Cybercrime

Glossary

The fundamental terms to know about online security and cybercrime, easily available from A to Z.

A

Essentially this is online identity theft. A bad actor will take over the victims online financial and e-commerce accounts and change account details in order to make transactions undetected.

Alternatively, accounts can be held to ransom by bad actors to elicit a payment from the victim.

Adware is a type of software which shows adverts on a computer through banners and pop up windows. These types of banners and pop ups are often included as part of free versions of software and can record personal information and browsing habits and if this is done without the users knowledge it is classed as spyware. The personal information obtained by this software is often sold onto third parties.

These days a lot of software and mobile applications come in an advertisement supported mode and a paid advertisement free mode. The advertisement supported mode is a tempting option for personal customers as well as businesses as they can avoid paying a large sum of money for software.

B

A person who commits cybercrime for purposes of financial gain, personal gain, cyber espionage, protest or other purposes.

Using online adverts to send users to malicious websites. A bad actor can purchase advertising space which is being sold by a legitimate website, once purchased the bad actor will replace the advert with a link that can either be used to download malware or send the victim to a malicious website.

A botnet is a series of connected computers which perform a number of repetitive tasks. With the use of malware a bad actor can add someone’s computer to their botnet with them being completely unaware. Once the malware has been downloaded the bad actors computer will be contacted to let it know that a new computer has been added to the botnet. Botnets are used to carry out distributed denial-of-service attacks, emailing spam or generating fake internet traffic to name just a few.

A bad actor will either infect a legitimate website or lead users to a malicious website which has been created by them.
Once the victim is on the site the bad actor can create a pop up that takes over the users screen and is incredibly hard to close. Often this pop up will claim to be antivirus software stating that a virus has been detected on the victim's computer with a link to a support site or number. This is an attempt to trick the victim into paying them to remove the fake virus with them believing it to be legitimate.

A brute force attack is when a bad actor uses trial and error in an attempt to obtain someone's personal information such as their password to a specific website or pin number. Rather than sit at a computer and try the different combinations themselves a bad actor will tend to use custom made software which will generate a large number of guesses one after another. This software is readily available on the internet for anyone to purchase and performs different techniques depending on what the bad actor requires. The following is a list of just some of the techniques utilised in the software.

C

This is when what can be described as an invisible layer is placed over a website page and includes invisible buttons. For example if you were to be looking at a login page on your screen with a submit button there would be an invisible button over the visible submit button. When someone has entered their login details and clicks submit they are actually unknowingly clicking on the invisible button. This can result in malware being downloaded to the victim's computer, a request for sensitive information which looks legitimate or the transfer of money through fraudulent purchases.
A popular clickjacking attack for bad actors is embedding a facebook like or share button on a malicious website. A transparent frame floats over the button or follows the mouse cursor so that
when the victim clicks on anything it sends the cursor to the like or share buttons.
This also links into a way in which bad actors can obtain information about a victim from Facebook. The embedded facebook like or share on a malicious website can be designed so that once it has been clicked on the victim inadvertently becomes a fan of the bad actors page. When this has been done it allows the bad actor to see the facebook information of the victim such as name, age, gender and facebook id.

This often occurs when someone accesses trusted websites over an unprotected public wi-fi network. The username and password for the site will be encrypted however the session data which travels back and forth, also known as the cookie, will be unencrypted. Using hacking software a bad actor can mimic a cookie over the same network which can allow them access to the site that the user is on.

Depending on the site being accessed at the time this could allow the bad actor to do anything from making posts on social media to transferring money out of a bank account.

This is based on the assumption that people use the same password across multiple websites.
When data containing users login details has been stolen from a streaming website for example, a bad actor will attempt to use those login details on other websites which can potentially give them access to even more sensitive data.

Usually using malware and social engineering an email with a link is sent to the victim which, when clicked on, tricks the victims web browser into completing an unwanted action. This can allow a bad actor to modify the requests which are being made by the browser. For example, if a request for a money transfer is made the bad actor can modify the browser request so that the money is sent into their account instead.

This is when malicious code in the form of script is injected into what is thought of as a trusted website. Scripts cannot be seen by the victim and are what make the website look and behave the way that it does in the users web browser, JavaScript is used to create dynamic websites. In this case when someone visits the website and the script is sent back to their web browser it contains the malicious code which is executed by the web browser as it believes that it has come from a trusted source. Once this has happened the script can then access any cookies and sensitive information which is retained by the web browser and used with that site.

