Tools and Methods Used in Cybercrime
Topics
• Introduction
• Proxy Servers and Anonymizers
• Phishing
• Password Cracking, Keyloggers and Spywares
• Virus and Worms
• Trojan-horses and Backdoors
• Steganography
• DoS and DDoS Attacks
• SQL Injection
Introduction
• There are various tools, techniques and complex methodologies used to launch attacks against the target.
• We have provided an insight into these techniques to enable the reader to understand how the computer is an indispensable tool for almost all cybercrimes.
• As the Internet and computer networks are integral parts of information systems, attackers have in-depth knowledge about the technology and/or they gain thorough knowledge about it.
Introduction
• The basic stages of an attack are described here to understand how an attacker can compromise a network:
1. Initial uncovering
2. Network probe
3. Crossing the line toward electronic crime
4. Capturing the network
5. Grab the data
6. Covering attacks
Introduction
1. Initial uncovering:
Two steps are involved here.
• In the first step, called reconnaissance, the attacker gathers as much information as possible about the target by legitimate means.
• Usually, a “ping sweep” of the network IP addresses is performed to seek out potential targets, and then a “port scanning” tool is used to discover exactly which services are running on the target system.
• At this point, the attacker has still not done anything that would be considered an abnormal activity on the network or anything that can be classified as an intrusion.
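The ping sweep and port scan described above are exactly the traffic a defender can look for in firewall logs: one source touching many addresses with ICMP, or one source touching many distinct ports on one host, inside a short time window. The following added example (not code from the original slides) parses a constructed firewall log in a hypothetical line format and raises an alert for each pattern; the thresholds, the log format and the sample addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the original slides): one outside host,
# 203.0.113.5, pings twelve addresses in 192.0.2.0/24 and then probes eleven TCP ports
# on 192.0.2.7, while 198.51.100.9 makes ordinary HTTPS connections.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} DENY proto=icmp src=203.0.113.5 dst=192.0.2.{i}"
     for i in range(1, 13)]
    + [f"2024-05-01T10:00:{20 + i:02d} DENY proto=tcp src=203.0.113.5 dst=192.0.2.7 dport={p}"
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080])]
    + ["2024-05-01T10:00:40 ALLOW proto=tcp src=198.51.100.9 dst=192.0.2.7 dport=443",
       "2024-05-01T10:00:41 ALLOW proto=tcp src=198.51.100.9 dst=192.0.2.7 dport=443"]
)

# Hypothetical log format chosen for this example: timestamp, action, proto, src, dst, optional dport.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+)(?: dport=(?P<dport>\d+))?$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"]) if ev["dport"] else None
        events.append(ev)
    return events


def detect_scans(events, window=timedelta(seconds=60), host_threshold=10, port_threshold=10):
    """Flag a ping sweep (one source, many ICMP destinations) or a port scan
    (one source-destination pair, many distinct TCP ports) inside a time window.
    Returns tuples such as ("ping_sweep", src, n) or ("port_scan", src, dst, n)."""
    icmp_targets = defaultdict(set)   # (src, window bucket) -> set of destinations
    tcp_ports = defaultdict(set)      # (src, dst, window bucket) -> set of ports
    for ev in events:
        bucket = int(ev["ts"].timestamp() // window.total_seconds())
        if ev["proto"] == "icmp":
            icmp_targets[(ev["src"], bucket)].add(ev["dst"])
        elif ev["proto"] == "tcp" and ev["dport"] is not None:
            tcp_ports[(ev["src"], ev["dst"], bucket)].add(ev["dport"])
    alerts = []
    for (src, _), dsts in icmp_targets.items():
        if len(dsts) >= host_threshold:
            alerts.append(("ping_sweep", src, len(dsts)))
    for (src, dst, _), ports in tcp_ports.items():
        if len(ports) >= port_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_log(SAMPLE_LOG)):
        print(alert)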
Introduction
3. Crossing the line toward electronic crime:
• The attacker does this by exploiting possible holes on the target system. The attacker usually goes through several stages of exploits to gain access to the system. Certain programming errors can be used by attackers to compromise a system and are quite common in practice.
• Exploits usually include vulnerabilities in common gateway interface scripts or well-known buffer-overflow holes, but the easiest way to gain an entry is by checking for default login accounts with easily guessable (or empty) passwords.
• Once the attackers are able to access a user account without many privileges, they will attempt further exploits to get administrator or “root” access.
• “Root” is basically administrator or super-user access and grants them the privileges to do anything on the system.
Introduction
4. Capturing the network:
• At this stage, the attacker attempts to own the network.
The attacker gains a foothold in the internal network
quickly and easily, by compromising low-priority target
systems.
• There are a number of hacking tools which can clean up log files
and remove any trace of an intrusion.
• Once the attacker has gained access to one system, he/she will
then repeat the process by using the system as a steppingstone
to access other systems deeper within the network.
Introduction
5. Grab the data:
• Now that the attacker has captured the network, he/she takes
advantage of his/her position to steal confidential data, customer
credit information, deface webpages, alter processes and even
launch attacks at other sites from your network, causing a
potentially expensive and embarrassing situation for an individual
and/or for an organization.
Introduction
6. Covering attacks:
• This is the last step in any cyberattack, which refers to the activities
undertaken by the attacker to extend misuse of the system without
being detected.
• The attacker can remain undetected for long periods and use this phase either to start a fresh reconnaissance against a related target system or for continued use of resources, removing evidence of hacking, avoiding legal action, etc.
• During the entire process, the attacker takes optimum care to hide
his/her identity from the first step itself.
Proxy servers and Anonymizers
• A proxy server is a computer on a network which acts as an intermediary for connections with other computers on that network.
• The attacker first connects to a proxy server and then establishes a connection with the target system through the existing connection with the proxy.
• A client connects to a proxy server and requests some service (such as a file, webpage, connection or other resource) available from a different server.
• The proxy server evaluates the request and provides the resource by establishing the connection to the respective server and/or requesting the required service on behalf of the client.
• Using a proxy server can allow an attacker to hide his/her identity.
Proxy servers and Anonymizers
A proxy server has the following purposes:
• Keep the systems behind the curtain.
• Speed up access to a resource (through caching). It is usually used to cache the webpages from a web server.
• Specialized proxy servers are used to filter unwanted content such as advertisements.
• A proxy server can be used as an IP address multiplexer to enable a number of computers to connect to the Internet when one has only one IP address.
• One of the advantages of a proxy server is that its cache memory can serve all users.
• If one or more websites are requested frequently, maybe by different users, they are likely to be in the proxy’s cache memory, which will improve user response time.
• In fact there are special servers available known as cache servers.
• A proxy can also do logging.
Proxy servers and Anonymizers
• Listed are a few websites where free proxy servers can be found:
• http://www.proxy4free.com
• http://www.publicproxyservers.com
• http://www.proxz.com
• http://www.anonymitychecker.com
• http://www.surf24h.com
• http://www.hidemyass.com
Proxy servers and Anonymizers
• An anonymizer or an anonymous proxy is a tool that attempts to
make activity on the Internet untraceable.
• It accesses the Internet on the user’s behalf, protecting personal
information by hiding the source computer’s identifying
information.
• Anonymizers are services used to make Web surfing anonymous
by utilizing a website that acts as a proxy server for the web
client. In 1977 the first anonymizer software tool was created by
Lance Cottrell, developed by Anonymizer.com.
Proxy servers and Anonymizers
• Listed are few websites where more information about
anonymizers can be found:
• www.anonymizer.com
• www.browzar.com
• www.anonymize.net
• www.anonymouse.ws
• www.anonymousindex.com
Phishing
• Most people associate Phishing with E-Mail messages that
spoof or mimic banks, credit card companies or other
business such as Amazon and eBay.
• These messages look authentic and attempt to get users to reveal their personal information. It is believed that Phishing is an alternative spelling of “fishing,” as in “to fish for.”
Phishing
• Phishing works in the following way:
• Planning:
• Criminals, usually called phishers, decide on the target and determine how to get the E-Mail addresses of that target or of the customers of that business.
• Phishers often use the same mass-mailing and address-collection techniques as spammers.
Phishing
• Setup: Once phishers know which business/business house to spoof and
who their victims are, they will create methods for delivering the message
and to collect the data about the target. Most often this involves E-Mail
addresses and a webpage.
• Attack: This is the step people are most familiar with: the phisher sends a phony message that appears to be from a reputable source.
• Collection: Phishers record the information of victims entering into
webpages or pop-up windows.
• Identity theft and fraud: Phishers use the information that they have
gathered to make illegal purchases or commit fraud.
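The "attack" step relies on a message that looks like it comes from a reputable business while its sender and links point elsewhere. The following added example (not code from the original slides) applies three simple checks to a constructed message: the display name claims a brand but the sending domain is not that brand's, the visible link text shows a different domain than the link actually goes to, and the text uses pressure wording. The sample messages, the brand-to-domain table and the regular expressions are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not from the original slides).
PHISHING_EMAIL = """\
From: "Amazon Customer Service" <security@amazon-account-verify.example>
To: victim@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account will be suspended. Please sign in at <a href="http://amazon-account-verify.example/login">
http://www.amazon.com/signin</a> within 24 hours.</p>
</body></html>
"""

BENIGN_EMAIL = """\
From: Amazon <no-reply@amazon.com>
To: customer@example.org
Subject: Your order has shipped
Content-Type: text/plain

Thanks for your order. Track it from the Orders page of your account.
"""

# Brands the slides name as commonly spoofed, mapped to the domain they send from
# (an assumption for this example; a real filter would use a maintained list).
BRAND_DOMAINS = {"amazon": "amazon.com", "ebay": "ebay.com"}
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://\S+")
URGENCY_RE = re.compile(r"\b(urgent|suspended|within \d+ hours)\b", re.I)


def registered_domain(host):
    """Crude last-two-labels domain: www.example.com -> example.com."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message):
    """Return a list of human-readable reasons the message looks like phishing."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.rsplit("@", 1)[-1])
    body = msg.get_payload()
    indicators = []
    # 1. Display name claims a brand, but the sending domain is not that brand's.
    for brand, domain in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain != domain:
            indicators.append(f"display name claims {brand} but sender domain is {sender_domain}")
    # 2. Link text shows one domain while the href points somewhere else.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown:
            shown_domain = registered_domain(urlparse(shown.group(0)).hostname or "")
            real_domain = registered_domain(urlparse(href).hostname or "")
            if shown_domain != real_domain:
                indicators.append(f"link text shows {shown_domain} but points to {real_domain}")
    # 3. Pressure wording typical of the attack step.
    if URGENCY_RE.search(msg.get("Subject", "") + " " + body):
        indicators.append("urgency language")
    return indicators


if __name__ == "__main__":
    print(phishing_indicators(PHISHING_EMAIL))   # three indicators
    print(phishing_indicators(BENIGN_EMAIL))     # []
```

The checks are heuristics: a message with no indicators is not proven safe, and a legitimate newsletter can trip the urgency check, so in practice they feed a score rather than a hard block.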
Password Cracking
• The purpose of password cracking is as follows:
1. To recover a forgotten password.
2. As a preventive measure by system administrators to check for easily crackable passwords.
3. To gain unauthorized access to a system.
• Manual password cracking is to attempt to log on with different passwords.
• In automated password cracking, a program is executed to try each password in a list and, when one matches, an attacker can gain access.
1. Online attacks:
• The most popular online attack is the man-in-the-middle (MITM) attack.
• When a victim client connects to the fraudulent server, the MITM server intercepts the call, hashes the password and passes the connection to the victim server.
• This type of attack is used to obtain the passwords for E-Mail accounts on public websites such as Yahoo, Hotmail and Gmail and can also be used to get the passwords for financial websites, giving the attacker access to banking websites.
Password Cracking
2. Offline attacks:
• These are performed from a location other than the target (i.e., either a computer system or while on the network) where these passwords reside or are used.
• Offline attacks usually require physical access to the
computer and copying the password file from the system
onto removable media.
Password Cracking
Strong, Weak and Random Passwords
• A weak password is one which could be easily guessed: short, common or a system default password that could be easily found by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names and words based on the username or common variations on these themes.
• Passwords that can be easily guessed by acquaintances of the netizens (such as date
of birth, pet’s name and spouses’ name) are considered to be very weak.
Password Cracking
Strong, Weak and Random Passwords
• Here are some of the examples of “weak passwords”:
1. Susan: Common personal name;
10. p@$$\/\/0rd: simple letter substitutions are preprogrammed into password cracking tools;
12. December12: using the date of a forced password change is very common.
Password Cracking
Strong, Weak and Random Passwords
• A strong password is long enough, random or otherwise difficult to guess –
producible only by the user who chooses it.
• The length of time deemed to be too long will vary with the attacker, the
attacker’s resources, the ease with which a password can be tried and the value
of the password to the attacker.
8. Successful logons should display the date and time of the last logon and logoff.
9. Logon IDs and passwords should be suspended after a specified period of non-use.
10. For high-risk systems, after excessive violations, the system should generate an alarm and be able to simulate a continuing session (with dummy data) for the failed user.
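Items 8 to 10 above describe logon controls rather than password rules: show the user the last logon and logoff so they can spot use of their account by someone else, suspend IDs that go unused, and on a high-risk system answer repeated failures with an alarm and a decoy session. The following added example (not code from the original slides) implements those three controls in one small logon controller; the failure limit, the 90-day idle period and the dummy data are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Account:
    user_id: str
    last_logon: Optional[datetime] = None
    last_logoff: Optional[datetime] = None
    failed_attempts: int = 0
    suspended: bool = False


# Constructed decoy data for the simulated session (not from the original slides).
DUMMY_DATA = {"balance": "0.00", "documents": ["welcome.txt"]}


class LogonController:
    """Report last logon/logoff, suspend IDs after a period of non-use, and on
    high-risk systems raise an alarm and hand the failed user a decoy session."""

    def __init__(self, max_failures=5, idle_limit=timedelta(days=90), high_risk=False):
        self.max_failures = max_failures
        self.idle_limit = idle_limit
        self.high_risk = high_risk
        self.alarms = []   # (user_id, time) entries for the security team

    def logon(self, acct, password_ok, now):
        if acct.suspended:
            return {"outcome": "suspended"}
        # Item 9: an ID unused for longer than idle_limit is suspended.
        last_activity = acct.last_logoff or acct.last_logon
        if last_activity is not None and now - last_activity > self.idle_limit:
            acct.suspended = True
            return {"outcome": "suspended", "reason": "non-use"}
        if not password_ok:
            acct.failed_attempts += 1
            if acct.failed_attempts < self.max_failures:
                return {"outcome": "failed",
                        "remaining": self.max_failures - acct.failed_attempts}
            acct.suspended = True
            if self.high_risk:
                # Item 10: alarm, then keep the intruder busy with dummy data.
                self.alarms.append((acct.user_id, now))
                return {"outcome": "decoy_session", "data": DUMMY_DATA}
            return {"outcome": "suspended", "reason": "excessive violations"}
        # Item 8: a successful logon reports the previous logon and logoff times.
        result = {"outcome": "ok",
                  "last_logon": acct.last_logon, "last_logoff": acct.last_logoff}
        acct.last_logon = now
        acct.failed_attempts = 0
        return result

    def logoff(self, acct, now):
        acct.last_logoff = now


if __name__ == "__main__":
    ctl = LogonController(max_failures=3, high_risk=True)
    bob = Account("bob")
    print(ctl.logon(bob, True, datetime(2024, 1, 1, 9)))
    ctl.logoff(bob, datetime(2024, 1, 1, 17))
    print(ctl.logon(bob, True, datetime(2024, 1, 2, 9)))
```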
Password Cracking
Similarly, netizens should practice password guidelines to avoid becoming victims of having their personal E-Mail accounts hacked/attacked by attackers.
1. Passwords used for business E-Mail accounts, personal E-Mail accounts
(Yahoo/Hotmail/Gmail) and banking/financial user accounts (e.g., online
banking/securities trading accounts) should be kept separate.
2. Passwords should be of minimum eight alphanumeric characters (common names or
phrases should be phrased).
3. Passwords should be changed every 30/45 days.
4. Passwords should not be shared with relatives and/or friends.
5. Password used previously should not be used while renewing the password.
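The weak-password examples (a common name, simple letter substitutions such as p@$$\/\/0rd, a month plus the day of a forced change) and guidelines 2 and 5 above can be turned into an automated check run at password-change time. The following added example (not code from the original slides) does that: it undoes the substitutions cracking tools already know, strips trailing digits before the dictionary lookup, and flags username-derived values, acquaintance-guessable personal details and reuse of an earlier password. The short word lists and the substitution table are assumptions for the example; a real checker would load full dictionaries.

```python
import re

# Constructed word lists for this example (not from the original slides).
COMMON_WORDS = {"password", "susan", "welcome", "letmein", "qwerty", "admin"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
# Simple substitutions that cracking tools already try, undone before dictionary lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i", "|": "l"})


def undo_substitutions(pw):
    """p@$$\\/\\/0rd -> password."""
    return pw.replace("\\/\\/", "w").translate(LEET).lower()


def check_password(pw, username="", personal=(), previous=()):
    """Return the list of guideline violations; an empty list means the password passes.
    `personal` holds strings an acquaintance could guess (pet's name, birth year);
    `previous` holds the user's earlier passwords."""
    problems = []
    lower = pw.lower()
    # Guideline 2: at least eight characters, mixing letters and digits.
    if len(pw) < 8 or not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("shorter than 8 characters or not alphanumeric")
    # Weak examples 1 and 10: common name / dictionary word, with or without substitutions.
    candidates = {lower, undo_substitutions(pw)}
    stems = {re.sub(r"\d+$", "", c) for c in candidates}   # December12 -> december
    if stems & COMMON_WORDS:
        problems.append("common name or dictionary word, possibly with letter substitutions")
    # Weak example 12: a month name plus digits, typical of a forced-change date.
    if stems & MONTHS:
        problems.append("date-like (month name plus digits)")
    # Username-derived and acquaintance-guessable values.
    if username and username.lower() in lower:
        problems.append("based on the username")
    for item in personal:
        if item.lower() in lower:
            problems.append(f"contains guessable personal information ({item})")
    # Guideline 5: no reuse when renewing.
    if pw in previous:
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    for sample in ("Susan", "p@$$\\/\\/0rd", "December12", "alice2024", "Tr0ub4dor3x9"):
        print(sample, "->", check_password(sample, username="alice") or "ok")
```

The check deliberately compares both the raw password and the de-substituted form, so "p@$$\/\/0rd" is rejected for the same reason "password" is, which is the point the slide makes about preprogrammed substitutions.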
Password Cracking
• Keyloggers can be classified as:
1. software keyloggers
2. hardware keyloggers.
Keyloggers and Spywares
Software keyloggers
• These are software programs installed on the computer systems which usually are located
between the OS and the keyboard hardware, and every keystroke is recorded.
• It is installed on a computer system by Trojans or viruses without the knowledge of the user.
• A keylogger usually consists of two files that get installed in the same directory: a dynamic link library (DLL) file and an executable file that installs the DLL file and triggers it to work. The DLL does all the recording of keystrokes.
Keyloggers and Spywares
Hardware keyloggers
• To install these keyloggers, physical access to the computer system is required.
Hardware keyloggers are small hardware devices.
• These are connected to the PC and/or to the keyboard and save every keystroke
into a file or in the memory of the hardware device.
• Cybercriminals install such devices on ATM machines to capture ATM cards’ PINs.
Keyloggers and Spywares
Antikeylogger
• It is a tool that can detect the keylogger installed on the computer system and
also can remove the tool.
• Advantages of using antikeylogger are as follows:
1. Firewalls cannot detect the installation of keyloggers on the systems; antikeyloggers, however, can detect installations of keyloggers.
2. This software does not require regular updates of signature bases to work effectively, unlike other antivirus and antispy programs, which do not serve their purpose if not updated and so leave users at risk.
3. Prevents Internet banking frauds. Passwords can be easily gained with the help
of installing keyloggers.
4. It prevents ID theft.
5. It secures E-Mail and instant messaging/chatting.
Keyloggers and Spywares
Spywares
• Spyware is a type of malware that is installed on computers which collects
information about users without their knowledge.
• The presence of Spyware is typically hidden from the user; it is secretly installed
on the user’s personal computer.
• Sometimes, however, Spywares such as keyloggers are installed by the owner of a
shared, corporate or public computer on purpose to secretly monitor other users.
• It secretly monitors the user. The features and functions of such Spywares are
beyond simple monitoring.
• Spyware programs collect personal information about the victim, such as the
Internet surfing habits/patterns and websites visited.
Keyloggers and Spywares
Spywares
• The Spyware can also redirect Internet surfing activities by installing
another stealth utility on the users’ computer system.
• Spyware may also have an ability to change computer settings, which may
result in slowing of the Internet connection speeds and slowing of response
time.
• Various Spywares are available in the market.
• Installation of anti-Spyware software has become a common element
nowadays from computer security practices perspective.
Viruses and Worms
• Computer virus is a program that can “infect” legitimate programs by modifying
them to include a possibly “evolved” copy of itself.
• Viruses spread themselves, without the knowledge or permission of the users, to
potentially large numbers of programs on many machines.
• A computer virus passes from computer to computer in a similar manner as a
biological virus passes from person to person.
• Viruses may also contain malicious instructions that may cause damage or
annoyance; the combination of possibly Malicious Code with the ability to spread
is what makes viruses a considerable concern.
• Viruses can often spread without any readily visible symptoms.
Viruses and Worms
• A virus can start on event-driven effects (e.g., triggered after a specific
number of executions), time-driven effects (e.g., triggered on a specific
date, such as Friday the 13th) or can occur at random.
Viruses can take some typical actions:
1. Display a message to prompt an action which may set off the virus;
2. Delete files inside the system into which viruses enter;
3. Scramble data on a hard disk;
4. Cause erratic screen behaviour;
5. Halt the system;
6. Just replicate themselves to propagate further harm.
Viruses and Worms
• Figures 4.1–4.3 explain how viruses spread (a) through the Internet, (b) through a stand-alone computer system and (c) through local networks.
Viruses and Worms
• Computer virus has the ability to copy itself and infect the system.
• The term virus is also commonly but erroneously used to refer to other types of
malware, Adware and Spyware programs that do not have reproductive ability.
• A true virus can only spread from one system to another (in some form of executable code) when its host is taken to the target computer; for instance, when a user sends it over the Internet or a network, or carries it on removable media such as CD, DVD or USB drives.
Trojan Horses and Backdoors
• The term Trojan Horse comes from Greek mythology about the Trojan War.
• Like Spyware and Adware, Trojans can get into the system in a number of
ways, including from a web browser, via E-Mail or in a bundle with other
software downloaded from the Internet.
Steganalysis
• It is the art and science of detecting messages that are hidden in images,