CYBERCRIMES
A Textbook for BS Criminology Students and Practitioners
ARLAN G. REBURON
What is Cybercrime
Cybercrime goes beyond the technical,
transnational dimension and involves
offenders who deliberately fashion their
attacks to exploit the potential
weaknesses present in the infrastructure’s
transnational nature.
It threatens the substantial and growing reliance
of commerce, governments, and the public upon the
information infrastructure to conduct business, carry
messages, and process information.
Cybercrime is criminal activity that either targets or
uses a computer, a computer network or a networked
device.
Most, but not all,
cybercrime is committed
by cybercriminals or
hackers who want to make
money. Cybercrime is
carried out by individuals
or organizations.
Some cybercriminals are organized, use advanced
techniques and are highly technically skilled. Others are
novice hackers.
Rarely, cybercrime aims to damage computers for
reasons other than profit. These could be political/
ideological or personal in nature.
Cybercrime is one of the fastest growing non-
violent crimes in the Asian region. It takes a great deal
of technical expertise and co-operation, both local and
foreign, in order to address such problems. This crime
affects different countries in varying degrees, depending
on the extent of the legislative enactment of each country.
In the Philippines, as technical and electronic
landscapes change, there is a need to enact laws or
amend existing laws to fully address cyber threats.
Types
Here are some specific examples of the
different types of cybercrime:
• Email and internet fraud.
• Identity fraud (where personal information is
stolen and used).
• Theft of financial or card payment data.
• Theft and sale of corporate data.
• Cyberextortion (demanding money to prevent a
threatened attack).
• Ransomware attacks (a type of cyberextortion).
• Cryptojacking (where hackers mine cryptocurrency
using resources they do not own).
• Cyberespionage (where hackers access
government or company data).
2 Introduction to Cybercrime
Cybercriminals may infect computers with viruses
and malware to damage devices or stop them working.
They may also use malware to delete or steal data.
Cybercrime that stops users using a machine or
network, or prevents a business providing a software
service to its customers, is called a Denial-of-Service (DoS)
attack.
Cybercrime that uses computers to commit other
crimes may involve using computers or networks to
spread malware, illegal information or illegal images.
Sometimes cybercriminals conduct both categories
of cybercrime at once. They may target computers with
viruses first, then use them to spread malware to other
machines or throughout a network.
Cybercriminals may also carry out what is known
as a Distributed-Denial-of-Service (DDoS) attack. This is
similar to a DoS attack but cybercriminals use
numerous compromised computers to carry it out.
The US Department of Justice recognizes a third
category of cybercrime which is where a computer is
used as an accessory to crime. An example of this is
using a computer to store stolen data.
The US has signed the European Convention of
Cybercrime. The convention casts a wide net and there are
numerous malicious computer-related crimes which it
considers cybercrime. For example:
• Illegally intercepting or stealing data.
• Interfering with systems in a way that compromises
a network.
• Infringing copyright.
• Illegal gambling.
• Selling illegal items online.
• Soliciting, producing or possessing child
pornography.
Chapter I: Introduction 3
Examples of cybercrime
Phishing
A DDoS attack overwhelms a system by using one
of the standard communication protocols it uses to
spam the system with connection requests.
Cybercriminals who are carrying out
cyberextortion may use the threat of a DDoS attack to
demand money. Alternatively, a DDoS may be used as a
distraction tactic while another type of cybercrime takes
place.
A famous example of this type of attack is the 2017
DDoS attack on the UK National Lottery website. This
brought the lottery’s website and mobile app offline,
preventing UK citizens from playing.
Cybercrime in PH
all contacts listed in that directory. Once received and
opened in another computer, it replicates all that it did
previously. The replication went on and on, sweeping all
computers where the email was received and opened,
from Hong Kong, to Europe, to the United States,
infecting and damaging computers and networks of
small and big companies, private and government
institutions. The damage was about US$ 5.5 billion;
some reports say US$ 10 billion.
2. Arrest of the Suspect
The Philippine National Police (PNP) Efforts
REPUBLIC ACT NO. 10175
PRELIMINARY PROVISIONS
Section 1. Title. — This Act shall be known as the
“Cybercrime Prevention Act of 2012”.
Section 2. Declaration of Policy.— The State recognizes the vital
role of information and communications industries such
as content production, telecommunications,
broadcasting electronic commerce, and data processing,
in the nation’s overall social and economic development.
The State also recognizes the importance of providing
an environment conducive to the development,
acceleration, and rational application and exploitation
of information and communications technology (ICT) to
attain free, easy, and intelligible access to exchange
and/or delivery of information; and the need to protect
and safeguard the integrity of computer, computer and
communications systems, networks, and databases,
and the confidentiality, integrity, and availability of
information and data stored therein, from all forms of
misuse, abuse, and illegal access by making punishable
under the law such conduct or conducts. In this light, the
State shall adopt sufficient powers to effectively prevent
and combat such offenses by facilitating their detection,
investigation, and prosecution at both the domestic and
international levels, and by providing arrangements for
fast and reliable international cooperation.
communication network.
(b) Alteration refers to the modification or change, in
form or substance, of an existing computer data or
program.
(c) Communication refers to the transmission of
information through ICT media, including voice,
video and other forms of data.
(d) Computer refers to an electronic, magnetic,
optical, electrochemical, or other data processing
or communications device, or grouping of such
devices, capable of performing logical, arithmetic,
routing, or storage functions and which includes
any storage facility or equipment or
communications facility or equipment directly
related to or operating in conjunction with such
device. It covers any type of computer device
including devices with data processing
capabilities like mobile phones, smart phones,
computer networks and other devices connected
to the internet.
(e) Computer data refers to any representation of facts,
information, or concepts in a form suitable for
processing in a computer system including a
program suitable to cause a computer system to
perform a function and includes electronic
documents and/or electronic data messages
whether stored in local computer systems or online.
(f) Computer program refers to a set of instructions
executed by the computer to achieve intended
results.
(g) Computer system refers to any device or group of
interconnected or related devices, one or more of
which, pursuant to a program, performs automated
processing of data. It covers any type of device
with data processing capabilities including, but not
limited to, computers and mobile phones. The
device consisting of hardware and software may
include input, output and storage components
which may stand alone or be connected in a
network or other similar devices. It also includes
computer data storage devices or
media.
(h) Without right refers to either: (i) conduct
undertaken without or in excess of authority;
or (ii) conduct not covered by established legal
defenses, excuses, court orders, justifications, or
relevant principles under the law.
(i) Cyber refers to a computer or a computer
network, the electronic medium in which online
communication takes place.
(j) Critical infrastructure refers to the computer
systems, and/or networks, whether physical or
virtual, and/or the computer programs,
computer data and/or traffic data so vital to this
country that the incapacity or destruction of or
interference with such system and assets would
have a debilitating impact on security, national or
economic security, national public health and
safety, or any combination of those matters.
(k) Cybersecurity refers to the collection of tools,
policies, risk management approaches, actions,
training, best practices, assurance and
technologies that can be used to protect the cyber
environment and organization and user’s assets.
(l) Database refers to a representation of information,
knowledge, facts, concepts, or instructions which
are being prepared, processed or stored or have
been prepared, processed or stored in a formalized
manner and which are intended for use in a
computer system.
(m) Interception refers to listening to, recording,
monitoring or surveillance of the content of
communications, including procuring of the
content of data, either directly, through access and
use of a computer system or indirectly, through
the use of electronic eavesdropping or tapping
devices, at the same time that the communication
is occurring.
(n) Service provider refers to:
(1) Any public or private entity that provides to
users of its service the ability to communicate
by means of a computer system; and
(2) Any other entity that processes or stores
computer data on behalf of such communication
service or users of such service.
(o) Subscriber’s information refers to any information
contained in the form of computer data or any other
form that is held by a service provider, relating to
subscribers of its services other than traffic or
content data and by which identity can be
established:
(1) The type of communication service used, the
technical provisions taken thereto and the
period of service;
(2) The subscriber’s identity, postal or geographic
address, telephone and other access numbers,
any assigned network address, billing and
payment information, available on the basis of
the service agreement or arrangement; and
(3) Any other available information on the site of the
installation of communication equipment,
available on the basis of the service agreement
or arrangement.
(p) Traffic data or non-content data refers to any
computer data other than the content of the
communication including, but not limited to, the
communication’s origin, destination, route, time,
date, size, duration, or type of underlying service.
PUNISHABLE ACTS
Section 4. Cybercrime Offenses. — The following acts
constitute the offense of cybercrime punishable under this
Act:
(a) Offenses against the confidentiality, integrity and
availability of computer data and systems:
(1) Illegal Access. – The access to the whole or any
part of a computer system without right.
(2) Illegal Interception. – The interception made by
technical means without right of any nonpublic
transmission of computer data to, from, or
within a computer system including
electromagnetic emissions from a computer
system carrying such computer data.
(3) Data Interference. — The intentional or reckless
alteration, damaging, deletion or deterioration
of computer data, electronic document,
or electronic data message, without right,
including the introduction or transmission of
viruses.
(4) System Interference. — The intentional
alteration or reckless hindering or interference
with the functioning of a computer or computer
network by inputting, transmitting, damaging,
deleting, deteriorating, altering or suppressing
computer data or program, electronic
document, or electronic data message, without
right or authority, including the introduction
or transmission of viruses.
(5) Misuse of Devices.
(i) The use, production, sale, procurement,
importation, distribution, or otherwise
making available, without right, of:
(aa) A device, including a computer program,
designed or adapted primarily for the
purpose of committing any of the
offenses under this Act; or
(ab) A computer password, access code, or
similar data by which the whole or any
part of a computer system is capable of
being accessed with intent that it be used
for the purpose of committing any of the
offenses under this Act.
(ii) The possession of an item referred to in
paragraphs 5(i)(aa) or (bb) above with intent
to use said devices for the purpose of
committing any of the offenses under this
section.
(6) Cyber-squatting. – The acquisition of a domain
name over the internet in bad faith to profit,
mislead, destroy reputation, and deprive
others from registering the same, if such a
domain name is:
(i) Similar, identical, or confusingly similar to an
existing trademark registered with the
appropriate government agency at the time
of the domain name registration:
(ii) Identical or in any way similar with the
name of a person other than the registrant,
in case of a personal name; and
(iii) Acquired without right or with intellectual
property interests in it.
(b) Computer-related Offenses:
(1) Computer-related Forgery. —
(i) The input, alteration, or deletion of any
computer data without right resulting in
inauthentic data with the intent that it be
considered or acted upon for legal purposes
as if it were authentic, regardless whether or
not the data is directly readable and
intelligible; or
(ii) The act of knowingly using computer data
which is the product of computer-related
forgery as defined herein, for the purpose of
perpetuating a fraudulent or dishonest
design.
(2) Computer-related Fraud. — The unauthorized
input, alteration, or deletion of computer data
or program or interference in the functioning
of a computer system, causing damage
thereby with fraudulent intent: Provided, That
if no damage has yet been caused, the penalty
imposable shall be one (1) degree lower.
(3) Computer-related Identity Theft. – The
intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying
information belonging to another, whether
natural or juridical, without right: Provided,
That if no damage has yet been caused, the
penalty imposable shall be one (1) degree lower.
(c) Content-related Offenses:
(1) Cybersex. — The willful engagement,
maintenance, control, or operation, directly or
indirectly, of any lascivious exhibition of
sexual organs or sexual activity, with the aid of
a computer system, for favor or consideration.
(2) Child Pornography. — The unlawful or
prohibited acts defined and punishable by
Republic Act No. 9775 or the Anti-Child
Pornography Act of 2009, committed through
a computer system: Provided, That the penalty
to be imposed shall be (1) one degree higher
than that provided for in Republic Act No. 9775.
(3) Unsolicited Commercial Communications. —
The transmission of commercial electronic
communication with the use of computer
system which seek to advertise, sell, or offer
for sale products and services are prohibited
unless:
(i) There is prior affirmative consent from the
recipient; or
(ii) The primary intent of the communication is
for service and/or administrative
announcements from the sender to its
existing users, subscribers or customers; or
(iii) The following conditions are present:
(aa) The commercial electronic communication
contains a simple, valid, and reliable way
for the recipient to reject receipt of further
commercial electronic messages (opt-out)
from the same source;
(ab) The commercial electronic
communication does not purposely
disguise the source of the electronic
message; and
(ac) The commercial electronic
communication does not purposely
include misleading information in any
part of the message in order to induce
the recipients to read the message.
(4) Libel. — The unlawful or prohibited acts of libel
as defined in Article 355 of the Revised Penal
Code, as amended, committed through a
computer system or any other similar means
which may be devised in the future.
Section 5. Other Offenses. — The following acts shall
also constitute an offense:
(a) Aiding or Abetting in the Commission of
Cybercrime. – Any person who willfully abets
or aids in the commission of any of the offenses
enumerated in this Act shall be held liable.
(b) Attempt in the Commission of Cybercrime. — Any
person who willfully attempts to commit any of the
offenses enumerated in this Act shall be held liable.
Section 6. All crimes defined and penalized by the
Revised Penal Code, as amended, and special laws, if
committed by, through and with the use of information
and communications technologies shall be covered by
the relevant provisions of this Act: Provided, That the
penalty to be imposed shall be one (1) degree higher
than that provided for by the Revised Penal Code, as
amended, and special laws, as the case may be.
Section 7. Liability under Other Laws. — A prosecution
under this Act shall be without prejudice to any liability
for violation of any provision of the Revised Penal Code, as
amended, or special laws.
Chapter II
First Responder’s Guide
• Listen for sounds
• Feel for vibrations or heat
NOTE: Many mobile devices save power by turning off
screens after a specified amount of time. Despite the
screen status, the device is likely still active. Ask if the
device is currently powered on. Where legal, pressing the
home button quickly will activate the screen.
Step 3 - If the device is off, do not turn it on
• Collect and package
• Ask for password/pass pattern
• Transport ASAP
Step 4 - If the device is on, proceed with caution
WARNING - The two most significant challenges for
officers seizing mobile devices are:
(1) isolating the device from cellular and Wi-Fi
networks; and
(2) obtaining security passwords or pass patterns for
the device so the evidence can be examined
forensically.
Always ask if there is any security feature enabled
on the phone. These can include passwords (simple
or complex), security/wiping apps, pass patterns, or
biometrics (facial scan). Document (see the attached
consent form for guidance) and confirm the password or
pass pattern. Turning the device off could result in the loss
of evidence. The best option is to keep the device powered,
unlocked (if locked, collect any available passwords, PIN
codes, or security unlock information), and in airplane
mode until it is in the hands of an experienced technician.
Step 5 - Collection and Package
WARNING - You may need to collect other forensic
evidence including fingerprints, biological samples,
DNA, etc. from smartphones and mobile devices. Work
with crime scene technicians or trained forensic
personnel to preserve such evidence without disturbing
the integrity of the data on the device. Be sure to advise
forensic examiners in advance of submission of the
possible existence of hazardous material on the device.
expert (if you don’t know who to contact, call the
number on the inside cover of this manual)
• Photograph the screen
• Once you are prepared to power down the system,
pull the plug from the back of the computer system
• Remove the battery from a laptop system.
Step 5 – Disassemble and package the system
WARNING - You may need to collect other forensic evidence including
fingerprints, biological samples, DNA, etc. from computer
systems, digital devices, and electronic media. Work with
crime scene service technicians or trained forensic
personnel to preserve such evidence without disturbing
the integrity of the digital media.
• Photograph the system from all perspectives
• Clearly mark evidence and document chain of
custody, location, and other important details about
the seized item(s)
• Disconnect and secure cables
• Check media ports and CD/DVD trays for the
presence of removable media
• Package the system, and peripheral devices, for
transport using laptop bags (if applicable), boxes, or
evidence bags
Step 6 – Transport
• Protect from temperature extremes and moisture. Do not
place evidence in the cruiser’s trunk
• Protect from electro-static discharge
• Package evidence so it will not be physically
damaged or deformed
• Deliver evidence to a secure law enforcement
facility or digital evidence laboratory as soon as
practicable
Other Commonly Seized Devices That May Store
Digital Evidence
There are many other storage media and technical
devices that may process and store digital evidence.
Examples of these devices include media cards (ie.
• If available, paper evidence bags, or static-free
evidence bags, are best for the storage of media
• Media contained in binders or carriers should
remain in the container
• Be careful not to scratch optical media during
seizure.
• Gaming stations should be seized in the same
manner as computers
WARNING - Collecting evidence from surveillance
systems can be difficult. Time is of the essence as digital
surveillance systems often have proprietary software and
hardware needs for playback. Speak to your prosecutor
or agency legal counsel when making a decision about
the seizure of a digital surveillance system as opposed to
footage or segments of video extracted from the system.
Also, be sure to get the company and installer name and
contact information for the person that installed or
maintains the system.
Step 6 - Collection and Package
• Follow chain-of-custody procedures
• Secure data and power cables
• Label the evidence container(s), not the device(s)
• Package the device so it will not be physically
damaged or deformed
• Package the device in evidence bags or boxes
Step 7 - Transport
• Deliver evidence to a secure law enforcement
facility or digital evidence laboratory as soon as
practicable
• Protect from temperature extremes and moisture
Do…
Make sure you are lawfully present and have the
appropriate legal authority to conduct the search.
Secure the scene. Make sketches and/or take photos.
Consult technical experts as needed. Use seizure form if
collecting digital evidence.
Do Not…
Turn on computers or other digital devices. Touch a
computer if it is ‘on’ unless you are properly trained. Do
not allow anyone access to computers or other digital
devices.
Glossary
denial of service (DoS) -- an attack that causes the targeted
system to be unable to fulfill its intended function
digital signature -- an electronic equivalent of a signature
domain name -- the textual name assigned to a host on
the Internet
dumpster diving -- looking through trash for access codes
or other sensitive information
email -- an application that allows the sending of
messages between computer users via a network
encryption -- the process of protecting information or
hiding its meaning by converting it into a code
firewall -- a device designed to enforce the boundary
between two or more networks, limiting access
hacker -- a term sometimes used to describe a person who
pursues knowledge of computer and security systems for
its own sake; sometimes used to describe a person who
breaks into computer systems for the purpose of stealing
or destroying data
hacking -- original term referred to learning programming
languages and computer systems; now associated with the
process of bypassing the security systems on a computer
system or network
high risk application -- a computer application that,
when opened, can cause the user to become vulnerable
to a security breach
hijacking -- the process of taking over a live connection
between two users so that the attacker can masquerade
as one of the users
host -- a computer system that resides on a network and
can independently communicate with other systems on
the network
Hypertext Markup Language (HTML) -- the language in
which most webpages are written
information security -- a system of procedures and
policies designed to protect and control information
Internet -- a computer network that uses the Internet
protocol family
Internet Relay Chat (IRC) -- a large, multiple-user, live
chat facility
Internet service provider (ISP) -- any company that
provides users with access to the Internet
intranet -- a private network used within a company or
organization that is not connected to the Internet
intrusion detection -- techniques designed to detect
breaches into a computer system or network
IP spoofing -- an attack where the attacker disguises
himself or herself as another user by means of a false IP
network address
keystroke monitoring -- the process of recording every
character typed by a computer user on a keyboard
leapfrog attack -- using a password or user ID obtained in
one attack to commit another attack
letterbomb -- an email containing live data intended to
cause damage to the recipient’s computer
malicious code -- any code that is intentionally included
in software or hardware for an unauthorized purpose
one-time password -- a password that can be used only
once, usually randomly generated by special software
packet -- a discrete block of data sent over a network
packet sniffer -- a device or program that monitors the
data traveling over a network by inspecting discrete
packets
password -- a data string used to verify the identity of
a user
password sniffing -- the process of examining data
traffic for the purpose of finding passwords to use later
in masquerading attacks
pen register -- a device that records the telephone
numbers of calls received by a particular telephone
phracker -- a person who combines phone phreaking
with computer hacking
phreaker -- a person who hacks telephone systems,
usually for the purpose of making free phone calls
piggyback -- gaining unauthorized access to a computer
system via another user’s legitimate connection
piracy -- the act of illegally copying software, music, or
movies that are copyright-protected
Pretty Good Privacy (PGP) -- a freeware program designed
to encrypt email
probe -- an effort to gather information about a computer
or its users for the purpose of gaining unauthorized
access later
risk assessment -- the process of studying the
vulnerabilities, threats to, and likelihood of attacks on a
computer system or network
smart card -- an access card that contains encoded
information used to identify the user
sniffer -- a program designed to capture information
across a computer network
social engineering -- term often used to describe the
techniques virus writers and hackers utilize to trick
computer users into revealing information or activating
viruses
spam -- unsolicited commercial email
spoofing -- the process of disguising one computer user
as another
trap and trace device -- a device used to record the
telephone numbers dialed by a specific telephone
Trojan horse -- an apparently innocuous program that
contains code designed to surreptitiously access
information or computer systems without the user’s
knowledge
virus -- a computer program designed to make copies
of itself and spread itself from one machine to another
without the help of the user
war dialer -- software designed to detect dial-in access
to computer systems
warez -- slang for pirated software
white hat -- a hacker whose intentions are not criminal
or malicious
wiretapping -- the interception of electronic
communications in order to access information
worm -- a computer program that copies itself across a
network.