Saturday, 27 December 2014
TYPES OF VIRUS ATTACKS
FORENSIC AUDIT, FRAUD INVESTIGATION AND CYBER CRIMES
‘Fraud’ and its types.
Introduction
“There is enough in this world for every man’s need, but there isn’t enough for every man’s greed” – Mahatma Gandhi
The human species has certain abilities which no other species has. Humans can laugh and cry; no other species can. Barring monkeys, chimpanzees and apes, which are closest to the human species, no other species has even the intelligence to recognize an image in a mirror as a reflection of its own self. This trait of recognizing an image as a reflection of oneself is believed to be a sign of a high degree of evolution on our planet. Humans are gifted with the capacity to think, assess, evaluate and innovate. Humans can discuss, debate, concentrate and mediate. However, along with all these marvelous evolutionary accomplishments, humans have also developed the dubious traits of deception and manipulation. Only humans are capable of intellectual and financial deception, the basic ingredients of ‘fraud’ or white collar crime. Human beings have shown traits of deception since time immemorial, and the existence of fraud probably dates back to the dark ages. The truth is that ‘fraud’ has always existed, but in recent times it has grown exponentially and, further, it has rapidly increased in variety and dimension.
The ‘multiplier effect’ of fraud with IT support
The information technology revolution has provided ‘the multiplier effect’ to make fraud an even more ominous threat, perhaps a threat which may affect not only operating results but also the very long term survival of affected business entities. There is a saying that “the pen is mightier than the sword.” But today, the computer mouse is mightier than the pen. A white collar executive with a briefcase, the typical conventional profile of a fraudster, can steal 100 times more than 100 men with machine guns. However, with the advent of computers and information technology, a man with just a computer mouse can now inflict exponentially greater damage than even 100 white collar fraudsters. This is because, on the one hand, fraudsters are essentially capable and, on the other hand, newer and more advanced computers, digital tools and internet facilities have given them new strengths and avenues. With this lethal combination, they have the world before them. Sitting in the comfort of their own house, they can transcend all barriers of geographical boundaries, time-zones and currencies. They can cause financial damage anywhere, anytime, in unimaginable dimensions of quantum. Millions of dollars can be transferred from one end of the globe to the other merely at the click of a mouse or a key on a computer keyboard. In the coming years the magnitude of frauds can only increase, and the speed of devastation will correspondingly accelerate. Well planned and precisely executed frauds result in huge losses and depletion of assets, and above all they cripple the regular and smooth running of business. They usually have a snowball effect which can in many cases prove devastating. Both the auditors and the management have a major role to play in detecting as well as deterring fraud. Fraud could occur either on account of a fraudster’s intellectual capabilities, or because of a deeply flawed system, or a combination of both.
The failures of corporate giants like Enron, Xerox and WorldCom have become legendary in the twenty first century. In the post-Enron era the subject of fraud has become a buzzword not only in business and corporate circles but even in government and public sector companies, banks and financial institutions. Authorities all over the globe realized overnight the limitations of the existing legislation governing disclosures in financial information, the responsibility of the management and the auditors’ accountability. Therefore, in the current scenario, however unpleasant fraud may be, neither management nor auditors can just turn a blind eye and ignore the spectre of ‘fraud’ in business, trade and commerce.
There can be a myriad of situations in which one may be called upon to deter, detect or investigate ‘fraud’. Investigating fraud in books of account and commercial transactions requires the combined skills of a well-trained auditor and a criminal investigator. However, finding these skills combined in one person is rare, so this book intends to better acquaint readers who have a questioning mind with criminal-investigative rules, principles, techniques and methods. It also intends to provide a degree of preparedness in assessing situations that lead to the existence of ‘fraud’.
The different types or kinds of fraud
Accounting manipulations
These would include deliberate and willful errors and omissions in accounting to mislead and deceive. Crediting one customer’s cheque to a favoured customer, or writing off a capital asset as revenue and then misappropriating it, are examples of accounting manipulations. Such manipulations can be of infinite variety. Usually only chartered accountants or persons familiar with accounting and book-keeping can understand how such frauds are perpetrated.
Corrupt practices
Corruption involves an effort to influence and/or abuse public authority through the giving or acceptance of an inducement or illegal reward for undue personal or private advantage. Cash kickbacks or favours taken for any kind of business commitment are common in today’s world. Regular dealings with suppliers, customers and third parties lead to the building up of relationships, which eventually lead to favours and kickbacks. Kickbacks can be in non-cash form also. For example, a supplier could sponsor a trip overseas to an exotic location for the purchase manager and his family in return for a large order placed by the purchase manager.
Cash embezzlements
Virtually every organisation is affected by pilferage or inventory fraud at some time or the other. Cash, inventory, or for that matter any asset of a company, can be stolen when an opportunity presents itself. However, most of these frauds are simple and not backed by any great intellectual capability. They occur more because of flaws and limitations in the control environment.
Frauds in a computerised environment
These frauds are masterminded by wrongdoers who have tremendous intellectual capabilities. They do not necessarily need weaknesses or bugs in any software to perpetrate frauds; even the non-awareness or ignorance of other users in the organisation about certain key features is enough for these fraudsters to inflict colossal damage.
Financial leakages of any kind
Opportunities diverted, sales suppressed, and expenses inflated or paid twice are other common business frauds.
Financial crimes
Frauds on a larger scale through misrepresentation of financial information are also growing exponentially. For example, insurance claims for loss of stock or profits could be inflated. Even when a company is purchasing the business of another company, valuations of assets could be excessive or unfair while liabilities could be suppressed or diluted.
Fraud detection and forensic accounting: A noble task
‘Deterring and detecting’ fraud is a noble task since it addresses a social evil. By ferreting out fraud, investigators assist in preserving the resources of the organisation as well as of society. As regards the management, investigators facilitate quantification of the impact of fraud and determination of who could be the mind behind it. The services of fraud investigators are direly needed in noble and charitable institutions where resources are frittered away through misuse and for vested interests.
Forensic accounting is the specialty practice area of accountancy that describes engagements that result from actual or anticipated disputes or litigation. “Forensic” means “suitable for use in a court of law”, and it is to that standard and potential outcome that forensic auditors or investigative auditors work, since they often have to give expert evidence at the eventual trial. All of the larger accounting firms, as well as many medium-sized and boutique firms, have specialist forensic accounting departments. Within these groups, there may be further sub-specialisations.
Forensic audit is the application of accounting methods to the tracking and collection of forensic evidence, usually for the investigation and prosecution of criminal acts such as embezzlement or fraud; it is also called forensic accounting.
Forensic accounting needs all the skill sets relating to accounting, auditing and investigation or detective skills. It is also referred to as forensic audit or forensic investigation. It differs from audit in the following aspects:
a) Audit relies on documentary evidence, whereas a forensic audit actually examines the reliability of a document itself and looks for other evidence available as well.
b) Forensic audit is issue based or related to a specific problem, whereas audit is wider, area based or legislation compliant.
c) Forensic audit has several components, including technical aspects, and could include any or all of the following:
- Financial and accounting review
- Digital forensic analysis
- Field investigations
- Data mining at an advanced level
- Application of interviewing skills
- Technical assistance such as handwriting, specimen signatures, QC evaluation, etc.
Whom does corporate fraud affect?
· Employees – stranded; uncertainty, social, financial and legal. Those affected are mostly from the working class.
· Business owners/investors – panic on the markets, drop in value, erosion of the wealth of small and institutional investors alike.
· Customers – uncertainty over the supply chain; risk of their businesses getting stalled; confidentiality and continuity.
· Bankers – concern over recovery of both financial and non-financial exposure.
· Government – global image at stake; investor confidence shaken; entire industry viewed with skepticism.
Opportunities for chartered accountants, auditors and forensic accountants
The menace of fraud threatening the corporate and business world provides tremendous professional opportunities for chartered accountants and auditors. As skilled accountants, they have the expertise to understand and tackle accounting manipulations. As systems consultants they can provide valuable assistance in detecting shortcomings in accounting systems. As auditors they can identify lapses of internal control which lead to latent frauds and errors. As forensic accountants they provide services in:
· Investigating and analysing financial evidence
· Developing or assisting in the development of specialised software for forensic accounting
· Assisting in legal proceedings as expert witness
· Identifying substance over form
· Preventing risk by making recommendations to avoid future lapses and fraud resulting from professional negligence
· Preventing fraud by employees
· Investigating crime involving money laundering, kick-backs and misuse of public funds
· Insurance claims, e.g. assisting in assessing loss of profit policies
· Arbitration, mediation and other such forms of alternative dispute resolution
· Engagement by lawyers, police forces, insurance companies, government/regulatory agencies, banks, courts and the business community
· Media, as part of investigative journalism
What constitutes fraud?
Any deception carried out for getting a wrongful benefit or advantage over another is fraud, in the broadest sense. When such deception is carried out largely for a commercial interest, a financial gain, or for any personal benefit in some form or the other to eventually gain a financial or commercial profit, then it is business fraud that we are talking about. In other words, fraud is any kind of harm, damage or wrongful act which is intentionally attempted or carried out to the detriment of another. Fraud involves deliberate deceit or misrepresentation of facts and/or significant information to obtain undue or illegal financial advantage.
There are three clear elements that describe fraud:
· Act or omission of act;
· Damage to another or to the detriment of another;
· Intention.
Generally, if the above three elements are satisfied, the fraud is deemed to have been perpetrated. Interestingly enough, it does not matter if, eventually, the act does not actually result in damaging the other, or even if there is no financial loss. For example, a purchase manager who has access to various vendors’ quotations in a tender/bid selection exercise may communicate sensitive and classified information to a favoured vendor to get him the job. However, if the favoured vendor for some reason does not get the job, it does not mean that the fraud has not taken place. It has merely failed to damage, perhaps in the short run. The fraud exists, and it lies inactive like a virus or bacterium in a body, waiting for an opportune moment.
Red Flags and certain typical frauds
The quintessence of fraud detection lies in detecting the symptom or indicator of fraud. While examining a patient, a doctor looks for the symptoms of an illness, symptoms such as a rash, an eruption, a boil, or changes in temperature or blood pressure. When he notices such symptoms, he launches further investigations through blood tests, scans and X-rays to ascertain the real nature of the illness and the depth of infection or damage. In exactly the same manner an auditor looks for ‘red flags’, a term used in fraud detection for symptoms of wrongdoing.
1. Flags at a macro level
In order to find frauds at a macro level the auditor looks at audit situations with a bird’s eye view as opposed to an ant’s view. Thus he does not look at individual controls for assessing the vulnerabilities, but at environmental influences, organization culture, management vision, industry norms and practices, and board policies and guidelines. There can be situations at a micro level which are conducive for fraudsters. It is possible that such situations can motivate and actually create fraudsters. Conversely, fraudsters can also create such situations. In either case, the auditor must view these situations as ‘red flags’ and appropriately modify or extend his audit procedures. The following are some typical fraud prone situations:
1) Situation of disorderliness
2) Disaster situations
3) Organisations left in the ‘autopilot’ mode
4) Sudden profits in an otherwise loss making business, not supported by any reasonable change in environment
5) Consistent losses in an otherwise thriving industry
6) Situation of incomplete information: missing records, seizure of records by authorities, etc.
2. Flags at a micro level
These are frauds at the operating level which an auditor comes across while actually carrying out his audit. The seriousness of such red flags is a function of the materiality of the audit area and the overall control environment. If the overall control environment appears to be safe and strong, and if the red flag is noticed in a relatively insignificant area, then the red flag may not be serious. However, it is the auditor’s judgment to decide whether to extend his audit check or to ignore the red flag. The following are some of the common red flags within the control environment which an auditor may be mindful of:
1) The ‘Excess Knowledge’ syndrome
2) Absence of rotation of duties or prolonged exposure in the same area
3) Close nexus with vendors, clients or external parties
4) Gunpowder effect
5) Sudden losses
6) TGTBT syndrome (TGTBT stands for Too Good To Be True)
7) Irrational behaviour
Types of fraud and typical frauds in certain industries
Frauds can be inflicted at two levels: the management level or the employee level. An auditor can rarely discover ‘management colluded fraud’ because he is conducting an ‘audit’ and not an investigation. This has been borne out by the decision of the Bombay High Court in Tri-Sure’s case, 61 Co. Cas. 548, where it was held that the auditor was not responsible for discovering management fraud. Emphasis was given to the situation and conditions prevailing and the facts known to the auditor, and not to facts which came to light subsequently. The Court observed: ‘It is well said that it is easier to be wiser after the event. The Court should put itself back to the situation existing at the time of the original audit and should keep out of mind all the facts which have come to light subsequently’. In the post-Enron scenario the situation may not be quite the same, and auditors will be governed by AAS 4. Employee level frauds are relatively easier for auditors to detect within the scope of their audit duties.
1. Piggyback frauds - Milk tanker fraud.
2. Trojan Horse frauds - Cashier scrap sale.
3. Disaster frauds - Hotel fire case.
4. Achilles Heel frauds - Backdating fraud.
5. Red Herring frauds - Misplaced credit note fraud.
6. Frauds stemming from corporate espionage - Computer breakdown pattern.
Novel and Uncommon Methods Effective in Auditing and Fraud Investigation
Why do we need novel or untried methods for auditing?
The stale procedures syndrome
“The only man who has not made a mistake is one who has never done anything.”
The answer to why we need novel or untried methods of auditing is: to overcome the stale procedures syndrome. If one were to trap a few fireflies in a box with the lid shut, the fireflies would keep buzzing and flying within the space in the box. They become so habituated to flying within that restricted space that even if the lid is opened a little while later, they keep flying within the same restricted space and do not fly away into the open world. This is because their minds are closed and they do not know that the doors of the world have opened up and freedom is there for the asking.
There are many people in this world who fall into this kind of ‘firefly’ or stale procedures syndrome. Auditors are no exception, and this is one of the reasons why auditors often do not come up with meaningful findings. Constant repetitive work becomes mundane and uninteresting and leads to inertia and boredom, which is called the ‘tamasic’ stage in our scriptures. In such a stage the mind tends to become dull and impervious to new ideas and innovative and creative methods. Consequently, the audit procedures are also listless and lackadaisical, and obviously therefore they lead to mediocre results; sometimes even glaring frauds and errors escape their attention. In fact, unconfirmed statistics reveal that only a minuscule percentage of reported frauds are discovered by auditors, and out of those too, a large percentage are discovered by ‘accident’ and not by purely intelligent, strategic and planned audit procedures.
The most plausible reason for auditors not detecting glaring frauds is lack of focus. Their focus has been on compliance issues, and the practical aspects have often been neglected. Further, auditors focus on reporting only problems and not solutions. By doing so their outlook and exposure get severely restricted, and thus audit findings are what they have been. In this regard there are some wonderful anecdotes which illustrate this point.
When NASA began launching astronauts into space, they found out that pens wouldn’t work at zero gravity (since ink won’t flow down to the writing surface). To solve this problem, it took them one decade and $12 million. They developed a pen that works at zero gravity, upside down, underwater, on practically any surface including crystal, and in a temperature range from below freezing to over 300 °C. As against that, what did the Russians do? They used a pencil.
One of the other most interesting case studies in this regard was the case of the empty soapbox, which happened in one of Japan’s biggest cosmetics companies. The company received a complaint that a consumer had bought a soapbox that was empty. Immediately the authorities isolated the problem to the assembly line, which transported all the packaged boxes of soap to the delivery department. For some reason, one soapbox went through the assembly line empty. Management asked its engineers to solve the problem. Post-haste, the engineers worked hard to devise an X-ray machine with high-resolution monitors, manned by two people, to watch all the soapboxes that passed through the line to make sure they were not empty. No doubt they worked hard and they worked fast, but they spent a small fortune to do so. But when a rank-and-file employee in a small company was posed with the same problem, he did not get into the complications of X-rays, etc., but instead came out with another solution. He bought a strong industrial electric fan and pointed it at the assembly line. He switched the fan on, and as each soapbox passed the fan, it simply blew the empty boxes out of the line. The lesson is clear: look for simpler but effective solutions. Devise the simplest possible solution that solves the problem. Develop open minds; leave out ‘metanoia’, a Greek word for rigid thinking.
How can auditors get rid of the stale procedures syndrome?
The following double-pronged approach may be effective in bringing about greater depth and penetrativeness in audit procedures. This will enable auditors to change their mindset, get out of the ‘firefly’ syndrome, and look for solutions rather than problems.
Ask the right questions to get the right answers
One of the first things to do is to reduce total reliance on standardised checklists and set procedures. It is important to treat any audit as a combination of science and art. Undoubtedly checklists and procedures have their own place and importance in audit, but they certainly have their limitations as well. They nurture closed minds and can be compared to blinkers on horses’ eyes. Customising checklists to given audit situations is the secret behind every successful audit. This can be accomplished by examining checklists for the relevance, completeness and correctness of all the questions built into them. In simple words: does the checklist ensure that all questions posed are relevant, and have all the right questions been asked? Relevance and completeness are important because audit environments are dynamic, and therefore what may have been relevant a few years ago may be redundant today, and what may not have been thought of a few years ago may be important now.
Asking the right questions has been considered the hallmark of scientific discovery. The ancient Greeks spent hundreds of years asking ‘Why do heavier objects fall faster than lighter ones?’ Then along came Galileo, who asked ‘Do heavier objects fall faster than lighter ones?’ After some simple experimentation the answer was ‘No, they don’t.’ Thus the correct conclusion was prevented only because the question was wrong and it defocused the inquirers completely. It is important to remember that detection of any leakage or abuse cannot be done by standardized checklists. Every situation is unique, and fraud detection is a very creative process.
Apply imaginative and resourceful methods to suit given situations and audit objectives
As mentioned before, Kautilya has defined (in the ‘Arthshastra’) 40 different ways of perpetrating economic crimes and wrongdoings. A fraudster will also have the advantage of concealing himself skillfully, and may even destroy, suppress, change or insert records to suit himself. Therefore standardised record verification and interviewing techniques may be rendered ineffective. Audit is a creative process, and an effective audit or investigation is possible only if all possible examination and review procedures are adopted in harmony and objectively towards the purpose of the assignment. The findings have to be viewed both microscopically and macroscopically, and the results must ring true.
Audit procedures must be suitably extended or modified to highlight illogical trends, patterns or mismatches of facts, or other red flags latent or glaring in given situations. Therefore resourceful audit or investigation methods are required on certain occasions along with conventional audit support tools. Only then will the audit process enable auditors to determine the truth. A combination of conventional and unconventional methods will enable the fraud detection process to be sharpened immeasurably. In fact, sometimes, resourceful and imaginative techniques are essential for ‘root cause analysis’.
There can be many such non-standardised or unconventional methods of detecting and ferreting out fraud. The sky is the limit, and the auditor’s imagination can be tested and utilized to his full potential. Therefore it is advisable to approach any audit assignment with an open mind to detect fraud, particularly where ‘red flags’ appear to exist.
This book intends to provide various untried and research-based methods which could be attempted by auditors and investigators in their respective audits, and which have been attempted in the given situations to get more penetrative results. While these methods are unusual, they do not replace any conventional method. They can be used in consonance with all conventional techniques to increase the area of effectiveness and enhance an auditor’s findings. The following table provides a bird’s eye view of the various methods of audit and investigation which have been explained with case studies in the subsequent sections of this chapter.
Novel and uncommon methods of audit and investigation
List of novel and uncommon methods of audit and investigation

| S. no | Audit or investigation method | Objective |
|---|---|---|
| 1 | Tiger Team Tests (Case: Mall vs Auditor) | To test the resilience and robustness of internal controls. These are practical tests of internal controls used in ‘walk-through’ procedures. They could also involve a penetration test to break into a given system. |
| 2 | Luhn’s Algorithm (Case: Credit card sale in hotel) | To validate credit card numbers and other check-sum codes. The algorithm can be useful in detecting inflated or fictitious sales where credit card sales are suspect. |
| 3 | Benford’s Theorem (Case: Buffet lunch) | It facilitates data validation, to understand whether the data is likely to be materially affected by errors or fraud. It facilitates ‘fraud and error hunting’ by giving an overview of the reliability of the data population being examined. It also facilitates audit sampling and can actually detect instances of fraud/error. |
| 4 | Barium test | To test a complex system with multiple variables where routine methods would be ineffective; in particular, where a system embodies operations spread over huge geographical distances and where conventional procedures have limitations because of too much reliance on documentation which may be suspect. |
| 5 | Birbal Tricks and Traps: the magic straw trap; the behavioural test; the silent witness trick; the Birbal litmus trick | To nail or trap suspects in a short-listed group, or to unearth fraudulent manipulations, in certain situations in investigative audits. |
| 6 | Advanced Data Mining methods: data presentation to make forensic sense; space-time dimension tests; corollary: use of the nanoscience approach | Advanced data mining methods offer infinite ways of examining financial data for corroboration and further analytical purposes. The objective is to uncover abnormalities, trends, patterns, etc., to increase an auditor’s level of confidence in the findings of conventional tests. One can examine non-financial aspects affecting data in the financial statements to achieve a better understanding of audit data. |
| 7 | The ‘surprise-repetition’ testing approach | To sharpen certain conventional tests and make them more penetrative. Using certain conventional methods with a different timing and with repetitive force could bring amazing results. |
| 8 | Applying the ‘Litmus’ Test | Behavioural tests to determine innocence or guilt. This is done by creating an appropriate situation in which to place suspects and observe their behaviour. |
| 9 | Application of Tests of Inverse Logic and Reasonableness | To tackle situations of incomplete, missing or altered information; a typical example is an insurance claim. Conventional audit tests look for evidence that supports given assertions. The ‘Inverse Logic’ approach seeks evidence which contradicts given assertions and applies the process of elimination to those assertions in the final hypothesis. In other words, where the truth is difficult to find because of lack of evidence, inverse logic seeks to find out what is not true and eliminates that, to leave behind the truth. |
| 10 | The Art of Mirror Imaging | Testing identical units for common and consistent problems. Inconsistencies should be common to all; if not, there is a reason to investigate. |
| 11 | Using the Doctrine of Triage | Use of scarce resources in an optimum manner to improve investigation and audit results. |
| 12 | The Vedic approach and applying Vedic mathematics | Applying visual number tests in rare situations to discern anomalies. A hypothetical case study. |
| 13 | The Placebo Effect | A risk and fraud detection and prevention method that works by creating an atmosphere of strict control, a kind of ‘Damocles’ sword’ hanging over potential wrongdoers. |
‘Benford’s Law’: expected frequency of the first digit

| First digit | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|
| Expected frequency | 30.1% | 17.6% | 12.5% | 9.7% | 7.9% | 6.7% | 5.8% | 5.1% | 4.6% |
Relative Size Factor (RSF)
RSF is the ratio of the largest number to the second largest number of a relevant set:

RSF = Largest Number / Second Largest Number
Steps in conducting an investigation
There is no standardised series of steps, nor is there any standardised sequence of applying tests and checks, in procedures for fraud detection as one can have in situations of audit, accounting or finalization of accounts. Creativity is an integral part of fraud detection, and success in any fraud related assignment is a function of both disciplined, meticulous, scientific tasks and creative methods. Fraud detection cannot be governed by checklists as one can apply and use for compliance audits or accounting assignments such as the preparation of final accounts so as to comply with the disclosure requirements specified in various Acts and prescribed accounting standards. In fraud detection, each situation is unique and demands a customized approach. Fraud detection also differs from audit assignments in a very important aspect: audit offers an opinion on the truth and fairness of a financial assertion, while financial investigation or fraud detection attempts to seek out evidence to prove or disprove a financial hypothesis. In this context, where a situation appears to show conditions of fraud or error, AAS 4 obligatorily requires an auditor to confirm his suspicions, if any, or dispel them by using additional, extended or modified procedures. AAS 4 requires an auditor to apply professional skepticism and to plan and perform his audit expecting to find fraud, if any. However, even AAS 4 does not provide a specific method of conducting an investigation. At best it provides guidance on the method of obtaining audit evidence. Audit evidence can be obtained by one or more of the following: inspection, observation, inquiry and confirmation, computation, and analytical review. Considering the foregoing, an auditor/investigator can take the following important steps to the extent relevant and appropriate under the circumstances of a given situation. He can approach an assignment of fraud detection by preparing a programme customized to suit the given situation. The programme is conceptually similar to an audit programme; it should contain a series of steps for each assignment, fine tuned to meet and achieve the objectives spelt out in the terms of reference.
Various steps which can be considered in a situation of fraud detection:
1) Terms of reference
2) Evidence collected directly: documentary tests and interviews
3) Evidence collected indirectly: field audit and physical checks
4) Digital analysis of relationships and trends
5) Sting operations, decoy traps or investigators’ bluffs
6) Confrontation interviews
7) Evaluation of evidence
8) Reporting
Types of Cyber Crimes & Cyber Law in India
What is a cyber crime?
Cyber crime is a generic term that
refers to all criminal activities done using the medium of computers, the
internet, cyber space and the worldwide web.
There isn’t really a fixed definition for cyber crime. Indian law has not given
any definition to the term cyber crime. In fact, the Indian Penal Code does not
use the term cyber crime at any point, even after its amendment by the
Information Technology (Amendment) Act, 2008, the Indian cyber law. But “cyber
security” is defined under section (2)(b) as protecting information, equipment,
devices, computers, computer resources, communication devices and the
information stored therein from unauthorized access, use, disclosure,
disruption, modification or destruction.
What is Cyber Law?
Cyber law is a term used to describe the legal issues related to the use of
communications technology, particularly “cyberspace”, i.e. the Internet. It is
less a distinct field of law in the way that property or contract law is, and
more an intersection of many legal fields, including intellectual property,
privacy, freedom of expression, and jurisdiction. In essence, cyber law is an
attempt to apply laws designed for the physical world to human activity on the
Internet.
In India, The IT Act, 2000 as amended by the IT (Amendment) Act, 2008 is known
as the Cyber law. It has a separate chapter XI entitled “Offences” in which
various cybercrimes have been declared as penal offences punishable with
imprisonment and fine.
1. Hacking
What is Hacking?
Hacking is not defined in the amended IT Act, 2000.
According to Wiktionary, hacking means unauthorized attempts to bypass the
security mechanisms of an information system or network. In simple words,
hacking is unauthorized access to a computer system, programs, data or network
resources. (The term “hacker” originally meant a very gifted programmer. In
recent years, though, with easier access to multiple systems, it has acquired
negative implications.)
Law & Punishment:
Under the Information Technology (Amendment) Act, 2008, Section 43(a) read with
Section 66 is applicable, and Sections 379 and 406 of the Indian Penal Code,
1860 are also applicable. If the crime is proved under the IT Act, the accused
shall be punished with imprisonment, which may extend to three years, or with a
fine, which may extend to five lakh rupees, or both. The hacking offence is
cognizable, bailable, compoundable with the permission of the court before
which the prosecution of such offence is pending, and triable by any
magistrate.
2. Data Theft
What is Data Theft?
According to Wikipedia, data theft is a growing problem, primarily perpetrated
by office workers with access to technology such as desktop computers and
handheld devices capable of storing digital information, such as flash drives,
iPods and even digital cameras. The damage caused by data theft can be
considerable with today’s ability to transmit very large files via e-mail, web
pages, USB devices, DVD storage and other hand-held devices. According to the
Information Technology (Amendment) Act, 2008, the crime of data theft under
Section 43(b) is stated thus: if any person, without the permission of the
owner or any other person who is in charge of a computer, computer system or
computer network, downloads, copies or extracts any data, computer database or
information from such computer, computer system or computer network, including
information or data held or stored in any removable storage medium, then it is
data theft.
Law and Punishment :
Under the Information Technology (Amendment) Act, 2008, Section 43(b) read with
Section 66 is applicable, and Sections 379, 405 and 420 of the Indian Penal
Code, 1860 are also applicable. The data theft offence is cognizable, bailable,
compoundable with the permission of the court before which the prosecution of
such offence is pending, and triable by any magistrate.
3. Spreading Virus or worms
What is spreading of Virus or Worms?
In most cases, viruses can do any amount of damage the creator intends them to
do. They can send your data to a third party and then delete it from your
computer. They can also ruin your system and render it unusable without a
reinstallation of the operating system. Most have not done this much damage in
the past, but could easily do so in the future. Usually the virus will install
files on your system and then change your system so that the virus program runs
every time you start it. It will then attempt to replicate itself by sending
itself to other potential victims.
Law and Punishment :
Under the Information Technology (Amendment) Act, 2008, Sections 43(c) and
43(e) read with Section 66 are applicable, and Section 268 of the Indian Penal
Code, 1860 is also applicable. The offence of spreading a virus is cognizable,
bailable, compoundable with the permission of the court before which the
prosecution of such offence is pending, and triable by any magistrate.
4. Identity Theft
What is Identity Theft?
According to Wikipedia, identity theft is a form of fraud or cheating in which
someone pretends to be someone else by assuming that person’s identity,
typically in order to access resources or obtain credit and other benefits in
that person’s name. Under the Information Technology (Amendment) Act, 2008,
Section 66-C, whoever fraudulently or dishonestly makes use of the electronic
signature, password or any other unique identification feature of any other
person commits identity theft.
Identity theft is a term used to refer to fraud that involves stealing money or
getting other benefits by pretending to be someone else. The term is relatively
new and is actually a misnomer, since it is not inherently possible to steal an
identity, only to use it. The person whose identity is used can suffer various
consequences when they are held responsible for the perpetrator’s actions. At
one time the only way for someone to steal somebody else’s identity was by
killing that person and taking his place; it was typically a violent crime.
Since then, the crime has evolved, and today’s white-collar criminals are a lot
less brutal. But the ramifications of identity theft are still scary.
Law & Punishment:
Under the Information Technology (Amendment) Act, 2008, Section 66-C is
applicable, and Section 419 of the Indian Penal Code, 1860 is also applicable.
The identity theft offence is cognizable, bailable, compoundable with the
permission of the court before which the prosecution of such offence is
pending, and triable by any magistrate.
5. E-Mail Spoofing
What is Email Spoofing?
According to Wikipedia, e-mail spoofing is e-mail activity in which the sender
address and other parts of the e-mail header are altered to appear as though
the e-mail originated from a different source.
E-mail spoofing is sending an e-mail to another person in such a way that it
appears to have been sent by someone else. A spoofed e-mail is one that appears
to originate from one source but has actually been sent from another. Spoofing
is the act of electronically disguising one computer as another in order to
gain access to a system. It is becoming so common that you can no longer take
for granted that the e-mail you are receiving is truly from the person
identified as the sender.
Email spoofing is a technique used by
hackers to fraudulently send email messages in which the sender address and
other parts of the email header are altered to appear as though the email originated
from a source other than its actual source. Hackers use this method to disguise
the actual email address from which phishing and spam messages are sent and
often use email spoofing in conjunction with Web page spoofing to trick users
into providing personal and confidential information.
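The header alterations described above leave traces that the receiving side can check mechanically. The following Python script is an added example, not code from the original post: it parses a constructed message and reports which headers disagree with the domain shown in From. SPF, DKIM and DMARC remain the authoritative checks; this heuristic only complements them.

```python
import email
from email.utils import parseaddr

# Constructed message (sample data, not a real e-mail): the visible From claims a
# bank, while the envelope sender, Reply-To, Message-ID and the originating mail
# server all point at an unrelated domain.
SUSPICIOUS_MESSAGE = b"""\
Return-Path: <bounce@mail.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.25])
        by inbound.example.org with ESMTP id 4f2a1
        for <victim@example.org>; Sat, 27 Dec 2014 10:00:00 +0000
From: "Example Bank Support" <support@examplebank.com>
Reply-To: <helpdesk@mail.example.net>
To: victim@example.org
Subject: Urgent: verify your account
Message-ID: <20141227.1@mail.example.net>

Please confirm your account details using the link below.
"""

# A consistent message from the same claimed sender, for comparison (constructed)
CONSISTENT_MESSAGE = b"""\
Return-Path: <support@examplebank.com>
Received: from mail.examplebank.com (mail.examplebank.com [198.51.100.9])
        by inbound.example.org with ESMTP id 4f2a2
        for <victim@example.org>; Sat, 27 Dec 2014 11:00:00 +0000
From: "Example Bank Support" <support@examplebank.com>
To: victim@example.org
Subject: Your December statement
Message-ID: <20141227.2@mail.examplebank.com>

Your statement is available in online banking.
"""


def domain_of(address_header):
    """Lower-cased domain part of the first address in a header value."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def in_domain(host, domain):
    """True when host is domain itself or a sub-domain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def originating_host(msg):
    """Host named in the bottom-most Received header, i.e. the first hop recorded."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    words = received[-1].split()
    return words[1] if len(words) > 1 and words[0].lower() == "from" else ""


def spoof_indicators(raw_bytes):
    """Return the names of the header checks that disagree with the From domain."""
    msg = email.message_from_bytes(raw_bytes)
    from_domain = domain_of(msg["From"])
    if not from_domain:
        return ["from-missing"]
    findings = []
    if msg["Return-Path"] and domain_of(msg["Return-Path"]) != from_domain:
        findings.append("return-path")     # envelope sender differs from visible sender
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_domain:
        findings.append("reply-to")        # replies would go somewhere else
    msgid = (msg["Message-ID"] or "").strip().strip("<>")
    if msgid and not in_domain(msgid.rpartition("@")[2], from_domain):
        findings.append("message-id")      # message id minted by a foreign server
    host = originating_host(msg)
    if host and not in_domain(host, from_domain):
        findings.append("origin-host")     # first relay is not the sender's mail system
    return findings


if __name__ == "__main__":
    print("suspicious:", spoof_indicators(SUSPICIOUS_MESSAGE))
    print("consistent:", spoof_indicators(CONSISTENT_MESSAGE))
```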
Law & Punishment:
Under the Information Technology (Amendment) Act, 2008, Section 66-D is
applicable, and Sections 417, 419 and 465 of the Indian Penal Code, 1860 are
also applicable. The e-mail spoofing offence is cognizable, bailable,
compoundable with the permission of the court before which the prosecution of
such offence is pending, and triable by any magistrate.
6. Distributed Denial of Service Attacks (D.D.o.S.)
7. Ransomware
Denial-of-Service:
The Estonian Cyberwar
On April 26, 2007, the small Baltic state
of Estonia experienced the first wave of denial-of-service (DoS) attacks.
Accompanied by riots in the streets, these cyberattacks were launched as a
protest against the Estonian government’s removal of the Bronze Soldier
monument in Tallinn, a Soviet war monument erected in 1947. These attacks
targeted prominent government websites along with the websites of banks,
universities, and Estonian newspapers. After three weeks, the attacks ceased as
suddenly as they had begun, but not before the Estonian government undertook
measures to block all international web traffic, effectively shutting off the
“most wired country in Europe” from the rest of the world.
This study will begin with a detailed
overview of denial-of-service attacks, the different methodologies utilized in
their execution, and a brief history of their usage. Next, the case study of
the Estonian cyberwar in April-May of 2007 will be outlined in detail. Finally,
the implications of this case study on U.S. national security and potential
mitigating policies will be discussed to ensure that the U.S. remains safe from
cyberwar threats.
Cyberattacks: Means and Methodologies
Denial-of-service attacks, classified
as “cyberattacks,” have been used by hackers since the mid-1980s. Aimed
primarily at specific sites and networks, denial-of-service attacks block the
access of legitimate users, rendering the entire site or network unavailable.
This can be accomplished through any number of methods, including the
relentless transmission of irrelevant information to tie up a server so that
legitimate requests for information remain unanswered. Attackers can also use
these cyberattacks to obstruct the transmission of routing information; as a
result, legitimate requests never reach their destination. Alternatively,
computer hackers could use cyberattacks to obstruct communication between two
servers or networks so that information cannot be sent or received by either
party. Cyberattacks can also include the use of malware, a program whose name
is derived from the combination of the words “malicious” and “software;” such
programs can destroy the victim’s system software or hardware, or turn the
victim’s computer into a “zombie” system to be utilized in future attacks.
These methods of attack manifest themselves in a number of ways through dozens
of distinct denial-of-service attacks. The most common attacks known today are
flood attacks, logic/software attacks, mailbombing, permanent denial-of-service
(PDoS) attacks, accidental denial-of-service attacks, and distributed
denial-of-service (DDoS) attacks.
Flood attacks overload systems by
overwhelming them with irrelevant information or requests that tie up the
server so that legitimate user requests go unfulfilled. “Smurfing,” also known
as ICMP flooding, is one such type of attack that has commanded much attention
from both hackers and cybercrime experts alike. Smurf attacks shut down servers
by sending the victim’s IP network address to broadcasting computers, which in
turn “broadcast” the IP address to other computers, beginning a chain reaction.
These computers then respond by sending information packets back to the
victim’s IP, overloading the server. On the other hand, TCP SYN cyberattacks work
instead to overload a victim’s server by exploiting communication protocols.
The attacker sends information requests with a false “return address” to a
server, which unsuccessfully attempts to return contact until it times out.
These attempts clog the system in the meantime, rendering the server
unavailable to respond to other legitimate requests.
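As an added example (not code from the original article), the Python below applies the two descriptions above as detection logic over constructed flow records: a SYN flood shows up as many half-open handshakes from many forged source addresses against one target, and a smurf attack as a burst of echo replies reaching a host that never sent the requests. The record layout and thresholds are assumptions chosen for this illustration.

```python
from collections import defaultdict

# Constructed flow records: (time_s, src_ip, dst_ip, proto, kind)
# TCP kinds: "SYN" (handshake start), "ACK" (handshake completed by the client)
# ICMP kinds: "echo" (request), "reply"
SAMPLE_RECORDS = (
    # A legitimate, completed handshake to the web server 10.0.0.5
    [(0.0, "192.0.2.10", "10.0.0.5", "tcp", "SYN"),
     (0.1, "192.0.2.10", "10.0.0.5", "tcp", "ACK")]
    # A legitimate ping from 10.0.0.7 and its single reply
    + [(0.5, "10.0.0.7", "192.0.2.20", "icmp", "echo"),
       (0.6, "192.0.2.20", "10.0.0.7", "icmp", "reply")]
    # SYN flood: 300 SYNs from 250 forged source addresses, no handshake completes
    + [(1.0 + i * 0.01, f"203.0.113.{i % 250 + 1}", "10.0.0.5", "tcp", "SYN")
       for i in range(300)]
    # Smurf reflection: 200 echo replies from 200 hosts that 10.0.0.7 never pinged
    + [(2.0 + i * 0.001, f"198.51.100.{i % 200 + 1}", "10.0.0.7", "icmp", "reply")
       for i in range(200)]
)


def detect_syn_flood(records, window_s=10.0, min_half_open=100, min_sources=50):
    """Flag targets whose half-open handshakes (SYN seen, no ACK from the client)
    reach min_half_open within one window and come from at least min_sources
    distinct addresses, the signature of a spoofed-source SYN flood.
    Returns a list of (target_ip, half_open_count)."""
    syn_count = defaultdict(int)
    ack_count = defaultdict(int)
    syn_sources = defaultdict(set)
    for t, src, dst, proto, kind in records:
        if proto != "tcp":
            continue
        key = (int(t // window_s), dst)
        if kind == "SYN":
            syn_count[key] += 1
            syn_sources[key].add(src)
        elif kind == "ACK":
            ack_count[key] += 1
    alerts = []
    for key, syns in syn_count.items():
        half_open = syns - ack_count[key]
        if half_open >= min_half_open and len(syn_sources[key]) >= min_sources:
            alerts.append((key[1], half_open))
    return alerts


def detect_icmp_reflection(records, window_s=10.0, min_replies=100, min_sources=50):
    """Flag hosts that receive many echo replies from senders they never pinged
    within the window: replies amplified off a broadcast network and aimed at
    the forged source address. Returns a list of (victim_ip, unsolicited_count)."""
    pinged = defaultdict(set)      # (window, host) -> hosts it sent echo requests to
    replies = defaultdict(list)    # (window, host) -> sources of replies it received
    for t, src, dst, proto, kind in records:
        if proto != "icmp":
            continue
        w = int(t // window_s)
        if kind == "echo":
            pinged[(w, src)].add(dst)
        elif kind == "reply":
            replies[(w, dst)].append(src)
    alerts = []
    for (w, victim), sources in replies.items():
        unsolicited = [s for s in sources if s not in pinged[(w, victim)]]
        if len(unsolicited) >= min_replies and len(set(unsolicited)) >= min_sources:
            alerts.append((victim, len(unsolicited)))
    return alerts


if __name__ == "__main__":
    print("SYN flood targets:", detect_syn_flood(SAMPLE_RECORDS))
    print("ICMP reflection victims:", detect_icmp_reflection(SAMPLE_RECORDS))
```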
While flood attacks work to simply
overload a server or system, logic/software attacks force errors by
manipulating, and thereby breaking, communication protocols; these cyberattacks
are usually most effective on systems that have not kept their bug fixes up to
date. The “Ping of Death” attack is an example. This attack forces a system
shutdown when the attacker sends a group of pings that exceed the maximum size
allowed by the system. The inability of the system to reassemble the packets
forces an error that causes the system to crash. Teardrop attacks work much the
same way, sending malformed pings to the target server. The hacker manipulates
these packets of information so that they cannot be reassembled, and when the
target system attempts to do so, it forces a fatal error and crashes the
system.
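Both attacks just described rely on a receiver that trusts fragment offsets and lengths blindly. As an added example (not code from the original article), the following Python reassembler validates a fragment set before joining it, rejecting a total beyond the 65,535-byte IPv4 limit and overlapping offsets instead of crashing; the (offset, data, more_fragments) tuple form of a fragment is an assumption of this example.

```python
IPV4_MAX_DATAGRAM = 65535          # limit imposed by the 16-bit total-length field
IPV4_HEADER_LEN = 20               # minimal header, so the payload cannot exceed this
MAX_PAYLOAD = IPV4_MAX_DATAGRAM - IPV4_HEADER_LEN


def reassemble(fragments, max_payload=MAX_PAYLOAD):
    """Reassemble IPv4 fragment payloads defensively.

    fragments: list of (offset_bytes, data, more_fragments) tuples, where
    offset_bytes is the header's fragment offset already multiplied by 8 and
    more_fragments is the MF flag. Returns (payload, "ok") on success or
    (None, reason) when the set is malformed.
    """
    if not fragments:
        return None, "no fragments"
    frags = sorted(fragments, key=lambda f: f[0])
    expected_next = 0
    out = bytearray()
    last_index = len(frags) - 1
    for i, (offset, data, more) in enumerate(frags):
        end = offset + len(data)
        if offset % 8:
            return None, "fragment offset not a multiple of 8"
        if end > max_payload:
            # Ping of Death: the final fragment would push the datagram past 65535 bytes
            return None, "reassembled datagram exceeds IPv4 maximum"
        if offset < expected_next:
            # Teardrop: this fragment overlaps data that is already in place
            return None, "overlapping fragments"
        if offset > expected_next:
            return None, "missing fragment (gap before offset %d)" % offset
        if more == (i == last_index):
            # MF must be set on every fragment except the last one
            return None, "more-fragments flag inconsistent with position"
        if more and len(data) % 8:
            return None, "non-final fragment length not a multiple of 8"
        out += data
        expected_next = end
    return bytes(out), "ok"


# Constructed fragment sets (sample data, not captured traffic)
GOOD_SET = [(16, b"B" * 16, True), (0, b"A" * 16, True), (32, b"C" * 5, False)]
PING_OF_DEATH_SET = [(0, b"x" * 8, True), (65528, b"y" * 16, False)]
TEARDROP_SET = [(0, b"a" * 24, True), (8, b"b" * 8, False)]
GAP_SET = [(0, b"a" * 8, True), (16, b"b" * 4, False)]


if __name__ == "__main__":
    for name, frags in [("good", GOOD_SET), ("ping-of-death", PING_OF_DEATH_SET),
                        ("teardrop", TEARDROP_SET), ("gap", GAP_SET)]:
        payload, verdict = reassemble(frags)
        size = f" ({len(payload)} bytes)" if payload is not None else ""
        print(f"{name:14s} -> {verdict}{size}")
```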
Hackers can utilize both flood and logic/software attacks to disrupt an array
of systems, from websites to entire networks. Conversely, a “mailbombing”
attack is much more limited in scope since it only targets e-mail accounts and
servers. The attacker uses a tool to
send thousands of e-mails at a time to a single address, which renders the user
unable to receive e-mail until the excess has been deleted. Mailbombing attacks
were most effective in the late 1990s, when space allotted for e-mail inboxes
remained small. Today, popular e-mail clients, such as Yahoo! or Gmail, grant
their users an abundance of memory. This marked increase in storage capacity
has relegated the tactic of mailbombing to a simple nuisance, as opposed to a
tool of destruction.
Permanent denial-of-service attacks
cause significantly more damage. Known colloquially as “phlashing,” this type
of cyberattack is a relatively new phenomenon, first gaining significant press
coverage in May 2008. Unlike other denial-of-service attacks that generally
only cause service disruption, the permanent denial-of-service attack
effectively destroys system hardware; users must reinstall it in order to run
the system again. This cyberattack is carried out by a process known as
“bricking a system;” a hacker sends the targeted system false hardware updates
that, in turn, render the hardware in question completely useless. Although the
popularity of these attacks has yet to be determined, most experts anticipate
that hackers will resort to other denial-of-service attacks instead, as
bricking a system renders it unable to be utilized in subsequent attacks.
It is important to note that
denial-of-service attacks do not always occur intentionally. In 2006, the video
website YouTube was sued by Universal Tube & Rollform Equipment, a small
Ohio-based company, for initiating an accidental denial-of-service attack. As
YouTube became increasingly popular, thousands of users each day began
mistakenly logging onto utube.com, the website owned by the tubing company.
This accidental cyberattack invariably forced the company to purchase more
bandwidth, and Universal Tube & Rollform Equipment sued YouTube as a result.
Another such attack occurred on September 30, 2008, when the U.S. House of
Representatives failed to pass the $700 billion bailout plan. Millions of
Americans flooded the House website to get more information, and the sudden surge
in traffic brought the website down for several hours.
Distributed denial-of-service attacks
will receive special attention in this study as they served as the modus
operandi for the “hacktivists” who attacked Estonia’s Internet infrastructure
in April 2007. These particularly volatile attacks made use of the methods
discussed above on a large scale. When executing a distributed
denial-of-service attack, a hacker attacks a network or server through the use
of hundreds or thousands of “zombies,” computers whose security has been
compromised; this allows the hacker to silently take control of the target
without the owner’s knowledge. The hacker will often channel the attacks
through other associates, called “handlers,” in order to further masquerade his
or her identity. This use of intermediary computers in cybercrime presents a
two-fold problem. First, the use of intermediaries acts as a cloaking device
for the hacker, hampering law enforcement efforts to track him or her down
after an attack has been made. Second, by using intermediaries, hackers can
create a large-scale attack with little or no effort. The use of botnets,
entire networks of zombies that can be “rented” online, in the case of
Estonia’s 2007 Cyberwar is a prime example.
Denial-of-service attacks have
existed in different forms since the mid-1980s, but distributed
denial-of-service attacks first came into play as recently as 1999. The first
documented case involved a hacker who used a network of 227 zombie computers to
overload a single computer at the University of Minnesota. The system was
knocked offline for more than two days as a result. Since that time,
distributed denial-of-service attacks have been implemented to attack scores of
online retailers and resources including Buy.com, eBay, E*Trade, and CNN.
The 2007 Estonian Cyberwar: A Case Study
In April 2007, Estonia experienced
the world’s first cyberwar in the form of a three-week wave of distributed
denial-of-service attacks that crippled the country’s information technology
infrastructure. Although the Estonian Parliament’s decision to remove the
Bronze Soldier memorial from Tallinn’s main square served as the main
precipitating event, other factors contributed to the vulnerability of
Estonia’s sociopolitical landscape. The first involved the scores of
disaffected, disillusioned ethnic Russians who had been living within Estonia’s
borders since the end of World War II. During the 1944-1991 Soviet
occupation of Estonia, large groups of ethnic Russians moved into Estonian
territory in search of a better life. By the time the Soviet Union collapsed,
ethnic minorities comprised approximately 40 percent of the Estonian
population. Whereas the newly formed governments of Latvia and
Lithuania—Estonia’s two Baltic state neighbors—extended universal citizenship
to all people living within their borders (making great strides to integrate
these disparate ethnic groups into one cohesive populace), Estonia refused to
do so. Instead, the Estonian government insisted that all non-ethnic Estonians
be treated as foreigners, thus forcing any ethnic Russian desiring Estonian
citizenship to undergo naturalization. Instead of bringing people of all
different ethnicities together under the Estonian banner, this policy served as
a barrier to further solidify the division between ethnic Estonians and
Russians living within Estonian borders. This division, in turn, created an
unstable political situation that Russia would find easy to manipulate.
Whereas the civil unrest resonating
within Estonia’s minority population increased the likelihood of a politically
motivated attack, the heavy reliance of the Estonian population on the Internet
and online services provided a conspicuous vulnerability that could easily be
exploited. By 2007, Estonia had earned the reputation of being the “most wired
country in Europe.” This was not the case in 1991. At the time of the country’s
emergence after the collapse of the Soviet Union, only half of Estonia’s
population had access to a simple telephone line. The new Estonian government,
however, viewed this deficiency as an opportunity for growth; it passed
legislation, the first piece of which was known as “Principles of Estonian
Information Policy,” to devote a substantial portion of its budget each year
for research and development in the realm of information technology and
telecommunications.
The Estonian government’s investment
in technology paid great dividends to the country, including innovations that
resulted in the development of the software used to create Skype, a popular
communication program. Estonia also became the first country to offer worldwide
electronic voting to its citizens, a technology used in the 2005 Estonian
elections. By 2005, the Estonian government had integrated information
technology and the Internet into society to the point where an estimated 60
percent of the population relied on the Internet for “crucial” services every
single day. In addition to conducting over 96 percent of banking transactions
online, Estonians routinely use cell phone networks to pay for street parking.
While the Estonian government heavily financed research and development
(R&D) for telecommunications and other Internet-based services and
innovations, it did little to explore defensive protocols against any potential
cyberattacks that might occur. Estonia’s dependence on the Internet and its
lack of defensive protocols made its information technology system vulnerable
and easily exploitable.
The cyberattack took place at 10 p.m.
on April 26, 2007, as unknown attackers launched a full-scale cyberattack
against the Estonian government. The cyberattack remained relatively unnoticed
for the first twenty-four hours, but was discovered soon thereafter when
Estonian Minister of Defense Jaak Aaviksoo found himself unable to log onto the
prime minister’s Reform Party website. The hackers had targeted this site
first, subsequently spreading to other political party and government
websites, including the official site for the Estonian parliament. By the end
of the first week, the distributed denial-of-service attacks levied against
these sites had knocked them completely offline.
The following week, the list of
targets expanded to include major Estonian news publications. As the scale of
attacks grew larger, news sites were systematically knocked offline. When it
was discovered that most of the attacking zombie systems were located outside
the country, news editors throughout Estonia resorted to blocking all incoming
international traffic. The news media lamented the irony that their publications
could not inform the rest of the world of what was happening in their country,
as blocking international information requests was the only way to slow traffic
to a reasonable level in order to eventually restore their servers.
The cyberattacks continued in waves
for two weeks until May 9, the anniversary of the end of the European theatre
of World War II. At the stroke of midnight, Moscow time, Estonia witnessed its
heaviest attack yet—up to 4 million packets of information sent per second.
This time the hackers focused their efforts on the Estonian banking system. By
May 10, the cyberattacks had forced Hansabank, the nation’s largest bank and a
pioneer of many of Estonia’s IT developments in the 1990s, to shut down its
Internet-based operations. This was disastrous on three counts. First, it
ceased online banking capabilities for Estonians in a country where an
estimated 97 percent of all banking transactions occurred online; second, it
severed the connection between Hansabank and its ATMs throughout Estonia; and
third, it broke the connection between Hansabank and the rest of the world,
thus preventing Estonian debit cards from working outside of the country.
These cyberattacks wreaked extensive
havoc primarily due to their careful and methodical orchestration. The
cyberattacks that had begun on April 26 averaged about 1,000 packets on the
first day. By the second day, the attack rates averaged 2,000 packets per hour,
a rate that increased exponentially throughout the three weeks of attacks. May
9 marked the heaviest day of cyberattacks, averaging a rate of over 4 million
incoming packets of information per second at hundreds of targeted websites.
Hackers orchestrated these cyberattacks
through the use of weblogs, web journals, and Russian-language chat rooms;
attackers would post the times and dates of scheduled attacks, lists of
vulnerable Estonian sites, and even instructions on how to best carry out
distributed denial-of-service attacks against the Estonian information
infrastructure. Additionally, many of the attackers utilized botnets from all
over the world; the zombie computers commandeered in the attacks on Estonia
alone resided in over fifty countries, including the United States.
Over the course of three weeks,
targeted websites grew to number in the hundreds as government pages, banking
systems, news and media outlets, and sites of prominent Estonian universities
were systematically attacked and shut down. After vainly attempting to fend off
the waves of distributed denial-of-service attacks, the Estonian government
blocked all international traffic. In doing so, the government effectively cut
Estonia off from the rest of the world. Nonetheless, this drastic measure was met
with success as web traffic to target sites returned to a manageable load. On
May 19, the attacks stopped and the world’s first cyberwar came to an end.
At this point, the Estonian
government, the North Atlantic Treaty Organization (NATO), and the West began
to ask questions—specifically regarding who was responsible for orchestrating
the attacks. The Estonian government immediately accused the Russian government
for several reasons. First and foremost, the Russian government had publicly
denounced Estonia’s decision to remove the Bronze Soldier memorial. In addition
to calling for the Estonian government’s resignation, it was rumored that the
Russian government helped to instigate the street riots that took place in
Tallinn upon the monument’s removal. The cyberattacks could have simply served
as a “second wave” attack on the part of the Russian government in order to
promote further instability within the region. Second, the Estonian government
successfully traced one of the attacks back to an IP address owned by a member
of the Russian government. The Russian government vehemently denied any
involvement in the matter; it was later exonerated when the computer in
question was found to have been a zombie acting at the will of another unknown
attacker. To date, questions remain as to how much of an enabling role the
Russian government played in the attacks.
It is now known that the attackers
who waged cyberwarfare on Estonia acted on their own initiative, primarily as a
form of political protest. These “hacktivists” turned out to be a combination
of experienced hackers who would contract out their own botnets or write their
own malicious programs, and “script kids” who were, by and large, individual
novice hackers who attacked Estonian target sites by following “how-to” guides
found on various hacker websites. The disparate nature of the attackers made
them, in turn, difficult to track. In January of 2008, the Estonian government
successfully traced and indicted one of the attackers, Dmitri Galushkevich, an
ethnic Russian student residing in Estonia. Galushkevich had used his laptop to
take part in the denial-of-service attacks targeting the Reform Party website,
successfully taking it offline for ten days. Galushkevich pled guilty, claiming
that he took part in the attacks to protest the removal of the Bronze Soldier,
and was fined 17,500 kroons, an amount roughly equivalent to U.S. $1,635. To
date, the Estonian government has made no subsequent arrests.
The lack of arrests should not be
taken as an indicator of apathy or impotence on the part of the Estonian
government. On the contrary, several major strides have been taken both on the
part of the Estonian government and NATO as a whole to increase awareness of
cyber-related vulnerabilities and the necessity of instituting safeguards for
information infrastructure in response to the attacks. NATO reacted quickly to
the news of attacks on Estonia by sending several key cyberterrorism experts
into the country to assess the situation and assist the government in
curtailing the damage wrought by the events that transpired in April and May.
NATO also passed legislation to open the Co-operative Cyber Defense Center of
Excellence (CCD COE) in Tallinn to conduct cyberterrorism response research and
establish a standard protocol for responding to a cyberattack; the center was
approved in May 2008, and it opened the following August.
All You Need To Know About Ransomware
Currently, there is one category of malware that is becoming increasingly
popular, called “ransomware.” In this blog post, we will discuss what
ransomware is and what strategies and techniques are used in creating and
propagating this latest trend in internet crime.
What Is Ransomware And What Does It Do?
Ransomware is a category of malware
which disables the functionality of your computer by restricting your access to
it in some way. Then, it demands a ransom to be paid to the malware author to
restore the system’s functionality. The ransomware program usually locks a
computer and displays various law enforcement images to intimidate and extort
money from victims. In addition to locking you out of your computer, some
ransomware will encrypt and hide your personal files so that you no longer have
access to them.
A Little Background
Ransomware is not a new phenomenon. The first instance of ransomware appeared
back in 1989 and was known as the PC Cyborg Trojan (also known as the AIDS Info
Disk). The infamous Trojan
replaced the autoexec.bat file on the infected machine and would count the
number of times a computer had booted. Once the system’s boot count reached 90,
the Trojan would hide directories and change all of the filenames on the drive
C:\, making the system unusable. To restore the system’s functionality, the
Trojan demanded that the user pay $189 to the "PC Cyborg
Corporation." Although ransomware is not new, it has drastically increased
since 2005. Ransomware attacks were initially popular in Russia, but over the
past few years, the number of ransomware attacks has been increasing worldwide.
Ways Ransomware Gets Into Your Computer (Delivery Methods)
Ransomware can infect your computer
in the same way as most other malware. Some of the most common ways your
computer can become infected with ransomware are:
• Drive-by download: This is the most common way for
ransomware to get into your computer. All it takes is for you to visit a
malicious or compromised website, click on a malicious advertisement/link, or
open a malicious attachment for your computer to be infected.
• Exploiting program vulnerability: Just like any other malicious program, ransomware can exploit
security vulnerabilities on your computer's operating system or in a program
(such as a web browser) that has been installed on your computer.
Popular Ransomware Variants (Infection Methods)
As mentioned above, there are many
variants of ransomware out there, but it can be loosely classified into four
categories:
1. SMS Ransomware: This type of ransomware locks your computer and displays a
ransom message with a code. To unlock your computer, you are instructed to send
the code via text message to a premium-rate SMS number to receive the
corresponding code to unlock it.
2. Winlocker: This variant of ransomware also locks your computer, but it
displays a more intimidating ransom message which appears to be from your local
law enforcement agency. Unlike SMS ransomware, this particular kind instructs
you to pay through an online payment system such as Ukash, Paysafecard, or
Moneypak.
3. File Encryptors: This kind of ransomware can encrypt your personal files and
folders using complex encryption algorithms to make your computer’s data
unusable. The malware author then demands that you pay for the decryption key
using one of the online payment systems mentioned above. The ransomware often
leaves a file (or a “ransom note”) on the victim’s machine with payment
instructions. This type of ransomware may or may not lock your screen.
4. MBR Ransomware: This is another popular variant of ransomware, but it goes one
step farther than the other three types mentioned above in terms of how the
computer is locked. MBR ransomware changes your computer's Master Boot Record
(MBR) and interrupts the normal boot process. The MBR sits at the very start of
your computer's hard drive and is what allows the operating system to load and
boot. When this ransomware strikes, the ransom message is displayed as soon as
the computer is turned on, meaning that you do not get the chance to load the
operating system to remove the infection and repair your system.
MBR Ransomware may look scary, but
this type of infection can easily be removed. The ransom message often says
that the files have been encrypted, but in reality, they are not.
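Because the MBR is a fixed 512-byte structure, an examiner can check whether it has been tampered with by parsing it and comparing the boot-code area against a hash taken from a known-good installation. The script below is an added example for this post, not a tool from the original article: the MBR bytes, the placeholder boot code and the "tampered" copy are all constructed inline, and the baseline hash is simply taken from the clean sample.

```python
"""Parse a 512-byte Master Boot Record and compare its boot code with a
known-good baseline.  Added example for this post, not a tool from the
original article; the MBR bytes below are constructed for the demo."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0-445: boot code
PART_TABLE_OFF = 446           # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 must be 0x55AA
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(boot_code=b"\xfa\x33\xc0\x8e\xd0", part_type=0x07):
    """Construct a minimal MBR: placeholder boot code padded to 446 bytes, one
    active NTFS-type partition starting at LBA 2048, three empty entries,
    and the boot signature."""
    code = (boot_code + b"\x00" * BOOT_CODE_LEN)[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", part_type,
                        b"\x00\x00\x00", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

def parse_mbr(mbr):
    """Return the boot-signature check, a hash of the boot-code area and the
    non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def check_against_baseline(mbr, baseline_boot_hash):
    """List the findings that would make an examiner suspect a tampered MBR."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print("clean:", check_against_baseline(clean, baseline))
    # Constructed tampered copy: different bytes in the boot-code area only;
    # the partition table and signature are untouched, as with real MBR lockers.
    tampered = build_sample_mbr(boot_code=b"\xeb\xfe")
    print("tampered:", check_against_baseline(tampered, baseline))
```

In an investigation the 512 bytes come from the acquired disk image rather than the live machine (reading the raw disk on a running Windows system needs administrator rights), and the baseline hash is taken from the same operating system's standard boot code. A mismatch on the boot code with an intact partition table is exactly the pattern described above: the disk's data is still there, only the code that runs before the operating system has been replaced.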
How It Works
Ransomware is a profitable criminal business, and its success lies in the way it functions. The whole ransomware scheme works by scaring victims: it invokes law enforcement agencies and makes threats of punishment and imprisonment. To make their attack seem authentic, the ransomware authors use law enforcement logos and geo-specific services to determine the location of the computer using command and control (C&C) servers. C&C servers are centralized servers used by cybercriminals to control infected machines remotely by sending commands and receiving outputs (data) from the machines. When certain types of ransomware strike your computer, they determine which country you are in and send that data to the C&C server. The server responds with images to be used to lock the screen. These images include text written in the local language and logos from local law enforcement agencies.
How To Protect Your Computer Against Ransomware
The ways to protect your computer
from ransomware are similar to the ways to protect your computer from any kind
of malware. Here are a few rules to remember to avoid malware attacks:
1. Always back up your data: Whether it’s a ransomware or any other malware attack, there’s always a possibility of losing your data. Back up your data on a regular basis and keep those backups in a secure place away from your computer so that you can restore them in the event of data loss.
2. Think before you click: Do not open email attachments that you were not expecting or
click on links on suspicious websites. If you see an email from a company that
is trying to get you to open an attachment to receive something like money or a
parcel, ignore that email because it may be an attempt to get you to install
bad software.
3. Secure your PC: Make sure your computer is protected with
anti-virus/anti-malware software.
4. Stay up-to-date: Make sure that all of your security programs, operating
systems and other applications are up-to-date. Also, make sure that automatic
updating is turned on.
5. Don’t pay: If you believe that you are a victim of a ransomware attack,
do not panic and, more importantly, do not pay. Even if you make the payment,
there is no guarantee that your computer’s functionality or its data will be
restored. Instead, contact your local cyber law enforcement agency.
Also, please remember that
ransomware, or any other malware for that matter, is not limited to computers
or Windows. For all around security, ensure that you keep all of your devices
protected.
How do credit cards get misused?
Credit-card transactions are convenient, quick and hassle-free. But they expose users to a darker side, too. There are two sides to a coin. Along with the benefits attached to plastic money (convenience and credit) there are lots of dangers lurking around for card users. Credit card frauds have increased since 2000 and fraudsters work on new ways and means to misuse credit cards. During the last few years there has been an increase in online fraud of global scope and geometrically increasing proportions. There are now companies that specialize in spam and other illegal marketing techniques, like ‘Phishing’ and ‘Hacking’, that take every opportunity to make a few pennies. Even though their net income per person is minuscule, it becomes significant when multiplied by hundreds of thousands or even millions. Added to this threat are the many amateur fraud artists around the world who trawl the internet for credit card and financial information to use for fraudulent purposes. Finally, identity thieves are reaping high rewards at the expense of both the target and the online retailer.
Types of credit card frauds
Stolen card fraud
When a holder loses his/her credit card, it is possible for the thief to make unauthorized purchases on that card until the card is cancelled. A thief can potentially purchase thousands of dollars in merchandise or services before the card holder or the bank realizes that the card is in the wrong hands. Self-service payment systems such as gas stations are also highly prone to accepting a stolen credit card, as there is no verification of the card holder’s identity; however, many stations are trying to prevent this by adding a check requiring the user to key in a zip code. The zip code must match the code registered to the credit card or the transaction will fail.
Account takeover fraud
Fraud perpetrators call in and impersonate actual cardholders using stolen personal information. They have the address and other information of the cardholder changed to an address they control. Additional cards and possibly PIN mailers are requested and issued to the new address and used by the fraudsters to make purchases and/or obtain cash advances.
Sometimes the fraudster will
attempt to add themselves or an alias that they control as an authorized user
to the account in order to make it easier to commit the fraud.
Credit card mail order fraud
Using a stolen credit card number, or a computer-generated card number, a thief will order goods. This type of fraud is now known as “Card Not Present” (CNP), referring to card transactions that are requested by mail, telephone or over the Internet when the cardholder is not present at the point of sale. VISA points out that CNP merchants must take extra precautions against fraud exposure and associated losses. Anonymous scam artists bet on the fact that many fraud prevention features do not apply in this environment. 3-D Secure is an authentication protocol developed by Visa and MasterCard to protect online card payments, in which the card owner has to register with the issuing bank.
Skimming
Skimming is the theft of credit card information by a dishonest employee of a legitimate merchant, manually copying down numbers, or using a magnetic stripe reader on a pocket-sized electronic device. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim’s credit card, removed from the victim’s immediate view. The skimmer will typically use a small keypad to unobtrusively transcribe the 3- or 4-digit card security code, which is not present on the magnetic stripe.
Many instances of skimming have been reported where the perpetrator has put a device over the card slot of a public cash machine (automated teller machine), which reads the magnetic stripe as the user unknowingly passes their card through it. These devices are often used in conjunction with a pinhole camera to read the user’s PIN at the same time.
To prevent this type of fraud, cards in countries such as the UK are issued featuring a smart chip with public key encryption. The chip cannot be copied, but the card number, expiry date and security code can be, and this set of data is often sufficient to use the victim’s credit account for fraudulent purposes with so-called “card not present” transactions, e.g. manual input over the telephone or internet.
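The two skimming passages above turn on which card details exist where: the magnetic stripe carries the card number (PAN), expiry and service code but not the printed security code, and a merchant that stores or logs the PAN in clear hands a CNP fraudster the data set just described. The script below is an added example for this post, not code from the original article or from any card scheme: it parses a constructed Track 2 string to show exactly which fields the stripe holds, validates the PAN with the Luhn check that every real card number satisfies, and masks PANs before they reach a log. The card number used is the standard 4111 1111 1111 1111 test number, and the track data and log line are constructed.

```python
"""Luhn validation, Track 2 field parsing and PAN masking for systems that
handle card data.  Added example for this post, not from the original
article; the PAN (4111 1111 1111 1111) is a standard test number and the
track data and log lines are constructed."""
import re

def luhn_valid(pan):
    """Luhn mod-10 check; a quick way to tell a real PAN from a random digit run."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:               # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# ISO 7813 Track 2: start sentinel, PAN, field separator, YYMM, service code,
# discretionary data, end sentinel.  Nothing here is the printed CVV2/CVC2.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def parse_track2(track):
    """Split a Track 2 string into the fields the magnetic stripe carries."""
    m = TRACK2_RE.fullmatch(track)
    if not m:
        raise ValueError("not a Track 2 string")
    pan, yy, mm, service, discretionary = m.groups()
    return {"pan": pan, "expiry": f"{mm}/{yy}", "service_code": service,
            "discretionary": discretionary}

def mask_pan(pan):
    """Keep at most the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")

def redact_pans(text):
    """Mask any Luhn-valid 13-19 digit run before the line is written to a log,
    so a leaked log file does not hand out a ready-made CNP data set."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), text)

if __name__ == "__main__":
    fields = parse_track2(";4111111111111111=2512101000000?")   # constructed
    print({k: (mask_pan(v) if k == "pan" else v) for k, v in fields.items()})
    print(redact_pans("order 42 card 4111111111111111 approved"))  # constructed
```

The Luhn test is only a format check, not proof that a card exists, which is why the redaction step uses it: it keeps order numbers and timestamps readable while masking anything that could be a PAN. The parsed Track 2 fields are the complete picture of what a stripe reader captures, which is the reason the page's skimmer still has to copy the security code separately.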
Former PwC employee charged over leaked tax documents
Reuters | Dec 13, 2014, 09.12PM IST
A Luxembourg judge has charged a
former PricewaterhouseCoopers employee suspected of leaking documents about
secret corporate tax deals with theft and giving away business secrets.
BRUSSELS:
A Luxembourg judge has charged a former PricewaterhouseCoopers employee suspected of leaking documents about secret corporate
tax deals with theft and giving away business secrets, the Luxembourg public
prosecutor's office said on Saturday.
It said in a statement an examining
magistrate had also charged the unidentified person on Friday with breaching
professional confidentiality and fraudulent access to a computerised data
system.
The accused is suspected of
stealing thousands of pages of documents on secret corporate tax dealings that
were given to journalists, according to a source familiar with the case.
He was also charged with
money-laundering but the prosecutor's office gave no detail of that allegation.
PwC Luxembourg could not
immediately be reached for comment.
Luxembourg prosecutors opened an
investigation into what has become known as the Luxleaks affair after PwC filed
a complaint in June 2012.
The International Consortium of
Investigative Journalists (ICIJ) said in November that more than 300 companies
had secured secret deals from Luxembourg to slash their tax bills. It quoted
leaked documents, many relating to clients of the Luxembourg branch of PwC, a
leading tax adviser.
The group of investigative
journalists said the companies appeared to have channeled hundreds of billions
of dollars through Luxembourg and saved billions of dollars in taxes, based on
a review of nearly 28,000 pages of confidential documents.
Luxembourg's finance ministry has
said its system for issuing advance rulings to companies, outlining how the tax
authority would treat their transactions, was "compliant with
international and national law".
Another report by the ICIJ this
week said Walt Disney Co , commodities group Koch Industries and others agreed
deals in Luxembourg that could have delivered huge tax savings.
A Koch spokesman said Koch companies paid taxes in accordance with applicable laws. Disney spokeswoman Zenia Mucha said the ICIJ report was deliberately misleading.
Hackers vs James Bond: 'Spectre' script stolen in Sony attack
Dec 14, 2014, 02.24PM IST Reuters
James Bond films' producers said that an early version of the "SPECTRE" script was among materials stolen and made public by hackers.
LOS ANGELES: Early villains have emerged in the
next James Bond film 'Spectre': hackers who stole a version of the screenplay
as part of a devastating cyberattack on Sony Pictures.
Producers of the James Bond films said they learned
on Saturday morning that an early version of the 'Spectre' script was among
material stolen and made public by hackers who infiltrated computers at the
Sony studio.
"Eon Productions is concerned that third
parties who have received the stolen screenplay may seek to publish it or its
contents," Eon said in a statement, while warning that the script is
protected by U.K. copyright laws.
'Spectre', starring Daniel Craig as 007, is set for
release on Nov. 6, 2015. Filming began this month after producer Barbara
Broccoli and director Sam Mendes unveiled the title, cast and new car, but
little about the plot.
"I was so excited to tell this story but to
explain why, I would have to tell you the plot and I can't do that," said
Mendes at the presentation in England, a reminder of Sony's might in the movie
world.
The Bond franchise is one of the most lucrative for
Sony Pictures and the last installment 'Skyfall' brought in $1.1 billion
worldwide, more than any other Bond film.
A Sony spokesman said news reports that the cyberattack forced the studio to stop production on films, including 'Spectre', were wrong.
"Productions are still moving forward,"
Robert Lawson told Reuters.
Hackers launched an attack on the Sony Corp.
entertainment arm on Nov. 24, disabling the computer network and stealing and
leaking a trove of sensitive information in the most severe cyberattack on a
company on U.S. soil. The identity of the hackers has yet to be determined.
Many still careless when making online transactions, Kaspersky Lab survey shows
Dec 8, 2014, 03.36PM IST TNN [Dileep Athavale]
PUNE: A survey conducted by Kaspersky Lab and B2B International showed that nearly a third of those who use computers to make online financial transactions are still careless when making such transactions. This not only puts their own cash at risk, but also poses problems for banks and e-payment systems if they have to refund their clients' losses, the survey pointed out.
To keep the dangers to a minimum, all parties
involved in an online transaction should take adequate security measures,
Kaspersky said.
Cybercriminals are not only interested in bank card
numbers: login credentials for online banking and e-payment accounts are also
firmly in their sights. Yet 31% of respondents admitted they paid little
attention to the security levels of the sites where they enter their personal
or financial data. One user in five takes no steps to protect the passwords
used to access these sensitive resources. 16% confidently declared that
"cybercrime in which money is taken is a rare occurrence and is unlikely
to happen to me".
30% of respondents store financial data on devices with Internet access. This would not be so risky if they always took care to use special programs for secure data storage. Unfortunately, they don't. For example, only 58% of Android smartphones have a security solution installed. Worse still, 31% of smartphones and 41% of Android tablets do not even have such basic protection as setting a password to unlock the device before use.
Almost half of users faced attempts to steal their money online, Kaspersky Lab reports
Dec 13, 2014, 07.15PM IST TNN [Neha Madaan]
PUNE: According to a survey carried out jointly by Kaspersky Lab and B2B International over a one-year period, almost half of the users who responded faced online threats involving attempted money theft.
Non-financial cyber-attacks can result in
unforeseen expenses as well. A statement issued by Kaspersky Lab said that
cybercriminals obtain valuable user data through a variety of methods. The
quickest way of digging into users' wallets is to gain access to their accounts
for payment systems, online banking or online shops that store bank card data.
"There are numerous techniques to collect this information, including
phishing pages, which imitate the official websites of the relevant
institutions, malware that collects logins and passwords as users enter them on
their devices, and many more," the statement said.
According to the survey, 43% of users faced
financial cyber-attacks during the past year, with 5% of respondents reportedly
losing money as a result. This proportion is significantly higher (9%) among
active users of Android tablets.
When explaining how they lost the money, 16% of
respondents stated that hackers had stolen their money by gaining access to
their payment services accounts, 11% believed they had fallen for fraudsters'
tricks and entered their credentials on a fake website and 7% were sure that
their logins and passwords had been intercepted by malware. The average amount
stolen from each user was $218, but one victim in five lost over $1,000 to this
type of online fraud.
Arrest of Mumbai girls over Facebook comment was abuse of power: Centre
Dec 10, 2014, 02.11AM IST TNN
Two girls, Shaheen Dhada and Rinu Srinivasan, were arrested on November 19 on the complaint of a member of Shiv Sena's Palghar unit. The Sainik took offence at Dhada's harmless post on Facebook lamenting the region-wide shutdown following Bal Thackeray's death.
NEW DELHI: The Union government for the first time conceded before the Supreme Court on Tuesday that it was abuse of power under Section 66A of the Information Technology Act to arrest two Mumbai-based girls for Facebook posts criticizing the shutdown of the city on November 18, 2012 for Shiv Sena chief Bal Thackeray's funeral.
Additional solicitor general Tushar Mehta said,
"Individual cases cited in these petitions were aberrations showing abuse
of power." However, he submitted a list of action taken under Section 66A
to justify its existence on statute book.
A bench of Justices J Chelameswar and S A Bobde said, "The abuse in these cases was so egregious to start with."
The SC had taken strong exception to the arrest of the girls, Shaheen Dadha and Renu Srinivasan, after a PIL filed by Shreya Singhal also cited several other incidents of similar abuse of power under Section 66A to challenge its constitutional validity.
Shreya had also referred to an April 2012 incident, when a chemistry professor from Jadavpur University in West Bengal, Ambikesh Mahapatra, was arrested for posting a cartoon concerning a political figure (West Bengal chief minister Mamata Banerjee) on social networking sites.
She also referred to the arrest of businessman Ravi
Srinivasan in October 2012 by the Puducherry police for having made allegations
on Twitter against a politician from Tamil Nadu as well as the May 2012 arrests
of Air India employees V Jaganatharao and Mayank Sharma by Mumbai Police for
posting contents on Facebook and Orkut against a trade union leader and some
politicians.
IT Forensics and Digital Methods for Investigations:
Computer Forensics encompasses the process, methods, techniques and tools for investigating frauds and crimes both in the real world and the cyber world. In fact, with the proliferation of Information Technology, computers are around us everywhere. We use them in our daily lives to communicate, interact, lead our personal lives and manage our business, industry and services. Our infrastructure, our governance, even our health care and legal systems rely heavily on IT.
With the proliferation of, use of and dependence on information technology, the use of paper documents and evidence as we knew it has become much less common, and digital records and evidence have gained prominence. This has led to the increasing use and importance of computer forensics.
Digital forensics is the use of scientific methods for the identification, preservation, extraction and documentation of digital evidence derived from digital sources to enable successful prosecution.
• Silent in nature: Computer frauds and crimes can be committed in privacy without physically reaching the scene of the crime, i.e. there are no eyewitnesses. There are no signs of physical violence or struggle.
• Global in character: There are no national borders. Sitting comfortably far away from a country, one could destroy that country's entire economy. As digital evidence is fragile in nature, one has to respond quickly.
• Non-existence of physical evidence: There is no physical evidence to indicate that a crime has been committed. Only on a closer look can a trained person find the evidence, which is not in the traditional format but in digital format.
Fraud operators, like other criminals, are always among the first to appreciate the potential of a new technology. Hence, as professionals, it becomes imperative that we also understand the technology and upgrade ourselves to help reduce the scope and impact of frauds and crimes in an IT setting.
What is Forensics?
“Assaying the correspondence (or otherwise) of actual events, episodes and happenings & conformance of forensic approaches (tools and techniques) used with established criteria to provide improved information to deliver justice in accordance with criminal jurisprudence.”
Forensics covers:
• Determining potential / committed abuse.
• Establishing the fact of abuse.
• Preservation of the proof – by adducing reliable external evidence.
• Presentation of the evidence and findings in a manner required by courts / public enquiries.
The digital forensic examiner has to follow the digital forensic process in order for evidence to be admissible in a court of law. The four phases are acquisition, examination, analysis and reporting.
The process is common to different fields including mobile and network forensics. The process is used in investigations and has gained recognition in science.
The
acquisition phase describes how data will be acquired from different types of
digital information sources. Data has to be acquired in a manner that maintains
its integrity and authenticity. The different methods and tools for acquiring
data are covered in detail.
The examination phase covers analysis of:
• Physical media
• Media management
• File system analysis
• Application analysis
• Network analysis
• Memory analysis
The analysis phase describes how the data is processed. A hash analysis search can be conducted using hashing tools. By comparing hash values, investigators can exclude large numbers of files that have no value to the case; the comparison is made between the fingerprint (hash) values in a reference set and the hash values of the data being examined.
This covers the following techniques:
• Recovering deleted files
• Production of time stamps and other metadata
• Removing known files
• File signature verification
• String searching and file fragments
• Web activity reconstruction
• Email activity reconstruction
• Registry activity reconstruction
• Analyzing unknown files
• Software-assisted analysis
• Alternate data streams
• Live forensics
• Self-organizing maps
• Recovering hidden files
• Geo-location
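Three of the steps above (acquiring data in a way that preserves its integrity, removing known files by hash comparison, and file signature verification) fit together in one small triage routine. The script below is an added example for this post, not the blog's or any vendor's tooling: it copies a constructed evidence set and proves the copy matches by hashing both sides, excludes files whose SHA-256 appears in a "known file" set (here a one-entry set built inline, standing in for a reference library such as NSRL), and flags files whose extension disagrees with their magic number, the way an executable renamed to .pdf would.

```python
"""Forensic triage helpers: verified acquisition, hash-based exclusion of
known files and file-signature (magic number) verification.  Added example
for this post, not the blog's own tooling; the evidence files and the
"known file" hash set are constructed here and stand in for a real
reference library such as NSRL."""
import hashlib
import os
import shutil
import tempfile

# Magic numbers (first bytes) of a few common formats.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
}

def sha256_file(path, chunk=1 << 16):
    """Stream the file so large evidence items never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(src, dst):
    """Copy one item and prove the copy is bit-for-bit identical by hashing
    source and destination; the hash pair belongs in the chain-of-custody notes."""
    shutil.copyfile(src, dst)
    src_hash = sha256_file(src)
    return src_hash, src_hash == sha256_file(dst)

def acquire_case(case_dir):
    """Copy every item in case_dir to a fresh work directory; all later
    analysis runs on the copy so the original stays untouched."""
    work = tempfile.mkdtemp(prefix="work_")
    results = {}
    for name in sorted(os.listdir(case_dir)):
        results[name] = acquire(os.path.join(case_dir, name), os.path.join(work, name))
    return work, results

def signature_matches(path):
    """Return (claimed_type, detected_type, ok).  Only formats in MAGIC are
    checked; an .exe renamed to .pdf is the classic mismatch."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as f:
        head = f.read(16)
    detected = next((t for t, magic in MAGIC.items() if head.startswith(magic)), None)
    return ext, detected, detected is None or detected == ext

def triage(directory, known_hashes):
    """Exclude files whose hash is in the known set (stock OS/application
    files), queue the rest for review and flag signature mismatches."""
    excluded, review, mismatch = [], [], []
    for root, _, names in os.walk(directory):
        for name in sorted(names):
            path = os.path.join(root, name)
            if sha256_file(path) in known_hashes:
                excluded.append(name)
                continue
            review.append(name)
            if not signature_matches(path)[2]:
                mismatch.append(name)
    return {"excluded": excluded, "review": review, "mismatch": mismatch}

def build_sample_case():
    """Constructed evidence set: a 'stock' binary that is in the known-file
    set, an ordinary PDF, and an executable disguised as a PDF."""
    case = tempfile.mkdtemp(prefix="case_")
    files = {
        "notepad.exe": b"MZ" + b"\x90" * 64,          # stands in for a stock OS binary
        "invoice.pdf": b"%PDF-1.4\n%constructed\n",   # not in the known set
        "report.pdf": b"MZ" + b"\x00" * 32,           # .exe renamed to .pdf
    }
    for name, data in files.items():
        with open(os.path.join(case, name), "wb") as f:
            f.write(data)
    known = {hashlib.sha256(files["notepad.exe"]).hexdigest()}
    return case, known

if __name__ == "__main__":
    case_dir, known = build_sample_case()
    work_dir, acquired = acquire_case(case_dir)
    print("acquisition verified:", all(ok for _, ok in acquired.values()))
    print(triage(work_dir, known))
```

The ordering matters: hashing happens before any other inspection so the hash values recorded are those of the untouched copy, and the known-file exclusion runs first because on a real disk it removes the bulk of the files before the slower per-file checks. A file that is excluded by hash is never signature-checked; a file that survives exclusion and also fails the signature check is the one to open first.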
The reporting phase covers compilation and presentation of the data in the form of a case report which covers and provides case information based on agreed goals and additional goals of the investigation. An example is given below.
Based on Case Goals – Required information:
• Keywords / mail domains for email analysis
• Keywords for document identification
• Documents located
• System images
– Beneficial information:
• Full case background or timeline of events
• Work-product names / external associated names
• Specific dates and times
Computer Evidence...
...is like any other evidence, it must be:
• admissible
• authentic
• accurate
• complete
• convincing to juries
The most common tools used are:
Forensic Replicators – replicate the hard disk of the suspect without altering a single bit of data and without the system being switched on. The original can be sealed and protected as evidence. The copy is manipulated using search techniques to trace missing, lost and deleted files to reconstruct the criminal / fraudulent act.
Case Agent Tools – these provide the following functions:
• captured data can be fed into a case agent tool for review
• powerful viewing and searching options for easy use
• complete analysis, bookmarking and note-taking functions
• final report generated for a proper presentation and closing of the case.
It is only through the practice of preventive rather than reactive techniques that forensics will become visibly effective and credible.
The key issues are awareness of the human element, the organization’s behavior, knowledge of the system and of the technology in use and expected to be used, knowledge of crimes and fraud, of evidence and of the standard of proof, the potential for crimes and fraud, and appreciation of the so-called clues and flags.
Fraud Prevention Measures
It is often said that prevention is better than cure. This is very much applicable to fraud and crime. The genesis of fraud is based on the fraud triangle comprising opportunity, rationalization and motivation or pressure.
Most organizations have internal controls and procedures / processes in place to prevent frauds. But these focus on only one vertex of the triangle, viz. opportunity. This leaves the other two open. A comprehensive anti-fraud policy promotes ethical values in an organization and deters fraud by reducing the motivation and pressure to commit frauds.
Such a policy framework is based on promoting transparency, creating awareness and education, and takes the help of techniques like whistle blowing, hotlines and others.
Key elements of effective fraud prevention include:
• a robust Fraud Policy and Code of Conduct;
• sound fraud risk management processes;
• a comprehensive fraud control plan;
• prudent employee, and third party, due diligence;
• regular fraud awareness training;
• fraud-related controls for activities with a high fraud risk exposure;
• system controls to ensure accurate and up-to-date data; and
• communication about investigation outcomes to demonstrate that allegations and incidences of fraud are serious and appropriately dealt with.
Anti-fraud policy – An anti-fraud policy (sometimes called a ‘fraud policy statement’) outlines an organisation’s attitude to, and position on, fraud and sets out responsibilities for its prevention and detection.
Whistle
blower policy – It is a good practice to put a whistleblower protection policy
in place to encourage people to bring their concerns forward without fear of
retaliation. Organizations that encourage complaints by having an “open door”
policy and have a standard of “no retaliation” for raising concerns are
considered more transparent. These organizations will be in a better position
to address all concerns, whether they are about fraudulent accounting
practices, unsafe conditions, or alleged discrimination.
Hotline – a safe, effective and confidential mode of communication to enable persons to report fraud and voice concerns to management.
Other measures – employee screening, customer screening, random checks and audits, mystery shopping, segregation of duties and rotation of staff, compulsory leave, etc.
An effective use of both preventive and detective techniques will better enable us as chartered accountants to provide an effective counter to the growing fraud menace and help organizations minimize their fraud losses.