[Type here]

Module I . INTRODUCTION TO CYBERCRIME

List of Topics:
 Introduction
 Cybercrime: Definition and Origins of the Word
 Cybercrime and Information Security
 Who are Cybercriminals?
 Classifications of Cybercrimes
 Cybercrime: The Legal Perspectives
 Cybercrimes: An Indian Perspective
 Cybercrime and the Indian ITA 2000
 A Global Perspective on Cybercrimes
 Cybercrime Era: Survival Mantra for the Netizens

INTRODUCTION

 “Cyber security is the protection of internet-connected systems, including hardware, software and
data, from cyber attacks”.
 “Cybersecurity” means protecting information, equipment, devices, computer, computer resource,
communication device and information stored therein from unauthorized access, use, disclosure,
disruption, modification or destruction.
 Almost everyone is aware of the rapid growth of the Internet.
 Given the unrestricted number of free websites, the Internet has undeniably opened a new way of
exploitation known as cybercrime.
 These activities involve the use of computers, the Internet, cyberspace and the worldwide web
(WWW).
 Interestingly, cybercrime is not a new phenomena; the first recorded cybercrime took place in the
year 1820.
 It is one of the most talked about topics in the recent years.
 Based on a 2008 survey in Australia, the below shows the cybercrime trend
[Type here]

Figure: Cybercrime Trend

 Indian corporate and government sites have been attacked or defaced more than 780 times
between February 2000 and December 2002.
 There are also stories/news of other attacks; for example, according to a story posted on 3
December 2009, a total of 3,286 Indian websites were hacked in 5 months – between January and
June 2009.
 Various cybercrimes and cases registered under cybercrimes by motives and suspects in States
and Union Territories (UTs).

CYBERCRIME: DEFINITION AND ORIGINS OF THE WORD

Definition:
“A crime conducted in which a computer was directly and significantly instrumental is called as a
Cybercrime.”
Alternative definitions of Cybercrime are as follows:
1. Any illegal act where a special knowledge of computer technology is essential for its perpetration
(to commit a crime), investigation or prosecution.
2. Any traditional crime that has acquired a new dimension or order of magnitude through the aid
of a computer, and abuses that have come into being because of computers.
3. Any financial dishonesty that takes place in a computer environment.
4. Any threats to the computer itself, such as theft of hardware or software, damage and demands
for money.
[Type here]

5. “Cybercrime (computer crime) is any illegal behavior, directed by means of electronic operations, that
targets the security of computer systems and the data processed by them.”
Note that in a wider sense, “computer-related crime” can be any illegal behavior committed by means of,
or in relation to, a computer system or network; however, this is not cybercrime. The term “cybercrime”
relates to a number of other terms that may sometimes be used to describe crimes committed using
computers.
• Computer-related crime
• Computer crime
• Internet crime
• E-crime
• High-tech crime, etc. are the other synonymous terms.

Cybercrime specifically can be defined in a number of ways; a few definitions are:

1. A crime committed using a computer and the Internet to steal a person’s identity (identity theft) or
sell contraband or stalk victims or disrupt operations with malevolent programs.
2. Crimes completed either on or with a computer.
3. Any illegal activity done through the Internet or on the computer.
4. All criminal activities done using the medium of computers, the Internet, cyberspace and the WWW.

According to one information security, cybercrime is any criminal activity which uses network access to
commit a criminal act. Cybercrime may be internal or external, with the former easier to perpetrate. The term
“cybercrime” has evolved over the past few years since the adoption of Internet connection on a global scale
with hundreds of millions of users. Cybercrime refers to the act of performing a criminal act using
cyberspace as the communications vehicle.
Some people argue that a cybercrime is not a crime as it is a crime against software & not against a person
(or) property. However, while the legal systems around the world scramble to introduce laws to combat cyber
criminals, 2 types of attacks are prevalent:
1. Techno-crime: A premeditated act against a system or systems, with the intent to copy, steal, prevent
access, corrupt or otherwise deface or damage parts of or the complete computer system. The 24X7
connection to the internet makes this type of cybercrime a real possibility to engineer from anywhere in
the world, leaving few, if any, “finger prints”.
2. Techno-vandalism: These acts of “brainless” defacement of websites and/or other activities, such as
copying files and publicizing their contents publicly, are usually opportunistic in nature. Tight internal
security, allied to strong technical safeguards should prevent the vast majority of such incidents.
[Type here]

There is a very thin line between the two terms “computer crime” and “computer fraud”; both are
punishable. Cybercrimes (harmful acts committed from or against a computer or network) differ from most
terrestrial crimes in four ways:
a. how to commit them is easier to learn,
b. they require few resources relative to the potential damage caused,
c. they can be committed in a jurisdiction without being physically present in it &
d. they are often not clearly illegal.

Important Definitions related to Cyber Security:

Cyberterrorism:
This term was coined in 1997 by Barry Collin, a senior research fellow at the institute for Security and
Intelligence in California. Cyberterrorism seems to be a controversial term. The use of information
technology and means by terrorist groups & agents is called as Cyberterrorism.
“The premeditated use of disruptive activities, or the threat thereof, against computers and/or
networks, with the intention to cause harm or further social, ideological, religious, political or similar
objectives or to intimidate any person in furtherance of such objectives.”
(or)
Cyberterrorism is defined as “any person, group or organization who, with terrorist intent, utilizes
accesses or aids in accessing a computer or computer network or electronic system or electronic device by
any available means, and thereby knowingly engages in or attempts to engage in a terrorist act commits the
offence of cyberterrorism.”

Cybernetics:
Cybernetics deals with information and its use. Cybernetics is the science that overlaps the fields of
neurophysiology, information theory, computing machinery and automation. Worldwide, including India,
cyberterrorists usually use computer as a tool, target for their unlawful act to gain information.
Internet is one of the means by which the offenders can gain priced sensitive information of
companies, firms, individuals, banks and can lead to intellectual property (IP) crimes, selling illegal
articles, pornography/child pornography, etc. This is done using methods such as Phishing, Spoofing,
Pharming, Internet Phishing, wire transfer, etc. and use it to their own advantage without the consent of the
individual.
[Type here]

Phishing:
Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick the email
recipient into believing that the message is something they want or need a request from their bank, for
instance, or a note from someone in their company and to click a link or download an attachment.
Phishing is an attempt by an individual or a group to thieve personal confidential information such as
passwords, credit card information from unsuspecting victims for identity theft, financial gain & other
fraudulent activities.
(or)
Phishing is a form of online identity theft that aims to steal sensitive information such as online
banking passwords, credit card information from users etc.

Cyberspace:
This is a term coined by William Gibson, a science fiction writer in 1984. Cyberspace is where users
mentally travel through matrices of data. Conceptually, cyberspace is the nebulous place where humans
interact over computer networks. The term “cyberspace” is now used to describe the Internet and other
computer networks. In terms of computer science, “cyberspace” is a worldwide network of computer
networks that uses the Transmission Control Protocol/Internet Protocol (TCP/IP) for communication to
facilitate transmission and exchange of data. Cyberspace is most definitely a place where you chat, explore,
research and play.

Cybersquatting:
The term is derived from “squatting” which is the act of occupying an abandoned/unoccupied space/
building that the user does not own, rent or otherwise have permission to use. Cybersquatting, however, is a
bit different in that the domain names that are being squatted are (sometimes but not always) being paid for
by the cybersquatters through the registration process.
Cybersquatters usually ask for prices far greater than those at which they purchased it. Some
cybersquatters put up derogatory or defamatory remarks about the person or company the domain is meant to
represent in an effort to encourage the subject to buy the domain from them. This term is explained here
because, in a way, it relates to cybercrime given the intent of cybersquatting.
Cybersquatting means registering, selling or using a domain name with the intent of profiting from the
goodwill of someone else’s trademark. In this nature, it can be considered to be a type of cybercrime.
Cybersquatting is the practice of buying “domain names” that have existing businesses names.
[Type here]

In India, Cybersquatting is considered to be an Intellectual Property Right (IPR). In India,

Cybersquatting is seen to interfere with “Uniform Dispute Resolution Policy” (a contractual obligation to
which all domain name registrants are presently subjected to).

Cyberpunk:
This is a term coined by Bruce Bethke, published in science fiction stories magazine in November
1983. According to science fiction literature, the words “cyber” and “punk” emphasize the two basic aspects
of cyberpunk: “technology” and “individualism.” The term “cyberpunk” could mean something like “anarchy
via machines” or “machine/computer rebel movement.”

Cyberwarfare:
Cyberwarfare means information attacks against an unsuspecting opponent’s computer networks,
destroying and paralyzing nations. This perception seems to be correct as the terms cyberwarfare and
Cyberterrorism have got historical connection in the context of attacks against infrastructure. The term
“information infrastructure” refers to information resources, including communication systems that support
an industry, institution or population. These type of Cyber attacks are often presented as threat to military
forces and the Internet has major implications for espionage and warfare.

CYBERCRIME AND INFORMATION SECURITY

Lack of information security gives rise to cybercrimes. Let us refer to the amended Indian Information
Technology Act (ITA) 2000 in the context of cybercrime. From an Indian perspective, the new version of the
Act (referred to as ITA 2008) provides a new focus on “Information Security in India". "Cybersecurity”
means protecting information, equipment, devices, computer, computer resource, communication device and
information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.
The term incorporates both the physical security of devices as well as the information stored therein. It covers
protection from unauthorized access, use, disclosure, disruption, modification and destruction.
Where financial losses to the organization due to insider crimes are concerned (e.g., leaking customer
data), often some difficulty is faced in estimating the losses because the financial impacts may not be
detected by the victimized organization and no direct costs may be associated with the data theft. The 2008
CSI Survey on computer crime and security supports this. Cybercrimes occupy an important space in
information security domain because of their impact. The other challenge comes from the difficulty in
attaching a quantifiable monetary value to the corporate data and yet corporate data get stolen/lost (through
loss/theft of laptops).
[Type here]

Because of these reasons, reporting of financial losses often remains approximate. In an attempt to
avoid negative publicity, most organizations abstain from revealing facts and figures about “security
incidents” including cybercrime. In general, organizations perception about “insider attacks” seems to be
different than that made out by security solution vendor. However, this perception of an organization does
not seem to be true as revealed by the 2008 CSI Survey. Awareness about “data privacy” too tends to be low
in most organizations. When we speak of financial losses to the organization and significant insider crimes,
such as leaking customer data, such “crimes” may not be detected by the victimized organization and no
direct costs may be associated with the theft

Figure: Cybercrime trend over the years

Figure: shows several categories of incidences – viruses, insider abuse, laptop theft and
unauthorized access to systems
[Type here]

The Botnet Menace:

A group of computers that are controlled by software containing harmful programs, without their
users' knowledge is called as Botnet. The term “Botnet” is used to refer to a group of compromised
computers (zombie computers, i.e., personal computers secretly under the control of hackers) running
malwares under a common command and control infrastructure. Below figure shows how a “zombie” works.

Figure: How a Zombie works

 A Botnet maker can control the group remotely for illegal purposes, the most common being
 denial-of-service attack (DoS attack),
 Adware,
 Spyware,
 E-Mail Spam,
 Click Fraud
 theft of application serial numbers,
 login IDs
 financial information such as credit card numbers, etc.
 An attacker usually gains control by infecting the computers with a virus or other Malicious Code.
The computer may continue to operate normally without the owner’s knowledge that his computer
has been compromised.

 The problem of Botnet is global in nature and India is also facing the same.
[Type here]

 India has an average of 374 new Bot attacks per day and had more than 38,000 distinct Bot-
infected computers in the first half of the year 2009.
 Small and medium businesses in the country are at greater risk, as they are highly vulnerable
to Bots, Phishing, Spam and Malicious Code attacks.
 Mumbai with 33% incidences tops the Bot-infected city list,
 followed by New Delhi at 25%,
 Chennai at 17% and
 Bangalore at 13%.
 Tier-II locations are now also a target of Bot-networks with Bhopal at 4% and Hyderabad, Surat,
Pune and Noida at 1% each.
 The Internet is a network of interconnected computers. If the computers, computer systems,
computer resources, etc. are unsecured and vulnerable to security threats, it can be detrimental to
the critical infrastructure of the country.

WHO ARE CYBERCRIMINALS?

Cybercrime involves such activities

 credit card fraud;
 cyberstalking;
 defaming another online;
 gaining unauthorized access to computer systems;
 ignoring copyright, software licensing and trademark protection;
 overriding encryption to make illegal copies;
 software piracy and stealing another’s identity (known as identity theft) to perform criminal acts

Types of Cybercriminals:

1. Type I: Cybercriminals – hungry for recognition

 Hobby hackers;
 IT professionals (social engineering is one of the biggest threat);
 Politically motivated hackers;
 Terrorist organizations.
2. Type II: Cybercriminals – not interested in recognition
 Psychological perverts;
[Type here]

 financially motivated hackers (corporate espionage);

 state-sponsored hacking (national espionage, sabotage)
 organized criminals
3. Type III: Cybercriminals – the insiders
 Disgruntled or former employees seeking revenge;
 Competing companies using employees to gain economic advantage through damage
and/or theft.

CLASSIFICATIONS OF CYBERCRIMES

Table: Classifying Cybercrimes

“Crime is defined as an act or the commission of an act that is forbidden, or the omission of a duty that is
commanded by a public law and that makes the off ender liable to punishment by that law”. Cyber crimes are
classified as follows:
 Cybercrime against individual
 Cybercrime against property
 Cybercrime against organization
 Cybercrime against society
 Crimes emanating from Usenet newsgroup

Cybercrime against individual

1. E-Mail Spoofing: A spoofed E-Mail is one that appears to originate from one source but actually has
been sent from another source. For example, let us say, Roopa has an E-Mail address
roopa@asianlaws.org. Let us
[Type here]

say her boyfriend Suresh and she happen to have a show down. Then Suresh, having become her enemy,
spoofs her E-Mail and sends vulgar messages to all her acquaintances. Since the E-Mails appear to have
originated from Roopa, her friends could take offense and relationships could be spoiled for life.
2. Online Frauds: The most common types of online fraud are called phishing and spoofing. Phishing is the
process of collecting your personal information through e-mails or websites claiming to be legitimate. This
information can include usernames, passwords, credit card numbers, social security numbers, etc. Often times
the e-mails directs you to a website where you can update your personal information. Because these sites
often look “official,” they hope you’ll be tricked into disclosing valuable information that you normally
would not reveal. This often times, results in identity theft and financial loss.
Spyware and viruses are both malicious programs that are loaded onto your computer without your
knowledge. The purpose of these programs may be to capture or destroy information, to ruin computer
performance or to overload you with advertising. Viruses can spread by infecting computers and then
replicating. Spyware disguises itself as a legitimate application and embeds itself into your computer where it
then monitors your activity and collects information.
3. Phishing, Spear Phishing and its various other forms such as Vishing and Smishing:
Phishing is the process of collecting your personal information through e-mails or websites claiming to be
legitimate. This information can include usernames, passwords, credit card numbers, social security numbers,
etc. Often times the e-mails directs you to a website where you can update your personal information.
Because these sites often look “official,” they hope you’ll be tricked into disclosing valuable information that
you normally would not reveal. This often times, results in identity theft and financial loss.
Spear Phishing is a method of sending a Phishing message to a particular organization to gain organizational
information for more targeted social engineering. Here is how Spear Phishing scams work; Spear Phishing
describes any highly targeted Phishing attack. Spear phishers send E-Mail that appears genuine to all the
employees or members within a certain company, government agency, organization or group. The message
might look as if it has come from your employer, or from a colleague who might send an E-Mail message to
everyone in the company; it could include requests for usernames or passwords. While traditional Phishing
scams are designed to steal information from individuals, spear phishing scam works to gain access to a
company's entire computer system.
Vishing (voice phishing) is a type of phishing attack that is conducted by phone and often targets users
of Voice over IP (VoIP) services like Skype.
It’s easy to for scammers to fake caller ID, so they can appear to be calling from a local area code or even
from an organization you know. If you don’t pick up, then they’ll leave a voicemail message asking you
to call back. Sometimes these kinds of scams will employ an answering service or even a call center that’s
unaware of the crime being perpetrated.
[Type here]

