Glossary | Intel471 Skip to content


Terms and definitions curated by the Intel 471 team.

Homepage Hero

Account Takeover (ATO)

A form of identity theft in which the criminal obtains access to a victim's bank, credit card accounts or business systems — through a data breach, malware or phishing — and uses them to make unauthorized transactions.

Account Takeover (ATO)

Active Directory

A Microsoft technology used to manage computers and other devices on a network. Active Directory allows network administrators to create and manage domains, users, and objects within a network.

ATM Malware

Malicious software designed to steal financial information and/or cash from ATMs by exploiting vulnerabilities in the machine’s hardware or software.

Attack Surface Management

An attack surface is the sum of an organization’s internet-facing entry points that a threat actor can use to infiltrate a network.


Banking Trojan

Malicious software designed to steal account-related information related to card payments, online banking and e-payment gateways.

Blue Team

A group who performs analysis of information systems to identify security flaws, verify the effectiveness of each security measure, and to make certain all security measures will continue to be effective after implementation.

Blue Team


A collection of internet-connected devices, referred to as bots, that are commanded and controlled by malicious actors to carry out nefarious activities.


Brute Force

A credential attack method used to crack the username and password of accounts through repeated trial and error.
Brute Force

Bulletproof Hosting (BPH)

Hosting services that are lenient about the kinds of activity and material they allow their customers to upload and distribute. These services generally are immune to law enforcement or takedown efforts. Malware and illegal websites are commonly hosted on these types of providers.

Business Email Compromise (BEC)

A scam that relies heavily on social engineering tactics to trick unsuspecting employees and executives into executing fraudulent wire transfer payments, mainly through corporate email.
Business Email Compromise (BEC)


Credit or debit card information obtained, sold or used by unauthorized individuals. Also known as "payment card fraud."


The process of transferring illicit proceeds to a threat actor or designated representative. Common methods include ATM withdrawals, purchasing digital currencies, transferring funds to online payment platforms or buying goods or gift cards. Typically at the final stage of a fraudulent scheme.


Malware that targets a computer's clipboard, particularly for the purpose of hijacking a cryptocurrency transaction to swap a wallet address with one owned by the malware author.

Command and Control (C2)

A server in control of a hacker or any cybercriminal, which is maliciously used for commanding the various systems that have already been exploited or compromised by malware. These servers are also used for receiving the desired data by the hacker from the compromised machines covertly on the target network.


The act of making malicious code fully undetectable through encryption, making it more difficult for antivirus signature detection.


With regard to malware, cryptocurrency mining, cryptomining, or cryptojacking is malware designed to use a device’s CPU resources to mine cryptocurrency without authorization.


Cyber Insurance

Cyber insurance is an insurance policy that covers an organization business in the event of a cyber attack or data breach where customer information or business continuity is impacted.
Cyber Insurance

Data Breach

The intentional or unintentional release of secure or private/​confidential information to an untrusted environment.
Data Breach

Data Dump

The transfer of a large amount of data between two systems, often over a network connection.

Denial of Service

An attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.
Denial of Service

Distributed Denial of Service (DDoS)

A denial of service technique that uses numerous hosts to perform the attack.

Distributed Denial of Service (DDoS)

Document Fraud

Schemes to manufacture, counterfeit, alter, sell and/or use identity documents and other fraudulent documents. Also known as "identity fraud."

Drop Accounts

Bank accounts, typically online banking or e-commerce, used for receiving illicit funds for cashout or laundering purposes. Typically controlled or compromised by threat actors.


A computing device that communicates back and forth with a network to which it is connected.


When malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation

Exploit Kit

Sets of malicious software, often automated, that utilize compromised websites to divert web traffic, scan for vulnerable browser-based applications and run malware.

Fast Flux

A DNS technique used by bulletproof hosting services that hides phishing and malware delivery sites behind an ever-changing network of hosts.


The practice of collecting and analyzing data from computer systems, networks, wireless communications, and storage devices that supports an investigation.


The full financial information tied to a payment card beyond standard account information. "Fullz" often include a Social Security Number, date of birth and associated publicly identifiable information.



The geographical location of a person based on the digital information given off by their internet-connected device.


Incident Response

The process by which security operations prepare for, identify, contain, and recover from a security event.

Indicator of Compromise (IoC)

Evidence found on a computer network or operating system that, with high confidence, indicates a computer intrusion.

Information Stealer

Malicious software designed to gather information from a system such as login credentials, keystrokes and screenshots of sensitive information.

Insider Threat

The potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.
Insider Threat

IoT Malware

Malicious software used to compromise networked devices, such IoT devices, then used for nefarious purposes such as forming botnets to launch network attacks.


Internet Protocol (IP) is the communication standard used to uniquely identify systems on a computer network or across the internet. Networked systems are each assigned an IP address, which is used to uniquely identify and locate that system for the purpose of data transmission.


The use of a computer program to record every keystroke made by a computer user, particularly to gain fraudulent access to passwords and other confidential information.


Lateral Movement

Techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gain access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain access. Adversaries might install their own remote access tools to accomplish lateral movement or use legitimate credentials with native network and operating system tools, which may be stealthier.


Malicious software designed to download and/or drop malicious payload code onto an infected computer system. Also referred to as a "dropper."



Malicious spam is a popular method for delivering emails in bulk that contain infected documents or links, redirecting users to websites that contain other malware.


The use of online advertising to spread malware typically involving injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.

Malware as-a-Service

The lease of software or hardware for developing, testing and/or distributing malware.

Mobile Malware

Malicious software designed to compromise devices such as phones, smartwatches and tablets to steal sensitive financial and personal information and to gain remote access.

Money Mules

A person who transfers money acquired illegally (e.g., stolen) in person, through a courier service, or electronically, on behalf of others. Typically, the mule is paid for services with a small part of the money transferred.

