Uploaded by

hemy Kumar
Module 2

Cyberoffenses: How Criminals Plan Them
Syllabus:
Module 2: Cyber offenses: How Criminals Plan Them: Introduction,
How criminals plan the attacks, Social Engineering, Cyberstalking,
Cybercafe and cybercrimes, Botnets: The fuel for cybercrime.
SLT: Attack Vector
Introduction:
• In today’s world of the Internet and computer networks, a criminal activity
can be carried out across national borders with a ‘false sense of
anonymity’; without realizing it, we pass on a tremendous amount of
information about ourselves.
• Cybercriminals use the World Wide Web and the Internet to an optimum level
for all illegal activities: to store data, contacts, account information, etc.
• The criminals take advantage of the widespread lack of awareness about
cybercrimes and cyberlaws among the people who are constantly using
the IT infrastructure for official and personal purposes.
• People who commit cybercrimes are known as ‘Crackers’.
• Note:
 Hacker: A hacker is a person with a strong interest in computers who
enjoys learning and experimenting with them.
 Brute Force Hacking: It is a technique used to find passwords or
encryption keys. Brute force hacking involves trying every possible
combination of letters, numbers, etc., until the code is broken.
 Cracker: A cracker is a person who breaks into computers.
 Phreaking: This is the notorious art of breaking into phone or other
communication systems.
 War dialer: It is a program that automatically dials phone numbers looking
for computers on the other end. It catalogs numbers so that the hackers
can call back and try to break in.
• An attacker would look to make use of vulnerabilities in the networks,
most often because the networks are not adequately protected.
• The categories of vulnerabilities that hackers typically search for are the
following:
1. Inadequate border protection;
2. Remote access servers (RASs) with weak access control;
3. Application servers with well-known exploits;
4. Misconfigured systems and systems with default configurations.
Categories of Cybercrime:
• Cybercrimes can be categorized based on the following:
1. The target of the crime:
 Crimes targeted at individuals
 Crimes targeted at property
 Crimes targeted at organizations
2. Whether the crime occurs as a single event or as a series of events:
 Single event of cybercrime
 Series of events
a) Crimes targeted at individuals:
 The goal is to make use of human weaknesses such as greed and naivety.
 These crimes include financial frauds, sale of non-existent or stolen items,
child pornography, copyright violation, harassment, etc.
 With the development of IT and the Internet, criminals have a new tool that
allows them to expand the pool of potential victims.

b) Crimes targeted at property:
 This includes stealing mobile devices such as cell phones, laptops, personal
digital assistants (PDAs), and removable media (CDs and pen drives);
 Transmitting harmful programs that can disrupt the functions of the system
and/or wipe out data from the hard disk, and can cause attached devices
such as the modem, CD drive, etc. to malfunction.
c) Crimes targeted at organizations:
 Cyberterrorism is one of the distinct crimes against
organizations/governments.
 Attackers use computer tools and the Internet, usually to terrorize the
citizens of a particular country by stealing private information, and also
to damage programs and files or plant programs to gain control of the
network and/or system.
d) Single event of cybercrime:
It is a single event from the perspective of the victim.
For example: unknowingly opening an attachment that contains a virus that
infects the system. This is known as hacking or fraud.
e) Series of events:
This involves the attacker interacting with the victim repetitively.
For example: the attacker interacts with the victim on the phone and/or via
chat rooms to establish a relationship in order to commit sexual assault.
How Criminals Plan the Attacks:
• Criminals use many methods and tools to locate the vulnerabilities of their
target.
• The target can be an individual and/or an organization.
• Criminals plan passive and active attacks.
• Active attacks are usually used to alter the system, whereas passive
attacks attempt to gain information about the target.
• Active attacks may affect the availability, integrity, and authenticity of data
whereas passive attacks lead to breaches of confidentiality.
• In addition to the active and passive categories, attacks can be categorized
as either inside or outside.
• An attack originating and/or attempted within the security perimeter of
an organization is an inside attack; it is usually attempted by an ‘insider’
who gains access to more resources than expected.
• An outside attack is attempted by a source outside the security perimeter;
it may be attempted by an insider and/or an outsider who is indirectly
associated with the organization, and it is carried out through the Internet
or a remote access connection.
• The following phases are involved in planning a cybercrime:
1. Reconnaissance (information gathering) is the first phase and is
treated as a passive attack.
2. Scanning and scrutinizing the gathered information for the validity of
the information as well as to identify the existing vulnerabilities.
3. Launching an attack (gaining and maintaining system access).
1. Reconnaissance:
• The literal meaning of ‘reconnaissance’ is an act of reconnoitering:
exploring, often with the goal of finding something or somebody.
• The reconnaissance phase begins with ‘footprinting’; this is the preparation
for the pre-attack phase and involves accumulating data about the
target’s environment and computer architecture to find ways to intrude
into the environment.
• Footprinting gives an overview of system vulnerabilities.
• The objective of this phase is to understand the system, its networking
ports and services, and any other aspects of its security that are needed
for launching the attack.
• Thus, an attacker attempts to gather information in two phases: passive
attacks and active attacks.
a. Passive Attacks:
• This involves gathering information about a target without his/her knowledge.
• It can be as simple as watching a building to identify what time employees
enter the building premises.
• It is usually done using Internet searches or by Googling an individual or
company to gain information.
• Example:
1. Google or Yahoo search;
2. Surfing online community groups like Orkut/Facebook;
3. Organization’s website may provide a personnel directory or information;
4. Blogs, newsgroups, press releases, etc.;
5. Going through job postings.
• Along with Google search, various other tools are also used for gathering
information about the target victim.
• Tools used during passive attacks (some of them are):
Google Earth: Google Earth is a virtual globe, map and geographic information program. Google Earth is a
free version with limited functionality.
Internet Archive: It is an Internet library, with the purpose of offering permanent access for researchers,
historians, and scholars to historical collections that exist in digital format.
Professional Community: LinkedIn is an interconnected network of experienced professionals from around the
world.
People Search: People Search provides details about personal information: DoB, residential address,
contact number, etc.
Domain Name Configuration: To perform searches for domain names using multiple keywords. This helps to
find every registered domain name in ‘.com’, ‘.net’, ‘.org’, ‘.edu’, etc.
HTTrack: This tool acts like an offline browser. It can mirror an entire website to a desktop.
Traceroute: This is the best tool to find the route to a target system. It determines the route taken by
packets across an IP network.
eMailTrackerPro: This analyzes the Email header and provides the IP address of the system that sent the
mail.
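The eMailTrackerPro entry describes reading the sending system's IP address out of the mail header. As an added example (not part of the original slides and unrelated to that product), the Python below parses the Received chain of a constructed message, reports the originating IP the way such header-analysis tools do, and checks that the hop timestamps are consistent, which is the check a defender makes when triaging a suspicious mail. All hostnames and addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message for this example (not a real capture): hosts use
# example domains and the addresses come from documentation ranges.
RAW_MESSAGE = """Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby mail.example.com with ESMTP id q7x1; Mon, 01 Jan 2024 10:00:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Mon, 01 Jan 2024 10:00:03 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.net with SMTP; Mon, 01 Jan 2024 10:00:01 +0000
From: "Helpdesk" <helpdesk@example.com>
To: victim@example.com
Subject: Password reset required

Please use the link below to reset your password.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed address
FROM_HOST = re.compile(r"^from\s+(\S+)")
BY_HOST = re.compile(r"\bby\s+(\S+)")


def parse_received(raw_message):
    """One dict per Received header, newest first: each relay prepends its own
    line, so the top line is the recipient's server, the bottom the first relay."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        clause, _, date_part = flat.rpartition(";") if ";" in flat else (flat, "", "")
        from_m, by_m, ip_m = FROM_HOST.search(clause), BY_HOST.search(clause), IPV4.search(clause)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
            "time": parsedate_to_datetime(date_part.strip()) if date_part.strip() else None,
        })
    return hops


def originating_ip(raw_message):
    """IP in the earliest (bottom) Received line, what header-analysis tools
    report as the sender. Only lines written by servers you operate can be
    trusted; everything below them came from the sender and may be forged."""
    hops = parse_received(raw_message)
    return hops[-1]["ip"] if hops else None


def chain_is_consistent(hops):
    """True when no hop claims a later time than the hop above it: a server
    cannot handle the message before the relay it received it from."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return all(upper >= lower for upper, lower in zip(times, times[1:]))


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    for h in hops:
        print(f"{h['by']} <- {h['from']} [{h['ip']}] at {h['time']}")
    print("origin:", originating_ip(RAW_MESSAGE), "consistent:", chain_is_consistent(hops))
```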
b. Active Attacks:
• This involves probing the network to discover individual hosts to confirm the
information gathered in the passive attack phase.
• It involves the risk of detection and is also called ‘rattling the doorknobs’ or
‘active reconnaissance’.
• Active reconnaissance can provide confirmation to an attacker about the
security measures in place, but the process can also increase the chance of
being caught or raise suspicion.
• Tools used for active attacks (some of them are):
Arphound: This is a tool that listens to all traffic on an Ethernet network interface. It reports IP/media
access control (MAC) address pairs as well as events, such as IP conflicts, IP changes and IP
addresses with no reverse DNS.
Bing: This is used for Bandwidth Ping. It is a point-to-point bandwidth measurement tool based on
ping. It can measure raw throughput between any two network links. Bing determines the
real throughput on a link by measuring Internet Control Message Protocol (ICMP).
DNStracker: This is a tool to determine the data source for a given DNS server and follow the chain of DNS
servers back to the authoritative sources.
Filesnarf: This is a network auditing tool to capture file transfers and file sharing traffic on a local
subnet.
Msgsnarf: This is a network auditing tool to capture instant message traffic on a local subnet.
Nmap: This is a port scanner, operating system fingerprinter, service/version identifier and much
more. Nmap is designed to rapidly scan large networks.
Ping: This is a standard network utility to send ICMP packets to a target host.
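Active reconnaissance ‘rattles the doorknobs’ and risks detection. As an added example (not from the original slides), the Python below shows what that detection looks like on the defender's side: it reads constructed firewall log lines in a hypothetical `timestamp src dst dport action` layout and flags any source that touches many distinct ports on one host within a short window, the footprint an Nmap-style port scan leaves.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log for this example (not from a real device). The
# "timestamp src dst dport action" layout is hypothetical; addresses are from
# documentation ranges. Source 198.51.100.9 probes twelve ports in six seconds.
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.9 192.0.2.10 22 DROP
2024-01-01T10:00:00 198.51.100.9 192.0.2.10 23 DROP
2024-01-01T10:00:01 198.51.100.9 192.0.2.10 80 ACCEPT
2024-01-01T10:00:01 198.51.100.9 192.0.2.10 443 ACCEPT
2024-01-01T10:00:01 198.51.100.9 192.0.2.10 3389 DROP
2024-01-01T10:00:02 198.51.100.9 192.0.2.10 8080 DROP
2024-01-01T10:00:02 198.51.100.9 192.0.2.10 445 DROP
2024-01-01T10:00:03 198.51.100.9 192.0.2.10 21 DROP
2024-01-01T10:00:03 198.51.100.9 192.0.2.10 25 DROP
2024-01-01T10:00:04 198.51.100.9 192.0.2.10 110 DROP
2024-01-01T10:00:05 198.51.100.9 192.0.2.10 143 DROP
2024-01-01T10:00:05 198.51.100.9 192.0.2.10 3306 DROP
2024-01-01T10:01:00 203.0.113.40 192.0.2.10 443 ACCEPT
2024-01-01T10:02:00 203.0.113.40 192.0.2.10 443 ACCEPT
2024-01-01T10:05:00 203.0.113.41 192.0.2.10 80 ACCEPT
"""


def parse_log(text):
    """Parse the constructed log into (time, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, action = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=10):
    """Flag (src, dst) pairs where one source touched at least `min_ports`
    distinct ports on one host inside any `window`-long span.
    Returns {(src, dst): (distinct_ports, dropped)}; a large dropped share
    means the probes mostly hit closed ports, which is how a scan looks."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, action in events:
        by_pair[(src, dst)].append((ts, port, action))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()                      # sliding window needs time order
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1               # drop hits that fell out of the window
            span = hits[start:end + 1]
            ports = {port for _, port, _ in span}
            if len(ports) >= min_ports:
                dropped = sum(1 for _, _, action in span if action == "DROP")
                alerts[pair] = max(alerts.get(pair, (0, 0)), (len(ports), dropped))
    return alerts


if __name__ == "__main__":
    for (src, dst), (ports, dropped) in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan: {src} -> {dst}, {ports} ports, {dropped} dropped")
```

The threshold and window are tuning knobs: a slow scan spread over hours needs a longer window, at the cost of more false positives from legitimate clients that use several services.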
2. Scanning and Scrutinizing Gathered Information:
• Scanning is a key step in intelligently examining the information gathered
about the target.
• The objectives of scanning are as follows:
i. Port Scanning: Identify open/closed ports and services.
ii. Network Scanning: Understand IP addresses and related information
about the computer network systems.
iii. Vulnerability Scanning: Understand the existing weaknesses in the system.
• The scrutinizing phase is always called ‘enumeration’ in the hacking world.
• The objective of the scrutinizing step is to identify:
i. The valid user accounts or groups;
ii. Network resources and/or shared resources;
iii. The OS and the different applications that are running on it.
3. Attack (Gaining and Maintaining the System Access):
• After the scanning and enumeration, the attack is launched using the
following steps:
i. Crack the password;
ii. Exploit the privileges;
iii. Execute the malicious commands/applications;
iv. Hide the files;
v. Cover the tracks: delete the access logs so that there is no trail of illicit
activity.
Cyberstalking:
• The dictionary meaning of ‘stalking’ is an ‘act or process of following prey
stealthily; trying to approach somebody or something’.
• Cyberstalking has been defined as the use of information and communications
technology, particularly the Internet, by an individual or group of individuals to
harass another individual, group of individuals, or organization.
• The behavior includes false accusations, monitoring, transmission of threats, ID
theft, damage to data or equipment and gathering information for harassment
purposes.
• Cyberstalking refers to the use of the Internet and/or other electronic
communications devices to stalk another person.
• It involves harassing or threatening behavior that an individual conducts
repeatedly, for example, following a person, visiting a person’s home/business
place, making phone calls, leaving written messages, etc.
• Types of Stalkers:
• There are primarily two types of stalkers:
1. Online stalkers: They aim to start the interaction with the victim
directly with the help of the Internet.
• Email and chat rooms are the most popular communication media for
getting connected with the victim, rather than traditional instruments
like telephones/cell phones.
• The stalker makes sure that the victim recognizes the attack
attempted on him/her.
• The stalker can make use of a third party to harass the victim.
2. Offline stalkers: The stalker may begin the attack using traditional
methods such as following the victim, watching the daily routine of
the victim, etc.
• Searching message boards/newsgroups, personal websites, and
people-finding services or websites are the most common ways to
gather information about the victim using the Internet.
• The victim is not aware that the Internet has been used to
perpetrate an attack against them.
How Stalking Works:
• It is seen that stalking works in the following ways:
1. Personal information gathering about the victim.
2. Establishing contact with the victim through telephone/cellphone.
3. Stalkers will almost always establish contact with the victim through Email.
4. Some stalkers keep on sending repeated Emails asking for various kinds of
favors or threatening the victim.
5. The stalker may post the victim’s personal information on a website related
to illicit services (e.g., dating services).
6. Whoever comes across the information starts calling the victim at the given
contact details.
7. Some stalkers subscribe/register the Email account of the victim to
innumerable pornographic and other sites.
Social Engineering:
• Social engineering is the “technique to influence” and “persuasion to
deceive” people to obtain information or have them perform some action.
• Social engineers exploit the natural tendency of a person to trust the social
engineer’s word, rather than exploiting computer security holes.
• A social engineer usually uses telecommunications or the Internet to get
people to do something that is against the security practices and/or
policies of the organization.
• Social engineering involves gaining sensitive information or unauthorized
access privileges by building inappropriate trust relationships with
insiders.
• It is the art of exploiting people’s trust, which is not doubted when one
speaks in a normal manner.
• The goal of a social engineer is to fool someone into providing
valuable information or access to that information.
• The social engineer studies human behavior, knowing that people will help
because of the desire to be helpful, the tendency to trust people, and
the fear of getting into trouble.
• The sign of truly successful social engineers is that they receive
information without arousing any suspicion.
Classification of Social Engineering:
1. Human-Based Social Engineering
i. Impersonating an employee or valid user
ii. Posing as an important user
iii. Using a third person
iv. Calling technical support
v. Shoulder surfing
vi. Dumpster diving
2. Computer-Based Social Engineering
i. Fake E-Mail
ii. E-Mail attachments
iii. Pop-up windows
Cybercafe and Cybercrimes:
• A Nielsen survey in February 2009 on the profile of cybercafe users in
India found that 90% of the audience, across eight cities and
3500 cafes, were male and in the age group of 15-35 years;
• 52% were graduates and postgraduates, though over 50% were
students.
• Public computers, usually referring to the systems available in
cybercafes, carry two types of risk:
1. We do not know what programs are installed on the computer; that is,
there is a risk of malicious programs such as keyloggers or spyware
running in the background that can capture the keystrokes to
learn the password.
2. Over-the-shoulder peeping can enable others to find out your
password.
• Cybercriminals prefer cybercafes to carry out their activities.
• The criminals tend to identify one particular personal computer to
prepare it for their use.
• Cybercriminals can either install malicious programs such as
keyloggers and spywares or launch an attack on the target.
• Cybercriminals will visit these cafes at a particular time and at a
prescribed frequency, maybe on alternate days or twice a week.
• A survey conducted in one of the metropolitan cities in India reveals the
following facts:
1. Pirated software such as the OS, browser and office automation software is
installed on all the computers.
2. Antivirus software is found not to be updated to the latest patch and/or
antivirus signatures.
3. Several cybercafes had installed the software called “Deep Freeze” for
protecting the computers from prospective malware attacks. Deep Freeze can
wipe out the details of all activities carried out on the computer when one
clicks on the “restart” button.
4. An annual maintenance contract (AMC) is found not to be in place for servicing
the computers; hence the hard disks of the computers are not formatted
unless a computer is down.
5. Cybercafe owners have very little awareness of IT security and IT
governance.
• A few tips for safety and security while using a computer in a
cybercafe:
1. Always log out
2. Stay with the computer
3. Clear history and temporary files
4. Be alert
5. Avoid online financial transactions
6. Change passwords
7. Use a virtual keyboard
8. Heed security warnings
Botnets: The Fuel for Cybercrime:
• The dictionary meaning of Bot is “(computing) an automated
program for doing some particular task, often over a network.”
• Botnet is a term used for a collection of software robots, or Bots, that
run autonomously and automatically.
• The term is often associated with malicious software but can also refer
to a network of computers using distributed computing software.
• In simple terms, a Bot is simply an automated computer program.
• One can gain control of computers by infecting them with a
virus or other malicious code that gives access.
• Botnets are often used to conduct a range of activities, from
distributing Spam and viruses to conducting denial-of-service attacks.
• A Botnet (also called a zombie network) is a network of computers
infected with a malicious program that allows cybercriminals to
control the infected machines remotely without the users’
knowledge.
• “Zombie networks” have become a source of income for entire groups
of cybercriminals.
• If someone wants to start a “business” and has no programming skills,
there are plenty of “Bot for sale” offers on forums.
• One can reduce the chances of becoming part of a Botnet by limiting access to the
system. Leaving the Internet connection ON and unprotected is just like leaving
the front door of the house wide open.
• One can ensure the following to secure the system:
1. Use antivirus and anti-spyware software and keep it up to date.
2. Set the OS to download and install security patches automatically.
3. Use a firewall to protect the system from hacking attacks while it is
connected to the Internet.
4. Disconnect from the Internet when you are away from your computer.
5. Download freeware only from websites that are known and
trustworthy.
6. Regularly check the mailbox folders (sent items or outgoing) for
messages you did not send.
7. Take immediate action if your system is infected.
Attack Vector:
• An ‘attack vector’ is a path or means by which an attacker can gain
access to a computer or to a network server to deliver a payload or
malicious outcome.
• Attack vectors enable attackers to make use of system vulnerabilities,
including the human element.
• Attack vectors include viruses, Email attachments, webpages, pop-up
windows, instant messages, chat rooms, and deception.
• All of these methods involve programming, except deception, in which a
human operator is fooled into removing or weakening system defenses.
• To some extent, firewalls and antivirus software can block attack vectors.
• The most common malicious payloads are viruses, Trojan Horses, worms
and spyware.
Attack vectors are launched in the following ways:
1. Attack by Email
2. Attachment(and other files)
3. Attack by deception
4. Hackers
5. Viruses
6. Attack of the worms
7. Heedless guests (Attack by Webpage)
8. Malicious Macros
9. Foistware (Sneakware)
1. Attack by Email:
 The hostile content is either embedded in the message or linked to by
the message.
 Sometimes attacks combine the two vectors, so that if the message does
not get you, the attachment will.
 Spam is almost always a carrier for scams, frauds, dirty tricks, or malicious
action of some kind.
 Any link that offers something ‘free’ or tempting is suspect.
2. Attachment(and other files):
 Malicious attachments install malicious computer code.
 The code could be a virus, Trojan Horse, Spyware, or any other kind of
malware.
 Attachments attempt to install their payload as soon as we open them.
3. Attack by deception:
 Deception is aimed at the user/operator as a vulnerable entry point.
 It is not just malicious computer code that one needs to monitor.
 Frauds, scams, hoaxes, spam, viruses, worms, and the like require the unwitting
cooperation of the computer’s operator to succeed.
4. Hackers:
 Hackers/crackers are a formidable attack vector.
 Hackers/crackers use a variety of hacking tools and heuristics to gain access
to computers and online accounts.
 They often install a Trojan Horse to commandeer the computer for their own
use.
5. Viruses:
 These are malicious computer codes that hitch a ride on other content and
deliver the payload.
 Nowadays, virus vectors include Email attachments, downloaded files,
worms, etc.
6. Attack of the worms:
 Many worms are delivered as Email attachments, but network worms use
holes in network protocols directly.
 Any remote access service, like file sharing, is likely to be vulnerable to this
sort of worm.
 In most cases, a firewall will block system worms.
 Many of these system worms install Trojan Horses.
 Next they begin scanning the Internet from the computer they have just
infected, looking for other computers to infect.
 If the worm is successful, it propagates rapidly.
7. Heedless guests (Attack by Webpage):
 Counterfeit websites are used to extract personal information. Such websites
look very much like the genuine websites they imitate.
 One may think one is doing business with someone one trusts; however,
one is really giving away personal information, like address, credit card
number, and expiration date.
 They are often used in conjunction with Spam, which gets us there in the first
place. Pop-up webpages may install Spyware, Adware or Trojans.
8. Malicious Macros:
 Microsoft Word and Microsoft Excel are some of the examples that allow macros.
 A macro does something like automating a spreadsheet, for example. Macros
can also be used for malicious purposes.
 All Internet services like instant messaging, Internet Relay Chat (IRC), and P2P
file-sharing networks rely on cozy connections between the computer and the
other computers on the Internet.
9. Foistware (Sneakware):
 Foistware is the software that adds hidden components to the
system on the sly.
 Spyware is the most common form of foistware.
 Foistware is quasi-legal software bundled with some attractive
software.
 Sneak software often hijacks the browser and diverts users to
some ‘revenue opportunity’ that the foistware has set up.