Once again, the aim is to get credit card details, birthdates, account sign-ins, or sometimes just to
harvest phone numbers from your contacts. If you respond and call back, there may be an automated
message prompting you to hand over data and many people won’t question this, because they accept
automated phone systems as part of daily life now.
Smishing (SMS phishing) is a type of phishing attack conducted using SMS (Short Message Services)
on cell phones. Just like email phishing scams, smishing messages typically include a threat or
enticement to click a link or call a number and hand over sensitive information. Sometimes they might
suggest you install some security software, which turns out to be malware.
Smishing example: A typical smishing text message might say something along the lines of,
“Your ABC Bank account has been suspended. To unlock your account, tap here: https://bit.ly/2LPLdaU”
and the link provided will download malware onto your phone. Scammers are also adept at adjusting to
the medium they’re using, so you might get a text message that says, “Is this really a pic of you?
https://bit.ly/2LPLdaU” and if you tap that link to find out, once again you’re downloading malware.
4. Spamming: People who create electronic Spam are called spammers. Spam is the abuse of electronic
messaging systems (including most broadcast media, digital delivery systems) to send unrequested bulk
messages indiscriminately. Although the most widely recognized form of Spam is E-Mail Spam, the term is
applied to similar abuses in other media: instant messaging Spam, Usenet newsgroup Spam, web search
engine Spam, Spam in blogs, wiki Spam, online classified ads Spam, mobile phone messaging Spam, Internet
forum Spam, junk fax transmissions, social networking Spam, file sharing network Spam, video sharing sites,
etc.
Spamming is difficult to control because it has economic viability – advertisers have no operating
costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their
mass mailings. Spammers are numerous; the volume of unrequested mail has become very high because the
barrier to entry is low. Therefore, the following web publishing techniques should be avoided:
 Repeating keywords;
 use of keywords that do not relate to the content on the site;
 use of fast meta refresh;
 redirection;
 IP Cloaking;
 use of colored text on the same color background;
 tiny text usage;

 duplication of pages with different URLs;

 hidden links;
[Type here]

 use of different pages that bridge to the same URL (gateway pages).
5. Cyber defamation: It is a cognizable (Software) offense. “Whoever, by words either spoken or intended
to be read, or by signs or by visible representations, makes or publishes any imputation concerning any
person intending to harm, or knowing or having reason to believe that such imputation will harm, the
reputation of such person, is said, except in the cases hereinafter expected, to defame that person.”
Cyber defamation happens when the above takes place in an electronic form. In other words, cyber
defamation occurs when defamation takes place with the help of computers and/or the Internet. For example,
someone publishes defamatory matter about someone on a website or sends an E-Mail containing defamatory
information to all friends of that person.
6. Cyberstalking and harassment: The dictionary meaning of “stalking” is an “act or process of following
prey stealthily – trying to approach somebody or something.” Cyberstalking has been defined as the use of
information and communications technology, particularly the Internet, by an individual or group of
individuals to harass another individual, group of individuals, or organization. The behavior includes false
accusations, monitoring, transmission of threats, ID theft, damage to data or equipment, solicitation of minors
for sexual purposes, and gathering information for harassment purposes.
As the internet has become an integral part of our personal & professional lives, cyberstalkers take advantage
of ease of communication & an increased access to personal information available with a few mouse clicks or
keystrokes. They are 2 types of stalkers: Online Stalkers: aim to start the interaction with the victim directly
with the help of the internet. Offline Stalkers: the stalker may begin the attack using traditional methods
such as following the victim, watching the daily routine of the victim.
7. Computer Sabotage: The use of the Internet to stop the normal functioning of a computer system through
the introduction of worms, viruses or logic bombs, is referred to as computer sabotage. It can be used to gain
economic advantage over a competitor, to promote the illegal activities of terrorists or to steal data or
programs for extortion purposes. Logic bombs are event-dependent programs created to do something only
when a certain event (known as a trigger event) occurs. Some viruses may be termed as logic bombs because
they lie dormant all through the year and become active only on a particular date.
8. Pornographic Offenses: Child pornography means any visual depiction, including but not limited to
the following:
1. Any photograph that can be considered obscene and/or unsuitable for the age of child viewer;
2. film, video, picture;
3. computer-generated image or picture of sexually explicit conduct where the production of such
visual depiction involves the use of a minor engaging in sexually explicit conduct.

Child Pornography is considered an offense. The internet is being highly used by its abusers to reach and
abuse children sexually, worldwide. The Internet has become a household commodity in the urban areas of
[Type here]

the nation. Its explosion has made the children a viable victim to the cybercrime. As the broad-band
connections get into the reach of more and more homes, larger child population will be using the
Internet and therefore greater would be the chances of falling victim to the aggression of pedophiles.
Pedophiles are the people who physically or psychologically coerce minors to engage in sexual activities,
which the minors would not consciously consent too. Here is how pedophiles operate:
 Step 1: Pedophiles use a false identity to trap the children/teenagers.
 Step 2: They seek children/teens in the kids’ areas on the services, such as the Games BB or chat
areas where the children gather.
 Step 3: They befriend children/teens.
 Step 4: They extract personal information from the child/teen by winning his/her confidence.
 Step 5: Pedophiles get E-Mail address of the child/teen and start making contacts on the victim’s E-
Mail address as well. Sometimes, these E-Mails contain sexually explicit language.
 Step 6: They start sending pornographic images/text to the victim including child pornographic
images in order to help child/teen shed his/her inhibitions so that a feeling is created in the mind of
the victim that what is being fed to him is normal and that everybody does it.
 Step 7: At the end of it, the pedophiles set up a meeting with the child/teen out of the house and then
drag him/her into the net to further sexually assault him/her or to use him/her as a sex object.
9. Password Sniffing: is a hacking technique that uses a special software application that allows a hacker to
steal usernames and passwords simply by observing and passively recording network traffic. This often
happens on public WiFi networks where it is relatively easy to spy on weak or unencrypted traffic.
And yet, password sniffers aren’t always used for malicious intent. They are often used by IT
professionals as a tool to identify weak applications that may be passing critical information unencrypted
over the Local Area Network (LAN). IT practitioners know that users download and install risky software at
times in their environment, running a passive password sniffer on the network of a business to identify leaky
applications is one legitimate use of a password sniffer.

Cybercrime against property

1. Credit Card Frauds: Credit card fraud is an inclusive term for fraud committed using a payment
card, such as a credit card or debit card. The purpose may be to obtain goods or services, or to make
payment to another account which is controlled by a criminal. The Payment Card Industry Data Security
Standard (PCI DSS) is the data security standard created to help businesses process card payments
securely and reducecard fraud. Credit card fraud can be authorised, where the genuine customer
themselves processes a payment to another account which is controlled by a criminal, or unauthorised, where
the account holder does not provide authorisation for the payment to proceed and the transaction is carried out by a
[Type here]

third party. Credit cards are more secure than ever, with regulators, card providers and banks taking
considerable time and effort to collaborate with investigators worldwide to ensure fraudsters aren't successful.
Cardholders' money is usually protected from scammers with regulations that make the card provider and
bank accountable. The technology and security measures behind credit cards are becoming increasingly
sophisticated making it harder for fraudsters to steal money.

2. Intellectual Property (IP) Crimes: With the growth in the use of internet these days the cyber crimes
are also growing. Cyber theft of Intellectual Property (IP) is one of them. Cyber theft of IP means stealing
of copyrights, software piracy, trade secrets, patents etc., using internet and computers.
Copyrights and trade secrets are the two forms of IP that is frequently stolen. For example,
stealing of software, business strategies etc. Generally, the stolen material is sold to the rivals or others
for further sale of the product. This may result in the huge loss to the company who originally created it.
Another major cyber theft of IP faced by India is piracy. These days one can get pirated version of
movies, software etc. The piracy results in a huge loss of revenue to the copyright holder. It is difficult to
find the cyber thieves and punish them because everything they do is over internet, so they erase the data
immediately and disappear within fraction of a second.
 Internet time theft: Such a theft occurs when an unauthorized person uses the Internet hours paid for by
another person. Basically, Internet time theft comes under hacking because the person who gets access to
someone else’s ISP user ID and password, either by hacking or by gaining access to it by illegal means,
uses it to access the Internet without the other person’s knowledge. However, one can identify time theft
if the Internet time has to be recharged often, even when one’s own use of the Internet is not frequent. The
issue of Internet time theft is related to the crimes conducted through identity theft.

Cybercrime against Organization

1. Unauthorized accessing of Computer: Hacking is one method of doing this and hacking is punishable
offense. Unauthorized computer access, popularly referred to as hacking, describes a criminal action
whereby someone uses a computer to knowingly gain access to data in a system without permission to
access that data.

2. Password Sniffing: Password Sniffers are programs that monitor and record the name and
password of network users as they login, jeopardizing security at a site. Whoever installs the Sniffer can
then impersonate an authorized user and login to access restricted documents. Laws are not yet
set up to adequately prosecute a person for impersonating another person online. Laws designed to prevent
unauthorized access to information may be effective in apprehending crackers using Sniffer programs.
3. Denial-of-service Attacks (DoS Attacks): It is an attempt to make a computer resource (i.e..,
information systems) unavailable to its intended users. In this type of criminal act, the attacker floods the
[Type here]

bandwidth of the victim’s network or fills his E-Mail box with spam mail depriving him of the services
he is entitled to access or provide. The goal of DoS is not to gain unauthorized access to systems or data,
but to prevent intended users (i.e., legitimate users) of a service from using it. A DoS attack may do the
following:
a. Flood a network with traffic, thereby preventing legitimate network traffic.
b. Disrupt connections between two systems, thereby preventing access to a service.
c. Prevent a particular individual from accessing a service.
d. Disrupt service to a specifi c system or person.
4. Virus attacks/dissemination of Viruses:
Computer virus is a program that can “infect” legitimate (valid) programs by modifying them to include
a possibly “evolved” copy of itself. Viruses spread themselves, without the knowledge or permission of
the users, to potentially large numbers of programs on many machines. A computer virus passes from
computer to computer in a similar manner as a biological virus passes from person to person. Viruses
may also contain malicious instructions that may cause damage or annoyance; the combination of
possibly Malicious Code with the ability to spread is what makes viruses a considerable concern. Viruses
can often spread without any readily visible symptoms. Viruses can take some typical actions:
 Display a message to prompt an action which may set of the virus
 Delete files inside the system into which viruses enter
 Scramble data on a hard disk
 Cause erratic screen behavior
 Halt the system (PC)
 Just replicate themselves to propagate further harm
5. E-Mail bombing/Mail bombs: E-Mail bombing refers to sending a large number of E-Mails to the
victim to crash victim’s E-Mail account (in the case of an individual) or to make victim’s mail servers
crash (in the case of a company or an E-Mail service provider). Computer program can be written to
instruct a computer to do such tasks on a repeated basis. In recent times, terrorism has hit the Internet in
the form of mail bombings. By instructing a computer to repeatedly send E-Mail to a specified person’s
E-Mail address, the cybercriminal can overwhelm the recipient’s personal account and potentially shut
down entire systems. This may or may not be illegal, but it is certainly disruptive.

6. Salami Attack/Salami technique: These attacks are used for committing financial crimes. The idea here
is to make the alteration so insignificant that in a single case it would go completely unnoticed; For
example a bank employee inserts a program, into the bank’s servers, that deducts a small amount of
money (say Rs. 2/- or a few cents in a month) from the account of every customer. No account holder
will probably notice this unauthorized debit, but the bank employee will make a sizable amount every
[Type here]

month.
7. Logic Bomb: A Logic Bomb is a piece of often-malicious code that is intentionally inserted into
software. It is activated upon the host network only when certain conditions are met. Some viruses may
be termed as logic bombs because they lie dormant all through the year and become active only on a
particular date.
8. Trojan Horse: A Trojan Horse, Trojan for short, is a term used to describe malware that appears, to the
user, to perform a desirable function but, in fact, facilitates unauthorized access to the user’s computer
system.
9. Data Diddling: A data diddling (data cheating) attack involves altering raw data just before it is
processed by a computer and then changing it back after the processing is completed. Electricity Boards
in India have been victims to data diddling programs inserted when private parties computerize their
systems.
10. Newsgroup Spam/Crimes emanating from Usenet newsgroup : This is one form of spamming. The
word “Spam” was usually taken to mean Excessive Multiple Posting (EMP). The advent of Google
Groups, and its large Usenet archive, has made Usenet more attractive to spammers than ever. Spamming
of Usenet newsgroups actually predates E-Mail Spam.
11. Industrial spying/Industrial espionage: Spying is not limited to governments. Corporations, like
governments, often spy on the enemy. The Internet and privately networked systems provide new
and better opportunities for espionage. “Spies” can get information about product finances, research and
development and marketing strategies, an activity known as “industrial spying.”
However, cyberspies rarely leave behind a trail. Industrial spying is not new; in fact it is as old
as industries themselves. The use of the Internet to achieve this is probably as old as the Internet itself.
Traditionally, this has been the reserved hunting field of a few hundreds of highly skilled hackers,
contracted by high-profile companies or certain governments via the means of registered organizations
(it is said that they get several hundreds of thousands of dollars, depending on the “assignment”). With
the growing public availability of Trojans and Spyware material, even low-skilled individuals are now
inclined to generate high volume profit out of industrial spying. This is referred to as “Targeted Attacks”
(which includes “Spear Phishing”).

12. Computer network intrusions: “Crackers” who are often misnamed “Hackers can break into
computer systems from anywhere in the world and steal data, plant viruses, create backdoors, insert
Trojan Horses or change user names and passwords. Network intrusions are illegal, but detection
and enforcement are difficult. Current laws are limited and many intrusions go undetected. The cracker can
bypass existing password protection by creating a program to capture logon IDs and passwords. The practice of
“strong password” is therefore important.
[Type here]

13. Software piracy: This is a big challenge area indeed. Cybercrime investigation cell of India defines
“software piracy” as theft of software through the illegal copying of genuine programs or the
counterfeiting and distribution of products intended to pass for the original. There are many examples of
software piracy:
1. end-user copying: friends loaning disks to each other, or organizations under-reporting the
number of software installations they have made, or organizations not tracking their software
licenses;
2. hard disk loading with illicit means: hard disk vendors load pirated software;
3. counterfeiting: large-scale duplication and distribution of illegally copied software;
4. Illegal downloads from the Internet: by intrusion, by cracking serial numbers, etc. Beware
that those who buy pirated software have a lot to lose:
 getting untested software that may have been copied thousands of times over,
 the software, if pirated, may potentially contain hard-drive-infecting viruses,
 there is no technical support in the case of software failure, that is, lack of
technical product support available to properly licensed users,
 there is no warranty protection,
 there is no legal right to use the product, etc.

Cybercrime against Society

1. Forgery: Counterfeit currency notes, postage and revenue stamps, marksheets, etc. can be forged using
sophisticated computers, printers and scanners. Outside many colleges there are miscreants soliciting the
sale of fake mark-sheets or even degree certificates. These are made using computers and high quality
scanners and printers. In fact, this is becoming a booming business involving large monetary amount
given to student gangs in exchange for these bogus but authentic looking certificates.
2. Cyberterrorism: Cyberterrorism is a controversial term. Cyberterrorism is the use of the Internet to
conduct violent acts that result in, or threaten, loss of life or significant bodily harm, in order to achieve
political or ideological gains through threat or intimidation. It is also sometimes considered an act of
Internet terrorism where terrorist activities, including acts of deliberate, large-scale disruption of
computer networks, especially of personal computers attached to the Internet by means of tools such as
computer viruses, computer worms, phishing, and other malicious software and hardware methods and
programming scripts.

3. Web Jacking: Web jacking occurs when someone forcefully takes control of a website (by cracking the
password and later changing it). Thus, the first stage of this crime involves “password sniffing”. The
actual owner of the website does not have any more control over what appears on that website.
[Type here]

Crimes emanating from Usenet newsgroup:

By its very nature, Usenet groups may carry very offensive, harmful, inaccurate or otherwise
inappropriate material, or in some cases, postings that have been mislabeled or are deceptive in another way.
Therefore, it is expected that you will use caution and common sense and exercise proper judgment when
using Usenet, as well as use the service at your own risk.
Usenet is a popular means of sharing and distributing information on the Web with respect to specific
topic or subjects. Usenet is a mechanism that allows sharing information in a many-to-many manner. The
newsgroups are spread across 30,000 different topics.

