Table 6-1: Computer Fraud and Abuse Techniques
Piggybacking
1. Clandestine use of someone's Wi-Fi network. 2. Tapping into a communications line and entering a system by latching onto a legitimate user. 3. Bypassing physical security controls by entering a secure door when an authorized person opens it.
Trap door
A back door into a system that bypasses normal system controls.
Man-in-the-middle (MITM) attack
A hacker placing himself between a client and a host to intercept network traffic; also called session hijacking.
Botnet, bot herders
A network of hijacked computers. Bot herders use the hijacked computers, called zombies, in a variety of Internet attacks.
Splog
A spam blog that promotes Web sites to increase their Google PageRank (how often a Web page is referenced by other pages).
Evil twin
A wireless network with the same name as another wireless access point. Users unknowingly connect to the evil twin; hackers monitor the traffic looking for useful information.
Masquerading/impersonation
Accessing a system by pretending to be an authorized user. The impersonator enjoys the same privileges as the legitimate user.
Pretexting
Acting under false pretenses to gain confidential information.
Web-page spoofing
Also called phishing.
Denial-of-service attack
An attack designed to make computer resources unavailable to its users. For example, sending so many e-mail messages that the Internet service provider's e-mail server is overloaded and shuts down.
Identity theft
Assuming someone's identity by illegally obtaining confidential information such as a Social Security number.
Zero-day attack
Attack between the time a software vulnerability is discovered and a patch to fix the problem is released.
Phreaking
Attacking phone systems to get free phone access; using phone lines to transmit viruses and to access, steal, and destroy data.
Data diddling
Changing data before, during, or after it is entered into the system.
Phishing
Communications that request recipients to disclose confidential information by responding to an e-mail or visiting a Web site.
IP address spoofing
Creating Internet Protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system.
Posing
Creating a seemingly legitimate business, collecting personal data while making a sale, and never delivering items sold.
Web cramming
Developing a free and worthless trial-version Web site and charging the subscriber's phone bill for months even if the subscriber cancels.
War dialing
Dialing phone lines to find idle modems to use to enter a system, capture the attached computer, and gain access to its network(s).
Caller ID spoofing
Displaying an incorrect number on the recipient's caller ID display to hide the identity of the caller.
Skimming
Double-swiping a credit card or covertly swiping it in a card reader that records the data for later use.
Spamming
E-mailing an unsolicited message to many people at the same time.
Sexting
Exchanging explicit text messages and pictures.
Virus
Executable code that attaches itself to software, replicates itself, and spreads to other systems or files. Triggered by a predefined event, it damages system resources or displays messages.
Cross-site scripting (XSS) attack
Exploits Web page security vulnerabilities to bypass browser security mechanisms and create a malicious link that injects unwanted code into a Web site.
Hijacking
Gaining control of someone else's computer for illicit activities.
Steganography
Hiding data from one file inside a host file, such as a large image or sound file.
Buffer overflow attack
Inputting so much data that the input buffer overflows. The overflow contains code that takes control of the computer.
SQL injection attack
Inserting a malicious SQL query in input in such a way that it is passed to and executed by an application program.
Lebanese looping
Inserting a sleeve into an ATM so that it will not eject the victim's card, pretending to help the victim as a means to discover his or her PIN, and then using the card and PIN to drain the account.
Packet sniffing
Inspecting information packets as they travel the Internet and other networks.
Eavesdropping
Listening to private voice or data transmissions.
War driving/rocketing
Looking for unprotected wireless networks using a car or a rocket.
E-mail spoofing
Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source.
Spoofing
Making electronic communications look like someone else sent them.
Scareware
Malicious software of no benefit that is sold using scare tactics.
Password cracking
Penetrating system defenses, stealing passwords, and decrypting them to access system programs, files, and data.
Chipping
Planting a chip that records transaction data in a legitimate credit card reader.
Pharming
Redirecting traffic to a spoofed Web site to obtain confidential information.
Cyber-extortion
Requiring a company to pay money to keep an extortionist from harming a computer or a person.
Scavenging/dumpster diving
Searching for confidential information by searching for documents and records in garbage cans, communal trash bins, and city dumps.
Tabnapping
Secretly changing an already open browser tab using JavaScript.
E-mail threats
Sending a threatening message asking recipients to do something that makes it possible to defraud them.
Address Resolution Protocol (ARP) spoofing
Sending fake ARP messages to an Ethernet LAN. ARP is a computer networking protocol for determining a network host's hardware address when only its IP or network address is known.
DNS spoofing
Sniffing the ID of a Domain Name System (DNS) request and replying before the real DNS server does. (A DNS server converts a Web site name to an IP address.)
Malware
Software that can be used to do harm.
Adware
Software that collects and forwards data to advertising companies or causes banner ads to pop up as the Internet is surfed.
Rootkit
Software that conceals processes, files, network connections, and system data from the operating system and other programs.
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it.
Spyware
Software that monitors computing habits and sends that data to someone else, often without the user's permission.
Logic bombs and time bombs
Software that sits idle until a specified circumstance or time triggers it, destroying programs, data, or both.
Bluesnarfing
Stealing contact lists, images, and other data using Bluetooth.
Salami technique
Stealing tiny slices of money over time.
Bluebugging
Taking control of a phone to make calls, send text messages, listen to calls, or read text messages.
Social engineering
Techniques that trick a person into disclosing confidential information.
Economic espionage
The theft of information, trade secrets, and intellectual property.
Round-down fraud
Truncating interest calculations at two decimal places and placing truncated amounts in the perpetrator's account.
Hacking
Unauthorized access, modification, or use of computer systems, usually by means of a PC and a communications network.
Trojan horse
Unauthorized code in an authorized and properly functioning program.
Data leakage
Unauthorized copying of company data.
Software piracy
Unauthorized copying or distribution of copyrighted software.
Podslurping
Using a small device with storage capacity (iPod, Flash drive) to download unauthorized data from a computer.
Internet auction fraud
Using an Internet auction site to commit fraud.
Cyber-bullying
Using computer technology to harm another person.
SMS spoofing
Using short message service (SMS) to change the name or number a text message appears to come from.
Dictionary attack
Using software to guess company addresses, send employees blank e-mails, and add unreturned messages to spammer e-mail lists.
Superzapping
Using special software to bypass system controls and perform illegal acts.
Key logger
Using spyware to record a user's keystrokes.
Internet terrorism
Using the Internet to disrupt communications and ecommerce.
Internet pump-and-dump fraud
Using the Internet to pump up the price of a stock and then sell it.
Internet misinformation
Using the Internet to spread false or misleading information.
Carding
Verifying credit card validity; buying and selling stolen credit cards.
Vishing
Voice phishing, in which e-mail recipients are asked to call a phone number that asks them to divulge confidential data.
Shoulder surfing
Watching or listening to people enter or disclose confidential data.
Typosquatting/URL hijacking
Web sites with names similar to real Web sites; users making typographical errors are sent to a site filled with malware.
Worm
Similar to a virus; a program rather than a code segment hidden in a host program. Actively transmits itself to other systems. It usually does not live long but is quite destructive while alive.