August 14, 2018
Glossary of Attack Vectors
Fraudulently accessing/infiltrating another user’s account to steal identity credentials, make fraudulent payments or fraudulently access products/services.
Account validation is a phishing attack that misleads a user into furnishing personal information, such as a password, in order to validate or recover a “lost” password, ultimately giving the attacker full access to the victim’s session.
Mostly targeting an organization’s sensitive information, an advanced persistent threat (APT) is a network attack in which unauthorized persons gain access and remain undetected for a long period of time. This type of attack can damage data circulating within the infected network or allow the data to be stolen.
An application injection exploits a security vulnerability in an application’s software and allows attackers to relay malicious code by injecting special characters, malicious commands, and/or command modifiers through an application to another system for execution. Types of attacks include calls to the operating system, the use of external programs, and calls to backend databases.
Application tampering consists of altering the original code of an application. SQL injection exploits an application’s data and ultimately allows an attacker to access and change an application database. XML injection compromises an application’s logic and structure and can ultimately cause the insertion of malicious content.
Banking malware, often delivered together with keyloggers through phishing emails, searches for sensitive data and cryptocurrency wallets, enabling a hacker to gain access to targeted bank accounts.
Biometric spoofing involves misleading a biometric identification tool with an artificial object, commonly make-up, a photograph or a voice recording. When successful, these methods allow a hacker to gain full access to a user’s session.
Taking out multiple new accounts (using stolen or spoofed identity data) to take advantage of new player incentives and bonuses, most often in the gaming and gambling industry.
Bots are automated programs that run over the internet and can perform routine tasks, execute commands, or reply to messages. Types of bots include web crawlers, chat bots, and malicious bots. A group of computers controlled from a single source and running related software programs and scripts is referred to as a botnet.
Inflating a loan using other loans before “busting out” or defaulting on payment.
Call center fraud is a form of social engineering in which a fraudster directly calls a target on behalf of an official institution (bank, insurance company, etc.) and manipulates the user into willingly delivering sensitive data.
Card testing is a process in which fraudsters visit online stores to make random purchases for the purpose of verifying stolen credit card information, making sure the card has not been blocked or canceled and has not exceeded its credit limit.
Collusion fraud refers to secretive or illegal cooperation by two or more participants in order to deceive or defraud a third party.
Cybercriminals often target email accounts that users fail to secure. Hackers sometimes manage to manipulate email proxy servers, allowing them to alter email content. Once an email account has been compromised, a hacker can send phishing scams to the victim’s contacts, uncover the victim’s personal information to steal his/her identity, or take over the victim’s accounts by changing passwords not only for the existing email account but also for credit card, banking and e-commerce sites with which the victim has had prior email communications.
Taking over existing user accounts/registering for fraudulent new accounts to access restricted/gated content.
A replay attack involves stealing a user’s credentials either to mislead another user or to access a platform by acting on behalf of the victim.
A Distributed Denial of Service (DDoS) attack involves making an online service unavailable, usually by overloading a targeted system with irrelevant requests from several connected devices. This type of hack is often used to disrupt business/organization activities or to extort money from a victim by demanding payment in exchange for stopping the attack.
Device cloning is a process in which a device’s secured data is transferred/copied onto another device. A cloned device not only allows the defrauder to receive all of the original user’s sensitive information, such as passwords and/or account data, but also to use the victim’s identity.
Device posting or ghosting allows a hacker to observe a victim’s activity on a device without the victim knowing. If the victim is accessing sensitive data, such as bank accounts, credit card information, etc., the hacker is able to view the victim’s usernames and passwords, and in some cases pretend to be the victim.
Document forgery is conceptually very similar to IP spoofing and social engineering. It consists of fooling a user by providing a false document that misleads him/her into ultimately delivering sensitive information.
Drop box shipping fraud occurs when a buyer uses stolen credit card information to purchase products online from a merchant. The product is drop shipped to a location that differs from the billing address. Upon discovering that the credit card information was stolen, the merchant is still responsible for paying the drop shipper and as a result has lost not only the money but also the product.
Using fraudulent new accounts to register false listings to either improve the success of rival operators or take fraudulent bookings for fake holidays/properties, for example.
Taking out a fraudulent loan with stolen or spoofed identity credentials, often as part of a loan stacking scenario (using one loan to pay off another) to inflate the loan amount before defaulting.
Using stolen/spoofed credentials to apply for a fraudulent insurance policy, either as a ghost broker or to make false claims.