Money Mules

Multi-factor Authentication

An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.

Network Sniffing

Network sniffing, or packet sniffing, is the practice of gathering, collecting, and logging some or all packets that pass through a computer network, regardless of how the packet is addressed. In this way, every packet, or a defined subset of packets, may be gathered for further analysis.

Password Spraying

A type of brute-force attack in which a malicious actor uses a single password against targeted user accounts before moving to attempt a second password, and so on.

Pay-Per-Install (PPI) Scam

A scam when botnets are used to generate money for their operators. A compromised computer is instructed to install a software package via the bot's command and control system. The bot operator then receives payment and, after a short period of time, uninstalls the software package and installs a new one.

Penetration Testing

An authorized, simulated cyberattack on a computer system, performed to evaluate the security of the system.


Techniques adversaries use to keep access to systems across restarts, changed credentials and other interruptions that could cut off their access. Techniques used for persistence include any access, action or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.


Protected health information (PHI) is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services.


The fraudulent practice of masquerading as a legitimate or reputable entity to trick a victim into revealing personal information, such as passwords or payment card details. Mostly done through email.


Stands for personally identifiable information. Information that when used (alone or with other relevant data) can identify an individual. PII may contain direct information (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.

Point-of-Sale Malware

Malicious software designed to steal information related to financial transactions such as payment card data from compromised PoS (point of sale) devices.

Privilege Escalation

Techniques adversaries use to gain higher-level permissions on a system or network. Adversaries often can enter and explore a network with unprivileged access, but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations and vulnerabilities. These techniques often overlap with persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

Proof-of-Concept (PoC)

A demonstration that in principle shows how a system may be protected or compromised, without the necessity of building a complete working vehicle for that purpose.

Proxy Malware

Malicious software, specifically a type of trojan, used to turn an infected computer system into a proxy server from which an attacker can stage nefarious activities anonymously.



Malicious software used to perpetually block access to a computer system or specific data until a ransom is paid or indefinitely. Attackers often use ransomware to lock systems and then threaten to publish the victim’s data.


Ransomware-as-a-Service (RaaS)

Services typically sold or leased as an affiliate program to other cybercriminals for launching ransomware attacks and sharing profits.


The process of identifying critical technical, personnel and organizational elements of intelligence in order to learn how to best attack an network (in the case of a bad actor) or set up defense for a network (in the case of a defensive security team).


Red Team

A group that performs the role of a threat actor in order to provide security feedback.
Red Team

Remote Access Trojan (RAT)

Malicious software designed to allow attackers to monitor and control a computer system or network remotely.
Remote Access Trojan (RAT)

Remote Desktop Protocol (RDP)

A network communications protocol developed by Microsoft, which allows users to remotely connect to another computer. Often a target for adversaries, used as a primary way to enter a network system.


The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources.

Risk Management

The detection, assessment, and prioritization of risks through the implementation of choices to track, control, and minimize the possibility or effect of unfortunate events.

Rogue Certificate

Stolen digital certificates actors use to sign malicious software or impersonate legitimate websites.

Security Operations

The practices and teams devoted to preventing, detecting, assessing, monitoring, and responding to cybersecurity threats and incidents inside enterprises.


A form of payment card fraud whereby a payment page on a website is compromised using a malicious script.


The fraudulent practice of tricking a user into revealing sensitive personal data or sending money via a text or SMS message.

Social Engineering

The fraudulent practice of tricking social media users into revealing sensitive personal data or sending money. Types include romance scams, sextortion, imposter scams and more.

Spear Phishing

The fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information.
Spear Phishing


Secure Shell Protocol is a cryptographic network protocol for operating network services securely over an unsecured network.



A class of monitoring software or spyware that is used to stalk a victim.

Subscriber Identity Module (SIM) Swapping

A type of account takeover fraud that targets a weakness in short message service (SMS)-based two-factor authentication (2FA) and two-step verification by tricking a target’s mobile carrier into transferring someone’s wireless service to a device controlled by an illicit actor.


A network protocol that allows a user on one computer to log into another computer that is part of the same network.

Third-Party Breaches

A third-party breach occurs when an attacker targets an organization through its connections with third-party suppliers, vendors, contractors, or partners.

Third-Party Compromised Credentials

Credentials in terms of cyber threat intelligence (CTI) refer to methods used to verify a users identity, commonly these are a username and password. These credentials are classified as compromised credentials when an unauthorized user gains possession of them.

Third-Party Risk

The risk that arises from organizations relying on outside parties to perform services or activities on their behalf, particularly associated with cybersecurity.

Third-Party Vulnerabilities

The leveraged vulnerability that enables a devastating data breach or launches an expensive ransomware attack may not even be within your own organization.

Threat Hunting

The process of proactively searching through networks to detect and isolate advanced threats that evade existing security solutions.
Threat Hunting

Traffic Redistribution System

Services that buy and sell web traffic to direct web users from one website to another, typically to distribute malware.


The fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers.


Virtual network computing (VNC) is a graphical desktop-sharing application that uses a remote frame buffer protocol to remotely control another computer. This form of desktop sharing transmits keyboard and mouse events from one system to another over the network based on screen updates.


Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat actor.


Web Injects

Modules or packages used in financial malware that typically inject hypertext markup language (HTML) or JavaScript code into content before it’s rendered on a web browser, altering what the unsuspecting user sees on the browser, as opposed to what’s actually sent by the server.


A class of malware which wipes the hard drive of the computer it infects.


A self-replicating, stand-alone software program designed to spread throughout a network without human assistance.

A Ransomware Forecast for 2023


There were signs of change in 2022 for ransomware. We explore what defenders may see this year.

Read full article

GIR Handbook

Get our Cyber Underground Handbook.