Introduction to attack vectors

This article gives you an introduction and a basic understanding of some attack vectors.
Attack vectors are possibilities by which a malicious hacker can gain access to computers or network servers in order to put or run malware on them.

Hacking

Hacking, in the context of this document, is what you do when you break security to gain access to a computer and/or network.

Exploit

This is a software that takes advantage of a vulnerability of an operating system. Bear in mind that exploits are not always malicious, because they are also developed by investigators who try to demonstrate that a vulnerability exists.

Zero day exploits

A zero day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability is discovered.

Browser exploit

A browser exploit means basically that a Website uses malicious code to exploit certain vulnerabilities in your Web browser. The code makes the browser do something unexpected, like crash, read / write local files or install malware.

Browser hijacker

A browser hijacker is a form of malware that alters your browser’s settings. A browser hijacker may be installed via an infected e-mail, file share or download. Most browser hijackers alter the default browsers home page to generate traffic on another Website. They can also add bookmarks for unwanted Websites to the browser’s bookmark collection or generate unwanted pop-ups.

Drive by download

Drive by download means the download of any kind of malware without the knowledge of the user. Drive by download is using the security holes of the operating system and/or browser to put and execute malware on your computer. A drive by download may happen by visiting a Website, viewing an e-mail message or by clicking on a deceptive pop-up window.

Clickjacking

Clickjacking is based on front end vulnerabilities in the browser, Adobe Flash player, etc. This is an exploit in which malicious code is hidden “behind” clickable content on a Website like a button. A clickjacking attack can gain access to your computer’s hardware (webcam, microphone…) and it can be used as an entry point for other attacks.

Man in the browser

The basic malware infection can happen in tricking the user into clicking on a link, visiting a malicious Website to trigger a “drive by download” attack, opening a malicious attachment, etc.
At this moment, the “Man in the browser” malware resides in the end user’s browser.
When the malware is activated :

• it may manipulate the Web page being loaded by injecting extra fields into the Web page to collect sensitive data
• it may act as a key logger to intercept the typed-in data
• it may hide fraudulent money transfers

See more about key logger in my article : malware

Phishing

Phishing is the process of attempting to acquire sensitive information such as user names, passwords and credit card details by masquerading as a trustworthy Website.
Phishing is an e-mail fraud method in which the perpetrator sends out a legitimate-looking e-mail in an attempt to gather personal and financial information from recipients. Typically, the e-mails appear to come from well known, trustworthy Websites.

Buffer overflow

Buffer overflow is a type of attack that sends more data than a buffer was intended to hold; surplus data will overflow the buffer, corrupting or overwriting valid data. Data sent may include malicious code which can eventually control the whole system by root access. A Trojan or other malware can be the source of a buffer overflow attack.

Denial of service attack (DoS)

Denial of Service attacks are centered around the concept that one machine is flooding the target with useless traffic. The target will then ultimately slow down, crash or be forced to shut down.
Many DoS attacks are exploiting limitations of the TCP/IP protocol.

Distributed denial of service attack (DDoS)

A Distributed Denial of Service attack is a DoS attack that comes from more than one machine at the same time.

DNS rebinding

DNS rebinding is an exploit in which the attacker uses JavaScript in a malicious Web page to gain control of the victim’s network. This attack can be used on the victim’s machine for spamming, distributed denial of service attacks, etc. Even routers, which use a default password and Web based administration, can be easily attacked.

DNS poisoning

DNS poisoning is also called DNS cache poisoning. It refers to the corruption of DNS tables so that a domain name points to a malicious IP address. Once the browser is re-directed to the malicious IP address, the PC can be infected with malware.

Pharming

Pharming redirects victims to a malicious Website even if the victim has used the correct Web address. The malicious Website is masquerading as a trustworthy one. This attack allows to acquire sensitive information such as user names, passwords, credit card details and other confidential information.
The primary Pharming method is based on DNS poisoning (see above).