To secure a transaction or login session it is quite common for a web browser to collect information on a user, including the type of operating system, browser version, plugins, etc., which together make up what is called a browser fingerprint. New software, such as Fraudfox or Antidetect, allows an attacker to use VM technology to erase their own fingerprint and also to copy another user’s fingerprint, permitting them to act on behalf of their victims.
Making a false insurance claim in order to receive a fraudulent payout.
Also known as chargeback fraud, friendly fraud consists of taking advantage of online shop refund systems by requesting a chargeback after receiving purchased goods or services. This type of fraud often occurs when an online shop’s system cannot prove that the customer did in fact receive the purchased item.
Geo spoofing is a process in which a user manages to hide his/her location through a proxy, a VPN or by hacking a GPS. This process allows a hacker to stay anonymous and difficult to track.
A ghost broker is a fraudster who presents him/herself as a legitimate insurance broker. He/she takes payment from a customer for an insurance policy, then buys the policy from an actual insurer with fraudulent payment information. After receiving proof of insurance from the company, the ghost broker passes it on to the customer, but when the check doesn’t clear or the credit card is found to be stolen, the insurer cancels the policy without the customer’s knowledge.
Using virtual gift cards to monetize stolen credit cards, stealing virtual gift card credit using account takeover.
Identity farming is the process of producing fake identities through paperwork such as creating false birth certificates and Social Security numbers, waiting for them to “grow” by establishing credit, and then using the fake identities for fraudulent activities.
Assuming the identity of another person using stolen or spoofed identity data.
An identity marketplace is a site on the dark web where it is possible to buy spoofed, fake or stolen identities. The purchase price for identities depends on how complete the information is, whether it has been validated, and/or the ability to change the associated billing and shipping addresses.
Also referred to as IP spoofing, identity spoofing involves creating a false host IP address either to hide a user’s location or to impersonate someone else by using the same IP. This practice allows a hacker to pretend to be someone else and to be virtually untraceable.
Taking over a trusted user account to make a fraudulent money transfer out of the account/using a Money Mule to launder money between accounts.
Insider recruitment is a process in which cybercriminals enroll employees and contractors who have access to desired information and are willing to support the hacker’s objectives.
Jailbreaking a device is a process in which an owner removes the manufacturer’s restrictions from his/her device to permit installation of unauthorized software. This procedure can ultimately cause installation of harmful applications since they are not manufacturer approved.
Keyloggers are programs that record every keystroke made by an infected user, and are often attached to phishing emails, web scripts or malicious downloads. Keylogging permits a hacker to access a victim’s passwords and confidential information, often leading to compromised identities.
Using one loan to pay off another in order to inflate a loan to the maximum available amount before defaulting on payment.
Bots are automated scripts that simulate human activity to gather information. When they are connected to one another through a network it is called a botnet. Slow-and-low bots are harder to detect than standard ones.
Taking over a trusted user account to access loyalty points/bonuses that can be used to make purchases or sold to others.
Malicious apps (MA) are device-contaminating software, often disguised within a seemingly harmless file that takes the form of either code or a script. The four main types of MA are spyware, trojans, phishing sites and hidden processes. Malicious apps target devices in order to gather personal information or gain access to the infected device’s system.
Short for malicious software, malware is a program or file used to disrupt computing functions, gather sensitive information, gain access to private computer systems, or monitor a user’s activity. Types of malware include computer viruses, worms, trojan horses and spyware.
A man-in-the-browser (MitB) attack infects a web browser with a trojan horse that acts as a proxy. Once the web browser is infected, an attacker can add to or modify web pages or transactions. Compared to a phishing attack, an MitB attack is harder to detect because the hacker uses a URL that is identical to the real website.
An MitM attack occurs when an attacker secretly intercepts communications between two parties who believe they are communicating directly with each other. The attacker eavesdrops and/or impersonates one or both victims to gain access to information such as login credentials, credit card information, etc.
Man-in-the-mobile (MitMo) attacks involve luring a mobile user into installing a fake security application which requests the user’s phone number. Once the malware is installed, a hacker has full access to the infected device’s SMS traffic. This type of attack is very effective against the two-step verification login systems used by banks.
Mobile applications often have weak security, such as a lack of encryption or insecure data storage, which ultimately makes them efficient “coyotes” for smuggling malicious apps onto a device.
Money mules are cybercriminals who transfer stolen money on behalf of others, allowing hackers to make their fraudulent transactions untraceable.
Network hacking is typically done through scripts and other network software in order to manipulate the normal behavior of network connections. A compromised network translates to high risk for any device connected to the infected network, as well as for data exchanged within the network or issued by the infected device.
Using stolen/spoofed credentials to apply for new credit cards, often to make fraudulent purchases that are not repaid.