CYBERCRIME: THE LEGAL PERSPECTIVES

 Cybercrime poses a biggest challenge.
 Computer Crime: As per “Criminal Justice Resource Manual (1979)”, computer-related crime was
defined in the broader meaning as: “any illegal act for which knowledge of computer technology is
essential for a successful prosecution”.
 International legal aspects of computer crimes were studied in 1983.
 In that study, computer crime was consequently defined as: “encompasses any illegal act for
which knowledge of computer technology is essential for its commit”.
 Cybercrime, in a way, is the outcome of “globalization.” However, globalization does not mean
globalized welfare at all.
 Globalized information systems accommodate an increasing number of transnational offenses.
 The network context of cybercrime makes it one of the most globalized offenses of the present and
the most modernized threats of the future.
 This problem can be resolved in two ways.
a) One is to divide information systems into segments bordered by state boundaries (cross-
border flow of information).
b) The other is to incorporate the legal system into an integrated entity obliterating these
state boundaries.

 Apparently, the first way is unrealistic. Although all ancient empires including Rome, Greece and
Mongolia became historical remnants, and giant empires are not prevalent in current world, the
partition of information systems cannot be an imagined practice.
 In a globally connected world, information systems become the unique empire without tangible
territory.
[Type here]

CYBERCRIMES: AN INDIAN PERSPECTIVE

India has the fourth highest number of Internet users in the world. According to the statistics posted
on the site (http://www.iamai.in/), there are 45 million Internet users in India, 37% of all Internet accesses
happen from cybercafés and 57% of Indian Internet users are between 18 and 35 years. The population of
educated youth is high in India. It is reported that compared to the year 2006, cybercrime under the
Information Technology (IT) Act recorded a whopping 50% increase in the year 2007. A point to note is that
the majority of offenders were under 30 years. The maximum cybercrime cases, about 46%, were
related to incidents of cyberpornography, followed by hacking. In over 60% of these cases, offenders were
between 18 and 30 years, according to the “Crime in 2007” report of the National Crime Record Bureau
(NCRB).
Cybercrimes: Indian Statistics:
Cybercrimes: Cases of various categories under ITA 2000: 217 cases were registered under IT Act during the
year 2007 as compared to 142 cases during the previous year 2006, with an increase of 52.8%. 99 cases of the
total 217 cases registered under ITA 2000 were related to obscene publication/transmission in electronic form
known as cyberpornography. There were 76 cases of hacking with computer system which is related to
loss/damage of computer resource/utility. India is said to be “youth country” given the population age
distribution. However from cybercrime perspective, this youth aspect does not seem good as revealed by
cybercrime statistics in India.
Cybercrimes: Cases of various categories under IPC Section: A total of 339 cases were registered under IPC
sections during the year 2007 as compared to 311 such cases during 2006, thereby reporting an increase of
9%.Majority of the crimes out of total 339 cases registered under IPC fall under 2 categories i.e.., Forgery &
Criminal breach of Trust or Fraud.
Incidence of Cybercrimes in cities: 17 out of 35 mega cities did not report any case of cybercrime (neither
under the IT Act nor under IPC Sections) during the year 2007. A total of 17 mega cities have reported 118
cases under IT Act and 7 mega cities reported 180 cases under various sections of IPC.
The Indian Government is doing its best to control cybercrimes. For example, Delhi Police have now
trained 100 of its officers in handling cybercrime and placed them in its Economic Offences Wing. As at the
time of writing this, the officers were trained for 6 weeks in computer hardware and software,
computer networks comprising data communication networks, network protocols, wireless networks and
network security.

CYBERCRIME & THE INDIAN ITA 2000

In India, the ITA 2000 was enacted after the United Nation General Assembly Resolution
A/RES/51/162 in January 30, 1997 by adopting the Model Law on Electronic Commerce adopted by the
[Type here]

United Nations Commission on International Trade Law. This was the first step toward the Law relating to E-
Commerce at international level to regulate an alternative form of commerce and to give legal status in the
area of E-Commerce. It was enacted taking into consideration UNICITRAL model of Law on Electronic
Commerce (1996).
Hacking and the Indian Laws:
Chapter of the Act
Section Ref. and Title And Title Crime Punishment
Sec.43 (Penalty for Chapter IX Penalties and Damage to Compensation for
damage to computer, Adjudication computer system Rs. 1Crore
computer system etc) etc.
Sec.66 (Hacking with Chapter XI Hacking (with intent Fine of Rs. 2 Lakhs &
computer system) Offences or knowledge) Imprisonment for 3 years
Sec.67 (Publishing of Chapter XI Publication of Fine of Rs. 1 Lakh &
information which is Offences obscene material in Imprisonment of 5 years
obscene in electronic electronic form and double conviction
form) on second offence
Sec.68 (Power of Chapter XI Not complying with Fine upto Rs. 2 Lakhs &
controller to give Offences directions of Imprisonment of 3 years
directions) controller
Sec.70 (Protected Chapter XI Attempting or Imprisonment up to 10
System) Offences securing access to Years
computer of another
person without
his/her
knowledge
Sec.72 (Penalty for Chapter XI Attempting or securing Fine up to Rs. 1 Lakh
breach of confidentiality Offences access to computer for and Imprisonment up to
and privacy) breaking confidentiality 2 Years
of the information
of computer
Sec.73 (Penalty for Chapter XI Publishing false Fine of Rs.1 Lakh or
publishing Digital Offences Digital Signatures, imprisonment of 2 years or
Signature Certificate false in certain both
false in certain particulars
particulars)
Sec.74 (Publication for Chapter XI Publishing of Digital Imprisonment for the
fraudulent purpose) Offences Signatures for term of 2 years and fine of
fraudulent purpose Rs. 1 Lakh
Table: The key provisions under the Indian ITA 2000 (before the
amendment)

A GLOBAL PERSPECTIVE ON CYBERCRIMES

In Australia, cybercrime has a narrow statutory meaning as used in the Cyber Crime Act 2001, which
details offenses against computer data and systems. However, a broad meaning is given to cybercrime at an
international level. In the Council of Europe’s (CoE’s) Cyber Crime Treaty, cybercrime is used as an
[Type here]

umbrella term to refer to an array of criminal activity including offenses against computer data and systems,
computer- related offenses, content offenses and copyright offenses.

This wide definition of cybercrime overlaps in part with general offense categories that need not be
Information & Communication Technology (ICT)-dependent, such as white-collar crime and economic
crime.
Although this status is from the International Telecommunication Union (ITU) survey conducted in 2005,
we get an idea about the global perspective. ITU activities on countering Spam can be read by visiting the
link www.itu.int/spam (8 May 2010). The Spam legislation scenario mentions “none” about India as far as E-
Mail legislation in India is concerned.
The linkage of cybersecurity and critical infrastructure protection has become a big issue as a number
of countries have began assessment of threats, vulnerabilities and started exploring mechanisms to redress
them. Recently, there have been a number of significant developments such as

1. August 4, 2006 Announcement: The US Senate ratifies CoE Convention on Cyber Crime. The
convention targets hackers, those spreading destructive computer viruses, those using the Internet for
the sexual exploitation of children or the distribution of racist material, and terrorists attempting to
attack infrastructure facilities or financial institutions. The Convention is in full accord with all the
US constitutional protections, such as free speech and other civil liberties, and will require no change to the US
laws.
2. In August 18, 2006, there was a news article published “ISPs Wary About ‘Drastic Obligations’ on
Web Site Blocking.” European Union (EU) officials want to debar suspicious websites as part of a 6-
point plan to boost joint antiterrorism activities. They want to block websites that incite terrorist
action. Once again it is underlined that monitoring calls, Internet and E-Mail traffic for law
enforcement purposes is a task vested in the government, which must reimburse carriers and providers
for retaining the data.
3. CoE Cyber Crime Convention (1997–2001) was the first international treaty seeking to address
Internet crimes by harmonizing national laws, improving investigative techniques and increasing
cooperation among nations. More than 40 countries have ratified the Convention to date.

Cybercrime and the Extended Enterprise:

It is a continuing problem that the average user is not adequately educated to understand the threats
and how to protect oneself. Actually, it is the responsibility of each user to become aware of the threats as
well as the opportunities that “connectivity” and “mobility” presents them with. In this context, it is important
[Type here]

to understand the concept of “extended enterprise.” This term represents the concept that a company is made
up not just of its employees, its board members and executives, but also its business partners, its suppliers and
even its customers.

Figure: Extended Enterprise

The extended enterprise can only be successful if all of the component groups and individuals have
the information they need in order to do business effectively. An extended enterprise is a “loosely coupled,
self- organizing network” of firms that combine their economic output to provide “products and services”
offerings to the market. Firms in the extended enterprise may operate independently. Seamless flow of
“information” to support instantaneous “decision-making ability” is crucial for the “external enterprise”. This
becomes possible through the “interconnectedness”. Due to the interconnected features of information &
communication technologies, security overall can only be fully promoted when the users have full awareness
of existing threats & dangers.
Given the promises and challenges in the extended enterprise scenario, organizations in the
international community have a special role in sharing information on good practices and creating open and
accessible enterprise information flow channels for exchanging of ideas in a collaborative manner.
CYBERCRIME ERA: SURVIVAL MANTRA FOR THE NETIZENS
The term “Netizen” was coined by Michael Hauben. Quite simply, “Netizens” are the Internet users.
Therefore, by corollary, “Netizen” is someone who spends considerable time online and also has a
considerable presence online (through websites about the person, through his/her active blog contribution
and/or also his/her participation in the online chat rooms). The 5P Netizen mantra for online security is:
a. Precaution
b. Prevention
c. Protection
d. Preservation
e. Perseverance
For ensuring cyber safety, the motto for the “Netizen” should be “Stranger is Danger!” If you
[Type here]

protect your customer’s data, your employee’s privacy and your own company, then you are doing your job
in the grander scheme of things to regulate and enforce rules on the Net through our community. NASSCOM
urges that cybercrime awareness is important, and any matter should be reported at once. This is the reason
they have established cyberlabs across major cities in India
More importantly, users must try and save any electronic information trail on their computers.
That is all one can do until laws become more stringent or technology more advanced. Some agencies have
been advocating for the need to address protection of the Rights of Netizens. There are agencies that are
trying to provide guidance to innocent victims of cybercrimes. However, these NGO like efforts cannot
provide complete support to the victims of cybercrimes and are unable to get the necessary support from the
Police. There are also a few incidents where Police have pursued false cases on innocent IT professionals.
The need for a statutorily empowered agency to protect abuse of ITA 2000 in India was, therefore, a felt need
for quite some time.

Module II: Cyber Offenses

How Criminals Plan Them – Introduction, How Criminals Plan The Attacks, Social Engineering, and Cyber
Stalking, Cyber Cafe And Cybercrimes, Botnets: The Fuel For Cybercrime, Attack Vector Cloud Computing.
Learning Objectives
⦿ Understand different types of cyber attacks.
⦿ Get an overview of the steps involved in planning cybercrime.
⦿ Understand tools used for gathering information about the target.
⦿ Get an overview on social engineering – what and how.
⦿ Learn about the role of cybercafés in cybercrime.
⦿ Understand what cyber stalking is.
⦿ Learn about Botnets and attack vector.
⦿ Get an overview on cloud computing – what and how.
How Criminals Plan Them –Introduction
 Technology is a “double-edged sword” as it can be used for both good and bad purposes
 People with the tendency to cause damages or carrying out illegal activities will use it for bad purpose.
 Computers and tools available in IT are also used as either target of offense.
 In today’s world of Internet and computer networks, a criminal activity can be carried out across
national borders.
 Chapter 1 provided an overview of hacking, cyber terrorism, network intrusions, password sniffing,
[Type here]

computer viruses, etc. They are the most commonly occurring crimes that target the computer.
 Cybercriminal use the World Wide Web and Internet to an optimum level for all illegal activities to
store data, contacts, account information, etc.
 The criminals take advantage of the widespread lack of awareness about cybercrimes and cyber laws
among the people who are constantly using the IT infrastructure for official and personal purposes.
 People who commit cybercrimes are known as “Crackers” (Box 2.1).
Box 2.1 | Hackers, Crackers and Phreakers
Hacker: A hacker is a person with a strong interest in computers who enjoys learning and experimenting with
them. Hackers are usually very talented, smart people who understand computers better than others. The term
is often confused with cracker that defines someone who breaks into computers (refer to Box 2.2).
Brute force hacking: It is a technique used to find passwords or encryption keys. Brute force hacking involves
trying every possible combination of letters, numbers, etc., until the code is broken.
Cracker: A cracker is a person who breaks into computers. Crackers should not be confused with hackers.
The term “cracker” is usually connected to computer criminals. Some of their crimes include vandalism, theft
and snooping in unauthorized areas.
Cracking: It is the act of breaking into computers. Cracking is a popular, growing subject on the Internet.
Many sites are devoted to supplying crackers with programs that allow them to crack computers. Some of
these programs contain dictionaries for guessing passwords. Others are used to break into phone lines (called
“phreaking”). These sites usually display warnings such as “These files are illegal; we are not responsible for
what you do with them.”
Cracker tools: These are programs used to break into computers. Cracker tools are widely distributed on the
Internet. They include password crackers, Trojans, viruses, war dialers and worms.
Phreaking: This is the notorious art of breaking into phone or other communication systems. Phreaking sites
on the Internet are popular among crackers and other criminals.
War dialer: Program automatically dials phone numbers looking for computers on the other end. It catalogs
numbers so that the hackers can call back and try to break in. An attacker would look to exploit the
vulnerabilities in the networks, most often so because the networks are not adequately protected.

The categories of vulnerabilities that hackers typically search for are the following:
 Inadequate border protection (border as in the sense of network periphery);
 remote access servers (RASs) with weak access controls;
[Type here]

 application servers with well-known exploits;

 misconfigured systems and systems with default configurations.
To help the reader understand the network attack scenario, Fig. 2.2 illustrates a small network highlighting
specific occurrences of several vulnerabilities described above.

Box 2.2 | What Color is Your Hat in the Security World?

A black hat is also called a “cracker” or “dark side hacker.” Such a person is a malicious or criminal hacker.
Typically, the term “cracker” is used within the security industry. However, the general public uses the term
hacker to refer to the same thing. In computer terminology, the meaning of “hacker” can be much broader.
The name comes from the opposite of “white hat hackers.”
A white hat hacker is considered an ethical hacker. In the realm of IT, a “white hat hacker” is a person who is
ethically opposed to the abuse of computer systems. It is said that the term is derived from American western
movies, where the protagonist typically wore a white cowboy hat and the antagonist typically wore a black
one. As a simplified explanation, a “white hat” generally focuses on securing IT systems, whereas a “black
hat” (the opposite) would like to break into them, so this sounds like an age-old game of a thief and a police.
A brown hat hacker is one who thinks before acting or committing a malice or non-malice deed. A grey hat
commonly refers to a hacker who releases information about any exploits or security holes he/she finds
openly to the public. He/she does so without concern for how the information is used in the end (whether for
patching or exploiting).

2.1.1 Categories of Cybercrime

Cybercrime can be categorized based on the following:
1. The target of the crime and
2. Whether the crime occurs as a single event or as a series of events.
Cybercrime can be targeted against individuals (persons), assets (property) and/or organizations
(government, business and social).

 Crimes targeted at individuals: The goal is to exploit human weakness such as greed and naivety. These
crimes include financial frauds, sale of non-existent or stolen items, child pornography (explained in
Section 1.5.13, Chapter 1), copyright violation, harassment, etc. with the development in the IT and the
Internet; thus, criminals have a new tool that allows them to expand the pool of potential victims.
However, this also makes difficult to trace and apprehend the criminals.
 Crimes targeted at property: This includes stealing mobile devices such as cell phone, laptops, personal
digital assistant (PDAs), and removable medias (CDs and pen drives); transmitting harmful programs
[Type here]

that can disrupt functions of the systems and/or can wipe out data from hard disk, and can create the
malfunctioning of the attached devices in the system such as modem, CD drive, etc.
 Crimes targeted at organizations: Cyber terrorism is one of the distinct crimes against organizations/
governments. Attackers (individuals or groups of individuals) use computer tools and the Internet to
usually terrorize the citizens of a particular country by stealing the private information, and also to
damage the programs and fi les or plant programs to get control of the network and/or system (see Box
2.3).
 Single event of cybercrime: It is the single event from the perspective of the victim. For example,
unknowingly open an attachment that may contain virus that will infect the system (PC/laptop). This is
known as hacking or fraud.
 Series of events: This involves attacker interacting with the victims repetitively. For example, attacker
interacts with the victim on the phone and/or via chat rooms to establish relationship first and then they
exploit that relationship to commit the sexual assault.

