The global threat landscape is constantly and rapidly changing, as hackers and bad actors find new and devastating ways of infiltrating networks, abusing security protocols, and hijacking users' computers and systems for their own gain.
zvelo is dedicated to providing industry-leading URL categorization (with zveloDB™) and data solutions for some of the world’s most successful endpoint & network security, ad tech, and communications companies. We’ve put together this glossary of cyber threat definitions as a resource for you in your quest to help make the internet a safer place for all!
For a complete list of malicious categories and malicious detection capabilities—as well as to try out our award-winning URL category lookup tool, visit zveloLIVE.
Advanced Persistent Threat (APT)
An Advanced Persistent Threat (APT) is a set of stealthy, well-hidden, and continuous hacking processes designed to infiltrate a system or network and achieve “persistence”. An APT typically targets specific organizations or government agencies for business or political purposes. By leveraging covertness, command and control, and a variety of malicious tactics (malware, phishing campaigns, etc.), an APT carries out continuous monitoring and data extraction over a long period of time. Because an APT also plants additional exploits and malicious code that are left dormant, it can be incredibly difficult to detect and fully remove from networks and systems.
ActiveWeb
The ActiveWeb is how zvelo refers to the websites that comprise the publicly-accessible Surface Web, also known as the Visible Web or Indexable Web. To provide a safe and secure internet experience, zvelo focuses on classifying these sites for content, malware, phishing, adult and other categories, which is licensed to partners on a data subscription model.
Adware
A form of malicious software that downloads and installs, or otherwise displays, advertising material to generate revenue. Typical adware behavior includes pop-up windows in the user’s browser. In some cases the user may not be able to close the window, or the pop-up may be rendered “off screen” so it is not observable. Some particularly nefarious forms of adware may also install spyware, deactivate a system’s antivirus or anti-malware, or even redirect web browsing traffic to sites that gather marketing data on visitors. Adware can infect all types of computers, tablets, and mobile phones.
Attack Surface
Attack surface refers to the sum of all points (attack vectors) where a hacker or unauthorized user might be able to exploit a vulnerability and gain access to enter or extract data from the environment. In network and information security, it is critical to keep the attack surface as small as possible, particularly when large amounts of personal data are stored on the network.
Attack Vector
Also referred to as “threat vector”, attack vector refers to the path, means, or technique a hacker may use to gain access to a network or computer. A hacker uses this attack vector to deliver a malicious payload or exploit a vulnerability in order to infiltrate or infect the computer, network, or system.
Backdoor
A backdoor is a hidden method of bypassing standard authentication for accessing a computer system or device. Backdoors are typically used to secure remote access to a computer, or to obtain access to plaintext in cryptographic systems. They may come in the form of software, such as rootkits or vendor-installed components of an operating system (e.g. Windows) that allow remote updates and administration. Alternatively, they may come in the form of hardware embedded in computer systems (e.g. the Clipper Chip).
Bad Actor
Another term used for hacker or cybercriminal, bad actor refers to an individual or entity who endeavors to cause trouble, unrest, or otherwise engage in criminal activity.
Bot
A bot is a piece of software/code that performs automated tasks on an internet-connected device. These tasks are often repetitive and structurally similar in nature (scripts, macros, etc.), and a bot performs them with high reliability and much faster than a human could. “Bot” also refers to an individual compromised device within a larger botnet of connected devices.
Botmaster
The owner/operator of a botnet who is able to remotely control the computing and networking functionality of compromised devices by issuing commands through a C&C (command and control) server. A botmaster goes to extraordinary lengths to conceal their identity through IP masking and obfuscation so as to avoid identification and criminal prosecution. A botmaster may be an individual bad actor or even a state-sponsored entity acting as part of a larger espionage campaign.
Botnet
A network of infected internet-connected devices such as computers, routers, IoT devices, etc. that have been compromised and are running one or more bots or instances of malware. Also referred to as “zombie networks”, botnets spread via exploits, viruses, and worms to amass the computing and networking power of hundreds of thousands (if not more) devices. These networks of malicious bots are controlled by a C&C server, and are typically used to spread additional malware that grows the botnet or to facilitate Distributed Denial of Service (DDoS) attacks.
Click Fraud
Click fraud is a type of fraud that takes advantage of the common pay-per-click (PPC) online advertising payment structure. Through the use of bots, or sometimes “click farms”, click fraud is a criminal cyber activity used to automate “clicks” and generate increased revenue from online advertising.
Command and Control Server (C2 or C&C)
A Command and Control (also C2, C&C, or CnC) server is a computer that issues commands to devices that have been infected and compromised with a rootkit or other type of malware. The malicious network of infected devices under a C2 server’s control is called a botnet. Traditional botnets are formed by compromising a device with a Trojan Horse that installs and uses Internet Relay Chat (IRC) to communicate with the C2 server. C2 servers, like other malicious threats, typically have a short shelf life and often reside on cloud services. To obscure the location of the C2 server, its domain is often produced by a domain generation algorithm (DGA), yielding a random, unintelligible domain name from which to issue commands. This is a simplified description, as most advanced botnets consist of several C2 servers and other technical components that allow them to avoid detection and remain persistent.
Crypter
A type of malware designed with the ability to encrypt, obfuscate, and alter other malware, making it significantly more difficult to be detected by antivirus and security programs.
Cybersquatting
Also referred to as domain squatting, cybersquatting is the practice of registering and using an internet domain name with ill intent for the purposes of deceiving and/or profiting from unassuming “mistakes” on the part of a human web user or computer system. The name is derived from “squatting”, the act of occupying a deserted or uninhabited space without proper permission.
Bitsquatting
A form of cybersquatting, bitsquatting is the practice of registering slight variations of popular domain names that differ from the original by a single flipped bit, as would result from a random memory error in a user’s computer or network device (e.g. “excmple.com” or “exaeple.com” for “example.com”, or “aeazon.com” instead of “amazon.com”). The name is derived from “bit” + “typosquatting”.
Typosquatting
Also referred to as URL hijacking, typosquatting is a form of cybersquatting. It is the practice of registering slight variations of popular domain names that are likely to be mistyped by users when inputting a website address.
Also see, Homograph Attack for other types of cybersquatting including spoofing attacks using ASCII and Internationalized Domains Names (IDNs).
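Both forms of squatting above are easiest to reason about by generating the candidate names a defender would want to register pre-emptively or watch for in DNS and certificate-transparency feeds. The following is an added example and is not zvelo's code: it enumerates the single-bit-flip variants (bitsquats) and the common typo variants (omission, transposition, duplication, adjacent key) of a domain's second-level label. The QWERTY neighbour map is a small assumed subset used for illustration.

```python
"""Enumerate bitsquatting and typosquatting candidates for a brand domain."""
import string

# Characters allowed in a DNS hostname label (letters, digits, hyphen).
# Uppercase is excluded because DNS is case-insensitive: flipping the case
# bit of a letter yields the same name, not a squat.
VALID_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

# Assumption: a small QWERTY neighbour map, enough for the examples here.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "e": "wrsd", "l": "kop", "m": "njk", "n": "bhjm",
    "o": "iplk", "p": "ol", "x": "zsdc", "z": "asx",
}


def _valid(label: str) -> bool:
    """Non-empty, only LDH characters, and no leading or trailing hyphen."""
    return (bool(label) and set(label) <= VALID_LABEL_CHARS
            and label[0] != "-" and label[-1] != "-")


def bitsquats(label: str) -> set[str]:
    """Labels produced by flipping exactly one bit of exactly one character,
    keeping only results that are still valid, distinct hostname labels."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            candidate = label[:i] + flipped + label[i + 1:]
            if flipped != ch and _valid(candidate):
                out.add(candidate)
    return out


def typosquats(label: str) -> set[str]:
    """Common mistypings: one character omitted, two adjacent characters
    transposed, one character doubled, or one character replaced by a
    QWERTY neighbour."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                        # omission
        out.add(label[:i] + ch + ch + label[i + 1:])              # duplication
        if i + 1 < len(label):                                    # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):           # adjacent key
            out.add(label[:i] + neighbour + label[i + 1:])
    out.discard(label)
    return {c for c in out if _valid(c)}


def squat_candidates(domain: str) -> dict[str, set[str]]:
    """Generate candidates for the second-level label of 'label.tld' and
    re-attach the TLD. Returns {'bitsquat': {...}, 'typosquat': {...}}."""
    label, _, tld = domain.lower().partition(".")
    return {
        "bitsquat": {f"{c}.{tld}" for c in bitsquats(label)},
        "typosquat": {f"{c}.{tld}" for c in typosquats(label)},
    }


if __name__ == "__main__":
    for kind, names in squat_candidates("example.com").items():
        print(kind, len(names), sorted(names)[:8])
```

Running it on example.com reproduces the two bitsquats quoted above (excmple.com and exaeple.com); note that a bit flip in the TLD or in a dot is a separate, rarer case that this generator deliberately leaves out.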
Dark Web
The Dark Web refers to internet content that exists on ‘darknets’, overlay networks that require specific software and/or non-standard network configurations and communication protocols to access. The Dark Web prioritizes anonymity and encryption to keep communications private. This is purposeful, as the Dark Web is home to a wide range of illicit activities and dealings like illegal marketplaces that sell stolen media and content, hacking tools, drugs, and even child pornography. The Dark Web makes up only a small percentage of the ‘Deep Web’. See Deep Web.
Data Breach
Data Breach refers to the intentional or unintentional release of private or confidential information or data. Other terms for data breach include unintentional information disclosure, data leakage, or data spill. Data compromised during a breach may have been viewed, copied, destroyed, extracted, and used or sold for profit. Some common reasons and methods of data breach include:
- Theft or loss of digital media or property
- Careless disposal of used computer equipment (laptop, hard drives, etc.)
- Failure to encrypt data in transit (sent via email, SMS, etc.)
- Failure to properly secure/authenticate access to an available internet service
- Computer bugs and vulnerabilities (zero-day attacks, etc.)
- Ransomware and phishing attacks
- Social engineering campaigns
Examples of sensitive data may include credit card information, SSNs, usernames/passwords, trade secrets, intellectual property, emails, private customer information such as medical records (personal health information or PHI) or financial documents, and more.
Deep Web
The Deep Web refers to the parts of the internet that are not indexed (not visible) on search engines like Google, Bing, Yahoo, etc. There are a number of legitimate reasons to prevent search engines from indexing content. Much larger than the “Clearnet” (i.e. the indexed internet), the Deep Web is made up of content delivery networks (CDNs), servers that support web services, content behind paywalls, email, online banking tools, and much more. See Dark Web.
Distributed Denial-of-Service (DDoS)
Commonly referred to as DDoS, a distributed denial-of-service attack is the malicious attempt to interrupt network traffic to a target destination, network, or server by overwhelming it with a massive amount of fraudulent traffic from hundreds of thousands (or more) of source locations. Bad actors typically enlist the help of giant botnets of malware-infected routers, IoT devices, and other computers to drive “legitimate”-looking traffic at the target, making it difficult to distinguish the attack from normal traffic.
Domain Generation Algorithm (DGA)
These algorithms are used by a variety of malware families to create a large number of candidate domain names for communication with command and control (C&C) servers. If C&C destinations are hard-coded into the malware itself, law enforcement and security teams can extract them from a sample and block or seize them, cutting the bots off from updates. A DGA instead derives a fresh list of potential communication points (typically from the current date and a seed shared with the botmaster), and the malware reaches out to these at random until one resolves, so the operator only needs to register one of them ahead of time to push updates.
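The following toy DGA is an added example, not zvelo's code and not the algorithm of any real malware family. It shows the three parties that share the same function: the botmaster registers one of the day's domains, the bot walks the list until one resolves, and a defender who has recovered the seed from a sample precomputes the whole window to block or sinkhole it. The seed, TLD pool and label length are assumptions for illustration; `resolves` stands in for a DNS lookup so the code runs offline.

```python
"""A toy time-seeded DGA, the bot's walk over it, and a defender's precomputed blocklist."""
import datetime as dt
import hashlib

SEED = b"example-seed"          # assumption: the secret hard-coded in the sample
TLDS = ("com", "net", "org")    # assumption: the algorithm's TLD pool
LABEL_LEN = 12                  # assumption: length of the generated label


def daily_domains(day: dt.date, count: int = 20, seed: bytes = SEED) -> list[str]:
    """Derive `count` candidate domains for `day`. Anyone holding the seed and
    the algorithm gets the same list, which is what both sides rely on."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # Map digest bytes to letters a-z so the label looks like a hostname.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def first_live_domain(day, resolves):
    """Bot side: try the day's candidates in order and return the first one
    that resolves. `resolves(domain) -> bool` replaces a real DNS lookup."""
    for domain in daily_domains(day):
        if resolves(domain):
            return domain
    return None


def precompute_blocklist(start: dt.date, days: int, count: int = 20) -> set[str]:
    """Defender side: enumerate every domain the DGA can emit over a window so
    they can be blocked or sinkholed before the botmaster registers them."""
    blocklist = set()
    for offset in range(days):
        blocklist.update(daily_domains(start + dt.timedelta(days=offset), count))
    return blocklist


if __name__ == "__main__":
    today = dt.date(2024, 1, 1)   # fixed date so the output is reproducible
    print(daily_domains(today)[:3])
    print(len(precompute_blocklist(today, 30)), "domains for the next 30 days")
```

The defender's advantage here is exactly the bot's weakness: a deterministic algorithm plus a recovered seed lets the blue team register or sinkhole the domains first, which is why real families add per-sample seeds, external entropy or very large daily lists.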
DNS Spoofing
Also referred to as DNS Cache Poisoning, DNS Spoofing is a type of cyber attack (and a form of Pharming) aimed at compromising and manipulating Domain Name System data in a DNS resolver’s cache, resulting in the DNS server returning an incorrect result and routing internet traffic to a website or location chosen by the hacker.
DNS Tunneling
A method of cyber attack that encodes the data of other programs or protocols into DNS queries and responses, creating a two-way communication pathway that uses only DNS. Because DNS is almost always allowed out of a network and is rarely inspected for content, DNS tunneling bypasses most security measures (firewalls, anti-virus, web proxies, etc.) that protect against threats in the exchanged content/code.
DNS Exfiltration
Also referred to as DNS Data Exfiltration, this is the practice of removing data from a network by encoding information into DNS requests. DNS exfiltration allows hackers to remove data from a network without the need for a direct and open connection to the attacker. DNS exfiltration has proven effective because detecting it requires active monitoring of network traffic, and in many cases security infrastructure is more concerned with attacks originating from outside the network than with what leaves it.
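The two entries above describe the same mechanism from the attacker's and the defender's side, so one added example covers both (this is illustrative code, not zvelo's and not any real tunneling tool). The encoder shows why no open connection is needed: each chunk of data rides in the query name of an ordinary lookup that the victim's resolver forwards to the attacker's authoritative server. The detector shows what the “active monitoring” the entry refers to looks like in practice: per-client, per-zone counts of unique names, subdomain label length and label entropy. The resolver log format, the zone and the secret data are all constructed for the example.

```python
"""Carry data in DNS query names (tunneling/exfiltration) and flag it in a resolver log."""
import base64
import math
from collections import defaultdict

MAX_LABEL = 63       # RFC 1035 label limit
MAX_NAME = 253       # practical limit for a full domain name

# Constructed sample: the attacker's zone and the data being smuggled out.
EXFIL_ZONE = "exfil.example.net"
SAMPLE_SECRET = b"user=alice;pass=Tr0ub4dor&3;card=4111-1111-1111-1111;" * 3


def encode_for_dns(data: bytes, zone: str, chunk_bytes: int = 30) -> list[str]:
    """Split data into chunks, base32-encode each (base64 is unsafe because DNS
    names are case-insensitive) and build '<seq>.<chunk>.<zone>' query names."""
    names = []
    for seq, start in enumerate(range(0, len(data), chunk_bytes)):
        chunk = base64.b32encode(data[start:start + chunk_bytes]).decode().rstrip("=").lower()
        name = f"{seq}.{chunk}.{zone}"
        if len(chunk) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk_bytes too large for a DNS name")
        names.append(name)
    return names


def decode_from_dns(names: list[str]) -> bytes:
    """Attacker's server side: reassemble the chunks in sequence order,
    regardless of the order the queries arrived in."""
    chunks = {}
    for name in names:
        seq, chunk, _zone = name.split(".", 2)
        chunk = chunk.upper()
        chunks[int(seq)] = base64.b32decode(chunk + "=" * (-len(chunk) % 8))
    return b"".join(chunks[k] for k in sorted(chunks))


def shannon_entropy(s: str) -> float:
    """Bits per character; base32 payload labels score far above hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_dns_tunnels(log_lines, min_unique=5, min_label=30, min_entropy=2.5) -> dict:
    """Detector over '<client_ip> <qname>' lines (constructed log format).
    Groups queries by (client, registered zone) and flags groups with many
    unique names, long subdomain labels and high label entropy."""
    groups = defaultdict(lambda: {"qnames": set(), "max_label": 0, "max_entropy": 0.0})
    for line in log_lines:
        client, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        zone = ".".join(labels[-2:])            # crude registered-domain guess
        g = groups[(client, zone)]
        g["qnames"].add(qname)
        for label in labels[:-2]:
            g["max_label"] = max(g["max_label"], len(label))
            g["max_entropy"] = max(g["max_entropy"], shannon_entropy(label))
    return {
        key: {"unique": len(g["qnames"]), "max_label": g["max_label"],
              "max_entropy": round(g["max_entropy"], 2)}
        for key, g in groups.items()
        if len(g["qnames"]) >= min_unique
        and g["max_label"] >= min_label
        and g["max_entropy"] >= min_entropy
    }


def build_sample_log() -> list[str]:
    """Constructed resolver log: one tunneling client plus benign lookups."""
    tunnel = [f"10.0.0.5 {n}" for n in encode_for_dns(SAMPLE_SECRET, EXFIL_ZONE)]
    benign = ["10.0.0.5 www.example.com", "10.0.0.5 api.example.com",
              "10.0.0.7 mail.example.org", "10.0.0.7 www.example.org"]
    return tunnel + benign


if __name__ == "__main__":
    print(flag_dns_tunnels(build_sample_log()))
```

The thresholds are deliberately simple; in production the registered-domain split should use the public suffix list, and the same three signals are usually combined with query rate and NXDOMAIN ratio, since a tunnel also produces far more queries per minute than a browsing user.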
Exploit
An attack on a computer system that takes advantage of a particular bug or vulnerability, typically used to gain unauthorized access to a system. Exploits may come in the form of software (malware), uniquely formatted data blocks, or even a series of commands.
External Threat Hunting
External Threat Hunting is used to deliver an analysis of an organization’s exposed assets providing a view of an organization’s attack surface from an adversarial point of view. This is often used by organizations to understand how an adversary might view them to identify threats or exposures they are not aware of. This also helps to identify and contain emerging threats in the earliest stages — before they escalate and result in security breaches. Some organizations may choose to leverage external threat hunting services in lieu of, or sometimes prior to, penetration testing so that the weaknesses and vulnerabilities can be identified and fixed.
Homograph Attack (ASCII)
Also known as a homoglyph attack, this homograph attack uses cybersquatting and “script spoofing”, exploiting characters that appear similar (or nearly identical) to deceive users into connecting to an unknown remote server. ASCII characters are commonly used since there are a number of characters that appear similar or even identical, such as uppercase “i” and lowercase “L” (example: “google.com” vs “googIe.com”). Alternatively, there are a variety of character combinations that mimic other single characters, particularly with narrow-spaced fonts. For example, when combining “r” + “n”, “rnicrosoft.com” can pass for “microsoft.com” (both examples in ASCII).
Homograph Attack (IDN)
In an internationalized domain name (IDN) homograph attack, a threat actor leverages and exploits the similarities of different character scripts (non-ASCII) to fool users into visiting a phony/illegitimate site. In these attacks, the actor will register an internationalized domain (see Cybersquatting), often for the purpose of phishing, spreading malware, and other reasons. Character scripts such as Cyrillic, Greek, Latin, Chinese, and Japanese are most common in these forms of attacks. By far the most popular is the Cyrillic script which includes 11 lowercase glyphs that are nearly identical to the Latin versions. For example, the Unicode character U+043E, Cyrillic small letter o (“о”) may look identical to the Unicode character U+006F, Latin small letter o (“o”) used in English.
For example, “www.amazon.com” can be registered with the Latin “a” and “o” replaced by the Cyrillic “а” (U+0430) and “о” (U+043E). In most fonts the two names are indistinguishable on screen, but they are different domains: a search on this page for “amazon.com” (‘ctrl + f’ on PC, ‘cmd + f’ on Mac) matches only the true Latin-script name, and the Cyrillic version is sent to DNS in its Punycode form (an “xn--” label).
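An added example, not zvelo's code, that checks a domain for both kinds of homograph described in the two entries above: the ASCII confusables (capital I for lowercase l, “rn” for “m”) are resolved by folding the label to the string a human sees and comparing it with a watch-list of protected brand labels, and IDN mixed-script labels are detected by reading each character's script from its Unicode name. The brand list and the Cyrillic-to-Latin confusable table are small assumed subsets for illustration; the Cyrillic letters are written as escapes so the source itself is unambiguous.

```python
"""Detect ASCII and IDN homoglyph look-alikes of protected brand labels."""
import unicodedata

# Assumption: the brand labels a defender wants to protect.
PROTECTED_LABELS = {"google", "microsoft", "amazon"}

# ASCII confusables, applied before lowercasing because the capital-I-for-l
# trick only survives while the name is displayed in mixed case.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"), ("0", "o")]

# Assumption: Cyrillic letters whose lowercase glyphs match Latin ones.
#   а е о р с х у  ->  a e o p c x y
CYRILLIC_TO_LATIN = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0443", "aeopcxy"
)


def ascii_skeleton(label: str) -> str:
    """Fold an ASCII label to the string a human would read it as."""
    for src, dst in ASCII_CONFUSABLES:
        label = label.replace(src, dst)
    return label.lower()


def script_of(ch: str) -> str:
    """Script name taken from the first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, ...). Digits and the hyphen count as COMMON."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def scripts_in(label: str) -> set[str]:
    """Set of scripts used by a label, ignoring COMMON characters."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def classify(domain: str) -> dict:
    """Return the Punycode form, the scripts present in the first label, and
    which protected brand (if any) that label visually imitates."""
    label = domain.split(".")[0]
    scripts = scripts_in(label)
    result = {
        "domain": domain,
        "punycode": domain.encode("idna").decode("ascii"),
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "ascii_lookalike_of": None,
        "idn_lookalike_of": None,
    }
    if label.isascii():
        skeletons = {ascii_skeleton(b): b for b in PROTECTED_LABELS}
        folded = ascii_skeleton(label)
        if label.lower() not in PROTECTED_LABELS and folded in skeletons:
            result["ascii_lookalike_of"] = skeletons[folded]
    else:
        folded = label.translate(CYRILLIC_TO_LATIN).lower()
        if folded in PROTECTED_LABELS:
            result["idn_lookalike_of"] = folded
    return result


if __name__ == "__main__":
    for d in ("googIe.com", "rnicrosoft.com", "\u0430mazon.com", "google.com"):
        print(classify(d))
```

Two caveats a practitioner should keep in mind: DNS is case-insensitive, so “googIe.com” actually resolves as googie.com and only fools the eye in a rendered link or address bar; and a whole-script confusable (every letter Cyrillic, as in the all-Cyrillic apple.com demonstration from 2017) is not mixed-script at all, which is why the confusable fold is needed in addition to the script check.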
InActiveWeb
The InActiveWeb is made up of all the websites which are expired or have an unreachable status. Over time, legitimate websites may become inactive because they are no longer used, the business no longer exists, or the domain name registration simply expired. The InActiveWeb also includes sites which were flagged as malicious or phishing and have been taken down by law enforcement. This particular segment is unique because, while it’s not inherently dangerous, this is where the Malicious Cyber Actors (MCAs) carve a path into the ActiveWeb. As zvelo moves these domains to the InActiveWeb they are still tracked in case they become active again.
Keylogger
Also referred to as “keystroke logging”, keyloggers are used maliciously to harvest the keyboard inputs of users. Keyloggers may be used to gather specific types of inputs, or be triggered by certain keywords/phrases. When used in coordination with bots, keyloggers can be running on thousands of connected computers all over the world to help cybercriminals gather enormous amounts of sensitive information, such as usernames and passwords.
Living Off The Land at Scale (LOTLS)
LOTLS is the abbreviation for what zvelo calls Living Off The Land at Scale. Traditionally, Living Off The Land has been used to describe the actions of a threat actor who wants to remain in an environment long-term and avoid detection. In an enterprise network, threat actors would “live off the land” using the tools available and allowed in the environment, such as PowerShell, PsExec, the Windows Management Instrumentation Command-line (WMIC), and even Group Policy Objects (GPO), a more recent addition to this mix. In short, threat actors infiltrate the target environment and discover which tools they can use, and which ones are not well monitored, so they can simply persist unnoticed. LOTLS takes this concept and expands it by using cost-effective, if not free, hosted offerings to support their campaigns.
Low Quality Traffic (LQT)
Generally speaking, Low Quality Traffic is defined as traffic (web visitors) that do not engage, interact, or convert with the content on a web page. This type of traffic may come from bots/scripts/etc. (also Non-Human Traffic, NHT), click farms (companies paid to have employees manually click through websites to artificially inflate traffic), or because web content is not optimized for user intent—therefore they bounce. Low Quality Traffic can be identified by the source IP and algorithmically measuring on-page engagement.
Malicious
Malicious is characterized as the intent to do harm. In cybersecurity, or IT in general, malicious is a term used to refer to URLs or websites which are used by Malicious Cyber Actors (MCAs) to host viruses, exploits, malware, phishing scams, or other threats that can potentially cause harm to devices, networks and systems.
Malicious Cryptocurrency Mining
The malicious act of cryptocurrency mining refers to software applications and malware designed to “hijack” a computer’s resources (CPU and GPU cycles) to mine cryptocurrency without the user’s explicit permission.
Malicious Cyber Actors (MCA)
Malicious Cyber Actors (MCAs) are individuals or entities that perform malicious acts against other entities or individuals. MCAs may be responsible for malicious incidents which impact, or have the potential to impact, the safety or security of another. MCAs are also referred to as threat actors, malicious actors, or bad actors.
Malvertising
Malvertising is the practice of using online advertising to spread malicious software (“malware”). In most cases, it is executed by injecting malicious advertisements into legitimate advertising networks, where they compromise the browsers of web visitors or prompt the user to agree to terms via modals, forms, or pop-ups.
Malware
The word malware is derived from the combination of “malicious” and “software”. Malware is any software intentionally designed to cause harm or make changes to a computer, system, or data without appropriate consent. There are a number of types of malware, to list a few: adware, bots, ransomware, rootkits, spyware, trojans, viruses, and worms.
Malware Analysis
Malware Analysis is performed to discover hidden attackers actively working to exploit an organization’s network, identify latent infections, and analyze the captured payload. Malware analysis may be used by threat intelligence professionals or cyber defenders to identify Indicators of Compromise (IOCs) and malicious threats specific to an organization’s environment. This can be done proactively to assist an organization with developing appropriate incident response plans prior to being attacked. This may also be done during or after an attack to identify the scope of an incident, and to receive guidance on follow-up actions for the containment and remediation phases.
Malware Call-Home
Malware Call-Home occurs when active malware on a computer or network contacts, or attempts to contact, a remote “home” server (also known as C&C, command and control) to check for updates. Malware often attempts to reach out to remote servers to check for updates that will help it change/update its code to hide from detection by anti-virus software.
Man-in-the-Middle (MITM) Attack
A cyber attack in which the hacker positions themselves between two parties and compromises their communication while the data is en route. The hacker then impersonates one or both parties to intercept sensitive and confidential information before relaying it on to the intended destination. Though the hacker maintains the ability to alter or inject communications into the pathway, typically the hacker receives and relays most communications unaltered to their intended destination so as not to be detected.
Man-in-the-Disk Attack
An attack in which a hacker leverages vulnerabilities in a device’s storage handling to silently install unrequested and malicious applications, code, etc. “Man-in-the-Disk” was coined after researchers found vulnerabilities in the careless use of external storage by applications in the Android ecosystem.
Non-Human Traffic (NHT)
Non-Human Traffic is web traffic generated by bots, scripts, and code programmed to “surf” the web without any human guidance. Non-Human Traffic is a key identifier for ad fraud, a tremendous problem in the ad tech industry, inflating web traffic and engagement metrics like CPM and CPC (Cost Per Mille, i.e. per thousand impressions, and Cost Per Click, respectively). Non-Human Traffic can be algorithmically identified with page-level tools that look at browser window size, cursor movement, time on page, number of clicks, and more.
Payload
The element or elements of a program that are specifically designed to cause harm or perform malicious actions on a computer, network, or system.
Pharming
Pharming is a cyber attack designed to redirect internet traffic to an unintended site or location. Hackers and bad actors can reroute internet requests and traffic by compromising the hosts file on a victim’s computer or through exploitation of a vulnerability in DNS software. By compromising a DNS server, hackers can temporarily override DNS data, thereby redirecting traffic. Compromised DNS servers are often referred to as “poisoned”.
See DNS Spoofing.
Phishing
Phishing is a “scam” and form of internet fraud in which bad actors attempt to deceive internet users into revealing sensitive personal information. In its original and most common form, the attack is initiated via an email purporting to be from a reputable or legitimate source. Inside the email, the attacker urges the victim to act in some way and includes (“hides”) a malicious link. When clicked, that link takes the victim to a fraudulent or compromised webpage. From there, the victim is prompted to enter sensitive personal information (i.e. username, email, password, credit card information, etc.). Phishing webpages can appear nearly identical to their authentic counterparts. Mobile phishing attacks that take advantage of simplified user interfaces and design choices intended to improve “usability” on smaller devices have become particularly effective.
Over the years, phishing attacks have grown increasingly sophisticated—and are now executed using a variety of communication methods including email, apps, SMS text messages (aka “SMiShing”), and even via phone calls (referred to as Voice Phishing, or “Vishing”).
ProActiveWeb
The ProActiveWeb is a segment which is a precursor to sites becoming part of the ActiveWeb. Our zveloPI service is focused on detecting and analyzing the ProActiveWeb for threats and suspicious activity proactively, before they become part of the ActiveWeb. Think of this as the “pre-history” of the ActiveWeb. zvelo actively monitors signals from the ProActiveWeb, like Top Level Domain (TLD) registration activity and a range of signals using predictive threat intelligence insights, to detect threats before they become part of the ActiveWeb, providing partners with unique insights and a competitive edge in their respective markets.
Ransomware
Ransom malware, or ransomware, is malicious software that prevents users from accessing their system, personal files, and other data, typically through encryption, while demanding a ransom payment to reinstate access. Alternatively, ransomware campaigns may threaten to publish personal or sensitive materials if a ransom is not paid.
Remote Code Execution
The ability of a hacker to run code of their choosing on a computer or device from a remote location, over the network and without physical access to the machine, typically by exploiting a vulnerability in software that accepts network input. Remote code execution is among the most severe classes of vulnerability because it lets the attacker install malware, change configuration, or pivot further into the network.
Rootkit
A Rootkit is a set of software tools enabling an unauthorized user to gain control of a computer system, typically without any form of notification, making it difficult to detect. Rootkits are a critical utility employed by an Advanced Persistent Threat (APT).
SMiShing
Short for SMS Phishing, SMiShing is a form of phishing attack where the hacker tricks the user into clicking a link, disclosing sensitive information, or downloading a trojan, virus, or other piece of malware using the text (SMS) features on their cellular phone or mobile device.
Sniffing
Sniffing, in the context of network security, is the act of capturing network traffic (data, packets, and information) for monitoring and analysis. A sniffing attack refers to the interception or theft of network traffic for malicious purposes, whether to gain insights into network habits and vulnerabilities or to capture credentials and other sensitive data sent in the clear.
Spear Phishing
A form of phishing, spear phishing is a “targeted” attack: fraudulent emails purporting to be from a reputable and trustworthy source are sent to a particular individual or group (such as a company) in order to trick them into revealing sensitive information or exposing vulnerabilities.
Spyware
Spyware is a generic term for unwanted software designed and intended to infiltrate a computer, device, or network. Once it infects a system, it maintains a presence there while it gathers information about browser and internet usage habits and other data. That data can be used against the target in malicious campaigns or sold for profit by the spyware orchestrator.
Social Engineering
Social engineering is the practice of using psychological manipulation as well as social norms to deceive individuals into revealing sensitive and confidential information, including providing access to computers or systems that may hold those types of information. The creation of fake accounts on social media platforms, targeted phishing attacks, and telephone/ransom scams are all examples of social engineering at work.
Tor
Tor is an acronym for “The Onion Router” and is a free, anonymous communication network. It is supported by volunteers worldwide who maintain an overlay network that is used to route internet traffic anonymously, thereby circumventing unwanted traffic surveillance and analysis.
Trojan
A Trojan horse, or Trojan, is any malicious software program that deceives users as to its true intent: to infiltrate and compromise the computer, network, or device and spread malware. Trojans are typically distributed through forms of social engineering and phishing.
Tactics, Techniques, and Procedures (TTP)
Tactics, Techniques, and Procedures (TTPs) is a key concept in cybersecurity and threat intelligence. The purpose is to identify patterns of behavior, from the high-level goal (tactic) down to the specific tools and steps (techniques and procedures), which can be used to recognize a particular threat actor and defend against the specific strategies and threat vectors they use.
Vishing
The equivalent of a phishing attack using a telephone or VOIP (Voice Over Internet Protocol) network. Vishing attacks are fraudulent attempts to scam a victim into revealing sensitive information used for identity theft, credit card fraud, and more.
Virus
A malicious program or piece of code designed to alter the standard behavior of a computer and spread from host to host, replicating itself to infect more and more devices. Viruses use computer files and programs in order to execute code and reproduce. Viruses may be programmed to damage systems and files through corruption. Common signs of an infected machine are: increased CPU usage, spam emails, frequent pop-up windows, computer crashes, and changes to the operating system or to the interfaces of other programs.
War Driving
In War Driving, groups and individuals drive around looking for available Wireless Access Points (WAP) and test default credentials to gain access. War Drivers then report their discoveries to a community of users, via sites such as Wigle, looking to take advantage of free WiFi. While some members of the community are just seeking to take advantage of someone else’s WiFi, others are specifically looking for vulnerabilities which can be used to exploit home or business networks.
Whaling
A targeted phishing attack in which the cybercriminal purports to be an executive or senior official of an organization in order to deceive senior members of that or another organization into transferring money, revealing sensitive information, or otherwise granting access to computer systems.
Worm
A computer worm is a form of malicious software that replicates (reproduces) itself for the purpose of spreading from machine to machine. Worms often rely on vulnerabilities in network security protocols and the network itself to propagate.
Zero-day
A Zero-day is a computer or software vulnerability that is unknown to the security professionals (or the vendor) who could mitigate its damaging effects. A zero-day attack is one in which hackers exploit such a vulnerability before it is known to defenders. The term may refer to the period before the vulnerability has ever been revealed, or to the window after the initial disclosure but before a patch or mitigation is available.
Zombie
Zombie refers to an internet-connected computer that has been compromised by a hacker using a trojan horse, virus, or worm. The computer/device then performs malicious tasks and attempts to compromise systems or other computers without physical engagement from an operator. The hacker or bad actor can remotely operate a compromised “zombie” computer. Devices that contribute to DDoS attacks are forms of zombies.
We hope that this list of definitions has been helpful! The threat landscape is constantly changing with new vulnerabilities appearing almost daily. If you’d like to help contribute to this growing definitions list, contact our support team.
If you’d like to learn more about zvelo’s award-winning solutions, check out the following: