Named for section 419 of Nigerian law which makes confidence schemes illegal, this is a scam in which someone pretends to be a wealthy foreigner who wants help moving a large amount of money overseas. Usually, the scammer requests bank account information to pay for fees supposedly incurred in the large-sum transfer. The large sum transfer never happens and the victim is taken for as much "fee" money as possible.
Computer software that attempts to locate, disable and remove from a computer any malicious software (such as viruses and worms). Anti-virus software typically relies on so-called signature files, which allow the software to detect malware based on particular code segments that are only present in unwanted programs. Since it is not possible to know what these code segments are before the malware starts infecting machines on the Internet (and is analyzed by anti-virus companies), this type of prevention mechanism does not help early on as a new malware version spreads. Some types of anti-virus software also perform so-called behavioral checks to detect yet-unseen strains of malware based on what they are trying to do. This is possible since malware is typically accessing and storing data at computer memory locations that other types of software do not.
An attack is an attempt to subvert or bypass a system's security. Attacks may be passive or active. Active attacks attempt to alter or destroy data. Passive attacks try to intercept or read data without changing it. Also see: brute-force attack, Denial of Service, hijacking, password attacks, password sniffing.
A security device carried by an authorized user. The device has a changing value or a secret algorithm that cannot be copied, thus requiring a valid token to be possessed by whomever wants to authenticate. An example of an authentication token is the RSA SecurID token. Also see "second-factor authentication."
A back door is a feature programmers often build into programs to allow special privileges normally denied to users of the program. Often programmers build back doors so they can fix bugs. If hackers or others learn about a back door, the feature may pose a security risk. This is also called a trap door.
Back Orifice is a program developed and released by The Cult of the Dead Cow (cDc). It is not a virus; instead, it is a remote administration tool with the potential for malicious misuse. If installed by a hacker, it has the ability to give a remote attacker full system administrator privileges to your system. It can also “sniff” passwords and confidential data and quietly email them to a remote site. Back Orifice is an extensible program—programmers can change and enhance it over time. Also see: password sniffing.
- Background scanning
- Bayesian filter
The boot record is the program recorded in the boot sector. This record contains information on the characteristics and contents of the disk and information needed to boot the computer. If a user boots a PC with a floppy disk, the system reads the boot record from that disk. Also see: boot sector.
The boot-sector is an area located on the first track of floppy disks and logical disks that contains the boot record. Boot sector usually refers to this specific sector of a floppy disk, whereas the term master boot sector usually refers to the same section of a hard disk. Also see: master boot record.
Boot sector infector (BSI)
A boot-sector infector virus places its starting code in the boot sector. When the computer tries to read and execute the program in the boot sector, the virus goes into memory where it can gain control over basic computer operations. From memory, a boot-sector infector can spread to other drives (floppy, network, etc.) on the system. Once the virus is running, it usually executes the normal boot program, which it stores elsewhere on the disk. It is also called a boot virus, boot-sector virus, or BSI.
Bot network (BotNet)
A bot network is a network of hijacked zombie computers controlled remotely by a hacker. The hacker uses the network to send spam and launch Denial of Service attacks, and may rent the network out to other cyber criminals. Also see: zombie.
A browser hijacker is a type of spyware that allows the hacker to spy on the infected PC’s browsing activity, to deliver pop-up ads, to reset the browser homepage, and to redirect the browser to other unexpected sites. Also see: spyware.
A brute-force attack is an attack in which each possible key or password is attempted until the correct one is found. Also see: attack.
- Cyber criminals
Denial of service (DoS)
A Denial of Service (DoS) attack is an attack specifically designed to prevent the normal functioning of a system and thereby to prevent lawful access to the system by authorized users. Hackers can cause Denial of Service attacks by destroying or modifying data or by overloading the system’s servers until service to authorized users is delayed or prevented. Also see: attack.
