25UG-PCC-CS301: FOUNDATION OF CYBER SECURITY
Unit-II
Cyber Threats & Attacks
Content: Malware types: Virus, Worms, Trojans, Ransomware, Spyware,
Phishing, Pharming, and Social Engineering attacks, Denial of Service
(DoS) and Distributed DoS (DDoS), Man-in-the-Middle (MitM) attacks,
SQL Injection, Cross-site scripting (XSS), Case studies of real-world cyber-attacks.
✅ Study Notes: Malware Type – Virus
🔐 1. Introduction to Malware
Malware (short for Malicious Software) is any program or code intentionally designed to
harm, exploit, or disable computers, systems, networks, or devices.
📌 One of the most common and earliest types of malware is the Virus.
2. What is a Computer Virus?
A computer virus is a type of malware that attaches itself to legitimate programs or files
and spreads to other programs or systems when executed.
Like a biological virus, a computer virus:
Needs a host to replicate
Spreads when the host file is opened or run
Can cause data corruption, system crashes, or unauthorized access
3. Key Characteristics of a Virus
Characteristic | Description
Replication | Virus copies itself to other programs or files
Activation Trigger | Some viruses activate under specific conditions (e.g., on a date)
Payload Delivery | Can delete files, corrupt data, display messages, or steal info
Requires Execution | Needs the user to run the infected file to spread
DR. S. S. BORCHATE (TKIET) 1
📂 4. Types of Computer Viruses
Type | Description | Example
File Infector Virus | Attaches to executable files like .exe, .com, .dll | CIH virus
Boot Sector Virus | Infects the master boot record (MBR) of storage devices | Michelangelo, Stone virus
Macro Virus | Written in macro languages, spreads via documents (e.g., MS Word, Excel) | Melissa, Concept virus
Polymorphic Virus | Changes its code to avoid detection by antivirus software | Storm Worm
Resident Virus | Hides in system memory and infects files even if host program is closed | Randex, CMJ
Multipartite Virus | Infects multiple parts – boot sector + executable files | Invader, Tequila virus
💻 5. How a Virus Spreads
1. User downloads or opens an infected file
2. Virus activates and replicates, embedding itself in system files
3. It may remain dormant until triggered or immediately start harming
4. Spreads to other systems via USBs, email attachments, network sharing
🛑 6. Effects and Damage Caused by Viruses
Slows down system performance
Corrupts or deletes files
Steals sensitive data
Disables software or OS features
Displays unwanted messages
Crashes the entire system
7. Prevention and Protection Against Viruses
Strategy | Tools/Actions
Use Antivirus Software | Norton, McAfee, Bitdefender, Windows Defender
Keep OS and Software Updated | Patch known vulnerabilities regularly
Avoid Suspicious Emails | Don’t click unknown links or open attachments
Disable Macros by Default | Prevent macro viruses in documents
Backup Regularly | Recover data in case of infection
Use Firewalls | Block unauthorized connections
Scan External Devices | Check USBs and external HDDs before opening
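Antivirus tools in the table above are signature-based. A complementary control that catches the defining behaviour of a file infector (it modifies other executables when it replicates) is an integrity baseline: hash every program file once, then compare later. The following is an added example written for these notes, not code from the course or any antivirus product; the directory layout, the file contents and the simulated "infection" (inert bytes appended to one file) are constructed sample data.

```python
"""Integrity baseline for detecting file-infector activity.

Added example (not from the lecture notes): a tiny tripwire-style check.
A file-infector virus replicates by modifying executables, so the
cheapest signature-free detection is a hash baseline compared later.
Directory layout and file contents below are constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed 'program directory', take a baseline, then simulate
    a file infector appending itself to one executable and dropping a copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"\x00" * 100)  # constructed "program"
        (root / "bin" / "viewer.exe").write_bytes(b"MZ" + b"\x01" * 100)
        (root / "readme.txt").write_text("clean system\n")

        baseline = build_baseline(root)

        # Simulated infection: infector appends to one host file and writes a copy.
        with (root / "bin" / "editor.exe").open("ab") as f:
            f.write(b"<simulated infector code>")  # constructed, inert bytes
        (root / "bin" / "helper.exe").write_bytes(b"MZ<simulated copy>")

        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored somewhere the malware cannot rewrite (read-only media or a remote host), otherwise a virus that gains write access to the program directory can simply refresh the hashes.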
📊 8. Real-World Virus Examples
Virus Name | Description | Impact
ILOVEYOU | Email-based VBScript virus in 2000 | Caused $10 billion in damage worldwide
Melissa Virus | Macro virus spread via MS Word documents in 1999 | Slowed down email servers globally
Stuxnet | Sophisticated virus targeting industrial control systems | Affected Iran’s nuclear program
🔄 9. Lifecycle of a Virus (Simplified)
1. Creation – Written by malware author
2. Delivery – Through downloads, USB, emails, etc.
3. Execution – User unknowingly runs infected file
4. Replication – Virus spreads to other files/systems
5. Payload Execution – Virus performs malicious activity
6. Detection/Removal – Antivirus detects and removes it (if possible)
🎯 10. Key Takeaways
A virus is a self-replicating malware that requires user action to spread.
It can infect program files, documents, or even system memory.
Regular updates, user awareness, and antivirus tools are critical to protect systems from viruses.
❓ 11. Quick Quiz / Questions for Students
1. What is the difference between a virus and a worm?
2. What is a macro virus, and how does it spread?
3. Name two viruses and their effects on systems.
4. Why does a virus require a host program?
5. How can an engineer prevent virus attacks on an enterprise system?
👨🏫 12. Teaching Tips
Show a visual flowchart: How a virus spreads
Include a live demo (in a controlled virtual machine) of how viruses affect files
Use case studies (e.g., ILOVEYOU virus incident)
Introduce basic disinfection techniques with antivirus software
✅ Study Notes: Malware Type – Worms
🐛 1. What is a Worm?
A worm is a type of malware that replicates and spreads itself independently, without
requiring a host program or user action.
Unlike viruses, which need to be attached to a file and activated by the user, worms are self-contained and can spread across networks automatically.
🔍 2. Key Characteristics of Worms
Feature | Description
Self-replicating | Can duplicate itself without any user intervention.
Standalone program | Does not need a host file to attach to.
Spreads via networks | Uses network protocols to move from one system to another.
Consumes bandwidth | Generates a large amount of network traffic.
Payload optional | Some worms may not be destructive but still cause resource drain.
📊 3. How Worms Work (Step-by-Step)
1. Find a vulnerability in a system or network (e.g., unpatched OS).
2. Exploit the vulnerability to install itself.
3. Scan other devices on the same network or internet.
4. Replicate itself to those systems automatically.
5. May deliver payloads (e.g., data deletion, ransomware, backdoors).
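Step 3 above, scanning other devices, is the part of a worm's lifecycle that is visible from the network: one source opens connections to many distinct hosts on the same service port within seconds. The detector below is an added example written for these notes, not code from the course or any product; the log lines are constructed, and their "timestamp src dst port" layout is an assumed format rather than any real firewall's.

```python
"""Detect worm-like scanning fan-out in connection logs.

Added example (not from the lecture notes). A single source touching many
distinct internal hosts on one port inside a short window is the side
effect of worm propagation that a defender can alert on. Log lines below
are constructed sample data in an assumed 'timestamp src dst port' format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.7 sweeps port 445 across the subnet in seconds,
# while 10.0.0.5 behaves like a normal workstation talking to one server.
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.0.5 10.0.0.20 443
2024-01-01T09:00:05 10.0.0.7 10.0.0.21 445
2024-01-01T09:00:06 10.0.0.7 10.0.0.22 445
2024-01-01T09:00:07 10.0.0.7 10.0.0.23 445
2024-01-01T09:00:08 10.0.0.7 10.0.0.24 445
2024-01-01T09:00:09 10.0.0.7 10.0.0.25 445
2024-01-01T09:00:10 10.0.0.7 10.0.0.26 445
2024-01-01T09:00:12 10.0.0.5 10.0.0.20 443
2024-01-01T09:05:00 10.0.0.7 10.0.0.27 445
"""


def parse_log(text: str):
    """Yield (timestamp, src, dst, port) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(text: str, window: timedelta = timedelta(seconds=60), threshold: int = 5):
    """Return {src: (port, distinct_dst_count)} for sources that contacted at
    least `threshold` distinct destinations on one port within `window`.
    Uses a sliding window per (src, port) over timestamp-ordered events."""
    events = sorted(parse_log(text))
    per_key = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for ts, src, dst, port in events:
        per_key[(src, port)].append((ts, dst))

    alerts = {}
    for (src, port), hits in per_key.items():
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                prev = alerts.get(src, (port, 0))[1]
                alerts[src] = (port, max(prev, len(distinct)))
    return alerts


if __name__ == "__main__":
    for src, (port, n) in find_scanners(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {n} distinct hosts on port {port} within 60s")
```

Tune `threshold` and `window` to the environment: a vulnerability scanner or a backup server will trip the same rule and should be allow-listed rather than raising the threshold for everyone.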
🔗 4. Worm vs. Virus – Key Differences
Criteria | Worm | Virus
Host needed? | ❌ No | ✅ Yes
Spreads via | Network, email, systems | Infected files or applications
User action? | ❌ Not required | ✅ Required
Speed of spread | ⚡ Fast | 🐢 Slower
Damage caused | Network overload, payloads | File corruption, data loss
5. Famous Worm Attacks
Worm Name | Year | Description | Impact
Morris Worm | 1988 | First internet worm; slowed down early internet | Infected 6,000+ UNIX systems
ILOVEYOU | 2000 | Spread via email attachment as a love letter | $10B+ damage worldwide
Code Red | 2001 | Exploited Windows IIS server vulnerability | 359,000 systems infected
Blaster Worm | 2003 | Targeted Windows XP and 2000 systems | Slowed down internet
WannaCry | 2017 | Spread ransomware using SMB vulnerability in Windows | Affected hospitals, banks, etc.
🌐 6. How Worms Spread
📡 Propagation Methods:
Email Attachments
Instant Messaging Links
Network File Sharing
USB Devices
Exploiting open network ports
Operating System Vulnerabilities
7. Prevention Strategies
Best Practice | Description
🔄 Keep systems updated | Patch known vulnerabilities.
🔐 Use firewalls | Block unauthorized traffic.
🛡️ Install antivirus/antimalware | Detect and remove worms.
📥 Be cautious with email attachments | Don't open suspicious files.
💼 Use least privilege principle | Limit user permissions.
🌐 Network segmentation | Isolate critical systems.
⚠️ 8. Effects of Worm Infections
Network congestion or failure
Slowing down or crashing systems
File corruption or deletion
Opening backdoors for other malware
Unauthorized access to data
Ransomware payload delivery
🎯 9. Key Takeaways
A worm is a dangerous, self-replicating program that spreads without human interaction.
It can infect thousands of systems in minutes.
Early detection, regular updates, and network monitoring are essential for protection.
❓ 10. Quiz / Class Discussion Questions
1. What makes a worm more dangerous than a virus?
2. How did the Morris Worm impact the early internet?
3. What steps can you take to protect a network from worm attacks?
4. Can worms exist without delivering a malicious payload?
5. Differentiate between email-based worms and network-based worms.
👨🏫 11. Teaching Tips
Use animated flowcharts to show how worms propagate.
Demonstrate a simulated worm attack in a sandbox or virtual environment.
Use case studies like WannaCry for real-world context.
Discuss patch management and how delays contribute to worm success.
✅ Study Notes: Malware Type – Trojans
🐴 1. What is a Trojan?
A Trojan Horse (Trojan) is a type of malware disguised as legitimate software.
It tricks users into installing it, often appearing harmless (e.g., a free game, utility, or attachment).
Unlike worms and viruses, a Trojan cannot self-replicate but relies on social engineering to spread.
🔍 2. Key Characteristics of Trojans
Feature | Description
Disguised software | Pretends to be useful/legit but hides malicious code.
No self-replication | Needs user to install/run it.
Payload delivery | Opens backdoors, steals data, installs more malware.
User deception | Relies on tricking users (phishing emails, fake apps).
Stealthy | Works silently without alerting the victim.
📊 3. How Trojans Work (Step-by-Step)
1. Delivery → Trojan is delivered via email, malicious website, fake app, or USB.
2. Installation → User downloads/executes the software believing it is safe.
3. Execution → Malicious code runs in the background, hidden from the user.
4. Payload Activation → Opens backdoor, keylogger, ransomware, or system control.
5. Exfiltration/Control → Attacker gains remote access or steals sensitive data.
4. Types of Trojans
Trojan Type | Description | Example Impact
Backdoor Trojan | Opens remote access for hackers. | Unauthorized control of system.
Banking Trojan | Targets online banking credentials. | Theft of money/accounts.
Downloader Trojan | Installs additional malware. | Downloading ransomware/spyware.
Spy Trojan | Monitors user activities (keylogging, screenshots). | Credential theft.
Rootkit Trojan | Hides malicious files/processes. | Makes malware undetectable.
Ransom Trojan | Encrypts files and demands ransom. | Data loss until ransom paid.
Fake AV Trojan | Pretends to be antivirus, but installs malware. | User pays for fake protection.
Game Trojan | Targets gamers to steal in-game accounts. | Virtual asset theft.
5. Trojan vs. Virus vs. Worm
Criteria | Trojan | Virus | Worm
Self-replication | ❌ No | ✅ Yes (needs host file) | ✅ Yes (standalone)
Spreads via | User deception, downloads | Infected files | Networks, vulnerabilities
Requires user action | ✅ Yes | ✅ Yes | ❌ No
Main purpose | Deception & backdoor control | File corruption | Fast spreading infection
6. Famous Trojan Attacks
Trojan Name | Year | Description | Impact
Zeus Trojan | 2007 | Banking Trojan stealing credentials. | Stole millions from bank accounts.
Emotet | 2014 | Trojan downloader spreading ransomware. | Global banking & government breaches.
RATs (Remote Access Trojans) | Ongoing | Gives hackers full control of victim system. | Corporate & personal spying.
FakeAV Trojans | 2010s | Pretended to be antivirus. | Millions tricked into paying.
⚠️ 7. Effects of Trojan Infection
Data theft (passwords, bank accounts, personal files).
Remote access for hackers (RATs).
Installation of more malware (worms, ransomware).
Disabling of security software.
Financial fraud & identity theft.
System slowdown or crashes.
8. Prevention Strategies
Best Practice | Description
🛡️ Use trusted software only | Download from official websites/app stores.
📧 Beware of phishing | Don’t open suspicious email attachments/links.
🔄 Update OS & applications | Patch vulnerabilities regularly.
🔐 Use strong endpoint security | Antivirus, firewalls, intrusion detection.
👤 Educate users | Awareness about social engineering attacks.
🌐 Network monitoring | Detect unusual outbound connections.
🎯 9. Key Takeaways
A Trojan is malware in disguise, dependent on social engineering.
Unlike viruses/worms, it does not replicate but is equally or more dangerous.
Trojans often serve as gateways for ransomware, spyware, or remote hacking.
User awareness + security practices are the best defense.
❓ 10. Quiz / Class Discussion Questions
1. Why is a Trojan named after the “Trojan Horse” from Greek mythology?
2. How is a Trojan different from a worm?
3. What is the role of social engineering in Trojan attacks?
4. Give examples of how Trojans can be disguised.
5. How can users protect themselves against banking Trojans?
👨🏫 11. Teaching Tips
Use a Trojan Horse diagram (good-looking exterior with malicious interior).
Show a real-world case study like Zeus or Emotet.
Create a classroom demo of fake software installation in a virtual lab.
Emphasize social engineering tricks (pop-ups, fake software, phishing).
🔐 Study Notes: Malware – Ransomware
1. What is Ransomware?
Definition:
Ransomware is a type of malware that encrypts files or systems, or locks users out of devices, and then demands a ransom payment (usually in cryptocurrency) to restore access.
Key Idea: “Your data is locked until you pay us.”
It is one of the most profitable and dangerous cyber threats.
🔍 2. Key Characteristics of Ransomware
Feature | Description
Encryption-based attack | Uses strong cryptography to lock files or systems.
Ransom demand | Attacker demands payment (Bitcoin, Monero).
Extortion tactics | Threatens to delete or leak stolen data if unpaid.
Targets individuals & organizations | Especially hospitals, banks, government, corporates.
Spreads through phishing & exploits | Email attachments, malicious downloads, unpatched systems.
📊 3. How Ransomware Works (Attack Lifecycle)
1. Infection / Delivery
o Phishing emails with attachments
o Malicious downloads
o Exploiting vulnerabilities
o Drive-by downloads from compromised websites
2. Execution
o Malware installs itself on the victim system.
o Starts encrypting important files (documents, databases, servers).
3. Encryption
o Uses advanced algorithms (AES, RSA).
o Generates a unique encryption key per victim.
4. Ransom Demand
o Ransom note displayed on screen.
o Instructions for payment in cryptocurrency.
5. (Optional) Double / Triple Extortion
o Data stolen before encryption.
o Threatens to leak or sell data if ransom not paid.
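Step 3 of the lifecycle, encryption with AES or RSA, leaves a measurable trace a defender can use: ciphertext is statistically close to random, so its byte entropy approaches 8 bits per byte, while documents and source code sit far lower. The following is an added example written for these notes, not code from the course or any EDR product. The sample files are constructed in memory, and the "encrypted" ones are pseudo-random bytes derived from SHA-256, an assumption standing in for real ciphertext, which shares the same statistical property.

```python
"""Entropy heuristic for spotting freshly encrypted files.

Added example (not from the lecture notes). High byte entropy plus a
ransomware-style extension are the two cheapest indicators that a file has
just been encrypted. Sample files are constructed; pseudo_ciphertext() is a
deterministic stand-in for real ciphertext.
"""
import hashlib
import math
from collections import Counter

SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc"}  # constructed watchlist


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty data, at most 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """Flag a file when its entropy is ciphertext-like or its extension is on
    the watchlist. Compressed archives and images are also high-entropy, so
    on real data this is a triage signal, not proof of ransomware."""
    suffix = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return shannon_entropy(data) >= threshold or suffix in SUSPICIOUS_SUFFIXES


def pseudo_ciphertext(length: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes: a chain of SHA-256 digests."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def scan(files: dict[str, bytes]) -> list[str]:
    """Return the names of files that look encrypted, in the order given."""
    return [name for name, data in files.items() if looks_encrypted(name, data)]


def sample_files() -> dict[str, bytes]:
    """Constructed corpus: two clean files, one encrypted file with a renamed
    extension, and one encrypted in place with its original name kept."""
    report = ("Quarterly report: revenue grew 4% while costs stayed flat.\n" * 40).encode()
    script = ("def total(xs):\n    return sum(xs)\n" * 60).encode()
    return {
        "report.docx": report,
        "totals.py": script,
        "report.docx.locked": pseudo_ciphertext(4096),
        "budget.xlsx": pseudo_ciphertext(4096),  # encrypted in place, name unchanged
    }


if __name__ == "__main__":
    files = sample_files()
    for name in scan(files):
        print(f"SUSPICIOUS: {name} (entropy={shannon_entropy(files[name]):.2f})")
```

The second encrypted sample keeps its original name on purpose: several ransomware families do not rename files, so an extension-only check misses them while the entropy check still fires. In practice the signal is combined with a rate check (many files rewritten by one process in a short time) before a host is isolated.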
4. Types of Ransomware
Type | Description | Example
Crypto-Ransomware | Encrypts files & demands payment. | WannaCry, CryptoLocker
Locker Ransomware | Locks the system/device, blocking access. | Police Locker Ransomware
Scareware | Fake warnings that demand money. | Fake AV ransomware
Doxware / Leakware | Threatens to publish stolen data. | Maze Ransomware
Ransomware-as-a-Service (RaaS) | Cybercriminals “rent” ransomware kits on dark web. | REvil, DarkSide
Mobile Ransomware | Locks Android / iOS devices. | Koler, Svpeng
⚔️ 5. Famous Ransomware Attacks
Attack | Year | Impact
WannaCry | 2017 | Affected 200,000+ systems in 150 countries, exploiting Windows vulnerability.
Petya / NotPetya | 2017 | Masqueraded as ransomware but acted as destructive wiper malware.
Ryuk | 2018 | Targeted hospitals, municipalities; demanded high ransoms.
Maze | 2019 | Introduced “double extortion” – encrypt + leak data.
Colonial Pipeline Attack | 2021 | DarkSide ransomware disrupted U.S. fuel supply chain.
⚠️ 6. Effects of Ransomware
Financial losses (ransom payment + recovery costs).
Business downtime & productivity loss.
Data theft & potential public leaks.
Reputation damage for organizations.
Legal penalties (data privacy laws).
In critical sectors (healthcare, energy) → life-threatening consequences.
7. Prevention Strategies
Strategy | Explanation
Regular backups | Keep offline & cloud backups; test restoration process.
Patch management | Update OS & software regularly to fix vulnerabilities.
Email security | Use spam filters, scan attachments.
Zero Trust security model | Restrict user privileges, segment networks.
Awareness training | Teach employees to recognize phishing & suspicious links.
Endpoint protection | Antivirus, EDR, intrusion detection systems.
Multi-factor authentication (MFA) | Reduce credential theft risks.
🛠️ 8. Response to Ransomware Attack
1. Isolate affected systems immediately.
2. Do not pay ransom (encourages attackers & no guarantee of data return).
3. Report to law enforcement agencies.
4. Restore data from clean backups.
5. Forensic investigation to identify attack vector.
6. Strengthen security to prevent recurrence.
🎯 9. Key Takeaways
Ransomware is malware that locks files or systems and demands money.
It has evolved into double and triple extortion models.
WannaCry & Colonial Pipeline attacks show its global impact.
Backups, patches, awareness, and Zero Trust models are the best defenses.
❓ 10. Quiz / Discussion Questions
1. How does ransomware differ from Trojans and worms?
2. What is “double extortion” in ransomware attacks?
3. Why do attackers demand cryptocurrency payments?
4. What lessons were learned from the WannaCry attack?
5. If your company is hit by ransomware, what immediate steps should you take?
👨🏫 11. Teaching Tips
Use real-world case studies (WannaCry, Colonial Pipeline).
Show a ransom note screenshot for impact.
Create a flowchart of ransomware lifecycle for clarity.
Discuss ethical dilemma: Should organizations pay ransom or not?
🕵️ Study Notes: Malware Type – Spyware
1. What is Spyware?
Definition:
Spyware is malicious software designed to secretly monitor, collect, and transmit user data without their knowledge or consent.
It spies on user behavior, keystrokes, browsing habits, login credentials, banking info, and personal files.
Unlike ransomware (which locks) or worms (which spread), spyware operates silently in the background.
🔍 2. Key Characteristics of Spyware
Feature | Description
Stealthy operation | Runs in the background, hard to detect.
Data collection | Captures keystrokes, screenshots, browsing history, passwords.
System slowdown | Consumes CPU/memory resources.
Persistence | Often hides in system files or registry.
User unawareness | Victims usually don’t realize they’re infected.
📊 3. How Spyware Works (Infection Lifecycle)
1. Delivery / Infection
o Bundled with free software (freeware, shareware).
o Malicious email attachments.
o Exploiting vulnerabilities.
o Drive-by downloads from infected websites.
2. Installation
o Installs secretly without permission.
o Modifies registry entries for persistence.
3. Monitoring
o Captures keystrokes (keyloggers).
o Records browsing history.
o Takes screenshots or activates webcam/microphone.
4. Exfiltration
o Sends stolen information to attacker’s server.
4. Types of Spyware
Type | Description | Example
Keyloggers | Records every keystroke typed. | Zeus Trojan keylogger
Password stealers | Steal credentials (emails, banking, social media). | TrickBot
Banking Trojans | Intercept financial transactions. | Emotet
Infostealers | Collect general personal & system information. | RedLine Stealer
Adware (spyware-like) | Tracks browsing behavior to display targeted ads. | Gator / GAIN
Tracking cookies | Legitimate but sometimes misused to spy on browsing habits. | Persistent HTTP cookies
⚔️ 5. Famous Spyware Incidents
Incident | Year | Impact
CoolWebSearch | Early 2000s | Hijacked browsers, redirected to malicious websites.
FinFisher (Govt spyware) | 2011+ | Sold to governments for surveillance.
Pegasus Spyware (NSO Group) | 2016 to 2021 | Used to spy on journalists, activists via phone exploits.
DarkHotel Campaign | 2014 | Targeted business travelers through hotel Wi-Fi spyware.
⚠️ 6. Effects of Spyware
Theft of sensitive data (passwords, credit cards, bank logins).
Financial fraud & identity theft.
Corporate espionage → loss of intellectual property.
Privacy invasion (monitoring personal life, chats, calls).
System slowdown & instability.
Loss of trust in digital systems.
🛠️ 7. Response to Spyware Infection
1. Detect & Remove using anti-spyware / antivirus.
2. Disconnect from internet to stop data transmission.
3. Change all passwords from a clean device.
4. Update software to patch vulnerabilities.
5. Reinstall OS (if needed) for severe infections.
6. Audit permissions on apps, extensions, and software.
8. Prevention Strategies
Strategy | Explanation
Install legitimate software only | Avoid pirated or cracked software.
Use anti-spyware tools | Windows Defender, Malwarebytes, Spybot Search & Destroy.
Keep OS & applications updated | Prevent exploitation of known vulnerabilities.
Browser security | Block pop-ups, disable suspicious extensions.
Network monitoring | Detect abnormal outbound traffic.
User awareness | Do not click suspicious links or attachments.
Mobile app permissions | Check permissions before installing apps.
🎯 9. Key Takeaways
Spyware = silent data thief that monitors and transmits user activities.
Types include keyloggers, password stealers, banking Trojans, adware.
Pegasus spyware case shows real-world political & ethical concerns.
Prevention relies on security awareness, software hygiene, and strong endpoint protection.
❓ 10. Quiz / Discussion Questions
1. How does spyware differ from a Trojan?
2. Why is spyware often harder to detect than viruses?
3. What was the significance of the Pegasus spyware case?
4. How can browser extensions act as spyware?
5. Should governments be allowed to use spyware for surveillance? Discuss ethical aspects.
👨🏫 11. Teaching Tips
Show diagram of spyware infection lifecycle (delivery → monitoring → exfiltration).
Discuss Pegasus spyware as a real-world case study.
Do a live demo with a safe keylogger simulation in lab to show how keystrokes can be captured.
Contrast spyware with ransomware and Trojans for clarity.
🎣 Study Notes: Malware Type – Phishing
1. What is Phishing?
Definition:
Phishing is a social engineering attack where attackers deceive users into revealing sensitive information (e.g., usernames, passwords, credit card details) by pretending to be a trusted entity.
Usually carried out through emails, websites, SMS, phone calls, or social media messages.
Goal: Steal personal data, spread malware, or gain unauthorized access.
🔍 2. Key Characteristics of Phishing
Feature | Description
Deceptive communication | Fake emails, websites, or messages resembling trusted organizations.
Urgency & fear tactics | “Your account will be suspended!”
Impersonation | Banks, e-commerce sites, government agencies.
Data theft | Credentials, credit card details, identity info.
Wide reach | Targets millions via mass emails (“phishing campaigns”).
📊 3. How Phishing Works (Attack Lifecycle)
1. Baiting / Lure
o Victim receives a fraudulent message (email, SMS, social media).
o Message looks official with logos, sender spoofing, urgent tone.
2. Hook
o Victim clicks on malicious link or opens an infected attachment.
3. Credential Harvesting / Malware Delivery
o Redirects to fake login page → victim enters credentials.
o OR malware is installed silently.
4. Exploitation
o Attackers use stolen information for fraud, identity theft, account takeover,
or financial theft.
4. Types of Phishing
Type | Description | Example
Email Phishing | Mass emails with fake links/attachments. | “Reset your bank password here.”
Spear Phishing | Targeted phishing aimed at specific individuals/organizations. | CFO receiving fake invoice.
Whaling | Attacks targeting top executives (“big fish”). | Fake CEO email ordering wire transfer.
Smishing | Phishing via SMS. | “Your ATM card blocked, click link to verify.”
Vishing | Voice phishing via phone calls. | Fraudsters posing as bank officers.
Clone Phishing | Duplicate of a legitimate email with malicious link. | Fake PayPal notification.
Pharming | Redirecting users to fake websites via DNS manipulation. | Visiting [Link] but landing on fake page.
⚔️ 5. Famous Phishing Incidents
Incident | Year | Impact
RSA Security Breach | 2011 | Spear-phishing email led to theft of SecurID tokens, impacting defense contractors.
Google & Facebook Scam | 2013 to 2015 | Attackers stole $100M via fake invoices and phishing emails.
COVID-19 Phishing Scams | 2020+ | Fake WHO/CDC emails tricking users into downloading malware.
ICICI Bank Phishing Campaign (India) | Ongoing | Fake banking emails & SMS targeting customers.
⚠️ 6. Effects of Phishing
Identity theft & financial fraud.
Unauthorized access to corporate networks.
Malware infections (Trojans, ransomware).
Reputational damage for impersonated organizations.
Data breaches in enterprises via spear phishing.
7. Prevention Strategies
Strategy | Explanation
Awareness training | Educate users to spot phishing attempts.
Check URLs & sender details | Look for HTTPS, spelling errors, domain mismatches.
Don’t click suspicious links | Hover over links before clicking.
Multi-factor authentication (MFA) | Adds extra security layer even if password is stolen.
Spam filters & email security | Detect and block phishing messages.
Regular updates & patches | Prevent malware installation via vulnerabilities.
Incident reporting | Report suspicious emails to IT/security teams.
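Two rows of the table above, "look for HTTPS, spelling errors, domain mismatches" and "hover over links before clicking", are manual checks that a mail gateway or security team can also apply automatically. The script below is an added example written for these notes, not code from the course or any mail-security product. The sample email, its sender address and the lookalike domain are constructed, and the trusted-domain allow-list is an assumption that a real deployment would load from configuration.

```python
"""Flag the link and sender tricks phishing emails rely on.

Added example (not from the lecture notes). Checks an HTML email body for:
  - a sender domain outside the organisation's trusted list,
  - links that do not use HTTPS,
  - link text that shows one domain while the href goes to another,
  - lookalike hosts that embed a trusted brand name.
All sample data below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}  # constructed allow-list for this organisation
URL_TEXT = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def analyse_email(sender: str, html: str) -> list[str]:
    """Return human-readable findings; an empty list means no red flags."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if registrable(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not a trusted domain")

    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            findings.append(f"link {href} does not use HTTPS")
        # The 'hover' check: visible text looks like a URL but href goes elsewhere.
        if URL_TEXT.fullmatch(text):
            shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but href goes to {host}")
        # Lookalike: a trusted brand name embedded in an untrusted host.
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host and registrable(host) not in TRUSTED_DOMAINS:
                findings.append(f"lookalike domain {host} imitates {trusted}")
    return findings


# Constructed sample phishing email (urgency wording plus a disguised link).
SAMPLE_SENDER = "security-alert@examplebank-verify.com"
SAMPLE_BODY = """
<p>Your account will be suspended! Verify now:</p>
<a href="http://examplebank.com.login-check.net/verify">https://www.examplebank.com/login</a>
"""

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_SENDER, SAMPLE_BODY):
        print("FLAG:", finding)
```

The `registrable()` helper is deliberately crude (it ignores multi-label suffixes such as `co.uk`); a production filter would use a public-suffix list. The point of the example is that the disguised link, `examplebank.com.login-check.net`, passes a glance because the trusted name appears first, but the registrable domain is `login-check.net`, which is what the check compares.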
🛠️ 8. Response to Phishing Attack
1. Disconnect device from internet if malware suspected.
2. Change all passwords immediately.
3. Enable MFA on compromised accounts.
4. Report phishing to IT/security team or CERT-In (in India).
5. Monitor financial activity for fraud.
6. Restore system if infected with malware.
🎯 9. Key Takeaways
Phishing = the most common cyber-attack method (over 90% of breaches start with a phishing message).
Variants = email phishing, spear phishing, whaling, smishing, vishing, pharming.
Real-world attacks (RSA, Google/Facebook) show its corporate impact.
User awareness + MFA + email security are the best defenses.
❓ 10. Quiz / Discussion Questions
1. How is spear phishing different from regular phishing?
2. What is the role of DNS in pharming attacks?
3. Why do phishing emails often use urgency and fear tactics?
4. Can SMS-based phishing (smishing) be more dangerous than email phishing? Why?
5. How would you design a corporate training program to prevent phishing?
👨🏫 11. Teaching Tips
Show examples of real phishing emails (with suspicious links, grammar errors).
Demonstrate a phishing simulation tool in lab.
Compare phishing with malware like ransomware (phishing = entry point, ransomware = payload).
Case Study: RSA breach or COVID-19 scams.
Conduct a classroom phishing test (mock emails to see if students identify phishing).
🖥 Study Notes: Malware Type – Pharming
1. What is Pharming?
Definition:
Pharming is a cyber-attack technique where attackers redirect users from legitimate websites to fraudulent ones without their knowledge, even if the user typed the correct URL.
The goal is to harvest sensitive information (login credentials, credit card data, banking details) by tricking victims into believing they are on a trusted site.
Considered an advanced form of phishing because the deception happens at the system or network level, not just via fake emails.
🔍 2. Key Characteristics of Pharming
Characteristic | Description
Silent redirection | User enters a correct URL but is redirected to a fake site.
Difficult to detect | Victim may not notice as the page looks authentic.
System-level manipulation | Uses malware or DNS poisoning to hijack browsing.
Credential theft | Targets online banking, e-commerce, and email services.
⚙️ 3. How Pharming Works - Two main methods
1. Host File Manipulation (Local Pharming)
o Malware modifies the victim’s hosts file (local DNS mapping).
o Example: When user types [Link], system redirects to attacker's IP.
2. DNS Cache Poisoning (DNS Pharming)
o Attackers compromise a DNS server (used to resolve domain names).
o Redirects all users querying that server to the fake malicious site.
o More dangerous since it can affect thousands of users at once.
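Method 1 above, hosts-file manipulation, is the easier of the two to check for on an endpoint: the hosts file is consulted before DNS, so any line that points a public name at an address outside the loopback and private ranges is an override worth investigating. The checker below is an added example written for these notes, not code from the course or any anti-malware product. The hosts-file content, the watchlist of sensitive domains and the attacker address (a documentation-range IP) are all constructed; on a real system the text would be read from /etc/hosts or the Windows drivers\etc\hosts file instead.

```python
"""Check a hosts file for pharming-style overrides.

Added example (not from the lecture notes). Parses hosts-file syntax and
flags any entry that maps a real name to a non-local address, rating
watchlisted domains 'high'. Content and watchlist below are constructed.
"""
import ipaddress

WATCHLIST = {"examplebank.com", "mail.example.org"}  # constructed: names users log in to

# Address ranges that legitimately appear in a hosts file: loopback plus
# RFC 1918 / ULA / link-local. Anything else mapped to a real name is a flag.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed hosts file. The first block is a normal default; the entries
# after '# injected' are the kind of override a pharming trojan writes.
# 203.0.113.0/24 is a documentation range standing in for an attacker host.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan
# injected
203.0.113.45    examplebank.com www.examplebank.com
203.0.113.45    mail.example.org
203.0.113.9     updates.vendor-example.net
"""


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def registrable(host: str) -> str:
    """Crude approximation of the registrable domain (last two labels)."""
    return ".".join(host.split(".")[-2:])


def is_local(addr) -> bool:
    """True for loopback and private/link-local addresses of either family."""
    return addr.is_loopback or any(addr in net for net in LOCAL_NETS)


def suspicious_entries(text: str) -> list[dict]:
    """Flag entries that point a non-local name at a public address."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; a stricter tool would report it
        if name in ("localhost", "ip6-localhost", "broadcasthost") or is_local(addr):
            continue  # default content and LAN names such as printer.lan
        on_watchlist = name in WATCHLIST or registrable(name) in WATCHLIST
        findings.append({"host": name, "ip": ip, "severity": "high" if on_watchlist else "low"})
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"[{f['severity']}] {f['host']} -> {f['ip']}")
```

A clean hosts file on most systems contains nothing but loopback names, so even the "low" findings deserve a look; the "high" ones, where a banking or mail domain resolves to a public address, match step 2 of the response section (restore the default hosts file and scan for malware).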
📊 4. Pharming Attack Lifecycle
1. Victim types the correct website address (e.g., [Link]).
2. DNS resolution is hijacked (via malware or poisoned DNS server).
3. User lands on a look-alike fraudulent site.
4. Victim enters sensitive details (username, password, PIN, card number).
5. Attacker collects and uses information for fraud, identity theft, financial loss.
5. Difference Between Phishing & Pharming
Aspect | Phishing | Pharming
Attack method | Social engineering via fake emails/links | Technical manipulation of DNS or host files
User action needed? | Yes – victim must click malicious link | No – victim is redirected silently
Difficulty of detection | Easier to detect (typos, fake emails) | Harder to detect (URL looks correct)
Scale | Affects individuals | Can affect thousands via DNS poisoning
⚔️ 6. Famous Pharming Incidents
Incident | Year | Impact
Brazil Banking Pharming Attack | 2007 | Thousands redirected from bank websites via DNS poisoning.
PayPal DNS Pharming | 2008 | Users redirected to malicious sites mimicking PayPal.
South Korea DNS Attack | 2011 | DNS poisoning attack redirected users to malware-hosting sites.
Brazil (Again) | 2015 | Massive DNS pharming campaign targeting online banking customers.
⚠️ 7. Effects of Pharming
Large-scale credential theft.
Financial fraud (bank accounts drained).
Identity theft using stolen data.
Reputational damage for financial institutions.
Trust issues with DNS infrastructure.
🛠️ 8. Response to Pharming Attack
1. Stop using compromised system/network.
2. Scan for malware and restore default hosts file.
3. Flush DNS cache and reset DNS settings.
4. Change all passwords (preferably on a clean device).
5. Contact ISP or network admin if DNS poisoning suspected.
6. Enable MFA on accounts to reduce fraud risk.
9. Prevention & Defense Mechanisms
Strategy | Explanation
Use DNSSEC (Domain Name System Security Extensions) | Ensures DNS records are authenticated and not tampered.
Keep systems updated | Patch DNS servers and OS vulnerabilities.
Antivirus & anti-malware tools | Detects host file modifications.
Use HTTPS (SSL/TLS certificates) | Verify padlock 🔒 and certificate details before entering credentials.
ISP monitoring | ISPs can detect unusual DNS behavior.
Avoid public / untrusted Wi-Fi | Pharming attacks are easier on insecure networks.
User awareness | Teach users to check for SSL padlock and suspicious redirects.
🎯 10. Key Takeaways
Pharming = advanced phishing through DNS or host file manipulation.
Harder to detect since URL appears correct.
Can be local (host file malware) or global (DNS server poisoning).
Defense requires DNSSEC, HTTPS, anti-malware, and user vigilance.
❓ 11. Quiz / Discussion Questions
1. How does DNS cache poisoning differ from host file manipulation?
2. Why is pharming considered harder to detect than phishing?
3. How can DNSSEC help prevent pharming attacks?
4. What real-world industries are most vulnerable to pharming?
5. Can pharming and phishing be used together in a hybrid attack?
👨🏫 12. Teaching Tips
Draw a diagram of normal DNS resolution vs. pharming attack (hosts file & DNS poisoning).
Compare phishing vs pharming with examples (email vs DNS hijack).
Show a real HTTPS certificate check in browser to students.
Conduct a lab demo: modify the hosts file (on a controlled lab system) to show how pharming works.
Use case study: Brazil banking pharming attack.
💻 Study Notes: Malware Type – Social Engineering Attacks
1. What is Social Engineering?
Definition:
Social Engineering is a psychological manipulation technique used by cyber attackers to trick individuals into revealing confidential information, granting access, or performing actions that compromise security.
Instead of exploiting technical vulnerabilities, attackers exploit human psychology (trust, fear, curiosity, urgency).
Often the first step in launching malware, phishing, ransomware, or other cyberattacks.
🔍 2. Key Characteristics
Characteristic Explanation
Psychological trickery Manipulates emotions (fear, greed, urgency, trust).
Low-cost attack Does not always require advanced tools.
Targeted at people Exploits the "human factor" of security.
Entry point for malware Can deliver viruses, trojans, or ransomware.
Multi-channel Works via email, phone, SMS, or face-to-face.
⚙️ 3. Common Types of Social Engineering Attacks
1. Phishing – Fake emails/websites trick users into revealing credentials.
2. Spear Phishing – Targeted phishing aimed at specific individuals (e.g., CEOs).
3. Whaling – Attacks directed at high-profile executives (“big fish”).
4. Smishing – Phishing via SMS messages.
5. Vishing – Voice-based phishing via phone calls pretending to be officials.
6. Pretexting – Attacker pretends to be someone else (IT staff, HR, bank) to extract info.
7. Baiting – Attackers leave infected USB drives/CDs in public, tempting users to plug them in.
8. Quid Pro Quo – Offering fake help or services in exchange for sensitive data.
9. Tailgating (Piggybacking) – Physically following authorized personnel into restricted areas without authentication.
10. Impersonation – Pretending to be a trusted person to bypass security.
📊 4. Social Engineering Attack Lifecycle
1. Research – Attacker gathers information about target (OSINT).
2. Hook – Attacker creates trust (fake email, phone call, physical disguise).
3. Play – Victim is tricked into revealing information or performing an action.
4. Exit – Attacker uses stolen data to launch further attacks or financial fraud.
🎭 5. Real-Life Examples
2011 RSA Security Breach – Attackers sent phishing emails with malware-infected Excel files.
Target Data Breach (2013) – Hackers gained access via a phishing attack on an HVAC contractor.
Twitter Bitcoin Scam (2020) – Social engineering was used to trick Twitter employees into handing over internal access.
⚠️ 6. Effects of Social Engineering
Unauthorized access to systems and networks.
Data breaches (personal info, financial details, trade secrets).
Spread of malware (via phishing attachments).
Financial losses (fraud, ransom payments).
Reputational damage for organizations.
7. Prevention & Defense Strategies
Strategy – Explanation
Security Awareness Training – Educate employees about phishing, vishing, baiting.
Multi-Factor Authentication (MFA) – Prevents account takeover even if a password is stolen.
Email/SMS Filtering – Detects suspicious links and attachments.
Verify Identity – Always confirm requests for sensitive info.
Physical Security Controls – Stop tailgating, check ID cards, secure restricted areas.
Least Privilege Principle – Users should only have access to what they need.
Incident Reporting Culture – Encourage employees to report suspicious activity.
🛠️ 8. Response to a Social Engineering Attack
1. Recognize the attempt (phishing email, fake call, suspicious request).
2. Do not click on suspicious links or attachments.
3. Report immediately to IT/security team.
4. Disconnect compromised systems from the network.
5. Change credentials and enable MFA.
6. Conduct forensic investigation to assess damage.
🎯 9. Key Takeaways
Social engineering = hacking the human mind.
Relies on trust, fear, urgency, or greed to manipulate victims.
Can be digital (phishing, vishing) or physical (tailgating, impersonation).
Strong training, policies, and technical safeguards are essential to minimize risks.
❓ 10. Quiz / Discussion Questions
1. Why is social engineering considered the "weakest link" in cybersecurity?
2. How does spear phishing differ from normal phishing?
3. Give a real-world example of a successful social engineering attack.
4. Why is MFA effective against credential theft from social engineering?
5. How can organizations detect and stop tailgating?
👨🏫 11. Teaching Tips
Role-Play Activity: Simulate phishing or pretexting in the classroom.
Diagram: Show attack lifecycle (Research → Hook → Play → Exit).
Case Study: Explain RSA or Twitter hack as real-world examples.
Lab Demo: Send mock phishing emails (safe simulation) to demonstrate.
Discussion: Ask students if they ever encountered phishing attempts.
🖥 Study Notes: Denial of Service (DoS) Attack
1. What is a DoS Attack?
Definition:
A Denial of Service (DoS) attack is a malicious attempt to disrupt the normal
functioning of a system, network, or website by overwhelming it with excessive
traffic or resource requests.
Goal:
o Make a service unavailable to legitimate users.
o Cause slowdowns, crashes, or complete shutdowns.
DoS = attack from one source, while Distributed Denial of Service (DDoS) = attack from multiple compromised systems (botnets).
🔍 2. Key Characteristics of DoS
Feature Explanation
Resource Exhaustion Consumes CPU, memory, bandwidth, or disk space.
High Traffic Flooding Sends massive fake requests to overload the server.
Single Point of Origin Typically originates from one system (unlike DDoS).
Service Disruption Prevents legitimate users from accessing resources.
⚙️ 3. Types of DoS Attacks
1. Volume-Based Attacks
o Flood the network with huge traffic.
o Example: ICMP Flood (Ping Flood).
o Measured in bits per second (bps).
2. Protocol Attacks
o Exploit weaknesses in network protocols.
o Example: SYN Flood, Smurf Attack.
o Measured in packets per second (pps).
3. Application-Layer Attacks
o Target specific applications (like web servers).
o Example: HTTP GET/POST Flood.
o Measured in requests per second (rps).
🛠️ 4. Common DoS Techniques
Ping Flood – Attacker floods target with ICMP echo requests.
SYN Flood – Attacker sends multiple half-open TCP connections to exhaust resources.
Smurf Attack – Uses spoofed IP with ICMP broadcast to overwhelm the victim.
Buffer Overflow – Overloads system memory with malicious data.
Teardrop Attack – Sends fragmented packets that crash target systems.
🎭 5. Real-Life Examples of DoS Attacks
Yahoo (2000): One of the first major DoS attacks, shutting down Yahoo’s site.
GitHub (2018): Targeted by the largest DDoS attack recorded at the time (1.35 Tbps traffic).
AWS (2020): Amazon reported largest DDoS attack peaking at 2.3 Tbps.
⚠️ 6. Effects of DoS Attacks
Service downtime – Legitimate users cannot access services.
Financial losses – Business disruption and downtime costs.
Reputation damage – Customers lose trust.
Exploitation window – Attackers may use DoS as a distraction for other attacks (e.g., data breach).
7. Defense Mechanisms
Defense – Description
Firewalls & Routers – Filter malicious traffic using access control lists (ACLs).
Intrusion Detection/Prevention Systems (IDS/IPS) – Detect abnormal traffic patterns.
Rate Limiting – Limits the number of requests per user.
Redundancy – Distribute services across multiple servers.
Cloud DDoS Protection – Services like Cloudflare and AWS Shield mitigate large-scale DoS/DDoS.
Traffic Filtering – Drop suspicious packets (e.g., spoofed IPs).
🔄 8. Steps in a DoS Attack
1. Attacker identifies target (website, server, network).
2. Launches flood of traffic (requests, packets, pings).
3. Resources get overloaded (CPU, bandwidth, memory).
4. Service crashes or becomes unusable for legitimate users.
📊 9. DoS vs DDoS
Feature | DoS | DDoS
Source | Single machine | Multiple machines (botnet)
Power | Limited | Very powerful
Detection | Easier | Harder (distributed)
Example | Single attacker floods server with pings | Botnet attacks GitHub with terabits of traffic
🎯 10. Key Takeaways
DoS = Denial of Service → disrupts normal service.
Targets availability in the CIA triad.
Comes in volume-based, protocol-based, and application-layer forms.
Prevention: IDS/IPS, firewalls, redundancy, cloud-based protection.
❓ 11. Quiz / Discussion Questions
1. How does a SYN Flood attack exhaust server resources?
2. What is the main difference between DoS and DDoS?
3. Why are cloud-based protections (like Cloudflare) effective against DoS?
4. Can DoS attacks be used as a distraction for other attacks? Give an example.
5. Which layer of the OSI model do protocol-based attacks usually target?
👨🏫 12. Teaching Tips
Diagram: Show server overwhelmed by fake requests (visualize traffic flood).
Demo: Use simulation tools (like LOIC in a controlled lab) to demonstrate traffic floods.
Case Study: Discuss GitHub or AWS DoS incidents.
Analogy: Compare DoS to a crowd blocking the entrance to a shop—customers cannot enter.
🌐 Study Notes: Distributed Denial of Service (DDoS) Attack
1. What is a DDoS Attack?
Definition:
A Distributed Denial of Service (DDoS) attack is a coordinated cyberattack
where multiple compromised systems (often part of a botnet) flood a target (website,
server, or network) with massive traffic to exhaust resources and make services
unavailable to legitimate users.
Key Idea:
o DoS = single attacker.
o DDoS = multiple distributed attackers working simultaneously.
🔍 2. Characteristics of DDoS
Feature – Explanation
Scale – Involves hundreds, thousands, or millions of machines.
Source Diversity – Traffic comes from many geographic locations.
High Intensity – Much stronger than single-source DoS.
Botnets – Compromised devices (PCs, IoT, routers, smartphones) used to launch cyber-attacks.
Difficult to Trace – Harder to identify the attacker due to distributed sources.
⚙️ 3. Types of DDoS Attacks
1. Volume-Based Attacks
o Overwhelm bandwidth.
o Examples: UDP Floods, ICMP Floods, Amplification Attacks.
o Measured in bps (bits per second).
2. Protocol Attacks
o Exploit vulnerabilities in network protocols.
o Examples: SYN Flood, Smurf Attack, Ping of Death.
o Measured in pps (packets per second).
3. Application-Layer Attacks (Layer 7 Attacks)
o Target application processes (e.g., web servers, APIs).
o Examples: HTTP GET/POST Flood, Slowloris attack.
o Measured in rps (requests per second).
🛠️ 4. Common DDoS Techniques
Botnets: Large networks of infected devices controlled remotely.
Amplification Attacks: Small requests trigger large responses (e.g., DNS amplification).
SYN Flood: Repeated half-open TCP requests to exhaust server memory.
HTTP Flood: Overloading web servers with numerous requests.
🎭 5. Real-Life Examples of DDoS Attacks
GitHub (2018): Largest DDoS attack recorded at the time, 1.35 Tbps, using Memcached amplification.
Dyn DNS Attack (2016): Took down Twitter, Netflix, PayPal, Reddit by targeting the DNS provider.
AWS (2020): Reported massive 2.3 Tbps DDoS attack.
Estonia (2007): National-scale attack affecting government and banking services.
⚠️ 6. Impact of DDoS Attacks
Downtime: Websites and services become unavailable.
Revenue Loss: E-commerce and online businesses face huge losses.
Reputation Damage: Customers lose trust.
Collateral Damage: Internet infrastructure like DNS servers can be affected.
Secondary Attacks: Attackers may use DDoS as a smokescreen for data theft or ransomware.
7. Defense Mechanisms
Defense Description
Traffic Filtering Block illegitimate packets.
Rate Limiting Restrict number of requests per user.
Load Balancing Distribute requests across multiple servers.
CDN (Content Delivery Network) Caches data globally to absorb traffic spikes.
Cloud-Based DDoS Protection Services like Cloudflare, Akamai, AWS Shield.
Anycast Routing Distributes traffic across multiple data centers.
Detection Tools IDS/IPS monitor unusual traffic patterns.
🔄 8. Steps in a DDoS Attack
1. Attacker builds botnet by infecting devices with malware.
2. Botnet controlled via Command-and-Control (C&C) servers.
3. Coordinated traffic flood launched against target.
4. Target overwhelmed, legitimate users unable to access service.
📊 9. DoS vs. DDoS
Feature DoS DDoS
Source Single machine Multiple machines (botnet)
Strength Limited Very powerful
Traceability Easier Very hard
Detection Simpler Complex
Cost to Attacker Low Higher (requires botnet)
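As an added example (not part of these notes), the per-source rate limiting listed in the DoS and DDoS defense tables and the Detection row of the table above, in Python over a constructed request log covering one 10-second window: a single flooding host is caught by a per-source limit, while the same volume spread over many bots stays under that limit and is only visible in the aggregate count. All IP addresses and request counts are constructed.

```python
from collections import Counter

# Constructed sample: source IPs of requests seen in one 10-second window (not real traffic).
# Baseline: 20 ordinary clients sending 2 requests each.
NORMAL = [f"198.51.100.{1 + j % 20}" for j in range(40)]


def single_source_flood():
    """DoS pattern: one host adds 300 requests on top of the baseline."""
    return NORMAL + ["203.0.113.7"] * 300


def distributed_flood():
    """DDoS pattern: 300 distinct bots add one request each (same total volume)."""
    return NORMAL + [f"10.0.{i // 256}.{i % 256}" for i in range(300)]


def per_source_counts(events):
    return Counter(events)


def sources_over_limit(events, limit):
    """Per-source rate limiting: sources that sent more than `limit` requests in the window."""
    return sorted(src for src, n in per_source_counts(events).items() if n > limit)


def classify_traffic(events, max_total, concentration=0.8):
    """Aggregate view, independent of any single source.

    'normal' when the window holds at most max_total requests; otherwise 'dos' when one
    source accounts for at least `concentration` of the load, 'ddos' when it is spread out.
    """
    total = len(events)
    if total <= max_total:
        return "normal"
    top_share = max(per_source_counts(events).values()) / total
    return "dos" if top_share >= concentration else "ddos"


if __name__ == "__main__":
    samples = [("baseline", NORMAL),
               ("single source", single_source_flood()),
               ("distributed", distributed_flood())]
    for name, events in samples:
        # The per-source limit flags the DoS host but nothing in the DDoS sample,
        # which is why the aggregate classification is needed for distributed floods.
        print(f"{name:14s} class={classify_traffic(events, max_total=100):6s} "
              f"over_limit={sources_over_limit(events, limit=50)}")
```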
🎯 10. Key Takeaways
DDoS = Large-scale DoS using multiple compromised systems.
Targets the Availability component of the CIA Triad.
Includes Volume, Protocol, and Application-level attacks.
Defenses include cloud-based protection, CDNs, load balancing, and traffic filtering.
Real-world DDoS incidents show economic and national-level risks.
❓ 11. Quiz / Discussion Questions
1. How is a botnet created for DDoS attacks?
2. Why are amplification attacks (like DNS amplification) more dangerous than simple floods?
3. What is the difference between SYN Flood and HTTP Flood?
4. Why are DDoS attacks hard to trace back to the original attacker?
5. How does Anycast routing help in mitigating DDoS?
👨🏫 12. Teaching Tips
Diagram: Show botnet structure → attacker → multiple infected devices → target server.
Demo: Use controlled lab simulations with low-traffic DoS tools.
Case Study: Discuss GitHub (2018) or Dyn DNS (2016) incident.
Analogy: Compare DDoS to hundreds of people calling a call center at once, blocking real customers.
🔐 Study Notes: Man-in-the-Middle (MitM) Attacks
1. What is a Man-in-the-Middle (MitM) Attack?
Definition:
A Man-in-the-Middle (MitM) attack occurs when a malicious actor secretly
intercepts and possibly alters communication between two parties who believe they
are directly communicating with each other.
Key Idea:
The attacker “sits in the middle” of the communication path between a client and a
server, spying, modifying, or injecting malicious data without detection.
🔍 2. How MitM Works
1. Victim (User) tries to communicate with a legitimate server (e.g., bank, website).
2. Attacker positions themselves between victim and server.
3. Attacker intercepts communication:
o Can eavesdrop (read data).
o Can alter the content before forwarding.
o Can impersonate one of the parties.
👉 Example: If Alice sends money to Bob, the attacker can modify details so money goes to
attacker’s account.
3. Techniques Used in MitM Attacks
(A) Interception Techniques
Packet Sniffing: Capture unencrypted data packets on a network.
Rogue Wi-Fi Hotspot: Attacker sets up a fake Wi-Fi with a legitimate-sounding name (e.g., Free_Airport_WiFi).
IP Spoofing: Attacker impersonates a trusted IP address.
ARP Spoofing: Sending false ARP messages to link attacker’s MAC with victim’s IP.
DNS Spoofing: Redirect victim’s traffic to a fake website.
(B) Decryption Techniques
SSL Stripping: Downgrade HTTPS connection to HTTP to steal sensitive data.
Session Hijacking: Stealing authentication cookies/tokens to impersonate a user.
4. Types of MitM Attacks
1. Eavesdropping Attack – Attacker listens without altering communication.
2. Session Hijacking – Stealing user sessions (cookies/tokens).
3. Man-in-the-Browser (MitB) – Malware inside browser intercepts communications.
4. Email Hijacking – Intercepting email communication between users and institutions.
5. Wi-Fi Eavesdropping – Using fake Wi-Fi networks to intercept data.
📊 5. Real-Life Examples
NSA PRISM Program (2013): Accused of intercepting data from major internet companies.
Turkish ISP DNS Hijacking (2014): Government intercepted Google DNS traffic.
Equifax Hack (2017): Some MitM vulnerabilities exploited in data breaches.
Hotel Wi-Fi Attacks: Hackers often use rogue Wi-Fi hotspots to steal guest logins.
⚠️ 6. Impact of MitM Attacks
Data Theft: Passwords, banking details, credit card numbers stolen.
Identity Theft: Attacker impersonates user for fraudulent activities.
Financial Loss: Online transactions modified to benefit attacker.
Loss of Trust: Users lose confidence in online platforms.
Corporate Espionage: Sensitive company data leaked.
🛡️ 7. Defense Mechanisms
Defense Description
Encryption (HTTPS/TLS/SSL) Ensures data can’t be read even if intercepted.
VPN (Virtual Private Network) Encrypts internet traffic, reducing risk on public Wi-Fi.
Strong Authentication (MFA) Prevents session hijacking.
Secure Wi-Fi Practices Avoid public Wi-Fi without VPN, disable auto-connect.
Certificate Pinning Prevents SSL stripping by validating server certificates.
IDS/IPS Systems Detect unusual traffic patterns indicating MitM.
DNS Security (DNSSEC) Prevents DNS spoofing attacks.
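As an added example (not part of these notes), the IDS/IPS row above applied to the ARP spoofing technique from section 3: an arpwatch-style monitor in Python that replays ARP replies and alerts when an IP's MAC binding changes or one MAC starts answering for several IPs. The LAN, addresses and timings are constructed.

```python
from collections import defaultdict

# Constructed ARP reply observations (time in s, IP, MAC) from a small LAN; not a real capture.
ARP_OBSERVATIONS = [
    (0,  "192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway, learned at startup
    (1,  "192.168.1.20", "aa:bb:cc:00:00:20"),   # a workstation
    (30, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # periodic refresh, binding unchanged
    (61, "192.168.1.1",  "de:ad:be:ef:00:99"),   # gateway IP now maps to a different MAC
    (62, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (63, "192.168.1.30", "de:ad:be:ef:00:99"),   # same new MAC also answers for another IP
]


def detect_arp_anomalies(observations):
    """Replay ARP replies in order and return alerts of two kinds:

    ("mac_changed", t, ip, old_mac, new_mac)  - an IP's binding was overwritten, the
        effect ARP spoofing has on the victim's or gateway's entry
    ("mac_claims_many", t, mac, ips)           - one MAC answers for several IPs, i.e.
        one interface posing as more than one host

    A NIC replacement or a DHCP lease moving an IP also produces mac_changed, so
    alerts are a prompt for review; static entries for the gateway and switch-side
    Dynamic ARP Inspection are the preventive counterparts to this detection.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in observations:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac_changed", t, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac_claims_many", t, mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(ARP_OBSERVATIONS):
        print(alert)
```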
🔄 8. Step-by-Step Example of an MitM Attack
1. Victim connects to a public Wi-Fi hotspot.
2. Attacker controls the hotspot and intercepts traffic.
3. Victim tries to log in to online banking.
4. Attacker captures username, password, and session cookies.
5. Attacker either steals money directly or sells credentials on the dark web.
9. MitM vs. Phishing
Feature | MitM | Phishing
Approach | Direct interception of traffic | Trick user into giving data
User Awareness | Hard to detect | User may spot suspicious links/emails
Target | Network communication | Human behavior
Automation | Technical (uses spoofing, sniffing, malware) | Social engineering
🎯 10. Key Takeaways
MitM attacks compromise confidentiality and integrity of the CIA Triad.
Attacks rely on intercepting and manipulating communication.
Common methods: ARP spoofing, DNS spoofing, SSL stripping, rogue Wi-Fi.
Defense = Encryption + Authentication + Secure Networks.
Awareness of unsafe Wi-Fi and fake websites is crucial for prevention.
❓ 11. Quiz / Discussion Questions
1. How does ARP spoofing enable a Man-in-the-Middle attack?
2. Why is SSL stripping dangerous in public Wi-Fi networks?
3. Explain the difference between MitM and MitB (Man-in-the-Browser).
4. Suggest 3 best practices to avoid MitM when using free Wi-Fi.
5. How does DNSSEC prevent MitM attacks?
👨🏫 12. Teaching Tips
Diagram: Show two users (Alice & Bob) communicating with attacker in between intercepting messages.
Demo: Use Wireshark (controlled lab environment) to show how packet sniffing works.
Case Study: Discuss real-world Wi-Fi hotspot attacks.
Analogy: Compare to a postman opening and altering letters before delivering.
🔐 Study Notes: SQL Injection (SQLi)
1. What is SQL Injection?
Definition:
SQL Injection (SQLi) is a code injection attack where an attacker inserts malicious
SQL statements into an input field to manipulate the database behind a web
application.
Key Idea:
The attacker “injects” SQL code into queries to:
o Retrieve unauthorized data.
o Modify or delete data.
o Bypass authentication.
o Even take complete control of the database.
👉 Example: If a login form is not properly secured, an attacker can log in without a
password by injecting SQL code.
🔍 2. How SQL Injection Works
Normal Query (Expected Behavior):
SELECT * FROM users WHERE username = 'Alice' AND password = '12345';
Malicious Query (Injection):
If attacker inputs:
' OR '1'='1
Query becomes:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
'1'='1' is always true, so attacker gains unauthorized access.
3. Types of SQL Injection
(A) In-Band SQL Injection (Most Common)
Error-Based SQLi: Uses database error messages to extract data.
Union-Based SQLi: Combines results of malicious queries with legitimate queries.
(B) Blind SQL Injection
Application does not show errors, so attacker infers results based on true/false
responses.
o Boolean-based: Tests conditions (AND 1=1, AND 1=2).
o Time-based: Forces delays (IF(condition, SLEEP(5), 0)).
(C) Out-of-Band SQL Injection
Data is extracted using external channels like DNS or HTTP requests.
Less common but used when responses are restricted.
4. Real-Life Examples
2009 Heartland Payment Systems Breach: SQLi led to theft of 130 million credit card numbers.
2012 Yahoo Voices Breach: Hackers used SQLi to leak 450,000 email addresses and passwords.
2017 Equifax Breach: SQLi vulnerabilities exposed sensitive data of 147 million people.
OWASP Top 10: SQL Injection has consistently ranked among the most critical web application risks.
⚠️ 5. Impact of SQL Injection
Data Theft: Attackers read sensitive customer data.
Data Manipulation: Modify or delete critical records.
Authentication Bypass: Login without valid credentials.
Database Corruption: Insert malicious data.
System Compromise: Sometimes used to gain remote system access.
Financial and Reputational Loss: Huge fines, lawsuits, and customer distrust.
6. Example of Safe Query (Prepared Statement)
Unsafe (Vulnerable to SQLi): user input is concatenated into the SQL text.
cursor.execute("SELECT * FROM users WHERE username='" + user + "' AND password='" + pwd + "'")
Safe (Prepared Statement): placeholders are bound to the values, so input is never parsed as SQL.
cursor.execute("SELECT * FROM users WHERE username=? AND password=?", (user, pwd))
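As an added example (not the notes' own code), the two queries above run side by side against a constructed in-memory SQLite database using the page's ' OR '1'='1 input from section 2, so the bypass of the concatenated query and the failure of the same input against the prepared statement can both be observed. The sample user and password are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with one sample user (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Alice', '12345')")
    return conn


def build_unsafe_query(user, pwd):
    # Mirrors the page's concatenated query: the input becomes part of the SQL text.
    return ("SELECT * FROM users WHERE username='" + user
            + "' AND password='" + pwd + "'")


def login_unsafe(conn, user, pwd):
    """Vulnerable: the database parses whatever the user typed as SQL."""
    return conn.execute(build_unsafe_query(user, pwd)).fetchone() is not None


def login_safe(conn, user, pwd):
    """Hardened: ? placeholders bind the values as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?", (user, pwd)
    ).fetchone()
    return row is not None


PAYLOAD = "' OR '1'='1"   # the injection string discussed in section 2


def demo():
    conn = make_db()
    return {
        # legitimate credentials work in both versions
        "legit_unsafe": login_unsafe(conn, "Alice", "12345"),
        "legit_safe": login_safe(conn, "Alice", "12345"),
        # AND binds tighter than OR: with the payload only in the username field the
        # query reads username='' OR ('1'='1' AND password=''), so the password
        # still has to match and this attempt fails ...
        "inject_username_only_unsafe": login_unsafe(conn, PAYLOAD, ""),
        # ... while the same string in both fields adds a trailing OR '1'='1' that
        # makes the whole WHERE clause true: authentication bypass.
        "inject_both_unsafe": login_unsafe(conn, PAYLOAD, PAYLOAD),
        # the prepared statement compares the literal string ' OR '1'='1 to the
        # stored username and finds no such user.
        "inject_both_safe": login_safe(conn, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} logged_in={result}")
```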
🛡️ 7. Prevention Techniques
Prevention Method – Description
Parameterized Queries (Prepared Statements) – Use placeholders (?) instead of string concatenation in SQL queries.
Stored Procedures – Encapsulate SQL code to reduce injection risk.
Input Validation & Sanitization – Reject suspicious inputs (', --, ;, keywords like DROP, SELECT).
Least Privilege Principle – Database accounts should not have unnecessary permissions.
Error Handling – Do not display raw database error messages to users.
Web Application Firewalls (WAFs) – Detect and block SQL injection attempts.
Regular Security Testing – Use penetration testing and vulnerability scanners.
🔄 8. SQL Injection Attack Steps (Typical Scenario)
1. Attacker finds an input field (e.g., login, search box).
2. Tests for vulnerability using ' OR '1'='1.
3. If vulnerable, attacker extracts table names, columns, and data.
4. Escalates attack to modify or delete data.
5. Sometimes uses SQLi as a gateway to further attacks (Privilege Escalation, RCE).
📊 9. SQL Injection vs Other Attacks
Attack Type | SQL Injection | Cross-Site Scripting (XSS) | Cross-Site Request Forgery (CSRF)
Target | Database | Browser (user) | User’s session
Goal | Data theft, manipulation | Inject scripts | Force actions
Example | OR 1=1 | <script>alert(1)</script> | Auto money transfer
🎯 10. Key Takeaways
SQL Injection is one of the oldest and most dangerous web attacks.
Exploits improper handling of user input.
Can lead to unauthorized access, data theft, financial damage.
Defenses include prepared statements, sanitization, WAFs, and least privilege.
Still relevant in 2025 — developers must follow secure coding practices.
❓ 11. Quiz / Discussion Questions
1. Why is ' OR '1'='1 a common SQL injection payload?
2. Explain the difference between error-based and blind SQL injection.
3. How do prepared statements prevent SQL injection?
4. Name two real-life SQL injection breaches and their impacts.
5. Why is showing database error messages to users dangerous?
👨🏫 12. Teaching Tips
Whiteboard Demo: Show difference between a normal query and an injected query.
Lab Exercise: Use a sample vulnerable website (like DVWA - Damn Vulnerable Web App) to show SQLi in action.
Case Study: Discuss Yahoo/Equifax breaches and consequences.
Analogy: SQL Injection is like writing an extra line in someone’s “order form” to get unauthorized benefits.