Box 2.3 | Patriot Hacking

Patriot hacking[1] also known as Digital Warfare, is a form of vigilante computer systems’ cracking done by
individuals or groups (usually citizens or supports of a country) against a real or perceived threat.
Traditionally, Western countries, that is, developing countries, attempts to launch attacks on their perceived
enemies.
Although patriot hacking is declared as illegal in the US, however, it is reserved only for government agencies
[i.e., Central Intelligence Agency (CIA) and National Security Agency (NSA)] as a legitimate form of attack
and defense. Federal Bureau of Investigation (FBI) raised the concern about rise in cyber attacks like website
defacements (explained in Box 1.4, Chapter1) and denial-of-service attacks (DoS – refer to Section 4.9,
Chapter 4), which adds as fuel into increase in international tension and gets mirrored it into the online world.
After the war in Iraq in 2003, it is getting popular in the North America, Western Europe and Israel. These are
countries that have the greatest threat to Islamic terrorism and its aforementioned digital version.
The People’s Republic of China is allegedly making attacks upon the computer networks of the US and the
UK. Refer to Box 5.15 in Chapter 5. For detailed information visit www.patriothacking.com

2.2 How Criminals Plan the Attacks

 Criminals use many methods and tools to locate the vulnerabilities of their target.
 The target can be an individual and/or an organization.
 Criminals plan passive and active attacks
 Active attacks are usually used to alter the system (i.e., computer network) whereas
[Type here]

 Passive attacks attempt to gain information about the target.

 Active attacks may affect the availability, integrity and authenticity of data whereas
 Passive attacks lead to violation of confidentiality.
The following phases are involved in planning cybercrime:
1. Reconnaissance (information gathering) is the first phase and is treated as passive attacks.
2. Scanning and scrutinizing the gathered information for the validity of the information as well as to identify
the existing vulnerabilities.
3. Launching an attack (gaining and maintaining the system access).

2.2.1 Reconnaissance (reconnaissance= 9 ఘ a)

 The literal meaning of “Reconnaissance” is an act of finding something or somebody

(especially to gain information about an enemy or potential enemy).
 In the world of “hacking,” reconnaissance phase begins with “Foot printing” – this is the preparation
toward pre-attack phase, and involves accumulating data about the target’s environment and computer
architecture to find ways to intrude into that environment.
 Foot printing gives an overview about system vulnerabilities and provides a judgment about possible
exploitation of those vulnerabilities.
 The objective of this preparatory phase is to understand the system, its networking ports and services,
and any other aspects of its security that are needful for launching the attack.
 Thus, an attacker attempts to gather information in two phases: passive and active attacks. Let us
understand these two phases.

2.2.2 Passive Attacks

A passive attack involves gathering information about a target without his/her (individual’s or company’s)
knowledge. It can be as simple as watching a building to identify what time employees enter the building
premises. However, it is usually done using Internet searches or by Googling (i.e., searching the required
information with the help of search engine Google) an individual or company to gain information.
1. Google or Yahoo search: People search to locate information about employees.
2. Surfing online community groups like Orkut/Facebook will prove useful to gain the information about an
individual.
3. Organization’s website may provide a personnel directory or information about key employees, for
example, contact details, E-Mail address, etc. These can be used in a social engineering attack to reach the
target (see Section 2.3).
4. Blogs, newsgroups, press releases, etc. are generally used as the mediums to gain information about the
[Type here]

company or employees.

2.2.3 Active Attacks

An active attack involves probing the network to discover individual hosts to confirm the information (IP
addresses, operating system type and version, and services on the network) gathered in the passive attack
phase. It involves the risk of detection and is also called “Rattling the doorknobs” or “Active reconnaissance.”
Active reconnaissance can provide confirmation to an attacker about security measures in place (e.g., whether
the front door is locked?), but the process can also increase the chance of being caught or raise a suspicion.

2.2.4 Scanning and Scrutinizing Gathered Information

Scanning is a key step to examine intelligently while gathering information about the target.
The objectives of scanning are as follows:
1. Port scanning: Identify open/close ports and services. Refer to Box 2.5.
2. Network scanning: Understand IP Addresses and related information about the computer network systems.
3. Vulnerability scanning: Understand the existing weaknesses in the system.

2.2.5 Attack (Gaining and Maintaining the System Access)

After the scanning and enumeration, the attack is launched using the following steps:
1. Crack the password.
2. Exploit the privileges.
3. Execute the malicious commands/applications.
4. Hide the files (if required).
5. Cover the tracks – delete the access logs, so that there is no trail illicit activity.

2.3 Social Engineering

Social engineering is the “technique to influence” and “persuasion to deceive” people to obtain the information
or perform some action.
 Social engineers exploit the natural tendency of a person to trust social engineers’ word, rather than
exploiting computer security holes.
 It is generally agreed that people are the weak link in security and this principle makes social
engineering possible.
 A social engineer usually uses telecommunication (i.e., telephone and/or cell phone) or Internet to get
[Type here]

them to do something that is against the security practices and/or policies of the organization.
 Social engineering involves gaining sensitive information or unauthorized access privileges by building
inappropriate trust relationships with insiders.
 It is an art of exploiting the trust of people, which is not doubted while speaking in a normal manner.
 The goal of a social engineer is to fool someone into providing valuable information or access to that
information.
 Social engineer studies the human behavior so that people will help because of the desire to be helpful,
the attitude to trust people, and the fear of getting into trouble.
 The sign of truly successful social engineers is that they receive information without any suspicion.
 A simple example is calling a user and pretending to be someone from the service desk working on a
network issue; the attacker then proceeds to ask questions about what the user is working on, what file
shares he/she uses, what his/her password is, and so on… (see Box 2.6).

Box 2.6 | Social Engineering Example

Mr. Joshi: Hello?
The Caller: Hello, Mr. Joshi. This is Geeta Thomas from Tech Support. Due to some disk space constraints on
the file server, we will be moving few user’s home directories to another disk. This activity will be performed
tonight at 8:00 p.m. Your account will be a part of this move and will be unavailable temporarily.
Mr. Joshi: Ohh … okay. I will be at my home by then, anyway.
Caller: Great!!! Please ensure to log off before you leave office. We just need to check a couple
of things. What is your username?
Mr. Joshi: Username is “pjoshi.” None of my files will be lost in the move, right?
Caller: No sir. But we will have to check your account to ensure the same. What is the password of that
account?
Mr. Joshi: My password is “ABCD1965,” all characters in upper case.
Caller: Ok, Mr. Joshi. Thank you for your cooperation. We will ensure that all the files are there.
Mr. Joshi: Thank you. Bye.
Caller: Bye and have a nice day.

2.3.1 Classification of Social Engineering Human-Based Social Engineering

Human-based social engineering refers to person-to-person interaction to get the required/desired information.
An example is calling the help desk and trying to find out a password.
1. Impersonating an employee or valid user:
 “Impersonation” is perhaps the greatest technique used by social engineers to deceive people.
[Type here]

 Social engineers “take advantage” of the fact that most people are basically helpful, so it seems
harmless to tell someone who appears to be lost where the computer room is located, or to let someone
into the building who “forgot” his/her badge, etc., or pretending to be an employee or valid user on the
system.
2. Posing as an important user:
 The attacker pretends to be an important user – for example, a Chief Executive Officer (CEO) or high-
level manager who needs immediate assistance to gain access to a system.
 The attacker uses intimidation so that a lower-level employee such as a help-desk worker will help
him/her in gaining access to the system. Most of the low-level employees will not ask any question to
someone who appears to be in a position of authority.
3. Using a third person:
 An attacker pretends to have permission from an authorized source to use a system. This trick is useful
when the supposed authorized personnel is on vacation or cannot be contacted for verification.
4. Calling technical support:
 Calling the technical support for assistance is a classic social engineering example.
 Help-desk and technical support personnel are trained to help users, which makes them good prey for
social engineering attacks.
5. Shoulder surfing:
 It is a technique of gathering information such as usernames and passwords by watching over a
person’s shoulder while he/she logs into the system, thereby helping an attacker to gain access to the
system.
6. Dumpster diving:
 It involves looking in the trash for information written on pieces of paper or computer printouts.
 This is a typical North American term; it is used to describe the practice of rummaging through
commercial or residential trash to find useful free items that have been discarded.
 It is also called dumpstering, binning, trashing, garbing or garbage gleaning.
 “Scavenging” is another term to describe these habits.
 In the UK, the practice is referred to as “ binning” or “skipping” and the person doing it is a “binner”
or a “skipper.”

Computer-Based Social Engineering

Computer-based social engineering refers to an attempt made to get the required/desired information by using
computer software/Internet.
For example, sending a fake E-Mail to the user and asking him/her to re-enter a password in a webpage to
[Type here]

confirm it.
1. Fake E-Mails:
 The attacker sends fake E-Mails (see Box 2.7) to users in such that the user finds it as a real e-mail.
 This activity is also called “Phishing”.
 It is an attempt to attract the Internet users (netizens) to reveal their personal information, such as
usernames, passwords and credit card details by impersonating as a trustworthy and legitimate
organization or an individual.
 Banks, financial institutes and payment gateways are the common targets.
 Phishing is typically carried out through E-Mails or instant messaging and often directs users to enter
details at a website, usually designed by the attacker with abiding the look and feel of the original
website.
 Thus, Phishing is also an example of social engineering techniques used to fool netizens.
 The term “Phishing” has been evolved from the analogy that Internet scammers are using E-Mails
attract to fish for passwords and financial data from the sea of Internet users (i.e., netizens).
 The term was coined in 1996 by hackers who were stealing AOL Internet accounts by scamming
passwords without the knowledge of AOL users.
 As hackers have a tendency of replacing “f” with “ph,” the term “Phishing” came into being.
2. E-Mail attachments:
 E-Mail attachments are used to send malicious code to a victim’s system, which will automatically
(e.g., keylogger utility to capture passwords) get executed.
 Viruses, Trojans, and worms can be included cleverly into the attachments to entice a victim to open
the attachment.
3. Pop-up windows:
Pop-up windows are also used, in a similar manner to E-Mail attachments. Pop-up windows with special
offers or free stuff can encourage a user to unintentionally install malicious software.

2.4 Cyber stalking

 The dictionary meaning of “stalking” is an “act or process of following prey stealthily – trying to
approach somebody or something.”
 Cyber stalking has been defined as the use of information and communications technology, particularly
the Internet, by an individual or group of individuals to harass another individual, group of individuals,
or organization.
 The behavior includes false accusations, monitoring, transmission of threats, ID theft, damage to data
or equipment, solicitation of minors for sexual purposes, and gathering information for harassment
[Type here]

purposes.
 Cyberstalking refers to the use of Internet and/or other electronic communications devices to stalk
another person.
 It involves harassing or threatening behavior that an individual will conduct repeatedly, for example,
following a person, visiting a person’s home and/or at business place, making phone calls, leaving
written messages, or vandalizing against the person’s property. As the Internet has become an integral
part of our personal and professional lives, cyberstalkers take advantage of ease of communication and
an increased access to personal information available with a few mouse clicks or keystrokes.
2.4.1 Types of Stalkers
There are primarily two types of stalkers.
1. Online stalkers:
 They aim to start the interaction with the victim directly with the help of the Internet.
 E-Mail and chat rooms are the most popular communication medium to get connected with the victim,
rather than using traditional instrumentation like telephone/cell phone.
 The stalker makes sure that the victim recognizes the attack attempted on him/her.
 The stalker can make use of a third party to harass the victim.
2. Offline stalkers:
 The stalker may begin the attack using traditional methods such as following the victim, watching the
daily routine of the victim, etc.
 Searching on message boards/newsgroups, personal websites, and people finding services or websites
are most common ways to gather information about the victim using the Internet.
 The victim is not aware that the Internet has been used to perpetuate an attack against them.
2.4.2 Cases Reported on Cyberstalking
 The majority of cyberstalkers are men and the majority of their victims are women.
 Some cases also have been reported where women act as cyberstalkers and men as the victims as well
as cases of same-sex cyberstalking.
 In many cases, the cyberstalker and the victim hold a prior relationship, and the cyberstalking begins
when the victim attempts to break off the relationship, for example, ex-lover, ex-spouse,
boss/subordinate, and neighbor.
 However, there also have been many instances of Cyberstalking by strangers.
2.4.3 How Stalking Works?
It is seen that stalking works in the following ways:
1. Personal information gathering about the victim: Name; family background; contact details such as
cell phone and telephone numbers (of residence as well as office); address of residence as well as of
[Type here]

the office; E-Mail address; date of birth, etc.

2. Establish a contact with victim through telephone/cell phone. Once the contact is established, the
stalker may make calls to the victim to threaten/harass.
3. Stalkers will almost always establish a contact with the victims through E-Mail. The letters may have
the tone of loving, threatening or can be sexually explicit. The stalker may use multiple names while
contacting the victim.
4. Some stalkers keep on sending repeated E-Mails asking for various kinds of favors or threaten the
victim.
5. The stalker may post the victim’s personal information on any website related to illicit services such
as sex-workers’ services or dating services, posing as if the victim has posted the information and
invite the people to call the victim on the given contact details (telephone numbers/cell phone
numbers/E-Mail address) to have sexual services. Whosoever comes across the information, start
calling the victim on the given contact details ( telephone/cell phone nos), asking for sexual services
or relationships.
6. Some stalkers subscribe/register the E-Mail account of the victim to innumerable pornographic and
sex sites, because of which victim will start receiving such kind of unsolicited E-Mails.
2.4.4 Real-Life Incident of Cyberstalking Case Study
The Indian police have registered first case of cyberstalking in Delhi – the brief account of the case has been
mentioned here. To maintain confidentiality and privacy of the entities involved, we have changed their
names.
 Mrs. Joshi received almost 40 calls in 3 days mostly at odd hours from as far away as Kuwait,
Cochin, Bombay, and Ahmadabad.
 The said calls created havoc in the personal life destroying mental peace of Mrs. Joshi who decided
to register a complaint with Delhi Police.
 A person was using her ID to chat over the Internet at the website www.mirc.com, mostly in the
Delhi channel for four consecutive days.
 This person was chatting on the Internet, using her name and giving her address, talking in obscene
language.
 The same person was also deliberately giving her telephone number to other chatters encouraging
them to call Mrs. Joshi at odd hours.
 This was the first time when a case of cyberstalking was registered.
 Cyberstalking does not have a standard definition but it can be defined to mean threatening,
unwarranted behavior, or advances directed by one person toward another person using Internet and
other forms of online communication channels as medium.
[Type here]

Box 2.8 | Cyberbullying

 The National Crime Prevention Council defi nes Cyberbullying as “when the Internet, cell phones or
other devices are used to send or post text or images intended to hurt or embarrass another person.”
 www.StopCyberbullying.org, an expert organization dedicated to Internet safety, security, and privacy
defi nes cyberbullying as “a situation when a child, tween, or teen is repeatedly ‘tormented, threatened,
harassed, humiliated, embarrassed, or otherwise targeted’ by another child, tween, or teen using text
messaging, E-Mail, instant messaging, or any other type of digital technology.”
 The practice of cyberbullying is not limited to children and, while the behavior is identified by the
same definition in adults, the distinction in age groups is referred to as cyberstalking or cyber
harassment when perpetrated by adults toward adults. Source: http://en.wikipedia.org/wiki/Cyber-
bullying (2 April 2009).

