Chapter 6:
Computer Fraud & Abuse Techniques

Computer Attacks & Abuse

hacking- unauthorized access, modification, or use of an electronic device or some element of a computer system

hijacking- gaining control of someone else's computer to carry out illicit activities, such as sending spam, without the computer user's knowledge

botnet- a network of powerful and dangerous hijacked computers that are used to attack systems or to spread malware

zombie- a hijacked computer, typically part of a botnet, that is used to launch a variety of internet attacks

bot herder- the person who creates a botnet by installing software on PCs that responds to the bot herder's electronic instructions

denial-of-service (DoS) attack- the attacker sends so many email bombs or web page requests, often from randomly generated false addresses, that the internet service provider's email server or the web server is overloaded and shuts down

spamming- simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something

dictionary attack- using special software to guess company email addresses and send them blank email messages. Unreturned messages are usually valid email addresses that can be added to spammer email lists

splog- spam blogs created to increase a website's Google PageRank, which is a measure of how often a web page is referenced by other web pages

spoofing- altering some part of an electronic communication to make it look as if someone else sent the communication, in order to gain the trust of the recipient

MAC address- A Media Access Control address is a hardware address that uniquely identifies each node on a network

caller ID spoofing- displaying an incorrect number on the recipient's caller ID display to hide the caller's identity

email spoofing- making a sender address and other parts of an email header appear as though the email originated from a different source

IP address spoofing - creating Internet Protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system

Address Resolution Protocol (ARP) spoofing- sending fake ARP messages to an Ethernet LAN. ARP is a computer networking protocol for determining a network host's hardware address when only its IP or network address is known

SMS spoofing - using short message service (SMS) to change the name or number a text message appears to come from

web-page spoofing- see phishing

DNS spoofing- sniffing the ID of a Domain Name System (DNS, the "phone book" of the Internet that converts a domain, or website name, to an IP address) request and replying before the real DNS server does

zero-day attack - an attack between the time a new software vulnerability is discovered and "released into the wild" and the time a software developer releases a patch to fix the problem

patch- code released by software developers that fixes a particular software vulnerability

cross-site scripting (XSS)- a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website

buffer overflow attack- when the amount of data entered into a program is greater than the input buffer can hold. The overflowing input overwrites the next computer instruction, causing the system to crash. Hackers exploit this by crafting the input so that the overflow contains code that tells the computer what to do next. This code could open a back door into the system

SQL injection (insertion) attack- inserting a malicious SQL query in input such that it is passed to and executed by an application program. This causes the application to run SQL code that it was not intended to execute

man-in-the-middle (MITM)- a hacker placing himself between a client and a host to intercept communications between them

masquerading/impersonation- gaining access to a system by pretending to be an authorized user. This requires that the perpetrator know the legitimate user's ID and password

piggybacking

  • tapping into a communications line and electronically latching onto a legitimate user who unknowingly carries the perpetrator into the system
  • the clandestine use of a neighbor's Wi-Fi network
  • an unauthorized person following an authorized person through a secure door, bypassing physical security controls

password cracking- when an intruder penetrates a system's defenses, steals the file containing valid passwords, decrypts them, and uses them to gain access to programs, files and data

war dialing- programming a computer to dial thousands of phone lines searching for dial-up modem lines. Hackers attach to the modem and access the network to which it is connected

war driving- driving around looking for unprotected home or corporate wireless networks

war rocketing- using rockets to let loose wireless access points attached to parachutes that detect unsecured wireless networks

phreaking- attacking phone systems to obtain free phone line access; to use phone lines to transmit malware; and to access, steal and destroy data

data diddling- changing data before or during entry into a computer system in order to delete, alter, add or incorrectly update key system data.

data leakage- the unauthorized copying of company data, often without leaving any indication that it was copied

podslurping- using a small device with a storage capacity (iPod, flash drive) to download unauthorized data from a computer.

salami technique- stealing tiny slices of money from many different accounts

round-down fraud- instructing the computer to round down all interest calculations to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer's account

economic espionage- theft of information, trade secrets and intellectual property

cyber-extortion- threatening to harm a company or a person if a specified amount of money is not paid

cyber-bullying- using computer technology to support deliberate, repeated and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person

sexting- exchanging sexually explicit text messages and revealing pictures with other people, usually by means of a phone

internet terrorism- using the internet to disrupt electronic commerce and harm computers and communications

internet misinformation- using the internet to spread false or misleading information

email threats- threats sent to victims by email. The threats usually require some follow-up action, often at great expense to the victim

internet auction fraud- using an internet auction site to defraud another person

internet pump-and-dump fraud- using the internet to pump up the price of a stock and sell it

click fraud- manipulating the number of times an ad is clicked on to inflate advertising bills

web cramming- offering a free website for a month, developing a worthless website, and charging the phone bill of the people who accept the offer for months, whether they want to continue using the websites or not

software piracy- the unauthorized copying or distribution of copyrighted software

Social Engineering

meaning- the techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network. The usual goal is to get the information needed to obtain confidential data

human traits exploited to entice a person

  1. compassion
  2. greed
  3. sex appeal
  4. sloth
  5. trust
  6. urgency
  7. vanity

ways to minimize social engineering

  1. never let people follow you into a restricted building
  2. never log in for someone else on a computer, especially if you have administrative access
  3. never give sensitive information over the phone or through e-mail
  4. never share passwords or user IDs
  5. be cautious of anyone you do not know who is trying to gain access through you

identity theft- assuming someone's identity, usually for economic gain, by illegally obtaining confidential information such as a Social Security number, a bank account number, or a credit card number

pretexting- using an invented scenario (the pretext) that creates legitimacy in the target's mind in order to increase the likelihood that a victim will divulge information or do something

phishing- sending an electronic message pretending to be from a legitimate company, usually a financial institution, requesting information or verification of information and often warning of a consequence if it is not provided. The request is bogus, and the information gathered is used to commit identity theft or to steal funds from the victim's account

posing- creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering the product

vishing- voice phishing; it is like phishing except that the victim enters confidential data by phone

carding- activities performed on stolen credit cards, including making a small online purchase to determine whether the card is still valid and buying and selling stolen credit card numbers

pharming- redirecting website traffic to a spoofed website

evil twin- a wireless network with the same name (Service Set Identifier) as a legitimate wireless access point. Users are connected to the twin because it has a stronger wireless signal or the twin disrupts or disables the legitimate access point. Users are unaware that they connect to the evil twin and the perpetrator monitors the traffic looking for confidential information

typosquatting/URL hijacking- setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site

QR barcode replacements- fraudsters cover valid Quick Response codes with stickers containing a replacement QR code to fool people into going to an unintended site that infects their phones with malware

tabnapping- secretly changing an already open browser tab in order to capture user IDs and passwords when the victim logs back into the site

scavenging / dumpster diving- searching documents and records to gain access to confidential information. Scavenging methods include searching garbage cans, communal trash bins, and city dumps

shoulder surfing- when perpetrators look over a person's shoulder in a public place to get information such as ATM PIN numbers or user IDs and passwords

Lebanese looping- inserting a sleeve into an ATM that prevents it from ejecting the card. The perpetrator pretends to help the victim, tricking the person into entering the PIN again. Once the victim gives up, the thief removes the card and uses it and the PIN to withdraw money

skimming- double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, hand-held card reader that records credit card data for later use

chipping- planting a small chip that records transaction data in a legitimate credit card reader. The chip is later removed or electronically accessed to retrieve the data recorded on it

eavesdropping- listening to private communications or tapping into data transmissions intended for someone else. One way to intercept signals is by setting up a wiretap

Malware

meaning- any software that is used to do harm

spyware- software that secretly monitors computer usage, collects personal information about users, and sends it to someone else, often without the computer user's permission

causes

  • downloads such as file-sharing programs, system utilities, games, wallpaper, screen savers, music and videos
  • websites that secretly download spyware, called drive-by downloading
  • hackers using security holes in web browsers and other software
  • malware masquerading as antispyware security software
  • worm or virus
  • public wireless network

adware- spyware that causes banner ads to pop up on a monitor, collects information about the user's web-surfing and spending habits, and forwards it to the adware creator, often an advertising or media organization.
-comes bundled with freeware and shareware downloaded from the internet

torpedo software- software that destroys competing malware
-results in "malware warfare" between competing malware developers

scareware- malicious software of no benefit that is sold using scare tactics

ransomware- software that encrypts programs and data until a ransom is paid to remove it

keylogger- software that records computer activity, such as a user's keystrokes, emails sent and received, websites visited and chat session participation

trojan horse- a set of unauthorized computer instructions in an authorized and otherwise properly functioning program

time/logic bomb- a program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the program sabotages the system by destroying programs and data

trap/back door- a set of computer instructions that allows a user to bypass the system's normal controls

packet sniffers- programs that capture data from information packets as they travel over the internet or company networks
-to find confidential or proprietary information

steganography program- program that can merge confidential information with a seemingly harmless file, password protect the file, and send it anywhere in the world, where the file is unlocked and the confidential information is reassembled

rootkit- software that conceals system components and malware from the operating system and other programs; it can also modify the operating system

superzapping- unauthorized use of a special system program to bypass regular system controls and perform illegal acts

  • such programs were originally written to handle emergencies, such as restoring a crashed system

virus- a segment of executable code that attaches itself to a file, program or some other executable system component
-when the hidden program is triggered, it makes unauthorized alterations to the way a system operates

worm- similar to a virus, except that it is a program rather than a code segment hidden in a host program
-copies itself automatically and actively transmits itself directly to other systems

bluesnarfing- stealing (snarfing) contact lists, images and other data using flaws in Bluetooth applications

bluebugging- taking control of someone else's phone to make or listen to calls, send or read text messages, connect to the victim's calls, and call numbers that charge fees