
G L BAJAJ GROUP OF INSTITUTIONS, MATHURA

NOTES ON

BCC301 - CYBER SECURITY
UNIT 1: INTRODUCTION TO CYBER CRIME

What is Cyber Security?


Cyber security is the practice of defending computers, servers, mobile devices, electronic systems,
networks, and data from malicious attacks. It's also known as information technology security or
electronic information security.

Cyber Security is the body of technologies, processes, and practices designed to protect networks,
devices, programs, and data from attack, theft, damage, modification or unauthorized access. It’s
also known as Information Security (INFOSEC), Information Assurance (IA), or System
Security.

Why Cybersecurity?

Cyber security is important because government, corporate, military, financial and medical
organizations collect, process and store unprecedented amounts of data on computers and other
devices. Much of this is sensitive data such as personal information, and exposure of this private
information could have negative consequences.
Cyber Security proper began in 1972 with a research project on ARPANET (The Advanced Research
Projects Agency Network), a precursor to the internet. ARPANET developed protocols for remote
computer networking.

Example: suppose we shop on an online shopping website and share information such as our email id,
address and credit card details, which are saved on that website to enable a faster, hassle-free
shopping experience. This information is stored on the website's server. One day we receive an email
stating that we are eligible for a special discount voucher from XXXXX (attackers use the names of
well-known websites such as Flipkart, Amazon, etc.). To receive the coupon code we are asked to fill
in our details, including the saved card credentials. We share the data because we think it is just an
account verification step, and the attackers can then wipe a substantial amount of money from our
account.
Elements of Cyber Security-
Cyber security is the protection of internet-connected systems, such as hardware, software and
data, from cyber threats.
Various elements of cyber security are given below:

Cyber Security Fundamentals -

CIA (CONFIDENTIALITY, INTEGRITY, AVAILABILITY)
CONFIDENTIALITY-

Confidentiality is about preventing the disclosure of data to unauthorized parties. It also means trying
to keep the identity of authorized parties involved in sharing and holding data private and
anonymous.
Standard measures to establish confidentiality include:
1. Data encryption
2. Two-factor authentication
3. Biometric verification
4. Security tokens
INTEGRITY-
Integrity refers to protecting information from being modified by unauthorized parties.
Standard measures to guarantee integrity include:
1. Cryptographic checksums
2. Using file permissions
3. Uninterruptible power supplies
4. Data backups
AVAILABILITY-

Availability is making sure that authorized parties are able to access the information when needed.
Standard measures to guarantee availability include:
1. Backing up data to external drives
2. Implementing firewalls
3. Having backup power supplies
4. Data redundancy
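The notes list cryptographic checksums as a standard integrity measure. The following added example (not from the notes) shows how a checksum baseline detects modified, added and removed files, and why a plain hash stored beside the data is weaker than a keyed HMAC; the sample files and key are constructed.

```python
"""Integrity checking with cryptographic checksums.

Added example, not from the notes: builds a baseline of SHA-256 checksums for a
set of files and re-checks it to detect modified, added and removed files. It
also shows why a plain hash stored beside the data is not enough: whoever can
alter the file can recompute the hash, whereas an HMAC under a key the attacker
does not hold cannot be forged. The sample files and key are constructed.
"""
import hashlib
import hmac

KEY = b"constructed-demo-key-keep-this-secret"   # constructed for the example


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(files: dict, key: bytes = None) -> dict:
    """Map each path to its checksum; keyed HMAC when a key is supplied."""
    if key is None:
        return {path: sha256_hex(data) for path, data in files.items()}
    return {path: hmac_sha256_hex(key, data) for path, data in files.items()}


def verify(baseline: dict, files: dict, key: bytes = None) -> dict:
    """Compare the files seen now against the stored baseline."""
    current = build_baseline(files, key)
    # compare_digest avoids leaking how many leading characters matched
    modified = [p for p in baseline if p in current
                and not hmac.compare_digest(baseline[p], current[p])]
    added = [p for p in current if p not in baseline]
    removed = [p for p in baseline if p not in current]
    return {"modified": sorted(modified), "added": sorted(added),
            "removed": sorted(removed)}


# Constructed sample "filesystem": path -> content at baseline time ...
ORIGINAL = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/var/www/index.html": b"<h1>Welcome</h1>\n",
    "/usr/bin/ls": b"\x7fELF constructed binary bytes",
}
# ... and after an intrusion: one file edited, one removed, one dropped in.
TAMPERED = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nevil:x:0:0::/:/bin/sh\n",
    "/usr/bin/ls": b"\x7fELF constructed binary bytes",
    "/usr/bin/backdoor": b"\x7fELF constructed malicious bytes",
}


def demo() -> dict:
    """Expected: /etc/passwd modified, index.html removed, backdoor added."""
    return verify(build_baseline(ORIGINAL), TAMPERED)


def plain_hash_forgery() -> bool:
    """Attacker edits the file and overwrites its plain-hash baseline entry.
    Returns True when verification wrongly reports the file unmodified."""
    baseline = build_baseline(ORIGINAL)
    baseline["/etc/passwd"] = sha256_hex(TAMPERED["/etc/passwd"])
    return "/etc/passwd" not in verify(baseline, TAMPERED)["modified"]


def hmac_forgery(attacker_key: bytes = b"guessed-key") -> bool:
    """Same attempt against a keyed baseline without the real key.
    Returns True only if the forged tag verifies (it should not)."""
    baseline = build_baseline(ORIGINAL, KEY)
    baseline["/etc/passwd"] = hmac_sha256_hex(attacker_key, TAMPERED["/etc/passwd"])
    return "/etc/passwd" not in verify(baseline, TAMPERED, KEY)["modified"]


if __name__ == "__main__":
    print(demo())
    print("plain hash forgery succeeds:", plain_hash_forgery())
    print("HMAC forgery succeeds:", hmac_forgery())
```

The keyed baseline only helps if the key is stored away from the monitored host (for example on the system that runs the check), since an attacker holding both file and key can recompute the tag.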

Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to alter
computer code, logic or data and leads to cybercrimes, such as information and identity theft.

Cyber-attacks can be classified into the following categories:

1) Web-based attacks
2) System-based attacks

Web-based attacks

These are attacks that occur on a website or web application. Some of the important web-based
attacks are as follows:

1. Injection attacks

In an injection attack, crafted data is injected into a web application to manipulate the
application and extract the information the attacker wants.

Examples: SQL injection, code injection, log injection, XML injection, etc.

2. DNS Spoofing
DNS spoofing is a type of computer security attack in which corrupt data is introduced into a DNS
resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to
the attacker's computer or any other computer. DNS spoofing attacks can go on for a long period of
time without being detected and can cause serious security issues.

3. Session Hijacking
It is a security attack on a user session over a protected network. Web applications create cookies to
store state and user sessions. By stealing the cookies, an attacker can gain access to all of the user's
data.
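Since session hijacking relies on stealing the session cookie, the cookie's attributes decide how easily it can be taken over plain HTTP or by injected script. The following added example (not from the notes) audits a Set-Cookie header for the protective flags; the sample headers are constructed.

```python
"""Auditing Set-Cookie headers for session-hijacking defences.

Added example, not from the notes. Parses the attributes of a Set-Cookie
header and reports the flags whose absence makes a session cookie easier to
steal: Secure (never sent over cleartext HTTP), HttpOnly (not readable by
script) and SameSite (not sent on cross-site requests). The sample headers
are constructed.
"""


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr1; Attr2=v' into name, value and attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> list:
    """Return a list of findings; an empty list means the cookie is hardened."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over plain HTTP and sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script injected into the page can read the cookie")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: cookie is attached to cross-site requests")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers reject this cookie")
    # The __Host- prefix asks the browser to enforce Secure, Path=/ and no Domain.
    if cookie["name"].startswith("__Host-") and (
            "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain attribute")
    return findings


# Constructed sample headers: a weak session cookie and a hardened one.
WEAK = "sessionid=abc123; Path=/"
HARDENED = "__Host-sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for h in (WEAK, HARDENED):
        print(h, "->", audit_set_cookie(h) or "ok")
```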

4. Phishing
Phishing is a type of attack which attempts to steal sensitive information like user login credentials
and credit card numbers. It occurs when an attacker masquerades as a trustworthy entity in
electronic communication.

5. Brute force
It is a type of attack which uses a trial and error method. This attack generates a large number of
guesses and validates them to obtain actual data like a user password or personal identification
number. This attack may be used by criminals to crack encrypted data, or by security analysts to test
an organization's network security.
6. Denial of Service

It is an attack meant to make a server or network resource unavailable to users. It accomplishes this
by flooding the target with traffic or sending it information that triggers a crash. It uses a single
system and a single internet connection to attack a server. It can be classified into the following:

Volume-based attacks: the goal is to saturate the bandwidth of the attacked site; measured in bits
per second.

Protocol attacks: these consume actual server resources; measured in packets per second.

Application layer attacks: the goal is to crash the web server; measured in requests per second.

7. Dictionary attacks

This type of attack uses a stored list of commonly used passwords and tries each one in turn to
find the original password.
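Both brute force and dictionary attacks leave the same trace on the defender's side: a burst of failed logins from one source. The following added example (not from the notes) runs that detection over constructed sshd-style log lines, and also flags a success that follows such a burst, which suggests a guessed password rather than a typo.

```python
"""Detecting brute-force and dictionary login attempts in authentication logs.

Added example, not from the notes: parses sshd-style log lines (constructed
below) and raises an alert when one source address accumulates a threshold of
failed logins inside a sliding time window. A second alert fires when a success
follows such a burst. The log format, addresses and usernames are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, then a classic sshd message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[911]: Accepted password for alice from 198.51.100.7 port 50122 ssh2
2024-03-01T10:00:05 sshd[912]: Failed password for admin from 203.0.113.5 port 40001 ssh2
2024-03-01T10:00:06 sshd[913]: Failed password for root from 203.0.113.5 port 40002 ssh2
2024-03-01T10:00:07 sshd[914]: Failed password for admin from 203.0.113.5 port 40003 ssh2
2024-03-01T10:00:08 sshd[915]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
2024-03-01T10:00:09 sshd[916]: Failed password for invalid user oracle from 203.0.113.5 port 40005 ssh2
2024-03-01T10:00:10 sshd[917]: Failed password for admin from 203.0.113.5 port 40006 ssh2
2024-03-01T10:00:12 sshd[918]: Accepted password for admin from 203.0.113.5 port 40007 ssh2
2024-03-01T10:05:00 sshd[920]: Failed password for bob from 192.0.2.9 port 33333 ssh2
2024-03-01T10:05:04 sshd[921]: Accepted password for bob from 192.0.2.9 port 33334 ssh2
"""


def parse_line(line: str):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> list:
    """Slide a per-IP window over the log and return alerts in order.

    A 'brute_force' alert fires once per IP when failures in the window reach
    the threshold; 'success_after_failures' fires when that IP then logs in.
    The number of distinct usernames separates a dictionary attack on one
    account (few users) from a password spray across accounts (many users).
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "brute_force", "ip": ev["ip"],
                               "failures": len(q),
                               "users": sorted({u for _, u in q})})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

A single mistyped password (bob above) never reaches the threshold, so the check raises no alert for ordinary user error.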

8. URL Interpretation

It is a type of attack in which certain parts of a URL are altered so that the web server delivers
web pages the user is not authorized to browse.

9. File Inclusion attacks

It is a type of attack that allows an attacker to access unauthorized or sensitive files which are
available on the web server, or to execute malicious files on the web server, by making use of the
include functionality.

10. Man in the middle attacks

It is a type of attack that allows an attacker to intercept the connection between client and server
and act as a bridge between them. Due to this, the attacker is able to read, insert and modify the data
in the intercepted connection.

System-based attacks

These are the attacks which are intended to compromise a computer or a computer network. Some of
the important system-based attacks are as follows-

1. Virus
It is a type of malicious software program that spreads throughout the computer's files without the
knowledge of the user. It is a self-replicating malicious computer program that replicates by inserting
copies of itself into other computer programs when executed. It can also execute instructions that
cause harm to the system.

2. Worm
It is a type of malware whose primary function is to replicate itself to spread to uninfected computers.
It works in the same way as a computer virus. Worms often originate from email attachments that
appear to be from trusted senders.

3. Trojan horse
It is a malicious program that causes unexpected changes to computer settings and unusual activity,
even when the computer should be idle. It misleads the user about its true intent. It appears to be a
normal application, but when opened or executed, malicious code runs in the background.

4. Backdoors
It is a method that bypasses the normal authentication process. A developer may create a backdoor so
that an application or operating system can be accessed for troubleshooting or other purposes.

5. Bots
A bot (short for "robot") is an automated process that interacts with other network services. Some
bot programs run automatically, while others only execute commands when they receive specific
input. Common examples of bot programs are crawlers, chatroom bots, and malicious bots.
Types of cyber-attacker actions and their motivations when deliberate-
Active attacks: An active attack is a network exploit in which a hacker attempts to make
changes to data on the target or data en route to the target.

Types of Active attacks:


Masquerade: In this attack, the intruder pretends to be a particular user of a system to gain access or
to gain greater privileges than they are authorized for. A masquerade may be attempted through the
use of stolen login IDs and passwords, through finding security gaps in programs or through
bypassing the authentication mechanism.
Session replay: In this type of attack, a hacker steals an authorized user's login information by
stealing the session ID. The intruder gains access and the ability to do anything the authorized user
can do on the website.
Message modification: In this attack, an intruder alters packet header addresses to direct a message
to a different destination or modify the data on a target machine.
In a denial of service (DoS) attack, users are deprived of access to a network or web resource. This is
generally accomplished by overwhelming the target with more traffic than it can handle.
In a distributed denial-of-service (DDoS) exploit, large numbers of compromised systems
(sometimes called a botnet or zombie army) attack a single target.
Passive Attacks: Passive attacks are relatively scarce from a classification perspective, but can be
carried out with relative ease, particularly if the traffic is not encrypted.

Types of Passive attacks:


Eavesdropping (tapping): The attacker simply listens to messages exchanged by two entities. For the
attack to be useful, the traffic must not be encrypted. Any unencrypted information, such as a
password sent in response to an HTTP request, may be retrieved by the attacker.
Traffic analysis: The attacker looks at the metadata transmitted in traffic in order to deduce
information relating to the exchange and the participating entities, e.g. the form of the exchanged
traffic (rate, duration, etc.). In cases where encrypted data is used, traffic analysis can also lead
to attacks by cryptanalysis, whereby the attacker may obtain information or succeed in decrypting
the traffic.

Software Attacks: Malicious code (sometimes called malware) is a type of software designed
to take over or damage a computer user's operating system, without the user's knowledge or
approval. It can be very difficult to remove and very damaging. Common malware examples
are listed in the following table:
What is cybercrime?
Cybercrime is criminal activity that either targets or uses a computer, a computer network or a
networked device. Most cybercrime is committed by cybercriminals or hackers who want to make
money. However, occasionally cybercrime aims to damage computers or networks for reasons other
than profit. These could be political or personal.

Cybercrime can be carried out by individuals or organizations. Some cybercriminals are organized,
use advanced techniques and are highly technically skilled. Others are novice hackers.

What are the types of cybercrime?


Types of cybercrime include:

• Email and internet fraud.
• Identity fraud (where personal information is stolen and used).
• Theft of financial or card payment data.
• Theft and sale of corporate data.
• Cyberextortion (demanding money to prevent a threatened attack).
• Ransomware attacks (a type of cyberextortion).
• Cryptojacking (where hackers mine cryptocurrency using resources they do not own).
• Cyberespionage (where hackers access government or company data).
• Interfering with systems in a way that compromises a network.
• Infringing copyright.
• Illegal gambling.
• Selling illegal items online.
• Soliciting, producing, or possessing child pornography.

Cybercrime involves one or both of the following:

• Criminal activity targeting computers using viruses and other types of malware.
• Criminal activity using computers to commit other crimes.

Cybercriminals that target computers may infect them with malware to damage devices or stop them
working. They may also use malware to delete or steal data. Or cybercriminals may stop users from
using a website or network, or prevent a business from providing a software service to its customers,
which is called a Denial-of-Service (DoS) attack.
Examples of cybercrime

Here are some famous examples of different types of cybercrime attack used by cybercriminals:
Malware attacks
A malware attack is where a computer system or network is infected with a computer virus or other
type of malware. A computer compromised by malware could be used by cybercriminals for several
purposes. These include stealing confidential data, using the computer to carry out other criminal
acts, or causing damage to data.
A famous example of a malware attack was the WannaCry ransomware attack, a global cybercrime
committed in May 2017. WannaCry is a type of ransomware, malware used to extort money by
holding the victim’s data or device to ransom. The ransomware targeted a vulnerability in computers
running Microsoft Windows.
When the WannaCry ransomware attack hit, 230,000 computers were affected across 150 countries.
Users were locked out of their files and sent a message demanding that they pay a Bitcoin ransom to
regain access. Worldwide, the WannaCry cybercrime is estimated to have caused $4 billion in
financial losses. To this day, the attack stands out for its sheer size and impact.
Phishing
A phishing campaign is when spam emails, or other forms of communication, are sent with the
intention of tricking recipients into doing something that undermines their security. Phishing
campaign messages may contain infected attachments or links to malicious sites, or they may ask the
receiver to respond with confidential information.

A famous example of a phishing scam took place during the World Cup in 2018. According to our
report, 2018 Fraud World Cup, the World Cup phishing scam involved emails that were sent to
football fans. These spam emails tried to entice fans with fake free trips to Moscow, where the World
Cup was being hosted. People who opened and clicked on the links contained in these emails had
their personal data stolen.

Another type of phishing campaign is known as spear-phishing. These are targeted phishing
campaigns which try to trick specific individuals into jeopardizing the security of the organization
they work for.

Unlike mass phishing campaigns, which are very general in style, spear-phishing messages are
typically crafted to look like messages from a trusted source. For example, they are made to look like
they have come from the CEO or the IT manager. They may not contain any visual clues that they are
fake.

Distributed DoS attacks


Distributed DoS attacks (DDoS) are a type of cybercrime attack that cybercriminals use to bring
down a system or network. Sometimes connected IoT (Internet of Things) devices are used to launch
DDoS attacks.
A DDoS attack overwhelms a system by using one of the standard communication protocols it uses to
spam the system with connection requests. Cybercriminals who are carrying out cyberextortion may
use the threat of a DDoS attack to demand money. Alternatively, a DDoS may be used as a
distraction tactic while another type of cybercrime takes place.

A famous example of this type of attack is the 2017 DDoS attack on the UK National Lottery
website. This brought the lottery’s website and mobile app offline, preventing UK citizens from
playing. The reason behind the attack remains unknown, however, it is suspected that the attack was
an attempt to blackmail the National Lottery.

Impact of cybercrime

Generally, cybercrime is on the rise. According to Accenture's State of Cybersecurity Resilience
2021 report, security attacks increased 31% from 2020 to 2021. The number of attacks per company
increased from 206 to 270 year on year. Attacks on companies affect individuals too, since many of
them store sensitive data and personal information from customers.

A single attack, whether it's a data breach, malware, ransomware or DDoS attack, costs companies
of all sizes an average of $200,000, and many affected companies go out of business within six
months of the attack, according to insurance company Hiscox.

Javelin Strategy & Research published an Identity Fraud Study in 2021 which found that identity
fraud losses for the year totalled $56 billion.

For both individuals and companies, the impact of cybercrime can be profound – primarily financial
damage, but also loss of trust and reputational damage.

How to report a cybercrime


Reporting a cybercrime in the US:
File a report with the Internet Crime Complaint Center (IC3) as soon as possible. Visit ic3.gov for
more information.
Reporting a cybercrime in the UK:
Contact Action Fraud as soon as possible – find out more on their website here.
Reporting a cybercrime in the EU:

Europol has a useful website here which collates the relevant cybercrime reporting links for each EU
member state.

Reporting a cybercrime in the UAE:

You can find information about how to report cybercrime in the UAE on this official website here.

Reporting a cybercrime in Australia:

The Australian Cyber Security Centre has information about how to report a cybercrime here.

ORIGIN OF CYBER CRIME-

Human civilization has come a long way from the abacus to modern high-speed computers. This
transition is one of the crucial developments witnessed by humanity because it has changed ways of
living and, except for a select few remotely located people, it has affected everybody's life. Although
this transition took its time, it was long enough to make the evolution of cyber crimes quite visible.
Cyber criminals evolved with time; they changed their strategies in line with advances in technology
to commit cyber crimes. Technically skilled criminals prefer to work in cyber space because there is
not much physical exertion involved and cyber crimes seemingly yield maximum financial rewards
with minimal risk of being caught, given the anonymity involved in cyber crimes. Cyber criminals
have made use of developing and developed nations' promotion of computerization as a means of
sustainable growth for the country. In the past few decades, there has been a continuous upsurge in
the recorded number of cyber crimes across the world. The more people are connected to the
e-world of networking, the greater the chances of victimization by malware, viruses and phishing.
Very little work has been done at the international level to ascertain country trends in cyber crimes.
One such comparative study of country trends (shown in the diagram below), carried out by an
organization named Bluecoat, reported trends of cyber crimes across the world as of December 2013.

A History Of Cyber Crime

We have learnt to place a great deal of faith in computer systems since they have become a vital part
of the everyday operations of corporations, organisations, governments, and people. As a result,
we've entrusted them with extremely essential and valuable information. Things of value have always
been a target for criminals, as history has proved.
Cyber Crime is no exception. As consumers fill their personal computers, phones, and other devices
with valuable information, they provide a target for criminals to aim at in order to profit from the
activity.
In the past, a criminal would have to commit a robbery in some form or another in order to acquire
access to a person's goods. In the instance of data theft, the thief would need to break into a facility
and sift through files in search of the most valuable and profitable information. In today's society,
criminals may attack their victims from afar, and because of the nature of the internet, these actions
are unlikely to be punished.

Cyber Crime in the 70s and 80s

Criminals took advantage of the tone mechanism employed on phone networks in the 1970s. The
assault was known as phreaking, and it involved the attacker reverse-engineering the telephone
companies' long-distance call tones.
The first computer worm appeared on the internet in 1988, wreaking havoc on businesses. The Morris
worm, named after its inventor Robert Morris, was the first worm. Despite the fact that this worm
was not designed to be malevolent, it nonetheless did a lot of damage. In 1980, the United States
Government Accountability Office assessed that the cost of the damage may have been as much as
$10,000,000.00.

The first recorded ransomware assault, which targeted the healthcare business, occurred in 1989.
Ransomware is a sort of malicious software that encrypts a user's data and locks it until a tiny ransom
is paid, after which a cryptographic unlock key is sent. 20,000 floppy discs were delivered across 90
nations by an evolutionary researcher named Joseph Popp, who claimed the discs contained software
that could be used to analyse an individual's risk factors for developing the AIDS virus. The disc, on
the other hand, included malware that, when run, presented a message requesting payment for a
software licence. Ransomware assaults have developed significantly over time, with the healthcare
industry continuing to be a major target.

The birth of the web and a new dawn for Cyber Crime

The web browser and email became widely available in the 1990s, providing new tools for
cybercriminals to exploit. As a result, cybercriminals were able to dramatically increase their reach.
Until then, a cybercriminal had to carry out a physical transaction, such as handing over a floppy
disc. Cybercriminals could now use these new, very susceptible web browsers to send virus code
around the internet. Cybercriminals adapted what they had learnt in the past to operate via the
internet, with disastrous repercussions.

With phishing assaults, cybercriminals were also able to reach out and scam individuals from afar. It
was no longer required to interact with folks on a one-on-one basis. You could attempt to trick
millions of users simultaneously. Even if only a small percentage of people took the bait you stood to
make a lot of money as a cybercriminal.

The decade of the 2000s saw the emergence of social media as well as identity theft. Identity theft has
become the new financial piggy bank for criminal groups all over the world, thanks to the emergence
of databases storing millions of users' personal identifying information (PII).

Because of this information and the general public's lack of cybersecurity knowledge, hackers were
able to perpetrate a variety of financial frauds, including creating bank accounts and credit cards in
the names of others.

Cyber Crime in a fast-paced technology landscape

Cybercriminal behaviour has only become worse in recent years. We've seen the cybercriminal grow
more adept and difficult to apprehend as computer systems have gotten quicker and more
complicated. Botnets, which are a network of private computers infected with malicious software and
used by criminals to manage millions of infected computer systems throughout the world, are already
commonplace.
These botnets allow hackers to overburden organisational networks while concealing their origins:
• We see constant ransomware attacks across all sectors of the economy.
• People are constantly on the lookout for identity theft and financial fraud.
• There are continuous news reports regarding the latest point of sale attack against major retailers
and hospitality organizations.

Cyber Criminals and its types

Cyber crime is taken very seriously by law enforcement. In the early days of the cyber security
world, the typical cyber criminals were teenagers or hobbyists operating from a home computer, with
attacks mostly restricted to pranks and malicious mischief. Today, the world of cyber criminals has
become much more dangerous. Attackers are individuals or teams who attempt to exploit
vulnerabilities for personal or financial gain.

Types of Cyber Criminals:

1. Hackers: The term hacker may refer to anyone with technical skills; however, it typically refers
to an individual who uses his or her skills to gain unauthorized access to systems or networks in
order to commit crimes. The intent of the break-in determines the classification of these attackers as
white, grey, or black hats. White hat attackers break into networks or computer systems to find
weaknesses in order to improve the security of those systems. The owners of the system give
permission to perform the break-in, and they receive the results of the test. On the other hand, black
hat attackers take advantage of any vulnerability for illegal personal, monetary or political gain. Grey
hat attackers are somewhere between white and black hat attackers. Grey hat attackers may find a
vulnerability and report it to the owners of the system if that action coincides with their agenda.
(a). White Hat Hackers: These hackers use their programming skills for good and lawful reasons.
These hackers may perform network penetration tests in an attempt to compromise networks
to discover network vulnerabilities. Security vulnerabilities are then reported to developers to fix
them, and these hackers can also work together as a blue team. They use only the limited resources
that are ethical and provided by the company, and they perform pentesting only to check the security
of the company against external sources.
(b). Gray Hat Hackers: These hackers break rules and do seemingly deceptive things, but not for
personal gain or to cause harm. These hackers may disclose a vulnerability to the affected
organization after having compromised its network, or they may exploit it.
(c). Black Hat Hackers: These hackers are unethical criminals who violate network security for
personal gain. They exploit vulnerabilities to compromise computer systems, and they misuse any
information or data they obtain from unethical pentesting of the network.
2. Organized Hackers: These criminals include organizations of cyber criminals, hacktivists,
terrorists, and state-sponsored hackers. Cyber criminals are typically teams of skilled criminals
focused on control, power, and wealth. These criminals are highly sophisticated and organized, and
may even offer crime as a service. These attackers are usually highly trained and well-funded.

What do cybercriminals want?

Cybercriminals want a number of different things, including:

• Money (extorting or transferring money from accounts)
• Power/influence
• Financial information
• Personal profiling data (passwords, etc.)
• Corporate data
• Sensitive information (government institutions, personal data from public/private companies)
• Information relating to new product research and development
• Access to systems (to create 'zombies')
• To place software on your machine (adware, spyware)

Cyber-crime: A Global Perspective

Cybersecurity constitutes one of the top five risks of most firms, especially in Big Tech and Banking
& Financial Services. A weekend reading led to some interesting data points from various sources
such as AV-Test and Coveware, among others, and that further led to me pondering over the
mitigating actions that we can take as individuals and as organisations for some, if not all, of these
cybercrime risks. I extend my thanks to the respective experts who shared their knowledge, enabling
me to piece together some parts of the larger jigsaw puzzle.

Global cybercrime damage costs this year are expected to breach US $6 trillion an annum. That is
almost one-fourth of the US GDP or twice the GDP of India. This is expected to scale up to US $10.5
trillion an annum by 2025. Cyber attackers are disrupting critical supply chains, at least 4 times more
than in 2019.

Yet approximately 4 of every 5 organisations do not consider themselves as having proper responses to
cyber-attacks, which creates a need for a cybersecurity risk management team. Let's have a look at the
individual components.

Malware

Total malware is expected to exceed 1.2 billion samples in 2021, with an average of approximately 18
million new malware samples every month (Source: AV-Test). Approximately 94% of this malware is
polymorphic, i.e., it can constantly change its identifiable features to evade detection.

Ransomware

Average ransom payment peaked in Q3 2020 at ~US $234k but decreased to ~US $154k in Q4 2020.
The threat to leak exfiltrated data was up 43% during this period. (Source: Coveware). Sodinokibi,
Egregor, Ryuk, Netwalker and Maze are the top-ranked ransomware by market share.

Data Breach

In 2020, the average cost of a data breach was ~US $3.9 million. Data privacy and cybersecurity risk
are major concerns that are seeing more regulation created, for example, GDPR (EU), PDP(India) etc.
Unfortunately, data breaches take time to be detected.

Phishing

More than 80% of reported security incidents were in the form of phishing attempts.

How Cybercriminals Plan Attacks


Cybercriminals commit cybercrimes using different tools and techniques, but the basic process of
performing the attacks is generally the same. The process or steps involved in committing a
cybercrime can be specified in 5 steps, namely:
1) Reconnaissance
2) Scanning and Scrutinizing
3) Gaining Access
4) Maintaining Access and
5) Covering the tracks

The simplified or condensed process consists of 3 steps namely:

1) Reconnaissance
2) Scanning and Scrutinizing and
3) Launching an Attack

The 3 step process of how cybercriminals plan attacks is illustrated in the below image.

Reconnaissance

Reconnaissance is the act of exploring to find someone or something. The reconnaissance phase
begins with footprinting. Footprinting involves gathering information about the target's environment
in order to penetrate it. It provides an overview of system vulnerabilities. The objective of this phase
(reconnaissance) is to understand the system, its network ports and services, and any other related
data. An attacker attempts to gather information in two phases: a) passive and b) active attacks.
Passive Attacks

This attack is used to gather information about a target without their knowledge. These attacks
include:

• Google or Yahoo search
• Facebook, LinkedIn, other social sites
• Organization's website (target)
• Blogs, newsgroups, press releases, etc.
• Job postings on Naukri, Monster, Craigslist, etc.
• Network sniffing

Active Attacks

This attack involves exploring the network to discover individual hosts to confirm the data gathered
using passive attacks. This attack involves the risk of being detected and so it is called “Active
Reconnaissance”. This attack allows the attacker to know the security measures in place.
Scanning and Scrutinizing
Scanning involves intelligent examination of the information gathered about the target. The objectives
of scanning are:

• Port scanning
• Network scanning
• Vulnerability scanning

Scrutinizing is also called enumeration. 90% of the time in hacking is spent in reconnaissance,
scanning and scrutinizing information. The objectives are:

• Find valid user accounts or groups
• Find network resources or shared resources
• Identify the OS and different applications running on the target

Launch an Attack
An attack follows the steps below:

• Crack the password
• Exploit the privileges
• Execute malicious software (backdoor)
• Hide or destroy files (if required)
• Cover the tracks
Social Engineering – The Art of Virtual Exploitation
Social engineering exploits human weakness or psychology to gain access to systems, data, personal
information, etc. It is the art of manipulating people, and it does not require technical hacking
techniques. Attackers turn to social engineering because it is usually easier to exploit a victim's natural
inclination to trust: for example, it is much easier to fool someone into giving up their password than to
crack it. Sharing too much information on social media can also enable attackers to obtain a password or
to extract a company's confidential information from employees' posts; such confidential information has
helped attackers obtain the passwords of victims' accounts.
How do Social Engineering Attacks Take Place?
Phishing scams are the most common type of social engineering attack today. Tools such as
SET (Social Engineering Toolkit) make it easy to create a phishing page, but fortunately many
companies, such as Facebook, are now able to detect phishing pages. That does not mean you cannot
become a victim of phishing, because attackers now use iframes to evade such detection
techniques. An example of hidden code in phishing pages is cross-site request forgery (CSRF),
an attack that forces an end user to execute unwanted actions on a web application. Example: in 2018
there was a great rise in the use of ransomware delivered alongside phishing emails. The attacker typically
sends an attachment under a subject like "Account Information" with a common file extension such as
.pdf, .docx or .rar. The user generally clicks on it, and the attacker's job is done. The attack often encrypts
the entire disk or the user's documents, and decrypting the files requires a cryptocurrency payment, the
"ransom". Attackers usually accept Bitcoin or Ethereum because such currencies are hard to trace. Here
are a few examples of social engineering attacks that are executed via phishing:
 Banking Links Scams
 Social Media Link Scams
 Lottery Mail Scams
 Job Scams
Purpose
The purpose of social engineering attacks is typically to steal sensitive information, such as login
credentials, credit card numbers, or personal information. Attackers can use this information for
identity theft, financial fraud, or other malicious purposes. Another purpose of social engineering
attacks is to gain unauthorized access to secure areas or systems. For example, an attacker might
use tailgating to follow an authorized individual into a secure area or use pretexting to convince an
individual to give them access to a restricted system.
Types of Social Engineering
There are many different types of social engineering attacks, each of which uses a unique approach
to exploit human weaknesses and gain access to sensitive information. Some of these types of attack
include:
 Phishing: Phishing is a type of social engineering attack that involves sending an email or
message that appears to be from a legitimate source, such as a bank, in an attempt to trick the
recipient into revealing their login credentials or other sensitive information.
 Baiting: Baiting is a type of social engineering attack that involves leaving a tempting item,
such as a USB drive, in a public place in the hope that someone will pick it up and plug it into
their computer. The USB drive is then used to infect the computer with malware.
 Tailgating: Tailgating is a type of social engineering attack that involves following an
authorized individual into a secure area, such as a building or data center, without proper
authorization.
 Pretexting: Pretexting is a type of social engineering attack that involves creating a false
identity or situation in order to trick an individual into revealing sensitive information. For
example, an attacker might pretend to be a customer service representative in order to trick an
individual into giving them their login credentials.
 Vishing: Vishing (voice phishing) is a type of social engineering attack that uses phone calls to trick
individuals into revealing sensitive information over the phone.
 Smishing: Smishing is a type of social engineering attack that involves using SMS messages to
trick individuals into revealing sensitive information or downloading malware.
Prevention
 Regularly monitor online accounts, whether social media or bank accounts, to ensure that no
unauthorized transactions have been made.
 Check the email headers of any suspicious mail to verify that it really comes from the claimed source.
 Avoid clicking on links or unknown files, or opening email attachments, from unknown senders.
 Beware of links to online forms that require personal information, even if the email appears to
come from a legitimate source. Phishing websites look identical to legitimate websites.
 Adopt proper security mechanisms such as spam filters, anti-virus software, a firewall and
anti-keyloggers, and keep all systems updated.
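The "check the email headers" tip above is easy to turn into a routine check. The following is an added example (not code from these notes) that parses a raw message with Python's standard `email` module and reports the classic signs of a spoofed sender: a Return-Path or Reply-To domain that differs from the From domain, and SPF/DKIM results in the Authentication-Results header that are anything other than pass. Both messages, every address and the domain names are constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not real mail); only the headers matter here.
LEGIT_MAIL = """\
Return-Path: <alerts@examplebank.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com
From: Example Bank <alerts@examplebank.com>
To: user@example.net
Subject: Your monthly statement

Your statement is ready.
"""

SUSPECT_MAIL = """\
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-relay.example; dkim=none
From: Example Bank <alerts@examplebank.com>
Reply-To: verify-account@examplebank-secure.example
To: user@example.net
Subject: Account Information

Please confirm your login at the link below.
"""


def domain_of(addr):
    """Extract the lower-cased domain from a header value such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def check_headers(raw):
    """Return a list of findings; an empty list means no obvious spoofing indicators."""
    msg = email.message_from_string(raw)
    findings = []

    from_dom = domain_of(msg.get("From", ""))

    # The envelope sender (Return-Path) should normally match the visible From domain.
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # A Reply-To pointing at another domain redirects the victim's answer to the attacker.
    reply = msg.get("Reply-To")
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # SPF and DKIM verdicts as recorded by the receiving mail server.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            findings.append(f"{mech} result is {result}")
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MAIL), ("suspect", SUSPECT_MAIL)):
        print(label, check_headers(raw) or "no findings")
```

Only the Authentication-Results header written by your own receiving server can be trusted; an attacker can insert a fake one, so a production filter keys on the server's own authserv-id (mx.example.net in the constructed sample) and ignores the rest.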

What is the meaning of cyber crime and cyber café?

In a February 2009 survey covering eight cities and 3500 cafes, 90% of the audience were male and in the
age group of 15-35 years. 52% were graduates or postgraduates, and almost 50% were students. In India,
cybercafes are known to be used for either real or false terrorist communication.

Cybercafes hold two types of risk:

1. We do not know what programs, such as keyloggers or spyware, are installed on the computer.
2. Over-the-shoulder peeping can enable others to find out your passwords.
Cyber criminals prefer cybercafes to carry out their activities.
A recent survey conducted in one of the metropolitan cities in India reveals the following facts:
1. Pirated software is installed on all the computers.
2. Antivirus software was not updated with the latest patches.
3. Several cybercafes have installed "Deep Freeze", which restores the computer to a clean state on every reboot; this protects the machine but also erases all traces of activity, which helps cyber criminals.
4. No Annual Maintenance Contract (AMC) was found for servicing the computers.
5. Pornographic websites were not blocked.
6. Cybercafe owners have very little awareness of IT security.
7. The cybercafe association and the State Police do not seem to conduct periodic visits to cybercafes.
Security tips for cyber cafes
Always log out – While checking email or logging in for chatting, always click logout/sign out when done.

Stay with the computer – While surfing, don't leave the system unattended for any period of time.

Clear history and temporary files – Before browsing, deselect the AutoComplete option: Browser ->
Tools -> Internet Options -> Content tab. Afterwards clear the temporary files: Tools -> Internet Options ->
General tab -> Temporary Internet Files -> Delete Files, and then Delete Cookies.

Avoid online financial transactions – Avoid online banking, shopping, etc., and don't provide
sensitive information such as credit card numbers or bank account details.

Change passwords / use the virtual keyboard – Change your password after completing a transaction, and
use the virtual keyboard where available so that a keylogger cannot capture the keystrokes.

Be alert – Be alert for snooping over the shoulder.

BOTNET

A botnet is a collection of internet-connected devices, which may include personal computers (PCs),
servers, mobile devices and internet of things (IoT) devices, that are infected and controlled by a
common type of malware, often unbeknownst to their owner.

Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for
specific functions, yet the malicious operations stay hidden from the user.

Botnets are commonly used to send spam emails, engage in click fraud campaigns and generate
malicious traffic for distributed denial-of-service (DDoS) attacks.
How do botnets work?
The term botnet is derived from the words robot and network. A bot, in this case, is a device infected
by malicious code, which then becomes part of a network, or net, of infected machines all controlled
by a single attacker or attack group.

A bot is sometimes called a zombie, and a botnet is sometimes referred to as a zombie army.
Conversely, those controlling the botnet are sometimes referred to as bot herders.

The botnet malware typically looks for devices with vulnerable endpoints across the internet, rather
than targeting specific individuals, companies or industries.

The objective for creating a botnet is to infect as many connected devices as possible and to use the
large-scale computing power and functionality of those devices for automated tasks that generally
remain hidden to the users of the devices.

For example, an ad fraud botnet infects a user's PC with malicious software that uses the system's
web browsers to divert fraudulent traffic to certain online advertisements. However, to stay
concealed, the botnet won't take complete control of the operating system (OS) or the web browser,
which would alert the user. Instead, the botnet may use a small portion of the browser's processes,
often running in the background, to send a barely noticeable amount of traffic from the infected
device to the targeted ads.

On its own, that fraction of bandwidth taken from an individual device won't offer much to the
cybercriminals running the ad fraud campaign. However, a botnet that combines millions of botnet
devices will be able to generate a massive amount of fake traffic for ad fraud.

The architecture of a botnet


Botnet infections are usually spread through malware or spyware. Botnet malware is typically
designed to automatically scan systems and devices for common vulnerabilities that haven't been
patched in hopes of infecting as many devices as possible. Once the desired number of devices is
infected, attackers can control the bots using two different approaches.

The client-server botnet

The traditional client-server model involves setting up a command and control (C&C) server and
sending automated commands to infected botnet clients through a communications protocol, such as
Internet Relay Chat (IRC).

The bots are then often programmed to remain dormant and await commands from the C&C server
before initiating any malicious activities or cyber attacks.

The P2P botnet


The other approach to controlling infected bots involves a peer-to-peer (P2P) network. Instead of
using C&C servers, a P2P botnet relies on a decentralized approach. Infected devices may be
programmed to scan for malicious websites or even for other devices that are part of a botnet. The
bots can then share updated commands or the latest versions of the malware. The P2P approach is
more common today, as cybercriminals and hacker groups try to avoid detection by cybersecurity
vendors and law enforcement agencies, which have often used C&C communications to locate and
disrupt botnet operations.
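Whether a bot reports to a central C&C server or to P2P peers, the behaviour the notes describe (stay dormant, check in, await commands) produces a tell-tale pattern on the network: small connections to the same endpoint at a nearly fixed interval, unlike the bursty traffic of a person. The following is an added example (not code from these notes) that finds such beaconing in a constructed connection log by measuring how regular the gaps between connections are. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log (not real traffic): "timestamp src dst:port bytes".
# The first flow checks in every ~5 minutes with a tiny payload (beacon-like);
# the second is irregular, variable-size traffic like a person browsing.
CONN_LOG = """\
2024-03-01T09:00:00 10.0.0.15 198.51.100.9:443 412
2024-03-01T09:05:00 10.0.0.15 198.51.100.9:443 408
2024-03-01T09:10:01 10.0.0.15 198.51.100.9:443 415
2024-03-01T09:15:00 10.0.0.15 198.51.100.9:443 410
2024-03-01T09:20:00 10.0.0.15 198.51.100.9:443 411
2024-03-01T09:25:01 10.0.0.15 198.51.100.9:443 409
2024-03-01T09:01:12 10.0.0.15 203.0.113.50:443 15233
2024-03-01T09:02:47 10.0.0.15 203.0.113.50:443 8840
2024-03-01T09:19:03 10.0.0.15 203.0.113.50:443 22110
2024-03-01T09:20:30 10.0.0.15 203.0.113.50:443 3021
2024-03-01T09:41:55 10.0.0.15 203.0.113.50:443 19800
2024-03-01T09:42:02 10.0.0.15 203.0.113.50:443 51000
"""


def parse_conns(text):
    """Turn the constructed log into (timestamp, src, dst, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def find_beacons(rows, min_conns=5, max_cv=0.1):
    """Return {(src, dst): period_seconds} for flows whose inter-connection gaps are
    nearly constant. Regularity is measured as the coefficient of variation
    (std dev / mean) of the gaps; max_cv and min_conns are assumed thresholds."""
    times = defaultdict(list)
    for ts, src, dst, _ in rows:
        times[(src, dst)].append(ts)

    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue                      # too few samples to judge regularity
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_conns(CONN_LOG)).items():
        print(f"{src} beacons to {dst} roughly every {period}s")
```

Real bot malware often adds random jitter to its check-in interval precisely to defeat this test, so a production detector relaxes max_cv, looks at payload-size consistency as a second signal, and correlates the destination against threat-intelligence feeds.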
Examples of botnet attacks
Zeus

The Zeus malware, first detected in 2007, is one of the best-known and widely used malware types in
the history of information security. Zeus uses a Trojan horse program to infect vulnerable devices.
Variants of this malware have been used for various purposes over the years, including to spread
CryptoLocker ransomware. Initially, Zeus, or Zbot, was used to harvest banking credentials and
financial information from users of infected devices. Once the data was collected, attackers used the
bots to send out spam and phishing emails that spread the Zeus Trojan to more prospective victims.

GameOver Zeus

Approximately a year after the original Zeus botnet was disrupted, a new version of the Zeus
malware, known as GameOver Zeus, emerged. Instead of relying on traditional, centralized C&C
servers to control bots, GameOver Zeus used a P2P network approach, which initially made the
botnet harder for law enforcement and security vendors to pinpoint and disrupt.

Methbot
An extensive cybercrime operation and ad fraud botnet known as Methbot was revealed in 2016 by
cybersecurity services company White Ops.
According to security researchers, Methbot was generating between $3 million and $5 million in
fraudulent ad revenue daily by producing fraudulent clicks for online ads, as well as fake views of
video advertisements.

Mirai
Several powerful, record-setting DDoS attacks were observed in late 2016 and later traced to a brand
of malware known as Mirai.
The traffic produced by the DDoS attack came from a variety of connected devices, including
wireless routers and closed-circuit television (CCTV) cameras.
Mirai malware was designed to scan the internet for unsecured devices, while also avoiding IP
addresses belonging to major corporations and government agencies. After it identified an unsecured
device, the malware attempted to log in using common default passwords. If necessary, the malware
resorted to brute-force attacks to guess passwords.

Preventing botnets with cybersecurity controls


There is no one-size-fits-all solution to botnet detection and prevention, but manufacturers and
enterprises can start by incorporating the following security controls:

 strong user authentication methods;
 secure remote firmware updates, permitting only firmware from the original manufacturer;
 secure boot to ensure devices only execute code produced by trusted parties;
 advanced behavioral analysis to detect unusual IoT traffic behavior; and
 methods using automation, machine learning and artificial intelligence (AI) to automate protective
measures in IoT networks before botnets can cause serious harm.

These measures occur at the manufacturing and enterprise levels, requiring security to be baked into
IoT devices from conception and businesses to acknowledge the risks. From a user perspective, botnet
attacks are difficult to detect because devices continue to act normally even when infected. It may be
possible for a user to remove the malware itself, but it is unlikely for the user to have any effect on
the botnet as a whole. As botnet and IoT attack vectors increase in sophistication, IoT security will
need to be addressed at an industry level.

Attack Vector

An attack vector is a pathway or method used by a hacker to illegally access a network or computer in
an attempt to exploit system vulnerabilities. Hackers use numerous attack vectors to launch attacks
that take advantage of system weaknesses, cause a data breach, or steal login credentials. Such
methods include sharing malware and viruses, malicious email attachments and web links, pop-up
windows, and instant messages that involve the attacker duping an employee or individual user.

Many attack vector exploits are financially motivated, with attackers stealing money from people
and organizations, or stealing data and personally identifiable information (PII) to then hold the owner to
ransom. The types of hackers that infiltrate a network are wide-ranging. They could be disgruntled
former employees, politically motivated organized groups, hacktivists, professional hacking groups,
or state-sponsored groups.
Common Attack Vector Examples

1. Compromised Credentials

Usernames and passwords are still the most common type of access credential and continue to be
exposed in data leaks, phishing scams, and malware. When lost, stolen, or exposed, credentials give
attackers unfettered access. This is why organizations are now investing in tools to continuously
monitor for data exposures and leaked credentials. Password managers, two-factor
authentication (2FA), multi-factor authentication (MFA), and biometrics can also reduce the risk of leaked
credentials resulting in a security incident.

2. Weak Credentials

Weak passwords and reused passwords mean one data breach can result in many more. Teach your
organization how to create a secure password, invest in a password manager or a single sign-on tool,
and educate staff on their benefits.
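The two credential sections above, together with the Mirai case (default passwords on unsecured devices) and the later advice to create secure IoT credentials, all come down to one audit: are any accounts still on factory defaults, on a common-password list, too short, or sharing one password across devices? The following is an added example (not code from these notes) of such an audit over a constructed device inventory; the credential lists and the device names are placeholders, not a real vendor list.

```python
import re
from collections import Counter

# Constructed sample inventory (not real devices or credentials): name -> (username, password).
DEVICES = {
    "camera-lobby":   ("admin", "admin"),
    "router-branch1": ("admin", "Summer2023!"),
    "router-branch2": ("admin", "Summer2023!"),
    "nvr-main":       ("root", "kT7#vq2LmP9xZc"),
}

# Placeholder lists; a real audit would load the vendor's published defaults
# and a large breached-password corpus instead.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "1234")}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}


def audit_credential(username, password, min_len=12):
    """Return the list of weaknesses found in one username/password pair."""
    problems = []
    if (username.lower(), password) in DEFAULT_CREDS:
        problems.append("factory default credential")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if password.lower() == username.lower():
        problems.append("password equals username")
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # count character classes present: lower, upper, digit, symbol
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


def audit_inventory(devices):
    """Audit every device and additionally flag passwords reused across devices."""
    reuse = Counter(pw for _, pw in devices.values())
    report = {}
    for name, (user, pw) in devices.items():
        problems = audit_credential(user, pw)
        if reuse[pw] > 1:
            problems.append(f"password reused on {reuse[pw]} devices")
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit_inventory(DEVICES).items():
        print(f"{name}: " + "; ".join(problems))
```

The reuse check is the one most audits forget: a strong password shared by two routers is still one breach away from both, which is exactly how "one data breach can result in many more".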

3. Insider Threats

Disgruntled employees or malicious insiders can expose private information or provide information
about company-specific vulnerabilities.

4. Missing or Poor Encryption

Common data encryption methods like SSL certificates and DNSSEC can prevent man-in-the-middle
attacks and protect the confidentiality of data being transmitted. Missing or poor encryption for data
at rest can mean that sensitive data or credentials are exposed in the event of a data breach or data
leak.

5. Misconfiguration

Misconfiguration of cloud services such as Google Cloud Platform, Microsoft Azure or AWS, or the use of
default credentials, can lead to data breaches and data leaks: check your S3 bucket permissions, or someone
else will. Automate configuration management where possible to prevent configuration drift.

6. Ransomware

Ransomware, such as WannaCry, is a form of extortion in which data is deleted or encrypted unless a
ransom is paid. Minimize the impact of ransomware attacks by maintaining a defense plan, including
keeping your systems patched and backing up important data.

7. Phishing

Phishing attacks are social engineering attacks where the target is contacted by email, telephone, or
text message by someone posing as a legitimate colleague or institution in order to trick them into
providing sensitive data, credentials, or personally identifiable information (PII). Fake messages can
send users to malicious websites carrying virus or malware payloads.

8. Vulnerabilities

New security vulnerabilities are added to the CVE list every day, and zero-day vulnerabilities are found
just as often. If the developer has not released a patch for a zero-day vulnerability before an attacker can
exploit it, zero-day attacks are hard to prevent.

9. Brute Force

Brute force attacks are based on trial and error. Attackers may continuously try to gain access to your
organization until one attempt works, for example by attacking weak passwords or encryption, sending
phishing emails, or sending infected email attachments containing malware.

10. Distributed Denial of Service (DDoS)

DDoS attacks are cyber attacks against networked resources like data centers, servers, websites, or
web applications and can limit the availability of a computer system. The attacker floods the network
resource with messages which cause it to slow down or even crash, making it inaccessible to users.
Potential mitigations include CDNs and proxies.

11. SQL Injections

SQL stands for Structured Query Language, the language used to communicate with
databases. Many of the servers that store sensitive data use SQL to manage the data in their database.
An SQL injection uses malicious SQL to get the server to expose information it otherwise wouldn't.
This is a huge cyber risk if the database stores customer information, credit card numbers, credentials,
or other personally identifiable information (PII).
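What "malicious SQL" means in practice is that user input becomes part of the query text instead of being treated as a value. The following is an added example (not code from these notes) that puts the vulnerable pattern beside the fix, using Python's built-in sqlite3 module and a constructed in-memory table so it runs offline; the textbook input `' OR '1'='1` is included only to show that the parameterized version treats it as a harmless string.

```python
import sqlite3

# Textbook injection input: a quote to close the string literal, then an always-true clause.
CRAFTED_INPUT = "' OR '1'='1"


def make_db():
    """Constructed sample table (not real data) in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.net"),
        (2, "bob", "bob@example.net"),
        (3, "carol", "carol@example.net"),
    ])
    return conn


def lookup_vulnerable(conn, username):
    # BAD: the input is spliced into the SQL text, so a quote character in it
    # changes the structure of the statement the database parses.
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # GOOD: the placeholder sends the value separately from the SQL text; the
    # driver binds it as data, so it can never be parsed as part of the query.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("safe, normal input:     ", lookup_safe(conn, "alice"))
    print("vulnerable, crafted:    ", lookup_vulnerable(conn, CRAFTED_INPUT))
    print("safe, crafted:          ", lookup_safe(conn, CRAFTED_INPUT))
```

The placeholder syntax differs by driver (`?` in sqlite3, `%s` in psycopg2, named binds elsewhere) but the rule is the same everywhere: never build SQL from strings the user controls. Running the application's database account with the least privilege it needs (no DROP, no access to other tables) limits what an injection that does slip through can reach.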

12. Trojans

Trojan horses are malware that misleads users by pretending to be a legitimate program and are often
spread via infected email attachments or fake malicious software.

13. Cross-Site Scripting (XSS)

XSS attacks involve injecting malicious code into a website; the website itself is not the target, rather
the attack aims at the website's visitors. A common way to deploy cross-site scripting is to inject
malicious code into user-supplied content, e.g. embedding a link to malicious JavaScript in a blog post's
comment section.
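The comment-section case above is the standard illustration of stored XSS, and the fix is output encoding for the context the value lands in. The following is an added example (not code from these notes): a comment renderer in its vulnerable form beside the escaped form, using Python's standard `html.escape`. The comment, the author name and the script URL are constructed for the example.

```python
from html import escape

# Constructed sample comment (not from the notes). The author breaks out of an
# attribute; the body carries a script tag with a placeholder URL.
SAMPLE_COMMENT = {
    "author": 'mallory"><b>bold</b>',
    "body": '<script src="https://evil.example/x.js"></script>Nice post!',
}


def render_comment_vulnerable(comment):
    # BAD: user-controlled strings are concatenated straight into the HTML, so any
    # markup in the comment becomes part of the page and runs in every visitor's browser.
    return (f'<div class="comment" data-author="{comment["author"]}">'
            f'{comment["body"]}</div>')


def render_comment_safe(comment):
    # GOOD: encode for the destination context. escape(..., quote=True) converts
    # & < > " and ' to entities, which is correct for element text and for
    # double-quoted attribute values (the two contexts used here).
    author = escape(comment["author"], quote=True)
    body = escape(comment["body"], quote=True)
    return f'<div class="comment" data-author="{author}">{body}</div>'


def contains_raw_markup(html_fragment, user_values):
    """Regression check: does any user-supplied value appear in the output unchanged?"""
    return any(value in html_fragment for value in user_values)


if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
```

Escaping is context-specific: a value placed inside a `<script>` block or a URL needs a different encoder than HTML text, and a Content-Security-Policy header that forbids inline and third-party scripts is the usual second layer for when an encoding step is missed.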
14. Session Hijacking

When you log into a service, it generally provides your computer with a session key or cookie so you
don't need to log in again. This cookie can be hijacked by an attacker who uses it to gain access to
sensitive information.

15. Man-in-the-Middle Attacks

Public Wi-Fi networks can be exploited to perform man-in-the-middle attacks and intercept traffic
that was supposed to go elsewhere, such as when you log into a secure system.

16. Third and Fourth-Party Vendors

The rise in outsourcing means that your vendors pose a huge cybersecurity risk to your customer's
data and your proprietary data. Some of the biggest data breaches were caused by third parties.

Why are Attack Vectors Exploited by Attackers?

Cybercriminals can make money from attacking your organization's software systems, such as
stealing credit card numbers or online banking credentials. However, there are other more
sophisticated ways to monetize their actions that aren't as obvious as stealing money.

Attackers may infect your system with malware that grants remote access to a command and control
server. Once they have infected hundreds or even thousands of computers they can establish a botnet,
which can be used to send phishing emails, launch other cyber attacks, steal sensitive data, or mine
cryptocurrency.

Another common motivation is to gain access to personally identifiable information (PII), healthcare
information, and biometrics to commit insurance fraud, credit card fraud or illegally obtain
prescription drugs.

How Do Attackers Exploit Attack Vectors?

Competitors may employ attackers to perform corporate espionage or overload your data centers with
a Distributed Denial of Service (DDoS) attack to cause downtime, harm sales, and cause customers to
leave your business.

Money is not the only motivator. Attackers may want to leak information to the public, embarrass
certain organizations, grow political ideologies, or perform cyber warfare on behalf of their
government like the United States or China.

There are many ways to expose, alter, disable, destroy, steal or gain unauthorized access to computer
systems, infrastructure, networks, operating systems, and IoT devices.

In general, attack vectors can be split into passive or active attacks:


Passive Attack Vector Exploits

Passive attack vector exploits are attempts to gain access or make use of information from the system
without affecting system resources, such as typosquatting, phishing, and other social-engineering-based
attacks.

Active Attack Vector Exploits

Active cyber attack vector exploits are attempts to alter a system or affect its operation such
as malware, exploiting unpatched vulnerabilities, email spoofing, man-in-the-middle attacks, domain
hijacking, and ransomware.

That said, most attack vectors share similarities:

 The attacker identifies a potential target
 The attacker gathers information about the target using social engineering, malware, phishing,
OPSEC, and automated vulnerability scanning
 Attackers use the information to identify possible attack vectors and create or use tools to
exploit them
 Attackers gain unauthorized access to the system and steal sensitive data or install malicious
code
 Attackers monitor the computer or network, steal information, or use computing resources.

One often overlooked attack vector is your third and fourth-party vendors and service providers. It
doesn't matter how sophisticated your internal network security and information security policies are
— if vendors have access to sensitive data, they are a huge risk to your organization.

This is why it is important to measure and mitigate third-party risks and fourth-party risks. This
means it needs to be part of your information security policy and information risk
management program.

Consider investing in threat intelligence tools that help automate vendor risk
management and automatically monitor your vendor's security posture and notify you if it worsens.

Every organization now needs a third-party risk management framework, vendor management policy,
and vendor risk management program.

Before considering a new vendor perform a cybersecurity risk assessment to understand what attack
vectors you could be introducing to your organization by using them and ask about their SOC 2
compliance.

How to Defend Against Common Attack Vectors

To address common attack vectors, security controls must spread across the majority of the attack
surface. The process begins by identifying all possible entry points into your private network - a
delineation that will differ across all businesses.
The following cyber defense strategies will help you block frequently abused entry points and also
highlight possible regions in your ecosystem that might be housing attack vectors.

 Create secure IoT credentials - Most IoT devices still use their predictable factory login
credentials, making them prime targets for DDoS attacks.
 Use a password manager - Password managers ensure login credentials are strong and
resilient to brute force attacks.
 Educate employees - To prevent staff from falling for common social engineering and
phishing tactics, they need to be trained on how to identify and report potential cybercriminal
activity. Humans will always be the weakest points in every security program.
 Identify and shut down data leaks - Most businesses are unknowingly leaking sensitive data
that could facilitate data breaches. A data leak detection solution will solve this critical
security issue.
 Detect and remediate all system vulnerabilities - This should be done for both the internal
and external vendor networks. An attack surface monitoring solution can help you do this.
 Keep antivirus software updated - Updates keep antivirus software informed of the latest
cyber threats roaming the internet.
 Keep third-party software regularly updated - Software updates contain critical patches for
newly discovered attack vectors. Many cyber attackers have achieved success by abusing
known vulnerabilities in out-of-date software.