2.5 Cybercafe and Cybercrimes

In February 2009, Nielsen survey on the profile of cybercafes users in India, it was found that 90% of the
audience, across eight cities and 3,500 cafes, were male and in the age group of 15–35 years; 52% were
graduates and postgraduates, though almost over 50% were students.
Hence, it is extremely important to understand the IT security and governance practiced in the cybercafes.
 In the past several years, many instances have been reported in India, where cybercafes are known to
be used for either real or false terrorist communication.
 Cybercrimes such as stealing of bank passwords and subsequent fraudulent withdrawal of money have
also happened through cybercafes.
 Cybercafes have also been used regularly for sending obscene mails to harass people.
 Public computers, usually referred to the systems, available in cybercafes, hold two types of risks.
 First, we do not know what programs are installed on the computer – that is, risk of malicious programs
such as keyloggers or Spyware, which maybe running at the background that can capture the
keystrokes to know the passwords and other confidential information and/or monitor the browsing
behavior.
 Second, over-the-shoulder surfing can enable others to find out your passwords. Therefore, one has to
be extremely careful about protecting his/her privacy on such systems, as one does not know who will
use the computer after him/her.
 Indian Information Technology Act (ITA) 2000, does not define cybercafes and interprets cybercafes
as “network service providers” referred to under the Section 79, which imposed on them a
responsibility for “due diligence” failing which they would be liable for the offenses committed in their
[Type here]

network.
 Cybercriminals prefer cybercafes to carry out their activities.
 The criminals tend to identify one particular personal computer (PC) to prepare it for their use.
 Cybercriminals can either install malicious programs such as keyloggers and/or Spyware or launch an
attack on the target.
 Cybercriminals will visit these cafes at a particular time and on the prescribed frequency, maybe
alternate day or twice a week.
 A recent survey conducted in one of the metropolitan cities in India reveals the following facts:
 Pirated software(s) such as OS, browser, office automation software(s) (e.g., Microsoft Office) are
installed in all the computers.
 Antivirus software is found to be not updated to the latest patch and/or antivirus signature.
 Several cybercafes had installed the software called “Deep Freeze” for protecting the computers from
prospective malware attacks. Deep Freeze can wipe out the details of all activities carried out on the
computer when one clicks on the “restart” button. Such practices present challenges to the police or
crime investigators when they visit the cybercafes to pick up clues after the Interet Service Provider
(ISP) points to a particular IP address from where a threat mail was probably sent or an online Phishing
attack was carried out, to retrieve logged files.
 Annual maintenance contract (AMC) found to be not in a place for servicing the computers; hence,
hard disks for all the computers are not formatted unless the computer is down. Not having the AMC is
a risk from cybercrime perspective because a cybercriminal can install a Malicious Code on a computer
and conduct criminal activities without any interruption.
 Pornographic websites and other similar websites with indecent contents are not blocked.
 Cybercafe owners have very less awareness about IT Security and IT Governance.
 Government/ISPs/State Police (cyber cell wing) do not seem to provide IT Governance guidelines to
cybercafe owners.
 Cybercafe association or State Police (cyber cell wing) do not seem to conduct periodic visits to
cybercafes – one of the cybercafe owners whom we interviewed expressed a view that the police will
not visit a cybercafe unless criminal activity is registered by filing an First Information Report (FIR).
Cybercafe owners feel that police either have a very little knowledge about the technical aspects
involved in cybercrimes and/or about conceptual understanding of IT security. There are thousands of
cybercafes across India.

In the event that a central agency takes up the responsibility for monitoring cybercafes, an individual should
take care while visiting and/or operating from cybercafe. Here are a few tips for safety and security while
[Type here]

using the computer in a cybercafe:

1. Always logout:
2. Stay with the computer:
3. Clear history and temporary files:
4. Be alert:
5. Avoid online financial transactions:
6. Change passwords:
7. Use Virtual keyboard:
8. Security warnings:

2.6 Botnets: The Fuel for Cybercrime

2.6.1 Botnet
 The dictionary meaning of Bot is “(computing) an automated program for doing some particular task,
often over a network.”
 Botnet is a term used for collection of software robots, or Bots, that run autonomously and
automatically.
 The term is often associated with malicious software but can also refer to the network of computers
using distributed computing software.
 In simple terms, a Bot is simply an automated computer program One can gain the control of computer
by infecting them with a virus or other Malicious Code that gives the access.
 Computer system maybe a part of a Botnet even though it appears to be operating normally.
 Botnets are often used to conduct a range of activities, from distributing Spam and viruses to
conducting denial-of-service (DoS) attacks.
 A Botnet (also called as zombie network) is a network of computers infected with a malicious program
that allows cybercriminals to control the infected machines remotely without the users’ knowledge.
 “Zombie networks” have become a source of income for entire groups of cybercriminals. The
invariably low cost of maintaining a Botnet and the ever diminishing degree of knowledge required to
manage one are conducive to the growth in popularity and, consequently, the number of Botnets.
 If someone wants to start a “business” and has no programming skills, there are plenty of “Bot for sale”
offers on forums.
 ‘encryption of these programs’ code can also be ordered in the same way to protect them from
detection by antivirus tools.
 Another option is to steal an existing Botnet. Figure 2.8 explains how Botnets create business.
 One can reduce the chances of becoming part of a Bot by limiting access into the system.
[Type here]

 Leaving your Internet connection ON and unprotected is just like leaving the front door of the house
wide open.
One can ensure following to secure the system:
 Use antivirus and anti-Spyware software and keep it up-to-date:
 Set the OS to download and install security patches automatically:
 Use a firewall to protect the system from hacking attacks while it is connected on the Internet: A
firewall is a software and/or hardware that is designed to block unauthorized access while permitting
authorized communications.
 Disconnect from the Internet when you are away from your computer:
 Downloading the freeware only from websites that are known and trustworthy:
 Check regularly the folders in the mail box – “sent items” or “outgoing” – for those messages you did
not send:
 Take an immediate action if your system is infected:
Box 2.9 | Technical Terms
Malware: It is malicious software, designed to damage a computer system without the owner’s informed
consent. Viruses and worms are the examples of malware.
Adware: It is advertising-supported software, which automatically plays, displays, or downloads
advertisements to a computer after the software is installed on it or while the application is being used. Few
Spywares are classifi ed as Adware.
Spam: It means unsolicited or undesired E-Mail messages
Spamdexing: It is also known as search Spam or search engine Spam. It involves a number of methods, such
as repeating unrelated phrases, to manipulate the relevancy or prominence of resources indexed by a search
engine in a manner inconsistent with the purpose of the indexing system.
DDoS: Distributed denial-of-service attack (DDoS) occurs when multiple systems flood the bandwidth or
resources of a targeted system, usually one or more web servers. These systems are compromised by attackers
using a variety of methods.
2.7 Attack Vector
 An “attack vector” is a path, which an attacker can gain access to a computer or to a network server to
deliver a payload or malicious outcome.
 Attack vectors enable attackers to exploit system vulnerabilities, including the human element.
 Attack vectors include viruses, E-Mail attachments, webpages, pop-up windows, instant messages, chat
rooms, and deception. All of these methods involve programming (or, in a few cases, hardware), except
deception, in which a human operator is fooled into removing or weakening system defenses.
 To some extent, firewalls and antivirus software can block attack vectors.
[Type here]

 However, no protection method is totally attack-proof.

 A defense method that is effective today may not remain so for long because attackers are constantly
updating attack vectors, and seeking new ones, in their quest to gain unauthorized access to computers
and servers. Refer to Box 2.10.
 The most common malicious payloads are viruses (which can function as their own attack vectors),
Trojan Horses, worms, and Spyware.
 If an attack vector is thought of as a guided missile, its payload can be compared to the warhead in the
tip of the missile.
 In the technical terms, payload is the necessary data being carried within a packet or other transmission
unit – in this scenario (i.e., attack vector) payload means the malicious activity that the attack performs.
From the technical perspective, payload does not include the “overhead” data required to get the packet to its
destination. Payload may depend on the following point of view: “What constitutes it?” To a communications
layer that needs some of the overhead data to do its job, the payload is sometimes considered to include that
part of the overhead data that this layer handles. The attack vectors described here are how most of them are
launched.
 Attack by E-Mail: The content is either embedded in the message or linked to by the message.
Sometimes attacks combine the two vectors, so that if the message does not get you, the attachment
will. Spam is almost always carrier for scams, fraud, dirty tricks, or malicious action of some kind.
Any link that offers something “free” or tempting is a suspect.
 Attachments (and other files): Malicious attachments install malicious computer code. The code could
be a virus, Trojan Horse, Spyware, or any other kind of malware. Attachments attempt to install their
payload as soon as you open them.
 Attack by deception: Deception is aimed at the user/operator as a vulnerable entry point. It is not just
malicious computer code that one needs to monitor. Fraud, scams, and to some extent Spam, not to
mention viruses, worms and such require the unwitting cooperation of the computer’s operator to
succeed. Social engineering are other forms of deception that are often an attack vector too.
 Hackers: Hackers/crackers are a formidable attack vector because, unlike ordinary Malicious Code,
people are flexible and they can improvise. Hackers/crackers use variety of hacking tools, heuristics,
Cyberoffenses: How and social engineering to gain access to computers and online accounts. They
often install a Trojan Horse to commandeer the computer for their own use.
 Heedless guests (attack by webpage): Counterfeit websites are used to extract personal information.
Such websites look very much like the genuine websites they imitate. One may think he/she is doing
business with someone you trust. However, he/she is really giving their personal information, like
address, credit card number, and expiration date. They are often used in conjunction with Spam,
[Type here]

which gets you there in the first place. Pop-up webpages may install Spyware, Adware or Trojans.
 Attack of the worms: Many worms are delivered as E-Mail attachments, but network worms use holes
in network protocols directly. Any remote access service, like file sharing, is likely to be vulnerable to
this sort of worm. In most cases, a firewall will block system worms. Many of these system worms
install Trojan Horses.
 Malicious macros: Microsoft Word and Microsoft Excel are some of the examples that allow macros.
A macro does something like automating a spreadsheet, for example. Macros can also be used for
malicious purposes. All Internet services like instant messaging, Internet Relay Chart(IRC), and P2P
fi le-sharing networks rely on cozy connections between the computer and the other computers on the
Internet. If one is using P2P software then his/her system is more vulnerable to hostile exploits.
 Foistware (sneakware): Foistware is the software that adds hidden components to the system with
cunning nature. Spyware is the most common form of foistware. Foistware is partial- legal software
bundled with some attractive software. Sneak software often hijacks your browser and diverts you to
some “revenue opportunity” that the foistware has set up.
 Viruses: These are malicious computer codes that hitch a ride and make the payload. Nowadays, virus
vectors include E-Mail attachments, downloaded files, worms, etc.

Box 2.10 | Zero-Day Attack

A zero-day (or zero-hour) attack[17] is a computer threat which attempts to exploit computer application
vulnerabilities that are unknown to anybody in the world (i.e., undisclosed to the software vendor and
software users) and/or for which no patch (i.e., security fi x) is available. Zero-day exploits are used or shared
by attackers before the software vendor knows about the vulnerability.
Sometimes software vendors discover the vulnerability but developing a patch can take time. Alternatively,
software vendors can also hold releasing the patch reason to avoid the flooding the customers with numerous
individual updates. A “zero-day” attack is launched just on or before the first or “zeroth” day of vendor
awareness, reason being the vendor should not get any opportunity to communicate/distribute a security fix to
users of such software. If the vulnerability is not particularly dangerous, software vendors prefer to hold until
multiple updates (i.e., security fixes commonly known as patches) are collected and then release them
together as a package. Malware writers are able to exploit zero-day vulnerabilities through several different
attack vectors.
Zero-day emergency response team (ZERT): This is a group of software engineers who work to release non-
vendor patches for zero-day exploits. Nevada is attempting to provide support with the Zeroday Project at
www.zerodayproject.com, which purports to provide information on upcoming attacks and provide support to
vulnerable systems. Also, visit the weblink http://www.isotf.org/zert to get more information about it.
[Type here]

2.8 Cloud Computing

 The growing popularity of cloud computing and virtualization among organizations have made it
possible, the next target of cybercriminals.
 Cloud computing services, while offering considerable benefits and cost savings, move servers
outside the organizations security perimeter, which make it easier for cybercriminals to attack these
systems.
 Cloud computing is Internet (“cloud”)-based development and use of computer technology
(“computing”).
 The term cloud is used as a metaphor for the Internet, based on the cloud drawing used to depict the
Internet in computer networks.
 Cloud computing is a term used for hosted services delivered over the Internet.
A cloud service has three distinct characteristics which differentiate it from traditional hosting:
1. It is sold on demand – typically by the minute or the hour;
2. It is elastic in terms of usage – a user can have as much or as little of a service as he/she wants at any
given time;
3. The service is fully managed by the provider – a user just needs PC and Internet connection.
Significant innovations into distributed computing and virtualization as well as improved access speed over
the Internet have generated a great demand for cloud computing.

2.8.1 Why Cloud Computing?

The cloud computing has following advantages.
 Applications and data can be accessed from anywhere at any time. Data may not be held on a hard
drive on one user’s computer.
 It could bring hardware costs down. One would need the Internet connection.
 Organizations do not have to buy a set of software or software licenses for every employee and the
organizations could pay a metered fee to a cloud computing company.
 Organizations do not have to rent a physical space to store servers and databases. Servers and digital
storage devices take up space. Cloud computing gives the option of storing data on someone else’s
hardware, thereby removing the need for physical space on the front end.
 Organizations would be able to save money on IT support because organizations will have to ensure
about the desktop (i.e., a client) and continuous Internet connectivity instead of servers and other
hardware. The cloud computing services can be either private or public.
[Type here]

2.8.2 Types of Services

Services provided by cloud computing are as follows:
1. Infrastructure-as-a-service (IaaS): It is like Amazon Web Services that provide virtual servers with
unique IP addresses and blocks of storage on demand. Customers benefit from an Application
Programmable Interface (API) from which they can control their servers. As customers can pay for
exactly the amount of service they use, like for electricity or water, this service is also called utility
computing.
2. Platform-as-a-service (PaaS): It is a set of software and development tools hosted on the provider’s
servers. Developers can create applications using the provider’s APIs. Google Apps is one of the most
famous PaaS providers. Developers should take notice that there are not any interoperability
standards; therefore, some providers may not allow you to take your application and put it on another
platform.
3. Software-as-a-service (SaaS): It is the broadest market. In this case, the provider allows the customer
only to use its applications. The software interacts with the user through a user interface. These
applications can be anything from Web-based E-Mail to applications such as Twitter or Last.fm.

2.8.3 Cybercrime and Cloud Computing

Nowadays, prime area of the risk in cloud computing is protection of user data. Although cloud computing is
an emerging field, the idea has been evolved over few years.
Risks associated with cloud computing environment are as follows:
 Elevated user access-Any data processed outside the organization brings with it an inherent level of
risk
 Regulatory compliance-Cloud computing service providers are not able and/or not willing to undergo
external assessments.
 Location of the data-User doesn’t know where the data is stored or in which country it is hosted.
 Segregation of data-Data of one organization is scattered in different locations
 Recovery of the data-In case of any disaster, availability of the services and data is critical.
 Information security- violation reports Due to complex IT environment and several customers logging
in and logging out of the hosts, it becomes difficult to trace inappropriate and/or illegal activity
 Long-term viability- In case of any major change in the cloud computing service provider (e.g.,
acquisition and merger, partnership breakage), the service provided is at the stake.

