
Fundamentals of Computer and Internet Fraud

GLOBAL Headquarters • the gregor building • 716 West Ave • Austin, TX 78701-2727 • USA

FUNDAMENTALS OF COMPUTER AND INTERNET FRAUD

TABLE OF CONTENTS

I. INTRODUCTION
What Is Computer Crime? ...... 2
Computer Fraud Versus Computer Crime ...... 3
Computer Fraud ...... 3
Computer Crime ...... 4
The Extent Question: How Much Computer Fraud Is There? ...... 5
A Few Statistics ...... 6
Vulnerability Projections ...... 6
The Internet ...... 7
The Perpetrators of Computer Fraud ...... 7
The Necessary Skills ...... 8
Inside or Outside ...... 8
Securing Information Resources ...... 9
Categories of Computer Fraud ...... 11
Content ...... 11
Learning Objectives ...... 12

II. THE USE OF COMPUTERS IN OCCUPATIONAL FRAUD
Asset Misappropriation ...... 13
Cash Schemes ...... 13
Noncash Schemes ...... 19
Control Weaknesses ...... 20
Internal Control Weaknesses ...... 21
Control Activities ...... 24
Review Questions ...... 25

III. EMERGING TECHNOLOGY CONSIDERATIONS
Fragmented Data Storage ...... 27
Video ...... 28
Bring Your Own Device ...... 28
Video ...... 28
Video ...... 29
Cloud Computing ...... 29
Video ...... 29
Video ...... 30
Video ...... 31
Social Media ...... 32
Organizational Risks ...... 32
Video ...... 32
Video ...... 33
Individual Risks ...... 34
Video ...... 35
Mobile Devices ...... 36
Mobile Ad Fraud ...... 37
Device Cloning ...... 37
Fraudulent Mobile Webpages ...... 38
Malicious Mobile Applications ...... 38
Minimizing Risks with Mobile Devices ...... 38
The Deep Web ...... 39
Video ...... 39
Virtual Currencies ...... 40
The Internet of Things ...... 40
Video ...... 41
Review Questions ...... 43

IV. DATA MANIPULATION AND DESTRUCTION
Data Manipulation ...... 45
Fraud by Input Manipulation ...... 45
Fraud by Program Manipulation ...... 45
Fraud by Output Manipulation ...... 45
Computer Forgery ...... 45
Data Destruction ...... 46
...... 47
Drive-by Downloads ...... 47
Types of Malware ...... 48
Malware Carriers ...... 60
Malware Symptoms ...... 60
Preventing Infection ...... 61
What to Do if Infected ...... 62
Antivirus and Other Security Software ...... 63
Investigating Malware Infections ...... 63
Malware Information Resources ...... 63
Laws Used to Combat the Manipulation and Destruction of Data ...... 64
The Computer Fraud and Abuse Act ...... 64
The Electronic Communications Privacy Act ...... 67
Wire Fraud ...... 69
Review Questions ...... 70

V. UNAUTHORIZED ACCESS TO COMPUTER SYSTEMS AND SERVICES
Categories of Security Attacks ...... 74
Interception ...... 74
Interruption ...... 75
Modification ...... 75
Fabrication ...... 75
Passive and Active Attacks ...... 75
Passive Attacks ...... 75
Active Attacks ...... 76
Common Methods of Attack ...... 79
Social Engineering ...... 80
Reverse Social Engineering ...... 81
Hacking ...... 81
Anti-Intrusion Legislation ...... 86
Preventing Unauthorized Access ...... 87
Basic Prevention Measures ...... 87
Warning Screens ...... 87
Security Policies ...... 87
Firewalls ...... 87
Security Software ...... 88
...... 88
Protecting Wireless and Remote Access ...... 89
Wi-Fi Security ...... 89
Video ...... 90
Usernames ...... 90
Passwords ...... 91
Multifactor ...... 91
Hacker Publications and Communications ...... 91
Review Questions ...... 92

VI. SOFTWARE PIRACY AND THE THEFT OF TRADE SECRETS
Introduction ...... 95
Software Piracy ...... 95
The Effects of Software Piracy ...... 95
Anti-Piracy Measures ...... 96
Costs of Software Piracy ...... 96
Types of Software Piracy ...... 97
Copyright Laws ...... 98
Anti-Piracy Resources ...... 99
Theft of Trade Secrets ...... 99
Digital Data ...... 100
Economic Espionage ...... 101
Identifying and Protecting Proprietary Information ...... 102
Sample Designations of Confidentiality ...... 104
Sample Employee Manual Information ...... 106
Legislation Used to Protect Proprietary Information ...... 108
Economic Espionage Act of 1996 (18 U.S.C. §§ 1831–1839) ...... 108
Disclosing Government Trade Secrets (18 U.S.C. § 1905) ...... 111
Interstate Transportation of Stolen Property (18 U.S.C. § 2314) ...... 111
The Wire Fraud Statute (18 U.S.C. § 1343) ...... 112
The Computer Fraud and Abuse Act (18 U.S.C. § 1030) ...... 112
The Uniform Trade Secrets Act ...... 112
Review Questions ...... 115