In a modern browser it can allow a bad actor access to the users geolocation, webcam, microphone and specific files from the computer file systems. Combined with social engineering this can facilitate cookie theft, planting trojans, keylogging, phishing and identity theft.

How does it work?

  • First the malicious code is injected into a website
  • The user visits the web page with the malicious code. Social engineering or phishing could be used to send a specific person to the website
  • When the user visits the website the code is executed giving the bad actor access.

Cryptojacking is the unauthorised use of someone’s computer to mine cryptocurrency. A malicious email is sent to someone which when opened installs cryptomining code onto a computer or mobile phone. The script runs in the background without the users knowledge and is designed to use the device to mine the internet for cryptocurrency.

D

When a bad actor attempts to guess the password by attempting an exhaustive amount of attempts at different combinations of words and text until they get the right one. There is an element of randomness to this however it can be made easier for the bad actor by using techniques such as phishing and social engineering.

These are two ways of potentially obtaining personal information that someone could be using as part of a password.

Encrypted online content which is not available through the use of conventional search engines such as google. Largely used for criminal activity.

Simply put, a Distributed Denial of Service Attack is when bad actors attack websites and online services by flooding them with too much traffic making them unavailable. The aim is to overwhelm the server or network with more than it can accommodate often by sending messages, requests for connections etc. The primary way of carrying out an attack such as this is with the use of something called bots or zombie computers which when used together are known as botnets. Botnets can give bad actors the use of thousands of computers, with the victims completely unaware, in order to carry out these attacks as well as devices known as IoT (Internet of Things) such as cameras, smart tv’s, printers.

Assembling botnets can be difficult and time consuming so like most things illegal DDoS attacks can be purchased via forums and marketplaces on the dark web. Cybercriminals with the know how will create the botnets and then lease or sell them for as little as a couple of hundred US dollars.

Doxing (sometimes written as Doxxing) is the act of revealing identifying information about someone online, such as their real name, home address, workplace, phone, financial, and other personal information, typically with malicious intent.

E

Emotet is a malware strain and a cybercrime operation based in Russia. Initially released in 2014 as a form of banking trojan aimed at stealing banking credentials from infected hosts, it has since evolved and was deemed one of the most prevalent threats in 2019 (as per Bleeping Computer). Since 2014 the operators of Emotet have developed to function as a more generic 'loader' Trojan, used to gain access to a system so that a bad actor can then deliver additional payloads.

The usual method of infection is through a macro virus within an email attachment, often made to look like a response to an email already sent.

It is known that Emotet has been instrumental in setting up Botnets (per Sophos), access to which is then sold using the Malware-as-a-service . The Emotet operation runs at minimum 3 distinct botnets, Epoch 1, 2 & 3.

Data is translated into another form and can only be read by entering a password

F

A Fake Wireless Access Point is when a bad actor sets up a wireless router with a convincing legitimate looking name in a public area such as the name of a nearby shop or shopping center. Once somebody connects their device to the router the bad actor can monitor what they are doing, steal sensitive data and upload malware.

As well as using a router there is software that can be easily obtained on the internet which will allow someone to set up a fake wireless access point. This access point, like the router, can be named as ‘free wi-fi’ or take the name of a local shop with the aim of attracting people to connect to it without asking questions. Once connected the bad actor can view what devices are connected and monitor their activity.

Malicious java script is injected into a legitimate website in order to take over the functionality of the sites form pages. When someone then enters data onto the form it is collected by a bad actor.

Step 1
The bad actor injects the malicious script into the targeted website

Step 2
A customer loads the website which has had the malicious script injected into it. The customer then enters their details onto a form on the website, for example a form in which details are required to complete a purchase.

Step 3
When the completed form has been submitted it is sent to the legitimate website but a copy is also sent to the bad actor who injected the website with the malicious script.

H

In Internet activism, hacktivism, (derived from combining the words 'Hack' and 'Activism'), is the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change.

K

By using a hardware device which has been covertly connected to a computer or software which has been installed through the use of malware, every key pressed on the users keyboard is logged and sent do a bad actor. This can allow a bad actor to capture personal messages, login credentials, credit card numbers etc.

