Cyber attacks against private users and ways to protect against them - OnlineSim

  • Sep 14, 2023, 9:19 PM
  • 11 minutes

Common types of cyber attacks against private users and ways to protect against them. Part 2

In the previous article, we talked about phishing, cryptojacking and man-in-the-middle (MITM) cyber attacks.

In this article, we will discuss different types of malware and how hackers use them to steal information and money.


Before you start reading, have a look at which industries undergo the most frequent cyber attacks.

https://www.statista.com/statistics/223517/malware-infection-weekly-industries/ 


Malware

Hackers launch cyber attacks by spreading malware through email or messengers. They would typically add an accompanying text to the email telling the victim about a big win, a surprise inheritance or something else that would entice them to download and open the attached file or follow the provided link.

In most cases the attached file contains a malicious program. Even if the file appears safe and does not look like a suspicious RAR archive, it may still carry a virus. For example, a Word document may contain a malicious macro written in Visual Basic for Applications (VBA), the scripting language built into Microsoft Office.

When the user opens such a document, Microsoft Office prompts them to enable the embedded macros. If the user agrees, the macro downloads malware from the attackers' website and installs it on the victim's computer. The malicious program then runs, scans the network and the local disk for stored files, and steals, compromises or encrypts them.

Another scenario is infection through LNK files, commonly known as shortcuts. In Windows, they act as links to the original files. A shortcut stores the target file's name and location, the program used to open it and the command-line arguments passed to that program.

LNK files crafted by attackers execute the malicious VBScript or PowerShell code embedded in them. This method helps to bypass Windows security mechanisms and infect PCs.

PowerShell is the Windows command-line shell and scripting engine, which can be used to:
  • Change operating system settings
  • Control services and processes
  • Configure server roles and components
  • Install software.

Diagram of malware propagation



Malware propagation via LNK files occurs as follows:

  • The victim user receives a phishing email with an attached ZIP archive. The archive contains a malicious LNK shortcut.

  • The user opens the archive and clicks on the shortcut, which in turn runs a PowerShell script that downloads a malicious DLL containing a loader.

  • The loader allocates a region of memory into which the DLL is loaded, and a specific resource inside it is decrypted.
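To show the defender's side of the two delivery patterns described above (a macro-bearing Office document, and a ZIP attachment carrying an LNK shortcut), here is an added Python example that is not part of the original article: it screens an attachment archive for shortcut and script files, for entries that start with the Windows Shell Link header but hide behind another extension, and for Office documents that contain a VBA project. The archive it inspects is constructed inline from harmless placeholders; the extension lists are illustrative assumptions, not a complete blocklist.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
# Shortcut and script types named in the article (assumption: illustrative list, not exhaustive)
SCRIPT_EXTENSIONS = {".lnk", ".vbs", ".ps1"}
OFFICE_EXTENSIONS = {".docm", ".docx", ".xlsm", ".xlsx", ".pptm"}

def office_has_macros(data: bytes) -> bool:
    """OOXML files are ZIP containers; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False

def screen_archive(archive_bytes: bytes) -> list[str]:
    """Return one finding per suspicious entry; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            data = zf.read(name)
            if ext in SCRIPT_EXTENSIONS:
                findings.append(f"{name}: shortcut/script attachment ({ext})")
            elif data.startswith(LNK_MAGIC):
                findings.append(f"{name}: Shell Link header under a non-.lnk name")
            elif ext in OFFICE_EXTENSIONS and office_has_macros(data):
                findings.append(f"{name}: Office document carries a VBA project")
    return findings

def _ooxml(parts: dict[str, bytes]) -> bytes:
    """Minimal OOXML-shaped container for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        for part_name, content in parts.items():
            doc.writestr(part_name, content)
    return buf.getvalue()

def build_sample_archive() -> bytes:
    """Constructed phishing-style attachment: harmless placeholders, no real macro or shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.docm", _ooxml({"word/vbaProject.bin": b"placeholder"}))
        zf.writestr("Readme.docx", _ooxml({"word/document.xml": b"<w:document/>"}))
        zf.writestr("Payment details.pdf.lnk", LNK_MAGIC + bytes(56))
        zf.writestr("holiday.jpg", LNK_MAGIC + bytes(56))
    return buf.getvalue()
```

Run `screen_archive(build_sample_archive())` to see the three flagged entries; the clean Readme.docx is not reported.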

There are several kinds of malware, as described below.


Rootkits

A rootkit is malware that attacks a victim computer and enables remote control over it, most often without being detected by the user or an antivirus. 

Once a rootkit is installed, the attackers can remotely launch files, steal the user's files, install other malware and control the infected computer as part of a botnet. A rootkit can also modify software installed on the victim computer, including the software that could detect it.

Back in 2012, experts reported on the Flame rootkit, which was used by hackers for carrying out cyber espionage in the Middle East. Flame connected to the victim PC and launched various processes, including explorer.exe, the Windows Explorer process used to open folders and copy and delete files. Flame also ran other processes through which it monitored network traffic, captured screenshots and logged keystrokes. There is no exact information about how much damage the hackers caused. It is known, however, that 80 servers on three continents were used to access the infected computers.


Spyware

Spyware attacks victim machines and stealthily monitors user actions. Such malicious programs can collect data about the user's cyber activity, log the keystrokes, collect information about accounts, logins, passwords and financial data.

Like rootkits, spyware usually alters the security settings of the PC or the browser. It is commonly spread together with Trojans, using social engineering or phishing techniques.

Social engineering is a cyber security threat and a method of acquiring the victim's confidential information through psychological manipulation. The acquired information is used to withdraw money from the victim's bank card, take over the victim's accounts or coerce them into doing something.

In November 2021, Zimperium zLabs released a report describing a piece of spyware from South Korea named PhoneSpy. The malicious program infected Android devices and masqueraded as regular software, such as a yoga or messaging app. It spread with the help of phishing. When the user installed the malicious app, the spyware enabled remote control and stole information from the infected devices. Here is what the attackers could do with phones infected by PhoneSpy:
  • Steal account credentials, photos, contact lists, call logs and messages
  • Take photos and capture videos with the devices' front and rear cameras
  • Download files and documents from the command-and-control (C&C) server under the hackers' control
  • View device information: IMEI, model name, device name and Android version.
It is estimated that PhoneSpy infected more than 1,000 Android devices.

Permissions requested by PhoneSpy



Trojans

Trojans are a type of malware that infiltrates computers under the guise of a regular, safe application. Trojans act surreptitiously and lull users into a false sense of security, just like the Trojan horse of Greek legend that was presented as a gift to the inhabitants of Troy.

Unlike viruses and worms, which spread on their own, a Trojan can capture information only after a user has installed it. Once downloaded and installed, Trojans can give the attackers remote access to the victim computer, steal information such as credentials, financial data and even electronic money, or install other malicious applications.

In 2017, the Astaroth Trojan emerged. It spread via emails containing .zip or .ini attachments and some text prompting the user to open them. The Trojan watched the victim's activity and could steal information from the clipboard, capture keystrokes and system messages. It could also retrieve credentials for various services and financial accounts.

For a detailed technical description of how the Trojan operated, and which code and system commands it used, please see the Microsoft security writeup. A diagram of how it worked is provided below.


Viruses

A virus is another kind of malware that can replicate itself and propagate between computers. Viruses can spread via documents, web scripts or applications. They are used for stealing information or money, building botnets, covert cryptomining, etc.

Melissa is an amusing example of a virus. In 1999, the virus infected thousands of computers around the world. It spread via emails with a malicious .doc attachment. The emails had the subject line "Important Message from [the sender's username]", and the body text read "Here is that document you asked for ... don't show anyone else ;-)". The attached .doc file contained a list of passwords for various porn websites that required memberships. The virus automatically emailed the same infected document to the first fifty people in the user's contact list and disabled several security features in Microsoft Word and Microsoft Outlook. The virus did not cause any damage to ordinary users, but it slowed down e-mail systems by overloading Microsoft Outlook and Microsoft Exchange servers.


Worms

Worms are among the most common types of malware. They replicate by spreading copies of themselves across a network, exploiting operating system vulnerabilities. They are usually used to launch cyber attacks against and damage host networks by congesting bandwidth and overloading servers. Sometimes worms contain code to steal data from computers, delete files or build botnets.

Worms propagate across networks using two mechanisms:

  • Exploitation of security vulnerabilities and administration errors in installed software. Such worms can propagate automatically by launching attacks against computers on their own.

  • Social engineering, when the attackers trick a person into running a malicious program. Such worms are most often distributed through spam mailings, social networks etc.

There is another classification of worms according to their mechanism of propagation:

  • Email worms propagate via emails

  • IM worms propagate via instant messengers such as Facebook, Skype or WhatsApp

  • IRC worms propagate via IRC (Internet Relay Chat) channels. Internet Relay Chat is a network protocol that allows users to connect to a server using a dedicated client, join channels or chats and exchange typed messages in real time.

  • Net worms or network worms propagate across networks and do not rely on the user as a link in their distribution chain.

  • P2P worms propagate via peer-to-peer file sharing networks, such as Kazaa, Grokster, eDonkey, FastTrack or Gnutella.

2007 statistics on growth rates for different types of worms 



A prominent example is the ILOVEYOU worm, which masqueraded as a love letter and propagated via email. The malicious email contained an attachment with a text file and a Visual Basic script (VBS). If the user opened the attachment, the script ran and stole the user's passwords for various services. ILOVEYOU is considered one of the first cases of social engineering used in cyber attacks. Once launched, it automatically emailed itself to the victim's contacts. The worm infected more than 45 million users and caused more than $15 billion in damages.


Ransomware attacks

Ransomware is a type of malware that attacks the victim computer and blocks access to it or encrypts the data on it. To get the computer back to its previous working state, victims are told to pay a ransom.

Several hundred million such attacks occur per year, according to analysis by Statista.



Most of such attacks are launched via an email containing malicious links to the attackers' website. When users follow the link, they download the malware. Alternatively, the email may contain an attachment with a malicious file that will download the ransomware as soon as the user opens it.

There are two types of ransomware. A description of each type follows.


Non-encrypting ransomware

This type of malware attacks the victim computer and blocks its most basic functions, for example it can partially disable the mouse and keyboard and/or restrict access to the desktop. The computer will remain in this state until the victim user pays the ransom to the hackers' account.

Non-encrypting ransomware is not always dangerous, as such programs usually do not aim to steal important files. Their goal is simply to lock the victim's device and wait for the ransom.


Encrypting ransomware

Such a malicious program attacks the victim computer and encrypts important data on it, such as personal information or photos, without affecting the computer’s operation. In this case, the hackers play on the victim's fear, as the user sees the files are physically on the computer, but cannot use them.

Files are typically encrypted using the AES algorithm with a key size of 128, 192 or 256 bits. Such a key is practically impossible to recover by brute force. Some ransomware additionally uses public-key cryptography, such as RSA.

To learn more about encryption and how it works, read the article "What is VPN and how it works".

When the files have been encrypted, the victim is shown a window with a message such as "Pay the ransom within an hour, or all encrypted files will be deleted". Thus, the user has to pay the ransom to have their files decrypted.

However, even when the victim has paid the ransom, there are no guarantees he/she will receive the decryption key from the attackers. So, there is a risk that the files can remain encrypted forever.

In 2017, an attacker group called Shadow Brokers distributed the WannaCry ransomware in more than 150 countries. When WannaCry ran on the victim computer, it exploited a vulnerability in the operating system and locked the computer. The attackers demanded a ransom in bitcoins. About 230,000 devices around the world were affected, and the hackers managed to extract some $4 billion in ransom.
WannaCry ransom screen. Source: GDataSoftware



How to protect against malware and ransomware

Keep your software up to date. Software manufacturers always collect information about security problems and release new versions with patches addressing those problems.

Install an antivirus and keep it running at all times: it will protect you against most types of attacks, such as malware installation and dangerous links. If someone sends you a malicious application, the antivirus will block the malware. The same goes for a malicious link: the antivirus will detect it and prevent you from following it.

Better yet, don't download or run any suspicious files at all. Your antivirus may not detect some malicious programs until they run, by which time they may already have damaged important operating system files and affected your computer's operation.

Check who sends you links. Don't click on links sent by strangers or your friends without any accompanying text. If you receive a link in the name of someone you know, contact them personally and ask them what they sent. Their account may have been hacked, and spam may be sent in their name.

Also, you can check links on dedicated services like AVG Threatlabs or Kaspersky VirusDesk.

Some antiviruses block websites containing malicious code. When the user tries to visit such a resource, the antivirus will automatically prevent access to it.

Make regular backups of your system and all important files. You can copy files to physical media or to the cloud. Cloud storage is preferable to physical media, as it is protected from malware, hardware failure and similar problems.

As an option, you can set up automatic backups using third-party tools, such as Redo Backup and Recovery, EaseUS Todo Backup Free or Cobian Backup. Remember, though, that cloud storage is not completely secure either: data leaks can occur there, too.

In 2014, for example, attackers distributed links to phishing sites, which users visited and gave away their passwords to various services, including iCloud.

As a result, naked photos of Jennifer Lawrence, Rihanna, and dozens of other celebrities were leaked. According to some estimates, the attackers hijacked 300 accounts in Apple iCloud and Gmail over the period from November 2013 to August 2014.

It should also be remembered that cloud services sometimes go down, so your information in the cloud can become unavailable for some time.