The Office of Foreign Asset Control (OFAC) administers and enforces economic and trade sanctions against certain foreign countries and organizations in order to support US national security and foreign policy objectives. All US businesses, as well as many businesses worldwide (particularly banks), must abide by OFAC regulations. This ties in with Anti-Money Laundering regulations that seek to detect, prevent and report the changing of hands of the proceeds of a crime.
Using stolen credit cards / taking over legitimate user accounts to make fraudulent payments.
Often associated with fake websites or malware, phishing is a social engineering attack in which a hacker sends an email on behalf of a widely known company to users, misleading them into revealing personal information such as bank account numbers, credit card information or passwords.
A proxy is a server that acts as an intermediary between an endpoint device and another server from which a user is requesting service or information. There are different types of proxies, which can be used to speed up requests, filter web content, surf the internet anonymously, or capture user information.
An anonymous proxy is used as an intermediary between a user and a web server in order to hide a user’s IP address, allowing him/her to connect to the final server anonymously. Anonymous proxies allow hackers to hide their true location.
A ransomware attack consists of secretly installing malware on a device that encrypts the user’s personal data, which may lock the system and display a message demanding a payment to unlock it.
Recipient fraud is a process in which a criminal pretends to be another person in order to receive goods originally meant for the victim such as money, information, Medicaid, etc.
Usually attached to downloaded programs or emails, remote access trojans (RATs) are malware programs that give an attacker administrative control over a targeted computer. Once the device is infected, a hacker can use the RAT to infect other computers, create a botnet, monitor the user’s behavior, access confidential information, alter files, etc.
Remote desktop is an application that allows its user to gain real-time access and control of another device from afar. A device that is involuntarily remotely controlled can have the same repercussions as those for device cloning.
Rooting is a process that allows an Android operating system device to overcome a hardware manufacturer’s limitations, including changing the device’s operating system. Secure apps such as those used for banking do not function on rooted phones. Root cloaking is a process that permits a user to hide the fact that his/her device is actually rooted.
Similar to anonymous proxies and TOR software, rotating IP proxies allow a user to connect faster to any web server through an IP rotation algorithm. This process allows a hacker to access sensitive data for a short time and also stay anonymous on the web.
Salary staging involves providing convincing fraudulent papers such as bank statements or financial documents as evidence of a specific income. This type of fraud can be used to mislead banks into providing loans or credit to individuals who would not otherwise qualify.
Listing false/nonexistent goods or services to persuade buyers to make a purchase.
Also known as cookie hijacking, session hijacking consists of exploiting a valid computer session by compromising the session token, either by stealing it during a user’s attempt to connect to a web server or by predicting a valid session token. This allows an attacker to gain unauthorized access to the session.
Similar to session hijacking, session replay consists of intercepting a conversation between a sender and a receiver in order to gather information necessary to replay a user’s session, which allows an attacker to access the user’s views, inputs, logs and so on.
Bots are script-running software programs on the internet which allow hackers to quickly carry out simple, structured and repetitive tasks. Bots are mostly used to analyze and gather as much information as possible from web traffic, or to inject viruses/worms into a computer.
Many banks use text messages for two-factor authentication, and these methods are targets of SMS hijacking. This fraud consists of altering or intercepting SMS content in order to gain access to a user’s session.
Often referred to as tracking software, spyware is a type of software that collects information about a user’s web browsing activity without the user’s knowledge. Spyware can be used maliciously in order to collect personal information such as logins and passwords, credit card or bank information, etc.
A synthetic device is one that fails to accurately portray a real user; such devices are detected by using location signals.
Synthetic identity fraud involves creating a false identity by combining real information from a stolen identity with fabricated information. Hackers use these methods mostly to open bank accounts and obtain credit.
Falsifying information on tax returns to avoid paying the full amount owed, or using stolen identity data to evade tax charges.
TOR is a browser that allows a user to connect anonymously by “bouncing communication around a distributed network” which prevents the final website (TOR exit node) from gathering information about a user’s physical location or tracing a user’s activities.
A trojan is a misleading program that allows an attacker to remain hidden. Once installed, a trojan can delete, corrupt, and use data from the infected computer. Unlike a true virus, a trojan does not replicate itself or spread to other devices unless sent by the infected user.
A trojan horse is a misleading program that hides its true intent, allowing an attacker to remain hidden. Once installed, a trojan can delete, corrupt and use data from the infected computer. Unlike a true virus, a trojan does not replicate itself or spread to other devices unless sent by the infected user.
A VPN is an encrypted network allowing users to hide their information. VPNs allow a user to stay anonymous by encrypting his/her connection, making it difficult to track a user’s identity.