M

Malware or Malicious Software is the umbrella term given to any piece of software that was created with the intent of damaging devices and stealing data. Viruses, trojans, spyware and ransomware are examples of different types of malware and are often created by bad actors and then sold on the dark web.

Malware can infect a computer or other device through malicious emails, websites, links, applications, text messages, bluetooth, free software offers, illegal file downloads to name a few. Once downloaded the victim may find that the computer/device has started to run slower than usual.

Malware varies from file to file and will carry out different tasks depending on what file has been downloaded. For example it could steal credit card information by logging every key which has been pressed on the keyboard (keylogging), it could attack the device by producing a large amount of pop up adverts and links to websites, or it could be used to modify or delete data on the computer/device.

In 2000 there was a worm named the Loveletter Virus. When it was released it attacked millions of windows computer via email. The email contained an attachment containing the worm which, when opened, would overwrite the image files on that particular computer and then email itself to all of the contacts in the users address book.

A man in the middle attack is when a bad actor intercepts communications between the victim and the entity in which they are trying to communicate with. For example the victim receives an email from what appears to be their bank directing them to the banks website. When they click on the link they are taken to a website which looks like their banks but is infact a malicious site created by the ‘Man in the Middle’ who is the bad actor. When the victim enters their login credentials instead of logging into the banks website the credentials are being sent to the bad actor.

P

Phishing is a communication sent disguised as being from a known and trusted source. This could be anything from a simple email requesting a password update to the sender doing research on the victim beforehand using social media among other means to find out personal information about them. The information is then used to create an email appearing to be from someone or a business that the recipient knows. This email will request personal and sensitive information from the recipient such as credit card information, usernames and passwords.

In 2017 there was a phishing email which was sent to users of google docs. These emails invited thee recipients to edit documents on google docs however those who followed the links gave the bad actors who had sent the emails access to their Gmail accounts.

In September 2019 creators on YouTube were sent emails which tricked them into entering their login details via a fake website. Their accounts were then hacked and made to appear that they had been deleted. These accounts were then sold on the dark web.

A bad actor will contact a telephone service provider requesting the transfer of service from an old phone to a new one. If successful, the telephone service provider may port the old number to the new device which is in the control of the bad actor. This can give them access to accounts, passwords and the ability to hack into apps, emails, photos and financial sites of the old user of that number.

R

Pre computed tables that store hash values which are pre matched to possible passwords. This is useful because it provides the bad actors with the hash value which will give them access if matched to one stored by the particular website they are attempting to access.
A password hash is when a string of text used for a password is transformed by a website, using a mathematical formula, into another string of scrambled data called the hashed password.

A form of malware, this locks and encrypts someone's computer then demands payment in order to restore access to them. On occasion payment is demanded within a certain timeframe with the threat of access being lost forever. Below are just a few different types of ransomware.

Lockers

Infects the computer's operating system to completely lock the victim out of their computer

Scareware/Rogueware

Acts like antivirus software by finding fake threats and demanding payment to resolve the issues found. Some can lock the computer and others flood the screen with alerts and pop ups. If the fake antivirus is paid for by the user then this will often lead to malware being downloaded onto their device.

Doxware (leakware)

Threatens to publish stolen information if a ransom isn’t paid.

RaaS (Ransomware as a Service)

A type of malware which is hosted by a bad actor. The bad actor will handle the distribution of ransomware, collect the payments and manage the decryptors which is the software that restores the access. This is all done by the bad actor for a percentage of the ransom.

The CryptoLocker ransomware came onto the scene in 2013 and is usually disguised as an email attachment. The ransomware will encrypt files which blocks the user from accessing them, then demanding payment in cryptocurrency in exchange for the encryption key. If payment was not made by the deadline given the key would be deleted meaning that the user would lose access to the data.

Ransomware is known to have first appeared in 1989 by the name of AIDS or the PC Cyborg Trojan. It was spread using a floppy disk. It would count how many times that the computer was rebooted and once that count reached 90 it would encrypt the machine demanding that the user renew their licence with the PC Cyborg Team and to send the renewal fee to a PO Box in Panama.

One of the most common forms of ransomware is police ransomware. The users screen would be locked with a note claiming that they had commit.

Allows a user to connect to another computer from their workstation via a network connection.

