and patches.

If you can’t have done this, then weaknesses in your Trojans and Other Attacks
security infrastructure and lead to cyber-attacks.
3. Be Wary of Third-party Traffic: the verified process only processed
with this as the all third-party traffic, no matter where it comes from,
should be treated as untrusted until and unless it has been otherwise
verified.
4. Enable MFA: always imply with the Multi-Factor Authentication
(MFA) to the overall system as it secures the organization’s networks.
With this the you can reduce the impact of watering hole attacks in
case the attackers manage to steal the user credentials of your
employees.
5. Establish a Cyber Resilient Work Environment: always train and
educate your employees after done appointment about watering hole
attacks so they can be more vigilant during the work. Train staff with
proper cyber security awareness training is the best way of creating a
cyber resilient work environment.

6.5 BRUTE FORCE ATTACK

The term “brute force” define the simplistic way in which the attack takes
place. The attack is held with guessing credentials to gain unauthorized
access. Primitive as they are, brute force attacks can be very effective.
The attack in brute force use bots to do their bidding. With this type of
attack, the attackers will have a list of real or commonly used credentials
and assign their bots to attack websites using these credentials.
In manual brute force credential cracking is time-consuming, and this can
be done through using brute force attack software and tools to aid them.
With the tools the attacker will attempt things like inputting numerous
password combinations and accessing web applications by searching for the
correct session ID, among others.
6.5.1 How Brute Force Attacks Work
This attack is held with guessing login passwords. Brute force password
cracking is done here.
For most online systems, a suggestion user to set the password is: the
password should be of 8 character and it should contain at least one capital
letter one small letter and one special character. If the password is not strong
or complex it can be easily guess by the attacker. a guessing of password
will be difficult for attacker if the user makes it very complex and
confidential. Hence the good practice is changing the password frequently.

117
Ethical Hacking • In March 2018, Magento was hit by a brute force attack. Up to 1000
admin panels had been compromised.

• In March 2018, several accounts of members of the Northern Irish

Parliament had been compromised in a brute force attack.

• In 2016, a brute force attack resulted in a massive data leak in the e-

Commerce giant, Alibaba.

• According to Kaspersky, RDP-related brute force attacks rose

dramatically in 2020 due to the COVID-19 pandemic.

6.6 COMMON TYPES OF PHISHING ATTACK

In organization the Phishing is the biggest cyber threats faced during the
work. As per the Phish Report of Proofpoint’s 2021, most of the
organisations fell victim to a phishing attack last year.
The fast growing sophisticated of phishing scams has contributed to the
same objective that is to steal the user personal data or infect our devices
with the new countless ways.
1. Email phishing
In Email phishing the attacks can be done through email. The Email
is sent to the user, the attacker will register a fake domain that mimics
a genuine organisation and sends thousands of generic requests.
The fake domain created by the attacker involves character
substitution, like using ‘r’ and ‘n’ together with no space ‘rn’ which
look exactly like ‘m’.
In many of the cases, the attacker creates a unique domain that
includes the legitimate organisation’s name in the URL. The example
below is sent from ‘[email protected]’.
The user or recipient might see the word ‘Meesho’ in the sender’s
address and assume that it was a genuine email.
User should always identify the user by checking the mail sender’s
address to spot a phishing email, and also check the content of the
mail in which may have a link or download an attachment.
2. Spear phishing
Another type of email phishing is, spear phishing which describes
malicious emails sent to a specific person. Here Criminals have the
following information about the victim:

• Their name;

• Employment place;

120
120 • Title of the Job;
 • Email address; and Trojans and Other Attacks

• Specific information about their job role.

The attacker has the above information so he addresses the individual
by name, knows that their job role involves making bank transfers on
behalf of the company.
3. Whaling
Taking aim at senior executives, who are targeted by Whaling attacks.
Instead of using tricks such as fake links and malicious URLs aren’t
helpful in this instance, as criminals are attempting to imitate senior
staff.
This type of attack on emails also commonly use the pretext of a busy
CEO who wants an employee to do them a favour.
Emails such as the above might not be as sophisticated as spear
phishing emails, but they play on employees’ willingness to follow
instructions from their boss. Recipients might suspect that something
is amiss but are too afraid to confront the sender to suggest that they
are being unprofessional.
4. Smishing and vishing
Smishing and vishing both are the attack done by emails instead of
telephones as the method of communication.
In Smishing attacker sending text messages (the content of which is
much the same as with email phishing), whereas in vishing attacker
give a telephone call for conversation.
Most common technique of smishing is sending pretexts messages
supposedly from your bank alerting you to suspicious activity.

