
Accounting Information Systems

Fifteenth Edition, Global Edition

Chapter 9
Computer Fraud and Abuse
Techniques

• Copyright © 2021 Pearson Education Ltd.


Learning Objectives
• Compare different techniques of computer attack and abuse.
• Explain how social engineering techniques are used to gain physical or logical access to computer resources.
• Describe the different types of malware used to harm computers.



Computer Attacks and Abuse
• There are six steps that many criminals use to attack
information systems:
– Conduct reconnaissance
– Attempt social engineering
– Scan and map the target
– Research
– Execute the attack
– Cover tracks



Types of Attacks
• Hacking
– Unauthorized access, modification, or use of an
electronic device or some element of a computer
system
• Social Engineering
– Techniques or tricks on people to gain physical or
logical access to confidential information
• Malware
– Software used to do harm



Hacking
– Hijacking
  ▪ Gaining control of a computer to carry out illicit activities
– Botnet (robot network)
  ▪ Zombies
  ▪ Bot herders
  ▪ Denial of Service (DoS) attack
  ▪ Brute force attack
  ▪ Password cracking
  ▪ Dictionary attack
  ▪ Spamming
  ▪ Spoofing: makes the communication look as if someone else sent it so as to gain confidential information

Social Engineering Techniques
• Identity theft: Assuming someone else’s identity (e.g. pretending to be a maintenance worker or an IT technician to gain entry to a secure area)
• Pretexting: Using a scenario to trick victims to get information or to gain access (e.g. pretending to be a new employee who lost their access card and asking a colleague to let them in)
• Posing: Creating a seemingly legitimate business, collecting personal data while making a sale, and never delivering the items sold
• Baiting: Leaving a physical device, such as a USB drive, in a strategic location to lure someone into using it and compromising security (e.g. leaving infected USB drives in a parking lot, hoping an employee will pick one up and connect it to a work computer)

Social Engineering Techniques
• Phishing: Sending an e-mail that appears to be from a trusted source, asking the victim to respond to a link that requests sensitive data
• Vishing (voice phishing): Using phone calls to deceive individuals into providing sensitive information (e.g. calling an employee and pretending to be from the IT department, requesting login credentials for a supposed system upgrade)
• Pharming: Redirecting website traffic to a fraudulent website
• Scavenging: Searching trash for confidential information
• Shoulder surfing: Spying, either from close behind the person or by using technology to snoop, to get confidential information



Why People Fall Victim
• Compassion: Desire to help others
  e.g. An attacker poses as a charity worker seeking donations for a fictitious disaster relief fund. People, driven by compassion, may willingly provide personal or financial information to contribute to the cause.
• Greed: Want a good deal or something for free
  e.g. A scammer sends an e-mail promising huge financial returns with minimal investment. Driven by greed, individuals may fall victim by investing money or providing sensitive financial information.
• Sex appeal: More cooperative with those who are flirtatious or good looking
  e.g. Creating a fake online dating profile with an attractive photo. After establishing a connection, the attacker convinces the target to share personal information.

Why People Fall Victim
• Sloth: Lazy habits
  e.g. A phishing e-mail claims to be from the IT department, stating that the user's password needs to be updated, and provides a convenient link. Users, rather than verifying the request, might lazily click the link and unknowingly compromise their credentials.
• Trust: Will cooperate if trust is gained
  e.g. An attacker may spend time building a relationship with an employee on social media, gaining their trust over weeks or months.
• Urgency: Cooperation occurs when there is a sense of immediate need
  e.g. A phishing e-mail creates a sense of urgency, claiming that an account will be suspended unless immediate action is taken. The victim, feeling pressured, might hastily provide login credentials.

Minimize the Threat of Social Engineering
• Never let people follow you into restricted areas
• Never log in for someone else on a computer
• Never give sensitive information over the phone or through
e-mail
• Never share passwords or user IDs
• Be cautious of someone you don’t know who is trying to
gain access through you



Malware
Any software that is used to harm
• Spyware
  – Secretly monitors and collects information
  – Can hijack browser, search requests
  – Adware, scareware
• Keylogger
  – Software that records user keystrokes
• Trojan Horse
  – Malicious computer instructions in an authorized and properly functioning program
• Trap door
  – Set of instructions that allow the user to bypass normal system controls
• Packet sniffer
  – Captures data as it travels over the Internet
• Virus
  – A section of self-replicating code that attaches to a program or file, requiring a human to do something so it can replicate itself
• Worm
  – Stand-alone self-replicating program

Cellphone Bluetooth Vulnerabilities
• Bluesnarfing
– Stealing contact lists, data, pictures on Bluetooth
compatible smartphones
• Bluebugging
– Taking control of a phone to make or listen to calls,
send or read text messages



Questions
1. Techniques used to obtain confidential information, often by tricking
people, are referred to as what?
Social engineering
2. Using a scenario to trick victims to get information or to gain access is one
of the social engineering techniques named as:
a) Pretexting
b) Identity theft
c) Pharming
d) Vishing



• Gaining control of somebody's computer without their knowledge and using it to carry
out illicit activities is known as:

• A) hacking.

• B) spamming.

• C) posing.

• D) hijacking.


• Creating a seemingly legitimate business, collecting personal data while making a sale,
and never delivering items sold is known as

• A) hacking.

• B) spamming.

• C) posing.

• D) hijacking.


3. The controller of a small business received the following e-mail with an authentic-looking e-mail address and logo:

From: Big Bank [antifraud@bigbank.com]
To: Justin Lewis, Controller, Small Business USA
Subject: Official Notice for all users of Big Bank!

Due to the increased incidence of fraud and identity theft, we are asking all bank customers to verify their account information on the following Web page: www.antifraudbigbank.com
Please confirm your account information as soon as possible. Failure to confirm your account information will require us to suspend your account until confirmation is made.

a. What should Justin do about these e-mails?



• This is an attempt to acquire confidential information so that it can be used for illicit purposes such as identity theft. Since the e-mail looks authentic and appears authoritative, unsuspecting and naïve employees are likely to follow the e-mail's instructions.

Justin should:

• Notify all employees and management that the e-mail is fraudulent and that no information should be entered on the indicated website.
• Delete the e-mail without responding to its sender.
• Launch an education program for all employees and management about computer fraud practices that could target their business.
• Notify Big Bank regarding the e-mail.



b. What should Big Bank do about these e-mails?

• Immediately alert all customers about the e-mail and ask them to forward any suspicious e-mail to the bank's security team. This needs to be done via the bank's website, not by an e-mail message: banks should never use e-mail in ways that resemble this type of attack.
• Encourage customers and employees to notify Big Bank of suspicious e-mails.
• Notify and cooperate with law enforcement agencies so the perpetrator can be arrested.
• Notify the internet service provider (ISP) from which the e-mail originated, demanding that the perpetrator's account be discontinued.

c. Identify the computer fraud and abuse technique illustrated.

• This computer fraud and abuse technique is called phishing. Its purpose is to get the information needed to commit identity theft.

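The answer key names the signals that give this message away: the link leads to a domain that is not the sender's own, and the text pressures the reader into acting quickly on account credentials. The following Python script is an added example, not code from the textbook or its publisher. It runs those checks over a constructed copy of the Big Bank e-mail from question 3 and, for contrast, over a constructed benign notice. The phrase lists, the scoring rule, and the naive "last two labels" notion of a registrable domain are assumptions chosen for illustration; a production mail filter would use a public-suffix list and a much richer set of indicators.

```python
"""Phishing-indicator check for the Big Bank e-mail in question 3.

Added example (not the textbook's code). Flags the signals the answer key
describes: a link domain that differs from the sender's domain, a lookalike
domain that embeds the sender's name, urgency language, and a request to
verify or confirm account details.
"""
import re
from urllib.parse import urlparse

# Constructed copy of the e-mail quoted in question 3 (addresses are fictional).
SAMPLE_EMAIL = """From: Big Bank [antifraud@bigbank.com]
To: Justin Lewis, Controller, Small Business USA
Subject: Official Notice for all users of Big Bank!

Due to the increased incidence of fraud and identity theft, we are asking all bank customers
to verify their account information on the following Web page: www.antifraudbigbank.com
Please confirm your account information as soon as possible. Failure to confirm your
account information will require us to suspend your account until confirmation is made.
"""

# Constructed benign notice for contrast (assumed wording; not from the textbook).
BENIGN_EMAIL = """From: Big Bank [statements@bigbank.com]
To: Justin Lewis
Subject: Your monthly statement is available

Your March statement is ready. You can review it at any time at
https://www.bigbank.com/statements after logging in as usual.
"""

# Assumed indicator phrases; a real filter would use a far larger, tuned list.
URGENCY_PHRASES = ("as soon as possible", "immediately", "suspend", "failure to", "urgent")
CREDENTIAL_PHRASES = ("verify your account", "confirm your account", "password", "login credentials")

# Matches http(s) URLs and scheme-less "www." links, stopping at whitespace or brackets.
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"'\])]+", re.IGNORECASE)


def sender_domain(email_text):
    """Return the domain of the From: address (lower-cased), or None if absent."""
    m = re.search(r"^From:.*?[\w.+-]+@([\w.-]+)", email_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower().rstrip(".") if m else None


def link_domains(email_text):
    """Return the distinct host names of every link in the message, without a leading www."""
    hosts = []
    for raw in URL_RE.findall(email_text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if host.startswith("www."):
            host = host[4:]
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def registrable(host):
    """Naive registrable domain: the last two labels (assumption; fine for .com-style names)."""
    return ".".join(host.split(".")[-2:])


def analyze(email_text):
    """Score one message against the phishing signals discussed in the chapter."""
    findings = []
    sender = sender_domain(email_text)
    links = link_domains(email_text)
    body = email_text.lower()

    if sender and any(registrable(h) != registrable(sender) for h in links):
        findings.append("link_domain_mismatch")   # link points away from the sender's domain
    if sender and any(registrable(sender).split(".")[0] in h
                      and registrable(h) != registrable(sender) for h in links):
        findings.append("lookalike_domain")       # e.g. antifraudbigbank.com embeds "bigbank"
    if any(p in body for p in URGENCY_PHRASES):
        findings.append("urgency_language")
    if any(p in body for p in CREDENTIAL_PHRASES):
        findings.append("credential_request")

    # Assumed rule: a foreign link domain alone is enough; otherwise two signals are needed.
    suspicious = "link_domain_mismatch" in findings or len(findings) >= 2
    return {"sender_domain": sender, "link_domains": links,
            "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    for label, msg in (("question 3 e-mail", SAMPLE_EMAIL), ("benign notice", BENIGN_EMAIL)):
        print(label, "->", analyze(msg))
```

The check that matters most is the first one: a bank's own notice links to the bank's own domain, so any link whose registrable domain differs from the From: domain deserves scrutiny before anything else in the message is trusted. This mirrors the answer key's advice that Big Bank should communicate through its website rather than by e-mail.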


Key Terms (1 of 3)
• Hacking
• Hijacking
• Botnet
• Zombies
• Bot herder
• Denial-of-service (DoS) attack
• Brute force attack
• Password cracking
• Dictionary attack
• Spamming
• Spoofing
• E-mail spoofing
• Caller ID spoofing
• IP address spoofing
• SMS spoofing
• Web-page spoofing
• Vulnerabilities
• Zero-day attack
• Patch
• Cross-site scripting (XSS)
• Buffer overflow attack
• SQL injection (insertion) attack
• Man-in-the-middle (MITM) attack
• Masquerading/impersonation
• Piggybacking
• War dialing
• War driving
• Phreaking
• Podslurping

Key Terms (2 of 3)
• Salami technique
• Round-down fraud
• Economic espionage
• Cyber-bullying
• Sexting
• Internet misinformation
• E-mail threats
• Internet auction fraud
• Internet pump-and-dump fraud
• Cryptocurrency fraud
• Click fraud
• Software piracy
• Social engineering
• Identity theft
• Pretexting
• Posing
• Phishing
• Vishing
• Carding
• Pharming
• Evil twin
• Typosquatting/URL hijacking
• Scavenging/dumpster diving
• Shoulder surfing
• Lebanese looping
• Skimming
• Chipping
• Eavesdropping



Key Terms (3 of 3)
• Spyware
• Adware
• Torpedo software
• Scareware
• Cyber-extortion
• Ransomware
• Keylogger
• Trojan horse
• Time bomb/logic bomb
• Trap door/back door
• Packet sniffers
• Steganography program
• Rootkit
• Virus
• Worm
• Bluesnarfing
• Bluebugging