A way of forcing users to a malicious site by injecting bad data into a domain name server's cache in order to change (for users of that server) the destination a domain resolves to. The effect of DNS poisoning is that the conversion from a URL to an IP address fails. For example, instead of translating the address www.americanexpress.com to the IP address corresponding to the actual site of American Express, a server that has been a victim of DNS poisoning will supply the incorrect IP address. The URL that the user types will still be printed in the address bar, and if the content of the fraudulent Web site to which the translation is done looks the same as that of the legitimate site, then the user will not notice that the attack took place. Moreover, the fraudulent Web site will be able to harvest all the cookies intended for the legitimate Web site, which will allow it to impersonate the user's machine to the real site as well. Also see man-in-the-middle attacks. DNS poisoning is sometimes referred to as pharming, and it can be performed in a large number of ways. One of the recently discovered ways in which an attacker can mount an attack of this sort is by uploading malware to a person's router (or access point). These are devices that have no inherent protection against malware, but are very powerful in that all the user's Internet traffic passes through these machines. Therefore, an infected router can easily cause incorrect IP address information to be returned to an unsuspecting user.
- DNS Server
EICAR Standard Anti-Virus Test File
The EICAR Standard Anti-Virus Test File consists of one line of printable characters; if saved as EICAR.COM, it can be executed and displays the message: "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" This provides a safe and simple way of testing the installation and behavior of anti-virus software without using a real virus.
Fast infector viruses, when active in memory, infect not only executed programs, but also other programs that are open at the same time. Thus, running an application, such as anti-virus software, which opens many programs but does not execute them, can result in all programs becoming infected. Also see: slow infector.
The small icon displayed next to a URL in the address bar of a browser. Phishers can place a "lock" icon here to pretend the connection is secure, or they can set this icon appropriately to mimic a real site. This means that seeing a lock in the address bar does not automatically mean that the corresponding site is secure.
A firewall prevents computers on a network from communicating directly with external computer systems. A firewall typically consists of a computer that acts as a barrier through which all information passing between the networks and the external systems must travel. The firewall software analyzes information passing between the two and rejects it if it does not conform to pre-configured rules.
- Heuristic analysis
In the wild (ITW)
A virus is "in the wild" (ITW) if it is verified as having caused an infection outside a laboratory situation. Most viruses are in the wild and differ only in prevalence. Also see: zoo virus.
A set of four numbers from 0-255 separated by periods (.) that are used to identify each computer on a network. (Example: 188.8.131.52). An IP address instead of a domain name (such as bank.com) can be used in a phishing URL to hide the fact that a given Web site is not legitimate. In a DNS poisoning or pharming attack, the IP address returned by a DNS server is changed to direct victims to a phisher's site.
- Joke programs
- Keyboard Logger (Keylogger)
Library files contain groups of often-used computer code that different programs can share. Programmers who use library code make their programs smaller since they do not need to include the code in their program. A virus that infects a library file automatically may appear to infect any program using the library file.
In Windows systems, the most common library file is the Dynamic Link Library; its extension is DLL.
- Lock Icon
A logic bomb is a type of Trojan horse that executes when specific conditions occur. Triggers for logic bombs can include a change in a file, a particular series of keystrokes, or a specific time or date. Also see: time bomb.
- Mail bomb
Malware is a generic term used to describe malicious software such as viruses, Trojan horses, spyware, virus, worm and malicious active content. Some malware uses technical vulnerabilities (such as buffer overflow) to attack a machine, whereas other types of malware instead uses social vulnerabilities, i.e., attempts to make the victim willingly install and run the software. To do this, various types of deception is used. Commonly, the user is told that the software has a beneficial purpose, such as a screen saver, an Internet optimizer or spyware detector. While the malware may perform some of these functions, it also performs other functions, unbeknownst to the victim user.
- Malicious code
An attack in which an attacker relays all messages back and forth between a client and server. During the attack, messages may be changed or simply recorded for later use. An example of this attack is where a victim contacts a Web server that is controlled by an attacker, thinking that this is his bank. The Web server then immediately establishes a connection to the user's bank. It sends any information it receives from the bank to the victim, who thinks he received the information from the bank. Any information sent from the victim to the attacker's Web server is immediately forwarded to the bank, which then thinks it receives the information from the user in question. There is no noticeable delay, so this is not detectable. As the Web server sends information back and forth, it may also save all the information it receives. While secure sockets layer (see below) may help protect against man-in-the-middle attacks, there are also ways an attacker can cause two sessions to be started by the victim at the same time, where one of them results in a connection with the bank and the other results in the theft of information sent to the bank. Man-in-the-middle attacks can be performed by malware, whether residing on the victim's machine, on a router or access point he connects to, or on another machine on the Internet.
Master boot record
The master boot record (MBR) is the 340-byte program located in the master boot sector. This program reads the partition table, determines what partition to boot, and transfers control to the program stored in the first sector of that partition. There is only one master boot record on each physical hard disk. It is also called the partition table. Also see: boot record.
- Not in the wild
- On-access scanner
A password attack is an attempt to obtain or decrypt a legitimate user's password. Hackers can use password dictionaries, cracking programs, and password sniffers in password attacks. Defense against password attacks is rather limited but usually consists of a password policy including a minimum length, unrecognizable words, and frequent changes. Also see: password sniffing.
Password sniffing is the use of a sniffer to capture passwords as they cross a network. The network could be a local area network, or the Internet itself. The sniffer can be hardware or software. Most sniffers are passive and only log passwords. The attacker must then analyze the logs later. Also see: sniffer.
In computer security, this is an attack where an attacker compromises domain name values and redirects many people to the wrong IP for a given domain. Often this is accomplished with DNS poisoning or by modifying the host's files on peoples' computers. This is a special case of DNS poisoning, and is often the result of malware infections.
Tricking someone into giving up private data by masquerading as an authority. This is mostly accomplished using e-mail or instant messages, directing the recipient to a fraudulent Web site that appears legitimate. Phishing is related to conning, but is taking place at a much grander scale, due to the use of the Internet, and it is harder to track back to the criminal.
Phishing IQ Test
A test where e-mails are displayed to a participant who is then asked to classify each as fraud or real. Usually these tests are used to illustrate the difficulty of identifying phishing e-mails. Recent research shows that phishing IQ tests are not measuring susceptibility to phishing very well, but rather, simply measure fear of phishing.
- Program infector
A phishing attack targeting the clients of a small financial institution, typically with very limited geographical coverage. Smaller institutions typically have lesser resources to fight phishing attacks than large banks do, and their clients are less accustomed to being targeted. This makes puddle phishing often more successful for the phisher.
- Real-time scanner
- Screen Scraper
Second Factor Authentication
Second factor authentication demands more than just a password from a user logging in. It could be something he or she knows, something he or she has, or something he or she is. Examples of these three possibilities are: knowing one's mother's maiden name; to have a device that displays frequently changing passwords only known by the service provider and the person with the device; and use of a thumbprint to provide evidence of identity. There are many other forms of second factors, but not all are equally secure. Recent banking regulation demands that banks use some form of second factor authentication, but do not specify what type.
Secure Sockets Layer (SSL)
A communication protocol developed by Netscape that is used to establish cryptographically secure communications between a client (usually a Web browser) and server. This protects against data from being stolen by eavesdroppers. Additionally, when a Web browser starts an SSL session, a small lock is displayed in the frame of the browser. However, phishers know that it can be hard to know exactly where the lock should be placed, and even though phishers cannot easily place locks in the browser frame, it is trivial to place lock images in the content portion of the Webpage. Many people do not notice the difference.
Signature-based Malware Detection
A method of detecting malware that identifies malware by analyzing behavior of software, configuration and software patterns. Also see: malware.
Slow infectors are active in memory and only infect new or modified files. Also see: fast infector.
Spam is unsolicited or undesired bulk electronic messages. There is email spam, instant messaging spam, Usenet newsgroup spam, web search-engine spam, spam in blogs, and mobile phone-messaging spam. Spam includes legitimate advertisements, misleading advertisements, and phishing messages designed to trick recipients into giving up personal and financial information.
A spam filter is a program used to detect unsolicited email to prevent spam from making it to a user's inbox. Filters use heuristics, keyword scans, whitelists and blacklists, and other processes. The filters are placed on email and ISP servers, in anti-spam software, and in anti-phishing browsers. Also see: Bayesian filter, heuristic analysis.
