Cybersecurity For Dummies. Joseph Steinberg
Read the book Cybersecurity For Dummies by Joseph Steinberg online, page 21
Some malvertising requires users to click on the ads in order to become infected with malware; others do not require any user participation — users’ devices are infected the moment the ad displays.
Drive-by downloads
Drive-by download is somewhat of a euphemism that refers to software that users download without understanding what they are doing. A drive-by download may occur, for example, if users download malware by going to a poisoned website that automatically sends the malware to the users’ device when they open the site.
Drive-by downloads also include cases in which users know that they are downloading software, but are not aware of the full consequences of doing so. For example, if a user is presented with a web page that says that a security vulnerability is present on their computer and that tells the user to click on a button that says “Download to install a security patch,” the user has provided authorization for the (malicious) download — but only because the user was tricked into believing that the nature of the download was far different than it truly is.
Stealing passwords
Criminals can steal passwords many different ways. Two common methods include
Thefts of password databases: If a criminal steals a password database from an online store, anyone whose password appears in the database is at risk of having their password compromised. (If the store properly encrypted its passwords, it may take time for the criminal to perform what is known as a hash attack, but nonetheless, passwords — especially those that are likely to be tested early on — may still be at risk.) To date, stealing passwords is the most common way that passwords are undermined.
Social engineering attacks: Social engineering attacks are attacks in which a criminal tricks people into doing something they would not have done had they realized that the person making the request was tricking them in some way. One example of stealing a password via social engineering is when a criminal pretends to be a member of the target’s tech support department and tells the target that the target must reset a particular password to a particular value so that the associated account can be tested, as is supposedly needed after recovery from some breach, and the target obeys. (For more information, see the earlier section on phishing.)
Credential attacks: Credential attacks are attacks that seek to gain entry into a system by entering, without authorization, a valid username and password combination (or other authentication information as needed). These attacks fall into four primary categories:
  Brute force: Criminals use automated tools that try all possible passwords until they hit the correct one.
  Dictionary attacks: Criminals use automated tools to feed every word in the dictionary to a site until they hit the correct one.
  Calculated attacks: Criminals leverage information about a target to guess the target’s password. Criminals may, for example, try someone’s mother’s maiden name because they can easily garner it for many people by looking at the most common last names of their Facebook friends or from posts on social media. (A Facebook post of “Happy Mother’s Day to my wonderful mother!” that includes a user tag to a woman with a different last name than the user is a good giveaway.)
  Blended attacks: Some attacks leverage a mix of the preceding techniques — for example, utilizing a list of common last names, or using brute force attack technology that dramatically improves its efficiency by leveraging knowledge about how users often form passwords.
Malware: If crooks manage to get malware onto someone’s device, it may capture passwords. (For more details, see the section on malware, earlier in this chapter.)
Network sniffing: If users transmit their password to a site without proper encryption while using a public Wi-Fi network, a criminal using the same network may be able to see that password in transit — as can potentially other criminals connected to networks along the path from the user to the site in question.
Credential stuffing: In credential stuffing, someone attempts to log in to one site using username and password combinations stolen from another site.
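The "properly encrypted" password database mentioned above is what makes a hash attack slow. The following Python example, added here and not taken from the book, contrasts the weak scheme (one fast, unsalted hash per password) with salted, iterated PBKDF2 from the standard library. The iteration count, the record format with "$" separators, and the function names are this example's own choices, not a standard the book describes.

```python
import hashlib
import hmac
import os
import time

# Illustrative settings chosen for this example; deployments should follow
# current guidance on iteration counts or use a dedicated scheme such as
# Argon2 or bcrypt. The record layout below is an assumption of this example.
ITERATIONS = 100_000
SALT_BYTES = 16


def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a password for storage with a fresh random salt and many iterations.

    The record carries everything verification needs: algorithm, iteration
    count, salt and digest (salt and digest as hex), separated by '$'.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash and no salt. Every user with the same
    password gets the same digest, so one precomputed table serves all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def guess_cost_ratio(password: str = "example-only", samples: int = 5) -> float:
    """How many times longer one slow-hash check takes than one plain SHA-256.

    This ratio is roughly the factor by which a stolen database of slow hashes
    raises the cost of every guess that has to be tested against it offline.
    """
    record = store_password(password)
    start = time.perf_counter()
    for _ in range(samples):
        verify_password(password, record)
    slow = (time.perf_counter() - start) / samples

    fast_runs = samples * 1000
    start = time.perf_counter()
    for _ in range(fast_runs):
        unsalted_sha256(password)
    fast = (time.perf_counter() - start) / fast_runs
    return slow / fast if fast > 0 else float("inf")


if __name__ == "__main__":
    record = store_password("example-only")
    print(record)
    print("verify correct:", verify_password("example-only", record))
    print("verify wrong:  ", verify_password("example-onlx", record))
    print("same password, new record differs:", store_password("example-only") != record)
    print(f"one slow check costs about {guess_cost_ratio():.0f}x one plain SHA-256")
```

Two properties matter for the "tested early on" caveat in the text: the per-user salt means two users who chose the same password get different records, so a precomputed table cannot be reused across the database, and the iteration count multiplies the cost of every guess, which helps strong passwords far more than it helps the handful of common ones that will be tried first.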
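From the defender's side, the brute force and dictionary attacks in the credential attacks item and the credential stuffing item above leave different footprints in an authentication log: one source hammering a single account, versus one source trying many different accounts once each. The following Python example, added here and not part of the book, runs a sliding-window check over a few constructed log lines. The log format, the field names, the IP addresses (from documentation ranges) and the thresholds are all assumptions of this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format assumed for this example:
# <ISO-8601 timestamp> <FAIL|OK> ip=<source address> user=<account name>
SAMPLE_LOG = """\
2024-03-01T10:00:01Z FAIL ip=203.0.113.7 user=alice
2024-03-01T10:00:03Z FAIL ip=203.0.113.7 user=bob
2024-03-01T10:00:05Z FAIL ip=203.0.113.7 user=carol
2024-03-01T10:00:08Z FAIL ip=203.0.113.7 user=dave
2024-03-01T10:00:10Z FAIL ip=203.0.113.7 user=erin
2024-03-01T10:00:12Z FAIL ip=203.0.113.7 user=frank
2024-03-01T10:01:00Z FAIL ip=198.51.100.9 user=bob
2024-03-01T10:01:05Z FAIL ip=198.51.100.9 user=bob
2024-03-01T10:01:10Z FAIL ip=198.51.100.9 user=bob
2024-03-01T10:01:15Z FAIL ip=198.51.100.9 user=bob
2024-03-01T10:01:20Z FAIL ip=198.51.100.9 user=bob
2024-03-01T10:01:25Z FAIL ip=198.51.100.9 user=bob
2024-03-01T10:01:30Z FAIL ip=198.51.100.9 user=bob
2024-03-01T10:02:00Z FAIL ip=192.0.2.5 user=carol
2024-03-01T10:02:20Z FAIL ip=192.0.2.5 user=carol
2024-03-01T10:02:40Z OK ip=192.0.2.5 user=carol
"""


def parse_line(line: str):
    """Return (timestamp, outcome, ip, user) for one log line."""
    ts, outcome, ip_field, user_field = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        outcome,
        ip_field.split("=", 1)[1],
        user_field.split("=", 1)[1],
    )


def failures_by_ip(log_text: str):
    """Group failed logins by source address, each list sorted by time."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, outcome, ip, user = parse_line(line)
        if outcome == "FAIL":
            by_ip[ip].append((ts, user))
    for events in by_ip.values():
        events.sort()
    return by_ip


def max_distinct_users(events, window: timedelta) -> int:
    """Largest number of distinct accounts one source failed against within any window."""
    counts, best, left = Counter(), 0, 0
    for ts, user in events:
        counts[user] += 1
        while ts - events[left][0] > window:  # drop events that fell out of the window
            old_user = events[left][1]
            counts[old_user] -= 1
            if counts[old_user] == 0:
                del counts[old_user]
            left += 1
        best = max(best, len(counts))
    return best


def max_failures_per_user(events, window: timedelta) -> int:
    """Largest number of failures against a single account within any window."""
    per_user = defaultdict(list)
    for ts, user in events:
        per_user[user].append(ts)
    best = 0
    for times in per_user.values():
        left = 0
        for right, ts in enumerate(times):
            while ts - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
    return best


def classify(log_text: str, window=timedelta(minutes=5),
             stuffing_threshold: int = 5, brute_threshold: int = 6):
    """Map each suspicious source address to the pattern(s) it matches.

    Many distinct accounts from one source looks like credential stuffing (or
    password spraying); many failures on one account looks like brute force.
    """
    findings = {}
    for ip, events in failures_by_ip(log_text).items():
        labels = []
        if max_distinct_users(events, window) >= stuffing_threshold:
            labels.append("credential_stuffing")
        if max_failures_per_user(events, window) >= brute_threshold:
            labels.append("brute_force")
        if labels:
            findings[ip] = labels
    return findings


if __name__ == "__main__":
    for ip, labels in classify(SAMPLE_LOG).items():
        print(ip, ", ".join(labels))
```

The third address in the sample fails twice and then succeeds, which is what an ordinary user mistyping a password looks like, and it is correctly left alone; thresholds and window length should be tuned against a site's real traffic before alerts are generated from them.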
Exploiting Maintenance Difficulties
Maintaining computer systems is no trivial matter. Software vendors often release updates, many of which may impact other programs running on a machine. Yet it is absolutely critical that some patches be installed in a timely fashion, because they fix bugs in software — bugs that may introduce exploitable security vulnerabilities. The conflict between security and following proper maintenance procedures is a never-ending battle — and security doesn’t often win.
As a result, the vast majority of computers aren’t kept up to date. Even people who do enable automatic updates on their devices may not be up to date — both because checks for updates are done periodically, not every second of every day, and because not all software offers automatic updating. Furthermore, sometimes updates to one piece of software introduce vulnerabilities into another piece of software running on the same device.
Advanced Attacks
If you listen to the news during a report of a major cyberbreach, you’ll frequently hear commentators referring to advanced attacks. While some cyberattacks are clearly more complex than others and require greater technical prowess to launch, no specific, objective definition of an advanced attack exists. That said, from a subjective perspective, you may consider any attack that requires a significant investment in research and development to execute successfully to be advanced. Of course, the definition of significant investment is also subjective. In some cases, R&D expenditures are so high and attacks are so sophisticated that there is near universal agreement that an attack was advanced. Some experts consider any zero-day attack to be advanced, but others disagree.
Advanced attacks may be opportunistic, targeted, or a combination of both.
Opportunistic attacks are attacks aimed at as many targets as possible in order to find some that are susceptible to the attack that was launched. The attacker doesn’t have a list of predefined targets — the attacker’s targets are effectively any and all reachable systems that are vulnerable to the launched attack. These attacks are similar to someone firing a massive shotgun in an area with many targets in the hope that one or more pellets will hit a target that they can penetrate.
Targeted attacks are attacks that target a specific party and typically involve utilizing a series of attack techniques until one eventually succeeds in penetrating into the target. Additional attacks may be launched subsequently in order to move around within the target’s systems.
Opportunistic attacks
The goal of most opportunistic attacks is usually to make money — which is why the attackers don’t care whose systems they breach; money is the same regardless of whose systems are breached in order to make it.
Furthermore, in many cases, opportunistic attackers may not care about hiding the fact that a breach occurred — especially after they’ve had time to monetize the breach, for example, by selling lists of passwords or credit card numbers that they stole.
While not all opportunistic attacks are advanced, some certainly