MODULE 2

Cyber Offenses,Botnets
1. Introduction
• Cybercriminal use the World Wide Web and Internet to an optimum level for all
illegal activities to store data, contacts, account information, etc.
• The criminals take advantage of the widespread lack of awareness about cybercrimes
and cyberlaws among the people who are constantly using the IT infrastructure for
official and personal purposes. People who commit cybercrimes are known as
“Crackers”.
• An attacker would look to exploit the vulnerabilities in the networks. The categories
of vulnerabilities that hackers typically search are the following:
(i) Inadequate border protection (border as in the sense of network periphery)
(ii) Remote Access Servers (RASs) with weak access controls
(iii) Application servers with well-known exploits
(iv) Misconfigured systems and systems with default configurations

1.1 Categories of Cybercrime

• Cybercrime can be categorized based on the following:
(i) The target of the crime
(ii) Whether the crime occurs as a single event or as a series of events
• Cybercrime can be targeted against individuals (persons), assets (property) and/or
organizations (government, business and social).
(i) Crimes targeted at individuals
The goal is to exploit human weakness such as greed and naivety. These
crimes include financial frauds, sale of non-existent or stolen items, child
pornography, copyright violation, harassment, etc. with the development in the
IT and the Internet, thus, criminals have a new tool that allows them to expand
the pool of potential victims. This also makes difficult to trace and apprehend
the criminals.
(ii) Crimes targeted at property
This includes stealing mobile devices such as cell phone, laptops, personal
digital assistants (PDAs), and removable medias (CDs and pen drives),
transmitting harmful programs that can disrupt functions of the systems and/or
can wipe out data from hard disk, and can create the malfunctioning of the
attached devices in the system such as modem, CD drive, etc.
(iii) Crimes targeted at organizations
Cyberterrorism is one of the distinct crimes against
organizations/governments. Attackers (individuals or groups of individuals)
use computer tools and the Internet to usually terrorize the citizens of a
particular country by stealing the private information, and also to damage the
programs to get control of the network and/or system.
 (iv) Single event of cybercrime
It is the single event from the perspective of the victim. For example,
unknowingly open an attachment that may contain virus that will infect the
system (PC/laptop). This is known as hacking or fraud.
(v) Series of events
This involves attacker interacting with the victims repetitively. For example,
attacker interacts with the victim on the phone and/or via chat rooms to
establish relationship first and then they exploit that relationship to commit the
sexual assault.

2. How Criminals Plan the Attacks

• Criminals use many methods and tools to locate the vulnerabilities of their target.
• The target can be an individual and/or an organization.
• Criminals plan passive and active attacks.
• Active attacks are usually used to alter the system (that is, computer network) whereas
passive attacks attempt to gain information about the target.
• Active attacks may affect the availability, integrity and authenticity of data whereas
passive attacks lead to breaches of confidentiality.
• Attacks can be categorized as either inside or outside.
• An attack originating and/or attempted within the security perimeter of an
organization is an inside attack. It is usually attempted by an “insider” who gains
access to more resources than expected.
• An outside attack is attempted by a source outside the security perimeter, maybe
attempted by an insider and/or an outsider, who is indirectly associated with the
organization, it is attempted through the Internet or a remote access connection.
• The following phases are involved in planning cybercrime:
(i) Reconnaissance (information gathering) is the first phase and is treated as passive
attacks.
(ii) Scanning and scrutinizing the gathered information for the validity of the
information as well as to identify the existing vulnerabilities.
(iii) Launching an attack (gaining and maintaining the system access).
2.1 Reconnaissance
• The meaning of “Reconnaissance” is an act of reconnoitering – explore, often with the
goal of finding something or somebody (especially to gain information about an
enemy or potential enemy).
• In the world of “hacking”, reconnaissance phase begins with “Footprinting” – this is
the preparation toward preattack phase, and involves accumulating data about the
target’s environment and computer architecture to find ways to intrude into that
environment.
• Footprinting gives an overview about system vulnerabilities and provides a judgment
about possible exploitation of those vulnerabilities.
• The objective of this preparatory phase is to understand the system, its networking
ports and services, and any other aspects of its security that are needful for launching
the attack.
 • Thus, an attacker attempts to gather information in two phases: passive and active
attacks.
2.2 Passive Attacks
• A passive attack involves gathering information about a target without his/her
(individual’s or company’s) knowledge.
• It is usually done using Internet searches or by Googling (that is, searching the
required information with the help of search engine Google) an individual or company
to gain information.
• Network sniffing is another means of passive attack to yield useful information such
as Internet Protocol (IP) address ranges, hidden servers or networks, and other
available services on the system or network.
• The network traffic is sniffed for monitoring the traffic on the network – attacker
watches the flow of data to see what time certain transactions takes place and where
the traffic is going.
• Along with Google search, various other nodes are also used for gathering
information about the target/victim.
2.3 Active Attacks
• An active attack involves probing the network to discover individual hosts to confirm
the information (IP addresses, operating system type and version, and services on the
network) gathered in the passive attack phase.
• It involves the risk of detection and is also called “Rattling the doorknobs” or “Active
reconnaissance”.
• Active reconnaissance can provide confirmation to an attacker about security
measures in place, but the process can also increase the chance of being caught or
raise a suspicion.
2.4 Scanning and Scrutinizing Gathered Information
• Scanning is a key step to examine intelligently while gathering information about the
target.
• The objectives of scanning are as follows:
(i) Port scanning: Identify open/close ports and services.
(ii) Network scanning: Understand IP Addresses and related information about the
computer network systems.
(iii) Vulnerability scanning: Understand the existing weaknesses in the system.
• The scrutinizing phase is always called “enumeration” in the hacking world.
• The objective behind this step is to identify:
(i) The valid user accounts or groups
(ii) Network resources and/or shared resources
(iii) OS and different applications that are running on the OS
• Most of the tools are used for computer network scanning also.
2.5 Attack (Gaining and Maintaining the System Access)
• After the scanning and enumeration, the attack is launched using the following steps:
(i) Crack the password
(ii) Exploit the privileges
(iii) Execute the malicious commands/applications
(iv) Hide the files (if required)
(v) Cover the tracks – delete the access logs, so that there is no trail illicit activity

3. Social Engineering
• Social engineering is the “technique to influence” and “persuasion to deceive” people
to obtain the information or perform some action.
• Social engineers exploit the natural tendency of a person to trust social engineers’
word.
• It is generally agreed that people are the weak link in security and this principle
makes social engineering possible.
• A social engineer usually uses telecommunication (that is, telephone and/or cell
phone) or Internet to get them to do something that is against the security practices
and/or policies of the organization.
• Social engineering involves gaining sensitive information or unauthorized access
privileges by building inappropriate trust relationships with insiders.
• It is an art of exploiting the trust of people.
• The goal of a social engineer is to fool someone into providing valuable information
or access to that information.
• Social engineer studies the human behavior so that people will help because of the
desire to be helpful, the attitude to trust people, and the fear of getting into trouble.
The sign of truly successful social engineers is that they receive information without
any suspicion.
• A simple example is calling a user and pretending to be someone from the service
desk working on a network issue, the attacker then proceeds to ask questions about
what the user is working on, what file shares he/she uses, what his/her password is,
and so on.
3.1 Classification of Social Engineering
• Human-Based Social Engineering
Human-based social engineering refers to person-to-person interaction to get he
required/desired information. An example is calling the help desk and trying to find
out a password.
(i) Impersonating an employee or valid user
“Impersonation” (e.g., posing oneself as an employee of the same organization) is
the greatest technique used by social engineers to deceive people. Social engineers
“take advantage” of the fact that most people are basically helpful, so it seems
harmless to tell someone who appears to be lost where the computer room is
located, or to let someone into the building who “forgot” his/her badge, etc., or
pretending to be an employee or valid user on the system.
(ii) Posing as an important user
The attacker pretends to an important user – for example, a Chief Executive
Officer (CEO) or high-level manager who needs immediate assistance to gain
access to a system. The attacker uses intimidation so that a lower-level employee
such as a help-desk worker will help him/her in gaining access to the system.
(iii) Using a third person
An attacker pretends to have permission from an authorized source to use a
system. This trick is useful when the supposed authorized personnel is on vacation
or cannot be contacted for verification.
(iv) Calling technical support
Calling the technical support for assistance is a classic social engineering
example. Help-desk and technical support personnel are trained to help users,
which makes them good prey for social engineering attacks.
(v) Shoulder surfing
It is a technique of gathering information such as usernames and passwords by
watching over a person’s shoulder while he/she logs into the system, thereby
helping an attacker to gain access to the system.
(vi) Dumpster diving
It involves looking in the trash for information written on pieces of paper or
computer printouts. This term is used to describe the practice of rummaging
through commercial or residential trash to find useful free items that have been
discarded. It is also called dumpstering, binning, trashing, garbing, or garbage
gleaning. “Scavenging” is another term to describe these habits.
• Computer-Based Social Engineering
Computer-based social engineering refers to an attempt made to get the
required/desired information by using computer software/Internet. For example,
sending a fake E-Mail to the user and asking him/her to re-enter a password in a
webpage to confirm it.
(i) Fake E-Mails
The attacker sends fake E-Mails to numerous users in such that the user finds it as
a legitimate mail. This activity is also called “Phishing” It is an attempt to entice
the Internet users (netizens) to reveal their sensitive personal information, such as
usernames, passwords and credit card details by impersonating as a trustworthy
and legitimate organization and/or an individual. Banks, financial institutes and
payment gateways are the common targets. Phishing is typically carried out
through E-Mails or instant messaging and often directs users to enter details at a
website, usually designed by the attacker with abiding the look and feel of the
original website. Thus, Phishing is also an example of social engineering
techniques used to fool netizens.
(ii) E-Mail attachments
E-Mail attachments are used to send malicious code to a victim’s system, which
will automatically (e.g., keylogger utility to capture passwords) get executed.
Viruses, Trojans, and worms can be included cleverly into the attachments to
entice a victim to open the attachment.
(iii) Pop-up windows
Pop-up windows are also used, in a similar manner to E-Mail attachments. Pop-up
windows with special offers or free stuff can encourage a user to unintentionally
install malicious software.

4. Cyberstalking
• “Stalking” is an “act or process of following prey stealthily – trying to approach
somebody or something”.
• Cyberstalking has been defined as the use of information and communications
technology, particularly the Internet, by an individual or group of individuals to harass
another individual, group of individuals, or organization.
• The behavior includes false accusations, monitoring, transmission of threats, ID theft,
damage to data or equipment, solicitation of minors for sexual purposes, and
gathering information for harassment purposes.
• Cyberstalking refers to the use of Internet and/or other electronic communications
devices to stalk another person.
• It involves harassing or threatening behavior that an individual will conduct
repeatedly, for example, following a person, visiting a person’s home and/or at
business place, making phone calls, leaving written messages, or vandalizing against
the person’s property.
• As the Internet has become an integral part of our personal and professional lives,
cyberstalkers take advantage of ease of communication and an increased access to
personal information available with a few mouse clicks or keystrokes.
4.1 Types of Stalkers
There are primarily two types of stalkers
(i) Online stalkers
They aim to start the interaction with the victim directly with the help of the
Internet. E-Mail and chat rooms are the most popular communication medium to
get connected with the victim. The stalker makes sure that the victim recognizes
the attack attempted on him/her. The stalker can make use of a third party to
harass the victim.
(ii) Offline stalkers
The stalker may begin the attack using traditional methods such as following the
victim, watching the daily routine of the victim, etc. Searching on message
boards/newsgroups, personal websites, and people finding services or websites are
most common ways to gather information about the victim using the Internet. The
victim is not aware that the Internet has been used to perpetuate an attack against
them.
4.2 Cases Reported on Cyberstalking
• The majority of cyberstalkers are men and the majority of their victims are women.
• Some cases also have been reported where women act as cyberstalkers and men as the
victims as well as cases of same-sex cyberstalking.
• In many cases, the cyberstalker and the victim hold a prior relationship, and the
cyberstalking begins when the victim attempts to break off the relationship, for
 example, ex-lover, ex-spouse, boss/subordinate, and neighbor. There also have been
many instances of cyberstalking by strangers.
4.3 How Stalking Works?
It is seen that stalking works in the following ways:
(i) Personal information gathering about the victim: Name, family background,
contact details such as cell phone and telephone numbers (of residence as well as
office), address of residence as well as of the office, E-Mail address, date of birth,
etc.
(ii) Establish a contact with victim through telephone/cell phone: Once the contact is
established, the stalker may make calls to the victim to threaten/harass.
(iii) Stalkers will almost always establish a contact with the victims through E-Mail:
The letters may have the tone of loving, threatening or can be sexually explicit.
The stalker may use multiple names while contacting the victim.
(iv) Some stalkers keep on sending repeated E-Mails asking for various kinds of
favors or threaten the victim.
(v) The stalker may post the victim’s personal information on any website related to
illicit services such as sex-workers’ services or dating services, posing as if the
victim has posted the information and invite the people to call the victim on the
given contact details (telephone numbers/cell phone numbers/E-Mail address) to
have sexual services. The stalker will use bad and/or offensive/attractive language
to invite the interested persons.
(vi) Whosoever comes across the information, start calling the victim on the given
contact details (telephone/cell phone nos), asking for sexual services or
relationships.
(vii) Some stalkers subscribe/register the E-Mail account of the victim to innumerable
pornographic and sex sites, because of which victim will start receiving such kind
of unsolicited E-Mails.
4.4 Real-Life Incident of Cyberstalking
Case Study
• The Indian police have registered first case of cyberstalking in Delhi – the brief
account of the case has been mentioned here.
• To maintain confidentiality and privacy of the entities involved, names have been
changed.
• Mrs. Joshi received almost 40 calls in 3 days mostly at odd hours from as far away
from Kuwait, Cochin, Mumbai, and Ahmedabad.
• The said calls created havoc in the personal life destroying mental peace of Mrs. Joshi
who decided to register a complaint with Delhi Police.
• A person was using her ID to chat over the Internet at the website www.mirc.com,
mostly in the Delhi channel for four consecutive days.
• This person was chatting on the Internet, using her name and giving her address,
talking in obscene language.
• The same person was also deliberately giving her telephone number to other chatters
encouraging them to call Mrs. Joshi at odd hours.
• This was the first time when a case of cyberstalking was registered.
• Cyberstalking does not have a standard definition but it can be defined to mean
threatening, unwarranted behavior, or advances directed by one person onward
 another person using Internet and other forms of online communication channels as
medium.

5. Cybercafe and Cybercrimes

• In India, the cybercafes users are 90% of the audience, across eight cities and 3500
cafes who are males and in the age group of 15-35 years. 52% are graduates and
postgraduates, almost over 50% are students. Hence, it is extremely important to
understand the IT security and governance practiced in the cybercafes.
• As per the reports, in India, cybercafes are known to be used for either real or false
terrorist communication.
• Cybercrimes such as stealing of bank passwords and subsequent fraudulent
withdrawal of money have also happened through cybercafes. Cybercafes have also
been used regularly for sending obscene mails to harass people.
• Public computers, usually referred to the systems, available in cybercafes, hold two
types of risks.
• First, we do not know what programs are installed on the computer – that is, risk of
malicious programs such as “keyloggers” or “Spyware”, which maybe running at the
background that can capture the keystrokes to know the passwords and other
confidential information and/or monitor the browsing behavior.
• Second, over-the-shoulder peeping (i.e., shoulder surfing) can enable others to find
out our passwords. Therefore, one has to be extremely careful about protecting his/her
privacy on such systems, as one does not know who will use the computer after
him/her.
• Cybercriminals prefer cybercafes to carry out their activities. The criminals tend to
identify one particular personal computer (PC) to prepare it for their use.
• Cybercriminals can either install malicious programs such as keyloggers and/or
Spyware or launch an attack on the target. Cybercriminals will visit these cafes at a
particular time and on the prescribed frequency, maybe alternate day or twice a week.
• Here are a few tips for safety and security while using the computer in a cybercafe:
(i) Always logout
While checking E-Mails or logging into chatting services such as instant
messaging or using any other service that requires a username and a password,
always click “logout” or “sign out” before leaving the system.
(ii) Stay with the computer
While surfing/browsing, one should not leave the system unattended for any
period of time. If one has to go out, logout and close all browser windows.
(iii) Clear history and temporary files
Before beginning browsing, do the following in case of the browser Internet
Explorer:
➢ Go to Tools → Internet options → click the Content tab → click
AutoComplete. If the checkboxes for passwords are selected, deselect
them. Click OK twice.
➢ After finishing browsing, clear the history and temporary Internet files
folders. For this, go to Tools → Internet options again → click the
General tab → go to Temporary Internet Files → click Delete Files and
then click Delete Cookies.
 ➢ Then, under history, click clear history. Wait for the process to finish
before leaving the computer.
(iv) Be alert
One should have to stay alert and aware of the surroundings while using a public
computer. Snooping over the shoulder is an easy way of getting the username and
password of user.
(v) Avoid online financial transactions
Ideally one should avoid online banking, shopping or other transactions that
require one to provide personal, confidential and sensitive information such as
credit card or bank account details.
(vi) Change passwords
Changing the bank account/transaction passwords is the best practice to be
followed.
(vii) Virtual keyboard
Nowadays almost every bank has provided the virtual keyboard on their website.
(viii) Security warnings
One should take utmost care while accessing the websites of any banks/financial
institution.