VII. INTERNET AND E-COMMERCE FRAUD
Introduction ...... 117
Internet Fraud Scams ...... 117
Identity Theft ...... 119
Video ...... 121
Email Abuse ...... 128
...... 130
Video ...... 131
Video ...... 131
Video ...... 131
Video ...... 132
Foreign Trust Schemes ...... 134
Investment Schemes ...... 135
Combating Internet Fraud ...... 139
Encryption ...... 139
Customer Validation ...... 139
Internal ...... 140
Firewalls ...... 140
Auditing and Intrusion Detection ...... 140
Electronic Commerce ...... 140
Types of E-Commerce ...... 141
Types of E-Commerce Scams ...... 142
Electronic Commerce and ...... 142
Information Security Goals ...... 142
Consumer Confidence ...... 145
Guidelines for E-Commerce Transactions ...... 145
Smart Cards and E-Commerce ...... 146
Review Questions ...... 148

VIII. COMPUTER SECURITY CONSIDERATIONS
Computer Security ...... 151
Computer Security Risk Analysis ...... 151
Computer Security Controls ...... 153
Frameworks and Standards ...... 154
ISO/IEC 27002:2013 ...... 154
COBIT ...... 156
Payment Card Industry’s Data Security Standard ...... 156
Standard of Good Practice ...... 157
Cloud Security Alliance ...... 158
Security and Privacy Controls for Federal Information Systems and Organizations ...... 158
Physical Security and Controls ...... 159
Physical Threats ...... 159
Physical Controls ...... 160
Video ...... 161
Detective Physical Controls ...... 166
Technical and Administrative Controls ...... 167
Security Policies and Awareness Training ...... 168
Logical Access Controls ...... 169
Video ...... 171
Network Security ...... 172
Operating System Security ...... 176
Encryption ...... 177
...... 178
Data Classification ...... 181
Review Questions ...... 183

IX. SECURITY AUDITING AND TESTING
Introduction ...... 187
Log Management and Analysis ...... 187
Recommendations for Log Management ...... 188
Types of Event Logs ...... 188
Event Attributes ...... 191
Dynamic Monitoring ...... 192
Log Analysis and Reporting ...... 192
Incident Response Plan ...... 193
Security Audits ...... 197
Video ...... 198
Phases of Security Audits ...... 198
Information Examined in Security Audits ...... 199
Event Logs ...... 199
External Security Audits ...... 200
Penetration Testing ...... 200
Review Questions ...... 203

X. LEGAL ISSUES REGARDING COMPUTER AND INTERNET FRAUD INVESTIGATIONS
Avoiding Liability When Conducting Investigations ...... 205
Video ...... 205
Personal Privacy ...... 205
Employees’ Duties and Rights ...... 209
Employees’ Duty to Cooperate ...... 209
Employees’ Rights During an Investigation ...... 210
Monitoring and Surveillance ...... 216
Video ...... 217
Video ...... 221
Video ...... 223
Surreptitious Recording ...... 224
Review Questions ...... 226

XI. DIGITAL FORENSICS
Introduction ...... 229
Hiring a Forensic Expert ...... 230
Video ...... 231
Conducting Investigations Involving Computers ...... 232
Preliminary Investigation ...... 232
Digital Evidence ...... 236
Computer Investigations and Computer Forensics ...... 242
Plan ...... 242
Seize the Data ...... 246
Acquire an Image ...... 250
Process the Data ...... 250
Analyze the Data ...... 252
Report and Testify ...... 252
Mobile Forensic Investigations ...... 252
Plan ...... 254
Seize ...... 254
Extract ...... 255
Analyze ...... 256
Document ...... 257
Report and Testify ...... 257
Review Questions ...... 258

XII. CONCLUSION ...... 261

XIII. PRACTICAL PROBLEMS
Practical Problem 1 ...... 263
Practical Problem 2 ...... 266
Practical Problem 3 ...... 267
Practical Problem 4 ...... 268
Practical Problem 5 ...... 269
Practical Problem 6 ...... 271

XIV. APPENDIX A: RESOURCES ON INTERNET AND COMPUTER FRAUD ...... 273

XV. APPENDIX B: VIDEO TRANSCRIPTS ...... 277

XVI. SOLUTIONS TO REVIEW QUESTIONS
II. The Use of Computers in Occupational Fraud ...... 287
III. Emerging Technology Considerations ...... 291
IV. Data Manipulation and Destruction ...... 294
V. Unauthorized Access to Computer Systems and Services ...... 300
VI. Software Piracy and the Theft of Proprietary Information ...... 305
VII. Internet and E-Commerce Fraud ...... 310
VIII. Computer Security Considerations ...... 317
IX. Security Auditing and Testing ...... 322
X. Legal Issues Regarding Computer and Internet Fraud Investigations ...... 327
XI. Digital Forensics ...... 331

XVII. SOLUTIONS TO PRACTICAL PROBLEMS
Practical Problem 1 ...... 337
Practical Problem 2 ...... 339
Practical Problem 3 ...... 340
Practical Problem 4 ...... 341
Practical Problem 5 ...... 343
Practical Problem 6 ...... 345

XVIII. PRACTICAL PROBLEM EPILOGUE ...... 347


XIX. FUNDAMENTALS OF COMPUTER AND INTERNET FRAUD FINAL EXAMINATION ...... E-1

XX. INDEX ...... I-1
