COMPUTER FRAUD AND ABUSE TECHNIQUE
SOCIAL ENGINEERING
Identity Theft
Assuming someone's identity, usually for economic gain, by illegally obtaining confidential information such as a social security number, bank account, or credit card number
Pretexting
Using an invented scenario that creates legitimacy in the target's mind in order to increase the likelihood that a victim will divulge information or do something
Posing
Creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering the product
Phishing
Sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information and often warning of a consequence if it is not provided. The information gathered is used to commit identity theft or to steal funds from the victim's account.
Voice Phishing / Vishing
- It is like phishing except the victim enters confidential data by phone
Carding
Activities performed on stolen credit cards, including making a small online purchase to determine whether the card is still valid and buying and selling stolen credit card numbers.
Pharming
Redirecting website traffic to a spoofed website
Evil twin
A wireless network with the same name (Service Set Identifier) as a legitimate wireless access point. Users are connected to the twin because it has a stronger wireless signal or the twin disrupts or disables the legitimate access point. Users are unaware that they connect to the evil twin and the perpetrator monitors the traffic looking for confidential information.
Typosquatting / URL Hijacking
Setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site
Scavenging / Dumpster Diving
Searching documents and records to gain access to confidential information. Scavenging methods include searching garbage cans, communal trash bins and city dumps.
Shoulder Surfing
When perpetrators look over a person's shoulders in a public place to get information such as ATM PIN numbers or user IDs and passwords
Lebanese Looping
Inserting a sleeve into an ATM that prevents it from ejecting the card. The perpetrator pretends to help the victim, tricking the person into entering the PIN again. Once the victim gives up, the thief removes the card and uses it and the PIN to withdraw money.
Skimming
Double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, hand-held card reader that records credit card data for later use
Chipping
Planting a small chip that records transaction data in a legitimate credit card reader. The chip is later removed or electronically accessed to retrieve the data recorded on it.
Eavesdropping
Listening to private communications or tapping into data transmissions intended for someone else. One way to intercept signals is by setting up a wiretap
COMPUTER ATTACK AND ABUSE
Hacking
Unauthorized access, modification, or use of an electronic device or some element of a computer system.
Spamming
Simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something
Software Piracy
The unauthorized copying or distribution of copyrighted software
Click Fraud
Manipulating the number of times an ad is clicked on to inflate advertising bills
Cryptocurrency Fraud
Defrauding investors in a variety of cryptocurrency-related fraud schemes, such as fake initial coin offerings and fake exchanges and wallets
Internet-Pump-and-Dump
Using the internet to pump up the price of a stock and then sell it
Internet Auction Fraud
Using an internet auction site to defraud another person
E-mail Threats
Threats sent to victims by e-mail. The threats usually require some follow-up action, often at great expense to the victim
Internet Misinformation
Using the internet to spread false or misleading information
Sexting
Exchanging sexually explicit text messages and revealing pictures with other people, usually by means of a phone
Cyber-bullying
Using computer technology to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses or harms other people
Economic Espionage
Theft of information, trade secrets and intellectual property
Salami Technique
Stealing tiny slices of money from many different accounts
Round-Down-Fraud
- Instructing the computer to round down all interest calculations to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer's account
Podslurping
Using a small device with storage capacity to download unauthorized data from a computer
War Dialing
Programming a computer to dial thousands of phone lines searching for dial-up modem lines. Hackers hack into the PC attached to the modem and access the network to which it is connected
War Driving
- Driving around looking for unprotected home or corporate wireless networks.
Phreaking
Attacking phone systems to obtain free phone line access
- Using phone lines to transmit malware and to access, steal and destroy data
Piggybacking
(1) Tapping into a communications line and electronically latching onto a legitimate user who unknowingly carries the perpetrator into the system.
(2) The clandestine use of a neighbor's Wi-Fi network.
(3) An unauthorized person following an authorized person through a secure door, bypassing physical security controls.
Masquerading/Impersonation
Gaining access to a system by pretending to be an authorized user. This requires that the perpetrator know the legitimate user's ID and passwords.
Man-in-The-Middle (MITM) Attack
A hacker placing himself between a client and a host to intercept communications between them
SQL Injection (insertion) Attack
Inserting a malicious SQL query in input such that it is passed to and executed by an application program. This allows a hacker to convince the application to run SQL code that it was not intended to execute.