MODULE III: Tools and Methods Used in Cybercrime

Introduction, Proxy Servers And Anonymizers, Phishing, Password Cracking, Key
[Type here]

Loggers And Spywares, Virus And Worms, Trojan Horses And Backdoors, Steganography,
DoS And DDoS Attacks, SQL Injection, Buffer Overflow, Attacks On Wireless Networks,
Phishing And Identity Theft: Introduction, Phishing, Identity Theft (ID Theft)
1. Introduction
2. Proxy Servers and Anonymizers,
3. Phishing
4. Password Cracking
5. Key loggers and Spywares
6. Virus and Worms
7. Trojan Horses and Backdoors
8. Steganography
9. DoS and DDoS Attacks
10. SQL Injection
11. Buffer Overflow
12. Attacks on Wireless Networks
13. Phishing and Identity Theft: Introduction - Phishing,
14. Identity Theft (ID Theft)
Introduction
Different forms of attacks through which attackers target the computer systems are as
follows:
1. Initial uncovering:
 Two steps are involved here.
i. In the first step called as reconnaissance, the attacker gathers
information about the target on the Internet websites.
ii. In the second step, the attacker finds the company’s internal
network, such as, Internet domain, machine names and the company’s
Internet Protocol (IP) address ranges to steal the data.
2. Network probe (investigation):
[Type here]

 At the network probe stage, the attacker scans the organization information
through a “ping sweep” of the network IP addresses.
 Then a “port scanning” tool is used to discover exactly which services are
running on the target system.
 At this point, the attacker has still not done anything that would be
considered as an abnormal activity on the network or anything that can be
classified as an intrusion.
3. Crossing the line toward electronic crime (E-crime):
 Once the attackers are able to access a user account, then they will attempt
further exploits to get an administrator or “root” access.
 Root access is a UNIX term and is associated with the system privileges
required to run all services and access all files on the system (readers are
expected to have a basic familiarity with Unix-based systems).
 “Root” is an administrator or super-user access and grants them the privileges
to do anything on the system.
4. Capturing the network:
 At this stage, the attacker attempts to “own” the network. The attacker gains the
internal network quickly and easily by target systems.
 The next step is to remove any evidence of the attack. The attacker will usually
install a set of tools that replace existing files and services with Trojan files
and services that have a backdoor password.
5. Grab the data:
 Now that the attacker has “captured the network,” he/she takes advantage of
his/her position to steal confidential data
6. Covering tracks:
 This is the last step in any cyber attack, which refers to the activities
undertaken by the attacker to extend misuse of the system without being
detected.
 The attacker can remain undetected for long periods.
 During this entire process, the attacker takes optimum care to hide his/her
identity (ID) from the first step itself.
[Type here]

Proxy Servers and Anonymizers

Proxy server is a computer on a network which acts as an intermediary for connection
with other computers on that network.
 The attacker first connects to a proxy server and establishes a connection with the
target system through existing connection with proxy.
 This enables an attacker to surf on the Web anonymously and/or hide the attack.
 A client connects to the proxy server and requests some services (such as a file,
webpage) available from a different server.
 The proxy server evaluates the request and provides the resource by establishing
the connection to the respective server and/or requests the required service on
behalf of the client.
 Using a proxy server can allow an attacker to hide ID (i.e., become
anonymous on the network).
A proxy server has following purposes:
1. Keep the systems behind the curtain (mainly for security reasons).
2. Speed up access to a resource (through “caching”). It is usually used to cache the
web pages from a web server.
3. Specialized proxy servers are used to filter unwanted content such as advertisements.
4. Proxy server can be used as IP address multiplexer to enable to connect number
of computers on the Internet, whenever one has only one IP address
 One of the advantages of a proxy server is that its cache memory can serve all
users.
 If one or more websites are requested frequently, may be by different users, it is
likely to be in the proxy’s cache memory, which will improve user response
time.
 An anonymizer or an anonymous proxy is a tool that attempts to make activity
on the Internet untraceable. It accesses the Internet on the user’s behalf,
protecting personal information by hiding the source computer’s identifying
information.
 Anonymizers are services used to make Web surfing anonymous by utilizing a
website that acts as a proxy server for the web client.
[Type here]

Phishing
“Phishing” refers to an attack using mail programs to deceive Internet users into disclosing
confidential information that can be then exploited for illegal purposes.
 While checking electronic mail (E-Mail) one day a user finds a message from the bank
threatening to close the bank account if he/she does not reply immediately.
 Although the message seems to be suspicious from the contents of the message, it is
difficult to conclude that it is a fake/false E-Mail.
 This message and other such messages are examples of Phishing – in addition to
stealing personal and financial data – and can infect systems with viruses and also a
method of online ID theft in various cases.
 These messages look authentic and attempt to get users to reveal their personal
information.
 It is believed that Phishing is an alternative spelling of “fishing,” as in “to fish for
information.”
 The first documented use of the word “Phishing” was in 1996.

How Phishing Works?

Phishers work in the following ways:
1. Planning: Criminals, usually called as phishers, decide the target.
2. Setup: Once phishers know which business/business house to spoof and who
their victims.
3. Attack: the phisher sends a phony message that appears to be from a reputable source.
4. Collection: Phishers record the information of victims entering into webpages or
pop- up windows.
5. Identity theft and fraud: Phishers use the information that they have gathered to
make illegal purchases or commit fraud.
Nowadays, more and more organizations/institutes provide greater online access for
their customers and hence criminals are successfully using Phishing techniques to steal
personal information and conduct ID theft at a global level.
[Type here]

Password Cracking
 Password is like a key to get an entry into computerized systems like a lock.
 Password cracking is a process of recovering passwords from data that have been
stored in or transmitted by a computer system.
 Usually, an attacker follows a common approach – repeatedly making guesses for
the password.
The purpose of password cracking is as follows:
1. To recover a forgotten password.
2. As a preventive measure by system administrators to check for easily
crackable passwords.
3. To gain unauthorized access to a system.
Manual password cracking is to attempt to logon with different passwords. The attacker
follows the following steps:
1. Find a valid user account such as an Administrator or Guest;
2. create a list of possible passwords;
3. rank the passwords from high to low probability;
4. key-in each password;
5. try again until a successful password is found.
Passwords can be guessed sometimes with knowledge of the user’s personal
information. Examples of guessable passwords include:
1. Blank (none);
2. the words like “password,” “passcode” and “admin”;
3. series of letters from the “QWERTY” keyboard, for example, qwerty, asdf or
qwertyuiop;
4. user’s name or login name;
5. name of user’s friend/relative/pet;
6. user’s birthplace or date of birth, or a relative’s or a friend’s;
7. user’s vehicle number, office number, residence number or mobile number;
8. name of a celebrity who is considered to be an idol (e.g., actors, actress, spiritual
gurus) by the user;
[Type here]

 An attacker can also create a script file (i.e., automated program) which will be
executed to try each password in a list.
 This is still considered manual cracking, is time-consuming and not usually effective.
 Passwords are stored in a database and password verification process is established
into the system when a user attempts to login or access a restricted resource.
 To ensure confidentiality of passwords, the password verification data is usually
not stored in a clear text format.
 For example, one-way function (which may be either an encryption
function or a cryptographic hash) is applied to the password, possibly in combination
with other data, and the resulting value is stored.
 When a user attempts to login to the system by entering the password, the same
function is applied to the entered value and the result is compared with the stored
value. If they match, user gains the access; this process is called authentication.
The most commonly used hash functions can be computed rapidly and the attacker can test
these hashes with the help of passwords cracking tools (see Table 4.3) to get the plain text
password.
Password cracking attacks can be classified under three categories as follows:
1. Online attacks;
2. offline attacks;
3. non-electronic attacks (e.g., social engineering, shoulder surfing and dumpster diving).
Online Attacks
 An attacker can create a script file that will be executed to try each password in a list
and when matches, an attacker can gain the access to the system.
 The most popular online attack is man-in-the middle (MITM) attack, also termed as
“bucket- brigade attack” or sometimes “Janus attack.”
 It is a form of active stealing in which the attacker establishes a connection between a
victim and the server to which a victim is connected.
 When a victim client connects to the fraudulent server, the MITM server intercepts the
call, hashes the password and passes the connection to the victim server (e.g., an
attacker within reception range of an unencrypted Wi-Fi wireless access point can
insert himself as a man-in- the-middle).
[Type here]

 This type of attack is used to obtain the passwords for E-Mail accounts on public
websites such as Yahoo, Hotmail and Gmail and can also used to get the
passwords for financial websites that would like to gain the access to banking
websites.

Offline Attacks
 Mostly offline attacks are performed from a location other than the target (i.e.,
either a computer system or while on the network) where these passwords reside or are
used.
 Offline attacks usually require physical access to the computer and copying the
password file from the system onto removable media.

Password guidelines.
1. Passwords used for business E-Mail accounts, personal E-Mail accounts and
banking/financial user accounts should be kept separate.
2. Passwords should be of minimum eight alphanumeric characters (common names
or phrases should be phrased).
3. Passwords should be changed every 30/45 days.
4. Passwords should not be shared with relatives and/or friends.
5. Password used previously should not be used while renewing the password.
6. Passwords of personal E-Mail accounts and banking/financial user accounts
should be changed from a secured system, within couple of days, if these E-
Mail accounts has been accessed from public Internet facilities such as
cybercafes/hotels/libraries.
7. Passwords should not be stored under mobile phones/PDAs, as these devices are also
prone to cyberattacks.
8. In case E-Mail accounts/user accounts have been hacked, respective agencies/institutes
should be contacted immediately.
[Type here]

Keyloggers and Spywares

 Keystroke logging, often called keylogging, is the practice of noting (or logging) the
keys struck on a keyboard, typically in a covert manner so that the person using the
keyboard is unaware that such actions are being monitored.
 Keystroke logger or keylogger is quicker and easier way of capturing the passwords
and monitoring the victims’ IT savvy behavior. It can be classified as software
keylogger and hardware keylogger.
Software Keyloggers
 Software keyloggers are software programs installed on the computer systems which
usually are located between the OS and the keyboard hardware, and every keystroke is
recorded.
 Software keyloggers are installed on a computer system by Trojans or viruses without
the knowledge of the user.
 Cybercriminals always install such tools on the insecure computer systems available in
public places (i.e., cybercafés, etc) and can obtain the required information about the
victim very easily.
 A keylogger usually consists of two files that get installed in the same directory: a
dynamic link library (DLL) file and an EXEcutable (EXE) file that installs the DLL
file and triggers it to work. DLL does all the recording of keystrokes.
Some Important Keyloggers are as follows
All In One Keylogger Stealth Keylogger Perfect Keylogger
KGB Spy Spy Buddy Elite Keylogger
CyberSpy Powered Keylogger

Hardware Keyloggers
 Hardware keyloggers are small hardware devices.
 These are connected to the PC and/or to the keyboard and save every keystroke into a
file or in the memory of the hardware device.
 Cybercriminals install such devices on ATM machines to capture ATM Cards’ PINs.
 Each keypress on the keyboard of the ATM gets registered by these keyloggers.
 These keyloggers look like an integrated part of such systems; hence, bank customers
are unaware of their presence.
[Type here]

Antikeylogger
 Antikeylogger is a tool that can detect the keylogger installed on the computer
system and can remove the tool. (Visit http://www.anti-keyloggers.com for more
information)
Advantages of using antikeylogger are as follows:
1. Firewalls cannot detect the installations of keyloggers on the systems; hence,
antikeyloggers can detect installations of keylogger.
2. This software does not require regular updates of signature bases to work effectively
such as other antivirus and antispy programs; if not updated, it does not serve the
purpose, which makes the users at risk.
3. Prevents Internet banking frauds. Passwords can be easily gained with the help of
installing keyloggers.
4. It prevents ID theft (we will discuss it more in Chapter 5).
5. It secures E-Mail and instant messaging/chatting.

Spywares
 Spyware is a type of malware (i.e., malicious software) that is installed on
computers which collects information about users without their knowledge.
 The presence of Spyware is typically hidden from the user; it is secretly installed on
the user’s personal computer.
 Sometimes, however, Spywares such as keyloggers are installed by the owner of a
shared, corporate or public computer on purpose to secretly monitor other users.
Some Important Spywares are as follows:
Spy. Spector Pro. Spector Pro.
eBlaster. Remotespy . Stealth Recorder Pro.
Stealth Website Logger. Flexispy. Wiretap Professional.
PC PhoneHome. SpyArsenal Print Monitor Pro.

Box 4.3 | Malwares

Malware, short for malicious software, is a software designed to infiltrate a computer system
without the owner’s informed consent. The expression is a general term used by computer
professionals to mean a variety of forms of hostile, intrusive or annoying software or program
code. Malware can be classified as follows:
[Type here]

1. Viruses and worms: These are known as infectious malware. They spread from one computer
system to another with a particular behavior.
2. Trojan Horses: A Trojan Horse,[14] Trojan for short, is a term used to describe malware that
appears,to the user, to perform a desirable function but, in fact, facilitates unauthorized access to
the user’s computer system
3. Rootkits: Rootkits is a software system that consists of one or more programs designed to
obscurethe fact that a system has been compromised.
4. Backdoors: Backdoor[16] in a computer system (or cryptosystem or algorithm) is a method of
bypassing normal authentication, securing remote access to a computer, obtaining access to plain
text and so on while attempting to remain undetected.
5. Spyware:
6. Botnets:
7. Keystroke loggers:

Virus and Worms

 Computer virus is a program that can “infect” legitimate programs by modifying them
to include a possibly “evolved” copy of itself.
 Viruses spread themselves, without the knowledge or permission of the users, to
potentially large numbers of programs on many machines.
 A computer virus passes from computer to computer in a similar manner as a
biological virus passes from person to person.
 Viruses may also contain malicious instructions that may cause damage or annoyance;
the combination of possibly Malicious Code with the ability to spread is what makes
viruses a considerable concern.
 Viruses can often spread without any readily visible symptoms.
 A virus can start on event-driven effects (e.g., triggered after a specific number of
executions), time-driven effects (e.g., triggered on a specific date, such as Friday the
13th) or can occur at random.
Viruses can take some typical actions:
1. Display a message to prompt an action which may set of the virus;
[Type here]

2. delete files inside the system into which viruses enter;

3. scramble data on a hard disk;
4. cause erratic screen behavior;
5. halt the system (PC);
6. just replicate themselves to propagate further harm.

Figure: Virus Spread Through Internet

[Type here]

Figure: Virus Spread Through stand alone System

 Computer virus has the ability to copy itself and infect the system.
 The term virus is also commonly but erroneously used to refer to other types of
malware, Adware and Spyware programs that do not have reproductive ability.
 A true virus can only spread from one system to another (in some form of executable
code) when its host is taken to the target computer; for instance, when a user sent it
over the Internet or a network, or carried it on a removable media such as CD, DVD or
USB drives.
 Viruses can increase their chances of spreading to other systems by infecting files on a
network file system or a file system that is accessed by another system.
 Malware includes computer viruses, worms, Trojans, most Rootkits, Spyware,
dishonest Adware, crimeware and other malicious and unwanted software as well as
true viruses.
 Viruses are sometimes confused with computer worms and Trojan Horses, which are
technically different (see Table 4.7 to understand the difference between computer
virus and worm).
 A worm spreads itself automatically to other computers through networks by
exploiting security vulnerabilities, whereas a Trojan is a code/program that appears to
be harmless but hides malicious functions.
[Type here]

 Worms and Trojans, such as viruses, may harm the system’s data or performance.
 Some viruses and other malware have noticeable symptoms that enable computer user
to take necessary corrective actions, but many viruses are surreptitious or simply do
nothing for user’s to take note of them.
 Some viruses do nothing beyond reproducing themselves.

Types of Viruses
1. Boot sector viruses: It infects the storage media on which OS is stored (e.g., hard
drives) and which is used to start the computer system.
2. Program viruses: These viruses become active when the program file (usually with
extensions .bin, .com,.exe, .ovl, .drv) is excuted
3. Multipartite viruses: It is a hybrid of a boot sector and program viruses. It infects
program files along with the boot record when the infected program is active.
4. Stealth viruses: It hides itself and so detecting this type of virus is very difficult. It can
hiding itself such a way that antivirus software also cannot detect it. Example for
Stealth virus is “Brain Virus”.
5. Polymorphic viruses: It acts like a “chameleon” that changes its virus signature (i.e.,
binary pattern) every time it spreads through the system (i.e., multiplies and infects a
new file). Hence, it is always difficult to detect polymorphic virus with the help of an
antivirus program.
6. Macro viruses: Many applications, such as Microsoft Word and Microsoft Excel,
support MACROs (i.e., macrolanguages). These macros are programmed as a macro
embedded in a document. Once macrovirus gets onto a victim’s computer then every
document he/she produces will become infected.
7. Active X and Java Control: All the web browsers have settings about Active X and
Java Controls.
World’s worst worm attacks.
Conficker INF/AutoRun Win32 PSW Win32/Agent
Win32/FlyStudio Win32/Pacex.Gen Win32/Qhost WMA/ TrojanDownloader
[Type here]

The world’s worst virus and worm attacks!!!

Morris Worm ILOVEYOU Nimda Jerusalem
Code Red Melissa Melissa
Sobig Storm Worm Michelangelo

Trojan Horses and Backdoors

 Trojan Horse is a program in which malicious or harmful code is contained inside
apparently harmless programming or data in such a way that it can get control and
cause harm, for example, ruining the file allocation table on the hard disk.
 A Trojan Horse may get widely redistributed as part of a computer virus.
 The term Trojan Horse comes from Greek mythology about the Trojan War.
 Like Spyware and Adware, Trojans can get into the system in a number of ways,
including from a web browser, via E-Mail.
 It is possible that one could be forced to reformat USB flash drive or other portable
device to eliminate infection and avoid transferring it to other machines.
 Unlike viruses or worms, Trojans do not replicate themselves but they can be equally
destructive.
 On the surface, Trojans appear benign and harmless, but once the infected code is
executed, Trojans kick in and perform malicious functions to harm the computer
system without the user’s knowledge.
 For example, waterfalls.scr is a waterfall screen saver as originally claimed by the
author; however, it can be associated with malware and become a Trojan to unload
hidden programs and allow unauthorized access to the user’s PC.

