Cyber Crime Case Studies

Case 1: Sony PlayStation Network Attack

By: Khadija tul Qubra

In 2011, Sony's PlayStation Network was hacked by an anonymous group of hackers called LulzSec. Sony shut down its online services between April and May to secure the breach. The data and personal information of more than 70 million users were put at risk by this attack. It was the largest identity theft on record (Gaudiosi, 2014).


This attack was successful because passwords were not stored in hashed form. Hashing allows a system to check that a password is correct while keeping the password itself secret. Sony's siloed organizational structure was also responsible for the attack. The company needs better sharing of security practices across the organization to avoid security breaches (Gaudiosi, 2014).


Sony responded to the attack by shutting down the system to resolve the issue. The attack cost Sony 171 million in legal costs, a welcome-back campaign and various other costs (Vanderbug, n.d.). Sony worked with law enforcement and a recognized technology security firm to conduct an investigation (Seybold, 2011). After monitoring, the forensic team revealed that about nine or ten servers were compromised (Takahashi, 2011).

Case 2: Hacker hacks into financial website

By: Shahad Maddah

Mumbai police have arrested a hacker named Kalpesh for hacking into a financial website. The hacker could not break into the main server of the financial institution, which the institution had secured well. The accused was, however, able to make some additions to the home page of the financial website and added a string of text to the news module of the home page. Police were able to crack the case by following the trail left by the hacker on the institution's web server. The financial institution maintained a separate server for online financial transactions, for which it had taken the utmost security measures. The website was hosted on a different server, which had comparatively lesser security.


The hacker, Kalpesh, is a 23-year-old tenth-pass youth. He has done computer courses such as CCNA and MCSE. He is, however, a computer addict. He sits in front of the computer for almost 16 to 20 times every day. He has mostly used ready-made hacking tools to hack into websites. He goes to a particular site on the web which helps him to see the entire directory structure of that website. Then, using various techniques, such as obtaining a password file, he gets into the head's shoes and hacks the website. A case has been registered against the hacker under section 67 of Data Innovation Act – 2000 and under various sections of Indian Correctional Code.

Case 3: Conviction in India

By: Shaima Albugami

In May 2002, a boy named Arif Azim ordered a Sony Colour Television set and a cordless headphone. He used a lady's credit card number to make the payment. A lady gave her credit card number for payment and requested that the products be delivered to Arif Azim in Noida. The transaction was processed and the payment was duly cleared by the credit card agency. After checking everything, the company delivered the items to Arif Azim.


At the time of delivery, the company took digital photographs showing the delivery being accepted by Arif Azim. No one noticed anything at that time. However, after one and a half months the real owner denied having made the purchase. Therefore, the credit card agency informed the company that this was an unauthorized transaction.


The matter was investigated and Arif Azim was arrested. Investigations revealed that Arif Azim, while working at a call centre in Noida, gained access to the credit card number of an American national, which he misused on the company’s site. The CBI recovered the colour television and the cordless headphone. The accused admitted his guilt and the court of Shri Gulshan Kumar Metropolitan Magistrate, New Delhi, convicted Arif Azim under Sections 418, 419 and 420 of the Indian Penal Code, this being the first time that a cyber crime has been convicted.


The court, however, felt that as the accused was a young boy of 24 years and a first-time convict, a lenient view needed to be taken. The court therefore released the accused on probation for one year.

Case 4: Cyber criminals target Skype, Facebook and Windows users

By: Wed Almarhabi

Cyber criminals targeted users of Skype, Facebook and Windows using multiple Blackhole exploits in October, according to the latest threat report from security firm GFI Software. Researchers uncovered a large number of Blackhole exploits disguised as Windows licenses, Facebook account verification emails, Skype voicemail notifications and spam messages.


Blackhole exploits require victims to open links to compromised websites hosting a file that must be downloaded and executed to complete the attack. This file contains JavaScript that scans for unpatched software and other vulnerabilities before deploying the appropriate exploits and infecting a machine. The compromised links can be customised to target customers of specific companies, members of various social networking sites, or general internet users seeking information on popular news stories and events.


Researchers found that just days before the release of Microsoft’s Windows 8, some users encountered spam emails offering a free “Microsoft Windows License”. Users who clicked the malicious link and downloaded the accompanying file were hit with a Blackhole exploit and infected with a Cridex Trojan.


Another spam email campaign targeted Facebook users with a message claiming that their account was locked and needed to be re-verified. The links led to Blackhole exploits and a Zeus Trojan disguised as an Adobe Flash Player download.


Skype users were also targeted by multiple campaigns. Some received spam emails containing phony voicemail notifications. Users who clicked on the Blackhole links were infected with a Zeus Trojan. Other users were confronted with spam messages from their Skype contacts containing generic questions about their profile picture and a link to a Trojan which infected their systems, deleted itself and began making DNS requests to various malicious URLs.

While many of these sites were quickly taken down, the spam campaign began hijacking victims’ PCs for click fraud and directing them to ransomware messages demanding payment of fines for illegal file-sharing.

Case 5: Cyber Crime attack on Ebay

By: Fiza Mirza

Last year, in 2014, eBay faced a cyber-attack and its customers' privacy was compromised. The attack was carried out to steal the sensitive information of customers using the eBay site. Approximately 145 customers were affected and their information was stolen, which made this attack one of the biggest attacks to date.


The attack was carried out by injecting malicious content into the eBay systems, using common scripting languages that were not new to the site. The attackers infiltrated the website and used employee login credentials to get into the system. The database that was hacked included customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. The hacker could use this personal information for identity theft. The hacked database, however, did not contain financial information.


Another factor that led to the easy hack of the site was that eBay was using easily cracked methods for protecting the passwords, which made them more prone to hacking.


The initial attack started with employee login information being stolen, which gave easy access to all the information stored about the customers. The company responded by informing its customers about the breach and asking them to change their passwords (since customers use the same passwords for multiple websites), and also not to respond to any unknown emails.


The solution to such an issue would be to secure the users' passwords and usernames more strictly. Another way is to apply cryptography in the system to secure communications. Firewall and verification software must be used, along with highly professional security staff to monitor the system and detect any threats.
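
The password-storage points in Case 1 (passwords not stored as hashes) and Case 5 (easily cracked password protection) can be illustrated with the added Python example below. It is not code from Sony, eBay or the cited sources; the record format, function names and iteration count are assumptions made for the example. It contrasts an unsalted fast hash with a salted, slow hash that lets a system check a password without storing it.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune it to your own hardware


def weak_record(password: str) -> str:
    """Unsalted fast hash: identical passwords give identical records."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. Only the salt, cost and digest are stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    # Constructed sample: two users who chose the same password.
    pw = "correct horse battery staple"
    alice, bob = make_record(pw), make_record(pw)
    return {
        "weak_records_match": weak_record(pw) == weak_record(pw),
        "salted_records_match": alice == bob,
        "good_login": verify(pw, alice),
        "bad_login": verify("wrong guess", alice),
        "corrupt_record": verify(pw, "not-a-record"),
    }


if __name__ == "__main__":
    print(demo())
```

With the unsalted hash, one cracked record exposes every account that shares the password; with per-user salts, each record has to be attacked separately.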



References:

Case 1:

1.     Seybold, P. (2011, April 27). Q&A #1 for PlayStation Network and Qriocity Services. Retrieved August 29, 2015.

2.     Gaudiosi, J. (2014, December 24). Why Sony didn't learn from its 2011 hack. Retrieved August 29, 2015, from http://fortune.com/2014/12/24/why-sony-didnt-learn-from-its-2011-hack/

3.     Vanderbug, E. (n.d.). LulzSec Information Security Case Study Volume 3 – Sony. Retrieved August 29, 2015, from http://jurinnov.com/lulzsec-information-security-case-study-volume-3-sony/

4.     Takahashi, D. (2011, May). Chronology of the attack on Sony’s PlayStation Network. Retrieved August 29, 2015, from http://venturebeat.com/2011/05/04/chronology-of-the-attack-on-sonys-playstation-network/

Case 3:

Dr. Uma Somayajula, an eminent IT Security professional and DSCI member provided Cyber Crime case

Case 4:

Ashford, W. (Ed.). (2014, December 13). Cyber criminals target Skype, Facebook and Windows users.

Case 5:

Prigg, M. (2014, May 23). EBay admits it kept massive cyber-attack secret because it thought customer data was safe - but will STILL not say how long it knew data of 145m users was compromised. Retrieved from http://www.dailymail.co.uk/sciencetech/article-2637899/eBay-refused-admit-massive-cyber-attack-thought-customer-data-safe.html