Spoofing

Spoofing refers tricking or deceiving computers or users. This is typically done by hiding one’s identity or by faking it.
There are a variety of ways computers and users can be fooled :

• E-mail spoofing
  E-mail spoofing is sending messages from a bogus e-mail address or faking the e-mail address of another user. This can be used for spam, Phishing, etc. (Phishing see above)
• IP spoofing
  IP spoofing means hiding or faking a computer’s IP address. This is often used for denial of service attacks.
• Identity spoofing
  This can be done by simply faking a user name, for example in a forum.

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is a vulnerability in Web applications, in which the attacker inserts malicious code. Usually this attack is used to get sensitive data such as login information, etc.

Cross-Site Request forgery (CSRF)

A Cross-site request forgery attack is also known as CSRF or XSRF. Cross-site request forgery attacks occur when a malicious Web site causes a user’s browser to perform an unwanted action on a trusted Web site. Cross-site request forgery attacks are possible because Web applications authenticate the browser, not the user.
Cross-site request forgery vulnerabilities allow an attacker to compromise user accounts like transfer money of user bank accounts, harvest user e-mail addresses, violate user privacy.

SQL injection

Normally, a user enters his name and password into the Web form input boxes, those values are then inserted into a database. Some Web forms have no mechanisms to block input other than the expected one. This opens the door for a SQL injection attack.
SQL injection is a type of security exploit in which the attacker adds an SQL query into a Web form input box to gain illegal access to the database. An SQL query is a request for some action to be performed on a database.

Brute force attack

A brute force attack consists of trying every possible code, combination or password until the right one is found. For example, a simple brute force attack may have a dictionary of all words or commonly used passwords and browse through those words until it gains access to the account.

Man in the middle attack

A “man in the middle attack” is a type of attack where a malicious hacker inserts himself into a conversation between two persons or systems and gains access to information that the two send each other. A “man in the middle attack” allows a malicious hacker to intercept, send and receive data meant for somebody else.

Port scan

Port scanning is an approach to probe a remote computer for open ports. Essentially, a port scan consists of sending a message to each port. When a port is open, it can be exploited by a known vulnerability.
The majority of uses of a port scan are not attacks, they are simple probes to determine if services are available on a remote machine’s port.

Scam

Scam describes any fraudulent business or scheme that takes money or other goods from an unsuspecting person.
Example :
Once a scammer gains access to a social media account, he can send messages to the victim’s online friends like : “Hey, please send 20 text messages to this number so I can win this beauty contest”. This will cost the caller “a lot of money” for the scammer’s gain.

Social engineering

Social engineering is a non-technical kind of intrusion that relies on human interaction and involves tricking other people to bypass normal security.

Social engineering is a component of many types of exploits :

• Virus writers use social engineering tricks to persuade people to run malware via e-mail attachments
• Phishers use social engineering to convince people to divulge sensitive information
• Social engineering is used in scareware to frighten people into running software that is combined with malware

Backdoor

A backdoor is a method of bypassing authentication procedures. A backdoor can be installed by malicious software to allow attackers and malware to enter.
A backdoor can also be installed by a system administrator in order to have access to the computer system for troubleshooting or other purposes. A backdoor is always a security risk !

Botnets

Botnets are coordinated and infected computers controlled by an attacker. The attacker can give instructions to all the infected computers simultaneously. Attackers use botnets to send out spam, spread viruses, attack Web servers, etc.
An infected computer is referred to as a zombie or bot (the term bot is short for robot) .

Example : Drive by download -> Trojans are installed on multiple computers -> the Trojans open a backdoor -> attackers are controlling the computers (botnet) -> attackers start a coordinated DoS attack on a Web server -> the Web server breaks down.

Spam

E-mail spam is also known as junk e-mail. Spam is the abuse of e-mail to send bulk messages indiscriminately. Spam is sending identical e-mails (or nearly identical) to numerous recipients. Botnets (see above) are used to send about 80% of spam. Spam can be annoying but harmless, but some spam can be part of an identity theft or other attacks (see below).

Directory harvest attack

This is a method spammers use to obtain valid e-mail addresses. Random names are generated and sent out to valid domains. If an undeliverable message does not return, the name is assumed to be genuine. The valid e-mails are then added to a spam database.
An aggressive “directory harvest attack” can place such intense demands on the e-mail server that it slows down. This has a similar effect as a “denial of service attack” (see above).