The 'monsters' of cybersecurity — and how to slay them

Maybe the monster under your bed wasn’t real, but nefarious villains really do lurk in the dark corners of the internet.

This October, Arizona State University experts are celebrating the 20th anniversary of Cybersecurity Awareness Month and the spookiest time of the year by explaining how monsters seek out victims in a digital age. Grab your torches and pitchforks — er, touchpads and keyboards — and arm yourself against the things that go bump in cyberspace.

The Phisherman

He trawls the dark expanse of the internet, casting about for targets. Sometimes his nets are wide, such as an email blast purporting to be from a credible company. Other times, it’s a targeted spear: a personal message that appears to be from a trusted individual. In either case, these seemingly innocuous communiques supply a link for you to log in to a personal or work account. If you do, you become the latest victim of the "Phisherman."

Phishing attacks steal user data, such as login, financial or personally identifiable information by posing as a trusted entity and tricking victims into opening a malicious link. A false login page then copies your login credentials or otherwise tricks you into divulging sensitive information such as your social security number.

“Once attackers have your username and password, what we’re finding is they can link to other personal information on the dark web and can build more of a holistic profile of you, to commit fraud in your name,” says Adam Doupé, director of the Center for Cybersecurity and Trusted Foundations in ASU’s Global Security Initiative.

RELATED: Read about CTF’s work to identify and address critical vulnerabilities in anti-phishing tools

Phishing often relies on social engineering — the manipulation, influence or deception of a victim by posing as a trusted entity, such as a close friend, colleague or maybe the company they work for.

“If you have a public profile on Facebook or on Twitter, an attacker can see who you hang out with, what you do, where you go,” says Rakibul Hasan, an assistant professor in School of Computing and Augmented Intelligence at the Ira A. Fulton Schools of Engineering. “Then they can craft a message which is more personalized and believable to you.”

Hasan heads the PERSUE Computing Lab at ASU, which studies the intersection of privacy, security and stability of computing technologies. His lab incorporates artificial intelligence, machine learning and elements of cognitive psychology into their research.

While phishing is nearly as old as the internet itself, it remains the most common way people and companies are victimized on the internet.

Doupé and Hasan note there are steps you can take to avoid the Phisherman’s hook:

• Enable two-factor authentication on all high value accounts. That way, they’re safe even if an attacker gains your username and password.
• Be skeptical. If you receive a message out of the blue that claims you need to update your payment information or you need to verify your personal or financial information, odds are it’s a scam.  
• Don’t click on just any link that’s sent your way. Malicious links are the barbed hooks and rusty spears of the Phisherman’s grisly trade — consider them with caution.
• Trust the cybersecurity measures in place. If you get a big, scary red message that warns you of malicious activity, Doupé urges you to heed that warning. 
• Lower your digital footprint. Social engineering is important to phishing, so make those details harder to obtain. Hasan recommends setting social accounts to private and being judicious about the details you broadcast to the world.

The Snatcher

He lurks in the dark recesses of the internet, obscuring his identity and eyeing his marks. One day, you log on to your home computer and find yourself locked out of all your files — your tax documents, your email, even your family photos. A menacing pop-up threatens: “All your files are encrypted. Send Bitcoin to this address or you’ll never access them again.”

If that sounds like a ransom note, it’s because you’ve been hit with ransomware, courtesy of the "Snatcher." Ransomware is a constantly evolving subset of malware that denies users access to their files unless the attacker receives payment.

“For most people, it's anywhere from $500 to $1,000,” says Doupé, who is also an associate professor in the School of Computing and Augmented Intelligence. “While that's scary on an individual level, it gets really scary when they do this to a company, because then they can start to demand much more money.” 

Say a company doesn’t want to play ball, because they have robust backups of their data. Ransomware can still pose a significant threat, because the attackers can steal proprietary information or threaten to leak information publicly if the ransom is not paid.

So how can users avoid their files getting stuffed into an unmarked van? Doupé says basic data hygiene goes a long way in keeping the Snatcher’s hands off your data. 

• Install security updates as soon as possible. The origin of many ransomware attacks are unaddressed, exploitable gaps in security.
• Back up your files and store them separately. Individuals with routine backups on an external hard drive can rest easy if they’re hit with ransomware.

The Vampire

At first glance, this monster looks enticing and inviting. It can take a variety of innocuous forms: an online clothing shop, a cryptocurrency exchange or a charity website. But lurking beneath its attractive exterior is a creature yearning to part you with your hard-earned money and bleed you dry — a "Vampire."