6. Botnets: The Fuel for Cybercrime

6.1 Botnet
• The meaning of Bot is “(computing) an automated program for doing some
particular task, often over a network”.
• Botnet is a term used for collection of software robots, or Bots, that run
autonomously and automatically.
• The term is often associated with malicious software but can also refer to the
network of computers using distributed computing software.
• In simple terms, a Bot is simply an automated program. One can gain the
control of user’s computer by infecting them with a virus or other Malicious
Code that gives the access.
• The computer system maybe a part of a Botnet.
• Botnets are often used to conduct a range of activities, from distributing Spam
and viruses to conducting denial-of-service (DoS) attacks.
• A Botnet (also called as zombie network) is a network of computers infected
with a malicious program that allows cybercriminals to control the infected
machines remotely without the user’s knowledge.
• If someone wants to start a “business” and has no programming skills, there
are plenty of “Bot for sale” offers on forums.
• Obfuscation and encryption of these programs’ code can also be ordered in the
same way to protect them from detection by antivirus tools. Another option is
to steal an existing Botnet.
• Figure explains how Botnets create business.
 Botnets are used for gainful purposes
• One can reduce the chances of becoming part of a Bot by limiting access into
the system.
• One can ensure following to secure the system:
(i) Use antivirus and anti-Spyware software and keep it up-to-date
It is important to remove and/or quarantine the viruses. The settings of
these softwares should be done during the installations so that these
softwares get updated automatically on a daily basis.
(ii) Set the OS to download and install security patches automatically
OS companies issue the security patches for flaws that are found in these
systems.
(iii) Use a firewall to protect the system from hacking attacks while it is
connected on the Internet
A firewall is a software and/or hardware that is designed to block
unauthorized access while permitting authorized communications. It is a
device or set of devices configured to permit, deny, encrypt, decrypt, or
proxy all (in and out) computer traffic between different security domains
based upon a set of rules and other criteria.
(iv) Disconnect from the Internet when away from computer
Attackers cannot get into the system when the system is disconnected from
the Internet. Firewall, antivirus, and anti-Spyware softwares are not
foolproof mechanisms to get access to the system.
(v) Downloading the freeware only from websites that are known and
trustworthy
It is always appealing to download free software(s) such as games, file-
sharing programs, customized toolbars, etc. One should remember that
many free software(s) contain other software, which may include Spyware.
 (vi) Check regularly the folders in the mail box – “sent items” or “outgoing” –
for those messages not sent
If such messages are found in outbox, it is a sign that system may have
infected with Spyware, and maybe a part of a Botnet. This is not foolproof,
many spammers have learnt to hide their unauthorized access.
(vii) Take an immediate action if system is infected
If system is found to be infected by a virus, disconnect it from the Internet
immediately. Then scan the entire system with fully updated antivirus and
anti-Spyware software. Report the unauthorized accesses to ISP and to the
legal authorities. There is a possibility that passwords may have been
compromised in such cases, so change all the passwords immediately.

