6point6 Prep Document


Cyber-prep

Spoofing the URL:


What is it? URL spoofing is a form of social engineering in which an attacker
creates a website that is, or looks like, a copy of a legitimate website (such as a bank's).
Once the targeted individual is on the false website, one of two things can happen: either the
user is immediately attacked and infected by malware, or the target is baited into
clicking an install link, which then installs the malware.
There are multiple types of URL spoofing, including but not limited to:
Copy-catting
Domain spoofing
Typo-squatting
Homoglyph
Fake URL
In the UK there has been an uptick in cases of URL spoofing of bank websites:
recent research by Brandshield indicates that since October 2022 there have been
1,600 illegitimate web domains impersonating banks, with Barclays, Lloyds and HSBC
suffering the brunt of these spoofs. This has caused millions of pounds of damage to
customers and can utterly shatter trust in these institutions.

Common signs to look out for:


A misspelled link: for instance, natwest.com becomes natwact.com.
A shortened URL, which can be used to hide malicious intent; a lengthened URL can
be used to the same effect.
Using words to hide a link (link text that differs from the real destination) can trick
people reading phishing emails, who will assume the link is legitimate, especially if
they have already assumed the false email itself is legitimate.
Use of special characters that are rarely seen in common URLs; these might be used
to seem more legitimate, especially when buying from overseas or communicating with
overseas clients. Be wary of non-Latin characters.
Counters to spoofed URLs for website users:
Hover over a link to reveal the whole URL, and do not click if it does not match the
known URL.
Make sure the link is secured using HTTPS (Hypertext Transfer Protocol Secure); if it
is not, do not click unless 100% sure.
Use common sense: question whether the email is legitimate and makes sense.

Counters to spoofed urls for website owners:


There are three primary ways that a business can defend both itself and their
customers.
One is to employ domain monitoring software, which effectively scans for websites
that are similar to yours in name or URL (think of a spoofed URL of 6point6 being
6.6).
Another is a step often already taken by most companies: registering both
copyright and trademark. This not only allows spoofed URLs to be removed through
legal action, but the mere threat alone can scare off some of those who might
attempt to scam the less knowledgeable.
The third way is quite simple: these banks could and should educate their
customers about these threats and about simple yet effective ways to protect
themselves whilst using the bank's online services.
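The checks a domain monitoring tool and a careful email reader would make (misspelled brand, non-Latin look-alike letters, brand name buried inside another domain, link text that does not match the real destination) can be scripted. The following is an added example written for this document, not code from 6point6 or from any monitoring product; the owned-domain list and the confusables table are constructed assumptions for the demo, and the registrable-domain logic is a simplification that treats the last two labels as the registered name.

```python
import unicodedata
from urllib.parse import urlparse

# Domains the business actually owns. Constructed for this example; a real
# monitoring setup would load the organisation's full inventory.
OWNED_DOMAINS = {"natwest.com", "6point6.co.uk"}

# A few non-Latin letters that look like Latin ones, mapped to the Latin letter.
# Constructed subset; production tooling uses the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0445": "x", "\u0443": "y",
}


def hostname(url: str) -> str:
    """Lower-cased host of a URL or bare domain, punycode decoded, 'www.' dropped."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # turn xn-- labels back into Unicode
    except UnicodeError:
        pass  # host already contains non-ASCII characters; keep it as-is
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def skeleton(domain: str) -> str:
    """ASCII 'skeleton' of a domain: confusable letters replaced by their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", domain))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats such as natwact.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_owned(host: str) -> bool:
    """True for an owned domain or any subdomain of one."""
    return any(host == o or host.endswith("." + o) for o in OWNED_DOMAINS)


def classify(candidate: str) -> str:
    """Classify a URL/domain as owned, homoglyph, typo, embedded or unrelated."""
    host = hostname(candidate)
    if is_owned(host):
        return "owned"
    skel = skeleton(host)
    if skel != host and is_owned(skel):
        return "homoglyph"          # e.g. Cyrillic 'а' in place of Latin 'a'
    labels = skel.split(".")
    registrable_label = labels[-2] if len(labels) >= 2 else labels[0]
    for owned in OWNED_DOMAINS:
        brand = owned.split(".")[0]
        # Threshold of 2 suits 7-letter brands; lower it for short brand names.
        if registrable_label != brand and edit_distance(registrable_label, brand) <= 2:
            return "typo"            # e.g. natwact.com
        if brand in skel:
            return "embedded"        # e.g. natwest-login.example or natwest.com.evil.example
    return "unrelated"


def link_text_mismatch(text: str, href: str) -> bool:
    """True when the visible link text names one host but the link really goes to another."""
    text = text.strip()
    looks_like_url = "://" in text or ("." in text and " " not in text)
    return looks_like_url and hostname(text) != hostname(href)


if __name__ == "__main__":
    for d in ["https://www.natwest.com/login", "natwact.com", "https://n\u0430twest.com",
              "natwest-login.example", "example.com"]:
        print(f"{d:35} -> {classify(d)}")
    print(link_text_mismatch("https://www.natwest.com/login", "https://natwact.com/login"))
```

Run against a feed of newly registered domains or the links in inbound mail, everything that is not "owned" or "unrelated" is a candidate for the takedown and customer-warning steps described above.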

Data manipulation
Data manipulation is, quite simply, the changing of data. This form of attack
is used by criminals or other threat actors to compromise the integrity of the
bank's data and so its ability to do business with both individual customers and
other businesses, such as shops. This type of data manipulation will be referred to
here as hostile data manipulation.
Data manipulation can harm banks in various ways: while the outright theft of data
is easily noticed, data manipulation is not. This means it can potentially cause
more damage, as it could impact not only short-term operations but long-term ones
as well, by potentially changing the course of the impacted bank. If it does occur,
the data manipulation is treated as a violation of GDPR, leading to large fines, with
the average data breach in the UK costing 3.33 million pounds.
A common source of data manipulation is a former employee who has taken dismissal
poorly, as happened with Tesla in 2018, where an employee both stole and sabotaged
gigabytes of Tesla data.

Ways to counter data manipulation


There are a handful of ways in which we can counter or mitigate data manipulation.
The most useful is to implement a plan for what to do if a breach and manipulation
happen, based on the MITRE ATT&CK framework. Each plan will need to be unique to
deal with the individual challenges of each business, but when these plans are
developed with reference to the common TTPs used by those who attack banks, such
as phishing emails to employees, we can put in place safeguards and protocols
designed to keep out those who should not have access, such as routine log
inspections for abnormal usage alongside software defences like firewalls and
multi-factor authentication.
A second mitigation technique is to create backups, and to create them frequently;
this can be done either weekly or biweekly, though good practice dictates the
former. We can also carry out threat assessments on the data using a risk
assessment matrix; the data can be split into separate groups based on the type of
data or on the client the data belongs to.
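Backups and log inspection, taken together, give a concrete way to detect the "not easily noticed" manipulation described above: replay the audit log of authorised changes over the last backup and compare the result with the live data; any record that differs was changed outside the audited path. The script below is an added example written for this document, not 6point6 code; the account table, audit log and live state are constructed sample data.

```python
# Constructed sample data standing in for the last backup, the audit log of
# authorised changes made since that backup, and the live table as it is now.
BACKUP = {"acct-001": 1000, "acct-002": 250, "acct-003": 4200}
AUDIT_LOG = [
    {"acct": "acct-001", "delta": -100, "by": "teller-17"},   # logged withdrawal
    {"acct": "acct-002", "delta": 50, "by": "teller-03"},     # logged deposit
]
# acct-003 was altered directly in the database with no corresponding log entry.
LIVE = {"acct-001": 900, "acct-002": 300, "acct-003": 9200}


def replay(backup: dict, audit_log: list) -> dict:
    """Apply every logged change to the backup to get the state that should exist now."""
    expected = dict(backup)
    for entry in audit_log:
        expected[entry["acct"]] = expected.get(entry["acct"], 0) + entry["delta"]
    return expected


def find_unlogged_changes(backup: dict, audit_log: list, live: dict) -> list:
    """Return every record whose live value differs from backup + logged changes.

    A difference means the data was altered outside the audited path, or a record
    was added or deleted without a log entry: the signature of hostile manipulation.
    """
    expected = replay(backup, audit_log)
    findings = []
    for acct in sorted(set(expected) | set(live)):
        exp, cur = expected.get(acct), live.get(acct)
        if exp != cur:
            findings.append({"acct": acct, "expected": exp, "live": cur})
    return findings


if __name__ == "__main__":
    for f in find_unlogged_changes(BACKUP, AUDIT_LOG, LIVE):
        print(f"ALERT {f['acct']}: expected {f['expected']}, live value {f['live']}")
```

The check is only as trustworthy as the two inputs: the backup must be stored where the same insider cannot rewrite it, and the audit log must be append-only, otherwise an attacker simply edits both.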

Cross-site request forgery


Cross-site request forgery (also known as a one-click attack) is a type of attack in
which an end user is forced to execute unwanted commands on a web application that
they are authenticated to use.
The attack works by effectively piggybacking on the victim's own rights and
privileges, using them to submit malicious and harmful requests to the server,
effectively bypassing any firewall the target website might have. Since websites
will almost always make requests of any user that visits, such as requesting
session cookies, IP address or domain credentials, the CSRF request will blend in
with the legitimate ones.
CSRF works by crafting fake URLs which look like they are processing the desired
result but are instead altered URLs which do what the attacker wants. To get victims
to these URLs, they are often tricked into clicking on corrupted links or images.
Once in, the CSRF will target whatever can be changed on the server, such as an
email address. This could lead, for example, to the CSRF changing the email address
on the account from the victim's to the attacker's, and then tricking the victim
(using social engineering done beforehand) into adding their details, such as
passwords or credit card details, to this new account.
Since CSRF attacks bypass firewalls and the most common forms of cyber security,
they can pose real problems, as they can effectively allow a keen attacker access
into secure systems with legitimate credentials, or the hijacking of potential payments.

Countering CSRF
Since CSRF can bypass the most common cyber-security methods, a more tailored
method is needed; this is called the synchroniser token method. But before this is
done, use a CSRF scanner to see whether the website in question is vulnerable to
CSRF.
The synchroniser token method works as follows:
- The web server generates a token and stores it.
- The token is set as a hidden form field.
- The form is submitted by the user.
- The token is included in the POST request data.
- The application/website compares its own stored token with the one sent in the
request.
- If the tokens match, the request is considered valid; if they don't, the request
is rejected.
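The six steps above, carried through in code as an added example for this document (not code from 6point6 or any web framework): the session store, form renderer and request handler are constructed stand-ins for the real application, and the route name `/change-email` is assumed for the demo. A cross-site POST carries the victim's session cookie but has no way to read the hidden field, so the handler's rejection of a request without a matching token is exactly what stops the email-change scenario described earlier.

```python
import hmac
import re
import secrets
from html import escape

# Server-side session store; a constructed stand-in for a real session backend
# (the browser only ever holds the session id, in a cookie).
SESSIONS = {}


def create_session() -> str:
    """Step 1: at login the server generates a CSRF token and stores it with the session."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32), "email": None}
    return session_id


def render_form(session_id: str, action: str = "/change-email") -> str:
    """Step 2: the token is embedded in the form as a hidden field."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        f'<form method="POST" action="{escape(action)}">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input type="email" name="new_email">'
        '<button type="submit">Update</button>'
        '</form>'
    )


def token_from_form(html: str):
    """Steps 3-4: what a legitimate browser does on submit, copying the hidden field into the POST."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else None


def csrf_token_valid(session_id: str, form_data: dict) -> bool:
    """Step 5: compare the stored token with the submitted one in constant time."""
    session = SESSIONS.get(session_id)
    submitted = form_data.get("csrf_token")
    if session is None or not submitted:
        return False
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())


def handle_change_email(session_id: str, form_data: dict) -> tuple:
    """Step 6: accept the request only if the tokens match; reject it otherwise.

    The session cookie alone (which a cross-site POST would carry) is not enough.
    """
    if not csrf_token_valid(session_id, form_data):
        return 403, "CSRF token missing or invalid"
    SESSIONS[session_id]["email"] = form_data["new_email"]
    return 200, "email updated"


if __name__ == "__main__":
    sid = create_session()
    token = token_from_form(render_form(sid))
    print(handle_change_email(sid, {"csrf_token": token, "new_email": "me@example.test"}))
    print(handle_change_email(sid, {"new_email": "attacker@example.test"}))  # no token -> 403
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so that token checking does not leak timing information, and the token is tied to the session, so a token obtained from the attacker's own session is rejected when replayed against the victim's.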

Banking Trojans
Banking trojans are pieces of malware that attempt to steal financial information
from a financial institution or to steal an individual's credentials. This is done by
attempting to spoof the website of the victim's bank. They are delivered and function
like normal trojans.
Once these banking trojans have control over one or more of your customers'
accounts, there could be no end to what could happen without immediate
intervention, from draining the accounts of all funds to using them for illegal
purposes or to launder money.
These theoretical scenarios have come true with the Gozi/RATBANK and
SharkBot incidents in 2015 and 2021, respectively.
Gozi was a key piece of the framework for e-payment and commerce; its source code
was leaked, which led to a multitude of accounts being compromised, some of which
held as much as 1.5 million euros. Due to the criminals' ability not only to navigate
the internal banking systems and evade much of the 2FA used for authentication but
also to run a host of phishing schemes, they were able to take over and control over
200 identified accounts.
SharkBot was the name given to an Android-based banking trojan which was able to
initiate money transfers via ATS (Automatic Transfer Systems) and to bypass MFA
(multi-factor authentication). It also had the capability to perform overlay
attacks, stealing both login information and credit card details, as well as to hide
and suppress legitimate communications from the actual bank.