If you find yourself under this creature’s thrall, you’ve fallen victim to a fraudulent e-commerce website. These websites are a rising class of online scams that steal users’ money while promising bogus products or services.

“These sites pose a challenge to the anti-phishing ecosystem, because the anti-phishing detection systems can’t effectively recognize them,” Doupé says. “They aren’t impersonating a trusted site like Netflix or PayPal — they simply appear to be another online storefront or charity.”

These scam websites draw consumers in with good deals or rare items, says Marzieh Bitaab, a doctoral student in the Laboratory of Security Engineering for Future Computing at the School of Computing and Augmented Intelligence, who researches these scams.

“They try to give you a sense of urgency — ‘We only have a few items left!’ or ‘Someone just bought this item, hurry up before they’re all gone!’” Bitaab says.

However, this class of scams preys on more than just consumers’ desire for a good deal.

“They target people emotionally,” Doupé says. “We published a paper looking at how the criminal underground pivoted towards targeting people during the COVID-19 pandemic with fake CDC donation pages and phony storefronts for PPE.”

ASU researchers, including Bitaab and Doupé, are developing methods to automatically detect such scam websites. In the meantime, Bitaab has some consumer tips to act as garlic, crosses and holy water against fraudulent e-commerce sites:

• Do some research. Before you purchase a product or service from an unknown vendor, try to learn more about them. If the vendor’s domain was activated recently or if the website has a lot of broken links, it may be fraudulent.
• Check their social media accounts. Look for when they were created, the number of followers and the overall activity of the account. While possible, it is hard to convincingly fake an organic social media presence, Bitaab says.
• Look for other customers’ experiences. Bitaab recommends looking at the scams subreddit, where users ask for advice about a vendor or warn others of scams.
• If it seems too good to be true ... it probably is.

The Horde



A surging, unrelenting swarm of attackers from all directions overwhelms devices or networks, grinding all activity to a halt. This shambling, single-minded "Horde" is a plague to businesses big and small alike — a distributed denial of service (DDoSdistributed denial-of-service) attack.  

DDoS attacks direct massive amounts of requests to a target, overwhelming it and rendering a website or application unavailable to legitimate users. These attacks marshal many compromised computer systems to make these requests — anything with an internet connection can become an unwitting zombie in a DDoS attack.

These attacks usually target companies, which can severely damage operations and profits. While massive corporations can often fend off such offensives, small and medium-sized businesses don’t have the same resources.

“People running small businesses don’t have huge IT departments, so attackers take down a site and then send an email offering to help fix the problem,” Doupé says. “It’s like a mob shakedown. ‘Hey, we specialize in DDoS protection. Pay us!’”

Fortunately, individuals are unlikely to be the target of a DDoS attack. But there is something you can do to help mitigate them: make sure your internet connected devices are up to date.

“That way, you're not inadvertently a zombie in this Horde,” Doupé says.

The Werewolf

Much of the time, this monster isn’t a monster at all. It’s a harmless and even helpful Internet of Things (IoT) device. But once infected, it strikes, transforming from an innocuous helper into a bloodthirsty beast — the "Werewolf."

Over the last 10 years, internet-connected devices have become ubiquitous in our homes. Everything from appliances and doorbells to lightbulbs and thermostats promise convenience and automation. But with that convenience comes risk: any one internet-connected device represents an exploitable entry point into your home network and other devices.

“The problem is that IoT devices often have less security mechanisms, which can make it easier for attackers to exploit it,” Doupé says. “The other problem is they don't get security updates from the manufacturers, so they're just sitting in your network, waiting for somebody to discover some bug or vulnerability and take them over.”

Fortunately, Doupé and Hasan have some silver bullets to keep this particular monster at bay:

• Change default passwords. A 2021 survey found that 33% of people surveyed don’t take this step. It’s a bit like handing out copies of your house keys to anyone who asks.
• Update your software. Staying on top of security updates lowers the risk of an attacker finding an exploit.
• Keep them on a separate network. Create a guest or secondary network solely for your IoT devices that is unconnected to primary devices such as phones and computers. That way, if an IoT device is compromised, it can’t access sensitive information. 
• Evaluate products on their own merits. For privacy-minded Hasan, the convenience of connected devices is often not worth the inherent risk.

Illustrations by Andy Keena/ASU