Terms and definitions curated by the Intel 471 team.
Account Takeover (ATO)
A form of identity theft in which the criminal obtains access to a victim's bank, credit card accounts or business systems — through a data breach, malware or phishing — and uses them to make unauthorized transactions.
Malicious software designed to steal account information related to card payments, online banking and e-payment gateways.
Bulletproof Hosting (BPH)
Hosting services that are lenient about the kinds of activity and material they allow their customers to upload and distribute. These services generally are immune to law enforcement or takedown efforts. Malware and illegal websites are commonly hosted on these types of providers.
Business Email Compromise (BEC)
Credit or debit card information obtained, sold or used by unauthorized individuals. Also known as "payment card fraud."
Malware that targets a computer's clipboard, particularly for the purpose of hijacking a cryptocurrency transaction to swap a wallet address with one owned by the malware author.
Command and Control (C2)
A server controlled by a hacker or other cybercriminal and used maliciously to issue commands to systems that have already been exploited or compromised by malware. The hacker also uses these servers to covertly receive the desired data from the compromised machines on the target network.
In the context of malware, cryptocurrency mining (also called cryptomining or cryptojacking) refers to malware designed to use a device’s CPU resources to mine cryptocurrency without authorization.
Denial of Service
Distributed Denial of Service (DDoS)
A denial of service technique that uses numerous hosts to perform the attack.
Schemes to manufacture, counterfeit, alter, sell and/or use identity documents and other fraudulent documents. Also known as "identity fraud."
A DNS technique used by bulletproof hosting services that hides phishing and malware delivery sites behind an ever-changing network of hosts.
The practice of collecting and analyzing data from computer systems, networks, wireless communications, and storage devices that supports an investigation.
The full financial information tied to a payment card beyond standard account information. "Fullz" often include a Social Security Number, date of birth and associated publicly identifiable information.
The geographical location of a person based on the digital information given off by their internet-connected device.
The process by which security operations prepare for, identify, contain, and recover from a security event.
Indicator of Compromise (IoC)
Evidence found on a computer network or operating system that, with high confidence, indicates a computer intrusion.
Malicious software designed to gather information from a system such as login credentials, keystrokes and screenshots of sensitive information.
Malicious software used to compromise networked devices, such as IoT devices, which are then used for nefarious purposes such as forming botnets to launch network attacks.
The use of a computer program to record every keystroke made by a computer user, particularly to gain fraudulent access to passwords and other confidential information.
Techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gain access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain access. Adversaries might install their own remote access tools to accomplish lateral movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
Malicious software designed to download and/or drop malicious payload code onto an infected computer system. Also referred to as a "dropper."
Malicious spam is a popular method for delivering emails in bulk that contain infected documents or links, redirecting users to websites that contain other malware.
A person who transfers money acquired illegally (e.g., stolen) in person, through a courier service, or electronically, on behalf of others. Typically, the mule is paid for services with a small part of the money transferred.
A type of brute-force attack in which a malicious actor uses a single password against targeted user accounts before moving to attempt a second password, and so on.
Pay-Per-Install (PPI) Scam
A scam in which botnets are used to generate money for their operators. A compromised computer is instructed to install a software package via the bot's command and control system. The bot operator then receives payment and, after a short period of time, uninstalls the software package and installs a new one.
An authorized, simulated cyberattack on a computer system, performed to evaluate the security of the system.
Protected health information (PHI) is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services.
Stands for personally identifiable information: information that, when used alone or with other relevant data, can identify an individual. PII may contain direct information (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.
Malicious software designed to steal information related to financial transactions such as payment card data from compromised PoS (point of sale) devices.
Techniques adversaries use to gain higher-level permissions on a system or network. Adversaries often can enter and explore a network with unprivileged access, but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations and vulnerabilities. These techniques often overlap with persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
A demonstration that in principle shows how a system may be protected or compromised, without the necessity of building a complete working vehicle for that purpose.
Malicious software, specifically a type of trojan, used to turn an infected computer system into a proxy server from which an attacker can stage nefarious activities anonymously.
Malicious software used to block access to a computer system or specific data, either until a ransom is paid or indefinitely. Attackers often use ransomware to lock systems and then threaten to publish the victim’s data.
Services typically sold or leased as an affiliate program to other cybercriminals for launching ransomware attacks and sharing profits.
The process of identifying critical technical, personnel and organizational elements of intelligence in order to learn how best to attack a network (in the case of a bad actor) or set up defenses for a network (in the case of a defensive security team).
Remote Access Trojan (RAT)
Remote Desktop Protocol (RDP)
A network communications protocol developed by Microsoft that allows users to remotely connect to another computer. It is often targeted by adversaries, who use it as a primary way to enter a network system.
The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources.
The detection, assessment, and prioritization of risks through the implementation of choices to track, control, and minimize the possibility or effect of unfortunate events.
A form of payment card fraud whereby a payment page on a website is compromised using a malicious script.
Secure Shell Protocol is a cryptographic network protocol for operating network services securely over an unsecured network.
A class of monitoring software or spyware that is used to stalk a victim.
Subscriber Identity Module (SIM) Swapping
A network protocol that allows a user on one computer to log into another computer that is part of the same network.
Traffic Redistribution System
Virtual network computing (VNC) is a graphical desktop-sharing application that uses a remote frame buffer protocol to remotely control another computer. This form of desktop sharing transmits keyboard and mouse events from one system to another over the network based on screen updates.
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat actor.
A class of malware which wipes the hard drive of the computer it infects.