MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

MODULE 2
CYBER OFFENSES: HOW CRIMINALS PLAN THE ATTACK

CONTENTS
 Understand different types of Cyber attacks
 Overview the steps involved in cybercrime
 Understand tools used for gathering information about the target
 Overview of Social Engineering
 Role of Cybercafes in Cybercrime
 Understand what is cyberstalking
 Learn about Botnet and Attack Vector

INTRODUCTION
Cybercriminals use the World Wide Web (www) and Internet for all illegal activities. These
criminal0 take the advantage of the wide spread lack of awareness about cybercrime and
cyberlaws among the people who are constantly using the Information Technology(IT) for
official and personal purpose.

FEW TERMINOLOGIES

(a) Hacker- Hacker is a person with strong interest in computers who enjoys learning
and experimenting with them. Hackers are usually very talented, smart people who
understand computers better than others.
(b) Brute Force Hacking- it is a technique used to find passwords and Encryption Keys.
It involves trying every possible combination of letters, numbers etc. until the code is
broken.
(c) Cracker- A cracker is a person who breaks into computers. They are computer
criminals. Their act includes Vandalism, theft and snooping in unauthorized areas.
(d) Cracking- It is an act of breaking into computers. Cracking is a popular growing
subject on the internet. Many sites are available to supply Crackers with programs that
allow them to crack computers.
(e) Cracker Tools- These are programs that break into the computers like password
crackers, viruses, war dialer and worms
(f) Phreaking- This is the notorious act of breaking into phones and other
communication systems.
(g) War Dialer- It is a program that automatically dials phone numbers looking for
modems or computers on the other end to which they are connected. It catalogs
numbers so that the hacker can call back and try to break in.
(h) Cyber Bullying- when Internet, phones and other devices are used to send or post
texts or images intended to hurt and embarrass another person is called cyber bullying

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

CATEGORIES OF VULNERABILITIES THAT HACKERS TYPICALLY

SEARCH FOR
1. Inadequate border protection-Firewall
2. Remote Access Servers (RAS) with weak access controls
3. Application Server with well-known exploits
4. Misconfigured systems and systems with default configurations.

TYPES OF HACKERS
1. Black hat hackers
2. White hat hackers
3. Gray hat hackers
4. Brown hat hackers

1. Black hat hackers

 Malicious and criminal hackers
 They break into information technology systems
 They use the knowledge for personal gain and to target others
 They are meant to do illegal activities
 They use holes/vulnerabilities in the systems to launch attack
2. White hat hackers
 They are Ethical Hackers
 They ethically oppose any cause against computer system
 They focus on securing Information Technology (IT) systems or networks
 They use their knowledge and skill to prevent the black hat hackers
 If a black hat hacker decides to target a victim, it’s a great thing to have white hat
hacker
3. Gray hat hackers
 They are hybrid of both black and white hat hackers
 Like black hat hackers their mission is not to damage system or network but to expose
the flaws in the Security System
 They do it without the concern for how the information will be used by others in
future
4. Brown hat hackers
 They think before acting and committing a malicious or non-malicious deed

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

CATEGORIES OF CYBERCRIME

Cybercrimes can be categorised based on the following

1. The target of the crime- Targeted against individuals, assets or organisations

2. whether the crime occurs as a Single event or Series of event

1. Target of the Crime

a) Crimes targeted at Individuals-The goal is to exploit human weakness such as Greed and
Innocence. These crimes include financial fraud sale of non-existent or stolen items copyright
violation harassment etc.

b) Crimes targeted at Property-Programs that can disrupt the functions and erase the data
from cell phone, laptops, Personal Digital Assistants (PDA’s) and renewable medias (CDs
and drivers), hard disk etc. Then they can create malfunctioning of the device.

c) Crimes targeted at Organisation-Cyber terrorism one of the vital crime against

organisation or governments attackers use computer tools and the internet to usually target
the citizens of a particular country by stealing the private information and also damage the
programs and files or important programs to get control of the network and/or system

