Pharming
Pharming refers to attacks that present much like typical phishing attacks, but exploit different technical vulnerabilities in Internet-based routing in order to do so. Like phishing attacks, pharming attacks involve impersonating a trustworthy party that may legitimately ask the would-be victim to take some particular action. However, in pharming attacks, this is achieved not by tricking users into taking an action that brings them to a rogue clone of a legitimate website, but rather by poisoning routing tables and other network infrastructure so that any user who clicks a link to the legitimate website, or even enters the legitimate website’s URL into a browser, will be routed to a criminal’s clone.
Whaling: Going for the “big fish”
Whaling refers to spear phishing that targets high-profile business executives or government officials. (I know that whales are mammals and not fish, but this is about phishing not fishing.) For more on spear phishing, see the section earlier in this chapter.
Messing around with Other People’s Stuff: Tampering
Sometimes attackers don’t want to disrupt an organization’s normal activities, but instead seek to exploit those activities for financial gain. Often, crooks achieve such objectives by manipulating data in transit or as it resides on systems of their targets in a process known as tampering.
In a basic case of tampering with data in transit, for example, imagine that a user of online banking has instructed the bank to wire money to a particular account, but somehow a criminal intercepted the request and changed the relevant routing and account number to the criminal’s own.
A criminal may also hack into a system and manipulate information for similar purposes. Using the previous example, imagine if a criminal changed the payment address associated with a particular payee so that when the Accounts Payable department makes an online payment, the funds are sent to the wrong destination (well, at least it is wrong in the eyes of the payer).
One can also imagine the impact of a criminal modifying an analyst’s report about a particular stock before the report is issued to the public, with the criminal, of course, standing by to buy or sell stocks when the report is released in order to exploit the soon-to-be-reversed impact of the misinformation.
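The following is an added defender-side example, not from the book: an integrity tag (HMAC-SHA256) computed over the wire-transfer request lets the bank detect the swapped routing and account numbers described above, because any change to the signed fields invalidates the tag. The shared key, field names and sample request are constructed assumptions for this illustration.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical shared secret between the customer's banking app and the bank.
# Constructed for this example; a real deployment would derive it per session.
SHARED_KEY = b"example-shared-key-not-for-production"

def canonical_bytes(request: dict) -> bytes:
    """Serialize deterministically so both sides MAC exactly the same bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()

def sign_wire_request(request: dict, key: bytes = SHARED_KEY) -> dict:
    """Return a copy of the request carrying a nonce and an HMAC-SHA256 tag."""
    signed = dict(request)
    # A fresh nonce lets the receiver reject a replayed copy of a captured request
    # (the receiver's seen-nonce bookkeeping is not shown here).
    signed["nonce"] = secrets.token_hex(8)
    signed["mac"] = hmac.new(key, canonical_bytes(signed), hashlib.sha256).hexdigest()
    return signed

def verify_wire_request(signed: dict, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag over every field except the tag; compare in constant time."""
    if "mac" not in signed or "nonce" not in signed:
        return False
    body = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])

def tamper_in_transit(signed: dict, new_routing: str, new_account: str) -> dict:
    """Model the interception from the text: swap the destination, keep the rest."""
    altered = dict(signed)
    altered["routing_number"] = new_routing
    altered["account_number"] = new_account
    return altered

# Constructed sample request (all values are made up).
ORIGINAL = {"from_account": "12345678", "routing_number": "011000015",
            "account_number": "99887766", "amount_cents": 250000, "currency": "USD"}

if __name__ == "__main__":
    signed = sign_wire_request(ORIGINAL)
    print("genuine request verifies:", verify_wire_request(signed))
    altered = tamper_in_transit(signed, "021000021", "55555555")
    print("altered request verifies:", verify_wire_request(altered))
```

The tag only proves the bank received what the customer's app signed; it does not help if the attacker sits between the user and the app (see the man-in-the-middle discussion later in this section), which is why transport encryption and endpoint integrity still matter.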
Captured in Transit: Interception
Interception occurs when attackers capture information in transit. In the context of cybersecurity, the transit is usually between computers or other electronic devices, but it could also be between a human and a device (such as capturing voice spoken to a voice recognition system). If the data isn’t properly encrypted, the party intercepting it may be able to misuse it. And, of course, data captured directly from humans — such as the aforementioned voice recordings — often cannot be encrypted.
Even properly encrypted data might be at risk. The protection afforded by today’s encryption algorithms and mechanisms may be rendered worthless at some point in the future if vulnerabilities are discovered down the road, or as more powerful computers — especially quantum computers — arrive on the scene. As such, encrypted data that is intercepted may be secure from disclosure today, but may be stored and compromised in the future.
Man-in-the-middle attacks
One special type of interception is known as a man-in-the-middle attack. In this type of attack, the interceptor proxies the data between the sender and recipient in an attempt to disguise the fact that the data is being intercepted. Proxying in such a case refers to the man-in-the-middle intercepting requests and then transmitting them (either modified or unmodified) to their original intended destinations, receiving the responses from those destinations, and transmitting them (modified or unmodified) back to the sender. By employing proxying, the man-in-the-middle makes it difficult for senders to know that their communications are being intercepted, because when they communicate with a server, they receive the responses they expect.
For example, a criminal may set up a bogus bank site (see the earlier “Phishing” section) and relay any information that anyone enters on the bogus site to the actual bank site so that the criminal can respond with the same information that the legitimate bank would have sent. Proxying of this sort not only helps criminals avoid detection — users who provide the crook with their password and then perform their normal online banking tasks may have no idea that anything abnormal occurred during the online banking session — but also helps the criminals ensure that they capture the right password. If a user enters an incorrect password, the criminal will know to prompt for the correct one.
Figure 2-2 shows the anatomy of a man-in-the-middle intercepting and relaying communications.
FIGURE 2-2: A man-in-the-middle interception.
Taking What Isn’t Theirs: Data Theft
Many cyberattacks involve stealing the victim’s data. An attacker may want to steal data belonging to individuals, businesses, or a government agency for one or more of many possible reasons.
People, businesses, nonprofits, and governments are all vulnerable to data theft.
Personal data theft
Criminals often try to steal people’s data in the hope of finding items that they can monetize, including:
Data that can be used for identity theft or sold to identity thieves
Compromising photos or health-related data that may be sellable or used as part of blackmail schemes
Information that is stolen and then erased from the user’s machine that can be ransomed to the user
Password lists that can be used for breaching other systems
Confidential information about work-related matters that may be used to make illegal stock trades based on insider information
Information about upcoming travel plans that may be used to plan robberies of the victim’s home
Business data theft
Criminals can use data stolen from businesses for a number of nefarious purposes:
Making stock trades: Similar to the criminals mentioned earlier in this chapter who tamper with data in order to manipulate financial markets, criminals may also seek to steal data in order to have advance knowledge of how a particular business’s current, not yet reported quarter is going. They then use that insider information to illegally trade stocks or options, thereby potentially making a significant profit.
Selling data to unscrupulous competitors: Criminals who steal sales pipeline information, documents containing details of future products, or other sensitive information can sell that data to unscrupulous competitors or to unscrupulous employees working at competitors whose management may never find out how such employees suddenly improved their performance.
Leaking data to the media: Sensitive data can embarrass the victim and cause its stock to decline (perhaps after selling short some shares).
Leaking data covered by privacy regulations: