Accounting Information Systems, 13e (Romney/Steinbart)
Chapter 6 Computer Fraud and Abuse Techniques
6.1 Compare and contrast computer attack and abuse tactics.
1) ________ consists of the unauthorized copying of company data.
A) Phishing
B) Masquerading
C) Data leakage
D) Eavesdropping
2) Individuals who use telephone lines to commit fraud and other illegal acts are typically called
A) phreakers.
B) crackers.
C) phishers.
D) hackers.
3) What is a denial of service attack?
A) A denial of service attack occurs when the perpetrator sends hundreds of messages from
randomly generated false addresses, overloading an Internet service provider’s e-mail server.
B) A denial of service attack occurs when an e-mail message is sent through a re-mailer, who
removes the message headers making the message anonymous, then resends the message to
selected addresses.
C) A denial of service attack occurs when a cracker enters a system through an idle modem,
captures the PC attached to the modem, and then gains access to the network to which it is
connected.
D) A denial of service attack occurs when the perpetrator e-mails the same message to everyone
on one or more Usenet newsgroups LISTSERV lists.
4) Gaining control of somebody’s computer without their knowledge and using it to carry out
illicit activities is known as
A) hacking.
B) sniffing.
C) phreaking.
D) hijacking.
5) Tapping into a communications line and then entering the system by accompanying a
legitimate user without their knowledge is called
A) superzapping.
B) data leakage.
C) hacking.
D) piggybacking.
6) Which of the following is not a method of identity theft?
A) scavenging
B) phishing
C) shoulder surfing
D) phreaking
7) The deceptive method by which a perpetrator gains access to the system by pretending to be
an authorized user is called
A) cracking.
B) masquerading.
C) hacking.
D) superzapping.
8) The unauthorized access to, or use of, a computer system is known as
A) hacking.
B) hijacking.
C) phreaking.
D) sniffing.
9) A fraud technique that slices off tiny amounts from many projects is called the ________
technique.
A) Trojan horse
B) round down
C) salami
D) trap door
10) Data diddling is
A) gaining unauthorized access to and use of computer systems, usually by means of a personal
computer and a telecommunications network.
B) unauthorized copying of company data such as computer files.
C) unauthorized access to a system by the perpetrator pretending to be an authorized user.
D) changing data before, during, or after it is entered into the system in order to delete, alter, or
add key system data.
11) In the 1960s, techniques were developed that allowed individuals to fool the phone system
into providing free access to long distance phone calls. The people who use these methods are
referred to as
A) phreakers.
B) hackers.
C) hijackers.
D) superzappers.
12) During a routine audit, a review of cash receipts and related accounting entries revealed
discrepancies. Upon further analysis, it was found that figures had been entered correctly and
then subsequently changed, with the difference diverted to a fictitious customer account. This is
an example of
A) kiting.
B) data diddling.
C) data leakage.
D) phreaking.
13) LOLer was chatting online with l33ter. “I can’t believe how lame some people are! :) I can
get into any system by checking out the company website to see how user names are defined and
who is on the employee directory. Then, all it takes is brute force to find the password.” LOLer is
a ________, and the fraud he is describing is ________.
A) hacker; social engineering
B) phreaker; dumpster diving
C) hacker; password cracking
D) phreaker; the salami technique
14) After graduating from college with a communications degree, Rado Ionesco experienced
some difficulty in finding full-time employment. He free-lanced during the summer as a writer
and then started a blog in the fall. Shortly thereafter he was contacted by SitePromoter
Incorporated, who offered to pay him to promote their clients in his blog. He set up several more
blogs for this purpose and is now generating a reasonable level of income. He is engaged in
A) splogging.
B) Bluesnarfing.
C) vishing.
D) typosquatting.
15) Computers that are part of a botnet and are controlled by a bot herder are referred to as
A) posers.
B) zombies.
C) botsquats.
D) evil twins.
16) Wassim Masood has been the webmaster for Woori Finance only ten days when Woori’s
website was flooded with access attempts. Wassim shut down the site and only opened it to Web
addresses which he specifically identified as legitimate. As a result, many of Woori’s customers
were unable to obtain loans, causing Woori to lose a significant amount of business. Woori
Finance suffered from a
A) denial-of-service attack.
B) zero-day attack.
C) malware attack.
D) cyber-extortion attack.
17) Wassim Masood has been the webmaster for Woori Finance only ten days when he received
an e-mail that threatened to shut down Woori’s website unless Wassim wired payment to an
account in South America. Wassim was concerned that Woori Finance would suffer huge losses
if its website went down, so he wired money to the appropriate account. The author of the e-mail
successfully committed
A) a denial-of-service attack.
B) Internet terrorism.
C) hacking.
D) cyber-extortion.
6
18) Wassim Masood works in the information technology department of TMV. On Monday
morning, he arrived at work, scanned his identity card, and entered his code. At that moment, a
lady in a delivery uniform came up behind Wassim with a bunch of boxes. Although Wassim
held the door for the delivery lade, he later wondered if the delivery lady was engaged in
A) pretexting.
B) piggybacking.
C) posing.
D) spoofing.
19) Describe at least six computer attacks and abuse techniques.
20) Zeus is an example of a
A) virus.
B) worm.
C) Trojan horse.
D) war dialing.
21) Recall that students used Facebook and VKontakte to identify Russian money laundering
mules. What fraud case did these students help foil?
A) Zeus
B) Trident Breach
C) Nigerian Banking
D) InfraGard
22) On the weekends, Thuy Nguyen climbs into her Toyota Camry and drives around the city of
Las Vegas looking for unprotected wireless networks to exploit. Thuy is most likely engaging in
A) snarfing.
B) Wi-pilfering.
C) war driving.
D) data slurping.
23) Offering a free website, then charging the phone bills of the individuals who signed up for
the free website is known as
A) snarfing.
B) web cramming.
C) podpounding.
D) e-scraping.
6.2 Explain how social engineering techniques are used to gain physical or logical access to
computer resources.
1) Mircea Vasilescu maintains an online brokerage account. In early March, Mircea received an
e-mail from the firm that explained that there had been a computer error and asked Mircea to call
a phone number to verify his customer information. When Mircea called the number, a recording
asked that he enter the code from the e-mail, his account number, and his social security number.
After he did so, he was told that he would be connected with a customer service representative,
but the connection was terminated. He contacted the brokerage company and was informed that
they had not sent the e-mail. Mircea was a victim of
A) Bluesnarfing.
B) vishing.
C) splogging.
D) typosquatting.
2) When a computer criminal gains access to a system by searching through discarded records,
this is referred to as
A) data diddling.
B) dumpster diving.
C) eavesdropping.
D) data squatting.
3) Jerry Schneider was able to amass operating manuals and enough technical data to steal $1
million of electronic equipment by
A) scavenging.
B) skimming.
C) Internet auction fraud.
D) cyber extortion.
4) Illegally obtaining and using confidential information about a person for economic gain is
known as
A) eavesdropping.
B) identity theft.
C) packet sniffing.
D) piggybacking.
5) Which method of fraud is physical in its nature rather than electronic?
A) cracking
B) hacking
C) eavesdropping
D) scavenging
6) Which of the following is the easiest method for a computer criminal to steal output without
ever being on the premises?
A) dumpster diving
B) use of a Trojan horse
C) using a telescope to peer at paper reports
D) electronic eavesdropping on computer monitors
7) Dimitri Ivanov is an accountant with PwC. The firm has a very strict policy of requiring all
users to change their passwords every sixty days. In early March, Dimitri received an e-mail
claiming that there had been an error updating his password and that provided a link to a website
with instructions for re-updating his password. Something about the e-mail made Dimitri
suspicious, so he called PwC’s information technology department and found that the e-mail was
fictitious. The e-mail was an example of
A) social engineering.
B) piggybacking.
C) spamming.
D) phishing.
8) It was late on a Friday afternoon when Makari Polzin got a call at the help desk for Taggart
Transcontinental. A man with an edge of panic in his voice was on the phone. “I’m really in a
bind and I sure hope that you can help me.” He identified himself as John Galt from the
Accounting Department. He told Makari that he had to work on a report that was due on Monday
morning and that he had forgotten to bring a written copy of his new password home with him.
Makari knew that Taggart’s new password policy required that passwords be at least fifteen
characters long, must contain letters and numbers, and must be changed every sixty days, had
created problems. Consequently, Makari provided the password to John. The caller was not John
Galt, and Makari was a victim of
A) phreaking.
B) war dialing.
C) identity theft.
D) social engineering.
9) Jim Chan decided to Christmas shop online. He linked to Amazon.com, found a perfect gift
for his daughter, registered, and placed his order. It was only later that he noticed that the
website’s URL was actually Amazom.com. Jim was a victim of
A) Bluesnarfing.
B) splogging.
C) vishing.
D) typosquatting.
10) Mo Chauncey was arrested in Emporia, Kansas, on February 29, 2008, for running an online
business that specialized in buying and reselling stolen credit card information. Mo was charged
with
A) typosquatting.
B) carding.
C) pharming.
D) phishing.
11) Which of the following is not an example of social engineering?
A) obtaining and using another person’s Social Security number, credit card, or other confidential
information
B) creating phony websites with names and URL addresses very similar to legitimate websites in
order to obtain confidential information or to distribute malware or viruses
C) using e-mail to lure victims into revealing passwords or user IDs
D) setting up a computer in a way that allows the user to use a neighbors unsecured wireless
network
12) Describe at least four social engineering techniques.
