Stealth attack No. 5: Hosts file redirect
Unbeknownst to most of today's computer users is the existence of a DNS-related file named Hosts. Located under C:\Windows\System32\Drivers\Etc in Windows, the Hosts file can contain entries that link typed-in domain names to their corresponding IP addresses. The Hosts file was originally used by DNS as a way for hosts to locally resolve name-to-IP address lookups without having to contact DNS servers and perform recursive name resolution. For the most part, DNS functions just fine, and most people never interact with their Hosts file, though it's there.
Hackers and malware love to write their own malicious entries to Hosts, so that when someone types in a popular domain name — say, bing.com — they are redirected to somewhere else more malicious. The malicious redirection often contains a near-perfect copy of the original desired website, so that the affected user is unaware of the switch.
This exploit is still in wide use today.
Lesson: If you can't figure out why you're being maliciously redirected, check out your Hosts file.
Stealth attack No. 6: Waterhole attacks
Waterhole attacks received their name from their ingenious methodology. In these attacks, hackers take advantage of the fact that their targeted victims often meet or work at a particular physical or virtual location. Then they "poison" that location to achieve malicious objectives.
For instance, most large companies have a local coffee shop, bar, or restaurant that is popular with company employees. Attackers will create fake WAPs in an attempt to get as many company credentials as possible. Or the attackers will maliciously modify a frequently visited website to do the same. Victims are often more relaxed and unsuspecting because the targeted location is a public or social portal.
Lesson: Make sure your employees realize that popular "watering holes" are common hacker targets.
Stealth attack No. 7: Bait and switch
One of the most interesting ongoing hacker techniques is called bait and switch. Victims are told they are downloading or running one thing, and temporarily they are, but it is then switched out with a malicious item. Examples abound.
It is common for malware spreaders to buy advertising space on popular websites. The websites, when confirming the order, are shown a nonmalicious link or content. The website approves the advertisement and takes the money. The bad guy then switches the link or content with something more malicious. Often they will code the new malicious website to redirect viewers back to the original link or content if viewed by someone from an IP address belonging to the original approver. This complicates quick detection and take-down.
Sign up for Computerworld eNewsletters.