NESTA Crime Online - University of Brighton Repository

More documents

Recommendations

Info

Phishing, now popularly labelled as a social engineering technique, 199 is a sophisticated form of spam. Phishing involves attempts fraudulently to acquire sensitive information, such as passwords and bank log-in details, by masquerading as a trustworthy person or business, often from a bank. Bogus e-mails typically invite recipients to click on a link to a fake bank website that has an authentic look. The aim is to lure the bank customers into revealing their pin numbers and other bank account details. The stolen credentials are usually directly sent to the phisher's e-mail address. Other organisations, such as HM Revenue & Customs, are also impersonated in this manner with the same aim. Such attacks have grown exponentially in the last three years. Phishing attacks have become more sophisticated and daring as cybercriminals are leveraging new technologies and inventing new forms of phishing. One example is targeted spear phishing, which involves higher level skills than those required to send bulk e-mails. Spear phishing is any highly targeted phishing attack in which a fake e- mail is sent to all the employees or members within a certain company, government agency, organisation or group. The message might look like it comes from an employer or colleague who might routinely send an e-mail message to everyone in the company (such as the IT administrator) and could include requests for user names or passwords. Unlike traditional phishing scams which aim to steal information from individuals, spear phishing scams are deadlier as they have the potential to gain access to a company's entire computer system. It just takes one employee or group member to provide their user name or password to open their employer or group to identity theft. Spear phishing also describes scams that target people who use a certain product or website. 200 Another new form of phishing involves warning potential victims about phishing e-mails as a way to legitimise that e-mail. They are then tricked into clicking on a link that leads to a fraudulent site. Phishers continue to refresh and modernise their trade. For example, over 400 phishing kits designed to generate phishing sites were targeting top 199 Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. Phishing is social engineering because it tricks people to divulge information, perform certain actions or break security procedures. Trend Micro, (2008), Threat Roundup and Forecast—1H. London, p. 4. See also David S. Wall (2007), Cybercrime, Polity Press, Cambridge. Social engineering is also explored in a Whitepaper issued by ENISA (2008) “Social Engineering: Exploring the Weakest Link”, The European Network and Information Security Agency. 200 Microsoft, www.microsoft.com/canada/athome/security/email/spear_phishing.mspx. Page 66
web 2.0 sites (such as, social networking, video sharing and Voice-over-Internet-Phone sites), free e-mail service providers, banks and popular e-Commerce websites. 201 Phishing (technical) kits typically bundle all the content required to replicate a targeted website and offer them freely on the Internet. Cloning the websites of retailers is one quick way to obtain financial and personal data. These cloned websites closely resemble the real ones and require close scrutiny to spot the difference. Another variation is for a request for sensitive information to be posted onto a legitimate website, so that a clearing bank might be seen on its website to be soliciting customer information following a major software malfunction or crash. Nothing lost but precious data In December 2005, a group of cybercriminals set up a bogus website claiming to sell a variety of electrical goods at reasonable prices and which stated that it had stock of the ‘must have’ Christmas gift: a Sony PSP. Over two thousand orders were placed, all providing personal identity information and bank details. Once the details were obtained, prospective purchasers were sent an e-mail advising them that their order could not be processed due to lack of stock. As no money was lost, there was nothing to cause any suspicion on the part of the buyer. It was only when the fraudsters starting using the financial details of the victims a few months later to perpetrate their fraudulent transactions that people felt the impact of the fraud. Apart from bogus or shame websites used to lure unsuspecting victims, site cloning involves the replication of the look and style of a genuine and trusted website that leads victims to purchase from that cloned website, and lose their financial details to fraudsters with no knowledge that they have done so. 201 Trend Micro (2008), Threat Roundup and Forecast—1H. London. Page 67
Page 1 and 2:
Research report: July 2009 Crime on
Page 3 and 4:
‘official’ statistics exist yet
Page 5 and 6:
Dynamic Capabilities The second com
Page 7 and 8:
economics (finance, micro-, macro-)
Page 9 and 10:
2.3 Cybercrime business models 73 2
Page 11 and 12:
we focus on financial cybercrime. O
Page 13 and 14:
measure all other statistical outpu
Page 15 and 16: fraud. Their methodology is still b
Page 17 and 18: opportunity for online theft of cre
Page 19 and 20: However, the recent increase in fra
Page 21 and 22: penalties for those who make fraudu
Page 23 and 24: Source: Elaborated from CIFAS onlin
Page 25 and 26: The rise of online and telephone ba
Page 27 and 28: ecruitment marketplace for cybercri
Page 29 and 30: Figure 6: Origin and destination of
Page 31 and 32: corporate blackmail, spam attacks a
Page 33 and 34: Nigerian criminal gangs in North Am
Page 35 and 36: the fastest growing segments. Howev
Page 37 and 38: 2 Digital ecosystem Innovation stud
Page 39 and 40: A digital business ecosystem is one
Page 41 and 42: actors, which are increasingly dist
Page 43 and 44: Figure 8: The cybercrime value chai
Page 45 and 46: tool is used by security and networ
Page 47 and 48: writers do not necessarily know how
Page 49 and 50: conceal this. Third, the device con
Page 51 and 52: Fraud on fraudster The most recent
Page 53 and 54: and facilitated by an explosion in
Page 55 and 56: The Storm botnet case study: the su
Page 57 and 58: accelerating on a monthly basis. Wi
Page 59 and 60: improvement and the introduction of
Page 61 and 62: that employees are more concerned a
Page 63 and 64: origin or signature or a presence o
Page 65: few simple words and a web link, wh
Page 69 and 70: Source: John Leyden, “Trojan traw
Page 71 and 72: Cybercriminals find e-gold a conven
Page 73 and 74: ecosystem at various levels, creati
Page 75 and 76: expertise they need to perpetrate o
Page 77 and 78: are often offered for bulk purchase
Page 79 and 80: Crimeware-as-a-Service (CaaS): Para
Page 81 and 82: no dominant force. Unlike tradition
Page 83 and 84: is taken, priority is understandabl
Page 85 and 86: particularly good one, since consta
Page 87 and 88: outreach needs to be evaluated to e
Page 89 and 90: some of these firms may have adopte
Page 91 and 92: esilience must now surely be of con
Page 93 and 94: 7) Click fraud: also called pay-per
Page 95 and 96: 20) Pharming: is a scamming practic
Page 97: Acknowledgements Numerous people as
show all

NESTA Crime Online - University of Brighton Repository

Create successful ePaper yourself

Delete template?

Save as template?