S

Sim Swapping is a type of fraud targeting your personal information so that Bad Actors can impersonate you and access your bank accounts. The victims of this attack wouldn't know they've been compromised until they try to place a call or send an SMS message which usually will not go through.
A SIM swap scam involves Bad Actors taking advantage of a vulnerability in two-factor authentication and verification in which the second step is a text message or call to your phone number.
Sim cards are the storage for user data in Global System for Mobile (GSM) phones. Without a SIM card, your GSM phone wouldn't be authorized to use a mobile network. Therefore, by taking control of your phone number it'd be highly valuable to Bad Actors.
To carry out a "Sim Swap", it involves collecting as much information about the victim as possible. Bad Actors may send phishing emails that impersonate legitimate businesses like banks, or health insurers intended to fool the victims into giving over their legal names, date of birth, addresses and phone numbers. Also, Bad Actors can scrape public domains, social media and breached databases on the Dark Web in the hope of collecting as much information possible of the victim.
Once the Bad Actors gather enough information on a target, they create a false identity. Firstly, they call the victim’s network provider and claim that the SIM card has either been lost or damaged and then ask the customer service to activate a SIM card or number in their possession.
Customer service representatives of the network provider would not accept these requests unless security questions are answered but Bad Actors come well prepared using personal data of the victim collected from across the web to answer those security questions.
Once access is granted to the victim’s phone numbers, Bad Actors target bank accounts. They can read your text messages, see who you're speaking to and what the conversation is all about. As most banks today, they'll send you a code to log in to an account or reset the password via SMS, this ultimately means that a bad actor can request and receive code as well as access your bank account.
The Bad Actor will then create a second account with the same bank under the victim’s name and transfer credit from one to another to make it seem legitimate as the bank's system will view it as the victim transferring funds between two accounts.
SIM Swapping is one of the reasons why a phone number may not be the best-suited verifier of your identity. It's now known as a breachable authenticator. By adding additional layers of protection could help keep your identity and accounts safer.

This is a form of phishing when someone attempts to trick someone into giving them private and sensitive information via SMS message. This uses elements of social engineering.

Social engineering requires contact with a person in order to trick them into divulging personal and sensitive information such as bank account/card details and login details. One example is when a bad actor may contact someone via telephone pretending to be technical support stating that something is wrong with their computer or a virus has been detected. They will request usernames, passwords etc. in the hope that the person will provide them and give them access to their banking, social media, shopping accounts to name just three. Social engineering is used to facilitate phishing and a number of other techniques which are used to deceive people in order to obtain their personal and sensitive information.

Below are some more examples of the ways a bad actor will carry out social engineering:

  • An email claiming to be in a situation in which they need financial aid, such as they are abroad, have been robbed and need money to get home.
  • Requesting donation to a charity.
  • Informing someone that they have won a prize and that they need to click on the attached link to accept it.
    Posing as someone that works for the same company requesting information.

This is when a specific person is targeted rather than a wider group of people. The communication will appear legitimate and contains personal information of the recipient obtained via social media. The fact that this communication has been customised to include the recipient’s personal information makes it look incredibly authentic and can be the first step in acquiring a vast amount of sensitive data.

Spoofing is when a communication is sent disguised as being from a known and trusted source. For example, an email is sent from a false email address pretending to be from a legitimate business. It looks like a legitimate email but contains links or attachments which when opened contain malware. Malware programs can steal, encrypt or delete data as well as monitor someones computer. This can cause significant damage to the computer and network and grant someone access to personal information such as usernames and passwords.
In 2018 football fans were targeted in relation to the FIFA World Cup. Some fans whom appeared to have been identified via social media were sent emails offering a schedule of fixtures and results for the tournament. In fact, the emails contained an attachment containing malware which would infect the recipients device.
Although spoofing emails are common it isn’t just limited to this form of communication. There are a variety of ways in which someone will try and get access to personal and sensitive data. Below is a list of just some of the ways in which spoofing is carried out.

Email Spoofing

As mentioned above, an email is sent from a false email. The email address and its contents are designed to try and fool the recipient into believing it is legitimate and from a particular person or business. These emails are sent with the intention of infecting the recipient’s computer or network with malware and stealing sensitive data.

Telephone Spoofing

This is carried out by changing the caller’s number to trick the recipient’s caller id into thinking that the call has originated from somewhere it hasn’t. This is done to make the recipient believe that the calling number originated in their area or in order to mimic the telephone number of a business or bank with the goal of ascertaining sensitive data from the recipient.

