Study of emerging trends of cyber attacks in Indian cyber space & their countermeasures






ISSN: 2249-5789. Alok Pandey et al., International Journal of Computer Science & Communication Networks, Vol 4(5), 149-159

Study of Emerging Trends of Cyber Attacks in Indian Cyber Space & their Countermeasures

Alok Pandey (1), Dr Jatinderkumar R Saini (2)
(1) Senior Systems Manager, BIT (Mesra), Jaipur Campus, alokpandey1965@yahoo.co.in
(2) Director (I/C) & Associate Professor, Narmada College of Computer Application, Bharuch, Gujarat, India, saini_expert@yahoo.com

Abstract

Targeted attack refers to intrusions by attackers who aggressively pursue and compromise specific targets, often using social engineering and malware. Such attacks maintain a constant presence within the victim's network, move throughout the target's network and extract sensitive information. They are mainly aimed at civil society organizations, business enterprises, and government and military networks. As a result, targeted attacks have become a priority threat. In this paper we examine the different stages involved in a targeted attack, from the reconnaissance phase through to the data exfiltration phase, explore trends in the tools, tactics and procedures used in such attacks, and conclude with a high-level examination of mitigation strategies.

Keywords: Cyber Crimes, Targeted Attacks, Adware, Malware

1 Introduction

Cyber criminals in India are using different tactics. They use targeted attack methods such as website defacement, old but still effective exploits, botnets and remote administration tools to exploit victim computers. One recently published report [1] shows that on average nearly 2.5 million malware samples are detected per month in India.

Fig. 1. Top 10 malware detections in India

Another problem users face is adware. The latest trends show that an average Indian user is exposed to several adware programs.

Fig. 2. Top 10 adware detected in India

It has been observed that the Indian community falls prey easily to fake movie download links and sites. One of the latest reports says that India ranks within the first ten countries where people click movie-related links which eventually lead them to threats. Such links may appear in blogs, social networking sites etc. One recent lure relates to the unfortunate incident at the Delhi Zoo: it asks the user to follow certain links to see an "unedited version" of the incident that is supposedly not being shown on TV and other media.

The report [1] also lists India among the countries affected by online banking infections.

Fig. 3. Online banking infections

The report [1] also shows that huge numbers of malicious apps are downloaded.

Fig. 4. Malicious app downloads in India

In its annual report for the year 2013, CERT-In states that it handled more than 71,000 incidents such as spam, website intrusion and malware propagation, malicious code, phishing, and network scanning and probing. The summary for some previous years as published by CERT-In [2] is given in Table 1.

Table 1. Incidents handled by CERT-In

Some of the security threats handled by CERT-In are the following.

1.1 Website Intrusion and Malware Propagation

Several incidents of website intrusion and drive-by-download attacks through compromised websites have been reported. Close to 4,250 malicious URLs were tracked in the ".in" space. Several legitimate websites were compromised to redirect visitors to malicious websites which exploit vulnerabilities in client-side applications and deliver malware such as keyloggers and information stealers. The malicious websites use attack toolkits like Blackhole, RedKit, Nuclear and Darkleech, and include shellcode and JavaScript for exploiting vulnerabilities in Internet Explorer, Java SE/SDK, Adobe Flash, Silverlight etc.

1.2 Trojan Cryptolocker

Another infection, spreading via malicious hyperlinks shared through spam emails and social media, malicious email attachments (fake FedEx and UPS tracking notices), drive-by downloads, or as a file dropped by other malware, is Trojan Cryptolocker. Cryptolocker encrypts files on the victim's storage devices (local drives, external hard disks, network file shares or mapped network drives, USB drives and cloud storage drives) using public-key cryptography: in practice each file is encrypted with a symmetric key, which is in turn encrypted with an RSA public key whose private half is held only on the malware's control servers, so the files cannot be recovered without the attackers' key.

1.3 ZeroAccess Botnet

One widespread multi-component rootkit family is Win32/Sirefef, a.k.a. "ZeroAccess", which affects Windows operating systems. It spreads mainly through pirated software, exploit kits and other malware downloaders. It uses disk-level hooking to hide itself, its related files and its network activity, and hence its detection and removal are difficult.

1.4 DDoS Attack Trends

It has been observed that during 2013 vulnerabilities in Content Management Systems like Joomla, WordPress etc. were used to compromise websites in the government and corporate sectors. Attack scripts are then hosted on the compromised websites and used to launch Distributed Denial of Service attacks with the resources of those web servers.

1.5 Tracking of Indian Website Defacements

Around 24,000 defacements of Indian websites in the various domains have been tracked by CERT-In, and suitable measures to harden the web servers have been suggested to the concerned organizations [2]. Their distribution is shown in Fig. 5.

Fig. 5. Indian top-level domains defaced

1.6 Tracking of Open Proxy Servers

CERT-In has tracked more than 2,000 open proxy servers in India and alerted the concerned system administrators to configure them properly, so as to reduce spamming and other malicious activities originating from India. Fig. 6 shows the month-wise distribution of open proxy servers tracked during 2013 [2].

Fig. 6. Open proxies

1.7 Botnet Tracking and Mitigation

There has been a constant increase in the tracking of bots and botnets involving Indian systems by CERT-In. After tracking and identifying the IP addresses of systems that are part of a botnet, the concerned users and their Internet Service Providers are notified and advised to clean up the systems in order to prevent malicious activity using them [2]. Fig. 7 shows the increasing number of such bot-infected systems tracked in 2013.

Fig. 7. Botnet statistics

All of the above show a phenomenal growth in cyber crime and related malicious activity in and around the Indian cyber space, and establish that cyber criminals are working in a more organized way, following business models to generate revenue and profit. Cyber criminals treat cyber crime as a legitimate business of selling information, tools and resources; they profit not only from stolen data but also by helping other cyber criminals. They often work in groups and follow the organized crime business model. Each member of the group is assigned a specific role in the process, which makes it harder to track them and to recover the stolen data or resources. They even outsource, hiring computer owners to join their botnets, and they train others who are interested in learning the established techniques and practices, so that more sophisticated attacks can be launched. Regional underground specialization services such as traffic diversion systems, pay-per-install, attack services, Distributed Denial of Service and compromised hosts/botnets have been observed.
2 Targeted Attacks

One of the attack techniques increasingly used by cyber criminals against large business houses, financial institutions and some government-related organizations is the targeted attack. It is a well-established technique which is now being used with newer variations. Targeted attacks using social engineering have been ongoing since at least 2002 [8][9]. The first such campaign to be covered by the press occurred in March 2004 and is known as Titan Rain [10]. In 2005 these attacks were revealed by TIME magazine, which highlighted the beginning of "cyber-espionage" and the threat it posed to government and military networks. The New York Times revealed similar cases in 2007 in the United States, where systems were compromised using targeted phishing emails [11]. In 2008, Business Week documented such threats to defense contractors and other large private enterprises [12]. The report revealed that social engineering techniques were used to lure potential victims into executing malware which allowed the attackers to take full control of their computers.

One highly publicized attack was the "Aurora" attack on Google in late 2009, which affected several other companies as well. Prior to this there was hardly any public awareness of targeted malware attacks [3]. Such attacks are still taking place and are aimed at government, military, corporate, educational and civil society networks. Countries like the U.S., Canada, South Korea and France have all experienced serious security breaches of sensitive networks [4][5]. In the meantime, the connection between targeted malware attacks using social engineering and malicious documents was demonstrated by researchers [12][13][14]. At security conferences it was shown that attackers were using exploits in popular software packages to send malicious documents (such as PDFs, DOCs, XLSs and PPTs) to a variety of targets using socially engineered emails.

In 2009, the New York Times revealed the existence of GhostNet, a cyber-espionage network that had compromised around 1,300 computers in 103 countries [15][16]. The attackers used socially engineered emails to persuade victims to open a malware-laden attachment, which permitted the attackers to gain control over the compromised system. Subsequently the attackers would instruct the compromised computers to download a Trojan called gh0st or gh0stRAT, with which the attacker could take real-time control of the compromised system. The network was named GhostNet because the attackers used the gh0stRAT Remote Access Trojan; they were able to maintain persistent control over the compromised computers for up to 660 days. A year later, the New York Times again reported the existence of another cyber-espionage network [16] that misused a variety of services including Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com etc. Around 200 computers were compromised, mostly in India, and they contained Secret, Confidential and Restricted documents.

We have seen in the recent past that RSA was also compromised using a targeted malware attack [6]. The data stolen during that attack may have helped in conducting subsequent attacks against several other companies and Oak Ridge National Laboratory [7].

In 2010 Stuxnet revealed that targeted malware attacks could be used to interfere with industrial control systems [17]. Stuxnet was designed to modify specific programmable logic controllers (PLCs) [18]. The target of the attack was Iran's uranium enrichment capability [19]. Stuxnet demonstrated that future threats could focus on sabotage rather than just espionage.

Most Internet users are likely to face common threats such as fake security software (FAKEAV) and banking Trojans (Zeus, SpyEye, Bancos) [20][21][22]. There are hardly any boundaries left between online crime and espionage. Such developments indicate that attacks of a criminal nature, like the targeting of individuals' banking credentials, may also pose a threat to the government and military sectors, as the ultimate aim of the attackers is to maximize their financial gain from malware attacks.

Targeted attacks exploit vulnerabilities in popular software to compromise specific target systems, and they are becoming increasingly common. Such attacks are neither automated nor conducted by amateurs. They may be well coordinated and include a series of failed and successful compromises, or a broader campaign, with the prime aim of obtaining sensitive data. Targeted attacks are geographically diverse and are most often aimed at civil society organizations, business enterprises and government/military networks.

In a targeted attack the victim receives a socially engineered message, such as an email or instant message, that lures the victim into clicking on a link or opening a file. These links or files carry malware that exploits known vulnerabilities in popular software such as Adobe Reader (PDFs) or Microsoft Office (DOCs). The payloads of these exploits are malware that is silently executed on the target's computer, as a result of which the attacker takes control of, and obtains data from, the compromised computer.

The study of the different stages of an attack can provide a better understanding of the procedures followed by attackers [23][24][25]. A targeted attack can be broken down into six components:

• Reconnaissance/Targeting: profiling the victim to acquire information such as the defensive mechanisms and other software deployed, and to understand the roles and responsibilities of the key persons using that system or network.
• Delivery Mechanism: selection of a delivery mechanism, such as email or IM, together with the social engineering, and embedding of the malicious code and/or malware in a delivery vehicle such as a PDF.
• Compromise/Exploit: execution of the malicious code, with human help, which results in a compromise and gives the attackers control of the victim's system.
• Command and Control: a link from the compromised system to a server under the attacker's control. This could be the server component of a Remote Access Trojan (RAT) or any server through which the attacker can issue commands, for example to download additional malware onto the compromised system.
• Persistence/Lateral Movement: the procedures and techniques by which the malware survives a reboot of the victim machine, continues to provide remote access, and moves laterally throughout the network, enumerating file systems and seeking sensitive information.
• Data Exfiltration: locating sensitive data and transmitting it, typically compressed and encrypted, to other locations under the attacker's control.

3 Trends in Targeted Attacks

The latest patterns observed in the different stages of targeted attacks [26] are as follows.

3.1 Reconnaissance/Targeting

One of the most commonly used techniques in targeted malware attacks is social engineering. The objective of social engineering is to manipulate individuals into revealing sensitive information or executing malicious code. A variety of public sources, including business profiles and social networking sites, is used for it. Social engineering attacks typically involve current events, subject areas of interest and business functions related to the victim. To gain the victim's confidence, messages are sent that appear to originate from someone known within the victim's organization or social network [27][28]. The following social engineering techniques are seen:

• To masquerade as a real person who may be known to the victim, the attacker registers email addresses with popular webmail services such as Gmail, Yahoo! Mail and Hotmail using the names of the target's colleagues.
• Attacks may be based on spoofed legitimate business or government email addresses, which can be detected relatively easily [29].
• Attackers use personal email addresses, since employees often check their personal email accounts from work and even use these accounts for business purposes [30].
• The attacker tries to misuse authority relationships, such as boss and employee, so that the target will open the malicious attachment.
• To increase authenticity, attackers also use the classification markings of government and intelligence services [31].
• Attackers are now forwarding legitimate emails, from mailing lists or from emails acquired in previously successful attacks, along with malicious links and attachments.
• Attackers send two or more files, since the victim may scan only the first one for infections. If none is found, the victim believes that the others are also clean and opens the rest of the attached files, which may contain the malware.
• Attackers may use the "res://" protocol (an Internet Explorer feature that loads resources out of local executables and DLLs) to determine which software is present on the target, such as file-sharing programs, web browsers, remote administration tools, email clients, download managers and media players, as this information can be used in future attacks to select the appropriate exploit for a specific application [32]. In the same way attackers can detect security software such as antivirus, personal firewalls and PGP encryption software, as well as installed Microsoft security updates. They can also verify the use of virtual machine software, such as VMware, which might be used at the target end to trap attackers.

The information obtained through social engineering is used by attackers in future attacks.

3.2 Delivery Mechanism

The delivery mechanisms used are as follows:

• The delivery mechanism is mostly email or an instant messaging service, through which the attacker lures the victim into downloading malware by clicking a malicious link. The emails are often sent from webmail accounts, or from spoofed addresses through compromised mail servers [41]. Such emails contain an attachment (a PDF, DOC, XLS or PPT) carrying malicious code designed to exploit vulnerabilities in specific versions of Adobe's PDF reader or Flash, and in some versions of Microsoft Office.
• Attackers may use EXE files as attachments, or provide links to download them. Malware that uses Unicode characters to disguise the fact that it is an executable has been discovered: a right-to-left override character (U+202E) placed in the filename reverses the display of the characters that follow it, so a name that really ends in ".exe" can be shown as ending in ".doc". Attackers also rely on the default Windows configuration that hides known file extensions, so that "report.doc.exe" is displayed as "report.doc". It has further been observed that attackers trick users into thinking that EXE files are simply directories by giving the executable a folder icon [33].
• Attackers may hide EXE files inside compressed formats such as ZIP or RAR, and the archives may be encrypted to avoid network-based malware scanning.
• Another mechanism is the drive-by exploit, in which the attacker simply includes a link to a web page containing exploit code for vulnerabilities in browsers or browser plug-ins, which installs the malware on the victim's machine. Rather than sending the target to a completely unknown web page, attackers are now compromising legitimate websites that are contextually relevant to the target and embedding "iframes" that silently load exploits from locations under the attacker's control [34].
• Attackers use instant messaging and social networking platforms, such as Facebook messages, as delivery mechanisms. The New York Times reported that the "Aurora" attack on Google originated with an instant message [35][36].
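The file-disguise tricks listed in section 3.2 are mechanical enough to check at the mail gateway. The following is an added example (not code from the paper) that inspects attachment names for a bidi override character, a document suffix in front of the real extension, and executables inside a ZIP, and reports encrypted archive members that cannot be scanned on the wire. The extension lists, the sample names and the sample archive are all constructed for this example.

```python
"""Flag email attachments that disguise an executable as a document.

Added example for section 3.2; not code from the paper. The extension
lists are assumptions to extend for your environment; the sample names
and the sample ZIP at the bottom are constructed.
"""
from __future__ import annotations

import io
import zipfile

# Extensions Windows runs on double-click (assumed list, extend as needed).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Extensions the attacker wants the user to *see*.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg"}
# Unicode bidirectional controls; U+202E (RLO) is the one that makes
# "report_fdp.exe" render as "report_exe.pdf".
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def real_extension(name: str) -> str:
    """Extension the OS actually uses: text after the last dot, ignoring bidi controls."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[1].lower() if "." in stripped else ""


def displayed_name(name: str) -> str:
    """Approximate what a file manager renders: RLO reverses everything after it."""
    if "\u202e" in name:
        head, tail = name.split("\u202e", 1)
        return head + tail[::-1]
    return name


def analyse_filename(name: str) -> list[str]:
    """Return findings for one attachment name; an empty list means nothing suspicious."""
    findings = []
    ext = real_extension(name)
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi control character in name")
        shown = displayed_name(name)
        if real_extension(shown) in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
            findings.append(f"displays as {shown!r} but runs as .{ext}")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
        parts = name.lower().split(".")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            # "invoice.pdf.exe" is shown as "invoice.pdf" when extensions are hidden
            findings.append("document suffix in front of the real extension")
    return findings


def analyse_zip(data: bytes) -> list[str]:
    """Inspect each member of a ZIP attachment without extracting it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = info.filename.rsplit("/", 1)[-1]
            if not member:            # directory entry
                continue
            findings += [f"{member}: {f}" for f in analyse_filename(member)]
            if info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
                findings.append(f"{member}: encrypted member, content cannot be scanned")
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: an executable with a picture name next to a harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photos/holiday.jpg.exe", b"MZ placeholder, not a real binary")
        zf.writestr("Photos/README.txt", b"see attached photos")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ["report.pdf", "invoice.pdf.exe", "minutes_\u202ecod.exe"]:
        print(repr(sample), analyse_filename(sample) or "clean")
    for finding in analyse_zip(build_sample_zip()):
        print("sample.zip:", finding)
```

displayed_name models only a single RLO, which is what the attacks described use; a full bidi rendering is not attempted. The standard library reads ZIP only, so RAR attachments need an external tool, and an encrypted archive is a policy decision (block or detonate in a sandbox) rather than something the gateway can inspect.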
3.3 Compromise and Exploit

The latest patterns of compromise are as follows:

• To install malware on the victim's computer, attackers use malicious code designed to exploit a vulnerability, or "bug", in particular software. They often exploit flaws in Adobe's PDF reader, Adobe Flash and Microsoft Office. One attack involved embedding a malicious Flash object inside a Microsoft Excel spreadsheet [37].
• Vulnerabilities in webmail services are being exploited to compromise email accounts. Personal email is becoming a target as users check their personal email accounts from the office [38].
• Attackers exploited the MHTML vulnerability reported by Google in order to target political activists who use Google's services [39].
• A researcher in Taiwan revealed a phishing attack based on a vulnerability in Microsoft's Hotmail service: simply previewing the malicious email message could compromise the user's account [40].
• Cookies can also be used to launch a targeted attack.

3.4 Command and Control

The trends and patterns observed in command and control are as follows:

• The malware executed on the target's system reports to one or more servers under the attackers' control. The command and control mechanism lets the adversary confirm that an attack has succeeded, provides information about the target's computer and network, and allows the attackers to issue commands to the compromised target.
• The installed malware acts as a dropper: the attacker can instruct the compromised computer to download further components with additional functionality, such as second-stage malware like a remote access tool/Trojan (RAT), which gives the attackers real-time control of the system.
• To keep the communication channel between the compromised machine and the command and control server open, control may be transferred to another C&C server. Malware is making use of cloud-based command and control so as to blend into normal network traffic [41][42].
• Some attackers register domain names for their exclusive use, while others rely on Dynamic DNS (DDNS) services for free sub-domains. The free sub-domains provided by DDNS services are used with off-the-shelf RATs such as gh0st and Poison Ivy. While the attackers are offline, the domain names resolve to localhost or invalid IP addresses; when they come online, the domains resolve to the attackers' IPs. Third-party locations can be used to update these RATs as needed.
• Customized DLLs are being created for specific targets, alongside the other RATs.

3.5 Persistence / Lateral Movement

After getting inside the target's network, the adversary maintains constant access to it and moves laterally throughout the network, locating data of interest for exfiltration.

• To maintain persistence, the initial malware payload has some mechanism to ensure that it is restarted after a reboot of the compromised computer, using simple methods such as adding the malware executable to the Windows "Startup" folder, modifying the Run keys in the Windows Registry, or installing the malware as a Windows service. It has been reported that 97% of malware uses one of these three methods to survive a reboot of the target system.
• The attacker downloads Remote Access Trojans (RATs) or tools that allow him to execute shell commands in real time on the compromised host.
• An attacker may escalate privileges to those of an administrator using techniques like "pass the hash", and then target mail servers [43].
• The attackers often download and use tools to "brute-force" database servers, extract email from Exchange servers and obtain VPN credentials, so that they can maintain access to the network even if their malware is discovered.
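Because almost all of the persistence described in section 3.5 lands in the Run keys or the Startup folder, a scheduled export of those locations compared against a known-good baseline is a cheap detector, and it is exactly the "monitoring such changes" that section 4 recommends. The following is an added example, not code from the paper: it parses two exports in the text format written by `reg export` (Windows Registry Editor Version 5.00; decode the UTF-16 file first), diffs them together with two Startup folder listings, and attaches simple heuristics to each new entry. Both exports, both listings and the heuristic lists are constructed for this example.

```python
"""Diff two snapshots of Windows auto-start locations to spot new persistence.

Added example for sections 3.5 and 4; not code from the paper. The registry
exports, Startup listings, user-writable directory list and system binary
names below are constructed assumptions; tune them to your own estate.
"""
from __future__ import annotations

import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Heuristics (assumptions for this example): legitimate auto-starts normally live
# under Program Files or Windows, are not launched via script/DLL hosts, and a
# binary named like a core system process belongs under \Windows\.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "%temp%", "%appdata%")
SCRIPT_HOSTS = re.compile(r"\b(rundll32|regsvr32|powershell|wscript|cscript|mshta)\b")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}} for string values.

    reg export escapes backslashes and quotes as \\ and \"; both are undone here.
    Non-string values (hex:, dword:) are ignored, which is fine for Run keys.
    """
    result: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SECTION.match(line):
            current = m.group(1)
            result.setdefault(current, {})
        elif (m := _VALUE.match(line)) and current is not None:
            result[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return result


def flag_command(command: str) -> list[str]:
    """Why an auto-start command line deserves a closer look (may be empty)."""
    reasons = []
    low = command.lower()
    if any(d in low for d in USER_WRITABLE):
        reasons.append("runs from a user-writable directory")
    if SCRIPT_HOSTS.search(low):
        reasons.append("launched through a script or DLL host")
    binary = re.search(r"([\w-]+\.exe)\b", low)
    if binary and binary.group(1) in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append("system binary name outside the Windows directory")
    return reasons


def diff_autostarts(baseline_reg: str, current_reg: str,
                    baseline_startup: list[str], current_startup: list[str]) -> list[dict]:
    """Entries added or changed since the baseline, each with heuristic reasons."""
    alerts = []
    base, cur = parse_reg_export(baseline_reg), parse_reg_export(current_reg)
    for key in RUN_KEYS:
        for name, cmd in cur.get(key, {}).items():
            old = base.get(key, {}).get(name)
            if old == cmd:
                continue
            alerts.append({"location": key, "name": name, "command": cmd,
                           "change": "added" if old is None else "modified",
                           "reasons": flag_command(cmd)})
    for item in sorted(set(current_startup) - set(baseline_startup)):
        alerts.append({"location": "Startup folder", "name": item, "command": item,
                       "change": "added", "reasons": ["new item in Startup folder"]})
    return alerts


# Constructed snapshots: the baseline is a clean host, the current export has
# gained a rundll32 loader in HKLM and a fake svchost in the user's AppData.
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''
CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="rundll32.exe C:\\Users\\Public\\lib\\cfg.dat,Start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WindowsUpdateCheck"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
'''
BASELINE_STARTUP = ["Send to OneNote.lnk"]
CURRENT_STARTUP = ["Send to OneNote.lnk", "wincfg.exe"]

if __name__ == "__main__":
    for alert in diff_autostarts(BASELINE_REG, CURRENT_REG, BASELINE_STARTUP, CURRENT_STARTUP):
        print(alert["change"], alert["location"], alert["name"], alert["reasons"])
```

The third persistence method the paper names, a Windows service, can be covered the same way by exporting HKLM\SYSTEM\CurrentControlSet\Services and diffing the ImagePath values; the parser above already accepts that export unchanged.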
3.6 Data Exfiltration

The main aim of the attackers is to gain access to sensitive data and transmit it to locations under their control. To do so the attackers collect the desired data and may compress it using RAR or Zip tools, or even split the compressed file into small portions so that they can be transmitted to different locations under the attacker's control. Different transmission methods such as FTP and HTTP are used, and attackers are now also using the Tor anonymity network [44]. The malware sends directory and file listings to the command and control server, where the attacker may select specific files or directories to be uploaded. Attackers who use RATs may use the built-in file transfer functionality for this purpose.

4 Detection and Mitigation

Defence against targeted attacks should be focused on detection and mitigation rather than simply on prevention. The ultimate objective of targeted attacks is the acquisition of sensitive data, so defensive strategies need to include the identification and classification of sensitive data, so that appropriate access controls can be placed on it [45]. Developing threat intelligence based on indicators that identify the tools, tactics and procedures of an attack will help in defending against targeted attacks:

• Information such as the domain names and IP addresses used by attackers to send spear-phishing emails or to host their command and control servers must be properly recorded and updated from time to time.
• Detection and monitoring of the suspicious behaviour that indicates a targeted attack should be based on the following: logs from endpoints, servers and network monitoring should be carefully studied and can be aggregated to provide a view of activity within the organization that can be processed for anomalous behaviour indicating a targeted malware attack.
• To maintain persistence, malware makes modifications to the file system and registry. Monitoring such changes can indicate the presence of malware.
• Security analysts with access to real-time views of the security posture of their organization should be in place to detect, analyze and remediate targeted attacks.
• Education and training programs, combined with explicit policies and procedures that provide avenues for reporting and a clear understanding of roles and responsibilities, are an essential component of defence.
• Sensitive information is stored not only in databases but also in the cloud, and is accessible through a variety of means including mobile devices. While securing the network layer is an important component, it is also critically important to protect the data itself. Identifying and classifying sensitive data allows the introduction of access controls and enhanced monitoring and logging technologies that can alert defenders to attempts to access or transport sensitive data [46].

5 Conclusion

Targeted attacks are high-priority threats which are difficult to defend against. Such attacks use social engineering and malware which exploit vulnerabilities in software to penetrate traditional defences. They are often seen as isolated events, but they are parts of a larger campaign, or of a series of failed and successful intrusions. After getting inside the network, the attackers move laterally to locate and target sensitive information for exfiltration. Defensive strategies can be greatly improved by understanding how targeted attacks work, their trends, and the tools, tactics and procedures they use. As these attacks focus on the acquisition of sensitive data, defence should focus on protecting the data itself, wherever it resides. By effectively using threat intelligence derived from external and internal sources, combined with context-aware data protection and security tools that empower and inform human analysts, organizations are better positioned to detect and mitigate targeted attacks.
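Section 4 asks for two things that can be done over the same resolver logs: matching queries against the recorded indicator list, and looking for anomalous behaviour. The anomaly worth hunting for here is the one section 3.4 describes, a dynamic-DNS name that points at localhost or another non-routable address while the RAT operator is offline and at a public address when they return. The following is an added example, not code from the paper, that does both over constructed log lines; the log format, the indicator list and the dynamic-DNS suffix list are assumptions for the example, and the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses, so they are treated as routable here.

```python
"""Hunt DNS logs for recorded indicators and the offline/online DDNS pattern.

Added example for sections 3.4 and 4; not code from the paper. The log line
format, KNOWN_C2 and DDNS_SUFFIXES are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Constructed indicator list, the kind of record section 4 says must be kept.
KNOWN_C2 = {"cdn-update.example.net", "198.51.100.23"}
# Assumed free dynamic-DNS suffixes; extend from your own threat intelligence.
DDNS_SUFFIXES = (".no-ip.org", ".myftp.org", ".dyndns.org", ".3322.org", ".8866.org")

# Ranges an offline DDNS name gets parked on, plus other non-routable space.
# RFC 5737 documentation ranges are deliberately *not* listed so the constructed
# sample below can use them as stand-ins for public addresses.
_NONROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$")


def parse_dns_log(text: str) -> list[dict]:
    """Parse constructed resolver log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        if m := LINE.match(line.strip()):
            events.append(m.groupdict())
    return events


def is_routable(ip: str) -> bool:
    """True for an address a real C2 server could sit on; loopback, RFC 1918,
    link-local, unspecified, multicast and reserved space return False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version == 6:
        return not (addr.is_loopback or addr.is_private or addr.is_link_local
                    or addr.is_unspecified or addr.is_multicast or addr.is_reserved)
    return not any(addr in net for net in _NONROUTABLE)


def hunt(events: list[dict]) -> list[dict]:
    """Return alerts: indicator hits per event, and one ddns-flip alert per domain
    that was seen resolving to both non-routable and routable addresses."""
    alerts = []
    answers: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    for e in events:
        qname = e["qname"].lower().rstrip(".")
        if qname in KNOWN_C2 or e["answer"] in KNOWN_C2:
            alerts.append({"rule": "known-indicator", "qname": qname,
                           "host": e["host"], "ts": e["ts"]})
        answers[qname].append((e["ts"], e["host"], e["answer"]))
    for qname, seen in answers.items():
        ips = {a for _, _, a in seen}
        unroutable = {a for a in ips if not is_routable(a)}
        routable = ips - unroutable
        if unroutable and routable:
            alerts.append({
                "rule": "ddns-flip",
                "qname": qname,
                "hosts": sorted({h for _, h, _ in seen}),   # every host that asked
                "offline_answers": sorted(unroutable),
                "online_answers": sorted(routable),
                "ddns_provider": qname.endswith(DDNS_SUFFIXES),
            })
    return alerts


# Constructed sample: one workstation beacons to a DDNS name parked on
# 127.0.0.1 until the operator comes online in the evening; a second host
# then resolves the same name, and another queries a recorded indicator.
DNS_LOG = """\
2013-09-12T08:01:22 host=ws-114 query=www.example.com answer=203.0.113.10
2013-09-12T08:03:41 host=ws-114 query=sync.myftp.org answer=127.0.0.1
2013-09-12T12:15:03 host=ws-114 query=sync.myftp.org answer=127.0.0.1
2013-09-12T21:40:19 host=ws-114 query=sync.myftp.org answer=198.51.100.77
2013-09-13T09:02:55 host=ws-207 query=sync.myftp.org answer=198.51.100.77
2013-09-13T09:10:00 host=ws-207 query=cdn-update.example.net answer=203.0.113.44
2013-09-13T10:00:00 host=ws-031 query=intranet.corp.local answer=10.0.4.12
this line is malformed and must be ignored
"""

if __name__ == "__main__":
    for alert in hunt(parse_dns_log(DNS_LOG)):
        print(alert)
```

Internal names that only ever resolve to private space (intranet.corp.local above) do not trigger the flip rule, and neither does a public name with stable answers; the signal is the change between the two classes. In production the "hosts" field is the triage list: every machine that asked for the flipping name is a candidate RAT victim, not just the one that asked first.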
References

[1] Myla Pilao, "Divergence of Cyberattacks: A Look into the Cybercriminal Underground", Trend Micro.
[2] Annual Report 2013, CERT-In.
[3] http://googleblog.blogspot.com/2010/01/new-approachto-china.html
[4] www.cbc.ca/news/technology/story/2011/02/17/cyberattacks-harper142.html
[5] www.computerworld.com/s/article/9213741/French_govt_gives_more_details_of_hack_150_PCs_compromised
[6] www.rsa.com/node.aspx?id=3872; www.comodo.com/Comodo-Fraud-Incident2011-03-23.html
[7] www.wired.com/threatlevel/2011/04/oak-ridge-lab-hack/; www.reuters.com/article/2011/07/06/us-energylab-hackersidUSTRE7654GA20110706
[8] http://cablesearch.org/cable/view.php?id=08STATE116943
[9] www.threatchaos.com/home-mainmenu-1/16-blog/571strategic-industries-should-go-on-high-alert
[10] www.time.com/time/printout/0,8816,1098961,00.html
[11] www.nytimes.com/2007/12/09/us/nationalspecial3/09hack.html?ref=technology
[12] www.businessweek.com/print/magazine/content/08_16/b4080032218430.htm
[13] http://events.ccc.de/congress/2007/Fahrplan/attachments/1008_Crouching_Powerpoint_Hidden_Trojan_24C3.pdf
[14] http://isc.sans.org/presentations/SANSFIRE2008Is_Troy_Burning_Vanhorenbeeck.pdf
[15] http://isc.sans.edu/diary.html?storyid=4177
[16] www.nytimes.com/2009/03/29/technology/29spy.html; www.nartv.org/mirror/ghostnet.pdf
[17] http://threatinfo.trendmicro.com/vinfo/web_attacks/Stuxnet Malware Targeting SCADA Systems.html
[18] www.symantec.com/connect/blogs/stuxnet-breakthrough
[19] http://threatpost.com/en_us/blogs/report-iran-resortsrip-and-replace-kill-stuxnet-072211
[20] Cybercrime: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/wp04_cybercrime_1003017us.pdf
[21] Zeus: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
[22] FAKEAV: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/unmasking_fakeav__june_2010_.pdf
[23] http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/
[24] http://computer-forensics.sans.org/blog/2010/06/21/security-intelligence-knowing-enemy
[25] www.rsa.com/innovation/docs/SBIC_RPT_0711.pdf
[26] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_trends-in-targeted-attacks.pdf
[27] www.nartv.org/mirror/shadows-in-the-cloud.pdf
[28] http://portal.acm.org/citation.cfm?id=1290958.1290968&coll=GUIDE&dl=GUIDE&CFID=74760848&CFTOKEN=96817982
[29] www.computerworld.com/s/article/print/9015092/White_House_use_of_outside_e_mail_raises_red_flags?taxonomyName=IT+in+Government&taxonomyId=13
[30] www.computerworld.com/s/article/print/9114934/Update_Hackers_claim_to_break_into_Palin_s_Yahoo_Mail_account?taxonomyName=Networking&taxonomyId=16
[31] www.nartv.org/2010/09/09/crime-or-espionage-part-2/
[32] http://blog.trendmicro.com/how-sophisticated-aretargeted-malware-attacks/
[33] www.nartv.org/2010/03/07/malware-attacks-on-solidoak-after-dispute-with-greendam/
[34] www.nartv.org/2010/07/29/human-rights-and-malwareattacks/
[35] www.nytimes.com/2010/04/20/technology/20google.html
[36] http://blogs.aljazeera.net/asia/2011/03/23/china-andgoogle-detailed-look
[37] http://contagiodump.blogspot.com/2011/03/cve-20110609-adobe-flash-player.html
[38] http://blog.trendmicro.com/targeted-attack-exposes-riskof-checking-personal-webmail-at-work/
[39] http://googleonlinesecurity.blogspot.com/2011/03/mhtmlvulnerability-under-active.html
[40] http://blog.trendmicro.com/trend-micro-researchersidentify-vulnerability-in-hotmail
[41] www.nartv.org/2010/10/22/command-and-control-inthe-cloud/
[42] http://blog.zeltser.com/post/7010401548/botscommand-and-control-via-social-media
[43] www.mandiant.com/products/services/m-trends/
[44] www.nartv.org/mirror/shadows-in-the-cloud.pdf
[45] http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/datalossprevention/esg_outsidein_approach.pdf
[46] http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/leakproof/wp01_leakproof_dlp_100105us.pdf

Acknowledgements

We sincerely thank and acknowledge CERT-In, and the guidance and support of Ms Myla Pilao, Director, TrendLabs, Trend Micro. The authors are highly thankful to them, as the present review and study paper is largely based upon their reports, white papers and publications, without which this paper would not have been possible.

Authors' Profile

Alok Pandey is Senior Systems Manager at B.I.T. (Mesra), Jaipur Campus. His qualifications include B.E. (EEE) and MBA. He is also MCSE, CCNA, RHCE and IBM Certified E-Commerce, and holds a diploma in Cyber Law. He has about 15 years of networking and system administration experience. He teaches subjects like Data Communication & Computer Networks and Network Security. He is also a member of IAENG and ISOC. His research interests include network security and computer networks.

Dr Jatinderkumar R Saini holds a Ph.D. from Veer Narmad South Gujarat University, Surat, Gujarat, India. He secured first rank in all three years of his MCA in college and was awarded gold medals for this. He is also a recipient of a silver medal for B.Sc. (Computer Science). He is an IBM Certified Data Associate (DB2) as well as an IBM Certified Associate Developer (RAD). He has presented 14 papers in international and national conferences supported by agencies like IEEE, AICTE, IETE, ISTE, INNS etc. One of his papers has also won a 'Best Paper Award'. 9 of his papers have been accepted for publication at the international level and 13 at the national level. He is chairman of many academic committees. He is also a member of numerous national and international professional bodies and scientific research academies and organizations.

Posted: 30/01/2020, 12:59