2.Single event or series of event

a) Single event of Cybercrime -It is a single event from the perspective of victims. For
example unknowingly open and attachment that contain virus that will affect the system

b) Series of events-This involves attackers interacting with the victims repetitively. For
example, attacker internets with the victim over the phone or via chat rooms to establish
relationship first and then use the relationship to commit illegal activities

How criminals plan the attack

Criminals use various tools and methods to locate vulnerability of the target. Criminals plan
either Active or Passive Attacks.

a) Active attacks- Attacks used to alter the system or network

b) Passive attacks- Attempts to gain information about target

Attacks can also be classified as either Inside attacks or Outside attacks

a) Inside attack-An attack originating and/or attempted within the security parameters
of an organisation. It is usually attempted by an insider who gains access to more
resources.

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

b) Outside attack- Attempted by a source outside the security parameter. Maybe

attempted by an insider or outsider indirectly associated with the organisation. It is
attempted through Internet or a Remote Access Connection.

Following phases are involved in Planning Cybercrime

1) Reconnaissance (Information Gathering)- This is the first Phase and it is treated as

passive attack

2) scanning and scrutinizing(examining)-They do this to check whether the collected

information this valid or not as well as to identify existing vulnerability or weak
points in the system

3) Launching the Attack-Gaining and maintaining the system access.

1) RECONAISSANCE [INFORMATION GATHERING

 It is an art of reconnoitring (exploring) often with a goal to find somebody or

something
 Used to gain information about enemy or target
 First phase of reconnaissance is Foot printing
 Foot printing involves accumulating data about target environment and computer
architecture to find a way to intrude into the environment
 Foot printing involves finding vulnerabilities weakness and making use of it
 It is to understand the system, it's networking ports and services needful for launching
the attack

In the reconnaissance stage an attacker attempts to gather information in two phases

a) Passive attacks
b) Active attacks

a) Passive attacks involve gathering information about the target without his/her
knowledge. Example watching a building to identify what time employees Enter
building premises. It is done by internet searches or by googling about and individual
or organisation to gain information

Some of the methods used to gather information in passive attack are

1. Google search- Used to gain information about person or organisation

2. Surfing online community groups -For example Facebook to gain information about
individuals
3. Organisation website-Providing personal or official information about key
employees contact details, email address etc. It is also called as Social Engineering
4. Blogs, newspapers and press releases- Used as medium to gain information about
company or employees

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

5. Going through job postings in a particular job profile-To get information about
what kind of Technology their company is working on. Example- Naukri, LinkedIn
etc
6. Network sniffing -It is used to get Useful information such as internet protocol
address servers or networks and other available services on the system or network

b) Active attacks -Involves enquiring the information or network to discover individuals

and to confirm the information gathered in passive attack. It is also called as active
reconnaissance. Active r reconnaissance provides information about security
measures in place but the process can also increase the chance of being caught or raise
a suspicion. It involves risk of detection since alterations are made to data in the
system or system itself.

2) Scanning and Scrutinizing

Scanning is the It is the key step to examine intelligently the gathered information about the
target.The objectives of scanning are

a) Port scanning -Identify open or close sports or services

b) Network scanning -Understand IP address and related information about the
computer network systems (network name database in server
c) Vulnerability scanning understand the existence weakness in the system

Scrutinizing- Scrutinizing phase is always called enumeration in the hacking world.The

objectives behind this steps is to identify

a) Valid user accounts/groups

b) network resources/shared resources
c) OS and different applications running on OS

3) Launching the attack (Gaining and maintaining the system access)

After scanning and scrutinizing the attack is launched using the following steps

a) Crack the password

b) Exploit the privileges
c) Execute malicious comments/applications
d) Hide the files (if needed)
e) Cover the tracks (delete logs) so that there is no trace of illegal activity

