1. (use attach)
Use the framework we have learned in this week and provide a quick analysis on the "free baby grand piano" scam
You may pick and choose any one or multiple aspects (for example, the "motivation", "execution-masquerade", or "execution-divest") to complete your analysis.
2.
This week we discussed Cost Management and reviewed a video on Dollar General:
https://www.youtube.com/watch?v=vQpUV–2Jao
Please further investigate Dollar General and discuss what you have found on Dollar General's approach to cost management.
Lecture – Unit 11 Cybercrimes Modus Operandi
ACCT 855
Seminar in Cybersecurity Audit and Disclosure
Dr. Tien Lee, Ph.D., PMP, CISA, CISSP [email protected] | (415)644-TIEN San Francisco State University Lam Family College of Business
So Far…
Auditors’ perspective
Current state of cybersecurity
Audit program
Current practices & use of standards
Cybersecurity threats & SOC audits
Audit evidence
Firm’s perspective (issuer)
This week: Firm’s handling of Cybersecurity Event.
Criminal’s perspective
How cybercrimes are organized
How cybercriminals are recruited.
Know your enemy
“Know the enemy and know yourself; in a hundred battles you will never be in peril.”
-Sun Tzu
Who are the cybercriminals?
Not your typical “live-in-grandma’s-garage-incels”
Meet Kim Schmitz
aka. Kimbo, or more famously, KIM DOT COM
Turned “hacking” into an enterprising activity by injecting various racketeering techniques.
Cybercrime
Definition: Crimes conducted in or through cyberspace.
“Petty theft vs. Bank Heist”
Most common cybercrimes are small; done by curious, young individuals.
Rationalized by the “MIT Ethics” – a poetic license for committing a crime that contributes towards knowledge.
Usually cause little damage.
Criminal groups would absorb and recruit such individuals either as a “tool” to enable a crime, or
as a member of the cybercriminal group.
The Motive
Internal Mechanism
What drives the criminal internally?
Reward
Excitement, fun, curiosity, excessive risk-taking.
Attention
External Stimuli
Socio-environmental: peer pressure
Techno-environmental: ease of access to tech.
Family-environmental: financial pressure, etc.
The Organization
The organizational aspects
Structural aspect:
Recruitment: How are cybercriminals recruited?
Task Assignment: Cybercrimes are not just for techies.
Team formation: Team formation is crucial in cybercriminal activities as it is a vehicle for peer pressure, group immersion, and binding.
The Organization
The organizational aspects
Exploitation aspect:
Group immersion: live, act, and socialize in the designated group.
Accomplice binding: Bind individuals through their knowledge of a crime, or through the “loot” of a crime.
Psychological conditioning: Condition the individuals into accepting, normalizing, rationalizing, or even defending the activities.
The Learning & Development
“Rome was not built in a day”
Cybercrimes require learning.
Opportunities are “incubated” or “developed” in a similar fashion to developing a sales lead.
Means
The learning of means of attack.
Use of special tools and equipment.
Skills and techniques
Development of a “playbook”, “scripts”, or “scenarios”.
The Learning & Development
Development of opportunity
Identifying suitable targets
Profiling targets
Divide targets among teams
Use of various means to “phish” for targets.
Use social media, existing databases, or previous pretexting efforts to find new targets.
The Execution (1)
Identity acquisition (gather the players)
Usually the first stage of cybercrime.
Identity can be stolen.
Purchase another’s identity, bank account, or business license.
Fabricate a complete, non-existent, “fake” identity.
May be assisted via AI or “deep-fake”.
The Execution (2)
Masquerade
“Building the stage”
Through authority and power
Fake court order, fake police, fake prosecutor.
Through profession or specialties
Fake UPS delivery, fake investment broker.
Through compassion and/or empathy
Fake injuries, life-threatening scenarios, changes in life situation.
The Execution (3)
Divest
The actual act of divesting the victim of a benefit: monetary or non-monetary gains.
Through coerce & compel
Compel the victims into divesting funds.
Through attract & induce
Use financial, social, or interpersonal gains to attract and induce the victim.
Through appeal & solicit
Appeal through sympathy, etc.
The Execution (4)
Evade
“The get-away car”
The mechanisms used to evade prosecution or responsibility.
Geo-impedance & obstruction
Cyber-camouflage & deception
Structural obscurity & disguise
Putting everything together