
CYBER SECURITY & WEB ATTACKS.

“Security used to be an option sometimes, but now it's a necessity all the time.”

DHANISH SHAH
Babasaheb Gawde Institute of Technology [BGIT]
Mumbai Central.
dhanishshah9@gmail.com
9892225733

SAAD GHOJARIA
Babasaheb Gawde Institute of Technology [BGIT]
Mumbai Central.
saadgigani@ymail.com
9637251088

Abstract — Network outages, data compromised by hackers, computer viruses and other incidents affect our lives in ways that range from inconvenient to life-threatening. As the number of mobile users, digital applications and data networks increases, so do the opportunities for exploitation.

What is Cyber Security and what are different Web Attacks?

--------------- Let’s Find Out! ----------------

Keywords— Cyber Security, Attacks, Virus, Precautions.

I. WHAT IS CYBER SECURITY?

Cyber security, also referred to as information technology security, focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction.

II. WHY IS CYBER SECURITY IMPORTANT?

Governments, military, corporations, financial institutions, hospitals and other businesses collect, process and store a great deal of confidential information on computers and transmit that data across networks to other computers. With the growing volume and sophistication of cyber attacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security.

During a Senate hearing in March 2013, the nation's top intelligence officials warned that cyber attacks and digital spying are the top threat to national security, eclipsing terrorism.

III. THE MOST WANTED CYBER CRIMINALS IN THE WORLD.

• On the FBI’s Most Wanted List for cyber criminals you will currently find 19 individuals, each being responsible for consumer losses ranging from $350,000 to more than $100 million. They are from all over the world and huge rewards are offered for their capture.
• Starting in September of 2011, the FBI began investigating a modified version of the Zeus Trojan, known as GameOver Zeus (GOZ), which we covered in depth. Thousands of corporations were infected with GameOver Zeus and as many as 1.2 million computers were infected prior to the takedown of Zeus. It is believed GameOver Zeus is responsible for financial losses of more than $100 million USD.

IV. MYDOOM

• Ever wondered how much damage a computer virus can do?
• Let us give you a compelling example through this next cyber security fact.
• MyDoom is considered to be the most expensive virus in the world and in cyber security history, having caused an estimated financial damage of $38.5 billion!
• MyDoom was first spotted in January 2004 and it became the fastest-spreading email worm ever, exceeding all previous records. The virus’s origins are believed to be in Russia, but its author was never discovered. MyDoom hacked Google also!

V. SOCIAL MEDIA – A HACKERS’ FAVORITE TARGET

Currently, according to in-depth statistics, there are more than 1.6 billion social network users worldwide, with more than 64% of internet users accessing social media services online. Moreover, social networking is one of the most popular ways for online users to spend their time, and a preferred way to stay in contact with friends and families.

VI. WHY ARE CYBER ATTACKS ON SOCIAL MEDIA SO FREQUENT?

VII. THIS IS PRECISELY WHY CYBER ATTACKERS LOVE SOCIAL MEDIA AS WELL!

Users that spend a lot of time on social networks are very likely to click links posted by trusted friends, which hackers use to their advantage. Here are some of the most popular types of cyber attacks directed at social media platforms:

• Like-jacking: occurs when criminals post fake Facebook “like” buttons to webpages. Users who click the button don’t “like” the page, but instead download malware.
• Link-jacking: this is a practice used to redirect one website’s links to another, which hackers use to redirect users from trusted websites to malware-infected websites that hide drive-by downloads or other types of infections.
• Phishing: the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by disguising itself as a trustworthy entity in a Facebook message or Tweet.
• Social spam: unwanted spam content appearing on social networks and any website with user-generated content (comments, chat, etc.). It can appear in many forms, including bulk messages, profanity, insults, hate speech, malicious links, fraudulent reviews, fake friends, and personally identifiable information.

VIII. SOCIAL ENGINEERING – CYBER CRIMINALS’ FAVORITE WAY TO MANIPULATE VICTIMS

People are the weakest link when it comes to cyber security, which is why psychological manipulation of cyber attack victims is so common.

According to the definition, social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. This is a type of confidence trick for the purpose of information gathering, fraud, or system access, and the first type of attack of this kind known in history is the Trojan horse itself (not the computer virus, but the Greek mythical event).

IX. WEB ATTACKS.

New web-based attack types and vectors are coming out every day, and this is causing businesses, communities and individuals to take security more seriously now than they ever have in the past. This is a huge win for the World Wide Web and it’s a trend that is pushing technology further towards more robust and securely developed web applications.

Mainly, web attacks take place due to software vulnerabilities.

SOFTWARE VULNERABILITIES.

A. SQL Injection

Injection vulnerabilities are rated as the number one problem on the list of top 10 security issues put out by the Open Web Application Security Project (OWASP) and continue to be a major source of concern for application and web developers looking to utilize the benefits of storing usable information in a local database.

Due to the predictable nature of these types of applications, an attacker can craft a string using specific Structured Query Language (SQL) commands, and know it can be used to force the database to return data it should not disclose. These strings can be entered in places like search boxes, login forms, and even directly into a URL to negate simple client-side security measures on the page itself.

B. Cross-Site Scripting (XSS)

Often misunderstood, and even more often underestimated, XSS is a style of attack where the front of the website acts as a launching point for attacks on other users visiting the website. This happens when developers don’t properly test their code for the possibility of allowing scripts to be injected. The scripts can then be executed even though the site’s original functionality never intended them to be.

If an XSS vulnerability is present on a website, then an attacker can craft code that executes when other users open the same website. This causes the new users to interact with the malicious background entity created by the attacker. Once a connection has been initiated, usually via social-engineering tactics convincing a user to do something they shouldn’t, the attacker is able to infiltrate your website visitors’ computers.

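For section B (Cross-Site Scripting), an added example that is not from the original paper: a comment renderer that pastes visitor input into the page beside one that HTML-encodes it, plus the kind of test the section says developers skip. The function names and the stored comments are constructed for the illustration.

```python
import html
import re

def render_comment_raw(author, text):
    """Vulnerable: visitor-supplied text is pasted into the page as markup."""
    return "<li><b>" + author + "</b>: " + text + "</li>"

def render_comment_escaped(author, text):
    """Hardened: every untrusted value is HTML-encoded before insertion."""
    return "<li><b>" + html.escape(author) + "</b>: " + html.escape(text) + "</li>"

# Tags the comment template itself is allowed to emit.
TEMPLATE_TAGS = {"li", "b"}

def injected_tags(rendered):
    """Return tag names in the output that did not come from the template."""
    found = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered)
    return sorted({tag.lower() for tag in found} - TEMPLATE_TAGS)

def audit(render, comments):
    """Run every stored comment through a renderer and report injected tags."""
    return {author: injected_tags(render(author, text))
            for author, text in comments}

# Constructed sample of stored comments; the second one carries script markup.
COMMENTS = [
    ("bob", "Great article, thanks!"),
    ("mallory", "<script>alert('shown to every visitor')</script>"),
]

if __name__ == "__main__":
    print("raw     :", audit(render_comment_raw, COMMENTS))
    print("escaped :", audit(render_comment_escaped, COMMENTS))
```

Running `audit` over every renderer in a test suite turns the check into a regression test: a template that starts emitting unencoded input fails the build before other visitors ever receive it.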
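The login-form case from section A (SQL Injection), as an added example that is not part of the original paper: a query built by string concatenation beside its parameterized form, run against an in-memory SQLite database. The table, the account and the function names are constructed for the illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding one constructed account (sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    # Plaintext only to keep the demo short; real systems store a salted hash.
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def login_concatenated(db, name, password):
    """Vulnerable: form input is pasted into the SQL text and parsed as SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone()[0] > 0

def login_parameterized(db, name, password):
    """Hardened: placeholders keep the input as data, never as SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone()[0] > 0

def attempt(login, db, name, password):
    """Run one login; None means the database rejected the query text."""
    try:
        return login(db, name, password)
    except sqlite3.Error:
        return None

def compare(db, name, password):
    """Return (concatenated_result, parameterized_result) for one attempt."""
    return (attempt(login_concatenated, db, name, password),
            attempt(login_parameterized, db, name, password))

if __name__ == "__main__":
    db = make_db()
    attempts = [
        ("alice", "correct-horse"),  # legitimate login
        ("alice", "wrong"),          # wrong password
        ("alice", "' OR '1'='1"),    # quotes change the logic of the query
        ("o'brien", "x"),            # an ordinary apostrophe breaks the query
    ]
    for name, password in attempts:
        print(name, repr(password), compare(db, name, password))
```

The last attempt is worth watching for in logs: SQL syntax errors triggered by ordinary apostrophes in form fields are a sign that input is reaching the query text unparameterized.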
C. Local File Inclusion

• By targeting ‘include’ parameters in PHP code, intruders can request that an alternative file be used in the specified request instead of the file meant to go along with the program. This can lead to unintended access to internal files and logs.

Where a script should work like this –
http://site.com/web-app.php?nextStep=goodfile.php

– a vulnerable application can be changed to target a sensitive system file, or worse, something that is infected –
http://site.com/web-app.php?nextStep=/etc/passwd

• Where this can get even messier is when dealing with a highly sophisticated intruder that knows how to manipulate internal files. By sending malicious payloads to the site, without intending for them to work, a hacker can load log files with their own code. By pointing a vulnerable include parameter to a code-injected log file by using an LFI technique, a devastating attack can be launched.

D. Remote File Inclusion

• A very sneaky method of running malicious software on a victim’s server is by simply asking it to go somewhere else on the Internet to find a dangerous script, and then run it from that location. This scary scenario is called a Remote File Inclusion (RFI) attack. An RFI can occur when functions are improperly crafted, allowing users to modify the URL parameters when web apps are launching components for their own purposes.
• By changing the intended process in order to activate a far away malicious payload sitting on a public server, the attacker may be able to activate a piece of code that will give them a shell through a held connection between the victim site and the remote server that holds the designated file. Including a script in this way opens up a number of options that a hacker can use against you.

X. A FEW THINGS TO CONSIDER AS A WEBSITE OWNER:

• Who can you engage if you are unfamiliar with the terms presented in this post?
• How does your host offer you security services, if at all?
• How do you know if your website currently houses one of these vulnerabilities?
• How do you know a vulnerability is not currently being exploited?
• What are you doing right now to protect your website?

XI. STEPS FOR PRECAUTION.

• Perform required software updates for your operating system and web browser. Hackers attack where they see weakness. ...
• Install a firewall on your computer. ...
• Change your passwords often. ...
• Purchase or download anti-virus software. ...
• Install anti-spyware/adware programs onto your system. ...
• Delete emails from unknown sources….

Acknowledgment

We would like to thank our Professor, Head of Department Computer Technology, Mr. Ajit Parab, and Prof. Asif Ansari for giving us this opportunity to present a paper on this enticing topic and for their guidance, which helped us develop this paper.
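For the include-parameter weakness described in sections C (Local File Inclusion) and D (Remote File Inclusion), an added example that is not part of the original paper: a server-side check that decides whether a nextStep value may be included at all. It is written in Python to show the logic a PHP include wrapper would need; the pages directory, the allowlist and the function names are assumptions made for the illustration.

```python
import os
from urllib.parse import parse_qs, urlparse

# Assumed layout (hypothetical): all includable pages live in one directory.
PAGES_DIR = "/var/www/app/pages"
# Allowlist of step names the application really serves (constructed sample).
ALLOWED_PAGES = {"goodfile.php", "checkout.php"}

def resolve_next_step(value, pages_dir=PAGES_DIR, allowed=ALLOWED_PAGES):
    """Map a nextStep value to a file path, or return None to refuse it."""
    if not value or "\x00" in value:
        return None
    # RFI: anything that parses as a URL (scheme or host part) is refused.
    parsed = urlparse(value)
    if parsed.scheme or parsed.netloc:
        return None
    # LFI: absolute paths and any directory component are refused.
    if os.path.isabs(value) or os.path.basename(value) != value:
        return None
    # Only names the application knows about may be included.
    if value not in allowed:
        return None
    # Defence in depth: the resolved path must still sit inside pages_dir.
    base = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def check_request(url):
    """Pull nextStep out of a request URL and validate it."""
    params = parse_qs(urlparse(url).query)
    return resolve_next_step(params.get("nextStep", [""])[0])

if __name__ == "__main__":
    # The two URLs from the text, plus constructed remote and log-file cases.
    for url in (
        "http://site.com/web-app.php?nextStep=goodfile.php",
        "http://site.com/web-app.php?nextStep=/etc/passwd",
        "http://site.com/web-app.php?nextStep=http://files.example/page.txt",
        "http://site.com/web-app.php?nextStep=../logs/access.log",
    ):
        print(url, "->", check_request(url))
```

Because the allowlist names every file that may be included, log files and remote locations are never candidates, which also closes the log-file route described in section C.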