Difference Between Active Attack and Passive Attack

Active Attack Passive Attack

Data modification Data monitoring
Affect the system Does not affect the system

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

Easy to detect Difficult to detect

Attack on availability and integrity
Victim gets informed
Examples-Spying, Eavesdropping and
Dumpster diving
Techniques used to avoid are Firewalls,
VPN etc
Attack on Confidentiality
Victim does not get informed
Examples- Man in the middle, DOS, DDOS
Attacks
Techniques used to avoid are using strong
passwords and encryption methods

Tools used to Launch passive attacks

1. People search -Provides details about personal information, date of birth, residential
address, contact information etc of a person
2. Domain name confirmation -Perform searches for domain names. This helps to find
registered domain names like “.Com”, “.net”, “.org” and “.edu”
3. Trace route- best tool to find routes to the target system by knowing the packets
(data) transmitted across network
4. Email Tracker Pro-Analysis the email address and provides IP address of the system
that sent the email
5. Competitive intelligence- Provides information related to almost any product on
recent industry trends
6. Visual Route Trace- This is a tool which determines traffic(data) on computer
flowing between source and target

Tools used to Launch Active attacks

1. NMap-Automated mechanism tool used to find the open port and also to identify the
OS being used in the system
2. Dsniff-This is a networki monitoring tool to capture usernames, Password and
authentication information
3. FileSnarf-This tool is used to capture file transfers and data
4. MsgSnarf-Tool used to capture instant messages. Example Yahoo chat
5. URLSnarf-Tool used to capture Http traffic
6. Xprobe2-Tool used to find the type of operating system of target host

SOCIAL ENGINEERING

 It is a “technique to influence” and “make someone to believe” for obtaining the

information
 The person who does it is called a Social Engineer
 Social engineering uses natural tendency and quality of people such as desire to be
helpful, attitude to trust people and fear of getting into trouble. This makes people
a weak link in security

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

 Social engineering involves gathering sensitive information or unauthorized

access by building inappropriate trust relationships
 Social engineer uses telecommunication or internet to get victims to do something
that is against the security practices and/or policies
 The goal of social engineer is to fool someone into providing valuable information
or access the information
 The sign of a truly successful social engineers is that they receive information
without any suspicion


CLASSIFICATION OF SOCIAL ENGINEERING

1. Human based social engineering

2. Computer Based social engineering

1. Human based social engineering

a. Impersonating an employee or valid user-Impersonation posing oneself as an

employee of the same organisation is Greater technique of making somebody believe
something that is not true
b. Posing as an important user -The Attacker pretends to be the chief executive officer
CEO or High-Level Manager who needs Immediate assistants to gain access to
system. The attacker takes advantage of Low-Key employees. Most of the low-level
employees will not question to someone who appears to be in position of authority.
c. Using a third person name-Attacker pretends to have permission from authorised
source to use the system. This trick is useful when the supposed authorised person is
on Vacation and cannot be contacted for verification
d. Calling Technical Support-Helpdesk and Technical Support people are trained to
help users. Attackers call them for assistance which makes them good prey for social
engineering attacks
e. Shoulder surfing-It is a technique of gathering information such as usernames and
passwords by watching over a person's shoulder while he/she logs into the system
f. Dumpster diving-It involves looking in the trash for information written on pieces of
paper or computers printouts. This is also called as Dumpster” binning” , “trashing”
or “garbing”. Practice is referred to as “binning” or “skipping” and the person doing it
is called a “Binner” or “Skipper”
g. Scavenging-It is equivalent to Dumpster diving but in digital world. It is a form in
which discarded articles and information are obtained and recovered from recycle bin.

2. Computer Based social engineering

a. Fake emails-The attacker sends fake emails to numerous users such that the user
finds it as legitimate mail. This act is called as Phishing
b. Email attachments-Email attachments consisting of Malicious codes and sending it
to victim system which will automatically get executed in their system. Example
keyloggers virus worms and Trojan Horses all these can be included in the attachment

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

c. Pop-up Windows- They are used in similar manner to email attachments. Pop-up
windows with special offers and free stuffs can encourage users to unintentionally
install malicious software or programs.

