CHAPTER 6

COMPUTER FRAUD AND ABUSE TECHNIQUES


Learning Objectives:
1. Compare and contrast computer attack and abuse tactics.
2. Explain how social engineering techniques are used to gain
physical or logical access to computer resources.
3. Describe the different types of malware used to harm computers.

Computer Fraud and Abuse Techniques


Computer Attacks
Hacking is the unauthorized access to and use of computer systems,
usually by means of a personal computer and a telecommunications
network. Most hackers are able to break into systems using known
flaws in operating systems or application programs, or as a result
of poor access controls. Some hackers are motivated by the
challenge of breaking into computer systems and just browse or
look for things to copy and keep. Other hackers have malicious
intentions.
The following examples illustrate hacking attacks and the damage
they cause:
1. Several years ago, Russian hackers broke into Citibank's
system and stole $10 million from customer accounts.
2. During Operation Desert Storm, Dutch hackers broke into
computers at 34 different military sites and extracted
confidential information. Among the information stolen
were the troop movements and weapons used in the Iraq
war. The group offered to sell the information to Iraq,
but the government declined, probably because it feared
it was a setup.
3. A 17-year-old hacker, nicknamed Shadow Hawk, was
convicted of electronically penetrating the Bell
Laboratories national network, destroying files valued at
$174,000, and copying 52 proprietary software programs
worth $1.2 million. He published confidential information
such as telephone numbers, passwords, and instructions
on how to breach AT&T's computer security system on
underground bulletin boards. He was sentenced to nine
months in prison and given a $10,000 fine. Like Shadow
Hawk, many hackers are fairly young, some as young as 12
and 13.
Searching for dial-up modem lines by programming computers to
dial thousands of phone lines is referred to as war dialing.

Page 1 of 10

War driving is driving around looking for unprotected
wireless networks.
Some war drivers draw chalk symbols on sidewalks to mark
unprotected wireless networks, referred to as war chalking.
One enterprising group of researchers went war rocketing.
They sent rockets into the air that let loose wireless
access points, each attached to a parachute.
A botnet, short for robot network, is a network of hijacked
computers. Hijacking is gaining control of someone else's
computer to carry out illicit activities without the user's
knowledge.
Hackers who control the hijacked computers, called bot
herders, use the combined power of the infected machines,
called zombies.
A denial-of-service attack occurs when an attacker sends so many
e-mail bombs (thousands per second), often from randomly generated
false addresses, that the Internet service provider's e-mail
server is overloaded and shuts down. Another denial-of-service
attack is sending so many requests for Web pages that the Web
server crashes.
A good example was when a lot of people were receiving so
many e-mails so fast that they could not even delete them
all; it was just a constant flow of e-mails, during which
these people could not do anything else. As a result, some
people now have more than one e-mail provider, one that they
use only to catch the junk e-mails.
Most denial-of-service attacks are quite easy to accomplish and
involve the following:
1. The attacker infects a botnet with a denial-of-service
program.
2. The attacker activates the program and the zombie
computers begin sending pings (e-mails or requests for
data) to the computer being attacked. The victim computer
responds to each ping, not realizing the zombie computer
sent it a fictitious return address, and waits for a
response that never comes.
3. Because the victim computer is waiting for so many
responses that never come, system performance begins to
degrade until the computer finally freezes (it does
nothing but respond to the pings) or it crashes.
4. The attacker terminates the attack after an hour or two
to limit the victim's ability to trace the source of the
attacks.
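The four steps above describe the attack from the perpetrator's side. The following is an added example (not part of the chapter) showing what the victim's log looks like and how a simple detector separates a flood of pings from fictitious addresses from an ordinary busy period. The log lines are constructed, and the window size and threshold are assumptions to be tuned for a real server.

```python
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed access-log lines (not real traffic): two regular clients
    making one request every 10 seconds, then an 8-second burst of 200
    requests from 200 addresses never seen before, which is the pattern the
    chapter describes for zombies using fictitious return addresses."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    regulars = ["198.51.100.7", "198.51.100.9"]
    lines = []
    for i in range(30):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} {regulars[i % 2]} GET /page{i}.html")
    flood_start = base + timedelta(minutes=6)
    for i in range(200):
        ts = flood_start + timedelta(milliseconds=40 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.{i + 1} GET /index.html")
    for i in range(4):
        ts = base + timedelta(minutes=7, seconds=10 * i)
        lines.append(f"{ts.isoformat()} {regulars[i % 2]} GET /page{i}.html")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, source address)."""
    ts_text, src, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts_text), src


def detect_flood(lines, window_seconds=10, max_requests=50):
    """Count requests per fixed time window and flag windows above
    max_requests. For each flagged window also report how many of its
    sources never appeared in an earlier window: a ratio near 1.0 points to
    spoofed or throwaway sources, near 0.0 to a genuine spike from known
    clients (which rate limiting per source would not distinguish)."""
    windows = {}
    for line in lines:
        ts, src = parse_line(line)
        key = int(ts.timestamp()) // window_seconds
        windows.setdefault(key, []).append(src)
    seen = set()
    alerts = []
    for key in sorted(windows):
        sources = windows[key]
        distinct = set(sources)
        if len(sources) > max_requests:
            new_sources = sum(1 for s in distinct if s not in seen)
            alerts.append({
                "window_start": datetime.fromtimestamp(key * window_seconds).isoformat(),
                "requests": len(sources),
                "distinct_sources": len(distinct),
                "new_source_ratio": new_sources / len(distinct),
            })
        seen.update(distinct)
    return alerts


if __name__ == "__main__":
    for alert in detect_flood(build_sample_log()):
        print(alert)
```

The new-source ratio is what makes the report useful: in the constructed flood every one of the 200 addresses is new, which is exactly what step 2's fictitious return addresses produce, whereas a popular page served to regular clients would show a low ratio even at the same request count.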

Spamming is e-mailing the same unsolicited message to many
people at the same time, often in an attempt to sell them
something.
Spammers use very creative means to find valid e-mail
addresses. They scan the Internet for addresses posted
online and also hack into company databases and steal
mailing lists. In addition, spammers stage dictionary
attacks (also called direct harvesting attacks)
designed to uncover valid e-mail addresses.
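A dictionary (direct harvesting) attack shows up on the receiving mail server as one client trying many guessed addresses and being told "user unknown" for nearly all of them. The following is an added example, not from the chapter, of a detector run over a constructed mail-log excerpt; the log format and the two thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed mail-server log excerpt (not real data): a regular sender with
# one mistyped recipient, and one client walking an alphabetical list of
# guessed local parts, the pattern of a dictionary / directory harvest attack.
SAMPLE_MAIL_LOG = """\
2024-03-01T09:00:01 client=198.51.100.20 rcpt=alice@example.com status=ok
2024-03-01T09:00:05 client=198.51.100.20 rcpt=bob@example.com status=ok
2024-03-01T09:00:06 client=198.51.100.20 rcpt=bobb@example.com status=unknown
2024-03-01T09:00:09 client=203.0.113.44 rcpt=aaron@example.com status=unknown
2024-03-01T09:00:09 client=203.0.113.44 rcpt=abby@example.com status=unknown
2024-03-01T09:00:10 client=203.0.113.44 rcpt=abe@example.com status=unknown
2024-03-01T09:00:10 client=203.0.113.44 rcpt=abel@example.com status=unknown
2024-03-01T09:00:11 client=203.0.113.44 rcpt=abigail@example.com status=unknown
2024-03-01T09:00:11 client=203.0.113.44 rcpt=abraham@example.com status=unknown
2024-03-01T09:00:12 client=203.0.113.44 rcpt=ada@example.com status=unknown
2024-03-01T09:00:12 client=203.0.113.44 rcpt=adam@example.com status=unknown
2024-03-01T09:00:13 client=203.0.113.44 rcpt=adele@example.com status=unknown
2024-03-01T09:00:13 client=203.0.113.44 rcpt=adrian@example.com status=unknown
2024-03-01T09:00:14 client=203.0.113.44 rcpt=agnes@example.com status=unknown
2024-03-01T09:00:14 client=203.0.113.44 rcpt=alice@example.com status=ok
2024-03-01T09:00:15 client=203.0.113.44 rcpt=aidan@example.com status=unknown
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) rcpt=(?P<rcpt>\S+) status=(?P<status>\S+)")


def tally_by_client(log_text):
    """Per sending client: how many recipients were attempted, how many were
    rejected as unknown, and which valid addresses the client confirmed."""
    totals = defaultdict(lambda: {"attempts": 0, "unknown": 0, "valid_found": []})
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        rec = totals[match["client"]]
        rec["attempts"] += 1
        if match["status"] == "unknown":
            rec["unknown"] += 1
        else:
            rec["valid_found"].append(match["rcpt"])
    return totals


def detect_harvesting(log_text, min_attempts=10, max_unknown_ratio=0.5):
    """Flag clients that tried at least min_attempts recipients and had more
    than max_unknown_ratio of them rejected. A single typo from a regular
    correspondent never reaches the attempt threshold, so it is not flagged.
    valid_found lists the addresses the harvester has now confirmed exist."""
    flagged = {}
    for client, rec in tally_by_client(log_text).items():
        if rec["attempts"] >= min_attempts and rec["unknown"] / rec["attempts"] > max_unknown_ratio:
            flagged[client] = dict(rec)
    return flagged


if __name__ == "__main__":
    for client, rec in detect_harvesting(SAMPLE_MAIL_LOG).items():
        print(client, rec)
```

The valid_found list is the part worth acting on: those are the addresses the harvester has just verified, so they are the ones about to receive spam regardless of what is done about the client.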
Hackers also spam blogs, which are Websites containing
online journals, by placing random or nonsensical
comments to blogs that allow visitor comments.
Splogs, or spam blogs, promote affiliated Websites to
increase their Google Page Rank, a measure of how
often a Web page is referenced by other Web pages.
Spoofing is making an e-mail message look as if
someone else sent it.
A former Oracle employee was charged with breaking
into the company's computer network, falsifying
evidence, and committing perjury for forging an
e-mail message to support her charge that she was
fired for ending a relationship with the company's
chief executive. The employee was found guilty of
forging the e-mail message and faced up to six years
in jail.
A zero-day attack (or zero-hour attack) is an attack
that takes place between the time a new software
vulnerability is discovered and the time the software
developers and the security vendors release software,
called a patch, that fixes the problem.
Password cracking is penetrating a system's defenses,
stealing the file containing valid passwords,
decrypting them and using them to gain access to
programs, files, and data.
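The damage from a stolen password file depends entirely on how the passwords were stored. The following is an added example, not from the chapter, contrasting the fast, unsalted hash that made such files easy to crack with per-user salted PBKDF2 storage and constant-time verification. The record format and the iteration count are assumptions chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor; an assumption for this demo


def hash_password(password, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.
    A fresh random salt per user means identical passwords produce different
    records, so a stolen file cannot be matched against one precomputed table
    and each record has to be attacked separately at the full work factor."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so a wrong guess cannot be distinguished from
    a near miss by timing."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def legacy_unsalted_hash(password):
    """What the 'file containing valid passwords' often looked like: one fast,
    unsalted hash per user. Every user with the same password gets the same
    value, and one precomputed lookup table recovers all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Note what the two storage schemes do with the same password for two users: the legacy function returns the same string twice, the salted function never does, and only the salted records carry their own parameters so the work factor can be raised later without a format change.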
In masquerading, or impersonation, the perpetrator gains
access to the system by pretending to be an authorized user.
This approach requires a perpetrator to know the legitimate
user's ID number and password.
Piggybacking is tapping into a telecommunications line and
latching on to a legitimate user before the user logs into a
system. The legitimate user unknowingly carries the
perpetrator into the system.
Piggybacking has several meanings:
1. The clandestine use of a neighbor's Wi-Fi network; this
can be prevented by enabling the security feature in the
wireless network.
2. Tapping into a telecommunications line and electronically
latching on to a legitimate user before the user enters a
secure system; the legitimate user unknowingly carries the
perpetrator into the system.
3. An unauthorized person passing through a secure door when
an authorized person opens it, thereby bypassing physical
security controls such as keypads, ID cards, or biometric
identification scanners.
Data diddling is changing data before, during, or after it is
entered into the system. The change can be made to delete, alter,
or add key system data.
Data leakage refers to the unauthorized copying of company data.
A fraud perpetrator can use the salami technique to embezzle
large sums of money a salami slice at a time from many different
accounts (tiny slices of money are stolen over a period of time).
The round-down fraud technique is used most frequently in
financial institutions that pay interest. In the typical scenario,
the programmer instructs the computer to round down all interest
calculations to two decimal places. The fraction of a cent that is
rounded down on each calculation is put into the programmer's
account or one that he or she controls.
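To make the salami technique and the round-down scenario concrete, here is an added example (not from the chapter) that runs one month of interest over five constructed balances, sweeps the rounded-off fractions into an account the programmer controls, and then applies two audit controls to the result. It goes a step beyond the text by showing why a totals-only reconciliation passes while a line-by-line recomputation does not. Account names, balances, the 6 percent rate and the suspense-account name are all assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
SAMPLE_RATE = Decimal("0.06")          # constructed annual rate

# Constructed account balances (not from the chapter).
SAMPLE_BALANCES = {
    "A-1000": Decimal("1000.00"),
    "B-2500": Decimal("2500.55"),
    "C-333": Decimal("333.33"),
    "D-9999": Decimal("9999.99"),
    "E-12": Decimal("12.34"),
}


def exact_monthly_interest(balance, annual_rate):
    """Interest for one month, kept at full precision (no rounding yet)."""
    return balance * annual_rate / 12


def post_interest(balances, annual_rate, diverted_account="SUSPENSE-001"):
    """The fraudulent run: each account's interest is rounded DOWN to the cent
    and the dropped fractions are swept into one account the programmer
    controls, one salami slice per account per period."""
    postings = {}
    dropped = Decimal("0")
    for acct, balance in balances.items():
        exact = exact_monthly_interest(balance, annual_rate)
        credited = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = credited
        dropped += exact - credited
    postings[diverted_account] = dropped.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def totals_tie_out(balances, annual_rate, postings):
    """The control that does NOT catch it: total interest posted still equals
    total interest computed, because the diverted fractions are inside the
    total; they have only been moved between accounts."""
    exact_total = sum((exact_monthly_interest(b, annual_rate) for b in balances.values()),
                      Decimal("0"))
    return sum(postings.values(), Decimal("0")) == exact_total.quantize(CENT, rounding=ROUND_HALF_UP)


def audit_interest_run(balances, annual_rate, postings):
    """The control that does catch it: recompute each account's interest with
    the institution's normal half-up rounding and compare line by line, and
    flag any posting to an account that holds no balance at all."""
    findings = []
    for acct, credited in postings.items():
        if acct not in balances:
            findings.append((acct, "credited but holds no balance", credited))
            continue
        expected = exact_monthly_interest(balances[acct], annual_rate).quantize(
            CENT, rounding=ROUND_HALF_UP)
        if credited != expected:
            findings.append((acct, "differs from recomputed interest", credited - expected))
    return findings


if __name__ == "__main__":
    run = post_interest(SAMPLE_BALANCES, SAMPLE_RATE)
    print("postings:", run)
    print("totals tie out:", totals_tie_out(SAMPLE_BALANCES, SAMPLE_RATE, run))
    for finding in audit_interest_run(SAMPLE_BALANCES, SAMPLE_RATE, run):
        print("finding:", finding)
```

With these five balances the diverted amount is two cents for the month, which is why the scheme depends on many accounts and many periods; the per-account recomputation flags the two accounts shorted by a cent and the suspense account that received money without holding a balance, while the total of all postings ties to the penny.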
Phreaking is attacking phone systems to obtain free phone line
access. Phreakers also use the telephone lines to transmit viruses
and to access, steal, and destroy data.
Economic espionage is the theft of information, trade secrets, and
intellectual property. This has increased by 323 percent during
one five-year period. The U.S. Department of Justice estimates
that intellectual property theft losses total $250 billion a year.
Almost 75 percent of these losses are to an employer, former
employer, contractor, or supplier.
A growing problem is cyber-extortion, in which fraud perpetrators
threaten to harm a company if it does not pay a specified amount
of money.
Internet terrorism occurs when hackers use the Internet to disrupt
electronic commerce and to destroy company and individual
communications.
Internet misinformation is using the Internet to spread false or
misleading information about people or companies. This can be done
in a number of ways, including inflammatory messages in online
chats, setting up Websites and spreading urban legends.
Fraud perpetrators are beginning to use unsolicited e-mail threats
to defraud people. For example, Global Communications sent a
message to many people threatening legal action if an unspecified
overdue amount was not paid within 24 hours.
Many companies advertise online and pay based on how many users
click on ads that take them to the company's Website. Advertisers
pay from a few cents to more than $10 for each click. Click fraud
is intentionally clicking on these ads numerous times to inflate
advertising bills.
Software piracy is copying software without the publisher's
permission. It is estimated that for every legal copy of software
there are seven to eight illegal ones. I have seen some places
where this is almost like an acceptable practice.

Social Engineering
In social engineering, perpetrators trick employees into giving
them the information they need to get into the system.
Identity theft is assuming someone's identity, usually for
economic gain, by illegally obtaining and using confidential
information such as the person's Social Security number or their
bank account or credit card number. Identity thieves benefit
financially by taking funds out of the victim's bank accounts,
taking out mortgages or other loan obligations, and taking out
credit cards and running up large debts.
In one case, a convicted felon incurred $100,000 of credit card
debt, took out a home loan, purchased homes and consumer goods,
and then filed for bankruptcy in the victim's name.
In pretexting, people act under false pretenses to gain
confidential information. For example, they might pretend to
conduct a security investigation and lull the person into
disclosing confidential information by asking 10 innocent
questions before asking the confidential ones.
Posing is creating a seemingly legitimate business, collecting
personal information while making a sale, and never delivering a
product.
Phishing is sending out an e-mail, instant message, or text
message pretending to be a legitimate company, usually a financial
institution, and requesting information. The recipient is asked to
either respond to the e-mail request or visit a Web page and
submit the data or respond to a text message.
The IRS has set up a Website and an e-mail address
(phishing@irs.gov) where people can forward suspicious e-mails
that purport to be from the IRS for investigation.
In voice phishing, or vishing, e-mail recipients are asked to call
a specified phone number, where a recording tells them to enter
confidential data.

Phished (and otherwise stolen) credit card numbers can be bought
and sold, which is called carding.
Pharming is redirecting a Website's traffic to a bogus (spoofed)
Website, usually to gain access to personal and confidential
information. So how does pharming work? If you don't know
someone's phone number, you look it up in a phone book. If you
could change XYZ Company's number in the phone book to your phone
number, people calling XYZ Company would reach you instead. You
could then ask them to divulge information only they would know to
verify their identity.
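The "phone book" in the analogy is the name lookup a computer performs, and the copy it consults first is its local hosts file, which malware can edit to pin a bank's name to an address the attacker controls. The following is an added example, not from the chapter, of a check that reads a constructed hosts file and flags overrides of watched public domains or overrides pointing outside the organization's own address ranges. The domain list and the internal ranges are assumptions a defender would fill in for their own environment.

```python
import ipaddress

# Constructed hosts-file content (not real data). The last entry is the
# pharming case: a public bank name pinned to an outside address.
SAMPLE_HOSTS = """\
# local name overrides
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example.com
203.0.113.77    bank.example.com   # should come from public DNS, not from here
"""

# Assumptions for the demo: public domains that must never be overridden
# locally, and the ranges a legitimate internal override may point into.
WATCHED_DOMAINS = {"bank.example.com", "mail.example.com"}
INTERNAL_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("10.0.0.0/8")]


def parse_hosts(text):
    """Yield (hostname, address) pairs, ignoring comments and blank lines.
    One line may map several names to the same address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            entries.append((name.lower(), address))
    return entries


def find_hijacked_entries(text, watched=WATCHED_DOMAINS, internal=INTERNAL_RANGES):
    """Return (name, address, reason) for every entry that looks like a
    pharming override. Loopback entries are normal and skipped."""
    findings = []
    for name, address in parse_hosts(text):
        ip = ipaddress.ip_address(address)
        if ip.is_loopback:
            continue
        if name in watched:
            findings.append((name, address, "watched public domain pinned in hosts file"))
        elif not any(ip in net for net in internal):
            findings.append((name, address, "override points outside internal ranges"))
    return findings


if __name__ == "__main__":
    for finding in find_hijacked_entries(SAMPLE_HOSTS):
        print(finding)
```

The same comparison applies one level up: a resolver or router whose answers for a watched name disagree with the expected records is the network-wide version of the altered phone book.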
An evil twin is when a hacker sets up a wireless network with the
same name (called Service Set Identifier, or SSID) as the wireless
access point at a local hot spot or a corporation's wireless
network.
Typosquatting, also called URL hijacking, is setting up Websites
with names very similar to real Websites so that when users make
mistakes, such as typographical errors, in entering a Website name,
they are sent to an invalid site.
The typosquatter's site may do the following:
1. Trick the user into thinking she is at the real site by
using a copied or a similar logo, Website layout, or
content. These sites often contain advertising that would
appeal to the person looking for the real domain name.
The typosquatter might also be a competitor.
2. Send the user to a site very different from what was
wanted. In one famous case, a typosquatter sent people
looking for sites that appealed to children to a
pornographic Website.
3. Use the false address to distribute viruses, adware,
spyware, or other malware.
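Companies defend against typosquatting by watching newly registered domains for names that look like their own. The following is an added example, not from the chapter, of the core of such a check: it normalizes common look-alike characters, measures edit distance against a brand label, and reports why a candidate was flagged. The substitution table, the distance threshold and the assumption that the brand is a single second-level label are all choices made for the demonstration.

```python
# Multi-character look-alikes are replaced before single characters so that
# "rn" becomes "m" before anything else is touched. The table is an assumption.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"), ("3", "e")]


def normalize(label):
    """Map visually similar characters to the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label of a domain ('www.exarnple.com' -> 'exarnple').
    Assumption: single-label public suffixes only; 'co.uk'-style suffixes
    would need a public-suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_domain(candidate, brands, max_distance=2):
    """Return (candidate, brand, reason, raw_distance) when the candidate's
    label looks like one of the brand labels, else None. An exact match is
    the brand's own domain and is not reported."""
    label = registrable_label(candidate)
    if label in brands:
        return None
    norm = normalize(label)
    for brand in brands:
        raw = edit_distance(label, brand)
        if norm == brand:
            return (candidate, brand, "homoglyph substitution", raw)
        if edit_distance(norm, brand) <= max_distance:
            return (candidate, brand, "typo within edit distance", raw)
        if brand in norm:
            return (candidate, brand, "brand embedded in label", raw)
    return None


if __name__ == "__main__":
    # Constructed candidates, not real registrations.
    for name in ["example.com", "exarnple.com", "examp1e.com", "exmaple.com",
                 "example-login.com", "unrelated.org"]:
        print(name, "->", check_domain(name, ["example"]))
```

The three reasons matter for triage: a homoglyph hit is almost never accidental, a small edit distance covers the typing mistakes the text describes, and an embedded brand name catches the "brand-login" style of lookalike that no edit-distance threshold would reach.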
Scavenging, or dumpster diving, is gaining access to confidential
information by searching corporate or personal records. Some
identity thieves search garbage cans, communal trash bins, and
city dumps to find documents or printouts with confidential
company information. They also look for personal information such
as checks, credit card statements, bank statements, tax returns,
discarded applications for preapproved credit cards, or other
records that contain Social Security numbers, names, addresses,
telephone numbers, and other data that allow them to assume an
identity. Be sure to tear up (or preferably shred) your personal
correspondence from banks and credit card companies to the point
that the number cannot be read before you throw it into the
trash, especially in a public trash container.
Shoulder surfing is watching people as they enter telephone
calling card or credit card numbers or listening to conversations
as people give their credit card number over the telephone or to
sales clerks.

Skimming is double-swiping a credit card in a legitimate terminal
or covertly swiping a credit card in a small, hidden, handheld
card reader that records credit card data for later use.
Chipping is posing as a service engineer and planting a small chip
in a legitimate credit card reader.
Eavesdropping enables perpetrators to observe private
communications or transmissions of data. One way to intercept
signals is by setting up a wiretap.

Malware
This section describes malware, which is any software that can be
used to do harm. A recent study shows that malware is spread using
several simultaneous approaches, including file sharing (used in
72 percent of attacks), shared access to files (42 percent), e-mail
attachments (25 percent), and remote access vulnerabilities
(24 percent).
Pages 160-165 list various malware types.
Spyware software secretly collects personal information about
users and sends it to someone else without the user's permission.
The information is gathered by logging keystrokes, monitoring
computing habits such as Websites visited, and scanning documents
on the computer's hard disk.
Spyware infections, of which users are usually unaware, come from
the following:
1. Downloads such as file sharing programs, system
utilities, games, wallpaper, screensavers, music, and
videos.
2. Websites that secretly download spyware when they are
visited. This is called drive-by downloading.
3. A hacker using security holes in Web browsers and other
software.
4. Programs masquerading as anti-spyware security software.
5. A worm or virus.
6. Public wireless network. For example, users receive a
message they believe is from the coffee shop or hotel
where they are using wireless technology. Clicking on the
message inadvertently downloads a Trojan horse or spyware
application.
One type of spyware, called adware (short for advertising
supported software), does two things: First, it causes banner ads
to pop up on your monitor as you surf the Net. Second, it collects
information about the user's Web-surfing and spending habits and
forwards it to the company gathering the data, often an
advertising or large media organization.
In a recent survey, 55 percent of companies had experienced a
spyware, adware, or some other malware infection. In larger
organizations, the average cost of getting rid of spyware is more
than $1.5 million a year.
Another form of spyware, called a key logger, records computer
activity, such as a user's keystrokes, e-mails sent and received,
Websites visited, and chat session participation.
A Trojan horse is a set of malicious, unauthorized computer
instructions in an authorized and otherwise properly functioning
program. Some Trojan horses give the creator the power to remotely
control the victim's computer. Unlike viruses and worms, the code
does not try to replicate itself.
Time bombs and logic bombs are Trojan horses that lie idle until
triggered by a specified time or circumstance. Once triggered, the
bomb goes off, destroying programs, data or both.
Company insiders, typically disgruntled programmers or other
systems personnel who want to get even with their company, write
many bombs.
A trap door, or back door, is a way into a system that bypasses
normal system controls. Programmers use trap doors to modify
programs during systems development and normally remove them
before the system is put into operation.
Packet sniffers are programs that capture data from information
packets as they travel over the Internet or company networks.
Captured data is sifted to find confidential information such as
user IDs and passwords, and confidential or proprietary
information that can be sold or otherwise used.
Steganography programs hide data from one file inside a host file,
such as a large image or sound file. There are more than 200
different steganographic software programs available on the
Internet.
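A defender rarely needs to decode a hidden payload; what matters is noticing that a host file carries more than it should. The following is an added example, not from the chapter, of a small inspector for PNG image files: it walks the chunk structure and reports bytes appended after the final IEND chunk, chunk types the PNG specification does not define, and chunks whose checksum does not match their contents, which are three common places for smuggled data. The test image is constructed in code; the chunk format and CRC rule are those of the PNG specification.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP",
                   "sBIT", "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs",
                   "sPLT", "tIME"}


def png_chunk(ctype, data):
    """Encode one chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png(extra_chunks=()):
    """Constructed 1x1 grayscale PNG for the demo (not an image from the page).
    Any extra_chunks are spliced in before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    body = png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
    for chunk in extra_chunks:
        body += chunk
    return PNG_SIGNATURE + body + png_chunk(b"IEND", b"")


def inspect_png(blob):
    """Walk the chunk list and report what a hidden payload most often leaves
    behind: bytes after IEND, chunk types outside the specification, and
    chunks whose CRC does not match their contents."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks, unknown, bad_crc = [], [], []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):
            break                                          # truncated chunk
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        name = ctype.decode("latin-1")
        chunks.append(name)
        if name not in STANDARD_CHUNKS:
            unknown.append(name)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            bad_crc.append(name)
        pos += 12 + length
        if ctype == b"IEND":
            break
    return {"chunks": chunks, "unknown_chunks": unknown, "bad_crc": bad_crc,
            "trailing_bytes": len(blob) - pos}


if __name__ == "__main__":
    print(inspect_png(build_minimal_png()))
    print(inspect_png(build_minimal_png() + b"hidden payload"))
```

A tool like this says nothing about payloads hidden in the pixel data itself (the least-significant-bit methods many of the 200 programs use); those require comparing the image against a known-clean original or statistical tests, which is why policies that restrict where images may be sent matter more than file inspection alone.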
A rootkit is software that conceals processes, files, network
connections, memory addresses, systems utility programs, and
system data from the operating system and other programs. Rootkits
often modify parts of the operating system or install themselves
as drivers.
Superzapping is the unauthorized use of special system programs to
bypass regular system controls and perform illegal acts.
A computer virus is a segment of self-replicating, executable code
that attaches itself to software. Many viruses have two phases. In
the first phase, the virus replicates itself and spreads to other
systems or files when some predefined event occurs. In the attack
phase, also triggered by some predefined event, the virus carries
out its mission.

In one survey, almost 90 percent of the respondents said their
company was infected with a virus within the prior 12 months.
During the attack phase, triggered by some predefined event,
viruses destroy or alter data or programs, take control of the
computer, destroy the hard disk's file allocation table, delete or
rename files or directories, reformat the hard disk, or change the
content of files.
Symptoms of a computer virus include computers that will not start
or execute; unexpected read or write operations; an inability to
save files; long program load times; abnormally large file sizes;
slow systems operation; and unusual screen activity, error
messages, or file names.
The Sobig virus, written by Russian hackers, infected an estimated
1 of every 17 e-mails several years ago.
The MyDoom virus infected 1 in 12 e-mails and did $4.75 billion in
damages.
It is estimated that viruses and worms cost businesses more than
$20 billion a year.
Most viruses attack computers, but all devices connected to the
Internet or that are part of a communications network run the risk
of being infected. Recent viruses have attacked cell phones and
personal digital assistants. These devices are infected through
text messages, Internet page downloads, and Bluetooth wireless
technology.
Flaws in Bluetooth applications have opened up the system to
attack. Bluesnarfing is stealing (snarfing) contact lists, images,
and other data from other devices using Bluetooth. Bluebugging is
taking control of someone else's phone to make calls or send text
messages, or to listen to phone calls and monitor text messages
received.
A computer worm is a self-replicating computer program similar to
a virus except for the following three differences:
1. A virus is a segment of code hidden in or attached to a host
program or executable file, whereas a worm is a stand-alone
program.
2. A virus requires a human to do something (run a program,
open a file, etc.) to replicate itself, whereas a worm does
not and actively seeks to send copies of itself to other
devices on a network.
3. Worms harm networks (if only by consuming bandwidth),
whereas viruses infect or corrupt files or data on a
targeted computer.
Worms often reside in e-mail attachments, which, when opened or
activated, can damage the user's system.

A worm usually does not live very long, but it is quite
destructive while alive.
More recently, MySpace had to go offline to disable a worm that
added more than 1 million friends to the hacker's site in less
than a day.
