Tools and Methods of Cybercrime
Cyberattacks are not random acts but typically follow a structured methodology. Attackers use a variety of tools and publicly available resources to find and exploit vulnerabilities in target systems, whether those targets are individuals or large organizations. Understanding this process is the first step in building an effective defense.
The basic stages of an attack to compromise a network:
- Initial Uncovering
- Network Probe
- Crossing the line toward electronic crime (E-crime)
- Capturing the network
- Grab the data
- Covering Tracks
Key Resources and Tools
Attackers rely on a rich ecosystem of databases and tools to conduct their operations, particularly during the reconnaissance and exploitation stages.
Vulnerability Databases
These are public repositories that catalog known software vulnerabilities.
NVD (National Vulnerability Database): The official U.S. government repository of vulnerability data. It provides detailed analysis, severity scores (CVSS), and links for CVEs (Common Vulnerabilities and Exposures).
CVE Details: A user-friendly website that aggregates and visualizes data from the NVD, making it easy to search for vulnerabilities by product, vendor, or date.
Exploit Database (by Offensive Security): A massive, searchable archive of public exploits and proof-of-concept code. It is an essential resource for penetration testers and attackers alike.
Vulnerability Scanning & Exploitation Tools
These tools are used to actively probe systems for weaknesses and execute attacks.
Nessus: A powerful and widely used commercial vulnerability scanner that performs deep scans for thousands of vulnerabilities, misconfigurations, and missing patches.
OpenVAS: A free and open-source alternative to Nessus. It's a comprehensive scanner with a large, community-fed database of vulnerability tests.
Nikto: A specialized command-line tool focused on scanning web servers for common security issues, such as outdated software, dangerous files, and server misconfigurations.
Nmap: The industry-standard tool for network discovery and port scanning. Its power can be extended with the Nmap Scripting Engine (NSE) to actively scan for specific vulnerabilities (nmap --script vuln).
Metasploit Framework: The quintessential penetration testing framework. It's a "Swiss Army knife" for attackers, providing a massive database of exploits, scanners, and tools to create and deliver malicious payloads (msfconsole, msfvenom).
Proxies, Anonymizers, and Cookies
In the digital world, your identity and data are constantly being exchanged as you browse the web. Proxy servers, anonymizers, and cookies are three core technologies that manage, hide, or track that information, playing a critical role in both privacy and security.
Proxy Servers
A proxy server is an intermediary computer that sits between a user's system and the rest of the internet, relaying connections on behalf of the systems on its network.
Attackers use proxy servers to hide their true identity and location. By routing their malicious traffic through one or more proxies, they can make it extremely difficult for investigators to trace the attack back to its source.
Key Purposes of a Proxy Server
Security: Hides the IP addresses of users on an internal network, making it harder for external attackers to target them directly.
Content Filtering: Can be configured to block access to specific websites, services, or unwanted content like advertisements.
Performance: Speeds up access to resources by caching (storing) frequently visited webpages. When another user requests the same page, the proxy can deliver it from its cache instead of fetching it again.
Access Control: Allows users to bypass geo-restrictions or censorship by making it appear as if they are browsing from the proxy's location.
Anonymizer
An anonymizer is any tool (a service, a piece of software, or a special type of proxy) that is specifically designed to make a user's online activity untraceable. Its primary goal is to hide the user's IP address and personal information so that websites, governments, or attackers cannot track the user's real identity and location.
It accesses the Internet on the user's behalf, protecting personal information by hiding the identifying details of the source computer.
Purpose of Anonymizers:
Hide IP address and geolocation
Prevent tracking, surveillance, and censorship
Bypass firewalls, filters, and regional restrictions
Enable anonymous communication, downloads, or browsing
Different tools offer different trade-offs between speed, security, and anonymity.
| Method | Hides IP Address | Encrypts Traffic | Typical Speed | Best Use Case |
|---|---|---|---|---|
| Proxy Server | Yes | Usually No | Fast | Bypassing simple filters or geo-blocks. |
| VPN | Yes | Yes | Medium | Secure, everyday browsing and privacy. |
| Tor Network | Yes (Multi-layer) | Yes (Multi-layer) | Slow | Achieving the highest level of anonymity. |
Cookies
A cookie is a small text file stored on the user's device by a website. It contains data used to identify or remember the user, track sessions, and store preferences. Cookies help websites recognize returning users, maintain sessions, and personalize experiences.
Types of Cookies
Cookies can be classified based on how long they last, where they come from, and what they do.
By Duration
Session Cookies: Temporary cookies that are deleted as soon as you close your browser. Used to manage a single session, like keeping you logged in.
Persistent Cookies: Stored on your device for a set period. Used to remember your preferences or login information across multiple sessions.
By Origin
First-party Cookies: Set by the website you are directly visiting. These are generally used for essential functions like login and shopping carts.
Third-party Cookies: Set by a different domain than the one you are visiting, typically by ad networks or social media widgets. These are the primary tool for tracking your activity across multiple websites.
By Function
Strictly Necessary: Essential for the website to function (e.g., shopping cart items).
Performance: Collect anonymous data on how users interact with a site (e.g., Google Analytics).
Functional: Remember your choices, like language or region, to provide a personalized experience.
Advertising Cookies: Track your browsing habits to display personalized ads. These are almost always third-party cookies.
By Security
Secure Cookies: Transmitted only over an encrypted HTTPS connection.
HttpOnly Cookies: Cannot be accessed by client-side scripts (like JavaScript), which helps protect against cross-site scripting (XSS) attacks.
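As an added example (not part of the original notes), the following Python parses Set-Cookie headers and reports the attributes discussed above: whether a cookie is session or persistent (Expires/Max-Age), and whether the Secure and HttpOnly protections are set. The sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for the duration and security attributes described above."""
from dataclasses import dataclass, field


@dataclass
class CookieReport:
    name: str
    persistent: bool            # Expires or Max-Age present: survives closing the browser
    secure: bool                # Secure flag: sent only over HTTPS
    http_only: bool             # HttpOnly flag: hidden from document.cookie (XSS hardening)
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value and list the protections a defender expects."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:                      # attributes are case-insensitive
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    report = CookieReport(
        name=name,
        persistent="expires" in attrs or "max-age" in attrs,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
    )
    if not report.secure:
        report.findings.append("missing Secure: cookie can travel over plain HTTP")
    if not report.http_only:
        report.findings.append("missing HttpOnly: readable by injected scripts")
    return report


def audit(headers: list) -> dict:
    """Map cookie name -> findings for every Set-Cookie header of one response."""
    return {r.name: r.findings for r in map(parse_set_cookie, headers)}


# Constructed response headers (not captured from a real site)
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",          # well-protected session cookie
    "prefs=lang%3Den; Max-Age=31536000; Path=/",           # persistent, no protection flags
    "tracker=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT",  # persistent tracking-style cookie
]
```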
Being Anonymous while searching on Google
Google was the first search engine to use cookies. A Google cookie places a unique ID number on your hard disk; any time you visit Google, you receive a Google cookie if you don't already have one.
G-Zapper is a privacy tool designed to help users block and remove Google tracking cookies, particularly the Google "PREF" and "NID" cookies, which are used for:
Tracking user behavior across websites
Delivering personalized search results and ads
Building a profile of user interests
Phishing
It is believed that phishing is an alternative spelling of fishing, as in "to fish for information". The first documented use of the word "Phishing" was in 1996. Phishing is a form of online fraud in which hackers attempt to get your private information such as passwords, credit cards, or bank account data. This is usually done by sending false emails or messages that appear to be from trusted sources like banks or well-known websites.
How Phishing works:
Planning: Criminals, usually called phishers, decide on the target (i.e., a specific business/business house/an individual) and determine how to get the email addresses of the target or of customers of that business. Phishers often use the same mass mailing and address collection techniques as spammers.
Set up: Once phishers know which business/business house to spoof and who their victims are, they will create methods for delivering the message and collecting the data about the target. Most often this involves email addresses and webpages.
Attack: This is the step people are most familiar with - the phisher sends a phony message that appears to be from a reputable source.
Collection: Phishers record the information victims enter into webpages or pop-up windows.
Identity theft and fraud: Phishers use the information that they have gathered to make illegal purchases or commit fraud.
How to recognize a phishing attack email:
The message uses subdomains, misspelled URLs (also known as typosquatting), or otherwise suspicious URLs.
The recipient uses a Gmail or other public email address rather than a corporate email address.
The message is written to invoke fear or a sense of urgency.
The message includes a request to verify personal information, such as financial details or a password.
The message is poorly written and has spelling or grammatical errors.
Examples of phishing scams: digital payment-based scams, work-related phishing scams, and finance-related phishing scams.
Different types of phishing attacks:
Spear phishing attacks are directed at specific individuals or companies. These attacks usually employ gathered information specific to the victim to more successfully represent the message as being authentic. Spear phishing emails might include references to co-workers or executives at the victim's organization, as well as the use of the victim's name, location or other personal information.
Whaling attacks are a type of spear phishing attack that specifically target senior executives within an organization with the objective of stealing large sums of sensitive data. Attackers research their victims in detail to create a more genuine message, as using information relevant or specific to a target increases the chances of the attack being successful.
Pharming is a type of phishing attack that uses domain name system cache poisoning to redirect users from a legitimate website to a fraudulent one. Pharming attempts to trick users into logging in to the fake website using their personal credentials.
Clone phishing attacks use previously delivered but legitimate emails that contain either a link or an attachment. Attackers make a copy or clone of the legitimate email and replace links or attached files with malicious ones.
Evil twin attacks occur when hackers try to trick users into connecting to a fake Wi-Fi network that looks like a legitimate access point. The attackers create a duplicate hotspot that sends out its own radio signal and uses the same name as the real network.
Phishing techniques:
URL spoofing: Attackers use JavaScript to place a picture of a legitimate URL over a browser's address bar. The URL is revealed by hovering over an embedded link and can also be changed using JavaScript.
Link manipulation: Often referred to as URL hiding, this technique is used in many common types of phishing. Attackers create a malicious URL that's displayed as if it were linking to a legitimate site or webpage, but the actual link points to a malicious web resource.
Link shortening: Attackers can use link shortening services, like Bitly, to hide the link destination. Victims have no way of knowing if the shortened URL points to a legitimate website or to a malicious website.
Homograph spoofing: This type of attack depends on URLs that were created using different characters to read exactly like a trusted domain name.
Covert redirect: Attackers trick victims into providing personal information by redirecting them to a supposed trusted source that asks them for authorization to connect to another website. The redirected URL is an intermediate, malicious page that solicits authentication information from the victim.
Chatbots: Attackers use AI-enabled chatbots to remove obvious grammatical and spelling errors that commonly appear in phishing emails.
AI voice generators: Attackers use AI voice generator tools to sound like a personal authority or family figure over a phone call.
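As an added example (not from the original notes), the following Python checks a constructed email for the recognition indicators listed earlier (public webmail sender, urgency wording, a request to verify credentials) and for the link tricks from the techniques list (homograph characters, link shorteners, displayed text that differs from the real destination, a trusted name hidden in a subdomain, look-alike domains). The brand allow-list, the shortener list, the keyword patterns and the sample message are assumptions made for the example.

```python
"""Flag the phishing indicators listed above in a constructed email (heuristics, not a product)."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

TRUSTED = {"paypal.com", "microsoft.com"}                    # assumed brand allow-list
PUBLIC_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY = re.compile(r"\b(urgent|immediately|suspended|within 24 hours)\b", re.I)
CREDENTIALS = re.compile(r"\b(verify|confirm)\b.{0,40}\b(password|card|account)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)  # HTML anchors in the body

def registered_domain(host: str) -> str:
    """Crude 'brand.tld' extraction: 'login.paypal.com' -> 'paypal.com' (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def link_findings(href: str, text: str) -> list:
    """URL-level checks: homograph, shortener, display mismatch, hidden brand, look-alike domain."""
    host = urlparse(href).hostname or ""
    reg = registered_domain(host)
    out = []
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        out.append("IDN/homograph characters in host")
    if reg in SHORTENERS:
        out.append("link shortener hides destination")
    if text.lower().startswith("http") and registered_domain(urlparse(text).hostname or "") != reg:
        out.append("displayed URL differs from real destination")
    if reg not in TRUSTED:
        for brand in TRUSTED:
            if brand.split(".")[0] in host.split("."):   # brand label used as a subdomain
                out.append(f"trusted name '{brand}' used as subdomain of {reg}")
            elif SequenceMatcher(None, reg, brand).ratio() > 0.8:
                out.append(f"{reg} looks like {brand} (typosquatting)")
    return out

def phishing_findings(sender: str, body: str) -> list:
    """Return every indicator found; an empty list means nothing suspicious was matched."""
    findings = []
    if registered_domain(sender.rsplit("@", 1)[-1]) in PUBLIC_MAIL:
        findings.append("sender uses a public webmail address")
    if URGENCY.search(body):
        findings.append("urgency/fear language")
    if CREDENTIALS.search(body):
        findings.append("asks to verify credentials or account details")
    for href, text in LINK.findall(body):
        findings.extend(link_findings(href, text))
    return findings

SAMPLE = ("alerts@gmail.com",  # constructed sample message, not a real phishing email
          'Your account is suspended. Please verify your password within 24 hours: '
          '<a href="http://paypal.com.login-check.net/x">https://www.paypal.com/login</a>')
```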
How to prevent phishing:
Antivirus software.
Desktop and network firewalls.
Antispyware software.
Antiphishing toolbar installed in web browsers.
Gateway email filter.
Web security gateway.
Spam filter.
Phishing filters from vendors such as Microsoft.