Text Message Spoofing

This is when someone will send a text message using someone else’s phone number. By doing this they hide their true identity and can pose as a legitimate business requesting details from the recipient. Generally, they will contain links to fake websites or a link which infects the recipient’s device with malware.

Website Spoofing

This is also known as URL spoofing and its aim is to make a website look like a legitimate one. This will often be a part of an email spoofing scam whereby the recipient is asked to update their password via a link which takes them to a fake website. This website will look legitimate and users will have to log on as normal which then provides the creator of the website with their username and password.

DNS Spoofing

Often sent via emails this attempts to frighten people into clicking onto a URL which then infects their computer. Ads and images are also used which direct people to a malicious website which looks real. Once there the user is exposed to malware allowing a bad actor to steal personal and sensitive information.

This type of malware sits on a computer and steals the internet usage details and sensitive information. Usually the aim is to track and sell internet usage data, credit card data, bank information and to commit identity theft by tracking login and password information.

Simply put SQL (Structured Query Language) is language that is used to communicate with a database and to perform tasks such as update data on a database or to retrieve data. A bad actor can take advantage of SQL on websites which have forms that require someone to input data in order to retrieve information. For example if someone was to go onto a website in order to track a package that they have ordered. What would normally happen is someone would enter their unique tracking number into the form and then using SQL the website would retrieve the information from it’s database and present it for the user.

A bad actor would take advantage of this system by entering data in addition to a tracking number so that when the website uses SQL to retrieve the data from the database instead of just retrieving the information relating to the tracking number, it could potentially retrieve all of the information in the database. This could give the bad actor access to a large amount of sensitive information and allow them to change or delete data.

T

Typosquatting or URL hijacking is a form of a cyberattack which relies on mistakes such as typos made by internet users when inputting a website address into a web browser.

Trojans are a type of malware which have been disguised as legitimate software. When the trojan has been downloaded by the victim the malware hidden inside is transferred to their device which could be a computer, laptop, tablet, phone etc. Once activated the malware can allow bad actors to spy, steal sensitive data, gain access to computer systems and potentially carry out the following:

Delete data
Block data
Modify data
Copy data
Disrupt the performance of a computer or network

V

A virus is malicious code or a program which can alter the way in which a computer operates. It is designed to attach or insert itself to a legitimate programme or document on the infected computer /device in order to execute it’s code. The programme in which the virus is delivered needs to be run on a computer for the code to be executed, meaning that it could be a computer lying dormant in a document or file waiting to be opened. Once a computer has been infected other computers on the same network can be infected via a file or document resulting in passwords being stolen, data corrupted and email spamming the victims contacts to name a few.

W

A watering hole attack targets a specific group of people by infecting the websites that they are known to visit with malicious code. Generally, the aim of this type of attack is to gain access to the victims computers and to gain access to the network at their place of employment. Popular targets are employees of large companies, human rights groups and government officials.

As suggested by the name this is when a legitimate website is hijacked by a bad actor. The legitimate website is cloned and a link placed somewhere on the legitimate site. When this link is clicked on by the owner of the website a malicious web server replaces the one which the legitimate website uses and slightly changes the domain name with the hope that the owner of the site doesn’t notice. The cloned website is now using the legitimate server and the owner of the legitimate website has lost all access and control of it.

Once a bad actor has control over the legitimate website they will have access to any personal and sensitive information which comes with it. For example if it is an online shop then they will have access to any stored credit card details. The bad actor can also demand a ransom from the owner of the website, threatening to change any information on the site or post items of an obscene nature if it isn’t paid.

A virus is malicious code or a program which can alter the way in which a computer operates. It is designed to attach or insert itself to a legitimate programme or document on the infected computer/device in order to execute it’s code. The programme in which the virus is delivered needs to be run on a computer for the code to be executed, meaning that it could be a computer lying dormant in a document or file waiting to be opened. Once a computer has been infected other computers on the same network can be infected via a file or document resulting in passwords being stolen, data corrupted and email spamming the victims contacts to name a few.

Z
This is when there is a security flaw with software which is known about by the vendor but doesn’t yet have a patch in place to fix the flaw which opens the software up to exploitation. Codes are written by hackers to create malware which takes advantage of the vulnerability in order to compromise the computer system. This can result in personal and sensitive information being stolen, bad actors gaining control of a computer and providing them with access to contact lists which can be used by the bad actor to send spam emails potentially infecting further computers with malware.