CYBERSTALKING

Cyberstalking an act of following the prey trying to approach somebody or something

Definition- It is defined as "The use of Information and Communication Technology,

particularly internet by an individual or group of individuals to harass another individual or
group of individuals or organisations"

Cyberstalking can be done in two ways

a) Through online

1. False accusations
2. Monitoring
3. Transmission of data
4. ID theft
5. Damage the data or system gathering information for harassment purpose

b) Through offline

1. Following a person
2. visiting the persons home or business place
3. making Phone calls
4. Leaving written messages
5. Destroying the victims property

TYPES OF STALKERS

There are two types of stalkers

1. Online stalker
2. Offline stalker

1. Online stalker

 They aim to start the interaction with the victim directly through the internet
 Email and chat rooms are the most popular communication medium to get connected
with the victim

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

 The stalker makes sure that the victim recognises the Attack made by him or her

2. Offline stalker

 Stalker uses traditional methods such as following victim, watching daily routine of
the victim etc
 Stalker individually searches in newsgroups, personal websites and people finding
services
 All these are done without the knowledge of victim so that victim is not aware about
stalking

HOW STALKING WORKS

1. Personal information gathering about the victim- Name, Family background,

contact details such as phone numbers, residential addresses date of birth etc
2. Establish a contact with them through phone- Once the contact is established
Stalker may call the victim to threaten and harass
3. Establish contact with victim through email- Emails having tone of love
threatening etc. Stalker uses multiple names while contacting the victim
4. Keep on sending repeated emails- Asking for various kinds of favours or threatens
the victim
5. Posting the victims personal information on any websites related to unlawful
services- Posing as if the victim as posted the information and invite people to call the
victim on given contact details
6. Stalker subscribes or register the email account of the victim- Registering or
Subscribing in unwanted websites because of which the victim starts receiving
unsolicited (not asked for) emails messages attachments etc

CASES REPORTED ON CYBERSTALKING

 The majority of Cyber stalkers are men and majority of victims are women
 Some cases also have been reported where women act as cyber stockers and men as
victims as well as cases of same sex
 In many cases cyber stalkers and victims hold a prior relationship and it begins when
the victims try to break the relationship. Example Ex-Lover, Ex-Spouse, -Ex-Boss etc

CYBER CAFE AND CYBER CRIMES

“Cyber Cafe or internet cafe provides internet access to public for a Fee”.

 Since many people you cybercafes IT security and governance should be maintained
by the cybercafe owners
 The most common attacks carried out using cyber cafes are stealing Bank passwords,
fraudulent transaction of money using username and password etc

RISKS IN CYBER CAFES

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

Public computers in cyber cafes hold two types of risks

1. Risk of malicious programs such as keyloggers and spywares

Keyloggers run on the background capturing keystrokes to know password and other
confidential information and monitoring browsing behaviour

Spywares are software that install itself on the user computer and starts secretly
monitoring online behaviour without users’ knowledge or permission

2. Over the Shoulder peeping

Looking over someone's shoulder to get information about what they are doing on the
system and find out usernames and passwords.

CYBER CRIMINALS TARGETING CYBER CAFES

1. They target one PC in cyber cafe for their use sometimes

2. They install malicious programs (keyloggers and spyware) to launch attack
3. They visit cyber cafes at a particular time of a day or week to monitor the activities of
victim