121
Ethical Hacking In the above example, the message contains the information about
new payee added to the account and have a link to prevent the user if
he has not done that transaction it prevents the further damage. But all
the time it is not trustable however, the link directs the recipient to a
website controlled by the fraudster and designed to capture your
banking details.
5. Angler phishing
A new type of attack vector, the growing user of social media
offers several ways for criminals to trap people. Fake URLs; cloned
websites, posts, and tweets; and instant messaging (which is
essentially the same as smishing) can all be used to persuade people
to divulge sensitive information or download malware.
Attackers are always use the data that people post on social media to
create highly targeted attacks.
The following example demonstrates; angler phishing which is often
made possible due to the number of people containing organisations
directly on social media with complaints.

Sometime organisations may use these as an opportunity to mitigate

the damage by giving refund to the individual.
However, scammers are tried to hijacking responses and asking the
customer to provide their personal details. They are seemingly doing
this to facilitate some form of compensation, but it is instead done to
compromise their accounts.

6.7 EAVESFDROPPING

The data transfer between two devices can be altered, delete or intercepts
through an eavesdropping attack by hacker. Eavesdropping, also known as
sniffing or snooping, which relies on untrusted or unsecured network
communications to access data in transit between devices.
The further explanation of the definition of "attacked with eavesdropping",
it typically occurs when a user connects to a network in which traffic is not
secured or encrypted and sends sensitive business data to a colleague. across
an open network, the data is transmitted which gives an attacker the
122
122
opportunity to exploit a vulnerability and intercept it via various methods. Trojans and Other Attacks
It is difficult to spot Eavesdropping attacks.
6.7.1 Eavesdropping Methods
Various methods are used by attacker for eavesdropping, to launch attacks
that typically involve the use of various eavesdropping devices to listen in
on conversations and review network activity.
A traditional example of an electronic listening device is a concealed in a
home or office with the equipment’s. in many cases the device fitted under
a chair or on a table, or by concealing a microphone within an inconspicuous
object like a pen or a bag. This is very easy to installed but very difficult to
detect devices being installed, such as microphones within lamps or ceiling
lights, books on a bookshelf, or in picture frames on the wall.
Now in this day or any age eavesdropping increasingly with the number of
technological advances and also it makes easy to use, however many attacks
still rely on intercepting telephones. As the telephones have its own electric
power, built-in microphones, speakers, hence the space for hiding bugs, and
are easy to quickly install a bug on. Eavesdropping attackers can monitor
conversations in the room the telephone is in and calls to telephones
anywhere else in the world.
Now a day computerized phone system makes it possible to intercept
phones electronically without direct access to the device. Attackers also use
technique of sending signals down the telephone line and transmit any
conversations that take place in the same room, even if the handset is not
active. As well as many of the computers have sophisticated communication
tools in which by default eavesdropping technique is there hence the
attackers to intercept communication activity, like user voice conversations,
their online chats, and even bugs in keyboards to log what the user is
intended to type.
Electromagnetic radiation emits by Computers also sophisticated
eavesdroppers can use to reconstruct a computer screen’s contents. These
radiations can be flow up to a few hundred feet and going further through
cables and telephone lines, which can be used as antennas.
1. Pickup Device
The Attackers get the information of the user by using devices that
pick up sound or images, such as microphones and video cameras,
and convert them into an electrical format to eavesdrop on targets. As
we know it is an electrical device which is run on power consumption
and set in the target room, which eliminates the need for the attacker
to access the room to recharge the device or replace its batteries.
In some of the devices they have the capability of storing digital
information and transmitting it to a listening post. Sometimes
attackers can also make use of mini amplifiers that enable them to
remove background noise.
123