, it has become a global threat for personal information
and identity theft.

Password Cracking (pg 132)


 A password serves as a key for accessing computerized systems, akin to a lock.
 Password cracking is the process of recovering passwords from stored or transmitted data,
usually by repeatedly guessing candidate passwords and checking them.
 The purposes of password cracking include recovering forgotten passwords, checking system
security (by administrators), and gaining unauthorized access (by attackers).
 Manual password cracking involves attempting to log in with various passwords: the attacker
picks a valid user account, ranks likely passwords and tries them one by one until one succeeds.
 Guessable passwords often involve personal information, such as names, birthdates, or
common words like "password".
 Manual guessing is slow, so attackers script it; but every guess made against the live login
(an online attack) still costs a network round trip and can be rate-limited, locked out or logged,
which keeps online guessing slow and noisy.
 Passwords are not stored in plain text: the database stores the output of a one-way function
(a cryptographic hash, ideally salted and deliberately slow), and the system verifies a login by
hashing the supplied password and comparing the result with the stored value.
 Because the hash is one-way, an attacker who obtains the stored hashes cannot read the
passwords directly, but can test millions of guesses per second offline with password-cracking
tools, which is why hashed password databases are a prime target.
 Password cracking can be classified into 3 categories: online attacks (guesses against the
live system), offline attacks (guesses against stolen hashes), and non-electronic attacks
(social engineering, shoulder surfing, dumpster diving).
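The offline case is where the storage choices above matter. The following added example (not from the notes or the textbook) runs a dictionary attack with simple mangling rules against two constructed credential stores: one with unsalted SHA-256, where one hash table cracks every user at once, and one with per-user salts and PBKDF2, where every guess must be recomputed per user and each computation is deliberately slow. The users, passwords, wordlist, suffix rules and the PBKDF2 iteration count are all assumptions of this example.

```python
"""Offline dictionary attack on stored password hashes.

Added example, not from the original notes. The credential stores, wordlist
and mangling rules are constructed; real attacks use far larger wordlists.
"""
import hashlib
import os

# Constructed 'stolen' database from a weak system that stored unsalted SHA-256.
PLAINTEXTS = {"alice": "password", "bob": "Summer2023", "carol": "x7#Qp!vL2r9z"}
WEAK_STORE = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in PLAINTEXTS.items()}

# Tiny constructed wordlist; real cracking wordlists hold millions of entries.
WORDLIST = ["123456", "password", "summer", "welcome", "letmein", "qwerty"]
ITERATIONS = 10_000  # PBKDF2 work factor for the demo (production values are higher)


def candidates(word):
    """Mangling rules as cracking tools apply them: case variants plus common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2022", "2023", "2024"):
            yield base + suffix


GUESSES = sorted({g for w in WORDLIST for g in candidates(w)})


def crack_unsalted(store, guesses):
    """Unsalted hashes: hash every guess ONCE and look every user up in the same table."""
    table = {hashlib.sha256(g.encode()).hexdigest(): g for g in guesses}
    cracked = {u: table[h] for u, h in store.items() if h in table}
    return cracked, len(guesses)  # work = one hash per guess, however many users


def pbkdf2_hex(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_store(plaintexts, iterations=ITERATIONS):
    """How a sound system stores passwords: random per-user salt + slow PBKDF2 hash."""
    store = {}
    for user, password in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, pbkdf2_hex(password, salt, iterations))
    return store


def crack_salted(store, guesses, iterations=ITERATIONS):
    """Salted + slow hashes: no shared table, every guess is re-hashed for every user.
    No early exit, so the returned work count is exactly guesses x users."""
    cracked, work = {}, 0
    for user, (salt, stored) in store.items():
        for guess in guesses:
            work += 1
            if pbkdf2_hex(guess, salt, iterations) == stored:
                cracked[user] = guess
    return cracked, work


if __name__ == "__main__":
    cracked, work = crack_unsalted(WEAK_STORE, GUESSES)
    print("unsalted SHA-256:", cracked, "hashes computed:", work)
    cracked, work = crack_salted(make_salted_store(PLAINTEXTS), GUESSES)
    print("salted PBKDF2:   ", cracked, "hashes computed:", work)
```

Both stores give up the two weak passwords, so salting and stretching do not rescue a guessable password; what they change is the cost: the salted store needs one slow hash per guess per user instead of one fast hash per guess shared by all users, and the strong password survives either way because it is simply not in the wordlist.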

Key loggers and Spywares (pg 137)


 Keystroke logging, often called keylogging, is the practice of noting (or logging) the keys
struck on a keyboard, typically in a covert manner so that the person using the keyboard is
unaware that their keystrokes are being recorded.
 A keystroke logger or keylogger is a quick and easy way of capturing passwords and of
monitoring the victim's activity on the computer. Keyloggers can be classified as software
keyloggers and hardware keyloggers.

Software Keylogger
 Software keyloggers are programs installed on computer systems, typically positioned
between the operating system and keyboard hardware, capturing and recording every
keystroke.
 They are stealthily installed by Trojans or viruses without the user's knowledge.
 Cybercriminals often target insecure computer systems in public places, like cybercafes or
libraries, to easily obtain sensitive information.
 A typical keylogger comprises two files in the same directory: a dynamic link library (DLL) file
and an executable (EXE) file.
 EXE file installs the DLL file and triggers it to work.
 The DLL file is responsible for recording keystrokes, making it a potent tool for unauthorized
access and data theft.

Hardware Keylogger
 Installing these keyloggers requires physical access to the computer system.
 Hardware keyloggers are small hardware devices.
 They are connected between the PC and the keyboard (or built into the keyboard) and save
every keystroke into a file or into the memory of the device.
 Cybercriminals install such devices on ATMs to capture ATM card PINs; each key press on the
ATM keypad is registered by the keylogger.
 These devices look like an integrated part of the machine, so bank customers are unaware of
their presence.

Antikeylogger
An antikeylogger is a tool that can detect a keylogger installed on the computer system and can
also remove it.

Advantages of using an antikeylogger are as follows:


1. Firewalls cannot detect the installation of keyloggers on a system; antikeyloggers can.

2. Unlike antivirus and antispyware programs, which stop serving their purpose if their signature
databases are not updated regularly (leaving users at risk), antikeylogger software does not
depend on regular signature updates, because it looks for keylogging behaviour rather than for
known samples.

3. It helps prevent Internet banking fraud, since passwords are easily captured by an installed
keylogger.

4. It helps prevent ID theft.

5. It secures E-Mail and instant messaging/chatting.

Spywares
 Spyware is a form of malicious software (malware) that secretly collects information about
users without their knowledge.
 It secretly monitors the user.
 It is often discreetly installed on personal computers, hidden from the user.
 In some cases, owners intentionally install spyware, such as keyloggers, on shared or public
computers to monitor other users.
 Beyond simple monitoring, spyware gathers personal information such as internet surfing
habits and visited websites.
 It can also redirect internet activity and alter computer settings, leading to problems such as
slowed internet speed.
 Anti-spyware software is available to counteract these threats; using it is common practice in
computer security to protect against the troublesome effects of spyware.

Virus and Worms (pg 143)


 A computer virus is a program that infects legitimate programs by modifying them to include
a (possibly evolved) copy of itself.
 Viruses spread without the user's knowledge or permission, affecting numerous programs
on various machines.
 Similar to biological viruses, computer viruses pass from computer to computer. They often
contain malicious instructions that can cause damage or annoyance.
 The ability to spread, combined with potentially malicious code, makes viruses a significant
concern.
 Viruses may spread without visible symptoms and can be triggered by events, by time, or
at random.

 Viruses can take some typical actions:

1. display a message to prompt an action which may set off the virus;

2. delete files inside the system into which the virus enters;

3. scramble data on a hard disk;

4. cause erratic screen behaviour;

5. halt the system (PC);

6. just replicate themselves to propagate further harm.

- Viruses can spread (a) through the Internet, (b) through a standalone computer (via removable
media), (c) through local networks.

Types of Viruses
A. Boot Sector Viruses
B. Program Viruses
C. Multipartite Viruses
D. Stealth Viruses
E. Polymorphic Viruses
F. Macro Viruses
G. Active X and Java Control

1. **Boot Sector Viruses**: These infect the storage media used to start the computer (e.g., floppy
disks, hard drives) by attacking the master boot record (MBR). They spread when infected disks are
used, potentially infecting other systems.

2. **Program Viruses**: These activate when program files are opened, making copies of themselves
and infecting other programs on the computer.

3. **Multipartite Viruses**: A combination of boot sector and program viruses, infecting both the
boot record and program files. They spread when infected programs are activated.

4. **Stealth Viruses**: Difficult to detect as they disguise themselves (camouflage or mask), altering
file sizes and concealing in computer memory. They may evade antivirus software by hiding in
memory.

5. **Polymorphic Viruses**: Act like chameleons, changing their signature each time they spread,
making them hard to detect. Polymorphic generators create new variants to evade detection.

6. **Macro Viruses**: Target applications supporting macros, like Microsoft Word and Excel. They
infect documents and spread when the documents are opened, potentially bypassing outdated antivirus software.

7. **ActiveX and Java Control**: Threats related to web browsing, where users may unwittingly
allow harmful functions like pop-ups and file downloads. Awareness and control of browser settings
are crucial to prevent such threats.

Worms
 A worm spreads itself automatically to other computers through networks by exploiting
security vulnerabilities, whereas a Trojan is a piece of program code that appears to be
harmless but hides malicious functions.
 Worms and Trojans, like viruses, may harm the system's data and performance.
 Some viruses and other malware have noticeable symptoms that enable the computer user to take
corrective action, but many viruses are surreptitious, or simply do nothing that a user would
notice.
 Some viruses do nothing beyond reproducing themselves.

Trojan Horses and Backdoors


 Think of a Trojan Horse as the trick from Greek mythology: it looks harmless on the outside,
but inside it hides something dangerous.
 Trojan Horses on computers work the same way. They pretend to be safe programs or files, but
once you open them they release their malicious payload onto your computer without you knowing.

Here are some things Trojans can do:

1. Damage your files: they can delete, change, or corrupt files on your computer.

2. Spread other malware: Trojans can install viruses or other malware to compromise more
computers.

3. Disable your defences: they can stop your antivirus or firewall programs from working so they
can keep running undetected.

4. Let others control your computer: some Trojans give attackers remote access to your computer
without your knowledge.

5. Secretly move files: they can move files around on your computer without you seeing it.

6. Steal information: Trojans can record what you type, such as passwords or credit card
numbers, and send it to the attacker (log keystrokes).

7. Display unwanted content: they can make your computer show things you don't want, such as
malicious websites or images.

8. Disrupt your computer: Trojans can slow down, restart, or shut down your computer
whenever the attacker wants.

9. Keep coming back: even if you try to remove them, Trojans can reinstall themselves and infect
your computer again.

10. Block your control: some Trojans stop you from using your computer's task manager or control
panel to fix things (disable task manager & control panel).

In short, Trojans are programs that pretend to be safe but actually cause a lot of trouble on your
computer. Be careful what you download or click on!

Backdoors
1. What's a Backdoor?

- A backdoor is a secret entrance into a computer program (or system) that bypasses the normal
security checks, such as authentication.

- Sometimes programmers put backdoors into their own programs for troubleshooting or special
access.

2. How Backdoors Are Used:

- Attackers can also use backdoors they find, or ones they plant themselves, to get into
computers.

- They work like hidden tunnels that let the attacker into your computer without you knowing.

3. What Can a Backdoor Do?

- Backdoors can do a lot of damage once they are inside your computer. They can:

- Tamper with your files: change, delete, or copy your files without you knowing.

- Control your computer: an attacker can control the hardware and make it do things like
shut down or restart.

- Steal your information: backdoors can take personal information such as passwords and send
it to the attacker.

- Spy on you: they can secretly record what you type on your keyboard or take screenshots of
what is on your screen.

- Send data out: backdoors can exfiltrate the stolen information to the attacker by email or
over the internet.

- Spread further: they can infect other files on your computer and even spread to other
computers.

- Set up hidden servers: attackers can use backdoors to run hidden servers for illegal activities.

- Slow things down: backdoors can make your internet slow, degrade your computer's
performance, and cause problems with other programs.

- Hide themselves: they are hard to find and remove because they hide from your computer's
defences.

In short, backdoors are hidden ways for attackers to get into your computer and cause a lot of
trouble. Be careful with what you download and click on to keep them out!

(pg 153) Following are a few examples of backdoor Trojans:

1. Back Orifice:

- A remote administration tool that lets someone control a Windows computer from far away,
like having a remote control for a computer you are not sitting at.

- The name is a play on Microsoft's BackOffice Server.

2. Bifrost:

- This one infects Windows computers from older versions such as Windows 95 up to Windows Vista.

- It sets up a covert connection that lets a remote attacker run any commands they want on the
infected computer, which amounts to giving someone the keys to your computer without you knowing.

3. SAP Backdoors:

- SAP is the large business software suite used to manage critical functions such as finances
and inventory.

- Backdoors in SAP let unauthorized people get into the system without permission.

- They might tamper with user accounts or with important business programs, which can be very
harmful.

4. Onapsis Bizploit:

- This one is a toolkit for testing the security of business software such as SAP (an ERP
penetration-testing framework).

- It helps security professionals find weaknesses in SAP systems so they can be fixed before
attackers find them.

How to protect your systems from Trojan Horses and backdoors:

Stay away from suspect websites/weblinks, surf the web cautiously, and install antivirus/Trojan
remover software. In more detail:

1. Be Careful Online

- Avoid suspicious websites and links that offer free or pirated software. They often hide Trojan
Horses and other malware.

- Surf the web cautiously, especially on peer-to-peer (P2P) networks. These networks are hotspots
for spreading Trojan Horses.

- Even if something you download from such a site doesn't work, your system could still have been
infected without you knowing it.

2. Use Spam Filters

- Turn on your spam filter to help block malicious emails, but remember it's not foolproof.
Spammers are always finding new ways to bypass filters.

3. Install Antivirus Software

- Get antivirus software that can also detect and remove Trojan Horses and other malware.

- There are free Trojan remover programs available online that can help keep your system safe.

- Keep your antivirus software updated regularly to ensure it can catch the latest threats.

Steganography
- Steganography is hiding a message in plain sight: it conceals the very existence of the
information, so that an observer does not notice there is anything to look for.

- The word comes from Greek, meaning "covered writing". It has been used for centuries, e.g.
writing secret messages under wax or tattooing messages on messengers' heads.

- In digital terms it means hiding data within other data, such as embedding a message in a
digital image without visibly changing how the image looks.

- Steganography helps keep data confidential (others cannot see that a hidden message exists)
and, combined with a digital watermark, supports integrity (the embedded mark reveals copying
or tampering).

Steganography can be used to make a digital watermark to detect illegal copying of digital images.
In this way it adds confidentiality and integrity to a digital signal.

Digital Watermarking:

- Digital watermarking is a bit like putting an invisible stamp on something digital, like an image,
audio file, or video.

- The original, innocent file is called the "cover" or "cover medium." It's what hides the secret
message.

- Watermarking embeds information into the digital signal, so if the signal gets copied, the hidden
info goes along with it.

- For example, digital watermarking can help detect illegal copying of digital images by embedding
identifying information that's hard to remove.

- The parts of the cover medium that can be changed without affecting it much are called
"redundant bits." These bits can be replaced with the hidden message.

In simple terms, steganography is about hiding messages so they're not obvious, and digital
watermarking is about embedding information into digital files to protect them or identify them.
They both help keep digital data safe and secure!
 Steganalysis is the art and science of detecting messages that are hidden in images,
audio/video files using steganography.
 The goal is to identify suspected packages and to determine whether or not they have a
payload encoded into them, and if possible, recover it
 Automated tools are used to detect such steganographic data/information hidden in the
image and audio and/or video files.
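The "redundant bits" idea above and the steganalysis that defeats it are easiest to see on a byte array. The following is an added example (not from the notes or the textbook): least-significant-bit (LSB) embedding of a message into a constructed 8-bit cover, extraction of it, and the chi-square "pairs of values" test of Westfeld and Pfitzmann, which detects the embedding statistically. The synthetic cover (random values biased towards even numbers, standing in for a real image's uneven statistics), the message and the 32-bit length prefix are all assumptions of this example, not part of any real tool.

```python
"""LSB steganography on an 8-bit cover, plus chi-square steganalysis.

Added example, not from the original notes. The cover is constructed, not a
real image; it only reproduces the property the attack relies on (unequal
counts of neighbouring values 2k and 2k+1).
"""
import random


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, message):
    """Replace the LSB of successive cover samples with a 32-bit length prefix + message."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message too long for this cover")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit  # only the redundant bit changes
    return bytes(stego)


def extract(stego):
    """Read the LSBs back: first the 4-byte length, then that many message bytes."""
    def read(start, nbytes):
        value = 0
        for i in range(start, start + nbytes * 8):
            value = (value << 1) | (stego[i] & 1)
        return value.to_bytes(nbytes, "big")
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def pov_chi_square(samples):
    """Chi-square 'pairs of values' statistic. LSB embedding pushes the counts of
    values 2k and 2k+1 towards each other, so a SMALLER value suggests a payload."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            stat += (hist[2 * k] - expected) ** 2 / expected
    return stat


def make_cover(n=4096, seed=1):
    """Constructed 8-bit 'image': random samples, 80% of them forced even, so the
    pairs of values are unbalanced the way a natural cover's usually are."""
    rng = random.Random(seed)
    samples = bytearray()
    for _ in range(n):
        v = rng.randrange(256)
        samples.append(v & 0xFE if rng.random() < 0.8 else v)
    return bytes(samples)


if __name__ == "__main__":
    cover = make_cover()
    secret = b"meet at dawn " * 37          # 481 bytes, fills most of the cover
    stego = embed(cover, secret)
    print("round trip ok:", extract(stego) == secret)
    print("max sample change:", max(a ^ b for a, b in zip(cover, stego)))
    print("chi-square cover: %.1f  stego: %.1f" % (pov_chi_square(cover), pov_chi_square(stego)))
```

No sample changes by more than one level, which is why the picture looks the same, yet the histogram statistic collapses once the LSB plane carries message bits: that is exactly the pattern steganalysis tools look for. Encrypting or compressing the message before embedding hides its content but not this statistical footprint; only embedding far less than the cover's capacity, or a scheme that preserves the cover statistics, does.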

DoS and DDoS Attacks (pg 158)


DoS attacks

Classification of DoS attacks: bandwidth attacks, logic attacks, protocol attacks, unintentional
DoS attacks.

Types or levels of DoS attacks: flood attack, ping of death attack (an oversized ICMP packet),
SYN attack (a flood of half-open TCP connections that exhausts the server's connection table),
Teardrop attack (overlapping IP fragments), smurf attack (ICMP echo requests sent to a broadcast
address with the victim's spoofed source address), Nuke (malformed packets sent to crash the target).

Tools used to launch DoS attacks: Jolt2, Nemesy, Targa, Crazy Pinger, SomeTrouble.

DDoS attacks – the same flooding launched simultaneously from many compromised machines
(a botnet), so the traffic cannot be stopped by blocking a single source.

Tools used to launch DDoS attacks: Trinoo, Tribe Flood Network (TFN), Shaft, MStream.

How to protect from DoS/DDoS attacks
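The SYN attack listed above is the DoS variant a defender most often has to recognise in traffic. The following is an added example (not from the notes or the textbook): it works on constructed, simplified packet records (timestamp, source, destination, port, TCP flag) in which five clients complete the handshake and 300 spoofed sources send only SYNs, and it counts half-open connections per target. The record format, the addresses, the time window and the alert threshold are all assumptions of this example.

```python
"""Recognise a SYN flood from half-open connection counts.

Added example, not from the original notes. Records are constructed tuples
(timestamp_s, src, dst, dport, flags) with "S" = SYN and "A" = the client's
final ACK of the handshake; a real feed would come from a pcap or NetFlow.
"""
from collections import defaultdict


def synthetic_traffic():
    """Five legitimate clients that complete the handshake, then 300 spoofed SYN-only sources."""
    records, t = [], 0.0
    for i in range(1, 6):
        src = f"198.51.100.{i}"
        records.append((t, src, "192.0.2.10", 80, "S"))
        t += 0.01
        records.append((t, src, "192.0.2.10", 80, "A"))
        t += 0.01
    for i in range(300):
        src = f"198.18.{i // 256}.{i % 256}"   # spoofed, never answers the SYN-ACK
        records.append((t, src, "192.0.2.10", 80, "S"))
        t += 0.001
    return records


def half_open_by_target(records, window=1.0):
    """For each (dst, port), count SYNs not followed within `window` seconds by an ACK
    from the same source, and how many distinct sources those SYNs came from."""
    syn_at = {}        # (src, dst, dport) -> time of the last SYN
    completed = set()
    for ts, src, dst, dport, flags in sorted(records):
        key = (src, dst, dport)
        if flags == "S":
            syn_at[key] = ts
        elif flags == "A" and key in syn_at and ts - syn_at[key] <= window:
            completed.add(key)
    summary = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for key in syn_at:
        if key not in completed:
            src, dst, dport = key
            summary[(dst, dport)]["half_open"] += 1
            summary[(dst, dport)]["sources"].add(src)
    return summary


def syn_flood_alerts(records, threshold=100):
    """Alert when a target accumulates at least `threshold` half-open connections (assumed value)."""
    return sorted(
        (dst, dport, info["half_open"], len(info["sources"]))
        for (dst, dport), info in half_open_by_target(records).items()
        if info["half_open"] >= threshold
    )


if __name__ == "__main__":
    for dst, dport, half_open, sources in syn_flood_alerts(synthetic_traffic()):
        print(f"SYN flood against {dst}:{dport}: {half_open} half-open from {sources} sources")
```

Counting half-open connections rather than raw SYNs is what separates a flood from a legitimate burst, since real clients finish the handshake. The many distinct sources in the alert also tell the defender that blocking addresses will not help; the standard host-side defences are SYN cookies (the server keeps no state until the handshake completes) and per-source rate limiting, and for a distributed flood that saturates the link, upstream filtering by the provider.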

Phishing (pg 187)
Phishing is a type of deception designed to steal your identity. The phisher tries to get the user
to disclose valuable personal data, such as credit card information, by convincing the user to
provide it under false pretences. Email is a popular medium.

- spam emails: identical messages sent to numerous recipients.

Unsolicited bulk emails (UBE) – a synonym for spam.

Unsolicited commercial emails (UCE) – large quantities of advertising emails sent by commercial
senders without the recipients' consent.

- hoax emails: deceive an individual into believing something is real when the hoaxer knows it is
false.

Methods of phishing –
1. **Dragnet**: This method involves sending out mass emails with falsified corporate identification
to a large group of people, such as customers of a specific financial institution or members of an
auction site. Victims are prompted to click on links in the email that lead to fraudulent websites or
pop-up windows where they are asked to enter sensitive information like bank or credit card details.

2. **Rod-and-reel**: Phishers target specific individuals by conveying false information to prompt
them to disclose personal and financial data. For example, they may create fake webpages offering
items at lower prices to entice victims to enter personal information before confirming the purchase.

3. **Lobsterpot**: Phishers create bogus websites that resemble legitimate corporate sites, targeting
a specific group of victims likely to visit them. Victims may be directed to these spoofed websites
through deceptive links in emails, where they unwittingly provide personal information that is then
used for identity theft or fraudulent activities.

4. **Gillnet**: This technique involves the introduction of malicious code into emails and websites to
infect users' systems. Malicious code may redirect users to fake phishing sites, record keystrokes and
passwords, or alter browser settings to facilitate illegal access to users' financial accounts.

Phishing Techniques – URL manipulation, Filter Evasion, Website forgery, flash phishing, social
phishing, phone phishing

Spear phishing – Spear Phishing is a method of sending highly targeted phishing messages to
specific organizations or groups in order to obtain sensitive information for more sophisticated social
engineering attacks. Here's how Spear Phishing works:

1. **Highly Targeted Attacks**: Spear Phishers send emails that appear legitimate to employees or
members of a particular organization, government agency, or group. These emails are tailored to
look like they come from someone within the organization, such as a colleague or IT administrator,
and may request usernames, passwords, or other sensitive information.

2. **Faked Sender Information**: The sender information in Spear Phishing emails is often faked or
"spoofed" to appear genuine. This adds to the illusion of legitimacy and makes it more likely for
recipients to fall for the scam.

3. **Targeting the Entire System**: Unlike traditional phishing scams that target individuals, Spear
Phishing aims to gain access to an organization's entire computer system. Responding to these emails
by providing login credentials or clicking on malicious links can put both the individual and the
organization at risk of data breaches and identity theft.

4. **Personalized Scams**: Spear Phishing scams are personalized and tailored to specific groups or
individuals. Scam artists use any available information to customize their attacks, making them more
convincing and harder to detect.

5. **Risk to Individuals and Organizations**: Responding to Spear Phishing emails can result in
identity theft and compromise the security of the organization's systems and data. It's crucial for
both individuals and organizations to be vigilant and employ security measures to prevent falling
victim to these scams.

To avoid Spear Phishing scams, individuals and organizations can use similar techniques employed to
avoid standard phishing attacks, such as verifying the legitimacy of emails, avoiding clicking on
suspicious links or attachments, and being cautious when providing sensitive information online.
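The "URL manipulation" and "website forgery" techniques listed earlier and the faked sender information described under Spear Phishing are the two things a mail gateway or an analyst checks first. The following added example (not from the notes or the textbook) triages a constructed phishing message: it compares the From display name and domain with the impersonated brand, checks the Return-Path against the From domain, and inspects each link for the classic URL tricks (credentials before an `@`, an IP-literal host, a punycode host, plain HTTP, a lookalike domain, and link text that shows a different host than the target). The impersonated domain, both sample messages and the finding labels are assumptions of this example.

```python
"""Triage of a suspected phishing e-mail: faked sender and manipulated URLs.

Added example, not from the original notes. The impersonated brand, the two
sample messages and the finding labels are constructed for the demo.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the brand being impersonated; a deployment loads its own domains here.
TRUSTED_DOMAINS = {"examplebank.com"}

SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
From: "ExampleBank Security" <security@examplebank-alerts.com>
To: alice@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account is locked. <a href="http://examplebank.com@203.0.113.55/login">Click here to verify</a></p>
<p>Or visit <a href="https://examplebank.com.secure-login.example/">https://examplebank.com</a></p>
"""

BENIGN_EMAIL = """\
Return-Path: <bounce@examplebank.com>
From: "ExampleBank" <notify@examplebank.com>
To: alice@example.org
Subject: Your statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://www.examplebank.com/">https://www.examplebank.com/</a></p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Last two labels of a host. Assumes a one-label public suffix such as .com;
    .co.uk-style suffixes would need a public-suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def url_findings(url):
    """Flag the URL-manipulation tricks visible in one link target."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        findings.append("userinfo-before-@")     # browser goes to what follows the @
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("ip-literal-host")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode-host")         # possible homograph domain
    if parts.scheme != "https":
        findings.append("not-https")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if registrable(host) != trusted and brand in host:
            findings.append("lookalike-of-" + trusted)  # examplebank.com.evil.example
    return findings


def triage(raw_message):
    """Return sender findings, per-link findings and an overall verdict for one message."""
    msg = email.message_from_string(raw_message)
    report = {"sender": [], "links": []}
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    rp_dom = rp_addr.rsplit("@", 1)[-1].lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if from_dom != trusted and (brand in from_dom or brand in display.lower()):
            report["sender"].append("sender-impersonates-" + trusted)
    if rp_dom and rp_dom != from_dom:
        report["sender"].append("return-path-mismatch")   # envelope sender != header sender
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in LINK_RE.findall(body):
        findings = url_findings(href)
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown.lower() != (urlsplit(href).hostname or "").lower():
            findings.append("link-text-host-mismatch")
        report["links"].append((href, findings))
    report["suspicious"] = bool(report["sender"]) or any(f for _, f in report["links"])
    return report


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(raw))
```

Every check here is a heuristic that a careful attacker can avoid (a lookalike domain that does not contain the brand string, a link that is only shown as "Click here"), which is why gateways combine such content checks with SPF, DKIM and DMARC verification of the sending domain and with the user-side habit the notes recommend: not clicking links in email at all, but typing the bank's address directly.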

Whaling – targets executives from the top management of the organization. The objective is to
swindle the executives into revealing confidential information.

Types of phishing scams – deceptive phishing, malware-based phishing, keyloggers, session
hijacking, in-session hijacking, web Trojans, pharming, data theft, man-in-the-middle phishing.

Phishing countermeasures – keep antivirus up to date, do not click on hyperlinks in emails, take
advantage of anti-spam software, verify HTTPS (the TLS/SSL padlock and that the certificate matches
the site's domain), get educated, use a firewall, use anti-spyware software, and don't enter
sensitive or financial information into pop-up windows.

Identity Theft (pg 206)


Personally Identifiable Information (PII) – the data (name, date of birth, account numbers,
national ID numbers, etc.) whose theft makes identity theft possible.

Types of ID theft – financial, criminal, identity cloning, business identity theft, medical ID
theft, synthetic ID theft, child identity theft.

Techniques of ID Theft:

Human-based methods:
 direct access to information
 dumpster diving
 mail theft and rerouting
 shoulder surfing
 false or disguised ATMs
 dishonest or mistreated employees
 telemarketing and fake phone calls

Computer-based methods:
 backup theft
 hacking, unauthorized access to systems and database theft
 phishing
 pharming
 redirectors
 hardware (e.g. hardware keyloggers)