METROPOLITAN CITIES USES COMPUTERS WITH FOLLOWING

INSECURITIES IN CYBER CAFES

1. Pirated or illegally copied Software- Using pirated operating systems, Browser's

office Automations such as Microsoft Word Excel etc
2. Anti-virus softwares not updated- Cyber Cafe owners not updating Antivirus on
regular basis
3. Using Deep Freeze Software- Several cyber cafes use this software for protecting
their computers from Malware attacks. This software is used to wipe out all the
activities carried out on computer once restart button is clicked. This becomes
challenging for investigating Agencies and cybercrime investigators while collecting
clues of the cyber attacks
4. Annual Maintenance Contract (AMC)- Cyber Cafe owners not servicing the
computer due to this cybercriminal can install malicious code on computer and
conduct criminal activity without interruption
5. Websites not blocked-Indecent or obscene websites are not blocked in cyber café
6. Less awareness-Cybercafe owners having less awareness about IT security and
governance
7. Not providing Guidelines - Government, Internet service providers and State
policies such as Cyber cell wings not providing IT guidelines to Cyber Cafe owners
8. Not conducting periodic visit- cyber cafe Associations or cyber cell wings do not
conduct periodic visit to Cyber Café

Tips And safety measures to be carried out in cyber cafes

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

1. Always Logout-After checking mail or logging into accounts one should logout or
sign out before leaving the system. Do not save your login information and disable
automatic login option
2. Stay with the Computer-while browsing one should not leave the system unattended
for any period of time. If you get any emergency call or work make sure you have
logged out of the account and close all the browser Windows
3. Clear history and Temporary Files-Internet Explorer saves Pages that users have
visited. Your passwords can be stored in the browser if that option has been enabled
on computer being used
4. Be alert-stay alert and be aware of the surroundings
5. Avoid online financial transactions-Avoid online banking, shopping and other
transactions requiring to provide personal or confidential information. In case if there
is an emergency do it but try to change the password as soon as possible using trusted
computer at home or at office
6. Change Passwords- Change strong passwords at regular intervals of time
7. Use virtual keyboard-Nowadays almost every bank has provided virtual keyboard on
their website providing high security
8. Follow Security warnings-Each Bank provides security warnings like (a) changing
password after using computers outside (b) use virtual keyboards to protect password
from keyloggers, spywares and trojans (c) Do not share your CVV or OTP with
anyone

Individuals should take care while accessing computers or internet in public places such as
hotels, libraries etc. It is required to follow safety and security while operating on systems
outside

BOTNET- THE FUEL TO CYBER CRIME

Bot-It is an automated program or software application program that does a certain task.
Bots are automated that run according to the instructions without human intervention

Botnet-A group of computers infected by Malware and is under the control of malicious
attacker

Activities carried on botnets

1. Distribution of spam and viruses

2. Conducting Dos and DDOS attacks

Zombie networks

Botnet is also called as “Zombie network” here Network of Computers are infected with
malicious programs that allows criminals to control the infected machines remotely without
users knowledge. Zombie Networks become a source of income for group of Cyber criminals

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

HOW BOTS CREATE A BUSINESS

Botnets have gained popularity and have increased in number due to the following reasons

1. Low cost of maintenance

2. Diminishing degree of knowledge to maintain one

Below figure shows Botnets create business

There are plenty of “Bot for sales” for someone who wants to start a business and has no
programming skills

1. Malware-It is a malicious software designed to damage a computer system without

the user’s knowledge. Example viruses ,worms , Trojan Horse etc
2. Adware-It is advertising supported software which automatically plays, Displays or
downloads advertisements where application is being used
3. Spam-It means unsolicited or undesired emails or messages
4. Spamdexing-It is also called “Search Spam” or “Search Engines Spam”. It
manipulates the relevancy or prominence of sources indexed in search engine
5. DDOS Attack (Distributed Denial of Service Attack)- It occurs when multiple
systems flood the traffic of targeted system or server and make it unavailable or non-
functional

HOW TO REDUCE THE CHANCES OF BECOMING A PART OF

BOT

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

1. Off The Internet Connection-Leaving your internet connection on and unprotected

is just like leaving the front door of the house wide open for thieves to enter
2. Use anti-virus software and keep it up to date-Settings of software has to be done
during installations so that the software gets updated automatically on daily or
monthly basis
3. Set the operating system to download and install security patches automatically-
OS companies issues security patches for flaws that are found in the system. Do
settings in OS such that software updates are done on regular basis
4. Use firewall to protect the system from hacking attacks while it is connected over
the internet- It is a software or hardware that scans incoming data for Malwares. It
allows only authorized access.
5. Disconnect from the internet when you are away from your computers-Attackers
cannot get into the system when the system is disconnected from the internet.
Sometimes firewalls, antivirus and antispyware have chances of going wrong or being
wrongly used
6. Downloading the freeware only from the websites that are known and
trustworthy- Avoid downloading free software such as games, file sharing etc as they
may contain other “software which may include Spywares

7. Check regularly the folders in the mailbox-Check in “sent items” and “outbox” for
mails or messages you have not sent. If such messages are found then it is a sign that
your system maybe a part of bot
8. Take an immediate action if your system is infected- Steps to be followed
1. Disconnect It from internet
2. Scan entire system with fully updated anti-virus
3. Report to Internet Service Provider (ISP) or Legal Authorities
4. Change the password immediately

ATTACK VECTOR

Definition-" It is a path or means by which an attacker can gain access to the

computer or a network server to deliver the payload"

Note-Payload is a malicious activity performed by attacker. It is a malicious outcome

 Attack Vector enable attackers to exploit vulnerabilities in the system

 Attack vectors include viruses, email attachments, counterfeited webpages,
POPUP windows, instant messages, chat rooms, Deception, Trojan horses
worms etc
 Except Deception all the other attacks vectors need programming
 To some extent firewalls and anti-virus software block attack Victor but they
are not totally attack proof
 Defence vectors (Firewalls and antiviruses) which are effective today may not
remain so for long because attackers constantly update the vectors

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

LAUNCHING OF ATTACK VECTORS

Attack vectors are launched by the following ways

1. Attack By email - Unwanted contents such as URL’s, Hyperlinks, Responding

Buttons, Downloadable files are attached inside Emails
2. Attachments and other files- Malicious attachments insert malicious codes in our
device. Malicious codes are nothing but viruses and spywares etc. As soon as we open
the attachment it delivers or inserts payloads
3. Attack by Deception-Directly contacting people by fraud or scam Calls, sending
spam and tricking them to obtain confidential information is deception. Social
Engineering is a form of deception
4. Hackers-Hackers are the cause for attack vectors. They use variety of hacking tools
Strategies and social engineering to gain access to our accounts and computers
5. Heedless Guests [not noticeable]-it is an Attack by using counterfeited or duplicated
webpages. Such websites look similar to genuine website. They make internet users to
believe that they are using original website
6. Attack by Worms-Worms propagate through network. They scan network and start
looking for another computer over that network to infect them. Leads to more Zombie
networks used to carry illegal activities
7. Malicious Macros-These macros affect Microsoft Word and Microsoft Excel files.
Messaging and peer-to-peer (P2P) sharing networks which are used to transfer Word
and Excel files are infected by Macros
8. Foistware-It is a software that add hidden component to the system. The hidden
components get into the system when we try to download from website hijacked by
hackers
9. Viruses- These are malicious computer codes that deliver payload

ZERO-DAY ATTACK

 It is a computer threat which attempts to exploit computer applications

vulnerabilities that are unknown to anyone in the world
 Application vulnerability that are not disclosed by software vendors to
software uses and for which software patch is not available
 Zero-day Attacks are done and shared by attackers before the software
vendors know about it
 “Zero-day attack is launched just on or before the First day or Zeroth day of
vendors awareness reason being the vendor should not get any opportunity to
communicate or distribute a security fix or patch to user of such software”
 If the vulnerability is not particularly dangerous software vendors prefer to
hold until multiple updates are collected and later release them together as
package.

Dept. of ECE, EWIT

MODULE 2-INTRODUCTION TO CYBER SECURITY [BECL653] NOTES

Dept. of ECE, EWIT