13) What is social engineering?
14) Which of the following is not a human trait social engineers take advantage of to entice
people to reveal information they should keep confidential?
A) compassion
B) sloth
C) sex Appeal
D) authority
15) Which of the following websites likely poses the most fraud and security risk?
A) your school’s website
B) a file sharing website
C) a social media website
D) your personal website
16) True or False: Identify theft has always been a federal crime.
17) Pretexting is best described as a social engineering technique that uses
A) text messages to gain sensitive information.
B) an invented scenario to gain sensitive information.
C) threat of physical force to gain sensitive information.
D) impersonation of somebody you know to gain sensitive information.
18) On a Friday evening you use a bar’s ATM to withdraw $50 from your bank account.
However, as you complete your withdrawal, your card gets jammed in the ATM machine. The
individual waiting in line behind you approaches you and suggests re-entering your PIN number.
You do. However, your card remains jammed. You leave the bar to call your bank to report the
incident. However, after you left the individual who offered to help you removed a sleeve he
inserted in the ATM to jam your card. He now has your ATM card and PIN number. You just
fell victim to a ________ fraud.
A) tabnapping
B) Lebanese looping
C) phishing
D) pharming
1) A part of a program that remains idle until a specified date or event activates it to cause havoc
is called a
A) virus.
B) logic bomb.
C) trap door.
D) data diddle.
2) Spyware is
A) software that tells the user if anyone is spying on his computer.
B) software that monitors whether spies are looking at the computer.
C) software that monitors computing habits and sends the data it gathers to someone else.
D) none of the above
3) The unauthorized use of special program that bypass regular system controls to perform illegal
acts is called
A) a Trojan horse.
B) a trap door.
C) the salami technique.
D) superzapping.
4) Computer fraud perpetrators that modify programs during systems development, allowing
access into the system that bypasses normal system controls are using
A) a Trojan horse.
B) a trap door.
C) the salami technique.
D) superzapping.
5) A fraud technique that allows a perpetrator to bypass normal system controls and enter a
secured system is called
A) superzapping.
B) data diddling.
C) using a trap door.
D) piggybacking.
6) A set of unauthorized computer instructions in an otherwise properly functioning program is
known as a
A) logic bomb.
B) spyware.
C) trap door.
D) Trojan horse.
7) A ________ is similar to a ________, except that it is a program rather than a code segment
hidden in a host program.
A) worm; virus
B) Trojan horse; worm
C) worm; Trojan horse
D) virus; worm
8) Developers of computer systems often include a user name and password that is hidden in the
system, just in case they need to get into the system and correct problems in the future. This is
referred to as a
A) Trojan horse.
B) key logger.
C) spoof.
D) back door.
9) Narang Direct Sales is a telemarketing firm that operates out of India. The turnover rate
among employees is quite high. Recently, the information technology manager discovered that
an unknown employee had used a Bluetooth-enabled mobile phone to access the firm’s database
and copied a list of customers from the past three years and their credit card information. Narang
Direct Sales was a victim of
A) Bluesnarfing.
B) splogging.
C) vishing.
D) typosquatting.
10) Rina Misra, a first-time computer user, purchased a brand new PC two months ago and it
was now operating much more slowly and sluggishly. Since purchasing the computer, she had
been accessing the Internet and had installed a variety of free software. The problem is mostly
likely to be
A) a zero-day attack.
B) a virus.
C) a spoof.
D) Bluesnarfing.
11) In November of 2005 it was discovered that many of the new CDs distributed by Sony BMG
installed software when they were played on a computer. The software was intended to protect
the CDs from copying. Unfortunately, it also made the computer vulnerable to attack by malware
run over the Internet. The scandal and resulting backlash was very costly. The software installed
by the CDs is a
A) virus.
B) worm.
C) rootkit.
D) squirrel.
12) Which of the following would be least effective to reduce exposure to a computer virus?
A) Only transfer files between employees with USB flash drives.
B) Install and frequently update antivirus software.
C) Install all new software on a stand-alone computer for until it is tested.
D) Do not open e-mail attachments from unknown senders.
13) How can a system be protected from viruses?
14) Describe the differences between a worm and a virus?
15) Spyware that pops banner ads on a monitor, then collects information about the users web-
surfing and spending habits is an example of
A) a Trojan horse
B) scareware
C) adware
D) a keylogger
16) Ransomware often comes in the form of
A) fake antivirus software.
B) an e-mail that threatens to kidnap the reader unless a ransom is paid.
C) free performance-maximizing software.
D) free apps.
17) True or False: Law enforcement uses key logging software, a form of malware, to detect
crime.
18) Terrorists often use ________ because it is an effective way to transmit information and
receive orders.
A) steganography
B) packet sniffers
C) trap doors
D) time bombs
19) True or False: Steganography malware uses encryption to increase its effectiveness.