Cyber Unit 3 Notes

The document outlines various tools and methods used in cybercrime, including initial reconnaissance, network probing, and data theft techniques. It discusses phishing attacks, password cracking methods, and the use of proxy servers for anonymity. Additionally, it provides guidelines for creating secure passwords to prevent unauthorized access.


Unit 3- Tools and Methods Used in Cybercrime

Introduction

The different forms of attack through which attackers target computer systems are as
follows:

1. Initial uncovering:

Two steps are involved here.

In the first step, called reconnaissance, the attacker gathers information about the
target from websites on the Internet.

In the second step, the attacker maps the company’s internal network: its Internet
domain, machine names and Internet Protocol (IP) address ranges, in preparation for
stealing the data.

2. Network probe (investigation):

At the network probe stage, the attacker scans the organization’s network through a
“ping sweep” of its IP addresses.

A “port scanning” tool is then used to discover exactly which services are running on the
target system.

At this point, the attacker has still not done anything that would be considered abnormal
activity on the network or anything that can be classified as an intrusion.

3. Crossing the line toward electronic crime (E-crime):

Once the attackers are able to access a user account, they attempt further exploits to
obtain administrator or “root” access.

Root access is a UNIX term associated with the system privileges required to run all
services and access all files on the system (readers are expected to have a basic
familiarity with Unix-based systems).

“Root” is basically administrator or super-user access and grants the privilege to do
anything on the system.

4. Capturing the network:

At this stage, the attacker attempts to “own” the network.

Having compromised the target systems, the attacker gains control of the internal
network quickly and easily.

The next step is to remove any evidence of the attack.

The attacker will usually install a set of tools that replace existing files and services
with Trojan files and services that have a backdoor password.

5. Grab the data:

Now that the attacker has “captured the network,” he/she takes advantage of this
position to steal confidential data.

6. Covering tracks:

This is the last step in any cyberattack, which refers to the activities undertaken by
the attacker to extend misuse of the system without being detected.

The attacker can remain undetected for long periods.

During this entire process, the attacker takes optimum care to hide his/her identity
(ID) from the first step itself.
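The network probe stage above is the first point at which an attacker generates traffic the defender can see, even though, as the notes say, a ping sweep and a port scan are not yet an intrusion. The following detection logic is an added example (not part of the original notes): it reads constructed firewall log lines in an assumed five-field format and flags a source that pings many distinct hosts (ping sweep) or touches many distinct ports on one host (port scan). The thresholds are assumptions.

```python
"""Flag ping-sweep and port-scan behaviour in firewall log lines.

Added example for the "network probe" stage; it is not from the notes.
Assumed log format (one connection attempt per line):
    <timestamp> <src_ip> <dst_ip> <proto> <dst_port>
with dst_port "-" for ICMP echo requests. The thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample log: 10.0.0.5 pings six hosts (a sweep) and then
# touches six ports on one host (a scan); 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 192.168.1.1 ICMP -
2024-01-01T10:00:00 10.0.0.5 192.168.1.2 ICMP -
2024-01-01T10:00:01 10.0.0.5 192.168.1.3 ICMP -
2024-01-01T10:00:01 10.0.0.5 192.168.1.4 ICMP -
2024-01-01T10:00:02 10.0.0.5 192.168.1.5 ICMP -
2024-01-01T10:00:02 10.0.0.5 192.168.1.6 ICMP -
2024-01-01T10:00:05 10.0.0.9 192.168.1.1 ICMP -
2024-01-01T10:01:00 10.0.0.5 192.168.1.3 TCP 21
2024-01-01T10:01:00 10.0.0.5 192.168.1.3 TCP 22
2024-01-01T10:01:01 10.0.0.5 192.168.1.3 TCP 23
2024-01-01T10:01:01 10.0.0.5 192.168.1.3 TCP 25
2024-01-01T10:01:02 10.0.0.5 192.168.1.3 TCP 80
2024-01-01T10:01:02 10.0.0.5 192.168.1.3 TCP 443
2024-01-01T10:02:00 10.0.0.9 192.168.1.3 TCP 443
"""


def parse_line(line):
    """Split one log line into its five fields."""
    ts, src, dst, proto, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "port": port}


def detect_probes(log_text, sweep_hosts=5, scan_ports=5):
    """Return findings for sources that ping >= sweep_hosts distinct hosts
    (ping sweep) or hit >= scan_ports distinct ports on one host (port scan)."""
    icmp_targets = defaultdict(set)   # src -> hosts it pinged
    ports_hit = defaultdict(set)      # (src, dst) -> ports it touched
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] == "ICMP":
            icmp_targets[rec["src"]].add(rec["dst"])
        else:
            ports_hit[(rec["src"], rec["dst"])].add(rec["port"])

    findings = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_hosts:
            findings.append({"type": "ping_sweep", "src": src, "count": len(hosts)})
    for (src, dst), ports in ports_hit.items():
        if len(ports) >= scan_ports:
            findings.append({"type": "port_scan", "src": src, "dst": dst,
                             "count": len(ports)})
    return findings


if __name__ == "__main__":
    for finding in detect_probes(SAMPLE_LOG):
        print(finding)
```

Counting distinct hosts and distinct ports per source, rather than raw packet volume, is what separates a probe from a busy but legitimate client: 10.0.0.9 talks to the same hosts and ports yet is never flagged.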

Proxy Servers and Anonymizers

A proxy server is a computer on a network which acts as an intermediary for connections
with other computers on that network.

The attacker first connects to a proxy server and then establishes a connection with the
target system through the existing connection with the proxy.

This enables an attacker to surf the Web anonymously and/or hide the attack.

A client connects to the proxy server and requests some service (such as a file or
webpage) available from a different server.

The proxy server evaluates the request and provides the resource by establishing the
connection to the respective server and/or requesting the required service on behalf of
the client.

Using a proxy server can allow an attacker to hide his/her ID (i.e., become anonymous on
the network).

A proxy server has the following purposes:

1. Keep the systems behind the curtain (mainly for security reasons).

2. Speed up access to a resource (through “caching”). It is usually used to cache the
webpages served by a web server.

3. Specialized proxy servers are used to filter unwanted content such as advertisements.

4. A proxy server can be used as an IP address multiplexer, enabling a number of computers
to connect to the Internet when only one IP address is available.

One of the advantages of a proxy server is that its cache memory can serve all users.

If one or more websites are requested frequently, possibly by different users, they are
likely to be in the proxy’s cache memory, which improves user response time.

An anonymizer or anonymous proxy is a tool that attempts to make activity on the Internet
untraceable. It accesses the Internet on the user’s behalf, protecting personal
information by hiding the source computer’s identifying information.

Anonymizers are services used to make Web surfing anonymous by utilizing a website that
acts as a proxy server for the web client.
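The following toy model, added here and not part of the original notes, shows the three proxy purposes discussed above in working code: the origin server only ever sees the proxy’s address (anonymity), a second request for the same page is served from the cache, and a request for a blocked host is filtered. The `OriginServer` class is a stand-in for the remote web server; the page contents, IP addresses and the blocked host are constructed for the demo.

```python
"""Toy model of a forward proxy: caching, content filtering and the
anonymity effect described above. Added example, not from the notes.
OriginServer is a stand-in for the remote web server; the page contents,
addresses and the blocked host are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class OriginServer:
    """Remote server; it records the client address it sees on each request."""
    pages: dict
    seen_clients: list = field(default_factory=list)

    def serve(self, url, client_ip):
        self.seen_clients.append(client_ip)
        return self.pages.get(url, "404 Not Found")


@dataclass
class ProxyServer:
    """Intermediary that fetches on behalf of clients, caches and filters."""
    proxy_ip: str
    origin: OriginServer
    blocked_hosts: set
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (client_ip, url, outcome)

    def handle(self, client_ip, url):
        host = (urlparse(url).hostname or "").lower()
        if host in self.blocked_hosts:               # purpose 3: filtering
            self.log.append((client_ip, url, "FILTERED"))
            return "403 Blocked by proxy"
        if url in self.cache:                        # purpose 2: caching
            self.log.append((client_ip, url, "HIT"))
            return self.cache[url]
        # The origin sees the proxy's address, not the client's (purpose 1).
        body = self.origin.serve(url, self.proxy_ip)
        self.cache[url] = body
        self.log.append((client_ip, url, "MISS"))
        return body


def run_demo():
    """Two clients fetch the same page; a third request hits the filter."""
    origin = OriginServer(pages={"http://www.example.com/": "<html>hello</html>"})
    proxy = ProxyServer(proxy_ip="203.0.113.10", origin=origin,
                        blocked_hosts={"ads.example.net"})
    proxy.handle("192.168.1.20", "http://www.example.com/")
    proxy.handle("192.168.1.21", "http://www.example.com/")
    proxy.handle("192.168.1.21", "http://ads.example.net/banner.js")
    return {
        "origin_saw": origin.seen_clients,
        "outcomes": [entry[2] for entry in proxy.log],
        "proxy_log_clients": sorted({entry[0] for entry in proxy.log}),
    }


if __name__ == "__main__":
    print(run_demo())
```

Note where the evidence ends up: the origin’s log holds only the proxy address, but the proxy’s own log still ties every request to the real client. That is why an investigation into traffic that arrived via a proxy or anonymizer depends on the proxy operator’s logs and retention.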

Phishing
“Phishing” refers to an attack that uses mail programs to deceive Internet users into
disclosing confidential information that can then be exploited for illegal purposes.

While checking electronic mail (E-Mail) one day, a user finds a message from the bank
threatening to close the bank account if he/she does not reply immediately.

Although the contents of the message seem suspicious, it is difficult to conclude that it
is a fake/false E-Mail.

This message and other such messages are examples of Phishing. In addition to stealing
personal and financial data, such messages can infect systems with viruses, and in
various cases they are also a method of online ID theft.

These messages look authentic and attempt to get users to reveal their personal
information.

It is believed that “Phishing” is an alternative spelling of “fishing,” as in “to fish
for information.”

The first documented use of the word “Phishing” was in 1996.

How Phishing Works

Phishers work in the following ways:

1. Planning: Criminals, usually called phishers, decide on the target.
2. Setup: Once phishers know which business/business house to spoof and who their
victims are, they prepare the attack.
3. Attack: The phisher sends a phony message that appears to be from a reputable source.
4. Collection: Phishers record the information that victims enter into webpages or
pop-up windows.
5. Identity theft and fraud: Phishers use the information they have gathered to make
illegal purchases or commit fraud.

Nowadays, more and more organizations/institutes provide greater online access for their
customers, and hence criminals are successfully using Phishing techniques to steal
personal information and conduct ID theft at a global level.
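The bank message in the example above has recognisable traits: urgency or a threat, and a link whose visible text does not match its real destination or the sender’s domain. The heuristic scorer below is an added example (not from the notes) that turns those traits into a simple mail-filter check. The two sample messages, the phrase list and the weights are constructed assumptions; a production filter would use a public-suffix list instead of the crude `registrable()` helper.

```python
"""Heuristic scoring of an e-mail for the phishing traits described above:
urgency/threat wording, and a link whose visible text points somewhere other
than its real destination or than the sender's domain. Added example, not
from the notes; the two sample messages, the phrase list and the weights are
constructed assumptions."""
import re

URGENCY_PHRASES = ("close your account", "immediately", "within 24 hours",
                   "account suspended", "verify your account")
LINK_RE = re.compile(r'<a\s+href="(?P<href>[^"]+)"[^>]*>(?P<text>[^<]*)</a>', re.I)


def host_of(url):
    """Hostname of an http(s) URL, or "" if the string is not a URL."""
    m = re.match(r"https?://([^/:\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def registrable(host):
    """Crude 'example.com' from 'www.example.com' (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_message(msg):
    """msg: dict with 'from', 'body' (HTML) and optional 'reply_to'."""
    score, reasons = 0, []
    from_domain = registrable(msg["from"].split("@")[-1].lower())
    body_lower = msg["body"].lower()

    for phrase in URGENCY_PHRASES:
        if phrase in body_lower:
            score += 1
            reasons.append(f"urgency wording: '{phrase}'")

    for m in LINK_RE.finditer(msg["body"]):
        href_host = host_of(m.group("href"))
        text_host = host_of(m.group("text"))
        if text_host and registrable(text_host) != registrable(href_host):
            score += 3
            reasons.append(f"link text {text_host} hides destination {href_host}")
        if href_host and registrable(href_host) != from_domain:
            score += 2
            reasons.append(f"link host {href_host} differs from sender {from_domain}")

    reply_to = msg.get("reply_to")
    if reply_to and registrable(reply_to.split("@")[-1].lower()) != from_domain:
        score += 2
        reasons.append("reply-to domain differs from sender domain")

    return {"score": score, "suspicious": score >= 4, "reasons": reasons}


# Constructed samples: the 'bank' message from the notes, and a benign one.
PHISHING_SAMPLE = {
    "from": "alerts@examplebank.com",
    "body": ('Dear customer, we will close your account unless you verify '
             'immediately: <a href="http://examplebank-secure.example.net/login">'
             'https://www.examplebank.com/login</a>'),
}
BENIGN_SAMPLE = {
    "from": "news@examplebank.com",
    "body": ('Our new savings rates are live: '
             '<a href="https://www.examplebank.com/offers">'
             'https://www.examplebank.com/offers</a>'),
}

if __name__ == "__main__":
    print(score_message(PHISHING_SAMPLE))
    print(score_message(BENIGN_SAMPLE))
```

The link-text mismatch carries the highest weight because it is the one trait the user cannot see without hovering over the link, which is exactly what makes such messages "look authentic".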

Password Cracking
A password is like a key that opens the lock on a computerized system.

Password cracking is the process of recovering passwords from data that have been stored
in or transmitted by a computer system.

Usually, an attacker follows a common approach: repeatedly making guesses for the
password.

The purposes of password cracking are as follows:

1. To recover a forgotten password.
2. As a preventive measure by system administrators, to check for easily crackable
passwords.
3. To gain unauthorized access to a system.

Manual password cracking is attempting to log on with different passwords. The attacker
follows these steps:
1. Find a valid user account such as an Administrator or Guest;
2. create a list of possible passwords;
3. rank the passwords from high to low probability;
4. key-in each password;
5. try again until a successful password is found.
Passwords can sometimes be guessed with knowledge of the user’s personal information.

Examples of guessable passwords include:

1. Blank (none);
2. words like “password,” “passcode” and “admin”;
3. a series of letters from the “QWERTY” keyboard, for example, qwerty, asdf or
qwertyuiop;
4. the user’s name or login name;
5. the name of the user’s friend/relative/pet;
6. the user’s birthplace or date of birth, or a relative’s or a friend’s;
7. the user’s vehicle number, office number, residence number or mobile number;
8. the name of a celebrity considered an idol by the user (e.g., actors, actresses,
spiritual gurus).

An attacker can also create a script file (i.e., an automated program) which is executed
to try each password in a list.

This is still considered manual cracking; it is time-consuming and not usually effective.
Passwords are stored in a database, and a password verification process is built into the
system for when a user attempts to log in or access a restricted resource.

To ensure the confidentiality of passwords, the password verification data is usually not
stored in clear-text format.

For example, a one-way function (which may be either an encryption function or a
cryptographic hash) is applied to the password, possibly in combination with other data,
and the resulting value is stored.

When a user attempts to log in to the system by entering the password, the same function
is applied to the entered value and the result is compared with the stored value. If they
match, the user gains access; this process is called authentication.

The most commonly used hash functions can be computed rapidly, and an attacker can test
these hashes with the help of password cracking tools (see Table 4.3) to recover the
plain-text password.
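The verification process just described, as an added example that is not part of the original notes: the stored record is the output of a one-way function (here PBKDF2 with SHA-256) combined with "other data" (a random salt), and login recomputes it and compares. The iteration count and the sample passwords are constructed assumptions. The `fast_unsalted_record()` function is included only to contrast the rapidly computable, unsalted hash the notes warn about with the slow, salted one.

```python
"""Password verification with a one-way function, as described above:
a salted, deliberately slow hash is stored instead of the password and
recomputed at login. Added example, not from the notes; the iteration count
and the sample password are constructed assumptions. The fast, unsalted
MD5 record is included only to contrast with the slow salted one."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption: tuned so each guess costs real CPU time
ALGO = "pbkdf2_sha256"


def make_record(password, salt=None):
    """Return "<algo>$<iterations>$<salt>$<digest>"; the password is never kept."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify(password, record):
    """Recompute the one-way function on the entered value and compare."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    computed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(computed, expected)


def fast_unsalted_record(password):
    """What the notes warn about: a fast hash with no salt. Two users with the
    same password get the same value, and each guess costs one cheap hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify("correct horse battery staple", rec))   # True
    print(verify("wrong guess", rec))                     # False
```

Two details matter for the cracking discussion that follows: the random salt means two users with the same password get different records, so a precomputed table of hashes is useless, and the high iteration count makes every offline guess expensive, which is the mitigation for "hash functions can be computed rapidly".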
Password cracking attacks can be classified under three categories as follows:
1. Online attacks;
2. offline attacks;
3. non-electronic attacks (e.g., social engineering, shoulder surfing and dumpster
diving).
Online Attacks

An attacker can create a script file that will be executed to try each password in a list,
and when one matches, the attacker can gain access to the system.

The most popular online attack is the man-in-the-middle (MITM) attack, also termed the
“bucket-brigade attack” or sometimes the “Janus attack.”

It is a form of active stealing in which the attacker establishes a connection between a
victim and the server to which the victim is connected.

When a victim client connects to the fraudulent server, the MITM server intercepts the
call, hashes the password and passes the connection to the victim server (e.g., an
attacker within reception range of an unencrypted Wi-Fi wireless access point can insert
himself as a man-in-the-middle).

This type of attack is used to obtain the passwords for E-Mail accounts on public websites
such as Yahoo, Hotmail and Gmail, and can also be used to obtain the passwords for
financial websites, giving access to banking websites.

Offline Attacks
Mostly, offline attacks are performed from a location other than the target (i.e., either
a computer system or while on the network) where these passwords reside or are used.

Offline attacks usually require physical access to the computer and copying the password
file from the system onto removable media.

Password Guidelines

1. Passwords used for business E-Mail accounts, personal E-Mail accounts and
banking/financial user accounts should be kept separate.
2. Passwords should be a minimum of eight alphanumeric characters (common names or
phrases should be avoided).
3. Passwords should be changed every 30/45 days.
4. Passwords should not be shared with relatives and/or friends.
5. A password used previously should not be reused when renewing the password.
6. Passwords of personal E-Mail accounts and banking/financial user accounts should be
changed from a secured system, within a couple of days, if these E-Mail accounts have
been accessed from public Internet facilities such as cybercafes/hotels/libraries.
7. Passwords should not be stored on mobile phones/PDAs, as these devices are also prone
to cyberattacks.
8. In case E-Mail accounts/user accounts have been hacked, the respective
agencies/institutes should be contacted immediately.
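The guessable-password list and the guidelines above can be enforced at the point where a user sets a password. The checker below is an added example (not from the notes): it rejects blank passwords, the common words and keyboard runs named in the list, anything containing the user’s own personal details, passwords shorter than eight characters or without both letters and digits, and reuse of a previous password, and it flags a password older than the policy period. The user profile, the history and the 45-day limit are constructed assumptions (the notes say 30/45 days); previous passwords are kept as plain SHA-256 digests only to keep the example short.

```python
"""Checks a candidate password against the guessable-password examples and
the password guidelines above. Added example, not from the notes; the
profile, the history and the 45-day limit are constructed assumptions, and
previous passwords are kept as plain SHA-256 digests only for brevity."""
import hashlib
import re
from datetime import date

COMMON_WORDS = {"password", "passcode", "admin"}
KEYBOARD_RUNS = ("qwerty", "asdf", "qwertyuiop")


def _digest(pw):
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(candidate, profile, history_digests):
    """Return the list of guideline violations (an empty list means acceptable).
    profile: dict of the user's personal details (name, pet, birth year, phone...)."""
    problems = []
    low = candidate.lower()
    if not candidate:
        problems.append("blank password")
        return problems
    if len(candidate) < 8 or not (re.search(r"[A-Za-z]", candidate)
                                  and re.search(r"[0-9]", candidate)):
        problems.append("shorter than eight characters or not a mix of letters and digits")
    if low in COMMON_WORDS:
        problems.append("common word")
    if any(run in low for run in KEYBOARD_RUNS):
        problems.append("keyboard sequence")
    for label, value in profile.items():          # name, pet, birth year, phone
        if value and str(value).lower() in low:
            problems.append(f"contains personal information ({label})")
    if _digest(candidate) in history_digests:     # guideline 5: no reuse
        problems.append("previously used password")
    return problems


def password_due_for_change(last_changed_iso, today_iso, max_age_days=45):
    """Guideline 3: True when the password is older than the policy period."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > max_age_days


# Constructed user profile and password history for the demo.
PROFILE = {"name": "Asha", "pet": "Bruno", "birth_year": "1999", "mobile": "9876543210"}
HISTORY = {_digest("Tr4vel-Map-2023")}

if __name__ == "__main__":
    for pw in ["", "password", "qwerty123", "Asha1999!", "Tr4vel-Map-2023", "Tr4vel-Map-2024"]:
        print(repr(pw), check_password(pw, PROFILE, HISTORY))
    print(password_due_for_change("2024-01-01", "2024-03-01"))
```

The personal-information check is a substring match against the profile, so "Asha1999!" fails on both the name and the birth year even though it satisfies the length and alphanumeric rules; that is the case the guessable-password list is really about.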
