POSTGRADUATE COURSE
M.Sc., Cyber Forensics and Information Security
FIRST YEAR
FIRST SEMESTER
ELECTIVE PAPER - I
WELCOME
Warm Greetings.
I invite you to join the CBCS in Semester System to gain rich knowledge leisurely at
your will and wish. Choose the right courses at the right times so as to erect your flag of
success. We always encourage and enlighten to excel and empower. We are the cross
bearers to make you a torch bearer to have a bright future.
DIRECTOR
M.Sc., Cyber Forensics and Information Security
FIRST YEAR - FIRST SEMESTER
ELECTIVE PAPER - I: FORMS OF CYBER CRIMES
Dr. N. Kala
Director i/c,
Centre for Cyber Forensics and Information Security
University of Madras, Chepauk,
Chennai – 600 005.
Dr. S. Thenmozhi
Associate Professor
Department of Psychology
Institute of Distance Education
University of Madras
Chepauk, Chennai - 600 005.
Unit 1: Cyber Crime – Introduction – History and Development – Definition, Nature and
Extent of Cyber Crimes in India and other countries – Classification of Cyber Crimes –
Trends in Cyber Crimes across the world.
Unit 2: Forms of Cyber Crimes, Frauds – hacking, cracking, DoS – viruses, worms,
bombs, logic bombs, time bombs, email bombing, data diddling, salami attacks, phishing,
steganography, cyber stalking, spoofing, pornography, defamation, computer vandalism,
cyber terrorism, cyber warfare, crimes in social media, malware, adware, scareware,
ransomware, social engineering, credit card frauds & financial frauds, telecom frauds.
Cloud based crimes – understanding fraudulent behaviour, fraud triangle, fraud detection
techniques, Intellectual Property Rights and Violation of Intellectual Property Rights,
Ecommerce Frauds and other forms.
Lesson 1: Introduction (page 1)
Lesson 4: Evolution of Cybercrimes (page 66)
Lesson 6: Cyber Criminals (page 83)
Lesson 7: Motives of Cybercriminals (page 98)
Lesson 11: SPAM (page 166)
Lesson 12: SCAMS (page 175)
LESSON - 1
INTRODUCTION
Learning Objectives
1. its definition
2. its classification
Structure
1.1 Introduction
1.2 Crime
1.4 Summary
1.1. Introduction
In this lesson we discuss crimes, the types of crimes and an overview of cyber crimes.
1.2. Crime
Crime is the commission or omission of an act which constitutes an offence and is
punishable by law.
The state has the power to severely restrict one's liberty for committing a crime.
Traces of materials, known as physical evidence, are found at the scene of the crime
and act as potent clues that subsequently become the most eloquent witness.
If a criminal is found guilty, the person who has committed the offence may be
sentenced depending upon the crime and must undergo imprisonment according to the
law of the land.
There are different types of crimes. People will react to each type of crime differently.
Table 1.1 depicts the various types of crimes with a brief description noted against each.
The term cyberspace was initially introduced by William Gibson in his 1984 book,
“Neuromancer.” Gibson criticized the term in later years, calling it “evocative and essentially
meaningless.” Nevertheless, the term is still widely used to describe any facility or feature that
is linked to the Internet.
share information,
interact,
swap ideas,
play games,
Cyberspace has gained popularity as a medium for social interaction rather than for its
technical execution and implementation.
Cyberspace's core feature is an interactive, virtual environment for a broad range of
participants. Technically it is a large computer network made up of many worldwide computer
networks that employ the Transmission Control Protocol/Internet Protocol (TCP/IP) suite for
communication and data exchange.
Cyberspace has transformed the global economy in a phenomenal way. The scale of its
usage and the growing acceptance of the internet demonstrate a global obsession that has
made the internet an intrinsic and compelling part of society's day to day activities.
email,
chat,
social networking,
internet banking,
gaming,
travel tickets,
and so on only reflect that society has undergone a paradigm shift from citizens to netizens.
The Internet has grown beyond imagination; the World Wide Web, conceived by Tim
Berners-Lee in 1989 as the most significant technological advancement built on it, has turned
the world into a global village. Digital communication and interaction now reach nearly two
thirds of the world population. This has brought change to society, with significant impact on
business, critical infrastructure and fundamental aspects of modern life.
Driving license,
Land records,
Banking transactions,
Credit Cards,
Railway reservation,
Passport issuance,
Immigration control
and many more are now administered electronically. Citizens are gradually becoming
dependent on computers, networks and the like, and are transforming into netizens.
A recent study examined the dependence of youth on the internet. Its outcome was that
75% of the youth surveyed, in the age group of 16 to 24 years, felt they could not survive
without the internet. Despite the useful advancement of technology, the internet provides ample
opportunity for unscrupulous individuals to perform undesirable activities, enabled by the ease
of access, open nature and increased anonymity of the virtual world.
Any deviant behaviour with malicious intent leads to crime in cyberspace. Since the
risks and vulnerabilities are becoming more and more sophisticated, there is an ever
increasing need to create new knowledge and to understand the new risks, interactions,
probabilities and costs of such operations so as to tackle cyber crime with scientific fervour. In
this connection, studying cyber crime from an e-governance perspective is the need of the hour.
It is important to note that cyberspace spans not only state but also national boundaries.
Cyber crime is going to be a major problem for any country's law enforcement. These
crimes have no clearly definable geographic boundaries; they transcend the borders of states
and nations, since their physical area is whatever is accessible over computer and
telecommunication networks across the globe within milliseconds. Hence, it is difficult to enforce
regulations, because laws differ from country to country.
The growth of the Internet and its proliferation worldwide have increased the need for
conducting cyber crime investigations through efficient and meticulous cyber forensics. Extensive
knowledge and skill in computer technology is required of police, the judiciary, lawyers, forensic
experts, private investigators and network administrators to counter this menace, through
effective training, the creation of specialized units, necessary legislation and international
co-operation. These are some of the steps that require the immediate attention of all
governments in the world.
Global internet usage has risen by over two billion people over a span of ten years.
Foreign intelligence organizations are working to acquire the capacity to disrupt elements of
the critical information infrastructure, on both unclassified and classified networks.
Computers can be used to commit crimes, and crimes can be recorded on computers,
including violation of company policies, records of embezzlement, email harassment, leaks of
proprietary information, murder and even terrorism.
The tools and techniques used by cyber criminals are increasing in sophistication at an
incredible rate. Beyond government activities, cyber criminals can control botnets with millions
of infected hosts, whether the goal is monetary, access to intellectual property, or disruption of
critical infrastructure systems.
Cyber forensics serves two purposes. One is to prevent the occurrence of cyber crime in
vulnerable institutions that require protection from loss, pilferage and mishandling through
accidental or intentional manipulation; the other is the detection and documentation of cyber
crimes through a disciplined methodology. The discipline relates to law, especially the criminal
and civil laws that are enforced by law enforcement agencies in the criminal justice system.
Computer forensics is the preservation, identification, extraction and documentation of
computer evidence stored as data or magnetically encoded information. The computer
operating system invariably leaves behind such evidence transparently, without the knowledge
of the computer user, and it may be hidden from view.
Special forensic software tools and techniques are required in order to recognize and
retrieve such evidence. Computer forensics involves obtaining and analyzing such digital
information for use in civil, criminal or administrative cases. Digital evidence was not considered
tangible evidence in courts until recently, but it is now gaining importance.
During the 10th United Nations Congress on the Prevention of Crime and the Treatment
of Offenders, two definitions were developed within a related workshop. Cybercrime in a narrow
sense (computer crime) covers:
"any illegal behaviour directed by means of electronic operations that target the security
of computer systems and the data processed by them."
Cybercrime in a broader sense (computer-related crime) covers:
"any illegal behaviour committed by means of, or in relation to, a computer system or
network, including such crimes as illegal possession and offering or distributing information by
means of a computer system or network."
The simple definition of cyber crime is "crimes directed at a computer or a computer system".
The author of that definition further notes that the nature of cyber crime is far more complex,
as it can take the form of simple snooping into a computer system for which we have no
authorization, the release of a computer virus into the wild, malicious vandalism by a
disgruntled employee, or theft of data, money or sensitive information using a computer system.
Cyber crimes may be generally classified as violent cyber crimes and non-violent cyber
crimes. This has been portrayed in the Figure1.1 as detailed below:
Table 1.3 given below details the types of non-violent cyber crimes and its types
5 Malware: adware, spyware, scareware, scumware (row 5 of Table 1.3)
Figure 1.2 portrays the geographical distribution of data breaches ranked by share of
attacks, country-wise, as reported by Trustwave in their security threat report of 2017.
According to this report, 43% of attacks were recorded in North America, followed by Asia
Pacific (30%), Europe and the Middle East (24%) and Latin America and the Caribbean (4%).
Figure 1.3 shows the amount of damage caused by cyber crime reported to the Internet
Crime Complaint Center (IC3) from 2001 to 2016. In the last reported period, the annual loss
from complaints referred to the IC3 amounted to 1.33 billion U.S. dollars, up from 781.84 million
U.S. dollars in 2013. The most costly consequences of cyber attacks for global companies in
2016 were losses through business disruption and information loss. In that year, the majority
of data breach incidents were related to identity theft, followed by financial and account access.
Figure 1.3: The amount of damage caused by cyber crime reported to the IC3 from
2001 to 2016
India is becoming a digital country. With the Digital India initiatives gaining momentum,
more and more people are moving to digital transactions. Cyber crime is also on the rise in
India. Table 1.4 represents the cyber attack surface based on various factors during 2015 and
the respective projections for the year 2020.
(mn = million)
Figure 1.4 represents the attack surface based on these factors: growth in population, in
the number of internet users, in the number of mobile phone/smart phone users and in the
number of digital transactions. The numbers are in millions. Because of the anonymity of the
internet, many innocent victims are targeted. Attacks on computers are fewer than attacks on
mobile/smart phone users; attackers target mobile transactions and cause damage to
individuals' financial resources.
Several factors influence the growth of criminals on the internet and the rate of cyber
crime. They include:
Unlike traditional crime, there is no need to be physically present at the crime scene.
Lack of awareness among the users of computer systems, networks and mobile
devices.
Multiple terrorist and cyber attacks on public transportation systems were executed
successfully between 2016 and 2017. Many ransomware attacks during 2017 are
believed to have been used for reconnaissance: to assess and test reach, effectiveness
and response rates, and to validate attack and distribution targets and methods.
Many of these attacks are beta tests of new automated exploits that use weaponized
National Security Agency (NSA) tools and other Artificial Intelligence (AI) code bases.
Figure 1.5 portrays the year-wise growth of ransomware exploits and clearly
indicates the staggering rise in the number of attacks.
These organizations leverage the intelligence gathered from these beta tests and
reconnaissance missions to launch very thoughtful, targeted and highly orchestrated
attacks against executives, high profile media personalities, corporations and
organizations that provide critical infrastructure.
These attacks have evolved from basic counterfeiting, coercion, financial and business
fraud and theft into complex, well planned and orchestrated physical and cyber attacks that
are used to disrupt business processes, or to create counterfeit, fraudulent business processes
within companies and on the web in order to steal payments or customer, employee, supplier
and partner information, or to gain access to critical systems or to finance and banking accounts.
While these attacks are not new, we believe these attacks will expand across industries and
market segments and will grow exponentially to include online business and brandjacking attacks.
With immature online brand and product-service validation and verification processes and
standards across websites, exchanges, marketplaces, social media and ecommerce platforms,
it is easy to demonstrate the setting up and launching of counterfeit corporate websites,
webpages and social media brands for brandjacking purposes. Figure 1.7 represents how
cyber criminals hijack business processes and compromise enterprises.
Business process compromise is generally achieved through social engineering.
Figure 1.8 illustrates the process of social engineering, the non-technical way of gathering
information, followed by hacking. It involves stages such as intelligence gathering, point of
entry, communication through command and control, lateral movement, maintenance, data
exfiltration and data peddling.
Approximately 3 billion US dollars are lost to business email compromise. Figure 1.9
illustrates the top five countries affected in 2016-17, namely the United States of America, the
United Kingdom, Hong Kong, Japan and Brazil. The personnel targeted include CFOs (40.38%),
Directors (9.62%), Financial Controllers (5.77%), Finance Directors (3.85%) and others (36.53%).
The Digital India Programme launched by the Government of India, which aims to provide
government services digitally and promote digital literacy, besides building secure digital
infrastructure for the country, is driving this transformation.
Digital payments have also seen an upsurge, with mobile banking transactions alone
growing threefold since 2014. It is envisaged that with these initiatives in place, India’s digital
economy will grow from 270 billion USD to around 1 trillion USD in the next 5–7 years.
However, this is also opening up gaps which adversaries can exploit to deprive us of the
benefits of digital technologies. The number of incidents reported by the Indian Computer
Emergency Response Team (CERT-In) was 27,482 till June 2017.
Cyber attacks can deliver economic blows, derail India from its projected growth trajectory
and worsen relations with our neighbors, unleashing a state of anarchy. Considering both the
benefits of technology and the need to safeguard against cyber attacks, it is imperative for a
growing digital economy like India to focus on cyber security and build a cyber-resilient
environment.
India has taken some initiatives to strengthen its cyberspace. These include awareness
programmes; efforts to create a strong policy environment, strengthen security monitoring
capabilities and foster international cooperation; and research and development to promote
cyber security. Some of the key initiatives are listed below:
1. National Cyber Security Policy: The policy provides the vision and strategic direction
to protect the national cyberspace. The policy was released in 2013.
2. National Cyber Security Coordination Centre (NCCC): The NCCC will perform real-
time threat assessment and create situational awareness of potential cyberthreats to the country.
It was made operational in August 2017.
4. Cyber Swachhta Kendra: Launched in early 2017, the Cyber Swachhta Kendra provides
a platform for users to analyse and clean their systems of various viruses, bots/ malware,
Trojans, etc.
6. Promoting research and development: To promote cyber security across the nation,
the government has initiated a programme to offer a public grant worth 1000 crore INR to
companies responsible for innovation and research in cyber security.
7. Sectoral and state CERTs: The government has launched sectoral CERTs, starting
with critical sectors such as power and finance. Further, the government plans to launch
CERTs at the state level.
8. Security testing: There are plans to set up ten additional Standardization, Testing and
Quality Certification (STQC) testing facilities across the country for the evaluation and certification
of IT products.
Summary
Crime is the commission or omission of an act which constitutes an offence and is
punishable by law. It is a harmful act against people, property and the nation.
Cyberspace refers to the virtual computer world and, more specifically, is an
electronic medium used to form a global computer network to facilitate online
communication.
Cyber crime is defined as any illegal behaviour committed by means of, or in relation
to, a computer system or network, including such crimes as illegal possession and
offering or distributing information by means of a computer system or network. It is
also defined as any illegal behaviour directed by means of electronic operations
that target the security of computer systems and the data processed by them.
Cyber crimes may be generally classified as violent cyber crimes and non-violent
cyber crimes. The internet is the medium for committing cyber crime, using a computer
or network as a tool, as a target, or for purposes incidental to a crime.
Potentially violent crimes include cyber terrorism, cyber warfare, cyber stalking,
pornography, child pornography, hacking, viruses, worms and Trojans, malware,
scareware and ransomware. Non-violent cyber crimes involve cyber trespass,
password cracking, cyber theft, cyber fraud, malware, junk mail and steganography.
Reference
1. https://www.statista.com/topics/2588/us-consumers-and-cyber-crime/
2. https://www.terraverdeservices.com/risk-management/2018-cyber-attack-trends-and-industry-predictions/
3. https://en.wikipedia.org/wiki/Cyberspace
4. https://whatis.techtarget.com/definition/command-and-control-server-CC-server
LESSON - 2
HUMAN ELEMENT AND TECHNOLOGY ELEMENT
Learning Objectives
Structure
2.1 Introduction
2.4 Summary
2.1 Introduction
The word 'threat' in information security means anyone or anything that poses danger to
the information, the computing resources, users or data. The threat can be from 'insiders' who
are within the organization, or from 'outsiders' who are outside the organization. Studies show
that 80% of security incidents come from insiders.
When most organizations envisage the cyber threats and cyber crimes that could cause
them the most damage, they immediately think of external threats, because of the attention
commonly paid to external entities such as foreign governments, outside adversaries,
competitors or organized crime that target and attack organizations. However, the threat could
equally be an insider. For cybercrime to occur there is both a human element and a technical
element.
Computer based crimes are basically of two kinds: Type I and Type II.
2. Facilitated by crimeware programs such as keyloggers, Trojans, viruses and rootkits
installed on the user's computer system.
Examples of this type of cyber crime include, but are not limited to, phishing attempts,
theft or manipulation of data or services via hacking, identity theft and ecommerce fraud
based on stolen credentials.
Type II cyber crime on the other end of the spectrum includes but is not limited to activities
such as cyber stalking and harassment, child predation, extortion, blackmail, stock market
manipulation, complex corporate espionage, planning or carrying out terrorist activities online.
Cyber stalking for example is a case of cyber crime. Such crimes are by necessity a form
of cybercrime because the computing element fundamentally changes the scope of the crime
even though the cyber element may be quite weak. Areas defined as Cybercrime are very
broad in nature – some crimes have only a peripheral cyber element whereas others exists only
in the virtual world.
2.1.3. Crimeware/Malware
Table.2.1: Examples of different cyber crime by type and the crimeware used
Cybercrime is a type of crime that involves the abuse of information technology. The term
cybercrime covers a series of crimes which range from cyber terrorism to industrial espionage.
There are two categories of cyber crime, differentiated in terms of how the attack has
taken place:
When most organizations perform risk analysis and look at threats, they often immediately
focus on external threats. The media and cyber professionals often overhype foreign adversaries,
competitors and organized crime as the main source of concern; however, it is important to
understand which threat causes the most damage to an organization: the insider threat.
information, potentially for poaching or recruiting purposes. On the other hand, there are also
cases of disgruntled employees with access to servers and confidential information who
steal intellectual property in order to carry out a personal vendetta.
While some internal threats lack intention, in other words the employee acted in such a
way that sensitive data was accidentally compromised, the effect is the same regardless.
Quite often, insider threats are just as problematic in terms of lost data and other
repercussions. It is difficult for organizations to detect the insider threat. But by gaining better
visibility into traffic flow, properly controlling access to critical information and monitoring user
activity, proper protection against the insider threat can be implemented.
The challenge with an insider email attack is that it is very easy to perform and very hard
to detect. The user has no idea that he has been compromised because this type of attack
bypasses most traditional endpoint and network security devices. This is why organizations,
can often be compromised for more than a year and not realize it.
The majority of external attacks are carried out to steal confidential information through
the use of malware such as worms and Trojan horses, or through phishing. Some groups such
as 'Anonymous' carry out attacks against governments and corporations for a variety of
reasons, often to teach them a social or moral lesson. While your business might not be a
target for Anonymous, it is still a target for other cyber intruders. The most common external
attacks target customer data held by companies, as this personal information has a price tag
on the dark web, and stealing data is an easy way to make a living.
While network security devices are important and play a key role in defense in depth,
effective security also includes studying and acting on user behaviour. There are distinct
differences between legitimate, authorized behaviour and unauthorized activity. By closely
understanding and tracking user behaviour, anomalies can be detected and the amount of
damage caused by an insider threat can be controlled.
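The paragraph above says that anomalies become visible once user behaviour is tracked against what is normal for that user. The following is an added example, not code from the lesson or from any product, of the simplest form of that idea: learn a per-user baseline from a week of file-access audit lines, then flag later events that fall outside it. The log format, the users alice and bob, and every log line are constructed for this example.

```python
"""Added example: baseline-and-deviation check over constructed access-audit lines.

The log format, the user names and every line below are constructed for this
example; they do not come from any real product or incident.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: a "normal" week used to learn what each user usually does.
BASELINE_LOG = """\
2018-03-01T09:12:00 user=alice action=read resource=/finance/q1.xlsx bytes=20480
2018-03-01T10:40:00 user=alice action=read resource=/finance/budget.xlsx bytes=15360
2018-03-02T09:05:00 user=alice action=read resource=/finance/q1.xlsx bytes=20480
2018-03-02T14:22:00 user=alice action=write resource=/finance/budget.xlsx bytes=16384
2018-03-01T11:00:00 user=bob action=read resource=/eng/design.pdf bytes=512000
2018-03-02T11:30:00 user=bob action=read resource=/eng/specs.docx bytes=40960
"""

# Constructed lines to be checked against that baseline.
NEW_LOG = """\
2018-03-05T09:30:00 user=alice action=read resource=/finance/q1.xlsx bytes=20480
2018-03-05T23:48:00 user=bob action=read resource=/hr/salaries.xlsx bytes=30720
2018-03-05T23:51:00 user=bob action=read resource=/finance/q1.xlsx bytes=20480
2018-03-05T23:55:00 user=bob action=read resource=/eng/design.pdf bytes=5120000
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) bytes=(?P<bytes>\d+)$"
)


def parse(log_text):
    """Turn audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def share_of(resource):
    """Top-level share of a path, e.g. '/finance/q1.xlsx' -> 'finance'."""
    return resource.strip("/").split("/")[0]


def build_baseline(events):
    """Per-user profile: hours of day seen, shares touched, largest single transfer."""
    profiles = defaultdict(lambda: {"hours": set(), "shares": set(), "max_bytes": 0})
    for ev in events:
        p = profiles[ev["user"]]
        p["hours"].add(ev["ts"].hour)
        p["shares"].add(share_of(ev["resource"]))
        p["max_bytes"] = max(p["max_bytes"], ev["bytes"])
    return profiles


def detect_anomalies(profiles, events, hour_slack=2, volume_factor=5):
    """Flag events that deviate from the user's own baseline.

    Three deviations are checked: activity outside the user's usual hours
    (plus or minus hour_slack), first access to a share the user never touched,
    and a single transfer more than volume_factor times the user's previous max.
    """
    findings = []
    for ev in events:
        p = profiles.get(ev["user"])
        reasons = []
        if p is None:
            reasons.append("no baseline for user")
        else:
            lo, hi = min(p["hours"]) - hour_slack, max(p["hours"]) + hour_slack
            if not lo <= ev["ts"].hour <= hi:
                reasons.append("off-hours access (hour %d)" % ev["ts"].hour)
            share = share_of(ev["resource"])
            if share not in p["shares"]:
                reasons.append("first access to share '%s'" % share)
            if p["max_bytes"] and ev["bytes"] > volume_factor * p["max_bytes"]:
                reasons.append("transfer %.1fx baseline max" % (ev["bytes"] / p["max_bytes"]))
        if reasons:
            findings.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                             "resource": ev["resource"], "reasons": reasons})
    return findings


def run():
    """Learn from BASELINE_LOG, check NEW_LOG, return the flagged events."""
    profiles = build_baseline(parse(BASELINE_LOG))
    return detect_anomalies(profiles, parse(NEW_LOG))


if __name__ == "__main__":
    for f in run():
        print(f["ts"], f["user"], f["resource"], "; ".join(f["reasons"]))
```

On the constructed data, alice's daytime read of her usual finance share raises nothing, while bob's three late-night events are each flagged: two for touching shares (hr, finance) he never used before, and the last for pulling ten times more data than his largest previous transfer. The thresholds (two hours of slack, a 5x volume factor) are assumptions to be tuned per environment; the point is that each user is compared with his own history rather than with a global rule.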
Data is no longer just an IT asset; it’s a core strategic asset, and some types of data are
more valuable than others. Confidential business information, which encompasses company
financials along with customer and employee data, is a highly strategic asset and equally a
high-value target. Again this year, confidential business information (57%) takes the top spot
as the asset most vulnerable to insider attacks, followed by privileged account information (52%)
and sensitive personal information (49%). This is illustrated in Figure 2.3 (Cyber Security
Insider Threat Report, 2018).
Quite often, the term insider threat is associated with malicious, disgruntled employees
who intend to directly harm, steal or sabotage the organization's information assets. Breaches
may equally be caused by employees who are unintentionally negligent, which accounts for a
similarly high number of security breaches and leaks by accident.
Ninety percent of organizations report feeling vulnerable to insider attacks. The main
enabling risk factors include too many users with excessive access privileges, an increasing
number of devices with access to sensitive data, and the increasing complexity of information
technology.
A majority (53%) confirmed insider attacks against their organization in the previous 12
months (typically fewer than five attacks). Twenty seven percent of organizations say insider
attacks have become more frequent.
Organizations are shifting their focus on detection of insider threats (64%), followed by
deterrence methods (58%) and analysis and post breach forensics (49%). The use of behaviour
monitoring is accelerating; 94% of organizations deploy some method of monitoring users and
93% monitor access to sensitive data.
The most popular technologies used to deter insider threat are data loss prevention (DLP),
encryption and identity and access management solutions. To better detect active insider threats,
companies deploy intrusion detection and prevention (IDS/IPS), log management and Security
Incident Event Management (SIEM) platforms.
The vast majority (86%) of organizations already have or are building an insider threat
program. Thirty six percent have a formal program in place to respond to insider attacks, while
50% are focused on developing their program.
According to the 2018 survey report, organizations are as concerned about accidental/
unintentional data breaches (51%) through user carelessness, negligence or compromised
credentials as they are about deliberate malicious insiders (47%). This is illustrated in Figure
2.4.
Figure 2.4: What type of insider are organizations concerned about?
(legend: Malicious/deliberate insider; Accidental/unintentional insider)
When most people think of an insider threat, they immediately think of the malicious
insider. This is someone who deliberately causes harm to an organization. Examples include
Edward Snowden and Aldrich Ames, who were deliberate, malicious insiders working as a
contractor and employee, respectively, for the United States government.
Security professionals have a unique responsibility to detect, counter and respond to cyber
attacks. The challenge increases if the threats come from within the organization, especially
from trusted and authorized users. It becomes tougher to detect whether privileged users are
doing their job or something illegal or unethical.
The survey further explores the types of insiders who pose a threat to the organization.
The results indicate that both regular employees (56%) and privileged IT users (55%) pose
the biggest insider security threat to organizations, followed by contractors (42%). This is
illustrated in Figure 2.5.
Figure 2.5: What type(s) of insiders pose the biggest security risk to organizations?
(Source: Insider Threat Report, 2018, CA Technologies)
Further the survey identifies different IT assets that are more vulnerable to insider attack
as Data bases, File Servers, Cloud applications, Cloud infrastructure, Endpoints, Networks,
Active Directory, Business Applications and Mobile Devices. Amidst these most targeted assets
are Databases and File servers. The same is illustrated in the Figure 2.6.
An accidental insider is someone who is tricked or manipulated into doing something that
ultimately harms the organization. Some people further categorize the accidental insider threats
into “the infiltrator” and “the ignorant insider.” The infiltrator situation occurs when an adversary
accesses a user’s system or steals credentials to gain access to a system. The ignorant insider
is a situation that occurs when an adversary convinces the user to click on a link or open an
attachment, which ultimately causes the user’s system to be compromised. Since both cases
are caused by a user action that ultimately results in a system or account being compromised,
we group these types of threats together.
Organizations further recognize different types of insiders. The following table 2.2 includes
the type of insiders and their characteristics.
External threats, or cybercrimes in the traditional sense, are caused by attackers/hackers
who scan the public IP address range of an organization to find visible systems. From there,
they identify the services listening on open ports, exploit a vulnerability and break into a system
that was believed to be protected. They can then move into additional areas of the organization,
causing more damage.
Cyber attacks are generally aimed at targets that offer high publicity value on the one hand,
or on which a serious loss can be inflicted on the other. The phases involved in the attack
methodology are reconnaissance, information gathering, gaining access, maintaining access
and clearing tracks. Cyber attacks fall primarily into four categories: access based, modification
based, insertion based and repudiation based.
a) Access
An access attack is an attempt to gain information that the attacker is not authorized to
have. Such attacks occur wherever information exists, whether in a system, on a network or in
transit. The defining characteristic of this type of attack is that it is against the confidentiality of
the information. The sub-categories of access attack are snooping, eavesdropping and
interception.
These attacks take different forms depending on whether the information is stored on paper or
electronically in a computer system. Paper records require physical access; they are likely to be
found in filing cabinets, on desks, in fax machines, in printer trays and waste bins, and in long-term
storage.
Physical access is the key to reaching paper records. Electronic information, on the other hand,
may be held on desktop machines, servers, laptops, floppy disks, compact discs, DVDs, backup
tapes, zip disks, memory cards, pen drives and other external storage media. Sometimes the
physical medium itself is stolen. If the attacker has physical access to the system, the files in
question may simply be opened in the hope of finding something interesting. Properly configured
access controls prevent such unauthorized reading, so the attacker instead tries to elevate his
permissions. Unauthorized access of this kind is possible because of vulnerabilities in the system.
Snooping, eavesdropping and interception all fall under this type of attack.
Ø Eavesdropping: a passive attack in which the attacker listens to a conversation that he is
not a part of. To launch it, the attacker has to position himself where the information of
interest passes by, and it is usually done electronically. Examples: reading information held
on file servers, desktops, laptops or other storage media, or sent to a fax machine; capturing
information in transit over the internet or phone lines; and placing a system or listening
device on a wired or wireless network.
b) Modification
In an attack of this type, the attacker attempts to modify information that he is not authorized
to modify. It is an attack against the integrity of information and can be launched on standalone
systems, on information in transit and on the network itself.
Modification includes changes, insertion and deletion. If physical access is available, files can be
altered leaving little evidence. If it is not, the attacker first gains an initial, low level of access to
the system and then tries to escalate his privileges on the file, or to remove its permission
restrictions, before launching the modification.
Ø Changes: existing information is altered, so that information the organization already holds
is now incorrect.
Ø Insertion: information that did not previously exist is inserted, for example a falsified
historical record, or a transaction record inserted into a banking system so that funds are
transferred electronically to the attacker's account.
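The text notes that a modification can be made with little evidence. The following added example (not part of the course material) shows the check a defender would put in place: a ledger of constructed sample transactions is protected by a keyed HMAC. An unkeyed hash stored next to the data does not help, because an attacker with write access simply recomputes it after editing; a keyed digest cannot be recomputed without the key, so both the "changes" and "insertion" variants described above fail verification. The record format and the integrity key are assumptions for the example.

```python
"""Detecting a modification attack on a stored record (added example).

A plain hash detects accidental corruption, but an attacker who can rewrite
the file can also rewrite the hash. A keyed HMAC stored alongside the record
cannot be recomputed without the key, so a tampered record fails verification.
"""
import hashlib
import hmac
import json

# Constructed sample record: a small transfer ledger (format assumed, not from the text).
LEDGER = [
    {"id": 1, "from": "ACC-1001", "to": "ACC-2002", "amount": 250.00},
    {"id": 2, "from": "ACC-1001", "to": "ACC-3003", "amount": 75.50},
]

# Hypothetical integrity key held by the verifying system, never stored with the data.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical(records):
    """Serialise records deterministically so the digest is reproducible."""
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(records):
    """Unkeyed SHA-256 over the canonical form."""
    return hashlib.sha256(canonical(records)).hexdigest()


def keyed_digest(records, key=INTEGRITY_KEY):
    """HMAC-SHA256 over the canonical form; requires the secret key."""
    return hmac.new(key, canonical(records), hashlib.sha256).hexdigest()


def verify_plain(records, stored_hash):
    """Unkeyed check: anyone who can rewrite the file can also rewrite this hash."""
    return hmac.compare_digest(plain_digest(records), stored_hash)


def verify(records, stored_mac, key=INTEGRITY_KEY):
    """Keyed check, constant-time comparison; True only if records are unchanged."""
    return hmac.compare_digest(keyed_digest(records, key), stored_mac)


def attacker_tampers(records):
    """Simulate the 'changes' and 'insertion' variants described in the text."""
    tampered = [dict(r) for r in records]
    tampered[0]["amount"] = 2500.00                          # change an existing value
    tampered.append({"id": 3, "from": "ACC-1001",
                     "to": "ACC-ATTACKER", "amount": 9000.00})  # insert a new transfer
    return tampered


def demo():
    """Return which checks survive tampering; True in every field means the point holds."""
    original_mac = keyed_digest(LEDGER)
    tampered = attacker_tampers(LEDGER)
    # The attacker with write access overwrites the stored unkeyed hash as well:
    attacker_hash = plain_digest(tampered)
    return {
        "original_valid": verify(LEDGER, original_mac),
        "tampered_detected": not verify(tampered, original_mac),
        "hash_check_fooled": verify_plain(tampered, attacker_hash),
    }


if __name__ == "__main__":
    print(demo())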
c) Denial of Service
Denial-of-service (DoS) attacks deny authorized, legitimate users the use of a system, of
information or of a service. Launched over the network, a DoS attack deprives the user or
organization of resources or services that would otherwise be available. Denial of service falls
under three categories:
Ø Denial of access to a system: the system itself is attacked and brought down, so that the
system and the applications on it are unavailable and the information they hold is
inaccessible.
d) Repudiation
Repudiation attacks target the accountability of information, whereas access attacks target
confidentiality and modification attacks target integrity. A repudiation attack is an attempt to
deny that a transaction or event took place, or to give false information about it. Repudiation is
easy because documents created in electronic form and sent across a network often carry little
or no proof of the sender's identity; credit card transactions are particularly susceptible.
Repudiation falls under the following categories:
Summary
The word 'threat' in information security means anyone or anything that poses a danger to the
information, the computing resources, the users or the data. The threat can come from 'insiders'
within the organization or from 'outsiders' outside it.
Two types of computer-based crime exist: Type I and Type II cyber crimes.
The technology element of cyber crime involves the use of technology to commit the crime, for
example by means of malicious software.
LESSON - 3
BROAD CLASSIFICATION OF CYBER CRIMES
Learning Objectives
Data Espionage
Illegal Interception
Data interference
System Interference
Copyright
Trademark
Identity theft
Misuse of devices
Cyber Terrorism
Cyber Warfare
Phishing
Structure
3.1 Offences against the CIA Triad
3.3.1 Copyright
3.3.2 Trademark
3.4.8 Phishing
The term “cybercrime” is used to cover a wide variety of criminal conduct. As recognized
crimes include a broad range of different offences, it is difficult to develop a typology or
classification system for cybercrime. One approach can be found in the Convention on
Cybercrime, which distinguishes between four different types of offences
(1) offences against the confidentiality, integrity and availability of computer data and
systems
The term hacking refers to unauthorized access to computer systems. With the growth of the
internet this offence has become a mass phenomenon. From a legal perspective there is no real
difference between "computer hackers" and "computer crackers": in a legal context both terms
describe persons who enter computer systems without right. The difference lies in motive. "Hacker"
is used for a person who explores the details of programmable systems without breaking the law,
while "cracker" is used for a person who breaks into computer systems in violation of the law
(International Telecommunication Union, 2009).
these criminals. The increase in hacking may be attributed to a lack of adequate protection of
computer systems and to the growing number of automated attack tools, such as botnets, which
let a single perpetrator target many computer systems from a single machine.
Data stored on private computers is also increasingly targeted. Such computers hold sensitive
information such as bank account details and credit card information, and the gathered data is
sold on to third parties.
Data espionage against business secrets is more profitable than espionage against private
individuals. Two approaches are used: accessing the computer or storage device directly and
extracting the information, or manipulating users into disclosing the information or the passcodes
that give the attacker access. Phishing, for example, has become a key crime in cyberspace: it
describes attempts to fraudulently acquire sensitive information such as PINs and passwords by
masquerading as a trustworthy person, business or financial institution in a seemingly official
electronic communication.
In this type of crime the perpetrators intercept communications between users, or data travelling
across the net, for example while a user uploads data to a server or accesses web-based external
storage; the exchange of information is recorded. Any communication infrastructure may be
targeted: a fixed line, a wireless link, or an internet service such as e-mail, chat or Voice over
Internet Protocol (VoIP). With the proliferation of wireless technology, hotels, restaurants and
similar premises offer internet access through wireless access points, and perpetrators can use
these access points to capture the data exchanged from anywhere within range. If the wireless
traffic is encrypted with a weak scheme, they may attempt to break the encryption. Perpetrators
also set up rogue access points of their own to capture data directly.
Attacks can also target computers and networks themselves, typically with computer worms or
denial-of-service attacks. Computer worms are self-replicating programs that harm computer
systems and networks. By attacking the availability of resources, perpetrators prevent users from
accessing systems, e-mail and so on; a DoS attack, for example, may leave services unavailable
for hours or days.
Spam refers to the use of electronic messaging systems to send unsolicited or unwanted messages
in bulk. Stopping spam is difficult because its economics are so compelling: while most would
agree that spamming is unethical, the cost of delivering a message via spam is next to nothing, so
if even a tiny percentage of targets respond, a campaign is economically successful.
E-mail is the most common channel. Spam sent through a single mail server is technically easy
to identify; spam distributed through a botnet, which spreads the same campaign across many
compromised machines, is far harder to analyse and to trace back to the criminals.
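The contrast between single-server spam and botnet spam is easiest to see in mail-gateway logs. The following added example (not from the course text) parses constructed log lines in an assumed format, where `fp` stands for a fingerprint of the normalised message body, and aggregates them two ways: counting per source IP catches the single spamming server, while grouping by content fingerprint still catches the same campaign when a botnet spreads it over many addresses that each stay under the per-IP threshold.

```python
"""Single-server versus botnet spam in gateway logs (added example).

Per-IP counting finds a server that sends in bulk. A botnet keeps every bot
below that threshold, so the campaign is only visible when messages are
grouped by a fingerprint of their content.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: one campaign from a single server (fp=c0ffee), one spread
# across five bots (fp=b07ne7), and two legitimate messages. Format is assumed.
LOG_LINES = """
2017-12-01T09:00:01 src=203.0.113.5 rcpt=a@example.org fp=c0ffee
2017-12-01T09:00:02 src=203.0.113.5 rcpt=b@example.org fp=c0ffee
2017-12-01T09:00:03 src=203.0.113.5 rcpt=c@example.org fp=c0ffee
2017-12-01T09:00:04 src=203.0.113.5 rcpt=d@example.org fp=c0ffee
2017-12-01T09:00:05 src=203.0.113.5 rcpt=e@example.org fp=c0ffee
2017-12-01T09:01:00 src=198.51.100.10 rcpt=f@example.org fp=b07ne7
2017-12-01T09:01:01 src=198.51.100.11 rcpt=g@example.org fp=b07ne7
2017-12-01T09:01:02 src=198.51.100.12 rcpt=h@example.org fp=b07ne7
2017-12-01T09:01:03 src=198.51.100.13 rcpt=i@example.org fp=b07ne7
2017-12-01T09:01:04 src=198.51.100.14 rcpt=j@example.org fp=b07ne7
2017-12-01T09:02:00 src=192.0.2.20 rcpt=k@example.org fp=1e6170
2017-12-01T09:03:00 src=192.0.2.21 rcpt=l@example.org fp=2e6171
""".strip().splitlines()

LINE_RE = re.compile(r"src=(?P<src>\S+) rcpt=(?P<rcpt>\S+) fp=(?P<fp>\S+)")
BULK_THRESHOLD = 5  # messages per window; a site-specific tuning value, assumed here


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def bulk_by_source(records, threshold=BULK_THRESHOLD):
    """Single-server spam: many messages from one sending IP."""
    per_ip = Counter(r["src"] for r in records)
    return {ip for ip, n in per_ip.items() if n >= threshold}


def bulk_by_fingerprint(records, threshold=BULK_THRESHOLD):
    """Campaign detection: the same content to many recipients, whatever the source."""
    sources = defaultdict(set)
    for r in records:
        sources[r["fp"]].add(r["src"])
    counts = Counter(r["fp"] for r in records)
    return {fp: sorted(sources[fp]) for fp, n in counts.items() if n >= threshold}


def analyse(lines):
    """Run both detectors; the botnet campaign appears only in 'campaigns'."""
    records = list(parse(lines))
    return {
        "bulk_sources": bulk_by_source(records),
        "campaigns": bulk_by_fingerprint(records),
    }


if __name__ == "__main__":
    print(analyse(LOG_LINES))
```

In the sample, the per-IP detector flags only 203.0.113.5; the fingerprint detector flags both campaigns and lists the five bot addresses behind b07ne7, which is the list an analyst would pass on for takedown.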
c. Other Offences
In addition to the above types: racism, hate speech, glorification of violence, religious offences,
libel and false information,
Copyright-protected songs, films and software are exchanged through file-sharing systems. The
basis of this copyright violation is the speed with which copies are made and the accuracy of the
reproduction: digital sources are duplicated without loss of quality. Another method is to
circumvent Digital Rights Management (DRM) systems. File sharing over peer-to-peer networks
lets users share files with millions of other users; once the file-sharing software is installed, users
can exchange any kind of computer data, including audio, video and software. Copies of movies
have appeared on file-sharing systems even before their official release.
Trade mark violations are similar to copyright violations. Many e-mails are sent to internet users
resembling e-mails from legitimate companies, including their trade marks; perpetrators use brand
names and trade marks fraudulently, as in phishing. Another type of trade mark violation is
domain-name related. Cybersquatting, for instance, is the registration of a domain name identical
or similar to a company's trade mark, with the aim of selling the domain for a high price. A related
offence, referred to here as domain hijacking, is the registration of domain names that have
accidentally lapsed, which the attackers then offer back to the original owner for a large sum.
One of the most popular computer-related frauds is to convince a large number of victims by
e-mail that they can make huge profits. The strategy is to keep each victim's financial loss below a
certain limit, so that victims do not file a complaint.
Example: Nigerian advance-fee fraud (a hypothetical scenario).
My dear friend,
Let me introduce myself. I am ............... I am the wife of the former president of
the Republic of .................. My husband died recently in a plane crash. While
going through his documents, I found that my husband has 10,000,000 US $ in a
secret account. I would like to transfer this money to my family that is living
in the US. Unfortunately, I am not able to transfer the money directly. I would
like to transfer 10,000,000 US $ to your account and ask if you could transfer
9,000,000 US $ to my family. The remaining 1,000,000 US $ will be for you. If
you agree, I would like to ask you to first transfer 10 $ to my account so
that I can verify your bank account information .....................
In this type of fraud the victim is asked to transfer money as an advance payment for
processing. Although this scam is very popular, it has no real technology component.
Auction Fraud
Online auction fraud is another popular category; it arises from the difficulty of distinguishing
genuine users from offenders. Examples are offering non-existent goods for sale and receiving
payment before delivery, or buying goods with no intention of paying. With the advent of the
internet, goods are purchased online, and auction fraud typically involves non-delivery of products
purchased online, or misrepresentation of a product advertised for sale. In a typical scheme the
seller, who resides in one place, pretends to be away from home for business, travel or family
reasons, sends the winning bidder a congratulatory e-mail and asks for the funds to be transferred
to another individual's account, usually via Western Union, bank transfer or MoneyGram. The victim
loses both the money, which is virtually unrecoverable, and the product. The demand for payment
is sometimes flexible, allowing the victim to send part of the money up front and the rest after
receipt of the product.
Auction Fraud: case studies
Indiatimes.com auction site: one person posted mobile phones for auction. Many participated
and won auctions; the money was to be paid into a bank account with ICICI. After payment nobody
received a delivery. Complaints to Indiatimes brought no remedy and the matter was reported to
the CBI. The account was traced to Madurai and the accused, a third-year engineering student
from Madurai, son of a contractor living in a posh area of the city, was arrested; the motive was
extra pocket money. Three charge sheets were filed; trial pending.
www.Baazee.com: ten Sony Ericsson P900 mobile phones were put up for auction by one seller
posing as a Sony Ericsson importer. Market price 40,000/-; offering price 15,000/-. Many users
placed bids; the seller supplied his bank account number and asked bidders to deposit money in
it. Bidders deposited the money but the mobiles were never delivered. The accused, a final-year
MBBS student in Bangalore and a Malaysian citizen from an affluent family, was traced and
arrested. He could not pass his exams and his family cut his pocket expenses, so he turned to
cheating people as an alternative source of income, later also selling laptops through
www.sulekha.com. Charge-sheeted.
Criminals often send out e-mails that look like legitimate e-mails from financial institutions,
designed so that it is difficult to recognise them as fake, and many victims disclose their personal
information during what they believe is an online transaction. Manipulation of documents has
always been attempted by criminals; with digital forgery, documents can now be manipulated
without any loss of quality, and proving digital manipulation is difficult for forensic experts.
Counterfeit Currencies
Law enforcement personnel suspected that computers had been used to prepare counterfeit
Indian currency, and the storage media had to be examined for evidence. The counterfeit notes
were printed using computers, scanners and specialized printers in conjunction with screen-printing
technology. High-resolution scanners and cameras reproduce the exact graphics found on the
currency, and high-quality printers reproduce its exact colours. A frequent practice of fraudsters
is to scan currency notes and then edit the images; the serial number panel is often altered by
generating random or sequential numbers for the series.
The term identity theft describes the criminal act of fraudulently obtaining and using another
person's identity. The offence generally has three phases:
1. In the first phase the offender obtains identity-related information, typically using crimeware
(malware) or phishing.
3. In the third phase the gathered information is used to commit further crimes, for example
preparing fake identity documents or committing credit card fraud.
The channels through which identities are stolen include people, mail, telephones, computers and
smartphones.
Dr. Jubal Yennie
In 2013 Ira Trey Queensberry III, an 18-year-old student of the Sullivan County School District
in Sullivan County, Tennessee, created a fake Twitter account using the name and likeness of
the district superintendent, Dr. Yennie. After Queensberry sent out a series of inappropriate
tweets from the account, the real Dr. Yennie contacted the police, who arrested the student for
identity theft.
Cyber crime can be committed with fairly basic equipment: committing an online fraud needs
nothing more than a computer and internet access and can be carried out from a public internet
café. More sophisticated offences, however, require specialized software tools, which are quite
often available as freeware. These include tools to launch denial-of-service attacks, to craft
viruses, worms and Trojans, to decrypt encrypted communications and to gain illegal access to
systems and networks. Automated tools that carry out multiple attacks within a short span of
time are also available, for example spam toolkits that send out bulk e-mail. Various international
legislative initiatives are being undertaken to address such crime tools.
The accused submitted 6,000 vouchers to prove the legitimacy of his trade and thought his
offence would go undetected, but careful scrutiny of the vouchers and the contents of his
computers revealed that all of them had been created after the raids were conducted. It later
emerged that the accused was running five businesses under the guise of one company and
used fake, computer-generated vouchers as sales records to evade tax.
In the 1990s the focus was on network-based attacks against critical infrastructure such as
energy supply, and on the use of information technology in such attacks. The situation changed
after the 9/11 attacks, in whose preparation the internet played a role. Today terrorists use
information and communication technology and the internet for propaganda, information
gathering, preparation of real-world attacks, publication of training material, communication,
terrorist financing and attacks against critical infrastructure.
Al Qaeda
Al Qaeda has deemed the Internet "a great medium for spreading the call of Jihad and
following the news of the mujahideen (Islamic warriors)." Thus, the Al Qaeda
operational manual Military Studies in the Jihad Against the Tyrants describes one of its
primary missions as "spreading rumors and writing statements that instigate people
against the enemy."
Parallel to the term cyber terrorism is the older term information warfare, defined as a planned
attack by nations or their agents against information and computer systems, computer programs
and data that results in enemy losses (Janczewski and Colarik, 2008).
“Information warfare specialists at the Pentagon estimate that a properly prepared and
well coordinated attack by fewer than 30 computer virtuosos or skillful persons strategically
located around the world, with a budget of less than $10 million, could bring the United States
to its knees.”
The recent WannaCry ransomware attack affected 150 countries and was based on collecting
ransom by encrypting the victims' computers. Many computers were affected, and the main
motive was to sabotage systems and networks; the attack occurred in three phases.
WannaCry
The WannaCry ransomware attack was a worldwide cyber attack by the WannaCry ransomware
cryptoworm, which targets computers running the Microsoft Windows operating system,
encrypting their data and demanding ransom payments in the Bitcoin cryptocurrency. It
affected 150 countries. The conflict type is recorded as interstate and the motive as sabotage.
Phase I appeared before 16 January 2017, Phase II in January 2017 and Phase III in May 2017.
The internet has transformed traditional money laundering techniques. Online financial services
worldwide provide fast transactions, and drug peddlers and organized criminals use computers
and networks to move money between partners through credit cards, internet banking, e-cash
and e-wallets (for example Visa Cash and the Mondex card), which together store billions of
dollars. Mobile banking and mobile commerce are growing, and this technology is an effective tool
in the hands of money launderers, who can transfer money with the click of a mouse. Criminals
exploit the anonymity of the internet to conceal the source of money, avoid detection by law
enforcement and cover their tracks, and the proceeds fund drug trafficking and extortion. Banks in
Cyprus, the Cayman Islands, Luxembourg and Switzerland are considered safe by launderers, as
are other financial institutions such as fund managers that facilitate electronic funds transfer. In
the current global scenario, the investigation of internet-based money laundering is made difficult
by the use of virtual currencies and online casinos.
3.4.8. Phishing
Phishing is a process in which users are misled, by a hyperlink that arrives by e-mail, onto a fake
website that steals important information such as credit card details and PINs while the victims
are using the internet. In other words, the attacker sends e-mail to customers falsely claiming to
be from a legitimate company, in the hope of enticing them to a spoofed website.
The spoofed website mimics the legitimate website for the sole purpose of stealing the customers'
personal information: customers are asked to 'update' details such as name, account number,
credit card number and PIN. According to the Anti-Phishing Working Group (APWG) Phishing
Activity Trends Report for the fourth quarter of 2017, 60,926 unique phishing sites were detected,
85,744 unique phishing e-mail reports (campaigns) were received, and some 268 brands were
targeted by phishing campaigns. The most targeted industry sectors in 2017 were software-as-a-
service (SaaS) providers and webmail providers, with increased attacks on financial and banking
targets as well as file hosting and file sharing sites. The report's fourth-quarter figures for
countries hosting phishing sites are illustrated in the table (monthly counts for the quarter; the
Q4 total is the row sum):

Country          Oct   Nov   Dec   Q4 total
Netherlands       26    47    67     140
Portugal          29    21    43      93
United Kingdom    25    15    48      88
Phishing
Phishing incidents were found on various platforms and hosting providers, including Facebook,
Google, Cloudflare, Amazon, WebsiteWelcome, local web services, OVH hosting, Universo Online
and other ISPs. Industry-wide phishing attacks are illustrated in Figure 3.2.
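The spoofed website described in this section is reached through a hyperlink whose visible text disagrees with its real destination. The following added example (not part of the course material) parses a constructed HTML e-mail and flags the indicators a mail filter or an analyst looks for: link text naming one domain while the href points to another, a raw IP address as the host, an internationalised (punycode) hostname that imitates a brand, and the brand name embedded in an untrusted registrable domain. The brand `examplebank.com`, the message contents and the two-label rule for the registrable domain are assumptions for the example.

```python
"""Flagging phishing links in an e-mail body (added example).

Indicators checked per anchor: displayed domain differs from the real target,
raw IP host, internationalised hostname, brand embedded in a foreign domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Hypothetical brand the recipient banks with (assumed).
LEGIT_DOMAINS = {"examplebank.com"}

# Constructed lookalike: a non-ASCII spelling encoded as punycode, as a browser would show it.
IDN_HOST = "examplebänk.com".encode("idna").decode("ascii")

# Constructed sample e-mail body; not a real message.
SAMPLE_EMAIL = f"""
<p>Dear customer, your account is locked.</p>
<a href="http://examplebank.com.verify-login.net/update">https://examplebank.com/login</a>
<a href="http://203.0.113.7/secure">Update your PIN</a>
<a href="https://examplebank.com/help">Help centre</a>
<a href="https://{IDN_HOST}/">examplebank.com</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels; adequate for .com-style names (no public-suffix list, assumed)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(href, text):
    """Return the list of phishing indicators for one link (empty if none)."""
    host = urlparse(href).hostname or ""
    reasons = []
    if is_ip(host):
        reasons.append("raw IP address in link")
    # Visible text that looks like a URL or domain but disagrees with the real target.
    shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    if "." in shown_host and registrable_domain(shown_host) != registrable_domain(host):
        reasons.append("displayed %s but links to %s" % (shown_host, host))
    try:
        decoded = host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        decoded = host
    if decoded != host:
        reasons.append("internationalised hostname %r" % decoded)
    # Brand appears somewhere in the name but the registrable domain is not the brand's.
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in host and registrable_domain(host) not in LEGIT_DOMAINS:
            reasons.append("brand '%s' embedded in untrusted domain %s" % (brand, host))
    return reasons


def scan_email(html):
    """Return [(href, reasons), ...] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, classify(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", reasons or "ok")
```

Only the genuine help-centre link comes back clean; the other three are flagged with the specific reason, which is what a user-facing warning or a quarantine rule would act on.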
Summary
Illegal access: the term hacking refers to unauthorized access to computer systems. With the
growth of the internet this offence has become a mass phenomenon. From a legal perspective
there is no real difference between "computer hackers" and "computer crackers".
Spam: the release of unsolicited bulk messages, most commonly by e-mail.
Copyright offences: copyright-protected songs, films and software are exchanged through
file-sharing systems.
Trademark offences: perpetrators use brand names and trade marks fraudulently, for example in
phishing.
Advance fee fraud: one of the most popular computer-related frauds is to convince a large number
of victims by e-mail that they can make huge profits.
Auction fraud: another popular category, arising from the difficulty of distinguishing genuine
users from offenders.
Identity theft: the criminal act of fraudulently obtaining and using another person's identity.
Misuse of devices: cyber crime can be committed with fairly basic equipment; committing an
online fraud needs nothing more than a computer and internet access and can be carried out
from a public internet café.
Cyber money laundering: the internet has transformed traditional money laundering techniques.
Online financial services provide fast transactions, and drug peddlers and organized criminals
use computers and networks to move money through credit cards, internet banking, e-cash and
e-wallets.
Phishing: a process in which users are misled, by a hyperlink that arrives by e-mail, onto a fake
website that steals information such as credit card details and PINs; the attacker sends e-mail
falsely claiming to be from a legitimate company in the hope of enticing customers to a spoofed
website.
References
1. https://socialnomics.net/2016/01/13/4-case-studies-in-fraud-social-media-and-identity-theft/
2. http://www.cyberralegalservices.com/detail-casestudies.php
3. http://gurgaon.haryanapolice.gov.in/citybankspoofing.htm
4. http://satheeshgnair.blogspot.com/2009/06/selected-case-studies-on-cyber-crime.html
5. https://www.tandfonline.com/doi/full/10.1080/1057610X.2016.1157403?src=recsys
7. https://www.valuewalk.com/2015/06/cyber-attacks-security-and-terrorism-case-studies/
8. http://web.mit.edu/smadnick/www/wp/2017-10.pdf
9. Anti-Phishing Working Group, Phishing Activity Trends Report, 4th Quarter 2017,
http://docs.apwg.org/reports/apwg_trends_report_q4_2017.pdf
LESSON - 4
EVOLUTION OF CYBERCRIMES
Learning Objectives
Evolution of Cybercrimes
Networked environment
Cybercrime worldwide
Cyber Preparedness
Summary
Structure
4.1. Evolution of cybercrimes
from the fact that up to the 1980s data and information were usually communicated through print
media, radio and television. The postal service carried business documents; in official
administration, letters and memos were typed and filed in cabinets. Bank customers had to visit
their branch in person to make deposits into or withdrawals from their accounts. The telephone
was the most prevalent method of communication, and hacking of phone systems (phreaking) was
the mainstream attack of the time.
In the 1990s, with the birth of the information superhighway, everything and everyone went
online; this may rightly be termed the network era. In the late 1990s organizations started to
invest in people, process and technology to reduce their risk of compromise. The introduction of
the tools NetBus, by Carl-Fredrik Neikter, and Back Orifice, by the hacker group Cult of the Dead
Cow (cDc), coupled with network vulnerabilities, allowed an attacker to control a victim's
computer over the internet for remote access, control and other detrimental activities. The
network became the most sought-after attack vector throughout this decade.
In the decade from 2000 onwards, industries began taking advantage of the productivity gains
offered by internet connectivity. Electronic mail became a handy tool for individuals and
businesses alike, and attacks on e-mail, software applications and wireless systems gained
prominence.
From 2010 onwards the cyber world has witnessed client-side, mobile and social networking
attacks in addition to the earlier physical, network, e-mail, application and wireless attacks, up to
the evolution of a new type of attack, bots. Figure 4.1 depicts the evolution of cyber crimes in a
timeline from 1980 to 2010.
1. Clear Web (Surface Web) – the publicly accessible region of the internet that most of us
are familiar with. It comprises about 10% of the total size of the internet. All these sites are
indexed by popular search engines and are easily accessible; examples include Facebook
and Twitter. Size: up to 19 TB / ~980,000,000 websites.
2. Deep Web – regions of the internet that are hidden from the public: content that is not
indexed by standard search engines and usually requires authentication to access.
Marketing SaaS platforms, for instance, live in the deep web. It contains mostly innocuous
material such as academic information, medical records, legal documents and government
resources. Size: about 7,500 TB; the number of sites is unknown. This space is highly
organized and filtered; beyond it lies the dark web, where anonymity is the rule.
3. Dark Web – regions within the deep web that are intentionally and securely hidden from
view, where anonymity is critical and criminal services can be bought. The most common
means of access is the Tor network (Tor is short for The Onion Router); the Tor Project is the
non-profit organization that researches and develops this and other online privacy tools.
The Tor Browser routes a user's traffic through a chain of relays, disguising the origin of the
user's online activity, and allows access to '.onion' addresses within the dark web. In simple
terms, the dark web is the hidden side of the internet: it is the part of the deep web that is
not indexed by search engines such as Google, and forms its deepest layer. Much of the
content in this space is considered criminal in nature, such as illegal pornography, black
markets, hacking groups and the botnet operations associated with spam, fraud and
malicious attacks. The deep web and dark web together make up the remaining 90%. But it
is not all criminal: some use the anonymity for good, such as whistle-blowing or activism.
Cyber attacks are profit oriented and designed to steal information surreptitiously. The anonymity
of the internet lets organized criminals target not only home users but also businesses,
government agencies and the like; addressing this requires international legislation and
cooperation between countries to aid investigations and arrests. As a result of this nefarious
activity by organized criminals operating in cyberspace, the globe is experiencing a serious
economic crisis. Professional position category versus functional area of operation is tabulated
in Table 4.1:
Table 4.1: Professional positions category versus functions and area of operation
These agencies have been asked to study the web security layout of 'suspect countries', since
knowledge of their security standards, software and encryption capabilities is required to mount
a counter-attack. The mapping of other countries' cyber systems, including their internet
gateways, routers, IT system layouts and web routing patterns, was discussed at a meeting of top
intelligence officials.
Ø Jurisdictional issues;
Law enforcement has to keep pace with technical advances, the distributed acquisition of
evidence, the presentation of evidence in court, and periodic training to update skills and
knowledge. It has become inevitable for law enforcement to understand the implications of cyber
crime, and a structured, formalized approach to cyber crime investigation is needed.
Summary
· Clear Web – the region of the internet that most of us are familiar with: publicly accessible
web pages that are largely indexed by search engines. Also known as the Surface Web.
· Deep Web – regions of the internet that are hidden from the public.
· Dark Web – regions within the deep web that are intentionally and securely hidden from view.
LESSON - 5
EMERGING CHARACTERISTICS OF CYBER CRIME
After reading this lesson you will be able to
· Exploitation Tactics
o Reconnaissance
o Scanning
o Gaining Access
o Maintaining access
o Clearing tracks
· Attack Platform
· Cyber Forensics
Structure
5.1 Understand the emerging characteristics of cyber crime
5.2.1. Reconnaissance
5.2.2. Scanning
· Collection of information;
The magnitude and impact of such targets then becomes apparent. To understand these
objectives and the underlying technology, the task of identifying and analysing such
crimes has to be broken down into smaller tasks. This becomes especially important when
the attack exhibits polymorphism or consists of coordinated attacks; when collecting the evidence,
consideration must be given to electronic evidence that is scattered globally.
5.2.1. Reconnaissance
Telephone reconnaissance: In this type, the attacker probes the systems on a network to
find potential victims using war dialing, a method in which a system dials many phone numbers
looking for a modem carrier; having detected a modem, it lets the attacker attempt to compromise
the system that answers the call.
5.2.2 Scanning
Scanning is a method of quickly identifying a way to gain access to the network and look for information.
Three phases of scanning:
Pre-attack
The next stage is to gain access. Attackers gain access by entering the remote
system through vulnerabilities, initially with the least privilege, and subsequently raising
their privilege to administrator level, compromising the systems with password cracking
tools. Once the vulnerabilities of the system and network have been exploited, the attacker has full
control over the system/network, and the privilege escalation enables further malicious
activity.
The stage that follows gaining access is maintaining access. The attackers
operate to either upload or download critical information. As long as the information hunted
for is not obtained, attackers maintain their access on the compromised system/network. To
enable this, sophisticated tools are misused by the hackers. In a physical
theft, the stolen object is no longer available to its owner, whereas in electronic media the
object/data that is lost remains available to the owner and is stolen too. By the time the victim
realizes the incident, a long time may have passed.
Evasion is the stage of criminality in which the offender tries to avoid detection.
Distributed networks, technical complexity and scattered digital evidence make concealment and
evasion difficult to detect. A technically savvy offender can clear the traces of entry into the
victim’s system or network, leaving little or no evidence.
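The scanning phase described above leaves a characteristic footprint in perimeter logs: one source touching many destination ports within a short time. The following is an added example, not part of this lesson, of the detection logic a defender can run over firewall log lines; the log format, the addresses and the thresholds are constructed assumptions, not taken from any real device.

```python
"""Port-scan detector run over constructed firewall log lines.

Added example (not from the lesson): flags a source address that touches
many distinct destination ports within a short window, which is the
footprint that the scanning phase leaves in perimeter logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; addresses are documentation ranges).
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=21
2024-03-01T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2024-03-01T10:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2024-03-01T10:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=25
2024-03-01T10:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=80
2024-03-01T10:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=110
2024-03-01T10:00:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=143
2024-03-01T10:00:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=443
2024-03-01T10:00:05 DENY src=203.0.113.5 dst=192.0.2.10 dport=445
2024-03-01T10:00:05 DENY src=203.0.113.5 dst=192.0.2.10 dport=3389
2024-03-01T10:00:06 DENY src=203.0.113.5 dst=192.0.2.10 dport=8080
2024-03-01T10:00:07 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T10:00:09 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T10:05:00 ALLOW src=198.51.100.9 dst=192.0.2.10 dport=80
2024-03-01T10:09:00 ALLOW src=198.51.100.9 dst=192.0.2.10 dport=443
"""


def parse_line(line):
    """Return (timestamp, src, dport) from one constructed log line."""
    ts_str, _action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["src"], int(kv["dport"])


def find_scanners(log_text, window=timedelta(seconds=60), min_ports=10):
    """Return {src: distinct_port_count} for every source that contacts at
    least `min_ports` distinct destination ports inside some sliding `window`.
    The thresholds are illustrative assumptions, tuned per environment."""
    events = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dport = parse_line(line)
            events[src].append((ts, dport))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until evs[start..end] fit in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            best = max(best, len(ports))
        if best >= min_ports:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports within 60 s")
```

Only the source that sweeps eleven ports in six seconds is reported; the two ordinary clients, which each reuse one or two ports minutes apart, stay below the threshold.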
The Penal Code has also been amended to cover various offences. Legal considerations that ensure
forensic data recovery, and lawful evidence-gathering techniques that are rigorous and all-inclusive,
are the need of the hour. Jurisdictional issues must also be considered. All these can be achieved
only by investigating the Cyber Crime through a formal approach, which should be able
to identify the basic requirements during each stage of investigation. The formal approach can be mapped
into the following investigative strategies through Cyber Forensics.
5.4.2. Rooters – apps that request root access to a smart phone, or use exploits to obtain root
access, thereby gaining control of the device to spy on the users and steal confidential personally
identifiable information.
5.4.4. Fake apps – illegitimate apps posing as real ones in order to drive downloads and
expose users to advertisements.
Examination of systems and networks can be of two types: post-incident analysis
and proactive analysis. Once an offence is committed, the storage media are sent
to a Forensic lab for analysis. In the case of Proactive Forensics, the computers and networks
used in business, banking and industry necessitate a proactive examination, involving remote
monitoring of target computers, creating trackable electronic documents, recovery of stolen
data and the like. Basic forensic tools and techniques and a Forensic services infrastructure
become mandatory. The pursuit of Cyber Crime detection using Cyber Forensics has two
main objectives:
Initial assessment of the case under investigation is followed by the collection phase.
Digital evidence must be collected from a varying number of storage devices, perimeter
devices and the Internet. The next stage involves the preservation of the evidence. Since Cyber
Forensics involves evidence collection from different storage media, due care has to be taken
to ensure evidence integrity and legality. The media from which the information is to be collected
must not be exposed to heat, light or magnetic fields. In the next phase, a good evidence-processing
documentation method facilitates solid evidence. The analysis phase involves a trustworthy
effort to thoroughly analyze the findings. The tools, techniques and chain of custody
used to perform the analysis, and the detailed method of analysis, must be documented; date and time issues
must be correlated, and the results of the analysis must be properly interpreted. A detailed plan of
action during analysis helps to prevent mistakes which otherwise could lead to
evidence being inadmissible. Event reconstruction is the next phase, wherein past events are
reconstructed with as little distortion or bias as possible.
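The collection and preservation phases above rest on one concrete control: fixing a cryptographic hash of the evidence at acquisition and re-verifying it at every hand-over, so that the chain-of-custody record itself documents integrity. The following added example (not the lesson's own material) shows that in Python; the record layout, the examiner names and the "disk image" bytes are constructed for illustration.

```python
"""Evidence-integrity check for the collection and preservation phases.

Added example (not from the lesson): hash an acquired evidence image at
collection time, record that hash together with who handled it in a
chain-of-custody log, and recompute the hash at every later hand-over so
that any alteration is detected and documented before analysis.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest of an evidence image held in memory."""
    return hashlib.sha256(data).hexdigest()


def collect(image: bytes, label: str, examiner: str) -> dict:
    """Acquisition step: fix the hash at the moment of collection and open
    the custody log with its first entry."""
    digest = sha256_of(image)
    return {
        "label": label,
        "sha256": digest,
        "custody": [{
            "time": datetime.now(timezone.utc).isoformat(),
            "action": "acquired", "by": examiner, "sha256": digest,
        }],
    }


def handover(record: dict, image: bytes, to: str) -> bool:
    """Each hand-over recomputes the hash. A mismatch is written into the log
    and returned as False, so the discrepancy is documented rather than
    silently accepted."""
    digest = sha256_of(image)
    ok = digest == record["sha256"]
    record["custody"].append({
        "time": datetime.now(timezone.utc).isoformat(),
        "action": "handover", "to": to, "sha256": digest,
        "integrity": "verified" if ok else "MISMATCH",
    })
    return ok


if __name__ == "__main__":
    # Constructed 'disk image' bytes, not a real acquisition.
    image = b"\x00" * 512 + b"MBR-demo" + b"\xff" * 512
    rec = collect(image, "HDD-01 (constructed sample)", "examiner A")
    print(handover(rec, image, "lab analyst B"))          # intact copy
    print(handover(rec, image + b"\x00", "court clerk"))  # altered copy
    print(json.dumps(rec, indent=2))
```

The second hand-over in the usage section passes a copy with one extra byte; the hash no longer matches the acquisition hash and the log entry records MISMATCH, which is exactly the documentation a court would need to see.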
A wide range of attacks are targeted against systems, networks and critical infrastructure.
Home users, social networks and business/corporate networks all carry their communication
through the Internet. A major concern of criminality on the Internet is the global economy.
The technical complexity has made Cyber Forensics a major challenge, both for Law
Enforcement and for the Forensics personnel who are reacting to this growing threat. A more
formalized and structured approach, facilitated by best practices, policies and procedures,
is the need of the hour.
Summary
1. Five major phases of exploitation tactics are Reconnaissance, scanning, gaining
access, maintaining access and clearing tracks.
4. Mobile phones, rooters, downloaders and fake apps are major enablers as attack
platform.
6. Cyber forensics has two main objectives. They are ………………….& ……………...
LESSON - 6
CYBER CRIMINALS
Learning Objectives
o Hacker
§ White hat
§ Black hat
§ Grey hat
§ Green hat
§ Red hat
§ Blue hat
o Cracker
o Phone Phreaker
o Social Engineer
o Script Kiddie
o Hacktivist
o Malicious insider
o Whistle blower/insider
Structure
6. Definition of Cyber Criminals
6.1. Hacker
6.2. Cracker
6.6. Hacktivist
6. Cyber Criminals
Cybercriminals are individuals or teams of people who use technology to commit malicious
activities on digital systems or networks with the intention of stealing sensitive company
information or personal data, and generating profit.
Cybercriminals are known to access the underground markets found in the deep web to
trade malicious goods and services, such as hacking tools to steal confidential data. Cybercriminal
underground markets are known to specialize in certain products or services.
Laws related to cybercrime continue to evolve across various countries worldwide. Law
enforcement agencies are also continually challenged when it comes to finding, arresting,
charging, and proving cybercrimes.
Cybercriminals also differ greatly from threat actors in various ways, the first of which is
intent. Threat actors are individuals who conduct targeted attacks, in which they actively pursue and
compromise a target entity’s infrastructure. Cybercriminals are unlikely to focus on a single
entity, but conduct operations on broad masses of victims defined only by similar platform
types, online behaviour, or programs used. Secondly, they differ in the way that they conduct
their operations. Threat actors follow a six-step process, which includes researching targets
and moving laterally inside a network. Cybercriminals, on the other hand, are unlikely to follow
defined steps to get what they want from their victims.
Note, however, that cybercriminals have also been known to adopt targeted attack
methodologies in their operations.
Cybercriminal
· Select the computer as their target: these criminals attack other people’s computers to
perform malicious activities, such as spreading viruses, data theft, identity theft, etc.
· Use the computer as their weapon: they use the computer to carry out “conventional
crime”, such as spam, fraud, illegal gambling, etc.
· Use the computer as their accessory: they use the computer to store stolen or illegal
data.
· Distributors: distribute and sell stolen data and goods from associated cybercriminals.
· System hosts and providers: host sites and servers that hold illegal content.
· Tellers: transfer and launder illegal money via digital and foreign exchange methods.
Clearly, there is much overlap between roles, but as cybercrime becomes a greater issue,
more specialization is being seen as organized crime gets in the picture. For example, hackers
were once more often than not hobbyists who broke into systems for personal gratification.
While white-hat hacking hasn’t disappeared, it’s much more common now to see hackers as
professionals who sell their services to the highest bidder.
The stereotypical cybercriminal is running botnets, stealing bank accounts, hacking into
major companies to steal trade secrets, and performing other nefarious high-profile crimes that
capture the fancy of major news organizations, but the problem is really far more insidious than
most people realize.
Before the Internet, criminals had to dig through people’s trash or intercept their mail to
steal their personal information. Now that all of this information is available online, criminals
also use the Internet to steal people’s identities, hack into their accounts, trick them into revealing
the information, or infect their devices with malware.
Cyber criminals are a network of criminals. Most cyber crimes are committed by individuals
or small groups. However, large organized crime groups also take advantage of the Internet.
These “professional” criminals find new ways to commit old crimes, treating cyber crime like a
business and forming global criminal communities. Recently, certain underworld cyber
criminals have begun to offer Cybercrime-as-a-Service. They operate from the dark web, where cyber
criminals can buy and sell stolen information and identities.
Criminal communities share strategies and tools and can combine forces to launch
coordinated attacks. It’s very difficult to crack down on cyber criminals because the Internet
makes it easier for people to do things anonymously and from any location on the globe. Many
computers used in cyber attacks have actually been hacked and are being controlled by someone
far away. Crime laws are different in every country too, which can make things really complicated
when a criminal launches an attack in another country.
Attack Techniques
Here are a few types of attacks cyber criminals use to commit crimes.
· Fast Flux – moving data quickly among the computers in a botnet to make it difficult
to trace the source of malware or phishing websites.
· Zombie Computers – computers that have been compromised by malicious attacks; the
attacker turns the victim computers into zombies and makes them part of a botnet
controlled through command and control servers.
· Skimmers – devices that steal credit card information when the card is swiped
through them. This can happen in stores or restaurants when the card is out of the
owner’s view, and frequently the credit card information is then sold online through
a criminal community.
· Identity thieves target organizations that store people’s personal information, like
schools or credit card companies. But most cyber criminals will target home
computers rather than trying to break into a big institution’s network because it’s
much easier.
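Fast flux, as described above, shows up to a defender as a domain whose answers keep changing: many distinct addresses spread across unrelated networks, each advertised with a very short TTL so the change takes effect quickly. The following added example, which is not part of the lesson, scores constructed DNS resolver log lines on exactly those indicators; the log format, the domain names, the addresses and the thresholds are assumptions made for the illustration.

```python
"""Fast-flux indicator check over constructed DNS resolver log lines.

Added example (not from the lesson): a fast-flux domain answers with a
constantly changing set of addresses (the botnet's infected hosts) and very
short TTLs. Counting distinct addresses and distinct /24 networks per domain,
together with the TTLs seen, separates that pattern from an ordinary
round-robin or content-delivery host.
"""
from collections import defaultdict

# Constructed resolver log: "<time> <qname> A <answer-ip> ttl=<seconds>"
SAMPLE_LOG = """\
10:00:00 update-check.example A 203.0.113.14 ttl=120
10:02:00 update-check.example A 198.51.100.77 ttl=120
10:04:00 update-check.example A 192.0.2.201 ttl=120
10:06:00 update-check.example A 203.0.113.99 ttl=60
10:08:00 update-check.example A 198.51.100.8 ttl=60
10:10:00 update-check.example A 192.0.2.33 ttl=120
10:12:00 update-check.example A 203.0.113.250 ttl=120
10:14:00 update-check.example A 198.51.100.140 ttl=60
10:00:00 www.example A 192.0.2.10 ttl=3600
10:30:00 www.example A 192.0.2.11 ttl=3600
11:00:00 www.example A 192.0.2.10 ttl=3600
"""


def parse(log_text):
    """Group answers by queried name: domain -> list of (ip, ttl)."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, qname, _rtype, ip, ttl_field = line.split()
        per_domain[qname].append((ip, int(ttl_field.split("=", 1)[1])))
    return per_domain


def flux_score(answers):
    """Return (distinct_ips, distinct_/24_networks, min_ttl) for one domain."""
    ips = {ip for ip, _ in answers}
    nets = {".".join(ip.split(".")[:3]) for ip in ips}   # /24 prefix of IPv4
    return len(ips), len(nets), min(ttl for _, ttl in answers)


def find_fast_flux(log_text, min_ips=5, min_nets=3, max_ttl=300):
    """Domains whose answer set is large, spread over several networks, and
    advertised with short TTLs. Thresholds are illustrative assumptions."""
    flagged = {}
    for domain, answers in parse(log_text).items():
        n_ips, n_nets, ttl = flux_score(answers)
        if n_ips >= min_ips and n_nets >= min_nets and ttl <= max_ttl:
            flagged[domain] = {"ips": n_ips, "networks": n_nets, "min_ttl": ttl}
    return flagged


if __name__ == "__main__":
    for domain, info in find_fast_flux(SAMPLE_LOG).items():
        print(f"fast-flux candidate {domain}: {info}")
```

The www.example entries alternate between two addresses in the same /24 with hour-long TTLs, which is ordinary load balancing and is not flagged; the other name rotates through eight addresses in three networks with TTLs of a minute or two and is reported.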
Social engineering is a tactic used by cyber criminals that uses lies and manipulation
to trick people into revealing their personally identifiable information. Phishing is a form
of social engineering. Social engineering attacks frequently involve very convincing fake
stories to lure victims into a trap. Common social engineering attacks include:
· Sending victims an email that claims there’s a problem with their account and has a
link to a fake website. Entering their account information into the site sends it straight
to the cyber criminal (Phishing).
· Claiming that the victim has won a prize but must give their credit card information
in order to receive it.
· Asking for a victim’s password for an Internet service and then using the same
password to access other accounts and services, since many people re-use the
same password.
· Promising the victim that they will receive millions of dollars if they help out the
sender by giving them money or their bank account information.
Like other hacking techniques, social engineering is illegal in the United States and other
countries. To protect against social engineering, it is advisable not to trust any email or message
that requests personally identifiable information. Most banks and companies never ask customers
for personal information through email.
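The advice above can be turned into checks that a mail gateway or an analyst can run on a suspicious message: does it ask for credentials or card data, does it press for urgency, and does a link's visible text name a different host than the address it really points to (the fake-website lure described under Phishing)? The following is an added example, not from the lesson; the keyword lists, the scoring and the sample message are constructed assumptions, and the score is a triage aid rather than a verdict.

```python
"""Heuristic phishing triage for a constructed e-mail body.

Added example (not from the lesson): three checks drawn from the common
social engineering lures, each adding one point when it fires.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative keyword lists; a production filter would be far richer.
CREDENTIAL_WORDS = ("password", "credit card", "card number", "account number")
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent", "verify now")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of bare text that looks like one ('www.bank.example')."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def analyse(html_body):
    """Return (score, reasons) for one message body."""
    reasons = []
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(w in text for w in CREDENTIAL_WORDS):
        reasons.append("asks for credentials or payment data")
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("uses urgency pressure")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, shown in collector.links:
        # Visible text looks like a host name but the link goes elsewhere.
        if "." in shown and host_of(shown) and host_of(shown) != host_of(href):
            reasons.append(f"link text {shown!r} hides destination {host_of(href)!r}")
    return len(reasons), reasons


# Constructed sample message, modelled on the "problem with your account" lure.
SAMPLE_MAIL = """<p>Dear customer, your account will be suspended within 24 hours.
Please verify now by entering your password at
<a href="http://login.bank.example.attacker-demo.test/verify">www.bank.example</a>.</p>"""

if __name__ == "__main__":
    score, why = analyse(SAMPLE_MAIL)
    print(score, why)
```

The sample trips all three heuristics; a plain notification whose link text and destination agree and which asks for nothing scores zero.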
6.1 Hackers
Who is a Hacker? Types of Hackers
Hacking does not necessarily count as a cybercrime; as such, not all hackers are
cybercriminals. Cybercriminals hack and infiltrate computer systems with malicious intent, while
hackers only seek to find new and innovative ways to use a system, be it for good or bad.
A Hacker is a person who finds and exploits the weakness in computer systems and/or
networks to gain access. Hackers are usually skilled computer programmers with knowledge of
computer security.
Hackers are classified according to the intent of their actions. The following list classifies
hackers according to their intent. For a hacker who wants to come clean and turn away from
crime, one option is to work for the people they used to torment, by becoming a security
consultant. These hackers-turned-good-guys are called Grey Hat Hackers.
In the past, they were Black Hat Hackers, who used their computer expertise to break
into systems and steal information illegally, but now they are acting as White Hat Hackers, who
specialize in testing the security of their clients’ information systems. For a fee, they will attempt
to hack into a company’s network and then present the company with a report detailing the
existing security holes and how those holes can be fixed.
The advantage of this is that they can use their skills for a good cause and help stop
other cyber criminals. Keeping up with security is a full-time job, and many companies can’t
afford to have someone completely dedicated to it. Grey Hat Hackers have real-world hacking
experience and know more methods of infiltrating networks than most computer security
professionals. However, since they used to be criminals there’s always going to be a question
of trust.
White Hat hackers are also known as ethical hackers, and they’re the good guys of the
hacker world. They help you remove viruses, perform pen tests and generally help people
understand where their vulnerabilities are and fix them. Most White Hat hackers will hold some
form of computer or security related qualification, and often pursue careers in hacking and
cyber security. They love the challenge of finding the holes but have no interest in doing anything
with them. There are even a number of qualifications specifically for them – Offensive Security
Certified Professional (OSCP), CREST Certified Infrastructure Tester and CREST Certified
Application Security Tester.
Black Hat hackers, or ‘crackers’ are the types of people you often hear about on the news
and from businesses trying to sell cyber services. They find banks and big companies with
weak security systems and steal credit card information, confidential data or money. Their
methods are varied but actually fairly basic most of the time.
As with everything in this world, nothing is just black and white. Grey Hat hackers don’t
steal information or money like Black Hat hackers (though they may sometimes deface a website
for fun), nor do they help people out like White Hat hackers. Instead, they spend most of their
time just playing around with systems, without doing anything harmful. This type of hacker
actually makes up most of the hacking community, even though Black hat hackers garner most
of the media’s attention.
Green Hat hackers are the babies of the hacker world. They are new to the game and
mainly use script, like Script Kiddies, but they have aspirations of becoming full blown hackers.
They are often found asking questions of fellow hackers and listening with childlike curiosity.
Red Hat hackers are the vigilantes of the hacker world. They’re like white hats in the
sense that they put a stop to Black hat attacks, but they are downright scary in how they do it.
Instead of reporting the malicious hacker they find lurking inside a business, they shut them
down by uploading viruses, DoSing and accessing their computer to destroy it from the inside
out. Red hats use many different aggressive methods to force the cracker out and potentially
even kill their computer. The good news is, businesses don’t need to worry about these.
And finally, we have the Blue Hat hackers. If a Script Kiddie ever took revenge, he would
become a Blue Hat Hacker. Blue Hat hackers will seek vengeance on anyone who has made
them angry. Most Blue Hat hackers are fairly new to the hacking world, but unlike green hats
they have no desire to learn.
State or Nation sponsored hackers are those who have been employed by their state or
Nation’s government to snoop in and penetrate through full security to gain confidential
information from other governments to stay at the top online. E.g. Stuxnet attack on Iranian
Nuclear Plant.
6.2. Cracker
A cracker is an individual who accesses a computer or network in an unauthorized, illegal
manner with the intention of destroying data, stealing information or taking other malicious action. They
have advanced computer and network skills.
Five distinct kinds of crackers are identified, as shown in figure 6.1:
Novice: These entry-level crackers tend to be only 12 to 14 years old. They usually
comprehend cracking as mischievous and fun; in their eyes, it is mainly play.
Student: These crackers follow the practice of 1970s MIT students. They usually
have a deep interest in computers and programming. Their desire for illegal computer
access is normally fairly harmless.
Tourist: Tourists are yet another kind of relatively harmless cracker and are mainly
looking for a challenge. They break into systems to see if they can, then log off.
Tourists can certainly be dangerous if they pass details to thieves or malicious
crackers about how to crack a specific system.
Thief: This type of cracker is the real criminal. The thieves may make use of bribery
or blackmail to obtain the required information to gain access to computer systems
or networks. Thieves usually do cracking for monetary gain. Thieves tend to be
linked to electronic sabotage and espionage. In addition, they are considered the
most professional of all the crackers.
A cracker accesses a computer or network illegally, but the intention is to destroy data, steal
information or do something malicious.
· Building electronic devices called blue boxes, black boxes and red boxes to help
them the network and make free phone calls
· Hanging out on early conference call circuits and loop-arounds to communicate
with one another and writing their own newsletter to spread information.
SMShing:- The term SMShing is a term used to describe phishing text messages
(SMS phishing). These phishing text messages are sent to a cell phone in an
attempt to get the cell phone owner to give up sensitive information.
scammer who pretends that they need certain bits of information from their target
in order to confirm their identity.
Quid Pro Quo: Similarly, quid pro quo attacks promise a benefit in exchange for
information. This benefit usually assumes the form of a service, whereas baiting
frequently takes the form of a good.
Waterholing: A “watering hole” attack consists of injecting malicious code into the
public Web pages of a site that the targets are used to visiting. The method of injection is
not new, and it is commonly used by cyber criminals and hackers. The attackers
compromise websites within a specific sector that are ordinarily visited by the specific
individuals of interest to the attackers.
systems and stealing things. They simply copy code and use it for a virus, SQLi or something
else. Script Kiddies will never hack for themselves; they will just download some overused
software (such as LOIC or Metasploit) and watch a YouTube video on how to use it. A very
common Script Kiddie attack would be a DoS (Denial of Service) or DDoS (Distributed Denial
of Service), where they flood an IP with so much useless traffic that it collapses, preventing
other people from using it.
6.6. Hacktivist
Hacktivism is the act of hacking a website or computer network in an effort to convey a
social or political message. The person who carries out the act of hacktivism is known as a
hacktivist. Hacktivists are social activists propagandizing a social, political or religious agenda
in the online medium. A hacktivist is a hacker or group of anonymous hackers who think they can
bring about social change and often hack governments and organizations to gain attention or
share their displeasure with those opposing their line of thought.
They misuse their role within the organization by hacking the system
Summary
Cybercriminals are individuals or teams of people who use technology to commit
malicious activities on digital systems or networks with the intention of stealing
sensitive company information or personal data, and generating profit. A cybercriminal
is an individual who commits cybercrimes, where he/she makes use of the computer
either as a tool or as a target or as both.
A Hacker is a person who finds and exploits the weakness in computer systems
and/or networks to gain access. Hackers are usually skilled computer programmers
with knowledge of computer security.
Fast Flux - moving data quickly among the computers in a botnet to make it difficult
to trace the source of malware or phishing websites.
Zombie Computers are computers that have been compromised by malicious attacks; the
attacker turns the victim computers into zombies and makes them part of a botnet controlled
through command and control servers.
Skimmers are devices that steal credit card information when the card is swiped
through them.
…………………. are computer that has been hacked by malicious attacks and control
the victim computers into zombies and makes it a part of the botnet through command
and control servers.
LESSON - 7
MOTIVES OF CYBERCRIMINALS
Learning Objectives
o Challenge
o Greed
o Malicious intent
o Emotional
o Monetary gain
o Anonymity
o Hackers forum
o Attack surface
o Competence
o Politics
o Peer pressure
o Revenge
o Risk to reward
o Feeling of powerlessness
o Fame
o Thrill
Structure
7. What motivates a cyber criminal?
7.1. Challenge
7.2. Greed
7.4. Emotional
7.6. Anonymity
7.9. Competence
7.10. Politics
7.12. Revenge
7.17. Fame
7.18. Thrill
Motivation is the key component in understanding the hackers. Motivation helps to answer
several questions, such as:
Answering these questions will provide for a better risk assessment and risk mitigation
strategies. Motivation generally falls into following categories:
Challenge
Greed
Malicious intent
7.1. Challenge
Breaking into computer systems or networks was a challenge and is still one of the
most common motivations. Another aspect of the challenge motivation is the challenge of being first
to hack a network.
7.2. Greed
Greed is the oldest form of known criminality. The motivation for hacking includes the desire for financial gain,
services, goods and information. A hacker motivated by greed will seek specific information
that can be targeted.
7.4. Emotional
a) Search for emotions
o Modern hackers are curious, they are bored and want to test out their abilities
o They carry out these attacks as a personal challenge, something to show off or
merely to prove a point to themselves
o Target was the administrators (the ones with direct access to servers and databases)
o The figure 7.1 and 7.2 illustrates the mindset of the cyber criminal.
• That’s a number which has increased 15 times in two years from 2015 and will
quadruple by 2020.
Facing consequences
• Majority were convinced that they wouldn’t have to face the consequences of their
cyber attacks, which also lead them to continue doing what they do.
7.6. Anonymity
1. Definition
Anonymity is the alternate lever that creates the capacity for abuse; anonymity allows abuse
to be committed with impunity. Freedom on the internet and the lack of proper monitoring have
made the internet anonymous. There are different degrees of anonymity. Following these steps does
not guarantee 100% anonymity. Anonymity is sometimes for the good. Those who are looking
for privacy may want to go into incognito mode. They might use browsers that are
privacy enabled. There are also proxy computers, e.g. a web proxy for browsing the web, that
allow the users to use an alternate computer to load a website and display the results in the
browser.
2. Identity Scale
a. Legal name
b. Location identification
e. Pattern Knowledge
f. Social categorization
h. Beliefs, attitudes and emotions – “the inner presumed ‘real’ person question”
Fully anonymous status: This status is quite difficult to attain and maintain, and therefore
it is almost nonexistent. It can be achieved only when even some of the data necessary for the TCP/IP
protocol is suppressed or forged. Thus it is usable just for one-way communication,
since there is no way to trace back the originator to deliver a reply.
Almost anonymous status: Just the basic data required by the technical communication protocol
is provided, without any intervention (or intention) of the user. The user abstains from
providing any useful information about himself, but lets the computer give away its
information, such as the IP address, the physical Ethernet address of the network device and the DNS name.
This is the most common conception of anonymity among regular internet users. However,
providing this sensitive information means that we cannot talk about anonymity any
more.
The usage of a permanent nickname: Into this category belong things like anonymous
accounts on freemail servers (hotmail.com, yahoo.com, post.cz) as well as nicknames on
chat servers or “screen names” of instant message systems. These nicknames are
usually protected by a password and only one user can access them. This is the highest
level of anonymity that allows continuous communication over a longer period of time.
In other words, it is pseudo-anonymity.
Corporate identity: The usage of a corporate identity provides a strong link between the
internet persona and a real-world entity (the corporation). Every corporation, government
department, non-profit organisation, educational institution, health-care facility, banking
or financial organisation etc. covers its own employees (computer users) with its own
reputation. Once the user uses a corporate e-mail address (or just a registered corporate
computer), it is understandable that with some effort he can be discovered and reached in
the real world. The same applies to corporate web pages and the information displayed
there. That is why the information found on corporate web pages is usually more reliable,
because it is backed by the organization.
Identity (proved by providing information): This is the most common way to identify
oneself on the internet today. No special tools or programs are needed; the possession
of some knowledge is sufficient. You can identify yourself for instance by providing a
phone number where you can be reached, your social security number / student login name / credit card
number, an address where you can be located, or some other personal information which is
known only to you. This method is easy and usually free of cost, but has some serious
disadvantages. It leads easily to information abuse and identity fraud/theft. This occurs
when one person gains control of credentials which belong to another, thus becoming
able to masquerade as the “stolen” identity.
Identity (proved by electronic/digital signature): This is used to authenticate the identity
of the sender of a message or the signer of a document, and possibly to ensure that the
original content of the message or document that has been sent is unchanged. Digital
signatures are usually protected by a password, cannot be imitated by someone else, and
can be automatically time-stamped. A digital signature can be used with any kind of
message, whether it is encrypted or not, simply so that the receiver can be sure of the
sender’s identity and that the message arrived intact. A digital certificate contains the
digital signature of the certificate-issuing authority so that anyone can verify that the
certificate is real. The certificate-issuing authority guarantees the link between the digital
signature and a real-world person. Unfortunately, digital signatures are still quite expensive,
so they are used mainly in the corporate sphere.
Figure 7.5 illustrates the anonymity in the internet. Ways of enabling anonymity includes
proxy servers, Tor Web and Virtual Private Networks.
Evilzone Forum:- This forum discusses hacking and cracking. One should
be a member to learn ethical hacking.
HackThisSite:- commonly referred to as HTS, is an online website that aims to
let users learn and practice hacking skills through a series of challenges in
a safe, legal environment.
Break The Security:- The motive of the site is explained in its name. Break The
Security provides all kinds of hacking material such as hacking news, hacking attacks
and hacking tutorials. It also has different kinds of useful courses that can make you
a certified hacker. This site is very helpful if you are looking to choose the security
field of hacking and cracking.
Hack in the Box:- A popular website that provides security news and activities from
the hacker underground. In this community the users are allowed to discuss hacking
tips.
Null Byte (WonderHowTo):- a white hat hacker forum where hacking techniques such
as Facebook hacks, password cracking and wifi hacking are described.
Hak5:- The information security industry, by educating, equipping and encouraging
this all-inclusive community – one where all hackers belong.
Exploit database:- The Exploit Database is the ultimate archive of public exploits
and corresponding vulnerable software, developed for use by penetration testers
and vulnerability researchers. Its aim is to serve as the most comprehensive collection
of exploits gathered through direct submissions, mailing lists, and other public
sources, and present them in a freely-available and easy-to-navigate database.
The Exploit Database is a repository for exploits and proof-of-concepts rather than
advisories, making it a valuable resource for those who need actionable data right
away.
Cellphone Hacks Forum:- Active forum discussion about all types of cell
phone service providers and ... Forums include AT&T, Verizon, T-Mobile, Sprint,
Nokia, LG, Motorola, Samsung, Sony Ericsson, Palm, BlackBerry, Audiovox, Sanyo,
and more. ... Phone hacking!!!
HackSociety – Grey hat hacking forum
HackForums – Hacks and Exploits
SecruriTeam – Vulnerabilities Team
Secz0ne.su – Russian Hacker Forum
Darknet:- The dark web is the World Wide Web content that exists
on darknets, overlay networks that use the Internet but require specific software,
configurations or authorization to access. The dark web forms a small part of the deep
web, the part of the Web not indexed by web search engines, although sometimes
the term deep web is mistakenly used to refer specifically to the dark web. The
darknets which constitute the dark web include small, friend-to-friend peer-to-
peer networks, as well as large, popular networks like Tor, Freenet,
I2P and Riffle operated by public organizations and individuals. Users of the dark
web refer to the regular web as Clearnet due to its unencrypted nature. The Tor
dark web may be referred to as onionland, a reference to the network’s top-level
domain suffix .onion and the traffic anonymization technique of onion routing.
7.8. Competence
• Competence of the offender and the lack of it on the other side
• Skill set
• Knowledge
• Tools at the disposal
• Time
• Today’s hackers are more adaptable than ever and this allows for multiple attacks
on multiple systems, increasing the levels of success without increasing the risk.
The same is illustrated in figure 7.5.
7.9 Politics
Today cyber attacks are politically motivated. According to Computer Business Review,
2016, the following are five major politically motivated cyber attacks. With the US
Government currently planning to elevate its Cyber Command within the Department of
Defence, it is obvious that cyber threats are being taken more seriously.
· The US Democratic Party, 2016 – The Democratic National Committee saw its
private emails stolen in a breach. The emails, comprising information regarding the
fundraising body for the Democrats, were released on the website WikiLeaks. Information
available included details of donors – names, email addresses and credit card details.
· G20, 2011 – The Group of 20 Summit in February 2011 was rocked by a cyber
attack involving an email delivering malware to French government computers. This
malware was aimed at the French Finance Ministry. It affected 17,000 computers.
The malware was delivered through a PDF document with embedded malware.
The G20 Summit involved the central bank governors of the respective countries
rather than the heads of government.
· US Government cyber attack, 2010 – This attack started in the year 2008 when a
USB stick infected with malware was placed in a car park at a US military base in the
Middle East. The flash drive was inserted into a military laptop, and the code
promptly loaded itself onto a network run by US Central Command. The code
spread undetected, channelling data to servers under the attackers’ control. The
attack led to the establishment of US Cyber Command (USCYBERCOM).
The following are the means through which such politically motivated cyber attacks are
being committed. The same is illustrated in the Figure
Similarly, voter information manipulation during election times also occurs. The same is
illustrated in figure 7.7.
with their peers and be accepted by them. Peer pressure occurs when a group of people
coerce each other to go along with certain beliefs or behaviours. Reasons for peer pressure
are illustrated in figure 7.8.
7.11 Revenge
Revenge hacking encompasses an expansive set of motivations behind cybercrime.
Every victimized industry has seen some form of cyber-attack that links back to its
own hostile actions or policies toward the attackers. Motives range from low-profile disgruntled
ex-employees to self-publicizing groups like Anonymous providing occasional media updates
about their attacks on ISIS cyber targets. Sovereign states have long been suspected of hacking
behaviour. Sexual revenge or jealousy was behind the infamous theft of subscriber data from
the dating site specifically set up to facilitate affairs involving married individuals. Figures 7.9
and 7.10 illustrate revenge as a motive for cyber criminals.
money. Well known social engineer Kevin Mitnick, who hacked many computers, was in prison
for five years for computer related offenses. Today he is a security consultant at Mitnick Security
Consulting, which helps test companies’ security strengths, weaknesses and potential loopholes.
In the majority of cases none of the judges, prosecutors or defense counsel understands
what the others are saying, so the advantage lies with the cyber criminals. The same is
illustrated in figure 7.14.
So the need is extensive training for all the stakeholders in order to enable justice.
Going Dark
• Law enforcement at all levels has the legal authority to intercept and access
communications and information pursuant to court orders.
• It often lacks the technical ability to carry out those orders because of a fundamental
shift in communications services and technologies.
• Both real-time communications and stored data are increasingly difficult for law
enforcement to obtain with a court order or warrant.
• This is eroding law enforcement’s ability to quickly obtain valuable information that
may be used to identify and save victims, reveal evidence to convict perpetrators,
or exonerate the innocent.
• Many criminals reside in a foreign country so it’s no surprise that people regard
them as ‘faceless’ - they physically are.
sites themselves are largely out of the control of enterprise security teams, they provide a
perfect gateway into your networks through social engineering, malware and phishing attempts.
As company operations continue to undergo a digital transformation, new risks related to social
media usage by employees and customers emerge. In fact, 13% of large organizations had
experienced a breach relating to social media sites in 2016, and this number is likely to grow
going forward. Different social media such as Facebook, Twitter, Instagram and WhatsApp are
targets of cyber attacks. Figure 7.17 illustrates the number of users in social media.
Cyber bullying, fake identities and cyber stalking are some examples of social media
crimes. The individual factors that lead to such crimes include:
– Desire to employ cognitive effort and to enjoy the rewards of that effort
– Need to belong
– An aspect of one’s self identity derived from their sense of belonging to one or more
groups
Groups – Online
• Groups in cyberspace
• Time, culture and social status may not be important in an online world
• This gives online groups unique characteristics when compared to offline groups.
7.16 Fame
• Hackers would like to get into the Hall of Fame. They risk their future for cheap thrills
and money. E.g. Snowden; Kevin Mitnick. Figure 7.16 illustrates fame as one of
the motives of cybercrime.
7.17 Thrill
In the beginning, it is all about excitement and thrill. To do something different from the
routine, teenagers exploit and crack video games, which is a low-level crime. In the
second stage come the chat forums and online communities where teens exchange malicious
software programs, knowledge of hacking and sometimes stolen information and data. The
daring ones look for exploits and virus code that can help them hack into social networking
accounts. Having a criminal record may be a source of thrill and fame in the teenage years, but
the future of these kids becomes extremely difficult. The criminal record stays with them, and
the chances of being hired by an organization later in life become bleak. Kids need to understand
that getting a criminal record is the worst possible move. In the absence of a sense of
responsibility among teenagers, parents have to up their game in protecting their kids from their
acts of naivety and carelessness. Parents should make themselves familiar with technology and
gadgets so that they know how to stop cyber crime. One way is to install online parental control
software on the home PC and the personal gadgets of their teens to stay up to date on their
online activities. If technology fails, parents have to resort to the traditional means of
communicating and building trust with their teens, so that they can detect suspicious or unusual
changes in their teen’s activities and behaviour. Parental control software is available to monitor
children’s online behaviour. Examples of parental control software include Qustodio,
Net Nanny, Kaspersky Safe Kids, Symantec Norton Family Premier, Circle with Disney, Clean
Router, Mobicip, OpenDNS Home VIP, uKnowKids Premier and SafeDNS, but the list is not
limited to these.
Summary
· Cybercriminals are individuals or teams of people who use technology to commit
malicious activities on digital systems or networks with the intention of stealing
sensitive company information or personal data, and generating profit.
· A hacker is a person who finds and exploits weaknesses in computer systems
and/or networks to gain access. Hackers are usually skilled computer programmers
with knowledge of computer security.
· Fast Flux - moving data quickly among the computers in a botnet to make it difficult
to trace the source of malware or phishing websites.
· Social engineering is a tactic used by cyber criminals that uses lies and manipulation
to trick people into revealing their personal information.
· White Hat hackers are also known as ethical hackers, and they’re the good guys
of the hacker world.
· Black Hat hackers, or ‘crackers’, are the types of people you often hear about on
the news and from businesses trying to sell cyber services.
· Grey Hat hackers don’t steal information or money like Black Hat hackers (though
they may sometimes deface a website for fun), nor do they help people out like
White Hat hackers.
· Blue Hat hackers will seek vengeance on anyone who has made them angry.
· State or nation sponsored hackers are those who have been employed by their
state or nation’s government to snoop in and penetrate through full security to gain
confidential information from other governments to stay at the top online.
· Social engineers are another type of attacker who use their tactics to exploit the
weaknesses found in each and every organization, with a spectrum of malicious
activity to infiltrate protected systems and compromise sensitive data.
· Script kiddies perform their malicious computer techniques simply for the thrill of
it, and to brag to their peers about their computer prowess.
· ……………………….. are also known as ethical hackers, and they’re the good guys
of the hacker world.
· ……………………….., are the types of people you often hear about on the news
and from businesses trying to sell cyber services
· ……………………… will seek vengeance on anyone who has made them angry.
· ………………… are another type of attackers who use their tactics to exploit ones
weakness that found in each and every organization with a spectrum of malicious
activity to infiltrate into protected system and compromise sensitive data.
· ……………………. perform their malicious computer techniques simply for the thrill
of it, and to brag to their peers about their computer prowess.
Reference
1. https://online.norwich.edu/academic-programs/masters/information-security-assurance/resources/articles/who-are-cyber-criminals
2. https://www.trendmicro.com/vinfo/us/security/definition/cybercriminals
3. https://www.malwarefox.com/types-of-hackers/
4. https://www.guru99.com/what-is-hacking-an-introduction.html
5. https://sorry.vse.cz/~pavlant/sources/Dissertation-Pavlicek-Anonymity.pdf
6. https://www.cbronline.com/business/cybergate-5-major-political-cyber-attacks-4973433/
7. http://in.pcmag.com/parental-control-monitoring/90793/guide/the-best-parental-control-software-of-2018
Credits for the Figures: second year M.Sc CFIS students (2017-19 Batch) - Abdul Nasar,
Mohamed Azeemullah Shariff, Sathish Kumar, Tabrace Baig, Abhinayaa, Sreejaa.
LESSON - 8
IMPACT OF CYBER CRIMES
Learning Objectives
After reading this lesson you will be able to learn the following:
· Impact of Cybercrimes
Structure
8. Impact of Cybercrimes
8. Impact of Cybercrimes
The impact of a single successful cyber attack can have far reaching implications including
financial losses, theft of intellectual property, and loss of consumer confidence and trust. The
overall monetary loss is estimated to be billions of dollars a year. This is increasing day by day.
Criminals take advantage of technology in many different ways. The internet is a great tool for
scammers and other miscreants due to anonymity in the internet.
The investment of businesses in cyber security to tackle cyber crime is also becoming
huge. Attackers may compromise servers to steal confidential information. Companies, for
example in the banking industry, have to spend huge amounts to keep intruders away from the
confidential information of their customers. The overall monetary losses from cyber crime can be
immense. According to a report by Symantec, 2012, more than 1.5 million people fall victim to
some sort of cybercrime every day, ranging from simple password theft to extensive siphoning
of money. Cyber criminals have developed new techniques involving mobile devices, social
networks and IoT devices to keep their illicit gains flowing. Cyber criminals take full advantage of
the anonymity, secrecy and interconnectedness provided by the internet, thereby attacking society.
Law enforcement officials struggle to keep pace with perpetrators. The emotional impact of cyber
crime is another factor that affects society. A study on this factor by Norton reveals a staggering
prevalence of cyber crime. According to this report, 65% of internet users globally and 73% of
web surfers have fallen victim to cyber crime. Among the most victimized nations, America
ranks 3rd after China (83%) and Brazil and India (76%). The strongest reactions to cyber crime
are anger, annoyance and feeling cheated, and sometimes victims blame themselves for being
cheated.
Cyber harassment as a crime also brings us to another related area, the violation of the privacy
of citizens. Violation of the privacy of online citizens is a cyber crime of a grave nature. No one
likes any other person invading the invaluable and extremely touchy area of his or her own
privacy which the medium of the internet grants to the citizen. Harassment email, cyber stalking,
defamation, hacking, cracking, spoofing, smishing, vishing, phishing, carding, child pornography
and assault by threat are examples of cyber crimes against persons.
· theft of money
Businesses that suffer a cyber breach will also generally incur costs associated with
repairing affected systems, networks and devices. Trust is an essential element of the customer
relationship. Cyber attacks can damage a business’s reputation and erode the trust customers
have in you. This, in turn, could potentially lead to:
· loss of customers
· loss of sales
· reduction in profits
The effect of reputational damage can even impact suppliers, or affect relationships
you may have with partners, investors and other third parties invested in the business.
Data protection and privacy laws require you to manage the security of all personal data
that is held, whether on your staff or your customers. If this data is accidentally or deliberately
compromised, and you have failed to deploy appropriate security measures, you may
face fines and regulatory sanctions. According to recently collected data on cyber security, over
159 million sensitive records were compromised in 2015 alone. The loss of this information
racks up larger bills than just the initial data recovery and added security measures. A breach
can lead to potential fines, penalties and litigation for a business.
In May 2017, Target paid out an $18.7 million settlement over a large-scale data breach
that took place in 2013. The company said that the total cost of the breach was over $202
million. It is estimated that cybercrime will cost approximately $6 trillion per year on average
through 2021.
The even bigger issue is that a large percentage of sensitive records taken are usually
filled with customer data. When a company has a data breach, it undermines a customer’s trust
in the company and their confidence in the company’s ability to keep their financial information
out of the wrong hands.
It’s a big enough red flag when a company loses its own data, but customer data is a
different ball game. Identity theft is a real concern for consumers, and customers may feel less
inclined to shop with companies that could mishandle their information.
Following a cyber attack, companies lose not only valuable digital assets and customers
but also their brand, and the damage to the brand bleeds into all aspects of the business:
growth, revenue and reputation. Brand loyalists who purchased from a company because they
liked the brand will leave once the company proves unable to keep their personal and financial
information safe; then the game is over. With the click of a mouse the attackers can ruin the
perception of a brand overnight. Businesses that are affected include financial services, airlines,
shipping, transportation, telecom, critical infrastructure, aerospace & defence and retail.
Tempora is the codeword for a formerly secret computer system that is used by the
British Government Communications Headquarters (GCHQ). This system is used to buffer
most Internet communications that are extracted from fibre-optic cables, so these can be
processed and searched at a later time. It was tested from 2008 and became operational in the
autumn of 2011. Tempora uses intercepts on the fibre-optic cables that make up the backbone
of the Internet to gain access to large amounts of Internet users’ personal data, without any
individual suspicion or targeting. The intercepts are placed in the United Kingdom and overseas,
with the knowledge of companies owning either the cables or landing stations.
PRISM is a code name for a program under which the United States National Security
Agency (NSA) collects internet communications from various U.S. internet companies. The
program is also known by the SIGAD US-984XN. PRISM collects stored internet communications
based on demands made to internet companies such as Google Inc. under Section 702 of
the FISA Amendments Act of 2008 to turn over any data that match court-approved search
terms. The NSA can use these PRISM requests to target communications that were encrypted
when they travelled across the internet backbone, to focus on stored data that telecommunication
filtering systems discarded earlier, and to get data that is easier to handle, among other things.
Optic Nerve - A program started in 2008, Optic Nerve allowed secret access to Yahoo!
webcam chats. In one six-month period in 2008 it spied on 1.8 million Yahoo! users and took
one still image every five minutes of video per user. Between 3% and 11% of the images captured
by Optic Nerve were sexually explicit “undesirable nudity”.
Mystic - Mystic spies on every single phone call made in five target countries. In the
Philippines, Kenya and Mexico, Mystic ‘only’ records the metadata (who called whom, when the
call happened, for how long and the location of the call if it was made on a mobile). In Afghanistan
and the Bahamas, it records the content of every call made and stores it for 30 days. That’s a
combined population of 250 million people whose phone calls are being secretly monitored by
the NSA.
Gemalto Hacking - Gemalto is the largest SIM card manufacturer in the world, producing
two billion SIM cards a year. It has 400 mobile network operator partners with 700 million
subscribers. GCHQ attacked its network to steal the SIM card encryption keys that protect
conversations from being listened to. Gemalto said it detected attacks in 2010 and 2011 and
repelled them. When intelligence agencies break the locks on communications infrastructure
like SIM cards, they don’t just leave the doors open for government spying, they leave the doors
open for identity thieves, hackers and organised criminals too.
Summary
· Cyber criminals have developed new techniques involving mobile devices, social
networks, IoT devices to keep their illicit gains flowing.
· Cyber crimes committed against persons include various crimes like transmission
of child-pornography, cyber porn, harassment of a person using a computer such
as through e-mail, fake escrow scam.
· Strongest reactions to cyber crimes are anger, annoyance, feeling cheated and
sometimes they blame themselves for being cheated.
· IPR related crimes, cyber squatting, cyber vandalism, hacking, cyber trespass,
internet time thefts are common attacks against property.
· The impact of a security breach can be broadly divided into three categories: financial,
reputational and legal.
· Data protection and privacy laws require you to manage the security of all personal
data that is held, whether on staff or customers.
· Cyber crimes committed against persons include various crimes like transmission
of ____________, _____________ harassment of a person using a computer such
as through e-mail, fake escrow scam.
· The impact of a security breach can be broadly divided into three categories:
_____________, ________________ and _______________.
Reference
· https://thefinancialexpress.com.bd/views/cyber-crime-affects-society-in-different-ways
· https://www.nibusinessinfo.co.uk/content/impact-cyber-attack-your-business
· https://www.forbes.com/sites/theyec/2017/07/13/the-true-cost-of-cybercrime-for-businesses/#587658004947
· https://securingtomorrow.mcafee.com/business/economic-impact-cybercrime-cyber-espionage-isnt-just-militarys-problem/
· https://www.crowdstrike.com/blog/cybercrime-cybersecurity-affects-nations-geopolitics/
· https://gcn.com/articles/2011/07/27/international-cyber-crime-threat-to-us.aspx
· https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
· https://www.amnesty.org/en/latest/campaigns/2015/03/10-spy-programmes-with-silly-codenames-used-by-gchq-and-nsa/
LESSON - 9
VIRUS, WORMS AND TROJANS
Learning Objectives:
· Virus
· Worms
· Trojans
Structure
9.1. Virus
9.1.1. Definition
9.1.4. Countermeasure
9.2. Worms
9.2.1. Definition
9.2.4. Countermeasure
9.3. Trojan
9.3.1. Definition
9.3.4. Countermeasure
9.1 Virus
A computer virus is malicious code that replicates by copying itself to another program,
computer boot sector or document and changes how a computer works. The virus requires
someone to knowingly or unknowingly spread the infection without the knowledge or permission
of a user or system administrator. Spreading of a virus happens
Many viruses also include evasion or obfuscation capabilities that are designed to bypass
modern antivirus and antimalware software and other security defenses. The rise of polymorphic
malware development, which can dynamically change its code as it spreads, has also made
viruses more difficult to detect and identify.
Some viruses will begin replicating as soon as they infect the host, while others will lie dormant
until a specific trigger causes the malicious code to be executed by the device or system.
9.1.1. Definition
· A computer virus crime usually involves the intent to cause damage through the
creation and/or distribution of a destructive computer program.
Variants of viruses exist based on their functionality. They are illustrated in Figure
9.1.
File Infectors
Viruses belonging to this category infect files and attach themselves to program files.
The common targets are ‘.com’ or ‘.exe’ files; some viruses can infect any program for which
execution is requested, including ‘.sys’, ‘.ovl’, ‘.prg’ and ‘.mnu’ files. Whenever the program
gets loaded, the virus also gets loaded. Sometimes infected programs are sent as email attachments.
Macro Virus
It is a popular belief that most Microsoft programs use macros. Macros are sequences
of actions, commands or keystrokes embedded in documents in a saved state so that they
can be used for automating tasks. A macro virus specifically targets the commands in
applications like Microsoft Word and other programs. Recent Microsoft Word applications
have their macros disabled by default.
Overwrite Virus
These viruses are designed specifically to destroy a file’s or application’s data. After infecting a
system, an overwrite virus begins overwriting files with its own code. These viruses can target
specific files or applications or systematically overwrite all files on an infected device. An overwrite
virus can install new code in files and applications that programs them to spread the virus to
additional files, applications and systems.
Polymorphic viruses
A polymorphic virus is a type of malware that has the ability to change or mutate its
underlying code without changing its basic functions or features. This process helps a virus
evade detection from many antimalware and threat detection products that rely on identifying
signatures of malware; once a polymorphic virus’ signature is identified by a security product,
the virus can then alter itself so that it will no longer be detected using that signature.
Resident viruses
This type of virus embeds itself in the memory of a system. The original virus program
isn’t needed to infect new files or applications; even if the original virus is deleted, the version
stored in memory can be activated when the operating system loads a specific application or
function. Resident viruses are problematic because they can evade antivirus and antimalware
software by hiding in the system’s RAM.
Rootkit viruses
These viruses infect executable code found in certain system areas on a disk. They
attach to the DOS boot sector on diskettes and USB thumb drives or the Master Boot Record
on hard disks. In a typical attack scenario, the victim receives a storage device that contains a
boot disk virus. When the victim’s operating system is running, files on the external storage
device can infect the system; rebooting the system will trigger the boot disk virus. An infected
storage device connected to a computer can modify or even replace the existing boot code on
the infected system so that when the system is booted next, the virus will be loaded and run
immediately as part of the master boot record. Boot viruses are less common now as today’s
devices rely less on physical storage media.
Email Virus
An email virus consists of malicious code that is distributed in email messages, and it can
be activated when a user clicks on a link in an email message, opens an email attachment or
interacts in some other way with the infected email message.
Viruses and other malware distributed by email can wreak all kinds of havoc, including
the following:
Email viruses often spread by causing the attachment or malicious message to be sent to
everyone in the victim’s address book.
Email viruses can be packaged and presented in a variety of different ways. Some can
easily be spotted as malicious by virtue of subject lines that don’t make sense, a suspicious
sender or other header fields, and body content that looks off in some way. Other email messages
containing malware can be more difficult for recipients to identify, as they reflect considerable
effort by the malicious actor to make the email message appear to be sent from a trusted and
known sender. This is particularly true for phishing attacks carried out to further business email
compromise attacks.
Email viruses are often connected with phishing attacks in which hackers send out malicious
email messages that look as if they originated from legitimate sources, including the victim’s
bank, social media, internet search sites or even friends and co-workers. The attacker’s goal, in
these cases, is to trick users into revealing personal information, such as the victim’s usernames,
full names and addresses, passwords, Social Security numbers or payment card numbers.
These types of email virus cause phishing attacks.
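The header and attachment indicators described above, as an added example that is not part of the course text: a Go program (standard library only) that parses two constructed sample messages and reports a display name that impersonates another domain, a Reply-To that diverts replies, and a macro-enabled attachment. The domain names, sample messages and the list of risky extensions are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"path"
	"strings"
)

// Attachment extensions treated as risky here (an assumed, non-exhaustive list).
var riskyExt = map[string]bool{".exe": true, ".scr": true, ".js": true, ".vbs": true, ".hta": true, ".docm": true, ".xlsm": true}

// domainOf returns the lower-cased text after the last "@", or "" if there is none.
func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// Inspect parses one raw RFC 5322 message and returns a finding for each indicator present:
// a display name impersonating another domain, a Reply-To elsewhere, and risky attachments.
func Inspect(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, fmt.Errorf("unparseable From header: %w", err)
	}
	var findings []string
	fromDom := domainOf(from.Address)
	// 1. The visible display name looks like an address on another domain.
	if nameDom := domainOf(from.Name); nameDom != "" && nameDom != fromDom {
		findings = append(findings, "display name impersonates "+nameDom+", real sender domain is "+fromDom)
	}
	// 2. Replies would go to a domain other than the apparent sender's.
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if r, err := mail.ParseAddress(rt); err == nil && domainOf(r.Address) != fromDom {
			findings = append(findings, "Reply-To domain "+domainOf(r.Address)+" differs from sender domain "+fromDom)
		}
	}
	// 3. Walk the MIME parts and flag executable or macro-enabled attachment names.
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err == nil && strings.HasPrefix(mediaType, "multipart/") {
		mr := multipart.NewReader(msg.Body, params["boundary"])
		for {
			part, err := mr.NextPart()
			if err == io.EOF {
				break
			}
			if err != nil {
				return findings, err
			}
			if name := part.FileName(); riskyExt[strings.ToLower(path.Ext(name))] {
				findings = append(findings, "risky attachment: "+name)
			}
		}
	}
	return findings, nil
}

// PhishingSample is a constructed message (not real mail); all domains are made up.
var PhishingSample = strings.Join([]string{
	`From: "alerts@bank.test" <no-reply@mail-bank-secure.test>`,
	"Reply-To: support@other-domain.test",
	"Subject: Your account has been limited",
	`Content-Type: multipart/mixed; boundary="XYZ"`,
	"",
	"--XYZ",
	"Content-Type: text/plain",
	"",
	"Please open the attached statement.",
	"--XYZ",
	"Content-Type: application/octet-stream",
	`Content-Disposition: attachment; filename="statement.docm"`,
	"",
	"ZmFrZQ==",
	"--XYZ--",
	"",
}, "\r\n")

// BenignSample is a constructed ordinary message for comparison.
var BenignSample = strings.Join([]string{
	"From: Alice Example <alice@example.test>",
	"Content-Type: text/plain",
	"",
	"See you at noon.",
}, "\r\n")

func main() {
	findings, err := Inspect(PhishingSample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d finding(s): %q\n", len(findings), findings)
}
```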
Email viruses can take many different forms, and malicious actors work tirelessly to improve
their malicious email messages and methods for email hacking, as well as the accompanying
malware.
Email spam, also known as unwanted or unsolicited email, usually spreads malware through
links in the message that lead to phishing websites or other sites hosting malware.
Virus hoax email messages, which contain a false warning about a nonexistent threat,
are considered a form of socially engineered email virus or worm. Virus hoax messages may
instruct the recipient to take some action, including forwarding the warning to all of their contacts.
One variant of the virus hoax email builds on the tech support phone scam, in which a malicious
actor attempts to engage the victim to defraud the victim.
Macro viruses are viruses written in a macro language used by other software programs,
especially Microsoft Excel and Microsoft Word macros. Macro malware is transmitted through
phishing email messages that contain malicious attachments, which contain the malicious
macros.
Spambot programs are programs designed to harvest email addresses to build mailing
lists for sending spam. While spambot programs are not usually distributed through email, they
are instrumental in gathering valid email addresses to be used for the distribution of email
viruses.
The table 9.1 illustrates the name, type, mode of distribution and year of release of the
popular viruses.
2. Create an anti-virus policy rule for safeguarding computer systems and distribute it
around the organization.
3. Pay attention to the instructions before downloading and installing any program
from the Internet.
4. Update the antivirus software regularly, so that it is aware of new malware
signatures.
6. After installing the antivirus software, schedule regular scans of all drives in the
host system.
7. Only accept media devices or files after scanning them with the updated antivirus program.
9.2. Worms
WORM is the abbreviation for ‘write once read many’. It describes a data storage device
in which information, once written, cannot be modified. This write protection affords the assurance
that the data cannot be tampered with once it is written onto the device. A worm is a malicious
program that is capable of self-replicating. It spreads via networks and remote machines
and controls remote systems without the knowledge of the user. Most worms are spread as
files: as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC
message, or via P2P file sharing networks. Some worms spread as network packets; these directly
penetrate the computer memory and the worm code is then activated. Modes of penetration
include social engineering, exploiting network vulnerabilities and configuration errors, and
exploiting loopholes in OS and application security.
9.2.1.Definition
A computer worm is a standalone malware computer program that replicates itself in order
to spread to other computers. Often, it uses a computer network to spread itself, relying on
security failures on the target computer to access it. Worms almost always cause at least some
harm to the network, even if only by consuming bandwidth, whereas viruses almost always
corrupt or modify files on a targeted computer.
Many worms that have been created are designed only to spread, and do not attempt to
change the systems they pass through. However, as the Morris worm and Mydoom showed,
even these “payload-free” worms can cause major disruption by increasing network traffic and
other unintended effects.
An Internet worm is a type of malicious software (malware) that self-replicates and distributes
copies of itself across its network. These independent virtual viruses spread through the Internet,
break into computers, and replicate without intervention from, and unbeknownst to, computer
users.
Internet worms can be included in any type of virus, script or program. These worms
typically infect systems by exploiting bugs or vulnerabilities that can often be found in legitimate
software. Unlike Trojans or other viruses that require user intervention to spread, Internet worms
can spread on their own. This makes them extremely dangerous.
Internet worms are also known as computer worms. Internet worms use various techniques
to multiply over the Internet. Initial worms just scanned local network hard drives and folders,
and then inserted themselves into programs.
· Net – worm
simultaneously to spread, thus increasing the speed at which they find victims.
· P2P worm
P2P Worms spread via peer-to-peer file sharing networks (such as Kazaa, Grokster,
EDonkey, FastTrack, Gnutella, etc.). Most of these worms work in a relatively simple way: in
order to get onto a P2P network, all the worm has to do is copy itself to the file sharing directory,
which is usually on a local machine. The P2P network does the rest: when a file search is
conducted, it informs remote users of the file and provides services making it possible to download
the file from the infected computer. There are also more complex P2P-Worms that imitate the
network protocol of a specific file sharing system and respond positively to search queries; a
copy of the P2P-Worm is offered as a match.
· Email Worm
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an
email message or a link to its file on a network resource (e.g. a URL to an infected file on a
compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened
(launched). In the second case, the code is activated when the link to the infected file is opened.
In both cases, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
· using a direct connection to an SMTP server using the email directory built into the
worm’s code
Email-Worms use a number of different sources to find email addresses to which infected
emails will be sent:
· ‘.txt’ files stored on the hard drive: the worm can identify which strings in text files
are email addresses
· emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other
sources of email addresses, such as address books associated with web-based email services.
· IM worm
IM Worms spread via instant messaging systems (such as ICQ, MSN Messenger, AOL
Instant Messenger, Yahoo Pager, Skype, etc.). In order to spread, IM-Worms usually send a
link (URL) to a list of message contacts. The link leads to a network resource where a file
containing the body of the worm has been placed. This tactic is almost exactly the same as that
used by Email-Worms.
· IRC worm
This type of worm spreads via Internet Relay Chat. Like email worms, IRC Worms have
two ways of spreading via IRC channels. The first involves sending a URL which leads to a
copy of the worm. The second technique is to send an infected file to an IRC channel user.
However, the recipient of the infected file has to accept the file, save it to disk, and open
(launch) it.
The first active Internet worm that required no human intervention to spread was the
Morris worm released in 1988. It spread very rapidly, infecting all vulnerable machines in a
matter of hours. Most recent active worms use the techniques pioneered by Robert Morris. The
Morris Worm infected multiple types of machines (Sun 3s and VAXes), attacked multiple security
holes (including a buffer overflow in fingerd, debugging routines in Sendmail, and password
cracking), and used multiple streams of execution to improve its throughput when attacking
other machines.
Code Red demonstrated how swiftly a relatively simple worm can spread on the current
Internet infrastructure: it effectively achieved complete infection in a little over twelve hours,
even with the aborted early release of a buggy version. Code Red exploited a recently discovered
(but patchable) buffer overflow in Microsoft’s Internet Information Server. It spread far
and fast because of the “on by default” nature of IIS with many versions of Windows NT and
2000. It also included multithreaded scanning routines that improve throughput and effectively
keep it from being trapped by tarpits (such as LaBrea), which are blocks of IP addresses that
attempt to slow down scanning by automated tools by seeming to respond to connection requests
while actually doing nothing.
Code Red 2 ended up being significantly more disruptive than Code Red, even though the
change in infection strategy was relatively mild. Instead of searching only randomly selected
addresses, Code Red 2 preferentially probed for machines on the same subnet and nearby
subnets. As a result, once a single machine within a corporate firewall was infected, it would
quickly probe virtually every machine within the firewall, and since it was attacking an on-by-
default service, Code Red 2 quickly infested entire corporate networks.
Nimda
The latest worm of note, Nimda, did not really bring anything new to the table. It simply
resurrected the idea of multimode operation: it was an e-mail worm, it attacked old bugs in
Explorer and Outlook, spread through Windows shares, and an old buffer overflow in IIS. It also
borrowed Code Red 2’s preference for logically adjacent IP addresses in its scanning routines.
The net result was a highly virulent, highly effective worm that revealed that several old bugs
can be used even if each hole is patched by most machines: one needs all patches and
vulnerabilities closed to stop a Nimda-like worm. Such a worm is also somewhat easier to write,
as one can use many well-known exploits to get wide distribution instead of discovering new
attacks.
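The subnet-preferring scanning that Code Red 2 and Nimda used leaves a recognisable trace: one source opening connections to many distinct neighbouring hosts on the same port within seconds. The following is an added example (not from the course text) that flags such sources in a constructed connection log; the log format and the thresholds are assumptions chosen for illustration.

```python
"""Flag worm-style subnet scanning in a constructed connection log.

Added example, not part of the course text. A host that contacts many
distinct destinations on one port within a short window, most of them in
its own /24, looks like a Code Red 2 / Nimda style scanner rather than a
normal client. Log format (assumed): "timestamp src dst dport".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). 10.1.2.15 probes seven hosts in
# its own /24 plus one in the neighbouring subnet within eight seconds;
# 10.1.2.50 is an ordinary client making occasional connections.
SAMPLE_LOG = """\
2001-08-04T10:00:00 10.1.2.15 10.1.2.16 80
2001-08-04T10:00:01 10.1.2.15 10.1.2.17 80
2001-08-04T10:00:02 10.1.2.15 10.1.2.18 80
2001-08-04T10:00:03 10.1.2.15 10.1.2.19 80
2001-08-04T10:00:04 10.1.2.15 10.1.2.20 80
2001-08-04T10:00:05 10.1.2.15 10.1.2.21 80
2001-08-04T10:00:06 10.1.2.15 10.1.2.22 80
2001-08-04T10:00:07 10.1.2.15 10.1.3.5 80
2001-08-04T10:00:03 10.1.2.50 10.1.2.10 80
2001-08-04T10:05:00 10.1.2.50 10.1.2.11 80
2001-08-04T10:09:00 10.1.2.50 10.1.2.12 443
"""


def parse_connections(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def same_24(a, b):
    """True when two dotted-quad IPv4 addresses share the first three octets."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def detect_scanners(records, window_seconds=60, min_targets=5):
    """Return {(src, dport): summary} for sources that reach at least
    min_targets distinct destinations on one port inside any window of
    window_seconds. The summary counts how many targets sit in the
    source's own /24, the Code Red 2 / Nimda signature."""
    by_src_port = defaultdict(list)
    for ts, src, dst, port in records:
        by_src_port[(src, port)].append((ts, dst))

    alerts = {}
    for (src, port), events in by_src_port.items():
        events.sort()
        best = set()
        start = 0
        # Sliding window over the time-sorted events for this (src, port).
        for end, (t_end, _) in enumerate(events):
            while (t_end - events[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {d for _, d in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            alerts[(src, port)] = {
                "targets": len(best),
                "same_subnet": sum(1 for d in best if same_24(src, d)),
            }
    return alerts


if __name__ == "__main__":
    for key, summary in detect_scanners(parse_connections(SAMPLE_LOG)).items():
        print(key, summary)
```
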
Warhol
Warhol worms and Flash worms are names for methods that, with various amounts of preparation,
may allow a worm to infect all vulnerable machines in minutes, but they have not yet been seen in
practice. It is questionable whether someone interested in writing a superworm would need to
bother with such techniques, since although they are significantly faster, greater speed may not be
necessary.
2000 - ILOVEYOU Worm: Spreading by way of an email sent with the seemingly benign
subject line, “ILOVEYOU,” the worm infected an estimated 50 million computers. Damages
caused major corporations and government bodies, including portions of the Pentagon and
British Parliament, to shut down their email servers. The worm spread globally and cost more
than $5.5 billion in damages.
2003 – SQL Slammer Worm: One of the fastest spreading worms of all time, SQL
Slammer infected nearly 75,000 computers in ten minutes. The worm had a major global effect,
slowing Internet traffic worldwide via denial of service.
2008 – Conficker Worm: A combination of the words “configure” and “ficker”, this
sophisticated worm caused some of the worst damage seen since Slammer appeared in 2003.
9.2.4. Countermeasure
1. Install antivirus software that discovers and eliminates malicious content.
2. Create an anti-virus policy rule for safeguarding computer systems and distribute it
around the organization
3. Pay attention to the instructions before downloading and installing any programs
from the Internet.
4. Update the antivirus software regularly, so that it is aware of the new malware
signatures.
6. After installing the antivirus software, schedule regular scans for all drives in the
host system.
7. Only accept media devices or files post-scanning with the updated antivirus program.
9.3. Trojan
9.3.1. Definition : Trojans
· A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software.
Trojans can be employed by cyber-thieves and hackers trying to gain access to users’ systems.
Users are typically tricked by some form of social engineering into loading and executing Trojans
on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your
sensitive data, and gain backdoor access to your system. In short, a Trojan horse is a malicious
program that is disguised as, or embedded within, legitimate software.
· They may look useful or interesting (or at the very least harmless) to an unsuspecting
user, but are actually harmful when executed, for example by:
· Deleting data
· Blocking data
· Modifying data
· Copying data
· Denial of Service
One type is software that appears to be genuine but has been corrupted by a cracker
inserting malicious code that executes while the program is used. Examples include
various implementations of weather alerting programs, computer clock setting
software, and peer to peer file sharing utilities.
The other type is a standalone program that masquerades as something else, like
a game or image file, in order to trick the user into some misdirected complicity that
is needed to carry out the program’s objectives.
If Trojans replicate and even distribute themselves, each new victim must run the
program/Trojan.
With file extensions hidden, the user would only see ‘Readme.txt’ and could mistake
it for a harmless text file.
Icons can also be chosen to imitate the icon associated with a different and benign
program, or file type.
Superficially do what the user expects it to do (open a text file, for example)
Might discreetly
· Destructive Trojans
· Proxy Trojans
· FTP Trojans
· Allowing remote access to the victim’s computer. This is called a RAT (remote
administration tool).
· Spreading other malware, such as viruses (in this case the Trojan horse is called a
‘dropper’ or ‘vector’).
· Spying on the user of a computer and covertly reporting data like browsing habits to
other people
· Making screenshots
· Logging keystrokes to steal information such as passwords and credit card numbers
(key logger)
· Phishing for bank or other account details, which can be used for criminal activities.
Methods of infection
· The user was tricked into running an infected program
· Websites
· Open ports
· help to mitigate the problem of remote trojan insertion via open ports
Famous Trojans
Back Orifice
NetBus
SubSeven
Downloader-EV
Mode of Transmission
· E-Mail Attachments
· Physical Access
Wrappers
· Wrappers are a type of software “glueware” that is used to attach together other
software components.
Unlike computer viruses and worms, Trojans are not able to self-replicate.
Trojans are classified according to the type of actions that they can perform on your
computer:
Backdoor
A backdoor Trojan gives malicious users remote control over the infected computer. They
enable the author to do anything they wish on the infected computer – including sending,
receiving, launching and deleting files, displaying data and rebooting the computer. Backdoor
Trojans are often used to unite a group of victim computers to form a botnet or zombie network
that can be used for criminal purposes.
Exploit
Exploits are programs that contain data or code that takes advantage of a vulnerability
within application software that’s running on your computer.
Rootkit
Rootkits are designed to conceal certain objects or activities in your system. Often their
main purpose is to prevent malicious programs being detected – in order to extend the period in
which programs can run on an infected computer.
Trojan-Banker
Trojan-Banker programs are designed to steal your account data for online banking
systems, e-payment systems and credit or debit cards.
Trojan-DDoS
These programs conduct DoS (Denial of Service) attacks against a targeted web address.
By sending multiple requests – from your computer and several other infected computers – the
attack can overwhelm the target address leading to a denial of service.
Trojan-Downloader
Trojan-Downloaders can download and install new versions of malicious programs onto
your computer – including Trojans and adware.
Trojan-Dropper
These programs are used by hackers in order to install Trojans and / or viruses – or to
prevent the detection of malicious programs. Not all antivirus programs are capable of scanning
all of the components inside this type of Trojan.
Trojan-FakeAV
Trojan-FakeAV programs simulate the activity of antivirus software. They are designed to
extort money from you – in return for the detection and removal of threats… even though the
threats that they report are actually non-existent.
Trojan-GameThief
This type of program steals user account information from online gamers.
Trojan-IM
Trojan-IM programs steal your logins and passwords for instant messaging programs –
such as ICQ, MSN Messenger, AOL Instant Messenger, Yahoo Pager, Skype and many more.
Trojan-Ransom
This type of Trojan can modify data on your computer – so that your computer doesn’t run
correctly or you can no longer use specific data. The criminal will only restore your computer’s
performance or unblock your data, after you have paid them the ransom money that they demand.
Trojan-SMS
These programs can cost you money – by sending text messages from your mobile
device to premium rate phone numbers.
Trojan-Spy
Trojan-Spy programs can spy on how you’re using your computer – for example, by
tracking the data you enter via your keyboard, taking screen shots or getting a list of running
applications.
o Trojan-Mailfinder
o Trojan-ArcBomb
o Trojan-Clicker
o Trojan-Notifier
o Trojan-Proxy
o Trojan-PSW
Trojans are also classified as Keyloggers, hardware based, remote access, password
stealing, destructive and resource stealing Trojans based on their functionality.
Countermeasures
By installing effective anti-malware software, you can defend your devices – including
PCs, laptops, Macs, tablets and smartphones – against Trojans. A rigorous anti-malware solution
– such as Kaspersky Anti-Virus – will detect and prevent Trojan attacks on your PC, while
Kaspersky Mobile Security can deliver world-class virus protection for Android smartphones.
Kaspersky Lab has anti-malware products that defend the following devices against Trojans:
· Windows PCs
· Linux computers
· Apple Macs
· Smartphones
· Tablets
Summary
· A computer virus is a malicious code that replicates by copying itself to another
program, computer boot sector or document and changes how a computer works.
References
https://searchsecurity.techtarget.com/definition/email-virus
https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms
https://securelist.com/threats/im-worm/
https://www.kaspersky.co.in/resource-center/threats/trojans
LESSON - 10
ROOTKIT & BOTNETS
Learning Objectives:
Rootkit
Symptoms of rootkit
Types of Rootkit
o Kernel rootkit
o Firmware rootkit
o Application rootkit
o Memory rootkit
o Bootkit rootkit
o Persistent rootkit
o Library rootkits
o Countermeasures
Botnets
o Botnet architecture
o Notable botnets
o Types of attacks
o Countermeasures
Structure
10. Rootkit
10.2.8. Countermeasures
10.3. Botnets
10.3.4. Countermeasures
10. Rootkit
A rootkit is a clandestine computer program designed to provide continued privileged
access to a computer while actively hiding its presence. The term rootkit is a combination of the
two words “root” and “kit.” Originally, a rootkit was a collection of tools that enabled administrator-
level access to a computer or network. Root refers to the admin account on UNIX and Linux
systems, and kit refers to the software components that implement the tool. Today rootkits are
generally associated with malware – such as Trojans, worms, viruses – that conceal their
existence and actions from users and other system processes.
A rootkit allows someone to maintain command and control over a computer without the
computer user/owner knowing about it. Once a root kit has been installed, the controller of the
rootkit has the ability to remotely execute files and change system configurations on the host
machine. A rootkit on an infected computer can also access log files and spy on the legitimate
computer owner’s usage.
One of the primary objectives of a rootkit is to avoid detection in order to remain installed
and accessible on the victim system, so rootkit developers aim to keep their malware
undetectable, which means there may not be many detectable symptoms that flag a rootkit
infection.
One common symptom of a rootkit infection is that antimalware protection stops working.
An antimalware application that just stops running indicates that there is an active rootkit infection.
Another symptom of a rootkit infection can be observed when Windows settings change
independently, without any apparent action by the user. Other unusual behavior, such as
background images changing or disappearing in the lock screen or pinned items changing on
the taskbar, could also indicate a rootkit infection.
Finally, unusually slow performance or high CPU usage and browser redirects may also
indicate the presence of a rootkit infection.
Just like other types of malware, rootkit infections are usually accompanied by some
typical signs, which include antivirus ceasing to function, Windows Settings changing
independently, background images changing, or items pinned to the taskbar disappearing for
no reason. It is also important to check for slow system performance. All of these are usually
indicative of a rootkit infection.
10.2.1. Kernel Rootkit: these are rootkits which operate at the kernel level (the core of
the operating system) and have a serious effect on the system. These rootkits are usually
difficult to detect since they operate in the kernel, meaning they have the same privileges as
the operating system itself.
10.2.2. Firmware Rootkit: these rootkits reside in the firmware of devices such as network devices.
These rootkits are loaded when the machine boots and remain available for as long as the
device is. This type too is hard to detect.
10.2.3. Application Rootkit: these rootkits operate at the application level. That is, they
don’t infect the kernel but the application files inside your computer. These usually replace the
applications files (which they are trying to infect) with the rootkit files or change the behavior of
the application by injecting code.
10.2.4. Memory Rootkit: these rootkits usually hide themselves and operate from the
computer’s memory. That is RAM (Random Access Memory).
10.2.5. Boot kit Rootkits: These rootkits – also known as Boot Loader Level kits – infect
the legitimate boot loader of your system with the respective rootkit, so that they get activated
whenever the operating system is started. Obviously, these rootkits too pose a serious threat to
your system.
10.2.6. Persistent Rootkits: Another rootkit which starts up and stays active until the
system is shut down. What’s more is the fact that this rootkit has the ability to restart the system
processes.
10.2.7. Library Rootkits: As the name suggests, these rootkits affect the ‘library files’ in
your computer (system libraries), for example Windows DLLs. Similar to other rootkits, these too
intercept specific files and replace them with their own code.
10.2.8. Countermeasures
Antivirus software which comes equipped with strong security features is the best defence
available in the IT security market. It is effective in preventing not just rootkit infections but the
entire gamut of malware types like adware, Trojans, keyloggers, ransomware and more. Moreover,
it is fairly effective against zero-day threats as well, because of the patented ‘Default Deny
Approach’ implemented via its Containment technology.
Default Deny Approach: Technology which ensures all files or applications are denied
entry into your PC(s) by default, whether they are known good (white listed ones), known bad
(blacklisted ones) or unknown (not identified or encountered so far), until they prove themselves
to be harmless.
Host Intrusion Protection System (HIPS): The antivirus also ships with a default HIPS rule-
set which offers protection to your PC(s). HIPS protects system-critical files or folders from malware
infections by enforcing a set of security rules that offer high levels of protection. The HIPS rule-set
is highly customizable.
Virus monitors: this technology monitors all the processes running on the computer
and alerts when a process behaves abnormally or has gone rogue (an indication of malware
infection). Using such monitors, users can potentially reverse or undo such undesirable processes.
Other crucial security features include protection against file-less malware, a rescue disk,
protection against Man-in-the-Middle (MITM) attacks and much more.
Rootkits may be troublesome and persistent, but in the end they are just programs like
many other types of malware. Infection takes place only after the malicious program that carries
the rootkit.
Here are some basic steps that should be followed to avoid becoming infected with a rootkit,
and thus avoid the painful and time-consuming steps needed to remove one.
Phishing is one of the most frequently used methods to infect people with malware. The
malicious hackers simply spam a huge email list with messages designed to trick you into
clicking a link or opening an attachment. The fake message can be anything really, from a
Nigerian prince asking for help to retrieve his gold, to really well-crafted ones such as fake
messages from Google. The attachment can be anything, such as a Word or Excel document,
a regular .exe program or an infected JPEG.
Outdated software is one of the biggest sources of malware infection. Like any human
creation, software programs are imperfect by design, meaning they come with many bugs and
vulnerabilities that allow a malicious hacker to exploit them. For this reason, keeping one’s
software up-to-date at all times is one of the best practices to stay safe on the Internet and
prevent a malicious hacker from causing a malware infection.
Antivirus software hasn’t had a good time lately. Many of the more recent so called “second
generation malware” come with many defensive measures such as obfuscation that prevents
or makes detection difficult. Despite this however, an antivirus still brings real value to the fight
on malware.
Traffic filtering - One major flaw of antivirus is that the malware has to actually reach
your PC before the antivirus becomes useful. Traffic filtering software, on the other hand, scans inbound
and outbound traffic to make sure no malware program is about to land on your computers,
and prevents private and confidential information from leaking to any suspicious receivers.
10.3. Botnet
The term botnet is derived from the words robot and network. A bot in this case is a device
infected by malware, which then becomes part of a network, or net, of infected devices controlled
by a single attacker or attack group.
Infected devices are controlled remotely by threat actors, often cybercriminals, and are
used for specific functions, so the malicious operations stay hidden to the user. Botnets are
commonly used to send email spam, engage in click fraud campaigns and generate malicious
traffic for distributed denial-of-service attacks. This is illustrated in figure 10.1.
The botnet malware typically looks for vulnerable devices across the internet, rather than
targeting specific individuals, companies or industries. The objective for creating a botnet is to
infect as many connected devices as possible, and to use the computing power and resources
of those devices for automated tasks that generally remain hidden to the users of the devices.
For example, a malicious botnet that infects a user’s PC will take over the system’s web
browsers to divert fraudulent traffic to certain online advertisements. However, to stay concealed,
the botnet won’t take complete control of the web browsers, which would alert the user. Instead,
the botnet may use a small portion of the browser’s processes, often running in the background,
to send a barely noticeable amount of traffic from the infected device to the targeted ads.
On its own, that fraction of bandwidth taken from an individual device won’t offer much to
the cybercriminals running the ad fraud campaign. However, a botnet that combines millions of
devices will be able to generate a massive amount of fake traffic for ad fraud, while also avoiding
detection by the individuals using the devices.
Botnet infections are usually spread through malware, such as a Trojan horse. Botnet
malware is typically designed to automatically scan systems and devices for common
vulnerabilities that haven’t been patched, in hopes of infecting as many devices as possible.
Botnet malware may also scan for ineffective or outdated security products, such as firewalls
or antivirus software.
Once the desired number of devices is infected, attackers can control the bots using two
different approaches. The traditional client/server approach involves setting up a command-
and-control (C&C) server and sending automated commands to infected botnet clients through
a communications protocol, such as internet relay chat (IRC). The bots are often programmed
to remain dormant and await commands from the C&C server before initiating any malicious
activities. The same is illustrated in figure 10.2.
The other approach to controlling infected bots involves a peer-to-peer network. Instead
of using C&C servers, a peer-to-peer botnet relies on a decentralized approach. Infected devices
may be programmed to scan for malicious websites, or even for other devices in the same
botnet. The bots can then share updated commands or the latest versions of the botnet malware.
The peer-to-peer approach is more common today, as cybercriminals and hacker groups
try to avoid detection by cybersecurity vendors and law enforcement agencies, which have
often used C&C communications as a way to monitor for, locate and disrupt botnet operations.
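Because bots sit dormant and poll their C&C server on a timer, their connections tend to be far more regular than a person's browsing. The example below is added here (not from the course text) and scores each (source, destination, port) pair in a constructed flow log by the regularity of its inter-connection intervals; the log format, the IRC port and the thresholds are assumptions for illustration.

```python
"""Beacon detection: find hosts polling a command-and-control server.

Added example, not from the course text. For every (src, dst, dport)
pair with enough connections, compute the gaps between successive
connections and their coefficient of variation (stdev / mean). A bot
checking in every N seconds gives a near-zero coefficient; a human
talking to a web server does not. Log format (assumed):
"timestamp src dst dport bytes".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flows (not real traffic). 192.168.1.20 polls an IRC-style
# C&C on port 6667 every ~300 s; 192.168.1.21 is a person browsing a web site.
SAMPLE_FLOWS = """\
# timestamp src dst dport bytes
2019-03-01T08:00:00 192.168.1.20 203.0.113.9 6667 210
2019-03-01T08:05:00 192.168.1.20 203.0.113.9 6667 212
2019-03-01T08:10:01 192.168.1.20 203.0.113.9 6667 208
2019-03-01T08:15:00 192.168.1.20 203.0.113.9 6667 210
2019-03-01T08:19:59 192.168.1.20 203.0.113.9 6667 211
2019-03-01T08:25:00 192.168.1.20 203.0.113.9 6667 209
2019-03-01T08:01:13 192.168.1.21 198.51.100.40 443 51230
2019-03-01T08:02:40 192.168.1.21 198.51.100.40 443 8803
2019-03-01T08:09:05 192.168.1.21 198.51.100.40 443 12000
2019-03-01T08:31:50 192.168.1.21 198.51.100.40 443 230
2019-03-01T08:33:00 192.168.1.21 198.51.100.40 443 77000
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def interval_cv(times):
    """Coefficient of variation of the gaps between sorted timestamps.

    Returns (mean_gap_seconds, cv); cv is None when fewer than two gaps exist."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return (gaps[0] if gaps else 0.0), None
    avg = mean(gaps)
    if avg <= 0:
        return avg, None
    return avg, pstdev(gaps) / avg


def beacon_candidates(flows, min_connections=5, max_cv=0.1):
    """Return {(src, dst, dport): summary} for pairs whose connection timing
    is regular enough (cv <= max_cv) to look like C&C polling."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst, dport)].append(ts)

    results = {}
    for key, times in by_pair.items():
        if len(times) < min_connections:
            continue
        avg, cv = interval_cv(times)
        if cv is not None and cv <= max_cv:
            results[key] = {
                "period_seconds": round(avg),
                "cv": round(cv, 4),
                "connections": len(times),
            }
    return results


if __name__ == "__main__":
    for key, summary in beacon_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(key, summary)
```

Bots that add random jitter to their polling interval raise the coefficient of variation, so in practice this timing check is combined with other signals such as destination reputation, the peer-to-peer behaviour described above, and unusual ports.
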
The Zeus malware, first detected in 2007, is one of the best-known and widely used
malware types in the history of information security.
Zeus uses a Trojan horse program to infect vulnerable devices and systems, and variants
of this malware have been used for various purposes over the years, including to spread
CryptoLocker ransomware.
Srizbi
The Srizbi botnet, which was first discovered in 2007, was, for a time, the largest botnet
in the world. Srizbi, also known as the Ron Paul spam botnet, was responsible for a massive
amount of email spam — as much as 60 billion messages a day, accounting for roughly half of
all email spam on the internet at the time. In 2007, the Srizbi botnet was used to send out
political spam emails promoting then-U.S. Presidential candidate Ron Paul.
Gameover Zeus
Approximately a year after the original Zeus botnet was disrupted, a new version of the
Zeus malware emerged, known as Gameover Zeus.
Methbot
An extensive cybercrime operation and ad fraud botnet known as Methbot was revealed
in 2016 by cybersecurity services company White Ops. According to security researchers,
Methbot was generating between $3 million and $5 million in fraudulent ad revenue daily last
year by producing fraudulent clicks for online ads, as well as fake views of video advertisements.
Mirai
A botnet can be used as a distributed denial of service weapon. A botnet attacks a network
or a computer system for the purpose of disrupting service through the loss of connectivity or
consumption of the victim network’s bandwidth and overloading of the resources of the victim’s
computer system. Botnet attacks are also used to damage or take down a competitor’s website.
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites
behind an ever-changing network of compromised hosts acting as proxies.
Any Internet service can be a target by botnets. This can be done through flooding the
website with recursive HTTP or bulletin-board search queries. This mode of attack in which
higher level protocols are utilized to increase the effects of an attack is also termed as spidering.
Spyware
It’s software which sends information to its creators about a user’s activities – typically
passwords, credit card numbers and other information that can be sold on the black market.
Compromised machines that are located within a corporate network can be worth more to the
bot herder, as they can often gain access to confidential information held within that company.
There have been several targeted attacks on large corporations with the aim of stealing sensitive
information, one such example is the Aurora botnet.
Adware: It exists to advertise some commercial entity actively and without the user’s
permission or awareness, for example by replacing banner ads on web pages with those of
another content provider.
A botnet can also be used to take advantage of an infected computer’s TCP/IP’s SOCKS
proxy protocol for networking applications. After compromising a computer, the botnet
commander can use the infected unit (a zombie) in conjunction with other zombies in his botnet
(robot network) to harvest email addresses or to send massive amounts of spam or phishing
emails.
Moreover, a bot can also function as a packet sniffer to find and intercept sensitive data
passing through an infected machine. Typical data that these bots look out for are usernames
and passwords which the botnet commander can use for his personal gain. Data about a
competitor botnet installed in the same unit is also mined so the botnet commander can hijack
this other botnet.
Access number replacements are where the botnet operator replaces the access numbers
of a group of dial-up bots to that of a victim’s phone number. Given enough bots partake in this
attack, the victim is consistently bombarded with phone calls attempting to connect to the internet.
Having very little to defend against this attack, most are forced into changing their phone numbers
(land line, cell phone, etc.).
Key loggers
Encryption software within the victims’ units can deter most bots from harvesting any real
information. Unfortunately, some bots have adapted to this by installing a keylogger program in
the infected machines. With a key logger program, the bot owner can use a filtering program to
gather only the key sequence typed before or after interesting keywords like PayPal or Yahoo
mail. This is one of the reasons behind the massive PayPal accounts theft for the past several
years.
Bots can also be used as agents for mass identity theft. It does this through phishing or
pretending to be a legitimate company in order to convince the user to submit personal information
and passwords. A link in these phishing emails can also lead to fake PayPal, eBay or other
websites to trick the user into typing in the username and password.
Botnet Spread: Botnets can also be used to spread other botnets in the network. They do
this by convincing the user to download a program, after which it is executed; delivery is through FTP,
HTTP or email.
Botnets can be used for financial gain by automating clicks on a pay-per-click system.
Compromised units can be used to click automatically on a site upon activation of a browser.
For this reason, botnets are also used to earn money from Google’s Adsense and other affiliate
programs by using zombies to artificially increase the click counter of an advertisement.
10.3.4. Countermeasures
1. Avoid clicking any suspicious links, not even the ones received from friends, family or
social network contacts. Their accounts might have been compromised, so it is safer to be
patient and ask them what it is about before rushing to click on the links.
3. Avoid downloading bogus antivirus software. Avoid online ads telling you that your
computer is infected; these are malware in disguise.
4. Check for updates and do a full, in-depth scan with the antivirus. Sometimes a bot’s
code will deactivate your antivirus.
5. Ensure the firewall is on and set to the maximum security level; this requires all
applications seeking internet access to notify you, enabling you to track incoming and
outgoing traffic.
6. Check for updates to the browser and other software such as Adobe Flash, Adobe Reader
and Java. These are the most vulnerable programs, and also the most exploited by cyber
criminals to recruit computers into botnets.
Summary
· A rootkit allows someone to maintain command and control over a computer without
the computer user/owner knowing about it.
· Types of rootkit include Kernel rootkit, Firmware rootkit, Application rootkit, Memory
rootkit, Bootkit rootkit, Persistent rootkit, Library rootkits
LESSON - 11
SPAM
Learning Objectives
Spam
Spammers
Motivation of spammers
Impact of Spam
Spam Statistics
Spam Filters
Spam Score
SPIM
SPIT
Structure
11. Spam
11.1. Spammers
11.7. SPIM
11.8. Spimmers
11.9. SPIT
11. Spam
Spam messages are the unsolicited commercial mail that fills the inbox. These messages
are unsolicited emails constantly peddling various products and services, for example: earn
easy money, lose weight in 21 days, online casinos, free iPods.
The first spam message was the “Green Card” spam sent in 1994 to Usenet groups. This
was sent by a group of lawyers (Canter and Siegel) trying to drum up business. With that the
Pandora’s Box was opened.
What is spam?
· Urban legends
· Quack health products, remedies and online pharmacies
· Phishing links to pornographic sites
11.1 Spammers
Spammers are unscrupulous individuals or groups of individuals who send unsolicited bulk
email to victims. Sometimes spammers also turn computers into zombies using automated
software programs that send bulk email. Spammers could be individuals, malicious gangs or
e-marketers organized into spamming networks.
· E-marketing: to sell various unsolicited products and services through the internet.
· Online fraud: pyramid schemes, and soliciting personal information such as credit card
numbers, phone numbers and bank account numbers in order to defraud the recipient of
his money.
· Malicious intent: to disable the recipient’s email account or server by sending bulk
email messages that paralyse the bandwidth and inbox.
· Bulk mailing of news, information and chain letters.
· The spreading of viruses over the internet is attributed to spam messages. When an
unsuspecting victim opens an email along with its attachment, the virus activates and
unleashes its destructive abilities, harming the computer or network. It also reads the
contact information and mass-mails itself to the contacts in the address book. Recovery
requires a lot of effort, time and money. Loss of critical data runs into billions of
dollars, and the cost of cleaning up viruses and retrieving critical information is high.
· Spam mails contain undesirable and objectionable content that is not advisable for
the young.
· Advertisements for contraband goods, pirated software and illegal activities are impacts
of spam mails. They aim at conning the victims out of their money and their private or
privileged information.
· Most ISPs have to invest heavily in spam filters on a day-to-day basis, leading to a
huge monetary loss of resources and necessitating the deployment of technical personnel
for 24/7 surveillance.
· Anti-spam filters are used to protect the inbox from spam messages, and they are
costly.
Spammers get to know email account information through any one of several modes, such
as breached email IDs, harvesting software, online groups, Usenet, cookies, chat rooms, IRC,
cold calling, online profiles, or hacking the email ID through viruses, worms and Trojans.
Figure 11.1 illustrates the modes through which spammers get the email IDs of victims.
The statistics show the global email spam rate from 2012 to 2017. In the most recently
observed period, spam accounted for 55% of all email messages, the same as during the
previous year (Fig. 11.2 & 11.3).
Figure 11.3 Percentage of email traffic from January 2014 to September 2017
Each attribute of a message is given a numerical value based on the likelihood that the
attribute indicates spam. The resulting value is the spam score for the message. This score
is then tested against a sensitivity threshold set by the individual’s spam filter, and the
message is thus categorized as spam or valid email. Table 11.1 represents spam scores and
their ratings. The ratings range from 5 to 15 for low, medium and high likelihood of being spam.
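An added example (not code from the lesson or from any real spam filter) that implements the scoring described above in Python: each attribute carries a weight, the weights of the attributes that match are summed into the spam score, and the score is tested against the user's threshold. The rules, their weights, the low/medium/high cut-offs and the two sample messages are assumptions constructed for illustration.

```python
"""Rule-based spam scoring, as the lesson describes it: each attribute of a
message contributes a weight reflecting how strongly it indicates spam, the
weights are summed into the message's spam score, and the score is tested
against the user's threshold.  Rules, weights, band cut-offs and the sample
messages are constructed for illustration, not taken from a real filter."""
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    in_address_book: bool


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.I) is not None


# (rule name, weight, predicate).  Weights are assumed values.
RULES = [
    ("subject_all_caps", 3,
     lambda m: m.subject.isupper() and len(m.subject) > 4),
    ("money_or_diet_pitch", 4,
     lambda m: _has(r"\b(easy money|lose weight|casino|free ipod|pre-approved)\b", m.body)),
    ("many_exclamations", 2, lambda m: m.body.count("!") >= 3),
    ("link_present", 2, lambda m: _has(r"https?://", m.body)),
    ("asks_for_credentials", 5,
     lambda m: _has(r"\b(password|pin|bank account|credit card)\b", m.body)),
    ("unknown_sender", 3, lambda m: not m.in_address_book),
    ("freemail_with_digits", 1,
     lambda m: re.match(r"^[a-z]+\d{3,}@", m.sender, re.I) is not None),
]


def spam_score(msg: Message):
    """Return (score, names of the rules that fired)."""
    score, hits = 0, []
    for name, weight, predicate in RULES:
        if predicate(msg):
            score += weight
            hits.append(name)
    return score, hits


def rate(score: int) -> str:
    """Map a score to the low/medium/high bands the lesson mentions.
    The lesson gives a 5-to-15 range; the exact cut-offs here are assumed."""
    if score < 5:
        return "valid"
    if score < 10:
        return "low"
    if score < 15:
        return "medium"
    return "high"


def classify(msg: Message, threshold: int = 5) -> dict:
    """Score the message and test it against the user's sensitivity threshold."""
    score, hits = spam_score(msg)
    return {"score": score, "rating": rate(score),
            "spam": score >= threshold, "hits": hits}


# Constructed sample messages (example.net/.org/.invalid are reserved names).
SPAM = Message(
    sender="winner4821@example.net",
    subject="LOSE WEIGHT IN 21 DAYS",
    body=("Earn easy money and lose weight in 21 days!!! Click "
          "http://example.invalid/now and confirm your credit card."),
    in_address_book=False)
HAM = Message(
    sender="priya@example.org",
    subject="Minutes from today's meeting",
    body="Hi, attached are the minutes. Let me know if I missed anything.",
    in_address_book=True)

if __name__ == "__main__":
    for label, msg in (("spam sample", SPAM), ("legitimate sample", HAM)):
        print(label, classify(msg))
```

Lowering `threshold` makes the filter more sensitive, which is exactly the trade-off a per-user sensitivity setting exposes: more spam caught, more valid mail at risk.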
11.7 SPIM
SPIM is short for spam over instant messaging. It is a type of spam that targets instant
messaging. It is delivered through instant messaging system instead of through email messaging.
11.8 Spimmers
Spimmers are individuals or organized networks of individuals who indulge in spimming.
Their motive is financial gain. Instant messaging services such as MSN Messenger, AIM, ICQ
and Yahoo! Messenger are all targets. Users of different public IM systems who use public
profiles are quite likely to receive unsolicited advertising messages from spimmers. Spim
messages usually trick users with a hyperlink that drives them to the spimmer’s website. Since
spim bypasses anti-virus software and firewalls, it can easily spread viruses and malware.
Spim is perpetrated by bots that harvest IM user names and use IM as the medium of
communication. A bot simulates a human user by sending spam via an instant message. Bots
are robotic, automatic programs that simulate human users and send spam messages to a
pre-determined set of IM user names, which are generated randomly or harvested from the
internet.
Summary
· Spam messages are unsolicited messages that fill the inbox.
· Examples of spam messages include, but are not limited to, bulk emailing,
advertisements (online casinos, gambling and astrology), online social clubs (e.g.
dating, matrimony, classmates databases), chain letters with forwarding requests,
pyramid schemes, multilevel marketing (MLM) schemes, get-rich-quick and make-money-fast
offers, pre-approved loans, credit cards, credit reports, insurance, stock offerings for
unknown start-up ventures, online job rackets, sale of pirated software at cheap prices,
urban legends, quack health products, remedies and online pharmacies, and phishing links
to pornographic sites.
· Motivations for spammers include, but are not restricted to, e-marketing, online fraud,
malicious intent and chain letters.
· The impact of spam: it clogs the inbox and fills up mail storage space, clogs bandwidth,
slows down transmission (reducing the availability component of the information security
triad) and causes denial of service; the recipient is constrained to spend valuable time and
energy on unproductive tasks.
· A spam filter is a program used to detect unsolicited and unwanted email and prevent
those messages from reaching a user’s inbox.
· A spam score is a numerical value associated with a message, based on the likelihood
that its attributes indicate spam.
2. ................................................................, ..........................................................,
.....................................are examples of spam messages.
5. Impact of spam ............................. the inbox and fills up the mail storage space,
clogs bandwidth, slows down transmission by reducing the availability component
of information security triad and causes.
8. A ............... is a program that is used to detect unsolicited and unwanted email and
prevent those messages from getting to a user’s inbox.
9. ................................. has some numerical value associated with it, based on the
likelihood that the attribute is a spam.
LESSON - 12
SCAMS
Learning Objectives
o Definition of Scams
o SCAM statistics
Structure
12.1 Scam
12.2.5. Investments
12.2.10. Cryptojacking
12.4. Summary
12.1. Scams
A scam is a dishonest scheme or fraud committed with the aim of swindling money. It is
an illegal trick, usually with the purpose of stealing money from people or evading tax. It may
also be defined as a fraudulent or deceptive act or operation. The internet is littered with scams
such as pop-up ads or email spam ads.
o Identity theft: A type of fraud in which the scammer steals a victim’s identity in order to
steal money or gain other benefits.
o Phishing: This type of scam attempts to trick victims into revealing personal
information such as bank account numbers, PINs, passwords and credit card numbers
by redirecting them to fake websites.
· False billing: False billing scams ask victims and their businesses to pay fake invoices
for directory listings, advertising, domain name renewals or office supplies that were
never ordered.
· Health & medical products: Health and medical product scams sell victims healthcare
products at very low prices, making false promises about cure-all products, medicines
and treatments.
· Psychic and clairvoyant scams: Psychic or clairvoyant scams are designed to trick
victims into giving away their money, usually by offering ‘help’ in exchange for a fee.
Scammers impersonate genuine charities and ask for donations, or contact victims claiming
to collect money after natural disasters or major events. Fake charity scams take advantage of
victims’ generosity and compassion for others in need. Scammers steal victims’ money by posing
as a genuine charity, which also diverts much-needed donations away from genuine charities.
Scammers either pretend to be agents of legitimate charities or create their own charity name.
Quite often the scammers take advantage of a real natural disaster or emergency such as a flood,
cyclone, earthquake, tsunami or fire. They also play on emotions by claiming to help children
who are ill.
Scammers take advantage of people looking for romantic partners, often via dating
websites, apps or social media, by pretending to be prospective companions. They play on
emotional triggers to get victims to provide money, gifts or personal details. Scammers typically
create fake online profiles to lure victims, using fictional names or the false identity of real,
trusted people such as military personnel, aid workers or professionals, and express strong,
emotionally convincing messages over a short period of time through a private channel such as
phone, email or instant messaging.
12.2.5. Investments
Betting & sports investment scams: Scammers convince their victims to invest in foolproof
systems and software that can guarantee a profit from betting on sports events and investments.
The scammer will try to sell prediction software promising to accurately predict the results
of sporting events such as cricket, football and horse racing. Software that predicts horse
racing, for instance, claims to base its predictions on weather conditions, the state of the horse,
the draw or the condition of the jockey. The scammers will try to convince their victims to
join “betting syndicates”. Victims are made to pay a huge sum to join and to open a sports
betting account. Syndicate members are usually promised a huge profit.
Investment scams: The scammers drive their victims to invest money with the false promise
of a questionable financial opportunity. The scammers target small business operators,
professionals and retired persons with funds to invest, and operate through business mail, phone
calls or letters. The scammer will use technical or financial terms to make the investment appear
legitimate, such as:
o Sports arbitrage
o Sports betting,
o Sports wagering
o Sports tipping
o Sports trading
Figure 12.1 illustrates the latest sports scam, spear-phishing attacks that occurred
globally.
· Pyramid schemes: Pyramid schemes are illegal and very risky, and can end up costing
the victims a lot of money. The operation is pitched as “get-rich-quick”. In a pyramid
scheme the victims have to pay money to join. The scheme relies on convincing the
victims that they will make a profit, but to do so they need to recruit new members
endlessly. Pyramid scheme promoters disguise their true purpose by introducing products
that are overpriced, of poor quality, difficult to sell or of little value. The scammers pocket
the fees and other payments made by those who join the scheme. It is against the law to
promote or participate in a pyramid scheme.
o Ransomware: A malicious program that encrypts systems, files and other critical
information. It demands payment to unlock the computer or files.
o Threats to life, arrest or other: In this type of scam, the scammers pressure the
victims to pay a large sum of money if they do not cooperate. Infected computers display
messages convincingly threatening the victims into paying the ransom. The message
carries the following information:
“If you pay the ransom, we give you the key to unlock your computer”. However, there is
no guarantee that the victim’s computer will be unlocked even after paying the ransom.
(source: https://www.scamwatch.gov.au/types-of-scams/unexpected-money)
Hitman scam: This is an example of a life-threat scam. The scammer sends a threatening
message to scare individual victims and demands money.
These scams offer the victims the false promise of an inheritance, tricking them into parting
with money or sharing their bank or credit card details. The scammer contacts the victim by
phone, email or social networking sites, stating that the victim can claim a large inheritance
from a distant relative or a wealthy benefactor. Generally the scammers pose as foreign
officials, bankers, auditors or lawyers, claiming that the deceased left no other beneficiaries.
The scammers may further state that the victims are legally entitled to claim the inheritance.
· Nigerian scam
Nigerian scams involve someone overseas offering a large sum of money or a payment
on condition that the victim helps them transfer money out of their country. While these
scams originated in Nigeria, they now come from all over the world. The scammer will claim
that a large amount of their money is trapped in banks during civil wars, often in countries
currently in the news, or they may claim a large inheritance that is difficult to access because
of restrictions or taxes in their country. If the victim responds to such a letter, the scammer
will offer a huge sum of money as bait. These scams are also known as Nigerian 419/
Overpayment scams. The number “419” refers to the section in Nigerian law regarding con
artistry and fraud, and is associated with requests for help facilitating the transfer of money. The
sender of the “419” letter or email offers the recipient a commission or share in the profits of a
transfer of money, but will first request that the recipient send money to pay for some of the
costs associated with the transfer. The recipient may be sent a payment and instructed to keep
a portion of it, but send the rest on to another individual or business.
Rebate scams
Rebate scams try to convince victims that they are entitled to a rebate or reimbursement
from the government, a bank or a trusted organisation.
The scammer approaches the victims with a false claim that they are entitled to a
reimbursement or rebate, such as for overpaid taxes, bank fees or some sort of compensation.
The contact may come by mail, telephone, email, text message or social media. They will
pretend to be from the government, a bank or a trusted organisation, and will ask the victims to
make a small initial payment to cover ‘administration fees’ or taxes in order to claim the amount
owed. Victims who respond to this kind of email and hand over money to the scammers are
sure to lose it and will not receive any rebate. If the victims provide their credit card or
banking details, they may find that more is taken out than expected.
Unexpected winnings
· Scratchie scams
Scratchie scams take the form of fake scratchie cards that promise some sort of prize, on
the condition that the ‘winner’ pays a collection fee. Scratchie cards are sometimes used in
promotions, lotteries or competitions, beckoning users to ‘scratch and win an instant prize’, for
example travel or holidays. While some scratchie cards may represent legitimate lotteries or
competitions, you should be extremely suspicious of any scratchie card that requires a payment
to claim a prize. Scratchie scams offer victims an instant prize, but when the victims contact
the trader to claim it, they are asked to pay various ‘fees’ via wire transfer or preloaded
money card. The scammer may request bank details and photo identification. In some rare
cases the victims may be asked to travel overseas to collect their prize.
It is advised not to respond to these letters, as any money sent via wire transfer will
be lost and you will not receive any prize money. Do not send any personal
information, as it could be used in identity theft scams.
Victims generally think they are big winners, but scammers will ask them for thousands
to claim a prize that never arrives.
The up-front payment requested can be as high as a few thousand dollars. If the victims
pay, there is no certainty that they will receive the prize, and they will never see their money
again. If the victims provide their personal details, these may be used for further fraudulent
activity such as identity theft.
Travel prize scams are attempts to trick victims into parting with their money to claim
a ‘reward’ such as a free or discounted holiday.
Unexpected prize and lottery scams work by asking victims to pay some sort of fee in
order to claim their prize or winnings from a competition or lottery they never entered. In a
lottery promotion scam the victims receive an email claiming that they have won a lottery and
are asked for personal details. The victims may also be asked to pay charges to release the
funds, such as a money release fee, processing fee or currency exchange fee. Individuals are
advised not to be victimised by replying to such mails, which are on the lookout for personal details.
RBI Scam
Sometimes the messages are sent as an attachment stating that the RBI governor is asking
the victims to furnish their details, as represented in Figure 12.7; this is known as the RBI scam.
Cryptojacking scams have continued to evolve, and they don’t even need you to install
anything. Scammers can use malicious code embedded in a website or an ad to infect your
device. The malicious code then uses the device’s processor without the victim’s knowledge. One
might make an unlucky visit to a website that uses cryptojacking code, click a link in a phishing
email, or mistype a web address. Any of those could lead to cryptojacking. While the scammer
cashes out, the victim’s device may slow down, burn through battery power, or crash. A
cryptocurrency mining bot called “Digimine” spreads via Facebook Messenger on the desktop
version of Google Chrome. South Korea was the first region where the security firm spotted
Digimine, followed by Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela.
The same is illustrated in Figure 12.8.
Figure 12.10: Amount lost gender-wise, delivery method and type of scams
(source: https://www.scamwatch.gov.au/types-of-scams)
Summary
Advanced Fee: In advance fee schemes, the perpetrator informs a victim that the victim
has qualified for a large financial loan or has won a large financial award, but must first pay the
perpetrator taxes or fees in order to access the loan or award. The victim pays the advance fee,
but never receives the promised money.
Auction: A fraudulent transaction or exchange that occurs in the context of an online
auction site.
Business Email
Charity: Perpetrators set up false charities, usually following natural disasters, and profit
from individuals who believe they are making donations to legitimate charitable organizations.
Civil Matter: Civil lawsuits are any disputes formally submitted to a court that is not criminal.
Corporate Data Breach: A leak or spill of business data that is released from a secure
location to an untrusted environment. It may also refer to a data breach within a corporation or
business where sensitive, protected, or confidential data is copied, transmitted, viewed, stolen
or used by an individual unauthorized to do so.
Credit Card: Credit card fraud is a wide-ranging term for fraud committed using a credit
card or any similar payment mechanism as a fraudulent source of funds in a transaction.
Crimes Against Children: Anything related to the exploitation of children, including child
abuse.
Criminal Forums: A medium where criminals exchange ideas and protocols relating to
intrusion.
Employment: An individual believes they are legitimately employed, and loses money or
launders money/items during the course of their employment.
Gambling: Online gambling, also known as Internet gambling and iGambling, is a general
term for gambling using the Internet.
Health Care Related: A scheme attempting to defraud private or government health care
programs, usually involving health care providers, companies, or individuals. Schemes may
include offers for fake insurance cards, health insurance marketplace assistance, stolen health
information, or may involve medications, supplements, weight loss products, or diversion/pill
mill practices. These scams are often initiated through spam email, Internet advertisements,
links in forums or social media, and fraudulent websites.
IPR/Copyright and Counterfeit: The theft and illegal use of others’ ideas, inventions,
and creative expressions, to include everything from trade secrets and proprietary products to
parts to movies, music, and software.
4. Scammers take advantage of people looking for …………………….., often via dating
websites, apps or social media by pretending to be prospective companions.
References
1. https://heimdalsecurity.com/blog/top-online-scams/
2. https://www.scamwatch.gov.au/types-of-scams
3. https://www.scamnet.wa.gov.au/scamnet/Scam_types-Unexpected_winnings-
Scratchie_scams-Tunes_Travelling_scratchie_scam.htm
4. https://fossbytes.com/cryptojacking-bot-digimine-google-chrome-desktop/
LESSON - 13
MALWARE, SPYWARE AND RANSOMWARE
Learning Objectives
· Malware
· Anatomy of Stuxnet
· Anatomy of wannacry
o External Reconnaissance
o Internal Reconnaissance
o Target Manipulation
· Mobile Malware
· Spyware
· Adware
· Ransomware
o Encrypting Ransomware
o Locker Ransomware
o Crypto Ransomware
o Notable Ransomware
Structure
13. Malware
13.6. Spyware
13.7. Adware
13.8. Ransomware
13. Malware
Malware is any software intentionally designed to cause damage to a computer, server
or computer network. Malware is short for malicious software, meaning software that can be
used to compromise computer functions, steal data, bypass access controls, or otherwise cause
harm to the host computer. Malware is a broad term that refers to a variety of malicious programs
such as viruses, worms, Trojan horses, adware, spyware, bots, bugs and rootkits.
Sony BMG sold CDs containing the Sony rootkit, a Trojan horse embedded in the discs that
silently installed and concealed itself on purchasers’ computers with the intention of preventing
illicit copying. It also reported on users’ listening habits, and unintentionally created vulnerabilities
that were then exploited by unrelated malware. Sony BMG partially addressed the scandal with
consumer settlements, a recall of about 10% of the affected CDs, and the suspension of its CD
copy protection efforts in early 2007.
Malware does the damage after it is implanted or introduced in some way into a target’s
computer and can take the form of executable code, scripts, active content, and other
software. The code is described as computer viruses, worms, Trojan horses, ransomware,
spyware, adware, and scareware, among other terms. Malware has a malicious intent, acting
against the interest of the computer user—and so does not include software that causes
unintentional harm due to some vulnerability, which is typically described as a software bug.
Malware is used by both black hat hackers and governments, to steal personal, financial,
or business information. Malware is sometimes used broadly against government or corporate
websites to steal confidential information, or to disrupt their operation in general. However,
malware can be used against individuals to gain information such as personal identification
numbers or details, bank or credit card numbers, and passwords. Malware by categories is
illustrated in Figure 13.1.
when they created a game called “Core Wars.” In the game, programmers would unleash
software “organisms” that competed for control of the computer.
The earliest documented viruses began to appear in the early 1970s. Historians often
credit the “Creeper Worm,” an experimental self-replicating program written by Bob Thomas at
BBN Technologies, as the first virus. Creeper gained access via the ARPANET and copied itself to
remote systems, where it displayed the message: “I’m the creeper, catch me if you can!”
The term “virus” however, wasn’t introduced until the mid-eighties. Fred Cohen, often
considered the father of what we know today as a computer virus, coined the term in 1986. He
defined a “virus” in a single sentence as: “A program that can infect other programs by modifying
them to include a, possibly evolved, version of it.”
From these simple and benign beginnings, a massive and diabolical industry was born.
Today, according to The Anti-Phishing Workgroup, malware has infected one-third of the world’s
computers. The consequences are staggering. Cybersecurity Ventures reports that losses due
to cybercrime, including malware, are anticipated to hit $6 trillion annually by 2021.
Here are some notable varieties of malware that have had a major impact between 2010
and today.
2010 – Stuxnet Worm: Shortly after its release, security analysts openly speculated that
this malicious code was designed with the express purpose of attacking Iran’s nuclear program
and included the ability to impact hardware as well as software. The incredibly sophisticated
worm is believed to be the work of an entire team of developers, making it one of the most
resource-intensive bits of malware created to date.
2011 – Zeus Trojan: Although first detected in 2007, the author of the Zeus Trojan
released the source code to the public in 2011, giving the malware new life. Sometimes called
Zbot, this Trojan has become one of the most successful pieces of botnet software in the world,
impacting millions of machines. It is often used to steal banking information by man-in-the-
browser keystroke logging and form grabbing.
2016 – Cerber: One of the heavy-hitters in the ransomware sphere. It’s also one of the
most prolific crypto-malware threats. At one point, Microsoft found more enterprise PCs infected
with Cerber than any other ransomware family.
Stuxnet targeted Iranian centrifuges. First, it attacked Microsoft Windows systems and
networks, repeatedly replicating itself and unpacking an LNK file with an executable program;
it attempted to replicate and spread across local networks. Next, it searched for a specific type
of Programmable Logic Controller (PLC) running Siemens Step7 software, an industrial control
system made by the German conglomerate Siemens. If it did not encounter Step7 software, Stuxnet
would remain dormant without harming the computer. Step7 software is used to program logic
controllers, which automate industrial processes ranging from motor vehicle and industrial
assembly to centrifuges for nuclear energy. Upon encountering Step7 software, Stuxnet
attempted to access the internet to download a newer version of itself, and it was also able to
evade detection by using SSL certificates stolen from valid signed sources. SSL certificates are
used to digitally bind a cryptographic key to a known identity or organization as a form of
authentication. Stuxnet activated its payload only under specific circumstances, which suggests
its creators had access to accurate and sensitive intelligence. The Iranian centrifuges at Natanz
were controlled by PC logic controllers that communicated with processors which routed the
commands to the machines. Frequency converters ensured that the centrifuges spun at the
correct speed and fed log data back to the router. In order for Stuxnet to execute, the targeted
computer had to be connected to an S7-315 Siemens PLC. Each of its six network modules had
to be connected to at least 31 frequency converters, for a total of 155 converters. The design of
the Natanz cascade controlled 160 converters, and the creators of the Stuxnet virus must have
known this condition.
Next, the virus lay dormant inside the system for 13 days to ensure that the motors were
running as normal, between 807Hz and 1210Hz, and collected this log data. After that period
elapsed, Stuxnet raised the spin rate to 1410Hz for 15 minutes, then slept for 27 days. This
caused damage to the centrifuges: 1380Hz is a resonance frequency for the centrifuge
enrichment tubes that can cause the tubes to shatter. After that, it slowed the spin rate to 2Hz
for 50 minutes, slept for 27 days, and repeated this whole process in a loop. In order to evade
detection, Stuxnet replayed the log files collected during the 13 days of normal activity, sending
them back to the system to create the false impression that nothing was amiss.
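An added monitoring example, not from the lesson or from any real plant software, that turns the two behaviours just described into checks a defender could run over converter log data: a spin rate driven outside the normal band, and earlier "normal" readings replayed to the monitoring system to mask it. The 807-1210 Hz band is taken from the text; the cross-channel tolerance, the window size and every log sample are constructed assumptions.

```python
"""Two checks a plant monitor could run on centrifuge frequency-converter logs,
based on the behaviour the lesson describes: (1) spin rates driven outside the
normal band and (2) a replay of earlier 'normal' log data sent back to the
monitoring system to mask an excursion.  The 807-1210 Hz band comes from the
lesson; the tolerance, window size and all log samples are constructed."""

NORMAL_LOW_HZ, NORMAL_HIGH_HZ = 807.0, 1210.0   # normal spin band (lesson)
TOLERANCE_HZ = 20.0                              # assumed cross-channel tolerance


def band_violations(samples):
    """samples: list of (t, hz).  Return the times at which hz leaves the band."""
    return [t for t, hz in samples if not NORMAL_LOW_HZ <= hz <= NORMAL_HIGH_HZ]


def channel_disagreements(reported, independent, tol=TOLERANCE_HZ):
    """Compare the PLC-reported speed with an independent sensor (e.g. a
    vibration or power-draw channel the PLC cannot rewrite).  A replayed
    log looks normal on its own; it only stands out against a second source."""
    return [t for (t, r), (_, s) in zip(reported, independent) if abs(r - s) > tol]


def repeated_sequences(samples, window=3):
    """Flag a window of readings that exactly repeats an earlier, non-overlapping
    window.  Real spin data drifts; an exact repeat suggests stored logs being
    replayed.  Returns (earlier_index, later_index) pairs."""
    seen, flags = {}, []
    for i in range(len(samples) - window + 1):
        key = tuple(hz for _, hz in samples[i:i + window])
        first = seen.get(key)
        if first is not None and first + window <= i:
            flags.append((first, i))
        else:
            seen.setdefault(key, i)
    return flags


def constructed_logs():
    """Samples 0-5: genuine normal running, both channels agree.
    Samples 6-8: the attack; the PLC replays samples 0-2 while the
    independent sensor sees the 1410 Hz excursion the lesson describes."""
    normal = [(t, 900.0 + 7.0 * t) for t in range(6)]          # 900 ... 935 Hz
    reported = normal + [(6, 900.0), (7, 907.0), (8, 914.0)]   # replayed
    independent = normal + [(6, 1410.0), (7, 1410.0), (8, 1410.0)]
    return reported, independent


def analyse(reported, independent):
    """Run all three checks; any non-empty finding merits investigation."""
    return {
        "reported_out_of_band": band_violations(reported),
        "sensor_out_of_band": band_violations(independent),
        "channel_disagreement": channel_disagreements(reported, independent),
        "replayed_windows": repeated_sequences(reported),
    }


if __name__ == "__main__":
    rep, ind = constructed_logs()
    for check, finding in analyse(rep, ind).items():
        print(f"{check}: {finding}")
```

Note that the PLC-reported channel alone passes the band check; the replay is caught only by the independent sensor and by the exact-repeat test, which is the point of monitoring a source the compromised controller cannot rewrite.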
In the end, Stuxnet was able to successfully penetrate the Natanz nuclear enrichment
plant and evade detection for over a year. The Institute for Science and International Security
states that “It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about
1,000 IR-1 centrifuges out of about 9,000 deployed at the site.”(ISIS 2010) Stuxnet provides an
interesting case study on the impact of computer security in cyberterror and international relations,
and perhaps serves as a call for greater investment in security research and infrastructure.
The first known cellphone virus was called Cabir and was detected in June 2004 by
Kaspersky Labs. The Cabir worm was coded to infect Symbian OS cellphones. Cabir was
designed to scan for all accessible phones using Bluetooth technology and send a copy of
itself to the first one found. Setting a phone to non-discoverable (hidden) Bluetooth mode
protects it from the Cabir worm. But once a phone is infected, it will try to infect other
systems even after Bluetooth is disabled in the system settings. In 2005 Cabir’s source
code became widely available on the Internet.
A type of cellphone virus that became known as Mosquito was distributed as part of a
downloadable game. It makes mobile phones send text messages to premium-rate numbers
without the user’s approval or knowledge.
Timofonica
Timofonica (often misspelled Timifonica) belonged to the first generation of mobile-related
viruses in 2000. It was a Visual Basic Script (VBS) e-mail chain letter that delivered text
messages of up to 160 characters to random mobile phones in Europe, according to PCWorld.
The virus did not steal data or destroy files; it was simply a nuisance.
SymbOS.Skulls
This Trojan targets the Symbian OS. Posing as a theme package, SymbOS.Skulls overwrites
system application files and replaces the application icons with skull images, leaving most of
the phone’s applications unusable. It was discovered in 2004, according to a Symantec security
report.
Zitmo
Mobile banking is targeted too. The Zitmo (“Zeus in the mobile”) Trojan works together with
the PC-based Zeus malware to defeat SMS-based bank authentication: it intercepts the one-time
codes the bank sends to the victim’s phone. The Trojan targeted Blackberry and Symbian devices.
Plankton
In June 2011 Google had to pull about 10 applications from the official Android Market
because they carried malware called Plankton. Plankton hid in apps posing as add-ons to
Angry Birds; once on the device it stole browser data and could contact a remote server to
download further malicious components.
Ikee
Jailbroken iPhones (iPhones modified to run software not authorised by Apple) were hit in
2009 by Ikee, a worm that changed the wallpaper to a picture of 1980s pop singer Rick Astley,
a prank in the style of the “Rickrolling” phenomenon on YouTube. It spread by logging in over
SSH with the default root password that jailbreaking leaves in place on phones where the user
has not changed it. The worm was allegedly written by an out-of-work programmer who admitted
he was “a little naive” about the resulting response.
DroidDream
This malware, discovered in March 2011, was packaged inside otherwise legitimate-looking
applications in the official Android Market published under the developer names “Kingmall2010”,
“we20090202” and “Myournet”. It used root exploits to take control of the device and sent
device and user information to a remote server. A new variant, DroidDreamLight, was discovered
in May 2011.
Android.Pjapps
HongTouTou
HongTouTou was discovered in February 2011 in repackaged (cracked) apps for smartphones
on Chinese websites, for example a pirated version of RoboDefense, a game for Android phones.
The Trojan appears designed to generate fake search-engine queries and clicks for the benefit
of its authors.
Geinimi
Android phones in China were hit in late 2010 by malicious code called Geinimi, which
spread through repackaged apps on third-party app markets, according to MobileCrunch. The
Trojan sends the user’s location and list of installed apps to a remote server and can download
further apps.
DroidKungFu
Rooting Malware
For the last few years, rooting malware has been the biggest threat to Android users.
These Trojans are hard to detect, boast an array of capabilities and are very popular with
cybercriminals. Their main goal is to show the victim as many ads as possible and to silently
install and launch the apps being advertised. In some cases the aggressive pop-up ads and
delays in executing user commands render the device unusable.
Rooting malware tries to gain super-user (root) rights by exploiting system vulnerabilities;
with root it can do almost anything. It installs its modules in system folders, which protects
them from removal. In some cases, Ztorg for example, even resetting the device to factory
settings does not get rid of the malware, because a factory reset wipes the user data partition
and not the system partition the malware lives in. This Trojan was also distributed via the
Google Play Store.
WAP Trojans
These Trojans work as follows: they receive a list of links from the command-and-control
(C&C) server, open them (usually unnoticed by the user) and ‘click’ page elements with a
specially crafted JavaScript file. In some cases the malware visits ordinary advertising pages,
so the money is stolen from advertisers rather than from the user; in other cases it visits pages
offering WAP-billing subscriptions, and the charges are taken from the user’s mobile account.
IoT
Although malware first took hold on PCs, today virtually anything with a microprocessor
is at risk. Researchers have demonstrated malware infecting hundreds of new classes of target,
including wearables (watches and fitness trackers), light bulbs, automobiles, water supply
systems and even airliners.
Moving from research to reality, criminals have already deployed malware against everything
from simple devices to complex industrial installations, including mobile phones, ATMs, security
cameras, TVs, e-cigarettes, vending machines and nuclear plants. Most wars involve a defined
set of countries and have a beginning and an end. Regrettably, the war with malware affects
everyone across the globe and has no end in sight.
In all probability most of the history of malware lies ahead of us, not behind us. We can
expect cybercrime to continue causing unprecedented damage to both private and public
enterprises.
Organizations that diligently deploy and keep current their anti-malware defences stand a
good chance of avoiding much of the damage that malware will inflict on the less prepared.
Ways of Spread
Drive-by download: The unintended download of software from the Internet. It refers either
to a download that happens without the user’s knowledge (for example through an exploit kit on
a compromised web page) or to a download the user authorises without understanding its
consequences.
Homogeneity: A setup where all systems run the same operating system and are connected
to the same network. One exploitable flaw then applies everywhere, so a worm that infects one
computer can easily spread to the others on that network.
0-day: A zero-day vulnerability is a flaw unknown to the vendor, for which no patch exists.
It is called zero-day because the vendor has had zero days to fix it before it is exploited.
Exploit: A threat made real through a successful attack on an existing vulnerability; also
the software written to trigger a particular vulnerability on a particular device.
Privilege escalation: A situation where an attacker who already has limited access obtains
higher rights (for example administrator or root) and thereby reaches data and functions that
should be restricted.
Evasion: Techniques malware authors use to avoid detection and analysis of their malware
by security systems and software.
Blended threat: A malware package that combines the characteristics of several malware
types (Trojans, worms, viruses) and seeks to exploit more than one vulnerability.
Important Terminologies
Botnet: A number of Internet-connected devices, each running one or more bots under a
common controller. Botnets are used for distributed denial-of-service attacks, sending spam
and stealing data.
Containment: The process of stopping the spread of malware and preventing further damage
to hosts.
Endpoint: Any user or server device that connects to the network (PC, laptop, phone, server).
Endpoint security protects these devices and can limit network access for devices that are not
in compliance with policy.
Payload: The part of the malware program that actually does the damage.
Signature: A pattern specific to a certain behaviour or to a specific item of malware, used
by detection tools to recognise it.
Tracks: Evidence of an intrusion into a system or network. Advanced malware can clean
folders, clear event logs and hide network traffic to cover its tracks.
Zombie: An Internet-connected computer that has been compromised by a hacker, virus or
Trojan horse and can be used to perform malicious tasks, typically as a member of a botnet.
Figure 13.4 illustrates the various malware threat vectors in the year 2017. Ad-click fraud
was the most common scam targeting users on the Google Play Store, and the global spike in
cryptomining malware began at about the same time as the spike in the Bitcoin price.
13.6. Spyware
Spyware is unauthorised software that spies on or gathers confidential information about
individuals or organizations and delivers it to attackers. It generally runs in the background,
monitoring browsing habits, capturing keystrokes typed on the keyboard and gathering information
from computers and networks. Spyware typically does not damage the computer or network; it
only monitors activity. What makes spyware malicious is primarily that it is installed without
direct consent.
One of the most common ways spyware gets onto a system is by installing software from
questionable sources. Many freeware and shareware applications and peer-to-peer file-sharing
programs install spyware in the background. Some disclose it, but only in a notice buried in the
End User License Agreement (EULA), and few users read a EULA in its entirety.
Morpheus
Morpheus was a peer-to-peer file-sharing and searching client for Microsoft Windows,
distributed by the company StreamCast. Morpheus neither shows nor references any license for
its own software, but it does show a Direct Revenue license agreement and installs Direct Revenue
software. At 4,492 words and 44 on-screen pages, Morpheus’s Direct Revenue license is the
shortest of the license agreements analysed in Edelman’s study (reference 2), yet reading it is
still burdensome: according to research by Human Factors International the average adult reads
250 to 300 words per minute, so this license would take 15 to 18 minutes to read in full.
Camouflaged spyware
Spyware installs itself in the background, leaving the user no indication that an installation
is taking place. The file name of the executable that actually runs the software is often disguised
to look like a harmless system file, for example svchost32.exe or msexplorer.exe, names chosen
to resemble the genuine Windows binaries svchost.exe and explorer.exe.
13.7. Adware
Adware (short for advertising-supported software) is a type of malware that automatically
delivers advertisements. Common examples include pop-up ads on websites and advertisements
displayed by software. Often software and applications offer “free” versions that come bundled
with adware. Most adware is sponsored or authored by advertisers and serves as a revenue-
generating tool. While some adware is solely designed to deliver advertisements, it is not
uncommon for adware to be bundled with spyware (see 13.6 above) that tracks user activity and
steals information. Because of spyware’s added capabilities, adware/spyware bundles are
significantly more dangerous than adware on its own.
Table 13.1 lists various adware families with their activity, the targets they exploit and the
vulnerability each exploits.
13.8. Ransomware
Ransomware is malware that blocks the victim’s access to his or her files or system, and
the only way offered to regain access is to pay a ransom.
13.8.2. Locker ransomware locks the victim out of the operating system, making it
impossible to reach the desktop and any apps or files. The files are not encrypted in this case,
but the attackers still demand a ransom to unlock the infected computer. Example: WinLocker.
Some locker versions go further and infect the Master Boot Record (MBR), the section of a
PC’s hard drive that starts the operating system. When MBR ransomware strikes, the boot
process cannot complete and a ransom note is displayed instead. Examples: the Satana and
Petya families.
13.8.3. Crypto-ransomware, also known as encryptors, encrypts the victim’s files and
withholds the key. It is the most widespread type, and the cyber security community broadly
agrees that it is the most prominent and worrisome cyber threat of the moment.
13.8.4. Notable ransomware events. In 2017 a massive ransomware attack hit a wide range
of sectors, including government, telecommunications and health care. WannaCry compromised
about 300,000 systems in over 150 countries; the most affected countries were Russia, China
and the UK. Its spread was halted by a “kill switch” in its code: the malware stops if a particular
hard-coded domain resolves, and a researcher registered that domain. Later malware such as
“Uiwix” does not have this kill switch.
Figure 13.7 illustrates the most prevalent ransomware between April and October 2017;
WannaCry and Cerber were by far the most active families.
13.8.5. Anatomy of WannaCry. WannaCry attacked its victims in two phases, followed by
command and control.
13.8.5.1. Phase I: External attack. A five-stage operation:
External reconnaissance: WannaCry searches for organizations with endpoints exposing
port 445 (SMB over IP) that are exploitable with EternalBlue, an exploit developed by the US
National Security Agency (NSA). EternalBlue was leaked by the Shadow Brokers hacker group
in 2017 and was used in the worldwide WannaCry attack.
Weaponization: Creation of the artifacts, namely the code to be injected into the SMB process
and the kill-switch mechanism.
Delivery and exploitation: Exploit the SMB vulnerability with EternalBlue, the tool stolen
from the NSA.
Installation: Inject the code into the SMB system process and become persistent by creating
an entry in the Windows Registry.
Command and control: Check the kill-switch domain and await further orders. Newer variants
have no kill switch.
13.8.5.2. Phase II: Internal attack.
Internal reconnaissance: Search the internal network for endpoints with port 445 open and
exploitable with EternalBlue.
Internal exploitation: Exploit the vulnerability with EternalBlue, inject code into the SMB
system process and persist by creating a Windows Registry entry.
· It disables booting into system recovery mode and hides the Recycle Bin.
· It kills processes that hold databases open (MySQL, SQL Server and Exchange) so that
those database files can be encrypted.
· It encrypts the files and directories of the system with AES, using a per-file key that is in
turn encrypted with the attackers’ RSA public key; the files can be decrypted only if the
matching RSA private key is available.
· When encryption finishes, it shows a dialog box to the user demanding a ransom.
Ransomware has some key characteristics that set it apart from other malware:
· It uses strong encryption, so the files cannot be decrypted without the attacker’s key. It
can encrypt all kinds of files, from documents to pictures, videos and audio files and
anything else that resides on a PC.
· It can scramble file names, so you cannot tell which data was affected. This is one of
the social engineering tricks used to confuse and coerce victims into paying the ransom;
· It displays an image or message telling you that your data has been encrypted and that
you must pay a specific sum of money to get it back;
· Ransom demands usually carry a time limit, adding another level of psychological
pressure to the extortion. Missing the deadline typically means the ransom increases,
but it can also mean the data is destroyed and lost forever.
· It often recruits the infected PCs into botnets so that criminals can expand their
infrastructure and fuel future attacks.
· It can spread to other PCs on the local network, causing further damage.
· It frequently includes data exfiltration, extracting data (usernames, passwords, e-mail
addresses, etc.) from the affected computer and sending it to a server controlled by the
criminals; encrypting files is not always the endgame.
· As families and variants multiply, organizations need at least baseline protection, above
all offline backups that the malware cannot reach, to avoid data loss.
· Encrypting ransomware is a complex and advanced threat that uses every available trick
because it earns criminals a huge amount of money.
Figure 13.9 illustrates the timeline of ransomware.
Summary
· Malware is any software intentionally designed to cause damage to a computer,
server or computer network.
Reference
1. https://www.floridatechonline.com/blog/information-technology/a-brief-history-of-cyber-crime/
2. http://www.benedelman.org/spyware/p2p/
3. https://heimdalsecurity.com/blog/what-is-ransomware-protection/#ransomwaredefinition
4. https://www.malwarefox.com/malware-types/
5. https://www.veracode.com/blog/2012/10/common-malware-types-cybersecurity-101
6. https://secure2.sophos.com/en-us/security-news-trends/whitepapers/gated-wp/exploits-intercepted.aspx
7. https://go.lastline.com/rs/373-AVL-445/images/Lastline_Intro_to_Advanced_Malware_WP.pdf
8. https://www.pandasecurity.com/mediacenter/news/whatsapp-coupon-scams/
9. https://securelist.com/mobile-malware-review-2017/84139/
10. https://en.wikipedia.org/wiki/Mobile_malware
11. https://heimdalsecurity.com/blog/what-is-ransomware-protection/#ransomwaredefinition
12. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-mobile-threat-report-2018.pdf
13. https://sophosnews.files.wordpress.com/2017/10/infographic-of-ransomware-stats.png
14. https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
15. https://www.pandasecurity.com/mediacenter/src/uploads/2017/05/WC-info_ckc-en.pdf
LESSON 14
CYBER FRAUDS - PART – I
TELECOM FRAUDS
After reading this lesson you will be able to understand the following:
· Frauds
· Fraud Triangle
Structure
14. Cyber Frauds
14.1. Fraud
14.1. Fraud
Fraud is wrongful or criminal deception intended to result in financial or personal gain. The
word also describes a person or thing intended to deceive others, typically by unjustifiably
claiming or being credited with accomplishments or qualities. In other words, it is an act or
course of deception, an intentional concealment, omission or perversion of truth, carried out to
gain something.
Fraud takes place when a person deliberately practises deception in order to gain something
unlawfully or unfairly. An act of fraud can be classified as either a civil or a criminal wrong. It is
committed for the purpose of deceiving another person or entity. According to the Association
of Certified Fraud Examiners, fraud is any intentional or deliberate act to deprive another of
property or money by guile, deception or any other unfair means. Fraud is the deliberate
misrepresentation of fact for the purpose of depriving victims of property. Examples include
2. Perceived opportunity
3. Rationalization
“Trusted persons become trust violators when they conceive of themselves as having a
financial problem which is non-shareable, are aware this problem can be secretly resolved by
violation of the position of financial trust, and are able to apply to their own conduct in that
situation verbalizations which enable them to adjust their conceptions of themselves as trusted
persons with their conceptions of themselves as users of the entrusted funds or property.”
Perceived pressure: The motivation behind the crime. It can be personal financial pressure
such as debt, or work pressure such as a shortfall in revenue. The individual sees the pressure
as unsolvable and as something that cannot be shared with others; gambling debt is a common
example of a perceived non-shareable financial problem.
Opportunity: The circumstances that allow fraud to occur, and the only one of the three
conditions over which the organization has complete control. Opportunities to commit fraud are
commonly present in organizations that have poor internal controls, or controls that management
can override. If internal control is designed so that the risk of getting caught is too high, the
employee is unlikely to exploit a perceived opportunity for personal gain. Without opportunity
fraud cannot happen.
Rationalization: The individual convinces himself or herself that the act is justified, and then
defrauds the organization. For a fraud to occur all three elements must be present, though they
may be present in varying degrees.
· Criminal greed
· Disgruntled employees
· Complexity in technology
· Money laundering
Telecommunication frauds may be broadly classified as technical and non-technical frauds.
Technical frauds may further be classified as external and internal frauds. Technical external
frauds are committed from outside the network by gaining unauthorised access to the network
systems, i.e. hacking. Examples include defeating the secret code, password or personal
identification number of STD locks and automatic telephone line isolators. Technical internal
frauds are committed by gaining access to the internal telecommunication network systems.
Internal fraud reveals a breakdown of internal controls; it is quite often committed by disgruntled
employees and generally happens where proper internal controls are lacking. Examples include,
but are not limited to, manipulation of the billing, charging, routing and subscriber databases.
Non-technical frauds are committed without accessing or interfering with the network system.
Examples include subscription fraud, clip fraud and call-forwarding fraud.
The history of fraud in the communication industry has two distinct lines. Fraud in traditional
fixed-line networks has been around for many decades, but it was fraud in the newer mobile
networks that got most of the initial attention. Today the problem of fraud is well understood by
all providers of communication services. As technology has evolved, network security has
improved, but ingenious attackers keep finding a way through. Fraudsters have gone high-tech,
and fraud techniques and types have continuously evolved, from simple tee-in (line tapping)
fraud to SIM cloning and tumbling in analog networks.
14.3.1.1. Phreaking
Switch hooking was the first phreaking method. Calls were placed without using the rotary
dial by pressing and releasing the switch hook rapidly to open and close the line, which produces
the same pulses the dial would and so bypasses a lock on the dial.
14.3.1.2. War dialing is a technique for automatically dialing a list of telephone numbers,
often every number in a local area code, to find modems, computers, bulletin board systems
and fax machines. The resulting lists serve various purposes: hobbyists use them for exploration,
and crackers (malicious hackers who specialize in breaching computer security) use them for
guessing user accounts (by capturing voicemail greetings) or locating modems that might
provide an entry point into computer or other electronic systems. Security staff also use war
dialing, for example to detect unauthorised devices such as modems or faxes on a company’s
telephone network.
14.3.1.3. Private Branch Exchange (PBX) fraud. A PBX is an internal telephone system that
routes calls within an enterprise. In this fraud the criminals break into the PBX and sell long-
distance calls to third parties around the world. Modern PBXs are software driven, with features
such as voice mail, a maintenance port and direct inward system access (DISA). Phreakers
use the administrator account to forward voice calls to unauthorised users and to change the
configuration and access codes of the maintenance port, disrupting the enterprise’s operations.
DISA lets remote users obtain an outside line through the PBX by entering an authorization
code; phreakers obtain that code (short or default codes can simply be guessed) and make
calls at the enterprise’s cost.
Internet bypass fraud is one of the most complex fraud types of recent times. Telecom
regulators and mobile operators face staggering revenue loss, since bypass fraud is proving to
be one of the most prolific and costly frauds. Gateway equipment (fixed, VoIP, GSM, CDMA,
VoIP-to-GSM and fixed-line gateways) is used to terminate international inbound calls to local
subscribers while diverting the traffic away from the licensed interconnect gateways. Operators
sending outbound international traffic connect to interconnect operators with lower rates, and
the terminating network operator loses the revenue. Bypass fraud is illegal because those who
undertake it are not licensed to provide telecommunication services, and it is sometimes also
treated as a national security threat.
A call that should take a legitimate route is bypassed, and revenue is lost. Rates for national
and international calls are generally fixed by a country’s regulator or by an operator or group of
operators. Bypass fraud flourishes in countries where the retail, national and international calling
rates differ; in some countries the international gateways are also monopolised by government
operators. Fraudsters exploit the rate difference, and the assured profit is the key motivation to
invest in the equipment and GSM connections needed for large-scale bypass fraud. In countries
where the margin between international and national termination charges is low, nil or negative,
bypass fraud either does not exist or is conducted on a very small scale. It is one of the latest
and most severe threats to a telecom operator’s revenue, and amounts to unauthorised
exploitation or manipulation of the operator’s network. This can happen in two ways:
Such rate differences give fraudsters the incentive to evade high-tariff interconnects and
deliver costly international calls illicitly. Fraudsters use VoIP-to-GSM (Voice over IP to Global
System for Mobile Communications) gateways, also called “SIM boxes”, which receive incoming
calls over a wired (Internet) connection and deliver them to the cellular voice network, so that
each call appears to be a local call from a customer’s phone. This practice degrades the network
experience for legitimate customers and violates telecommunication law in many countries, yet
it is extremely profitable for SIM boxers and causes significant revenue loss to operators.
several GSM gateways located in different places. The SIM box operator routes international
calls over a VoIP connection and completes them as local traffic, bypassing international rates
and often undercutting the prices charged by the local mobile network operator. The SIM box
connects VoIP calls to the GSM voice network; it does not use the data network.
A SIM box holds one or more SIM cards with which it connects VoIP calls to the GSM
network: it acts as a VoIP client whose audio input and output are wired to a mobile phone or a
set of cellular radios. Such devices have a legitimate market in private enterprise telephone
networks, where GSM gateways are used with the licensed provider’s permission to benefit from
the lower tariff for terminating a call. That is possible and legal only for domestic calls. The
equipment is illustrated in Figure 1. In SIM boxing, VoIP calls are connected to a local cellular
voice network through a collection of SIM cards and cellular radios. Normally an international
call would be received by the network service provider and charged at the international tariff.
In SIM boxing, the call bypasses the normal route and appears to the network provider to
originate from a customer’s phone, so it is delivered at the domestic rate instead of the
international rate. This harms the availability, reliability and quality of service for legitimate
consumers; it also creates network hotspots by injecting huge volumes of tunnelled calls, and
costs network operators revenue.
have only limited functionality, while others hold several SIM cards and support a variety of
audio codecs in a “SIM server”. Sometimes the radio interfaces place calls using “virtual SIM
cards” hosted on a server elsewhere, which defeats location-based fraud detection. Miscreants
exploit this to commit the fraud.
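Location is only one signal. The call detail records (CDRs) an operator already collects show the behavioural profile of a SIM box: a large volume of outgoing calls, almost no incoming calls, callees that rarely repeat, and a handset that never moves between cells. The following Go program is an added example of that profiling; it is not code from any operator or from the cited Reaves et al. work. The record layout, thresholds and the sample traffic are assumptions constructed for the illustration, and a real deployment would tune the thresholds against confirmed cases.

```go
package main

import (
	"fmt"
	"sort"
)

// CDR is one call detail record in the shape an operator's mediation
// platform produces. Every record used below is constructed for this example.
type CDR struct {
	IMSI      string // identity of the SIM on this operator's network
	Direction string // "MO" mobile-originated (outgoing), "MT" mobile-terminated (incoming)
	Peer      string // the other party's number
	CellID    string // serving cell when the call was set up
}

// Verdict is the per-SIM result: which SIM box indicators fired.
type Verdict struct {
	IMSI    string
	Reasons []string
	SIMBox  bool
}

// Thresholds are assumptions chosen for illustration.
const (
	minOutgoing      = 20   // fewer outgoing calls than this: not enough data to judge
	maxInboundRatio  = 0.05 // incoming/outgoing; a SIM box is almost never called
	minDistinctRatio = 0.80 // distinct callees/outgoing; nearly every call goes to a new number
	maxCells         = 1    // a SIM box is fixed, so it never hands over between cells
)

type profile struct {
	out, in int
	peers   map[string]bool
	cells   map[string]bool
}

// ScoreSIMs aggregates the CDRs per IMSI and applies the behavioural
// indicators. A SIM is flagged when it has enough outgoing volume and at
// least two of the three behavioural signals fire.
func ScoreSIMs(cdrs []CDR) []Verdict {
	profiles := map[string]*profile{}
	for _, c := range cdrs {
		p, ok := profiles[c.IMSI]
		if !ok {
			p = &profile{peers: map[string]bool{}, cells: map[string]bool{}}
			profiles[c.IMSI] = p
		}
		p.cells[c.CellID] = true
		if c.Direction == "MO" {
			p.out++
			p.peers[c.Peer] = true
		} else {
			p.in++
		}
	}
	verdicts := make([]Verdict, 0, len(profiles))
	for imsi, p := range profiles {
		v := Verdict{IMSI: imsi}
		if p.out >= minOutgoing {
			if float64(p.in)/float64(p.out) <= maxInboundRatio {
				v.Reasons = append(v.Reasons, "almost no incoming calls")
			}
			if float64(len(p.peers))/float64(p.out) >= minDistinctRatio {
				v.Reasons = append(v.Reasons, "callees rarely repeat")
			}
			if len(p.cells) <= maxCells {
				v.Reasons = append(v.Reasons, "never moves between cells")
			}
		}
		v.SIMBox = len(v.Reasons) >= 2
		verdicts = append(verdicts, v)
	}
	sort.Slice(verdicts, func(i, j int) bool { return verdicts[i].IMSI < verdicts[j].IMSI })
	return verdicts
}

// SampleCDRs builds one constructed day of traffic: the first IMSI behaves
// like a SIM box terminating bypassed international calls, the second like
// an ordinary subscriber who calls a few contacts, is called back, and moves.
func SampleCDRs() []CDR {
	var cdrs []CDR
	for i := 0; i < 40; i++ {
		cdrs = append(cdrs, CDR{"404100000000001", "MO", fmt.Sprintf("+9190000%05d", i), "cell-17"})
	}
	contacts := []string{"+919812345678", "+919898989898", "+919111111111"}
	cells := []string{"cell-03", "cell-09", "cell-12"}
	for i := 0; i < 24; i++ {
		cdrs = append(cdrs, CDR{"404100000000002", "MO", contacts[i%3], cells[i%3]})
		if i%2 == 0 {
			cdrs = append(cdrs, CDR{"404100000000002", "MT", contacts[i%3], cells[i%3]})
		}
	}
	return cdrs
}

func main() {
	for _, v := range ScoreSIMs(SampleCDRs()) {
		fmt.Printf("%s simbox=%v %v\n", v.IMSI, v.SIMBox, v.Reasons)
	}
}
```

The minimum-volume guard matters: a SIM with only a handful of calls will trivially satisfy “never moves between cells” and “callees rarely repeat”, so without it the detector would flag every lightly used prepaid card. A SIM server with virtual SIMs defeats the cell-based indicator but not the other two, which is why they are scored together rather than relied on individually.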
SIM box equipment costs up to 200,000 USD. Consider a typical international call routed
through a regulated, licensed interconnect. Assume client A is in India and client B in the UK.
When A calls B, the call is routed through the telephone network in India (labelled “Foreign
PSTN core” in the figure) to an interconnect between A’s network and B’s network in the UK,
then through B’s domestic network (labelled “Domestic PSTN core”) to B. If A and B are not in
neighbouring countries there can be many interconnects and intermediary networks. The
interconnects are critical and are heavily monitored for billing purposes and quality. VoIP calls
initiated from services such as Skype that terminate on a mobile phone also pass through a
regulated interconnect.
Figure 14.6: Typical international call routed through a regulated, licensed interconnect
(Source: Bradley Reaves et al.)
A SIM boxed international call avoids the regulated interconnect by routing the call to a
SIM box, which completes it over the local cellular network. Client A’s call is routed through the
domestic network, but instead of passing through the regulated interconnect it is carried over
the Internet (VoIP) to a SIM box in the destination country. The SIM box places a separate call
on the cellular network in the destination country and bridges the audio from the IP call into that
cellular call, which is routed to client B through the domestic network. This is illustrated in
Figure 14.7.
Figure 14.7: A SIM box international call (Source: Bradley Reaves et al.)
Neither end user is aware that the call is being routed through a SIM box. The practice
breaches the contracts between the two service providers that agreed to route traffic between
their networks, and the intermediaries profit from the reduced prices. Two types of attack can
occur: hijacking of an international call, and hijacking followed by re-injection of the call. The
first has been described above. In the second, SIM boxes re-inject voice traffic into the mobile
network disguised as calls from ordinary mobile customers, and the operator bears the cost of
the re-injected calls.
In general there are three types of routes used in communication networks. They are:
o Grey route: termination is legal for one entity or country, but illegal at the other end.
Table 14.1: Fraudulent calls by country of origin (percentage of fraudulent calls)
United States 5%
Pakistan 4%
Spain 4%
Cuba 3%
Italy 3%
Philippines 3%
Somalia 3%
United Kingdom 2%
Dominican Republic 1%
Egypt 1%
A further survey reports the share of the top five frauds: interconnect bypass fraud on the
home network is around 5%, whereas among roaming traffic interconnect bypass fraud amounts
to 20 to 25%. This can be seen in Figure 14.8.
US authorities say the hackers were part of an international crime ring that scammed
telecommunication companies out of an estimated USD 50 million in the last few years. Cyber
criminals on the FBI’s most-wanted list have been arrested by authorities in their native Pakistan.
Serbian police have cracked down on an illegal SIM box scheme: according to Serbia’s Interior
Ministry, working with the special cybercrime department of the Prosecutor’s Office and the
Macedonian Ministry of Interior, it identified miscreants using SIM boxes to bypass the
international gateways via VoIP and make low-cost calls in Serbia. More than 40,000 SIM cards
from mobile operators in Serbia, Croatia, Slovenia, Albania and Bosnia and Herzegovina were
found in Macedonia. There have been incidents in Ghana where fraudsters connived with partners
abroad to route Internet calls via VoIP so that they appeared to be local calls. The seized SIM
cards and connecting devices are shown in Figure 14.9. There has even been a case where a
woman was arrested for alleged SIM box fraud.
Recently in India a software engineer was arrested for running a telephone exchange for a
Pakistani spy. According to sources, the Uttar Pradesh Anti-Terrorism Squad busted an illegal
telephone exchange and spying racket that posed a national security threat, run by a software
engineer from south Delhi together with ten others from Lucknow and elsewhere in UP. The
exchanges not only earned lakhs of rupees by routing international calls around the legal
gateways; they were also used by Pakistan’s Inter-Services Intelligence (ISI) to call Army officials
and elicit information from them. The racket was busted after the defence ministry and the Army
alerted military intelligence in Jammu & Kashmir. Intelligence officials found that the illegal
network used SIM boxes for its spying: callers in Pakistan and Bangladesh made VoIP calls
through the SIM box to receivers in India, who saw only Indian numbers on their phone screens.
Law enforcement recovered 16 SIM box units, 140 prepaid cards, 10 mobile phones, 28 data
cards and five laptops. A recovered SIM box is shown in Figure 14.10.
· SIMBOX
· VOIP gateways
International Revenue Sharing Fraud (IRSF) is one of the most persistent types of fraud
within the telecom industry. In the case of IRSF, telecom pirates often utilize illegal resources to
gain access to an operator's network in order to bring traffic to phone numbers obtained from
an International Premium Rate Number provider. This devious activity entices subscribers and
draws them to use attractive services offered by calling a telephone line, resulting in substantial
charges to the caller.
14.3.1.6. Phishing
Phishing is a very popular form of hacking. It is simply the attempt to acquire personal
information such as usernames, passwords, credit card account information, and other sensitive
information by posing as a legitimate company. This can be done via email in its most popular
form, phone calls, or even text messages. Phishing attacks in 2012 accounted for an estimated
$1.5 billion in losses.
Email phishing is when hackers send fake emails that are often almost identical to emails
that you would receive from legitimate financial, e-commerce, or social websites. These emails
often contain links that direct users to websites that either contain malware or to websites with
login pages that look very similar to the login pages of legitimate companies.
In this increasingly digital world, users can use online services for paying bills, making
purchases, applying for a loan, paying that loan back, paying taxes, paying for traffic violations,
and so many other things. Because of this rise in online transactions, phishing is increasingly
prevalent. What’s more, email phishing is easy to automate. Everything can be done online and
on a massive scale, attacking thousands of users at once.
14.3.1.7. SMISHING
SMS phishing (often called "smishing") operates in a similar fashion to its better-known
cousin, email phishing. Instead of using an email to bait victims into sending sensitive information
such as bank, credit card or Social Security numbers, and usernames or passwords, fraudsters
use text messages. SMS phishing is particularly easy to carry out as there is no junk filter like
with email, and spoofing SMS messages is not as intricate as email spoofing. What's more, users are
charged for receiving these texts. Luckily though, it's fairly easy to report fraudulent texts to
your phone carrier or to the FTC. Smishing attacks can come in many different forms, from
offers for a gift card from a major retailer, or even deals on mortgages, to the aforementioned
alerts about accounts or cards.
14.3.1.8. VISHING
Voice phishing is the criminal practice of using social engineering over the telephone
system to gain access to private personal and financial information from the public for the
purpose of financial reward. It is sometimes referred to as 'vishing', a word that is a combination
of "voice" and phishing. Voice phishing exploits the public's trust in landline telephone services,
which have traditionally terminated in physical locations known to the telephone company, and
associated with a bill-payer. Voice phishing is typically used to steal credit card numbers or
other information used in identity theft schemes from individuals. Some fraudsters use features
facilitated by Voice over IP (VoIP), such as caller ID spoofing (to display a number of their
choosing on the recipient's phone line) and automated systems (IVR). Voice phishing is
difficult for legal authorities to monitor or trace. To protect themselves, consumers are advised
to be highly suspicious when receiving messages directing them to call and provide credit card
or bank numbers; vishers can in some circumstances intercept calls that consumers make
when trying to confirm such messages.
Premium rate service fraud is the second largest contributor to the $46.3 billion problem
of mobile fraud. It rakes in $4.73 billion globally and $1.35 in North America of losses for
subscribers annually. This type of fraud directly attacks subscribers by getting them to make
calls to a premium rate telephone number.
The most common occurrences of premium rate service fraud directly attack phone
companies through the subscription fraud method. It is a fairly basic scheme that takes advantage
of phone billing cycles. Fraudsters set up a premium-rate phone number through a carrier and
subscribe for one or multiple phone lines through a different carrier using false information.
They then run autodialers on the subscriber lines that call the premium rate numbers, running
up extremely large bills. They don’t pay the subscription bills, but receive the profits from the
premium-rate line. This goes on until the phone company begins to investigate a bill for
nonpayment, and then the fraudsters simply close out their services – leaving the bills unpaid at
the expense of the phone company.
Roaming is one of the highest revenue earners in the telecommunications industry, which
means that it is also the most vulnerable to fraudulent attacks. Every year, the telecommunications
industry loses $46.3 billion to fraud, and roaming fraud takes the biggest hit: about $6 billion
globally and almost $2 billion in North America, according to the Communications Fraud Control
Association’s most recent survey. These losses can contribute to rises in cell phone carrier
rates, which in turn has repercussions on a company’s brand and customer satisfaction.
Roaming fraud can happen when a subscriber that used the services of the visiting network
refuses to pay for them either by claiming ignorance, insufficient knowledge of the additional
costs, or by claiming that the service was never requested. It is fraud in its most basic form.
In the case of identity theft subscription fraud, it is often difficult for the victim to resolve
the fraud as he or she may not discover it for a long time due to the nature of monthly phone
bills. Additionally, phone carriers are wary of customers claiming subscription fraud and victims
may find it difficult to prove that they did not actually make the calls they were billed for.
The reason why subscription fraud is so pervasive is that it lends itself to many different
types of mobile fraud. For example, scammers gain access to a phone line via subscription
fraud to rack up charges on roaming networks, which is called roaming fraud.
In Japanese, “wan” means “one” and “giri” means “hang up.” This form of fraud, also
known as “one ring and cut,” targets millions of mobile phone users by making random calls
from premium-rate phone lines, letting the call ring once, and then hanging up. By leaving a
“missed call” message on a user’s phone, the scammers hope that the users will call back.
When they do, they find themselves listening to advertisements like subscriptions to premium
chat lines or Internet services. The scammer pockets the revenue from the call, since they are
hardly charged for receiving a phone call. The charge goes onto the user’s phone bill – which
oftentimes isn't seen until weeks or months later, if ever. This extremely successful fraud
method that originated in Japan has caused $2 billion of losses globally and $570 million in
North America in the last year. Wangiri fraud is a fairly new form of mobile fraud, especially in its
more organized forms. When paired with international revenue share fraud, Wangiri fraud can
cause serious damage. Mobile phone users see a missed call from a domestic-looking number
(usually one with a three-digit area code), but the number is in fact connected to an international
premium-rate service line. Many consumers are not aware that many three-digit area codes
connect callers to international lines (often in the Caribbean), which is why this generates
exponentially more revenue for the scammers. Additionally, Wangiri fraud used to be operated
manually, but has been automated. Specialized fraud firms were common in the early 2000s,
making thousands of calls a day with the use of autodialers.
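As an added example (not part of the course text), the following Python screening pass applies the Wangiri pattern described above to a constructed call detail record (CDR) extract: it flags callers that ring many distinct subscribers only briefly and never connect, and counts the victims that later called the number back. The CDR format, the premium-rate prefixes and the thresholds are assumptions made for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed premium-rate / international prefixes that look "domestic" to a
# subscriber; placeholders for illustration, not real number assignments.
PREMIUM_PREFIXES = ("+1900", "+1268", "+1473")

# Constructed CDR extract: time,caller,callee,ring_seconds,talk_seconds.
# +19005550100 rings six different subscribers for 1-2 seconds and hangs up,
# one victim calls back and is kept on the line; +15550003000 is a busy but
# legitimate caller whose calls are all answered.
SAMPLE_CDRS = """\
time,caller,callee,ring_seconds,talk_seconds
2018-01-05T03:00:01,+19005550100,+15550001001,2,0
2018-01-05T03:00:02,+19005550100,+15550001002,1,0
2018-01-05T03:00:03,+19005550100,+15550001003,2,0
2018-01-05T03:00:04,+19005550100,+15550001004,1,0
2018-01-05T03:00:05,+19005550100,+15550001005,2,0
2018-01-05T03:00:06,+19005550100,+15550001006,1,0
2018-01-05T08:15:00,+15550001002,+19005550100,4,95
2018-01-05T09:00:00,+15550003000,+15550002001,3,30
2018-01-05T09:01:00,+15550003000,+15550002002,2,40
2018-01-05T09:02:00,+15550003000,+15550002003,3,25
2018-01-05T09:03:00,+15550003000,+15550002004,2,60
2018-01-05T09:04:00,+15550003000,+15550002005,3,35
2018-01-05T10:00:00,+15550002000,+15550002009,8,240
"""


def parse_cdrs(text):
    """Parse the CSV extract into dicts with integer durations."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({
            "time": row["time"],
            "caller": row["caller"],
            "callee": row["callee"],
            "ring": int(row["ring_seconds"]),
            "talk": int(row["talk_seconds"]),
        })
    return records


def is_premium_range(number):
    """True if the number falls in one of the constructed premium-rate ranges."""
    return number.startswith(PREMIUM_PREFIXES)


def find_wangiri_sources(records, min_attempts=5, max_ring=3, min_short_ratio=0.9):
    """Return {caller: stats} for callers whose traffic matches the Wangiri pattern.

    The pattern the lesson describes: many outbound attempts to many distinct
    numbers, each ringing only briefly and never answered, from a number that is
    really a premium-rate line. Callbacks by victims are counted as well, since
    those are the calls that actually generate the fraudulent charges.
    """
    by_caller = defaultdict(list)
    for r in records:
        by_caller[r["caller"]].append(r)

    flagged = {}
    for caller, calls in by_caller.items():
        if len(calls) < min_attempts:
            continue
        short_unanswered = [c for c in calls
                            if c["talk"] == 0 and c["ring"] <= max_ring]
        ratio = len(short_unanswered) / len(calls)
        if ratio < min_short_ratio:
            continue  # busy but legitimate callers get answered most of the time
        callbacks = [r for r in records if r["callee"] == caller and r["talk"] > 0]
        flagged[caller] = {
            "attempts": len(calls),
            "distinct_targets": len({c["callee"] for c in calls}),
            "short_unanswered_ratio": round(ratio, 2),
            "premium_range": is_premium_range(caller),
            "callbacks": len(callbacks),
            "callback_talk_seconds": sum(r["talk"] for r in callbacks),
        }
    return flagged


if __name__ == "__main__":
    for number, stats in find_wangiri_sources(parse_cdrs(SAMPLE_CDRS)).items():
        print(number, stats)
```

In practice the same pass runs over an operator's hourly CDR feed, and a flagged number whose callbacks are already accumulating talk time is the one to block and bill-protect first.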
Slamming refers to when phone carriers illegally change customers’ telephone service
without their permission. Telephone service providers are obligated by law to obtain customers’
permission before switching them to a different provider.
Cramming refers to when phone carriers illegally add charges to customers’ telephone
bills for services they did not authorize. Similar to slamming, telephone service providers are
obligated by law to obtain customers’ permission before placing charges on their telephone bill.
A Private Branch Exchange (PBX) is a private telephone network used within a company. Rather than
requiring a line for each employee, which can be costly, a PBX system switches calls between users on local lines
while allowing them to share several external phone lines for making calls outside of the PBX.
Phone calls within the company are typically made by dialing a three or four digit extension. The
term PBX was first introduced in the time of switchboards, where operators would manually
connect calls but over time, the process has become standardized.
Summary
· Fraud takes place when a person deliberately practices deception in order to gain
something unlawfully or unfairly. The act of fraud can be classified as either a civil
or a criminal wrong. It occurs for the purpose of deceiving another person or entity.
· Trusted persons become trust violators when they conceive of themselves as having
a financial problem which is non-shareable, are aware this problem can be secretly
resolved by violation of the position of financial trust, and are able to apply to their
own conduct in that situation verbalizations which enable them to adjust their
conceptions of themselves as trusted persons with their conceptions of themselves
as users of the entrusted funds or property.
· Perceived Pressure: It is the motivation behind the crime and it can be either
personal financial pressure such as debt problems, or work pressure or a shortfall
in revenue. The pressure is seen by the individual as unsolvable. A common example
of a perceived non-shareable financial problem is gambling debt.
· Opportunity: the opportunity to commit fraud is the circumstances that allow fraud
to occur, and is the only condition over which the organization has complete control.
Opportunities to commit fraud are commonly present in organizations that have
poor internal controls or whose controls can be overridden by management. If internal
control is designed in a way that the risk of getting caught is too high, it is likely that
the employee will not exploit the perceived opportunity for his or her personal gain.
Without opportunity fraud can never happen.
· Factors that lead to telecom fraud are criminal greed; disgruntled employees;
complexity in technology; failure to understand the complexity of new technologies;
weakness in operating systems; failure of business models; money laundering;
free financial gain; political and ideological factors; and ineffective audit systems,
leading to telecom pirates.
· Switch hooking was the first phreaking method used. In this method calls were
made by disabling the rotary keypad. It was accomplished by pressing and releasing
the switch hook to open and close the circuit quickly.
· Private Branch Exchange (PBX) is an internal telephone system that directs calls
from one person to another within an enterprise. In this type of fraud, the criminals
break into the PBX system and sell long distance calls to third parties around the
world. In the current global scenario, PBX is software driven, with features such as
voice mail, maintenance port and direct inward system access (DISA).
· Internet bypass fraud is one of the most complicated fraud types in recent
times. Telecom regulators and mobile operators face a staggering revenue loss
since bypass fraud is proving to be the most prolific and costly of frauds.
· The most common occurrences of premium rate service fraud directly attack phone
companies through the subscription fraud method. It is a fairly basic scheme that
takes advantage of phone billing cycles. Fraudsters set up a premium-rate phone
number through a carrier and subscribe for one or multiple phone lines through a
different carrier using false information.
9. What is SIMBoxing?
Reference
1. https://internalaudit.ku.edu/what-fraud
2. https://www.syniverse.com/assets/files/custom_content/global_mobile_fraud_trends_report.pdf
3. https://jotopr.com/chargebacks911-dissects-key-types-of-credit-card-fraud-identity-theft-to-friendly-fraudcybershoplifting/
4. http://www.businessdictionary.com/definition/fraud.html
5. https://internalaudit.ku.edu/what-fraud
6. Donald R. Cressey, Other People's Money (Montclair: Patterson Smith, 1973), p. 30.
LESSON - 15
CYBER FRAUDS - PART - II - PAYMENT CARD FRAUDS
Learning objectives
After reading this lesson you will be able to learn the following:
o Debit Card
o Credit Card
o Master Card
o Maestro Card
o Visa Card
o Rupay Card
o Global Scenario
o Indian Scenario
o Counter measures
Structure
15. Cyber Frauds – Payment Card Frauds
15.10. Countermeasures
Payment cards are part of a payment system issued by financial institutions, such as banks,
to a customer that enables its owner (the cardholder) to access the funds in the customer's
designated bank accounts, or through a credit account, and make payments by electronic funds
transfer and access automated teller machines (ATMs). Most payment cards, such
as debit and credit cards, can also function as ATM cards, although ATM-only cards are also
available. The use of a credit card to withdraw cash at an ATM is treated differently from
a POS transaction, usually attracting interest charges from the date of the cash
withdrawal. Interbank networks allow the use of ATM cards at ATMs of private operators and
financial institutions other than those of the institution that issued the cards.
A debit card (also known as a bank card or cheque card) provides an alternative payment
method to cash when making purchases. Functionally, it can be called an electronic cheque, as
the funds are withdrawn directly from either the bank account, or from the remaining balance
on the card. In most countries the use of debit cards has become so widespread that their
volume of use has overtaken or entirely replaced the cheque and, in some instances, cash
transactions. Like credit cards, debit cards are used widely for telephone and Internet purchases
and, unlike credit cards, the funds are transferred immediately from the bearer’s bank account
instead of having the bearer pay back the money at a later date. Debit cards may also allow for
instant withdrawal of cash, acting as the ATM card for withdrawing cash and as a check guarantee
card. Merchants may also offer cash back facilities to customers, where a customer can withdraw
cash along with their purchase.
A credit card is issued to users as a system of payment. It allows its holder to buy goods
and services based on the holder’s promise to pay for these goods and services. The issuer of
the card creates a revolving account and grants a line of credit to the consumer (or the user)
from which the user can borrow money for payment to a merchant or as a cash advance to the
user.
Most credit cards are issued by banks or credit unions. Table 15.1 below gives a comparison
for better understanding of the difference between a credit card, debit card and a prepaid card.
Liability for unauthorized transactions (credit card / debit card / prepaid card): liability for
losses / liability for losses / liability depends on the type of funds on the card.
MasterCard itself is a financial services business that partners with financial institutions to
issue MasterCard branded cards that are processed through the MasterCard network. The
issuing financial institution usually pays the cost of producing the cards and mailing them to
customers with specific card terms. When a financial institution partners with MasterCard then
it means that all transaction processing communications must be done through MasterCard as
the network processor.
MasterCard does not have a financial business component for credit card underwriting or
banking deposit services. Therefore MasterCard serves as a network processing service provider
but does not have the capability to underwrite credit or offer deposit accounts on its own.
This requires it to partner with financial institutions for all card issuance.
15.3. Maestro
Maestro is a multi-national debit card service owned by MasterCard, and was founded in
1990. Maestro cards are obtained from associate banks and can be linked to the card holder’s
current account, or they can be prepaid cards. Within the EU and certain other countries, Maestro
is MasterCard’s main debit brand and is the equivalent of signature debit card which does not
require electronic authorization, similar to the Visa Debit card. In most other countries, Maestro
is equivalent to a Visa Electron and is MasterCard’s tertiary card. It requires electronic
authorization much like a Solo debit card, i.e. not only must the information stored in either the
chip or the magnetic stripe be read, this has to be sent from the Merchant to the issuing bank,
the issuing bank then has to respond with an affirmative authorization. If the information is not
read, the issuer will decline the transaction, regardless of any disposable amount on the
connected account. This is different from other debit and credit cards, where the information
can be entered manually into the terminal (i.e. by punching the 13 to 19 digits and the expiry
date on the terminal) and still be approved by the issuer or stand-in processor.
Visa Debit
Visa Debit is a major debit card issued by Visa in the United Kingdom, the Republic of
Ireland and other nations of the European Union. Prior to October 2004, the debit card was
known as Visa Delta. Since June 2009, the major banks in the UK have begun issuing Visa
Debit. Barclays, Bank of Scotland/Halifax, Lloyds TSB, and Santander have already issued the
card. HSBC, RBS (including NatWest and Ulster Bank) are currently in the process of migrating
to the card from the Maestro debit card.
Visa Electron
Visa Electron is a debit or credit card available across most of the world, with the exception
of Canada, Australia, Ireland and the United States. The card was introduced by VISA in the
1980s and is a sister card to the Visa Debit card. The difference between Visa Electron and
Visa Debit is that payments with Visa Electron require that all the funds be available at the time
of transfer, i.e., Visa Electron card accounts may not be overdrawn. Visa Debit cards, on the
other hand, allow transfers exceeding available funds up to a certain limit. Some online stores
and all offline terminals (like on trains and aircraft) do not support Visa Electron because their
systems cannot check for the availability of funds.
cent of credit card transactions and almost all debit card transactions are domestic; however,
the cost of transactions was high due to monopoly of foreign gateways like Visa and Mastercard.
RuPay facilitates electronic payment at all Indian banks and financial institutions.
The IndiaPay scheme was conceived by the National Payments Corporation of India as
an alternative to the MasterCard and Visa card schemes, and to consolidate and integrate
various payment systems in India. It was renamed to RuPay to avoid naming conflicts with
other financial institutions using the same name.
The RuPay card was launched on 26 March 2012. NPCI entered into a strategic partnership
with ”Discover Financial Services” (DFS) for RuPay Card, enabling the acceptance of RuPay
Global Cards on Discover’s global payment network outside of India. Some of the unique benefits
offered by RuPay card are:
· Low cost and affordability
· Customized product offerings
· Personal data protection & Insurance
· Interoperability
· Increased security
· Reduce card-present fraud
· Enable the use of future value-added applications.
· Payment data is more secure on a chip-enabled payment card than on a magnetic
stripe (magstripe) card, as the former supports dynamic authentication, while the
latter does not (the data is static).
· Consequently, data from a traditional magstripe card can be easily copied (skimmed)
with a simple and inexpensive card reading device – enabling criminals to reproduce
counterfeit cards for use in both the retail and the CNP environment.
· Chip (EMV) technology is effective in combating counterfeit fraud with its dynamic
authentication capabilities (dynamic values existing within the chip itself that, when
verified by the point-of-sale device, ensure the authenticity of the card).
· In addition to the reduction of fraud and related chargebacks, there are other cost
savings associated with EMV acceptance.
The chip technology standard for payment was first used in France in 1992. Today, there
are more than 1 billion chip cards used around the world. Preventing the growth of card-present
fraudulent activity is one of the main reasons the industry is moving toward EMV technology.
Chip cards make it difficult for fraud organizations to target cardholders and businesses alike.
As a result, more and more chip cards are being introduced by financial institutions in order to
support and switch over to this technology. The flow chart of payment card processing is
illustrated in Figure 15.1.
E-payments are forecast to grow at a CAGR of 17.6% from 2015 to 2019, due to adoption
of instant payments and growth in emerging markets. However, the year-on-year growth rate of
e-payments is expected to slow down from 19.2% in 2016 to 15.3% in 2019. The slowdown is
expected to be primarily due to the growing acceptance of m-payments and a shift of transaction
volumes from e-payments to m-payments. Purchase transactions worldwide are illustrated in
Figure 15.2.
According to statistics recently released by the RBI and reported by Medianama, there
were 842.50 million debit cards in India by Feb 2018, of which 480.70 million were
issued by the top five banks. Between Dec 2016 and Dec 2017 an estimated 81.4 million debit
cards were added. Among the top five banks, approx. 278.2 million debit cards have been
issued by SBI alone, which is more than the other four banks put together (202.6 million). This
of course is because of the huge customer base of SBI. The expanding number of credit cards in
India is illustrated in Figure 15.3.
According to the Reserve Bank of India, by Jan 2018 the number of credit cards increased
to 855.4 million, with 8.7 million new cardholders. A total of 36.94 million credit cards
were in operation, with an addition of 0.74 million cards reported in Jan 2018 (Figure 15.4).
Credit card fraud is a wide-ranging term for theft and fraud committed using or involving
a payment card, such as a credit card or debit card, as a fraudulent source of funds in a
transaction. The purpose may be to obtain goods without paying or to obtain unauthorized
funds from an account. Credit card fraud is also an adjunct to identity theft. Card fraud happens
either with the theft of the physical card or with the compromise of data associated with the
account, including the card account number or other information that would routinely and
necessarily be used for a legitimate transaction. The compromise can occur because of many
common reasons and can usually be conducted without tipping off the cardholder, the merchant,
or the issuer at least until the account is ultimately used for fraud. The exponential growth of
credit card use on the Internet has made database security lapses particularly costly; in some
cases, millions of accounts have been compromised.
Stolen cards can be reported quickly by cardholders, but a compromised account can be
hoarded by a thief for weeks or months before any fraudulent use, making it difficult to identify
the source of the compromise. The cardholder may not discover fraudulent use until receiving
a billing statement, which may be delivered infrequently. Cardholders can mitigate this fraud
risk by checking their account frequently to ensure constant awareness in case there are any
suspicious, unknown transactions or activities.
The first surge of major corporate data breaches was reported in 2014 and 2015, and
many Americans hoped it was just a brief trend. Those hopes faded as even bigger and
established companies became the target of cybercriminals, with the most recent being the
massive data breach at the credit bureau Equifax in September 2017.
Tracking by the US-based Identity Theft Resource Center (ITRC) and CyberScout
indicates that there were more than 750 data breach cases reported in the U.S. by the end of
June 2017, an increase of 29% over the same period in 2016. At this rate, the ITRC estimated
that the number of breaches would reach 1,500 by the end of 2017. The official figures are yet to
be declared though. Figure: The number of data breaches (USA) up to 2017.
Almost 1.3 million complaints were related to frauds. Consumers reported paying over
$744 million in those fraud complaints; the median amount paid was $450. Fifty-one percent of
the consumers who reported a fraud-related complaint also reported an amount paid.
More than half (55 percent) of the fraud-related complaints listed a method of initial contact,
and of those, 77 percent were contacted by phone, while only 8 percent were first reached by
email. Only 3 percent were contacted by mail.
According to Nilson Report 2017, the year 2016 has actually seen a considerable drop in
the worldwide card related frauds as can be seen from the graph given at figure 15.8. The
projected worldwide card fraud impact in $billion is illustrated at figure 15.9.
The US Identity Theft Resource Center’s report, “Identity Theft: The Aftermath 2016”
found that nearly 20 percent of Americans surveyed were the victim of some kind of criminal
identity theft in 2015. Of those, 9.2 percent said their identity was used to commit a financial
crime that resulted in an arrest warrant.
The effects of this criminal identity theft are staggering. Fifty-five percent of victims missed
time from work, and 44 percent said they lost out on an employment opportunity. Additionally,
60.7 percent had to borrow money, and 29.5 percent had to request government assistance,
such as welfare or food stamps.
As EMV technology is adopted in the card present space, it is expected that fraud will also
shift to the least secure channels, including CNP. From an online fraud perspective, it’s important
that CNP businesses be prepared for this anticipated shift, as experienced in other regions that
have already migrated toward chip card technology. While EMV chip cards have cut counterfeit
fraud, “card not present” (CNP) fraud is rising. CNP fraud includes telephone, internet and mail
order transactions in which the cardholder does not physically present the card to the merchant.
Credit card frauds can be broadly classified into three categories: card related frauds,
merchant related frauds and internet related frauds. The different credit card frauds are as follows:
a) Application Fraud: This type of fraud occurs when a person falsifies an application to
acquire a credit card. Application fraud can be committed in three ways:
(i) Financial Fraud, where an individual provides false information about his or her financial
status to acquire credit.
(ii) Non-received items (NRIs), also called postal intercepts, occur when the card is stolen
from the postal service before it reaches its owner's destination.
b) Lost/Stolen cards: This type of fraud occurs when a legitimate cardholder loses the
card or someone steals the card for a criminal purpose.
c) Account Takeover: This type of fraud occurs when a fraudster illegally obtains all the
personal confidential information of a bona fide person. Then, impersonating the genuine
cardholder, he/she informs the bank that his residential or office address has changed. Next, he/
she reports that the credit card is lost and requests that a new card be mailed to the new address.
He/she receives the card and thus the criminal is able to successfully take over the account.
e) Card-not-present (CNP) Fraud: This type of fraud is conducted over the Internet, by
telephone, fax and mail order. It occurs when criminals obtain card details by theft of an
individual's card details from discarded receipts, or by copying down the cardholder's details during
a transaction without the legitimate cardholder's knowledge. It is now seen largely in the UK. The
problem in countering this type of fraud is that neither the card nor the cardholder is present at
a point of sale in a shop.
h) Identity Fraud: It occurs when someone illegally obtains personal information and
repeatedly uses it to open new accounts or to initiate transactions in the name of the legitimate
customer. The majority of identity thefts occur offline, like stealing wallets, intercepting mail
or rummaging through the trash.
i) Phishing: It occurs when the criminal solicits sensitive information like the cardholder's
financial data or other account-related information through e-mail, posing as the cardholder's
banker or a seller from whom the cardholder has made recent purchases. Credit card fraud has become
common on the Internet. Though all the parties involved in the transactions, i.e. cardholders,
merchants and the card issuers, suffer losses, among them merchants are the most affected
by credit card fraud.
15.11 Countermeasures
There are different key measures, which are used for detecting and preventing credit
card frauds. Some of them are as follows:
1. Address Verification Service (AVS): This technique matches the cardholder's billing
address and ZIP code information given for delivering the purchases against the bank's records.
This system is available in the USA and in a few countries of Europe. However, this technique
has several weaknesses, i.e. the address information is available online; it makes the bank's
work in preventing fraud tedious; and it cannot check the entire card information. Only American
Express has the facility to check all international frauds through its AVS system.
2. Card Verification Value (CVV): This technology checks the 3–4 digit code on the
credit card. This technology has the advantage that it requires physical possession of the
card, but this advantage can be nullified by phishing. It also cannot protect the merchant from
transactions placed on physically stolen cards.
3. Negative Databases: This technology checks the order against fraud attempts.
4. Fraud Rates: This technology checks for recognized patterns associated with fraud.
It carries the advantage that it is easy to configure and understand, but the disadvantage is that
when the fraud patterns change, a new fraud pattern may not be recognized.
6. 3D-Secure: This technology works on the principle of authenticating the consumer via a
previously established password. The positive side of this system is that the fraudster needs the
legitimate cardholder’s password to complete the transaction. However, this advantage can
also be negated if the password is compromised.
7. Chip and PIN: Smart cards were introduced to prevent credit card fraud using this
technology. The credit card has an encrypted EMV chip storing all the information and a PIN instead
of a signature, which are used to prove that you are the genuine cardholder. Thus, this technique
minimizes fraud.
8. Biometrics: This is the most recent and sophisticated technology to prevent credit card
frauds. It records a unique characteristic of the cardholder like fingerprints, voice, signature,
iris, and other similar biological components so that a computer can read it. Then the computer
compares the stored characteristics with that person who presents the card for ensuring that
he/she is the legitimate cardholder. The negative aspect of this technology is that it carries additional
costs and customers are still reluctant to accept it.
10. Collaboration: The whole industry has to work in collaboration to prevent fraud. This is
the right time when a united group is required to combat fraud and safeguard the business.
Summary
· Payment cards are part of a payment system issued by financial institutions, such
as a bank, to a customer, that enables its owner (the cardholder) to access the funds
in the customer’s designated bank accounts, or through a credit account, and make
payments by electronic funds transfer and access automated teller
machines (ATMs).
· A debit card (also known as a bank card or cheque card) provides an alternative
payment method to cash when making purchases. Functionally, it can be called an
electronic cheque, as the funds are withdrawn directly from either the bank account,
or from the remaining balance on the card.
· A credit card is issued to users as a system of payment. It allows its holder to buy
goods and services based on the holder’s promise to pay for these goods and
services. The issuer of the card creates a revolving account and grants a line of
credit to the consumer (or the user) from which the user can borrow money for
payment to a merchant or as a cash advance to the user.
· A MasterCard card is any electronic payment card that uses the MasterCard network
for processing transaction communications. These cards are typically branded with
a MasterCard logo. They can be credit, debit or prepaid cards.
· RuPay is an Indian domestic card scheme conceived and launched by the National
Payments Corporation of India (NPCI).
· EMV chip technology is becoming the global standard for credit card and debit card
payments. Named after its original developers (Europay, MasterCard and Visa),
this technology features payment instruments (cards, mobile phones, etc.) with
embedded microprocessor chips that store and protect cardholder data.
· ………………. is becoming the global standard for credit card and debit card
payments.
Reference
1. https://internalaudit.ku.edu/what-fraud
2. https://www.syniverse.com/assets/files/custom_content/global_mobile_fraud_trends_report.pdf
3. http://indianresearchjournals.com/pdf/IJMFSMR/2013/March/16.pdf
4. https://ecommerceguide.com/guides/ecommerce-fraud/
5. https://jotopr.com/chargebacks911-dissects-key-types-of-credit-card-fraud-identity-theft-to-friendly-fraudcybershoplifting/
6. https://www.chargify.com/blog/friendly-fraud-vs-chargeback-fraud/
7. https://krebsonsecurity.com/tag/triangulation-fraud/
8. https://chargebacks911.com/affiliate-fraud/
9. https://www.finextra.com/blogposting/14769/three-types-of-merchant-fraud-a-guide-for-merchant-acquirers
10. https://www.consumer.ftc.gov/blog/2018/06/protecting-your-devices-cryptojacking
11. http://niiconsulting.com/checkmate/2014/06/it-act-2000-penalties-offences-with-case-studies/
12. Dictionary.com
13. http://www.businessdictionary.com/definition/fraud.html
14. https://internalaudit.ku.edu/what-fraud
15. Donald R. Cressey, Other People’s Money, Montclair: Patterson Smith, 1973, p. 30.
LESSON - 16
CYBER FRAUDS - PART-III - ECOMMERCE FRAUDS
Learning Objectives
Ecommerce fraud
Identity Theft
Friendly Fraud
Clean Fraud
Triangulation fraud
Affiliate Fraud
o Identity Swap
o Transaction Laundering
Card Testing
Refund Fraud
Phishing
Structure
16. Ecommerce fraud
16.11. Phishing
E-commerce is one of the areas most breached by cyber criminals. Losses caused by
online frauds are about EUR 4 billion, with an increase of 15% per year. Any online retailer
should provide a protection system in order to limit damages caused by online threats.
The best scenario would be to prevent fraud from occurring. The first step is to monitor
and check every order, taking care that the IP, email and shipping addresses match.
Since most credit card fraud cases involve foreign buyers, care has to be taken when
transactions are international. Attention is to be paid if the billing and shipping addresses don’t
match. And last but not least, a business should be equipped with a fraud protection service. In
any case, the best defense for an online business is being aware of the threats that are out there
and knowing what to look for.
Any company that decides to start an online business or to move into a multi-channel
approach, making its offer available online, is going to deal with new issues and threats. Online
frauds are radically different from the ones typically seen in brick-and-mortar businesses. The first
fundamental difference is that you can’t see your transactions’ counter-party. This fact makes it
harder to verify the identity of the person purchasing on your site. Fraudsters may be interested
in obtaining funds, merchandise or expensive items to resell.
Modus Operandi
Here are some of the most common types of fraudulent activities that plague online
merchants everywhere.
Hacking – a hacker may be able to gain access to communications between the customer
and merchant about their confidential data. A hacker may also gain access through third parties
that the retailer does business with.
The hackers gained access to Target’s network by first stealing credentials from a third-
party heating and ventilation company based in Pittsburgh called Fazio Mechanical Services.
Fazio Mechanical Services’ systems had access to Target’s network so that they could monitor
and maintain their systems. It is more efficient for Target to simply give contractors access to
its network rather than hiring a Target employee to monitor the systems in house. Fazio Mechanical
Services was compromised by a spear phishing attack made by the hackers a few months before
the attack on Target. Using the HVAC company’s credentials, they first installed the malware on
the point of sale (POS) devices in a select few stores to test the efficiency of the software
from November 15 to November 28, 2014 before expanding to the majority of the stores. The
malware copied data from credit cards and stored it on a compromised Target server.
Chargeback fraud is one of the simplest forms of fraud and does not necessarily involve
identity theft. A customer orders items from the website using a payment method that can easily
be pulled (think credit or debit card). Once the items are safely shipped or otherwise out of the
retailer’s control, the customer initiates a chargeback, stating that their identity was stolen.
They then keep the merchandise for free. Many times, the customer is using their own, legitimate
credit card.
A cyber-criminal perpetrating clean fraud uses a stolen credit card in such a way that they
are able to avoid alerting the fraud detectors. Often this is because the criminal has stolen
enough information about the credit card holder that they can easily pass the transaction off as
legitimate. As an ecommerce vendor, this type of fraud can be hard to spot because the data is
so clean, hence the name.
For the first step, the hacker sets up a fake online store to collect a customer’s full data.
Once the victim has “placed an order,” the hacker then commits clean fraud on an ecommerce
store’s site to ship the desired item to the customer, frequently using a different victim’s card
information. It is illustrated in figure 16.1.
One fast-growing ecommerce merchant (it was part of InternetRetailer.com’s Top 500
online retailers for 2 years) who wanted to remain anonymous, told Brian Krebs in 2015 that it
was hit with multiple fraudulent transactions because of triangulation fraud.
According to KrebsonSecurity:
“The company was hit with over 40 orders across three weeks for products that later
traced back to stolen credit card data. The victimized retailer said it was able to stop a few of the
fraudulent transactions before the items shipped, but most of the sales were losses that the
victim firm had to absorb.”
Many criminals use eBay to commit triangulation fraud. Here’s how some of them do it:
The fraudster creates an auction to sell an item they don’t own yet. A customer unwittingly
purchases the item through eBay, thus giving the “seller” (i.e. the fraudster) their information.
The criminal then uses stolen credit card information to purchase the item from an ecommerce
site (i.e. the victim) and ships the item to the eBay shopper, leaving the merchant to absorb the
loss.
The fraudsters hijack the proceedings through the following methods illustrated in Table 16.1.
While merchant fraud is mostly something individual consumers should be wary of, it can
affect ecommerce stores as well. Hackers will occasionally run this scam in the wholesale
industry to target businesses, and these kinds of scams also erode the trust consumers have in
legitimate online retailers. Merchant fraud exposes acquirers to the liability of facilitating criminal
activity – placing them at risk of chargebacks, fines, brand or reputational damage, regulatory
sanctions, and even legal action. There are three types of Merchant Fraud. They are bustout
fraud, identity swap,
In this fraud scheme, a merchant applies for a merchant account without any intention of
actually operating a legitimate business. These merchant accounts are then used to process
fraudulent transactions or to acquire lines of credit before abandoning the account altogether.
The aim of this type of fraud is simple: process as many fraudulent transactions as possible
within a short amount of time, and before being caught, simply abandon the account. In the
online world, it is extremely easy to falsify identities and set up fake businesses.
Certain individuals, for example individuals on the AML/ATF watch lists, merchants from
countries on which economic sanctions are imposed or those belonging to certain extremist
groups are prohibited from opening merchant accounts with major acquirers. To circumvent
these prohibitions, merchants often use a fake or stolen identity or set up a bogus online storefront
in order to secure a merchant account.
In this case, the business itself may be legitimate, and chargebacks won’t necessarily be
an issue. However, regulators expect acquirers to demonstrate due care and due diligence in
preventing merchants from acquiring fraudulent accounts through identity theft. Failure to do so
can result in steep fines and severe reputational damage.
16.11. Phishing
In this case an email asks for user ID, passwords, credit card details and other personal
information. The sender seems to be a credit institution that needs a confirmation of some
information due to a change in the system. Phishing allows criminals to get access to bank or
other accounts and it can be used for identity theft.
The general formula is that the scammer reaches out to the business via email as a
prospective client. They say they want an impressive amount of work from the business, but
first, they’re working with a third party company who they need to pay and, for some reason,
can’t. These reasons may even sound legitimate: they’re overseas and have a limited number
of international transfers, for instance. They’ll ask you to send the third party business some
money, which they assure you will be paid back, and more.
Research shows that ecommerce fraud does seem to be more common overseas.
Indonesia has the highest rate of fraudulent purchases, with over 30% of Indonesian online
purchases having proved to be fraudulent. Venezuela is a close second, and South Africa sees
about 25% of purchases as fraudulent. Brazil and Romania round out the top five. Ten percent
of purchases made in those countries are illegal.
In terms of continents, Africa represents the highest level of false purchases followed by
South America. Asia and North America represent the median level of ecommerce fraud, while
Europe is the safest continent for online sellers.
While none of this information means that you should or shouldn’t sell to people in a
particular location, it does mean that you may choose to be more vigilant about some places
over others.
A basic and major red flag for fraud is inconsistent data within an order. This contradictory
information could be that the zip code and city don’t match up, or that the IP and email addresses
don’t line up. While a real customer can certainly make typos, it’s far more likely that a cyber-
criminal will make a mistake by guessing wrong information.
First-time customers
Most consumers have no more than three credit cards, so you should be suspicious of
shoppers who use more than three cards when shopping on your site — especially if they try to
use those cards one after another. If a customer puts in multiple orders on many different credit
cards, whether in one sitting or over a long period of time, you could be dealing with a cyber-
criminal.
· Multiple transactions under the same billing address going to different shipping
addresses.
· Multiple credit cards used on the same IP address, even if they are not billed or sent
to the same person.
Scammers are known to drop significant amounts of money when they make fraudulent
purchases – usually, far more than any of your typical customers would spend. A large order
may be exciting at first, but you’ll certainly want to look into it. If they have paid for expedited
shipping on that large order, that’s even more of a red flag. It indicates that the scammer is
interested in getting their hands on the goods before they get caught.
This probably sounds obvious, but you want to watch out for any data that seems made
up. It’s not that difficult to catch fake email addresses (has no@yahoo.com ever been a real
address?), and fake phone numbers can even be found by sight alone. For instance, any
number with the area code “555” is a fake.
Again, while people do make typos during a transaction, one person attempting to use
the same card while inputting the numbers wrong several times can indicate someone who’s
trying to guess at a few of the numbers.
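The red flags described in this section (inconsistent order data, more than three cards per shopper, one billing address shipping to many places, several cards from one IP, unusually large expedited orders, made-up contact details and repeated card retries), together with the AVS check and the negative database from the countermeasures in lesson 15, as an added Python screening example that is not part of the course text; the order fields, the ZIP-to-city table, the negative database entries, the thresholds and the sample orders are all constructed assumptions.

```python
"""Order screening built from the lesson's red flags and countermeasures.

Added example, not from the course text. All reference data, thresholds and
sample orders below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    email: str
    phone: str
    card_last4: str         # only the last four digits are kept; never store the full PAN
    billing_address: str
    billing_zip: str
    billing_city: str
    shipping_address: str
    ip: str
    amount: float
    expedited: bool
    avs_match: bool         # outcome returned by the issuer's Address Verification Service
    card_retries: int = 0   # failed submissions of the same card just before this order


# Constructed reference data (assumptions made for this example).
ZIP_TO_CITY = {"10001": "new york", "60601": "chicago", "94105": "san francisco"}
NEGATIVE_DB = {"fraud@example.net"}          # emails tied to earlier confirmed fraud
FAKE_LOCAL_PARTS = {"no", "none", "test", "fake"}
TYPICAL_ORDER = 120.0                        # assumed typical basket value
LARGE_ORDER_MULTIPLIER = 5
MAX_CARDS_PER_CUSTOMER = 3                   # "most consumers have no more than three cards"
MAX_RETRIES = 3


def single_order_flags(o: Order) -> list[str]:
    """Rules that need only the order itself: AVS, negative database, inconsistent or made-up data."""
    flags = []
    if not o.avs_match:
        flags.append("avs-mismatch")
    if o.email.lower() in NEGATIVE_DB:
        flags.append("negative-db-hit")
    expected = ZIP_TO_CITY.get(o.billing_zip)
    if expected and expected != o.billing_city.strip().lower():
        flags.append("zip-city-mismatch")
    if o.billing_address.strip().lower() != o.shipping_address.strip().lower():
        flags.append("billing-shipping-differ")
    if o.email.split("@")[0].lower() in FAKE_LOCAL_PARTS:
        flags.append("fake-email")
    digits = "".join(ch for ch in o.phone if ch.isdigit())
    if len(digits) >= 10 and digits[-10:-7] == "555":   # "555" area code, never allocated
        flags.append("fake-phone")
    if o.amount > LARGE_ORDER_MULTIPLIER * TYPICAL_ORDER:
        flags.append("large-order-expedited" if o.expedited else "large-order")
    if o.card_retries >= MAX_RETRIES:
        flags.append("card-number-guessing")
    return flags


def velocity_flags(orders: list[Order]) -> dict[str, list[str]]:
    """Rules visible only across a batch: cards per shopper, cards per IP, one billing to many shipping."""
    cards_by_email = defaultdict(set)
    cards_by_ip = defaultdict(set)
    ship_by_billing = defaultdict(set)
    for o in orders:
        cards_by_email[o.email.lower()].add(o.card_last4)
        cards_by_ip[o.ip].add(o.card_last4)
        ship_by_billing[o.billing_address.lower()].add(o.shipping_address.lower())
    out = {}
    for o in orders:
        f = []
        if len(cards_by_email[o.email.lower()]) > MAX_CARDS_PER_CUSTOMER:
            f.append("too-many-cards")
        if len(cards_by_ip[o.ip]) > 1:
            f.append("multiple-cards-same-ip")
        if len(ship_by_billing[o.billing_address.lower()]) > 1:
            f.append("one-billing-many-shipping")
        out[o.order_id] = f
    return out


def screen(orders: list[Order]) -> dict[str, list[str]]:
    """Combine per-order and batch rules; an empty list means no red flag was raised."""
    batch = velocity_flags(orders)
    return {o.order_id: single_order_flags(o) + batch[o.order_id] for o in orders}


# Constructed sample batch: one ordinary customer and one pattern the lesson describes
# (four cards from one email and IP, one billing address, four drop addresses).
SAMPLE_ORDERS = [
    Order("A1", "alice@example.com", "212-010-0100", "4242", "1 Main St", "10001",
          "New York", "1 Main St", "203.0.113.5", 80.0, False, True),
] + [
    Order(f"F{i}", "no@example.org", "555-010-0199", str(1111 * i), "9 Elm Rd", "60601",
          "Boston", f"Drop box {i}", "198.51.100.7", 900.0, True, False,
          card_retries=4 if i == 1 else 0)
    for i in range(1, 5)
]

if __name__ == "__main__":
    for order_id, flags in screen(SAMPLE_ORDERS).items():
        print(order_id, "clean" if not flags else ", ".join(flags))
```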
Summary
· E-commerce Fraud can most succinctly be defined as illegal activity wrought by a
cyber criminal on a website. It results in unauthorized or otherwise fraudulent
transactions, stolen merchandise and/or wrongful requests for a refund.
· Identity theft is the most well known form of ecommerce fraud. Retailers are more
concerned about this type of fraud.
· Chargeback fraud is one of the simplest forms of fraud and does not necessarily
involve identity theft.
· A cyber-criminal perpetrating clean fraud uses a stolen credit card in such a way
that they are able to avoid alerting the fraud detectors.
· Merchant identity fraud is rather simple: the cyber-criminal sets up an online store
and entices a victim to purchase something, which they typically list for an impossibly
low price. Then they disappear and never ship the item.
Reference
https://people.carleton.edu/~carrolla/story.html
LESSON - 17
CYBER FRAUDS – PART-IV
IT FRAUDS
After reading this lesson you will be able to understand
IT Frauds
o Occupation Fraud
o Corporate Fraud
o Asset Stripping
o Fraudulent Trading
o Share Ramping
o Investment fraud
o Other frauds
Structure
17. IT Frauds
17 IT Frauds
Computer Fraud is the use of Information Technology to commit fraud. This covers all
components of IT, from end user computing devices like laptops, desktops and mobile
equipment, to networking devices like routers, switches and wireless devices, to software
and applications. Fraud is often difficult to detect and even harder to prove in a court of law.
Common practices are applicable to practising professionals who are auditing fraud in an
information technology (IT) environment.
Melissa
David L Smith, a 31 year old New Jersey programmer, was accused of unleashing
the “Melissa” computer virus, a Visual Basic for Applications-based worm. This
virus was propagated by deliberately posting an infected document to a
Usenet newsgroup from a stolen AOL account. He constructed the virus to
evade anti-virus software and to infect computers through Microsoft Windows
and Word programs. The Melissa virus appeared on thousands of email
systems on March 26, 1999, disguised as an important message from a
colleague or friend.
The term “occupational fraud” is defined as: “the use of one’s occupation for personal
enrichment through the deliberate misuse or misapplication of the employing organization’s
resources or assets.” IT Fraud is a type of criminal activity, defined as: ‘abuse of position, or
false representation, or prejudicing someone’s rights for personal gain’. Put simply, fraud is an
act of deception intended for personal gain or to cause a loss to another party.
Ø Fraudsters have large personal debts/financial losses, & a desire for personal gain.
Ø Transactions will generally be taking place that were at an odd time, odd frequency,
unusual amount or to odd recipients.
Ø When internal controls are not enforced, or often compromised by higher authorities.
Ø One employee has control of a process from start to finish with no segregation of
duties
Types of Fraud
Ø Corporate Fraud
Ø Asset stripping
Ø Fraudulent trading
Ø Share ramping
Ø Investment fraud
Ø Other frauds
Ø “Phoenixing” – directors move assets from one limited company to another to ‘secure’
the benefits of their business and avoid the liabilities.
Ø Most or all the directors will usually be the same in both companies.
Ø This usually arises as a way of ‘rescuing’ the assets of a failing business rather than
targeting a company
Alternatively it can be done by buying shares in a company when they are at a low price
and then starting a rumour that the company is being taken over. When the share price rises,
the shares are sold at a profit.
These types of fraudsters usually want you to invest your money in a company or
opportunity which seems to be offering very high rates of return.
The criminals will produce fake documents and applications to deliberately deceive and
exploit certain schemes which are in place to provide help to genuine applicants. Examples of
Public Sector fraud include:
· Identity fraud
· Benefit fraud
· Contractual dispute
Case Study #1
The Trust was concerned that a doctor was running a private practice using government
resources. This was a sensitive issue; work had to be done covertly to take a forensic image of
his laptop so as not to raise suspicion or alarm other staff. Dozens of emails were extracted
showing that the subject had made private appointments over the previous year at times when he
should have been working for the Government. This evidence formed a key part of a tribunal
hearing that awarded damages.
Case Study #2
A complex, high-value case, where multiple computers and servers held evidence of the
systematic deletion of important data. The person accused of the deletion was a highly
experienced IT administrator who had gone to significant lengths to cover his tracks. Low-level
deletion software had been renamed, run remotely over the company network and then deleted,
leaving minimal artefacts.
Computer forensic specialists recreated these conditions on their test network and were
able to produce the same artefacts that were found on the original computers and servers. This
information helped the client to refute the explanations provided by the IT administrator in a very high
value litigation case.
Case Study #3
A large financial institution had dismissed a senior managing director due to performance
issues. The dismissed employee began legal proceedings against his former employer, claiming
unfair dismissal. A forensic examination of the computers revealed thousands of pornographic images
that had been downloaded to his work laptop and then transferred to personal USB drives.
Time-line analysis revealed that the searching and downloading of the images was
exclusively carried out during office hours. Evidence was also found of the subject using the laptop
to order illegal items, which provided the client with the evidence to reject the claim of unfair dismissal.
Case Study #4
A case involving data breach – Analysis revealed a scheme to produce and distribute
sensitive material on a global scale. The data extracted revealed the suspect’s production
sources, distribution lists and order books.
Case Study #5
A large firm of insolvency practitioners based in central London required twelve servers
and three PCs from a recently liquidated company to be examined. The computer equipment to be
examined had been removed from the company premises and had been piled into a corner of
a room. The equipment was old, had been switched off for months and several items had been
marked ‘faulty’ by their previous owners.
No passwords had been provided and the liquidated company’s former IT administrator
was unwilling to help; additionally it was understood that attempts had been made to wipe data
from the disks. Despite these circumstances computer forensic investigators managed to
recover 100% of the available data.
Case Study #6
Working closely with the insolvency practice, the relevant material was extracted from the mass
of recovered data: emails, spreadsheets, documents and internet history. The evidence extracted helped
prove the misconduct of the directors which the insolvency firm had long
suspected.
The US Public Company Accounting Oversight Board (PCAOB) also requires auditors to
evaluate fraud-related activities as a component of an internal audit function.
IT audit provides a vital role in the prevention, detection and investigation of fraud.
IT Processes
Control Objectives for Information and related Technology (COBIT) provides excellent
coverage of IT processes. The COBIT 5 framework for the governance and management of
enterprise IT is a leading-edge business optimization and growth roadmap that leverages proven
practices, global thought leadership and ground-breaking tools to inspire IT innovation and fuel
business success. IT processes, according to COBIT, can be classified into one of four specific
domains:
Risk Management
Fraud Risk Assessment
The fraud risk assessment begins with ranking the likelihood and significance of fraud
activities associated with IT processes. PCAOB Auditing Standard (AS) No. 2 provides an
example of the probability of a risk and its corresponding significance. This PCAOB standard
specifies three risk levels:
· Remote
· Probable
The PCAOB standard also defines significance of a risk into three categories:
· Inconsequential
· Material
Upon the completion of ranking fraud activities associated with IT processes, the fraud
risk assessment process can map the IT processes with types of fraud and controls in place (if
any).
Since both the business and IT environments are changing rapidly, the fraud risk
assessment should be carried out on a regular basis or whenever there is a major change in an
IT process.
Furthermore, in identifying an IT process for fraud risk assessment, an auditor may use
historical patterns of fraud within the company as a benchmark reference.
An employee of a large software services company in India was able to steal the password
of the bank account of the company and embezzle an amount in excess of US$4 million.
An employee of a software development company in India sold off the source code of the
new software developed by the company to its competitors.
Forex fraud
Data theft
Refund fraud
Two employees working in a Chennai (India)-based BPO misused their authority and
created 30 dummy customer e-mail IDs and embezzled more than US$91,000, which was
supposed to be paid as refund for dissatisfied customers.
Procurement fraud
Recruitment fraud
The entire recruitment team at the Indian subsidiary of a large IT company was sacked
for allegedly accepting bribes from prospective employees and recruitment consultants.
Payroll fraud
An employee of a Hyderabad-based company drew salary even after six months of leaving
the company.
Misappropriation of funds
Few employees from the Pune center of a large Indian BPO opened several dummy
accounts to transfer the customer funds to these fictitious accounts.
Section 43 – Penalty and Compensation for damage to computer, computer system, etc
Related Case: Mphasis BPO Fraud: 2005. In December 2004, four call centre employees,
working at an outsourcing facility operated by MphasiS in India, obtained PIN codes from four
customers of MphasiS’ client, Citi Group. These employees were not authorized to obtain the
PINs. In association with others, the call centre employees opened new accounts at Indian
banks using false identities. Within two months, they used the PINs and account information
gleaned during their employment at MphasiS to transfer money from the bank accounts of
CitiGroup customers to the new accounts at Indian banks.
By April 2005, the Indian police had been tipped off to the scam by a U.S. bank, and quickly
identified the individuals involved in the scam. Arrests were made when those individuals
attempted to withdraw cash from the falsified accounts. $426,000 was stolen; the amount
recovered was $230,000.
Verdict: Court held that Section 43(a) was applicable here due to the nature of unauthorized
access involved to commit transactions.
In this case the accused gained unauthorized access to the Joint Academic Network
(JANET) and deleted, added files and changed the passwords to deny access to the authorized
users. Investigations had revealed that Kumar was logging on to the BSNL broadband Internet
connection as if he was the authorized genuine user and ‘made alteration in the computer
database pertaining to broadband Internet user accounts’ of the subscribers. The CBI had
registered a cyber crime case against Kumar and carried out investigations on the basis of a
complaint by the Press Information Bureau, Chennai, which detected the unauthorised use of
broadband Internet. The complaint also stated that the subscribers had incurred a loss of Rs
38,248 due to Kumar’s wrongful act. He used to ‘hack’ sites from Bangalore, Chennai and other
cities too, they said.
Relevant Cases:
The CEO of an identity theft protection company, Lifelock, Todd Davis’s social security
number was exposed by Matt Lauer on NBC’s Today Show. Davis’ identity was used to obtain
a $500 cash advance loan.
Li Ming, a graduate student at West Chester University of Pennsylvania faked his own
death, complete with a forged obituary in his local paper. Nine months later, Li attempted to
obtain a new driver’s license with the intention of applying for new credit cards eventually.
On a complaint filed by the representative of a company engaged in the business
of trading and distribution of petrochemicals in India and overseas, a crime was registered
against nine persons, alleging offences under Sections 65, 66, 66A, C and D of the Information
Technology Act along with Sections 419 and 420 of the Indian Penal Code. The company has
a web-site in the name and style ‘www.jaypolychem.com’, but another web site
‘www.jayplychem.org’ was set up on the internet by the first accused, Samdeep Varghese @ Sam
(who was dismissed from the company), in conspiracy with other accused, including Preeti and
Charanjeet Singh, who are the sister and brother-in-law of ‘Sam’. Defamatory and malicious
matters about the company and its directors were made available on that website. The accused
sister and brother-in-law were based in Cochin and had been acting in collusion with known
and unknown persons, who collectively cheated the company and committed acts of
forgery, impersonation etc. Two of the accused, Amardeep Singh and Rahul, had visited Delhi
and Cochin. The first accused and others sent e-mails from fake e-mail accounts of many of the
customers, suppliers, bank etc. to malign the name and image of the Company and its Directors.
The defamation campaign run by all the said persons has caused immense
damage to the name and reputation of the Company.
The Company suffered losses of several crores of Rupees from producers, suppliers and
customers and were unable to do business.
Relevant Cases:
Jawaharlal Nehru University MMS scandal: In a severe shock to the prestigious and
renowned institute, Jawaharlal Nehru University, a pornographic MMS clip was apparently
made on the campus and transmitted outside the university. Some media reports claimed that
the two accused students initially tried to extort money from the girl in the video, but when they
failed the culprits put the video out on mobile phones, on the internet and even sold it as a CD
in the blue film market.
Nagpur Congress leader’s son MMS scandal On January 05, 2012 Nagpur Police arrested
two engineering students, one of them a son of a Congress leader, for harassing a 16-year-old
girl by circulating an MMS clip of their sexual acts. According to the Nagpur (rural) police, the
girl was in a relationship with Mithilesh Gajbhiye, 19, son of Yashodha Dhanraj Gajbhiye, a zila
parishad member and an influential Congress leader of Saoner region in Nagpur district.
Fraud Investigation
Summary
· The term “occupational fraud” is defined as: “the use of one’s occupation for personal
enrichment through the deliberate misuse or misapplication of the employing
organization’s resources or assets.”
· Types of frauds are Corporate Fraud, Publishing false information, Public Sector
Fraud, Investment fraud, Share scams (boiler room fraud), Recovery Room Fraud,
Other Investment fraud, Bribery and corruption.
Reference
1. https://www.slideshare.net/padmajanaidu16/cyber-law-sections-under-itc-act-cases
2. https://www.scribd.com/doc/190389306/Case-studies-under-Indian-IT-Act-2000
3. http://niiconsulting.com/checkmate/2014/06/it-act-2000-penalties-offences-with-case-studies/
ELECTIVE PAPER-I
Section-A
2. What is cybercrime?
9. Who is a whistleblower?
Section-B
4. Define virus, worms and trojans. List down mode of distribution of all.
SECTION – C
1. What is malware? What are different types of malware? List down notable malwares
in timeline.
2. What is fraud? What are different types of telecom frauds? Give examples.
3. Explain various types of payment card frauds. What are the countermeasures?
4. What is ecommerce fraud? What are different types of ecommerce frauds? Give
examples.