https://JosephSteinberg.com into your web browser, DNS directs your connection to an address taking the form of four numbers less than 256 and separated by periods, such as 104.18.45.53.
By inserting incorrect information into DNS tables, a criminal can cause a DNS server to return an incorrect IP address to a user’s computer. Such an attack can easily result in a user’s traffic being diverted to a computer of the attacker’s choice instead of the user’s intended destination. If the criminal sets up a phony bank site on the server to which traffic is being diverted, for example, and impersonates on that server a bank that the user was trying to reach, even a user who enters the bank URL into a browser (as opposed to just clicking on a link) may fall prey after being diverted to the bogus site. (This type of attack is known as DNS poisoning or pharming.)
Network infrastructure attacks take many forms. Some seek to route people to the wrong destinations. Others seek to capture data, while others seek to effectuate denial-of-service conditions. The main point to understand is that the piping of the Internet is quite complex, was not initially designed with security in mind, and is vulnerable to many forms of misuse.
Malvertising
Malvertising is an abbreviation of the words malicious advertising and refers to the use of online advertising as a vehicle to spread malware or to launch some other form of a cyberattack.
Because many websites display ads that are served and managed by third-party networks and that contain links to various other third parties, online advertisements are a great vehicle for attackers. Even companies that adequately secure their websites may not take proper precautions to ensure that they do not deliver problematic advertisements created by, and managed by, someone else.
As such, malvertising sometimes allows criminals to insert their content into reputable and high-profile websites with large numbers of visitors (something that would be difficult for crooks to achieve otherwise), many of whom may be security conscious and who would not have been exposed to the criminal’s content had it been posted on a less reputable site.
Furthermore, because websites often earn money for their owners based on the number of people who click on various ads, website owners generally place ads on their sites in a manner that will attract users to the ads. As such, malvertising allows criminals to reach large audiences via a trusted site without having to hack anything.
Some malvertising requires users to click on the ads in order to become infected with malware; others do not require any user participation — users’ devices are infected the moment the ad displays.
Drive-by downloads
Drive-by download is something of a euphemism that refers to software that users download without understanding what they are doing. A drive-by download may occur, for example, if users download malware by going to a poisoned website that automatically sends the malware to the users’ device when they open the site.
Drive-by downloads also include cases in which users know that they are downloading software, but are not aware of the full consequences of doing so. For example, if a user is presented with a web page that says that a security vulnerability is present on their computer and that tells the user to click on a button that says “Download to install a security patch,” the user has provided authorization for the (malicious) download — but only because the user was tricked into believing that the nature of the download was far different than it truly is.
Stealing passwords
Criminals can steal passwords many different ways. Two common methods include
Thefts of password databases: If a criminal steals a password database from an online store, anyone whose password appears in the database is at risk of having their password compromised. (If the store properly encrypted its passwords, it may take time for the criminal to perform what is known as a hash attack, but nonetheless, passwords — especially those that are likely to be tested early on — may still be at risk.) To date, stealing passwords is the most common way that passwords are undermined.
Social engineering attacks: Social engineering attacks are attacks in which a criminal tricks people into doing something they would not have done had they realized that the person making the request was tricking them in some way. One example of stealing a password via social engineering is when a criminal pretends to be a member of the target’s tech support department and tells the target that the target must reset a particular password to a particular value to have the associated account tested as is needed after the recovery from some breach, and the target obeys. (For more information, see the earlier section on phishing.)
Credential attacks: Credential attacks are attacks that seek to gain entry into a system by entering, without authorization, a valid username and password combination (or other authentication information as needed). These attacks fall into four primary categories:
Brute force: Criminals use automated tools that try all possible passwords until they hit the correct one.
Dictionary attacks: Criminals use automated tools to feed every word in the dictionary to a site until they hit the correct one.
Calculated attacks: Criminals leverage information about a target to guess the target’s password. Criminals may, for example, try someone’s mother’s maiden name because they can easily garner it for many people by looking at the most common last names of their Facebook friends or from posts on social media. (A Facebook post of “Happy Mother’s Day to my wonderful mother!” that includes a user tag to a woman with a different last name than the user is a good giveaway.)
Blended attacks: Some attacks leverage a mix of the preceding techniques — for example, utilizing a list of common last names, or using brute-force attack technology that dramatically improves its efficiency by leveraging knowledge about how users often form passwords.
Malware: If crooks manage to get malware onto someone’s device, it may capture passwords. (For more details, see the section on malware, earlier in this chapter.)
Network sniffing: If users transmit their password to a site without proper encryption while using a public Wi-Fi network, a criminal using the same network may be able to see that password in transit — as can potentially other criminals connected to networks along the path from the user to the site in question.
Credential stuffing: In credential stuffing, someone attempts to log in to one site using username and password combinations stolen from another site.
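The brute-force and credential-stuffing patterns listed above leave different shapes in a site's login records: one account failing over and over from one source, versus many accounts each failing once from one source and then one of them succeeding. The Python below is an added example, not code from the book: it classifies constructed sample log lines (the line format, usernames and IP addresses are invented for this example) so a defender can tell the two apart and see which accounts to review.

```python
from collections import defaultdict

# Constructed sample log for this example; the format "<timestamp> <RESULT> user=<name> src=<ip>" is invented.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:02 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:03 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:04 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:05 FAIL user=alice src=203.0.113.5
2024-05-01T10:01:00 FAIL user=bob src=198.51.100.7
2024-05-01T10:01:01 FAIL user=carol src=198.51.100.7
2024-05-01T10:01:02 FAIL user=dave src=198.51.100.7
2024-05-01T10:01:03 FAIL user=erin src=198.51.100.7
2024-05-01T10:01:04 FAIL user=frank src=198.51.100.7
2024-05-01T10:01:05 OK user=grace src=198.51.100.7
2024-05-01T10:02:00 FAIL user=alice src=192.0.2.9
"""

def parse(log_text):
    """Return (result, user, src) tuples from the sample format above."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            _ts, result, user_kv, src_kv = line.split()
            events.append((result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return events

def classify(events, threshold=5):
    """Label each source IP whose failures reach `threshold`; many failures on one account
    reads as brute force, failures spread one or two per account reads as credential stuffing."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    successes = defaultdict(set)                   # src -> users that later logged in
    for result, user, src in events:
        if result == "FAIL":
            fails[src][user] += 1
        elif result == "OK":
            successes[src].add(user)
    findings = {}
    for src, per_user in fails.items():
        if sum(per_user.values()) < threshold:
            continue  # a handful of typos from one place is not an attack signal
        if len(per_user) == 1:
            label = "brute-force"
        elif max(per_user.values()) <= 2:
            label = "credential-stuffing"
        else:
            label = "mixed"
        # Accounts that succeeded from a flagged source are the ones to review and reset.
        findings[src] = (label, sorted(successes[src]))
    return findings
```

Sources that never reach the failure threshold (here 192.0.2.9) are not reported, which is the trade-off between catching slow attacks and drowning in noise.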
Exploiting Maintenance Difficulties
Maintaining computer systems is no trivial matter. Software vendors often release updates, many of which may impact other programs running on a machine. Yet, some patches are absolutely critical to be installed in a timely fashion because they fix bugs in software — bugs that may introduce exploitable security vulnerabilities. The conflict between security and following proper maintenance procedures is a never-ending battle — and security doesn’t often win.
As a result, the vast majority of computers aren’t kept up to date. Even people who do enable automatic updates on their devices may not be up to date — both because checks for updates are done periodically, not every second of every day, and because not all software offers automatic updating. Furthermore, sometimes updates to one piece of software introduce vulnerabilities into another piece of software running on the same device.
Advanced Attacks
If you listen to the news during a report of a major cyberbreach, you’ll frequently hear commentators referring to advanced attacks. While some cyberattacks are clearly more complex than others and