Buffer Overflow Attack
When the amount of data entered into a program is greater than the size of the input buffer. The input overflow overwrites the next computer instruction, causing the system to crash. Hackers exploit this by crafting the input so that the overflow contains code that tells the computer what to do next.
Zero-day Attack
An attack between the time a new software vulnerability is discovered and "released into the wild" and the time a software developer releases a patch to fix the problem
Spoofing
Altering some part of an electronic communication to make it look as if someone else sent the communication in order to gain the trust of the recipient
E-mail Spoofing
- Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source.
Caller ID Spoofing
- Displaying an incorrect number on the recipient's caller ID display to hide the caller's identity.
IP Address Spoofing
- Creating Internet Protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system.
SMS Spoofing
- Using short message service (SMS) to change the name or number a text message appears to come from.
Web-page Spoofing
Dictionary Attack
Software that generates user ID and password guesses using a dictionary of possible user IDs and passwords to reduce the number of guesses required.
Brute Force Attack
Trial-and-error method that uses software to guess information, such as the user ID and the password, needed to gain access to a system
Password Cracking - Recovering passwords by trying every possible combination of letters, numbers, and special characters and comparing them to a cryptographic hash of the password.
Denial-of-service (DoS) Attack
Attackers send so many e-mail bombs or web page requests, often from randomly generated false addresses, that the internet service provider's e-mail server or the web server is overloaded and shut down.
Hijacking
Gaining control of someone else's computer to carry out illicit activities (such as sending spam without the computer user's knowledge)
Botnet
- A network of powerful and dangerous hijacked computers that are used to attack systems or spread malware
Zombies
- Hijacked computers, typically part of a botnet, that are used to launch a variety of internet attacks.
6 Steps Criminals Use To Attack Information Systems
Conduct Reconnaissance
To learn as much as possible about the target
To identify potential vulnerabilities
Attempt Social Engineering
Can take place in countless ways, limited only by the creativity of attacker.
Via email, telephone or by leaving USB drives in the targeted organization's restroom.
Cover Tracks
Most attackers attempt to cover their tracks and create a "back door" to know if their initial attack is discovered
Execute The Attack
The criminal takes advantage of a vulnerability to obtain unauthorized access to the information system.
Research
Learn how to take advantage of the target after learning which software is running on it.
Scan and Map The Target
If (2) is unsuccessful, more detailed reconnaissance can be conducted to identify potential points of remote entry.
MALWARE
(Any software that is used to do harm)
Spyware
Software that secretly monitors computer usage, collects personal information about users and sends it to someone else, often without the computer user's permission
Adware
- Spyware that causes banner ads to pop up on a monitor, collects information about the user's web-surfing and spending habits, and forwards it to the adware creator, often an advertising or media organization. Adware usually comes bundled with freeware and shareware downloaded from the internet
Torpedo Software
Software that destroys competing malware. This sometimes results in "malware warfare" between competing malware developers
Scareware
Malicious software of no benefit that is sold using scare tactics
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it
Keylogger
Software that records computer activity, such as a user's keystrokes, e-mails sent and received, websites visited, and chat session participation
Trojan Horse
A set of unauthorized computer instructions in an authorized and otherwise properly functioning program
Time Bomb / Logic Bomb
A program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the program sabotages the system by destroying programs or data
Trap Door / Back Door
A set of computer instructions that allows a user to bypass the system's normal controls
Packet Sniffers
Programs that capture data from information packets as they travel over the internet or company networks. Captured data is sifted to find confidential or proprietary information
Rootkit
A means of concealing system components and malware from the operating system and other programs; can also modify the operating system
Steganography Program
A program that can merge confidential information with a seemingly harmless file, password protect the file, and send it anywhere in the world, where the file is unlocked and the confidential information is reassembled. The host file can still be heard or viewed because humans are not sensitive enough to pick up the slight decrease in image or sound quality
Bluesnarfing
Stealing (snarfing) contact lists, images and other data using flaws in Bluetooth applications
Bluebugging
Taking control of someone else's phone to make or listen to calls, send or read text messages, connect to the internet, forward the victim's calls, and call numbers that charge fees
Virus
A segment of executable code that attaches itself to a file, program or some other executable system component. When the hidden program is triggered, it makes unauthorized alterations to the way a system operates.
Worm
Similar to a virus, except that it is a program rather than a code segment hidden in a host program. A worm also copies itself automatically and actively transmits itself directly to other systems