Chapter 2
IN THIS CHAPTER
Exploring attacks that can inflict damage
Discovering the difference between impersonation, data interception, and data theft
Looking at the various types of malware, poisoning, and malvertising
Finding out about advanced forms of cyberattacks
Many different types of cyberattacks exist — so many that I could write an entire series of books about them and add many new chapters every year. In this book, however, I do not cover all types of threats in detail because the reality is, you’re likely reading this book to learn about how to keep yourself cybersecure, not to learn about matters that have no impact on you, such as forms of attacks that are normally directed at espionage agencies, industrial equipment, or military armaments.
In this chapter, you find out about the different types of problems that cyberattackers can create through the use of attacks that commonly impact individuals and small businesses.
Attackers launch some forms of cyberattacks with the intent to inflict damage to victims. The threat posed by such attacks is not that a criminal will directly steal your money or data, but that the attackers will inflict harm to you in some other specific manner — a manner that may ultimately translate into financial, military, political, physical, or other benefit to the attacker and (potentially) damage of some sort to the victim.
Types of attacks that inflict damage include
A denial-of-service (DoS) attack is one in which an attacker intentionally attempts to either partially cripple or totally paralyze a computer or computer network by flooding it with large amounts of requests or data, which overload the target and make it incapable of responding properly to legitimate requests.
In many cases, the requests sent by the attacker are each, on their own, legitimate — for example, a normal request to load a web page. In other cases, the requests aren’t normal requests. Instead, they leverage knowledge of various protocols to send requests that optimize, or even magnify, the effect of the attack.
In any case, denial-of-service attacks work by overwhelming computer systems’ central processing units (CPUs) and/or memory, utilizing all the available network communications bandwidth, and/or exhausting networking infrastructure resources such as routers.
A distributed denial-of-service (DDoS) attack is a DoS attack in which many individual computers or other connected devices across disparate regions simultaneously flood the target with requests. In recent years, nearly all major denial-of-service attacks have been distributed in nature — and some have involved the use of Internet-connected cameras and other devices as attack vehicles, rather than classic computers. Figure 2-1 illustrates the anatomy of a simple DDoS attack.
The goal of a DDoS attack is to knock the victim offline, and the motivation for doing so varies.
Sometimes the goal is financial: Imagine, for example, the damage that may result to an online retailer’s business if an unscrupulous competitor knocked the former’s site offline during Black Friday weekend. Imagine a crook who shorts the stock of a major retailer of toys right before launching a DDoS attack against the retailer two weeks before Christmas.
DDoS attacks remain a serious and growing threat. Criminal enterprises even offer DDoS-for-hire services, which are advertised on the dark web as offering, for a fee, to “take your competitor’s websites offline in a cost-effective manner.”
In some cases, DDoS launchers may have political, rather than financial, motives. For example, corrupt politicians may seek to have their opponents’ websites taken down during an election season, thereby reducing the competitors’ abilities to spread messages and receive online campaign contributions. Hacktivists may also launch DDoS attacks in order to take down sites in the name of “justice” — for example, targeting law enforcement sites after an unarmed person is killed during an altercation with police.
In fact, according to a 2017 study by Kaspersky Lab and B2B International, almost half of companies worldwide that experienced a DDoS attack suspect that their competitors may have been involved.
DDoS attacks can impact individuals in three significant ways:
A DDoS attack can render inaccessible a site that a person plans on using. On October 21, 2016, for example, many users were unable to reach several high-profile sites, including Twitter, PayPal, CNN, HBO Now, The Guardian, and dozens of other popular sites, due to a massive DDoS attack launched against a third party providing various technical services for these sites and many more.
The possibility of DDoS attacks is one of the reasons that you should never wait until the last minute to perform an online banking transaction — the site that you need to utilize may be inaccessible for a number of reasons, one of which is an ongoing DDoS attack.
Often, DDoS attacks use what are known as botnets. A botnet is a collection of compromised computers that belong to other parties, but that a hacker remotely controls and uses to perform tasks without the legitimate owners’ knowledge.
Criminals who successfully infect one million computers with malware can, for example, potentially use those machines, known as zombies, to simultaneously send many requests to a single server or server farm in an attempt to overload the target with traffic.
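The distinction the chapter draws between a flood from one source and a distributed flood is something a defender can read straight out of a web server’s access log. The following is an added illustration, not code from the book: it buckets requests into one-second windows over a constructed sample log and labels each flood as single-source (DoS) or spread across many clients (DDoS), the case that blocking one IP address does not fix.

```python
"""Spot request floods in web-server access logs and tell a single-source
DoS from a distributed one (DDoS). Added illustration for this chapter;
the log lines below are constructed, not taken from any real server."""
import re
from collections import Counter
from datetime import datetime

# Common Log Format prefix: client IP, identd, user, [timestamp], "request".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, datetime, request_line) or None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request


def flood_alerts(lines, window_seconds=1, threshold=10, single_source_share=0.5):
    """Bucket requests into fixed time windows; a window holding at least
    `threshold` requests is a flood.  If one client sent `single_source_share`
    or more of that window's requests it is a plain DoS from one source; if the
    load is spread over many clients it is distributed (DDoS), the case that
    per-IP blocking alone does not solve."""
    buckets = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, _request = parsed
        epoch = int(when.timestamp())
        window = epoch - epoch % window_seconds
        buckets.setdefault(window, []).append(ip)

    alerts = []
    for window in sorted(buckets):
        ips = buckets[window]
        if len(ips) < threshold:
            continue
        top_ip, top_count = Counter(ips).most_common(1)[0]
        kind = "dos" if top_count / len(ips) >= single_source_share else "ddos"
        alerts.append({
            "window_start": window,
            "requests": len(ips),
            "sources": len(set(ips)),
            "top_source": top_ip,
            "kind": kind,
        })
    return alerts


def _log_line(ip, second, path="/"):
    # Constructed log line; the IPs come from the RFC 5737 documentation ranges.
    return (f'{ip} - - [01/Jan/2021:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')


# Constructed sample: two ordinary visitors, then one client hammering the
# home page twelve times in a second, then thirty distinct clients doing the
# same in the next second (each request is a normal page load on its own).
SAMPLE_LOG = (
    [_log_line("198.51.100.7", 0, "/index.html"), _log_line("198.51.100.9", 1, "/about")]
    + [_log_line("198.51.100.20", 2) for _ in range(12)]
    + [_log_line(f"203.0.113.{i}", 3) for i in range(1, 31)]
)

if __name__ == "__main__":
    for alert in flood_alerts(SAMPLE_LOG):
        print(alert)
```

Real traffic needs a threshold tuned to the site’s normal load; the point is that the source count, not the request count alone, tells you which kind of flood you are facing.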
Sometimes attackers want to do more than take a party temporarily offline by overwhelming it with requests — they may want to damage the victim by destroying or corrupting the target’s information and/or information systems. A criminal may seek to destroy a user’s data through a data destruction attack — for example, if the user refuses to pay a ransomware ransom that the crook demands. Of course, all the reasons for launching DDoS attacks (see preceding section) are also reasons that a hacker may attempt to destroy someone’s data as well.
Wiper attacks are advanced data destruction attacks in which a criminal uses malware to wipe the data on a victim’s hard drive or SSD, in such a fashion that the data is difficult or impossible to recover.
To put it simply, unless the victim has backups, someone whose computer is wiped by a wiper is likely to lose access to all the data and software that was previously stored on the attacked device.
One of the great dangers that the Internet creates is the ease with which mischievous parties can impersonate others. Prior to the Internet era, for example, criminals could not easily impersonate a bank or a store and convince people to hand over their money in exchange for some promised rate of interest or goods. Physically mailed letters and later telephone calls became the tools of scammers, but none of those earlier communication techniques ever came close to the power of the Internet to aid criminals attempting to impersonate law-abiding parties.
Creating a website that mimics the website of a bank, store, or government agency is quite simple and can sometimes be done within minutes. Criminals can find a near-endless supply of domain names that are close enough to those of legitimate parties to trick some folks into believing that a site that they are seeing is the real deal when it’s not, giving crooks the typical first ingredient in the recipe for online impersonation.
Phishing refers to an attempt to convince a person to take some action by impersonating a trustworthy party that reasonably may legitimately ask the user to take such action.
For example, a criminal may send an email that appears to have been sent by a major bank and that asks recipients to click on a link in order to reset their passwords due to a possible data breach. When users click the link, they are directed to a website that appears to belong to the bank, but is actually a replica run by the criminal. As such, the criminal uses the fraudulent website to collect usernames and passwords to the banking site.
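Because a near-match domain name is, as noted above, the usual first ingredient of impersonation, one practical defence is to screen host names (from email links, proxy logs, or newly registered domains) against the domains you actually trust. The following is an added illustration, not code from the book; the allow-list and the candidate host names are constructed, and the registered-domain helper is deliberately simplified.

```python
"""Flag domain names that resemble, but are not, a known legitimate domain,
the first ingredient of online impersonation described in this chapter.
Added illustration, not from the book; the allow-list and the candidate
host names are constructed using example-style names."""

# Characters and digraphs that pass for another letter in many fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def normalize(label):
    """Fold common look-alike characters so 'exarnp1e' compares equal to 'example'."""
    label = label.lower()
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of a host name.  Simplification: ignores multi-part
    public suffixes such as co.uk, which a real tool would handle via the
    Public Suffix List."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def lookalike_verdict(host, legit_domains, max_distance=1):
    """Return None if `host` belongs to a legitimate domain, otherwise a
    (reason, impersonated_domain) tuple describing how it resembles one.
    The brand labels in `legit_domains` should be distinctive words; a
    generic label would make the embedded-brand check fire on unrelated hosts."""
    reg = registered_domain(host)
    if reg in legit_domains:
        return None                              # the real site or a subdomain of it
    reg_label = reg.split(".")[0]
    for legit in legit_domains:
        legit_label = legit.split(".")[0]
        if reg_label == legit_label:
            return ("wrong-tld", legit)          # examplebank.co vs examplebank.com
        if legit_label in host.lower():
            return ("embedded-brand", legit)     # examplebank.com.login-check.net
        if normalize(reg_label) == normalize(legit_label):
            return ("homoglyph", legit)          # exarnplebank.com
        if levenshtein(reg_label, legit_label) <= max_distance:
            return ("typosquat", legit)          # examplebnk.com
    return None


LEGIT_DOMAINS = {"examplebank.com"}   # constructed allow-list of domains we trust

if __name__ == "__main__":
    for candidate in ["www.examplebank.com", "examplebank.co",
                      "examplebank.com.login-check.net", "exarnplebank.com",
                      "examplebnk.com", "unrelated.org"]:
        print(candidate, "->", lookalike_verdict(candidate, LEGIT_DOMAINS))
```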
Spear phishing refers to phishing attacks that are designed and sent to target a specific person, business, or organization. If a criminal seeks to obtain credentials into a specific company’s email system, for example, the attacker may send emails crafted specifically for particular targeted individuals within the organization. Often, criminals who spear phish research their targets online and leverage overshared information on social media in order to craft especially legitimate-sounding emails.
For example, the following type of email is typically a lot more convincing than, “Please login to the mail server and reset your password”:
Hi, I am going to be getting on my flight in ten minutes. Can you please log in to the Exchange server and check when my meeting is? For some reason, I cannot get in. You can try to call me by phone first for security reasons, but if you miss me, just go ahead, check the information, and email it to me — as you know that I am getting on a flight that is about to take off.
CEO fraud is similar to spear phishing (see preceding section) in that it involves a criminal impersonating the CEO or other senior executive of a particular business, but the instructions provided by “the CEO” may be to take an action directly, not to log in to a system, and the goal may not be to capture usernames and passwords or the like.
The crook, for example, may send an email to the firm’s CFO with instructions to issue a wire payment to a particular new vendor or to send all the organization’s W2 forms for the year to a particular email address belonging to the firm’s accountant.
CEO fraud often nets significant returns for criminals and makes employees who fall for the scams appear incompetent. As a result, people who fall prey to such scams are often fired from their jobs. CEO fraud increased during the COVID-19 pandemic as people worked from home and were unable to verify the veracity of communications with as much ease as they could prior to the arrival of the novel coronavirus.
Smishing refers to cases of phishing in which the attackers deliver their messages via text messages (SMS) rather than email. The goal may be to capture usernames and passwords or to trick the user into installing malware.
Vishing, or voice-based phishing, is phishing via POTS — that stands for “plain old telephone service.” Yes, criminals use old, time-tested methods for scamming people. Today, most such calls are transmitted by Voice over Internet Protocol (VoIP) systems, but in the end, the scammers are calling people on regular telephones much the same way that scammers have been doing for decades.
Pharming refers to attacks that present much like typical phishing attacks, but exploit different technical vulnerabilities in Internet-based routing in order to do so. Like phishing attacks, pharming attacks involve impersonating a trustworthy party that may legitimately ask the would-be victim to take some particular action. However, in pharming attacks, this is achieved not by tricking users into taking an action that brings them to a rogue clone of a legitimate website, but rather by poisoning routing tables and other network infrastructure so that any user who clicks a link to the legitimate website, or even enters the legitimate website’s URL into a browser, will be routed to a criminal’s clone.
Whaling refers to spear phishing that targets high-profile business executives or government officials. (I know that whales are mammals and not fish, but this is about phishing not fishing.) For more on spear phishing, see the section earlier in this chapter.
Sometimes attackers don’t want to disrupt an organization’s normal activities, but instead seek to exploit those activities for financial gain. Often, crooks achieve such objectives by manipulating data in transit or as it resides on systems of their targets in a process known as tampering.
In a basic case of tampering with data in transit, for example, imagine that a user of online banking has instructed the bank to wire money to a particular account, but somehow a criminal intercepted the request and changed the relevant routing and account number to the criminal’s own.
A criminal may also hack into a system and manipulate information for similar purposes. Using the previous example, imagine if a criminal changed the payment address associated with a particular payee so that when the Accounts Payable department makes an online payment, the funds are sent to the wrong destination (well, at least it is wrong in the eyes of the payer).
One can also imagine the impact of a criminal modifying an analyst’s report about a particular stock before the report is issued to the public, with the criminal, of course, standing by to buy or sell stocks when the report is released in order to exploit the soon-to-be-reversed impact of the misinformation.
Interception occurs when attackers capture information in transit. In the context of cybersecurity, the transit is usually between computers or other electronic devices, but it could also be between a human and a device as well (such as capturing voice spoken to a voice recognition system). If the data isn’t properly encrypted, the party intercepting it may be able to misuse it. And, of course, data captured directly from humans — such as the aforementioned voice recordings — often cannot be encrypted.
One special type of interception is known as a man-in-the-middle attack. In this type of attack, the interceptor proxies the data between the sender and recipient in an attempt to disguise the fact that the data is being intercepted. Proxying in such a case refers to the man-in-the-middle intercepting requests and then transmitting them (in either modified or unmodified form) to their original intended destinations, and then receiving the responses from those destinations and transmitting them (in modified or unmodified form) back to the sender. By employing proxying, the man-in-the-middle makes it difficult for senders to know that their communications are being intercepted, because when they communicate with a server, they receive the responses they expect.
For example, a criminal may set up a bogus bank site (see the earlier “Phishing” section) and relay any information that anyone enters on the bogus site to the actual bank site so that the criminal can respond with the same information that the legitimate bank would have sent. Proxying of this sort not only helps criminals avoid detection — users who provide the crook with their password and then perform their normal online banking tasks may have no idea that anything abnormal occurred during the online banking session — but also helps the criminals ensure that they capture the right password. If a user enters an incorrect password, the criminal will know to prompt for the correct one.
Figure 2-2 shows the anatomy of a man-in-the-middle intercepting and relaying communications.
Many cyberattacks involve stealing the victim’s data. An attacker may want to steal data belonging to individuals, businesses, or a government agency for one or more of many possible reasons.
People, businesses, nonprofits, and governments are all vulnerable to data theft.
Criminals often try to steal people’s data in the hope of finding items that they can monetize, including:
Criminals can use data stolen from businesses for a number of nefarious purposes:
Data exfiltration is a somewhat complicated term for a simple concept: a party causes data to be transferred without authorization from some information system or repository to somewhere else, whether through the use of malware or other automated means, or by manually issuing commands to a remote computer.
Anytime you hear of a data breach in which sensitive data has been copied by criminals, that is an example of data exfiltration. Depending on what data leaks and from whom, data exfiltration can easily harm the confidence of a business’s customers, reduce trust in a government entity, undermine the confidentiality of proprietary information, and/or undermine national security.
Compromised credentials refers to account authentication information, such as your username and/or password, that someone other than you is privy to. Abusing compromised credentials almost always refers to situations in which a criminal uses a login and password combination obtained from one cybersecurity breach in order to gain unauthorized access to a system and carry out another cybersecurity breach. Such attacks with compromised credentials are common, as criminals know that people commonly reuse username/password combinations.
Likewise, use by a rogue employee of another employee’s credentials for any nefarious purpose (and even for most non-nefarious purposes) is also an example of such an attack.
Any attack in which a user or device is forced to violate cybersecurity policies is considered a forced policy violation attack.
Malware, or malicious software, is an all-encompassing term for software that intentionally inflicts damage on its users who typically have no idea that they are running it. Malware includes computer viruses, worms, Trojans, ransomware, scareware, spyware, cryptocurrency miners, adware, and other programs intended to exploit computer resources for nefarious purposes.
Computer viruses are instances of malware that, when executed, replicate by inserting their own code into computer systems. Typically, the insertion is in data files (for example, as rogue macros within a Word document), the special portion of hard drives or solid state drives that contain the code and data used to boot a computer or disk (also known as boot sectors), or other computer programs.
Like biological viruses, computer viruses can spread like wildfire, but they cannot spread without having hosts to infect. Some computer viruses significantly impact the performance of their hosts, while others are, at least at times, hardly noticeable.
Computer worms are stand-alone pieces of malware that replicate themselves without the need for hosts in order to spread. Worms often propagate over connections by exploiting security vulnerabilities on target computers and networks. Because they normally consume network bandwidth, worms can inflict harm even without modifying systems or stealing data. They can slow down network connections — and few people, if any, like to see their internal and Internet connections slow down.
Trojans (appropriately named after the historical Trojan horse) are malware that is either disguised as nonmalicious software or hidden within a legitimate, nonmalicious application or piece of digital data.
Trojans are most often spread by some form of social engineering — for example, by tricking people into clicking on a link, installing an app, or running some email attachment. Unlike viruses and worms, Trojans typically don’t self-propagate using technology — instead, they rely on the effort (or more accurately, the mistakes) of humans.
Ransomware is malware that demands that a ransom be paid to some criminal in exchange for the infected party not suffering some harm. Ransomware often encrypts user files and threatens to delete the encryption key if a ransom isn’t paid within some relatively short period of time, but other forms of ransomware involve a criminal actually stealing user data and threatening to publish it online if a ransom is not paid.
Some ransomware actually steals the files from users’ computers, rather than simply encrypting data, so as to ensure that users have no possible way to recover their data (for example, using an anti-ransomware utility) without paying the ransom.
Ransomware is most often delivered to victims as a Trojan or a virus, but has also been successfully spread by criminals who packaged it in a worm. In recent years sophisticated criminals have even crafted targeted ransomware campaigns that leverage knowledge about what data is most valuable to a particular target and how much that target can afford to pay in ransoms.
Figure 2-3 shows the ransom demand screen of WannaCry — a flavor of ransomware that inflicted at least hundreds of millions of dollars in damage (if not billions), after initially spreading in May 2017. Many security experts believe that the North Korean government or others working for it created WannaCry, which, within four days infected hundreds of thousands of computers in about 150 countries.
Since publication of the first edition of this book, ransomware has both emerged as one of the largest sources of financial losses due to cyberattacks for American businesses and led to interruptions in the lives of ordinary civilians. For example, in 2021, ransomware attacks on an American fuel pipeline operator led to shortages of gas and price increases, and attacks on a meat processing facility led to shortages of meat in some locations (see Chapter 21).
Scareware is malware that scares people into taking some action. One common example is malware that scares people into buying security software. A message appears on a device that the device is infected with some virus that only a particular security package can remove, with a link to purchase that “security software.” This topic is also explored in the discussion about fake malware later in this chapter.
Spyware is software that surreptitiously, and without permission, collects information from a device. Spyware may capture a user’s keystrokes (in which case it is called a keylogger), video from a video camera, audio from a microphone, screen images, and so on.
It is important to understand the difference between spyware and invasive programs. Some technologies that might technically be considered spyware had users not been told that they were being tracked online are in use by legitimate businesses; they may be invasive, but they are not malware. These types of nonspyware that also spies include beacons that check whether a user loaded a particular web page and tracking cookies installed by websites or apps. Some experts have argued that any software that tracks a smartphone’s location while the app is not being actively used by the device’s user also falls into the category of nonspyware that also spies — a definition that would include popular apps, such as Uber.
Cryptocurrency miners, or cryptominers, are malware that, without any permission from devices’ owners, commandeers infected devices’ brainpower (their CPU cycles) to generate new units of a particular cryptocurrency (which the malware gives to the criminals operating it) by completing complex math problems that require significant processing power to solve.
The proliferation of cryptocurrency miners exploded in 2017 with the rise of cryptocurrency values. Even after price levels subsequently dropped, the miners are still ubiquitous as once criminals have invested in creating the miners, there is little cost in continuing to deploy them. Not surprisingly, as cryptocurrency prices began to rise again in 2019, new strains of cryptominers began to appear as well — some of which specifically target Android smartphones.
Many low-end cybercriminals favor using cryptominers. Even if each miner, on its own, pays the attacker very little, miners are easy to obtain and directly monetize cyberattacks without the need for extra steps (such as collecting a ransom) or the need for sophisticated command and control systems.
Adware is software that generates revenue for the party operating it by displaying online advertisements on a device. Adware may be malware — that is, installed and run without the permission of a device’s owner — or it may be a legitimate component of software (for example, installed knowingly by users as part of some free, ad-supported package).
Blended malware is malware that utilizes multiple types of malware technology as part of an attack — for example, combining features of Trojans, worms, and viruses.
Blended malware can be quite sophisticated and often stems from skilled attackers.
Zero-day malware is any malware that exploits a vulnerability not previously known to the public or to the vendor of the technology containing the vulnerability, and is, as such, often extremely potent.
Regularly creating zero-day malware requires significant resources and development effort. It’s quite expensive and is often crafted by the cyber armies of nation states rather than by other hackers.
Commercial purveyors of zero-day malware have been known to charge over $1 million for a single exploit.
Ironically, some attackers don’t even bother to actually hack computers. Instead, they just send messages to would-be victims that the would-be victims’ computers are infected and that to re-secure the device the intended victims must pay some fee or purchase some security software. Sometimes criminals are able to display messages to such an effect in a pop-up window, and sometimes they keep things simple, and just send the messages via email.
Fake malware may be even more common on mobile devices than on laptops and other computers. For various technical reasons, it is harder to hack mobile devices, so many criminals go for the “low hanging fruit” and just pretend to have compromised devices in order to get would-be victims to pay up. There are even flavors of “mobile device ransomware” that display ransomware-type demands without ever having encrypted anything on the mobile device.
A type of social-engineering attack that exploits people’s desire to remain cybersecure (and that I have included in the malware section because it is directly related to protection against malware) is fake “renewal notices” from anti-malware product vendors. Emails that say one’s security software subscription is expiring and ask users to click a link (don’t do it!) or to otherwise submit payment for a renewal can closely parallel their legitimate counterparts. This sort of attack became extremely common during the COVID-19 pandemic era, during which many people worked from home and, more often than ever before, were responsible for making sure they had current security software subscriptions.
Many different types of attacks leverage vulnerabilities in servers, and new weaknesses are constantly discovered, which is why cybersecurity professionals have full-time jobs keeping servers safe. Entire books — or even several series of books — can be written on such a topic, which is, obviously, beyond the scope of this work.
That said, it is important for you to understand the basic concepts of server-based attacks because some such attacks can directly impact you.
One such form of attack is a poisoned web service attack, or a poisoned web page attack. In this type of attack, an attacker hacks into a web server and inserts code onto it that causes it to attack users when they access a page or set of pages that the server is serving.
For example, a hacker may compromise the web server serving www.abc123.com and modify the home page that is served to users accessing the site so that the home page contains malware.
But a hacker does not even need to necessarily breach a system in order to poison web pages!
If a site that allows users to comment on posts isn't properly secured, for example, it may allow a user to add the text of various commands within a comment — commands that, if crafted properly, may be executed by users’ browsers any time they load the page that displays the comment. A criminal can insert a command to run a script on the criminal’s website, which can receive the authentication credentials of the user to the original site because it is called within the context of one of that site’s web pages. Such an attack is known as cross-site scripting, and it continues to be a problem even after over a decade of being addressed.
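The comment-field case above comes down to one rendering decision: whether the site treats a comment as text or as markup. The following is an added illustration, not code from the book, with a constructed page template and a constructed comment: it shows the vulnerable rendering beside the escaped one, checks which elements a browser would actually build from each, and adds the Content-Security-Policy header that stops scripts from other hosts from loading even if escaping is missed somewhere.

```python
"""Cross-site scripting through a comment field: the unsafe rendering beside
the fixed one, plus the response header that limits the damage if escaping
is ever missed.  Added illustration, not from the book; the page template
and the sample comment are constructed."""
import html
from html.parser import HTMLParser

# Constructed page template: the comment is dropped into a <div>.
PAGE = ('<html><body><h1>A post</h1>'
        '<div class="comment">{comment}</div></body></html>')


def render_unsafe(comment):
    """Vulnerable: untrusted text is concatenated straight into the document,
    so any tags in the comment are parsed and executed by every visitor."""
    return PAGE.format(comment=comment)


def render_safe(comment):
    """Fixed: the HTML metacharacters < > & " ' are escaped, so the comment is
    displayed as text rather than interpreted as markup."""
    return PAGE.format(comment=html.escape(comment, quote=True))


def security_headers():
    """Defence in depth: a Content-Security-Policy that only allows scripts
    from the site itself, so a script tag pointing at another host would not
    load even if escaping were forgotten somewhere."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}


class _TagCollector(HTMLParser):
    """Records the elements a browser would build from the served document."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(document):
    """Return the list of element names in `document`, in order of appearance."""
    parser = _TagCollector()
    parser.feed(document)
    return parser.tags


# Constructed comment of the kind the chapter describes: it would pull a
# script from a third-party host into the context of the original site.
SAMPLE_COMMENT = ('Great article! '
                  '<script src="https://third-party.example/x.js"></script>')

if __name__ == "__main__":
    print("unsafe elements:", element_tags(render_unsafe(SAMPLE_COMMENT)))
    print("safe elements:  ", element_tags(render_safe(SAMPLE_COMMENT)))
```

Escaping must match the context the text lands in (an attribute or a script block needs different encoding than element content), which is why a templating engine that escapes by default is the usual fix rather than hand-applied calls.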
As with web servers, many different types of attacks leverage vulnerabilities in network infrastructure, and new weaknesses are constantly discovered. The vast majority of this topic is beyond the scope of this book. That said, as is the case with poisoned web servers, you need to understand the basic concepts of network-based attacks because some such attacks can directly impact you. For example, criminals may exploit various weaknesses in order to add corrupt domain name system (DNS) data into a DNS server.
DNS is the directory of the Internet that translates human-readable addresses into their numeric, computer-usable equivalents (IP addresses). For example, if you enter https://JosephSteinberg.com into your web browser, DNS directs your connection to an address taking the form of four numbers less than 256 and separated by periods, such as 104.18.45.53.
By inserting incorrect information into DNS tables, a criminal can cause a DNS server to return an incorrect IP address to a user’s computer. Such an attack can easily result in a user’s traffic being diverted to a computer of the attacker’s choice instead of the user’s intended destination. If the criminal sets up a phony bank site on the server to which traffic is being diverted, for example, and impersonates on that server a bank that the user was trying to reach, even a user who enters the bank URL into a browser (as opposed to just clicking on a link) may fall prey after being diverted to the bogus site. (This type of attack is known as DNS poisoning or pharming.)
Malvertising is an abbreviation of the words malicious advertising and refers to the use of online advertising as a vehicle to spread malware or to launch some other form of a cyberattack.
Because many websites display ads that are served and managed by third-party networks and that contain links to various other third parties, online advertisements are a great vehicle for attackers. Even companies that adequately secure their websites may not take proper precautions to ensure that they do not deliver problematic advertisements created by, and managed by, someone else.
As such, malvertising sometimes allows criminals to insert their content into reputable and high-profile websites with large numbers of visitors (something that would be difficult for crooks to achieve otherwise), many of whom may be security conscious and who would not have been exposed to the criminal’s content had it been posted on a less reputable site.
Furthermore, because websites often earn money for their owners based on the number of people who click on various ads, website owners generally place ads on their sites in a manner that will attract users to the ads. As such, malvertising allows criminals to reach large audiences via a trusted site without having to hack anything.
Some malvertising requires users to click on the ads in order to become infected with malware; others do not require any user participation — users’ devices are infected the moment the ad displays.
Drive-by download is something of a euphemism that refers to software that users download without understanding what they are doing. A drive-by download may occur, for example, if users download malware by going to a poisoned website that automatically sends the malware to the users’ device when they open the site.
Drive-by downloads also include cases in which users know that they are downloading software, but are not aware of the full consequences of doing so. For example, if a user is presented with a web page that says that a security vulnerability is present on their computer and that tells the user to click on a button that says “Download to install a security patch,” the user has provided authorization for the (malicious) download — but only because the user was tricked into believing that the nature of the download was far different than it truly is.
Criminals can steal passwords many different ways. Two common methods include
Maintaining computer systems is no trivial matter. Software vendors often release updates, many of which may impact other programs running on a machine. Yet, it is absolutely critical that some patches be installed in a timely fashion because they fix bugs in software — bugs that may introduce exploitable security vulnerabilities. The conflict between security and following proper maintenance procedures is a never-ending battle — and security doesn’t often win.
As a result, the vast majority of computers aren’t kept up to date. Even people who do enable automatic updates on their devices may not be up to date — both because checks for updates are done periodically, not every second of every day, and because not all software offers automatic updating. Furthermore, sometimes updates to one piece of software introduce vulnerabilities into another piece of software running on the same device.
If you listen to the news during a report of a major cyberbreach, you’ll frequently hear commentators referring to advanced attacks. While some cyberattacks are clearly more complex than others and require greater technical prowess to launch, no specific, objective definition of an advanced attack exists. That said, from a subjective perspective, you may consider any attack that requires a significant investment in research and development to be successfully executed to be advanced. Of course, the definition of significant investment is also subjective. In some cases, R&D expenditures are so high and attacks are so sophisticated that there is near universal agreement that an attack was advanced. Some experts consider any zero-day attack to be advanced, but others disagree.
Advanced attacks may be opportunistic, targeted, or a combination of both.
Opportunistic attacks are attacks aimed at as many targets as possible in order to find some that are susceptible to the attack that was launched. The attacker doesn’t have a list of predefined targets — the attacker’s targets are effectively any and all reachable systems that are vulnerable to the launched attack. These attacks are similar to someone firing a massive shotgun into an area with many targets in the hope that one or more pellets will hit a target that they can penetrate.
Targeted attacks are attacks that target a specific party and typically involve utilizing a series of attack techniques until one eventually succeeds in penetrating into the target. Additional attacks may be launched subsequently in order to move around within the target’s systems.
The goal of most opportunistic attacks is usually to make money — which is why the attackers don’t care whose systems they breach; money is the same regardless of whose systems are breached in order to make it.
Furthermore, in many cases, opportunistic attackers may not care about hiding the fact that a breach occurred — especially after they’ve had time to monetize the breach, for example, by selling lists of passwords or credit card numbers that they stole.
While not all opportunistic attacks are advanced, some certainly are. Opportunistic attacks are quite different from targeted attacks.
When it comes to targeted attacks, successfully breaching any systems not on the target list isn’t considered even a minor success.
For example, if a Russian operative is assigned the mission to hack into the Democratic and Republican parties’ email systems and steal copies of all the email on the parties’ email servers, the mission is going to be deemed a success only if the operative achieves those exact aims. If the operative manages to steal $1 million from an online bank using the same hacking techniques that were directed at the targets, it will not change a failure to breach the intended targets into even a small success. Likewise, if the goal of an attacker launching a targeted attack is to take down the website of a former employer the attacker had issues with, taking down other websites doesn’t accomplish anything in the attacker’s mind.
Because such attackers need to breach their targets no matter how well defended those parties may be, targeted attacks often utilize advanced attack methods — for example, exploiting vulnerabilities not known to the public or to the vendors who would need to fix them.
As you may surmise, advanced targeted attacks are typically carried out by parties with much greater technical prowess than those who carry out opportunistic attacks. Often, but not always, the goal of targeted attacks is to steal data undetected or to inflict serious damage — not to make money. After all, if one’s goal is to make money, why expend resources targeting a well-defended site? Take an opportunistic approach and go after the most poorly defended, relevant sites.
Some advanced threats that are used in targeted attacks are described as advanced persistent threats (APTs):
Another type of advanced attack is the opportunistic, semi-targeted attack. If criminals want to steal credit card numbers, for example, they may not care whether they successfully steal an equivalent number of active numbers from Best Buy, Walmart, or Barnes & Noble. All that the criminals likely care about is obtaining credit card numbers — from whom the numbers are pilfered isn’t relevant.
At the same time, launching attacks against sites that don’t have credit card data is a waste of the attacker’s time and resources.
While it is not necessary for most people to understand the details of how technical cyberattacks exploit system vulnerabilities, it is often interesting for people to understand the basic ideas behind popular methods utilized by hackers. The following sections outline some common ways of breaching and exploiting technical systems.
Rootkits are software toolsets that allow attackers to perform unauthorized activities at a privileged level on a compromised computer. (“Root” refers to the administrator account on UNIX systems.) Rootkits typically also contain features that seek to ensure that the attacker maintains access while that access remains secret from the authorized user or users of the compromised device.
Brute-force attacks are simply attacks in which an attacker tries many possible values until the tools the attacker is using guess the correct value. A brute-force attack, for example, might consist of an attacker trying to log in to a user’s account by trying every possible password combination until the attacker (or the attacker’s brute-force attack tool, as the case may be) submits the correct one. Or the attacker may try different decryption keys until successfully decrypting an encrypted message.
Injection attacks are attacks in which a system is expecting some sort of input from a user, but instead of submitting such input, an attacker submits malicious material such as code, which the receiving system then either executes or distributes to others to execute. Even though proper coding of applications can, at least in theory, prevent most forms of injection attacks, the reality is that many (if not most) systems remain vulnerable to such attacks, and as a result, injection attacks are an extremely commonly used tool within hacker arsenals.
Cross-site scripting (XSS) is a specific type of injection attack in which an attacker adds malicious code into a legitimate web site so that when a user visits the relevant website (via a web browser or app), the malicious code is delivered to the user’s device and is executed there. The attacker is able to insert the malicious code into the legitimate server because the server allows users to submit material that will then be displayed to other users.
Online user forums and social media platforms are prime candidates for cross-site scripting attacks if they are not properly secured against such attacks. So are websites that allow users to comment on information such as a news article. For example, an XSS attack may occur if a hacker submits malicious code within a comment in such a fashion that when a subsequent user’s browser tries to display the comment, it will end up executing the code.
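The comment scenario just described, as an added example that is not from the book: a toy forum renderer in Python that shows the vulnerable pattern (user text concatenated straight into the page) beside the hardened one (the text HTML-escaped before display). The comment strings, the `render_*` function names and the `contains_live_script` check are all constructed for this illustration.

```python
import html

# Constructed sample comments, as a forum might receive them from users.
SAMPLE_COMMENTS = [
    "Great article, thanks!",
    "<script>alert('xss')</script>",   # constructed stand-in for a malicious comment
    "5 > 3 & 2 < 4",                    # harmless text that happens to contain markup characters
]


def render_comment_unsafe(comment):
    """Vulnerable rendering: user text is concatenated into the HTML unchanged,
    so any tags in the comment become live markup in the next reader's browser."""
    return '<li class="comment">' + comment + "</li>"


def render_comment_safe(comment):
    """Hardened rendering: HTML-escape the text so '<', '>', '&' and quotes are
    shown as characters instead of being parsed as markup."""
    return '<li class="comment">' + html.escape(comment, quote=True) + "</li>"


def render_page(comments, renderer):
    """Build the comment list the way a page template would, using the given renderer."""
    return "<ul>" + "".join(renderer(c) for c in comments) + "</ul>"


def contains_live_script(rendered_html):
    """Crude check for this demo: does the final HTML still contain an unescaped
    <script tag? Real deployments also send a Content-Security-Policy header so
    that even a missed escape cannot run inline script."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("unsafe page runs script:", contains_live_script(render_page(SAMPLE_COMMENTS, render_comment_unsafe)))
    print("safe page runs script:  ", contains_live_script(render_page(SAMPLE_COMMENTS, render_comment_safe)))
    print(render_comment_safe(SAMPLE_COMMENTS[1]))
```

Escaping must happen at the point of output, not at the point of submission: the same comment may later be rendered in an HTML attribute, a JavaScript string or a JSON response, and each of those contexts needs its own encoding.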
SQL injection attacks are a specific type of injection attack that exploits the way most computer systems store data: in relational databases that provide access to people and systems through standard Structured Query Language (SQL) interfaces. When an attacker launches a SQL injection attack, the attacker simply submits data to the system that includes SQL commands rather than regular data. For example, suppose the system asks the user to submit a user ID in order to search on it. An attacker who is aware of the SQL command the system is likely to send to its database to perform that search may instead submit a user ID that consists of code that both completes that command and issues another command to display all records in the database. If the system is not protected against SQL injection, it might do exactly what the attacker wants.
Even if the SQL injection attack does not fully work — and the system being attacked does not display the data — the system’s response to the SQL injection attack may still reveal information about how it handles SQL injection, thereby providing the hacker with information about the system, the database, and the security mechanisms in place (or information as to what is not in place that should be).
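The user-ID search from the two paragraphs above, as an added Python example that is not part of the book: a query built by string concatenation beside its parameterized replacement, run against a constructed in-memory SQLite table. Because SQLite's Python driver refuses to run two statements in one call, the crafted value completes the quoted string and adds an always-true condition rather than appending a second command; the effect the text describes (every record comes back) is the same. The `lookup_*` function names, the table and the sample rows are all assumptions made for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table, not a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "Alice", "alice@example.com"),
            ("bob", "Bob", "bob@example.com"),
            ("carol", "Carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Vulnerable lookup: the submitted ID is pasted straight into the SQL text,
    so a value containing a quote changes the meaning of the query."""
    query = "SELECT id, name FROM users WHERE id = '" + user_id + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Hardened lookup: a parameterized query. The driver hands the value to the
    database as data, so quotes inside it never become SQL syntax."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def lookup_vulnerable_with_error(conn, user_id):
    """The same vulnerable query, returning the raw database error text as well.
    Echoing that text to the user reveals how the query is built even when the
    injection itself fails, which is the leak the text warns about."""
    try:
        return lookup_vulnerable(conn, user_id), None
    except sqlite3.Error as exc:
        return None, str(exc)


def demo():
    """Run both lookups on a normal ID and on a crafted one; return the results."""
    conn = make_db()
    normal = "alice"
    # Constructed input: closes the quoted string and appends an always-true
    # condition, so the WHERE clause matches every row.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "safe_normal": lookup_safe(conn, normal),
        "safe_crafted": lookup_safe(conn, crafted),
        # A lone quote breaks the concatenated query; the error text leaks out.
        "leaked_error": lookup_vulnerable_with_error(conn, "x'")[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The hardened version needs no input filtering at all: the placeholder keeps data and SQL apart regardless of what the value contains. For the error-leak case, the fix is to log the database error server-side and return only a generic message to the user.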
Session hijacking refers to situations in which an attacker takes over the communications session between two or more parties. For example, during an online banking session, if an attacker is able to come between the user and the user’s bank in such a fashion that the bank continues its session with the attacker rather than with the legitimate user, that would be an example of a successful session hijacking attack.
In a session hijacking situation, the attacker effectively becomes the authenticated and authorized user as far as the other party is concerned, and the attacker can do anything on the relevant system that the legitimate user would have been authorized to do. Session hijacking often occurs when session management is mishandled by an application, especially in cases in which trust that communications are from a particular session with a particular user is established through technical mechanisms that should not be trusted for such purposes.
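One way to handle the session management the paragraph above refers to, as an added Python example that is not the book's own code: a server-side session store keyed by an unguessable random token, with expiry and with rotation of the token after login, shown beside the sequential-ID scheme that should never be trusted. The `SessionStore` class, its method names and the injectable clock are assumptions made for this illustration.

```python
import secrets
import time


def guessable_session_id(counter):
    """How NOT to do it: a sequential ID. Anyone who sees one value can predict
    its neighbours, so the ID proves nothing about who is on the other end."""
    return "sess-%06d" % counter


class SessionStore:
    """Server-side session table keyed by a random token the client cannot guess."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._sessions = {}
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested without waiting

    def create(self, user):
        """Start a session for user and return its token (256 bits from the OS CSPRNG)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def user_for(self, sid):
        """Return the user bound to sid, or None if the token is unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            del self._sessions[sid]  # expired tokens are removed, not just ignored
            return None
        return entry["user"]

    def rotate(self, sid):
        """Issue a fresh token and invalidate the old one, e.g. right after login or
        a privilege change, so a token captured earlier is worthless afterwards."""
        user = self.user_for(sid)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user)

    def destroy(self, sid):
        """Explicit logout: forget the session immediately."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    first = store.create("alice")
    second = store.rotate(first)
    print("old token still valid:", store.user_for(first) is not None)
    print("new token valid:      ", store.user_for(second))
    print("guessable example:    ", guessable_session_id(41))
```

Binding a session to a random server-side token is only half of the defence; the token must also travel only over TLS and be marked so that scripts on the page and cross-site requests cannot read or send it, otherwise interception of the token gives the attacker exactly the position the text describes.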
Malformed URL attacks are attacks in which an attacker crafts a URL that appears to link to a particular legitimate website, but because of special characters utilized within the URL text, actually does something nefarious. The attacker may then distribute the nefarious URL in email and text messages and/or by posting it within a comment on a blog or via other social media.
Another form of malformed URL attack is an attack in which an attacker crafts a URL that contains elements within it that will cause a system being accessed to malfunction.
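A defender's check for both kinds of malformed URL described above, as an added Python example that is not from the book: it parses each link with the standard library to find the host a browser would actually contact, compares that host with the one the link claims to lead to, and rejects paths that climb out of their directory once percent-encoding is undone. The sample links use reserved example domains and are constructed; `points_to`, `real_host`, `path_is_well_formed` and `audit` are names chosen for this demo.

```python
from urllib.parse import urlparse, unquote


def real_host(url):
    """The host a browser would actually connect to, as parsed by urllib.
    Returns None when the URL has no usable host."""
    return urlparse(url).hostname


def points_to(url, expected_host):
    """True only if the URL really leads to expected_host (or a subdomain of it)
    over HTTPS. Any text shown to the user alongside the link is ignored."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme != "https" or host is None:
        return False
    expected = expected_host.lower()
    return host == expected or host.endswith("." + expected)


def path_is_well_formed(url):
    """Reject paths that try to climb out of the intended directory once
    percent-encoding is undone, one way a crafted URL makes a server misbehave."""
    path = unquote(urlparse(url).path)
    return ".." not in path.split("/") and "\x00" not in path


# Constructed sample links: one genuine, then several crafted look-alikes.
SAMPLE_LINKS = [
    "https://bank.example.com/login",                       # genuine
    "https://bank.example.com@evil.example/login",          # user-info trick: real host is evil.example
    "https://bank.example.com.evil.example/login",          # look-alike subdomain of another site
    "http://bank.example.com/login",                        # right host, but not over HTTPS
    "https://bank.example.com/files/..%2F..%2Fsecret",      # encoded '../' segments in the path
]


def audit(links, expected_host="bank.example.com"):
    """Map each link to (leads to the expected host?, path well formed?)."""
    return {link: (points_to(link, expected_host), path_is_well_formed(link)) for link in links}


if __name__ == "__main__":
    for link, (host_ok, path_ok) in audit(SAMPLE_LINKS).items():
        print(f"{link:55} host={real_host(link)!s:30} host_ok={host_ok} path_ok={path_ok}")
```

The same check is what a mail filter or a link-scanning proxy does before a user ever sees the link; the important design point is that the decision is made on the parsed host, never on how the link looks.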
Buffer overflow attacks are attacks in which an attacker submits data to a system that exceeds the storage capacity of the memory buffer in which that data is supposed to be stored, thereby causing the system to overwrite other memory with the data the user submitted. Carefully crafted buffer overflow input by an attacker, for example, could overwrite memory space in which the system is storing commands that it will execute per the instructions of its authorized user — perhaps even replacing such commands with commands the attacker wants the system to execute.