This attack is to phishing what targeted advertising is to advertising. In spear phishing, the attacker infers or manipulates the context of his intended victim and then "personalizes" his attack. It is possible for attackers to learn information about the victim in many ways, and it is difficult to know when this has taken place. This makes spear phishing very dangerous.
Assuming the identity of another person while sending e-mail; often used to disguise the actual sender of a message. It is trivial to spoof an e-mail, and it can be done to make the e-mail appear to come from anywhere, whether it is your best friend, your system administrator, your bank or whitehouse.gov.
Spoofed web site
A spoofed web site is one that mimics a real company’s site—mainly financial services sites—in order to steal private information (passwords, account numbers) from people that are tricked into visiting it. Phishing emails contain links to the counterfeit site, which looks exactly like the real company’s site, down to the logo, graphics, and detailed information. Also see: phishing.
Spyware is a wide range of unwanted programs that exploit infected computers for commercial gain. They can deliver unsolicited pop-up advertisements, steal personal information (including financial information such as credit card numbers), monitor web-browsing activity for marketing purposes, or route HTTP requests to advertising sites.
A form submission that originates from an unencrypted "http" page but posts to an encrypted page (https). Encryption only occurs in this case after the submission button is pressed. Some phishers try to make it appear that the sites they manage (and which impersonate legitimate brands) perform SSL posts, whereas they do not. It is difficult for typical users to determine whether a given Webpage will perform an SSL post or not, which makes SSL posts less secure than traditional SSL connections.
- Synthetic Identity Fraud
A time bomb is a malicious action triggered at a specific date or time. Also see: logic bomb.
- Trojan horse
Tunneling is a virus technique designed to prevent anti-virus applications from working correctly. Anti-virus programs work by intercepting the operating system before it can execute a virus. Tunneling viruses try to intercept the actions before the anti-virus software can detect the malicious code. New anti-virus programs can recognize many viruses with tunneling behavior.
A variant is a modified version of a virus. It is usually produced on purpose by the virus author or another person amending the virus code. If changes to the original are small, most anti-virus products will also detect variants. However, if the changes are large, the variant may go undetected by anti-virus software.
A virus is a computer program file capable of attaching to disks or other files and replicating itself repeatedly, typically without user knowledge or permission. Some viruses attach to files so when the infected file executes, the virus also executes. Other viruses sit in a computer's memory and infect files as the computer opens, modifies, or creates the files. Some viruses display symptoms, and others damage files and computer systems, but neither is essential in the definition of a virus; a non-damaging virus is still a virus.
There are computer viruses written for several operating systems including DOS, Windows, Amiga, Macintosh, Atari, UNIX, and others. McAfee.com presently detects more than 57,000 viruses, Trojans, and other malicious software. Also see: boot sector infector, file viruses, macro virus, companion virus, worm. Also see: Virus definition
Virus hoaxes are not viruses, but are usually emails warning people about a virus or other malicious software program. Some hoaxes cause as much trouble as viruses by causing massive amounts of unnecessary email.
Most hoaxes contain one or more of the following characteristics:
- Warnings about alleged new viruses and their damaging consequences
- Demands that the reader forward the warning to as many people as possible
- Pseudo-technical "information" describing the virus
- Bogus comments from officials: FBI, software companies, news agencies, etc.
If you receive an email message about a virus, check with a reputable source to ensure the warning is real. Click here(http://us.mcafee.com/VirusInfo/VIL/hoaxes.html) to learn about hoaxes and the damage they cause. Sometimes hoaxes start out as viruses and some viruses start as hoaxes, so both viruses and virus hoaxes should be considered a threat.
The percentage of targets in a scam that fall victim. If an e-mail asking for credit card details is sent to 100 people and two of them respond, the yield is 2 percent. Phishers, of course, hope for a high yield. It is not known exactly what the yield of phishing attacks are, but researchers and security specialists believe that it is in the range of a few percent, but believe that the increased use of spear phishing can increase the yield well above 20 percent. Given that phishers target huge numbers of potential victims at the same time, even a yield of just a few percent create a sufficient profit for the phishers to be attracted to committing this crime again and again.