It is our aim to use the Threat Report email to inform you about trending threats to you, your business and your IT infrastructure. Our mission is to make the Internet a safer place for you, and part of that is to help you understand the threats in a language you understand.
The format of the email is like an executive summary of the key threats to you, your business and your IT infrastructure. Each summary will link through to more detail about specific threats published in the blog on our website. On the blog you can read back-copies of the Threat Report and other articles we publish.
Once subscribed you should receive your copy of Threat Report in your inbox on the 14th of each month. Please make sure you add firstname.lastname@example.org to your white-list or safe senders in Outlook.
In this first issue I’m going to give you a rundown of the key terms you should be familiar with. This is not a complete glossary, it’s intended to give you an awareness of the specific jargon and types of threat you may read about. Over the coming issues we will address all of these terms in detail, showing you how to identify, resolve and prevent them.
Advanced Persistent Threat (APT)
A cyber attack that uses sophisticated techniques to conduct cyber espionage or other malicious activity on an ongoing basis against targets such as governments and companies. Typically conducted by a bad actor with sophisticated levels of expertise and significant resources – frequently associated with nation-state players.
These attacks tend to come from multiple entry points and may use several attack methods (e.g. cyber, physical, deception). Once a system has been breached, it can be very difficult to end the attack.
Anti-virus
Software that monitors a computer or network for malicious code (viruses, worms, Trojans and other malware), mostly by matching files and behaviour against known signatures and patterns. As well as alerting you to the presence of a threat, anti-virus programs can usually quarantine, remove or neutralise the malicious code. Signature-based detection only catches what it already recognises, so anti-virus is one layer of defence rather than a complete one.
Attacker
The agent behind a threat: a malicious actor who seeks to change, destroy, steal or disable the information held on computer systems and then exploit the outcome. See also: Bad Actor
Bad Actor
The agent behind a threat: a malicious person, group, organisation or nation who seeks to change, destroy, steal or disable the information held on computer systems and then exploit the outcome. See also: Attacker
Bot and Botnet
Bot: A computer connected to the Internet that has been compromised with malicious logic so that it undertakes activities under the command and control of a remote administrator. Botnet: A network of such infected devices, connected to the Internet, used to commit coordinated cyber attacks without their owners’ knowledge.
Breach
The unauthorised access of data, computer systems or networks.
Brute force attack
An attack in which computing power is used to try a very large number of candidate values for an unknown such as a password, PIN or key, automatically and systematically, until the right one is found. Slow password hashing, account lockout and rate limiting all raise the cost of this attack.
Cloaked keywords and link hack
The cloaked keywords and link hack automatically creates many pages with nonsensical text, links, and images. These pages sometimes contain basic template elements from the original site, so at first glance, the pages might look like normal parts of your site until you read the content.
Cloaking
Cloaking is the practice of presenting different content or URLs to human users and to search engines.
For example, dynamic scripts and .htaccess rules can return different responses depending on who is asking. Using this tactic, hackers hide their tracks by returning a 404 or 500 error code to certain IP addresses or browsers (typically the site owner’s), while serving spam to others (typically search-engine crawlers). The owner sees a missing page; the search engine sees, and indexes, the spam.
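A simple way to catch this on your own site is to request the same page as a search-engine crawler would and as a normal browser would, then compare what comes back. The check below is an added example, not code from the newsletter or from any product it describes. The fetch function is injected, so it runs offline here against a constructed stand-in for a compromised site; the hostnames, paths and User-Agent strings are assumptions made for the example.

```python
"""Checking a site for cloaking (added example, not the newsletter's code).

Requests the same URL twice, once with a search-engine crawler User-Agent
and once with a normal browser User-Agent, then compares the status codes
and the external hosts linked from each response. The fetch function is
injected so the check runs offline here against a simulated compromised
site; for a live check pass a fetcher built on urllib or requests.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Set, Tuple

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"

# A fetcher takes (url, user_agent) and returns (status_code, body)
Fetcher = Callable[[str, str], Tuple[int, str]]

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class CloakReport:
    crawler_status: int
    browser_status: int
    crawler_only_hosts: Set[str] = field(default_factory=set)

    def suspicious(self) -> bool:
        """Different status codes, or links shown only to the crawler, suggest cloaking."""
        return self.crawler_status != self.browser_status or bool(self.crawler_only_hosts)


def external_hosts(body: str, own_host: str) -> Set[str]:
    """Hosts of absolute links that point away from our own site."""
    hosts = set()
    for href in HREF_RE.findall(body):
        m = HOST_RE.match(href)
        if m and m.group(1).lower() != own_host.lower():
            hosts.add(m.group(1).lower())
    return hosts


def check_cloaking(url: str, own_host: str, fetch: Fetcher) -> CloakReport:
    crawler_status, crawler_body = fetch(url, CRAWLER_UA)
    browser_status, browser_body = fetch(url, BROWSER_UA)
    return CloakReport(
        crawler_status=crawler_status,
        browser_status=browser_status,
        crawler_only_hosts=external_hosts(crawler_body, own_host) - external_hosts(browser_body, own_host),
    )


def simulated_cloaked_site(url: str, user_agent: str) -> Tuple[int, str]:
    """Constructed stand-in for a compromised site: it mimics the .htaccess or
    script logic described above, serving spam to the crawler and a 404 to
    everyone else on one injected path. Hostnames are examples, not real sites."""
    if url.endswith("/cheap-watches.html"):
        if "Googlebot" in user_agent:
            return 200, '<p>cheap watches <a href="http://spam.example/buy">buy now</a></p>'
        return 404, "<h1>Not Found</h1>"
    return 200, '<a href="https://www.example.com/about">About us</a>'


if __name__ == "__main__":
    report = check_cloaking("https://www.example.com/cheap-watches.html",
                            "www.example.com", simulated_cloaked_site)
    print(report.suspicious(), report.crawler_status, report.browser_status, report.crawler_only_hosts)
```

Run the check from a machine the attacker would not recognise as yours, and treat a clean result as a hint rather than proof: some cloaking keys on the crawler’s IP address range rather than its User-Agent, so the search engine’s own fetch-and-render tool remains the authoritative view of what it was served.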
Cross Site Scripting (XSS)
Cross-site scripting (XSS) is a software vulnerability, usually found in web applications, that allows an attacker to inject client-side script into pages that other users view. It arises when user-supplied input is copied into a page without being encoded for the context it lands in.
Because the injected script runs in the victim’s browser, under the site’s own origin and inside the victim’s logged-in session, an attacker can use XSS to bypass access controls: stealing session cookies, performing actions as that user, or rewriting what the page shows. It remains a significant risk unless the website owner takes the necessary precautions, chiefly encoding every piece of output for its context and validating input.
Cyber attack
Deliberate and malicious attempts to damage, disrupt or gain access to computer systems, networks or devices, via cyber means.
Cyber security
Cyber security is a collective term used to describe the protection of electronic and computer networks, programs and data against malicious attacks and unauthorised access.
The unauthorised copying or disclosure of information, usually to a party outside the organisation.
Denial of service (DoS)
This is a type of cyber attack that prevents the authorised use of information system services or resources, or impairs access, usually by overloading the service with requests.
Dictionary attack
Known dictionary words, phrases and common passwords, together with simple variations of them (capital letters, appended digits or years, symbols), are tried in turn by the attacker to gain access to your information system. This is a type of brute force attack; it works because people choose guessable passwords.
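The following is an added example, not the newsletter’s own code, that serves both the brute force and the dictionary attack entries: an attacker who has obtained a stolen password hash runs a wordlist, with the common human mutations applied, against it until a candidate hashes to the stored value. The wordlist, salt and target password are constructed for the example; PBKDF2-SHA256 with a deliberately low iteration count is the assumed storage format so the run completes in a second or two.

```python
"""Offline dictionary attack with mutation rules (added example, not the
newsletter's code). An attacker holding a stolen password hash tries every
wordlist entry plus the variations people commonly apply (capitalisation,
leet substitutions, appended digits, years and symbols) until one hashes to
the stored value. The wordlist, salt and target password are constructed;
PBKDF2-SHA256 is the assumed storage format, with a low iteration count so
the example finishes quickly.
"""
import hashlib
import hmac
import itertools
from typing import Iterable, Iterator, Optional, Tuple

WORDLIST = ["password", "letmein", "summer", "welcome"]  # constructed sample
SALT = b"constructed-example-salt"
ITERATIONS = 1000  # deliberately low; real deployments use far more
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def hash_password(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: what a server would store instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def variations(word: str) -> Iterator[str]:
    """The word and its common human mutations, in a deterministic order."""
    bases = sorted({word, word.capitalize(), word.upper(),
                    word.translate(LEET), word.translate(LEET).capitalize()})
    suffixes = [""] + [str(n) for n in range(10)] + [str(y) for y in range(2000, 2026)]
    symbols = ["", "!", "@", "#"]
    for base, suffix, symbol in itertools.product(bases, suffixes, symbols):
        yield base + suffix + symbol


def dictionary_attack(target_hash: bytes, wordlist: Iterable[str],
                      salt: bytes = SALT, iterations: int = ITERATIONS) -> Tuple[Optional[str], int]:
    """Return (recovered password or None, number of candidates hashed)."""
    attempts = 0
    for word in wordlist:
        for candidate in variations(word):
            attempts += 1
            if hmac.compare_digest(hash_password(candidate, salt, iterations), target_hash):
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    stolen = hash_password("Summer2019!")
    print(dictionary_attack(stolen, WORDLIST))
```

The second number returned is the point of the exercise: a few thousand guesses recover a password that looks complex to its owner. On the defending side, the cost per guess is what you control, through a slow hash with a high work factor (PBKDF2 with a large iteration count, bcrypt, scrypt or Argon2), rate limiting and lockout for online attempts, and rejecting passwords that appear in such wordlists at the point where users choose them.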
Distributed denial of service (DDoS)
A denial of service technique where multiple systems are used to perform the attack, overwhelming the service.
Drive-by download
Malicious software that is installed on a device without the user’s knowledge or consent, typically by merely visiting a compromised or malicious web page that exploits a vulnerability in the browser or one of its plug-ins; no click or download prompt is needed.
Ethical hacking
The use of hacking techniques for legitimate purposes – i.e. to identify and test cyber security vulnerabilities, with the owner’s permission. The actors in this instance are sometimes referred to as ‘white hat hackers’.
Exfiltration
The transfer of information out of a system without consent.
Exploit
The act of taking advantage of a vulnerability in an information system, and also the code or technique used to do so. The word is sometimes used loosely for the vulnerability itself, but strictly the vulnerability is the flaw and the exploit is what abuses it (see Vulnerability).
Exploit kit
A set of computer programs, usually hosted on a web server, designed to probe a visitor’s browser and software for vulnerabilities and use them to gain access to the system or network. Once they have infiltrated a system they deliver further harmful code or steal services.
Gibberish hack
The gibberish hack automatically creates many pages on your site filled with nonsensical sentences stuffed with keywords. These are pages you didn’t create, but they have URLs that might look compelling to users. Hackers do this so that the hacked pages show up in Google Search; when people then visit these pages, they are redirected to an unrelated page, such as a pornography site. The hackers make money from the traffic to these unrelated pages.
Hacker and Hacking
Someone who breaks into computers, systems and networks. Hacking is the act of breaking into computers, systems or networks.
IP spoofing
A tactic in which an attacker supplies a false source IP address in an attempt to trick the user, or a cyber security control, into believing the traffic comes from a legitimate source.
Japanese keyword hack
The Japanese keyword hack typically creates new pages or permalinks with auto-generated Japanese text on your site, in randomly generated directory names. These pages are monetised using affiliate links to stores selling fake brand merchandise and then shown in Google Search.
Keylogger
A type of software or hardware that tracks keystrokes and keyboard events to monitor user activity.
Logic bomb
A piece of code that carries a set of secret instructions. It is inserted in a system and triggered by a particular action or condition. The code typically performs a malicious action, such as deleting files. See also: Wabbits
Macro virus
A type of malicious code that uses the macro programming capabilities of a document’s application to carry out misdeeds, replicate itself and spread throughout a system.
Malicious code
Program code written with malicious intent: to compromise the confidentiality, integrity or availability of an information system.
Malvertising
The use of online advertising to deliver malware, typically by placing malicious adverts on otherwise legitimate websites through an advertising network.
Malware
Short for malicious software. Malware is any software or mobile application specifically designed to harm a computer, a mobile device, the software it’s running, or its users. Its behaviour can include installing software without the user’s consent and installing further harmful software such as viruses. Webmasters sometimes don’t realise that files they offer for download are classed as malware, so such binaries can be hosted inadvertently.
Man-in-the-middle attack
Cyber criminals interpose themselves between the victim and the website the victim is trying to reach, either to harvest the information being transmitted or to alter it. Sometimes abbreviated as MITM, MIM, MiM, MiMA or MITMA.
Packet sniffer
Software designed to monitor and record network traffic. It can be used for good or evil – either to run diagnostics and troubleshoot problems, or to snoop on private data exchanges, such as browsing history, downloads, etc.
Passive attack
Attackers try to gain access to confidential information in order to extract it, by observing rather than interfering. Because they’re not trying to change the data or the system, this type of attack is more difficult to detect – hence the name ‘passive’.
Password sniffing
A technique used to harvest passwords by monitoring or snooping on network traffic to retrieve password data. Often also linked with keyloggers.
Patching
Applying updates (patches) to software or firmware, to improve security, fix bugs or improve performance.
Payload
The element of malware that performs the malicious action – the cyber security equivalent of a missile warhead. Sometimes it only delivers part of a greater piece of malware, which when assembled makes the final payload significantly more damaging.
Pharming
An attack on network infrastructure (typically DNS, or the hosts file on the victim’s own machine) in which a user is redirected to an illegitimate website despite having entered the right address, putting the attacker in a man-in-the-middle position.
Phishing
Phishing is a form of social engineering that tricks users into giving away sensitive information (for instance, user names or passwords) by masquerading as a trusted source. For example, a phisher will email a potential victim pretending to be their bank and ask for their bank account credentials.
Ransomware
Ransomware is a type of malware (malicious software) which typically encrypts all or some of the data on a PC or mobile device, blocking the data owner’s access to it.
After infection, the victim receives a message saying that a certain amount of money must be paid (usually in a cryptocurrency such as Bitcoin) to obtain the decryption key, usually within a time limit. There is no guarantee that the key will be handed over if the ransom is paid. The most reliable protection is to back up your data in at least three different places (for redundancy), keep those backups up to date, and keep at least one copy offline or otherwise unreachable from your network: ransomware that can reach a connected backup drive or share will encrypt that too.
Remote Access Trojan
Remote Access Trojans (RATs) are malware that give an attacker remote control of an infected computer, operating with the logged-in victim’s own access permissions and therefore reaching whatever data that user can reach.
Cyber criminals use RATs to exfiltrate confidential information. RATs include backdoors into the computer system, can enlist the PC into a botnet, and can spread to other devices. Because a RAT runs inside the victim’s already-authenticated session, strong authentication at login does not stop it: it can access sensitive applications the user is signed into and exfiltrate what it finds to servers and websites controlled by the criminals.
Rootkit
A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges, and conceal the activities conducted by the tools.
Smishing
Phishing via SMS: mass text messages sent to users asking for sensitive information (e.g. bank details) or encouraging them to visit a fake website.
Social engineering
Manipulating people into carrying out specific actions or divulging information that is of use to an attacker. Manipulation tactics include lies, psychological tricks, bribes, extortion, blackmail, impersonation and other kinds of threat. Social engineering is often used to extract data and gain unauthorised access to systems, whether personal or belonging to organisations.
Spam
The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
Spear phishing
Spear phishing is a cyber attack that aims to extract sensitive data from a victim using a very specific and personalised message designed to look like it’s from a person the recipient knows and/or trusts.
The message is aimed at particular individuals or companies, and it is extremely effective because it is well planned. Attackers invest time and resources into gathering information about the victim (interests, activities, personal history, etc.) in order to craft the spear phishing message (usually an email). Spear phishing combines urgency with familiarity (it appears to come from someone you know) to manipulate the victim, so that the target doesn’t take the time to double-check the request.
Spoofing
Faking the sending address of a transmission to gain unauthorised entry into a secure system.
Spyware
Spyware is a type of malware designed to collect and steal the victim’s sensitive information without the victim’s knowledge. It is commonly delivered as a Trojan; adware and system monitors are typical forms. Spyware monitors and stores the victim’s Internet activity (keystrokes, browser history, etc.) and can also harvest usernames, passwords, financial information and more. It then sends this confidential data to servers operated by cyber criminals so it can be used in subsequent cyber attacks.
SQL injection
This is a code injection attack against data-driven applications: user input is pasted into a database query as text, so the attacker’s input is executed as part of the SQL. The injected SQL can perform many actions, including dumping the entire contents of a database to a location controlled by the attacker. Through this attack, malicious hackers can spoof identities, modify or tamper with data, disclose confidential data, delete or destroy data or make it unavailable. They can also take complete control of the database.
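Here is an added example (not code from the original page) that puts the vulnerable and the corrected form side by side. It builds an in-memory SQLite database with two constructed accounts, then shows a login bypass and a full data dump against queries assembled by string formatting, and the same requests against queries that bind the input as parameters. The table, accounts, password hashing scheme and payloads are all assumptions made for the example.

```python
"""SQL injection: vulnerable and parameterised queries side by side (added
example, not code from the original page). Builds an in-memory SQLite
database with constructed accounts, then shows an authentication bypass
and a data dump against queries built by string formatting, and the same
requests against queries that bind the values as parameters.
"""
import hashlib
import sqlite3
from typing import List, Optional


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users with SHA-256 password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, role TEXT)")
    for name, password, role in [("alice", "s3cret-pass", "admin"), ("bob", "hunter2", "user")]:
        conn.execute("INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)",
                     (name, _hash(password), role))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Returns the user's role on success. The f-string splices input into the SQL."""
    sql = f"SELECT role FROM users WHERE username = '{username}' AND pw_hash = '{_hash(password)}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same query with bound parameters: input is compared as data, never parsed as SQL."""
    row = conn.execute("SELECT role FROM users WHERE username = ? AND pw_hash = ?",
                       (username, _hash(password))).fetchone()
    return row[0] if row else None


def find_users_vulnerable(conn: sqlite3.Connection, prefix: str) -> List[str]:
    """Username search built by formatting; a UNION payload turns it into a data dump."""
    sql = f"SELECT username FROM users WHERE username LIKE '{prefix}%'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def find_users_safe(conn: sqlite3.Connection, prefix: str) -> List[str]:
    """Bound parameter, with LIKE wildcards in the input escaped so they stay literal."""
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute("SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
                        (escaped + "%",)).fetchall()
    return [row[0] for row in rows]


# Constructed payloads
BYPASS_PAYLOAD = "alice' -- "   # the comment marker removes the password check
DUMP_PAYLOAD = "zzz%' UNION SELECT username || ':' || pw_hash FROM users -- "

if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, BYPASS_PAYLOAD, "wrong"))   # admin: logged in without a password
    print(login_safe(db, BYPASS_PAYLOAD, "wrong"))         # None
    print(find_users_vulnerable(db, DUMP_PAYLOAD))         # every username and hash
    print(find_users_safe(db, DUMP_PAYLOAD))               # []
```

Parameter binding is the fix, not input filtering: the database driver sends the query text and the values separately, so there is no string for the attacker’s quote and comment characters to break out of. The LIKE case shows the one thing binding does not do for you, which is neutralise wildcards that are meaningful to the database itself.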
Trojan horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting the legitimate authorisations of the system entity that invokes the program. The name is taken from the mythical Trojan horse.
This is a cyber security threat that employs a man-in-the-middle attack to inject advertising into web pages a user visits over a public network, such as a public, unencrypted WiFi hotspot. The user’s computer doesn’t need to have adware on it, so installing a traditional antivirus can’t counter the threat; connecting over HTTPS (or through a VPN) does, because the attacker can then no longer alter the page in transit. While the ads themselves may be harmless, they can expose users to other threats: for example, an ad could promote a fake antivirus that is actually malware, or lead to a phishing page.
URL injection
A URL (or link) injection is when a cyber criminal creates new pages, containing spam words or links, on a website owned by someone else. Sometimes these pages also contain malicious code that redirects your users to other web pages or makes the website’s server take part in a DDoS attack. URL injection usually happens because of vulnerabilities in the software used to run the website, such as an outdated WordPress installation or plugins, or in writable server directories.
Virus
Programs that can self-replicate and are designed to infect legitimate software programs or systems. A form of malware.
Vulnerability
A weakness, or flaw, in software, a system or a process. An attacker may seek to exploit a vulnerability to gain unauthorised access to a system.
Wabbits, rabbits or fork bombs
A wabbit is one of four main classes of malware, alongside viruses, worms and Trojan horses. It is a computer program that repeatedly replicates itself on the local system, and it can be written to have malicious side effects. A fork bomb is an example of a wabbit: it is a form of DoS attack against a computer that uses the fork system call to create processes. A fork bomb quickly creates a huge number of processes, exhausting the process table and memory until the system crashes or becomes unusable. Wabbits don’t attempt to spread to other computers across networks.
Watering hole or Water-holing
Water-holing is a computer attack strategy in which the victim belongs to a particular group (an organisation, industry or region). The attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group becomes infected. Attacks looking for specific information may only target visitors coming from a specific IP address range, which also makes them harder to detect and research. The name is derived from predators in the natural world, who wait near watering holes for an opportunity to attack their prey.
Whaling
Highly targeted phishing attacks (masquerading as legitimate emails) that are aimed at senior executives.
Worm
A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
Zero-day
Recently discovered vulnerabilities (or bugs) not yet known to the vendor or to antivirus companies, and therefore without a patch, that hackers can exploit. The name refers to the vendor having had zero days to fix the flaw before it is used.
Zombie
A zombie computer is one connected to the Internet that appears to be performing normally but can be controlled by a hacker with remote access to it, who sends commands over the network, typically through an open port or backdoor left by the malware. Zombies are mostly used to perform malicious tasks, such as sending spam or other infected material to other computers, or launching DoS (Denial of Service) attacks, without the owner being aware of it.
In next month’s issue I will be covering the following topics, which could affect your computer or website, and consequently your business’ ability to make sales.