exceed $1 trillion [41]. Given the amount of money changing hands, it's not surprising that organized crime is active on the Internet. The economic importance of Internet-based activities also makes Internet infrastructure an attractive target for politically motivated attacks.
We begin this section by reviewing three common Internet-based attacks. We then explore how these attacks have been used as a means to achieve criminal or political ends.
7.4.1 Phishing and Spear Phishing
A phishing (pronounced “fishing”) attack is a large-scale effort to gain sensitive information from gullible computer users. An attacker sends out millions of email messages from a botnet. The messages inform the recipients that one of their accounts has been compromised and direct them to connect to a Web site to resolve the problem. Targeted users who click on the link encounter an impostor Web site designed to resemble the genuine ecommerce site. Once on the site, they are asked for a login name, password, and other private information. Information collected by the impostor site can then be used for identity theft.
According to an industry study, there were at least 67,000 phishing attacks worldwide in the second half of 2010. An interesting development is the increase in phishing attacks on Chinese ecommerce sites, indicating the growing importance of the Chinese economy [42].
Spear phishing is a variant of phishing in which the attacker selects email addresses that target a particular group of recipients. For example, an attacker may target elderly people judged to be more gullible or members of a group that have access to valuable information [43].
7.4.2 SQL Injection
SQL injection is a method of attacking a database-driven Web application that has improper security. The attacker accesses the application like any other client of the application, but by inserting (injecting) an SQL query into a text string from the client to the application, the attacker can trick the application into returning sensitive information.
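The following added example (not from the book) shows the defect the paragraph describes and its standard remedy side by side: a lookup that splices client text into the SQL statement, next to the same lookup written as a parameterized query. The table, rows and the `INJECTED` string are constructed for the demonstration; the database is an in-memory SQLite instance.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "admin"),
         ("bob", "bob@example.com", "user")],
    )
    return conn

def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation, so the client-supplied text
    becomes part of the SQL statement itself. A crafted value can therefore
    change the WHERE clause and make the query return rows the caller was
    never meant to see."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    """Parameterized query: the value travels separately from the statement,
    so whatever the client sends is compared as data and cannot alter the
    structure of the query."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Constructed input that closes the string literal and appends an always-true
# condition; against the concatenated query it matches every row.
INJECTED = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(conn, "bob"))
    print("vulnerable, injected     :", lookup_vulnerable(conn, INJECTED))
    print("safe, injected           :", lookup_safe(conn, INJECTED))
```

The vulnerable lookup returns every user's email for the injected value, while the parameterized version returns no rows because no username literally equals that string.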
7.4.3 Denial-of-Service and Distributed Denial-of-Service Attacks
A denial-of-service (DoS) attack is an intentional action designed to prevent legitimate users from making use of a computer service [44]. A DoS attack may involve unauthorized access to one or more computer systems, but the goal of a DoS attack is not to steal information. Instead, the aim of a DoS attack is to disrupt a computer server's ability to respond to its clients. Interfering with the normal use of computer services can result in significant harm. A company selling products and services over the Internet may lose business. A military organization may find its communications disrupted. A government or nonprofit organization may be unable to get its message out to the public.

A DoS attack is an example of an “asymmetric” attack, in which a single person can harm a huge organization, such as a multinational corporation or even a government.