4. The Need for Cybersecurity: Cyber Attacks 75 Passwords can be stolen through tricking the target into logging into a spoofed website. A spoofed website is a fake version of a legitimate website. Because the attacker controls the spoofed website, he can see the information that people submit to it, including usernames and passwords. Website cloning is easy to do because as we learned in Chapter 2, digital assets can be perfectly replicated, and websites are no exception. The difficult aspect of the attack is getting the victim to navigate to the spoofed website instead of the real website. One way this can be done is through a phishing email that includes a link to a login page. If the target is not vigilant, he may click on the link and thoughtlessly enter in his username and password on the spoofed website without taking the time to check the address bar to confirm he is on the correct website. Attackers might return users to the actual login landing page after the victim “logs in” to avoid arousing suspicion. Shoulder surfing is a technique for stealing passwords by observing users entering them. Shoulder surfing can be done in person or via video camera. Video recordings have the advantage of being able to be replayed and played in slow motion so that the keystrokes can be clearly seen. Keystroke logging (keylogging) is another technique for stealing passwords. Keyloggers record all of a user’s keystrokes. Hackers can then sift through the keystrokes to discover passwords typed by the user. (They can also see everything else the user typed, such as emails, search queries, etc.) People are at risk for keylogger attacks whenever they use computers owned by others, whether in public places like a library, or when borrowing a “friend’s” computer. In these situations, people should be careful what they type! Keyloggers can be software-based or hardware-based. Software-based keystroke loggers need to be installed on the target computer and this creates a barrier for hackers—they need access before they can get users’ keystrokes. Therefore, keystroke loggers are sometimes installed on public machines, however, admin-level access is required in order to steal other users’ keystrokes. Once a machine has been hacked, software-based keyloggers are easy to install to spy on the victim’s activities. Hardware keyloggers are small physical devices (see Figure 4.1). For wired keyboards, they sit on the wire between the keyboard and the computer, and act as a man-in-themiddle, copying all the keystrokes that pass through them. They are inexpensive and require little technical expertise to install and use. They are designed to blend in so that they will go unnoticed, and they do not slow down or affect the target computer in any way. One advantage they have over software-based keyloggers is that they do not require login access to the target machine. However, they do require physical access since they have to be physically installed. For wireless keyboards, hardware keyloggers sniff the air waves for the signals transmitted by the keyboard. Wireless keyloggers need to be close to the target but can work through walls, therefore, they can be hidden easily. Some wireless keyboards create an encrypted channel between the keyboard and the computer— keylogger attacks fail in those cases. Some hardware-based keyloggers, whether for wired
RkJQdWJsaXNoZXIy MTM4ODY=