Some typical examples of threats by Trojans are as follows:

1. They erase, overwrite or corrupt data on a computer.
2. They help to spread other malware such as viruses (by a dropper Trojan).
3. They deactivate or interfere with antivirus and firewall programs.
4. They allow remote access to your computer (by a remote access Trojan).
5. They upload and download files without your knowledge.
6. They gather E-Mail addresses and use them for Spam.
[Type here]

7. They log keystrokes to steal information such as passwords and credit card numbers.
8. They copy fake links to false websites, display porno sites, play sounds/videos and
display images.
9. They slow down, restart or shutdown the system.
10. They reinstall themselves after being disabled.
11. They disable the task manager.
12. They disable the control panel.

Backdoor
 A backdoor is a means of access to a computer program that bypasses security
mechanisms. A programmer may sometimes install a backdoor so that the program can
be accessed for troubleshooting or other purposes.
 However, attackers often use backdoors that they detect or install themselves as part of
an exploit.
 In some cases, a worm is designed to take advantage of a backdoor created by an
earlier attack.
 A backdoor works in background and hides from the user.
 It is very similar to a virus and, therefore, is quite difficult to detect and completely
disable.
 A backdoor is one of the most dangerous parasite, as it allows a malicious person to
perform any possible action on a compromised system.

Following are some functions of backdoor:

1. It allows an attacker to create, delete, rename, copy or edit any file, execute various
commands; change any system settings; alter the Windows registry; run, control and
terminate applications; install arbitrary software and parasites.
2. It allows an attacker to control computer hardware devices, modify related settings,
shutdown or restart a computer without asking for user permission.
3. It steals sensitive personal information, valuable documents, passwords, login names,
ID details; logs user activity and tracks web browsing habits.
[Type here]

4. It records keystrokes that a user types on a computer’s keyboard and captures

screenshots.
5. It sends all gathered data to a predefined E-Mail address, uploads it to a predetermined
FTP server or transfers it through a background Internet connection to a remote host.
6. It infects files, corrupts installed applications and damages the entire system.

Following are a few examples of backdoor Trojans:

1. Back Orifice
2. Bifrost:
3. SAP backdoors
4. Onapsis Bizploit:

Follow the following steps to protect your systems from Trojan Horses and backdoors:
1. Stay away from suspect websites/weblinks:
2. Surf on the Web cautiously:
3. Install antivirus/Trojan remover software:

Steganography
 Steganography is the practice of concealing (hiding) a file, message, image, or video
within another file, message, image, or video. The word steganography combines the
Greek words steganos , meaning "covered, concealed, or protected", and graphein
meaning "writing".
 It is a method that attempts to hide the existence of a message or communication.
 Steganography is always misunderstood with cryptography
 The different names for steganography are data hiding, information hiding and
digital watermarking.
 Steganography can be used to make a digital watermark to detect illegal copying
of digital images. Thus, it aids confidentiality and integrity of the data.
 Digital watermarking is the process of possibly irreversibly embedding information
into a digital signal.
 The Digital signal may be, for example, audio, pictures or video.
[Type here]

 If the signal is copied then the information is also carried in the copy.
 In other words, when steganography is used to place a hidden “trademark” in
images, music and software, the result is a technique referred to as “watermarking”

Steganalysis
 Steganalysis is the art and science of detecting messages that are hidden in
images, audio/video files using steganography.
 The goal of steganalysis is to identify suspected packages and to determine whether
or not they have a payload encoded into them, and if possible recover it.
 Automated tools are used to detect such steganographed data/information hidden in
the image and audio and/or video files.
Box 4.7 | Difference between Steganography and Cryptography
Steganography is the art and science of writing hidden messages in such a way that no one apart
from the intended recipient knows the existence of the message; this is in contrast to
cryptography, of the message itself is not disguised, but the content is obscured. It is said that
terrorists use where the existence steganography techniques to hide their communication in
images on the Internet; most popular images are used such as those of film actresses or other
celebrities. In its basic form, steganography is simple.

DoS and DDoS Attacks

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS
attack) is an attempt to make a computer resource (i.e., information systems) unavailable to its
intended users.

DoS Attacks
 In this type of criminal act, the attacker floods the bandwidth of the victim’s
network or fills his E-Mail box with Spam mail depriving him of the services he is
entitled to access or provide.
 The attackers typically target sites or services hosted on high-profile web servers
such as banks, credit card payment gateways, mobile phone networks and even root
name servers.
[Type here]

 Buffer overflow technique is employed to commit such kind of criminal attack known as
Spoofing.
 The term IP address Spoofing refers to the creation of IP packets with a forged
(spoofed) source IP address with the purpose of concealing the ID of the sender or
impersonating another computing system.
 A packet is a formatted unit of data carried by a packet mode computer network.
 The attacker spoofs the IP address and floods the network of the victim with
repeated requests.
 As the IP address is fake, the victim machine keeps waiting for response from
the attacker’s machine for each request.
 This consumes the bandwidth of the network which then fails to serve the
legitimate requests and ultimately breaks down.
 The United States Computer Emergency Response Team defines symptoms of DoS
attacks to include:
1. Unusually slow network performance (opening fi les or accessing websites);
2. unavailability of a particular website;
3. inability to access any website;
4. dramatic increase in the number of Spam E-Mails received (this type of
DoS attack is termed as an E-Mail bomb).
The goal of DoS is not to gain unauthorized access to systems or data, but to prevent
intended users (i.e., legitimate users) of a service from using it.

A DoS attack may do the following:

1. Flood a network with traffic, thereby preventing legitimate network traffic.
2. Disrupt connections between two systems, thereby preventing access to a service.
3. Prevent a particular individual from accessing a service.
4. Disrupt service to a specific system or person.

Classification of DoS Attacks

1. Bandwidth attacks: Loading any website takes certain time. Loading means
complete webpage appearing on the screen and system is awaiting user’s input.
[Type here]

2. Logic attacks: These kind of attacks can exploit vulnerabilities in network software
such as web server or TCP/IP stack.
3. Protocol attacks: Protocols here are rules that are to be followed to send data over
network.
4. Unintentional DoS attack : This is a scenario where a website ends up denied not due
to a attack by a single individual or group of individuals, but simply due to a sudden
enormous spike in popularity.

Types or Levels of DoS Attacks

There are several types or levels of DoS attacks as follows:
1. Flood attack: This is the earliest form of DoS attack and is also known as ping food. It
is based on an attacker simply sending the victim overwhelming number of ping
packets, usually by using the “ping” command, which result into more traffic than the
victim can handle.
2. Ping of death attack: The ping of death attack sends oversized Internet Control
Message Protocol (ICMP) packets, and it is one of the core protocols of the IP Suite.
It is mainly used by networked computers’ OSs to send error messages indicating (e.g.,
that a requested service is not available or that a host or router could not be reached)
datagrams (encapsulated in IP packets) to the victim.
3. SYN attack: It is also termed as TCP SYN Flooding. In the TCP, handshaking of
network connections is done with SYN and ACK messages.
 An attacker initiates a TCP connection to the server with an SYN.
 The server replies with an SYN-ACK.
 The client then does not send back an ACK, causing the server to allocate memory
for the pending connection and wait.
 This fills up the buffer space for SYN messages on the target system, preventing
other systems on the network from communicating with the target system.
4. Teardrop attack: The teardrop attack is an attack where fragmented packets are
forged to overlap each other when the receiving host tries to reassemble them. IP’s
packet fragmentation algorithm is used to send corrupted packets to confuse the
victim
[Type here]

and may hang the system. This attack can crash various OSs due to a bug in their
TCP/IP fragmentation reassembly code.
5. Smurf attack: This is a type of DoS attack that floods a target system via spoofed
broadcast ping messages. This attack consists of a host sending an echo request
(ping) to a network broadcast address.
6. Nuke: Nuke is an old DoS attack against computer networks consisting of
fragmented or invalid packets sent to the target.

Tools Used to Launch DoS Attack

1. Jolt2 : The vulnerability allows remote attackers to cause a DoS attack against
Windows- based machines – the attack causes the target machine to consume of the
CPU time on processing of illegal packets.
2. Nemesy : This program generates random packets of spoofed source IP to enable the
attacker to launch DoS attack.
3. Targa : It is a program that can be used to run eight different DoS attacks. The attacker
has the option to launch either individual attacks or try all the attacks until one is
successful.
4. Crazy Pinger : This tool could send large packets of ICMP(Internet Control Message
Protocol) to a remote target network.
5. SomeTrouble: It is a remote flooder and bomber. It is developed in Delphi.

DDoS Attacks
 In a DDoS attack, an attacker may use your computer to attack another computer.
 By taking advantage of security vulnerabilities or weaknesses, an attacker could take
control of your computer.
 He/she could then force your computer to send huge amounts of data to a website or
send Spam to particular E-Mail addresses.
 The attack is “distributed” because the attacker is using multiple computers,
including yours, to launch the DoS attack.
 A DDoS attack is a distributed DoS wherein a large number of zombie systems are
synchronized to attack a particular system.
[Type here]

 The zombie systems are called “secondary victims” and the main target is called
“primary victim.”
 Malware can carry DDoS attack mechanisms – one of the better-known examples of
this is MyDoom.
 Botnet is the popular medium to launch DoS/DDoS attacks.
 Attackers can also break into systems using automated tools that exploit flaws in
programs that listen for connections from remote hosts.

How to Protect from DoS/DDoS Attacks

Computer Emergency Response Team Coordination Center (CERT/CC) offers many
preventive measures from being a victim of DoS attack.
1. Implement router filters. This will lessen your exposure to certain DoS attacks.
2. If such filters are available for your system, install patches to guard against TCP
SYN flooding.
3. Disable any unused or inessential network service.
4. Enable quota systems on your OS if they are available.
5. Observe your system’s performance and establish baselines for ordinary activity.
6. Routinely examine your physical security with regard to your current needs.
7. Use Tripwire or a similar tool to detect changes in configuration information or
other files.
8. Invest in and maintain “hot spares” – machines that can be placed into service quickly
if a similar machine is disabled.
9. Invest in redundant and fault-tolerant network configurations.
10. Establish and maintain regular backup schedules
11. Establish and maintain appropriate password policies

SQL Injection
 Structured Query Language (SQL) is a database computer language designed for
managing data in relational database management systems (RDBMS).
 SQL injection is a code injection technique that exploits a security vulnerability
occurring in the database layer of an application.
[Type here]

 SQL injection attacks are also known as SQL insertion attacks.

 Attackers target the SQL servers – common database servers used by many
organizations to store confidential data.
 The prime objective behind SQL injection attack is to obtain the information while
accessing a database table that may contain personal information such as credit card
numbers, social security numbers or passwords.
 During an SQL injection attack, Malicious Code is inserted into a web form field or the
website’s code.
 For example, when a user logs in with username and password, an SQL query is sent to
the database to check if a user has valid name and password.
 With SQL injection, it is possible for an attacker to send crafted username and/or
password field that will change the SQL query.

Steps for SQL Injection Attack

Following are some steps for SQL injection attack:
1. The attacker looks for the webpages that allow submitting data, that is, login page,
search page, feedback, etc. The attacker also looks for the webpages that display the
HTML commands such as POST or GET by checking the site’s source code.
2. To check the source code of any website, right click on the webpage and click on
“view source” – source code is displayed in the notepad. The attacker checks the
source code of the HTML, and look for “FORM” tag in the HTML code.
Everything between the <FORM> and </FORM> have potential parameters
that might be useful to find the vulnerabilities.
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>
3. The attacker inputs a single quote under the text box provided on the webpage to
accept the username and password. This checks whether the user-input variable is
interpreted literally by the server. If the response is an error message such as use “a” =
“a” then the website is found to be susceptible to an SQL injection attack.
[Type here]

4. The attacker uses SQL commands such as SELECT statement command to retrieve
data from the database or INSERT statement to add information to the database.
Here are few examples of variable field text the attacker uses on a webpage to test for SQL
vulnerabilities:
1. Blah’ or 1=1--
2. Login:blah’ or 1=1--
3. Password::blah’ or 1=1--
4. http://search/index.asp?id=blah’ or 1=1--
Similar SQL commands may allow bypassing of a login and may return many rows in
a table or even an entire database table because the SQL server is interpreting the terms
literally. The double dashes near the end of the command tell SQL to ignore the rest of the
command as a comment.

Blind SQL Injection

 Blind SQL injection is used when a web application is vulnerable to an SQL injection
but the results of the injection are not visible to the attacker.
 The page with the vulnerability may not be the one that displays data; however, it will
display differently depending on the results of a logical statement injected into the
legitimate SQL statement called for that page.
 This type of attack can become time-intensive because a new statement must be crafted
for each bit recovered.
 There are several tools that can automate these attacks once the location of the
vulnerability and the target information have been established.

How to Prevent SQL Injection Attacks

SQL injection attacks occur due to poor website administration and coding. The
following steps can be taken to prevent SQL injection.
1. Input validation
 Replace all single quotes to two single quotes.
 Sanitize the input: User input needs to be checked and cleaned of any
characters or strings that could possibly be used maliciously. For example,
character
[Type here]

sequences such as ; , --, select, insert and xp_ can be used to perform an SQL
injection attack.
 Numeric values should be checked while accepting a query string value. Function
– IsNumeric() for Active Server Pages (ASP) should be used to check these
numeric values.
 Keep all text boxes and form fields as short as possible to limit the length of
user input.
2. Modify error reports: SQL errors should not be displayed to outside users
3. Other preventions
 The default system accounts for SQL server 2000 should never be used.
 Isolate database server and web server.
Buffer Overflow
 Buffer overflow, or buffer overrun, is an anomaly where a process stores data in a
buffer outside the memory the programmer has set aside for it.
 This may result unreliable program behavior, including memory access errors,
incorrect results, program termination (a crash) or a breach of system security.
 Buffer overflows can be triggered by inputs that are designed to execute code or alter
the way the program operates.
 They are, thus, the basis of many software vulnerabilities and can be maliciously
exploited.
Bounds checking can prevent buffer overflows.
 Programming languages commonly associated with buffer overflows include C and C+
+, which provide no built-in protection against accessing or overwriting data in any
part of memory and do not automatically check that data written to an array.
 Buffer overflow occurs when a program or process tries to store more data in a buffer
(temporary data storage area) than it was intended to hold.
 Although it may occur accidentally through programming error, buffer overflow is an
increasingly common type of security attack on data integrity.
 The knowledge of C, C++ or any other high-level computer language (i.e., assembly
language) is essential to understand buffer overflow.
For example,
[Type here]

int main ()
{ int
buffer[10];
buffer[20] = 10;
}
 This C program is a valid program and every compiler can compile it without any errors.
 However, the program attempts to write beyond the allocated memory for the
buffer, which might result in an unexpected behavior.

Types of Buffer Overflow

Stack-Based Buffer Overflow
Stack buffer overflow occurs when a program writes to a memory address on the
program’s call stack outside the intended data structure – usually a fixed length buffer. Here
are the characteristics of stack-based programming:
1. “Stack” is a memory space in which automatic variables (and often function
parameters) are allocated.
2. Function parameters are allocated on the stack and are not automatically initialized by
the system, so they usually have garbage in them until they are initialized.
3. Once a function has completed its cycle, the reference to the variable in the stack
is removed.
The attacker may exploit stack-based buffer overflows to manipulate the program in
various ways by overwriting:
1. A local variable that is near the buffer in memory on the stack to change the behavior
of the program that may benefit the attacker.
2. The return address in a stack frame. Once the function returns, execution will resume
at the return address as specified by the attacker, usually a user input-filled buffer.
3. A function pointer, or exception handler, which is subsequently
executed. The factors that contribute to overcome the exploits are
1. Null bytes in addresses;
2. Variability in the location of shell code;
3. Differences between environments.
[Type here]

A shell code is a small piece of code used as a payload in the exploitation of software
vulnerability.
It is called “shell code” because it starts with command shell from which the attacker can
control the compromised machine.
NOPs
NOP or NOOP (short form of no operation) is an assembly language instruction/
command that effectively does nothing at all.
Heap Buffer Overflow
Heap buffer overflow occurs in the heap data area and may be introduced accidentally
by an application programmer, or it may result from a deliberate exploit. The characteristics of
stack based and heap-based programming are as follows:
1. “Heap” is a “free store” that is a memory space, where dynamic objects are allocated.
2. The heap is the memory space that is dynamically allocated new(), malloc() and
calloc() functions; it is different from the memory space allocated for stack and code.
3. Dynamically created variables (i.e., declared variables) are created on the heap before
the execution program is initialized to zero.
Memory on the heap is dynamically allocated by the application at run-time and normally
contains program data. Exploitation is performed by corrupting this data in specific ways to
cause the application to overwrite internal structures such as linked list pointers.

