Cybersecurity For Dummies. Joseph Steinberg
A DDoS attack can render inaccessible a site that a person plans on using. On October 21, 2016, for example, many users were unable to reach several high-profile sites, including Twitter, PayPal, CNN, HBO Now, The Guardian, and dozens of other popular sites, due to a massive DDoS attack launched against a third party providing various technical services for these sites and many more. The possibility of DDoS attacks is one of the reasons that you should never wait until the last minute to perform an online banking transaction — the site that you need to utilize may be inaccessible for a number of reasons, one of which is an ongoing DDoS attack.
A DDoS attack can lead users to obtain information from one site instead of another. By making one site unavailable, Internet users looking for specific information are likely to obtain it from another site — a phenomenon that allows attackers to either spread misinformation or prevent people from hearing certain information or vantage points on important issues. As such, DDoS attacks can be used as an effective mechanism — at least over the short term — for censoring opposing points of view.
Botnets and zombies
Often, DDoS attacks use what are known as botnets. Botnets are a collection of compromised computers that belong to other parties, but that a hacker remotely controls and uses to perform tasks without the legitimate owners’ knowledge.
Criminals who successfully infect one million computers with malware can, for example, potentially use those machines, known as zombies, to simultaneously make many requests from a single server or server farm in an attempt to overload the target with traffic.
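The following script is an added example, not code from the book or its author, that shows what the flood described above looks like from the defender's side. It buckets web-server requests into fixed time windows and tells a distributed flood (many zombie addresses, none dominant, the botnet pattern) apart from one noisy client, because the first cannot be handled by per-address rate limiting. The log line format, the thresholds (WINDOW_SECONDS, REQ_THRESHOLD, DISTRIBUTED_MIN_SOURCES) and the sample traffic are all constructed assumptions for the demonstration.

```python
"""Spot a request flood in web-server access logs and tell a distributed flood
(many sources, as from a botnet) apart from one noisy client."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List

WINDOW_SECONDS = 10            # fixed window size (assumption; tune per site)
REQ_THRESHOLD = 50             # requests per window before we raise anything
DISTRIBUTED_MIN_SOURCES = 20   # at least this many distinct IPs => looks distributed


def parse_line(line: str):
    """Line format (constructed, not a real server's): '<ISO-8601 UTC> <ip> <method> <path>'."""
    ts, ip, _method, _path = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(when.timestamp()), ip


def detect_floods(lines: List[str]) -> List[Dict]:
    """Bucket requests into fixed windows and report every window over threshold."""
    windows = defaultdict(Counter)          # window start -> Counter(ip -> hits)
    for line in lines:
        epoch, ip = parse_line(line)
        windows[epoch - epoch % WINDOW_SECONDS][ip] += 1

    alerts = []
    for start in sorted(windows):
        hits = windows[start]
        total = sum(hits.values())
        if total < REQ_THRESHOLD:
            continue
        top_ip, top_hits = hits.most_common(1)[0]
        # Many sources, none dominant: the pattern a botnet produces, so per-IP
        # rate limiting alone will not help. One dominant source: block that client.
        distributed = len(hits) >= DISTRIBUTED_MIN_SOURCES and top_hits / total < 0.5
        alerts.append({
            "window_start": datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "requests": total,
            "sources": len(hits),
            "kind": "distributed" if distributed else "single-source",
            "top_source": top_ip,
        })
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample traffic: quiet browsing, then a 30-address burst, then one client hammering."""
    lines = [f"2016-10-21T12:00:0{s}Z {ip} GET /" for s, ip in
             [(0, "203.0.113.5"), (2, "198.51.100.7"), (4, "203.0.113.5"),
              (6, "192.0.2.200"), (8, "198.51.100.7")]]
    for n in range(1, 31):                  # 30 zombies, two requests each, all within one window
        for base in (10, 15):
            lines.append(f"2016-10-21T12:00:{base + n % 5}Z 192.0.2.{n} GET /login")
    for k in range(80):                     # one client, 80 requests in the next window
        lines.append(f"2016-10-21T12:00:{20 + k % 10}Z 198.51.100.99 GET /search?q={k}")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(constructed_log()):
        print(alert)
```

Run as-is it prints two alerts: the second window is flagged "distributed" (60 requests from 30 addresses), the third "single-source" (80 requests from one address). Real deployments read the server's own log format and pick thresholds from normal traffic levels.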
Data destruction attacks
Sometimes attackers want to do more than take a party temporarily offline by overwhelming it with requests — they may want to damage the victim by destroying or corrupting the target’s information and/or information systems. A criminal may seek to destroy a user’s data through a data destruction attack — for example, if the user refuses to pay a ransomware ransom that the crook demands. Of course, all the reasons for launching DDoS attacks (see preceding section) are also reasons that a hacker may attempt to destroy someone’s data as well.
Wiper attacks are advanced data destruction attacks in which a criminal uses malware to wipe the data on a victim’s hard drive or SSD, in such a fashion that the data is difficult or impossible to recover.
To put it simply, unless the victim has backups, someone whose computer is wiped by a wiper is likely to lose access to all the data and software that was previously stored on the attacked device.
Is That Really You? Impersonation
One of the great dangers that the Internet creates is the ease with which mischievous parties can impersonate others. Prior to the Internet era, for example, criminals could not easily impersonate a bank or a store and convince people to hand over their money in exchange for some promised rate of interest or goods. Physically mailed letters and later telephone calls became the tools of scammers, but none of those earlier communication techniques ever came close to the power of the Internet to aid criminals attempting to impersonate law-abiding parties.
Creating a website that mimics the website of a bank, store, or government agency is quite simple and can sometimes be done within minutes. Criminals can find a near-endless supply of domain names that are close enough to those of legitimate parties to trick some folks into believing that a site that they are seeing is the real deal when it’s not, giving crooks the typical first ingredient in the recipe for online impersonation.
Sending an email that appears to have come from someone else is simple and allows criminals to perpetrate all sorts of crimes online. I myself demonstrated over 20 years ago how I could defeat various defenses and send an email that was delivered to recipients on a secure system — the message appeared to readers to have been sent from [email protected].
Phishing
Phishing refers to an attempt to convince a person to take some action by impersonating a trustworthy party that reasonably may legitimately ask the user to take such action.
For example, a criminal may send an email that appears to have been sent by a major bank and that asks recipients to click on a link in order to reset their passwords due to a possible data breach. When users click the link, they are directed to a website that appears to belong to the bank, but is actually a replica run by the criminal. As such, the criminal uses the fraudulent website to collect usernames and passwords to the banking site.
While phishing attacks have been around for many years, they show no signs of going away. Some experts believe that a majority of medium- and large-sized businesses in the United States now suffer some form of successful phishing attack every year.
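The look-alike domain names mentioned in the impersonation section and the replica bank site in the phishing example above are both caught by the same kind of check. The script below is an added example, not code from the book or its author: it classifies a link as trusted, look-alike, or unknown by comparing the registrable domain against an allowlist, undoing common character substitutions, and spotting a trusted name buried in a subdomain. The allowlist (TRUSTED), the substitution table, the one-character edit-distance tolerance and the sample links are constructed assumptions, and the registrable-domain helper assumes single-label suffixes (it does not use the Public Suffix List).

```python
"""Flag URLs whose host resembles, but is not, a domain we trust."""
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed allowlist of the domains this check trusts (assumption).
TRUSTED = {"paypal.com", "twitter.com", "examplebank.com"}

# Single characters that pass for letters in many fonts, and multi-character
# look-alikes, collapsed so that "paypa1" and "rnicrosoft" read as the real word.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(label: str) -> str:
    """Undo common look-alike substitutions in one DNS label."""
    label = label.lower().translate(HOMOGLYPHS)
    for fake, real in MULTI_CHAR:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insert, delete or substitution per unit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: single-label public suffixes;
    co.uk-style suffixes need the Public Suffix List, which this skips."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted domain it resembles or None).

    Verdicts: "trusted", "lookalike", "unknown", "invalid".
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if "." not in host:
        return ("invalid", None)
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    for trusted in sorted(TRUSTED):
        # Trick 1: the real name buried in a subdomain, e.g. paypal.com.verify.example
        if f".{trusted}." in f".{host}.":
            return ("lookalike", trusted)
        # Trick 2: a misspelled or homoglyph second-level label, or the right
        # name under the wrong top-level domain (paypal.net)
        sld, trusted_sld = domain.split(".")[0], trusted.split(".")[0]
        if normalize(sld) == trusted_sld or edit_distance(sld, trusted_sld) <= 1:
            return ("lookalike", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links, of the kind that turn up in phishing email.
    for link in ["https://www.paypal.com/signin", "http://paypa1.com/reset",
                 "https://paypal.com.account-verify.example/login",
                 "https://twiter.com/login", "https://example.org/"]:
        print(link, "->", classify_url(link))
```

A mail gateway or browser extension would run this over every link before the user clicks it; a "lookalike" verdict is a reason to warn, not proof of fraud, since an edit distance of one also matches some legitimate short names, so keep the allowlist tight.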
Spear phishing
Spear phishing refers to phishing attacks that are designed and sent to target a specific person, business, or organization. If a criminal seeks to obtain credentials into a specific company’s email system, for example, the attacker may send emails crafted specifically for particular targeted individuals within the organization. Often, criminals who spear phish research their targets online and leverage overshared information on social media in order to craft especially legitimate-sounding emails.
For example, the following type of email is typically a lot more convincing than, “Please login to the mail server and reset your password”:
Hi, I am going to be getting on my flight in ten minutes. Can you please log in to the Exchange server and check when my meeting is? For some reason, I cannot get in. You can try to call me by phone first for security reasons, but if you miss me, just go ahead, check the information, and email it to me — as you know that I am getting on a flight that is about to take off.
CEO fraud
CEO fraud is similar to spear phishing (see preceding section) in that it involves a criminal impersonating the CEO or other senior executive of a particular business, but the instructions provided by “the CEO” may be to take an action directly, not to log in to a system, and the goal may not be to capture usernames and passwords or the like.
The crook, for example, may send an email to the firm’s CFO with instructions to issue a wire payment to a particular new vendor or to send all the organization’s W2 forms for the year to a particular email address belonging to the firm’s accountant.
CEO fraud often nets significant returns for criminals and makes employees who fall for the scams appear incompetent. As a result, people who fall prey to such scams are often fired from their jobs. CEO fraud increased during the COVID-19 pandemic as people worked from home and were unable to verify the veracity of communications with as much ease as they could prior to the arrival of the novel coronavirus.
Smishing
Smishing refers to cases of phishing in which the attackers deliver their messages via text messages (SMS) rather than email. The goal may be to capture usernames and passwords or to trick the user into installing malware.
Vishing
Vishing, or voice-based phishing, is phishing via POTS — that stands for “plain old telephone service.” Yes, criminals use old, time-tested methods for scamming people. Today, most such calls are transmitted by Voice over Internet Protocol (VoIP) systems, but in the end, the scammers are calling people on regular telephones