Module 2: Cyberoffenses: How Criminals Plan Them

Syllabus:
Module 2: Cyber offenses: How Criminals Plan Them: Introduction,
How criminals Plan the attacks, Cyberstalking, Botnets: The fuel for
cybercrime.
SLT: Attack Vector
Introduction:
• In today's world of the Internet and computer networks, criminal activity
can be carried out across national borders under a 'false sense of
anonymity'; without realizing it, we pass on a tremendous amount of
information about ourselves.
• Cybercriminals use the World Wide Web and the Internet to the fullest for
their illegal activities: to store data, contacts, account information,
etc.
• Criminals take advantage of the widespread lack of awareness about
cybercrimes and cyberlaws among people who constantly use IT
infrastructure for official and personal purposes.
• People who commit cybercrimes are known as 'Crackers'.
• Note:
Hacker: A hacker is a person with a strong interest in computers who
enjoys learning and experimenting with them.
Brute Force Hacking: A technique used to recover passwords or
encryption keys by trying every possible combination of letters, numbers,
etc., until the right one is found. Its cost grows with the size of the
alphabet and the length of the secret, which is why long, random
passwords and keys resist it.
Cracker: A cracker is a person who breaks into computers.
Phreaking: The notorious art of breaking into phone or other
communication systems.
War dialer: A program that automatically dials phone numbers looking
for computers on the other end. It catalogs the numbers so that the
hackers can call back and try to break in.
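The brute-force definition above, carried through in code. This is an added example, not part of the original notes: the target password "zulu" and the unsalted SHA-256 digest are a constructed scenario, and the one-billion-guesses-per-second rate used for the time estimate is an assumption.

```python
import hashlib
import itertools
import string

# Constructed scenario (not from the original text): the password is a
# 4-character lowercase word and the attacker holds only its unsalted
# SHA-256 digest, as might be recovered from a leaked database.
TARGET_HASH = hashlib.sha256(b"zulu").hexdigest()


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search of exactly `length` characters must try."""
    return alphabet_size ** length


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every combination of `alphabet` from length 1 up to `max_len`, shortest first.

    Returns (password, attempts) on a match, or (None, attempts) if the
    whole keyspace was exhausted without one.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
                return candidate, attempts
    return None, attempts


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust one length of keyspace at a constant guess rate (assumed)."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    pw, tries = brute_force(TARGET_HASH, string.ascii_lowercase, 4)
    print(f"recovered {pw!r} after {tries:,} guesses")
    # Why length and alphabet matter: 4 lowercase characters versus 12
    # mixed-case alphanumerics, at an assumed 1e9 SHA-256 guesses per second.
    print(f"4 lowercase chars: {seconds_to_exhaust(26, 4, 1e9):.6f} s")
    years = seconds_to_exhaust(62, 12, 1e9) / (365 * 24 * 3600)
    print(f"12 mixed-case alphanumerics: {years:,.0f} years")
```

The search is exhaustive and ordered, so the attempt count is exactly the position of the password in the enumeration; a salted, deliberately slow password hash (bcrypt, scrypt, Argon2) would cut the guess rate by orders of magnitude and is the standard defence.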
• An attacker looks to make use of vulnerabilities in networks, most often
because the networks are not adequately protected.
• The categories of vulnerabilities that hackers typically search for are the
following:
1. Inadequate border protection;
2. Remote access servers (RASs) with weak access control;
3. Application servers with well-known exploits;
4. Misconfigured systems and systems with default configurations.
1. Inadequate Border Protection:
• Description: This refers to weaknesses in the systems and technologies
used to protect the boundary between an internal network and the
external world, usually the internet. Border protection includes firewalls,
intrusion detection systems (IDS), and intrusion prevention systems (IPS).
• How Hackers Exploit: If these security measures are improperly
configured or outdated, hackers can bypass them, gaining unauthorized
access to internal systems. A lack of proper segmentation between
networks can also expose sensitive internal assets to external threats.
2. Remote Access Servers (RASs) with Weak Access Control:
• Description: Remote Access Servers (RAS) allow users to access a
network remotely, typically over the internet. Access control refers to
the mechanisms used to authenticate and authorize users.
• How Hackers Exploit: If these servers have weak access controls (e.g.,
simple passwords, no multi-factor authentication), attackers can
easily break in and gain access to the corporate network. Attackers
often use brute force attacks or exploit known vulnerabilities in the
RAS software to take control.
3. Application Servers with Well-Known Exploits
• Description: Application servers host applications that provide
services to users over a network. Their vulnerabilities (such as SQL
injection, buffer overflows, or cross-site scripting) may be publicly
known, catalogued with CVE (Common Vulnerabilities and Exposures)
identifiers, and have working exploits published in public exploit
databases.
• How Hackers Exploit: Hackers actively scan for application servers
that are running outdated software or versions that have known
vulnerabilities. Once identified, they use publicly available exploits to
compromise the server, often allowing them to steal data, launch
attacks, or gain deeper access to the network.
4. Misconfigured Systems and Systems with Default Configurations
• Description: Many systems, when first installed, come with default settings
that may include weak passwords, open ports, or unneeded services
running. Sometimes systems are misconfigured, leaving them exposed to
attacks (e.g., allowing anonymous access or not encrypting sensitive data).

• How Hackers Exploit: Attackers scan for systems that still use these default
configurations or have easily guessable credentials. Misconfigurations,
such as open ports or directories, give hackers easy entry points to exploit,
allowing them to move laterally within the network or take control of
critical resources.
Categories of Cybercrime:
• Cybercrimes can be categorized based on the following:
1. The target of the crime:
   a) Crimes targeted at individuals
   b) Crimes targeted at property
   c) Crimes targeted at organizations
2. Whether the crime occurs as a single event or as a series of events:
   d) Single event of cybercrime
   e) Series of events
a) Crimes targeted at individuals:
The goal is to exploit human weaknesses such as greed and naivety.
These crimes include financial frauds, sale of non-existent or stolen items,
child pornography, copyright violation, harassment, etc. With the
development of IT and the Internet, criminals have a new tool that allows
them to expand the pool of potential victims.
b) Crimes targeted at property:
This includes stealing mobile devices such as cell phones, laptops, personal
digital assistants (PDAs), and removable media (CDs and pen drives), and
transmitting harmful programs that can disrupt the functions of systems,
wipe out data from the hard disk, or cause attached devices such as the
modem or CD drive to malfunction.
c) Crimes targeted at organizations:
Cyberterrorism is one of the distinct crimes against
organizations/governments.
Attackers use computer tools and the Internet, usually to terrorize the
citizens of a particular country, by stealing private information, damaging
programs and files, or planting programs to take control of the
network and/or system.
d) Single event of cybercrime:
It is a single event from the perspective of the victim.
For example: unknowingly opening an attachment that contains a virus
which infects the system. This is known as hacking or fraud.
e) Series of events:
This involves the attacker interacting with the victim repeatedly.
For example: the attacker interacts with the victim on the phone and/or via
chat rooms to establish a relationship in order to commit sexual assault.
How Criminals Plan the Attacks:
• Criminals use many methods and tools to locate the vulnerabilities of
their target.
• The target can be an individual and/or an organization.
• Criminals plan passive and active attacks.
• Active attacks are usually used to alter the system, whereas passive
attacks attempt to gain information about the target.
• Active attacks may affect the availability, integrity, and authenticity of
data, whereas passive attacks lead to breaches of confidentiality.
• In addition to the active and passive categories, attacks can be
categorized as either inside or outside.
• An attack originating and/or attempted within the security perimeter of
an organization is an inside attack; it is usually attempted by an 'insider'
who gains access to more resources than expected.
• An outside attack is attempted by a source outside the security
perimeter: an outsider, or an insider who is only indirectly associated
with the organization, working through the Internet or a remote access
connection.
• The following phases are involved in planning cybercrime:
1. Reconnaissance (information gathering) is the first phase and is
treated as a passive attack.
2. Scanning and scrutinizing the gathered information, both to check its
validity and to identify the existing vulnerabilities.
3. Launching an attack (gaining and maintaining system access).
1. Reconnaissance:
• The literal meaning of 'Reconnaissance' is the act of reconnoitring:
exploring, often with the goal of finding something or somebody.
• The reconnaissance phase begins with 'footprinting': this is the
preparation for the pre-attack phase and involves accumulating data about
the target's environment and computer architecture to find ways to intrude
into the environment.
• Footprinting gives an overview about system vulnerabilities.
• The objective of this phase is to understand the system, its networking
ports and services, and any other aspects of its security that are needful
for launching the attack.
• Thus, an attacker attempts to gather information in two phases:
passive attacks and active attacks.
a. Passive Attacks:
• This involves gathering of information about a
target without his/her knowledge.
• It can be as simple as watching a building to
identify what time employees enter the building
premises.
• It is usually done using Internet searches or by
Googling an individual or company to gain
information.
• Example:
1. Google or Yahoo search;
2. Surfing online community groups like
Orkut/Facebook;
3. Organization’s website may provide a personnel
directory or information;
4. Blogs, newsgroups, press release etc.
5. Going through the job posting;
• Along with Google search, various other tools are also used for gathering
information about the target victim.
• Tools used during Passive attacks (some of them are):
Google Earth: A virtual globe, map and geographic information program. The
free version has limited functionality.
Internet Archive: An Internet library whose purpose is to offer researchers,
historians, and scholars permanent access to historical collections that
exist in digital format.
Professional Community (LinkedIn): An interconnected network of experienced
professionals from around the world.
People Search: Provides details of personal information: date of birth,
residential address, contact number, etc.
Domain Name confirmation: Performs searches for domain names using multiple
keywords, which helps to find every registered domain name in '.com',
'.net', '.org', '.edu', etc.
HTTrack: Acts like an offline browser; it can mirror an entire website to a
desktop.
Traceroute: A standard tool to find the route to a target system; it
determines the route taken by packets across an IP network.
eMailTrackerPro: Analyzes Email headers and provides the IP address of the
system that sent the mail.
b. Active Attacks:
• This involves probing the network to
discover individual hosts to confirm the
information gathered in the passive
attack phase.
• It involves the risk of detection and is
also called ‘Rattling the doorknobs’ or
‘Active Reconnaissance’.
• Active reconnaissance can provide
confirmation to an attacker about
security measures in place, but the
process can also increase the chance of
being caught or raise a suspicion.
• Tools used for Active attacks (some of them are):
Arphound: Listens to all traffic on an Ethernet network interface. It reports
IP/media access control (MAC) address pairs as well as events such as IP
conflicts, IP changes and IP addresses with no reverse DNS.
Bing (Bandwidth Ping): A point-to-point bandwidth measurement tool based on
ping. It can measure raw throughput between any two network links; it
determines the real throughput on a link by timing Internet Control Message
Protocol (ICMP) packets.
DNStracker: Determines the data source for a given DNS server and follows
the chain of DNS servers back to the authoritative sources.
Filesnarf: A network auditing tool to capture file transfers and file-sharing
traffic on a local subnet.
Msgsnarf: A network auditing tool to capture instant-message traffic on a
local subnet.
Nmap: A port scanner, operating system fingerprinter, service/version
identifier and much more. Nmap is designed to rapidly scan large networks.
Ping: A standard network utility that sends ICMP echo requests to a target
host.
2. Scanning and Scrutinizing gathered Information:
• Scanning is the key step in examining the gathered information
intelligently and confirming it against the live target.
• The objectives of scanning are as follows:
i. Port Scanning: Identify open/closed ports and the services behind them.
ii. Network Scanning: Understand IP addresses and related information
about the computer network systems.
iii. Vulnerability Scanning: Understand the existing weaknesses in the system.
• The scrutinizing phase is usually called 'enumeration' in the hacking world.
• The objective of the scrutinizing step is to identify:
i. The valid user accounts or groups;
ii. Network resources and/or shared resources;
iii. The OS and the different applications that are running on the OS.
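The port-scanning and enumeration steps above (and the Nmap entry in the active-reconnaissance tool list) in working form. This is an added example, not from the original notes or from Nmap: it does a TCP connect scan, grabs the first bytes each open service sends, and fingerprints the service from that banner. The target is a stand-in service started on 127.0.0.1 inside the script, so nothing leaves the local host; the banner text and the fingerprint rules are constructed for the example.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed target (not from the original text): a stand-in service on
# 127.0.0.1 that greets each client with an SSH-style banner. The scanner
# only ever touches this host, so the example runs offline.
BANNER = b"SSH-2.0-DemoServer_1.0\r\n"


def start_fake_service(banner: bytes = BANNER) -> int:
    """Listen on an ephemeral localhost port and send `banner` to every client; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed at interpreter exit
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5):
    """TCP connect scan of one port: full handshake, then read whatever the service says first."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:  # refused (closed) or timed out (filtered)
        s.close()
        return port, "closed", b""
    try:
        banner = s.recv(256)  # SSH, SMTP and FTP servers speak first
    except OSError:
        banner = b""
    finally:
        s.close()
    return port, "open", banner.strip()


def scan(host: str, ports, workers: int = 32) -> dict:
    """Port-scanning step: probe `ports` concurrently and return {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {port: banner for port, state, banner in results if state == "open"}


def identify(banner: bytes) -> str:
    """Scrutinizing/enumeration step: a crude service fingerprint from the banner."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"220"):
        return "smtp-or-ftp"
    if banner.startswith(b"HTTP/"):
        return "http"
    return "unknown"


if __name__ == "__main__":
    target_port = start_fake_service()
    # Scan a small window around the service; closed localhost ports refuse instantly.
    for port, banner in scan("127.0.0.1", range(target_port - 5, target_port + 6)).items():
        print(f"{port}/tcp open  {identify(banner):12s} {banner.decode(errors='replace')}")
```

A full connect scan completes the three-way handshake on every port, which is exactly why the notes call active reconnaissance "rattling the doorknobs": each probe lands in the target's connection logs, and a burst of connections to consecutive ports from one source is the classic signature an IDS alerts on.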
3. Attack (Gaining and Maintaining System Access):
• After scanning and enumeration, the attack is launched using the
following steps:
i. Crack the password;
ii. Exploit the privileges;
iii. Execute the malicious commands/applications;
iv. Hide the files;
v. Cover the tracks: delete the access logs, so that there is no trail of the
illicit activity.
Cyberstalking:
• The dictionary meaning of ‘stalking’ is an ‘act or process of following prey
stealthily-trying to approach somebody or something’.
• Cyberstalking has been defined as the use of information and communications
technology, particularly the Internet, by an individual or group of individuals to
harass another individual, group of individuals, or organization.
• The behavior includes false accusations, monitoring, transmission of threats, ID
theft, damage to data or equipment and gathering information for harassment
purposes.
• Cyberstalking refers to the use of Internet and/or other electronic
communications devices to stalk another person.
• It involves harassing or threatening behavior that an individual will conduct
repeatedly for example, following a person, visiting a person’s home/business
place, making phone calls, leaving written messages etc.
• Types of Stalkers:
• There are primarily two types of stalkers:
1. Online Stalkers
2. Offline Stalkers
1. Online stalkers: They aim to start the interaction with the victim
directly with the help of the Internet.
• Email and chat rooms are the most popular communication
media for getting connected with the victim, rather than
traditional means like telephone/cell phones.
• The stalker makes sure that the victim recognizes the attack
attempted on him/her.
• The stalker can make use of a third party to harass the victim.
2. Offline stalkers: The stalker may begin the attack using traditional
methods such as following the victim, watching the daily routine of
the victim, etc.
• Searching on message boards/newsgroups, personal websites, and
people finding services or websites are most common ways to
gather information about the victim using the Internet.
• The victim is not aware that the Internet has been used to
perpetuate an attack against them.
How Stalking Works:
• Stalking is seen to work in the following ways:
1. Personal information is gathered about the victim.
2. The stalker establishes contact with the victim through telephone/cellphone.
3. Stalkers almost always establish contact with the victim through
Email.
4. Some stalkers keep sending repeated Emails asking for various kinds of
favors or threatening the victim.
5. The stalker may post the victim's personal information on a website
related to illicit services (e.g., dating services).
6. Whoever comes across the information starts calling the victim on the
given contact details.
7. Some stalkers subscribe/register the Email account of the victim to
innumerable pornographic and other sites.
Botnets: The Fuel for Cybercrime:
• The dictionary meaning of Bot is “(computing) an automated
program for doing some particular task, often over a network.”
• Botnet is a term used for collection of software robots, or Bots, that
run autonomously and automatically.
• The term is often associated with malicious software but can also
refer to the network of computers using distributed computing
software.
• In simple terms, a Bot is simply an automated computer program.
• Criminals gain control of computers by infecting them with a virus or
other malicious code that gives them remote access.
• Botnets are often used to conduct a range of activities, from
distributing Spam and viruses to conducting denial-of-service attacks.
• A Botnet (also called a zombie network) is a network of computers
infected with a malicious program that allows cybercriminals to
control the infected machines remotely without the users'
knowledge.
• 'Zombie networks' have become a source of income for entire groups
of cybercriminals.
• If someone wants to start a 'business' and has no programming skills,
there are plenty of 'Bot for sale' offers on forums.
• One can reduce the chances of becoming part of a Botnet by limiting
access to the system. Leaving the Internet connection ON and unprotected
is just like leaving the front door of the house wide open.
• One can ensure following to secure the system:
1. Use antivirus and anti-Spyware software and keep it up-to-date.
2. Set the OS to download and install security patches automatically.
3. Use the firewall to protect the system from hacking attacks while it is
connected on the Internet.
4. Disconnect from the Internet when you are away from your
computer.
5. Downloading the freeware only from websites that are known and
trustworthy.
6. Check regularly the folders in the mailbox-sent items or outgoing- for
those messages you did not send.
7. Take an immediate action if your system is infected.
The diagram illustrates how botnets are used for illegal and gainful purposes. The flow is as follows:
1. Botnet Creation
•This is the initial step where a botnet is created. A botnet is a network of infected computers controlled by a central
entity (the botmaster).
2. Botnet Renting and Botnet Selling
Once a botnet is established, it can be:
•Botnet Renting: The botnet is rented out to others for various malicious purposes.
• DDoS Attacks: Distributed Denial of Service (DDoS) attacks, where the botnet is used to flood a target with
traffic, making it inaccessible.
• Spam Attacks: The botnet sends mass spam emails or messages.
• Malware and Adware Installation: The botnet is used to install malicious software (malware) or unwanted
advertising software (adware) on infected computers.
•Botnet Selling: The entire botnet is sold to someone else for their use.
• Stealing Confidential Information: This includes collecting sensitive information like personal data and login
credentials from infected devices.
• Selling Credit Card and Bank Account Details: The stolen financial information is sold on black markets.
• Selling Personal Identity Information: The botnet is used to steal and sell personal identity details such as
social security numbers, addresses, etc.
• Spamdexing: The botnet is used to manipulate search engine rankings by generating false or repetitive
content.
• Phishing Attacks: The botnet carries out phishing campaigns to trick users into providing sensitive information
like passwords or credit card numbers.
• Selling Internet Services and Shops Account: Stolen accounts from online services and e-commerce platforms
are sold for illegal profits.
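An infected machine in a botnet has to contact its controller to receive orders, and that check-in runs on a timer, which is the most reliable thing a defender can look for in network logs. The following detection script is an added example, not part of the original notes: it groups outbound connections by source and destination and flags pairs whose inter-connection gaps are machine-regular. The log lines are constructed for the example, and the addresses are from the documentation ranges (203.0.113.0/24, 198.51.100.0/24); the thresholds (at least 6 contacts, coefficient of variation at most 0.1) are assumptions to be tuned per network.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy/firewall log (not from the original text), one line per
# outbound connection: "<ISO timestamp> <src> <dst:port> <bytes>".
# 10.0.0.5 contacts 203.0.113.7:443 about once a minute, the way an infected
# host polls its command-and-control server; 10.0.0.9 browses irregularly.
LOG_LINES = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.7:443 512
2024-03-01T09:00:10 10.0.0.9 198.51.100.20:443 8120
2024-03-01T09:00:15 10.0.0.9 198.51.100.20:443 1204
2024-03-01T09:01:00 10.0.0.5 203.0.113.7:443 498
2024-03-01T09:02:01 10.0.0.5 203.0.113.7:443 515
2024-03-01T09:03:00 10.0.0.5 203.0.113.7:443 511
2024-03-01T09:04:00 10.0.0.5 203.0.113.7:443 503
2024-03-01T09:05:00 10.0.0.5 203.0.113.7:443 509
2024-03-01T09:05:15 10.0.0.9 198.51.100.20:443 44021
2024-03-01T09:05:32 10.0.0.9 198.51.100.20:443 930
2024-03-01T09:06:02 10.0.0.5 203.0.113.7:443 517
2024-03-01T09:07:01 10.0.0.5 203.0.113.7:443 501
2024-03-01T09:20:32 10.0.0.9 198.51.100.20:443 15200
2024-03-01T09:21:14 10.0.0.9 198.51.100.20:443 2300
"""


def parse(lines: str) -> dict:
    """Group connection timestamps by (source, destination)."""
    events = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(times):
    """Mean gap and coefficient of variation (stdev/mean) of the gaps between contacts.

    A bot's timer produces near-identical gaps (CV close to 0); a person's
    clicks do not. Needs at least three contacts to say anything.
    """
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(lines: str, min_events: int = 6, max_cv: float = 0.1) -> dict:
    """Return {(src, dst): (mean_gap_seconds, cv)} for pairs that look like C2 polling."""
    hits = {}
    for pair, times in parse(lines).items():
        if len(times) < min_events:
            continue
        score = beacon_score(times)
        if score is not None and score[1] <= max_cv:
            hits[pair] = score
    return hits


if __name__ == "__main__":
    for (src, dst), (mean_gap, cv) in find_beacons(LOG_LINES).items():
        print(f"{src} -> {dst}: every {mean_gap:.1f}s (cv={cv:.3f}), possible bot check-in")
```

Real bots add random jitter to their sleep interval to blunt exactly this test, so in practice the CV threshold is loosened, the window is lengthened to hours or days, and the result is combined with other signals (rare destination, constant payload size, unusual port); the script is the starting point, not the whole detection.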
Attack Vector:
• An ‘attack vector’ is a path or means by which an attacker can gain
access to a computer or to a network server to deliver a payload or
malicious outcome.
• Attack vectors enable attackers to make use of system vulnerabilities,
including the human element.
• Attack vectors include viruses, Email attachments, webpages, pop-up
windows, instant messages, chat rooms, and deception.
• All of these methods involve programming, except deception, in which a
human operator is fooled into removing or weakening system defenses.
• To some extent, firewalls and antivirus software can block attack
vectors.
• The most common malicious payloads are viruses, Trojan Horses,
worms and spyware.
Attack vectors are launched in the following ways:
1. Attack by Email
2. Attachment(and other files)
3. Attack by deception
4. Hackers
5. Viruses
6. Attack of the worms
7. Heedless guests (Attack by Webpage)
8. Malicious Macros
9. Foistware (Sneakware)
1. Attack by Email:
The hostile content is either embedded in the message or linked to by the
message.
Sometimes attacks combine the two vectors, so that if the message does
not get you, the attachment will.
Spam is almost always a carrier for scams, frauds, dirty tricks, or malicious
action of some kind.
Any link that offers something 'free' or tempting is suspect.
2. Attachment (and other files):
Malicious attachments install malicious computer code.
The code could be a virus, Trojan Horse, Spyware, or any other kind of
malware.
Attachments attempt to install their payload as soon as we open them.
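A mail gateway check for the attachment vector just described. This is an added example, not part of the original notes: it parses a raw message with Python's standard `email` library and flags attachments by executable extension, by a decoy double extension ("invoice.pdf.exe"), by macro-enabled Office type, and by a content signature that contradicts the declared MIME type. The sample message, its sender and recipient addresses, and the extension and signature lists are constructed for the example.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute directly, and Office formats that carry macros.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "ps1", "hta", "jar"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xlam"}
# Extensions an attacker hides an executable behind ("invoice.pdf.exe").
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# File signatures ("magic bytes"): what the content really is, regardless of name or MIME type.
MAGIC = [(b"MZ", "pe-executable"), (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip-or-office-xml")]


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring the filename and the declared type."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def inspect_attachment(filename: str, declared_type: str, data: bytes) -> list:
    """Return the reasons this attachment is suspicious (an empty list means nothing found)."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
    if ext in MACRO_EXTS:
        findings.append(f"macro-enabled Office document .{ext}")
    if len(parts) > 2 and parts[-2] in DECOY_EXTS:
        findings.append(f"double extension: looks like .{parts[-2]} but is .{ext}")
    if sniff(data) == "pe-executable":
        findings.append(f"content starts with MZ (Windows executable) but is declared {declared_type}")
    return findings


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message; return {attachment name: [findings]} for suspicious parts only."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings = inspect_attachment(name, part.get_content_type(), data)
        if findings:
            report[name] = findings
    return report


def build_sample() -> bytes:
    """Constructed message with one benign and two hostile attachments (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please find your invoice attached.")
    # A genuine PDF header: benign.
    msg.add_attachment(b"%PDF-1.4\n%fake\n", maintype="application", subtype="pdf",
                       filename="report.pdf")
    # A PE executable disguised by a double extension and a lying MIME type.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application", subtype="pdf",
                       filename="invoice.pdf.exe")
    # A macro-enabled workbook (Office XML files are zip containers).
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="budget.xlsm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The signature check is the one that matters most: the filename and the Content-Type header are both chosen by the sender, while the first bytes of the payload are what the victim's operating system will actually act on.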
3. Attack by deception:
Deception is aimed at the user/operator as a vulnerable entry point.
It is not just malicious computer code that one needs to monitor.
Frauds, scams, hoaxes, spam, viruses, worms, and such require the unwitting
cooperation of the computer’s operator to succeed.

4. Hackers:
Hackers/crackers are a formidable attack vector.
Hackers/crackers use a variety of hacking tools and heuristics to gain access
to computers and online accounts.
They often install a Trojan Horse to commandeer the computer for their own
use.
5. Viruses:
These are malicious computer codes that hitch a ride on another carrier and
deliver the payload.
Nowadays, virus vectors include Email attachments, downloaded files,
worms, etc.

6. Attack of the worms:


Many worms are delivered as Email attachments, but network worms use
holes in network protocols directly.
Any remote access service, like file sharing, is likely to be vulnerable to this
sort of worm.
In most cases, a firewall will block system worms.
Many of these system worms install Trojan Horses.
Next, they begin scanning the Internet from the computer they have just
infected and start looking for other computers to infect.
If the worm is successful, it propagates rapidly.
7. Heedless guests (Attack by Webpage):
Counterfeit websites are used to extract personal information. Such websites
look very much like the genuine websites they imitate.
One may think one is doing business with someone one trusts; in reality
one is handing over personal information, like address, credit card
number, and expiration date.
They are often used in conjunction with Spam, which gets us there in the first
place. Pop-up webpages may install Spyware, Adware or Trojans.
8. Malicious Macros:
Microsoft Word and Microsoft Excel are examples of applications that allow
macros.
For example, a macro does something like automating a spreadsheet. Macros
can also be used for malicious purposes.
Internet services like instant messaging, Internet Relay Chat (IRC), and P2P
file-sharing networks all rely on cozy connections between the computer and
other computers on the Internet.
9. Foistware (Sneakware):
Foistware is the software that adds hidden components to the
system on the sly.
Spyware is the most common form of foistware.
Foistware is quasi-legal software bundled with some attractive
software.
Sneak software often hijacks the browser and diverts users to
some ‘revenue opportunity’ that the foistware has set up.