How to Minimize Buffer Overflow

Although it is difficult to prevent all possible attacks, the following methods will
definitely help to minimize such attacks:
1. Assessment of secure code manually: Buffer overflow occurs when a program or
process tries to store more data in a buffer than it was intended to hold. Developers
should be educated about minimizing the use of functions like strcpy(), strcat(),
sprintf() and vsprintf() in C Language.
2. Disable stack execution: Malicious Code causes input argument to the program, and it
resides in the stack and not in the code segment. Any code that attempts to execute any
other code residing in the stack will cause a segmentation violation.
[Type here]

3. Compiler tools: Over the years, compilers have become more and more aggressive in
optimizations and the checks they perform. Various compiler tools already offer
warnings on the use of unsafe constructs such as gets(), strcpy(), etc. Developers
should be educated to restructure the programming code if such warnings are
displayed.
4. Dynamic run-time checks: In this scheme, an application has restricted access to
prevent attacks. This method primarily relies on the safety code being preloaded
before an application is executed. This preloaded component can either provide safer
versions of the standard unsafe functions or it can ensure that return addresses are not
overwritten. One example of such a tool is libsafe. The libsafe library provides a way
to secure calls to these functions, even if the function is not available.

Attacks on Wireless Networks

 Wireless technologies have become increasingly popular in day-to-day business and
personal lives.
 Hand-held devices such as the PDAs allow individuals to access calendars, E-Mail
addresses, phone number lists and the Internet.
 Wireless networks extend the range of traditional wired networks by using radio waves
to transmit data to wireless-enabled devices such as laptops and PDAs.
 Wireless networks are generally composed of two basic elements
o access points (APs) and
o other wireless-enabled devices, such as laptops radio transmitters and receivers
to communicate or “connect” with each other.
 APs are connected through physical wiring to a conventional network, and they
broadcast signals with which a wireless device can connect.
 Wireless access to networks has become very common by now in India – for
organizations and for individuals.
[Type here]

Wireless
Networks The following are different types of
“mobile workers”:
1. Tethered/remote worker: This is considered to be an employee who generally
remains at a single point of work, but is remote to the central company systems.
2. Roaming user: This is either an employee who works in an environment (e.g.,
warehousing, shop floor, etc.) or in multiple areas (e.g., meeting rooms).
3. Nomad: This category covers employees requiring solutions in semi-
tethered (connected) environments where modem use frequently.
4. Road warrior: This is the ultimate mobile user and spends little time in the office;

Important components of wireless network

1. 802.11 networking standards: Institute of Electrical and Electronics Engineers (IEEE)-
802.11 is a family of standards for wireless local area network (WLAN), stating the
specifications and/or requirements for computer communication.
2. Access points: It is also termed as AP. It is a hardware device and/or software that act
as a central transmitter and receiver of WLAN radio signals. Users of wireless device,
such as laptop/PDAs, get connected with these APs, which in turn get connected with
the wired LAN. An AP acts as a communication hub for users to connect with the
wired LAN.
[Type here]

3. Wi-Fi hotspots: A hotspot is a site that offers the Internet access by using Wi-Fi
technology over a WLAN. Hotspots are found in public areas (such as coffee shops,
public libraries, hotels and restaurants) and are commonly offered facility throughout
much of North America and Europe.
 Free Wi-Fi hotspots: Wireless Internet service is offered in public areas, free of
cost and that to without any authentication.
 Commercial hotspots: The users are redirected to authentication and online
payment to avail the wireless Internet service in public areas.
4. Service Set IDentifier (SSID): It is the name of 802.11i WLAN and all wireless
devices on a WLAN must use the same SSID to communicate with each other. While
setting up WLAN, the user (or WLAN administrator) sets the SSID, which can be up
to 32 characters long so that only the users who knew the SSID will be able to connect
the WLAN. It is always advised to turn OFF the broadcast of the SSID.
5. Wired equivalence privacy (WEP): Wireless transmission is susceptible to
eavesdropping and to provide confidentiality, WEP was introduced as part of the
original 802.11i Protocol in 1997. It is always termed as deprecated security algorithm
for IEEE 802.11i WLANs. SSID along with WEP delivers fair amount of secured
wireless network.
6. Wi-Fi protected access (WPA and WPA2): WPA was introduced as an interim
standard to replace WEP to improve upon the security features of WEP. WPA2
provides a stronger encryption mechanism through Advanced Encryption Standard
(AES), which is a requirement for some corporate and government agencies.
7. Media access control (MAC): It is a unique identifier of each node (i.e., each network
interfaces) of the network and it is assigned by the manufacturer of a network interface
card (NIC) stored in its hardware. MAC address filtering allows only the devices with
specific MAC addresses to access the network.
Tools used for hacking wireless networks
NetStumbler: This tool is based on Windows OS and easily identifies wireless signals being
broadcast within range.
Kismet: This tool detects and displays SSIDs that are not being broadcast which 0is very critical
in finding wireless networks.
[Type here]

Airsnort: This tool is very easy and is usually used to sniff and crack WEP keys
CowPatty: This tool is used as a brute force tool for cracking WPA-PSK and is considered to be
the “New WEP” for home wireless security.
Wireshark (formerly ethereal): Ethereal can scan wireless and Ethernet data and comes with
some robust filtering capabilities. It can also be used to sniff out 802.11 management Beacons
and probes, and subsequently could be used as a tool to sniff out non-broadcast SSIDs.

Traditional Techniques of Attacks on Wireless Networks

In security breaches, penetration of a wireless network through unauthorized access is
termed as wireless cracking. There are various methods that demand high level of
technological skill and knowledge, and availability of numerous software tools made it less
sophisticated with minimal technological skill to crack WLANs.
1. Sniffing: The attacker usually installs the sniffers remotely on the victim’s system and
conducts activities such as
 Passive scanning of wireless network;
 detection of SSID;
 colleting the MAC address;
 collecting the frames to crack WEP.
2. Spoofing: The attacker often launches an attack on a wireless network by simply
creating a new network with a stronger wireless signal and a copied SSID in the same
area as a original network. Different types of Spoofing are as follows.
 MAC address Spoofing
 IP Spoofing:
 Frame Spoofing:
3. Denial of service (DoS): We have explained this attack in detail in UNIT-2.
4. Man-in-the-middle attack (MITM): It refers to the scenario wherein an attacker on
host A inserts A between all communications – between hosts X and Y without
knowledge of X and Y. All messages sent by X do reach Y but through A and vice versa.
The objective behind this attack is to merely observe the communication or modify it
before sending it out.
[Type here]

5. Encryption cracking: It is always advised that the first step to protect wireless
networks is to use WPA encryption. The attackers always devise new tools and
techniques to deconstruct the older encryption technology, which is quite easy for
attackers due to continuous research in this field. Hence, the second step is to use a
long and highly randomized encryption key; this is very important. It is a little pain to
remember long random encryption; however, at the same time these keys are much
harder to crack.

How to Secure the Wireless Networks

Nowadays, security features of Wi-Fi networking products are not that time-consuming
and nonintuitive; however, they are still ignored, especially, by home users. Although
following summarized steps will help to improve and strengthen the security of wireless
network, to know the available tools to monitor and protect the wireless networks:
1. Change the default settings of all the equipments/components of wireless network
(e.g., IP address/ user IDs/administrator passwords, etc.).
2. Enable WPA/WEP encryption.
3. Change the default SSID.
4. Enable MAC address filtering.
5. Disable remote login.
6. Disable SSID broadcast.
7. Disable the features that are not used in the AP (e.g., printing/music support).
8. Avoid providing the network a name which can be easily identified
(e.g., My_Home_Wifi ).
9. Connect only to secured wireless network (i.e., do not autoconnect to open Wi-Fi
hotspots).
10. Upgrade router’s firmware periodically.
11. Assign static IP addresses to devices.
12. Enable firewalls on each computer and the router.
13. Position the router or AP safely.
14. Turn off the network during extended periods when not in use.
15. Periodic and regular monitor wireless network security.
[Type here]

Box 4.11 | The New “Wars” in the Internet Era!

1. Warwalking:
2. Warbiking:
3. Warkitting:
4. WAPKitting:
5. WAPjacking:

Phishing and Identity Theft: Introduction , Phishing

Identity theft can be done thorough the following ways.
1. Spam E-Mails
 Also known as “junk E-Mails” they involve nearly identical messages sent to
numerous recipients. Spam E-Mails have steadily grown since the early 1990s.
Botnets, networks of virus-infected computers, are used to send about 80% of
Spam.
 Types of Spam E-Mails are as follows:
2. Unsolicited bulk E-Mail (UBE): It is synonym for SPAM unsolicited E-Mail sent in
large quantities.
3. Unsolicited commercial E-Mail (UCE): Unsolicited E-Mails are sent in large
quantities from commercial perspective, for example, advertising. See Box 5.3 to know
more about US Act on Spam mails.
Examples:
1. HSBC, Santander, CommonWealth Bank: International Banks having large
customer base, phishers always dive deep in such ocean to attempt to hook the fish.
2. eBay: It is a popular auction site, often mimicked to gain personal information.
3. Amazon: It was the top brand to be exploited by phishers till July 2009.
4. Facebook: Netizens, who liked to be on the most popular social networking sites such
as Facebook, are always subject to threats within Facebook as well as through E-Mail.
One can reduce chances of being victim of Phising attack by using the services –
security settings to enable contact and E-Mail details as private.
The E-Mail will usually ask the user to provide valuable information about himself
/herself or to “verify” information that the user may have provided in the past while
[Type here]

registering for online account. To maximize the chances that a recipient will respond,
the phisher might employ any or all of the following tactics:
1. Names of legitimate organizations: Instead of creating a phony company from
scratch, the phisher might use a legitimate company’s name and incorporate the
look and feel of its website (i.e., including the color scheme and graphics) into
the Spam E-Mail.
2. “From” a real employee: Real name of an official, who actually works for the
organization. This way, if a user contacts the organization to confirm whether
“Rajeev Arora” truly is “Vice President of Marketing” then the user gets a
positive response and feels assured.
3. URLs that “look right”: The E-Mail might contain a URL (i.e., weblink)
which seems to be original website wherein user can enter the information the
phisher would like to steal.
4. Urgent messages: Creating a fear to trigger a response is very common in
Phishing attacks – the E-Mails warn that failure to respond will result in no
longer having access to the account or E-Mails might claim that organization
has detected suspicious activity in the users’ account or that organization is
implementing new privacy software for ID theft solutions.

Here are a few examples of phrases used to entice the user to take the action.
1. “Verify your account”:
2. “You have won the lottery”:
3. “If you don’t respond within 48 hours, your account will be closed”:

Let us understand the ways to reduce the amount of Spam E-Mails we receive.
1. Share personal E-Mail address with limited people and/or on public websites – the
more it is exposed to the public, the more Spam E-Mails will be received.
2. Never reply or open any Spam E-Mails.
3. Disguise the E-Mail address on public website or groups by spelling out the sign “@”
and the DOT (.); for example, RajeevATgmailDOTcom. This usually prohibits
phishers to catch valid E-Mail addresses while gathering E-Mail addresses through
programs.
[Type here]

4. Use alternate E-Mail addresses to register for any personal or shopping website.
Never ever use business E-Mail addresses.
5. Do not forward any E-Mails from unknown recipients.
6. Make a habit to preview an E-Mail before opening it.
7. Never use E-Mail address as the screen name in chat groups or rooms.
8. Never respond to a Spam E-Mail asking to remove your E-Mail address from the
mailing distribution list. More often it confirms to the phishers that your E-Mail
address is active.

B. Hoax E-Mails (deceive or trick E-Mail)

 These are deliberate attempt to deceive or trick a user into believing or accepting that
something is real, when the hoaxer (the person or group creating the hoax) knows it is
false.
 Hoax E-Mails may or may not be Spam E-Mails.
 It is difficult sometimes to recognize whether an E-Mail is a “Spam” or a “hoax.”
 The websites mentioned below can be used to check the validity of such “hoax” E-
Mails.
1. www.breakthechain.org: This website contains a huge database of chain E-Mails,
like we discussed, the phisher sends to entice the netizens to respond to such E-Mails.
2. www.hoaxbusters.org: This is an excellent website containing a large database of
common Internet hoaxes. It is maintained by the Computer Incident Advisory
Capability, which is a division of the US Department of Energy.

Identity Theft (ID Theft)

 This term is used to refer to fraud that involves someone pretending to be someone else
to steal money or get other benefits.
 ID theft is a punishable offense under the Indian IT Act (Section 66C and Section 66D).
 The statistics on ID theft proves the severity of this fraud and hence a non-profit
organization was found in the US, named as Identity Theft Resource Center (ITRC),
with the objective to extend the support to the society to spread awareness about this
fraud.
[Type here]

 Federal Trade Commission (FTC) has provided the statistics about each one of
the identity fraud mentioning prime frauds presented below.
1. Credit card fraud (26%):
2. Bank fraud (17%): Besides credit card fraud, cheque theft and Automatic Teller
Machines (ATM) pass code theft have been reported that are possible with ID theft
3. Employment fraud (12%): In this fraud, the attacker borrows the victim’s valid SSN
to obtain a job.
4. Government fraud (9%): This type of fraud includes SSN, driver license and
income tax fraud.
5. Loan fraud (5%): It occurs when the attacker applies for a loan on the victim’s
name and this can occur even if the SSN does not match the name exactly.

It is important to note the various usage of ID theft information.

1. 66% of victims’ personal information is used to open a new credit account in
their name.
2. 28% of victims’ personal information is used to purchase cell phone service.
3. 12% of victims end up having warrants issued in their name for financial
crimes committed by the identity thief.

Personally Identifiable Information (PII)

The fraudsters attempts to steal the elements mentioned below, which can express the
purpose of distinguishing individual identity:
1. Full name;
2. national identification number (e.g., SSN);
3. telephone number and mobile phone number;
4. driver’s license number;
5. credit card numbers;
6. digital identity (e.g., E-Mail address, online account ID and password);
7. birth date/birth day;
8. birthplace;
9. face and fingerprints.
[Type here]

The information can be further classified as

a. non-classified and
b. classified.
1. Non-classified information
 Public information:
 Personal information:
 Routine business information:
 Private information:
2. Classified information
 Confidential: Information that requires protection and unauthorized disclosure
could damage national security (e.g., information about strength of armed
forces and technical information about weapons).
 Secret: Information that requires substantial protection and unauthorized
disclosure could seriously damage national security (e.g., national security
policy, military plans or intelligence operations).
 Top secret: Information that requires the highest degree of protection and
unauthorized disclosure could severely damage national security (e.g., vital
defense plans and cryptologic intelligence systems).

ID theft fraudsters and/or industrial/international spies target to gain the access to private,
confidential, secret and top secret information.

Types of Identity Theft

1. Financial identity theft;
2. criminal identity theft;
3. identity cloning;
4. business identity theft;
5. medical identity theft;
6. synthetic identity theft;
7. child identity theft.
[Type here]

Techniques of ID Theft
1. Human-based methods:
 Direct access to information:
 Dumpster diving:
 Theft of a purse or wallet:
 Mail theft and rerouting:
 Shoulder surfing:
 Dishonest or mistreated employees:
 Telemarketing and fake telephone calls:
2. Computer-based technique:
 Backup theft:
 Hacking, unauthorized access to systems and database theft:
 Phishing:
 Pharming:
 Hardware:
Cambridge Institute of Technology, North Campus
Sub: Introduction to Cyber Security
Sub Code: 22ETC54