
Chapter 6

Computer Fraud and Abuse Techniques


6-1
Copyright © 2012 Pearson Education
Learning Objectives

 Compare and contrast computer attack and abuse tactics.
 Explain how social engineering techniques are used to gain physical or logical access to computer resources.
 Describe the different types of malware used to harm computers.



Computer Attacks and Abuse

 Hacking
 Unauthorized access, modification, or use of a computer system or other
electronic device

 Social Engineering
 Techniques, usually psychological tricks, to gain access to sensitive data
or information
 Used to gain access to secure systems or locations

 Malware
 Any software which can be used to do harm



Types of Computer Attacks
 Botnet—Robot Network
  Network of hijacked computers under an attacker's remote control
  Hijacked computers carry out the attacker's processes without the owner's knowledge
  Zombie—a hijacked computer that is part of a botnet

 Denial-of-Service (DoS) Attack
  A flood of requests made to a Web server that overwhelms it and shuts down service
  When the flood comes from many hijacked machines at once (usually a botnet) it is a Distributed DoS (DDoS); each source may look harmless on its own, so blocking a single address does not stop it

 Spoofing
 Making an electronic communication look as if it comes from a trusted
official source to lure the recipient into providing information
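The slide defines a DoS flood but not how a defender tells one apart from a botnet-driven flood in practice. The following is an added example, not code from the slides or from Pearson: a rate check over Web server access-log lines that flags a single loud source and, separately, an aggregate flood spread across many sources. The log lines, addresses (RFC 5737 documentation ranges), function names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format as written by Apache/nginx; only client IP and timestamp are used.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (?:\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def max_in_window(times, window):
    """Largest number of events falling inside any sliding window of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def flag_floods(lines, window=timedelta(seconds=10), per_ip_limit=20,
                total_limit=100, min_sources=10):
    """Return (noisy_ips, distributed).

    noisy_ips:   sources exceeding per_ip_limit requests in any window (single-host DoS).
    distributed: True when the aggregate rate exceeds total_limit while the load is
                 spread across at least min_sources addresses (botnet DDoS), which a
                 per-source block list would miss.
    """
    per_ip = defaultdict(list)
    all_times = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue          # skip malformed lines rather than crash the detector
        ip, ts = parsed
        per_ip[ip].append(ts)
        all_times.append(ts)
    noisy = sorted(ip for ip, ts in per_ip.items()
                   if max_in_window(ts, window) > per_ip_limit)
    distributed = (max_in_window(all_times, window) > total_limit
                   and len(per_ip) >= min_sources)
    return noisy, distributed


def sample_log():
    """Constructed log lines using documentation address ranges; not real traffic."""
    base = datetime(2012, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 512'

    lines = []
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        lines += [line(ip, i), line(ip, i + 30)]                      # ordinary browsing
    lines += [line("203.0.113.7", 60 + k / 10) for k in range(50)]   # one host, 50 req in 5 s
    for b in range(30):                                               # 30 bots x 5 req in 5 s
        lines += [line(f"198.51.100.{b + 1}", 120 + k) for k in range(5)]
    return lines


if __name__ == "__main__":
    print(flag_floods(sample_log()))   # (['203.0.113.7'], True)
```

Each bot in the constructed log stays under the per-address limit, so only the aggregate check catches the botnet; that is the reason rate limiting by source address alone is not a DDoS defence.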



Types of Spoofing
 E-mail
  E-mail sender address appears as if it comes from a different source
 Caller-ID
  Incorrect number is displayed
 IP address
  Forged source IP address to conceal the identity of the sender of data over the Internet or to impersonate another computer system
 Address Resolution Protocol (ARP)
  Forged ARP replies allow a computer on a LAN to intercept traffic meant for any other computer on the LAN
 SMS
  Incorrect number or name appears, similar to caller-ID but for text messaging
 Web page
  Phishing (see below)
 DNS
  Intercepting a request for a Web service and answering it with the address of a false service



Hacking Attacks
 Cross-Site Scripting (XSS)
  Attacker-supplied script is embedded in a dynamic Web page disguised as ordinary user input, and runs in other users' browsers when the page is displayed.

 Buffer Overflow
  Input larger than the buffer set aside for it overwrites adjacent memory, so the program's stored instructions or return address are replaced with the attacker's.

 SQL Injection (Insertion)
  Malicious input is inserted into a query sent to a database system, changing what the query does.

 Man-in-the-Middle
  Attacker places themselves between client and host, relaying and possibly altering the traffic.
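Both XSS and SQL injection on this slide are the same mistake, untrusted input concatenated into text that another system will parse, so one added example covers both. This is not code from the slides or from Pearson; the table, accounts, attack strings and function names are constructed for the example, and it uses Python's built-in sqlite3 and html modules.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory table with two demo accounts (not data from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text by concatenating user input: the SQL injection bug.

    The input becomes part of the query grammar, so quotes, OR and comment
    markers in it rewrite the WHERE clause.
    """
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text and cannot
    change its structure, whatever characters they contain."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()


def greet_vulnerable(name):
    """Reflects user input straight into HTML, so a <script> in `name` runs in
    every browser that renders the page (reflected XSS)."""
    return "<p>Welcome, " + name + "</p>"


def greet_safe(name):
    """HTML-escapes the input so the browser renders it as text, not markup."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run the attack strings against both versions and return the outcomes."""
    conn = build_db()
    tautology = "' OR '1'='1"    # WHERE username = '' OR '1'='1' AND ...  -> true for every row
    comment_out = "alice' --"    # WHERE username = 'alice' --' AND ...   -> password check dropped
    payload = "<script>alert(1)</script>"
    return {
        "sqli_tautology_vuln": login_vulnerable(conn, tautology, tautology),
        "sqli_tautology_safe": login_safe(conn, tautology, tautology),
        "sqli_comment_vuln": login_vulnerable(conn, comment_out, "wrong"),
        "sqli_comment_safe": login_safe(conn, comment_out, "wrong"),
        "legit_login_safe": login_safe(conn, "alice", "correct horse"),
        "xss_vuln": greet_vulnerable(payload),
        "xss_safe": greet_safe(payload),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The vulnerable login returns every account for the tautology and logs in as alice without her password for the comment string; the parameterised version returns nothing for either, because the driver never lets the values become SQL. The fix for XSS is the same idea applied to the HTML parser: encode output for the context it lands in.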



Additional Hacking Attacks
 Password Cracking
  Penetrating system security to steal the stored password file and recover the passwords in it, typically by guessing candidates against the stored hashes

 War Dialing
 Computer automatically dials phone numbers looking for modems.

 Phreaking
 Attacks on phone systems to obtain free phone service.

 Data Diddling
 Making changes to data before, during, or after it is entered into a system.

 Data Leakage
 Unauthorized copying of company data.
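To show why password cracking works once the hash file is stolen, and what makes it expensive, here is an added example that is not from the slides or from Pearson: a dictionary attack against unsalted SHA-256 hashes and against per-user salted PBKDF2 hashes, counting the work each one takes. The wordlist, accounts, passwords and function names are constructed for the example; it uses only Python's hashlib and secrets.

```python
import hashlib
import secrets

# Constructed wordlist: the kind of short, common-password list a cracker tries first.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]
ITERATIONS = 50_000   # PBKDF2 work factor; real deployments tune this to their hardware


def hash_unsalted(password):
    """Fast, unsalted hash: equal passwords give equal hashes and one guess costs almost nothing."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt, iterations=ITERATIONS):
    """Per-user random salt plus a slow KDF: guesses must be recomputed per account, slowly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_unsalted(stored, wordlist):
    """stored: {user: sha256hex}. One pass over the wordlist cracks every account at once,
    because a single table of guess hashes matches all users simultaneously."""
    table = {hash_unsalted(w): w for w in wordlist}      # len(wordlist) hash computations
    found = {u: table[h] for u, h in stored.items() if h in table}
    return found, len(wordlist)


def crack_salted(stored, wordlist, iterations=ITERATIONS):
    """stored: {user: (salt, pbkdf2hex)}. The salt defeats the shared table, so every
    guess is recomputed for every account, and each guess costs `iterations` HMACs."""
    found, attempts = {}, 0
    for user, (salt, h) in stored.items():
        for w in wordlist:
            attempts += 1
            if hash_salted(w, salt, iterations) == h:
                found[user] = w
                break
    return found, attempts


def make_stores(accounts):
    """Constructed credential stores for the demo accounts, in both hashing styles."""
    unsalted = {u: hash_unsalted(p) for u, p in accounts.items()}
    salted = {}
    for u, p in accounts.items():
        salt = secrets.token_bytes(16)
        salted[u] = (salt, hash_salted(p, salt))
    return unsalted, salted


def demo():
    accounts = {"alice": "hunter2", "bob": "H7#kq!v9-pale-lantern", "carol": "hunter2"}
    unsalted, salted = make_stores(accounts)
    return {
        "unsalted": crack_unsalted(unsalted, WORDLIST),
        "salted": crack_salted(salted, WORDLIST),
        # Without salt, two users with the same password are visible before any cracking.
        "duplicates_visible_unsalted": unsalted["alice"] == unsalted["carol"],
        "duplicates_visible_salted": salted["alice"][1] == salted["carol"][1],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Both stores give up the two weak passwords, which is the point of using a strong, unique password; the difference is cost. The unsalted attack hashes the wordlist once (6 hashes for any number of accounts), while the salted one needs a separate slow run per account (16 PBKDF2 computations here), and the cost grows with the user count and the iteration setting.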



Hacking Embezzlement Schemes
 Salami Technique
 Taking small amounts from many different accounts.

 Economic Espionage
 Theft of information, trade secrets, and intellectual property.

 Cyber-Bullying
  Using the Internet, cell phones, or other communication technologies to support
deliberate, repeated, and hostile behavior that torments, threatens, harasses,
humiliates, embarrasses, or otherwise harms another person.

 Internet Terrorism
  Act of disrupting electronic commerce and harming computers and
communications.


Hacking for Fraud

 Internet Misinformation
 Using the Internet to spread false or misleading information

 Internet Auction
 Using an Internet auction site to defraud another person
 Unfairly drive up bidding
 Seller delivers inferior merchandise or fails to deliver at all
 Buyer fails to make payment

 Internet Pump-and-Dump
 Using the Internet to pump up the price of a stock and then selling it



Social Engineering Techniques
 Identity Theft
  Assuming someone else's identity
 Pretexting
  Inventing a scenario that will lull someone into divulging sensitive information
 Posing
  Using a fake business to acquire sensitive information
 Phishing
  Posing as a legitimate company asking for verification-type information: passwords, accounts, usernames
 Pharming
  Redirecting Web site traffic to a spoofed Web site.
 Typosquatting
  Registering domain names that are typographical errors of legitimate Web site names, so that mistyping a site name leads to a bogus site
 Tabnapping
  Changing an already open browser tab into a look-alike login page
 Scavenging
  Looking for sensitive information in items thrown away
 Shoulder Surfing
  Snooping over someone's shoulder for sensitive information
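Typosquatting and look-alike phishing domains can be caught on the defender's side by comparing the registrable part of a host name with the brands the organisation cares about. The following is an added example and not code from the slides or from Pearson: an edit-distance check with a small homoglyph fold (rn for m, 1 for l, 0 for o and so on). The brand list, the substitution table, the threshold and the function names are constructed for the example, and it assumes the registrable label is the one directly left of the TLD.

```python
# Constructed allow-list of brand labels this organisation cares about (not a real list).
KNOWN_BRANDS = ["paypal", "google", "microsoft", "amazon"]

# Character substitutions attackers use because they look alike in common fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label):
    """Fold look-alike characters to the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def check_domain(host, brands=KNOWN_BRANDS, max_distance=2):
    """Return (brand, distance) when the registrable label of `host` is a near miss
    of a known brand, or None when it is an exact match or unrelated.

    Assumes the registrable label is the one directly left of the TLD (the
    "paypa1" in paypa1.com); public-suffix handling is out of scope here.
    """
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    label = parts[-2]
    if label in brands:
        return None
    best = None
    for brand in brands:
        # Distance 0 after normalisation means a pure homoglyph swap of the brand.
        d = min(levenshtein(label, brand), levenshtein(normalize(label), brand))
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best


if __name__ == "__main__":
    for host in ["paypa1.com", "www.rnicrosoft.com", "googel.com", "google.com", "example.com"]:
        print(host, check_domain(host))
```

A hit with distance 0 is a homoglyph swap, distance 1 or 2 a plain typo or transposition; both are worth blocking in a mail gateway or proxy. Short brand names need a tighter threshold than 2, or ordinary words will collide with them.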



More Social Engineering

 Lebanese Looping
  Inserting a sleeve into an ATM card slot so the card is trapped; the attacker watches the PIN being entered, then retrieves the card after the victim leaves

 Skimming
  Double-swiping a credit card in a legitimate terminal, or covertly swiping it through a small hidden reader that records the card data

 Chipping
  Planting a device that records card data inside a legitimate credit card reader

 Eavesdropping
  Listening to private communications



Types of Malware
 Spyware
  Secretly monitors and collects personal information about users and sends it to someone else
 Adware
  Pops banner ads up on a monitor, collects information about the user's Web-surfing and spending habits, and forwards it to the adware creator

 Key logging
 Records computer activity, such as a user’s keystrokes, e-mails sent and received, Web
sites visited, and chat session participation

 Trojan Horse
 Malicious computer instructions in an authorized and otherwise properly functioning
program
 Time bombs/logic bombs
 Idle until triggered by a specified date or time, by a change in the system, by a
message sent to the system, or by an event that does not occur



More Malware
 Trap Door/Back Door
 A way into a system that bypasses normal authorization and authentication
controls

 Packet Sniffers
 Capture data from information packets as they travel over networks
 Rootkit
 Used to hide the presence of trap doors, sniffers, and key loggers; conceal
software that originates a denial-of-service or an e-mail spam attack; and
access user names and log-in information

 Superzapping
 Unauthorized use of special system programs to bypass regular system
controls and perform illegal acts, all without leaving an audit trail