7. Attack Vector
• An “attack vector” is a path or means by which an attacker can gain access to a
computer or to a network server to deliver a payload or malicious outcome.
• Attack vectors enable attackers to exploit system vulnerabilities, including the human
element.
• Attack vectors include viruses, E-Mail attachments, webpages, pop-up windows,
instant messages, chat rooms, and deception.
• All of these methods involve programming (or, in a few cases, hardware), except
deception, in which a human operator is fooled into removing or weakening system
defenses.
• To some extent, firewalls and antivirus software can block attack vectors. No
protection method is totally attack-proof.
• A defense method that is effective today may not remain so for long because attackers
are constantly updating attack vectors, and seeking new ones, in their quest to gain
unauthorized access to computers and servers.
• The most common malicious payloads are viruses (which can function as their own
attack vectors), Trojan Horses, worms, and Spyware.
• Attack vector payload means the malicious activity that the attack performs.
• The attack vectors are launched by the following ways:
(i) Attack by E-Mail
The hostile content is either embedded in the message or linked to by the
message. Sometimes attacks combine the two vectors, so that if the message does
not get to user, the attachment will get. Spam is almost always carrier for scams,
fraud, dirty tricks, or malicious action of some kind. Any link that offers
something “free” or tempting is a suspect.
(ii) Attachments (and other files)
Malicious attachments install malicious computer code. The code could be a
virus, Trojan Horse, Spyware, or any other kind of malware. Attachments attempt
to install their payload as soon as users open them.
(iii) Attack by deception
Deception is aimed at the user/operator as a vulnerable entry point. Fraud, scams,
hoaxes, and to some extent Spam require the unwitting cooperation of the
computer’s operator to succeed. Social engineering and hoaxes are other forms of
deception that are often an attack vector too.
(iv) Hackers
Hackers/crackers are a formidable attack vector because, people are flexible and
they can improvise. Hackers/crackers use a variety of hacking tools, heuristics,
and social engineering to gain access to computers and online accounts. They
often install a Trojan Horse to commandeer the computer for their own use.
(v) Heedless guests (attack by webpage)
Counterfeit websites are used to extract personal information. Such websites look
very much like the genuine websites they imitate. One may think he/she is doing
business with someone user trusts. He/she is really giving their personal
information, like address, credit card number, and expiration date. They are often
used in conjunction with Spam, which gets the user in the first place. Pop-up
webpages may install Spyware, Adware or Trojans.
(vi) Attack of the worms
Many worms are delivered s E-Mail attachments, but network worms use holes in
network protocol directly. Any remote access service, like file sharing, is likely to
be vulnerable to this sort of worm. In most cases, a firewall will block system
worms. Many of these system worms install Trojan Horses. Next they begin
scanning the Internet from the computer they have just infected, and start looking
for other computers to infect. If the worm is successful, it propagates rapidly. The
worm owner soon has thousands of “zombie” computers to use for more
mischief.
(vii) Malicious macros
Microsoft Word and Microsoft Excel are some of the examples that allow macros.
A macro does something like automating a spreadsheet. Macros can also be used
for malicious purposes. All Internet services like instant messaging, Internet
Relay Chart (IRC), and P2P file-sharing networks rely on cozy connections
between the computer and the other computers on the Internet. If one is using P2P
software then his/her system is more vulnerable to hostile exploits.
(viii) Foistware (sneakware)
Foistware is the software that adds hidden components to the system on the sly.
Spyware is the most common form of foistware. Foistware is quasi-legal software
bundled with some attractive software. Sneak software often hijacks user’s
browser and diverts user to some “revenue opportunity” that the foistware has set
up.
(ix) Viruses
These are malicious computer codes hat hitch a ride and make the payload.
Nowadays, virus vectors include E-Mail attachments, downloaded files, worms,
etc.