If you’re planning to take the Security+ exam, you should have a basic understanding of various types of attacks, including web browser attacks. Understanding these attacks also prepares you to recognize new variants as they emerge, along with the countermeasures that follow them.
For example, can you answer this question?
Q. Security analysts recently discovered that users in your organization are inadvertently installing malware on their systems after visiting the comptai.org web site. Users have a legitimate requirement to visit the comptia.org web site. What is the MOST likely explanation for this activity?
A. Smurf
B. Typo squatting
C. Fuzzing
D. Replay
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are at the end of this post.
Typo Squatting/URL Hijacking
Typo squatting (also called URL hijacking) occurs when someone buys a domain name that is close to a legitimate domain name, often for malicious purposes. As an example, CompTIA hosts the comptia.org web site. If an attacker purchases comptai.org (the last two letters of comptia transposed), some users who mistype the address will land on the attacker’s web site instead of the legitimate one.
Attackers might buy a similar domain for a variety of reasons, including:
- Hosting a malicious web site. The malicious web site might try to install drive-by malware on users’ systems when they visit.
- Earning ad revenue. The attacker can host pay-per-click ads. When visitors click on the ads, advertisers pay revenue to the attacker.
- Reselling the domain. Attackers can buy domain names relatively cheaply, but resell them to the owner of the original site for a hefty profit.
Remember this
Attackers purchase similar domain names in typo squatting attacks for various malicious purposes. Users visit the typo squatting domain when they enter the URL incorrectly with a common typo.
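As an added example (not code from the original post), the following script generates the typo variants an attacker is most likely to register for a legitimate domain (transposed, omitted, doubled and mistyped characters, plus the same name under another top-level domain) and flags any that show up in web proxy logs. The log lines, the alternate TLD list and the partial QWERTY neighbour table are constructed for illustration; a hit is a candidate for review, not proof that the domain is malicious.

```python
"""Generate typo variants of a legitimate domain and flag matches in proxy logs.
Added example, not part of the original post; sample data is constructed."""
import re

# Assumptions for illustration: a few alternate TLDs and a partial QWERTY neighbour table
ALT_TLDS = ("com", "net", "co", "info")
QWERTY_NEIGHBOURS = {
    "a": "qs", "c": "xv", "i": "uo", "m": "n", "o": "ip", "p": "o", "t": "ry",
}


def typo_variants(domain):
    """Return registrable-domain candidates an attacker might buy for `domain`."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    # Adjacent-character transposition: comptia -> comptai
    for i in range(len(name) - 1):
        chars = list(name)
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
        names.add("".join(chars))
    # Single-character omission: comptia -> compta
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])
    # Doubled character: comptia -> compttia
    for i in range(len(name)):
        names.add(name[:i + 1] + name[i] + name[i + 1:])
    # Keyboard-neighbour substitution: comptia -> comptis
    for i, ch in enumerate(name):
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):
            names.add(name[:i] + neighbour + name[i + 1:])
    names.discard(name)  # never flag the legitimate name itself
    variants = {f"{n}.{tld}" for n in names}
    # Same name under a different TLD: comptia.org -> comptia.com
    variants.update(f"{name}.{t}" for t in ALT_TLDS if t != tld)
    return variants


HOST_RE = re.compile(r"https?://([^/\s:]+)")


def registrable(host):
    """Crude eTLD+1: last two labels (fine for .org/.com, wrong for .co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def find_typosquats(log_lines, legit_domain):
    """Return sorted hosts from proxy log lines whose registrable domain is a typo variant."""
    variants = typo_variants(legit_domain)
    hits = set()
    for line in log_lines:
        match = HOST_RE.search(line)
        if match and registrable(match.group(1)) in variants:
            hits.add(match.group(1))
    return sorted(hits)


# Constructed proxy log lines, not real traffic
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z 10.1.4.22 GET https://www.comptia.org/certifications 200",
    "2024-05-01T10:03:40Z 10.1.4.22 GET https://comptai.org/ 200",
    "2024-05-01T10:03:41Z 10.1.4.22 GET https://comptai.org/update.exe 200",
    "2024-05-01T10:05:02Z 10.1.7.9 GET https://compttia.org/ 301",
    "2024-05-01T10:06:30Z 10.1.7.9 GET https://example.org/ 200",
]

if __name__ == "__main__":
    for host in find_typosquats(SAMPLE_LOG, "comptia.org"):
        print("review:", host)
```

The same variant list can be fed to a registrar or passive-DNS lookup to find which lookalikes are already registered, which is how brand-protection teams catch a typo squat before users start hitting it.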
Watering Hole Attacks
In a watering hole attack, the attacker first identifies web sites that the targeted employees are likely to visit, then compromises those web sites so that they serve malware to visitors. The RSA Advanced Threat Intelligence Team first documented this attack in 2012.
Attackers apparently identified a number of web sites visited by personnel working in financial services. Next, they infected many of these web sites with malware that redirected the users to a malicious site. The malicious site attempted to install a type of remote access tool (RAT). When successful, the RAT allows attackers to remotely access and control infected systems.
Although one of the attacks focused on financial services, similar attacks have targeted other industries, including state and federal governments, educational institutions, and defense contractors. According to the RSA Advanced Threat Intelligence Team, approximately 32,000 users working in over 4,000 different organizations were redirected to the malicious web site.
Users surf the Internet with web browsers, and several browser-related issues create security problems. This section addresses the most common concerns.
Malicious Add-Ons
Many web browsers support add-ons to enhance the capability of the browser. For example, you can install the Adobe PDF reader add-on so that the browser opens PDF files directly in the browser window. Similarly, pop-up blocker add-ons prevent unwanted pop-up windows from appearing.
Although many add-ons are helpful, some are malicious. As an example, the Mozilla Sniffer add-on added malicious capabilities to the Firefox browser. After installation, it intercepted the user’s logon data submitted to any web site and sent it to a remote location, presumably managed by attackers. The add-on was only available for a short time as an experimental add-on, but was downloaded and installed by at least 1,800 users. Users should be cautious when installing new add-ons.
Cookies and Attachments
A cookie is a small piece of text data that a web site asks the browser to store on the user’s computer. Cookies serve multiple purposes, including tracking a user’s activity. Web sites regularly write cookies on user systems to remember the user and enhance the user experience.
As an example, Amazon makes frequent use of cookies. When I visit the site and look at different products, it tracks my activity and places ads on the web site based on my previous searches or purchases. Normally, only the web site that set a cookie can read it back. However, a cross-site scripting (XSS) attack runs attacker-supplied script in the context of that web site, and any cookie that is not marked HttpOnly is then readable by that script.
Some web developers store sensitive data, such as usernames or passwords, in cookies. If attackers can read the cookies, they have access to that sensitive data. Additionally, a web site typically stores a session ID in a cookie once the user logs on; an attacker who captures that session ID can use it in a session hijacking attack, impersonating the user without ever knowing the password.
Attachments are typically associated with emails. For example, if you want to share a file with someone else, you can attach the file to your email and send it. Attackers often use attachments when sending malicious spam. If the user opens the attachment, it attempts to install malware onto the user’s system. As an example, I received a malicious email today with a PDF file. The subject was “Notice of court attendance.” It indicated I was scheduled to attend a court hearing and encouraged me to thoroughly study the plaintiff note in the attachment. The attachment is a Zip file that includes malware, which installs itself just by opening the Zip file.
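As an added example (not code from the original post), the following triage routine inspects a Zip attachment before anyone opens it, looking for the tricks common in malicious spam: executable members, double extensions such as `plaintiff_note.pdf.exe` that Windows Explorer displays as a PDF, member names that escape the extraction directory, password-protected members that defeat gateway scanning, and PE headers hiding behind harmless-looking names. The archive is built in memory and its contents are placeholder bytes, not malware.

```python
"""Triage a Zip e-mail attachment for common malspam tricks.
Added example, not part of the original post; the archive is constructed in memory."""
import io
import zipfile

# Assumption: partial list of extensions that execute when double-clicked on Windows
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".wsf", ".hta", ".ps1", ".jar", ".lnk", ".msi")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".txt", ".jpg", ".png")


def triage_zip(zip_bytes):
    """Return {member_name: [reasons]} for members that deserve a closer look."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            lower = name.lower()
            reasons = []
            if lower.endswith(EXECUTABLE_EXTS):
                reasons.append("executable extension")
            # "plaintiff_note.pdf.exe" shows as "plaintiff_note.pdf" when extensions are hidden
            stem = lower.rsplit(".", 1)[0]
            if stem.endswith(DOCUMENT_EXTS) and lower.endswith(EXECUTABLE_EXTS):
                reasons.append("double extension disguised as a document")
            if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                # Extracting such a member writes outside the chosen folder (zip slip)
                reasons.append("path traversal in member name")
            if info.flag_bits & 0x1:
                # Encrypted members cannot be scanned by the mail gateway; common in malspam
                reasons.append("encrypted member")
            else:
                head = archive.read(name)[:2]
                if head == b"MZ" and not lower.endswith(EXECUTABLE_EXTS):
                    reasons.append("PE header in a non-executable name")
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_attachment():
    """Constructed archive resembling the 'court attendance' lure; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("plaintiff_note.pdf.exe", b"MZ placeholder, not a real PE file")
        archive.writestr("plaintiff_note.pdf", b"%PDF-1.4 placeholder")
        archive.writestr("../../Start Menu/Programs/Startup/run.lnk", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_attachment()).items():
        print(member, "->", ", ".join(reasons))
```

The same checks belong on the mail gateway rather than on the desktop; a user who has already double-clicked the archive is past the point where a name check helps.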
Q. Security analysts recently discovered that users in your organization are inadvertently installing malware on their systems after visiting the comptai.org web site. Users have a legitimate requirement to visit the comptia.org web site. What is the MOST likely explanation for this activity?
A. Smurf
B. Typo squatting
C. Fuzzing
D. Replay
Answer is B. Typo squatting (or URL hijacking) uses a similar domain name to redirect traffic. In this scenario, the last two letters in CompTIA are swapped in the malicious domain name, and that site is attempting to download malware onto the user systems.
A smurf attack is a denial-of-service attack that floods a victim with ICMP echo replies by sending spoofed echo requests to a broadcast address; it is unrelated to web sites.
Fuzzing tests an application’s ability to handle random or malformed input; it is a testing technique, not a way to lure users to a look-alike site.
A replay attack captures data, such as authentication traffic, and resends it later with the intent of impersonating one of the parties.