
SPCI105

POSTGRADUATE COURSE
M.Sc., Cyber Forensics and Information Security

FIRST YEAR
FIRST SEMESTER

ELECTIVE PAPER - I

FORMS OF CYBER CRIMES

INSTITUTE OF DISTANCE EDUCATION


UNIVERSITY OF MADRAS

WELCOME
Warm Greetings.

It is with great pleasure that I welcome you as a student of the Institute of Distance Education, University of Madras. It is a proud moment for the Institute of Distance Education as you are entering a cafeteria system of learning, as envisaged by the University Grants Commission. Yes, we have framed and introduced the Choice Based Credit System (CBCS) in semester pattern from the academic year 2018-19. You are free to choose courses, as per the Regulations, to attain the target number of credits set for each course and for each degree programme. What is a credit? To earn one credit in a semester you have to spend 30 hours in the learning process. Each course has a weightage in terms of credits. Credits are assigned by taking into account the level of the subject content. For instance, if a particular course or paper has 4 credits, then you have to spend 120 hours of self-learning in a semester. You are advised to plan your strategy for devoting hours of self-study to the learning process. You will be assessed periodically by means of tests, assignments and quizzes, either in the classroom, in the laboratory or in field work. In the case of PG (UG) programmes, Continuous Internal Assessment carries 20 (25) per cent and the End Semester University Examination 80 (75) per cent of the maximum score for a course / paper. The theory paper in the end semester examination will bring out your various skills, namely basic knowledge of the subject, memory recall, application, analysis, comprehension and descriptive writing. While training you in conducting experiments, we will always have in mind analysing your performance during laboratory work and observing the outcomes to bring out the truth from the experiment, and we measure these skills in the end semester examination. You will be guided by well experienced faculty.

I invite you to join the CBCS in Semester System to gain rich knowledge leisurely at
your will and wish. Choose the right courses at right times so as to erect your flag of
success. We always encourage and enlighten to excel and empower. We are the cross
bearers to make you a torch bearer to have a bright future.

With best wishes from mind and heart,

DIRECTOR


COURSE WRITER & EDITOR

Dr. N. Kala
Director i/c,
Centre for Cyber Forensics and Information Security
University of Madras, Chepauk,
Chennai – 600 005.

Dr. S. Thenmozhi
Associate Professor
Department of Psychology
Institute of Distance Education
University of Madras
Chepauk, Chennai - 600 005.

© UNIVERSITY OF MADRAS, CHENNAI 600 005.



SYLLABUS

Unit 1: Cyber Crime – Introduction – History and Development – Definition, Nature and Extent of Cyber Crimes in India and other countries – Classification of Cyber Crimes – Trends in Cyber Crimes across the world.

Unit 2: Forms of Cyber Crimes, Frauds – hacking, cracking, DoS – viruses, worms, bombs, logic bombs, time bombs, email bombing, data diddling, salami attacks, phishing, steganography, cyber stalking, spoofing, pornography, defamation, computer vandalism, cyber terrorism, cyber warfare, crimes in social media, malware, adware, scareware, ransomware, social engineering, credit card frauds and financial frauds, telecom frauds. Cloud based crimes – understanding fraudulent behaviour, fraud triangle, fraud detection techniques, Intellectual Property Rights and violation of Intellectual Property Rights, E-commerce frauds and other forms.

Unit 3: Modus Operandi of various cybercrimes and frauds – Definition of various types of cyber frauds – Modus Operandi – Fraud triangle – fraud detection techniques including data mining and statistical references – countermeasures.

Unit 4: Profile of Cyber criminals – Cyber Crime Psychology – Psychological theories dealing with cyber criminals.

Unit 5: Impact of cybercrimes – on the individual, on corporates and companies, on government and the nation.



SCHEME OF LESSONS

Sl.No. Title Page

1 Introduction 1

2 Human Element and Technology Element 26

3 Broad Classification of Cyber crimes 46

4 Evolution of Cybercrimes 66

5 Emerging Characteristics of Cyber Crime 75

6 Cyber Criminals 83

7 Motives of Cybercriminals 98

8 Impact of Cyber Crimes 123

9 Virus, Worms and Trojans 131

10 Rootkit & Botnets 154

11 SPAM 166

12 SCAMS 175

13 Malware, Spyware and Ransomware 192

14 Cyber Frauds - Part - I - Telecom Frauds 219

15 Cyber Frauds - Part - II - Payment Card Frauds 241

16 Cyber Frauds - Part - III - Ecommerce Frauds 262

17 Cyber Frauds - Part - IV - IT Frauds 275


LESSON - 1
INTRODUCTION
Learning Objectives

After reading this lesson you will be able to

• Understand what crime is and the various types of crime

• Understand what cyber crime is:

  1. its definition

  2. its classification

  3. its nature and extent

  4. its trends across the world

Structure
1.1 Introduction

1.2 Crime

1.2.1 Types of crimes

1.3 Cyber crime

1.3.1 Definition of cyber crime

1.3.2 Classification of cyber crime

1.3.2.1 Violent Cyber crime

1.3.2.2 Non-Violent Cyber Crime

1.3.3 Nature and extent of cyber crime

1.3.3.1 Cyber Crime: Global Scenario

1.3.3.2 Cyber Crime: Indian scenario

1.3.3.3 Factors influencing Cyber crime

1.3.4 Trends in cyber crime across the world

1.3.5 Trends in India

1.4 Summary

1.1. Introduction
In this lesson we discuss crime, the types of crime, and give an overview of cyber crime.

1.2. Crime
• Crime is the commission or omission of an act which constitutes an offence and is punishable by law.

• It is a harmful act against people, property or the Nation.

• It is an unlawful act that is punishable by a state or other authority.

• To be classified as a crime, there must be

  o the act of doing something criminal (actus reus), and

  o with certain exceptions, an accompanying intention to do something criminal (mens rea).

• The state has the power to severely restrict a person's liberty for committing a crime.

• Crime is as old as humankind.

• Most crimes leave behind traces of "silent evidence".

• These traces of material, known as physical evidence, are found at the scene of crime and act as potent clues that subsequently become the most eloquent witness.

• The latest entrant is digital evidence.

• If an accused person is found guilty, he or she may be sentenced depending upon the crime and must undergo imprisonment according to the law of the land.

1.2.1. Types of Crimes

There are different types of crime, and people react to each type differently. Table 1.1 lists the various types of crime with a brief description of each.

Table 1.1 Types of crimes

1. Antisocial behaviour: conduct that leaves the victim feeling intimidated or distressed by another person's behaviour towards them.

2. Arson: deliberately setting fire to another person's property, either to damage the property or to injure people.

3. Burglary: breaking into a building with the intention of stealing, hurting someone, or causing unlawful damage to them or their property.

4. Child abuse: mistreating children in any of several ways, including neglect and physical, emotional or sexual abuse.

5. Crime abroad: crimes committed against people while they are in a foreign country, including crimes on cruise ships.

6. Computer crime: crimes carried out using computers.

7. Domestic abuse: abusive behaviour by one person towards another within a family or a relationship.

8. Fraud: tricking others in order to gain a dishonest advantage.

9. Hate crime: a prejudice-motivated crime, in which the perpetrator targets the victim because of the victim's membership, or perceived membership, of a particular group. The term describes any incident or crime against someone based on a part of their identity; it is also known as bias-motivated crime or bias crime.

10. Murder or manslaughter: murder is the unlawful killing of another human being, without justification or valid excuse, with malice aforethought. Depending on the jurisdiction, murder is distinguished from other forms of unlawful homicide such as manslaughter, a killing committed without malice, brought about by reasonable provocation or diminished capacity. Involuntary manslaughter, where it is recognised, is a killing that lacks all but the most attenuated guilty intent, recklessness.

11. Rape or sexual assault: rape is an act carried out by physical force, coercion or abuse of authority, or against a person who is incapable of giving valid consent, such as one who is unconscious, incapacitated, has an intellectual disability or is below the legal age of consent. Sexual assault is an act in which a person touches another person with sexual intent and without that person's consent.

12. Robbery: stealing from someone using violence or threats, usually (but not always) in the street or another public place.

13. Sexual harassment: unwanted behaviour of a sexual nature that makes a person feel humiliated or intimidated, or that creates a hostile environment.

14. Stalking and harassment: persistent and unwanted attention that makes a person feel pestered and harassed.

15. Terrorism: a sudden and unpredictable attack planned by terrorists to create a climate of fear among the public, which can lead to an ongoing feeling of insecurity.

16. Violent crime: crime that hurts people physically, which may include the use of a weapon.

17. Revenge porn: sharing sexually explicit images or videos of another person without their consent.

1.3. Cyber Crimes


Cyber crimes are crimes committed in cyberspace. Cyberspace refers to the virtual computer world and, more specifically, to the electronic medium that forms a global computer network and facilitates online communication.

The parent term of cyberspace is "cybernetics", derived from the Ancient Greek word for a steersman or governor, which Norbert Wiener introduced for his pioneering work in electronic communication and control science.

The term cyberspace was popularised by William Gibson in his 1984 novel "Neuromancer". Gibson criticised the term in later years, calling it "evocative and essentially meaningless". Nevertheless, the term is still widely used to describe any facility or feature that is linked to the Internet.

Cyberspace allows users to

• share information,

• interact,

• swap ideas,

• play games,

• engage in discussions or social forums,

• conduct business and

• create intuitive media,

among many other activities.

Cyberspace has gained popularity as a medium for social interaction, more than for its technical execution and implementation.

Cyberspace's core feature is an interactive, virtual environment for a broad range of participants. It is a large computer network made up of many worldwide computer networks that employ the Transmission Control Protocol/Internet Protocol (TCP/IP) suite for communication and data exchange.

Cyberspace has transformed the global economy in a phenomenal way. The scale of cyberspace usage and the growing acceptance of the internet demonstrate a global obsession that has made the internet an intrinsic and compelling part of society's day-to-day activities.

The increasing volume of communication and commerce via

• email,

• chat,

• social networking,

• online shopping,

• internet banking,

• gaming,

• purchase of online gifts,

• travel tickets and

• online purchase of property

reflects a paradigm shift in society from citizens to netizens.

The World Wide Web, the most significant technological advance built on the Internet, was conceived by Tim Berners-Lee in 1989 and has since grown beyond imagination, turning the world into a global village. Digital communication and interaction now reach nearly two thirds of the world's population. This has changed society and had a significant impact on business, critical infrastructure and fundamental aspects of modern life. Services such as

• driving licences,

• vehicle registration certificates,

• filing of income tax returns,

• land records,

• banking transactions,

• credit cards,

• railway reservations,

• passport issuance,

• immigration control

and many more are now administered electronically. Citizens are gradually becoming dependent on computers, networks and the like, and are turning into netizens.

A recent study was conducted to find out how dependent young people are on the internet. It found that 75% of the young people surveyed, aged 16 to 24, could not survive without the internet. Despite the useful advances that technology brings, the internet also gives unscrupulous individuals ample opportunity for undesirable activities, owing to the ease of access, open nature and increased anonymity of the virtual world.

Any deviant behaviour with malicious intent in cyberspace leads to cyber crime. Since risks and vulnerabilities are becoming more and more sophisticated, there is an ever increasing need to create new knowledge and to understand the new risks, interactions, probabilities and costs of such operations, so that cyber crime can be tackled with scientific rigour. In this connection, studying cyber crime from an e-governance perspective is the need of the hour. It is important to note that cyberspace spans not only state but also national boundaries.

Cyber crime is a major problem for every country's law enforcement. These crimes have no clearly definable geographic boundaries; they transcend the borders of states and nations over computer and telecommunication networks that can be reached across the globe within milliseconds. Hence it is difficult to enforce regulations, because laws differ from country to country.

The growth and proliferation of the Internet worldwide has increased the need to conduct cyber crime investigations through efficient and meticulous cyber forensics. Police, the judiciary, lawyers, forensic experts, private investigators and network administrators all require extensive knowledge and skill in computer technology to counter this menace, through effective training, the creation of specialised units, the necessary legislation and international co-operation. These are some of the steps that require the immediate attention of all governments in the world.

Global internet usage has risen to over two billion people over a span of ten years. Foreign intelligence organisations are working to acquire the capacity to disrupt elements of critical information infrastructure, on both unclassified and classified networks.

Computers can be used to commit crimes, and evidence of crimes can be recorded on computers: violations of company policy, records of embezzlement, email harassment, leaks of proprietary information, and even murder and terrorism.

The tools and techniques used by cyber criminals are growing in sophistication at an incredible rate. Beyond government activities, cyber criminals can control botnets with millions of infected hosts, whether the goal is money, access to intellectual property, or disruption of critical infrastructure systems.

The pursuit of cyber crime detection has two main objectives:

• to prevent the occurrence of cyber crime in vulnerable institutions that require protection from loss, pilferage and mishandling through accidental or intentional manipulation, and

• to detect and document cyber crimes through a disciplined methodology.

With the advancement of technology, the computer is both the instrument of crime and the location of evidence. Forensic science, in its broadest definition, is the application of science to law, especially to the criminal and civil laws enforced by law enforcement agencies in the criminal justice system.

Cyber forensics presents the investigation and analysis techniques used on computers to obtain potential legal evidence. It involves the

• preservation,

• identification,

• extraction and

• documentation of computer evidence

stored as data or magnetically encoded information. The computer operating system invariably leaves behind such evidence transparently, without the knowledge of the computer user, and it may be hidden from view.

Special forensic software tools and techniques are required to recognise and retrieve such evidence. Computer forensics involves obtaining and analysing such digital information for use in civil, criminal or administrative cases. Until recently digital evidence was not treated as tangible evidence in court, but it is now gaining importance.

1.3.1 Definition of cyber crime

At the 10th United Nations Congress on the Prevention of Crime and the Treatment of Offenders, two definitions were developed within a related workshop. Cybercrime in a narrow sense (computer crime) covers:

"any illegal behaviour directed by means of electronic operations that target the security of computer systems and the data processed by them."

Cybercrime in a broader sense (computer-related crime) covers:

"any illegal behaviour committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession and offering or distributing information by means of a computer system or network."

A simpler definition of cyber crime is "crimes directed at a computer or a computer system". The nature of cyber crime is nonetheless far more complex: it can take the form of simple snooping into a computer system for which one has no authorisation, releasing a computer virus into the wild, malicious vandalism by a disgruntled employee, or the theft of data, money or sensitive information using a computer system.

In a cyber crime committed over the Internet, the computer or network may serve as

• a tool,

• a target, or

• something incidental to the crime.

1.3.2 Classification of Cyber Crime

Cyber crimes may be generally classified as violent cyber crimes and non-violent cyber
crimes. This has been portrayed in the Figure1.1 as detailed below:

Figure 1.1: General Classification of Cyber Crimes



1.3.2.1 Violent Cyber Crimes


Table 1.2 below lists the types of violent cyber crimes.

Table 1.2: Types of violent cyber crimes

1. Cyber terrorism
  • Sabotaging vital defence installations
  • Email messages from terrorist groups
  • Hacktivism: hacking to promote a political agenda or social change
  • Ransomware: malicious software designed to block access to a computer system until a sum of money is paid
  • Cyber warfare: the use of computer technology to disrupt the activities of a state or organisation, especially the deliberate attacking of information systems for strategic or military purposes

2. Cyber threats
  • Email bomb threats
  • Email threats to individuals

3. Cyber stalking
  • The repeated use of electronic communications or social networking sites to harass or frighten someone, for example by sending threatening emails

4. Pornography
  • The portrayal of obscene graphics and text

5. Child pornography
  • A form of child sexual exploitation
  • Any visual depiction of sexually explicit conduct involving a minor (a person under 18 years of age)

6. Hacking
  • Manipulating data or functionality, or stealing data, through unauthorised access to computers or computer networks
  • Cyber espionage
  • Port scanning and port probing
  • Data sniffing and spoofing
  • Denial of service attacks
  • Web jacking
  • Email bombing
  • Defacing or redirecting websites

7. Viruses, worms and Trojans
  • Infecting systems with, and spreading, viruses, worms and Trojans
  • Manipulating computer behaviour
  • Hostile profiling

8. Malware, scareware and adware
  • Malware aimed at disabling computers or computer networks
  • Scareware: malicious programs designed to trick a user into buying and downloading unnecessary and potentially dangerous software, such as fake antivirus protection
  • Adware (advertising-supported software): software that generates revenue for its developer by automatically generating online advertisements

9. Command and control
  • A command and control server (C&C server) is a computer that issues directives to devices that have been infected with rootkits or other malware, such as ransomware
  • C&C servers can be used to build large networks of infected devices capable of carrying out distributed denial-of-service (DDoS) attacks, stealing data, deleting data, or encrypting data as part of an extortion scheme

10. Botnet
  • A botnet is a number of Internet-connected devices, each running one or more bots
  • Botnets can be used to perform DDoS attacks, steal data, send spam, and give the attacker access to each device and its connection
  • The operator controls the botnet using command and control (C&C) software. The word "botnet" combines "robot" and "network" and is usually used with a malicious connotation
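Items 9 and 10 above describe command and control servers and botnets from the criminal's side. As an added example, not part of the original lesson, the following Python program shows how a defender can spot that traffic in a proxy log: a bot typically contacts its C&C server at a fixed interval ("beaconing"), so the detector groups outbound connections by source and destination and flags pairs whose connection gaps are both numerous and unusually regular. The log lines, the addresses and the thresholds are constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, not real traffic. Format: "<ISO timestamp> <src> <dst>".
# 10.0.0.5 contacts 203.0.113.7 about once a minute (a beacon); the other
# lines are irregular, ordinary browsing. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2017-06-01T09:00:00 10.0.0.5 203.0.113.7
2017-06-01T09:00:04 10.0.0.5 198.51.100.20
2017-06-01T09:01:01 10.0.0.5 203.0.113.7
2017-06-01T09:01:59 10.0.0.5 203.0.113.7
2017-06-01T09:02:10 10.0.0.9 198.51.100.20
2017-06-01T09:03:00 10.0.0.5 203.0.113.7
2017-06-01T09:03:37 10.0.0.5 198.51.100.20
2017-06-01T09:04:02 10.0.0.5 203.0.113.7
2017-06-01T09:04:58 10.0.0.5 203.0.113.7
2017-06-01T09:06:00 10.0.0.5 203.0.113.7
2017-06-01T09:06:20 10.0.0.5 198.51.100.20
2017-06-01T09:07:01 10.0.0.5 203.0.113.7
2017-06-01T09:08:00 10.0.0.5 203.0.113.7
2017-06-01T09:25:12 10.0.0.5 198.51.100.20
2017-06-01T09:26:03 10.0.0.9 198.51.100.20
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(stamp))
    return flows


def find_beacons(text: str, min_connections: int = 6, max_jitter: float = 0.2) -> dict:
    """Return {(src, dst): (mean_gap_seconds, jitter)} for flows that look like beacons.

    A flow qualifies when it has at least min_connections connections and the
    spread of the gaps between them, measured as stdev / mean, is below
    max_jitter. Human browsing produces uneven gaps; a bot on a timer does not.
    """
    hits = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[pair] = (round(avg, 1), round(jitter, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (gap, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {gap}s (jitter {jitter})")
```

Real bots add random sleep to their interval or hide among busy traffic, so in practice the thresholds are tuned per network and the result is combined with other signals such as bytes transferred, destination reputation and the user agent, rather than used on its own.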

1.3.2.2 Non-violent cyber crimes

Table 1.3 below lists the types of non-violent cyber crimes.

Table 1.3: Types of non-violent cyber crimes

1. Cyber trespass
  • Reading other people's personal email by intruding into their email accounts
  • Unauthorised access to computers or computer networks without damaging the data or infrastructure

2. Cyber theft
  • Embezzlement
  • Cyber squatting
  • Software piracy
  • Copyright infringement
  • Identity theft and forgery
  • Industrial espionage
  • Netspionage
  • Spyware, cookies

3. Cyber fraud
  • Con games
  • Online scams
  • Nigerian scams and online lotteries
  • Online auction frauds
  • Phishing
  • Pharming
  • Credit/debit card frauds
  • Telecom frauds
  • IT frauds

4. Password cracking
  • Cracking of passwords for unauthorised access
  • Password trafficking
  • Password sniffing
  • Keylogging

5. Malware
  • Adware
  • Spyware
  • Scareware
  • Scumware

6. Junk mail
  • Spam
  • Spim

7. Steganography
  • The concealment of information within computer files
  • In digital steganography, an image or other file may be hidden inside a document file, image file, program or network protocol
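Item 7 above names steganography without showing the mechanism, so the following Python program is added here as an illustration; it is not from the original lesson. It hides a message in the least significant bit (LSB) of each byte of a carrier, the simplest form of image steganography, and recovers it again. The carrier is a constructed 64 x 64 grayscale gradient rather than a real image file, and the message is made up for the example.

```python
import struct

# Constructed carrier, not a real image file: a 64 x 64 grayscale gradient,
# one byte per pixel. Any byte sequence with enough capacity would do.
COVER = bytes((x + y) % 256 for y in range(64) for x in range(64))
# Made-up message for the example.
PAYLOAD = b"meet at the usual place"


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of successive cover bytes.

    A 4-byte big-endian length header precedes the payload so that the
    extractor knows how many bytes to read back.
    """
    message = struct.pack(">I", len(payload)) + payload
    needed = len(message) * 8          # one cover byte per message bit
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} bytes, have {len(cover)}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(message)):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Recover a payload written by lsb_embed, or raise ValueError if the
    length header cannot be valid for a carrier of this size."""

    def read_bytes(bit_offset: int, count: int) -> bytes:
        out = bytearray()
        for n in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[bit_offset + n * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    if len(stego) < 32:
        raise ValueError("carrier too short to hold a length header")
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length header inconsistent with carrier size: no payload")
    return read_bytes(32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel difference the embedding introduced (1 for pure LSB hiding)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    hidden = lsb_embed(COVER, PAYLOAD)
    print("recovered:", lsb_extract(hidden))
    print("largest pixel change:", max_pixel_change(COVER, hidden))
```

Changing only the lowest bit alters each pixel by at most one brightness level, which is why the carrier looks unchanged to the eye. The length header is what lets the extractor stop in the right place; an examiner who finds an implausible header, or an image whose LSB plane looks like random noise where the picture content is smooth, has a reason to look closer.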

1.3.3 Nature and extent of cyber crime


1.3.3.1 Cyber Crimes: Global Scenario

Figure 1.2 shows the geographical distribution of data breaches, ranked by share of attacks, as reported by Trustwave in its 2017 security threat report. According to this report, 43% of attacks were recorded in North America, followed by Asia Pacific (30%), Europe and the Middle East (24%) and Latin America and the Caribbean (4%).

Figure 1.2: Geographical Location of data breach


(Source: Trustwave security report, 2017)

The statistics in Figure 1.3 show the damages caused by cyber crime reported to the Internet Crime Complaint Center (IC3) from 2001 to 2016. In the last reported period, the annual losses from complaints referred to the IC3 amounted to 1.33 billion US dollars, up from 781.84 million US dollars in 2013. The most costly consequences of cyber attacks for global companies in 2016 were losses suffered through business disruption and information loss. In that year the majority of data breach incidents were related to identity theft, followed by financial and account access.

Figure 1.3: The amount of damages caused by cyber crime reported to the IC3 from
2001 to 2016

1.3.3.2 Indian Scenario

India is becoming a digital country. With the Digital India initiatives gaining momentum, more and more people are adopting digital transactions. Cyber crime is also on the rise in India. Table 1.4 sets out the cyber attack surface, measured by several factors, for 2015 together with projections for 2020.

Table 1.4: Attack surface based on various factors (mn = million)

Factor                    2015       2020 (projected)
Population                1250 mn    1350 mn
Mobile phone users        1000 mn    1200 mn
Internet users             300 mn     650 mn
Smartphone users           240 mn     520 mn
Digital transactions       0.3 mn   171.2 mn

Figure 1.4 represents the same attack surface graphically: the growth in population, in the number of internet users, in the number of mobile phone and smartphone users, and in the number of digital transactions, all in millions. Because the internet offers anonymity, many innocent victims are targeted. Attacks on computers are few compared with the number of mobile and smartphone users, so attackers increasingly target mobile transactions and damage individuals' finances.

Figure 1.4: Cyber Attack Surface (India)



1.3.3.3 Factors influencing cyber crime

There are several factors that influence the growth of criminal activity on the internet and the rate of cyber crime. They include:

• Availability of tools to commit crime

• Unlike traditional crime, no need to be physically present at the crime scene

• Anonymity on the internet

• Low cost of committing the crime

• Availability of masking tools

• Reach beyond geographic areas, with the jurisdictional concerns that brings

• Lack of awareness among users of computer systems, networks and mobile devices

• Impact of social media

1.3.4 Trends in cyber crime across the world

• Rapidly emerging cyber attack trends have unfortunately become a reality, including the growth and evolution of ransomware, the use of botnets and automated, orchestrated cyber attacks within business processes, and email compromise attacks in financial markets and other regulated industry segments.

• Ransomware attacks continue to be integrated attacks that combine social engineering, automated botnets and physical attacks, evolving into well planned and orchestrated "cyber-hostage" situations.

• Multiple terrorist and cyber attacks on public transport systems were executed successfully between 2016 and 2017. Many ransomware attacks during 2017 are believed to have been used for reconnaissance: to assess and test reach, effectiveness and response rates, and to validate attack and distribution targets and methods.

• Many of these attacks are beta tests for new automated exploits that use weaponised National Security Agency (NSA) tools and other Artificial Intelligence (AI) code bases.

• Figure 1.5 portrays the year-wise growth of ransomware exploits and clearly indicates the staggering rise in the number of attacks.

Figure 1.5 Growth of Ransomware Exploit

• Cyber criminals, hacktivists, nation-states and the criminal underground are using ransomware, botnets, AI and weaponised automated attacks to gather intelligence and perform reconnaissance on markets, industries, corporations, governments and individuals.

Figure 1.6: Evolution of Cyber Criminal Syndicate


• These organisations leverage the intelligence gathered from these beta tests and reconnaissance missions to launch very deliberate, targeted and highly orchestrated attacks against executives, high profile media personalities, corporations and organisations that provide critical infrastructure.

• These enhancements can rapidly evolve into a fully functional cyber criminal syndicate. Figure 1.6 illustrates the evolution of the cyber criminal enterprise on the dark web.

• Business process compromise

These attacks have evolved from basic counterfeiting, coercion, financial and business fraud and theft into complex, well planned and orchestrated physical and cyber attacks that are used to disrupt business processes, or to create counterfeit, fraudulent business processes within companies and on the web, in order to steal payments or customer, employee, supplier and partner information, or to gain access to critical systems or finance and banking accounts. While these attacks are not new, we believe they will expand across industries and market segments and grow exponentially to include online business and brandjacking attacks. With immature processes and standards for validating and verifying online brands, products and services across websites, exchanges, marketplaces, social media and e-commerce platforms, it is easy to demonstrate how counterfeit corporate websites, web pages and social media brands can be set up and launched for brandjacking purposes. Figure 1.7 shows how cyber criminals hijack business processes and compromise enterprises.

Figure 1.7: Business Process Compromise orchestrated by Cyber Criminals

Business process compromise is generally carried out through social engineering. Figure 1.8 illustrates the process: social engineering, the non-technical gathering of information, followed by the technical intrusion. It involves stages such as intelligence gathering, gaining a point of entry, communication through command and control, lateral movement, maintaining access, data exfiltration and data peddling.

Figure 1.8: Business Process compromise through Social Engineering

Approximately 3 billion US dollars have been lost to business email compromise. Figure 1.9 shows the five countries most affected in 2016-17, namely the United States of America, the United Kingdom, Hong Kong, Japan and Brazil. The personnel targeted include CFOs (40.38%), Directors (9.62%), Financial Controllers (5.77%), Finance Directors (3.85%) and others (36.53%).

Figure 1.9: Top 5 countries affected in the year 2016-17
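The figures above describe the outcome of business email compromise; the following Python program, added here as an illustration and not part of the original lesson, shows the checks a mail gateway or an analyst can run on a single message to catch the common BEC patterns: an executive's display name on an outside mailbox, a lookalike sender domain, a Reply-To that silently diverts the conversation, a failed DMARC result on a message claiming to be internal, and payment language in the subject. The corporate domain, the executive and the four messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation for the example; substitute your own domain and staff list.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"priya raman": "priya.raman@example-corp.com"}   # hypothetical CFO
PAYMENT_WORDS = ("urgent", "wire", "transfer", "invoice", "payment")

# Substitutions attackers use to build lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Fold common homoglyph tricks so 'exarnple' and 'examp1e' both read as 'example'."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    if domain == CORPORATE_DOMAIN:
        return False
    return (normalise(domain) == normalise(CORPORATE_DOMAIN)
            or edit_distance(domain, CORPORATE_DOMAIN) <= 2)


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def assess(raw_message: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("impersonation")          # executive's name, someone else's mailbox
    if is_lookalike(from_domain):
        findings.append("lookalike-domain")
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply-to-mismatch")      # replies are quietly diverted elsewhere
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("dmarc-fail")             # claims our domain but did not authenticate
    subject = msg.get("Subject", "").lower()
    if findings and any(word in subject for word in PAYMENT_WORDS):
        findings.append("payment-lure")           # only meaningful alongside another indicator
    return findings


# Constructed messages for the example (not real mail).
LEGIT = """\
From: "Priya Raman" <priya.raman@example-corp.com>
To: accounts@example-corp.com
Authentication-Results: mx.example-corp.com; dmarc=pass header.from=example-corp.com
Subject: Quarterly review notes

Slides attached for Monday.
"""
LOOKALIKE = """\
From: "Priya Raman" <priya.raman@exarnple-corp.com>
To: accounts@example-corp.com
Subject: Urgent wire transfer before 3pm

Process the attached transfer today and keep it confidential.
"""
FREEMAIL = """\
From: "Priya Raman" <priya.raman.cfo@gmail.com>
Reply-To: <accounts-office@mail-relay.net>
To: accounts@example-corp.com
Subject: Invoice payment approval needed

I am travelling; reply to this address with the payment confirmation.
"""
SPOOFED = """\
From: "Priya Raman" <priya.raman@example-corp.com>
To: accounts@example-corp.com
Authentication-Results: mx.example-corp.com; spf=fail dmarc=fail header.from=example-corp.com
Subject: Urgent: vendor payment today

Please release the vendor payment this morning.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE),
                          ("freemail", FREEMAIL), ("spoofed", SPOOFED)):
        print(label, assess(sample) or "clean")
```

The payment keywords are deliberately counted only when another indicator is present; on their own they describe most of a finance team's ordinary mail. The DMARC check relies on the receiving gateway having written an Authentication-Results header, so the message that passes every other test but fails DMARC is the one that a purely content-based filter would miss.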



1.3.5 Trends in India

The Digital India Programme launched by the Government of India, which aims to provide
government services digitally and promote digital literacy, besides building secure digital
infrastructure for the country, is driving this transformation.

Digital payments have also seen an upsurge, with mobile banking transactions alone growing threefold since 2014. It is envisaged that with these initiatives in place, India's digital economy will grow from 270 billion USD to around 1 trillion USD in the next 5 to 7 years.

However, this is also opening up gaps that adversaries can exploit, depriving us of the benefits of digital technologies. The number of incidents reported to the Indian Computer Emergency Response Team (CERT-In) was 27,482 up to June 2017.

Cyber attacks can deliver economic blows, derail India from its projected growth trajectory and worsen relations with neighbouring countries, potentially unleashing a state of anarchy. Considering both the benefits of technology and the need to safeguard against cyber attacks, it is imperative for a growing digital economy like India to focus on cyber security and build a cyber-resilient environment.

Figure 1.10: Digital India Trends



Key Cyber Security initiatives launched by Government of India

India has taken several initiatives to strengthen its cyberspace. These include awareness programmes; efforts to create a strong policy environment and to strengthen security monitoring capabilities; international cooperation; and research and development to promote cyber security. Some of the key initiatives are listed below:

1. National Cyber Security Policy: The policy provides the vision and strategic direction
to protect the national cyberspace. The policy was released in 2013.

2. National Cyber Security Coordination Centre (NCCC): The NCCC performs real-time threat assessment and creates situational awareness of potential cyber threats to the country. It was made operational in August 2017.

3. National Critical Information Infrastructure Protection Centre (NCIIPC): The organisation was created under section 70A of the IT Act. It is designated as the national nodal agency in respect of critical information infrastructure protection. It aims to protect and safeguard critical information infrastructure (CII) against cyber terrorism, cyber warfare and other threats.

4. Cyber Swachhta Kendra: Launched in early 2017, the Cyber Swachhta Kendra provides a platform for users to analyse and clean their systems of viruses, bots, Trojans and other malware.

5. International cooperation: Seeking to secure cyberspace, India has entered into nine new bilateral agreements with developed nations such as the US, Singapore and Japan in order to promote research and information sharing on cyber security. These collaborative efforts will enable India to combat advanced threats.

6. Promoting research and development: To promote cyber security across the nation, the government has initiated a programme offering public grants worth 1000 crore INR to companies engaged in innovation and research in cyber security.

7. Sectoral and state CERTs: The government has launched sectoral CERTs, starting with critical sectors such as power and finance. Further, the government plans to launch CERTs at the state level.

8. Security testing: There are plans to set up ten additional Standardization, Testing and
Quality Certification (STQC) testing facilities across the country for the evaluation and certification
of IT products.

According to the International Telecommunication Union's (ITU) Global Cybersecurity Index, India ranked 5th in 2015 but moved to 23rd among 134 countries in 2017. The security landscape of the country may be further improved with concrete initiatives and lessons learnt from other countries.

Summary
• Crime is an act of commission or omission which constitutes an offence and is punishable by law. It is a harmful act against people, property or the Nation.

• Cyber space refers to the virtual computer world and, more specifically, is an electronic medium used to form a global computer network to facilitate online communication.

• Cyber crime is defined as any illegal behaviour committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession and offering or distributing information by means of a computer system or network. It is also defined as any illegal behaviour directed by means of electronic operations that target the security of computer systems and the data processed by them.

• Cyber crimes may be broadly classified as violent and non-violent cyber crimes. The Internet is the medium for committing cyber crime, with the computer or network used as a tool, as a target, or incidentally to the crime.

• Potentially violent crimes include cyber terrorism, cyber warfare, cyber stalking, pornography, child pornography, hacking, viruses, worms and Trojans, malware, scareware and ransomware. Non-violent cyber crimes involve cyber trespass, password cracking, cyber theft, cyber fraud, malware, junk mail and steganography.

Check your answers

1. Crime is ………………… or ……………………. of an act which constitutes an offence and is punishable by law.

2. Cyber space refers to the …………………………………., and more specifically, is an electronic medium used to form a global computer network to facilitate online communication.

3. Cyber crime is defined as any …………………………….. by means of, or in …………………………. a computer system or network, including such crimes as ………………………. and offering or distributing information by means of a computer system or network.

4. It is also defined as any illegal behaviour directed by means of electronic operations that target the security of computer systems and the data processed by them.

5. Cyber crimes may be generally classified as ……………………….. and …………………………. cyber crimes.

6. ………………………. is the medium for committing cyber crime using the computer or network as a tool, as a target or for purposes incidental to a crime.

7. Potentially violent crimes include ……………………………………………………. ………………………………………………………………………………………………………..

8. Non-violent cyber crimes involve cyber trespass, password cracking, cyber theft, cyber fraud, malware, junk mail and steganography.

9. The attacks are based on factors such as the increase in …………………………………, the increase in ………………………………………….., and also the increase in the number of digital transactions.

10. ……………………… attacks continue to be integrated, orchestrated attacks.

11. …………………………………………. provides a platform for users to analyse and clean their systems of various viruses, bots/malware and Trojans.

Reference
1. https://www.statista.com/topics/2588/us-consumers-and-cyber-crime/

2. https://www.terraverdeservices.com/risk-management/2018-cyber-attack-trends-
and-industry-predictions/

3. https://en.wikipedia.org/wiki/Cyberspace

4. https://whatis.techtarget.com/definition/command-and-control-server-CC-server

LESSON - 2
HUMAN ELEMENT AND TECHNOLOGY ELEMENT
Learning Objectives

After reading this lesson you will be able to

1. Understand the human element

2. Understand the technology element

Structure
2.1 Introduction

2.2 Human Element

2.3 Technology Element

2.4 Summary

2.1 Introduction
The word ‘threat’ in information security means anyone or anything that poses a danger to the information, the computing resources, users or data. The threat can come from ‘insiders’ who are within the organization or from ‘outsiders’ who are outside it. Some studies report that as many as 80% of security incidents originate from insiders.

When most organizations consider the cyber threats and cyber crimes that could cause them the most damage, they immediately assume these will be external threats, because of the attention commonly paid to external entities such as foreign governments, outside adversaries, competitors or organized crime that target and attack organizations. However, the threat could equally well be an insider. Hence, for a cyber crime to occur, there is both a human element and a technical element.

Broadly, computer-based crimes fall into two types: Type I and Type II.

2.1.1. Type I Cyber Crimes

Type I cyber crime has the following characteristics:

1. It is a singular or discrete event from the victim's perspective.

2. It is facilitated by the introduction of crimeware programs such as keyloggers, Trojans, viruses or rootkits into the user's computer system.

3. The introduction may or may not be facilitated by vulnerabilities.

Examples of this type of cyber crime include, but are not limited to, phishing attempts, theft or manipulation of data or services via hacking, identity theft, and e-commerce fraud based on stolen credentials.

Figure 2.1: Categories of Cyber Crime and Crimeware

2.1.2. Type II Cyber Crimes

Type II cyber crime, at the other end of the spectrum, includes but is not limited to activities such as cyber stalking and harassment, child predation, extortion, blackmail, stock market manipulation, complex corporate espionage, and planning or carrying out terrorist activities online.

Characteristics of Type II cyber crimes are:

1. They are facilitated by programs that do not fit under the classification of crimeware/malware.

2. There are repeated contacts or events from the user's perspective.

Cyber stalking, for example, is such a crime. Such crimes are by necessity a form of cyber crime because the computing element fundamentally changes the scope of the crime, even though the cyber element may be quite weak. The areas defined as cyber crime are very broad in nature: some crimes have only a peripheral cyber element, whereas others exist only in the virtual world.

2.1.3. Crimeware/Malware

The software used in cyber crime is sometimes referred to as "crimeware". It may be used either directly or indirectly in the commission of the crime, and from the user's perspective it is an illegitimate software application whose purpose is to enable the crime. For example, an Instant Messenger (IM) client or a File Transfer Protocol (FTP) client may be used in the perpetration of a crime; however, these IM/FTP applications are not crimeware. Illegitimate programs such as keyloggers, bots, Trojans, spyware, other malware and backdoor programs are all crimeware. The term crimeware thus also covers a broad spectrum. Cyber crimes are classified by type, together with the software used and whether it is crimeware, in Table 2.1.

Table 2.1: Examples of different cyber crimes by type and the crimeware used

S.No  Example          Type  Software                                   Crimeware
1     Phishing         I     Mail client                                No
2     Identity theft   I     Keylogger, Trojan                          Yes
3     Cyber stalking   II    Email clients, messenger clients           No
4     DDoS             I     Bots                                       Yes
5     Cyber terrorism  II    Steganography, encryption, chat software   No

Cyber crime is a type of crime that involves the abuse of information technology. The term covers a series of crimes ranging from cyber terrorism to industrial espionage. It is a widespread observable phenomenon which is articulated through an intricate system of operators, victims and instruments. Today anyone with minimal technical skills can download and use such instruments to carry out all types of attacks from anywhere in the world.

2.2 Human Element


Cyber crime presents a spectrum of crimes ranging from the technological element to the human element. This is represented in Figure 2.2.

Figure 2.2: Categories of Cyber Crime and Crimeware


(Source: Sarah Gordon and Richard Ford)

2.2.1 Internal attacks/Threats

There are two categories of cyber crime, differentiated in terms of how the attack has taken place:

a. Insider attacks/threats: involve a breach of trust by employees within an organization.

b. External attacks/threats: involve outsiders, for example hackers hired by either an insider or an external entity for competitive intelligence.

When most organizations perform risk analysis and look at threats, they often immediately
focus on external threats. The media and cyber professionals often overhype foreign adversaries,
competitors and organized crime as the main source of concern; however, it is important to
understand which threat causes the most damage to an organization: the insider threat.

An insider threat can be defined as a current or former employee, contractor or other business partner with access to the organisation's network, systems or data who intentionally misuses them, or whose access results in misuse. Most internal cyber attacks are after employee information, potentially for poaching or recruiting purposes. On the other hand, there are also cases of disgruntled employees with access to servers and confidential information who target and steal intellectual property in order to carry out a personal vendetta.

While some internal threats lack intention, in other words the employee acted in such a way that sensitive data was accidentally compromised, the effect is the same regardless.

Quite often, insider threats are just as problematic in terms of lost data and other repercussions. It is difficult for organizations to detect the insider threat, but by gaining better visibility into traffic flows, properly controlling access to critical information and monitoring user activity, proper protection against the insider threat can be implemented.

The challenge with an insider email attack is that it is very easy to perform and very hard to detect. The user has no idea that he has been compromised, because this type of attack bypasses most traditional endpoint and network security devices. This is why organizations can often be compromised for more than a year without realizing it.

The majority of external attacks are aimed at stealing confidential information, through malware such as worms and Trojan horses or through phishing. Some groups such as ‘Anonymous’ carry out attacks against governments and corporations for a variety of reasons, often to teach them a social or moral lesson. While your business might not be a target for Anonymous, it is still a target for other cyber intruders. The most common external attacks target customer data held by companies, as this personal information has a price tag on the dark web, and stealing data is an easy way to make a living.

While network security devices are important and play a key role in defense in depth,
effective security also includes studying and acting on user behaviour. There are distinct
differences between legitimate, authorized behaviour and unauthorized activity. By closely
understanding and tracking user behaviour, anomalies can be detected and the amount of
damage caused by an insider threat can be controlled.
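The following Python script is an added example for this section; it is not code from the page or from any product referred to in it. It shows one concrete form the user-behaviour tracking described above can take: a per-user baseline is built from file-server audit records, and a day is flagged when the user's volume of distinct files is far above that baseline (the pattern of a departing employee copying a database), when access happens outside working hours, or when the user touches a share never accessed before. The audit records, user names, share names, working-hours window and thresholds are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit records (user, timestamp, share, file path). Not real data.
AUDIT_LOG = [
    # alice: steady daytime work on the finance share for four days
    *[("alice", f"2018-03-0{d} 10:{m:02d}", "finance", f"q1/report_{m}.xlsx")
      for d in range(1, 5) for m in range(5, 9)],
    # alice, day 5: 40 distinct files pulled at 23:xx from an HR share she never used
    *[("alice", f"2018-03-05 23:{m:02d}", "hr", f"payroll/emp_{m:03d}.csv")
      for m in range(0, 40)],
    # bob: ordinary engineering activity, nothing unusual
    *[("bob", f"2018-03-0{d} 14:{m:02d}", "eng", f"src/module_{m}.py")
      for d in range(1, 6) for m in range(0, 6)],
]

WORK_HOURS = range(8, 19)   # 08:00 to 18:59 counted as normal; an assumption for the example
VOLUME_SIGMAS = 3.0         # flag a day above mean + 3 standard deviations of the user's history
MIN_BASELINE_DAYS = 3       # need this many earlier days before volume is judged


def parse(records):
    """Group (share, path, hour) tuples by user and by calendar day."""
    by_user_day = defaultdict(lambda: defaultdict(list))
    for user, ts, share, path in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_user_day[user][when.date()].append((share, path, when.hour))
    return by_user_day


def detect_anomalies(records):
    """Return a list of (user, day, reason) findings.

    The baseline for each day is built only from the user's earlier days, so
    the anomalous day cannot inflate the statistics it is compared against.
    """
    findings = []
    for user, days in parse(records).items():
        seen_shares = set()
        daily_counts = []
        for day in sorted(days):
            events = days[day]
            distinct_files = {path for _, path, _ in events}
            shares_today = {share for share, _, _ in events}
            after_hours = [h for _, _, h in events if h not in WORK_HOURS]

            # 1. volume spike relative to the user's own history
            if len(daily_counts) >= MIN_BASELINE_DAYS:
                mean = statistics.mean(daily_counts)
                sd = statistics.pstdev(daily_counts) or 1.0   # avoid a zero-width threshold
                if len(distinct_files) > mean + VOLUME_SIGMAS * sd:
                    findings.append((user, str(day),
                                     f"volume {len(distinct_files)} files vs baseline mean {mean:.1f}"))
            # 2. activity outside working hours
            if after_hours:
                findings.append((user, str(day),
                                 f"{len(after_hours)} accesses outside working hours"))
            # 3. first-ever access to a share (only once a history exists)
            new_shares = shares_today - seen_shares
            if seen_shares and new_shares:
                findings.append((user, str(day),
                                 f"first access to share(s) {sorted(new_shares)}"))

            seen_shares |= shares_today
            daily_counts.append(len(distinct_files))
    return findings


if __name__ == "__main__":
    for user, day, reason in detect_anomalies(AUDIT_LOG):
        print(f"{day} {user}: {reason}")
```

The three rules are deliberately independent: a single rule such as volume alone would miss a slow exfiltration, while the first-access rule on its own fires on legitimate job changes, so in practice the findings are correlated and reviewed rather than acted on automatically. The baseline is also kept per user, because what is normal for a database administrator is anomalous for a sales clerk.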

Data is no longer just an IT asset; it is a core strategic asset, and some types of data are more valuable than others. Confidential business information, which encompasses company financials along with customer and employee data, is a highly strategic asset and equally a high-value target. Again this year, confidential business information (57%) takes the top spot as most vulnerable to insider attacks, followed by privileged account information (52%) and sensitive personal information (49%). This is illustrated in Figure 2.3 (Insider Threat Report, 2018).

Figure 2.3: Data that is vulnerable to insider attack

Quite often, the term insider threat is associated with malicious, disgruntled employees who intend to directly harm, steal or sabotage an organization's information assets. Sometimes, however, the threat comes from employees who are unintentionally negligent, which accounts for an equally high number of security breaches and accidental leaks.

2.2.2. Key Findings (Insider Threat Report, 2018)

Ninety percent of organizations feel vulnerable to insider attacks. The main enabling risk factors include too many users with excessive access privileges, an increasing number of devices with access to sensitive data, and the increasing complexity of information technology.

A majority (53%) confirmed insider attacks against their organization in the previous 12 months (typically fewer than five attacks). Twenty-seven percent of organizations say insider attacks have become more frequent.

Organizations are shifting their focus to detection of insider threats (64%), followed by deterrence methods (58%) and analysis and post-breach forensics (49%). The use of behaviour monitoring is accelerating: 94% of organizations deploy some method of monitoring users and 93% monitor access to sensitive data.

The most popular technologies used to deter insider threats are data loss prevention (DLP), encryption, and identity and access management solutions. To better detect active insider threats, companies deploy intrusion detection and prevention (IDS/IPS), log management and Security Information and Event Management (SIEM) platforms.

The vast majority (86%) of organizations already have or are building an insider threat
program. Thirty six percent have a formal program in place to respond to insider attacks, while
50% are focused on developing their program.

According to the same 2018 survey, organizations are as concerned about accidental or unintentional data breaches (51%) caused by user carelessness, negligence or compromised credentials as they are about deliberate malicious insiders (47%). This is illustrated in Figure 2.4.

Figure 2.4: What type of insider are organizations concerned about?

An insider threat can be further divided into

• Malicious/deliberate insider

• Accidental/unintentional insider

2.2.3. Malicious Insider

When most people think of an insider threat, they immediately think of the malicious
insider. This is someone who deliberately causes harm to an organization. Examples include
Edward Snowden and Aldrich Ames, who were deliberate, malicious insiders working as a
contractor and employee, respectively, for the United States government.

Security professionals have a unique responsibility to detect, counter and respond to cyber attacks. The challenge increases if the threats come from within the organization, especially from trusted and authorized users. It gets tougher to detect whether privileged users are doing their job or something illegal or unethical.

The survey further explores the types of insiders who pose a threat to organisations. The results indicate that regular employees (56%) and privileged IT users (55%) pose the biggest insider security threat to organizations, followed by contractors (42%). This is illustrated in Figure 2.5.

Figure 2.5: What type(s) of insiders pose the biggest security risk to organizations?
(Source: Insider Threat Report, 2018, CA Technologies)

Further, the survey identifies the IT assets that are most vulnerable to insider attack as databases, file servers, cloud applications, cloud infrastructure, endpoints, networks, Active Directory, business applications and mobile devices. Among these, the most targeted assets are databases and file servers. This is illustrated in Figure 2.6.

Figure 2.6: IT assets that are most vulnerable to attacks

The main enablers of insider attacks include the following:

Ø Too many users with excessive access privileges

Ø Increasing number of devices with access to sensitive data

Ø Technology is becoming more complex

Ø Increasing amount of sensitive data

Ø Lack of employee training and awareness

In a recent survey conducted among cyber security professionals, the percentage distribution of the top enablers of insider attacks is represented in Figure 2.7.

Figure 2.7: Top Enablers for insider threats

2.2.4. Accidental/un-intentional insider

An accidental insider is someone who is tricked or manipulated into doing something that
ultimately harms the organization. Some people further categorize the accidental insider threats
into “the infiltrator” and “the ignorant insider.” The infiltrator situation occurs when an adversary
accesses a user’s system or steals credentials to gain access to a system. The ignorant insider
is a situation that occurs when an adversary convinces the user to click on a link or open an
attachment, which ultimately causes the user’s system to be compromised. Since both cases
are caused by a user action that ultimately results in a system or account being compromised,
we group these types of threats together.

The most common culprit of insider threat is accidental exposure by employees. Cybersecurity experts view phishing attempts (67%) as the biggest vulnerability for accidental insider threats. Phishing attacks trick employees into sharing sensitive company information by posing as a legitimate business or trusted contact, and they often contain malware attachments or hyperlinks to compromised websites. Other enablers include weak or reused passwords, unlocked devices, bad password-sharing practices and the use of unsecured WiFi networks.

Organizations further recognize different types of insiders. Table 2.2 lists the types of insiders and their characteristics.

Table 2.2: Types of Insiders and their Characteristics

1. The careless insider
   • The careless insider is the most common type of insider. He is typically a negligent, non-managerial employee who causes a breach of confidentiality unintentionally.
   • Has no real incentive to violate internal information security rules.
   • These employees pose an unintentional, non-targeted threat and violate confidential data storage policies despite their best intentions.
   • In spite of good intentions, these types of data breaches can cause damage on the same scale as those committed through corporate espionage. When they realize they are unable to copy data, this insider will follow instructions and speak to their coworkers or the system administrator, who will explain that taking sensitive data outside of the office is not permitted.
   • e.g. The insider often inadvertently loses a media storage device, or family members may accidentally gain access to the data.

2. The naive insider
   • Naive and careless insiders can both be labelled "non-malicious".
   • They believe that they are acting for the good of the company, but they often feel as though official procedures only get in the way.
   • While an insider's actual intent may have no bearing on the damage that is ultimately caused, his intent will determine the actions he takes once he learns he is unable to obtain data.
   • These are loyal employees who will speak with their coworkers, the technical support team or management to find out why their attempts to work with data (and thus breach data security rules) have been blocked, and they will be told that the actions in question are prohibited.
   • e.g. The naive insider generally falls victim to social engineering.

3. The saboteur
   • Saboteurs are employees who attempt to harm the company for their own personal reasons.
   • They are often disgruntled and feel as though they are taken for granted: their salary is low, they are too far down the corporate ladder, they are not eligible for certain incentives, or they are angry that they do not receive company "perks" such as a laptop, a company car or a secretary.

4. The disloyal insider
   • The disloyal insider is another type of malicious insider. Disloyal insiders may include interns and employees who plan to leave the company but have not yet informed their coworkers or superiors.
   • They plan on acting for their own personal gain, to the detriment of the company.
   • Disloyal insiders are a major headache for managers when it comes to internal threats.
   • For example, it is now common practice for members of a commercial or financial department to take a copy of the company's client or financial database with them when they leave the company.

5. The moonlighter
   • Moonlighters and moles are employees who target specific information at the request of their "client".
   • In both cases, these insiders attempt to conceal their actions (at least until the data theft is successful), although their motives are different.
   • The moonlighter profile can include a wide range of employees who have decided to steal information for any number of reasons: he may need extra money to buy a car, or he may have been recruited by someone outside the company.
   • In many cases, the employee was originally loyal but was either bought off or intimidated.
   • This is why moonlighters will try anything they can if they face complications in accomplishing the task at hand.
   • Depending on the situation, they may stop trying to steal the data, or they may pretend they need it for work purposes. In more extreme cases, they may even try to hack the information or bribe their co-workers.

6. The mole
   • This last insider profile is named after the notorious spies we know from Cold War-era espionage thrillers.
   • Planting a mole is a common tactic used in government and industrial espionage.
   • For example: a system administrator at a prominent company receives a very attractive offer from another company, with a generous salary, excellent benefits and a flexible work schedule. He would be crazy not to accept. Meanwhile, his current employer's HR department receives an impressive resume from an IT expert who looks too good to turn down.
   • Or, the IT expert may be suggested as a replacement for the departing sysadmin (similar to the services offered by a recruiting agency).
   • While the original sysadmin is training his replacement, the latter quickly gains access to confidential data and leaks it to his client.
   • Once the damage is done, all traces of both the recruiting agency and the replacement sysadmin seem to vanish into thin air.
   • As a result, the company loses its valuable corporate secrets, and the system administrator loses his job.
   • Moles are especially dangerous: if there are technical barriers in place making it difficult or impossible to remove data from the corporate network, the "employer" may provide the mole with the devices or software needed to bypass the security system.
   • The mole will do anything it takes to get the information he needs. His arsenal often includes sophisticated techniques and professional hacking skills.

The different types of insiders who pose a threat to organizations are represented pictorially in Figure 2.7.

Figure 2.7: Different types of insiders who pose a threat to organizations

2.3 Technology Element

The technology element of cyber crime involves the use of technology to commit the crime. It may be committed through the use of malicious software.

2.3.1 External attacks/Threats

External threats or cyber crimes are traditionally carried out by attackers/hackers who scan the public IP address range of an organization to find visible systems. From there, they identify the services listening on open ports, exploit a vulnerability and break into a system that is believed to be protected. They can then pivot into additional areas of the organization, causing more damage.
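The scanning step described above leaves a characteristic trace at the perimeter: one external source touching many destination ports on a host, or one port on many hosts, within a short time, most of it denied by the firewall. The following Python script is an added example for this section, not code from the page or from any firewall vendor. It parses constructed syslog-style firewall lines and reports sources whose distinct destination ports or hosts within a sliding time window exceed a threshold. The log format, field names, addresses, window length and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines in a simple syslog-like format (not from a real device).
# 203.0.113.7 probes many ports on one host, 192.0.2.44 probes one port on many
# hosts, and 198.51.100.200 is ordinary traffic that must not be flagged.
FIREWALL_LOG = """\
2018-04-02T09:00:01 fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=21 proto=tcp
2018-04-02T09:00:01 fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp
2018-04-02T09:00:02 fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=23 proto=tcp
2018-04-02T09:00:02 fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=25 proto=tcp
2018-04-02T09:00:02 fw01 ALLOW src=203.0.113.7 dst=198.51.100.10 dport=80 proto=tcp
2018-04-02T09:00:03 fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=110 proto=tcp
2018-04-02T09:00:03 fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=139 proto=tcp
2018-04-02T09:00:03 fw01 ALLOW src=203.0.113.7 dst=198.51.100.10 dport=443 proto=tcp
2018-04-02T09:00:04 fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=445 proto=tcp
2018-04-02T09:00:04 fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=3389 proto=tcp
2018-04-02T09:00:05 fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=8080 proto=tcp
2018-04-02T09:00:05 fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=8443 proto=tcp
2018-04-02T09:00:10 fw01 DENY src=192.0.2.44 dst=198.51.100.11 dport=22 proto=tcp
2018-04-02T09:00:11 fw01 DENY src=192.0.2.44 dst=198.51.100.12 dport=22 proto=tcp
2018-04-02T09:00:12 fw01 DENY src=192.0.2.44 dst=198.51.100.13 dport=22 proto=tcp
2018-04-02T09:00:13 fw01 DENY src=192.0.2.44 dst=198.51.100.14 dport=22 proto=tcp
2018-04-02T09:00:14 fw01 DENY src=192.0.2.44 dst=198.51.100.15 dport=22 proto=tcp
2018-04-02T09:00:15 fw01 DENY src=192.0.2.44 dst=198.51.100.16 dport=22 proto=tcp
2018-04-02T09:00:16 fw01 DENY src=192.0.2.44 dst=198.51.100.17 dport=22 proto=tcp
2018-04-02T09:00:17 fw01 DENY src=192.0.2.44 dst=198.51.100.18 dport=22 proto=tcp
2018-04-02T09:00:18 fw01 DENY src=192.0.2.44 dst=198.51.100.19 dport=22 proto=tcp
2018-04-02T09:00:19 fw01 DENY src=192.0.2.44 dst=198.51.100.20 dport=22 proto=tcp
2018-04-02T09:05:00 fw01 ALLOW src=198.51.100.200 dst=198.51.100.10 dport=443 proto=tcp
2018-04-02T09:05:30 fw01 ALLOW src=198.51.100.200 dst=198.51.100.10 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

PORT_THRESHOLD = 10   # distinct ports on one host within the window: vertical scan
HOST_THRESHOLD = 8    # distinct hosts on one port within the window: horizontal scan


def parse_lines(text):
    """Yield (timestamp, src, dst, dport) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:           # tolerate noise; a real pipeline would count the misses
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def detect_scans(text, window_seconds=60):
    """Return {(src, kind, target): count} for sources that look like scanners.

    kind is "vertical" (target = host, count = distinct ports) or "horizontal"
    (target = port, count = distinct hosts). Events older than window_seconds are
    dropped before counting, so a slow trickle spread over hours does not fire;
    only the highest count seen for a key is kept. ALLOW lines count as well as
    DENY lines, because a scan also touches the ports that are open.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> (ts, dst, dport) tuples, oldest first
    findings = {}
    for ts, src, dst, dport in sorted(parse_lines(text)):
        q = recent[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > window:
            q.popleft()
        ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
        for _, d, p in q:
            ports_per_host[d].add(p)
            hosts_per_port[p].add(d)
        for host, ports in ports_per_host.items():
            if len(ports) >= PORT_THRESHOLD:
                key = (src, "vertical", host)
                findings[key] = max(findings.get(key, 0), len(ports))
        for port, hosts in hosts_per_port.items():
            if len(hosts) >= HOST_THRESHOLD:
                key = (src, "horizontal", port)
                findings[key] = max(findings.get(key, 0), len(hosts))
    return findings


if __name__ == "__main__":
    for (src, kind, target), count in sorted(detect_scans(FIREWALL_LOG).items()):
        print(f"{src}: {kind} scan, {count} distinct on {target}")
```

The window is what makes the rule useful: with a one-second window the same log produces no findings, because each slice holds too few ports or hosts. Tuning the window length and thresholds against the organisation's own traffic is the practical work, and a source that trips the rule is a candidate for blocking at the perimeter before the exploitation step described next can begin.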

2.3.2 Means through which external cyber attacks are launched

Cyber attacks are generally aimed at targets that represent a high publicity value on the one hand, or on which a serious loss can be inflicted on the other. The phases involved in the attack methodology are reconnaissance, information gathering, gaining access, maintaining access and clearing tracks. Cyber attacks fall primarily into four categories: access attacks, modification attacks, denial-of-service attacks and repudiation attacks.

a) Access

An access attack is an attempt to gain information that the attacker is not authorized to have. Such attacks can occur wherever information exists, whether in a system, on a network or in transit. The main characteristic of this type of attack is that it is directed against the confidentiality of the information. There are different sub-categories of access attack: snooping, eavesdropping and interception.

These take different forms depending on whether the information is stored on paper or electronically in a computer system. Paper records require physical access. They are likely to be found in locations such as filing cabinets, desktops, fax machines, printer trash and long-term storage.

Physical access is the key to gaining access to physical records. Electronic information, on the other hand, may be stored on desktop machines, servers, laptops, floppy disks, compact discs, digital versatile discs, backup tapes, zip disks, memory cards, pen drives and other external storage media. Sometimes the physical media itself may be stolen. If the attacker has physical access to the system, the files in question might simply be opened in the hope of finding something interesting. If access controls are properly in place, such unauthorized access will not be possible; however, an attacker might attempt to elevate his permissions so as to gain access. Such unauthorized access is made possible by vulnerabilities in the system. Snooping, eavesdropping and interception come under this type of attack.

Ø Snooping: Snooping is the process of looking through information in the hope of finding something interesting. The attacker may open files one by one until the information is found. For this purpose physical access is required.

Ø Eavesdropping: This is a passive attack, which happens when the attacker listens to a conversation that he is not a part of. In order to launch this attack the attacker has to position himself at a location where the information of interest passes by. This type of attack is often done electronically, for example by placing a system or a listening device on wired or wireless networks to capture information in transit over the Internet or phone lines. The information of interest may reside on file servers, desktops or laptops, on any other storage medium, or be sent to a fax machine.

Ø Interception: Interception is an active attack against information. The attacker places himself in the communication path and captures the information before it reaches its destination.

b) Modification

In an attack of this type, the attacker attempts to modify information that he is not authorized to modify. This is an attack against the integrity of information and can be launched on standalone systems, on information in transit and on the network as well. Modification includes changes, insertion and deletion. Alterations can be made to files with little evidence if physical access is available. If it is not, the attacker will try to gain an initial level of access to the system and then escalate his privileges on the file or remove the restrictions/permissions on it. Only then does the attacker carry out the modification.

Ø Changes: Existing information is altered, so that the information the organization holds is now incorrect.

Ø Insertion: Information that did not previously exist is inserted. For example, historical data may be distorted, or a transaction record may be inserted into a banking system so that funds are transferred electronically to the attacker's account.

Ø Deletion: An existing record, or information that is yet to be acted upon, is removed. For example, a customer's information may be deleted.
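The three kinds of modification attack listed above, changes, insertion and deletion, are exactly what an integrity check over a set of records must be able to tell apart. The following Python functions are an added example for this section, not code from the page: they build a keyed manifest over constructed customer records and later compare a snapshot against it, reporting which records were altered, which were inserted and which were deleted. The records and the key are made up. The manifest uses HMAC rather than a plain hash so that an attacker who can alter the records cannot also recompute matching digests without the key, which is the assumption the example depends on.

```python
import hashlib
import hmac
import json

# Constructed sample data: a secret that is kept away from the records, and a record set.
MANIFEST_KEY = b"example-key-stored-separately"

ORIGINAL_RECORDS = {
    "C1001": {"name": "A. Kumar", "balance": 1500},
    "C1002": {"name": "B. Rao", "balance": 320},
    "C1003": {"name": "C. Iyer", "balance": 9800},
}

# Later snapshot showing all three modification types:
#   C1001 changed (balance), C1003 deleted, C1004 inserted.
TAMPERED_RECORDS = {
    "C1001": {"name": "A. Kumar", "balance": 150000},
    "C1002": {"name": "B. Rao", "balance": 320},
    "C1004": {"name": "D. Nair", "balance": 75000},
}


def canonical(record):
    """Serialize a record deterministically so that equal records hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_tag(key, record_id, record):
    """Keyed digest over the record id and the canonical record.

    Binding the id into the tag stops an attacker from swapping two records'
    contents while leaving each tag valid for *some* record.
    """
    msg = record_id.encode() + b"\x00" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(key, records):
    """Return {record_id: tag} for every record."""
    return {rid: record_tag(key, rid, rec) for rid, rec in records.items()}


def verify(key, manifest, records):
    """Compare a snapshot against the manifest.

    Returns a dict with three sorted lists of record ids:
      changed  - present in both, but the tag no longer matches
      inserted - present in the snapshot but absent from the manifest
      deleted  - present in the manifest but absent from the snapshot
    """
    changed = [
        rid for rid, rec in records.items()
        if rid in manifest
        and not hmac.compare_digest(manifest[rid], record_tag(key, rid, rec))
    ]
    inserted = [rid for rid in records if rid not in manifest]
    deleted = [rid for rid in manifest if rid not in records]
    return {"changed": sorted(changed), "inserted": sorted(inserted), "deleted": sorted(deleted)}


if __name__ == "__main__":
    manifest = build_manifest(MANIFEST_KEY, ORIGINAL_RECORDS)
    print(verify(MANIFEST_KEY, manifest, TAMPERED_RECORDS))
```

Two caveats follow from the design. The key must live somewhere the record store's administrators cannot reach (a separate host or hardware module), because an insider who holds both the records and the key can simply rebuild the manifest. And since an HMAC key is shared between whoever writes and whoever verifies, the scheme proves integrity but not who made a change; the accountability problem of section d) below needs a digital signature made with a private key that only the signer holds.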

c) Denial of Service attack

Denial-of-service attacks deny the use of resources to the authorized or legitimate users of a system, information or service. In a denial-of-service attack launched over the network, the user or organization is deprived of resources or services that would otherwise normally be available. Denial of access falls under the following categories:

Ø Denial of access to information: In a DoS attack against information, the information is made unavailable, resulting in denial of service. This may be caused by destroying the information or by modifying it so that it is made unusable.

Ø Denial of access to applications: In this type of attack the target is the application, which is manipulated or attacked so that performing its routine scheduled operations is hindered. This causes denial of access to the application.

Ø Denial of access to systems: In this type of DoS attack the system itself is attacked and brought down. Access to the system, along with its applications, is made unavailable, and thereby the information is rendered inaccessible.

Ø Denial of access to communications: Different forms of denial of access to communications are known, such as jamming the communication or restricting bandwidth. In this case the target is the communication medium itself. Lack of communication prevents access even though the systems, information and network are untouched.

d) Repudiation

Repudiation attacks are generally targeted against the accountability of information, whereas access attacks are against confidentiality and modification attacks against integrity. Repudiation is an attempt to deny that a transaction or an event has transpired, or to give false information. It is accomplished easily because documents created in electronic form are sent across with little or no proof of the identity of the sender. Information is particularly susceptible in credit card transactions. Repudiation falls under the following categories:

• Masquerading: Masquerading is an attack in which an attempt is made to disguise oneself or to impersonate someone else or some other system. Generally, this attack takes place in personal communication, system-to-system communication or in transactions.

• Denying an event: This is an event whereby an attacker disavows an action. For example, a person makes a purchase online and, upon receiving the bill from the credit card company, claims that he never made the purchase.

Summary

• The word ‘threat’ in information security means anyone or anything that poses danger to the information, the computing resources, users, or data. The threat can be from ‘insiders’ who are within the organization, or from ‘outsiders’ who are outside the organization.

• Two types of computer based crime exist: Type I and Type II cyber crimes.

• Crimeware/Malware: The software used in cyber crime is sometimes referred to as “Crimeware”. It may be used either directly or indirectly in the commission of the crime; from the user's perspective it is an illegitimate software application that voluntarily enables the crime.

• An insider threat can be defined as a current or former employee, contractor or other business partner who has access to the organisation's network, system or data and intentionally misuses them, or whose access results in misuse.

• An accidental insider is someone who is tricked or manipulated into doing something that ultimately harms the organization. Some people further categorize accidental insider threats into “the infiltrator” and “the ignorant insider”.

• External threats or cybercrimes are traditionally caused by attackers/hackers who scan the public IP address range of an organization to find visible systems. From there, they identify services listening on open ports, exploit a vulnerability and break into a system that is believed to be protected. They could then gain access to additional areas of the organization, causing more damage.

• The technology element of cyber crime involves the use of technology to commit crime. It may be committed by the use of malicious software.

• Examples of the technology element include access, modification, denial of service and repudiation based attacks.

Check your answers

1. ................................. are crimeware programs that log keystrokes.

2. The most common culprit of insider threat is accidental exposure by employees. Cybersecurity experts view ..............................

3. ............................ element of cyber crime involves the use of technology to commit crime.

4. ................................. is a process of looking through the information in the hope of finding something interesting.

5. In ........................................ an attacker listens to a conversation that he is not a part of.

6. ...................., .............................. and .............................. are types of modification based attacks.

7. Denial of service attacks involve ............................., .................................., ............................ and .....................

8. When accountability of information is compromised ............................ attack takes place.

9. ……………………………, …………………………………., ………………………………, …………………..…, ………………………………….. and ………………………………….. are different types of insiders who pose a threat to any organization.


LESSON - 3
BROAD CLASSIFICATION OF CYBER CRIMES
Learning Objectives

After reading this lesson you will be able to understand:

• Offences against the CIA Triad

• Illegal Access (Hacking, Cracking)

• Data Espionage

• Illegal Interception

• Data interference

• System Interference

• Content Related Offences

• Pornographic Material & Child Pornography

• Spam and related offences

• Copyright and Trademark related offences

• Copyright

• Trademark

• Computer Related Offences

• Fraud and Computer Related Fraud

• Computer related forgery

• Identity theft

• Misuse of devices

• Cyber Terrorism

• Cyber Warfare

• Cyber Money laundering

• Phishing

Structure
3.1 Offences against the CIA Triad

3.1.1 Illegal Access (Hacking, Cracking)

3.1.2 Data Espionage

3.1.3 Illegal Interception

3.1.4 Data interference

3.1.5 System Interference

3.2 Content Related Offences

3.2.1 Pornographic Material & Child Pornography

3.2.2 Spam and related offences

3.3 Copyright and Trademark related offences

3.3.1 Copyright

3.3.2 Trademark

3.4 Computer Related Offences

3.4.1 Fraud and Computer Related Fraud

3.4.2 Computer related forgery

3.4.3 Identity theft

3.4.4 Misuse of devices

3.4.5 Cyber Terrorism

3.4.6 Cyber Warfare

3.4.7 Cyber Money laundering

3.4.8 Phishing

The term “cybercrime” is used to cover a wide variety of criminal conduct. As recognized
crimes include a broad range of different offences, it is difficult to develop a typology or
classification system for cybercrime. One approach can be found in the Convention on
Cybercrime, which distinguishes between four different types of offences:

(1) offences against the confidentiality, integrity and availability of computer data and systems;

(2) computer-related offences;

(3) content-related offences;

(4) copyright-related offences.

3.1 Offences against the Confidentiality, Integrity and Availability (CIA Triad) of computer Data and Systems

Offences under this category are targeted against one of the three legal principles of the CIA triad.

3.1.1. Illegal Access (Hacking, Cracking)

The term hacking refers to unauthorized access to computer systems. Today this offence has become a mass phenomenon with the evolution of the internet. From a legal perspective, there is no real difference between “computer hackers” and “computer crackers”. In the legal context, both terms are used to describe persons who enter computer systems without right. The main difference is motive. The term “hacker” is used to describe a person who explores the details of programmable systems without breaking the law. The term “cracker” is used to describe a person who breaks into computer systems by violating the law (International Telecommunication Union, 2009).

Examples of hacking include:

Breaking the password of a protected website (Sieber, 2004); circumventing password protection on a computer, etc. This is achieved by exploiting a vulnerable system or by implanting software that illegally gathers password related information in order to enter systems/networks; installing hardware based or software based key loggers that record every keystroke and consequently obtain passwords of systems or networks illegally; sometimes hackers set up spoofed websites to make users disclose their passwords. The motivation of perpetrators varies. Some perpetrators restrict their activity to circumventing security measures to prove their abilities, while others engage in politically motivated “hacktivism”. The information retrieved from such crimes is used to commit further crimes such as data espionage, data manipulation or denial of service attacks. In most cases, illegal access is the first step. Quite often, tracing the abuse of a hacked system leads to the abused systems and not to the perpetrator, which makes it difficult for law enforcement agencies to apprehend these criminals. The increased number of hacking incidents may be attributed to the lack of adequate protection of computer systems and to the increased number of automated software tools that perform the attacks, such as botnets, through which a single perpetrator can target several computer systems from a single system.

3.1.2. Data Espionage

In this type of crime, sensitive information stored in computers/networks is targeted. Vast amounts of information pertaining to trade secrets are accessed illegally by perpetrators. The availability of sensitive information makes data espionage highly attractive. Various techniques are employed by perpetrators to access victims, including: the use of software to scan for ports; the use of malware to circumvent security measures; and social engineering techniques, a method that uses non-technical means of gathering information involving human interaction by tricking people into breaking normal security procedures.

Data stored on private computers is also increasingly targeted. Such computers may hold sensitive information such as bank account details and credit card information. The gathered information is sold to third parties.

Data espionage on business secrets is more profitable than espionage on private individuals. It follows two approaches: first, accessing the computer or data storage device and extracting the information; second, manipulating users into disclosing the information or passcodes that enable the attackers to perform such activity. For example, ‘phishing’ has recently become a key crime committed in cyberspace; it describes attempts to fraudulently acquire sensitive information such as PINs, passwords, etc. by masquerading as a trustworthy person or business/financial institution in a seemingly official electronic communication.

3.1.3. Illegal Interception

In this type of crime, the perpetrators try to intercept communications between users. They may also intercept data that is travelling on the net, for example when a user is uploading data onto servers or accessing web based external storage media. The exchange of information is recorded. Any kind of communication infrastructure might be the target, for instance a fixed line, a wireless line or any internet service such as email, chat or Voice over Internet Protocol (VoIP) communication. With the proliferation of wireless technology, hotels, restaurants and the like offer internet access through wireless access points; perpetrators might use these access points to trap the data exchange from any location. Further, they might attempt to decrypt the traffic even if the wireless communication is encrypted. Sometimes rogue access points are also set up by perpetrators to capture the data.

3.1.4. Data interference

Data interference involves the modification of data by deletion, alteration, suppression or restriction of access. Data available on computers and networks is vital for private users and businesses, and its usefulness depends on integrity and availability. In this type of crime the perpetrator violates the integrity of data by deleting or modifying it. The most popular method is the use of a computer virus spread through email, chat or any other communication medium. Recent viruses are able to install back-doors, thereby enabling the perpetrators to control the victim's computer remotely.

3.1.5. System interference

Attacks can also be targeted at computers and networks themselves, typically through computer worms or denial of service attacks. Computer worms are self-replicating programs that harm computer systems and networks. By targeting the availability of resources, perpetrators can prevent users from accessing systems, email, etc.; for example, DoS attacks can make some services unavailable for several hours to days.

3.2. Content Related Offences

Designating certain types of subject matter as criminally illegal can be a highly contentious matter, raising complex definitional issues, questions of causation and human rights concerns, specifically the rights to privacy and freedom of expression. Content-related crimes also raise difficult enforcement issues, in terms of the technical issues of managing content and the foreign sourcing of such material. Despite the complexities surrounding content regulation, in recent years we have witnessed substantial policy and legislative activity in the area, both in terms of expanding the subject matter considered illegal and raising the tariff applicable to such offences.

3.2.1. Pornographic Material & Child Pornography

This category of offence includes the storage/dissemination of pornographic material that is lascivious: sexually related content distributed over the internet through the exchange of media such as pictures, videos and the like. The anonymity of the internet has facilitated the distribution of such material through file sharing and online chat. Child pornography, images of children involved in sexual activities, is traded on the Internet around the clock. Child pornographers use the Internet's ease of distribution to sell their material to pedophiles (adults who are sexually attracted to children). In addition to purchasing child pornography, pedophiles also visit online chat rooms hoping to lure children into situations for sex. Luring or tricking a minor into sexual activity is prohibited. For example, chatting with a fifteen-year-old girl over the Internet and then suggesting a meeting is illegal conduct. Traveling to a minor's home to engage in sex after meeting by way of Internet chat rooms is also criminal activity that will be prosecuted.

3.2.2. Spam and Related Threats

Spam refers to the use of electronic messaging systems to send out unrequested or unwanted messages in bulk. The difficulty with stopping spam is that its economics are so compelling. While most would agree that spamming is unethical, the cost of delivering a message via spam is next to nothing. If even a tiny percentage of targets respond, a spam campaign can be economically successful.

“Spam” is described as the release of unsolicited bulk messages. The most common means through which these attacks are delivered is email. Spam sent through a single mail server is technically easy to identify when compared to spam distributed through botnets. Spam sent through botnets is difficult to analyse, and tracking the criminals behind it is correspondingly harder.

c. Other Offences

In addition to the above types, this category also covers racism, hate speech, glorification of violence, religious offences, libel and false information.

The internet and illicit drug sales

Since the mid-1990s, the internet has increasingly been used by drug traffickers to sell illicit drugs or the chemical precursors required to manufacture such drugs. At the same time, illegal internet pharmacies advertise illicit sales in prescription medicines, including substances under international control, to the general public. These substances are controlled under the three international drug control treaties and include opioid analgesics, central nervous system stimulants, tranquillizers and other psychoactive substances. Many pharmaceuticals offered for sale in this way are either diverted from the licit market or are counterfeit or fraudulent, constituting a danger to the health of consumers. The fact that illegal internet pharmacies conduct their operations from all regions of the world and are able to relocate their business easily when a website is closed down means that taking effective measures in this area is essential.

3.3. Copyright and Trademark related offences

3.3.1. Copyright related offences

Copyright protected songs, files and software are exchanged through file sharing systems. This copyright violation is driven mainly by the speed with which it can be done and by the accuracy of the reproduction: digital sources are duplicated without loss of quality. Another method is to circumvent Digital Rights Management systems. File sharing is one such method through which these offences are carried out. Users can share files through peer-to-peer networks with millions of other users. Once the file sharing software is installed, users can share the files of interest. File sharing systems have been used to share and exchange any kind of computer data, such as audio, video and software. Peer to peer technology plays a vital role in this. For instance, copies of movies have appeared through file sharing systems on the internet even before the movies were released officially.

3.3.2. Trade Mark related Offences

Trade mark violations are similar to copyright violations. Emails resembling those of legitimate companies, including their trade marks, are sent to internet users. Perpetrators use brand names and trade marks fraudulently, for example in phishing. Another type of trade mark violation is domain name related offences. Cybersquatting, for instance, is the illegal practice of registering a domain name identical or similar to a company's trade mark. The offenders in this case seek to sell the domain for a high price. Domain hijacking is yet another offence, in which domain names that have accidentally lapsed are registered by attackers who claim to release them only for a huge sum.

3.4. Computer Related Offences

This category covers the following types of frauds.

3.4.1. Fraud and Computer Related Fraud

• Advance fee fraud

One of the most popular computer related frauds is to convince a large number of victims, by sending emails, that they can make huge profits. The strategy used is to ensure that each victim's financial loss stays below a certain limit, so that the victims do not lodge a complaint. Example: Nigerian advance fee fraud, a hypothetical scenario.

My dear friend,
Let me introduce myself. I am ............... I am the wife of the former president of the Republic of .................. My husband died recently in a plane crash. While cleaning out his documents, I found that my husband has 10,000,000 US $ in a secret account. I would like to transfer this money to my family that is living in the US. Unfortunately, I am not able to transfer the money directly. I would like to transfer 10,000,000 US $ to your account and ask if you could transfer 9,000,000 US $ to my family. The remaining 1,000,000 US $ will be for you. If you agree, I would like to ask you to transfer first of all 10$ to my account so that I can verify your bank account information .....................

In this type of fraud, the victim is asked to transfer money as an advance amount for processing. Although this is a very popular fraud scam, there is no technology component in it.

• Auction Fraud

Online auction fraud is another popular category. The difficulty of distinguishing between genuine users and offenders has made auction fraud possible. Examples: offering non-existent goods for sale and receiving payment before delivery; buying goods without the intention to pay. With the advent of the internet, goods and products are purchased online. Auction fraud involves the non-delivery of products purchased online, or the misrepresentation of a product advertised for sale on the internet. The mode of operation of such auction fraud is as follows: the seller, who resides in one place, pretends to be away from his workplace for business, travel, family reasons, etc., and responds to the victims with a congratulatory e-mail requesting the victim to send funds to another individual's account. The mode of money transfer will usually be stated in the email as Western Union, bank transfer or MoneyGram. The victims are left with virtually unrecoverable money and no product. The demand for money is at times also flexible, allowing victims to send part of the money and the rest after receipt of the product.

Auction Fraud

Indiatimes.com auction site: one person posted details of mobile phones for auction. Many participated and won auctions. The money was to be paid into a bank account with ICICI. After payment none got the deliveries. Complaints were made to India Times with no remedy. Reported to the CBI, the account was traced to Madurai. The accused, a III yr. Engg. student from Madurai, was arrested. Son of a contractor, living in a posh area of Madurai; motive was lust for extra pocket money. Three charge sheets were filed. Pending trial.

www.Baazee.com: 10 Sony Ericsson P900 mobile phones were put up for auction by one seller. Market price 40,000/-; offering price 15,000/-. He posed as a Sony Ericsson importer. Many users placed bids. The seller supplied his bank a/c to bidders and asked them to deposit money in his account. Bidders deposited money; the mobiles were never delivered. The accused was traced and arrested: a final yr. MBBS student at Bangalore, a Malaysian citizen from an affluent family. He could not pass his exams and his family cut his pocket expenses; as an alternative source of income, he indulged in cheating people, later on selling laptops through “www.sulekha.com”. Charge-sheeted.

3.4.2. Computer Related Forgery

Computer related forgery describes the manipulation of digital documents. Examples include:

• Creating a document that appears to originate from a reliable institution;

• Manipulating electronic images;

• Altering text documents.

Criminals often send out emails which look like legitimate emails from financial institutions. The emails are designed in such a way that it is difficult to recognize them as fake. Many victims disclose their personal information during such an online transaction. Manipulation of documents has always been attempted by criminals; with digital forgery, digital documents can now be easily manipulated without any loss of quality, and it is difficult for forensic experts to prove digital manipulation.

Counterfeit Currencies

Law enforcement personnel suspected that computers had been used to prepare counterfeit Indian currency. The requirement was to examine the storage media for evidence. Printing of counterfeit currency was done with the use of high tech computers, scanners and specialized printers in conjunction with screen printing technology. High resolution scanners and cameras are available which reproduce the exact graphics found in the currency, and high quality printers reproduce the exact colours of the currency images. A frequent practice of fraudsters is to scan currency notes using scanners attached to computer systems. These scanned images are subsequently edited; the number panel is frequently altered by generating either random numbers or sequential numbers for the series.

3.4.3. Identity theft

The term identity theft describes the criminal act of fraudulently obtaining and using another person's identity. In general, the offence described as identity theft consists of three different phases:

1. In the first phase, the offender obtains identity related information. This part of the offence is carried out using crimeware (malware) or phishing.

2. In the second phase, the offender interacts with the identity related information, for example by selling it (credit card records).

3. In the third phase, the gathered identity related information is used to commit further crimes. For example, the perpetrator might use the data set for preparing fake documents, identity related documents or credit card fraud.

The channels through which identity theft has evolved include people, mail, telephones, computers and smart phones.

Dr. Jubal Yennie

In 2013, 18 year old Ira Trey Queensberry III, a student of the Sullivan County School District in Sullivan County, Tennessee, created a fake Twitter account using the name and likeness of district superintendent Dr. Yennie. After Queensberry sent out a series of inappropriate tweets using the account, the real Dr. Yennie contacted the police, who arrested the student for identity theft.

3.4.4. Misuse of Devices

Cyber crime can be committed using only fairly basic equipment. Committing an online fraud needs nothing more than a computer and internet access and can be carried out from a public internet café. However, using specialized software tools, more sophisticated offences can be committed. The software tools needed to commit such sophisticated crimes are quite often available as freeware. These generally include tools that can be used to launch denial of service attacks, craft and design viruses, worms and Trojans, decrypt encrypted communication and illegally access systems and networks. Automated tools that enable multiple attacks to be carried out within a short span of time are also available, for example spam tool kits that send out spam emails to anyone. Different international legislative initiatives are being undertaken to address such cyber crime software tools.

Andhra Pradesh Tax case

The dubious tactics of a prominent businessman from Andhra Pradesh were exposed after officials of the department got hold of the computers used by the accused. The owner of a plastics firm was arrested and Rs 22 crore in cash was recovered from his house by sleuths of the Vigilance Department. They sought an explanation from him regarding the unaccounted cash within 10 days.

The accused submitted 6,000 vouchers to prove the legitimacy of his trade and thought his offence would go undetected, but careful scrutiny of the vouchers and the contents of his computers revealed that all of them were made after the raids were conducted. It was later revealed that the accused was running five businesses under the guise of one company and used fake, computerised vouchers to show sales records and save tax.

3.4.5. Cyber terrorism

In the 1990s the trend was network based attacks targeted against critical infrastructure, such as energy supply, and against the use of information technology. The situation changed after the 9/11 attacks. The internet played a role in the preparation of that offence. Today, information and communication technology and the internet are used by terrorists for propaganda, information gathering, preparation of real world attacks, publication of training material, communication, terrorist financing and attacks against critical infrastructure.

Al Qaeda

Al Qaeda has deemed the Internet “a great medium for spreading the call of Jihad and following the news of the mujahideen (Islamic warriors).” Thus, the Al Qaeda operational manual Military Studies in the Jihad Against the Tyrants describes one of its primary missions as “Spreading rumors and writing statements that instigate people against the enemy.”

3.4.6. Cyber warfare

Parallel to the term cyber terrorism is an older term, information warfare. Information warfare is defined as a planned attack by nations or their agents against information and computer systems, computer programs, and data that results in enemy losses (Janczewski and Colarik, 2008).

“Information warfare specialists at the Pentagon estimate that a properly prepared and well coordinated attack by fewer than 30 computer virtuosos or skillful persons strategically located around the world, with a budget of less than $10 million, could bring the United States to its knees.”

A historical glimpse of cyber warfare is illustrated in Figure 3.1.

Figure 3.1: Cyber Warfare – A historical glimpse

The recent WannaCry ransomware attack affected 150 countries and was based on collecting ransom by encrypting remote computers. It affected many computers, and its main motive was to sabotage systems and networks; the attack occurred in three phases.

WannaCry

The WannaCry ransomware attack was a worldwide cyber-attack by the WannaCry ransomware cryptoworm, which targets computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It affected 150 countries worldwide. The conflict type is interstate and the motive is sabotage. Phase I appeared prior to Jan 16, 2017, Phase II in Jan 2017 and Phase III in May 2017.

3.4.7. Cyber Money laundering

The internet has transformed traditional money laundering techniques. Online financial services worldwide provide quick financial transactions. Drug peddlers and organized criminals use computers and networks to trade electronically between partners, using credit cards, internet banking, e-cash and e-wallets; for example, Visa Cash and Mondex cards store billions of dollars. Mobile banking and mobile commerce are growing, and this technology can be an effective tool in the hands of money launderers, who can transfer money by the click of a mouse. Anonymity on the internet is exploited by the criminals. Their aims are to conceal the source of the money, to avoid detection by law enforcement and to cover up their tracks; such money is used for drug trafficking and extortion. Jurisdictions whose banks are considered safe by launderers include Cyprus, the Cayman Islands, Luxembourg and Switzerland; other financial institutions, such as fund managers, are those facilitating electronic fund transfers. In the current global scenario, difficulties arise in the investigation of internet based money laundering techniques, which often derive from the use of virtual currencies and online casinos.

GoldQuest Scheme case

The scheme was run by Questnet Enterprises. Several people of Kavali Town, Nellore District, were lured by local promoters of GoldQuest. Many joined the GoldQuest Scheme by paying Rs 33,000 and Rs 66,000 respectively, but the accused did not repay the money and cheated the people.

3.4.8. Phishing

Phishing is a process in which users are misguided to a hyperlink, arriving via mail, that takes the victims to fake websites which steal important information like credit card details and PINs while the victims are using the internet. In other words, the attacker sends email to customers, falsely claiming to be from a legitimate company, in the hope of enticing the customers to a spoofed website.

The spoofed website mimics the legitimate website for the sole purpose of stealing the personal information of the customers. On the spoofed website the customers are asked to update their personal information such as name, account number, credit card number, PINs and other information. According to the Anti Phishing Working Group global phishing survey 2017, 60,926 unique phishing sites were detected, 85,744 unique phishing email reports (campaigns) were received, and nearly 268 brands were targeted by phishing campaigns. The most targeted industry sectors in 2017 were software as a service (SaaS) providers and webmail providers. Increased attacks on financial and banking targets were also staged, apart from file hosting and file sharing sites. According to the report for the fourth quarter, the phishing activity trend by country of hosting is illustrated in Table 3.1:

Country of hosting      Oct    Nov     Dec   Total

United States          2771   1828    5897   10496
Ireland                 797    418    1437    2652
Brazil                  404    397     968    1769
Germany                  96     92     325     513
Canada                  129     75     273     477
Netherlands              26     47      67     140
Czech Republic           30     45      50     125
Portugal                 29     21      43      93
United Kingdom           25     15      48      88
Other Countries (39)    151    127    9536   16879
Total                  4468   3065   18644   26167

Table 3.1: Phishing attacks by country of hosting in the fourth quarter, 2017

Phishing

A spoofed email, apparently from the website of a reputed financial organization, “XYZ.com”, was distributed to many of the organization's employees. The email claimed that the employees' credentials were about to expire. It also contained instructions to go to the website and renew the passwords within 24 hrs. While attempting to renew, the employees were redirected to a fake webpage that appeared to be legitimate, where they entered their credentials. During the process a malicious script was running in the background which hijacked the user credentials; these were then used by the attackers to compromise the entire organization's network.
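The link mismatch and the 24-hour deadline in the case above are the two indicators a mail filter can check mechanically. The following Python is an added example, not part of the course material; the message text, the lookalike domain xyz-account-renewal.example and the brand domain xyz.com are constructed placeholders.

```python
"""Added example (not from the course text): simple checks for a credential
phishing email like the "renew within 24 hrs" lure described above.

Assumptions, all constructed for illustration: the sample message, the
lookalike domain xyz-account-renewal.example and the brand domain xyz.com
are placeholders, not real indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Deadline / pressure wording typical of credential-expiry lures.
URGENCY_PHRASES = ("within 24 hrs", "within 24 hours", "expire", "immediately", "suspended")

# Visible link text that looks like a URL or bare domain (no spaces).
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host part of a URL or bare domain, lower-cased; '' if none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registered_domain(host):
    """Crude registrable domain (last two labels); an assumption that is
    good enough for .com-style names used in this example."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_email(brand_domain, subject, html_body):
    """Return a list of human-readable findings; an empty list means nothing fired."""
    findings = []
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, visible in parser.links:
        href_host = host_of(href)
        shown_host = host_of(visible) if URL_LIKE.fullmatch(visible) else ""
        # 1. The text the user reads names one site but the link goes elsewhere.
        if shown_host and registered_domain(shown_host) != registered_domain(href_host):
            findings.append(f"link text shows {shown_host} but points to {href_host}")
        # 2. A mail claiming to be from the brand links off the brand's domain.
        if href_host and registered_domain(href_host) != registered_domain(brand_domain):
            findings.append(f"link to {href_host} is outside claimed sender domain {brand_domain}")
        # 3. A password-renewal page served without TLS.
        if href.lower().startswith("http://"):
            findings.append(f"credential link over plain HTTP: {href_host}")
    lowered = (subject + " " + html_body).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency/deadline language: " + ", ".join(hits))
    return findings


# Constructed sample modelled on the case above (not a real message).
SAMPLE_BRAND = "xyz.com"
SAMPLE_SUBJECT = "Action required: your password will expire"
SAMPLE_BODY = (
    "<p>Your credentials are about to expire. Renew within 24 hrs at "
    '<a href="http://xyz-account-renewal.example/login">https://www.xyz.com/renew</a></p>'
)

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_BRAND, SAMPLE_SUBJECT, SAMPLE_BODY):
        print("-", finding)
```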

Phishing incidents were found on various platforms and hosting service providers. These include Facebook, Google, Cloudflare, Amazon, websitewelcome, local web services, OVH Hosting, Universo Online and other ISPs. Industry-wide phishing attacks are illustrated in figure 3.2.

Figure 3.2: Most Targeted Industry Sectors, Q4, 2017

Summary

· Illegal access: The term hacking refers to unauthorized access to computer systems. Today this offence has become a mass phenomenon with the evolution of the internet. From a legal perspective, there is no real difference between “computer hackers” and “computer crackers”.

· Data espionage: Sensitive information stored in computers/networks is being targeted. Vast amounts of information pertaining to trade secrets are being accessed illegally by perpetrators.

· Illegal interception: In this type of crime, the perpetrators try to intercept communications between users.

· Data interference: involves modification of data, whether by deletion, alteration, suppression or restriction of access.

· System interference: Attacks can be targeted at computers and networks. These are targeted by the use of computer worms or denial-of-service attacks.

· Pornography: This category of offence includes storage/dissemination of pornographic material that is lascivious.

· “Spam” is described as the release of unsolicited bulk messages. The most common means through which these attacks are targeted is email.

· Exchange of copyright-protected songs, files and software through file-sharing systems is being carried out.

· Trademark offences: Perpetrators use brand names and trademarks fraudulently, for example in phishing.

· Advance fee fraud: One of the most popular computer-related frauds is to convince a large number of victims, by sending email, that they can make huge profits.

· Auction fraud: Online auction fraud is another popular category. The difficulty in distinguishing between genuine users and offenders has resulted in auction fraud.

· Identity theft: The term identity theft describes the criminal act of fraudulently obtaining and using another person's identity.

· Misuse of devices: Cyber crime can be committed using only fairly basic equipment. Committing an online fraud needs nothing more than a computer and internet access and can be carried out from a public internet café.

· Cyber warfare: Information warfare is defined as a planned attack by nations or their agents against information and computer systems, computer programs and data that results in enemy losses.

· Cyber money laundering: The internet has transformed traditional money laundering techniques. Online financial services worldwide provide quick financial transactions. Drug peddlers and organized criminals use computers and networks to trade electronically between partners, including via credit card, internet banking, e-cash and e-wallets.

· Phishing: a process in which users are misdirected to a hyperlink, usually delivered by email, that takes them to a fake website where important information such as credit card details and PIN numbers is stolen; in other words, the attacker sends email to customers, falsely claiming to be from a legitimate company, in the hope of enticing the customers to a spoofed website.

Check Your answers

· The term ……………………………… refers to unauthorized access to computer systems.

· In ………………………… sensitive information stored in computers/networks is being targeted and trade secrets are being accessed illegally by perpetrators.

· In ……………………………….. the perpetrators try to intercept communications between users.

· ……………………….. involves modification of data either by deletion, alteration, suppression or restriction of access.

· ……………………………. Attacks can be targeted on computers and networks.

· …………………………………… offence includes storage/dissemination of pornographic material that is lascivious.

· ………………….is described as the release of unsolicited bulk messages.

· Exchange of …………………………. songs, files and software through file sharing systems is being carried out.

· Perpetrators use brand names fraudulently and commit ……………………….crime.

· ……………………. is one of the most popular computer related frauds: to convince a large number of victims by sending email enabling them to make huge profits.

· The term …………………………. describes the criminal act of fraudulently obtaining and using another person's identity.

· Cyber warfare: Information warfare is defined as a planned attack by nations or their agents against information and computer systems, computer programs, and data that result in enemy losses.

· Internet has transformed the traditional ………………………………..

· …………………………….. is a process in which the users are misguided to a hyperlink which comes via mail taking victims to fake websites and stealing important information like credit card details and pin numbers while victims are using the internet or in other words the attacker sends email to customers, falsely claiming to be from a legitimate company in the hope of enticing the customers to a spoofed website.

References
1. https://socialnomics.net/2016/01/13/4-case-studies-in-fraud-social-media-and-identity-theft/

2. http://www.cyberralegalservices.com/detail-casestudies.php

3. http://gurgaon.haryanapolice.gov.in/citybankspoofing.htm

4. http://satheeshgnair.blogspot.com/2009/06/selected-case-studies-on-cyber-crime.html

5. https://www.tandfonline.com/doi/full/10.1080/1057610X.2016.1157403?src=recsys

6. Anwar al-Awlaki, “44 Ways to Support Jihad,” no. 29, http://www.anwar-alawlaki.com. The NEFA Foundation released a transcript of this document on 5 February 2009, available at http://www.nefafoundation.org/miscellaneous/FeaturedDocs/nefaal-Awlaki44wayssupportjihad.pdf (accessed 5 January 2009).

7. https://www.valuewalk.com/2015/06/cyber-attacks-security-and-terrorism-case-studies/

8. http://web.mit.edu/smadnick/www/wp/2017-10.pdf

9. http://docs.apwg.org/reports/apwg_trends_report_q4_2017.pdf

LESSON - 4
EVOLUTION OF CYBERCRIMES
Learning Objectives

After reading this lesson you will be able to learn

· Evolution of Cybercrimes

· Crime and Internet

· Networked environment

· Cybercrime worldwide

· Cybercrime in Indian Scenario

· Cyber Preparedness

· Summary

Structure
4.1. Evolution of cybercrimes

4.2. Crime and Internet

4.3. Networked environment

4.4. Cybercrime worldwide

4.5. Cybercrime in Indian Scenario

4.6. Cyber Preparedness

4.1 Evolution of Cyber Crimes


Cyber crimes have evolved in tune with the growth of information technology and in particular of World Wide Web connectivity. In the decades when stand-alone computers reigned over the information world, perpetrators who damaged the hardware and software of computers had to go physically to the place where the computers were installed. In other words, the physical presence of the perpetrator was required for any attack on a computer system, and the situation was very much the same even in the case of a local area network. This is evident from the fact that up to the 1980s data and information were usually communicated through print media, radio and television. The postal service helped in transacting business documents. In official administration, letters and memos were typed and cabinet filing was in vogue. Customers of the banking sector had to go in person to make remittances into their accounts with their respective banks, and the same applied to withdrawals of money from their accounts. During those days conversation through the telephone was the most prevalent method of communication, and hacking of phone systems was in the mainstream then.

In the 1990s, with the birth of the information superhighway, everything and everyone went online, in what may rightly be termed the network era. In the late 1990s organizations started to invest in people, process and technology to reduce their risk of compromise. The introduction of tools such as NetBus by Carl-Fredrik Neikter and Back Orifice by the hacker group known as Cult of the Dead Cow (cDc), coupled with network vulnerabilities, allowed an attacker to control a victim's computer through the internet and was instrumental in remote access, control and other detrimental activities. The network attack vector became a much sought-after target throughout this decade.

In the next decade, from 2000 onwards, industries started taking advantage of the productivity gains offered by internet connectivity. Electronic mail became a handy tool for individuals and businesses alike, for both personal and business use. Attacks on electronic mail, software applications and wireless systems started gaining prominence.

In the most recent decade, from 2010 onwards, the cyber world has witnessed attacks on the client side, on mobile devices and on social networking, in addition to physical, network, email, application and wireless attacks, up to the evolution of a new type of cyber attack, namely bots. Figure 4.1 depicts the evolution of cyber crimes over the past decades on a timeline from 1980 to 2010.

Figure.4.1: Evolution of Cyber Crime Attacks in Timeline

4.2 Crime and the Internet


The internet, mobile apps, information technology and social media are now embedded in the societal structures of finance, health, education and business in many countries throughout the world. Over 40% of the world's population use the internet, and a majority of households worldwide have access to it. The accessibility and efficiency of the internet foster the development of deviant subcultures and cyber crime. The internet facilitates deviance and crime through anonymity: anonymity and bogus identities during the commission of crimes are easier to maintain in virtual spaces than in real physical space. Apps, avatars, disposable devices and the deep web facilitate the concealment of criminal transactions, socialization into subcultures, and networking among those involved in illicit or non-conventional behaviour. Specialized forums and chat rooms in cyberspace have created virtual spaces in which to network and to form trusted underground markets for illicit drugs, prostitution and child pornography. Forums provide widespread outreach across the globe, establish the reputations of sellers of illicit goods or services through customer reviews, and allow cooperation, including the sharing of evasive strategies to avoid arrest.

4.3 Networked Environment


1. Clear Web – the region of the Internet that most of us are familiar with: publicly accessible web pages that are largely indexed by search engines. This is also known as the Surface Web. It comprises about 10% of the total size of the internet. All these sites are indexed by popular search engines and are easily accessible. Examples include Facebook and Twitter. Size is up to 19 TB / ~980,000,000 websites.

2. Deep Web – the Deep Web consists of regions of the Internet that are hidden from the public. Marketing SaaS platforms, for instance, are built in the deep web: they require authentication to access the data within. The term refers to content on the internet that is not indexed by standard search engines. The deep web contains mostly innocuous things, for example academic information, medical records, legal documents and government resources. Size: 7,500 TB / unknown number of sites. This space is extremely organized and highly filtered. It is after this that 100% anonymity begins, i.e. the dark web.

3. Dark Web – within the Deep Web are regions of the Internet that are intentionally and securely hidden from view. It is an area of the web where anonymity is critical, and criminal services can be shopped for here. The most common access to the Dark Web is through the Tor network. Tor is short for The Onion Router. Tor is a non-profit organization that researches and develops online privacy tools. The Tor browser puts an individual into a kind of incognito mode, thereby disguising one's online activity, and allows one to access specific ‘.onion’ domains within the dark web. In simple terms, the dark web is the hidden side of the internet. It forms part of the deep web, which is not indexed by search engines such as Google, and is the deepest layer of the deep web. It is believed that most of the content available in this space is criminal in nature, such as illegal pornography, black markets, hacking groups and the botnet operations commonly associated with spam, fraud and malicious attacks. The deep web and dark web put together make up 90%. But it is not all bad and full of criminal activity: some use the anonymity for good, such as whistle-blowing or activism.

4.4 Cybercrime Worldwide


Figure 4.2 illustrates the top 10 cyber crimes reported to the Internet Crime Complaint Center (IC3). These include advance fee scams, identity theft, business email compromise, personal data breach, non-payment or non-delivery, corporate data breach, real estate/rental fraud, confidence/romance fraud and investment fraud.

Figure.4.2: Top 10 crime types reported to IC3 in 2017 by victim loss


(Source: IC3 2017 report)

Cyber attacks are profit oriented and are designed to steal information surreptitiously. Anonymity on the Internet allows organized criminals to target not only home users but also businesses, Government agencies and the like. This calls for international legislation or cooperation between countries to aid investigations and arrests. As a result of the nefarious activity of organized criminals operating in cyberspace, the globe is experiencing a serious economic crisis. Professional position category versus functional area of operation is tabulated hereunder in table 4.1:

Table 4.1: Professional positions category versus functions and area of operation

Sl.No. – Professional positions category – Functions and area of operation

1. Programmers – Develop the exploits and the malware used to commit cyber crime.

2. Distributors – Trade and sell stolen data and act as vouchers for the goods provided by other specialists.

3. Technical Experts – Maintain the criminal enterprise's IT infrastructure, such as servers, encryption technology and databases.

4. Ethical Hackers – Persons who search for and exploit application, system and network vulnerabilities.

5. Fraudsters – Individuals who create and deploy various social engineering schemes, such as phishing and spam.

6. Hosted system providers – Provide the service of hosting rogue servers and websites.

7. Cashiers – Individuals who control drop accounts and provide names and accounts to other criminals for a fee.

8. Money Mules – Persons who complete wire transfers between bank accounts.

9. Tellers – Persons who are charged with transferring and laundering illicitly gained proceeds through digital currency services.

10. Organization leaders – Persons without any technical skill, who often assemble the team and choose the targets. Leaders quite often initiate indiscriminate attacks. They may operate either individually or in coordination with others. For this purpose they contract professional programmers and hackers, who take on the task of creating and propagating malicious competitive intelligence and the like through phishing, bots, web defacement, fake web pages, etc.

4.5. Cybercrime in Indian Scenario


Cyber crime in India is illustrated in figure 4.3, which shows the number of cases registered versus the number of persons arrested. According to the National Crime Records Bureau, the total number of cyber crimes that occurred in India in the year 2016 is 4,712. Mumbai reported the maximum, at 23.5%, followed by Bengaluru at 18.3% and Jaipur at 12.6% during 2016.

Figure 4.3: Cyber Crime statistics in India

4.6. Cyber Preparedness


A barrage of cyber attacks on government websites is compelling the government to
develop a counter-strategy to deal with countries that are behind these assaults. Government
officials suspect Pakistani and Chinese hackers for being responsible for most of these attacks,
and have asked Security Agencies to jointly map out the cyber infrastructure of neighbouring
countries as part of a ‘cyber preparedness’ strategy.

These agencies have been asked to study the web security layout of ‘suspect countries’, as knowledge of security standards, as well as of software and encryption capabilities, is required for unleashing a counter-attack. The mapping of the cyber systems of other countries, including their Internet gateways, routers, IT system layouts and web routing patterns, was discussed at a meeting of top intelligence officials.

The ubiquitous Internet, with its range of opportunities, spectrum of infrastructure and the access devices spread across it, has to be viewed as complicated and massive, in terms of both its technology component and its human component. The various forces to be considered are social and cultural factors and the skill level of the criminals.

Understanding the complicated issues of technology and human behaviour in order to analyse and develop a model, and its dynamic nature, is the need of the hour. Cyber criminals take sophisticated and rapidly evolving advantage of technology because of anonymity. Globally, law enforcement personnel are experiencing the threat and are reacting appropriately. The challenges include, but are not limited to, the following:

· Changing technology provides ample opportunity, if proper security is not implemented;

· Victims are globally spread;

· E-crimes are not being reported;

· Volatile nature of the technology;

· Jurisdictional issues.

Law enforcement has to keep pace with technical advancement, distributed acquisition of
evidence, presentation of evidence in courts/jury and periodic training programme to update
their skills and knowledge. It has become inevitable for Law enforcement to understand the
implication of Cyber Crimes and needs a structured formalized approach in Cyber Crime
investigation.

Summary
· Clear Web – the region of the Internet that most of us are familiar with, this is
publicly accessible web pages that are largely indexed on search engines. This is
also known as the Surface Web.

· Deep Web – the Deep Web are regions of the Internet that are hidden from the public.

· Dark Web – within the Deep Web are regions of the Internet that are intentionally
and securely hidden from view.

· Tor is short for The Onion Router.

Check your answers


· ………………….the region of the Internet that most of us are familiar with, this is
publicly accessible web pages that are largely indexed on search engines.

· ………………… are regions of the Internet that are hidden from the public.

· ……………………. are regions of the Internet that are intentionally and securely
hidden from view.

· Tor is short for …………………………..

Reference
1. https://martech.zone/what-is-clear-deep-dark-web/

2. https://www.tandfonline.com/doi/ref/10.1080/15564886.2016.1211404?scroll=top

LESSON - 5
EMERGING CHARACTERISTICS OF CYBER CRIME
After reading this lesson you will be able to

· Understand the emerging characteristics of cyber crime

· Exploitation Tactics

o Reconnaissance

o Scanning

o Gaining Access

o Maintaining access

o Clearing tracks

· Assessment and Response

· Attack Platform

· Cyber Forensics

Structure
5.1 Understand the emerging characteristics of cyber crime

5.2 Exploitation Tactics

5.2.1. Reconnaissance

5.2.2. Scanning

5.2.3. Gaining Access

5.2.4. Maintaining access

5.2.5. Clearing tracks

5.3 Assessment and Response

5.4 Attack Platform

5.5 Cyber Forensics



5.1. Emerging Characteristics of Cyber Crime


The primary objective of a cyber criminal is to target information that is an asset to an organization. Crimes are categorized based on the malicious intention caused by motivation. Motivation falls into four categories. Motivation may be due to greed, challenge and malicious intent. Based on the value of the information asset, different forms of cyber crime are committed. These include cyber-fraud, identity theft, cyber-bullying, denial of service and child pornography. The means through which these crimes are committed is malicious software (crimeware). Crimeware may be a virus, worm, Trojan, key logger, malicious code and the like. Considering the forms and means through which these attacks are targeted, the main objective falls into three categories:

· Collection of information;

· Distribution/dissemination of the information collected; and

· Use of the information to perform further attacks.

The magnitude and impact of such targeting becomes apparent. To understand these objectives and the underlying technology involved, the task of identifying and analysing such crimes has to be broken down into smaller tasks. This becomes important and significant if the type of attack exhibits polymorphism, giving rise to coordinated attacks; in collecting the evidence, consideration must be given to electronic evidence that is scattered globally.

5.2. Exploitation Tactics


Cyber criminals operate to target information assets available in the networked environment, causing an extensive combination of attacks through covert channels. The attacks are delivered by vectors: crimeware/malware that executes deception techniques. The attack cycle is represented below in figure 5.1:

Figure 5.1: Exploitation Tactics

5.2.1. Reconnaissance

Information gathering takes several forms, classified by the sources from which the information is gathered: address- and phone number-based, Internet-based and physical reconnaissance. In Internet-based reconnaissance the attacker performs a stealth scan in order to identify the systems on the Net, the services running on the remote machine and the operating systems running on the remote system, including the vulnerabilities in them.

Telephone reconnaissance: In this type, the attacker probes systems on the network to find potential victims using war dialing, a method in which a system dials several phone numbers looking for a modem carrier; having detected a modem, it allows the attacker to compromise the system that answers the call.

· Wireless reconnaissance: Information gathering using the wireless network. Tracing wireless networks by scanning is called war driving.

· Social engineering: A method of gathering information through non-technical means instead of exploiting vulnerabilities or using exploits.

5.2.2 Scanning

A method of identifying a quick way to gain access to the network and look for information.
The three phases of scanning are:

· Pre-attack

· Port scanning / sniffing

· Information extraction
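Scanning leaves a recognisable trace on the defender's side: one source touching many different ports on a host in a short time. The following Python is an added example, not from the course material, that flags such sources in constructed firewall log lines; the log format, the thresholds and the addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Added example (not from the course text): spotting the scanning phase from
the defender's side, in firewall logs.

The log line format, the addresses (RFC 5737 documentation ranges) and the
thresholds are constructed for this example; real firewalls need their own parser.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Simplified netfilter-style record: "<iso timestamp> SRC=<ip> DST=<ip> DPT=<port> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def detect_port_scans(lines, distinct_ports=10, window_seconds=60):
    """Flag (src, dst) pairs where one source touches at least `distinct_ports`
    different destination ports on a host inside any `window_seconds` sliding window.

    Returns {(src, dst): (window_start, sorted_ports_seen)} for the first
    window that trips the threshold for each pair.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dpt = parsed
            events[(src, dst)].append((ts, dpt))

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for key, evs in events.items():
        evs.sort()
        in_window = Counter()   # port -> hits currently inside the window
        left = 0
        for ts, dpt in evs:
            in_window[dpt] += 1
            # Slide the left edge forward past events older than the window.
            while evs[left][0] < ts - window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= distinct_ports and key not in alerts:
                alerts[key] = (evs[left][0], sorted(in_window))
    return alerts


# Constructed log: one source sweeps ten ports on a host in ten seconds,
# while a normal client repeatedly connects to port 443 only.
SAMPLE_LOG = [
    f"2017-12-01T10:00:{i:02d} SRC=203.0.113.7 DST=192.0.2.10 DPT={p} SYN"
    for i, p in enumerate((21, 22, 23, 25, 53, 80, 110, 143, 443, 3389))
] + [
    f"2017-12-01T10:00:{i:02d} SRC=198.51.100.5 DST=192.0.2.10 DPT=443 SYN"
    for i in range(0, 30, 3)
] + ["this line is not a firewall record and is ignored"]

if __name__ == "__main__":
    for (src, dst), (start, ports) in detect_port_scans(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {len(ports)} ports from {start.isoformat()}: {ports}")
```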

5.2.3. Gaining access

The next stage is to gain access. Attackers gain access by entering the remote system through its vulnerabilities, exploiting them initially with the least privilege available and subsequently raising their privilege to administrator level, compromising the system with the help of password cracking tools. Once the vulnerabilities of the system and network have been exploited, the attacker has full control over the system/network, and the privilege escalation enables further malicious activity.

5.2.4. Maintaining access

The stage that follows gaining access is maintaining access. The attackers operate to either upload or download critical information. As long as the information hunted for is not obtained, attackers maintain their access to the compromised system/network. To enable this, sophisticated tools are misused by the hackers. In a physical data theft, the stolen object is no longer available to its owner, whereas with electronic media the object/data that is stolen remains available, so the theft can go unnoticed; by the time the victim realizes the incident, a long time may have passed.

5.2.5. Evasion Techniques

Evasion is the phase of criminality in which the offender tries to avoid detection. Distributed networks, technical complexity and scattered digital evidence make concealment easy and evasion difficult to detect. A technically savvy offender can clear the traces of entry into the victim's system or network, leaving little or no trail.

5.3 Assessment and Response


Investigation/analysis includes a thorough assessment of the specific cybercrime. The wide range of exploits to be considered and the volatile nature of evidence make investigation inadequate if a generalized approach is sought. There is a growing need for a formalized approach to the investigation of cyber crime: a process that takes its information from the initial assessment. Offences are covered in the Information Technology Act (2000, 2008), and the Indian Penal Code has also been amended to cover various offences. Legal considerations that ensure forensic data recovery, and lawful evidence-gathering techniques that are rigorous and all-inclusive, are the need of the hour. Jurisdictional issues must also be considered. All this can be achieved only by investigating cyber crime through a formal approach, which should be able to identify the basic requirements at each stage of the investigation. A formal approach can be mapped onto the following investigative strategies through cyber forensics.

5.4 Attack Platform


5.4.1. Mobile phones: Smart phones, especially those running the Android operating system, are the next potential target for cyber attacks. The number of people using mobile phones is greater than the number using computer systems and laptops, and hackers find that cyber attacks on mobile users yield more revenue because of the mass of users. The ever growing popularity of digital payments and the increasing use of mobile banking apps is leading unsuspecting users closer to the attack perimeter. The lack of seriousness towards ensuring cyber security means humans are still the weakest link. The top three mobile threats are:

5.4.2. Rooters – request root access to a smart phone, or use exploits to obtain it, thereby gaining control of the device to spy on the user and steal confidential personally identifiable information.

5.4.3. Downloaders – Downloaders or droppers use social engineering tactics to trick victims into installing further malicious apps. Droppers also typically show full-screen ads, even outside the app itself. These ads are not just annoying but are often linked to suspicious sites.

5.4.4. Fake apps – illegitimate apps posing as real ones in order to drive downloads and expose users to advertisements.

5.5 Cyber Forensics


Cyber forensics, computer forensics, electronic discovery and digital discovery is a process of methodical examination of computer storage media for evidence of criminality. A thorough analysis by a skilled examiner can result in the reconstruction of the activities of a computer user. In other words, cyber forensics/computer forensics is the collection, preservation, analysis and presentation of computer-related evidence. Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.

Examination of systems and networks can be of two types: post-incident analysis and proactive analysis. Once an offence is committed, the storage media are sent to a forensic lab for analysis. In the case of proactive forensics, the computers and networks used in business, banking and industry necessitate proactive examination, involving remote monitoring of target computers, creating trackable electronic documents, recovery of stolen data and the like. Basic forensic tools and techniques and a forensic services infrastructure become mandatory. The pursuit of cyber crime detection using cyber forensics has two main objectives:

· Detecting and documenting cyber crimes through a disciplined methodology, to assist the law enforcement agencies to present their case effectively to the judiciary and punish the criminals.

· Preventing the occurrence of cyber crime in vulnerable institutions such as industry, Government organizations, aircraft and other critical infrastructure requiring security from loss, pilferage and mishandling by accidental or intentional manipulation.

Computers or networks can be used as a tool for committing a crime. Computers or networks can be the targets of a crime. Computers or networks can be used for incidental purposes related to crime. Digital evidence can be on standalone systems, networks or the Internet.

Good field practice in cyber forensics investigation involves recognition, analysis, interpretation and presentation in the court of law. The illustration given below represents the evidence recognition triangle, starting from the electronic crime scene until such time as the case is tried in court.

Figure : Evidence Recognition Triangle



A formal cyber forensics methodology is essential for the global requirement. Evidence collected from various sources must be tested for authenticity, reliability and completeness and be free from interference or contamination. The various phases involved in the cyber forensics life cycle or, in other words, the digital forensics processing cycle are as follows.

The initial assessment of the case under investigation is followed by the collection phase. Digital evidence must be collected from a varying number of storage devices, perimeter devices and the Internet. The next stage involves the preservation of the evidence. Since cyber forensics involves evidence collection from different storage media, due care has to be taken to ensure evidence integrity and legality. The media from which the information is to be collected must not be exposed to heat, light or magnetic fields. In the next phase a good evidence processing documentation method facilitates solid evidence. The analysis phase involves a trustworthy effort to analyze the findings thoroughly. The tools and techniques used to perform the analysis and the chain of custody must be considered, the detailed method of analysis must be documented, date and time issues must be correlated, and the results of the analysis must be properly interpreted. A detailed plan of action during analysis will help to prevent mistakes which could otherwise lead to evidence being inadmissible. Event reconstruction is the next phase, wherein past events are reconstructed with as little distortion or bias as possible.
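The preservation and chain-of-custody requirements above can be enforced by hashing the evidence at acquisition and re-hashing at every handover, so that a later mismatch identifies the step at which integrity was lost. The following Python is an added example, not part of the course material; the case id, the examiner names and the "disk image" are constructed placeholders.

```python
"""Added example (not from the course text): preserving evidence integrity
across the collection, preservation and analysis phases described above.

Everything here is constructed for illustration: the 'disk image' is a small
temporary file, and the case id and examiner names are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream the file through the hash so large images need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class ChainOfCustody:
    """Append-only custody log. Every handling event is timestamped in UTC and
    carries the evidence hash observed at that moment, so a later change in the
    hash pinpoints the handover during which integrity was lost."""

    def __init__(self, case_id, evidence_path, acquiring_examiner):
        self.case_id = case_id
        self.path = evidence_path
        self.acquisition_hash = hash_file(evidence_path)
        self.entries = []
        self.record("acquired", handler=acquiring_examiner)

    def record(self, action, handler, note=""):
        entry = {
            "case": self.case_id,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "handler": handler,
            "sha256": hash_file(self.path),
            "note": note,
        }
        entry["intact"] = entry["sha256"] == self.acquisition_hash
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if the evidence still hashes to the value recorded at acquisition."""
        return hash_file(self.path) == self.acquisition_hash

    def first_break(self):
        """The first custody entry at which the hash no longer matched, or None."""
        return next((e for e in self.entries if not e["intact"]), None)

    def export(self):
        """Serialise the log for inclusion in the case file."""
        return json.dumps(self.entries, indent=2)


def demo():
    """Build a constructed 'image', log handovers, then simulate tampering.

    Returns (intact_before_tamper, intact_after_tamper, action_where_break_seen).
    """
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed disk image contents")
        coc = ChainOfCustody("CASE-PLACEHOLDER-001", path, "examiner-A")
        coc.record("transferred to lab", handler="examiner-B")
        before = coc.verify()
        # Simulate an analyst accidentally writing to the original media.
        with open(path, "ab") as fh:
            fh.write(b"oops")
        coc.record("analysis started", handler="examiner-C")
        after = coc.verify()
        broken_at = coc.first_break()
        return before, after, (broken_at["action"] if broken_at else None)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())  # (True, False, 'analysis started')
```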

A wide range of attacks are targeted against systems, networks and critical infrastructure. Home users, social networks and business/corporate networks all conduct their communication through the Internet, and a major concern about criminality on the Internet is its effect on the global economy. The technical complexity has made cyber forensics a major challenge, both for law enforcement and for forensics personnel, who are reacting to this growing threat. A more formalized and structured approach, facilitated by best practices, policies and procedures, is the need of the hour.

Summary
1. Five major phases of exploitation tactics are Reconnaissance, scanning, gaining
access, maintaining access and clearing tracks.

2. Social engineering is the non-technical way of exploiting humans.

3. The offender tries to evade and avoid detection.

4. Mobile phones, rooters, downloaders and fake apps are major enablers as attack
platform.

Check your answers


1. What is Reconnaissance?

2. What are the major phases of exploitation in cyber space?

3. ………………………………………… is non technical way of exploiting humans

4. Criminals ……………………………………. to avoid detection.

5. ……………… , …………………… , ……………………. & …………….. are attack platforms.

6. Cyber forensics has two main objectives. They are ………………….& ……………...

Reference
1. Kala N. (2005). “Authorship Attribution in Digital Forensics.” Tamilnadu Prosecutors
Journal.

2. Kala N. (2009). “Information Gleaned from the Disk Forensics for the use of Magnetic
Swipe Card.” Proceedings of the XX All India Forensic Science Conference.

3. Kala N. (2009). “Tracking Device Trails in Digital Forensics.” Proceedings of the
XIX All India Forensic Science Conference.

4. Kala N. (2010). “New Challenges in Digital Forensics Investigation.” Proceedings
of the XXI All India Forensic Science Conference.

5. Kala N. (2010). “Reconstruction of Events using Windows Special Files.” Proceedings
of the XXI All India Forensic Science Conference.

6. Kala N. (2012). “Digital Forensics of Skype Logs Reveals the Cause of Mysterious
Death – A Case Study.” Proceedings of the XXII All India Forensic Science
Conference.

7. Kala N. (2012). “Evidentiary Artefacts of Forensic Significance in i-devices.”
Proceedings of the XXII All India Forensic Science Conference.

LESSON - 6
CYBER CRIMINALS
Learning Objectives

After reading this lesson you will be able to understand

 Definition of Cyber Criminals

o Hacker

§ White hat

§ Black hat

§ Grey hat

§ Green hat

§ Red hat

§ Blue hat

§ State Sponsored hackers

o Cracker

o Phone Phreaker

o Social Engineer

o Script Kiddie

o Hacktivist

o Malicious insider

o Whistle blower/insider

Structure
6. Definition of Cyber Criminals

6.1. Hacker

6.1.1. White hat

6.1.2. Black hat

6.1.3. Grey hat

6.1.4. Green hat

6.1.5. Red hat

6.1.6. Blue hat

6.1.7. State Sponsored Hackers

6.2. Cracker

6.3. Phone Phreaker

6.4. Social Engineer

6.5. Script Kiddie

6.6. Hacktivist

6.7. Malicious insider/Whistle blower

6. Cyber Criminals
Cybercriminals are individuals or teams of people who use technology to commit malicious
activities on digital systems or networks with the intention of stealing sensitive company
information or personal data, and generating profit.

Cybercriminals are known to access the underground markets found in the deep web to
trade malicious goods and services, such as hacking tools to steal confidential data. Cybercriminal
underground markets are known to specialize in certain products or services.

Laws related to cybercrime continue to evolve across various countries worldwide. Law
enforcement agencies are also continually challenged when it comes to finding, arresting,
charging, and proving cybercrimes.

Cybercriminals also differ from targeted threat actors in several ways, the first of which is
intent. Threat actors conduct targeted attacks that actively pursue and compromise a specific
entity’s infrastructure. Cybercriminals are unlikely to focus on a single entity; they run their
operations against broad masses of victims defined only by a shared platform type, online
behaviour or software used. Secondly, they differ in the way they conduct their operations.
Threat actors follow a six-step process, which includes researching targets and moving laterally
inside a network, whereas cybercriminals are less likely to follow defined steps to get what they
want from their victims.

Note, however, that cybercriminals have also been known to adopt targeted attack
methodologies in their operations.

Cybercriminal

A cybercriminal is an individual who commits cybercrimes, making use of the computer either
as a tool, as a target, or as both.

Cybercriminals use computers in three broad ways:

 Computer as the target: These criminals attack other people’s computers to perform
malicious activities, such as spreading viruses, data theft, identity theft, etc.

 Computer as the weapon: They use the computer to carry out “conventional crime”,
such as spam, fraud, illegal gambling, etc.

 Computer as an accessory: They use the computer to store stolen or illegal data.

Cybercriminals often work in organized groups (as Techopedia explains). Some cybercriminal
roles are:

 Programmers: Write code or programs used by the cybercriminal organization

 Distributors: Distribute and sell stolen data and goods from associated cybercriminals

 IT experts: Maintain a cybercriminal organization’s IT infrastructure, such as servers,
encryption technologies and databases

 Hackers: Exploit systems, applications and network vulnerabilities

 Fraudsters: Create and deploy schemes like spam and phishing

 System hosts and providers: Host sites and servers that possess illegal contents

 Cashiers: Provide account names to cybercriminals and control drop accounts

 Money mules: Manage bank account wire transfers

 Tellers: Transfer and launder illegal money via digital and foreign exchange methods.

 Leaders: Often connected to big bosses of large criminal organizations. Assemble
and direct cybercriminal teams, and usually lack technical knowledge.

Clearly, there is much overlap between roles, but as cybercrime becomes a greater issue,
more specialization is being seen as organized crime gets in the picture. For example, hackers
were once more often than not hobbyists who broke into systems for personal gratification.
While white-hat hacking hasn’t disappeared, it’s much more common now to see hackers as
professionals who sell their services to the highest bidder.

The stereotypical cybercriminal is running botnets, stealing bank accounts, hacking into
major companies to steal trade secrets, and performing other nefarious high-profile crimes that
capture the fancy of major news organizations, but the problem is really far more insidious than
most people realize.

In state/nation-sponsored hacking, politicians can be enablers. In some countries, politicians
are the beneficiaries of cybertheft and have no incentive to decrease cybercrime.

Before the Internet, criminals had to dig through people’s trash or intercept their mail to
steal their personal information. Now that all of this information is available online, criminals
also use the Internet to steal people’s identities, hack into their accounts, trick them into revealing
the information, or infect their devices with malware.

Cyber criminals range from lone individuals to organised networks. Most cyber crimes are
committed by individuals or small groups, but large organized crime groups also take advantage
of the Internet. These “professional” criminals find new ways to commit old crimes, treating cyber
crime like a business and forming global criminal communities. More recently, certain underworld
cyber criminals have begun offering Cybercrime-as-a-Service. They operate from the dark web,
where cyber criminals buy and sell stolen information and identities.

Criminal communities share strategies and tools and can combine forces to launch
coordinated attacks. It’s very difficult to crack down on cyber criminals because the Internet
makes it easier for people to do things anonymously and from any location on the globe. Many
computers used in cyber attacks have actually been hacked and are being controlled by someone
far away. Crime laws are different in every country too, which can make things really complicated
when a criminal launches an attack in another country.

Attack Techniques

Here are a few types of attacks cyber criminals use to commit crimes.

 Bots, or botnets: a network of compromised computers (“bots”) running malware that
places them under a common command-and-control (C&C) server, so that the attacker
can direct them together to send spam, launch DDoS attacks or spread further malware.

 Fast Flux: rapidly changing the DNS records of a malicious domain, with very short
TTLs, so that it resolves to a constantly rotating set of bot IP addresses. This makes
it difficult to trace and take down the real hosting of malware or phishing websites.

 Zombie Computers: computers that have been compromised by malware and are remotely
controlled, without their owners’ knowledge, as part of a botnet through
command-and-control servers.

 Denial of Service attacks: flooding a network or server with traffic in order to
make it unavailable to its users.

 Skimmers: devices that steal credit card information when the card is swiped
through them. This can happen in stores or restaurants when the card is out of the
owner’s view, and frequently the credit card information is then sold online through
a criminal community.

 Identity thieves target organizations that store people’s personal information, such as
schools or credit card companies. But most cyber criminals target home computers
rather than trying to break into a big institution’s network, because it is much easier.

 Social engineering is a tactic that uses lies and manipulation to trick people into
revealing their personally identifiable information. Phishing is a form of social
engineering. Social engineering attacks frequently involve very convincing fake stories
to lure victims into the trap. Common social engineering attacks include:

 Sending victims an e-mail that claims there is a problem with their account and contains
a link to a fake website; entering their account information into the site sends it
straight to the cyber criminal (phishing).

 Trying to convince victims to open e-mail attachments that contain malware by
claiming it is something they might enjoy or need.

 Pretending to be a network administrator or account administrator and asking for
the victim’s password to perform maintenance.

 Claiming that the victim has won a prize but must give their credit card information
in order to receive it.

 Asking for a victim’s password for an Internet service and then using the same
password to access other accounts and services, since many people re-use the
same password.

 Promising the victim they will receive millions of dollars if they help out the
sender by giving them money or their bank account information.

Like other hacking techniques, social engineering is illegal in the United States and other
countries. To protect against social engineering, it is advisable not to trust any e-mails or
messages that request personally identifiable information of any sort. Most banks and
companies never ask customers for personal information through e-mail.
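The fast-flux entry in the Attack Techniques list above describes the technique only in outline. The following added example (written for this edition; it is not code from the original lesson) shows the detection side: it reads a resolver log of DNS answers and flags domains whose A records rotate through many addresses in many different /24 networks with short TTLs. The log lines are constructed, and the thresholds and the /24 grouping (used here in place of the ASN lookup a real sensor would perform) are assumptions for illustration.

```python
"""Flag candidate fast-flux domains from a resolver's DNS answer log.

Added example; not code from the original lesson. The log below is constructed
for illustration. Heuristic: a domain is suspicious when, within one
observation window, its answers cover many distinct IPs spread over many
distinct /24 networks and carry short TTLs. (Real sensors group by ASN; the
/24 grouping here is an offline stand-in.)
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample log: "<unix time> <domain> <ttl> <answer ip>" per line.
SAMPLE_LOG = """\
1700000000 update-secure-login.example 120 198.51.100.17
1700000000 update-secure-login.example 120 203.0.113.8
1700000180 update-secure-login.example 90 192.0.2.44
1700000180 update-secure-login.example 90 198.51.100.201
1700000360 update-secure-login.example 60 203.0.113.77
1700000360 update-secure-login.example 60 192.0.2.9
1700000540 update-secure-login.example 60 198.51.100.88
1700000540 update-secure-login.example 60 203.0.113.150
1700000000 www.example.org 3600 192.0.2.10
1700000600 www.example.org 3600 192.0.2.10
1700001200 www.example.org 3600 192.0.2.10
1700000000 cdn.example.net 300 198.51.100.5
1700000300 cdn.example.net 300 198.51.100.6
1700000600 cdn.example.net 300 198.51.100.7
"""


@dataclass
class DomainStats:
    """Everything kept per domain: the answer IPs seen and their TTLs."""
    ips: set = field(default_factory=set)
    ttls: list = field(default_factory=list)

    @property
    def prefixes(self):
        """Distinct /24 networks the answer IPs fall in (ASN stand-in)."""
        return {ip_network(f"{ip}/24", strict=False) for ip in self.ips}

    @property
    def mean_ttl(self):
        return sum(self.ttls) / len(self.ttls)


def parse_log(text):
    """Aggregate answer lines per domain; a malformed IP raises ValueError."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, domain, ttl, ip = line.split()
        ip_address(ip)  # validate before counting it
        name = domain.lower().rstrip(".")
        stats[name].ips.add(ip)
        stats[name].ttls.append(int(ttl))
    return stats


def is_fast_flux(s, min_ips=5, min_prefixes=3, max_ttl=300):
    """All three signals must fire: many IPs, many networks, short TTLs."""
    return (len(s.ips) >= min_ips
            and len(s.prefixes) >= min_prefixes
            and s.mean_ttl <= max_ttl)


def find_fast_flux(text, **thresholds):
    """Sorted list of domains in the log whose answers look like fast flux."""
    return sorted(d for d, s in parse_log(text).items()
                  if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for domain, s in sorted(parse_log(SAMPLE_LOG).items()):
        verdict = "FAST-FLUX?" if is_fast_flux(s) else "ok"
        print(f"{domain:30} ips={len(s.ips):2} /24s={len(s.prefixes):2} "
              f"mean_ttl={s.mean_ttl:7.1f}  {verdict}")
```

Run as a script it prints the per-domain statistics and verdict. A content delivery network also rotates addresses (the cdn.example.net lines above), which is why the rule demands diversity across network prefixes as well as a short TTL; tune the thresholds against your own passive-DNS baseline before acting on the output.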

6.1 Hackers
Who is a Hacker? Types of Hackers

Hacking does not necessarily count as a cybercrime; as such, not all hackers are
cybercriminals. Cybercriminals hack and infiltrate computer systems with malicious intent, while
hackers only seek to find new and innovative ways to use a system, be it for good or bad.

A Hacker is a person who finds and exploits the weakness in computer systems and/or
networks to gain access. Hackers are usually skilled computer programmers with knowledge of
computer security.

Hackers are classified according to the intent of their actions, and the following list classifies
them on that basis. A hacker who wants to come clean and turn away from crime has the option of
working for the people they used to torment, by becoming a security consultant. In an older usage
these hackers-turned-good-guys are also called Grey Hat hackers (note that section 6.1.3 uses the
term differently, for hackers who probe systems without authorisation but without malicious intent).

In the past they were Black Hat hackers, who used their computer expertise to break into
systems and steal information illegally, but now they act as White Hat hackers, who specialise
in testing the security of their clients’ information systems. For a fee, they attempt to hack into
a company’s network and then present the company with a report detailing the existing security
holes and how those holes can be fixed.

The advantage of this is that they can use their skills for a good cause and help stop other
cyber criminals. Keeping up with security is a full-time job, and many companies cannot afford to
have someone completely dedicated to it. Reformed hackers have real-world hacking experience
and know more methods of infiltrating networks than many computer security professionals.
However, since they used to be criminals, there is always going to be a question of trust.

6.1.1. White Hat

White Hat hackers are also known as ethical hackers, and they are the good guys of the
hacker world. They help you remove viruses, perform penetration tests with the owner’s
authorisation, and generally help people understand where their vulnerabilities are and fix them.
Most White Hat hackers hold some form of computer or security related qualification, and often
pursue careers in hacking and cyber security. They love the challenge of finding the holes but
have no interest in exploiting them for harm. There are even a number of qualifications
specifically for them: Offensive Security Certified Professional (OSCP), CREST Certified
Infrastructure Tester and CREST Certified Application Security Tester.

6.1.2. Black Hat

Black Hat hackers, or ‘crackers’ are the types of people you often hear about on the news
and from businesses trying to sell cyber services. They find banks and big companies with
weak security systems and steal credit card information, confidential data or money. Their
methods are varied but actually fairly basic most of the time.

6.1.3. Grey Hat

As with everything in this world, nothing is just black and white. Grey Hat hackers do not
steal information or money like Black Hat hackers (though they may sometimes deface a website
for fun), nor do they help people out like White Hat hackers. Instead, they spend most of their
time just playing around with systems without doing anything harmful. Even so, accessing a
system without authorisation is an offence in most jurisdictions, whatever the intent. This type
of hacker actually makes up most of the hacking community, even though Black Hat hackers
garner most of the media’s attention.

6.1.4. Green Hat

Green Hat hackers are the babies of the hacker world. They are new to the game and
mainly use script, like Script Kiddies, but they have aspirations of becoming full blown hackers.
They are often found asking questions of fellow hackers and listening with childlike curiosity.

6.1.5. Red Hat

Red Hat hackers are the vigilantes of the hacker world. They are like white hats in the
sense that they put a stop to Black Hat attacks, but they are downright scary in how they do it.
Instead of reporting the malicious hacker they find lurking inside a business, they shut them
down by uploading viruses, launching DoS attacks and accessing the attacker’s computer to destroy
it from the inside out. Red hats use many different aggressive methods to force the cracker out
and potentially even kill their computer. The good news is, businesses do not need to worry
about these.

6.1.6. Blue Hat

And finally, we have the Blue Hat hackers. If a Script Kiddie ever took revenge, he would
become a Blue Hat Hacker. Blue Hat hackers will seek vengeance on anyone who has made
them angry. Most Blue Hat hackers are fairly new to the hacking world, but unlike green hats
they have no desire to learn.

6.1.7. State sponsored hackers

State or nation-sponsored hackers are employed by their government to penetrate the
defences of other governments and organisations and gather confidential information, so that
their state stays on top online. An example is the Stuxnet worm, which sabotaged centrifuges at
Iran’s Natanz uranium enrichment facility.

6.2. Cracker
A cracker is an individual who accesses a computer or network in an unauthorized, illegal
manner with the intention of destroying data, stealing information or carrying out other malicious
actions. Crackers have advanced computer and network skills.

Five distinct kinds of crackers are identified, as shown in figure 6.1:

 Novice: These entry-level crackers tend to be only 12 to 14 years old. They usually
see cracking as mischievous and fun; in their eyes, it is mainly play.

 Student: These crackers follow the practice of 1970s MIT students. They usually
have a deep interest in computers and programming. Their desire for illegal computer
access is normally fairly harmless.

 Tourist: Tourists are yet another kind of relatively harmless cracker and are mainly
looking for a challenge. They break into systems to see if they can, then log off.
Tourists can certainly be dangerous if they pass details to thieves or malicious
crackers about how to crack a specific system.

 Crasher: Crashers’ main objective is to satisfy their desire to boast by bringing
systems to a crashing halt. This helps them to make their mark among their victims.
Crashers usually make themselves known to the victim, although they keep their
personal identities secret.

 Thief: This type of cracker is the real criminal. The thieves may make use of bribery
or blackmail to obtain the required information to gain access to computer systems
or networks. Thieves usually do cracking for monetary gain. Thieves tend to be
linked to electronic sabotage and espionage. In addition, they are considered the
most professional of all the crackers.

Figure 6.1: Different Kinds of Crackers



Hacker vs. cracker

Hacker: originally a computer enthusiast; in popular usage, someone who accesses a computer
or network illegally.

Cracker: someone who accesses a computer or network illegally with the intention of
destroying data, stealing information or doing something else malicious.

6.3 Phone Phreakers


Phone phreaking started in the 1950s in the United States. Phone phreaks spent a lot of
time dialling around the telephone network in order to:

 understand how the phone system worked;

 listen to the pattern of signalling tones;

 figure out how calls were routed;

 read obscure telephone company technical journals;

 learn how to impersonate operators and telephone company personnel;

 dig through telephone company trash bins to find secret documents;

 sneak into telephone company buildings at night;

 wire up their own telephones;

 build electronic devices called blue boxes, black boxes and red boxes to help
them explore the network and make free phone calls;

 hang out on early conference call circuits and loop-arounds to communicate
with one another, and write their own newsletters to spread information.

Phreaking consisted of techniques to evade long-distance charges. This evasion
was illegal and was called “toll fraud”.

The timeline of phone phreaking is illustrated in figure 6.2.



Figure 6.2: Evolution of Phone Phreaking

6.4. Social Engineer


Social engineers are another type of attacker. They exploit the human weakness found in
every organisation, with a spectrum of malicious activity aimed at infiltrating protected systems
and compromising sensitive data. They seek personal information such as names, addresses and
social security numbers, and they embed hyperlinks in e-mail, chat or SMS that redirect users to
suspicious websites that appear legitimate. Social engineering is an attack vector that relies
heavily on human interaction and often involves tricking people into breaking normal security
procedures. The different types of social engineering are:

 Phishing: the most common type of social engineering, in which a fraudulent message
impersonating a trusted party lures the victim into revealing credentials or other
sensitive data.

 Spear Phishing: a subset of phishing in which the message is tailored to a specific
individual or organisation using information gathered about the target.

 Vishing: voice phishing, a word that combines “voice” and “phishing”. It exploits the
public’s trust in landline telephone services, which have traditionally terminated in
physical locations known to the telephone company.

 SMShing: SMS phishing, i.e. phishing text messages sent to a mobile phone in an
attempt to get the phone’s owner to give up sensitive information.

 Pretexting: another form of social engineering in which attackers focus on creating a
good pretext, or fabricated scenario, that they can use to try to steal their victims’
personal information. These attacks commonly take the form of a scammer who
pretends to need certain bits of information from the target in order to confirm the
target’s identity.

 Baiting: in many ways similar to phishing. What distinguishes it from other types of
social engineering is the promise of an item or good that the attacker uses to entice
victims. Baiters may offer users free music or movie downloads if they surrender
their login credentials to a certain site.

 Quid Pro Quo: similarly, quid pro quo attacks promise a benefit in exchange for
information. This benefit usually takes the form of a service, whereas baiting
frequently takes the form of a good.

 Tailgating: also known as “piggybacking”. These attacks involve someone who lacks
the proper authentication following an employee into a restricted area. In a common
form of tailgating, a person impersonates a delivery driver and waits outside a
building. When an employee gains security’s approval and opens the door, the
attacker asks the employee to hold it, thereby gaining access through someone who
is authorised to enter the company.

 Waterholing: a “watering hole” attack consists of injecting malicious code into the
public web pages of a site that the targets are known to visit. The method of injection
is not new and is commonly used by cyber criminals and hackers. The attackers
compromise websites within a specific sector that are ordinarily visited by the
specific individuals of interest for the attack.

 Whaling: another evolution of phishing that uses sophisticated social engineering
techniques against senior targets to steal confidential information, personal data,
access credentials to restricted services/resources, and specifically information of
value from an economic and commercial perspective.
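The phishing, spear-phishing and SMShing lures above all rest on the same deception: the place the message shows is not the place the link goes. The following added example (written for this edition; it is not code from the original lesson) is the check a mail gateway or an analyst would run over the links in a suspicious message. The HTML message is constructed, and the trusted-brand allow-list and the two-label “registrable domain” rule are assumptions for illustration; a production tool would use the Public Suffix List.

```python
"""Flag phishing indicators in the hyperlinks of an e-mail body.

Added example; not code from the original lesson. The message, the trusted
brand allow-list and the two-label "registrable domain" rule are assumptions
for illustration (a production tool would use the Public Suffix List).
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed: the brand the message claims to come from.
TRUSTED = {"examplebank.com"}

# Constructed sample message with three hostile links and one legitimate one.
SAMPLE_EMAIL = """\
<p>Dear customer, there is a problem with your account.</p>
<p><a href="https://examplebank.com.verify-login.example">https://examplebank.com/login</a></p>
<p><a href="http://198.51.100.23/secure">Confirm your details</a></p>
<p><a href="https://examplebank.com@evil.example/reset">examplebank.com</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude brand.tld extraction: the last two labels of the host name."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def host_of(text):
    """Host name if the link text itself reads as a URL or domain, else None."""
    t = text.strip()
    if not t or " " in t:
        return None
    try:
        host = urlsplit(t if "://" in t else "//" + t).hostname
    except ValueError:
        return None
    return host if host and "." in host else None


def phishing_indicators(html):
    """Return [(href, [reasons])] for every link that trips an indicator."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        reasons = []
        if is_ip(host):
            reasons.append("raw IP address as host")
        if "@" in parts.netloc:
            reasons.append("userinfo '@' in URL hides the real host")
        shown = host_of(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"text shows {shown} but target is {host}")
        if registrable(host) not in TRUSTED:
            for brand in TRUSTED:
                if brand in host:  # brand name used as a decoy label
                    reasons.append(f"trusted name embedded in untrusted domain {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in phishing_indicators(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

The legitimate www.examplebank.com link produces no finding because its registrable domain is on the allow-list and its text is not a URL. The userinfo check matters because browsers silently drop everything before the “@”, so a victim reading the link sees only the trusted name.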

6.5. Script Kiddie


Script kiddies perform their malicious computer techniques simply for the thrill of it, and to
brag to their peers about their computer prowess. Whether because they are professional hackers
in the making or merely because they lack technical skill, they often leave behind evidence of
their work. If they foolishly decide to hack big companies’ computers, the tight computer security
there easily leads to their being caught. Script kiddies do not really care about hacking into
systems and stealing things. They simply copy code and use it for a virus, SQL injection or
something else. Script kiddies do not write tools for themselves; they download widely used
software (such as LOIC or Metasploit) and watch a YouTube video on how to use it. A very
common script kiddie attack is a DoS (Denial of Service) or DDoS (Distributed Denial of
Service), in which they flood an IP address with so much useless traffic that the service collapses,
preventing other people from using it.

6.6. Hacktivist
Hacktivism is the act of hacking a website or computer network in an effort to convey a
social or political message. The person who carries out the act of hacktivism is known as a
hacktivist: a social activist propagandising a social, political or religious agenda in the online
medium. Hacktivists are hackers, or groups of anonymous hackers, who believe they can bring
about social change, and who often hack governments and organisations to gain attention or to
express their displeasure with those who oppose their line of thought.

6.7. Malicious insider: Whistle blower/insider


A whistleblower is a person who exposes information or activity that is deemed illegal,
unethical or improper within an organisation, whether private or public. The alleged
wrongdoing can be classified in many ways: violation of company policy or rules, of law or
regulation, a threat to the public interest or national security, fraud, or corruption. Those who
become whistleblowers can choose to bring information or allegations to the surface either
internally or externally. Internally, a whistleblower can bring accusations to the attention of
other people within the accused organisation, such as an immediate supervisor. Externally, a
whistleblower can bring allegations to light by contacting a third party outside the organisation,
such as the media, government, law enforcement or those who are concerned. Whistleblowers,
however, take the risk of facing stiff reprisal and retaliation from those accused of wrongdoing.
A whistleblower who reports through lawful channels is not a criminal; the overlap with the
malicious insider arises when an insider exfiltrates, leaks or sabotages data in breach of duty or
law. A whistleblower or malicious insider may be any one of the following:

 a disgruntled employee with a grudge;

 a strategically placed employee who has been compromised;

 someone hired by rivals for competitive intelligence;

 someone seeking to garner opponents’ trade secrets to stay on top of their game;

 someone who takes advantage of their easy access to information;

 someone who misuses their role within the organisation by hacking the system.

Summary
 Cybercriminals are individuals or teams of people who use technology to commit
malicious activities on digital systems or networks with the intention of stealing
sensitive company information or personal data, and generating profit. A cybercriminal
is an individual who commits cybercrimes, where he/she makes use of the computer
either as a tool or as a target or as both.

 A Hacker is a person who finds and exploits the weakness in computer systems
and/or networks to gain access. Hackers are usually skilled computer programmers
with knowledge of computer security.

 Fast flux: rapidly changing the DNS records of a malicious domain so that it resolves
to a rotating set of botnet IP addresses, making it difficult to trace the source of
malware or phishing websites.

 Zombie computers are computers that have been compromised by malware and are
controlled, as part of a botnet, through command and control servers.

 Skimmers are devices that steal credit card information when the card is swiped
through them.

 Hacktivists are social activists propagandising a social, political or religious agenda
in the online medium.

 A whistleblower is a person who exposes any kind of information or activity that is
deemed illegal, unethical, or not correct within an organization that is either private
or public.

Check your answers


 ………………..are individuals or teams of people who use technology to commit
malicious activities on digital systems or networks with the intention of stealing
sensitive company information or personal data, and generating profit. A cybercriminal
is an individual who commits cybercrimes, where he/she makes use of the computer
either as a tool or as a target or as both.

 A …………………… is a person who finds and exploits the weakness in computer
systems and/or networks to gain access.

 …………………… rapidly changes the DNS records of a domain across the computers in
a …………… to make it difficult to trace the source of malware or phishing websites.

 …………………. are computers that have been compromised by malware and are
controlled as part of a botnet through command and control servers.

 Skimmers are devices that steal credit card information when the card is swiped
through them.

 …………………….. is a social …………………. propagandising a social, political or
religious agenda in the online medium.

 A ………………………. is a person who exposes any kind of information or activity
that is deemed illegal, unethical, or not correct within an organization that is either
private or public.

 Different types of hackers include ………………., ………………………..,
………………………., ………………………….., ………………………….. .

Reference
1. https://en.wikipedia.org/wiki/Cybercrime

2. https://searchsecurity.techtarget.com/definition/hacker

3. https://en.wiktionary.org/wiki/cracker

4. https://searchsecurity.techtarget.com/definition/phreak

5. https://krebsonsecurity.com/all-about-skimmers/

6. https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/

LESSON - 7
MOTIVES OF CYBERCRIMINALS
Learning Objectives

After reading this lesson you will be able to understand:

· Motives of cyber criminals

o Challenge

o Greed

o Malicious intent

o Emotional

o Monetary gain

o Anonymity

o Hackers forum

o Attack surface

o Competence

o Politics

o Peer pressure

o Revenge

o Risk to reward

o Laws and Jurisdiction

o Feeling of powerlessness

o Social media motivation

o Fame

o Thrill

Structure
7. What motivates a cyber criminal?

7.1. Challenge

7.2. Greed

7.3. Malicious intent

7.4. Emotional

7.5. Monetary gain

7.6. Anonymity

7.7. Hacker Forum

7.8. Attack surface

7.9. Competence

7.10. Politics

7.11. Peer pressure

7.12. Revenge

7.13. Risk to Reward

7.14. Laws and Jurisdiction

7.15. Feeling of powerlessness

7.16. Social media motivation

7.17. Fame

7.18. Thrill

7. What motivates a cybercriminal?

Motivation

Motivation is the key component in understanding hackers. It helps to answer several
questions, such as:

 What makes a computer or network interesting to the malicious hacker?

 Is the system of interest valuable or enticing?

 Is the attack targeted for financial gain or competitive intelligence?

Answering these questions provides for better risk assessment and risk mitigation
strategies. Motivation generally falls into the following categories:

 Challenge

 Greed

 Malicious intent

7.1. Challenge
Breaking into computer systems or networks was, and still is, one of the most common
motivations. Another aspect of the challenge motivation is the challenge of being the first to hack
a network.

7.2. Greed
Greed is the oldest known form of criminality. Hacking motivated by greed includes the desire
for financial gain, services, goods and information. A hacker motivated by greed will seek specific
information that can be targeted.

7.3. Malicious Intent

Malicious attacks are focused on a particular organisation, denying the use of system
resources to the legitimate owners. Cyber attacks on an organisation of interest may be launched
by hackers through the use of malicious software, or malware. Malicious intent leads to specific
behaviour and forms a major part of investigating a crime. The threat from a malicious attacker
may come from either a disgruntled internal employee or a hired hacker launching an attack
against an information asset.

7.4. Emotional
a) Search for emotions
o Modern hackers are curious; they are bored and want to test their abilities.

o They carry out these attacks as a personal challenge, something to show off, or
merely to prove a point to themselves.

7.5. Monetary gain

o Reasons to target a business:

o It is a personal goal

o It is done for personal gain

o It is a form of vandalism

o How do they choose victims?

o The weak link in the chain of the business

o The administrators (the ones with direct access to servers and databases) are the target

o Figures 7.1 and 7.2 illustrate the mindset of the cyber criminal.

Figure 7.1: Inside the mind of Cyber Criminal

• Cyberattacks are carried out with the aim of identity or economic theft.

• Finance plays a major part as a motive to commit cybercrime.

• Ransomware attack costs escalated to $5 billion in 2017.

• That is a number which increased 15 times in the two years from 2015 and was
projected to quadruple by 2020.

• By that time, organizations were expected to endure a ransomware attack every 14 seconds.

• The average amount demanded after a ransomware attack is $1,077.

Figure 7.2: Monetary Gain

Facing consequences

• The majority were convinced that they would not have to face the consequences of their
cyber attacks, which also led them to continue doing what they do.

7.6. Anonymity
1. Definition

Anonymity is the lever that creates the capacity for abuse: it allows abuse to be committed
with impunity. Freedom on the Internet and the lack of proper monitoring have made the Internet
largely anonymous. There are different degrees of anonymity, and no single measure guarantees
100% anonymity. Anonymity is sometimes used for good. Those concerned about privacy may
browse in incognito mode or use privacy-enabled browsers. There are also proxy computers, for
example a web proxy, which let users load a website through an intermediate computer and
display the result in their own browser.

2. Identity Scale

There are different types of identity

a. Legal name

b. Location identification

c. Pseudonyms that can be linked

d. Pseudonyms that can’t be linked

e. Pattern Knowledge

f. Social categorization

3. Types of descriptive information connectable to individuals


a. Individual Identification – “the who question”

b. Shared Identification – “the typification question”

c. Geographical Location – “the where question – beyond geography and how to reach”

d. Temporal – “the when question”

e. Network and Relationships – “the who else question”

f. Objects – “the whose is it question”

g. Behavioural – “the what happened question”

h. Beliefs, attitudes and emotions – “the inner presumed ‘real’ person question”

i. Measurement characteristics (predictions, potential) – “the kind of person question”

4. Anonymity – Identity scale on the internet

Fully anonymous status: This status is quite difficult to attain and maintain, and is therefore almost nonexistent. It can be achieved only when even some of the data required by the TCP/IP protocol are suppressed or forged. It is thus usable only for one-way communication, since there is no way to trace the originator in order to deliver a reply.

Almost anonymous status: Only the basic data required by the communication protocol are provided, without any intervention (or intention) of the user. The user abstains from providing any useful information about himself, but lets the computer give away its own information, such as the IP address, the physical Ethernet (MAC) address of the network device and the DNS name. This is the most common conception of anonymity among regular internet users. However, once this sensitive information is provided, we can no longer talk about anonymity.

The usage of assigned single-use disposable nicknames or generic nicknames (guest, anonymous, etc.): This allows the user to be addressed and to communicate at the moment, but prevents long-lasting or repeated contact, so such accounts serve only ad hoc purposes. System administrators usually also grant such accounts restricted rights with lower priority.

The usage of a permanent nickname: Into this category fall anonymous accounts on freemail servers (hotmail.com, yahoo.com, post.cz) as well as nicknames on chat servers or the “screen names” of instant messaging systems. These nicknames are usually protected by a password and only one user can access them. This is the highest level of anonymity that still allows continuous communication over a longer period of time. In other words, it is pseudo-anonymity.

Corporate identity: The usage of a corporate identity provides a strong link between the internet persona and a real-world entity (the corporation). Every corporation, government department, non-profit organisation, educational institution, health-care facility, banking or financial organisation etc. covers its own employees (computer users) with its own reputation. Once a user uses a corporate e-mail address (or even just a registered corporate computer), it is understood that with some effort he or she can be discovered and reached in the real world. The same applies to corporate web pages and the information displayed there. That is why information found on corporate web pages is usually more reliable: it is backed by the organization.

Identity (proved by providing information): This is the most common way to identify oneself on the internet today. No special tools or programs are needed; the possession of some knowledge is sufficient. You can identify yourself, for instance, by providing a phone number where you can be reached, your social security number, student login name or credit card number, an address where you can be located, or some other personal information which is known only to you. This method is easy and usually free of cost, but has some serious disadvantages. It leads easily to information abuse and identity fraud or theft, which occurs when one person gains control of credentials that belong to another and so becomes able to masquerade as the “stolen” identity.

Identity (proved by an electronic or digital signature): This is used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are usually protected by a password, cannot be imitated by someone else, and can be automatically time-stamped. A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender’s identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority, so that anyone can verify that the certificate is real. The certificate-issuing authority guarantees the link between the digital signature and a real-world person. Unfortunately, digital signatures are still quite expensive, so they are used mainly in the corporate sphere.
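The sign-and-verify flow described above, written out as an added example (not code from the course material): a certificate-issuing authority signs the link between a subject name and a public key, the sender signs a time-stamped message, and the receiver checks both and rejects altered content, an altered timestamp and a certificate not issued by the authority. The subject name and message are constructed for the illustration, and the Certificate type is a deliberately minimal stand-in for an X.509 certificate, not a real certificate format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Certificate is a deliberately minimal stand-in for an X.509 certificate,
// constructed for this example: the authority binds a subject name to a public
// key and signs that binding, so anyone with the authority's key can check it.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	IssuerSig []byte
}

// SignedMessage: one signature covers both the content and the signing time.
type SignedMessage struct {
	Content   []byte
	Timestamp int64 // Unix seconds, bound into the signature
	Signature []byte
}

func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS random source is unavailable
	}
	return pub, priv
}

// certBytes is the exact byte string the authority signs: subject name, a NUL
// separator so the boundary is unambiguous, then the raw public key.
func certBytes(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// IssueCertificate: the authority vouches for the link between a real-world
// name and the public key that will later be used to sign messages.
func IssueCertificate(issuerPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{subject, pub, ed25519.Sign(issuerPriv, certBytes(subject, pub))}
}

// messageBytes is the exact byte string the sender signs: an 8-byte big-endian
// timestamp followed by the content.
func messageBytes(content []byte, ts int64) []byte {
	buf := make([]byte, 8, 8+len(content))
	binary.BigEndian.PutUint64(buf, uint64(ts))
	return append(buf, content...)
}

// SignMessage produces a time-stamped signature over the content.
func SignMessage(priv ed25519.PrivateKey, content []byte, ts int64) SignedMessage {
	return SignedMessage{content, ts, ed25519.Sign(priv, messageBytes(content, ts))}
}

// Verify: the certificate really comes from the trusted authority, and the
// certified key signed exactly this content and timestamp.
func Verify(issuerPub ed25519.PublicKey, cert Certificate, msg SignedMessage) error {
	if !ed25519.Verify(issuerPub, certBytes(cert.Subject, cert.PublicKey), cert.IssuerSig) {
		return errors.New("certificate was not issued by the trusted authority")
	}
	if !ed25519.Verify(cert.PublicKey, messageBytes(msg.Content, msg.Timestamp), msg.Signature) {
		return errors.New("signature does not match content, timestamp and certified sender")
	}
	return nil
}

// Scenario runs the cases a receiver must get right and reports whether each was
// handled correctly: the genuine message is accepted; altered content, an altered
// timestamp and a forged (impostor self-signed) certificate are all rejected.
func Scenario() (genuineOK, tamperedRejected, timestampRejected, forgedCertRejected bool) {
	issuerPub, issuerPriv := NewKeyPair()
	alicePub, alicePriv := NewKeyPair()
	// Subject name and message content are constructed for the example.
	cert := IssueCertificate(issuerPriv, "alice@example.invalid", alicePub)
	msg := SignMessage(alicePriv, []byte("transfer 100 to account 42"), time.Now().Unix())
	genuineOK = Verify(issuerPub, cert, msg) == nil
	tampered := msg // struct copy; the original message is untouched
	tampered.Content = []byte("transfer 900 to account 42")
	tamperedRejected = Verify(issuerPub, cert, tampered) != nil
	redated := msg
	redated.Timestamp += 3600 // the signing time cannot be moved either
	timestampRejected = Verify(issuerPub, cert, redated) != nil
	// Impostor: own key pair under the genuine subject name, signed by itself, not the authority.
	malPub, malPriv := NewKeyPair()
	forged := IssueCertificate(malPriv, cert.Subject, malPub)
	forgedMsg := SignMessage(malPriv, msg.Content, msg.Timestamp)
	forgedCertRejected = Verify(issuerPub, forged, forgedMsg) != nil
	return
}

func main() {
	fmt.Println(Scenario()) // prints: true true true true
}
```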

Figure 7.3 illustrates anonymity on the internet. Ways of enabling anonymity include proxy servers, the Tor network and Virtual Private Networks.

Figure 7.3: Anonymity in the internet



7.7. Hackers Forum


In the current global scenario, everyone wants to learn hacking. Acquiring basic knowledge about computers and network security is not an easy task. There are two types of hacking: ethical hacking and unethical hacking. While ethical hacking may be regarded as legal, unethical hacking is considered illegal. Many hacker forums are available online, both ethical and unethical. Beginners with an intention to hack want to join a hacker forum and gain its trust. After getting credentials from the hacker forum, they learn the tools and techniques available there and attempt to hack with that information. They then start indulging in criminal activities. This is illustrated in Figure 7.4.

Figure 7.4: Hacker’s Forum

Some of the hacker forums are listed below:

• EC-Council – Ethical Hacking:- The International Council of Electronic Commerce Consultants (EC-Council) is a member-supported professional organization. Its best known certification is Certified Ethical Hacker, awarded on completion of ethical hacking and network security courses that teach white hat hacking.
• SecTools:- As the name suggests, SecTools means security tools. This site is devoted to providing significant tips on network security to fight against threats.
• Hackaday:- One of the top ranked sites providing hacking news and all kinds of tutorials on hacking and networks. It offers users mixed content such as hardware hacking, signals and computer networks.
• Evilzone Forum:- This forum discusses hacking and cracking. One has to be a member to learn ethical hacking.
• HackThisSite:- Commonly referred to as HTS, an online website that aims to let users learn and practice hacking skills through a series of challenges in a safe, legal environment.
• Break The Security:- The motive of the site is explained in its name. Break The Security provides all kinds of hacking material such as hacking news, hacking attacks and hacking tutorials. It also has various useful courses that can make you a certified hacker. This site is very helpful if you are looking to enter the field of security, hacking and cracking.
• Hack in the Box:- A popular website that provides security news and activities from the hacker underground. In this community the users are allowed to discuss hacking tips.
• Null-Byte (Wonderhowto):- A white hat hacker forum where hacking techniques such as Facebook hacks, password cracking and Wi-Fi hacking are described.
• Hack5:- Serves the information security industry by educating, equipping and encouraging an all-inclusive community, one where all hackers belong.
• Exploit Database:- The Exploit Database is the ultimate archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists and other public sources, and to present them in a freely available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
• Cellphone Hacks Forum:- Active forum discussion about all types of cell phone service providers and more. Forums include AT&T, Verizon, T-Mobile, Sprint, Nokia, LG, Motorola, Samsung, Sony Ericsson, Palm, BlackBerry, Audiovox, Sanyo, and more.
• HackSociety – Grey hat hacking forum
• HackForums – Hacks and Exploits
• SecuriTeam – Vulnerabilities Team
• Secz0ne.su – Russian Hacker Forum
• Darknet:- The dark web is World Wide Web content that exists on darknets, overlay networks that use the Internet but require specific software, configurations or authorization to access. The dark web forms a small part of the deep web, the part of the Web not indexed by web search engines, although the term deep web is sometimes mistakenly used to refer specifically to the dark web. The darknets which constitute the dark web include small friend-to-friend peer-to-peer networks as well as large, popular networks like Tor, Freenet, I2P and Riffle, operated by public organizations and individuals. Users of the dark web refer to the regular web as the Clearnet due to its unencrypted nature. The Tor dark web may be referred to as onionland, a reference to the network’s top-level domain suffix .onion and the traffic anonymization technique of onion routing.

7.8. Competence
• Competence of the offender and the lack of it on the other side
• Skill set
• Knowledge
• Tools at the disposal
• Time
• Today’s hackers are more adaptable than ever, and this allows for multiple attacks on multiple systems, increasing the levels of success without increasing the risk. The same is illustrated in Figure 7.5.

Figure 7.5: Competence



7.9 Politics
Today, cyber attacks are often politically motivated. According to Computer Business Review (2016), the following are five major politically motivated cyber attacks. With the US Government at the time planning to elevate its Cyber Command within the Department of Defense, it is obvious that cyber threats are being taken more seriously.

· The US Democratic Party, 2016 – The Democratic National Committee saw its private emails stolen in a breach. The emails, comprising information regarding the Democrats’ fundraising body, were released on the website WikiLeaks. The information available included details of donors: names, email addresses and credit card details.

· Operation Cleaver, 2014 – A cyber attack on critical infrastructure in 16 countries around the globe, linked to Iranian hackers. The cyber security firm Cylance documented Operation Cleaver in a two-year investigation. It was so named because the word ‘cleaver’ was used several times in the software used in the attack. There were 50 targets across a variety of critical industries, including airlines, airports, energy, oil and gas, telecommunications companies, government agencies and universities. The hacking team was linked to a construction engineering company based in Tehran. Huge volumes of data were extracted, including confidential employee information, schedule details, identification photos, information about airport and airline security, and PDFs of network, housing, telecom and electricity diagrams.

· G20, 2011 – The Group of 20 Summit in February 2011 was rocked by a cyber attack involving an email that delivered malware to French government computers. The malware was aimed at the French Finance Ministry and affected 17,000 computers. It was delivered through a PDF document with embedded malware. The G20 Summit involved the central bank governors of the respective countries rather than the heads of government.

· US Government Cyber attack, 2010: - This attack started in 2008, when a USB stick infected with malware was placed in a car park at a US military base in the Middle East. The flash drive was inserted into a military laptop, and the code promptly loaded itself onto a network run by US Central Command. The code spread undetected, channelling data to servers under the attackers’ control. The attack led to the establishment of US Cyber Command (USCYBERCOM).

· Shadow Network, 2010: - An espionage operation that stole classified documents from the Indian government and the office of the Dalai Lama, amongst other targets. These included documents related to Indian security, embassies abroad and NATO troop activity in Afghanistan. Social networks and cloud computing platforms were used in the attacks. It was uncovered by Information Warfare Monitor with the use of Palantir technology. The Shadow Network is based in China.

The following are the means through which such politically motivated cyber attacks are committed. The same is illustrated in the figures that follow.

· Advanced Persistent Threat (illustrated in Figure 7.6)

· Social Media Campaigns

· Change in the course of an election

Figure 7.6: Advanced Persistent Threat

Similarly, voter information manipulation during election times also occurs. The same is illustrated in Figure 7.7.

Figure 7.7: Politics behind cyber crime

7.10 Peer Pressure


Peer pressure is defined as the influence placed on a person, typically a youngster, by a peer group. It can be positive peer pressure, which encourages someone to engage in an action for their betterment, or negative peer pressure, which encourages someone to engage in a criminal act. Peer pressure fosters cyber criminals to launch an attack. In the case of adolescents, immaturity has been found to be positively correlated with how much the negative influence of others can lead us to engage in destructive behaviour, such as becoming involved in crimes. The immaturity found in juveniles around the ages of 16 to 19 can lead to impulsivity and aggressive behaviour. This in turn leaves teenagers more vulnerable to peer influence that can lead them to commit crimes. Adolescent children are more likely to engage in juvenile cybercrimes such as hacking and online bullying if their friends are into it. Lack of self-control is a major predictor of children committing cyber crime. Cybercrimes include digital piracy, such as “stealing” music or movie files by downloading them without paying, or online bullying and harassment, which can consist of sending threatening or sexual messages via email or text message. Computer hacking, also known as cyber trespassing, and viewing online pornography, which is illegal for those under 18, are also cybercrimes. Some of the main causes of peer pressure are related to age-appropriate behaviour. Adolescents develop a strong desire to fit in with their peers and be accepted by them. Peer pressure occurs when a group of people coerce each other into going along with certain beliefs or behaviours. Reasons for peer pressure are illustrated in Figure 7.8.

Figure 7.8: Peer Pressure as Motive for Hackers

7.11 Revenge
Revenge hacking encompasses an expansive set of motivations behind cybercrime. Every victimized industry has seen some form of cyber attack that links back to its own hostile actions or policies toward the attackers. Motives range from low-profile disgruntled ex-employees to self-publicizing groups like Anonymous providing occasional media updates about their attacks on ISIS cyber targets. Sovereign states have long been suspected of hacking behaviour. Sexual revenge or jealousy was behind the infamous theft of subscriber data from the dating site specifically set up to facilitate affairs involving married individuals. Figures 7.9 and 7.10 illustrate revenge as a motive for cyber criminals.

Figure 7.9: Revenge

Figure 7.10: Revenge as motive

7.12 Risk of Detection and Risk to Reward


Another important factor is that in a conventional crime the probability of detection is very high, whereas in a cyber crime the probability of detection is very low. The same is illustrated in Figures 7.11 and 7.12. Earlier, committing a cyber crime was very difficult because the cost of equipment was very high. In the current global scenario there are multiple ways to learn from hacker forums. It is also affordable and hard to detect. Moreover, a hacker is rewarded with huge amounts of money. The well known social engineer Kevin Mitnick, who hacked many computers, was in prison for five years for computer-related offences. Today he is a security consultant at Mitnick Security Consulting, which helps test companies’ security strengths, weaknesses and potential loopholes.

Figure 7.11: Risk of Detection is Low

Figure 7.12: Risk to Reward

7.13 Laws and Jurisdiction


It is difficult to handle cyber crime cases because of:
• A myriad of laws
• Legal, statutory and regulatory complexity
• Different countries having different laws
• Language as a barrier
• Jurisdictions beyond geographic boundaries (Fig 7.13)

Figure 7.13: Jurisdiction

In the majority of cases none of the parties, namely the judges, the prosecutors and the defence counsel, understands what the others are saying, so the advantage lies with the cyber criminals. The same is illustrated in Figure 7.14.

Figure 7.14: Justice



So what is needed is extensive training for all the stakeholders in order to enable justice.

Going Dark

• Law enforcement at all levels has the legal authority to intercept and access
communications and information pursuant to court orders.

• It often lacks the technical ability to carry out those orders because of a fundamental
shift in communications services and technologies.

• This scenario is often called the “Going Dark” problem.

• Law enforcement faces two distinct Going Dark challenges.

• The first concerns real-time court-ordered interception of data in motion, such as phone calls, e-mail, text messages, and chat sessions.

• The second challenge concerns data at rest—court-ordered access to data stored on devices, like e-mail, text messages, photos, and videos.

• Both real-time communications and stored data are increasingly difficult for law
enforcement to obtain with a court order or warrant.

• This is eroding law enforcement’s ability to quickly obtain valuable information that may be used to identify and save victims, reveal evidence to convict perpetrators, or exonerate the innocent.

7.14 The feeling of powerlessness


• Fuelling the feeling of powerlessness is the belief that ‘faceless’ criminals are the main perpetrators of crime, and people do not expect cybercriminals to be brought to justice.

• Many criminals reside in a foreign country, so it is no surprise that people regard them as ‘faceless’: they physically are.

• And because international cybercrime is hard to uncover and prosecute, people genuinely aren’t seeing justice being done.

• Lack of justice against faceless criminals

7.15 Crime and Social Media Motivation


As the salience of social media platforms in our daily lives increases, social media has become an important attack vector that enterprises can no longer ignore. Although the social media sites themselves are largely outside the control of enterprise security teams, they provide a perfect gateway into your networks through social engineering, malware and phishing attempts. As company operations continue to undergo digital transformation, new risks related to social media usage by employees and customers emerge. In fact, 13% of large organizations experienced a breach relating to social media sites in 2016, and this number is likely to grow going forward. Social media such as Facebook, Twitter, Instagram and WhatsApp are targets of cyber attacks. Figure 7.15 illustrates the number of users of social media.

Figure 7.15: Social Media Usage every minute

Cyber bullying, fake identities, cyber stalking are some of the examples of social media
crimes. The individual factors that lead to such crimes include:

• Internet Self Efficacy

– Belief in one’s capabilities to organize and execute online actions

– Use internet confidently and competently to achieve their desired outcomes

• Need for Cognition

– Desire to employ cognitive effort and to enjoy the rewards of that effort

• Need to belong

– To form and maintain positive and significant relationships

– Social networking sites

• Collective self esteem

– An aspect of one’s self-identity derived from their sense of belonging to one or more groups

– Sense of group belongingness

Groups – Online

• Groups in cyberspace

• Time, culture and social status may not be important in an online world

• Communication involves just text

• Absence of non-verbal cues.

• This gives online groups unique characteristics when compared to offline groups.

7.16 Fame
• Hackers would like to get into the Hall of Fame. They risk their future for cheap thrills and money, e.g. Snowden and Kevin Mitnick. Figure 7.16 illustrates fame as one of the motives of cybercrime.

Figure 7.16: Fame as one of the motivation for hackers



7.17 Thrill
In the beginning, it is all about excitement and thrill. To do something different from the routine, teenagers exploit and crack video games, which is a low-level crime. In the second stage come the chat forums and online communities where teens exchange malicious software programs, knowledge of hacking and sometimes stolen information and data. The daring ones look for exploits and virus code that can help them hack into social networking accounts. Having a criminal record may be a source of thrill and fame in the teenage years, but the future of these kids becomes extremely difficult. The criminal record stays with them, and the chances of being hired by an organization later in life become bleak. Kids need to understand that getting a criminal record is the worst possible move. In the absence of a sense of responsibility among teenagers, parents have to up their game in protecting their kids from their acts of naivety and carelessness. Parents should make themselves familiar with technology and gadgets so that they know how to stop cyber crime. One way is to install online parental control software on the home PC and the personal gadgets of their teens to stay up to date on their online activities. In case technology fails, parents have to resort to the traditional means of communicating and building trust with their teens, so that they can detect suspicious or unusual changes in their teen’s activities and behaviour. Parental control software is available to monitor children’s online behaviour. Some examples of parental control software are Qustodio, Net Nanny, Kaspersky Safe Kids, Symantec Norton Family Premier, Circle with Disney, Clean Router, Mobicip, OpenDNS Home VIP, uKnowKids Premier and SafeDNS, but the list is not limited to these.

Summary
· Cybercriminals are individuals or teams of people who use technology to commit
malicious activities on digital systems or networks with the intention of stealing
sensitive company information or personal data, and generating profit.

· A Hacker is a person who finds and exploits the weakness in computer systems
and/or networks to gain access. Hackers are usually skilled computer programmers
with knowledge of computer security.

· Fast Flux - moving data quickly among the computers in a botnet to make it difficult
to trace the source of malware or phishing websites.

· Social engineering is a tactic used by cyber criminals that uses lies and manipulation
to trick people into revealing their personal information.

· White Hat hackers are also known as ethical hackers, and they’re the good guys
of the hacker world.

· Black Hat hackers, or ‘crackers’ are the types of people you often hear about on
the news and from businesses trying to sell cyber services

· Grey Hat hackers don’t steal information or money like Black Hat hackers (though they may sometimes deface a website for fun), nor do they help people out like White Hat hackers.

· Green Hat hackers are the babies of the hacker world.

· Red Hat hackers are the vigilantes of the hacker world.

· Blue Hat hackers will seek vengeance on anyone who has made them angry.

· State or Nation sponsored hackers are those who have been employed by their
state or Nation’s government to snoop in and penetrate through full security to gain
confidential information from other governments to stay at the top online.

· Hacktivist is a social activist propagandizing a social, political or religious agenda in an online medium.

· A cracker is an individual who accesses a computer or network in an unauthorized, illegal manner with an intention to destroy data, steal information and other malicious action. They have advanced computer and network skills.

· Social Engineers are another type of attacker who use their tactics to exploit the human weakness found in each and every organization, with a spectrum of malicious activity, to infiltrate protected systems and compromise sensitive data.

· Script Kiddies perform their malicious computer techniques simply for the thrill of
it, and to brag to their peers about their computer prowess.

Check your answers


· ………………………. are individuals or teams of people who use technology to
commit malicious activities on digital systems or networks with the intention of stealing
sensitive company information or personal data, and generating profit.

· A …………………………… is a person who finds and exploits the weakness in computer systems and/or networks to gain access. Hackers are usually skilled computer programmers with knowledge of computer security.

· ……………………. moving data quickly among the computers in a botnet to make it difficult to trace the source of malware or phishing websites.

· ……………………………. is a tactic used by cyber criminals that uses lies and manipulation to trick people into revealing their personal information.

· ……………………….. are also known as ethical hackers, and they’re the good guys
of the hacker world.

· ……………………….., are the types of people you often hear about on the news
and from businesses trying to sell cyber services

· ………………………………. don’t steal information or money like Black Hat hackers (though they may sometimes deface a website for fun), nor do they help people out like White Hat hackers.

· ………………………………… are the babies of the hacker world.

· …………………………….. are the vigilantes of the hacker world.

· ……………………… will seek vengeance on anyone who has made them angry.

· …………………………………. are those who have been employed by their state or Nation’s government to snoop in and penetrate through full security to gain confidential information from other governments to stay at the top online.

· ……………………….. is a social activist propagandizing a social, political or religious agenda in an online medium.

· A ……………… is an individual who accesses a computer or network in an unauthorized, illegal manner with an intention to destroy data, steal information and other malicious action. They have advanced computer and network skills.

· ………………… are another type of attackers who use their tactics to exploit ones
weakness that found in each and every organization with a spectrum of malicious
activity to infiltrate into protected system and compromise sensitive data.

· ……………………. perform their malicious computer techniques simply for the thrill
of it, and to brag to their peers about their computer prowess.

Reference
1. https://online.norwich.edu/academic-programs/masters/information-security-assurance/resources/articles/who-are-cyber-criminals

2. https://www.trendmicro.com/vinfo/us/security/definition/cybercriminals

3. https://www.malwarefox.com/types-of-hackers/

4. https://www.guru99.com/what-is-hacking-an-introduction.html

5. https://sorry.vse.cz/~pavlant/sources/Dissertation-Pavlicek-Anonymity.pdf

6. https://www.cbronline.com/business/cybergate-5-major-political-cyber-attacks-4973433/

7. http://in.pcmag.com/parental-control-monitoring/90793/guide/the-best-parental-control-software-of-2018

Credits for the Figures: second year M.Sc CFIS students (2017-19 Batch) - Abdul Nasar,
Mohamed Azeemullah Shariff, Sathish Kumar, Tabrace Baig, Abhinayaa, Sreejaa.

LESSON - 8
IMPACT OF CYBER CRIMES
Learning Objectives

After reading this lesson you will be able to learn the following:

· Impact of Cybercrimes

o Effect of Cybercrimes on society

o Cybercrimes against People

o Cybercrimes against Property

o Cybercrimes against Business

o Cybercrimes against Nation

Structure
8. Impact of Cybercrimes

8.1. Effect of Cybercrimes on society

8.2. Cybercrimes against People

8.3. Cybercrimes against Property

8.4. Cybercrimes against Business

8.5. Cybercrimes against Nation

8.6 Notable Cyber Crimes against Nations

8. Impact of Cybercrimes
The impact of a single successful cyber attack can have far reaching implications including
financial losses, theft of intellectual property, and loss of consumer confidence and trust. The
overall monetary loss is estimated to be billions of dollars a year. This is increasing day by day.
Criminals take advantage of technology in many different ways. The internet is a great tool for scammers and other miscreants because of the anonymity it provides.

8.1. Effect of Cybercrimes on society


Cyber crime affects society in a number of different ways, both online and offline. Being an online victim of cyber crime can have long-lasting effects on a person’s life. Fake mail, phishing and identity theft that request personal information allow the criminal to access bank and credit accounts and to modify, delete or alter personal information. Financial institutions and individuals are affected by this.

The investment of businesses in cyber security to tackle cyber crimes is also becoming huge. Attackers may compromise servers to steal confidential information. Companies have to spend huge amounts to keep intruders away from the confidential information of their customers, the banking industry for example. The overall monetary losses from cyber crime can be immense. According to a report by Symantec (2012), more than 1.5 million people fall victim to some sort of cybercrime every day, ranging from simple password theft to extensive siphoning of money. Cyber criminals have developed new techniques involving mobile devices, social networks and IoT devices to keep their illicit gains flowing. Cyber criminals take full advantage of the anonymity, secrecy and interconnectedness provided by the internet, thereby attacking society. Law enforcement officials struggle to keep pace with perpetrators. The emotional impact of cyber crime is another factor that affects society. A study on this factor by Norton reveals a staggering prevalence of cyber crime. According to this report, 65% of internet users globally and 73% of web surfers have fallen victim to cyber crimes. Among the most victimized nations, America ranks 3rd after China (83%) and Brazil and India (76%). The strongest reactions to cyber crimes are anger, annoyance and feeling cheated, and sometimes victims blame themselves for being cheated.

8.2. Cybercrimes against People


Cyber crimes committed against persons include the transmission of child pornography,
cyber porn, harassment of a person through a computer (for example by e-mail) and fake escrow
scams. The trafficking, distribution, posting and dissemination of obscene material, including
pornography and indecent exposure, constitutes one of the most serious cyber crimes known
today, and its potential harm to society can hardly be overstated. Cyber harassment is a distinct
cyber crime. Various kinds of harassment can and do occur in cyberspace, or through the use of
cyberspace; it may be sexual, racial, religious or of some other kind, and persons perpetrating
such harassment are guilty of a cyber crime.

Cyber harassment also brings us to a related area: violation of the privacy of citizens.
Violation of the privacy of online citizens is a cyber crime of a grave nature; nobody wants
another person invading the invaluable and extremely sensitive sphere of privacy that the
internet grants them. Harassing e-mail, cyber stalking, defamation, hacking, cracking, spoofing,
smishing (SMS phishing), vishing (voice phishing), phishing, carding, child pornography and
assault by threat are all examples of cyber crime against persons.

8.3. Cybercrimes against Property


The next category is cyber crime against all forms of property. These crimes include
computer vandalism (destruction of others' property) and the transmission of harmful viruses or
programs. Transmission of viruses, worms, Trojans, bots and ransomware are some of the methods
by which criminals sabotage the property of others. IPR-related crimes, cyber squatting, cyber
vandalism, hacking, cyber trespass and internet time theft are common attacks against property.
A Mumbai-based start-up engineering company lost its standing and a great deal of money when
a rival company, an industry major, stole the technical database from its computers with the
help of commercial spyware.

8.4. Cybercrimes against Business


A successful cyber attack can cause major damage to a business. It can affect the bottom
line, the business's standing and consumer trust. The impact of a security breach can be broadly
divided into three categories: financial, reputational and legal.

Cyber attacks often result in substantial financial loss arising from:

· theft of corporate information

· theft of financial information (e.g. bank details or payment card details)

· theft of money

· disruption to trading (e.g. inability to carry out transactions online)

· loss of business or contract

Businesses that suffer a cyber breach will also generally incur costs for repairing affected
systems, networks and devices. Trust is an essential element of the customer relationship. Cyber
attacks can damage a business's reputation and erode the trust customers have in it. This, in
turn, could lead to:

· loss of customers

· loss of sales

· reduction in profits

Reputational damage can even affect suppliers, or the relationships you have with
partners, investors and other third parties with a stake in the business.

Data protection and privacy laws require you to manage the security of all personal data
you hold, whether on your staff or your customers. If this data is accidentally or deliberately
compromised and you have failed to deploy appropriate security measures, you may face fines
and regulatory sanctions. According to recently collected data on cyber security, over 159 million
sensitive records were compromised in 2015 alone. The loss of this information runs up larger
bills than just the initial data recovery and added security measures: a breach can lead to fines,
penalties and litigation for a business.

In May 2017, Target paid out an $18.5 million settlement over the large-scale data breach it
suffered in 2013; the company put the total cost of the breach at over $202 million. Cyber crime
as a whole has been estimated to cost approximately $6 trillion annually by 2021.

The even bigger issue is that a large percentage of sensitive records taken are usually
filled with customer data. When a company has a data breach, it undermines a customer’s trust
in the company and their confidence in the company’s ability to keep their financial information
out of the wrong hands.

It’s a big enough red flag when a company loses its own data, but customer data is a
different ball game. Identity theft is a real concern for consumers, and customers may feel less
inclined to shop with companies that could mishandle their information.

Following a cyber attack, companies lose not only valuable digital assets and customers but
also their brand, and brand damage bleeds into every aspect of the business: growth, revenue
and reputation. Loyal customers who bought from a company because they liked the brand leave
once the company proves unable to keep their personal and financial information safe. With a
few clicks, attackers can ruin the perception of a brand overnight. Sectors commonly affected
include financial services, airlines, shipping, transportation, telecoms, critical infrastructure,
aerospace and defence, and retail.

8.5. Cybercrimes against Nation


The latest form that war between countries has taken is the cyber attack. Simply put, a
cyber attack is the deliberate exploitation of computer systems, technology-dependent enterprises
and networks. No definition of 'cyber attack' has yet been adopted internationally, but the term
mostly refers to actions by a nation-state to penetrate another nation's computers or networks
for the purpose of causing damage or disruption. The impact of such attacks is only growing;
commentators have warned that the next form of war the US could face would be a 'cyber Pearl
Harbor'.

8.6 Notable Cyber Crimes against Nations


Several state-run surveillance and intrusion programmes directed at other nations' citizens,
companies and infrastructure are listed below:

Tempora is the codeword for a formerly secret computer system used by the British
Government Communications Headquarters (GCHQ). The system buffers most of the internet
communications extracted from fibre-optic cables so that they can be processed and searched
later. It was tested from 2008 and became operational in the autumn of 2011. Tempora taps the
fibre-optic cables that make up the backbone of the internet to gain access to large amounts of
internet users' personal data, without any individual suspicion or targeting. The intercepts are
placed in the United Kingdom and overseas, with the knowledge of the companies that own the
cables or landing stations.

The existence of Tempora was revealed by Edward Snowden, a former American intelligence
contractor who leaked information about the programme to the then Guardian journalist Glenn
Greenwald in May 2013, as part of his revelations of government-sponsored mass surveillance
programmes.

PRISM is the code name for a programme under which the United States National Security
Agency (NSA) collects internet communications from various US internet companies. The
programme is also known by the SIGAD US-984XN. PRISM collects stored internet communications
on the basis of demands made to internet companies such as Google Inc. under Section 702 of
the FISA Amendments Act of 2008 to turn over any data that match court-approved search
terms. The NSA can use PRISM requests to target communications that were encrypted when
they travelled across the internet backbone, to focus on stored data that telecommunication
filtering systems discarded earlier, and to obtain data that is easier to handle, among other things.

XKeyscore (XKEYSCORE or XKS) is a formerly secret computer system first used by the
United States National Security Agency for searching and analysing global internet data, which
it collects on a daily basis. The programme has been shared with other intelligence agencies,
including the Australian Signals Directorate, Canada's Communications Security Establishment,
New Zealand's Government Communications Security Bureau, Britain's Government
Communications Headquarters, Japan's Defense Intelligence Headquarters and Germany's
Bundesnachrichtendienst (federal intelligence service).

MUSCULAR (DS-200B), located in the United Kingdom, is a surveillance programme jointly
operated by Britain's Government Communications Headquarters (GCHQ) and the US National
Security Agency (NSA); it was revealed by documents released by Edward Snowden and by
interviews with knowledgeable officials. GCHQ is the primary operator of the programme. Through
it, GCHQ and the NSA secretly broke into the main communications links that connect the data
centres of Yahoo! and Google. Substantive information about the programme was made public
at the end of October 2013.

Optic Nerve - A programme started in 2008, Optic Nerve gave GCHQ secret access to Yahoo!
webcam chats. In one six-month period in 2008 it spied on 1.8 million Yahoo! users, taking one
still image every five minutes from each user's video. Between 3% and 11% of the images
captured by Optic Nerve were sexually explicit 'undesirable nudity'.

Mystic - Mystic spies on every phone call made in five target countries. In the Philippines,
Kenya and Mexico, Mystic 'only' records the metadata (who called whom, when the call
happened, for how long, and the location of the call if it was made from a mobile). In Afghanistan
and the Bahamas, it records the content of every call made and stores it for 30 days. That is a
combined population of 250 million people whose phone calls are secretly monitored by the NSA.

Operation Socialist - GCHQ targeted Belgacom, Belgium's largest telecommunications
provider, with spyware called Regin, a malicious piece of software designed to break into
Belgacom's networks. The purpose of the GCHQ hack was to spy on phone and internet users of
the Belgacom network.

Gemalto Hacking - Gemalto is the largest SIM card manufacturer in the world, producing
two billion SIM cards a year for 400 mobile network operator partners with 700 million
subscribers. GCHQ attacked its network to steal the SIM card encryption keys that protect
conversations from being listened to. Gemalto said it detected attacks in 2010 and 2011 and
repelled them. When intelligence agencies break the locks on communications infrastructure
such as SIM cards, they do not just leave the doors open for government spying; they leave them
open for identity thieves, hackers and organised criminals too.

Summary
· Cyber criminals have developed new techniques involving mobile devices, social
networks, IoT devices to keep their illicit gains flowing.

· Different types of harassment can be sexual, racial, religious, or other. Persons
perpetrating such harassment are also guilty of cyber crimes.

· Cyber crimes committed against persons include various crimes like transmission
of child pornography, cyber porn, harassment of a person using a computer such
as through e-mail, and fake escrow scams.

· Strongest reactions to cyber crimes are anger, annoyance, feeling cheated and
sometimes they blame themselves for being cheated.

· IPR related crimes, cyber squatting, cyber vandalism, hacking, cyber trespass,
internet time thefts are common attacks against property.

· The impact of a security breach can be broadly divided into three categories: financial,
reputational and legal.

· Data protection and privacy laws require you to manage the security of all personal
data that is held, whether on staff or customers.

Check your answers:


· __________ have developed new techniques involving mobile devices, social
networks, IoT devices to keep their illicit gains flowing.

· Different types of harassment can be _________, ______, __________

· Cyber crimes committed against persons include various crimes like transmission
of ____________, _____________ harassment of a person using a computer such
as through e-mail, fake escrow scam.

· Strongest ___________ to cyber crimes are anger, annoyance, feeling cheated
and sometimes they blame themselves for being cheated.

· __________ related crimes, cyber squatting, cyber vandalism, hacking, cyber
trespass, internet time thefts are common attacks against property.

· The impact of a security breach can be broadly divided into three categories:
_____________, ________________ and _______________.

· _______________ and ______________ require you to manage the security of all
personal data that is held whether on staff or customers.

Reference
· https://thefinancialexpress.com.bd/views/cyber-crime-affects-society-in-different-ways

· https://www.nibusinessinfo.co.uk/content/impact-cyber-attack-your-business

· https://www.forbes.com/sites/theyec/2017/07/13/the-true-cost-of-cybercrime-for-businesses/#587658004947

· https://securingtomorrow.mcafee.com/business/economic-impact-cybercrime-cyber-espionage-isnt-just-militarys-problem/

· https://www.crowdstrike.com/blog/cybercrime-cybersecurity-affects-nations-geopolitics/

· https://gcn.com/articles/2011/07/27/international-cyber-crime-threat-to-us.aspx

· https://en.wikipedia.org/wiki/PRISM_(surveillance_program)

· https://www.amnesty.org/en/latest/campaigns/2015/03/10-spy-programmes-with-silly-codenames-used-by-gchq-and-nsa/

LESSON - 9
VIRUS, WORMS AND TROJANS
Learning Objectives:

After reading this lesson you will be able to understand

· Virus

· Worms

· Trojans

Structure
9.1 Virus

9.1.1 Definition

9.1.2. Types of Virus

9.1.3. Evolution of Virus

9.1.4. Countermeasure

9.2. Worms

9.2.1. Definition

9.2.2. Types of Worms

9.2.3. Evolution of Worms

9.2.4. Countermeasure

9.3. Trojan

9.3.1. Definition

9.3.2. Types of Trojans

9.3.3. Evolution of Trojans

9.3.4. Countermeasure

9.1 Virus
A computer virus is malicious code that replicates by copying itself into another program, a
computer's boot sector or a document, and changes how the computer works. A virus relies on
someone, knowingly or unknowingly, spreading the infection without the knowledge or permission
of the user or system administrator. A virus spreads when a user

· opens an infected email attachment
· runs an infected executable file
· visits or views an infected website
· connects an infected USB drive

Once it has infected a host, a virus can

· infect system software
· infect system resources
· modify or disable core functions or applications
· copy, alter, delete or encrypt data

Many viruses also include evasion or obfuscation capabilities designed to bypass modern
antivirus and antimalware software and other security defences. The rise of polymorphic
malware, which dynamically changes its code as it spreads, has also made viruses more difficult
to detect and identify.

Some viruses begin replicating as soon as they infect a host, while others lie dormant until
a specific trigger causes the malicious code to be executed by the device or system.

9.1.1. Definition
· A computer virus crime usually involves the intent to cause damage through the
creation and/or distribution of a destructive computer program.

· A computer virus is a malicious software program loaded onto a user's computer
without the user's knowledge that performs malicious actions.

· A virus is a software program capable of reproducing itself and usually capable of
causing great harm to files or other programs on the same computer; a true virus
cannot spread to another computer without human assistance.

9.1.2. Types of Virus

Variants of viruses are distinguished by their functionality. They are illustrated in Figure
9.1.

Figure 9.1: Computer Viruses

File Infectors

Viruses in this category infect files by attaching themselves to program files. The common
targets are '.com' and '.exe' files, but some viruses can infect any program for which execution
is requested, including '.sys', '.ovl', '.prg' and '.mnu' files. Whenever the program is loaded,
the virus is loaded with it. Infected programs are sometimes sent as email attachments.

Macro Virus

Most Microsoft Office programs support macros: sequences of actions, commands or keystrokes
that are saved within documents and used to automate tasks. A macro virus specifically targets
the macro commands of applications such as Microsoft Word. Recent versions of Microsoft Word
disable macros by default.
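Because a macro virus travels inside the document, the practical check is whether a document carries a VBA project at all. The following Python script is an added example and is not part of the original lesson: Office Open XML files (.docx/.docm, .xlsx/.xlsm, .pptx/.pptm) are ZIP containers, and a macro-enabled one holds a vbaProject.bin stream, so a mail gateway or an analyst can detect macros with a ZIP directory listing rather than a signature match. The sample documents are constructed in the script; the stream paths, the list of macro-declaring extensions and the verdict strings are this example's own choices, and legacy binary .doc/.xls files (OLE2 format) are deliberately out of scope.

```python
import io
import zipfile

# VBA project streams inside Office Open XML containers (Word, Excel, PowerPoint).
VBA_PROJECT_PATHS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that openly declare macro support (assumed list for this example).
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")


def find_vba_project(data: bytes):
    """Return the path of the VBA project stream in an OOXML file, or None if absent.

    Non-ZIP input (e.g. a legacy OLE2 .doc file) is reported as None; those need a
    different parser and are outside the scope of this example.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return None
    for path in VBA_PROJECT_PATHS:
        if path in names:
            return path
    return None


def classify(filename: str, data: bytes) -> str:
    """Verdict for one attachment: no macros, openly macro-enabled, or a VBA project
    hidden behind an extension that does not declare macros (worth blocking or sandboxing)."""
    vba_path = find_vba_project(data)
    if vba_path is None:
        return "no-macros"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "macro-enabled"
    return "suspicious: VBA project present behind non-macro extension"


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal Word container as sample input (not a real document).

    A real file carries many more parts; only the entries relevant to the check are
    included, and the vbaProject.bin content is placeholder bytes (OLE2 magic + zeros)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: a plain document, an honest macro document, and the
    # same macro document renamed to look harmless.
    for name, blob in [("report.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True))]:
        print(f"{name}: {classify(name, blob)}")
```

This is a container-level pre-filter, not an analysis of the macro code itself: a "no-macros" verdict only means no VBA stream was found in a ZIP container, so files that fail to parse as ZIP (including OLE2 documents) must be routed to a parser for that format rather than passed through.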

Overwrite Virus

Overwrite viruses are designed specifically to destroy a file's or an application's data. After
infecting a system, an overwrite virus begins overwriting files with its own code. These viruses
can target specific files or applications, or systematically overwrite all files on an infected
device. An overwrite virus can also install new code in files and applications that programs
them to spread the virus to additional files, applications and systems.

Polymorphic viruses

A polymorphic virus is a type of malware that has the ability to change or mutate its
underlying code without changing its basic functions or features. This process helps a virus
evade detection from many antimalware and threat detection products that rely on identifying
signatures of malware; once a polymorphic virus’ signature is identified by a security product,
the virus can then alter itself so that it will no longer be detected using that signature.
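The paragraph above describes a cat-and-mouse game that is easiest to see in code. The Python below is an added example, not code from the original text or from any antivirus product: a scanner holding a static byte signature for a constructed toy "virus body", a toy polymorphic generator that re-encrypts the body under a fresh XOR key for every copy (so each copy has different bytes and a different hash while behaving identically once decoded), and an emulation-style scanner that runs the decoder first and matches the plaintext, which is why real engines unpack or emulate before matching. The body, the signature, the decoder stub layout and the keys are all invented for the demonstration; a real polymorphic engine also rewrites the decoder stub itself, which this fixed-header stub does not.

```python
import hashlib

# Constructed toy "virus body": a short byte string standing in for real code.
# The scanner's static signature is a substring of it, as legacy signature AV would hold.
PAYLOAD = b"\x55\x89\xe5" + b"TOY_VIRUS_BODY_v1" + b"\xc9\xc3"
SIGNATURES = {"Toy.Virus.A": b"TOY_VIRUS_BODY_v1"}

DECODER_MARKER = b"DECODER:"          # invented stub layout: marker, 1-byte key, ':', body
BODY_OFFSET = len(DECODER_MARKER) + 2


def signature_scan(sample: bytes, signatures=SIGNATURES):
    """Plain static scan: report every signature that appears verbatim in the sample."""
    return [name for name, sig in signatures.items() if sig in sample]


def sha256(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(payload: bytes, key: int) -> bytes:
    """Toy polymorphic generation: identical behaviour (decode, then run the same body)
    but different bytes on disk for every key, so no static signature of the body matches."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return DECODER_MARKER + bytes([key]) + b":" + xor_bytes(payload, key)


def emulate_and_scan(sample: bytes, signatures=SIGNATURES):
    """Emulation-style scan: if the sample carries the decoder stub, do what the stub
    would do at run time (decrypt the body) and scan the plaintext instead of the
    on-disk bytes. Samples without the stub are scanned as-is."""
    if sample.startswith(DECODER_MARKER) and sample[BODY_OFFSET - 1:BODY_OFFSET] == b":":
        key = sample[len(DECODER_MARKER)]
        return signature_scan(xor_bytes(sample[BODY_OFFSET:], key), signatures)
    return signature_scan(sample, signatures)


if __name__ == "__main__":
    v1, v2 = make_variant(PAYLOAD, 0x5A), make_variant(PAYLOAD, 0x3C)
    print("original :", signature_scan(PAYLOAD))                 # ['Toy.Virus.A']
    print("variant 1:", signature_scan(v1), sha256(v1)[:16])     # []
    print("variant 2:", signature_scan(v2), sha256(v2)[:16])     # [] with a different hash
    print("emulated :", emulate_and_scan(v1))                    # ['Toy.Virus.A']
```

The two variants differ in every byte of the body and therefore in their hashes, so neither a byte signature nor a hash blocklist built from one copy catches the next; only matching after decoding does, which is the reason signature databases alone fall behind polymorphic families and why engines pair them with emulation, unpacking and behavioural detection.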

Resident viruses

This type of virus embeds itself in the memory of a system. The original virus program
isn’t needed to infect new files or applications; even if the original virus is deleted, the version
stored in memory can be activated when the operating system loads a specific application or
function. Resident viruses are problematic because they can evade antivirus and antimalware
software by hiding in the system’s RAM.

Rootkit viruses

A rootkit virus is a type of malware that installs an unauthorised rootkit on an infected
system, giving attackers full control of the system with the ability to fundamentally modify or
disable functions and programs. Rootkit viruses were designed to bypass antivirus software,
which typically scanned only applications and files. More recent versions of major antivirus and
antimalware programs include rootkit scanning to identify and mitigate these types of virus.

System or boot-record infectors

These viruses infect executable code found in certain system areas of a disk. They attach to
the DOS boot sector of diskettes and USB thumb drives, or to the Master Boot Record (MBR) of
hard disks. In a typical attack scenario, the victim receives a storage device that carries a
boot-sector virus. While the victim's operating system is running, files on the external storage
device can infect the system; rebooting from the device triggers the boot-sector virus. An infected
storage device connected to a computer can modify or even replace the existing boot code of the
infected system, so that the next time the system boots the virus is loaded and run immediately
as part of the Master Boot Record. Boot viruses are less common now because today's devices
rely less on physical storage media.
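The infection the paragraph describes, modifying or replacing the boot code, is also what a forensic examiner checks for. The Python below is an added example, not from the original text: it parses one 512-byte Master Boot Record, verifies the 0x55AA boot signature, decodes the four partition entries and compares a SHA-256 of the 440-byte bootstrap code region with a baseline recorded when the disk was known clean. The two sample sectors are constructed in the script (the "clean" one starts with a typical MBR prologue, the "infected" one with a jump to injected code); the baseline policy, the verdict strings and the sample partition layout are this example's own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code; disk signature and 2 reserved bytes follow
PART_TABLE_OFFSET = 446        # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Decode one MBR sector: signature check, hash of the bootstrap code, partition list."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def verify_boot_code(sector: bytes, baseline_sha256: str) -> str:
    """Compare the bootstrap code against a hash recorded when the disk was known clean.
    The partition table is deliberately left out of the hash: it legitimately changes
    when volumes are created, while the boot code should not change at all."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid: missing 0x55AA boot signature"
    if info["boot_code_sha256"] != baseline_sha256:
        return "alert: boot code differs from the recorded baseline"
    return "ok"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR (not read from a real disk): the given boot code padded to
    440 bytes, a disk signature, one bootable NTFS-type (0x07) partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_signature = b"\x12\x34\x56\x78" + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48
    return code + disk_signature + table + BOOT_SIGNATURE


# Constructed samples: the first instructions of a typical MBR (cli; xor ax,ax; mov ss,ax;
# mov sp,0x7c00) versus the same sector whose code now starts with a jump to injected code.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
INFECTED_CODE = b"\xeb\x3e" + b"\x90" * 6
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
INFECTED_MBR = build_sample_mbr(INFECTED_CODE)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # recorded at a known-good point in time

if __name__ == "__main__":
    # On a live Linux host the sector would come from: dd if=/dev/sda bs=512 count=1
    print("clean   :", verify_boot_code(CLEAN_MBR, BASELINE))
    print("infected:", verify_boot_code(INFECTED_MBR, BASELINE))
    print("partitions:", parse_mbr(CLEAN_MBR)["partitions"])
```

Two caveats for real use: the baseline must come from a trusted moment (an image taken at provisioning, or the installer's known MBR code), because hashing an already infected sector just enshrines the infection, and on GPT/UEFI disks the MBR is only a protective stub, so the same idea is applied to the boot-loader files on the EFI system partition instead.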

Email Virus

An email virus consists of malicious code that is distributed in email messages, and it can
be activated when a user clicks on a link in an email message, opens an email attachment or
interacts in some other way with the infected email message.

Viruses and other malware distributed by email can wreak all kinds of havoc, including
the following:

· the distribution and execution of ransomware attacks;

· enlisting the victim system into a botnet;

· crashing victim systems;

· providing remote access to victims’ devices;

· theft of personal data or destruction of files on the victim storage media;

· creating unwanted pop-ups; and

· involving the victim system in malvertising (malicious advertising) campaigns

Email viruses often spread by causing the attachment or malicious message to be sent to
everyone in the victim’s address book.

Email viruses can be packaged and presented in a variety of different ways. Some can
easily be spotted as malicious by virtue of subject lines that don’t make sense, suspicious
sender or other header fields and body content that looks off in some way. Other email messages
containing malware can be more difficult for recipients to identify, as they reflect considerable
effort by the malicious actor to make the email message appear to be sent from a trusted and
known sender. This is particularly true for phishing attacks carried out to further business email
compromise attacks.

Email viruses are often connected with phishing attacks, in which hackers send out malicious
email messages that appear to originate from legitimate sources, including the victim's bank,
social media, internet search sites or even friends and co-workers. The attacker's goal in these
cases is to trick users into revealing personal information, such as usernames, full names and
addresses, passwords, Social Security numbers or payment card numbers.

Types of email virus

Email viruses can take many different forms, and malicious actors work tirelessly to improve
their malicious email messages and methods for email hacking, as well as the accompanying
malware.

Email spam, also known as unwanted or unsolicited email, usually spreads malware through
links in the message that lead to phishing websites or other sites hosting malware.

Virus hoax email messages, which contain a false warning about a nonexistent threat,
are considered a form of socially engineered email virus or worm. Virus hoax messages may
instruct the recipient to take some action, including forwarding the warning to all of their contacts.
One variant of the virus hoax email builds on the tech support phone scam, in which a malicious
actor attempts to engage the victim to defraud the victim.

Macro viruses are written in the macro language of another program, most often Microsoft
Word or Microsoft Excel. Macro malware is transmitted through phishing email messages whose
attachments contain the malicious macros.

Spambot programs are programs designed to harvest email addresses to build mailing
lists for sending spam. While spambot programs are not usually distributed through email, they
are instrumental in gathering valid email addresses to be used for the distribution of email
viruses.

9.1.3. Evolution of Virus

Table 9.1 lists the name, type, target, mode of distribution and year of release of
well-known viruses.

Table 9.1 List of Viruses and Year of Distribution

S.No | Name of Virus | Type of Virus | Affects | Mode of distribution / notes | Year of release
1 | Creeper | Self-replicating | Network and remote systems | Copied itself across the network to remote systems; experimental | 1971
2 | Rabbit | Fork bomb | Single computer | Clogs the system and reduces performance | 1974
3 | Elk Cloner | Boot sector | Apple II systems | Spread on floppy disks; first large-scale virus outbreak | 1981
4 | Backdoor | Source code | UNIX OS | Insertion of code into the login command | 1984
5 | Brain | Boot sector | IBM PC, MS-DOS | Infected floppy boot sectors; hid its sectors by marking them bad in the File Allocation Table | 1986
6 | Vienna | File infector | IBM PC platform | Infected .COM files | 1987
7 | Jerusalem | File infector | Executables on infected machines | Triggers every Friday the 13th | 1988
8 | Ping Pong | Boot sector | MS-DOS | Infected floppy boot sectors | 1988
9 | Michelangelo | Boot sector | Hard drives; about 10,000 systems impacted | Triggers on March 6th, the birthday of the Renaissance artist; the hype around it, with panicked reporters in a wild media storm, significantly raised public awareness of computer viruses | 1991
10 | Melissa | Macro virus | Word 97 - 2000 | Resends itself to every entry in the victim's address book | 1999
11 | ILOVEYOU | Email virus | Email systems (shut down email for 45 million users/day) | Carried "I LOVE YOU" in the subject header | 2000
12 | Pikachu | Email attachment (VB 6, pikachupokemon.exe) | Geared at children | "Pikachu is your friend"; restarts the computer | 2000
13 | Anna Kournikova | Email virus | Windows users | Purported to contain pictures of the tennis player but hid malware | 2001
14 | Simile | Metamorphic virus | Windows executables | Written in assembly language; rewrites its own code on each infection | 2002
15 | Cabir | Mobile phone virus | Mobile phones | Noteworthy as the first mobile phone virus | 2004
16 | Koobface | Malware infecting PCs | Social networking users | Propagates via social networking sites; also targeted MySpace and Twitter; rearranging the letters of "Koobface" gives "Facebook" | 2008

9.1.4. Countermeasures

1. Install antivirus software that discovers and eliminates malicious content.

2. Create an antivirus policy for safeguarding computer systems and distribute it across
the organisation.

3. Read the instructions carefully before downloading and installing any program from
the internet.

4. Update the antivirus software regularly so that it knows the latest malware signatures.

5. Avoid opening attachments received from an unidentified source, since email is a
common way of spreading viruses.

6. After installing the antivirus software, schedule regular scans of all drives in the
host system.

7. Accept media devices or files only after scanning them with an up-to-date antivirus
program.

9.2. Worms
The acronym WORM ('write once, read many') describes a data storage device on which
information, once written, cannot be modified; this write protection assures that the data cannot
be tampered with after it is written. That storage term should not be confused with the malware
discussed here. A worm is a malicious program capable of self-replication: it spreads via
networks to remote machines and takes control of them without the knowledge of the user.
Most worms are spread as files: as email attachments, via a link to a web or FTP resource, via
a link sent in an ICQ or IRC message, or via P2P file-sharing networks. Some worms spread as
network packets that directly penetrate the computer's memory, after which the worm code is
activated. Penetration techniques include social engineering, exploiting network vulnerabilities
and configuration errors, and exploiting loopholes in operating system and application security.

9.2.1.Definition

A computer worm is a standalone malware computer program that replicates itself in order
to spread to other computers. Often, it uses a computer network to spread itself, relying on
security failures on the target computer to access it. Worms almost always cause at least some
harm to the network, even if only by consuming bandwidth, whereas viruses almost always
corrupt or modify files on a targeted computer.

Many worms that have been created are designed only to spread, and do not attempt to
change the systems they pass through. However, as the Morris worm and Mydoom showed,
even these “payload-free” worms can cause major disruption by increasing network traffic and
other unintended effects.

On November 2, 1988, Robert Tappan Morris, a Cornell University computer science
graduate student, unleashed what became known as the Morris worm, disrupting a large number
of the computers then on the Internet, guessed at the time to be one tenth of all those connected.
The U.S. Court of Appeals estimated the cost of removing the worm from each installation at
between $200 and $53,000.

An Internet worm is a type of malicious software (malware) that self-replicates and distributes
copies of itself across its network. These independent programs spread through the Internet,
break into computers and replicate without intervention from, and unbeknownst to, computer
users.

Internet worms can take the form of any kind of virus, script or program. They typically
infect systems by exploiting bugs or vulnerabilities that are often found in legitimate software.
Unlike Trojans or viruses, which require user intervention to spread, Internet worms can spread
on their own, which makes them extremely dangerous.

Internet worms are also known as computer worms. They use various techniques to multiply
over the Internet; the earliest worms simply scanned local network drives and folders and
inserted themselves into programs.

9.2.2. Types of Worms

Types of worms include:

· Net – worm

Net-worms propagate through computer networks. The distinguishing feature of this type of
worm is that it does not require any user action in order to spread. It searches for critical
vulnerabilities in software running on networked computers. To infect a computer on the network,
the worm sends a specially crafted network packet (called an exploit), and as a result the worm
code (or part of it) penetrates the victim computer and activates. Sometimes the network packet
contains only the part of the worm code that will download and run a file containing the main
worm module. Some network worms use several exploits simultaneously to spread, thus
increasing the speed at which they find victims.

· P2P worm

P2P-Worms spread via peer-to-peer file-sharing networks (such as Kazaa, Grokster, eDonkey,
FastTrack, Gnutella, etc.). Most of these worms work in a relatively simple way: to get onto a
P2P network, all the worm has to do is copy itself into the file-sharing directory, which is usually
on the local machine. The P2P network does the rest: when a file search is conducted, it informs
remote users of the file and provides the services that make it possible to download the file
from the infected computer. There are also more complex P2P-Worms that imitate the network
protocol of a specific file-sharing system and respond positively to search queries, offering a
copy of the P2P-Worm as a match.

· Email Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an
email message or a link to its file on a network resource (e.g. a URL to an infected file on a
compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened
(launched). In the second case, the code is activated when the link to the infected file is opened.
In both cases the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

· using a direct connection to an SMTP server, with the email directory built into the
worm's code

· using MS Outlook services

· using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected
emails will be sent:

· the address book in MS Outlook

· a WAB address database

· ‘.txt’ files stored on the hard drive: the worm can identify which strings in text files
are email addresses

· emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other
sources of email addresses, such as address books associated with web-based email services.

· IM worm

IM Worms spread via instant messaging systems (such as ICQ, MSN Messenger, AOL
Instant Messenger, Yahoo Pager, Skype, etc.). In order to spread, IM-Worms usually send a
link (URL) to a list of message contacts. The link leads to a network resource where a file
containing the body of the worm has been placed. This tactic is almost exactly the same as that
used by Email-Worms.

· IRC worm

This type of worm spreads via Internet Relay Chat. Like email worms, IRC-Worms have
two ways of spreading via IRC channels. The first involves sending a URL that leads to a copy
of the worm. The second is to send an infected file to an IRC channel user; however, the
recipient has to accept the file, save it to disk and open (launch) it.

9.2.3. Evolution of Worms


Morris Worm

The first active Internet worm that required no human intervention to spread was the
Morris worm released in 1988. It spread very rapidly, infecting all vulnerable machines in a
matter of hours. Most recent active worms use the techniques pioneered by Robert Morris. The
Morris Worm infected multiple types of machines (Sun 3s and VAXes), attacked multiple security
holes (including a buffer overflow in fingerd, debugging routines in Sendmail, and password
cracking), and used multiple streams of execution to improve its throughput when attacking
other machines.

Code Red Worm

Code Red demonstrated how swiftly a relatively simple worm can spread on the current
Internet infrastructure: it effectively achieved complete infection in a little over twelve hours,
even after the aborted early release of a buggy version. Code Red exploited a recently discovered
(but patchable) buffer overflow in Microsoft's Internet Information Server (IIS). It spread far
and fast because IIS was 'on by default' with many versions of Windows NT and 2000. It also
included multithreaded scanning routines that improve throughput and effectively keep it from
being trapped by tarpits (such as LaBrea), which are blocks of IP addresses that attempt to slow
down automated scanning tools by seeming to respond to connection requests while actually
doing nothing.

Code Red 2 ended up being significantly more disruptive than Code Red even though the
change in infection strategy was relatively mild. Instead of searching only randomly selected
addresses, Code Red 2 preferentially probed for machines on the same subnet and nearby
subnets. As a result, once a single machine within a corporate firewall was infected, it would
quickly probe virtually every machine within the firewall, and since it was attacking an on-by-
default service, Code Red 2 quickly infested entire corporate networks.

Nimda

The latest worm of note, Nimda, did not really bring anything new to the table. It simply
resurrected the idea of multimode operation: it was an e-mail worm, it attacked old bugs in
Explorer and Outlook, it spread through Windows shares, and it exploited an old buffer overflow
in IIS. It also borrowed Code Red 2’s preference for logically adjacent IP addresses in its
scanning routines. The net result was a highly virulent, highly effective worm that revealed that
several old bugs can be used even if each hole is patched by most machines: one needs all
patches applied and all vulnerabilities closed to stop a Nimda-like worm. Such a worm is also
somewhat easier to write, as one can use many well-known exploits to get wide distribution
instead of discovering new attacks.
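The subnet-preferring scanning described for Code Red 2 and Nimda leaves a recognizable trace in connection logs: one source fans out to many destinations in a short time, and most of those destinations sit in its own subnet. The following Python is an added example for this lesson, not code from the original text; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Detect worm-style scanning with a local-subnet preference in connection logs.

Added example (not from the lesson). The log format, the sample lines and the
thresholds below are assumptions constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port>", one flow per line.
# 10.20.5.7 behaves like a Code Red 2 / Nimda style scanner; the other hosts are benign.
SAMPLE_LOG = """\
1001 10.20.5.7 10.20.5.8 80
1001 10.20.5.7 10.20.5.9 80
1002 10.20.5.7 10.20.5.10 80
1002 10.20.5.7 10.20.5.11 80
1003 10.20.5.7 10.20.6.4 80
1003 10.20.5.7 10.20.6.5 80
1004 10.20.5.7 10.20.5.12 80
1004 10.20.5.7 10.20.5.13 80
1005 10.20.5.7 10.20.7.2 80
1005 10.20.5.7 10.20.5.14 80
1006 10.20.5.7 203.0.113.9 80
1007 10.20.5.7 10.20.5.15 80
1010 10.20.5.20 10.20.5.1 443
1011 10.20.5.20 10.20.5.1 443
1012 10.20.5.21 198.51.100.7 80
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((int(ts), src, dst, int(port)))
    return records


def scan_report(records, window=10, min_targets=8, prefix=24):
    """For each source, count the distinct destinations contacted within `window`
    seconds of its first connection and how many lie in the source's own /prefix."""
    first_seen = {}
    targets = defaultdict(set)
    for ts, src, dst, _port in records:
        first_seen.setdefault(src, ts)
        if ts - first_seen[src] <= window:
            targets[src].add(dst)
    report = {}
    for src, dsts in targets.items():
        src_net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        local = sum(1 for d in dsts if ipaddress.ip_address(d) in src_net)
        report[src] = {
            "targets": len(dsts),
            "same_subnet": local,
            "local_fraction": round(local / len(dsts), 2),
            "flagged": len(dsts) >= min_targets,
        }
    return report


def flagged_scanners(report):
    """Sources whose fan-out crossed the threshold, most targets first."""
    return sorted((s for s, r in report.items() if r["flagged"]),
                  key=lambda s: -report[s]["targets"])


if __name__ == "__main__":
    rep = scan_report(parse_log(SAMPLE_LOG))
    for src in flagged_scanners(rep):
        r = rep[src]
        print(f"{src}: {r['targets']} targets in window, "
              f"{r['same_subnet']} in own /24 ({r['local_fraction']:.0%})")
```

The fan-out count alone catches any fast scanner; the `local_fraction` is what distinguishes the Code Red 2 / Nimda pattern (a high share of targets in the scanner's own subnet) from a purely random-address scanner, and a high value is also a hint that the source is an already-infected internal host rather than an external probe.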

Warhol

Warhol worms and Flash worms are names for methods that, with various amounts of
preparation, may allow a worm to infect all vulnerable machines in minutes, but they have not
yet been seen in practice. It is questionable whether someone interested in writing a superworm
would need to bother with such techniques, since, although significantly faster, greater speed
may not be necessary.

2000 - ILOVEYOU Worm: Spreading by way of an email sent with the seemingly benign
subject line, “ILOVEYOU,” the worm infected an estimated 50 million computers. Damages
caused major corporations and government bodies, including portions of the Pentagon and
British Parliament, to shut down their email servers. The worm spread globally and cost more
than $5.5 billion in damages.

2003 – SQL Slammer Worm: One of the fastest spreading worms of all time, SQL
Slammer infected nearly 75,000 computers in ten minutes. The worm had a major global effect,
slowing Internet traffic worldwide via denial of service.

2008 – Conficker Worm: A combination of the words “configure” and “ficker”, this
sophisticated worm caused some of the worst damage seen since Slammer appeared in 2003.

9.2.4. Countermeasure
1. Install antivirus software that discovers and eliminates malicious content.

2. Create an anti-virus policy rule for safeguarding computer systems and distribute it
around the organization

3. Provide attention to the instructions before downloading and installing any programs
from the Internet.

4. Update the antivirus software regularly, so that it is aware of the new malware
signatures.

5. Evade opening attachments received from an unidentified source, as they are much
more likely to spread viruses via email.

6. After installing the antivirus software, schedule regular scans for all drives in the
host system.

7. Only accept media devices or files post-scanning with the updated antivirus program.

9.3. Trojan
9.3.1. Definition : Trojans

· A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software.
Trojans can be employed by cyber-thieves and hackers trying to gain access to users’ systems.
Users are typically tricked by some form of social engineering into loading and executing Trojans
on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your
sensitive data, and gain backdoor access to your system. In short, a Trojan horse is a malicious
program that is disguised as or embedded within legitimate software.

· They may look useful or interesting (or at the very least harmless) to an unsuspecting
user, but are actually harmful when executed

These actions can include:

· Deleting data

· Blocking data

· Modifying data

· Copying data

· Disrupting the performance of computers or computer networks

· Denial of Service

Figure 9.1: Actions of a Trojan


 There are two common types of Trojan horses.

 Software that appears to be genuine software but has been corrupted by a cracker
inserting malicious code that executes while the program is used. Examples include
various implementations of weather alerting programs, computer clock setting
software, and peer-to-peer file sharing utilities.

 The other type is a standalone program that masquerades as something else, like
a game or image file, in order to trick the user into some misdirected complicity that
is needed to carry out the program’s objectives.

 Trojan horse programs cannot operate autonomously, in contrast to some other
types of malware, like viruses or worms.

 Trojan programs depend on actions by the intended victims.

 If Trojans replicate and even distribute themselves, each new victim must run the
program/Trojan.

 Their virulence is of a different nature, depending on successful implementation of
social engineering concepts rather than flaws in a computer system’s security design
or configuration.

 Example of a simple Trojan horse: “waterfalls.scr.exe”, claiming to be a free waterfall
screensaver which, when run, instead begins erasing all the files on the victim’s
computer.

Advanced Trojan horse


 An attacker might attach a Trojan horse with an innocent-looking filename to an
email message which entices the recipient into opening the file. It would typically be a
Windows executable program and must have an executable filename extension such as
.exe, .com, .scr, .bat, or .pif. Sometimes the extension might be “masked”, e.g.
‘Readme.txt.exe’.

 With file extensions hidden, the user would only see ‘Readme.txt’ and could mistake
it for a harmless text file.

 Icons can also be chosen to imitate the icon associated with a different and benign
program, or file type.

 When the recipient double clicks the attachment, the Trojan may:

 Superficially do what the user expects it to do (open a text file, for example)

 Keep the victim unaware of its real, concealed objectives

 Discreetly modify or delete files

 Change the configuration of the computer

 Even use the computer as a base to attack the local or other networks

 Possibly join many other similarly infected computers as part of a DDoS

 Trojans are almost always designed to do various harmful things, but could be harmless.
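The masked-extension trick above (‘Readme.txt.exe’ shown as ‘Readme.txt’) is easy to check for on a mail gateway, because the operating system only ever acts on the last extension. The Python below is an added example for this lesson, not code from the original text; the list of decoy extensions and the sample attachment names are constructed assumptions, while the executable extensions are the ones the lesson lists.

```python
"""Flag e-mail attachment names that carry an executable or masked extension.

Added example (not from the lesson). The decoy-extension list and the sample
names are assumptions constructed for illustration.
"""
import os

# Executable extensions named in the lesson for Windows attachments.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".pif"}
# Harmless-looking extensions commonly placed before the real one (assumption).
DECOY_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx"}


def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'ok', 'executable' or 'masked'.

    The check looks at the *last* extension, which is what the OS executes,
    regardless of what the file browser shows when extensions are hidden.
    """
    # Lower-case and drop all whitespace so 'photo.jpg      .exe' is not missed.
    compact = "".join(filename.lower().split())
    root, ext = os.path.splitext(compact)
    if ext not in EXECUTABLE_EXTENSIONS:
        return "ok", f"final extension {ext!r} is not executable"
    _, inner = os.path.splitext(root)
    if inner in DECOY_EXTENSIONS:
        return "masked", f"executable {ext} hidden behind decoy {inner}"
    return "executable", f"executable extension {ext}"


def suspicious_attachments(filenames):
    """Filter a list of attachment names down to the ones worth quarantining."""
    results = []
    for name in filenames:
        verdict, reason = classify_attachment(name)
        if verdict != "ok":
            results.append((name, verdict, reason))
    return results


if __name__ == "__main__":
    # Constructed attachment names; the first two are the lesson's own examples.
    for item in suspicious_attachments(["Readme.txt.exe", "waterfalls.scr.exe",
                                        "holiday.JPG      .exe", "report.pdf",
                                        "invoice.PIF"]):
        print(item)
```

Note that the check deliberately ignores the icon and the middle part of the name, since both are under the attacker's control; only the trailing extension determines what Windows will run. A mail filter built on this would normally quarantine every 'executable' and 'masked' verdict rather than trying to judge the inner name.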



The seven main types of Trojan horses are:


 Remote Access Trojans

 Data Sending Trojans

 Destructive Trojans

 Proxy Trojans

 FTP Trojans

 Security software disabler Trojans

 Denial-of-service attack (DoS) Trojans

Actions performed by Trojans


 Erasing or overwriting data on a computer.

 Encrypting files in a cryptoviral extortion attack.

 Corrupting files in a subtle way.

 Upload and download files.

 Allowing remote access to the victim’s computer. This is called a RAT (remote
administration tool).

 Spreading other malware, such as viruses (in this case the Trojan horse is called a
‘dropper’ or ‘vector’).

 Setting up networks of zombie computers in order to launch DDoS attacks and send
spam

 Spying on the user of a computer and covertly reporting data like browsing habits to
other people

 Make screenshots.

 Logging keystrokes to steal information such as passwords and credit card numbers
(key logger)

 Phish for bank or other account details, which can be used for criminal activities.

 Installing a backdoor on a computer system.

 Opening and closing the CD-ROM tray.

 Harvest e-mail addresses and use them for spam

 Restarts the computer whenever the infected program is started

“Time bombs” activate on particular dates and/or times.

“Logic bombs” activate on certain conditions met by the computer

Methods of infection
 user was tricked into running an infected program

 unexpected attachments on emails

 Instant Message, downloaded from a Web site or by FTP

 delivered on a CD or floppy disk (physical access)

 Websites

 Email

 Open ports

 Computers running their own servers (HTTP, FTP, or SMTP)

 Windows file sharing

 running programs that provide file-sharing capabilities such as Instant Messengers
(AOL, Win Messenger)

A firewall may be used to limit access to open ports. Firewalls are:

 widely used in practice

 helpful in mitigating the problem of remote Trojan insertion via open ports

 not a totally impenetrable solution, either.

Famous Trojans
 Back Orifice

 Back Orifice 2000

 NetBus

 SubSeven

 Downloader-EV

Mode of Transmission
· E-Mail Attachments

· Internet Relay Chat (IRC)

· I Seek You (ICQ)

· Physical Access

· NETBIOS (File Sharing)

· Un-trusted Sites and Freeware Software

Wrappers

· How does an attacker implant any Trojan on the victim’s computer?

· The answer is through wrappers.

· Wrappers are a type of software “glueware” that is used to attach together other
software components.

Unlike computer viruses and worms, Trojans are not able to self-replicate.

9.3.2. Types of Trojans

Trojans are classified according to the type of actions that they can perform on your
computer:

Backdoor

A backdoor Trojan gives malicious users remote control over the infected computer. They
enable the author to do anything they wish on the infected computer – including sending,
receiving, launching and deleting files, displaying data and rebooting the computer. Backdoor
Trojans are often used to unite a group of victim computers to form a botnet or zombie network
that can be used for criminal purposes.

Exploit

Exploits are programs that contain data or code that takes advantage of a vulnerability
within application software that’s running on your computer.

Rootkit

Rootkits are designed to conceal certain objects or activities in your system. Often their
main purpose is to prevent malicious programs being detected – in order to extend the period in
which programs can run on an infected computer.

Trojan-Banker

Trojan-Banker programs are designed to steal your account data for online banking
systems, e-payment systems and credit or debit cards.

Trojan-DDoS

These programs conduct DoS (Denial of Service) attacks against a targeted web address.
By sending multiple requests – from your computer and several other infected computers – the
attack can overwhelm the target address leading to a denial of service.

Trojan-Downloader

Trojan-Downloaders can download and install new versions of malicious programs onto
your computer – including Trojans and adware.

Trojan-Dropper

These programs are used by hackers in order to install Trojans and / or viruses – or to
prevent the detection of malicious programs. Not all antivirus programs are capable of scanning
all of the components inside this type of Trojan.

Trojan-FakeAV

Trojan-FakeAV programs simulate the activity of antivirus software. They are designed to
extort money from you – in return for the detection and removal of threats… even though the
threats that they report are actually non-existent.

Trojan-GameThief

This type of program steals user account information from online gamers.

Trojan-IM

Trojan-IM programs steal your logins and passwords for instant messaging programs –
such as ICQ, MSN Messenger, AOL Instant Messenger, Yahoo Pager, Skype and many more.

Trojan-Ransom

This type of Trojan can modify data on your computer – so that your computer doesn’t run
correctly or you can no longer use specific data. The criminal will only restore your computer’s
performance or unblock your data, after you have paid them the ransom money that they demand.

Trojan-SMS

These programs can cost you money – by sending text messages from your mobile
device to premium rate phone numbers.

Trojan-Spy

Trojan-Spy programs can spy on how you’re using your computer – for example, by
tracking the data you enter via your keyboard, taking screen shots or getting a list of running
applications.

Trojan-Mailfinder

These programs can harvest email addresses from your computer.

Other types of Trojans include:

o Trojan-ArcBomb

o Trojan-Clicker

o Trojan-Notifier

o Trojan-Proxy

o Trojan-PSW

Figure 9.3: Types of Trojans

Trojans are also classified as Keyloggers, hardware based, remote access, password
stealing, destructive and resource stealing Trojans based on their functionality.

Countermeasures

By installing effective anti-malware software, you can defend your devices – including
PCs, laptops, Macs, tablets and smartphones – against Trojans. A rigorous anti-malware solution
– such as Kaspersky Anti-Virus – will detect and prevent Trojan attacks on your PC, while
Kaspersky Mobile Security can deliver world-class virus protection for Android smartphones.
Kaspersky Lab has anti-malware products that defend the following devices against Trojans:

· Windows PCs

· Linux computers

· Apple Macs

· Smartphones

· Tablets

Summary
· A computer virus is a malicious code that replicates by copying itself to another
program, computer boot sector or document and changes how a computer works.

· A computer worm is a standalone malware computer program that replicates itself
in order to spread to other computers.

· A Trojan horse or Trojan is a type of malware that is often disguised as legitimate
software. Trojans can be employed by cyber-thieves and hackers trying to gain
access to users’ systems. Users are typically tricked by some form of social
engineering into loading and executing Trojans on their systems.

Check your answers


1. A ………………………………….. is a malicious code that replicates by copying itself
to another program, computer boot sector or document and changes how a computer
works.

2. A …………………………….. is a standalone malware computer program that
replicates itself in order to spread to other computers.

3. A …………………………….. is a type of malware that is often disguised as legitimate
software.


LESSON - 10
ROOTKIT & BOTNETS
Learning Objectives:

After reading this lesson you will be able to know about

 Rootkit

 Symptoms of rootkit

 Types of Rootkit

o Kernel rootkit

o Firmware rootkit

o Application rootkit

o Memory rootkit

o Bootkit rootkit

o Persistent rootkit

o Library rootkits

o Countermeasures

 Botnets

o Botnet architecture

o Notable botnets

o Types of attacks

o Countermeasures

Structure
10. Rootkit

10.1. Symptoms of rootkit

10.2. Types of Rootkit

10.2.1. Kernel rootkit



10.2.2. Firmware rootkit

10.2.3. Application rootkit

10.2.4. Memory rootkit

10.2.5. Bootkit rootkit

10.2.6. Persistent rootkit

10.2.7. Library rootkit

10.2.8. Countermeasures

10.3. Botnets

10.3.1. Botnet architecture

10.3.2. Notable botnets

10.3.3. Types of attacks

10.3.4. Countermeasures

10. Rootkit
A rootkit is a clandestine computer program designed to provide continued privileged
access to a computer while actively hiding its presence. The term rootkit is a combination of the
two words “root” and “kit.” Originally, a rootkit was a collection of tools that enabled administrator-
level access to a computer or network. Root refers to the administrator account on UNIX and Linux
systems, and kit refers to the software components that implement the tool. Today rootkits are
generally associated with malware – such as Trojans, worms, viruses – that conceal their
existence and actions from users and other system processes.

A rootkit allows someone to maintain command and control over a computer without the
computer user/owner knowing about it. Once a root kit has been installed, the controller of the
rootkit has the ability to remotely execute files and change system configurations on the host
machine. A rootkit on an infected computer can also access log files and spy on the legitimate
computer owner’s usage.

10.1. Symptoms of rootkit infection

One of the primary objectives of a rootkit is to avoid detection in order to remain installed
and accessible on the victim system, so rootkit developers aim to keep their malware
undetectable, which means there may not be many detectable symptoms that flag a rootkit
infection.

One common symptom of a rootkit infection is that antimalware protection stops working.
An antimalware application that just stops running indicates that there is an active rootkit infection.

Another symptom of a rootkit infection can be observed when Windows settings change
independently, without any apparent action by the user. Other unusual behavior, such as
background images changing or disappearing in the lock screen or pinned items changing on
the taskbar, could also indicate a rootkit infection.

Finally, unusually slow performance or high CPU usage and browser redirects may also
indicate the presence of a rootkit infection.

Just like other types of malware, rootkit infections are usually accompanied by some
typical signs, which include antivirus ceasing to function, Windows Settings changing
independently, and background images changing or items pinned to the taskbar disappearing
for no reason. It is also important to check for slow system performance. All of these are usually
indicative of a rootkit infection.

10.2. Types of Rootkits

Some of the most popular rootkits include:

10.2.1. Kernel Rootkit: these are rootkits which operate at the kernel level (the core of
the operating system) and have a serious effect on the system. These rootkits are usually
difficult to detect since they operate in the kernel, meaning they have the same privileges as
the operating system itself.

10.2.2. Firmware Rootkit: these rootkits infect the firmware of devices such as network
devices. They are loaded whenever the machine boots and remain available for as long as the
device is in use. This type too is hard to detect.

10.2.3. Application Rootkit: these rootkits operate at the application level. That is, they
don’t infect the kernel but the application files inside your computer. These usually replace the
applications files (which they are trying to infect) with the rootkit files or change the behavior of
the application by injecting code.

10.2.4. Memory Rootkit: these rootkits usually hide themselves and operate from the
computer’s memory. That is RAM (Random Access Memory).

10.2.5. Boot kit Rootkits: These rootkits – also known as Boot Loader Level kits – infect
the legitimate boot loader of your system with the respective rootkit, so that they get activated
whenever the operating system is started. Obviously, these rootkits too pose a serious threat to
your system.

10.2.6. Persistent Rootkits: Another rootkit which starts up and stays active until the
system is shut down. What’s more is the fact that this rootkit has the ability to restart the system
processes.

10.2.7. Library Rootkits: As the name suggests, these rootkits affect the ‘library files’ in
your computer (system libraries), for example Windows DLLs. Similar to other rootkits, these too
intercept specific files and replace them with their own code.
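Because application and library rootkits work by replacing files on disk, the classic defensive check is a file-integrity baseline: hash the system libraries while the machine is known clean, and later compare. The Python below is an added example for this lesson, not code from the original text; the directory layout, file names and contents are constructed in a temporary directory so the block runs offline.

```python
"""Spot library files replaced or added since a trusted baseline was taken.

Added example (not from the lesson). File names, contents and the temporary
directory layout are constructed for illustration.
"""
import hashlib
import os
import tempfile

LIBRARY_SUFFIXES = (".dll", ".so")


def sha256_file(path):
    """Stream a file through SHA-256 so large libraries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory, suffixes=LIBRARY_SUFFIXES):
    """Map each library-like file (relative POSIX path) under `directory` to its hash."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, directory).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def verify(directory, baseline, suffixes=LIBRARY_SUFFIXES):
    """Compare the directory's current state with a previously stored baseline."""
    current = build_baseline(directory, suffixes)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate a library rootkit
    overwriting one DLL and dropping a new one, and report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        libdir = os.path.join(tmp, "system32")
        os.makedirs(libdir)
        for name, data in (("kernel_demo.dll", b"legitimate code v1"),
                           ("net_demo.dll", b"legitimate network code")):
            with open(os.path.join(libdir, name), "wb") as handle:
                handle.write(data)
        baseline = build_baseline(tmp)
        with open(os.path.join(libdir, "kernel_demo.dll"), "wb") as handle:
            handle.write(b"hooked code")  # simulated replaced library
        with open(os.path.join(libdir, "hook_demo.dll"), "wb") as handle:
            handle.write(b"new code")  # simulated dropped library
        return verify(tmp, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the infected machine cannot rewrite, and the comparison is only trustworthy when run from a clean environment (for example from rescue media): the lesson's own point about kernel rootkits running with operating-system privileges means that a kernel-level rootkit could feed the verifier the original file contents while a hooked copy is what actually loads.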

10.2.8. Countermeasures

Antivirus software which comes equipped with impressive security features is easily the best
antivirus software in the IT security market. It is effective in preventing not just rootkit infections
but the entire gamut of malware types like adware, Trojans, keyloggers, ransomware and more.
Moreover, it is pretty effective against zero-day threats as well, all because of the patented
‘Default Deny Approach’ implemented via its Containment technology.

Default Deny Approach: Technology which ensures all files or applications are denied
entry into your PC(s) by default, whether they are known good (white listed ones), known bad
(blacklisted ones) or unknown (not identified or encountered so far), until they prove themselves
to be harmless.

Host Intrusion Protection System (HIPS): Antivirus also ships with a default HIPS rule-
set which offers protection to your PC(s). HIPS protects system-critical files or folders from
malware infections by enforcing a set of security rules that offer high levels of protection. The
HIPS rule-set is highly customizable.

Virus monitors: this technology basically monitors all the processes running on computer
and alerts when a process behaves abnormally or has gone rogue (indications of malware
infection). Using such monitors users can potentially reverse or undo such undesirable processes.

Other crucial security features like protection against file-less malware, rescue disk,
protection against Man-in-the-Middle (MITM) attacks and much more.

Rootkits may be troublesome and persistent, but in the end they are just programs like
many other types of malware. Infection takes place only after the malicious program that carries
the rootkit.

Here are some basic steps that should be followed to avoid becoming infected with a rootkit
in the first place, and thus avoid the painful and time-consuming steps needed to remove one.

Phishing is one of the most frequently used methods to infect people with malware. The
malicious hackers simply spam a huge email list with messages designed to trick you into
clicking a link or opening an attachment. The fake message can be anything really, from a
Nigerian prince asking for help to retrieve his gold, to really well-crafted ones such as fake
messages from Google. The attachment can be anything, such as a Word or Excel document,
a regular .exe program or an infected JPEG.

Outdated software is one of the biggest sources of malware infection. Like any human
creation, software programs are imperfect by design, meaning they come with many bugs and
vulnerabilities that allow a malicious hacker to exploit them. For this reason, keeping one’s
software up to date at all times is one of the best practices to stay safe on the Internet and
prevent a malicious hacker from causing a malware infection.

Antivirus software hasn’t had a good time lately. Many of the more recent so called “second
generation malware” come with many defensive measures such as obfuscation that prevents
or makes detection difficult. Despite this however, an antivirus still brings real value to the fight
on malware.

Traffic filtering - One major flaw of antivirus is that the malware has to effectively touch
your PC before the antivirus becomes useful. Traffic filtering software, on the other hand, scans
inbound and outbound traffic to make sure no malware program is about to land on the computer,
and prevents private and confidential information from leaking to any suspicious receivers.

10.3. Botnet
The term botnet is derived from the words robot and network. A bot in this case is a device
infected by malware, which then becomes part of a network, or net, of infected devices controlled
by a single attacker or attack group.

A botnet is a collection of internet-connected devices, which may include PCs, servers,
mobile devices and internet of things devices, that are infected and controlled by a common
type of malware. Users are often unaware of a botnet infecting their system.

Figure 10.1: Botnet Infection

Infected devices are controlled remotely by threat actors, often cybercriminals, and are
used for specific functions, so the malicious operations stay hidden to the user. Botnets are
commonly used to send email spam, engage in click fraud campaigns and generate malicious
traffic for distributed denial-of-service attacks. This is illustrated in figure 10.1.

The botnet malware typically looks for vulnerable devices across the internet, rather than
targeting specific individuals, companies or industries. The objective for creating a botnet is to
infect as many connected devices as possible, and to use the computing power and resources
of those devices for automated tasks that generally remain hidden to the users of the devices.

For example, a malicious botnet that infects a user’s PC will take over the system’s web
browsers to divert fraudulent traffic to certain online advertisements. However, to stay concealed,
the botnet won’t take complete control of the web browsers, which would alert the user. Instead,
the botnet may use a small portion of the browser’s processes, often running in the background,
to send a barely noticeable amount of traffic from the infected device to the targeted ads.

On its own, that fraction of bandwidth taken from an individual device won’t offer much to
the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of
devices will be able to generate a massive amount of fake traffic for ad fraud, while also avoiding
detection by the individuals using the devices.

10.3.1. Botnet architecture

Botnet infections are usually spread through malware, such as a Trojan horse. Botnet
malware is typically designed to automatically scan systems and devices for common
vulnerabilities that haven’t been patched, in hopes of infecting as many devices as possible.
Botnet malware may also scan for ineffective or outdated security products, such as firewalls
or antivirus software.

Once the desired number of devices is infected, attackers can control the bots using two
different approaches. The traditional client/server approach involves setting up a command-
and-control (C&C) server and sending automated commands to infected botnet clients through
a communications protocol, such as internet relay chat (IRC). The bots are often programmed
to remain dormant and await commands from the C&C server before initiating any malicious
activities. The same is illustrated in figure 10.2.

Figure 10.2: Botnet Architecture

The other approach to controlling infected bots involves a peer-to-peer network. Instead
of using C&C servers, a peer-to-peer botnet relies on a decentralized approach. Infected devices
may be programmed to scan for malicious websites, or even for other devices in the same
botnet. The bots can then share updated commands or the latest versions of the botnet malware.

The peer-to-peer approach is more common today, as cybercriminals and hacker groups
try to avoid detection by cybersecurity vendors and law enforcement agencies, which have
often used C&C communications as a way to monitor for, locate and disrupt botnet operations.
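The client/server model described above has a detectable side effect: a dormant bot that "awaits commands" typically polls its C&C server on a fixed timer, so the same source contacts the same destination at nearly constant intervals. The Python below is an added example for this lesson, not code from the original text; the flow records, addresses and thresholds are constructed assumptions. It uses the IRC port the lesson mentions for the sample bot, but the method is independent of the protocol.

```python
"""Find hosts that contact the same server on a fixed timer (C&C beaconing).

Added example (not from the lesson). The flow records, IP addresses and
thresholds are constructed assumptions.
"""
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 polls an IRC-style server every 60 s; 10.0.0.6 browses irregularly;
# 10.0.0.7 is regular but has too few connections to judge.
SAMPLE_FLOWS = (
    [(t, "10.0.0.5", "198.51.100.23", 6667) for t in range(0, 600, 60)]
    + [(t, "10.0.0.6", "93.184.216.34", 443) for t in (5, 12, 130, 131, 400, 404, 590)]
    + [(t, "10.0.0.7", "203.0.113.5", 80) for t in (0, 30, 60)]
)


def beacon_candidates(flows, min_connections=6, max_cv=0.2):
    """Return (src, dst, port, connections, mean_interval, cv) tuples for pairs
    whose inter-connection intervals are nearly constant.

    cv is the coefficient of variation (standard deviation / mean) of the
    intervals; a timer-driven poll has a cv close to 0, human browsing does not.
    """
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    candidates = []
    for (src, dst, port), stamps in times.items():
        if len(stamps) < min_connections:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = sum(intervals) / len(intervals)
        if mean <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            candidates.append((src, dst, port, len(stamps), round(mean, 1), round(cv, 3)))
    return sorted(candidates)


if __name__ == "__main__":
    for src, dst, port, n, mean, cv in beacon_candidates(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}: {n} connections every ~{mean}s (cv={cv})")
```

Real bots often add random jitter to the interval, which is why the check tolerates a small coefficient of variation rather than demanding identical gaps; raising `max_cv` trades false negatives for false positives, and legitimate periodic traffic (NTP, update checks, monitoring agents) has to be allow-listed by destination.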

10.3.2. Notable botnet attacks


Zeus

The Zeus malware, first detected in 2007, is one of the best-known and widely used
malware types in the history of information security.

Zeus uses a Trojan horse program to infect vulnerable devices and systems, and variants
of this malware have been used for various purposes over the years, including to spread Crypto
Locker ransomware.

Srizbi

The Srizbi botnet, which was first discovered in 2007, was, for a time, the largest botnet
in the world. Srizbi, also known as the Ron Paul spam botnet, was responsible for a massive
amount of email spam — as much as 60 billion messages a day, accounting for roughly half of
all email spam on the internet at the time. In 2007, the Srizbi botnet was used to send out
political spam emails promoting then-U.S. Presidential candidate Ron Paul.

Gameover Zeus

Approximately a year after the original Zeus botnet was disrupted, a new version of the
Zeus malware emerged, known as Gameover Zeus.

Instead of relying on a traditional, centralized C&C operation to control bots, Gameover
Zeus used a peer-to-peer network approach, which initially made the botnet harder for law
enforcement and security vendors to pinpoint and disrupt. Infected bots used a domain
generation algorithm (DGA) to communicate.

Methbot

An extensive cybercrime operation and ad fraud botnet known as Methbot was revealed
in 2016 by cybersecurity services company White Ops. According to security researchers,
Methbot was generating between $3 million and $5 million in fraudulent ad revenue daily last
year by producing fraudulent clicks for online ads, as well as fake views of video advertisements.

Mirai

Several powerful, record-setting distributed denial-of-service (DDoS) attacks were observed
in late 2016, and they were later traced to a new brand of malware known as Mirai. The DDoS
traffic was produced by a variety of connected devices, such as wireless routers and CCTV
cameras.

10.3.3. Types of Attacks


Denial of Service Attacks

A botnet can be used as a distributed denial of service weapon. A botnet attacks a network
or a computer system for the purpose of disrupting service through the loss of connectivity or
consumption of the victim network’s bandwidth and overloading of the resources of the victim’s
computer system. Botnet attacks are also used to damage or take down a competitor’s website.

Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites
behind an ever-changing network of compromised hosts acting as proxies.
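Fast flux is visible from the resolver side: the same name keeps answering with very short TTLs and a large, constantly changing set of addresses spread across unrelated networks. The Python below is an added example for this lesson, not code from the original text; the domain names, addresses, TTLs and thresholds are constructed assumptions. It also includes a low-TTL CDN-style name to show why TTL alone is not enough to call a name fluxing.

```python
"""Score DNS names for fast-flux behaviour from repeated lookups.

Added example (not from the lesson). Domain names, addresses, TTLs and
thresholds are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed lookups: (domain, ttl_seconds, answers). Each tuple is one query result.
# update-login.example rotates through many addresses in many networks (flux pattern);
# cdn.example has a low TTL but a small, stable pool; static.example never changes.
SAMPLE_LOOKUPS = [
    ("update-login.example", 120, ["10.1.5.2", "10.2.7.9", "10.3.1.4", "10.4.8.8", "10.5.3.3"]),
    ("update-login.example", 120, ["10.6.5.2", "10.7.7.9", "10.8.1.4", "10.9.8.8", "10.10.3.3"]),
    ("update-login.example", 120, ["10.11.5.2", "10.12.7.9", "10.1.5.2", "10.13.8.8", "10.14.3.3"]),
    ("cdn.example", 60, ["10.50.1.1", "10.50.1.2", "10.50.1.3", "10.50.1.4"]),
    ("cdn.example", 60, ["10.50.1.2", "10.50.1.3", "10.50.1.4", "10.50.1.1"]),
    ("cdn.example", 60, ["10.50.1.3", "10.50.1.4", "10.50.1.1", "10.50.1.2"]),
    ("static.example", 86400, ["10.60.2.2"]),
]


def fast_flux_report(lookups, max_ttl=300, min_ips=10, min_networks=5, prefix=16):
    """Aggregate repeated lookups per domain and flag names that combine a short
    TTL with many distinct addresses spread over many /prefix networks."""
    per_domain = defaultdict(lambda: {"lookups": 0, "min_ttl": None, "ips": set()})
    for domain, ttl, answers in lookups:
        entry = per_domain[domain]
        entry["lookups"] += 1
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
        entry["ips"].update(answers)
    report = {}
    for domain, entry in per_domain.items():
        # A /16 is a crude stand-in for "different network"; production tooling
        # would map addresses to ASNs instead (assumption for this example).
        networks = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in entry["ips"]}
        report[domain] = {
            "lookups": entry["lookups"],
            "min_ttl": entry["min_ttl"],
            "distinct_ips": len(entry["ips"]),
            "distinct_networks": len(networks),
            "flagged": (entry["min_ttl"] <= max_ttl
                        and len(entry["ips"]) >= min_ips
                        and len(networks) >= min_networks),
        }
    return report


def flagged_domains(report):
    """Names that met every fast-flux criterion, in sorted order."""
    return sorted(d for d, r in report.items() if r["flagged"])


if __name__ == "__main__":
    rep = fast_flux_report(SAMPLE_LOOKUPS)
    for domain in flagged_domains(rep):
        r = rep[domain]
        print(f"{domain}: ttl<={r['min_ttl']}s, {r['distinct_ips']} addresses "
              f"across {r['distinct_networks']} networks over {r['lookups']} lookups")
```

The three criteria are deliberately combined: a CDN also answers with low TTLs and several addresses, but its pool is small and sits in its own network, while a flux network made of compromised home hosts scatters across many unrelated prefixes. Passive DNS data collected over days makes the distinct-address count far more telling than the handful of lookups used here.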

Any Internet service can be targeted by botnets. This can be done by flooding the
website with recursive HTTP or bulletin-board search queries. This mode of attack, in which
higher-level protocols are utilized to increase the effects of an attack, is also termed spidering.

Spyware

It’s software which sends information to its creators about a user’s activities – typically
passwords, credit card numbers and other information that can be sold on the black market.
Compromised machines that are located within a corporate network can be worth more to the
bot herder, as they can often gain access to confidential information held within that company.
There have been several targeted attacks on large corporations with the aim of stealing sensitive
information, one such example is the Aurora botnet.

Adware: It exists to advertise some commercial entity actively and without the user’s
permission or awareness, for example by replacing banner ads on web pages with those of
another content provider.

Spamming and Traffic Monitoring

A botnet can also be used to take advantage of an infected computer’s TCP/IP’s SOCKS
proxy protocol for networking applications. After compromising a computer, the botnet
commander can use the infected unit (a zombie) in conjunction with other zombies in his botnet
(robot network) to harvest email addresses or to send massive amounts of spam or phishing
emails.

Moreover, a bot can also function as a packet sniffer to find and intercept sensitive data
passing through an infected machine. Typical data that these bots look out for are usernames
and passwords which the botnet commander can use for his personal gain. Data about a
competitor botnet installed in the same unit is also mined so the botnet commander can hijack
this other botnet.

Access number replacement is where the botnet operator replaces the access numbers
of a group of dial-up bots with a victim’s phone number. If enough bots partake in this attack,
the victim is constantly bombarded with phone calls attempting to connect to the internet.
Having very little to defend against this attack, most are forced into changing their phone numbers
(land line, cell phone, etc.).

Key loggers

Encryption software on the victims’ machines can deter most bots from harvesting any real
information. Unfortunately, some bots have adapted to this by installing a keylogger program on
the infected machines. With a keylogger program, the bot owner can use a filtering program to
gather only the key sequences typed before or after interesting keywords like PayPal or Yahoo
mail. This is one of the reasons behind the massive theft of PayPal accounts over the past several
years.

Bots can also be used as agents for mass identity theft. They do this through phishing, i.e.
pretending to be a legitimate company in order to convince the user to submit personal information
and passwords. A link in these phishing emails can also lead to fake PayPal, eBay or other
websites that trick the user into typing in a username and password.

Botnet Spread: Botnets can also be used to spread other botnets in the network. They do
this by convincing the user to download a file, after which the program is executed; the payload
is delivered through FTP, HTTP or email.

Pay-Per-Click Systems Abuse

Botnets can be used for financial gain by automating clicks on a pay-per-click system.
Compromised units can be made to click automatically on a site when a browser is opened.
For this reason, botnets are also used to earn money from Google’s AdSense and other affiliate
programs by using zombies to artificially increase the click counter of an advertisement.

10.3.4. Countermeasures
1. Avoid clicking any suspicious links, not even the ones received from friends, family
or social network buddies. Their accounts might have been compromised, so it is
safer to be patient and ask them what it is all about before rushing to click on the
links.

2. Avoid downloading any attachments.

3. Avoid downloading bogus antivirus software. Avoid online ads telling you that your
computer is infected; these are malware in disguise.

4. Check for updates and do a full, in-depth scan with the antivirus. Sometimes bot
code will deactivate your antivirus.

5. Ensure the firewall is on and set to the maximum security level. This requires all
applications seeking internet access to notify you, enabling you to track incoming
and outgoing traffic.

6. Check for browser updates and updates to other software such as Adobe Flash, Adobe
Reader and Java. These are the most vulnerable applications, and also the most exploited
by cyber criminals to recruit computers into a botnet.

Summary
· A rootkit allows someone to maintain command and control over a computer without
the computer user/owner knowing about it.

· Types of rootkit include Kernel rootkit, Firmware rootkit, Application rootkit, Memory
rootkit, Bootkit rootkit, Persistent rootkit, Library rootkits.

· A botnet is a collection of internet-connected devices, which may include PCs,
servers, mobile devices and internet of things devices, that are infected and controlled
by a common type of malware. Users are often unaware of a botnet infecting their
system.

Check your answers

· A …………….. allows someone to maintain command and control over a computer
without the computer user/owner knowing about it.

· Types of rootkit include ……………….. rootkit, ………….. rootkit, ……………….
rootkit, ………………. rootkit, …………….. rootkit, ……………. rootkit,
……………… rootkits.

· A …………………. is a collection of internet-connected devices, which may include
PCs, servers, mobile devices and internet of things devices that are infected and
controlled by a common type of malware.


LESSON - 11
SPAM
Learning Objectives

After reading this lesson you will be able to learn

· Spam

· Spammers

· Motivation of spammers

· Impact of Spam

· Spam Statistics

· Spam Filters

· Spam Score

· SPIM

· SPIT

Structure
11. Spam

11.1. Spammers

11.2. Motivation of spammers

11.3. Impact of Spam

11.4. Spam Statistics

11.5. Spam Filter

11.6. Spam Score

11.7. SPIM

11.8. Spimmers

11.9. SPIT

11. Spam
Spam messages are the unsolicited commercial mail that fills the inbox. These messages
are unsolicited emails constantly peddling various products and services, for example: earn
easy money, lose weight in 21 days, online casinos, free iPods.

The First Spam Message

The first spam message was the “Green Card” spam sent in 1994 to Usenet groups. This
was sent by a group of lawyers (Canter and Siegel) trying to drum up business. With that the
Pandora’s Box was opened.

What is spam?

Spam is an unsolicited email message or posting, commercial in nature, that is sent to
multiple recipients and does not contain a valid opt-out. Spam is always commercial advertising,
often for dubious products, get-rich-quick schemes, quasi-legal services or pornography. It is
also known as junk mail or unsolicited commercial email (UCE). Spam mails are a big nuisance
worldwide. An email message is classified as spam only if it is unsolicited as well as sent in bulk.
Spam is annoying because the content of the message is applicable to every recipient, making
the personal identity and context of the recipient irrelevant. Spam is all about consent, not
content. Spam has become the bane of the Internet. Examples of spam include the following,
but are not restricted to them:

· Bulk emailing services for sending spam
· Advertisements
· Online casinos, gambling and astrology
· Online social clubs (e.g. dating, matrimony, classmates database)
· Chain letters with forwarding requests
· Pyramid schemes
· Multilevel marketing schemes (MLM)
· Get rich quick, make money fast
· Pre-approved loans, credit cards, credit reports, insurance
· Stock offerings for unknown start-up ventures
· Online job rackets
· Sale of pirated software at cheap prices
· Urban legends
· Quack health products, remedies and online pharmacies
· Phishing links to pornographic sites

11.1 Spammers
Spammers are unscrupulous persons or groups of individuals who send unsolicited bulk
emails to victims. Sometimes spammers also turn computers into zombies using automated
software programs that send bulk emails. Spammers could be individuals, malicious gangs or
e-marketers organized into spamming networks.

11.2 Motivation for spammers

Generally spammers are motivated by the following:

· E-marketing – to sell various unsolicited products and services through the internet.
· Online fraud – pyramid schemes, soliciting personal information like credit card
number, phone number and bank account number for defrauding the recipient out of
his money.
· Malicious intent – to disable the recipient’s email account or server by sending bulk
email messages to paralyze the bandwidth and inbox.
· Bulk mailing of news, information and chain letters.
· Spreading of viruses over the internet is attributed to spam messages. When an
unsuspecting victim opens an email along with its attachment, the virus activates and
unleashes its destructive abilities by causing harm to the computer or network.
It also reads the contact information and mass mails itself to the contacts in the address
book. Recovery requires a lot of effort, time and money. Loss of critical data runs into
billions of dollars. The cost of cleaning up viruses and retrieving critical information is high.
· Spam mails contain undesirable and objectionable content that is not advisable for
the young.
· Advertisement of contraband goods, pirated software and illegal activities are impacts
of spam mails. They aim at conning the victims out of their money and their private
and privileged information.
· Most ISPs have to invest heavily in spam filters on a day-to-day basis, leading to
huge monetary loss of resources, and this necessitates the deployment of technical
personnel to do 24/7 surveillance.

· Anti-spam filters are used to protect the inbox from spam messages and they cost
heavily.

11.3 Impact of spam

· It clogs the inbox and fills up the mail storage space.

· It clogs up bandwidth. Bandwidth is the amount of data that can be transmitted over a
fixed amount of time.

· It slows down transmission and causes Denial of Service (DoS).

· It reduces the availability of the connectivity.

· Recipients are constrained to spend their valuable time and energy in unproductive
tasks like checking, deleting, blocking and reporting spam, resulting in huge
productivity loss for employees in a corporate environment.

Spammers obtain email account information through any one of several modes, such
as breached email IDs, harvesting software, online groups, Usenet, cookies, chat rooms, IRC,
cold calling, online profiles, or hacking the email ID through viruses, worms and Trojans.
Figure 11.1 illustrates the modes through which spammers get the email IDs of victims.

Figure 11.1: How Spammers get your email?

11.4 Spam Statistics

The statistics show the share of global spam volume as a percentage of total e-mail traffic
as of September 2017, sorted by month. As of the most recently reported period, spam messages
accounted for 59.56 percent of e-mail traffic worldwide. In 2016, the United States accounted
for the majority of unsolicited spam e-mails with 12.08 percent of global spam volume. The most
common types of spam e-mail were healthcare and dating spam.

Figure 11.2 Global Spam rate from 2012 to 2017

The statistics show the global email spam rate from 2012 to 2017. In the most recently
observed period, spam accounted for 55% of all email messages, the same as during the
previous year (Fig 11.2 & 11.3).

Figure 11.3 Percentage of email traffic from January 2014 to September 2017

11.5 Spam Filter

A spam filter is a program that is used to detect unsolicited and unwanted email and
prevent those messages from getting to a user’s inbox. Like other types of filtering programs, a
spam filter looks for certain criteria on which it bases its judgments. For example, the simplest and
earliest versions (such as the one available with Microsoft’s Hotmail) can be set to watch for
particular words in the subject line of messages and to exclude these from the user’s inbox.
This method is not especially effective, too often blocking perfectly legitimate messages (these
are called false positives) and letting actual spam through. More sophisticated programs, such
as Bayesian filters or other heuristic filters, attempt to identify spam through suspicious word
patterns or word frequency. Spam filters examine the metadata associated with an email, the
sending IP address, the content and format, and any embedded code.

11.6 Spam Score

To decide whether an email is spam or not, several hundred rules are applied to each email.
Each rule describes some attribute of spam and has a numerical value associated with
it, based on the likelihood that the attribute indicates spam. The resulting combined value is the
spam score for the message. This score is then tested against a sensitivity threshold set by the
individual’s spam filter, and the message is accordingly categorized as spam or as valid email.
Table 11.1 represents the spam scores and their ratings. The ratings range from 5 to 15 for
Low/Medium/High likelihood of being spam.

Table 11.1: Spam Score and Rating
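To make the filtering and scoring procedure of 11.5 and 11.6 concrete, here is an added example (not part of this course material and not taken from any real filter product) of a small rule-based spam scorer in Python: each rule inspects one attribute of a message (subject words, body content and format, sender metadata) and carries a weight, the weights of the rules that fire are added into a score, and the score is compared with a sensitivity threshold. The rule set, weights, threshold bands and the three sample messages are constructed assumptions for illustration; a naive subject-keyword filter is included alongside to show the false positive the text mentions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    """Minimal mail representation: sender, subject, body and a few headers."""
    sender: str
    subject: str
    body: str
    headers: dict = field(default_factory=dict)


# Word patterns drawn from the spam categories listed in the lesson (constructed).
MONEY_PHRASES = re.compile(
    r"\b(earn easy money|get rich quick|make money fast|pre-?approved loans?)\b", re.I)
PHARMA_PHRASES = re.compile(
    r"\b(online pharmacy|lose weight in \d+ days|miracle cure)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def _domain(address):
    """Return the part after '@' (or the whole string if there is none), lowercased."""
    return address.rsplit("@", 1)[-1].lower()


# Rule table: (name, weight, predicate). Weights are assumptions made for this
# example; a production filter tunes them against labelled mail corpora.
RULES = [
    ("subj_money_phrase", 3.0, lambda m: MONEY_PHRASES.search(m.subject) is not None),
    ("body_money_phrase", 2.0, lambda m: MONEY_PHRASES.search(m.body) is not None),
    ("body_pharma_phrase", 3.0, lambda m: PHARMA_PHRASES.search(m.body) is not None),
    ("subj_shouting", 1.5, lambda m: len(m.subject) > 8 and m.subject.isupper()),
    ("many_exclamations", 1.0, lambda m: (m.subject + m.body).count("!") >= 3),
    # Commercial mail (carries links) with no opt-out text: the "valid opt-out" test.
    ("links_no_opt_out", 2.5, lambda m: URL.search(m.body) is not None
                                       and "unsubscribe" not in m.body.lower()),
    # Metadata rules: no Message-ID header, envelope sender domain differs from From.
    ("missing_message_id", 2.0, lambda m: "Message-ID" not in m.headers),
    ("return_path_mismatch", 2.5, lambda m: _domain(m.headers.get("Return-Path", m.sender))
                                           != _domain(m.sender)),
    ("many_links", 1.5, lambda m: len(URL.findall(m.body)) >= 3),
]


def keyword_filter(msg, banned=("money", "free")):
    """The earliest style of filter: block when any banned word appears in the subject."""
    subject = msg.subject.lower()
    return any(word in subject for word in banned)


def spam_score(msg):
    """Apply every rule; return (total score, names of the rules that fired)."""
    total, hits = 0.0, []
    for name, weight, predicate in RULES:
        if predicate(msg):
            total += weight
            hits.append(name)
    return total, hits


def rating(score, threshold=5.0):
    """Map a score to a rating. Bands (5/10/15) follow the Low/Medium/High range
    the lesson quotes; the exact cut-offs are an assumption of this example."""
    if score < threshold:
        return "valid"
    if score < 10.0:
        return "low"
    if score < 15.0:
        return "medium"
    return "high"


def classify(msg, threshold=5.0):
    """Score a message and test it against the sensitivity threshold."""
    score, hits = spam_score(msg)
    return rating(score, threshold), score, hits


# Constructed sample messages (not real mail).
SPAM = Message(
    sender="promo@bulk-mailer.example",
    subject="EARN EASY MONEY NOW!!!",
    body=("Get rich quick! Visit http://a.example http://b.example http://c.example now. "
          "Lose weight in 21 days with our online pharmacy!"),
    headers={"Return-Path": "bounce@relay.invalid"},  # note: no Message-ID at all
)
NEWSLETTER = Message(  # legitimate, but its subject contains a spammy word
    sender="editor@finance-weekly.example",
    subject="Can you make money fast? Our analysts say no",
    body=("In this issue our analysts explain why get-rich schemes fail. "
          "To unsubscribe, reply with STOP. https://finance-weekly.example/issue-42"),
    headers={"Message-ID": "<42@finance-weekly.example>",
             "Return-Path": "editor@finance-weekly.example"},
)
PERSONAL = Message(
    sender="priya@corp.example",
    subject="Minutes of Tuesday's meeting",
    body="Attached are the minutes. Thanks, Priya",
    headers={"Message-ID": "<m1@corp.example>"},
)

if __name__ == "__main__":
    for label, msg in (("spam", SPAM), ("newsletter", NEWSLETTER), ("personal", PERSONAL)):
        print(label, "keyword filter blocks:", keyword_filter(msg), "score:", classify(msg))
```

The newsletter is blocked by the subject-keyword filter (a false positive) but scores 3.0 and passes the combined rules at the default threshold; lowering the threshold to 2.0 turns it into a low-likelihood spam hit, which is the trade-off the sensitivity setting controls.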

11.7 SPIM
SPIM is short for spam over instant messaging. It is a type of spam that targets instant
messaging. It is delivered through an instant messaging system instead of through email.

11.8 Spimmers
Spimmers are individuals or organized networks of individuals who indulge in spimming.
Their motive is financial gain. Instant messaging services such as MSN Messenger, AIM,
ICQ and Yahoo! Messenger are all targets. Users of different public IM systems who use public
profiles are quite likely to receive unsolicited advertising messages from spimmers. Spim messages
usually trick the users with a hyperlink that drives them to a website of the spimmers. Since
spim bypasses anti-virus software and firewalls, it can easily spread viruses and malware.
Spim is perpetrated by bots that harvest IM user names and use IM as the medium of
communication. A bot simulates a human user by sending spam via an instant message. Bots are
robotic automatic programs that simulate human users and send spam messages to a pre-determined
set of IM user names, which are generated randomly or by harvesting from the internet.

11.9 Spam over Internet Telephony (SPIT)

As the name suggests, SPIT is spam over internet telephony. It offers spammers a low-cost
alternative channel for unsolicited advertisement. With a click of a mouse, the individuals who
cause this type of attack accomplish automated mass marketing through automated voice messages.

Summary
· Spam messages are unsolicited messages that fill the inbox.

· Examples of spam messages include but are not limited to bulk emailing,
advertisements, online casinos, gambling and astrology, online social clubs (e.g.
dating, matrimony, classmates database), chain letters with forwarding requests,
pyramid schemes, multilevel marketing schemes (MLM), get rich quick, make money
fast, pre-approved loans, credit cards, credit reports, insurance, stock offerings for
unknown start-up ventures, online job rackets, sale of pirated software at cheap prices,
urban legends, quack health products, remedies and online pharmacies, phishing links
to pornographic sites.

· Spammers are unscrupulous persons or groups of individuals who send unsolicited
bulk emails to victims.

· Motivations for spammers include but are not restricted to e-marketing, online fraud,
malicious intent and chain letters.

· The impact of spam: it clogs the inbox and fills up the mail storage space, clogs
bandwidth, slows down transmission by reducing the availability component of the
information security triad and causes Denial of Service; recipients are constrained to
spend their valuable time and energy in unproductive tasks.

· A spam filter is a program that is used to detect unsolicited and unwanted email and
prevent those messages from getting to a user’s inbox.

· A spam score is a numerical value based on the likelihood that the attributes of a
message indicate spam.

Check your answers

1. ......................................................... are unsolicited messages that fill the inbox.

2. ................................................................, ..........................................................,
..................................... are examples of spam messages.

3. ................................ are ................................... persons or groups of individuals who
send unsolicited bulk emails to victims.

4. Motivations for spammers include but are not restricted to ...........................,
..........................., ........................ , ...................................... letters.

5. Impact of spam: ............................. the inbox and fills up the mail storage space,
clogs bandwidth, slows down transmission by reducing the availability component
of the information security triad and causes.

6. Unsolicited messages in instant messaging are called
..................................................................

7. .................................................. is unsolicited messages over internet telephony.

8. A ............... is a program that is used to detect unsolicited and unwanted email and
prevent those messages from getting to a user’s inbox.

9. ................................. has some numerical value associated with it, based on the
likelihood that the attribute is spam.


LESSON - 12
SCAMS
Learning Objectives

After reading this lesson you will be able to understand

o Definition of Scams

o Broad classification of scams

o SCAM statistics

Structure
12.1 Scam

12.2 Broad Classification of Scam

12.2.1. Attempts to gain personal information

12.2.2. Buying or selling

12.2.3. Fake charities

12.2.4. Dating and Romance Scams

12.2.5. Investments

12.2.6. Job and employment

12.2.7. Threats and extortion

12.2.8. Unexpected money

12.2.9. Rebate Scams

12.2.10. Cryptojacking

12.3. Scam Statistics

12.4. Summary

12.1. Scams
A scam is a dishonest scheme or fraud that is committed with the aim of swindling money. It
is an illegal trick, usually with the purpose of stealing money from people or evading tax. It may
also be defined as a fraudulent or deceptive act or operation. The internet is littered with scams
such as pop-up ads or email spam ads.

12.2. Broad classification of scams based on their motive

12.2.1. Attempts to gain personal information:

Scammers use all kinds of sneaky or stealthy approaches to steal confidential/personal
information. The stolen identity information can be further used to commit fraudulent activities
such as stealing credit information or opening a bank account.

o Hacking: Occurs when a scammer gains access to personally identifiable information
by using technology to break into computers, networks and mobile devices.

o Identity theft: A type of fraud in which a stolen identity is used to steal money or
gain other benefits.

o Phishing: This type of scam attempts to trick victims into revealing personal
information such as bank account numbers, PINs, passwords and credit card numbers
by redirecting them to fake websites.

o Remote access scams: Remote access scams operate by sending convincing
messages stating that there is a computer or internet problem that one needs to fix.

12.2.2. Buying or selling

· Classified scams: This type of scam tricks online shoppers on classified websites
into thinking that they are dealing with a legitimate contact who is actually a scammer.

· False billing: False billing scams request victims and their businesses to pay fake invoices
for directory listings, advertising, domain name renewals or office supplies that
were never ordered.

· Health & medical products: Health and medical product scams may sell victims
healthcare products at very low prices, giving false promises about cure-all
products, medicines and treatments.

· Mobile premium services: Scammers create SMS competitions or trivia scams to
trick victims into paying extremely high call or text rates when replying to an
unsolicited text message on mobile/smart phones.

· Online shopping scams: Online shopping scams involve scammers pretending to
be legitimate online sellers, either with a fake website, a fake advertisement, or on a
genuine retailer site.

· Over payment: Scammers perform overpayment scams by asking their victims to
refund the amount overpaid for an item that is sold by the victims.

· Psychic and clairvoyant scams: Psychic or clairvoyant scams are designed to trick
victims into giving away their money, usually by offering ‘help’ in exchange for a fee.

12.2.3. Fake charities

Scammers impersonate genuine charities and ask for donations, or contact victims
claiming to collect money after natural disasters or major events. Fake charity scams take
advantage of victims’ generosity and compassion for others in need. Scammers rob victims
of their money by posing as a genuine charity. This also diverts much-needed donations away
from genuine charities. Scammers will either pretend to be agents of legitimate charities or
create their own charity name. Quite often the scammers take advantage of real natural disasters
or emergencies such as flood, cyclone, earthquake, tsunami or fire. They also play on
emotions by claiming to help children who are ill.

12.2.4. Dating and Romance Scams:

Scammers take advantage of people looking for romantic partners, often via dating
websites, apps or social media, by pretending to be prospective companions. They play on
emotional triggers to get victims to provide money, gifts or personal details. Scammers typically
create fake online profiles to lure victims, using fictional names or the false identities of real,
trusted people such as military personnel, aid workers or professionals, and express strong,
emotionally convincing messages over a short period of time through a private channel such
as phone, email or instant messaging.

12.2.5. Investments

Betting & sports investment scams: Scammers convince their victims to invest in foolproof
systems and software that can guarantee profit by betting on sports events and investments.
The scammer will try to sell prediction software promising to accurately predict the results
of sporting events such as cricket, football and horse racing. Software that predicts horse
racing, for instance, claims to make predictions based on weather conditions, the state of
the horse, the draw or the condition of the jockey. The scammers will try to convince their
victims to join “betting syndicates”. Victims are forced to pay a huge sum for joining and to open
a sports betting account. Syndicate members are usually promised a huge profit.

Investment scams: The scammers drive their victims to invest money with the false promise
of a questionable financial opportunity. The scammers target small business operators,
professionals and retired persons with funds to invest, and operate through a business mail, phone
call or letter. The scammer will use technical or financial terms to make the investment appear
legitimate, such as:

o Sports arbitrage
o Sports betting
o Sports wagering
o Sports tipping
o Sports trading

Figure 12.1 illustrates the latest sports scam – spear phishing attacks that occurred
globally.

Figure 12.1: Sports Scam (Source: Kaspersky Labs, 2018)

12.2.6. Job and employment

· Jobs & employment scams: In jobs and employment scams, the scammers trick the
victims by offering them a guaranteed high profile job with little effort. The scammers
contact their victims via phone, email or letter. In order to accept, the victims will be
asked to pay for a starter kit or materials relevant to the job or scheme. Another
job scam requests the victims to share their bank accounts to receive and pass on
payments for a foreign company. A percentage of profit is promised as a commission
for each payment the victims pass on (a kind of money laundering). Those who do this
are called money mules, and it is a criminal offence.

· Pyramid schemes: Pyramid schemes are illegal and very risky, and can end up
costing the victims a lot of money. The operation is called “get-rich-quick”. In a
pyramid scheme the victims have to pay money to join. The scheme relies on
convincing the victims that they will make a profit, for which the victims need to supply
new members endlessly. Pyramid scheme promoters disguise their true purpose
by introducing products that are overpriced, poor quality, difficult to sell or of little
value. The scammers pocket the fees and other payments made by those who join
the scheme. It is against the law to promote or participate in a pyramid scheme.

12.2.7. Threats and extortion

o Malware: Malware scams trick the victims into installing malicious software that allows
the scammers to access the victims’ files and track what they are doing. Scammers use
this information to steal credentials, confidential and personally identifiable
information to commit fraudulent activities. They may further make unauthorized
purchases using the victims’ credit cards, or use their identity to open new accounts or
sometimes illegal businesses under the names of their victims. They may also take out
loans in the names of their victims. Sometimes scammers also share the stolen
information with other criminals.

o Ransomware: It is a malicious program that encrypts systems, files and other critical
information. It demands payment to unlock computers or files.

o Threats to life, arrest or other: In this type of scam, the scammers provoke the
victims into paying a huge sum of money if they do not cooperate. Infected computers display
messages on the victims’ screens convincingly threatening the victims to pay the
ransom. The message carries the following information:
“if you pay the ransom, we give you the key to unlock your computer”. However, there is
no guarantee that the victims’ computer will be unlocked even after paying the ransom.

(source: https://www.scamwatch.gov.au/types-of-scams/unexpected-money)

Hitman scam: This is an example of a life threat scam. The scammer sends a
threatening message scaring individual victims and demanding money.

Figure 12.2: Screenshot of Hitman scam

12.2.8. Unexpected money

o Inheritance scam:

These scams offer the victims the false promise of an inheritance, tricking them into parting
with money or sharing their bank or credit card details. The scammer contacts the victim,
either through phone, email or social networking sites, stating that the victim can claim a large
inheritance from a distant relative or a wealthy benefactor. Generally the scammers pose
as foreign officials, bankers, auditors or lawyers, claiming that the deceased left no other
beneficiaries. Further, scammers may add that the victims are legally entitled to claim
the inheritance.

Figure 12.3: Screen shot of inheritance scam

· Nigerian scam

Nigerian scams involve someone overseas offering a large sum of money or a payment
on condition that the victims help them to transfer money out of their country. While
these scams originated in Nigeria, they now come from all over the world. The scammer will
claim that a large amount of their money is trapped in banks during civil wars, often in countries
currently in the news, or they may hoax about a large inheritance that is difficult to access
because of restrictions or taxes in their country. If the victim responds to such a letter, the scammer
will trick them with the offer of a huge sum of money. These scams are also known as Nigerian 419/
Overpayment scams. The number “419” refers to the section in Nigerian law regarding con
artistry and fraud and is associated with requests for help facilitating the transfer of money. The
sender of the “419” letter or email offers the recipient a commission or share in the profits of a
transfer of money, but will first request the recipient to send money to pay for some of the costs
associated with the transfer. The recipient may be sent a payment and instructed to keep a
portion of the payment, but send the rest on to another individual or business.

Figure 12.4: Example of Nigerian Scam

(Source: http://www.aston.ac.uk/ict/it-security/scams/nigerian/nigerian-example2/)

Figure 12.5: Example of Nigerian 419 Scam

12.2.9. Rebate scams

Rebate scams try to convince the victims that they are entitled to a rebate or reimbursement
from the government, a bank or a trusted organization.

The scammer approaches the victims with a false claim that they are entitled to a
reimbursement or rebate, such as for overpaid taxes, bank fees or some sort of compensation.
The contact may come by mail, telephone, email, text message or social media. They will
pretend to be from the government, a bank or a trusted organisation, and will ask the victims to
make a small initial payment to cover ‘administration fees’ or taxes in order to claim the amount
owed. If victims respond to this kind of email and hand over the money to scammers,
they are sure to lose it and not receive any rebate. If the victims provide their credit card or
banking details, they may find that more is taken out than expected.

Unexpected winnings

· Scratchie scams

Scratchie scams take the form of fake scratchie cards that promise some sort of prize, on
the condition that the ‘winner’ pays a collection fee. Scratchie cards are sometimes used in
promotions, lotteries or competitions, beckoning users to ‘scratch and win an instant prize’, for
example travel or holidays. While some scratchie cards may represent legitimate lotteries or
competitions, you should be extremely suspicious of any scratchie card that requires a payment
to claim a prize. Scratchie scams will offer victims an instant prize, but when the victims contact
the trader to claim it, they will be asked to provide payment for various ‘fees’ via wire transfer or
preloaded money card. The scammer may request bank details and photo identification. In
some rare cases the victims may be asked to travel overseas to collect their winning prize.

Travelling Scam Scratchies Strike again – Tunes Travelling

Recently there has been an escalation in reports to WA ScamNet of a scratchie
card scam. The scam is sent through the mail and, as you can see by the look of the
scratchie card and brochure, it is quite convincing. Consumers are receiving two
scratch cards and a brochure. One scratch card is the winner of the $160000 2nd prize
and the other is just a thank you. On trying to claim the prize, consumers are asked to
pay approximately $5000 to join the club because the prize is only for club members.
The scammers are asking for the money to be sent via wire transfer. The scammers
are also asking for personal information and identification documents.

WA ScamNet is advising consumers to continue to be on the lookout for scam
scratchie cards in their letterbox.

It is advised not to respond to these letters, as any money sent via wire transfer will
be lost and you will not receive any prize money. Do not send any personal
information as it could be used in identity theft scams.

Victims generally think they are a big winner but scammers will ask the victims for
thousands to claim a prize that never arrives.

Figure 12.6: Example of a Scratchie Scam

The scam package includes professional looking brochures, often for
accommodation, which are designed to trick the victims into thinking the competition is
legitimate. It may include contact details for a business overseas and a web address for a
fraudulent but professional-looking website.

The up-front payment requested can be as high as a few thousand dollars. If the victims
pay the money, it is uncertain that they will receive the prize, and the victims will never see their
money again. If the victims provide their personal details, these may be used for further
fraudulent activity such as identity theft.

· Travel prize scams

Travel prize scams are attempts to trick the victims into parting with their money to claim
a ‘reward’ such as a free or discounted holiday.

· Unexpected prize & lottery scams

Unexpected prize and lottery scams work by asking the victims to pay some sort of fee in
order to claim their prize or winnings from a competition or lottery they never entered. In a
lottery promotion scam the victims receive an email claiming that they have won a lottery and
are asked for personal details. The victims may also be asked to pay fees to release the funds,
such as a money release fee, processing fee or currency exchange fee. Individuals are advised
not to become victims by replying to such mails, which are on the lookout for personal details.

Figure 12.7: Example of a lottery promotion scam

· RBI Scam

Sometimes the messages will be sent as an attachment stating that the RBI governor is asking
the victims to furnish their details, as represented in figure 12.8; this is known as the RBI scam.

Figure 12.8: RBI Scam

12.2.10 Cryptojacking scams

Cryptojacking scams have continued to evolve, and they don’t even need the victim to install
anything. Scammers can use malicious code embedded in a website or an ad to infect a
device. The malicious code then uses the device’s processor without the victim’s knowledge. One
might make an unlucky visit to a website that uses cryptojacking code, click a link in a phishing
email, or mistype a web address. Any of those could lead to cryptojacking. While the scammer
cashes out, the victim’s device may slow down, burn through battery power, or crash. One example
is a cryptocurrency mining bot called “Digimine” that spreads via Facebook Messenger on the
desktop version of Google Chrome. South Korea is the first region where the security firm spotted
Digimine, followed by Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela.
The same is illustrated in Figure 12.9.

Figure 12.9: Cryptojacking


(Source: https://fossbytes.com/cryptojacking-bot-digimine-google-chrome-desktop/)

12.3. Scam Statistics


According to scam statistics provided by the Australian government, the scam figures for the
year 2018 up to the month of May are detailed in the graph below. According to this information,
the largest amount lost is due to romance scams, followed by investment scams. Similarly, the
amount lost by gender is also illustrated: 57% of the money was lost by males, about 23% by
females, and the remainder by those recorded under gender X. Further, the most common
delivery method was by phone (44%), followed by email (24%), text messages (16%) and
other methods.

Figure 12.10: Amount lost gender-wise, delivery method and type of scams
(source: https://www.scamwatch.gov.au/types-of-scams)

Summary

Advanced Fee: In advance fee schemes, the perpetrator informs a victim that the victim
has qualified for a large financial loan or has won a large financial award, but must first pay the
perpetrator taxes or fees in order to access the loan or award. The victim pays the advance fee,
but never receives the promised money.

Auction: A fraudulent transaction or exchange that occurs in the context of an online auction site.

Business Email Compromise/Email Account Compromise: BEC is a scam targeting businesses working
with foreign suppliers and/or businesses regularly performing wire transfer payments. EAC is a
similar scam that targets individuals. These sophisticated scams are carried out by fraudsters
compromising email accounts through social engineering or computer intrusion techniques to
conduct unauthorized transfer of funds.

Charity: Perpetrators set up false charities, usually following natural disasters, and profit
from individuals who believe they are making donations to legitimate charitable organizations.
Civil Matter: Civil lawsuits are any disputes formally submitted to a court that are not criminal.

Confidence/Romance Fraud: A perpetrator deceives a victim into believing the perpetrator
and the victim have a trust relationship, whether family, friendly or romantic. As a result of that
belief, the victim is persuaded to send money, personal and financial information, or items of
value to the perpetrator or to launder money on behalf of the perpetrator. Some variations of
this scheme are romance/dating scams or the grandparent’s scam. Other variants of this scheme
are matrimony and marriage scams.

Corporate Data Breach: A leak or spill of business data that is released from a secure
location to an untrusted environment. It may also refer to a data breach within a corporation or
business where sensitive, protected, or confidential data is copied, transmitted, viewed, stolen
or used by an individual unauthorized to do so.

Credit Card: Credit card fraud is a wide-ranging term for fraud committed using a credit
card or any similar payment mechanism as a fraudulent source of funds in a transaction.

Crimes Against Children: Anything related to the exploitation of children, including child
abuse.

Criminal Forums: A medium where criminals exchange ideas and protocols relating to
intrusion.

Denial of Service: An interruption of an authorized user’s access to any system or network,
typically caused with malicious intent.

Employment: An individual believes they are legitimately employed, and loses money or
launders money/items during the course of their employment.

Extortion: Unlawful extraction of money or property through intimidation or undue exercise
of authority. It may include threats of physical harm, criminal prosecution, or public exposure.

Gambling: Online gambling, also known as Internet gambling and iGambling, is a general
term for gambling using the Internet.

Government Impersonation: A government official is impersonated in an attempt to
collect money.

Hacktivist: A computer hacker whose activity is aimed at promoting a social or political
cause.

Harassment/Threats of Violence: Harassment occurs when a perpetrator uses false
accusations or statements of fact to intimidate a victim. Threats of Violence refers to an expression
of an intention to inflict pain, injury, or punishment, which does not refer to the requirement of
payment.

Health Care Related: A scheme attempting to defraud private or government health care
programs, usually involving health care providers, companies, or individuals. Schemes may
include offers for fake insurance cards, health insurance marketplace assistance, stolen health
information, or may involve medications, supplements, weight loss products, or diversion/pill
mill practices. These scams are often initiated through spam email, Internet advertisements,
links in forums or social media, and fraudulent websites.

IPR/Copyright and Counterfeit: The theft and illegal use of others’ ideas, inventions,
and creative expressions, to include everything from trade secrets and proprietary products to
parts to movies, music, and software.

Identity Theft/Account Takeover: Identity theft involves a perpetrator stealing another
person’s personal identifying information, such as name or Social Security number, without
permission to commit fraud. Account Takeover is when a perpetrator obtains account information
to perpetrate fraud on existing accounts.

Investment:

Check your answers


1. The ……………………………… can be further used to commit fraudulent activities
such as stealing credit information or to open a bank account.

2. …………………………… scams request victims and their businesses to pay fake
invoices for directory listings, advertising, domain name renewals or office supplies
that were never ordered.

3. ………………………………… takes advantage of victims’ generosity and
compassion for others in need. Scammers steal victims’ money by posing
as a genuine charity.

4. Scammers take advantage of people looking for …………………….., often via dating
websites, apps or social media, by pretending to be prospective companions.

5. In a ………………………….. scam, scammers convince their victims to invest in
foolproof systems and software that can guarantee profit by betting on sports events
and investments.

6. In a ……………………….. scam, the scammers trick the victims by offering them a
guaranteed high-profile job with little effort, contacting their victims via phone,
email or letter.

7. …………………………….. is a malicious program that encrypts systems, files and
other critical information. It demands payment to unlock computers or files.

8. …………………………….. refers to the section in Nigerian law regarding con artistry
and fraud and is associated with requests for help facilitating the transfer of money.

9. ………………………….. scams try to convince the victims that they are entitled to a
rebate or reimbursement from the government, a bank or a trusted organization.

References

1. https://heimdalsecurity.com/blog/top-online-scams/

2. https://www.scamwatch.gov.au/types-of-scams

3. https://www.scamnet.wa.gov.au/scamnet/Scam_types-Unexpected_winnings-Scratchie_scams-Tunes_Travelling_scratchie_scam.htm

4. https://fossbytes.com/cryptojacking-bot-digimine-google-chrome-desktop/

LESSON - 13
MALWARE, SPYWARE AND RANSOMWARE
Learning Objectives

After reading this lesson you will be able to understand

· Malware

· Brief History of Malware

· The Early Years

· State Sponsored Sophisticated and Profitable

· Anatomy of Stuxnet

· Anatomy of wannacry

o External Reconnaissance

o Internal Reconnaissance

o Target Manipulation

· Mobile Malware

· Spyware

· Adware

· Ransomware

o Encrypting Ransomware

o Locker Ransomware

o Crypto Ransomware

o Notable Ransomware

Structure
13. Malware

13.1. Brief History of Malware

13.2. The Early Years



13.3. State Sponsored Sophisticated and Profitable

13.4. Anatomy of Stuxnet

13.5. Mobile Malware

13.6. Spyware

13.7. Adware

13.8. Ransomware

13.8.1. Encrypting Ransomware

13.8.2. Locker Ransomware

13.8.3. Crypto Ransomware

13.8.4. Notable Ransomware

13.8.5. Anatomy of wannacry

13.8.5.1. External Reconnaissance

13.8.5.2. Internal Reconnaissance

13.8.5.3. Target Manipulation

13 Malware
Malware is any software intentionally designed to cause damage to a computer, server
or computer network. Malware is short for malicious software, meaning software that can be
used to compromise computer functions, steal data, bypass access controls, or otherwise cause
harm to the host computer. Malware is a broad term that refers to a variety of malicious programs
such as viruses, worms, Trojan horses, adware, spyware, bots, bugs and rootkits.

Sony sold music CDs carrying the Sony rootkit, which contained a Trojan horse that
silently installed and concealed itself on purchasers’ computers with the intention of preventing
illicit copying. It also reported on users’ listening habits, and unintentionally created vulnerabilities
that were then exploited by unrelated malware. Sony BMG partially addressed the scandal with
consumer settlements, a recall of about 10% of the affected CDs, and the suspension of CD
copy protection efforts in early 2007.

Malware does the damage after it is implanted or introduced in some way into a target’s
computer and can take the form of executable code, scripts, active content, and other
software. The code is described as computer viruses, worms, Trojan horses, ransomware,
spyware, adware, and scareware, among other terms. Malware has a malicious intent, acting
against the interest of the computer user—and so does not include software that causes
unintentional harm due to some vulnerability, which is typically described as a software bug.

Malware is used by both black hat hackers and governments, to steal personal, financial,
or business information. Malware is sometimes used broadly against government or corporate
websites to steal confidential information, or to disrupt their operation in general. However,
malware can be used against individuals to gain information such as personal identification
numbers or details, bank or credit card numbers, and passwords. Malware by categories is
illustrated in Figure 13.1.

Figure 13.1: Malware by category, 2011

13.1. Brief History of Malware


A brief look at the history of malware shows us that this malicious menace has been with
us since the dawn of computing itself. According to Scientific American, the idea of a computer
virus extends back to 1949, when early computer scientist John von Neumann wrote the “Theory
and Organization of Complicated Automata,” a paper that postulates how a computer program
could reproduce itself. In the 1950s, employees at Bell Labs gave life to von Neumann’s idea
when they created a game called “Core Wars.” In the game, programmers would unleash
software “organisms” that competed for control of the computer.

The earliest documented viruses began to appear in the early 1970s. Historians often
credit the “Creeper Worm,” an experimental self-replicating program written by Bob Thomas at
BBN Technologies, as the first virus. Creeper gained access via the ARPANET and copied itself to
remote systems where it displayed the message: “I’m the creeper, catch me if you can!”

The term “virus” however, wasn’t introduced until the mid-eighties. Fred Cohen, often
considered the father of what we know today as a computer virus, coined the term in 1986. He
defined a “virus” in a single sentence as: “A program that can infect other programs by modifying
them to include a, possibly evolved, version of it.”

From these simple and benign beginnings, a massive and diabolical industry was born.
Today, according to The Anti-Phishing Workgroup, malware has infected one-third of the world’s
computers. The consequences are staggering. Cybersecurity Ventures reports that losses due
to cybercrime, including malware, are anticipated to hit $6 trillion annually by 2021.

13.2. The Early Years


Early malware was primitive, often spreading entirely offline via floppy disks carried from
computer to computer by human hands. As networking and the internet matured, malware
authors were quick to adapt their malicious code and take advantage of the new communication
medium.

13.3. State Sponsored, Sophisticated and Profitable


Since 2010, malware has evolved significantly in sophistication.
Organized crime and state sponsors upped the game dramatically with large, well-
funded development teams. These malicious workgroups continue to evolve today, developing
advanced malware with evasion tactics that outsmart many conventional anti-malware systems.
Infiltrating factories and military systems became a common reality, and the monetization of
malware grew rapidly with dramatic growth in ransomware and other illegal schemes.

Here are some notable varieties of malware that have had a major impact between 2010
and today.

2010 – Stuxnet Worm: Shortly after its release, security analysts openly speculated that
this malicious code was designed with the express purpose of attacking Iran’s nuclear program
and included the ability to impact hardware as well as software. The incredibly sophisticated
worm is believed to be the work of an entire team of developers, making it one of the most
resource-intensive bits of malware created to date.

2011 — Zeus Trojan: Although first detected in 2007, the author of the Zeus Trojan
released the source code to the public in 2011, giving the malware new life. Sometimes called
Zbot, this Trojan has become one of the most successful pieces of botnet software in the world,
impacting millions of machines. It is often used to steal banking information by man-in-the-
browser keystroke logging and form grabbing.

2013 – Cryptolocker: One of many early ransomware programs, Cryptolocker had a
significant impact globally and helped fuel the ransomware era.

2014 – Backoff: Malware designed to compromise Point-of-Sale (POS) systems to steal
credit card data.

2016 – Cerber: One of the heavy-hitters in the ransomware sphere. It’s also one of the
most prolific crypto-malware threats. At one point, Microsoft found more enterprise PCs infected
with Cerber than any other ransomware family.

2017 – WannaCry Ransomware: Exploiting a vulnerability first uncovered by the National
Security Agency, the WannaCry Ransomware brought major computer systems in Russia, China,
the UK, and the US to their knees, locking people out of their data and demanding they pay a
ransom or lose everything. The virus affected at least 150 countries, including hospitals, banks,
telecommunications companies, warehouses, and many other industries.

13.4. Anatomy of Stuxnet


(Source: http://comp590fall2016grp1.web.unc.edu/2016/10/how-stuxnet-works/)

Stuxnet targeted Iranian centrifuges. First, it attacked Microsoft Windows systems and
networks: by repeatedly replicating itself and unpacking an LNK file carrying an executable program,
it attempted to replicate and spread across local networks. Next, it searched for a specific type
of Programmable Logic Controller (PLC) software, Siemens Step7, an industrial control system
made by the German conglomerate Siemens. If it did not encounter Step7 software, Stuxnet
would remain dormant without harming the computer. Step7 software is used to program logic
controllers that automate industrial processes ranging from motor vehicles and industrial
assembly to centrifuges for nuclear energy. Upon encountering Step7 software, Stuxnet
attempted to access the internet to download its newest version, and it was also able to evade
detection by using SSL certificates stolen from validly signed sources. SSL certificates are used to
digitally bind a cryptographic key to a known identity or organization as a form of authentication.
Stuxnet activated its payload only under specific circumstances, which suggests its creators had
access to accurate and sensitive intelligence. The Iranian centrifuges at Natanz were controlled
by PC logic controllers that communicated with processors that routed the commands to the
machines. Frequency converters ensured that the centrifuges spun at the correct speed and
fed log data back to the router. In order for Stuxnet to execute, the targeted computer had to be
connected to an S7-315 Siemens PLC. Each of its six network modules had to be connected to
at least 31 frequency converters, for a total of 155 converters. The design of the Natanz cascade
controlled 160 converters, and the creators of the Stuxnet virus must have known this condition.

Next, the virus lay dormant inside the system for 13 days to confirm that the motors were
running normally, between 807Hz and 1210Hz, and collected this log data. After that period
elapsed, Stuxnet raised the spin rate to 1410Hz for 15 minutes, followed by a sleep of 27 days. This
caused damage to the centrifuges; 1380Hz is a resonance frequency for the centrifuge
enrichment tubes that can cause the tubes to shatter. After that, it slowed the spin rate to 2Hz
for 50 minutes, slept for another 27 days, and repeated this whole process in a loop. In order
to evade detection, Stuxnet retrieved the log files collected during the 13 days of normal
activity and replayed them to the monitoring system to create the false impression that nothing was
amiss.
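An added example (not from the lesson or any Stuxnet source) in Python of the check that the log-replay trick above defeats unless telemetry is verified out of band: it compares the PLC-reported frequency log with an independent sensor feed, flags spin rates outside the 807-1210 Hz band quoted above, and flags exact replays of an earlier log window. The readings, the tolerance and the window length are constructed assumptions.

```python
"""Out-of-band integrity check for centrifuge frequency logs.

Added example, not part of the lesson. It models the behaviour described
above: the real spin rate is driven outside the 807-1210 Hz operating band
(to 1410 Hz, later to 2 Hz) while the PLC-side log replays previously
recorded 'normal' readings. The defence is an independent sensor feed that
is compared against what the PLC reports. All readings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

NORMAL_MIN_HZ = 807.0     # operating band quoted in the lesson
NORMAL_MAX_HZ = 1210.0
TOLERANCE_HZ = 5.0        # hypothetical: max allowed disagreement between feeds
REPLAY_WINDOW = 5         # hypothetical: readings that must repeat verbatim


@dataclass(frozen=True)
class Reading:
    minute: int        # constructed minute index
    plc_hz: float      # frequency the PLC-side log reports to operators
    sensor_hz: float   # frequency measured by an independent sensor


def out_of_band(hz: float) -> bool:
    """True when a measured spin rate lies outside the normal operating band."""
    return hz < NORMAL_MIN_HZ or hz > NORMAL_MAX_HZ


def replayed_windows(values: List[float], window: int = REPLAY_WINDOW) -> List[Tuple[int, int]]:
    """Return (earlier_start, later_start) pairs where a run of `window` PLC
    values repeats an earlier, non-overlapping run exactly. Healthy telemetry
    carries measurement noise, so an exact repeat is suspicious."""
    first_seen: Dict[Tuple[float, ...], int] = {}
    hits: List[Tuple[int, int]] = []
    for i in range(len(values) - window + 1):
        key = tuple(round(v, 1) for v in values[i:i + window])
        if key in first_seen:
            if i - first_seen[key] >= window:
                hits.append((first_seen[key], i))
        else:
            first_seen[key] = i
    return hits


def analyze(readings: List[Reading]) -> Dict[str, list]:
    """Run the three checks and return the minutes (or window pairs) that fire."""
    alerts: Dict[str, list] = {
        "sensor_out_of_band": [],   # independent sensor sees an abnormal rate
        "feeds_disagree": [],       # PLC log and sensor do not match
        "replayed_windows": [],     # PLC log repeats an earlier run verbatim
    }
    for r in readings:
        if out_of_band(r.sensor_hz):
            alerts["sensor_out_of_band"].append(r.minute)
        if abs(r.plc_hz - r.sensor_hz) > TOLERANCE_HZ:
            alerts["feeds_disagree"].append(r.minute)
    alerts["replayed_windows"] = replayed_windows([r.plc_hz for r in readings])
    return alerts


def sample_readings() -> List[Reading]:
    """Constructed telemetry: 10 minutes of genuine steady state, then an
    attack phase where the sensor sees 1410 Hz while the PLC log replays
    the first five recorded minutes."""
    normal = [1063.4, 1064.1, 1063.8, 1064.5, 1063.9,
              1064.2, 1063.7, 1064.0, 1063.6, 1064.3]
    readings = [Reading(m, hz, hz) for m, hz in enumerate(normal)]
    for m in range(10, 15):
        readings.append(Reading(m, normal[m - 10], 1410.0))
    return readings


if __name__ == "__main__":
    for name, hits in analyze(sample_readings()).items():
        print(f"{name}: {hits}")
```

Only the independent sensor reveals the 1410 Hz phase; an operator reading the PLC log alone sees the replayed steady state.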

In the end, Stuxnet was able to successfully penetrate the Natanz nuclear enrichment
plant and evade detection for over a year. The Institute for Science and International Security
states that “It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about
1,000 IR-1 centrifuges out of about 9,000 deployed at the site.”(ISIS 2010) Stuxnet provides an
interesting case study on the impact of computer security in cyberterror and international relations,
and perhaps serves as a call for greater investment in security research and infrastructure.

The steps involved in damaging the Iranian nuclear power plant were:

· Initial infection through USB device

· Searching Industrial Control System



· Updates by connecting to the internet

· Compromises Programming logic control system (PLCs)

· Controls the target

· Deceives and destroys the target.

The anatomy of Stuxnet is illustrated in Figure 13.2.

Figure 13.2: Anatomy of Stuxnet (source: David Kushner)

13.5. Mobile Malware


Mobile malware is malicious software designed specifically to target a mobile device, such
as a tablet or smartphone, in order to damage or disrupt the device. Most mobile malware is designed to
disable a mobile device, allow a malicious user to remotely control the device, or steal personal
information stored on the device. A mobile phone virus is the equivalent of a computer virus,
except that it infects consumer cellphones and spreads by way of MMS attachments, Bluetooth
transfers, and Internet downloads.

The first known cellphone virus was called Cabir and was detected in June 2004 by
Kaspersky Labs. The Cabir worm was coded to infect Symbian OS cellphones. Cabir was
designed to scan for all accessible phones using Bluetooth technology and send a copy of
itself to the first one found. Setting a phone to non-discoverable (hidden) Bluetooth
mode protects it from the Cabir worm. But once a phone is infected, it will try to
infect other systems even after Bluetooth is disabled in the system settings. In 2005 Cabir’s source
code became widely available on the Internet.

A type of cellphone virus that became known as Mosquito was distributed as part of a
downloadable game. It made mobile phones send text messages to premium-rate numbers
without the user’s approval or knowledge.

Smartphones are becoming increasingly popular and more technologically advanced,
making them targets for digital criminals who seek to plant malicious software, Trojans, or
viruses onto mobile devices. Android users are at the greatest risk compared to users of other
providers such as Apple, and have recently been the subject of digital attacks.

Timifonica

Timifonica was part of the first generation of viruses back in 2000. The worm was a Visual
Basic Script, or VBS-based e-mail chain letter that would deliver text messages of 160 characters
or less to random cellphones in Europe, according to PCWorld. The virus did not steal data or
destroy files. It seemed to just be a nuisance.

SymbOS.Skull

This Trojan is written for those running the Symbian OS. Under the guise of a theme
package, SymbOS.Skull replaces all system files on the mobile device, including replacing the
application icons with skulls, shown on the left. It was discovered in 2004, according to a Symantec
security report.

Zitmo

Malware is also targeting other phones as well. The Zitmo Trojan, which works in
conjunction with Zeus malware, is meant to hack users’ bank accounts by mobile device. The
Trojan targets Blackberry and Symbian devices.

Plankton

Google had to pull 10 applications from the official Android market in June after they were
hijacked by malware called Plankton. Plankton hid itself in apps that presented themselves as
supplementary programs to Angry Birds, but once on the device it would steal user browser data
and could access a remote server to add even more malicious files to the device.

Ikee

Jailbroken iPhones – iPhones that have been modified to run unauthorized software –
became the victims of Ikee in 2009, a worm that changed the user’s wallpaper to a picture of 1980s pop
singer Rick Astley, as a prank similar to the “Rickrolling” phenomenon on
YouTube. The worm was allegedly written by an out-of-work programmer who admitted he was
a “little naive” about the resulting response.

DroidDream

This piece of malware, discovered in March 2011, was packaged inside legitimate
applications in the official Android market that were released under the developers “Kingmall2010,”
“we20090202,” and “Myournet”. The malware can then send user information to a remote
server. A new variant of DroidDream – called DroidDreamLight – was discovered in May 2011.

Android.Pjapps

Some Trojans can disguise themselves as legitimate applications. One example is
Android.Pjapps, which hijacked the Steamy Windows app on Android, according to Symantec.
The malicious app is similar to the legitimate one and even works – fogging up the screen – but
it works in the background to send text messages to premium rate numbers, which in turn pays
the creators of the Trojan.

HongTouTou

HongTouTou was discovered in February 2011. The worm was spotted in repackaged, or
cracked, apps for smartphones on Chinese websites. The worm was found, for example in a
pirated version of RoboDefense, a game for Android phones. HongTouTou is seemingly designed
to generate search engine counts for the people who created the Trojan.

Geinimi

Android phones in China were affected by a piece of malicious code called Geinimi in late
2010, which spread to devices through third-party apps from the Android market, according to
MobileCrunch. The Trojan sends a user’s location and app list to a remote server and can
download apps.

DroidKungFu

This piece of malware is unique in that it is able to avoid detection by antimalware
software. It installs a backdoor in the Android OS that allows hackers to gain full control over a
user’s mobile device.

Figure 13.3: Mobile Threats

Rooting Malware

For the last few years, rooting malware has been the biggest threat to Android users.
These Trojans are difficult to detect, boast an array of capabilities, and have been very popular
among cybercriminals. Their main goal is to show victims as many ads as possible and to
silently install and launch the apps that are advertised. In some cases, the aggressive display of
pop-up ads and delays in executing user commands can render a device unusable.

Rooting malware usually tries to gain super-user rights by exploiting system vulnerabilities
that allow it to do almost anything. It installs modules in system folders, thus protecting them
from removal. In some cases – Ztorg, for example – even resetting the device to factory settings
won’t get rid of the malware. It’s worth noting that this Trojan was also distributed via the Google
Play Store.

WAP Trojans

These Trojans generally work in the following way: they receive a list of links from the
C&C, follow them (usually unnoticed by the user) and ‘click’ on page elements using a specially
created JS file. In some cases, the malware visits regular advertising pages (i.e., they steal
money from advertisers, rather than from the user); in other cases, they visit pages with WAP
subscriptions, with the money being taken from the user’s mobile account.

IoT

Although malware gained much of its initial footing by infecting computers like PCs, today
virtually anything with a microprocessor is at risk. Researchers have demonstrated how malware
can infect hundreds of new targets, including wearables (like watches and Fitbits), light
bulbs, automobiles, water supply systems, and even airliners.

Moving from research and theory to reality, cybercriminals have already successfully
deployed malware that compromised everything from simple devices to complex industrial
complexes, including mobile phones, ATM machines, security cameras, TVs, e-
cigarettes, vending machines, and nuclear plants. Most wars involve a specific set of countries
and have a defined beginning and end. Regrettably, the war with malware impacts everyone
across the globe and has no end in sight.

While the cybersecurity industry is feverishly working to control malware, and succeeding
in many ways, cybercriminals show no signs of defeat, or even of slowing down. When
cybercriminals are thwarted in one area, they quickly develop new tactics and attack in
another, a precursor to what may happen in the near future.

In all probability, most of the history of malware lies in front of us, not behind us. We can
expect to see cybercrime continue to cause unprecedented damage to both private and public
enterprises.

Fortunately, those organizations that diligently deploy the latest anti-malware solutions
stand a good chance of avoiding much of the damage that malware will no doubt inflict on the
masses.

Ways of Spread

Drive-by download: The unintended download of computer software from the Internet.
It either refers to the download that happens without the knowledge of a user, or the download
that a person authorizes but without the understanding of the consequences.

Homogeneity: A setup where all the systems are running on the same operating system
and connected to the same network. This increases the chances of a worm in one computer to
easily spread to others on that network.

Vulnerability: A security defect in software that can be attacked by malware. It could
be a design flaw, programming error, or some other kind of inherent weakness in a software
implementation, application or operating system.

Backdoor: An opening or break left in software, hardware, network or system security
by design, usually for debugging purposes.

Types of Malware attacks

0-Day: A zero-day vulnerability is an undisclosed flaw that hackers can exploit. It’s called
0-day because it is not publicly reported or announced before becoming active.

Exploit: A threat made real via a successful attack on an existing vulnerability. Also
refers to software that is developed to target the loopholes on a particular device.

Privilege escalation: Situation where the attacker gets escalated access to restricted
data that is on a higher level of security.

Evasion: The techniques malware makers design to avoid detection and analysis of their
malware by security systems and software.

Blended threat: A malware package that combines the characteristics of multiple types
of malware like Trojans, worms or viruses, seeking to exploit more than one system vulnerability.

Important Terminologies

Botnet: A number of Internet connected devices that are running one or more bots. Botnets
are used to perform distributed denial of service attacks, send spam, and steal data.

Containment: The process of stopping the spread of malware, and preventing further
damage to hosts.

Endpoint: A security approach to the protection of computer networks that are remotely
bridged to client devices. Devices that are not in compliance can thereby be provisioned with
limited access.

Payload: The part of the malware program that actually does the damage.

Privilege: In computing, privilege means the access to modify a system.

Signature: Signs that are specific to either a certain type of behaviour or a specific item of
malware.

Threat: In computing security, a computer or network is deemed under threat when it
harbours persistent software vulnerabilities, thereby increasing the possibility or certainty of a
malicious attack.

Track: Evidence of an intrusion into a system or a network. Advanced malware can clean
folders, clear event logs, and hide network traffic to cover their tracks.

Zombie: A computer connected to the Internet that has been compromised by a hacker,
computer virus or Trojan horse. It can be used to perform malicious tasks.

Figure 13.4 illustrates various malware threat vectors in the year 2017. It was found that
ad-click fraud was the most common scam targeting users on the Google Play Store.
Similarly, the global spike in cryptomining malware started around the same time as the
spike in Bitcoin prices.

Figure 13.4: Malware Threat Vectors

13.6. Spyware
Spyware is unauthorized software that spies on or gathers confidential information about
individuals and organizations and delivers it to hackers. Generally it runs in the background,
monitors the surfing habits of individuals, captures keystrokes typed on the keyboard, and gathers
information from computers and networks. Spyware does not harm computers or networks;
it just monitors activity. What makes spyware malicious is primarily that it is installed
without direct consent.

How spyware works?

One of the most common ways to get spyware on a system is by installing software from
questionable sources. Many freeware and shareware applications and peer-to-peer filesharing
programs install a spyware application in the background. Some provide notification about the
software buried within the End User License Agreement (EULA). Only a few users read the
EULA in its entirety.

InstaFinder is an example of adware/spyware that does in fact explain up front what
the software will do. The EULA for InstaFinder details the activities performed by the software, but
most users simply click ‘OK’ without understanding the legalities.

Figure 13.5: EULA statement in KAZAA Desktop


Morpheus

Morpheus was a file sharing and searching peer-to-peer client for Microsoft Windows,
distributed by the company StreamCast. Morpheus neither shows nor references any license
for its own software. However, Morpheus shows a Direct Revenue license agreement and installs
Direct Revenue software. At 4,492 words and 44 on-screen pages, Morpheus’s DR license is
the shortest of the license agreements analyzed. But reading the license could be
burdensome nonetheless. According to research conducted by Human Factors International,
the average adult’s reading speed is 250 to 300 words per minute, such that this license would
still require 15 to 18 minutes to read in full.

Figure 13.6: Morpheus showing direct revenue EULA



Camouflaged spyware

Spyware installs itself in the background, leaving the user with no indication that an installation is going on. The file name of the executable that actually runs the software is quite often disguised so that it appears to be a harmless system file – for example, calling the file svchost32.exe or msexplorer.exe.
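The look-alike names just described are easy to spot mechanically once you know what the genuine binaries are called and where they run from. The following Python script is an added example, not code from the lesson or from any product; the list of genuine Windows binaries and their expected directories is an assumption based on a default installation, and the process list it scans is constructed for the demonstration.

```python
"""Flag processes whose names imitate Windows system binaries.

Added example for the "Camouflaged spyware" passage. The process list is
constructed for the demonstration; the set of genuine binaries and their
expected directories is an assumption based on a default Windows install.
"""
import re

# Genuine Windows executables that spyware commonly imitates, mapped to the
# directory each one legitimately runs from (assumption: default install on C:).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}


def name_stem(filename):
    """Lower-case name without extension, digits or punctuation: svchost32.exe -> svchost."""
    base = filename.lower().rsplit(".", 1)[0]
    return re.sub(r"[^a-z]", "", base)


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, path):
    """Return a reason string if the process looks camouflaged, otherwise None."""
    lname = name.lower()
    # Split on backslashes ourselves so the check also works when run on Linux.
    directory = path.lower().rpartition("\\")[0]
    if lname in KNOWN_SYSTEM_BINARIES:
        if directory != KNOWN_SYSTEM_BINARIES[lname]:
            return f"genuine system name running from unexpected path {path}"
        return None
    stem = name_stem(lname)
    for real in KNOWN_SYSTEM_BINARIES:
        real_stem = name_stem(real)
        # svchost32.exe and msexplorer.exe embed the real name; svch0st.exe and
        # lsas.exe are one edit away once digits are stripped.
        if real_stem in stem or levenshtein(stem, real_stem) <= 1:
            return f"name mimics {real}"
    return None


def scan(processes):
    """Return (name, path, reason) for every suspicious entry in a process list."""
    findings = []
    for name, path in processes:
        reason = classify(name, path)
        if reason:
            findings.append((name, path, reason))
    return findings


# Constructed process list, not taken from a real host.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost32.exe", r"C:\Users\alice\AppData\Roaming\svchost32.exe"),
    ("msexplorer.exe", r"C:\ProgramData\msexplorer.exe"),
    ("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for name, path, reason in scan(SAMPLE_PROCESSES):
        print(f"{name:16} {reason}")
```

Two of the sample entries are caught by name (svchost32.exe, msexplorer.exe) and one by path (a genuine-looking svchost.exe running from a Temp folder); notepad.exe and the real svchost.exe pass. In practice the path check is the more reliable of the two, because a name-only heuristic will occasionally flag a harmless program whose name happens to be close to a system binary.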

13.7. Adware
Adware (short for advertising-supported software) is a type of malware that automatically delivers advertisements. Common examples of adware include pop-up ads on websites and advertisements that are displayed by software. Often, software and applications offer “free” versions that come bundled with adware. Most adware is sponsored or authored by advertisers and serves as a revenue-generating tool. While some adware is solely designed to deliver advertisements, it is not uncommon for adware to come bundled with spyware (described above) that is capable of tracking user activity and stealing information. Because of the added capabilities of spyware, adware/spyware bundles are significantly more dangerous than adware on its own.

Table 13.1 lists various spyware and adware programs together with their activity, the targets they exploit and the vulnerability they exploit.

Table 13.1: List of Spyware/adware, their activity, target and vulnerability

Name of the Spyware | Activity | Targets | Vulnerability
--------------------|----------|---------|--------------
CoolWebSearch (CWS) | Hijack | Web searches, home page, and other Internet Explorer settings | HTML application security flaws
Gator (GAIN) | Adware | Display banner advertisements | Bundled with freeware file-sharing programs including Kazaa
180search Assistant | Adware | Delivers targeted pop-up advertisements | Separate browser window displaying an advertiser’s Web page
ISTbar/AUpdate | Toolbar used for searching pornographic web sites | Display pornographic pop-ups | Hijack user home pages and Internet searches
Transponder (vx2) | Browser Helper Object | Monitors requested Web pages and data entered into online forms | Delivers targeted advertisements
Internet Optimizer | Hijacks | Hijacks error pages | Redirects them to its own controlling server at http://www.internet-optimizer.com
Blaze Find | Redirect Web searches | Web searches, home page and other Internet Explorer settings | Change other Internet Explorer settings
Hot as Hell | Dialler program | Disconnects a user’s computer from a local Internet provider and reconnects the user to the Internet using an expensive toll or international phone number | Significant long-distance phone calls
Advanced Keylogger | Take screen shots | Monitor keystrokes | 
TIBS Dialer | Hijack a user’s modem to dial toll numbers that access paid, pornographic Web sites | | 

13.8. Ransomware
Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files, and the only way to regain access to the files is to pay a ransom.

There are two types of ransomware in circulation:

13.8.1. Encrypting ransomware, which incorporates advanced encryption algorithms. It is designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CryptoWall and more.

13.8.2. Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Example: WinLocker.

Some locker versions can even infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process cannot complete as usual and a ransom note is displayed on the screen instead. Examples include the Satana and Petya families.

13.8.3. Crypto-ransomware, as encryptors are usually known, is the most widespread type, and the cyber security community agrees that it is the most prominent and worrisome cyber threat of the moment.

13.8.4. Notable Ransomware events. In 2017 a massive ransomware attack targeted a wide range of sectors such as government, telecommunications and health care. WannaCry compromised 300,000 systems in over 150 countries; the most affected countries were Russia, China and the UK. The spread of the ransomware was stopped by a “kill switch” in its code. Newer variants of the malware such as “Uiwix” do not have this kill switch.

Table 13.2: List of Notable Ransomware

Name of the Ransomware | Year of Appearance | Activity | Targeted | Amount loss
-----------------------|--------------------|----------|----------|------------
Reveton | | Used payload to display alert message on infected system | Displayed footage from victim’s webcam | 
CryptoLocker | 2014 | Encrypted files and folders (RSA key pair) | C&C server to encrypt data and then asked for ransom | Australian Broadcasting Corporation
CryptoWall | 2014 | Website: gaining access through exploited browser plugins, download the payload (steganographic approach) | Payload ran the CryptoWall script, infecting the computer | $18 million in damage
TeslaCrypt | Feb 2015 | Most seen ransomware | Online games | 75K
TOX | May 2015 | Ransomware as a service (RaaS) kit | Developers get a percentage of ransom | Minimum $50
Fusob | April 2015 | Mobile malware | Accounted for more than half of the infected mobile phones | 
Sleeper | May 2015 | Ransomware locker | Infected Windows machine | 
Chimera | Sept 2015 | Threaten to leak the encrypted files if ransom is not paid | | 
Ransom32 | Jan 2016 | RaaS written in JavaScript | Windows, MacOS and Linux | 
7ev3n | Jan 2016 | Destroy files | Asks for 13 bitcoins, highest ransom | About $5,000
Locky | Feb 2016 | Aggressive phishing campaign | Uses Dridex infrastructure; most notorious ransomware, targeted hospital in Hollywood | $17,000 ransom
Locky | May 2016 | Hospitals in California hit with Locky | | 
Samsam | Mar 2016 | JBoss servers | Allows the attacker to communicate with the victim in real time using a Tor browser | 
Petya | Apr 2016 | Overwrites Master Boot Record (MBR) | Delivered by Dropbox | 
Shadow Brokers | | Dumping campaign | Exposed the DoublePulsar and EternalBlue exploits | 
Shadow Brokers | Aug 2016 | Leaking tools and exploits | Used by NSA | 
WannaCry | May 2017 | Impacted 300,000 systems | 150 countries | 
BadRabbit | Oct 2017 | Fake Adobe Flash Player | Lures users into downloading it; Ukraine, U.S., Turkey, Germany | 

Figure 13.7 illustrates the most popular ransomware families between April and October 2017; WannaCry and Cerber were by far the most active.

Figure 13.7: Most Popular Ransomware



13.8.5. Anatomy of WannaCry. WannaCry targeted its victims in two phases, followed by command and control.

13.8.5.1. Phase I: External Attack – In this phase a five-stage operation was carried out. The stages are:

External Reconnaissance – WannaCry searches for organizations with endpoints exposing port 445 (SMB over IP) that are exploitable with EternalBlue, an exploit developed by the National Security Agency (NSA). EternalBlue was leaked by the Shadow Brokers, a hacker group, in 2017 and was used as part of the worldwide WannaCry attack.

Weaponization – Creation of artifacts such as the code to be injected into the SMB process and the kill-switch mechanism.

Delivery & Exploitation – Exploitation of the vulnerability with EternalBlue, a hacking tool stolen from the NSA.

Installation – It injects the code into the SMB system process and becomes persistent by creating an entry in the Windows Registry.

Command & Control – Waits for the order of the domain controllers to act. Newer variants have no kill switch.

13.8.5.2. Phase II: Internal Attack

Internal Reconnaissance – Search for endpoints within the network with open port 445 that are exploitable with EternalBlue.

Internal Exploitation – Exploit the vulnerability with EternalBlue. It injects code into the SMB system process and becomes persistent by creating an entry in the Windows Registry.

Lateral Movement – It copies itself to those vulnerable endpoints by exploiting a variant of the DoublePulsar payload. The process starts again on every infected computer, so the capacity for propagation within the network is enormous.

13.8.5.3. Target Manipulation

· Gets access to system files and deletes existing Shadow Copy folders to prevent the user from retrieving information

· Does not allow booting in system recovery mode; hides the Recycle Bin

· Kills the processes that hold databases open (MySQL, SQL Server and Exchange) to guarantee that those databases can be encrypted

· Proceeds to encrypt the files and directories of the system using the AES algorithm; they can be decrypted only if the private RSA key is available

· When the file encryption finishes, it shows a dialog box to the user requesting the ransom

Figure 13.8 illustrates the various stages of WannaCry.

Figure 13.8: Timeline of Wannacry

Ransomware has some key characteristics that set it apart from other malware:

· It features unbreakable encryption, which means that decrypting the files would be difficult. It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things that reside on a PC.

· It can scramble file names, so you cannot know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom.

· It will add a different extension to files, sometimes to signal a specific type of ransomware strain.

· It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back.

· It requests payment in Bitcoins because this crypto-currency cannot be tracked by cyber security researchers or law enforcement agencies.

· Usually, the ransom payments have a time limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever.

· It uses a complex set of evasion techniques to go undetected by traditional antivirus.

· It often recruits the infected PCs into botnets so cyber criminals can expand their infrastructure and fuel future attacks.

· It can spread to other PCs connected to a local network, creating further damage.

· It frequently features data exfiltration capabilities, which means that it can also extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals; encrypting files is not always the endgame.

· It sometimes includes geographical targeting, meaning the ransom note is translated into the victim’s language, to increase the chances of the ransom being paid.

· As families and variants multiply, there is a dire need to understand that at least baseline protection to avoid data loss is required.

· Encrypting ransomware is a complex and advanced cyber threat which uses all the tricks available because it makes cyber criminals a huge amount of money.

Figure 13.9 illustrates the timeline of ransomware.
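Two of the behaviours described in the WannaCry target-manipulation steps and in the characteristics list above, the removal of Shadow Copies and recovery options before encryption and the renaming of many files to a new extension, are exactly what endpoint detection rules look for. The Python script below is an added example of such detection logic, not code from the lesson or from any product. The event records are constructed to resemble simplified Sysmon-style process-creation and file-rename entries; the thresholds, the sample process IDs and the .locked extension are assumptions made for the demonstration.

```python
"""Detect ransomware behaviour in endpoint events: recovery tampering and rename bursts.

Added example covering the "target manipulation" steps and the "key
characteristics" list above. The events are constructed to resemble simplified
Sysmon-style process-creation and file-rename records; they are not real
telemetry, and the thresholds are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that remove Shadow Copies or disable recovery-mode boot.
RECOVERY_TAMPERING = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copies deleted via vssadmin"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copies deleted via wmic"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "Windows recovery mode disabled"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I), "backup catalog deleted"),
]
RENAME_BURST_THRESHOLD = 20            # files renamed by one process...
RENAME_WINDOW = timedelta(seconds=60)  # ...within this sliding window


def check_process(event):
    """Return a label if a process-creation event matches a tampering pattern."""
    for pattern, label in RECOVERY_TAMPERING:
        if pattern.search(event["cmdline"]):
            return label
    return None


def detect_rename_bursts(events):
    """Flag processes that give many files one new extension within the window."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["type"] != "rename":
            continue
        old_ext = ev["old"].rsplit(".", 1)[-1].lower()
        new_ext = ev["new"].rsplit(".", 1)[-1].lower()
        if old_ext != new_ext:  # extension changed, e.g. .docx -> .locked
            by_key[(ev["pid"], new_ext)].append(ev["ts"])
    alerts = []
    for (pid, ext), times in by_key.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > RENAME_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= RENAME_BURST_THRESHOLD:
            alerts.append((pid, f"{best} files renamed to .{ext} within {RENAME_WINDOW.seconds}s"))
    return alerts


def detect(events):
    """Run both checks and return (pid, description) alerts in event order."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            label = check_process(ev)
            if label:
                alerts.append((ev["pid"], label))
    alerts.extend(detect_rename_bursts(events))
    return alerts


# Constructed sample: pid 4242 tampers with recovery and then renames 25
# documents to a .locked extension; pid 1200 is ordinary user activity.
T0 = datetime(2017, 5, 12, 9, 0, 0)
SAMPLE_EVENTS = [
    {"type": "process", "ts": T0, "pid": 4242, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "ts": T0 + timedelta(seconds=1), "pid": 4242,
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"type": "process", "ts": T0 + timedelta(seconds=2), "pid": 1200, "cmdline": "notepad.exe report.docx"},
    {"type": "rename", "ts": T0 + timedelta(seconds=3), "pid": 1200,
     "old": r"C:\Users\alice\draft.txt", "new": r"C:\Users\alice\draft.md"},
]
SAMPLE_EVENTS += [
    {"type": "rename", "ts": T0 + timedelta(seconds=5 + i), "pid": 4242,
     "old": rf"C:\Users\alice\Documents\file{i}.docx",
     "new": rf"C:\Users\alice\Documents\file{i}.docx.locked"}
    for i in range(25)
]

if __name__ == "__main__":
    for pid, what in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {what}")
```

On the sample the script raises three alerts, all against pid 4242: the Shadow Copy deletion, the disabling of recovery mode, and the burst of 25 renames to .locked within one minute; the single benign rename by pid 1200 stays below the threshold. The command-line patterns fire before any file is encrypted, which is why they are the more valuable of the two checks: the rename burst confirms encryption is already under way.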

Summary

· Malware is any software intentionally designed to cause damage to a computer, server or computer network.

· Cryptolocker: one of many early ransomware programs, Cryptolocker had a significant impact globally and helped fuel the ransomware era.

· Spyware is unauthorized software which spies on or gathers confidential information about individuals and organizations and delivers it to hackers.

· Adware is a type of malware that automatically delivers advertisements.

· Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files, and the only way to regain access to the files is to pay a ransom.

Check your answers

· ……………………. is any software intentionally designed to cause damage to a computer, server or computer network.

· ………………… one of many early ransomware programs, Cryptolocker had a significant impact globally and helped fuel the ransomware era.

· ……………… is unauthorized software which spies on or gathers confidential information about individuals and organizations and delivers it to hackers.

· ……………… is a type of malware that automatically delivers advertisements.

· ……………………….. is a sophisticated piece of malware that blocks the victim’s access to his/her files, and the only way to regain access to the files is to pay a ransom.


LESSON 14
CYBER FRAUDS - PART – I
TELECOM FRAUDS
After reading this lesson you will be able to learn the following:

· Frauds

· Fraud Triangle

· Cyber Frauds – Telecom Frauds

Structure
14. Cyber Frauds

14.1. Fraud

14.2. Fraud Triangle

14.3. Cyber Frauds - Telecom frauds

14.1. Fraud
Fraud is wrongful or criminal deception intended to result in financial or personal gain. The word also describes a person or thing intended to deceive others, typically by unjustifiably claiming or being credited with accomplishments or qualities. In other words, it is an act or course of deception, an intentional concealment, omission or perversion of truth, in order to:

1. Gain an unlawful or unfair advantage

2. Induce another to part with some valuable item or surrender a legal right

3. Inflict injury in some manner

Fraud takes place when a person deliberately practices deception in order to gain something unlawfully or unfairly. The act of fraud can be classified as either a civil or a criminal wrong. It occurs for the purpose of deceiving another person or entity. According to the Association of Fraud Examiners, fraud is defined as any intentional or deliberate act to deprive another of property or money by guile, deception or any other unfair means. Fraud is the deliberate misrepresentation of fact for the purpose of depriving victims of property. Examples include:

· Corruption: conflicts of interest, bribery, illegal gratuities and economic extortion.

· Cash asset misappropriation: larceny, skimming, check tampering and fraudulent disbursements, including billing, payroll, and expense reimbursement schemes.

· Non-cash asset misappropriation: larceny, false asset requisitions, removal or inappropriate use of records and equipment, inappropriate disclosure of confidential information and document forgery or alteration.

· Fraudulent statements: financial reporting, employment credentials, and external reporting.

· Fraudulent actions by customers, vendors or other parties, including bribes or inducements and fraudulent invoices from a supplier or false information from a customer.

14.2. Fraud triangle

The fraud triangle is a model for explaining the factors that cause someone to commit occupational fraud. It consists of three components which, together, lead to fraudulent behavior:

1. Perceived un-shareable financial need

2. Perceived opportunity

3. Rationalization

The fraud triangle originated from Donald Cressey’s hypothesis:

“Trusted persons become trust violators when they conceive of themselves as having a financial problem which is non-shareable, are aware this problem can be secretly resolved by violation of the position of financial trust, and are able to apply to their own conduct in that situation verbalizations which enable them to adjust their conceptions of themselves as trusted persons with their conceptions of themselves as users of the entrusted funds or property.”

The fraud triangle

It is a framework designed to explain the reasoning behind a person committing fraud. The three stages, categorized by their effect on the individual, can be summarised as pressure, opportunity and rationalisation.

Perceived Pressure: This is the motivation behind the crime. It can be personal financial pressure such as debt problems, work pressure, or a shortfall in revenue. The pressure is seen by the individual as unsolvable. A common example of a perceived un-shareable financial problem is gambling debt.

Opportunity: The opportunity to commit fraud is the set of circumstances that allow fraud to occur, and it is the only condition over which the organization has complete control. Opportunities to commit fraud are commonly present in organizations that have poor internal controls, or controls that can be overridden by management. If internal control is designed in a way that makes the risk of getting caught too high, it is likely that the employee will not exploit the perceived opportunity for his or her personal gain. Without opportunity, fraud can never happen.

Rationalization: Rationalization of committing fraud is the most difficult condition to observe because it takes place in the mind of the perpetrator. Rationalization has to do with justifying the fraud. Since many fraudsters view themselves as honest, ordinary people and not as criminals, they have to come up with some reasoning to make the act of committing fraud more acceptable to them. Some common rationalization statements are “I’ll just take this money now and pay it back later,” “No one will notice,” or “I deserve this after all these years with this company.” Some fraudsters rationalize their behaviour by reframing their definition of wrongdoing to exclude their own actions.

When all three are present, the individual will defraud the organization. For a fraud to occur all three must be present, though they may be present in varying degrees.

Figure 14.1: Fraud Triangle



14.3. Cyber Frauds - Telecom frauds

In the current global scenario there has been a staggering increase in cellular networks, which have become ubiquitous. As with every industrial revolution, new types of fraud have emerged alongside the revolution in the telecommunication industry. This phenomenal growth has brought with it an increase in the variety and complexity of fraudulent activities on mobile networks. Within the telecommunication industry, fraud is an ever-increasing and most prolific threat. Telecom frauds have become more pervasive and sophisticated as additional means of communication have been introduced, even as the implementation of these modern forms of communication has promised greater revenue. Fraud has created severe international problems; the loss to service providers and its impact have been observed to be in the billions of US dollars.

Factors that lead to telecom fraud

· Criminal greed

· Disgruntled employees

· Complexity in technology

· Failure to understand the complexity of new technologies

· Weakness in operating system

· Failure of business models

· Money laundering

· Free financial gain

· Political and ideological factors

· Ineffective audit systems leading to telecom pirates

Telecommunication fraud can be defined as the theft of services or the deliberate abuse of voice or data networks. Any transmission of voice or data across a telecommunications network where the intent of the sender is to avoid or reduce legitimate call charges is, broadly, fraud: misuse with dishonest intention.

Telecommunication frauds may be broadly classified as technical and non-technical frauds. Technical frauds may further be classified as external frauds and internal frauds. Technical external frauds are committed from outside the network and are executed by gaining access to the network systems, for example by hacking. Examples of external technical fraud include breaking the secret codes of automatic telephone line isolators, STD lock passwords and personal identification numbers. Technical internal frauds are committed by gaining access to internal telecommunication network systems. Internal fraud reveals a breakdown of internal systems; quite often it is committed by disgruntled employees, and generally it happens where proper internal controls are lacking. Examples include, but are not limited to, manipulation of the billing, charging, routing and subscriber databases. Non-technical frauds are committed without accessing or interfering with the network system. Examples include subscription fraud, clip fraud and call forwarding frauds.

Figure 14.2: Types of Telecom Frauds- Broad classification

The Communications Fraud Control Association periodically conducts a survey of fraud around the world, and the latest survey revealed that fraud amounts to 1.7% of revenues in the communication industry annually. In particular, the survey identified roaming as specifically vulnerable to fraud.

Figure 14.3: Fraud Attacks and Major Types Detected


(Source: Syniverse Report)

14.3.1. Evolution of Telecom Frauds and Modus Operandi

The history of fraud in the communication industry has two distinct lines. Fraud in traditional fixed-line networks has been around for many decades. However, it was fraud in the newer mobile networks that got most of the initial attention. In the current global scenario, the problem of fraud is becoming well understood by all providers of communication services. As technology has evolved, network security has improved, but ingenious hackers have found ways through. With the advancement of technology the fraudsters too have gone high-tech, and fraud techniques and types have continuously evolved. From simple teeing-in fraud to SIM cloning and tumbling in analog networks, fraudsters have also advanced in being technical and sophisticated.

Figure 14.4: Evolution of Telecom Fraud

14.3.1.1. Phreaking

Phreaking, or telecommunication fraud, is the process of gaining unauthorized access into a secured telecommunication system in order to exploit services such as phone networks and to copy the dialing tones. “Phreak” is a combination of phone and freak. Phreakers include customers, geeks and communication service providers.

Switch hooking was the first phreaking method used. In this method calls were made without using the rotary dial: it was accomplished by pressing and releasing the switch hook to open and close the circuit quickly.

14.3.1.2. War dialing is a technique to automatically scan a list of telephone numbers, usually dialing every number in a local area code, to search for modems, computers, bulletin board systems (computer servers) and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers (malicious hackers who specialize in breaching computer security) for guessing user accounts (by capturing voicemail greetings) or locating modems that might provide an entry point into computers or other electronic systems. It may also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company’s telephone network.

14.3.1.3. Private Branch Exchange (PBX) is an internal telephone system that directs calls from one person to another within an enterprise. In this type of fraud, criminals break into the PBX system and sell long-distance calls to third parties around the world. In the current global scenario, PBXs are software driven, with features such as voice mail, a maintenance port and direct inward system access (DISA). Phreakers use the administrator account to forward voice calls to unauthorized users and also change the configuration and access codes of the PBX maintenance port, which affects the operation of the enterprise. DISA enables remote users to access an outside line through the PBX system using authorization codes. Phreakers obtain the authorization code to make calls at the expense of the enterprise.
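An enterprise defends against the DISA abuse just described mostly by reviewing its own PBX call detail records (CDRs): repeated failed authorization attempts from one caller ID indicate code guessing, and successful DISA sessions placing international calls at night or at weekends are the typical sign of stolen codes being resold. The following Python script is an added example of that review, not code from the lesson or from any PBX vendor. The CSV record format, the sample lines (with reserved fictional 555-01xx and 01632 960xxx numbers), the business-hours window, the international dialling prefixes and the failure threshold are all assumptions made for the demonstration.

```python
"""Spot DISA abuse in PBX call detail records (CDRs).

Added example for the PBX fraud passage; not a vendor tool. The CDR format
(timestamp, entry point, caller ID, authorization result, dialed number,
duration in seconds), the sample lines, the thresholds and the business-hours
window are all constructed for the demonstration.
"""
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

FAILED_AUTH_THRESHOLD = 5                    # failed DISA codes from one caller ID
BUSINESS_HOURS = range(7, 20)                # 07:00-19:59 local time, Monday-Friday
INTERNATIONAL_PREFIXES = ("00", "+", "011")  # assumed trunk dialling prefixes


def parse_cdrs(text):
    """Parse CSV CDR text into dicts with typed timestamp and duration."""
    rows = []
    for rec in csv.DictReader(StringIO(text)):
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["duration"] = int(rec["duration"])
        rows.append(rec)
    return rows


def is_after_hours(ts):
    """True at weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def is_international(number):
    return number.startswith(INTERNATIONAL_PREFIXES)


def find_disa_abuse(records):
    """Return (caller_id, description) alerts for code guessing and toll abuse."""
    alerts = []
    # 1. Authorization-code guessing: many failed DISA logins from one caller ID.
    failures = Counter(r["caller"] for r in records
                       if r["entry"] == "DISA" and r["auth"] == "FAIL")
    for caller, n in failures.items():
        if n >= FAILED_AUTH_THRESHOLD:
            alerts.append((caller, f"{n} failed DISA authorization attempts"))
    # 2. Successful DISA sessions placing international calls outside business hours.
    for r in records:
        if (r["entry"] == "DISA" and r["auth"] == "OK"
                and is_international(r["dialed"]) and is_after_hours(r["ts"])):
            alerts.append((r["caller"],
                           f"after-hours international call via DISA to {r['dialed']} ({r['duration']}s)"))
    return alerts


# Constructed CDR extract: 2019-03-04 is a Monday. One outside caller guesses
# DISA codes at 02:14, succeeds, and places a 30-minute international call.
SAMPLE_CDRS = """ts,entry,caller,auth,dialed,duration
2019-03-04T02:14:05,DISA,+15550100,FAIL,,0
2019-03-04T02:14:21,DISA,+15550100,FAIL,,0
2019-03-04T02:14:37,DISA,+15550100,FAIL,,0
2019-03-04T02:14:52,DISA,+15550100,FAIL,,0
2019-03-04T02:15:09,DISA,+15550100,FAIL,,0
2019-03-04T02:15:30,DISA,+15550100,FAIL,,0
2019-03-04T02:15:48,DISA,+15550100,OK,00441632960123,1800
2019-03-04T14:30:00,DISA,+15550142,OK,5550199,240
2019-03-04T22:05:00,INTERNAL,2031,OK,5550177,60
"""

if __name__ == "__main__":
    for caller, what in find_disa_abuse(parse_cdrs(SAMPLE_CDRS)):
        print(f"{caller}: {what}")
```

On the sample extract the script produces two alerts for the same caller ID: six failed DISA authorizations followed by an after-hours international call of 1800 seconds. The daytime DISA call to a national number and the late-evening internal extension call are left alone. Running this review daily, and rate-limiting or locking DISA after a few failed codes on the PBX itself, closes the window that makes resold long-distance calls profitable.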

14.3.1.4. Network Frauds

Telecommunication fraud encompasses a variety of illegal activities. There are types of fraud which adversely affect the carriers not only financially but also in terms of extensive voice bandwidth and network resources. These may include roaming, premium service (phishing) and subscription frauds. The most prevalent types of network fraud are listed below; all of these have an equally negative influence on operators, regulators and customers.

· Interconnect Bypass Fraud

· International Revenue Sharing Fraud (IRSF)

· False Answer Fraud

· “A” Number Pass-through / Interconnect Agreement Compliance Testing

14.3.1.5. Interconnect Bypass Fraud

Interconnect bypass fraud is one of the most complicated fraud types of recent times. Telecom regulators and mobile operators face a staggering revenue loss, since bypass fraud is proving to be one of the most prolific and costly frauds. Gateway equipment (fixed-line, VoIP, GSM, CDMA and VoIP-to-GSM gateways) is used to terminate international inbound calls to local subscribers by diverting traffic away from the legal interconnect gateways. Operators sending outbound international traffic connect to interconnect operators with lower rates, leading to a loss of termination revenue for the terminating network operator. Bypass fraud is considered illegal since those who undertake it are not licensed to provide telecommunication services. Sometimes bypass fraud is also considered a national security threat.

A call via a legitimate path/route is bypassed so that there is a revenue loss. Generally, for national or international calls, rates are fixed by the regulators in a country or by an individual operator or group of operators. Bypass fraud is prevalent in countries where there is a difference in rates between retail calling, national calling and international calling. Moreover, in some countries international gateways are monopolized by government operators. The fraudsters make use of the difference in rates, and the assurance of enough profit serves as the key motivating factor to invest in procuring the equipment and GSM connections for conducting large-scale bypass fraud. In countries where the international-to-national terminating charge margins are low, nil or negative, bypass fraud either does not exist or is conducted on a very low scale. It is one of the latest and most severe threats to a telecom operator’s revenue. It is an unauthorized exploitation or manipulation of an operator’s network. This can happen in two ways:

1. SIM Box Interconnect Fraud

2. GSM Gateway Fraud

Such methods give fraudsters an incentive to evade these high-tariff interconnects and deliver costly international calls illicitly. Fraudsters use Voice over IP to Global System for Mobile Communications (VoIP-GSM) gateways, also called “SIM boxes”, which receive incoming calls (via wired connections) and deliver them to a cellular voice network, so that each call appears to be a local call originating from a customer’s phone. This practice not only dramatically degrades the network experience for legitimate customers and violates the telecommunication laws of many countries, but is also extremely profitable for SIM-boxers/fraudsters, resulting in significant revenue loss.

A SIM box is a device used as part of a VoIP gateway installation. It contains a number of SIM cards, which are linked to the gateway but housed and stored separately from it. A SIM box can have SIM cards of different mobile operators installed, permitting it to operate with several GSM gateways located in different places. The SIM box operator can route international calls through the VoIP connection and connect the call as local traffic, allowing the box’s operator to bypass international rates and often undercut the prices charged by the local mobile network operator that connects VoIP calls to the GSM voice network. It does not use the data network.

A SIM box device requires one or more SIM cards to wirelessly connect a VoIP call to the GSM network. A SIM box acts as a VoIP client whose audio input and output are connected to a mobile phone. These devices have a strong market in private enterprise telephone networks. Such private enterprises use GSM gateways with the permission of the licensed telecommunications provider, and this results in a tariff reduction, enabling them to pay a lower cost for terminating a call. However, this is possible and legal only for domestic calls. It is enabled by Voice over Internet Protocol (VoIP) to Global System for Mobile Communication (GSM) equipment, called SIM boxes, as illustrated in Figure 14.5. In this process, SIM boxing connects the VoIP calls to a local cellular voice network through a collection of SIM cards and cellular radios. In the normal course the calls would be received by the network service provider and call tariffs would be charged. In SIM boxing, calls bypass the normal course of connection, appearing to the network provider to originate from a customer phone. The calls are delivered at a subsidized domestic rate instead of the international rate. Such activity has a negative impact on availability, reliability and quality of service for legitimate consumers. Moreover, it also creates network hotspots by injecting a huge volume of tunneled calls, thereby causing revenue loss to network operators.

Figure 14.5: Interconnect bypass fraud using SIMBoxing

The most common implementation of interconnect bypass fraud is known as SIM boxing. Fraudsters use a SIM box to bypass the international route and make the call appear as if it were a domestic call, causing revenue loss to telecom operators. There is a high demand for GSM-VoIP gateways, spanning a wide range of features and numbers of concurrent calls supported. Some of them have only limited functionality, while others hold several SIM cards and also support a variety of audio codecs in a “SIM server”. Sometimes one or more radio interfaces place calls using “virtual SIM cards” from the server; this defeats location-based fraud detection. Miscreants utilize this to commit the fraud.
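Because SIM boxes hide their location (the “virtual SIM” trick above), operators rely less on where a SIM is and more on how it behaves: a SIM box generates almost nothing but outgoing voice calls, each to a different number, from one cell site, with no SMS and no data sessions. The Python script below is an added example of that kind of CDR profiling, not an operator’s or vendor’s detection system. The CDR fields, the two sample subscribers and all thresholds are assumptions constructed to illustrate the traffic shape described in the text.

```python
"""Profile mobile subscribers for SIM-box behaviour from call detail records.

Added example for the SIM box passage; not an operator's or vendor's system.
The CDR tuples (subscriber, direction, service, peer, cell), the two sample
subscribers and the thresholds are constructed assumptions.
"""
from collections import defaultdict

# Thresholds (assumptions): tune against the operator's own traffic baselines.
MIN_OUTGOING_CALLS = 50
MAX_INCOMING_RATIO = 0.05         # incoming calls / outgoing calls
MIN_DISTINCT_CALLEE_RATIO = 0.9   # distinct called numbers / outgoing calls
MAX_DISTINCT_CELLS = 1


def profile(cdrs):
    """Aggregate per-subscriber features from (subscriber, direction, service, peer, cell) tuples."""
    feats = defaultdict(lambda: {"mo": 0, "mt": 0, "callees": set(), "cells": set(), "sms": 0, "data": 0})
    for sub, direction, service, peer, cell in cdrs:
        f = feats[sub]
        f["cells"].add(cell)
        if service == "VOICE":
            if direction == "MO":   # mobile-originated (outgoing)
                f["mo"] += 1
                f["callees"].add(peer)
            else:                   # mobile-terminated (incoming)
                f["mt"] += 1
        elif service == "SMS":
            f["sms"] += 1
        elif service == "DATA":
            f["data"] += 1
    return feats


def simbox_score(f):
    """Count how many SIM-box traits (0-5) a subscriber profile shows."""
    if f["mo"] < MIN_OUTGOING_CALLS:   # too little traffic to judge
        return 0
    traits = [
        f["mt"] / f["mo"] <= MAX_INCOMING_RATIO,                  # nobody calls a SIM box back
        len(f["callees"]) / f["mo"] >= MIN_DISTINCT_CALLEE_RATIO,  # every call to a new number
        len(f["cells"]) <= MAX_DISTINCT_CELLS,                     # never moves
        f["sms"] == 0,                                             # no messaging
        f["data"] == 0,                                            # no data sessions
    ]
    return sum(traits)


def flag_simboxes(cdrs, min_score=4):
    """Return subscribers whose profile meets at least min_score traits."""
    return sorted(sub for sub, f in profile(cdrs).items() if simbox_score(f) >= min_score)


# Constructed CDRs: "SUB-A" behaves like a SIM box, "SUB-B" like a person.
SAMPLE_CDRS = []
for i in range(120):
    SAMPLE_CDRS.append(("SUB-A", "MO", "VOICE", f"peer-{i:04d}", "cell-17"))
for i in range(12):
    SAMPLE_CDRS.append(("SUB-B", "MO", "VOICE", f"friend-{i % 5}", f"cell-{i % 3}"))
    SAMPLE_CDRS.append(("SUB-B", "MT", "VOICE", f"friend-{i % 5}", f"cell-{i % 3}"))
SAMPLE_CDRS += [("SUB-B", "MO", "SMS", "friend-1", "cell-0"),
                ("SUB-B", "MO", "DATA", "", "cell-1")]

if __name__ == "__main__":
    for sub, f in profile(SAMPLE_CDRS).items():
        print(sub, "score", simbox_score(f))
    print("flagged:", flag_simboxes(SAMPLE_CDRS))
```

On the sample, SUB-A scores 5 of 5 and is flagged, while SUB-B never reaches the call-volume floor and scores 0. Operators typically combine a profile like this with test call generation (placing known international calls and checking which local SIM they arrive from) so that a high score can be confirmed before the SIM is barred.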

The cost of SIM box equipment goes up to 200,000 USD. Figure 14.6 shows a typical international call routed through a regulated, licensed interconnect. Let us assume client A is located in India and client B is located in the UK. In a typical call, when client A calls client B, the call is routed through the telephone network in India (labeled “Foreign PSTN Core”) to an interconnect between client A’s and client B’s networks in the UK. It then passes through client B’s domestic network (labeled “Domestic PSTN Core”) and communication is established between client A and client B. If client A and client B are not in neighbouring countries, there can be many interconnects and intermediary networks. These connections are critical and are heavily monitored for billing purposes and quality. Note that VoIP calls initiated from services such as Skype that terminate on a mobile phone also pass through the regulated interconnect.

Figure 14.6: Typical international call routed through regulated licensed interconnect
(Source: Bradley Reaves et al)

A SIM box call is represented in Figure 14.7. A SIM-boxed international call avoids the regulated interconnect by routing the call to a SIM box, which completes the call using the local cellular network. In the SIM box case, client A’s call is routed through the domestic network, but instead of passing through the regulated interconnect, the call is routed over Internet Protocol (VoIP) to a SIM box in the destination country. The SIM box then places a separate call on the cellular network in the destination country and routes the audio from the IP call into the cellular call, which is routed to client B through the domestic network.

Figure 14.7: A SIM Box international call (Source: Bradley Reaves et al)

The main problem here is that neither end user is aware that the call is being routed
through a SIM box. This is a contractual breach of trust between two Internet Service
Providers (ISPs) who have agreed to route traffic between their networks, and the intermediaries
profit from the reduced prices. Two types of attack can take place: first, hijacking of an
international call; second, hijacking and re-injecting an international call. The first type has
been described above. In the second type, SIM boxes re-inject telecom voice traffic into the
mobile network masked as mobile customers, and the operator has to pay for the re-injected calls.
In general there are three types of routes used in communication networks:

o White Route: both source and destination have legal termination.

o Black Route: both source and destination have illegal termination.

o Grey Route: the termination is legal for one entity or country, but illegal for the
other end.
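Because a SIM box hides behind ordinary prepaid SIMs, operators look for it in call detail records rather than on the interconnect. The following is an added example for this lesson, not code from the course text or from any operator’s fraud-management product: it profiles each SIM’s behaviour and flags the combination of traits a SIM box channel shows (outbound-only traffic, a new callee on almost every call, a single serving cell, no SMS). The CDR fields, the sample records, the IMSI and number values and the thresholds are constructed assumptions; since SIM servers rotate virtual SIMs across radio units, no single indicator is reliable on its own, which is why the code requires several to agree.

```python
"""
Heuristic SIM box detection over call detail records (CDRs).

Added example for this lesson, not code from the course text or from any
operator's fraud-management system. The CDR fields, the sample records and
the thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cdr:
    imsi: str        # identity of the SIM the record belongs to
    direction: str   # "MO" = mobile-originated, "MT" = mobile-terminated
    kind: str        # "voice" or "sms"
    peer: str        # the other party's number
    cell_id: str     # serving cell when the record was created
    duration_s: int


# Thresholds are assumptions; an operator tunes them against confirmed cases.
THRESHOLDS = {
    "min_mo_calls": 20,          # judge a SIM only once it has enough outgoing calls
    "max_incoming_ratio": 0.05,  # real subscribers also receive calls; a SIM box almost never does
    "min_distinct_ratio": 0.8,   # distinct callees / outgoing calls; a SIM box rarely redials anyone
    "max_cells": 1,              # a SIM box sits in one place; a handset moves between cells
}


def profile(cdrs):
    """Aggregate per-IMSI behaviour: call counts, SMS count, distinct callees, cells seen."""
    stats = defaultdict(lambda: {"mo": 0, "mt": 0, "sms": 0, "callees": set(), "cells": set()})
    for r in cdrs:
        s = stats[r.imsi]
        s["cells"].add(r.cell_id)
        if r.kind == "sms":
            s["sms"] += 1
        elif r.direction == "MO":
            s["mo"] += 1
            s["callees"].add(r.peer)
        else:
            s["mt"] += 1
    return stats


def simbox_indicators(s, t=THRESHOLDS):
    """Return the list of SIM box indicators that a single IMSI profile triggers."""
    reasons = []
    if s["mo"] < t["min_mo_calls"]:
        return reasons                       # too little traffic to judge
    total_calls = s["mo"] + s["mt"]
    if s["mt"] / total_calls <= t["max_incoming_ratio"]:
        reasons.append("almost no incoming calls")
    if len(s["callees"]) / s["mo"] >= t["min_distinct_ratio"]:
        reasons.append("nearly every call goes to a new number")
    if len(s["cells"]) <= t["max_cells"]:
        reasons.append("never changes cell")
    if s["sms"] == 0:
        reasons.append("no SMS activity")
    return reasons


def flag_simboxes(cdrs, min_reasons=3):
    """IMSIs triggering at least min_reasons indicators, mapped to their reasons."""
    flagged = {}
    for imsi, s in profile(cdrs).items():
        reasons = simbox_indicators(s)
        if len(reasons) >= min_reasons:
            flagged[imsi] = reasons
    return flagged


def _constructed_records():
    """Constructed sample: one ordinary subscriber and one SIM behaving like a SIM box channel."""
    cdrs = []
    friends = ["+919000000001", "+919000000002", "+919000000003"]
    for i in range(25):   # ordinary user: repeat callees, several cells, receives calls, texts
        cdrs.append(Cdr("404100000000001", "MO", "voice", friends[i % 3], f"cell-{i % 4}", 120))
    for i in range(10):
        cdrs.append(Cdr("404100000000001", "MT", "voice", friends[i % 3], f"cell-{i % 4}", 90))
    cdrs.append(Cdr("404100000000001", "MO", "sms", friends[0], "cell-1", 0))
    for i in range(40):   # SIM box channel: outbound only, new callee each time, one cell, no SMS
        cdrs.append(Cdr("404100000000099", "MO", "voice", f"+9198000{i:05d}", "cell-7", 180))
    return cdrs


SAMPLE_CDRS = _constructed_records()

if __name__ == "__main__":
    for imsi, reasons in flag_simboxes(SAMPLE_CDRS).items():
        print(imsi, "->", ", ".join(reasons))
```

Run against the constructed records, only the second IMSI is flagged, with all four indicators; the ordinary subscriber triggers none. In practice the cell and SMS signals are the ones a well-run SIM box defeats first (by rotating SIMs and injecting a little decoy traffic), so the incoming-call and distinct-callee ratios carry most of the weight.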

GSM gateway interconnect devices

Interconnect systems, such as gateways, allow voice interoperability between otherwise
incompatible radio communication systems. Interoperability is achieved by retransmitting voice
between interconnected radio subscriber units, both mobile and portable. Linking incompatible
radio frequency bands and systems can be relatively easy and effective, although interconnect
deployment requires a new strategy and new operational procedures. The gateway approach to
interoperability has significant potential, considering the ease of gateway deployment and its
relatively low cost when compared to a wide-area radio system. A gateway is a type of interconnect
system. Gateways can also connect trunked talk groups, encrypted networks, public telephone
systems, and cellular or satellite phone connections. Most gateway devices are mobile and
portable, but many are used in permanent configurations.

· Interconnect Bypass Fraud Global Scenario

According to a survey conducted by the Communication Fraud Control Association (CFCA)
in the year 2015, the revenue loss amounts to $3.77 billion USD. According to this survey, the top
10 countries where the fraudulent calls originated are listed in Table 14.1.

Table 14.1: Country-wise fraudulent calls in percentage based on call origin
(source: CFCA Survey Report 2015)

Country                 Fraudulent calls (%)
United States           5%
Pakistan                4%
Spain                   4%
Cuba                    3%
Italy                   3%
Philippines             3%
Somalia                 3%
United Kingdom          2%
Dominican Republic      1%
Egypt                   1%

The survey further points out the percentages of the top five frauds: interconnect bypass
fraud in the network is around 5%, whereas in roaming, interconnect bypass fraud amounts to
between 20 and 25%. This can be seen clearly in Figure 14.8.

Figure 14.8: Percentage comparison of SIMBox fraud in Network Vs. Roaming
(Source: Communication Fraud Control Association - CFCA - Survey Report 2015)

Authorities in the US say that the hackers were involved in an international crime ring that
scammed telecommunication companies out of an estimated $50 million USD in the last few years.
Criminals on the FBI’s most-wanted list of cyber criminals have been arrested by authorities in their
native Pakistan. Serbian police cracked down on an illegal SIM box scheme: according to Serbia’s
Interior Ministry, in cooperation with the special cyber crime department of the Prosecutor’s Office
and the Interior Ministry of Macedonia, they identified miscreants using SIM boxes to bypass
international communications via VoIP and make low-cost calls in Serbia. More than 40,000 SIM
cards of mobile operators from Serbia, Croatia, Slovenia, Albania, and Bosnia and Herzegovina
were found in Macedonia. There are incidents in Ghana where fraudsters connived with partners
abroad to route Internet calls via VoIP so that the call appears to be a local one. The seized SIM
cards and connecting devices are illustrated in Figure 14.9. There have been incidents where even
women have been arrested for alleged SIM box fraud.

Figure 14.9: Seized SIM cards and SIMBox (Source: http://pulse.com.gh/telecom/
fighting-fraud-we-will-root-out-simbox-fraud-in-ghana-afriwave-id4389721.html)

· Interconnect Bypass Fraud Indian Scenario

Recently, in India, a techie was arrested for operating a telephone exchange for a
Pakistani spy. According to sources, the Uttar Pradesh Anti-Terrorism Squad busted an
illegal telephone exchange and spying racket that posed a national security threat. The act was
committed by a software engineer from South Delhi and ten others from Lucknow and other parts
of UP. The exchanges were not only making lakhs of rupees by routing international calls that
bypassed the legal gateways; they were also used by Pakistan’s Inter-Services Intelligence (ISI)
to call Army officials and elicit information from them. The racket was busted after the Defence
Ministry and the Army alerted military intelligence in Jammu & Kashmir. ISI had been spying
through these calls and innocent victims had been sharing information. Intelligence officials
unearthed the racket and found that the illegal network was using SIM boxes to carry out its
spying activities. Callers based in Pakistan and Bangladesh made calls using VoIP through the
SIM box and were connected to receivers in India, who could only see Indian numbers on their
phone screens. Law enforcement authorities recovered 16 SIM box units, 140 prepaid cards,
10 mobile phones, 28 data cards and five laptops. The SIM box recovered from the suspects is
illustrated in Figure 14.10.

Figure 14.10: SIM BOX recovered from Accused
(Source: Times of India: http://timesofindia.indiatimes.com/india/uttar-pradesh-ats-
busts-international-call-racket-spying-on-army-units-11-arrested/articleshow/56781030.cms?)

Hardware used to facilitate bypass fraud includes:

· SIMBOX

· VOIP gateways

· Session Initiation Protocol (SIP) devices

· International Revenue Sharing Fraud (IRSF)

International Revenue Sharing Fraud (IRSF) is one of the most persistent types of fraud
within the telecom industry. In IRSF, telecom pirates often use illegal means to gain access to an
operator’s network in order to drive traffic to phone numbers obtained from an International
Premium Rate Number provider. This devious activity lures subscribers into using attractive
services offered by calling a telephone line, which results in substantial charges to the caller.

Different types include:

· Premium rate stuffing

· SIM Chip Theft and Call Generation

· “Free” Conference Call Services

· Actual Pay-per-Call Fraudulent Services

14.3.1.6. Phishing

Phishing is a very popular form of hacking. It is simply the attempt to acquire personal
information such as usernames, passwords, credit card account information, and other sensitive
information by posing as a legitimate company. This can be done via email (its most popular
form), phone calls, or even text messages. Phishing attacks in 2012 accounted for an estimated
$1.5 billion in losses.

Email phishing is when hackers send fake emails that are often almost identical to emails
you would receive from legitimate financial, e-commerce, or social websites. These emails
often contain links that direct users either to websites that contain malware or to websites with
login pages that look very similar to the login pages of legitimate companies.

In this increasingly digital world, users can use online services for paying bills, making
purchases, applying for a loan, paying that loan back, paying taxes, paying for traffic violations,
and so many other things. Because of this rise in online transactions, phishing is increasingly
prevalent. What’s more, email phishing is easy to automate. Everything can be done online and
on a massive scale, attacking thousands of users at once.

14.3.1.7. SMISHING

SMS phishing (often called “smishing”) operates in a similar fashion to its better-known
cousin, email phishing. Instead of using an email to bait victims into sending sensitive information
such as bank, credit card, or Social Security numbers, and usernames or passwords, fraudsters
use text messages. SMS phishing is particularly easy to carry out, as there is no junk filter like
there is for email, and spoofing an SMS sender is less intricate than email spoofing. What’s more,
users may be charged for receiving these texts. Luckily though, it is fairly easy to report fraudulent
texts to your phone carrier or to the FTC. Smishing attacks can come in many different forms, from
offers of a gift card from a major retailer, or even deals on mortgages, to the aforementioned
alerts about accounts or cards.

14.3.1.8. VISHING

Voice phishing is the criminal practice of using social engineering over the telephone
system to gain access to private personal and financial information from the public for the
purpose of financial reward. It is sometimes referred to as “vishing”, a word that combines
“voice” and “phishing”. Voice phishing exploits the public’s trust in landline telephone services,
which have traditionally terminated in physical locations known to the telephone company and
associated with a bill-payer. Voice phishing is typically used to steal credit card numbers or
other information used in identity theft schemes from individuals. Some fraudsters use features
facilitated by Voice over IP (VoIP), such as caller ID spoofing (to display a number of their
choosing on the recipient’s phone) and automated systems (IVR). Voice phishing is difficult for
legal authorities to monitor or trace. To protect themselves, consumers are advised to be highly
suspicious when receiving messages directing them to call and provide credit card or bank
numbers; vishers can in some circumstances intercept calls that consumers make when trying to
confirm such messages.

14.3.1.9. Premium rate service fraud

Premium rate service fraud is the second largest contributor to the $46.3 billion problem
of mobile fraud. It rakes in $4.73 billion globally and $1.35 in North America in losses for
subscribers annually. This type of fraud directly attacks subscribers by getting them to make
calls to a premium rate telephone number.

The most common occurrences of premium rate service fraud directly attack phone
companies through the subscription fraud method. It is a fairly basic scheme that takes advantage
of phone billing cycles. Fraudsters set up a premium-rate phone number through a carrier and
subscribe to one or multiple phone lines through a different carrier using false information.
They then run autodialers on the subscriber lines that call the premium rate numbers, running
up extremely large bills. They never pay the subscription bills, but they receive the profits from the
premium-rate line. This goes on until the phone company begins to investigate a bill for
nonpayment, at which point the fraudsters simply close out their services, leaving the bills unpaid
at the expense of the phone company.

14.3.1.10. Roaming Fraud

Roaming is one of the highest revenue earners in the telecommunications industry, which
means that it is also the most vulnerable to fraudulent attacks. Every year, the telecommunications
industry loses $46.3 billion to fraud, and roaming fraud takes the biggest hit: about $6 billion
globally and almost $2 billion in North America, according to the Communications Fraud Control
Association’s most recent survey. These losses can contribute to rises in cell phone carrier
rates, which in turn has repercussions on a company’s brand and customer satisfaction.

Roaming fraud can happen when a subscriber who used the services of the visited network
refuses to pay for them, either by claiming ignorance or insufficient knowledge of the additional
costs, or by claiming that the service was never requested. It is fraud in its most basic form.

14.3.1.11. Subscription fraud

In the case of identity theft subscription fraud, it is often difficult for the victim to resolve
the fraud, as he or she may not discover it for a long time because of the nature of monthly phone
bills. Additionally, phone carriers are wary of customers claiming subscription fraud, and victims
may find it difficult to prove that they did not actually make the calls they were billed for.

The reason subscription fraud is so pervasive is that it lends itself to many different
types of mobile fraud. For example, scammers gain access to a phone line via subscription
fraud to rack up charges on roaming networks, which is called roaming fraud.

14.3.1.12. Wangiri Fraud

In Japanese, “wan” means “one” and “giri” means “hang up”. This form of fraud, also
known as “one ring and cut”, targets millions of mobile phone users by making random calls
from premium-rate phone lines, letting the call ring once, and then hanging up. By leaving a
“missed call” on a user’s phone, the scammers hope that the user will call back. When they do,
they find themselves listening to advertisements for things like subscriptions to premium chat
lines or Internet services. The scammer pockets the revenue from the call, since they are hardly
charged for receiving a phone call. The charge goes onto the user’s phone bill, which is often
not seen until weeks or months later, if ever. This extremely successful fraud method, which
originated in Japan, has caused $2 billion of losses globally and $570 million in North America in
the last year. Wangiri fraud is a fairly new form of mobile fraud, especially in its more organized
forms. When paired with international revenue share fraud, Wangiri fraud can cause serious
damage. Mobile phone users see a missed call from a domestic-looking number (usually one
with a three-digit area code), but the number is in fact connected to an international premium-rate
service line. Many consumers are not aware that many three-digit area codes connect callers to
international lines (often in the Caribbean), which is why this generates exponentially more
revenue for the scammers. Additionally, Wangiri fraud used to be operated manually but has since
been automated; specialized fraud firms were common in the early 2000s, making thousands of
calls a day with the use of autodialers.
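Both the premium rate subscription scheme described under 14.3.1.9 and the Wangiri pattern above leave a distinctive trace in call detail records, which is where an operator’s fraud team looks for them before the billing cycle closes. The following added example (not from the course text or from any vendor’s fraud-management product) runs two detectors over constructed records: subscriber lines pumping calls into premium-rate numbers, and source numbers that briefly ring many different subscribers without the call ever being answered. The record fields, the premium-rate prefixes, the sample numbers and the thresholds are all assumptions.

```python
"""
Two call-pattern detectors over call detail records (CDRs): premium-rate
stuffing (a subscriber line autodialling premium numbers) and Wangiri
(one-ring-and-cut calls from one source to many subscribers).

Added example, not from the course text. Records, number prefixes and
thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    caller: str
    callee: str
    ring_s: int    # seconds the call rang before answer or hang-up
    talk_s: int    # seconds of conversation; 0 if never answered


# Constructed assumption: treat these prefixes as premium-rate number ranges.
PREMIUM_PREFIXES = ("+4490", "+1900")


def is_premium(number, prefixes=PREMIUM_PREFIXES):
    return number.startswith(prefixes)


def premium_stuffing_suspects(records, min_calls=15, min_minutes=60):
    """Subscriber lines whose premium-rate traffic in the cycle exceeds both thresholds."""
    per_line = defaultdict(lambda: [0, 0])          # caller -> [premium calls, premium seconds]
    for r in records:
        if is_premium(r.callee):
            per_line[r.caller][0] += 1
            per_line[r.caller][1] += r.talk_s
    return sorted(line for line, (n, secs) in per_line.items()
                  if n >= min_calls and secs / 60 >= min_minutes)


def wangiri_suspects(records, max_ring_s=5, min_targets=20, min_unanswered_ratio=0.95):
    """Source numbers that briefly ring many distinct subscribers and are almost never answered."""
    per_src = defaultdict(lambda: {"targets": set(), "calls": 0, "unanswered_short": 0})
    for r in records:
        s = per_src[r.caller]
        s["calls"] += 1
        s["targets"].add(r.callee)
        if r.talk_s == 0 and r.ring_s <= max_ring_s:
            s["unanswered_short"] += 1
    return sorted(src for src, s in per_src.items()
                  if len(s["targets"]) >= min_targets
                  and s["unanswered_short"] / s["calls"] >= min_unanswered_ratio)


def _constructed_records():
    recs = []
    # Normal subscriber: a handful of ordinary calls and one genuine premium call.
    recs += [CallRecord("+919000000001", "+919000000002", 8, 300) for _ in range(5)]
    recs.append(CallRecord("+919000000001", "+449012345678", 6, 120))
    # Fraudulent subscription line: autodialler pumping traffic to a premium number it controls.
    recs += [CallRecord("+919000000777", "+449099999999", 2, 600) for _ in range(40)]
    # Wangiri source: rings 50 different subscribers for three seconds each and hangs up.
    recs += [CallRecord("+190055512345", f"+9198{i:08d}", 3, 0) for i in range(50)]
    return recs


SAMPLE_RECORDS = _constructed_records()

if __name__ == "__main__":
    print("premium stuffing:", premium_stuffing_suspects(SAMPLE_RECORDS))
    print("wangiri sources:", wangiri_suspects(SAMPLE_RECORDS))
```

The two detectors complement each other: the first works on the victim operator’s own subscriber lines, the second on inbound traffic, and the Wangiri callback stage (many subscribers dialling the same foreign premium number minutes after a one-ring call) can be caught by running the premium-rate check per callee instead of per caller.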

14.3.2. Fraud methods


14.3.2.1. Slamming and Cramming

Slamming refers to when phone carriers illegally change customers’ telephone service
without their permission. Telephone service providers are obligated by law to obtain customers’
permission before switching them to a different provider.

Cramming refers to when phone carriers illegally add charges to customers’ telephone
bills for services they did not authorize. Similar to slamming, telephone service providers are
obligated by law to obtain customers’ permission before placing charges on their telephone bill.

14.3.3. Private Branch Exchange (PBX)

A PBX is a private telephone network used within a company. Rather than requiring a line for
each employee, which can be costly, a PBX system switches calls between users on local lines
while allowing them to share several external phone lines for making calls outside the PBX.
Phone calls within the company are typically made by dialing a three- or four-digit extension. The
term PBX was first introduced in the time of switchboards, where operators would manually
connect calls, but over time the process has become standardized.

Summary
· Fraud takes place when a person deliberately practices deception in order to gain
something unlawfully or unfairly. The act of fraud can be classified as either a civil
or a criminal wrong. It occurs for the purpose of deceiving another person or entity.

· Trusted persons become trust violators when they conceive of themselves as having
a financial problem which is non-shareable, are aware this problem can be secretly
resolved by violation of the position of financial trust, and are able to apply to their
own conduct in that situation verbalizations which enable them to adjust their
conceptions of themselves as trusted persons with their conceptions of themselves
as users of the entrusted funds or property.

· Perceived Pressure: This is the motivation behind the crime, and it can be either
personal financial pressure such as debt problems, or work pressure, or a shortfall
in revenue. The pressure is seen by the individual as unsolvable. A common example
of a perceived unshareable financial problem is gambling debt.

· Opportunity: The opportunity to commit fraud is the circumstances that allow fraud
to occur, and is the only condition over which the organization has complete control.
Opportunities to commit fraud are commonly present in organizations that have
poor internal controls or whose controls can be overridden by management. If internal
control is designed in a way that the risk of getting caught is too high, it is likely that
the employee will not exploit the perceived opportunity for his or her personal gain.
Without opportunity, fraud can never happen.

· Rationalization: Rationalization of committing fraud is the most difficult condition
to observe because it takes place in the mind of the perpetrator. Rationalization has
to do with justifying the fraud. Since many fraudsters view themselves as honest,
ordinary people and not as criminals, they have to come up with some reasoning to
make the act of committing fraud more acceptable to them. Some common
rationalization statements are “I’ll just take this money now and pay it back later,”
“No one will notice,” or “I deserve this after all these years with this company.” Some
fraudsters rationalize their behaviour by reframing their definition of wrongdoing
to exclude their own actions.

· Factors that lead to telecom fraud are Criminal greed; Disgruntled employees;
Complexity in technology; Failure to understand the complexity of new technologies;
Weakness in operating system; Failure of business models; Money laundering;
Free financial gain; Political and ideological factors; Ineffective audit systems leading
to telecom pirates

· Telecommunication fraud can be defined as the theft of services or deliberate abuse
of voice or data networks: any transmission of voice or data across a
telecommunications network where the intent of the sender is to avoid or reduce
legitimate call charges, which broadly means misuse with dishonest intention.

· Phreaking or telecommunication fraud is the process of gaining unauthorized access
into a secured telecommunication system for exploiting the services such as phone
networks and copying the dialing tones. Phreak is a combination of phone and
freak. Phreakers include customers, geeks and communication service providers.

· Switch hooking was the first phreaking method used. In this method calls were
made by disabling the rotary keypad. It was accomplished by pressing and releasing
the switch hook to open and close the circuit quickly.

· War dialing is a technique to automatically scan a list of telephone numbers, usually
dialing every number in a local area code to search for modems, computers, bulletin
board systems (computer servers) and fax machines.

· Private Branch Exchange (PBX) is an internal telephone system that directs calls
from one person to another within an enterprise. In this type of fraud, the criminals
break into the PBX system and sell long distance calls to third parties around the
world. In the current global scenario, PBX is software driven, with features such as
voice mail, a maintenance port and direct inward system access (DISA).

· Network fraud comprises Interconnect Bypass Fraud; International Revenue
Sharing Fraud (IRSF); False Answer Fraud; “A” Number Pass-through / Interconnect
Agreement Compliance Testing.

· Interconnect bypass fraud is one of the most complicated fraud types in recent
times. Telecom regulators and mobile operators face a staggering revenue loss,
since bypass fraud is proving to be the most prolific and costly of frauds.

· In SIM boxing, calls bypass the normal course of connection, appearing to a
network provider to originate from a customer phone. The calls are delivered at a
subsidized domestic rate instead of the international rate. Such activity has a negative
impact on availability, reliability and quality of service for legitimate consumers.

· The most common occurrences of premium rate service fraud directly attack phone
companies through the subscription fraud method. It is a fairly basic scheme that
takes advantage of phone billing cycles. Fraudsters set up a premium-rate phone
number through a carrier and subscribe for one or multiple phone lines through a
different carrier using false information.

Check your answers


1. What is fraud?

2. What is fraud triangle?

3. What is perceived pressure?

4. What is telecommunication fraud?



5. What are the different types of telecom frauds?

6. What is switch hooking?

7. What is PBX fraud?

8. What is interconnect Fraud?

9. What is SIMBoxing?

10. What is meant by Premium service rate fraud?

Reference
1. https://internalaudit.ku.edu/what-fraud

2. https://www.syniverse.com/assets/files/custom_content/global_mobile_fraud_trends_report.pdf

3. https://jotopr.com/chargebacks911-dissects-key-types-of-credit-card-fraud-identity-
theft-to-friendly-fraudcybershoplifting/

4. http://www.businessdictionary.com/definition/fraud.html

5. https://internalaudit.ku.edu/what-fraud

6. Donald R. Cressey, Other People’s Money (Montclair: Patterson Smith, 1973), p. 30.

LESSON - 15
CYBER FRAUDS - PART - II - PAYMENT CARD FRAUDS
Learning objectives

After reading this lesson you will be able to learn the following:

· Cyber Frauds – Payment Card Frauds

· Evolution of Payment cards

o Debit Card

o Credit Card

· Master Card

· Maestro Card

· Visa Card

· Rupay Card

· EMV Chip Technology

· Global Scenario

· Indian Scenario

· Payment Card Frauds

· Counter measures

Structure
15. Cyber Frauds – Payment Card Frauds

15.1. Evolution of Payment Cards

15.1.1. Debit Card

15.1.2. Credit Card

15.2. Master Card

15.3. Maestro Card

15.4. Visa Card



15.5. Rupay Card

15.6. EMV Chip Technology

15.7. Global Scenario

15.8. Indian Scenario

15.9. Payment Card Frauds

15.10. Countermeasures

15. Payment card frauds


15.1. Evolution of Payment cards

Payment cards are part of a payment system issued by financial institutions, such as a bank,
to a customer, enabling the owner (the cardholder) to access the funds in the customer’s
designated bank accounts or a credit account, make payments by electronic funds transfer, and
use automated teller machines (ATMs). Most payment cards, such as debit and credit cards, can
also function as ATM cards, although ATM-only cards are also available. The use of a credit card
to withdraw cash at an ATM is treated differently from a POS transaction, usually attracting interest
charges from the date of the cash withdrawal. Interbank networks allow the use of ATM cards at
ATMs of private operators and financial institutions other than the institution that issued the cards.

15.1.1. Debit Card

A debit card (also known as a bank card or cheque card) provides an alternative payment
method to cash when making purchases. Functionally, it can be called an electronic cheque, as
the funds are withdrawn directly from either the bank account, or from the remaining balance
on the card. In most of the countries the use of debit cards has become so widespread that their
volume of use has overtaken or entirely replaced the cheque and, in some instances, cash
transactions. Like credit cards, debit cards are used widely for telephone and Internet purchases
and, unlike credit cards, the funds are transferred immediately from the bearer’s bank account
instead of having the bearer pay back the money at a later date. Debit cards may also allow for
instant withdrawal of cash, acting as the ATM card for withdrawing cash and as a check guarantee
card. Merchants may also offer cash back facilities to customers, where a customer can withdraw
cash along with their purchase.

15.1.2. Credit Card

A credit card is issued to users as a system of payment. It allows its holder to buy goods
and services based on the holder’s promise to pay for these goods and services. The issuer of
the card creates a revolving account and grants a line of credit to the consumer (or the user)
from which the user can borrow money for payment to a merchant or as a cash advance to the
user.

Most credit cards are issued by banks or credit unions. Table 15.1 below gives a comparison
for better understanding of the difference between a credit card, debit card and a prepaid card.

Table 15.1: Comparison between credit/debit and prepaid card

What it is
  Credit Card: A credit card is a loan.
  Debit Card: A debit card is linked to the customer’s bank account and is issued by your bank.
  Prepaid card: There are a variety of prepaid cards: “General Purpose Reloadable” (GPR) cards carry the brand of a card network (Visa or MasterCard) and are used where that brand is accepted; payroll cards; gift cards.

How it works?
  Credit Card: Borrowed funds, used via a credit card, must be paid back. Pay interest if not repaid in full. Useful if the bank account balance is low or to take advantage of a no-interest introductory period.
  Debit Card: Money spent is taken directly from the linked bank account. Useful for small and routine purchases. Considered less beneficial than credit cards for major purchases or buying items online because of the more limited protections in cases of unauthorized transactions or disputes.
  Prepaid card: Allow consumers to spend only the money deposited onto them. May have a number of different features.

Consumer Protections Available

Liability for Unauthorized Transactions
  Credit Card: Liability for losses.
  Debit Card: Liability for losses.
  Prepaid card: Liability depends on the type of funds on the card.

Disclosures
  Credit Card: Credit card solicitations must disclose certain information, including the annual percentage rate (APR), variable rate, penalty rate, fees, etc.
  Debit Card: Banks must disclose any fees associated with using the debit card as well as its error resolution process.
  Prepaid card: Disclosures depend on the type of card.

Periodic Statements
  Credit Card: Credit card issuers must provide a periodic statement for each billing cycle.
  Debit Card: Banks must provide a periodic statement for each monthly cycle in which a transaction has occurred.
  Prepaid card: Payroll cards - periodic statement or account balance; electronic transaction history. GPR cards - periodic statement.

Change in Terms
  Credit Card: Credit card issuers must provide sufficient notice before making any significant changes to the account, such as the interest rate or fees charged.
  Debit Card: Banks must provide notice before making changes to fees charged or the liability limits for unauthorized transactions.
  Prepaid card: Payroll cards must provide notice before making changes to fees charged or the liability limits for unauthorized transactions. GPR cards and gift cards do not require any notice.

Interest Rate and Fee Limits
  Credit Card: Generally, credit card issuers cannot increase the annual percentage rate (APR) or fees within the first year of account opening (although there are some exceptions to this rule). Reevaluate interest rate every 6 months.
  Debit Card: There are no specific requirements related to debit cards.
  Prepaid card: GPR cards and gift cards have certain restrictions on dormancy fees charged. There are no specific requirements related to payroll cards.

15.2. What is a ‘MasterCard Card’?


A MasterCard card is any electronic payment card that uses the MasterCard network for
processing transaction communications. These cards are typically branded with a MasterCard
logo. They can be credit, debit or prepaid cards.

Mastercard, originally known as Interbank/Master Charge, was created by several
California banks as a competitor to the BankAmericard issued by Bank of America, which later
became the Visa credit card issued by Visa Inc. From 1966 to 1979, Mastercard was called
“Interbank” and “Master Charge”.

MasterCard Worldwide is an American multinational corporation with its headquarters in
the MasterCard International Global Headquarters in Harrison, New York, United States.
Throughout the world, its principal business is to process payments between the banks of
merchants and the card issuing banks or credit unions of the purchasers who use the
“MasterCard” brand debit and credit cards to make purchases.

MasterCard itself is a financial services business that partners with financial institutions to
issue MasterCard branded cards that are processed through the MasterCard network. The
issuing financial institution usually pays the cost of producing the cards and mailing them to
customers with specific card terms. When a financial institution partners with MasterCard then
it means that all transaction processing communications must be done through MasterCard as
the network processor.

MasterCard does not have a financial business component for credit card underwriting or
banking deposit services. Therefore MasterCard serves as a networking processing servicer
but they do not have the capability to underwrite credit or offer deposit accounts on their own.
This requires them to partner with financial institutions for all card issuance.

15.3. Maestro
Maestro is a multi-national debit card service owned by MasterCard, and was founded in
1990. Maestro cards are obtained from associate banks and can be linked to the card holder’s
current account, or they can be prepaid cards. Within the EU and certain other countries, Maestro
is MasterCard’s main debit brand and is the equivalent of signature debit card which does not
require electronic authorization, similar to the Visa Debit card. In most other countries, Maestro
is equivalent to a Visa Electron and is MasterCard’s tertiary card. It requires electronic
authorization much like a Solo debit card, i.e. not only must the information stored in either the
chip or the magnetic stripe be read, this has to be sent from the Merchant to the issuing bank,
the issuing bank then has to respond with an affirmative authorization. If the information is not
read, the issuer will decline the transaction, regardless of any disposable amount on the
connected account. This is different from other debit and credit cards, where the information
can be entered manually into the terminal (i.e. by punching the 13 to 19 digits and the expiry
date on the terminal) and still be approved by the issuer or stand-in processor.

15.4. What is a Visa card?


Visa Inc. is a global payments technology company headquartered in San Francisco,
California. It facilitates electronic funds transfers throughout the world, most commonly through
Visa-branded credit card and debit cards. Visa does not issue cards, extend credit or set rates
and fees for consumers; rather, Visa provides financial institutions with Visa-branded payment
products that they then use to offer credit, debit, prepaid and cash-access programs to their
customers.

Visa Debit

Visa Debit is a major debit card issued by Visa in the United Kingdom, the Republic of
Ireland and other nations of the European Union. Prior to October 2004, the debit card was
known as Visa Delta. Since June 2009, the major banks in the UK have begun issuing Visa
Debit. Barclays, Bank of Scotland/Halifax, Lloyds TSB, and Santander have already issued the
card. HSBC, RBS (including NatWest and Ulster Bank) are currently in the process of migrating
to the card from the Maestro debit card.

Visa Electron

Visa Electron is a debit or credit card available across most of the world, with the exception
of Canada, Australia, Ireland and the United States. The card was introduced by VISA in the
1980s and is a sister card to the Visa Debit card. The difference between Visa Electron and
Visa Debit is that payments with Visa Electron require that all the funds be available at the time
of transfer, i.e., Visa Electron card accounts may not be overdrawn. Visa Debit cards, on the
other hand, allow transfers exceeding available funds up to a certain limit. Some online stores
and all offline terminals (like on trains and aircraft) do not support Visa Electron because their
systems cannot check for the availability of funds.

15.5. RuPay Card


RuPay is an Indian domestic card scheme conceived and launched by the National
Payments Corporation of India (NPCI). It was created to fulfill the Reserve Bank of India’s desire
to have a domestic, open loop, and multilateral system of payments in India. In India, 90 per
cent of credit card transactions and almost all debit card transactions are domestic; however,
the cost of transactions was high due to monopoly of foreign gateways like Visa and Mastercard.
RuPay facilitates electronic payment at all Indian banks and financial institutions.
The IndiaPay scheme was conceived by the National Payments Corporation of India as
an alternative to the MasterCard and Visa card schemes, and to consolidate and integrate
various payment systems in India. It was renamed to RuPay to avoid naming conflicts with
other financial institutions using the same name.
The RuPay card was launched on 26 March 2012. NPCI entered into a strategic partnership
with ”Discover Financial Services” (DFS) for RuPay Card, enabling the acceptance of RuPay
Global Cards on Discover’s global payment network outside of India. Some of the unique benefits
offered by RuPay card are:
· Low cost and affordability
· Customized product offerings
· Personal data protection & Insurance
· Interoperability

15.6. The EMV Chip Technology


EMV chip technology is becoming the global standard for credit card and debit card
payments. Named after its original developers (Europay, MasterCard and Visa), this technology
features payment instruments (cards, mobile phones, etc.) with embedded microprocessor
chips that store and protect cardholder data. This standard has many names worldwide and
may also be referred to as “chip and PIN”, “chip and signature”, “chip-and-choice”, or generally
as “chip technology.” Chip-enabled cards are standard bank cards that are embedded with a
micro computer chip. Some may require a PIN instead of a signature to complete the transaction
process. Chip technology is an evolution in our payment system. EMV is the most recent
advancement in a global initiative to combat fraud and protect sensitive payment data in the
card-present environment. Some of the advantages are:

· Increased security
· Reduced card-present fraud
· Enables the use of future value-added applications.
· Payment data is more secure on a chip-enabled payment card than on a magnetic
stripe (magstripe) card, as the former supports dynamic authentication, while the
latter does not (the data is static).

· Consequently, data from a traditional magstripe card can be easily copied (skimmed)
with a simple and inexpensive card reading device – enabling criminals to reproduce
counterfeit cards for use in both the retail and the CNP environment.

· Chip (EMV) technology is effective in combating counterfeit fraud with its dynamic
authentication capabilities (dynamic values existing within the chip itself that, when
verified by the point-of-sale device, ensure the authenticity of the card).

· In addition to the reduction of fraud and related chargebacks, there are other cost
savings associated with EMV acceptance.

The chip technology standard for payment was first used in France in 1992. Today, there
are more than 1 billion chip cards used around the world. Preventing the growth of card-present
fraudulent activity is one of the main reasons the industry is moving toward EMV technology.
Chip cards make it difficult for fraud organizations to target cardholders and businesses alike.
As a result, more and more chip cards are being introduced by financial institutions in order to
support and switch over to this technology. The flow of a payment card transaction is illustrated in
Figure 15.1.

Figure 15.1: Flow Chart of Payment Card Transaction
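The contrast the lesson draws between static magstripe data and the chip’s dynamic authentication can be made concrete with a small simulation. The following is an added example written for this lesson, not code from the course material or from EMVCo: the card’s cryptogram is modelled as an HMAC over a terminal-supplied unpredictable number and the card’s own transaction counter (a real EMV ARQC is built with 3DES/AES session keys; the structure is simplified here), and the PAN and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: not a real card number or key.
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"\x01" * 16          # per-card secret shared only by the chip and the issuer


class MagstripeIssuer:
    """Magstripe model: the issuer can only check that the static track data belongs to a known account."""

    def __init__(self, known_tracks):
        self.known = set(known_tracks)

    def authorise(self, track_data):
        return track_data in self.known


def compute_cryptogram(key, pan, amount, unpredictable_number, atc):
    # Simplified stand-in for the EMV ARQC: a keyed MAC over the transaction data.
    msg = f"{pan}|{amount}|{unpredictable_number}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """The chip keeps its key and a monotonically increasing Application Transaction Counter (ATC)."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key                # never leaves the chip
        self.atc = 0

    def generate_arqc(self, amount, unpredictable_number):
        self.atc += 1
        return self.atc, compute_cryptogram(self._key, self.pan, amount, unpredictable_number, self.atc)


class ChipIssuer:
    """Issuer side: recomputes the cryptogram and rejects reused counters."""

    def __init__(self, keys):
        self._keys = dict(keys)        # pan -> key
        self._last_atc = {}

    def authorise(self, pan, amount, unpredictable_number, atc, cryptogram):
        key = self._keys.get(pan)
        if key is None:
            return False
        if atc <= self._last_atc.get(pan, 0):   # counter already consumed: a replay
            return False
        expected = compute_cryptogram(key, pan, amount, unpredictable_number, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self._last_atc[pan] = atc
        return True


def terminal_unpredictable_number():
    # Each point-of-sale terminal contributes fresh randomness to every transaction.
    return secrets.token_hex(4)


def magstripe_copy_is_indistinguishable():
    """Static data: a skimmed copy of the track authorises exactly like the original."""
    track = f"{SAMPLE_PAN}=2512"          # constructed track-2 style data
    issuer = MagstripeIssuer([track])
    skimmed_copy = str(track)
    return issuer.authorise(track) and issuer.authorise(skimmed_copy)


def chip_transaction_then_replay():
    """Dynamic data: the genuine transaction passes, captured values do not replay."""
    card = ChipCard(SAMPLE_PAN, SAMPLE_KEY)
    issuer = ChipIssuer({SAMPLE_PAN: SAMPLE_KEY})
    un = terminal_unpredictable_number()
    atc, arqc = card.generate_arqc(amount=1999, unpredictable_number=un)
    genuine = issuer.authorise(SAMPLE_PAN, 1999, un, atc, arqc)
    # Replaying the captured values verbatim: the ATC was already used.
    replay_same = issuer.authorise(SAMPLE_PAN, 1999, un, atc, arqc)
    # Presenting the captured cryptogram at another terminal: different UN, so the MAC fails.
    other_un = terminal_unpredictable_number()
    while other_un == un:
        other_un = terminal_unpredictable_number()
    replay_elsewhere = issuer.authorise(SAMPLE_PAN, 1999, other_un, atc + 1, arqc)
    return genuine, replay_same, replay_elsewhere


if __name__ == "__main__":
    print("magstripe copy accepted:", magstripe_copy_is_indistinguishable())
    print("chip genuine / replay / replay elsewhere:", chip_transaction_then_replay())
```

The magstripe issuer has nothing but the track data to check, so a copy is accepted as readily as the original; the chip issuer sees a different unpredictable number and counter on every transaction, so captured values verify only once.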


15.7. Global Scenario


The purchase transaction worldwide is expected to grow by approximately five times as
per the Nilson report Jan 2018. In 2026 global brand credit, debit, and prepaid cards are projected
to reach 767 billion purchase transactions for goods and services worldwide, considering the
rate of proliferation of the global brand cards like Visa, Mastercard, UnionPay, American Express,
Discover/Diners Club, and JCB.

E-payments are forecasted to grow at a CAGR of 17.6% from 2015 to 2019, due to the adoption
of instant payments and growth in emerging markets. However, the year-on-year growth rate of
e-payments is expected to slow down from 19.2% in 2016 to 15.3% in 2019. The slowdown is
expected to be primarily due to the growing acceptance of m-payments and a shift of transaction
volumes from e-payments to m-payments. Worldwide purchase transactions are illustrated in
Figure 15.2.

Figure 15.2: Worldwide Purchase Transactions 2016 vs. 2026


15.8. Indian Scenario: Expanding foot prints of Payment Cards


15.8.1. Debit Cards

According to statistics recently released by the RBI and reported by Medianama, there
were 842.50 million debit cards in India by Feb 2018, of which 480.70 million were
issued by the top five banks. Between Dec 2016 and Dec 2017 an estimated 81.4 million debit
cards were added. Among the top five banks, approx. 278.2 million debit cards have been
issued by SBI alone, which is more than the other four banks put together (202.6 million). This
is, of course, because of the huge customer base of SBI. The expanding number of debit cards in
India is illustrated in Figure 15.3.

Figure 15.3: Expanding number of Debit Cards

15.8.2. Credit Cards

According to the Reserve Bank of India, by Jan 2018, the number of credit cards increased
to 855.4 million, with 8.7 million new cardholders. While a total of 36.94 million credit cards
were in operation, an addition of 0.74 million cards in Jan 2018 was reported (Figure: 15.4).

Figure 15.4: Expanding number of Credit Cards

15.8.3. The power of plastic money

The power of plastic money is represented in the figure 15.5.

Figure 15.5: Power of Plastic Money


15.9. Payment Card Frauds


Credit Card Frauds

Credit card fraud is a wide-ranging term for theft and fraud committed using or involving
a payment card, such as a credit card or debit card, as a fraudulent source of funds in a
transaction. The purpose may be to obtain goods without paying or to obtain unauthorized
funds from an account. Credit card fraud is also an adjunct to identity theft. Card fraud happens
either with the theft of the physical card or with the compromise of data associated with the
account, including the card account number or other information that would routinely and
necessarily be used for a legitimate transaction. The compromise can occur because of many
common reasons and can usually be conducted without tipping off the cardholder, the merchant,
or the issuer at least until the account is ultimately used for fraud. The exponential growth of
credit card use on the Internet has made database security lapses particularly costly; in some
cases, millions of accounts have been compromised.

Stolen cards can be reported quickly by cardholders, but a compromised account can be
hoarded by a thief for weeks or months before any fraudulent use, making it difficult to identify
the source of the compromise. The cardholder may not discover fraudulent use until receiving
a billing statement, which may be delivered infrequently. Cardholders can mitigate this fraud
risk by checking their account frequently to ensure constant awareness in case there are any
suspicious, unknown transactions or activities.

Credit Card Fraud and ID Theft Statistics

(a) Data breaches

The first surge of major corporate data breaches was reported in 2014 and 2015, and
many Americans hoped it was a just a brief trend. Those hopes faded as even bigger and
established companies became the target of cybercriminals, with the most recent being the
massive data breach at the credit bureau Equifax in September 2017.

Tracking by the US-based Identity Theft Resource Center (ITRC) and CyberScout
indicates that there were more than 750 data breach cases reported in the U.S. by the end of
June 2017, an increase of 29% over the same period in 2016. At this rate, the ITRC estimated
that the number of breaches would reach 1,500 by the end of 2017. The official figures are yet to
be declared. The number of data breaches in the USA up to 2017 is shown in Figure 15.6.

Figure 15.6: Number of Data Breaches (USA)

(b) Identity Theft

The US Federal Trade Commission’s online database of consumer complaints has
compiled 13 million complaints from 2012 to 2016, with 3 million in 2016 alone. Of those, 42
percent were fraud related, and 13 percent were identity theft complaints.

Almost 1.3 million complaints were related to frauds. Consumers reported paying over
$744 million in those fraud complaints; the median amount paid was $450. Fifty-one percent of
the consumers who reported a fraud-related complaint also reported an amount paid.

More than half (55 percent) of the fraud-related complaints listed a method of initial contact,
and of those, 77 percent were contacted by phone, while only 8 percent were first reached by
email. Only 3 percent were contacted by mail.

Figure 15.7: Number of Identity Theft Complaints (USA)


According to Nilson Report 2017, the year 2016 has actually seen a considerable drop in
the worldwide card related frauds as can be seen from the graph given at figure 15.8. The
projected worldwide card fraud impact in $billion is illustrated at figure 15.9.

Figure 15.8: Worldwide Growth in Card Fraud

Figure 15.9: Worldwide Projected Card Fraud

The US Identity Theft Resource Center’s report, “Identity Theft: The Aftermath 2016”
found that nearly 20 percent of Americans surveyed were the victim of some kind of criminal
identity theft in 2015. Of those, 9.2 percent said their identity was used to commit a financial
crime that resulted in an arrest warrant.

The effects of this criminal identity theft are staggering. Fifty-five percent of victims missed
time from work, and 44 percent said they lost out on an employment opportunity. Additionally,
60.7 percent had to borrow money, and 29.5 percent had to request government assistance,
such as welfare or food stamps.

Impact of EMV Chip

As EMV technology is adopted in the card present space, it is expected that fraud will also
shift to the least secure channels, including CNP. From an online fraud perspective, it’s important
that CNP businesses be prepared for this anticipated shift, as experienced in other regions that
have already migrated toward chip card technology. While EMV chip cards have cut counterfeit
fraud, “card not present” (CNP) fraud is rising. CNP fraud includes telephone, internet and mail
order transactions in which the cardholder does not physically present the card to the merchant.

15.10 Modus Operandi


Today credit card fraud is one of the biggest threats to the business world. In simple
terms, credit card fraud is defined and is committed in the following ways:

a) An act of criminal deception (misleading with intent) by use of unauthorized account/
personal information;

b) Illegal or unauthorized use of account for personal gain;

c) Misrepresentation of account information to obtain goods and/or services.

Credit card frauds can be broadly classified into three categories: card related frauds,
merchant related frauds and internet related frauds. Different credit card frauds are as follows:

a) Application Fraud: This type of fraud occurs when a person falsifies an application to
acquire a credit card. Application fraud can be committed in three ways:

(i) Assumed identity, whereby an individual illegally obtains the personal information of another
individual and opens an account in his or her name, using partially legitimate information.

(ii) Financial fraud, where an individual provides false information about his or her financial
status to acquire credit.

(iii) Non-received items (NRIs), also called postal intercepts, occur when the card is stolen
from the postal service before it reaches its owner’s destination.

b) Lost/Stolen cards: This type of fraud occurs when a legitimate cardholder loses the
card or someone steals the card for criminal purposes.

c) Account Takeover: This type of fraud occurs when a fraudster illegally obtains all the
personal confidential information of a bona fide person. Then, impersonating the genuine
cardholder, he/she informs the bank that his residential or office address has changed. Next, he/
she reports that his credit card is lost and requests that a new card be mailed to the new address.
He/she receives the card and is thus able to successfully take over the account.

d) Counterfeit Card Fraud (also known as Skimming): A counterfeit, cloned or skimmed
card is one that has been printed, embossed or encoded without permission from the card
company, or one that has been validly issued and then altered or re-coded. Most cases of
counterfeit fraud involve skimming, a process where the genuine data on a card’s magnetic
stripe is electronically copied on to another card without the knowledge of the legitimate
cardholder. Skimming can occur at retail outlets – particularly bars, restaurants and petrol stations.

e) Card-not-present (CNP) Fraud: This type of fraud is conducted over the Internet, by
telephone, fax and mail order. It occurs when criminals obtain an individual’s card details from
discarded receipts, or by copying down the cardholder’s details during a transaction without the
legitimate cardholder’s knowledge. It is now seen largely in the UK. The problem in countering
this type of fraud is that neither the card nor the cardholder is physically present, as they would
be at a point of sale in a shop.

f) Triangulation: It occurs when a fraudster acts as a bogus intermediary between a
legitimate customer and the merchant. He advertises and sells an item, receives the payment
and then fulfils the order by using stolen credit card details.

g) Mail Non-Receipt Fraud: It occurs when a criminal intercepts a replacement card
sent to a legitimate cardholder and uses it.

h) Identity Fraud: It occurs when someone illegally obtains personal information and
repeatedly uses it to open new account or to initiate transaction in the name of legitimate
customer. Majority of identity thefts occur offline like stealing the wallets, intercepting the mail
or rummaging through the trash.

i) Phishing: It occurs when the criminal solicits sensitive information, such as the cardholder’s
financial data or other account-related information, through e-mail, posing as the cardholder’s
banker or a seller from whom the cardholder has made recent purchases. Credit card fraud has become
a regular occurrence on the Internet. Though all the parties involved in the transactions, i.e. cardholders,
merchants and card issuers, suffer losses, among them merchants are the most affected
by credit card fraud.

15.11 Countermeasures
There are different key measures, which are used for detecting and preventing credit
card frauds. Some of them are as follows:

1. Address Verification Service (AVS): This technique matches the cardholder’s billing
address and ZIP code information given for delivering the purchases against the bank’s records.
This system is available in the USA and in a few countries of Europe. However, this technique
has several weaknesses: the address information is often available online; it makes the bank’s
fraud-prevention work tedious; and it cannot check all the information on the card. Only American
Express has the facility to check international transactions through its AVS system.

2. Card Verification Value (CVV): This technology checks the 3–4 digit code on the
credit card. Its advantage is that it requires physical possession of the
card, but this advantage can be nullified by phishing. It also cannot protect the merchant from
transactions placed with physically stolen cards.

3. Negative Databases: This technology checks the order against a database of previous fraud attempts.

4. Fraud Rules: This technology checks for recognized patterns associated with fraud.
It carries the advantage that it is easy to configure and understand, but the disadvantage that,
if the fraud patterns change, a new fraud pattern may not be recognized.

5. Geolocation: This technology checks the consumer’s geographic location based on IP
address. It is advantageous as it can block or flag orders originating from high-risk countries.
However, its negative aspect is that it does not work for users behind IP proxies or satellite connections.

6. 3D-Secure: This technology works on the principle of authenticating the consumer via a
previously established password. The positive side of this system is that the fraudster needs the
legitimate cardholder’s password to complete the transaction. However, this advantage can
also be negated if the password is compromised.

7. Chip and PIN: Smart cards were introduced to prevent credit card fraud by using this
technology. The credit card has an encrypted EMV chip storing all the information, and a PIN instead
of a signature is used to prove that you are the genuine cardholder. Thus, this technique
minimizes fraud.

8. Biometrics: This is the most recent and sophisticated technology to prevent credit card
frauds. It records a unique characteristic of the cardholder like fingerprints, voice, signature,
iris, and other similar biological components so that a computer can read it. Then the computer
compares the stored characteristics with that person who presents the card for ensuring that
he/she is the legitimate cardholder. Negative aspect of this technology is that it carries additional
costs and customers are still reluctant to accept it.

9. Expertise: A team, having the responsibility of managing the infrastructure, handling
order verification, processing of chargebacks, analyzing the transactions, etc., is required to
ensure that the technology is well managed.

10. Collaboration: The whole industry has to work in collaboration to prevent fraud. This is
the right time when a united group is required to combat fraud and safeguard the business.
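In practice the address, CVV, negative-database, pattern, geolocation and velocity checks listed above are combined into a single risk score per order rather than applied one at a time. The following is an added example written for this lesson, not code from the course material or from any payment processor: a small rule-based screen run over constructed sample orders, with a constructed IP-to-country table and negative database standing in for the real services, hashed card numbers in place of PANs, and simplified AVS result codes (Y/N/U). The weights and thresholds are assumptions a merchant would tune to its own chargeback history.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed IP-to-country table standing in for a real geolocation lookup.
IP_COUNTRY = {"203.0.113.5": "IN", "198.51.100.7": "US", "192.0.2.9": "NG"}
# Constructed negative database: hashed card numbers and e-mails seen in earlier fraud attempts.
NEGATIVE_DB = {"cards": {"card-hash-stolen-01"}, "emails": {"fraud@example.net"}}


@dataclass
class Order:
    order_id: str
    card_hash: str          # hashed PAN; the screen never needs the full card number
    email: str
    ip: str
    billing_country: str
    shipping_country: str
    avs_result: str         # simplified: 'Y' match, 'N' mismatch, 'U' AVS unavailable
    cvv_present: bool
    amount: float
    ts: datetime


class FraudScreen:
    """Additive risk score; each rule corresponds to one countermeasure in the lesson."""

    def __init__(self, window=timedelta(hours=1), velocity_limit=3, review_at=40, decline_at=70):
        self.window = window
        self.velocity_limit = velocity_limit
        self.review_at = review_at
        self.decline_at = decline_at
        self._seen = defaultdict(list)      # card_hash -> timestamps of recent orders

    def score(self, o):
        score = 0
        reasons = []
        if o.card_hash in NEGATIVE_DB["cards"] or o.email in NEGATIVE_DB["emails"]:
            score += 100
            reasons.append("negative_database_hit")
        if o.avs_result == "N":                         # Address Verification Service
            score += 30
            reasons.append("avs_mismatch")
        elif o.avs_result == "U":
            score += 10
            reasons.append("avs_unavailable")
        if not o.cvv_present:                           # CVV check
            score += 25
            reasons.append("cvv_missing")
        if o.billing_country != o.shipping_country:     # billing vs shipping address
            score += 20
            reasons.append("billing_shipping_mismatch")
        ip_country = IP_COUNTRY.get(o.ip)               # geolocation
        if ip_country is None:
            score += 10
            reasons.append("ip_country_unknown")
        elif ip_country != o.billing_country:
            score += 20
            reasons.append("ip_country_mismatch")
        recent = [t for t in self._seen[o.card_hash] if o.ts - t <= self.window]   # velocity pattern
        if len(recent) >= self.velocity_limit:
            score += 45
            reasons.append("velocity_exceeded")
        self._seen[o.card_hash] = recent + [o.ts]
        if score >= self.decline_at:
            decision = "decline"
        elif score >= self.review_at:
            decision = "review"
        else:
            decision = "accept"
        return score, decision, reasons


def sample_orders():
    """Constructed orders: one clean, one with mismatches, one on the negative list,
    four rapid orders on one card, and one with missing AVS/CVV data."""
    t0 = datetime(2018, 2, 1, 9, 0, 0)
    base = dict(email="buyer@example.com", ip="203.0.113.5", billing_country="IN",
                shipping_country="IN", avs_result="Y", cvv_present=True, amount=1500.0)
    return [
        Order("ORD-1", "card-hash-ok-01", ts=t0, **base),
        Order("ORD-2", "card-hash-ok-02", "x@example.org", "192.0.2.9", "US", "NG", "N", True, 900.0, t0),
        Order("ORD-3", "card-hash-stolen-01", ts=t0, **base),
        *[Order(f"ORD-{4 + i}", "card-hash-ok-03", ts=t0 + timedelta(minutes=2 * i), **base) for i in range(4)],
        Order("ORD-8", "card-hash-ok-04", "y@example.org", "10.0.0.1", "IN", "IN", "U", False, 200.0, t0),
    ]


def screen_sample_orders():
    screen = FraudScreen()
    return {o.order_id: screen.score(o)[1] for o in sample_orders()}


if __name__ == "__main__":
    for order_id, decision in screen_sample_orders().items():
        print(order_id, decision)
```

The "review" bucket is what the lesson calls expertise: orders the rules cannot settle go to the team that verifies them by hand, while only the strongest signals (a negative-database hit, or several independent mismatches) decline an order outright.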

Summary
· Payment cards are part of a payment system issued by financial institutions, such
as bank, to a customer that enables its owner (the cardholder) to access the funds
in the customer’s designated bank accounts, or through a credit account and make
payments by electronic funds transfer and access automated teller
machines (ATMs).

· A debit card (also known as a bank card or cheque card) provides an alternative
payment method to cash when making purchases. Functionally, it can be called an
electronic cheque, as the funds are withdrawn directly from either the bank account,
or from the remaining balance on the card.

· A credit card is issued to users as a system of payment. It allows its holder to buy
goods and services based on the holder’s promise to pay for these goods and
services. The issuer of the card creates a revolving account and grants a line of
credit to the consumer (or the user) from which the user can borrow money for
payment to a merchant or as a cash advance to the user.

· A MasterCard card is any electronic payment card that uses the MasterCard network
for processing transaction communications. These cards are typically branded with
a MasterCard logo. They can be credit, debit or prepaid cards.

· Visa Inc. is a global payments technology company headquartered in San Francisco,
California. It facilitates electronic funds transfers throughout the world, most
commonly through Visa-branded credit card and debit cards.

· RuPay is an Indian domestic card scheme conceived and launched by the National
Payments Corporation of India (NPCI).

· EMV chip technology is becoming the global standard for credit card and debit card
payments. Named after its original developers (Europay, MasterCard and Visa),
this technology features payment instruments (cards, mobile phones, etc.) with
embedded microprocessor chips that store and protect cardholder data.

Check your answers


· ………………….. are part of a payment system issued by financial institutions, such
as bank, to a customer that enables its owner (the cardholder) to access the funds
in the customer’s designated bank accounts, or through a credit account and make
payments by electronic funds transfer and access automated teller
machines (ATMs).

· A ……………………….. (also known as a bank card or cheque card) provides an
alternative payment method to cash when making purchases.

· A ……………….. is issued to users as a system of payment. It allows its holder to
buy goods and services based on the holder’s promise to pay for these goods and
services.

· A …………………………. is any electronic payment card that uses the MasterCard
network for processing transaction communications. These cards are typically
branded with a MasterCard logo. They can be credit, debit or prepaid cards.

· …………………… is a global payments technology company headquartered in
San Francisco, California. It facilitates electronic funds transfers throughout the
world, most commonly through …………………….card and ……………….. cards.

· ………………… is an Indian domestic card scheme conceived and launched by
the National Payments Corporation of India (NPCI).

· ………………. is becoming the global standard for credit card and debit card
payments.

Reference
1. https://internalaudit.ku.edu/what-fraud

2. https://www.syniverse.com/assets/files/custom_content/global_mobile_fraud_
trends_report.pdf

3. http://indianresearchjournals.com/pdf/IJMFSMR/2013/March/16.pdf

4. https://ecommerceguide.com/guides/ecommerce-fraud/

5. https://jotopr.com/chargebacks911-dissects-key-types-of-credit-card-fraud-identity-
theft-to-friendly-fraudcybershoplifting/

6. https://www.chargify.com/blog/friendly-fraud-vs-chargeback-fraud/

7. https://krebsonsecurity.com/tag/triangulation-fraud/

8. https://chargebacks911.com/affiliate-fraud/

9. https://www.finextra.com/blogposting/14769/three-types-of-merchant-fraud-a-guide-
for-merchant-acquirers

10. https://www.consumer.ftc.gov/blog/2018/06/protecting-your-devices-cryptojacking

11. http://niiconsulting.com/checkmate/2014/06/it-act-2000-penalties-offences-with-
case-studies/

12. Dictionary.com

13. http://www.businessdictionary.com/definition/fraud.html

14. https://internalaudit.ku.edu/what-fraud

15. Donald R. Cressey, Other People’s Money, Montclair: Patterson Smith, 1973 p. 30.

LESSON - 16
CYBER FRAUDS - PART-III - ECOMMERCE FRAUDS
Learning Objectives

After reading this lesson you will be able to learn

· Ecommerce fraud

· Identity Theft

· Charge Back fraud

· Friendly Fraud

· Clean Fraud

· Triangulation fraud

· Affiliate Fraud

· Merchant Identity Fraud

o Bust out Fraud

o Identity Swap

o Transaction Laundering

· Credit card Fraud

· Card Testing

· Refund Fraud

· Phishing

· Advance Fee Fraud

· Signs of Ecommerce Fraud

Structure
16. Ecommerce fraud

16.1. Identity Theft

16.2. Charge Back fraud

16.3. Friendly Fraud


16.4. Clean Fraud

16.5. Triangulation fraud

16.6. Affiliate Fraud

16.7. Merchant Identity Fraud

16.7.1 Bust out Fraud

16.7.2. Identity Swap

16.7.3. Transaction Laundering

16.8. Credit card Fraud

16.9. Card Testing

16.10. Refund Fraud

16.11. Phishing

16.12. Advance Fee Fraud

16.13. Signs of Ecommerce Fraud

16. E-commerce Fraud


E-commerce Fraud can most succinctly be defined as illegal activity wrought by a cyber
criminal on a website. It results in unauthorized or otherwise fraudulent transactions, stolen
merchandise and/or wrongful requests for a refund.

E-commerce is one of the most breached areas by cyber criminals. Losses caused by
online frauds are about EUR 4 billion, with an increase of 15% per year. Any online retailer
should provide a protection system in order to limit damages caused by online threats.

The best scenario would be to prevent fraud from occurring. The first step is to monitor
and check every order, taking care that the IP, email and shipping addresses match.
Since most credit card fraud cases come from foreign buyers, care has to be taken when
transactions are international. Attention is to be paid if the billing and shipping addresses don’t
match. And last but not least, the business should be equipped with a fraud protection service. In
any case, the best defense for an online business is being aware of the threats that are out there
and knowing what to look for.

Any company that decides to start an online business or to move into a multi-channel
approach, making its offer available online, is going to deal with new issues and threats. Online
frauds are radically different from ones typically seen in brick-and-mortar businesses. The first
fundamental difference is that you can’t see your transactions’ counter-party. This fact makes it
harder to verify the identity of the person purchasing on your site. Fraudsters may be interested
to obtain funds, merchandise or expensive items to resell.

Modus Operandi

Here are some of the most common types of fraudulent activities that plague online
merchants everywhere.

16.1. Identity theft


Identity theft is the most well known form of ecommerce fraud, and the type retailers are
most concerned about. It involves a cyber criminal stealing another person’s
confidential information and using it to conduct transactions on ecommerce sites as the victim.
These transactions are typically paid for by the retailer, as the credit card companies will initiate
chargebacks on behalf of the victim. This leaves the retailer without the merchandise and without the
money to cover the loss. It is highly unusual to recover the stolen merchandise or prosecute the
criminal.

Modus operandi

Pagejacking – an activity in which a cyber criminal redirects a customer from a
legitimate website to an illegitimate website where the customer will leave their login or other
information.

Hacking – a hacker may be able to gain access to communications between the customer
and merchant about their confidential data. A hacker may also gain access through third parties
that the retailer does business with.

16.2. Chargeback fraud


Infiltrating the Target Network

The hackers gained access to Target’s network by first stealing credentials from a third
party heating and ventilation company based in Pittsburgh called Fazio Mechanical Services.
Fazio Mechanical Services’ system had access to Target’s network so that they could monitor
and maintain their systems. It is more efficient for Target to simply give contractors access to
their network, rather than hiring a Target employee to monitor the system in house. Fazio Mechanical
Services was compromised by a spear phishing attack made by the hackers a few months before
the attack on Target. Using the HVAC company’s credentials, they first installed the malware on
the point of sale (POS) devices in a select few stores to test the efficiency of the software
from November 15 to November 28, 2014 before expanding to the majority of the stores. The
malware copied data from credit cards and stored it on a compromised Target server.

Chargeback fraud is one of the simplest forms of fraud and does not necessarily involve
identity theft. A customer orders items from the website using a payment method that can easily
be pulled (think credit or debit card). Once the items are safely shipped or otherwise out of the
retailer’s control, the customer initiates a chargeback, stating that their identity was stolen.
They then keep the merchandise for free. Many times, the customer is using their own, legitimate
credit card.

16.3. Friendly fraud


A customer who commits friendly fraud isn’t a menace or a threat to business. Instead,
the friendly fraudster is likely confused, misguided, or even forgetful. Customers who commit
friendly fraud do so as the result of an honest mistake. Friendly fraud is nearly identical to
chargeback fraud, except that it is done without malicious intent. In the case of friendly fraud,
the transaction was placed by a true customer, and the chargeback is initiated for something
innocent like believing their package to be stolen or not recognizing the merchant’s name on
their credit card statement. Subscription retailers face this type of fraud often with customers
who didn’t understand there would be recurring charges.

16.4. Clean fraud


Organize.com
One example of an online store that has to deal with multiple cases of chargeback fraud
is Organize.com, a company that does around $10 million a year in online sales.

A cyber-criminal perpetrating clean fraud uses a stolen credit card in such a way that they
are able to avoid alerting the fraud detectors. Often this is because the criminal has stolen
enough information about the credit card holder that they can easily pass the transaction off as
legitimate. As an ecommerce vendor, this type of fraud can be hard to spot because the data is
so clean, hence the name.

16.5. Triangulation fraud


Triangulation fraud is an exciting name for a complex form of fraudulent activity that
involves three different steps.

For the first step, the hacker sets up a fake online store to collect a customer’s full data.
Once the victim has “placed an order,” the hacker then commits clean fraud on an ecommerce
store’s site to ship the desired item to the customer, frequently using a different victim’s card
information. It is illustrated in figure 16.1.

One fast-growing ecommerce merchant (it was part of InternetRetailer.com’s Top 500
online retailers for 2 years) who wanted to remain anonymous, told Brian Krebs in 2015 that it
was hit with multiple fraudulent transactions because of triangulation fraud.

According to KrebsonSecurity:

“The company was hit with over 40 orders across three weeks for products that later
traced back to stolen credit card data. The victimized retailer said it was able to stop a few of the
fraudulent transactions before the items shipped, but most of the sales were losses that the
victim firm had to absorb.”

Many criminals use eBay to commit triangulation fraud. Here’s how some of them do it:
The fraudster creates an auction to sell an item they don’t own yet. A customer unwittingly
purchases the item through eBay, thus giving the “seller” (i.e. the fraudster) their information.
The criminal then uses stolen credit card information to purchase the item from an ecommerce
site (i.e. the victim) and ships the item to the eBay shopper, leaving the merchant to absorb the
loss.

Figure 16.1: Triangulation Fraud (source: ebay enterprise )



16.6. Affiliate fraud


Affiliate fraud is one of a number of fraudulent activities that do not focus on a payment
method. Affiliate fraud means that a cyber-criminal manipulates the data collected by the affiliate
link given to them by a retailer to make the retailer pay them far more than they are owed. This
can be done through an automated process or it can be accomplished by real people using
fake profiles. Frequently, the criminal uses a variety of methods in order to avoid setting off any
red flags. It is a deliberate attempt to make illegitimate money off an advertiser’s affiliate
marketing. It is illustrated in Figure 16.2.

Figure 16.2: Affiliate marketing


It is one of the costliest threats for ecommerce business. Much of affiliate marketing
processing is automated. In general terms, affiliate marketing is where one company or individual
(the “affiliate,” or “publisher”) uses its website to recommend the products or services of another
company (the “advertiser”) to potential customers. In return, the advertising company pays a
commission on any sales (or sometimes just leads) that come from the affiliate’s site.

The fraudsters hijack the proceedings through the following methods, illustrated in Table 16.1.

Table 16.1: Different Types of Affiliate Fraud

ADWARE: Programs such as spyware, pop-ups or layered ads secretly installed on users’
computers without their permission or knowledge. These programs are used to artificially
inflate the traffic figures reported to an advertiser.

COOKIE STUFFING: The affiliate loads cookies onto the user’s computer simply because the
user visited the site. After that, the affiliate scores a commission for potential future
purchases, whether the user clicked the affiliate link or not.

DOMAIN SQUATTING: The fraudster takes a successful merchant site, then registers multiple
similar domains with minor changes. Users reach the site through a typo and see a page that
looks genuine and which directs them to the real site, along with a cookie that credits the
bogus affiliate with any sales.

IP SPOOFING: The attacker creates a fake IP address to hide the sender’s identity. This could
allow affiliates to artificially inflate the traffic they drive to an advertiser’s site by
repeatedly clicking links on their own sites.

IFRAME: The fraudster includes a 1-pixel square iFrame script in an ad. When users view the
page, another (hidden) link is loaded through the pixel. The user never sees the ad (it’s too
small), but the advertiser will still be charged for the impression.

POSTBACK: A method of directing and tracking conversion data. If fraudsters can obtain the
transaction ID and address for approval, they can attempt to bypass the actual advertiser and
claim commissions for conversions that never happened.

DISCOUNT CODES: Users may click through to an advertiser from an honest affiliate, then leave
to search for a discount code prior to checkout. The dishonest affiliate who provides the
coupon drops a cookie on the user’s browser, giving them credit for the sale.
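As an added illustration, not part of the original lesson, the Python below shows how a merchant’s commission-approval step can check each claimed conversion against the techniques in Table 16.1 before paying out: a user-initiated click must exist within the attribution window (cookie stuffing), the referrer must not be a look-alike of the merchant’s own domain (domain squatting), click volume from one address is capped (self-clicking and IP inflation), the postback must match a recorded order (postback fraud), and a checkout-stage cookie cannot override the affiliate who brought the customer in (discount codes). The record layout, merchant domain, thresholds and sample traffic are all constructed assumptions.

```python
"""Commission checks against the affiliate-fraud techniques in Table 16.1.
Constructed example: the records, thresholds, merchant domain and sample data are
assumptions for illustration, not any affiliate network's real API or data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

MERCHANT_DOMAIN = "example-shop.test"      # constructed merchant domain
ATTRIBUTION_WINDOW = timedelta(days=30)    # assumed cookie lifetime
MAX_CLICKS_PER_IP_PER_HOUR = 20            # assumed velocity threshold

@dataclass
class Click:
    affiliate_id: str
    user_id: str
    ts: datetime
    ip: str
    referrer_host: str
    user_initiated: bool          # False: cookie dropped on page view, no click
    page_stage: str = "landing"   # "landing" or "checkout"

@dataclass
class Conversion:
    order_id: str
    user_id: str
    ts: datetime
    affiliate_id: str             # affiliate named in the attribution cookie
    postback_txn_id: str          # transaction id reported by the postback

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike (squatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_squat(host: str, merchant: str) -> bool:
    """A referrer within two edits of the merchant's own domain is a typo-squat."""
    return host != merchant and edit_distance(host, merchant) <= 2

def validate(conv: Conversion, clicks: List[Click], orders: Dict[str, str]) -> List[str]:
    """Reasons to withhold commission for `conv` (empty list = payable). `orders`
    maps order_id -> user_id from the merchant's own order system."""
    reasons: List[str] = []
    start = conv.ts - ATTRIBUTION_WINDOW
    user_clicks = sorted((c for c in clicks if c.user_id == conv.user_id
                          and start <= c.ts <= conv.ts), key=lambda c: c.ts)
    # POSTBACK: the reported transaction must be an order we actually recorded.
    if orders.get(conv.postback_txn_id) != conv.user_id:
        reasons.append("postback references no matching order (postback fraud)")
    # COOKIE STUFFING: cookie present, but the user never clicked this affiliate's link.
    real = [c for c in user_clicks if c.affiliate_id == conv.affiliate_id and c.user_initiated]
    if not real:
        reasons.append("no user-initiated click in attribution window (cookie stuffing)")
        return reasons
    last = real[-1]
    # DOMAIN SQUATTING: traffic arriving via a look-alike of our own domain.
    if any(looks_like_squat(c.referrer_host, MERCHANT_DOMAIN) for c in real):
        reasons.append("referrer is a look-alike of the merchant domain (domain squatting)")
    # IP INFLATION: this affiliate's clicks pile up from a single address.
    same_ip = [c for c in clicks if c.affiliate_id == last.affiliate_id and c.ip == last.ip
               and last.ts - timedelta(hours=1) <= c.ts <= last.ts]
    if len(same_ip) > MAX_CLICKS_PER_IP_PER_HOUR:
        reasons.append(f"{len(same_ip)} clicks from {last.ip} in one hour (self-clicking / IP inflation)")
    # DISCOUNT CODES: a checkout-stage cookie overrode the affiliate who brought the user in.
    earlier = [c for c in user_clicks if c.affiliate_id != conv.affiliate_id
               and c.user_initiated and c.ts < last.ts]
    if last.page_stage == "checkout" and earlier:
        reasons.append(f"checkout-stage cookie overrode {earlier[0].affiliate_id} (discount-code hijack)")
    return reasons

# Constructed sample traffic: one click log, one order ledger, six claimed conversions.
T0 = datetime(2024, 3, 1, 12, 0)
SAMPLE_CLICKS = [
    Click("aff-A", "u1", T0, "203.0.113.10", "reviews.test", True),       # honest referral
    Click("aff-B", "u2", T0, "203.0.113.11", "blog-b.test", False),       # stuffed cookie
    Click("aff-C", "u3", T0, "203.0.113.12", "exmple-shop.test", True),   # typo-squat redirect
    Click("aff-A", "u4", T0, "203.0.113.13", "reviews.test", True),       # brought u4 in, then:
    Click("aff-D", "u4", T0 + timedelta(minutes=20), "203.0.113.13", "coupons.test", True, "checkout"),
    Click("aff-A", "u5", T0, "203.0.113.14", "reviews.test", True),       # honest click, bad postback
] + [Click("aff-E", f"u{100 + i}", T0 + timedelta(minutes=i), "198.51.100.7", "blog-e.test", True)
     for i in range(25)]                                                  # self-clicking burst
SAMPLE_ORDERS = {"ord-1": "u1", "ord-2": "u2", "ord-3": "u3", "ord-4": "u4", "ord-5": "u124"}
SAMPLE_CONVERSIONS = {
    "honest": Conversion("ord-1", "u1", T0 + timedelta(days=2), "aff-A", "ord-1"),
    "stuffed": Conversion("ord-2", "u2", T0 + timedelta(days=1), "aff-B", "ord-2"),
    "squat": Conversion("ord-3", "u3", T0 + timedelta(hours=1), "aff-C", "ord-3"),
    "hijack": Conversion("ord-4", "u4", T0 + timedelta(minutes=30), "aff-D", "ord-4"),
    "bad_postback": Conversion("ord-9", "u5", T0 + timedelta(hours=2), "aff-A", "ord-9"),
    "inflated": Conversion("ord-5", "u124", T0 + timedelta(hours=1), "aff-E", "ord-5"),
}

def review_all() -> Dict[str, List[str]]:
    """Run every sample conversion through validate(); an empty list means payable."""
    return {name: validate(c, SAMPLE_CLICKS, SAMPLE_ORDERS) for name, c in SAMPLE_CONVERSIONS.items()}
```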

16.7. Merchant identity fraud


Merchant identity fraud is rather simple: the cyber-criminal sets up an online store and
entices a victim to purchase something, which they typically list for an impossibly low price.
Then they disappear and never ship the item.

While merchant fraud is mostly something individual consumers should be wary of, it can
affect ecommerce stores as well. Hackers will occasionally run this scam in the wholesale
industry to target businesses, and these kinds of scams also erode the trust consumers have in
legitimate online retailers. Merchant fraud exposes acquirers to the liability of facilitating criminal
activity – placing them at risk of chargebacks, fines, brand or reputational damage, regulatory
sanctions, and even legal action. There are three types of merchant fraud: bust-out fraud,
identity swap and transaction laundering.

16.7.1. Bust Out Fraud

In this fraud scheme, a merchant applies for a merchant account without any intention of
actually operating a legitimate business. These merchant accounts are then used to process
fraudulent transactions or to acquire lines of credit before abandoning the account altogether.

The aim of this type of fraud is simple: process as many fraudulent transactions as possible
within a short amount of time, and before being caught, simply abandon the account. In the
online world, it is extremely easy to falsify identities and set up fake businesses.

16.7.2. Identity Swap

Certain individuals, for example individuals on the AML/ATF watch lists, merchants from
countries on which economic sanctions are imposed or those belonging to certain extremist
groups are prohibited from opening merchant accounts with major acquirers. To circumvent
these prohibitions, merchants often use a fake or stolen identity or set up a bogus online storefront
in order to secure a merchant account.

In this case, the business itself may be legitimate, and chargebacks won’t necessarily be
an issue. However, regulators expect acquirers to demonstrate due care and due diligence in
preventing merchants from acquiring fraudulent accounts through identity theft. Failure to do so
can result in steep fines and severe reputational damage.

16.7.3. Transaction laundering

Transaction laundering occurs when an unknown business uses an approved merchant’s
payment credentials to process payments for products and services that the acquirer is not
aware of.

Proliferation of micro merchants and instant on-boarding, as well as the explosion of
different payment methods, contribute to data overload and difficulty in monitoring merchant
portfolios. It is estimated that around $352 Billion is being laundered this way every year in the
US alone.

16.8. Credit Card Fraud


Fraudsters often make online purchases using stolen credit card details. Sometimes
they may be in physical possession of the card; at other times they may have obtained all the
information electronically. Once the transaction is concluded and the payment approved,
the business is responsible for ensuring that the customer was who he said he was. The card
owner may seek reimbursement from the company equal to the amount of the payment.

16.9. Card Testing


Card testing fraud is the practice of creating credit card numbers and testing their validity,
in order to use the working ones on another website to commit fraud. Fraudsters target websites
which give a different response for each type of decline: for example, when a card is declined
because of an incorrect expiration date, a different response is given, so they know they only
need to find the expiration date.
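The defensive counterpart to the point just made, as an added example rather than text from the lesson: one customer-facing message for every decline reason, with the gateway’s exact reason kept only in the merchant’s own audit log, plus a per-card decline counter so that a burst of failures on one card is flagged and further gateway calls for that card are skipped. The gateway codes, the message text and the thresholds are constructed for illustration.

```python
"""Uniform decline handling against card testing.
Added example, not from the original text: gateway codes, the message text and
the thresholds are constructed for illustration."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed gateway decline codes; a real gateway publishes its own table.
GATEWAY_REASONS = {
    "14": "invalid card number",
    "54": "expired card / wrong expiration date",
    "N7": "CVV mismatch",
    "51": "insufficient funds",
}
GENERIC_DECLINE = "Your payment could not be processed. Please check your details or use another card."
DECLINE_LIMIT = 3          # assumed: declines per card within the window before flagging
WINDOW_SECONDS = 600       # assumed: 10-minute window


class DeclineGuard:
    """Shows the customer one message for every decline reason while keeping the
    gateway's exact reason in the merchant's own audit log, and counts declines
    per card so a card-testing burst stands out."""

    def __init__(self, limit: int = DECLINE_LIMIT, window: int = WINDOW_SECONDS) -> None:
        self.limit, self.window = limit, window
        self._declines: Dict[str, Deque[float]] = defaultdict(deque)
        self.audit_log: List[dict] = []

    def _recent(self, card: str, now: float) -> Deque[float]:
        q = self._declines[card]
        while q and now - q[0] > self.window:   # drop declines that fell out of the window
            q.popleft()
        return q

    def should_block(self, card: str, now: float) -> bool:
        """True once a card has hit the decline limit: skip the gateway call entirely,
        so the tester learns nothing further about this card."""
        return len(self._recent(card, now)) >= self.limit

    def handle(self, card: str, gateway_code: str, now: float) -> Tuple[str, str]:
        """Translate a gateway result into (status, customer_message)."""
        if gateway_code == "00":
            return "approved", "Thank you, your payment was approved."
        q = self._recent(card, now)
        q.append(now)
        self.audit_log.append({
            "card": card, "code": gateway_code,
            "reason": GATEWAY_REASONS.get(gateway_code, "unknown decline"),
            "declines_in_window": len(q),
            "suspected_card_testing": len(q) >= self.limit,
        })
        # Every decline reason collapses to the same customer-facing text.
        return "declined", GENERIC_DECLINE


def customer_messages_identical(codes: List[str]) -> bool:
    """Constructed check: distinct decline codes must yield one identical message."""
    guard = DeclineGuard()
    msgs = {guard.handle("card-x", code, float(i))[1] for i, code in enumerate(codes)}
    return len(msgs) == 1
```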

16.10. Refund Fraud


In this case, a fraudster using a stolen credit card deliberately makes an overpayment. He
then contacts the business to report an accidental overpayment and asks for a
reimbursement. He asks for the excess amount to be refunded but claims that his credit card
has been closed, so the business needs to send the money by an alternative method. That
means that the original charge to the credit card is not refunded and the business remains
liable to the card owner for the full amount.

16.11. Phishing
In this case an email asks for user ID, passwords, credit card details and other personal
information. The sender seems to be a credit institution that needs a confirmation of some
information due to a change in the system. Phishing allows criminals to get access to bank or
other accounts and it can be used for identity theft.

16.12. Advanced fee and wire transfer scams


This is the classic “Nigerian Prince” scam. The cyber-criminal asks for money upfront, in
return for a lot more money later. While the Nigerian Prince scam is formulated to specifically
target individuals, scammers have come up with a practice that targets businesses, specifically
ones that provide services.

The general formula is that the scammer reaches out to the business via email as a
prospective client. They say they want an impressive amount of work from the business, but
first, they’re working with a third party company who they need to pay and, for some reason,
can’t. These reasons may even sound legitimate: they’re overseas and have a limited number
of international transfers, for instance. They’ll ask you to send the third party business some
money, which they assure you will be paid back and far more.

Are there more ecommerce fraud problems with international transactions?

Research shows that ecommerce fraud does seem to be more common overseas.
Indonesia has the highest rate of fraudulent purchases, with over 30% of Indonesian online
purchases having proved to be fraudulent. Venezuela is a close second, and South Africa sees
about 25% of purchases as fraudulent. Brazil and Romania round out the top five. Ten percent
of purchases made in those countries are illegal.

In terms of continents, Africa represents the highest level of false purchases followed by
South America. Asia and North America represent the median level of ecommerce fraud, while
Europe is the safest continent for online sellers.

While none of this information means that you should or shouldn’t sell to people in a
particular location, it does mean that you may choose to be more vigilant about some places
over others.

16.13. The Signs of Ecommerce Fraud


Is ecommerce fraud easy to detect? That depends on the skill and ingenuity of the cyber-
criminal. That said, there are many common signs of fraud that you and your staff should know
about and continually watch for.

Inconsistent order data

A basic and major red flag for fraud is inconsistent data within an order. This contradictory
information could be that the zip code and city don’t match up, or that the IP and email addresses
don’t line up. While a real customer can certainly make typos, it’s far more likely that a cyber-
criminal will make a mistake by guessing wrong information.

First-time customers

As exciting as it is to get a new customer, scammers typically appear as first-time
customers. They don’t often return to victimize the same company more than once, so as to
avoid generating suspicion. While being a first-time shopper alone should not necessarily attract
your attention, you may want to ensure that your security features carefully monitor your first-
time buyers.

Customers who make multiple orders from different credit cards

Most consumers have no more than three credit cards, so you should be suspicious of
shoppers who use more than three cards when shopping on your site — especially if they try to
use those cards one after another. If a customer puts in multiple orders on many different credit
cards, whether in one sitting or over a long period of time, you could be dealing with a cyber-
criminal.

Variations on this sign include:

· Multiple transactions under the same billing address going to different shipping
addresses.

· Multiple credit cards used on the same IP address, even if they are not billed or sent
to the same person.

· Multiple transactions on the same card in a short period.

Unexpectedly large orders (especially those that contain duplicates of products)

Scammers are known to drop significant amounts of money when they make fraudulent
purchases – usually, far more than any of your typical customers would spend. A large order
may be exciting at first, but you’ll certainly want to look into it. If they have paid for expedited
shipping on that large order, that’s even more of a red flag. It indicates that the scammer is
interested in getting their hands on the goods before they get caught.

Any data that’s clearly fake

This probably sounds obvious, but you want to watch out for any data that seems made
up. It’s not that difficult to catch fake email addresses (has no@yahoo.com ever been a real
address?), and fake phone numbers can even be found by sight alone. For instance, any
number with the area code “555” is a fake.

Multiple declined transactions to the same customer

Again, while people do make typos during a transaction, one person attempting to use
the same card while inputting the numbers wrong several times can indicate someone who’s
trying to guess at a few of the numbers.
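Taken together, the signs above form a checklist that can be run over each incoming order against recent order history. The Python below is an added example, not from the lesson, that does exactly that with constructed order records, thresholds and triage levels, and scores a constructed set of sample orders (a repeat customer, a legitimate first-time buyer, a card used three times in an hour, and one order tripping nearly every sign).

```python
"""Scoring an order against the red flags listed in Section 16.13. Added example: order
fields, lookup table, thresholds, triage levels and sample orders are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ZIP_TO_CITY = {"10001": "New York", "60601": "Chicago", "94105": "San Francisco"}  # stand-in for an address service
FAKE_EMAIL_LOCALS = {"no", "none", "test", "fake", "asdf"}   # obviously made-up mailbox names
LARGE_ORDER, MAX_CARDS_PER_CUSTOMER = 2000.0, 3               # assumed basket ceiling; text: <= 3 cards per person
VELOCITY_WINDOW, VELOCITY_LIMIT = timedelta(hours=1), 3      # assumed: same-card transactions per window

@dataclass
class Order:
    order_id: str
    customer_id: str
    card: str                         # card fingerprint/token, never the PAN
    billing_zip: str
    billing_city: str
    billing_address: str
    shipping_address: str
    ip: str
    email: str
    phone: str
    items: List[Tuple[str, int]]      # (sku, quantity)
    total: float
    expedited: bool
    ts: datetime

def fake_phone(phone: str) -> bool:
    """A 555 area code is reserved for fiction, as the text notes."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return len(digits) == 10 and digits.startswith("555")

def flags_for(order: Order, history: List[Order]) -> List[str]:
    """Return every red flag from Section 16.13 that this order trips."""
    flags: List[str] = []
    prior = [o for o in history if o.order_id != order.order_id and o.ts <= order.ts]
    mine = [o for o in prior if o.customer_id == order.customer_id]
    expected = ZIP_TO_CITY.get(order.billing_zip)           # inconsistent order data
    if expected and expected.lower() != order.billing_city.lower():
        flags.append("zip/city mismatch")
    if not mine:                                             # first-time customer
        flags.append("first-time customer")
    cards = {o.card for o in mine} | {order.card}            # many cards, one customer
    if len(cards) > MAX_CARDS_PER_CUSTOMER:
        flags.append(f"{len(cards)} distinct cards for one customer")
    ship_to = {o.shipping_address for o in prior if o.billing_address == order.billing_address}
    if ship_to and ship_to != {order.shipping_address}:
        flags.append("same billing address, different shipping addresses")
    ip_cards = {o.card for o in prior if o.ip == order.ip} | {order.card}
    if len(ip_cards) > 1:
        flags.append(f"{len(ip_cards)} cards used from IP {order.ip}")
    recent = [o for o in prior if o.card == order.card and order.ts - o.ts <= VELOCITY_WINDOW]
    if len(recent) + 1 >= VELOCITY_LIMIT:
        flags.append(f"{len(recent) + 1} transactions on one card within {VELOCITY_WINDOW}")
    if order.total >= LARGE_ORDER:                           # unexpectedly large order
        flags.append("unusually large order")
        if any(qty > 2 for _, qty in order.items):
            flags.append("large order with duplicate products")
        if order.expedited:
            flags.append("expedited shipping on a large order")
    if order.email.split("@")[0].lower() in FAKE_EMAIL_LOCALS:   # clearly fake data
        flags.append("fake-looking email")
    if fake_phone(order.phone):
        flags.append("fake-looking phone (555 area code)")
    return flags

def assess(order: Order, history: List[Order]) -> Tuple[List[str], str]:
    """Assumed triage: first-time status alone never holds an order; other flags do."""
    flags = flags_for(order, history)
    strong = [f for f in flags if f != "first-time customer"]
    level = "accept" if not strong else "review" if len(strong) <= 2 else "hold"
    return flags, level

T = datetime(2024, 5, 10, 9, 0)   # constructed sample orders follow; mk() fills benign defaults
def mk(oid: str, cust: str, card: str, ts: datetime, **kw) -> Order:
    base = dict(billing_zip="10001", billing_city="New York", billing_address="5 Main St, New York 10001",
                shipping_address="5 Main St, New York 10001", ip="203.0.113.5", email="ann@example.com",
                phone="+1 212 654 3210", items=[("sku-1", 1)], total=79.0, expedited=False)
    base.update(kw)
    return Order(oid, cust, card, ts=ts, **base)

ORDERS: Dict[str, Order] = {
    "old": mk("o1", "cust-1", "card-1", T - timedelta(days=30)),
    "repeat": mk("o7", "cust-1", "card-1", T),
    "new": mk("o8", "cust-2", "card-2", T, ip="203.0.113.8", email="bob@example.com"),
    "v1": mk("o9", "cust-3", "card-3", T - timedelta(minutes=20), ip="203.0.113.30"),
    "v2": mk("o10", "cust-3", "card-3", T - timedelta(minutes=10), ip="203.0.113.30"),
    "velocity": mk("o11", "cust-3", "card-3", T, ip="203.0.113.30"),
}
BOSTON = dict(billing_address="77 Elm St, Boston 02101", ip="198.51.100.9")   # one suspicious buyer
for n, (card, ship) in enumerate([("card-7", "Apt 1, Boston"), ("card-8", "Apt 2, Boston"), ("card-9", "Apt 3, Boston")]):
    ORDERS[f"s{n}"] = mk(f"o{3 + n}", "cust-9", card, T - timedelta(minutes=50 - 10 * n), shipping_address=ship, **BOSTON)
ORDERS["suspicious"] = mk("o6", "cust-9", "card-10", T, billing_city="Boston", shipping_address="Unit 4, Boston",
                          email="no@yahoo.com", phone="555-123-4567", items=[("sku-tv", 4)], total=5200.0,
                          expedited=True, **BOSTON)
```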

Summary

· E-commerce fraud can most succinctly be defined as illegal activity wrought by a
cyber criminal on a website. It results in unauthorized or otherwise fraudulent
transactions, stolen merchandise and/or wrongful requests for a refund.

· Identity theft is the most well known form of ecommerce fraud. Retailers are more
concerned about this type of fraud.

· A customer who commits friendly fraud isn’t a menace or a threat to business.
Instead, the friendly fraudster is likely confused, misguided, or even forgetful.

· Chargeback fraud is one of the simplest forms of fraud and does not necessarily
involve identity theft.

· A cyber-criminal perpetrating clean fraud uses a stolen credit card in such a way
that they are able to avoid alerting the fraud detectors.

· Affiliate fraud is one of a number of fraudulent activities that do not focus on a
payment method. Affiliate fraud means that a cyber-criminal manipulates the data
collected by the affiliate link given to them by a retailer to make the retailer pay them
far more than they are owed.

· Merchant identity fraud is rather simple: the cyber-criminal sets up an online store
and entices a victim to purchase something, which they typically list for an impossibly
low price. Then they disappear and never ship the item.


LESSON - 17
CYBER FRAUDS – PART-IV
IT FRAUDS
After reading this lesson you will be able to understand
 IT Frauds

o Occupation Fraud

o Corporate Fraud

o Asset Stripping

o Fraudulent Trading

o Share Ramping

o Publishing False Information

o Public Sector Fraud

o Investment fraud

o Share scams (boiler room fraud)

o Recovery Room Fraud

o Other Investment fraud

o Bribery and corruption

o Other frauds

Structure
17. IT Frauds

17.1. Occupation Fraud

17.2. Corporate Fraud

17.3. Asset Stripping

17.4. Fraudulent Trading

17.5. Share Ramping

17.6. Publishing False Information



17.7. Public Sector Fraud

17.8. Investment fraud

17.9. Share scams (boiler room fraud)

17.10. Recovery Room Fraud

17.11. Other Investment fraud

17.12. Bribery and corruption

17.13. Other frauds

17 IT Frauds
Computer fraud is the use of information technology to commit fraud. This covers all
components of IT, from end-user computing devices such as laptops, desktops and mobile
equipment, to networking devices such as routers, switches and wireless devices, to software
and applications. Fraud is often difficult to detect and even harder to prove in a court of law.
Common practices are applicable to practising professionals who audit fraud in an
information technology (IT) environment.

17.1. Occupational Fraud

Melissa

David L. Smith, a 31-year-old New Jersey programmer, was accused of unleashing
the “Melissa” computer virus, a Visual Basic for Applications-based worm. The
virus was propagated by deliberately posting an infected document to a
Usenet newsgroup from a stolen AOL account. He constructed the virus to
evade anti-virus software and to infect computers through Microsoft Windows
and Word programs. The Melissa virus appeared on thousands of email
systems on March 26, 1999, disguised as an important message from a
colleague or friend.

The term “occupational fraud” is defined as: “the use of one’s occupation for personal
enrichment through the deliberate misuse or misapplication of the employing organization’s
resources or assets.” IT fraud is a type of criminal activity, defined as: ‘abuse of position, or
false representation, or prejudicing someone’s rights for personal gain’. Put simply, fraud is an
act of deception intended for personal gain or to cause a loss to another party.

The general criminal offence of fraud can include:


Ø deception, whereby someone knowingly makes a false representation,

Ø or they fail to disclose information

Ø or they abuse a position.

Key indicators of fraud include:

Ø Significant changes in behaviour that have been noticed.

Ø Fraudsters have large personal debts or financial losses, and a desire for personal gain.

Ø Audit findings deemed to be errors or irregularities.

Ø Transactions taking place at an odd time, at an odd frequency, for an unusual amount or
to odd recipients.

Ø Internal controls that are not enforced, or are often overridden by higher authorities.

Ø Discrepancies in accounting records and unexplained items on reconciliations

Ø Missing documents, or only photocopied documents available

Ø Inconsistent, vague or implausible responses arising from inquiries

Ø Unusual discrepancies between the client’s records and confirmation replies

Ø Missing inventory or physical assets

Ø Excessive voids or credits

Ø Common names or addresses of payees or customers

Ø Alterations on documents (back-dating, for example)

Ø Duplications (duplicate payments, for example)

Ø Collusion among employees, where there is little or no supervision

Ø One employee has control of a process from start to finish with no segregation of
duties

Types of Fraud
Ø Corporate Fraud

Ø Asset stripping

Ø Fraudulent trading

Ø Share ramping

Ø Publishing false information

Ø Public Sector Fraud

Ø Investment fraud

Ø Share scams (boiler room fraud)

Ø Recovery Room Fraud

Ø Other Investment fraud

Ø Bribery and corruption

Ø Other frauds

17.2. Corporate Fraud


Corporate Fraud involves deliberate dishonesty to deceive the public, investors or lending
companies, usually resulting in financial gain to the criminals or organization. Corporate fraud
may include asset stripping, fraudulent trading, share ramping, and the publishing of false
information.

17.3. Asset stripping


Asset stripping is taking company funds or assets of value while leaving behind the debts.
Company directors transfer only the assets of one company to another and not the liabilities.
The result is a dormant company with large liabilities that cannot be met and it has to be put into
liquidation. Stripping of company assets is normally done for two main reasons:

Ø The fraudsters deliberately target a company or companies to take ownership, move
the assets and then put the stripped entity into liquidation.

Ø “Phoenixing” – directors move assets from one limited company to another to ‘secure’
the benefits of their business and avoid the liabilities.

o Most or all of the directors will usually be the same in both companies.

o This usually arises as a way of ‘rescuing’ the assets of a failing business rather than
targeting a company.

17.4. Fraudulent trading


Fraudulent trading is where a company carries on a business with the intention of defrauding
creditors or for any fraudulent purposes. This applies whether

Ø the company is trading,

Ø has ceased trading or

Ø is in the process of being wound up.

17.5. Share Ramping


Share ramping (also known as ‘pump and dump’ and ‘book ramping’) is where criminals
influence the share price of a company and then take advantage of it. It is commonly done by
bringing a company to the market with false expectations of its profitability.

Alternatively it can be done by buying shares in a company when they are at a low price
and then starting a rumour that the company is being taken over. When the share price rises,
the shares are sold at a profit.

17.6. Publishing false information


Publishing false information is a type of fraud committed when a criminal creates, destroys,
conceals, or falsifies an account, record or report which is deliberately misleading on the
company’s financial position. This is usually done to mislead investors and creditors and to
keep a failing company trading.

17.7. Public Sector Fraud


Public Sector fraud is where criminals seek to exploit Government grant and compensation
schemes for their personal gain. This type of fraud affects all taxpayers by stealing public
money.

The criminals will produce fake documents and applications to deliberately deceive and
exploit certain schemes which are in place to provide help to genuine applicants. Examples of
Public Sector fraud include:

Ø Abuse of the right-to-buy system

Ø Legal aid fraud

Ø Grant for Business Investment (GBI) fraud

17.8. Investment fraud


Investment frauds target individuals with convincing arguments to make them part with
their savings.

These types of fraudsters usually want you to invest your money in a company or
opportunity which seems to be offering very high rates of return.

17.9. Share scams (boiler room fraud)


A boiler room is an operation selling investors shares in companies which are usually
fake or are not trading successfully. Scammers typically cold-call people and use hard-sell
tactics to sell shares in overseas-based companies that prove to be worthless. Boiler rooms are
usually operated from overseas locations. The scammers profit either by simply taking investors’
money without providing shares or by selling them the shares at highly inflated prices.

17.10. Recovery Room Fraud


Often those that run boiler rooms will share their contact lists with others. Therefore, if a
victim has given his or her information to one company, they may well receive calls from other
companies suggesting they can help sell the victim’s shares or offering further purchases.

What are the warning signs?

Ø Have you been contacted about investing in shares?

Ø Have you never heard of the company before?

Ø Were you promised high rates of return?



17.11. Other investment fraud


Other investment frauds include being offered the chance to invest in a new company or an
exciting investment opportunity. The fraudsters will often show a series of professional-looking
documents to back up their claims and entice investors. One of the most common investment
frauds is the ‘Ponzi’ or pyramid scheme, which typically involves an investment offer promising
a higher rate of return than is usually offered. For example, a 30% return on investment
is claimed when a more realistic return is 5-10%.

17.12. Bribery and corruption


Corruption is where the integrity of a person, government or company is manipulated
and compromised for personal gain. There are two main types of corruption:

Political corruption – dysfunction of a political system or institution in which government
officials, political officials or employees seek illegitimate personal gain through actions such as
bribery, extortion, cronyism, patronage and embezzlement.

Corporate corruption – e.g. where bribes are offered to agencies, institutions or individuals
in order to win a contract.

17.13. Other frauds

Other frauds include:

· Tax and excise fraud

· Identity fraud

· Benefit fraud

· Civil matters (negligence, for example)

· Contractual dispute

· Advance fee frauds



Case Study #1

The Trust was concerned that a doctor was running a private practice using government
resources. This was a sensitive issue: work had to be done covertly to take a forensic image of
his laptop so as not to raise suspicion or alarm other staff. Dozens of emails were extracted
showing that the subject had made private appointments over the previous year at times when he
should have been working for the Government. This evidence formed a key part of a tribunal
hearing that awarded damages.

Case Study #2

A complex, high-value case, where multiple computers and servers held evidence of the
systematic deletion of important data. The person accused of the deletion was a highly
experienced IT administrator who had gone to significant lengths to cover his tracks. Low-level
deletion software had been renamed, run remotely over the company network and then deleted,
leaving minimal artefacts.

Computer forensic specialists recreated these conditions on their test network and were
able to produce the same artefacts that were found on the original computers and servers. This
information helped the client refute the explanations provided by the IT administrator in a very
high-value litigation case.

Case Study #3

A large financial institution had dismissed a senior managing director due to performance
issues. The dismissed employee began legal proceedings against his former employer, claiming
unfair dismissal. Forensic examination of the computers revealed thousands of pornographic images
that had been downloaded to his work laptop and then transferred to personal USB drives.

Time-line analysis revealed that the searching for and downloading of the images was
carried out exclusively during office hours. Evidence was also found of the subject using the laptop
to order illegal items, which gave the client the evidence to reject the claim of unfair dismissal.

Case Study #4

A case involving a data breach: analysis revealed a scheme to produce and distribute
sensitive material on a global scale. The data extracted revealed the suspect’s production
sources, distribution lists and order books.

Case Study #5

A large firm of insolvency practitioners based in central London needed twelve servers
and three PCs from a recently liquidated company to be examined. The computer equipment to be
examined had been removed from the company premises and piled into a corner of
a room. The equipment was old, had been switched off for months and several machines had been
marked ‘faulty’ by their previous owners.

No passwords had been provided and the liquidated company’s former IT administrator
was unwilling to help; additionally, it was understood that attempts had been made to wipe data
from the disks. Despite these circumstances, computer forensic investigators managed to
recover 100% of the available data.

Working closely with the insolvency practice, the relevant material was extracted from the
mass of recovered data: emails, spreadsheets, documents and internet history. The evidence
extracted helped prove the misconduct of the directors of the liquidated company, which the
insolvency firm had long suspected.

Roles of IT Auditor in Fraud Control

Auditors have the

· responsibility for detecting fraud and

· assessing antifraud programs

The Statement on Auditing Standards (SAS) 99 of the American Institute of Certified
Public Accountants (AICPA) emphasizes auditors exercising their professional scepticism to
identify risks that may result in a material misstatement due to fraud.

The US Public Company Accounting Oversight Board (PCAOB) also requires auditors to
evaluate fraud-related activities as a component of an internal audit function.

With rapid advancements in information communications and technologies (ICT) and an
increasingly mobile accessible environment (i.e., wireless networking), it is no surprise that
companies are increasingly reliant on IT equipment and applications for the delivery of company
operations.

IT audit provides a vital role in the prevention, detection and investigation of fraud.

To make a valuable contribution toward fraud control, requirements need to be elaborated
on and understood by the IT auditor with respect to the various IT processes and types of fraud,
each of which contributes to the development of fraud risk assessment.

IT Processes

Control Objectives for Information and related Technology (COBIT) provides excellent
coverage of IT processes. The COBIT 5 framework for the governance and management of
enterprise IT is a leading-edge business optimization and growth roadmap that leverages proven
practices, global thought leadership and ground-breaking tools to inspire IT innovation and fuel
business success. IT process, according to COBIT, can be classified into one of four specific
domains:

· Plan and Organize (PO)

· Acquire and Implement (AI)

· Deliver and Support (DS)

· Monitor and Evaluate (ME)

Five main principles of COBIT 5 are:

Audit and Assurance – Manage Vulnerabilities and ensure compliance

Risk Management

Fraud Risk Assessment

The fraud risk assessment begins with ranking the likelihood and significance of fraud
activities associated with IT processes. PCAOB Auditing Standard (AS) No. 2 provides an
example of the probability of a risk and its corresponding significance. This PCAOB standard
specifies three risk levels:

· Remote

· More than remote

· Probable

The PCAOB standard also defines significance of a risk into three categories:

· Inconsequential

· More than inconsequential

· Material

Upon the completion of ranking fraud activities associated with IT processes, the fraud
risk assessment process can map the IT processes with types of fraud and controls in place (if
any).

Fraud risk assessments

· allow organizations to easily visualize the areas for occurrence of fraud and

· prioritize their resources against these potential fraud areas.

Since both the business and IT environments are changing rapidly, the fraud risk
assessment should be carried out on a regular basis or whenever there is a major change in an
IT process.

Furthermore, in identifying an IT process for fraud risk assessment, an auditor may use
historical patterns of fraud within the company as a benchmark reference.
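A small worked version of the assessment described above, added here and not taken from the lesson: each scenario is scored by its PCAOB AS No. 2 likelihood and significance levels, rated one likelihood step higher where the company’s own fraud history shows that type has already occurred, and then mapped IT process (COBIT domain) to fraud type and controls in place so that uncontrolled high-scoring cells stand out. The scenarios, the numeric scale, the controls and the incident history are constructed assumptions.

```python
"""Fraud risk assessment over IT processes: rank scenarios by PCAOB AS No. 2 likelihood
and significance, adjust for the company's own fraud history, and map IT processes
(COBIT domains) to fraud types and controls. Added example; the scenarios, numeric
scale, controls and incident history are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

LIKELIHOOD = {"remote": 1, "more than remote": 2, "probable": 3}                    # PCAOB AS 2 levels
SIGNIFICANCE = {"inconsequential": 1, "more than inconsequential": 2, "material": 3}
GAP_THRESHOLD = 4   # assumed: a score at or above this with no control is a gap

@dataclass
class Scenario:
    it_process: str               # COBIT domain: PO, AI, DS or ME
    fraud_type: str
    likelihood: str
    significance: str
    controls: List[str] = field(default_factory=list)

    def score(self) -> int:
        """Assumed ordinal product: 1 (remote x inconsequential) to 9 (probable x material)."""
        return LIKELIHOOD[self.likelihood] * SIGNIFICANCE[self.significance]

def bump_likelihood(level: str) -> str:
    """Raise a likelihood one step (remote -> more than remote -> probable), capped at probable."""
    order = list(LIKELIHOOD)
    return order[min(order.index(level) + 1, len(order) - 1)]

def apply_history(scenarios: List[Scenario], incidents: Dict[str, int]) -> List[Scenario]:
    """Use the company's own fraud history as a benchmark: a fraud type that has already
    occurred here is rated one likelihood step higher. Returns new objects."""
    out = []
    for s in scenarios:
        like = bump_likelihood(s.likelihood) if incidents.get(s.fraud_type, 0) > 0 else s.likelihood
        out.append(Scenario(s.it_process, s.fraud_type, like, s.significance, list(s.controls)))
    return out

def rank(scenarios: List[Scenario]) -> List[Scenario]:
    """Highest score first; among equal scores, scenarios with no control come first."""
    return sorted(scenarios, key=lambda s: (-s.score(), bool(s.controls), s.fraud_type))

def risk_map(scenarios: List[Scenario]) -> Dict[str, Dict[str, dict]]:
    """IT process -> fraud type -> {score, controls, gap}: the mapping the text describes."""
    m: Dict[str, Dict[str, dict]] = {}
    for s in scenarios:
        m.setdefault(s.it_process, {})[s.fraud_type] = {
            "score": s.score(), "controls": list(s.controls),
            "gap": s.score() >= GAP_THRESHOLD and not s.controls,
        }
    return m

def control_gaps(scenarios: List[Scenario], min_score: int = GAP_THRESHOLD) -> List[str]:
    """Uncontrolled scenarios at or above min_score, in priority order."""
    return [f"{s.it_process}: {s.fraud_type}" for s in rank(scenarios)
            if s.score() >= min_score and not s.controls]

# Constructed scenarios, loosely following the fraud examples given later in this lesson.
SCENARIOS = [
    Scenario("DS", "Payroll fraud (leaver still paid)", "more than remote", "more than inconsequential",
             ["monthly HR/payroll reconciliation"]),
    Scenario("DS", "Embezzlement via shared banking password", "remote", "material", []),
    Scenario("AI", "Procurement kickbacks", "more than remote", "material",
             ["segregation of duties", "vendor rotation"]),
    Scenario("DS", "Source code theft", "remote", "material", ["DLP on repositories"]),
    Scenario("ME", "Dummy refund accounts", "more than remote", "more than inconsequential", []),
    Scenario("PO", "Recruitment bribery", "remote", "inconsequential", []),
]
INCIDENT_HISTORY = {"Embezzlement via shared banking password": 1}   # constructed past incident

def assessment() -> Dict[str, object]:
    """Full run: history-adjusted ranking, process/fraud map and the control gaps."""
    adjusted = apply_history(SCENARIOS, INCIDENT_HISTORY)
    return {"ranking": [s.fraud_type for s in rank(adjusted)],
            "map": risk_map(adjusted), "gaps": control_gaps(adjusted)}
```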

Some examples of frauds from an EY survey

Employee embezzlement fraud

An employee of a large software services company in India was able to steal the password
of the bank account of the company and embezzle an amount in excess of US$4 million.

Intellectual property infringement fraud

An employee of a software development company in India sold off the source code of the
new software developed by the company to its competitors.

Forex fraud

An employee of a leading software company in India without proper authorization hedged
the foreign exchange receivable by the company outside the normal course of the company’s
hedging process, which resulted in a loss of US$20 million to the company.

Data theft

An employee of a Gurgaon (India)-based BPO company is believed to have sold a CD,
which is suspected to contain some confidential data pertaining to the customers of a British
bank.

Refund fraud

Two employees working in a Chennai (India)-based BPO misused their authority and
created 30 dummy customer e-mail IDs and embezzled more than US$91,000, which was
supposed to be paid as refund for dissatisfied customers.

Procurement fraud

Two employees of a Bangalore-based technology company were sacked for allegedly
showing preference to certain vendors/service providers and demanding favors from certain
other vendors in lieu of the timely processing of their invoices/bills and the renewal of contracts.

Recruitment fraud

The entire recruitment team at the Indian subsidiary of a large IT company was sacked
for allegedly accepting bribes from prospective employees and recruitment consultants.

Payroll fraud

An employee of a Hyderabad-based company continued to draw a salary even six months after
leaving the company.

Misappropriation of funds

A few employees from the Pune centre of a large Indian BPO opened several dummy
accounts to transfer customer funds to these fictitious accounts.

Section 43 – Penalty and Compensation for damage to computer, computer system, etc

Related Case: MphasiS BPO Fraud, 2005. In December 2004, four call centre employees,
working at an outsourcing facility operated by MphasiS in India, obtained PIN codes from four
customers of MphasiS’ client, Citi Group. These employees were not authorized to obtain the
PINs. In association with others, the call centre employees opened new accounts at Indian
banks using false identities. Within two months, they used the PINs and account information
gleaned during their employment at MphasiS to transfer money from the bank accounts of
CitiGroup customers to the new accounts at Indian banks.

By April 2005, the Indian police had been tipped off to the scam by a U.S. bank, and quickly
identified the individuals involved. Arrests were made when those individuals
attempted to withdraw cash from the falsified accounts. $426,000 was stolen; the amount
recovered was $230,000.

Verdict: Court held that Section 43(a) was applicable here due to the nature of unauthorized
access involved to commit transactions.

Section 66 – Computer Related offenses- Related Case: Kumar v/s Whiteley.

In this case the accused gained unauthorized access to the Joint Academic Network
(JANET) and deleted and added files and changed the passwords to deny access to the authorized
users. Investigations had revealed that Kumar was logging on to the BSNL broadband Internet
connection as if he were the authorized genuine user and ‘made alteration in the computer
database pertaining to broadband Internet user accounts’ of the subscribers. The CBI had
registered a cyber crime case against Kumar and carried out investigations on the basis of a
complaint by the Press Information Bureau, Chennai, which detected the unauthorised use of
broadband Internet. The complaint also stated that the subscribers had incurred a loss of Rs
38,248 due to Kumar’s wrongful act. He used to ‘hack’ sites from Bangalore, Chennai and other
cities too, they said.

Verdict: The Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G
Arun Kumar, the techie from Bangalore, to undergo rigorous imprisonment for one year with a
fine of Rs 5,000 under Section 420 IPC (cheating) and Section 66 of the IT Act (Computer related
Offense).

Section 66C – Punishment for identity theft

Relevant Cases:

The social security number of Todd Davis, CEO of the identity theft protection company
Lifelock, was exposed by Matt Lauer on NBC’s Today Show. Davis’ identity was then used to
obtain a $500 cash advance loan.

Li Ming, a graduate student at West Chester University of Pennsylvania, faked his own
death, complete with a forged obituary in his local paper. Nine months later, Li attempted to
obtain a new driver’s license with the intention of eventually applying for new credit cards.

Section 66D – Punishment for cheating by impersonation by using computer resource

Relevant Case: Sandeep Vaghese v/s State of Kerala

On a complaint filed by the representative of a company engaged in the business of
trading and distribution of petrochemicals in India and overseas, a crime was registered
against nine persons, alleging offenses under Sections 65, 66, 66A, 66C and 66D of the
Information Technology Act along with Sections 419 and 420 of the Indian Penal Code. The
company has a website in the name and style ‘www.jaypolychem.com’, but another website,
‘www.jayplychem.org’, was set up on the internet by the first accused, Samdeep Varghese @ Sam
(who had been dismissed from the company), in conspiracy with other accused, including Preeti
and Charanjeet Singh, the sister and brother-in-law of ‘Sam’. Defamatory and malicious
matters about the company and its directors were made available on that website. The accused
sister and brother-in-law were based in Cochin and had been acting in collusion with known
and unknown persons, who collectively cheated the company and committed acts of
forgery, impersonation etc. Two of the accused, Amardeep Singh and Rahul, had visited Delhi
and Cochin. The first accused and others sent e-mails from fake e-mail accounts of many of the
customers, suppliers, bank etc. to malign the name and image of the company and its directors.
The defamation campaign run by all the persons named above caused immense damage to the
name and reputation of the company.

The company suffered losses of several crores of rupees from producers, suppliers and
customers and was unable to do business.

Section 66E – Punishment for violation of privacy

Relevant Cases:

Jawaharlal Nehru University MMS scandal: In a severe shock to the prestigious and
renowned institute, Jawaharlal Nehru University, a pornographic MMS clip was apparently
made on the campus and transmitted outside the university. Some media reports claimed that
the two accused students initially tried to extort money from the girl in the video, but when they
failed the culprits put the video out on mobile phones and on the internet, and even sold it as a CD
in the blue film market.

Nagpur Congress leader’s son MMS scandal: On January 05, 2012, Nagpur Police arrested
two engineering students, one of them the son of a Congress leader, for harassing a 16-year-old
girl by circulating an MMS clip of their sexual acts. According to the Nagpur (rural) police, the
girl was in a relationship with Mithilesh Gajbhiye, 19, son of Yashodha Dhanraj Gajbhiye, a zila
parishad member and an influential Congress leader of the Saoner region in Nagpur district.

Fraud Investigation

· Generation and/or reconciliation of report

· Identification/retrieval of evidence and missing records on computer system

· Conducting of computer forensics analysis

Summary
· The term “occupational fraud” is defined as: “the use of one’s occupation for personal
enrichment through the deliberate misuse or misapplication of the employing
organization’s resources or assets.”

· Types of frauds are Corporate Fraud, Publishing false information, Public Sector
Fraud, Investment fraud, Share scams (boiler room fraud), Recovery Room Fraud,
Other Investment fraud, Bribery and corruption.

Check your answers


· The term ……………………………… is defined as: “the use of one’s occupation for
personal enrichment through the deliberate misuse or misapplication of the employing
organization’s resources or assets.”

· Types of frauds are ………………, ……………….., ……………………………,
……………………. etc.


MODEL QUESTION PAPER

M.SC CYBER FORENSICS AND INFORMATION SECURITY

FIRST YEAR- FIRST SEMESTER

ELECTIVE PAPER-I

FORMS OF CYBER CRIMES

Time: 3 hours                                                        Maximum: 80

Section-A

Answer any 10 of the following in 50 words each (10 x 2 = 20)

1. What is Cyber space?

2. What is cybercrime?

3. Human element vs. technology element with respect to cybercrimes.

4. List down the different types of insiders.

5. What is data espionage?

6. What is cyber terrorism?

7. What are the emerging characteristics of cybercrimes?

8. Who are cyber criminals?

9. Who is a whistleblower?

10. What is denial of service?

11. Define ransomware.

12. What are the types of credit/debit cards?



Section-B

Answer any five of the following in 250 words each (5 x 6 = 30)

1. Explain the characteristics of a hacker and a cracker.

2. Write short notes on the evolution of cybercrimes.

3. What are the impacts of cybercrimes?

4. Define virus, worm and trojan. List down the mode of distribution of each.

5. Describe botnet architecture.

6. What are spam and scam? Give examples.

Section-C

Answer any THREE questions in about 500 words each (3 x 10 = 30)

1. What is malware? What are the different types of malware? List down notable malware
in a timeline.

2. What is fraud? What are the different types of telecom frauds? Give examples.

3. Explain the various types of payment card frauds. What are the countermeasures?

4. What is ecommerce fraud? What are the different types of ecommerce frauds? Give
examples.

5. What are IT frauds? What are the key indicators of IT frauds? Give examples.
