
Hacking & Fraud


Hackers

The term hacker was originally used to refer to a self-taught computer expert who is highly skilled with technology, programming, and hardware. Many hackers employ these skills to test the strength and integrity of computer systems for a wide variety of reasons: to prove their own ability, to satisfy their curiosity about how different programs work, or to improve their own programming skills by exploring the programming of others. The term hacker has been adopted by the mass media to refer to all people who break into computer systems, regardless of motivation; however, in the media the term hacker is often associated with people who hack illegally for criminal purposes. Many in the Internet security community strongly disagree with this use of the term. They prefer the term Cracker.

Crackers

Cracker is short for criminal hacker. The term cracker generally connotes a hacker who uses his or her skills to commit unlawful acts, or to deliberately create mischief. Unlike hackers, whose motivations may be professional or to highlight security holes in systems, the motivation of crackers is generally to cause mischief, create damage or pursue illegal activities, such as data theft or vandalism.

Script Kiddies

The term Script Kiddies usually refers to those who cause damage using scripts downloaded from sites on the Internet. It’s a form of “point and click” hacking. They do not need the skills associated with real hackers and crackers to cause problems, as they just use freely available scripts.


Hacking & Fraud Methods

There are a number of technical and non-technical methods for gaining access to information, or denying access to others. These include:

Port Scanning

Port scanning is a way for potential attackers to identify whether or not a computer is vulnerable to attack. In simple terms, a port is an opening on a computer through which information enters and exits. A computer uses a different port to communicate with other computers for each Internet application, such as HTTP (www), which normally uses port 80. Port scanning checks a range of Internet addresses to identify machines that respond to a connection request. Responding to a communication request indicates that a port is open. A port scan would reveal this potential victim to the attacker, and add it to a list of potential targets that the attacker could use later on.
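
As an added example (not part of the original page), the sketch below shows how a defender can spot the address sweep described above in connection logs: one source contacting many different machines or ports in a short time. The log format, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log sample (fields: time, source, destination, port).
# All addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 192.0.2.10 80
2024-01-01T10:00:01 198.51.100.7 192.0.2.10 80
2024-01-01T10:00:01 198.51.100.7 192.0.2.11 80
2024-01-01T10:00:02 198.51.100.7 192.0.2.12 80
2024-01-01T10:00:02 198.51.100.7 192.0.2.13 80
2024-01-01T10:00:03 198.51.100.7 192.0.2.14 80
2024-01-01T10:00:05 203.0.113.5 192.0.2.10 80
2024-01-01T10:00:09 203.0.113.9 192.0.2.10 443
2024-01-01T10:05:00 203.0.113.9 192.0.2.11 80
2024-01-01T10:30:00 203.0.113.5 192.0.2.10 80
"""

def parse(log_text):
    """Yield (time, source, destination, port) from well-formed lines only."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue  # skip lines with a bad timestamp or port

def detect_scans(log_text, window=timedelta(seconds=60), min_targets=4):
    """Return {source: peak distinct (host, port) targets} for sources that
    contact at least min_targets different targets inside one time window."""
    by_source = defaultdict(list)
    for when, src, dst, port in parse(log_text):
        by_source[src].append((when, (dst, port)))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        start, peak = 0, 0
        for end, (when, _) in enumerate(events):
            while when - events[start][0] > window:
                start += 1  # drop events older than the window
            targets = {target for _, target in events[start:end + 1]}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, count in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct targets within one window")
```

A repeat visitor to a single web server (203.0.113.5 in the sample) is not flagged, because it keeps returning to the same machine and port.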

Vulnerabilities, Exploits and Bugs

In addition to using port scanning to find machines, potential attackers use flaws in operating systems or software applications to break in and do damage. These flaws are commonly known as vulnerabilities, bugs or holes. Many remote security attacks rely on bugs in operating system software, or in the services that the machine may host. Depending on the operating system, a remote attack could work well enough to give the cracker full administrative control over a machine, letting the attacker use it for whatever purpose he likes, even using it as a platform from which to launch further attacks on other networks.

Attacks

Once an attacker gains control of the user’s computer, he or she may gain access to all the files that are stored on the computer, including personal or company financial information, credit card numbers, and client or customer data or lists. Needless to say, in the wrong hands, this could do serious damage to any business. If the data is altered or stolen, a company may risk losing the trust and credibility of its customers. In addition to the potential financial loss that may occur, the loss of information may cause a business to lose crucial competitive advantage over its rivals. With the importance of information to the success of any business, the loss or theft of data could be disastrous.

When a computer is successfully hacked, it is said to be ‘owned’. Once it is owned, the victim computer can be manipulated to perform the commands of the hacker. One of the dangers of being constantly connected is that if a user’s computer is successfully hacked, it can then be used to launch attacks against other machines, without the knowledge or awareness of the user.

If the machine runs any web services, the website(s) may be defaced, destroyed or removed and replaced with web "graffiti," a tag or image representing the cracker or a cracker group or affiliation. If the computer is used for illegal activities, such as denial of service attacks against other systems, the owner of the victim computer may be held legally responsible.

Denial of service attacks are outages caused when an attacker uses one or many computer systems to force another system offline by attempting to overload it with useless traffic. A denial of service attack is a form of gridlock on the network – by unleashing a torrent of useless messages, an attacker can paralyse a business’s web server. Such an attack can render a web site useless for extended periods of time, resulting in the potential loss of customers, which can be disastrous for small businesses that rely on online customers.


Viruses and Malicious Code

Computer viruses are probably the most widely-known form of Internet security attack. Code can be used to send sensitive information to a third party or even provide full access to a PC or network over the Internet. See the section on Computer Viruses & Malicious Code for further details.

 

SPAM / Fraud

It is believed that the use of the term "SPAM" in reference to Unsolicited Commercial Email (UCE) was adopted as a result of a Monty Python sketch where a group of Vikings sang a chorus of "SPAM, SPAM, SPAM... " making other conversation difficult to hear. This bears similarities with UCE, where legitimate email can be drowned out by the noise of unsolicited messages. Spam is also, of course, the trademark for a very tasty luncheon meat.

Spam can be considered the electronic version of Junk Mail. Not only is it annoying, but it can also be more sinister. A number of frauds have been perpetrated using SPAM as a propagation method. One type of fraudulent Spam is known as the Nigerian Advance Fee Fraud (also known as 419 Fraud after the code outlawing this practice in Nigeria). It involves a request from a high-level Nigerian official (sometimes government, sometimes in banking or industry) who would like to lodge funds in your bank account to get them out of the country. You are then asked to provide your bank details and then cover some of the costs of the transfer. Once you have passed over your details, your account could be compromised. The United States Treasury has information on advance fee fraud at http://www.treas.gov/usss/alert419.shtml and the FBI has information on many types of financial crimes, including Internet fraud, at http://www.fbi.gov/hq/cid/fc/fchome/default.htm. In the UK the National Criminal Intelligence Unit has a West African Organised Crime Unit (http://www.ncis.co.uk/waocu.asp) that provides advice on fraud of this type. The 419 Coalition (http://home.rica.net/alphae/419coal/) has been set up to fight 419 fraud and has a lot of information, including how to report email, letters and faxes you have received to your local authorities and ISPs.

Further information on frauds and scams, including the Nigerian Advance Fee Fraud, can be found at http://www.crimes-of-persuasion.com. It is estimated that losses related to advance fee fraud are in the hundreds of millions of dollars annually.

Further information on SPAM in general can be found at http://www.spamcon.org and http://www.euro.cauce.org. Information on protection can be found in the Privacy section of this site.

 

Wetware

Wetware is the human element of hacking. The saying "there is nothing new under the Sun" is extremely relevant when you talk about hacking. In most cases a hacker will use a computer to gather information, but utilising psychology to gain access to systems and services has been around a lot longer than computers. Utilising wetware, hardware and software together can be a very effective information gathering tool (whether it is legal or not!).

Wetware methodology can be split up into the following areas:

Bribery

This is the easiest way to gain information. Bribery can be as direct as cash payments or something more subtle. Bribery can lead to blackmail in order to maintain access to the source of information.


Social Engineering

This can be as simple as someone phoning an employee, pretending to be a member of the computer support team and asking for their User ID and password. Individuals have been known to seek employment within an organisation with the sole aim of gathering information to attack the employing company or pass secrets to a competitor.


Shoulder Surfing

Shoulder Surfing involves the collecting of information by eavesdropping. It usually doesn’t involve much technology although it has been known for hackers to use video cameras, binoculars and audio bugs to gain information.

You can quite often find shoulder surfers in busy places such as airports. Simply listening to two people having a conversation can give valuable information about those individuals and their organisation. Lip-reading provides the additional benefit of only having to be in line of sight and not within audible range. Watching keystrokes can provide you with password details and reading someone’s screen can give you valuable information. Next time you're in a departure lounge, take a look at the number of people who are using laptops. Are they working securely?


Dumpster Diving

Dumpster diving is the colloquial name for going through somebody's rubbish - which will usually be found in dumpsters (rubbish skips) for large organisations or bins for the general public.

In the corporate environment this could be used in the first stage of an intrusion. The hacker can map out the victim, understand the way the organisation works and, in some cases, could find out passwords and account names (written on Post-it notes! - does this sound familiar?). They could even find out enough specific information (such as take-over bid or proprietary application information) to make further attacks unnecessary.

Identity Theft

In a personal context, enough information could be found in your refuse, in items such as utility bills, bank and credit card statements and even email junk mail, to commit identity theft. Identity theft involves someone gaining goods or services after assuming your identity. There are at least 2 types of ID theft fraud. Card Not Present fraud involves gaining goods or services over the phone or Internet where no card is required, only the details that you would expect to find on a card. Application Fraud involves the request for a credit card using details of someone else.

It is also possible to steal data from a credit card. Equipment (a skimmer) can be used to record details from the magnetic strip of a credit card and those details can then be transferred to a dummy card, creating a clone of the original. It can take less than a second to skim a card and it isn't always obvious that something suspicious is happening, especially if you give your card to someone to process for a legitimate purpose. The cloned card can then be used and the charges will be against the owner of the original card.