Computer Fraud and Abuse Techniques

Copyright © 2015 Pearson Education, Inc.

Computer Fraud and Abuse Techniques

Chapter 6

6-1


Learning Objectives

•Compare and contrast computer attack and abuse tactics.

•Explain how social engineering techniques are used to gain physical or logical access to computer resources.

•Describe the different types of malware used to harm computers.

6-2


Types of Attacks

•Hacking▫Unauthorized access, modification, or use

of an electronic device or some element of a computer system

•Social Engineering▫Techniques or tricks on people to gain

physical or logical access to confidential information

•Malware▫Software used to do harm

6-3


Hacking▫Hijacking

Gaining control of a computer to carry out illicit activities

▫Botnet (robot network) Zombies Bot herders Denial of Service (DoS) Attack

▫Spamming Dictionary attacks

▫Spoofing Makes the communication look as if someone else

sent it so as to gain confidential information.6-4


Forms of Spoofing

•E-mail spoofing•Caller ID spoofing•IP address spoofing•Address Resolution (ARP) spoofing•SMS spoofing•Web-page spoofing (phishing)•DNS spoofing

6-5


Hacking with Computer Code• Zero-day attack

▫An attack between the time a new software vulnerability is discovered and a patch is released.

• Cross-site scripting (XSS)▫Uses vulnerability of Web application that allows the

Web site to get injected with malicious code. When a user visits the Web site, that malicious code is able to collect data from the user.

• Buffer overflow attack▫Large amount of data sent to overflow the input

memory (buffer) of a program causing it to crash and replaced with attacker’s program instructions.

• SQL injection (insertion) attack▫Malicious code inserted in place of a query to get to the

database information 6-6


Other Types of Hacking•Man in the middle (MITM)

▫Hacker is placed in between a client (user) and a host (server) to read, modify, or steal data.

•Masquerading/impersonation•Piggybacking•Password cracking•War dialing and driving•Phreaking•Data diddling•Data leakage

▫podslurping 6-7


Hacking Used for Embezzlement•Salami technique:

▫Taking small amounts at a time Round-down fraud

•Economic espionage▫Theft of information, intellectual property

and trade secrets•Cyber-extortion

▫Threats to a person or business online through e-mail or text messages unless money is paid

6-8


Hacking Used for Fraud

•Cyber-Bullying•Internet Terrorism•Internet misinformation•E-mail threats•Internet auction •Internet pump and dump•Click fraud•Web cramming•Software piracy

6-9


Social Engineering Techniques• Identity theft

▫ Assuming someone else’s identity

• Pretexting▫ Using a scenario to trick

victims to divulge information or to gain access

• Posing▫ Creating a fake business to

get sensitive information• Phishing

▫ Sending an e-mail asking the victim to respond to a link that appears legitimate that requests sensitive data

• Pharming▫ Redirects Web site to a

spoofed Web site• URL

hijacking/Typosquatting▫ Takes advantage of

typographical errors entered in for Web sites and user gets invalid or wrong Web site

• Tabnabbing▫ Secretly changing an

already open browser tab

6-10


Social Engineering Techniques• Scavenging

▫ Searching trash for confidential information

• Shoulder surfing▫ Snooping (either close

behind the person) or using technology to snoop and get confidential information

• Lebanese looping▫ Inserting a sleeve into an

ATM that prevents it from ejecting the card. Then “helping” the victim in order to see their PIN

• Skimming▫ Double swiping credit

card• Chipping

▫ Planting a chip in a card reader

• Eavesdropping▫ Listening to private

communications or tapping into data communications

6-11


Why People Fall Victim• Compassion

▫ Desire to help others• Greed

▫ Want a good deal or something for free• Sex appeal

▫ More cooperative with those that are flirtatious or good looking

• Sloth▫ Lazy habits

• Trust▫ Will cooperate if trust is gained

• Urgency▫ Cooperation occurs when there is a sense of immediate need

• Vanity▫ More cooperation when appeal to vanity

6-12


Minimize the Threat of Social Engineering

•Never let people follow you into restricted areas

•Never log in for someone else on a computer

•Never give sensitive information over the phone or through e-mail

•Never share passwords or user IDs•Be cautious of someone you don’t know

who is trying to gain access through you6-13


Types of Malware• Spyware

▫ Secretly monitors and collects information

▫ Can hijack browser, search requests

▫ adware • Scareware

▫ Software that is sold using scare tactics

▫ ransomware• Keylogger

▫ Software that records user keystrokes

• Trojan Horse▫ Malicious computer

instructions in an authorized and properly functioning program

• Time bomb/logic bomb▫ Program that lies idle until

some specified circumstance or time

• Trap door/back door▫ Set of instructions that allow

the user to bypass normal system controls

• Packet sniffer▫ Captures data as it travels

over the Internet• Steganography

▫ Hides data inside a host file• Rootkit

▫ Conceals system files from the operating system and other programs. Can be used to hide trap doors, sniffers, key loggers, etc.

6-14


Types of Malware• Superzapping

▫ The unauthorized use of a program to bypass regular controls and perform illegal acts.

• Virus▫ A section of self-

replicating code that attaches to a program or file requiring a human to do something so it can replicate itself

• Worm▫ Stand alone self

replicating program

6-15


Cellphone Bluetooth Vulnerabilities

•Bluesnarfing▫Stealing contact lists, data, pictures on

bluetooth compatible smartphones•Bluebugging

▫Taking control of a phone to make or listen to calls, send or read text messages

6-16

Computer Fraud and Abuse Techniques

Documents

Transcript of Computer Fraud and Abuse Techniques