Unit 3 Cyber Security - 20240731 - 212449 - 0000

Cyber security notes

Uploaded by

tohamek272

Cyber Security

BCC301 / BCC401/ BCC301H / BCC401H

UNIT 3

TOOLS AND METHODS USED IN CYBERCRIME


Syllabus

Introduction, Proxy Servers and Anonymizers, Phishing, Password Cracking, Keyloggers and Spywares, Virus and Worms,
Trojan-horses and Backdoors, Steganography, DoS and DDoS Attacks, SQL Injection, Buffer Overflow, Attacks on
Wireless Networks. Phishing and Identity Theft: Introduction to Phishing, Identity Theft (ID Theft).
Let's Get Started!
Introduction

Proxy Servers and Anonymizers: Methods used to mask identity and location.
Phishing: Techniques to deceive users into divulging sensitive information.
Password Cracking: Strategies for breaking passwords to gain unauthorized access.
Keyloggers and Spywares: Software used to monitor and record user activity.
Virus and Worms: Malicious software designed to spread and disrupt systems.
Trojan Horses and Backdoors: Programs that create unauthorized access points.
Steganography: Hiding information within other non-suspicious data.
DoS and DDoS Attacks: Disrupting services by overwhelming resources.
SQL Injection: Exploiting vulnerabilities in web applications to execute arbitrary SQL code.
Buffer Overflow: Techniques to exploit memory management vulnerabilities.
Attacks on Wireless Networks: Methods to compromise wireless network security.
Proxy Servers
Proxy Servers:

A proxy server acts as an intermediary between a user's computer and the internet.
It receives requests from the user, forwards them to the appropriate server, and then returns the server's response to
the user.

Uses in Cybercrime:

Hiding IP Address: Cybercriminals use proxy servers to hide their real IP address, making it difficult to trace their
online activities.
Accessing Restricted Content: Proxies can bypass geographical restrictions and access blocked websites.
Anonymous Browsing: They enable anonymous web browsing, which is essential for illicit activities.

Tools Used for Proxy Servers:

HTTP Proxy: Routes HTTP requests through a proxy server to anonymize the user's browsing.
SOCKS Proxy: Supports various types of internet traffic, including HTTP, FTP, and SMTP, by routing them through a
proxy server.
Transparent Proxy: Redirects users without their knowledge, often used in cyber cafes and public Wi-Fi.
Advantages and Challenges of Proxy Server
Advantages:

1. Enhanced Privacy: Masks the user's IP address, making it difficult to trace their online activities.
2. Access to Restricted Content: Allows users to access websites and services that are blocked in their region.
3. Improved Security: Can filter out malicious content and block harmful websites.
4. Load Balancing: Distributes network traffic across multiple servers, hence enhancing performance and reliability of
websites and services.
5. Bandwidth Savings: Reduces bandwidth usage and speeds up access to popular resources.
6. Anonymity for Businesses: Allows companies to conduct market research and competitor analysis anonymously.

Challenges:

1. Performance and Latency: Proxies can introduce delays as traffic is routed through additional servers.
2. Reliability and Availability: Proxies can be unreliable, with potential downtime affecting connectivity.
3. Security Risks: Proxies can be compromised, leading to data interception and misuse.
4. IP Address Blocking: Websites and services may block known proxy IP addresses.
5. Limited Encryption: Not all proxies provide encryption, leaving data vulnerable.
Anonymizers
Anonymizers:
Anonymizers are tools designed to make online activity untraceable by hiding the user's IP address and encrypting
their internet traffic.

Uses in Cybercrime:

Enhanced Privacy: Anonymizers provide an additional layer of privacy, making it harder for law enforcement to track
cybercriminals.
Avoiding Surveillance: They help in avoiding government and ISP surveillance.
Maintaining Anonymity: Essential for illegal activities such as hacking, data theft, and cyber espionage.

Tools Used for Anonymizers:

VPNs (Virtual Private Networks): Create encrypted connections over the internet, masking the user's IP address and
location.
TOR (The Onion Router): Routes traffic through multiple servers and encrypts it at each stage, providing strong
anonymity.
SOCKS Proxies: Proxy servers that relay network packets between a client and server through a proxy server.
Advantages and Challenges of Anonymizers
Advantages:

1. Strong Anonymity: Conceals the user's IP address and encrypts their internet traffic.
2. Bypassing Censorship: Enables access to websites and services blocked by governments or ISPs.
3. Enhanced Security: Secures sensitive communications and personal data from eavesdropping.
4. Protection from Online Threats: Shields users from targeted cyber-attacks.
5. Safe Public Wi-Fi Usage: Encrypts traffic on unsecured networks, providing a secure browsing experience on public
Wi-Fi hotspots.
6. Preventing Behavioral Profiling: Stops advertisers and companies from building profiles based on browsing habits.

Challenges:

1. Performance and Speed: Anonymizers, especially those like TOR, can significantly slow down internet speeds.
2. Detection and Blocking: Some services detect and block anonymizer traffic, reducing effectiveness.
3. Complexity of Use: Setting up and correctly using anonymizers can be complex for average users.
4. Trust and Reliability: Users must trust that anonymizers are not logging or misusing their data.
5. Legal Implications: Use of anonymizers for illegal activities can lead to legal repercussions.
6. Resource Intensive: Anonymizers like TOR rely on volunteer nodes, which can be resource-intensive.
Phishing
Phishing is a fraudulent technique used to deceive individuals into divulging sensitive information such as usernames,
passwords, credit card numbers, or other personal data.
It typically involves impersonating a legitimate entity through various communication channels to trick victims into
revealing their private information.

Common Types of Phishing

1. Email Phishing: The most common form, where attackers send fraudulent emails that appear to come from reputable
organizations or contacts.
Example: An email that looks like it’s from a bank requesting account verification.
2. Spear Phishing: A more targeted form of phishing aimed at specific individuals or organizations. It uses personal
information to craft convincing and personalized messages.
Example: An email tailored to a company's executive with details about recent transactions.
3. Whaling: A type of spear phishing that targets high-profile individuals, such as executives or leaders within an
organization.
Example: An email that mimics a CEO's request for sensitive company information.
4. Smishing (SMS Phishing): Phishing conducted via SMS text messages. It often contains links to fraudulent websites or
prompts the user to call a scammer.
Example: A text message claiming to be from a delivery service asking for verification details.
5. Vishing (Voice Phishing): Phishing carried out over the phone. Attackers impersonate legitimate entities and request
sensitive information during a phone call.
Example: A call from someone claiming to be from a financial institution asking for account verification.
6. Clone Phishing: A technique where attackers replicate a legitimate email but replace links or attachments with
malicious ones. It exploits previously sent legitimate emails for increased trust.
Example: A follow-up email with a modified link that leads to a fake login page.

Techniques Used in Phishing

1. Social Engineering: Manipulating individuals into providing confidential information.
2. Fake Websites: Creating counterfeit websites that mimic legitimate ones used to capture login credentials and
personal information.
3. Malware: Embedding malicious software in phishing emails or websites. Infects the victim's device to steal information
or cause damage.
4. Spoofing: Forging sender information to make it appear as if the message comes from a trusted source.
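The techniques above (spoofing, clone phishing with swapped links, urgency-driven social engineering) can each be turned into a detection rule. The following Python script is an added example written for these notes, not code from the original slides or from any mail-security product. Both messages, the trusted-domain allowlist and the 198.51.100.23 address are constructed for the example (documentation addresses, not real hosts); the indicator names and thresholds are assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real phishing mail). The first one combines a
# look-alike sender domain, pressure language, and a "clone" style link whose
# visible text disagrees with its real target.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank-alerts.com>
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you verify it now:</p>
<a href="http://198.51.100.23/login">https://www.example-bank.com/secure</a>
</body></html>
"""

CLEAN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready.</p>
<a href="https://www.example-bank.com/statements">View your statement</a>
</body></html>
"""

TRUSTED_DOMAINS = {"example-bank.com"}  # assumed allowlist for this example
URGENCY = re.compile(r"\b(urgent|suspend(ed)?|verify|immediately|24 hours)\b", re.I)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; scheme-less text such as www.x.com is accepted."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else None


def phishing_indicators(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return the list of indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    found = []

    # Spoofing check: the sender's actual domain versus the allowlist.
    _display_name, address = parseaddr(str(msg["From"] or ""))
    sender_domain = address.rpartition("@")[2].lower()
    if sender_domain not in trusted_domains:
        found.append(f"sender domain '{sender_domain}' is not trusted")

    # Social-engineering check: pressure language in the subject line.
    if URGENCY.search(str(msg["Subject"] or "")):
        found.append("urgency language in subject")

    # Clone-phishing check: visible link text versus the real link target.
    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")
    for href, text in extractor.links:
        href_host = host_of(href)
        if href_host is None:
            continue
        if URL_LIKE.fullmatch(text) and host_of(text) != href_host:
            found.append(f"link text shows '{host_of(text)}' but points to '{href_host}'")
        if BARE_IP.fullmatch(href_host):
            found.append(f"link target is a bare IP address ({href_host})")
    return found
```

Running phishing_indicators(SUSPICIOUS_EMAIL) reports four indicators (untrusted sender domain, urgency in the subject, link text/target mismatch, bare-IP link target); the clean message reports none. A real mail filter would add header-authentication results (SPF, DKIM, DMARC) on top of these content heuristics.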
Password Cracking
Password Cracking is a method used by cybercriminals to gain unauthorized access to systems by deciphering or
bypassing passwords.
It involves various techniques and tools to determine or guess a password.
The goal is to find a password that can be used to access protected systems, networks, or accounts.

Common Techniques

1. Brute Force Attack: Attempts every possible combination of characters until the correct password is found.
Example: Trying all possible 8-character combinations until the correct one is identified.
2. Dictionary Attack: Uses a list of common passwords and phrases (a dictionary) to guess the password.
Example: Trying commonly used passwords like "password123" or "qwerty".
3. Rainbow Table Attack: Utilizes precomputed tables of hash values for different password combinations to reverse
cryptographic hash functions. Speeds up the cracking process by using precompiled data.
Example: Matching the hash of the target password against a rainbow table to find the plain text password.
4. Phishing: Trick users into revealing their passwords through deceptive means.
Example: An email pretending to be from a bank asking the user to confirm their password.
5. Keylogging: Records the keystrokes made by a user to capture passwords.
Example: A keylogger records everything typed by the user, including passwords.
Tools Used:

John the Ripper: An open-source password cracking tool that supports a variety of hash types. It includes brute force,
dictionary, and other cracking modes.
Hashcat: Advanced password recovery tool supporting GPU acceleration. Highly efficient for large-scale password
cracking using various attack methods.
Cain and Abel: Windows-based tool for password recovery. It includes functionalities like brute force, dictionary
attacks, and network sniffing.
Hydra: Parallelized network login cracker. It supports numerous protocols, making it versatile for network password
cracking.
Aircrack-ng: Includes password cracking capabilities for WPA and WEP encrypted networks.

Prevention and Protection:

1. Strong Password Policies
2. Multi-Factor Authentication (MFA)
3. Regular Password Changes
4. Monitoring and Alerts
5. Education and Awareness
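Why the rainbow table technique from the previous slide works against one password store and fails against another is easiest to see on the defender's side. The Python below is an added example for these notes, not code from the original slides: it precomputes a hash-to-password table over a tiny constructed wordlist (the same idea as a rainbow table, without the chain compression), shows that an unsalted fast hash is reversed by a single lookup, and then shows the standard countermeasure, a per-user random salt with a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library). The wordlist, the iteration count and the stored-hash format are assumptions.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for a cracking dictionary.
WORDLIST = ["password123", "qwerty", "letmein", "summer2024", "admin"]
# Work factor for PBKDF2-HMAC-SHA256; a production value should be tuned to the hardware.
PBKDF2_ITERATIONS = 600_000


def unsalted_hash(password):
    """The weak scheme: one fast, unsalted hash. Identical passwords hash identically."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; every leaked unsalted hash is then a dictionary lookup."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    """Reverse a digest through the precomputed table, or None if it is not covered."""
    return table.get(digest)


def hash_password(password, salt=None):
    """The stronger scheme: 16 random salt bytes plus a slow KDF, stored as 'salt$derived_key'."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + derived.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, derived_hex = stored.split("$")
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(derived.hex(), derived_hex)
```

The salt defeats precomputation because a table would have to be built per salt value, and the iteration count makes each guess roughly a hundred thousand times more expensive than a single SHA-256; together they turn "one lookup per leaked hash" into "one slow guess per candidate per user". Regular password changes (item 3 above) do not change this arithmetic; MFA (item 2) limits the damage when a password is recovered anyway.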
Keyloggers
Keyloggers are malicious programs or devices designed to record keystrokes on a user's keyboard.
They capture everything typed, including usernames, passwords, and other sensitive information.

Types of Keyloggers:

1. Software Keyloggers: Malicious software installed on a victim's computer to log keystrokes.
Installation: Often installed through phishing emails, malicious websites, or bundled with other software.
Capabilities: Can capture keystrokes, take screenshots, log clipboard activity, and send the collected data to the
attacker.
2. Hardware Keyloggers: Physical devices attached to a computer's keyboard or placed within the keyboard itself.
Installation: Requires physical access to the victim's device.
Capabilities: Records keystrokes directly from the keyboard and may have built-in storage or wireless
transmission capabilities.

Uses in Cybercrime:

Credential Theft: Capturing usernames, passwords, and other information to gain unauthorized access to accounts.
Surveillance: Monitoring the activities of individuals or employees without their knowledge.
Financial Fraud: Stealing sensitive information like credit card numbers and banking details.
Tools Used in Keylogging
Hardware Keyloggers:

KeyGrabber USB Keylogger: plugs into a USB port between the keyboard and the computer, capturing all keystrokes
typed. It stores the data locally and can be retrieved later by the user.
KeeLog PS/2 Keylogger: designed for older PS/2 keyboards, intercepting keystrokes between the keyboard and the
computer. It's used to monitor and log all typed data, stored internally for later access.

Software Keyloggers:

Logkeys (Linux): An open-source software keylogger for Linux systems, capable of recording keystrokes in real time;
often used for legitimate purposes like debugging or parental monitoring; highly customizable.
PyKeylogger: An open-source keylogging software designed for simplicity and ease of use. It captures all keystrokes
on a system and saves them to a log file. PyKeylogger can be used for various purposes, including monitoring user
activity.
Refog Keylogger: It captures keystrokes, screenshots, and application usage, often marketed for parental control or
employee monitoring. It operates stealthily in the background, providing detailed logs of user actions.
Emotet: A sophisticated and modular banking Trojan that initially started as a keylogger but evolved into a major
malware distributor. It spreads via phishing emails and malicious attachments, enabling attackers to steal sensitive
information and deploy additional payloads like ransomware. Emotet is known for its persistence and ability to evade
detection.
Virus
A virus is a type of malware that attaches itself to a legitimate program or file and requires human action to spread (such
as running an infected file). Once activated, it can replicate and spread to other programs and files.

Characteristics:

1. Replication: Attaches to executable files or documents and spreads when the host is executed.
2. Activation: Requires user interaction to execute the infected host file.
3. Payload: Can corrupt or delete data, disrupt system operations, or cause other types of damage.

Example:

Melissa Virus: It is a mass-mailing macro virus that spread rapidly via email in 1999, causing infected computers to
automatically send infected documents to contacts in the user's address book. It caused widespread email system
disruptions and significant financial damage.
ILOVEYOU Virus: also known as the Love Bug, is a computer worm that spread through email in 2000 with the
subject "ILOVEYOU" and an attached script file. When opened, it overwrote files, stole passwords, and spread itself
to contacts in the victim's address book.
Worms
A worm is a type of malware that can self-replicate and spread independently across networks without needing to attach
itself to a host program. Worms exploit vulnerabilities in operating systems or applications to spread.

Characteristics:

1. Self-Replication: Spreads autonomously through networks by exploiting security vulnerabilities.
2. Network Spread: Primarily targets network resources to propagate itself.
3. Payload: Can consume bandwidth, cause system slowdowns, or deliver additional malware.

Example:

Code Red Worm: The Code Red Worm is a network worm that exploited a vulnerability in Microsoft’s IIS web server
software in 2001, allowing it to deface websites and launch denial-of-service attacks. It spread rapidly across the
internet, causing significant disruptions and damage.
Mydoom Worm: The Mydoom Worm is a fast-spreading email worm that emerged in 2004, generating massive
amounts of spam and launching distributed denial-of-service (DDoS) attacks against various websites. It became one
of the most damaging email worms in history due to its rapid propagation and destructive payload.
Difference Between Virus and Worm
Trojan-Horses

A Trojan Horse, or simply Trojan, is a type of malware that disguises itself as legitimate software to deceive users into
installing it. Once installed, it can perform malicious activities, such as stealing data, installing other malware, or creating
backdoors.

Characteristics:

1. Deceptive Appearance: Appears as legitimate software or files to trick users into downloading and executing it.
2. Payload Delivery: Can deliver various types of payloads, such as spyware, ransomware, or additional malware.
3. User Interaction: Requires the user to execute the Trojan for it to activate.

Example:

Zeus Trojan: A highly sophisticated Trojan primarily used for banking fraud, stealing financial information by logging
keystrokes and capturing screenshots. It often spreads through phishing emails and drive-by downloads.
Emotet: Initially a banking Trojan, Emotet evolved into a malware distributor, delivering other malware such as
ransomware. It spreads through phishing emails containing malicious attachments or links.
Trojan-Horses - An Interesting History

The term "Trojan Horse" originates from an ancient Greek story in which Greek soldiers hid inside a giant wooden horse
to gain entry into the city of Troy.
The Trojans brought the horse inside their city walls as a victory trophy, not realizing it concealed enemy soldiers who
then opened the gates from within.
Similarly, in cybersecurity, a Trojan Horse refers to malicious software that deceives users by masquerading as a
legitimate or harmless program, allowing attackers to gain access to the user's system.
Backdoors

A backdoor is a method by which an attacker gains unauthorized remote access to a computer system, bypassing normal
authentication mechanisms. Backdoors can be installed through Trojans, worms, or other malware, or they can be
deliberately placed by software developers for maintenance purposes.

Characteristics:

1. Unauthorized Access: Provides attackers with remote access to the infected system.
2. Persistence: Often designed to remain undetected and maintain access over time.
3. Exploitation: Can be used to steal data, install additional malware, or control the system.

Examples:

Back Orifice: A backdoor tool that allows remote control of a Windows-based system, often used for unauthorized access
and control. It was originally released by a hacking group to demonstrate security weaknesses in Windows.
NetBus: A backdoor application that allows remote control of a Windows computer, often used maliciously to spy on users,
steal data, or control the system. It is similar to Back Orifice but with a more user-friendly interface.
Steganography
Steganography is a technique used to hide secret data within non-suspicious, ordinary files or messages to avoid
detection. Unlike encryption, which makes data unreadable without a decryption key, steganography conceals the
existence of the hidden data.

Common Methods of Steganography:

Image Steganography:
Description: Hiding data within digital images by manipulating pixel values.
Example: Least Significant Bit (LSB) modification, where the least significant bit of each pixel is altered to embed
the hidden message.
Steghide: An open-source steganography tool that hides data within various image and audio file formats. It uses
advanced encryption to protect the hidden data. Supports JPEG, BMP, WAV, and AU files; provides options for
embedding encrypted data.

Audio Steganography:
Description: Embedding secret messages within audio files by modifying audio samples.
Example: LSB coding, phase coding, and echo hiding techniques to embed data within the sound file.
StegoAudio: A specialized tool for embedding secret messages into audio files without noticeable degradation of
audio quality. Uses LSB coding to hide data; supports multiple audio formats; simple and straightforward interface.
Video Steganography:
Description: Concealing information within video files by altering video frames.
Example: Embedding data in the color values of individual pixels within video frames.
OpenStego: An open-source tool primarily for image steganography but also supports basic video steganography.
Embeds data within video frames; supports encryption and watermarking; user-friendly interface.

Text Steganography:
Description: Hiding data within text files by manipulating the format and structure of the text.
Example: Using invisible characters, altering font sizes, or inserting extra spaces and punctuation marks.
StegoNote: A tool for embedding hidden text within notes or documents using invisible characters and formatting.
Allows for hidden text within plain text files; easy to use with a straightforward interface.

Network Steganography:
Description: Embedding information within network traffic and communication protocols.
Example: Using unused header fields in TCP/IP packets or modulating the timing of packet transmissions to carry
hidden messages.
NetSteg: A tool for embedding hidden data within network protocols and packet headers. It modifies unused fields in
TCP/IP headers.

Advantages of Steganography:

Invisibility: The hidden data is not apparent to the casual observer, making it difficult to detect without specialized tools.
Plausible Deniability: The presence of hidden data can be easily denied as the carrier file appears normal.
Versatility: Can be applied to various types of digital media, including images, audio, video, and text files.

Challenges and Countermeasures:

Detection Difficulty: Identifying steganographic content requires advanced analysis and detection tools.
Complexity: Creating effective steganographic methods that remain undetectable can be complex and time-consuming.
Countermeasures: Using steganalysis techniques such as statistical analysis, machine learning, and pattern
recognition to detect hidden data.
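To make the Least Significant Bit method from the Image Steganography slide and the statistical countermeasure named above concrete, the following Python is an added example for these notes, not code from the original slides or from any of the tools listed. The "image" is a constructed list of 512 greyscale pixel values; embed() and extract() implement sequential LSB replacement with a 4-byte length prefix, and pair_chi_square() implements the classic chi-square steganalysis statistic over the value pairs (2k, 2k+1). The cover is built with only even values so that the effect of embedding is unmistakable; the pixel array and the secret are constructed inputs.

```python
# Constructed 512-pixel greyscale "image": every pixel value is even, so the
# cover's LSB plane is perfectly biased. Real covers are far less regular.
COVER = [(2 * i) % 256 for i in range(512)]
SECRET = b"constructed secret message"


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, message):
    """Hide message in the LSBs of cover, preceded by a 4-byte big-endian length."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message does not fit in the cover's LSB capacity")
    stego = list(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit  # replace only the lowest bit
    return stego


def _read_bytes(stego, start_bit, count):
    """Reassemble count bytes from the LSBs starting at pixel index start_bit."""
    out = bytearray()
    for b in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[start_bit + 8 * b + j] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Recover the message embedded by embed()."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def pair_chi_square(pixels):
    """Chi-square statistic over value pairs (2k, 2k+1).

    LSB replacement never moves a pixel out of its pair, it only changes its
    position inside the pair, so embedding pushes the two counts of every pair
    toward equality and the statistic toward zero. A sharp drop between the
    expected cover statistic and the observed one is the detection signal.
    """
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi += (even - expected) ** 2 / expected
    return chi
```

For this cover, pair_chi_square(COVER) is exactly 256.0 (128 pairs, each contributing 2), and it falls after embedding because the message bits spread the first 240 pixels across both members of their pairs. On real photographs the cover statistic is much smaller to begin with, which is why practical steganalysis evaluates the statistic over growing prefixes of the image and looks for the flat region produced by sequential embedding, and why randomised embedding positions and matching-based schemes were introduced to defeat it.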
Denial of Service (DoS) Attack
A DoS attack involves a single source that floods a target system with excessive traffic or requests, exhausting its
resources and making it unavailable to legitimate users.

Common Methods of Denial of Service (DoS) Attack:

Flood Attacks: Overwhelming the target with a massive volume of traffic.
Resource Exhaustion: Consuming server resources like CPU, memory, or bandwidth.

Examples:

ICMP Flood: Overwhelms a target with ICMP Echo Request (ping) packets, consuming network bandwidth and
resources.
TCP SYN Flood: Exploits the TCP handshake process by sending a flood of SYN requests, exhausting server
resources.

Prevention and Mitigation:

Rate Limiting: Restricting the number of requests from a single IP address.
Firewalls: Configuring firewalls to filter out malicious traffic.
Intrusion Detection Systems (IDS): Monitoring for unusual traffic patterns.
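The TCP SYN Flood example and the Rate Limiting and IDS countermeasures above fit together in one small piece of defensive code. The Python below is an added example for these notes, not code from the original slides or from any firewall or IDS product: it parses constructed firewall-style log lines (the line format, the 203.0.113.x/198.51.100.x addresses and the thresholds are all assumptions), flags any source whose SYN count within a sliding time window reaches a threshold, and replays the same traffic through a per-source token bucket to show what a rate limiter would have let through.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style log lines (assumed format, not from any real product).
# One source sends 30 SYNs within 300 microseconds; another behaves normally.
FLOOD_SRC = "203.0.113.5"
SAMPLE_LOG = [
    f"2024-07-31T21:24:49.{i * 10:06d} SRC={FLOOD_SRC} DST=198.51.100.10 PROTO=TCP DPT=443 FLAGS=SYN"
    for i in range(30)
] + [
    "2024-07-31T21:24:49.500000 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP DPT=443 FLAGS=SYN",
    "2024-07-31T21:24:49.600000 SRC=198.51.100.10 DST=203.0.113.77 PROTO=TCP DPT=443 FLAGS=SYN,ACK",
    "2024-07-31T21:25:10.000000 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP DPT=443 FLAGS=SYN",
    "2024-07-31T21:25:40.000000 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP DPT=443 FLAGS=SYN",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) .*?FLAGS=(?P<flags>\S+)")


def parse_syn_events(lines):
    """Return {src_ip: [epoch seconds]} for pure SYN packets; SYN,ACK replies are excluded."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("flags") == "SYN":
            events[m.group("src")].append(datetime.fromisoformat(m.group("ts")).timestamp())
    return events


def detect_syn_flood(lines, window_seconds, threshold):
    """Sources whose SYN count inside some sliding window of window_seconds reaches threshold."""
    offenders = {}
    for src, times in parse_syn_events(lines).items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[src] = peak
    return offenders


class TokenBucket:
    """Per-source rate limiter: refills `rate` tokens per second, stores at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def apply_rate_limit(lines, rate, burst):
    """Replay each source's SYNs through its own bucket; return {src: (allowed, dropped)}."""
    result = {}
    for src, times in parse_syn_events(lines).items():
        bucket = TokenBucket(rate, burst)
        allowed = sum(bucket.allow(t) for t in sorted(times))
        result[src] = (allowed, len(times) - allowed)
    return result
```

With a one-second window and a threshold of 20, detect_syn_flood() reports only 203.0.113.5 (30 SYNs), while the normal client peaks at one SYN per window. A bucket of 5 tokens per second with a burst of 10 admits the first 10 SYNs of the flood and drops the remaining 20, but passes all three SYNs from the normal client untouched, which is the behaviour a per-IP rate limit is meant to have. Against a distributed flood the per-source view breaks down, which is why the DDoS slide moves the defence upstream to traffic analysis and scrubbing services.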
Distributed Denial of Service (DDoS) Attack
A DDoS attack amplifies the impact of a DoS attack by using multiple compromised systems, often part of a botnet, to
flood the target with traffic from various sources, making it harder to defend against.

Common Methods of Distributed Denial of Service (DDoS) Attack:

Botnets: Networks of compromised devices controlled by the attacker to launch coordinated attacks.
Amplification Attacks: Exploiting vulnerabilities in network protocols to amplify the volume of attack traffic.
Application Layer Attacks: Targeting specific applications or services with a high volume of requests.
Example: Mirai Botnet, DNS Amplification.

-> Mirai Botnet: Utilizes compromised IoT devices to conduct massive-scale DDoS attacks, notably the 2016 Dyn attack.
-> DNS Amplification: Exploits DNS servers to amplify attack traffic, flooding the target with large volumes of data.

Prevention and Mitigation:

Traffic Analysis: Identifying and filtering malicious traffic using advanced analytics.
DDoS Protection Services: Leveraging cloud-based services and specialized solutions to absorb and mitigate attacks.
Redundancy: Implementing redundant systems and failover strategies to maintain service availability.
SQL Injection
SQL Injection (SQLi) is a type of cyber attack that targets databases by inserting or "injecting" malicious SQL queries into
input fields or URLs.

Common Methods of SQL Injection:

Error-Based SQL Injection: Exploits database error messages. Starting from a query such as SELECT * FROM users WHERE
id = 1;, the attacker submits invalid input that triggers errors revealing the database structure.
Union-Based SQL Injection: Combines the results of multiple queries, for example SELECT id, name FROM users UNION
SELECT username, password FROM admin;, to access additional data.

Prevention and Mitigation:

Stored Procedures: Utilize stored procedures to encapsulate SQL code, reducing direct interaction with SQL queries
from user input.
Input Validation and Sanitization: Validate and sanitize all user inputs to prevent malicious data from being processed
by the SQL engine. Filtering out or escaping special characters in user input.
Web Application Firewalls (WAFs): Deploy WAFs to detect and block SQL injection attacks before they reach the
application. Configuring a WAF to filter out SQL injection patterns and payloads.
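The difference between a query that is vulnerable to injection and one that is not comes down to whether user input can change the SQL grammar. The Python below is an added example for these notes, not code from the original slides: it uses the standard-library sqlite3 module with an in-memory table of two constructed rows, puts the string-formatted (vulnerable) lookup next to the parameterized one, and layers an allowlist validator on top as the "input validation" step from the prevention list. The table, the rows and the username pattern are assumptions.

```python
import re
import sqlite3

# The classic tautology input seen in every SQL injection tutorial.
INJECTION_INPUT = "' OR '1'='1"
# Allowlist for the validated variant: lowercase letters, digits and underscore only.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """In-memory SQLite database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Builds the SQL by string formatting: the input becomes part of the query text."""
    query = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, username):
    """Placeholder binding: the value is handed to the engine separately from the SQL text,
    so quotes inside it are data, never syntax."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def find_user_validated(conn, username):
    """Defence in depth: reject input outside the allowlist, then use the parameterized query."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the allowlist")
    return find_user_parameterized(conn, username)
```

With the tautology input, find_user_vulnerable() returns both rows because the executed statement becomes WHERE username = '' OR '1'='1', whereas find_user_parameterized() returns nothing because no user is literally named "' OR '1'='1". The validated variant rejects the input before any query runs; note that validation alone is not a substitute for parameterization, since a legitimate value (an O'Brien in a surname field) must still be passed safely.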
Buffer Overflow
Buffer Overflow is a vulnerability in software where a program writes more data to a buffer (a temporary storage area)
than it can hold, causing adjacent memory locations to be overwritten.
This can lead to unpredictable behavior, crashes, and potential execution of malicious code.

Common Methods of Exploiting Buffer Overflow:

Stack-Based Buffer Overflow: Occurs when a buffer located on the stack (used for function call management) is
overflowed, potentially overwriting the return address or other critical stack data.
Example: Exploiting a vulnerable function like strcpy() that does not check the length of input data, leading to
overwriting return addresses to execute malicious code.

Heap-Based Buffer Overflow: Involves overflowing buffers in the heap (dynamic memory) where memory is allocated
for objects at runtime. This can corrupt the memory management structures or manipulate function pointers.
Example: Exploiting a program's misuse of dynamic memory management functions like malloc() or free() to overwrite
adjacent memory blocks and execute arbitrary code.
Attacks on Wireless Networks
Wireless networks are particularly vulnerable to various types of attacks due to their reliance on radio waves for
communication, making them susceptible to interception and interference.

Common Wireless Network Attacks

WEP/WPA Cracking: Exploiting weaknesses in wireless encryption protocols (WEP, WPA, WPA2) to gain
unauthorized access to a wireless network. Tools used: Aircrack-ng to capture and analyze packets to recover
encryption keys.
Rogue Access Points: Setting up unauthorized access points that mimic legitimate ones to intercept and manipulate
network traffic. An attacker creates a fake access point with a name similar to a trusted network, tricking users into
connecting to it.
Man-in-the-Middle (MitM) Attack: Intercepting and altering communications between two parties without their
knowledge. An attacker intercepts data between a user and a legitimate access point, potentially altering the
communication or stealing sensitive information.
Bluetooth Attacks: Exploiting vulnerabilities in Bluetooth to intercept data or gain unauthorized access.
Types: Bluejacking (sending unsolicited messages), Bluesnarfing (unauthorized access to information), and
Bluebugging (taking control of a device).
Prevention and Mitigation:

Strong Encryption: Use robust encryption protocols such as WPA3 to secure wireless communications.
Example: Configuring routers to use WPA3 and disabling outdated protocols like WEP and WPA.

Network Monitoring: Continuously monitor wireless networks for suspicious activity and unauthorized access points.
Example: Using intrusion detection systems (IDS) and wireless network monitoring tools to detect anomalies.

Authentication and Access Control: Implement strong authentication mechanisms and control access to the wireless
network.
Example: Using RADIUS servers for centralized authentication and implementing MAC address filtering.

Regular Updates: Keep firmware and software for wireless devices updated to protect against known vulnerabilities.
Example: Regularly applying patches and updates to routers, access points, and client devices.

User Education: Educate users about the risks of wireless networks and best practices for security.
Example: Training users to recognize rogue access points and avoid connecting to unfamiliar networks.
Identity Theft (ID Theft)
Identity Theft involves the unauthorized acquisition and use of someone’s personal information, typically for financial gain.
Attackers may use this information to commit fraud, such as opening credit accounts, making unauthorized purchases, or
accessing sensitive services.

Key Points:

Personal Information Theft: Stealing data like Social Security numbers, credit card details, and bank account
information.
Account Takeover: Gaining unauthorized access to existing accounts and using them for fraudulent activities.
Synthetic Identity Theft: Creating a new identity by combining real and fake information to open new accounts.
Medical Identity Theft: Using someone else's identity to receive medical services, potentially leading to inaccurate
medical records.

Prevention and Mitigation:

Secure Personal Information: Shred sensitive documents, use strong passwords, and store personal information
securely.
Monitor Accounts: Regularly check financial statements and credit reports for unauthorized activity.
Fraud Alerts: Place fraud alerts on credit reports to warn creditors of potential identity theft.
