| Code | Offense, Definition, and Inclusions/Exclusions |
|---|---|
| 1 | ACTS TARGETED AGAINST MACHINES, DATA, OR SYSTEMS. Unlawful acts that are cyberdependent, in that computers, data, or systems are the target of the action and the offense could not happen without a computer or system |
| 1A | Ransomware. Deployment of malware[1] to render files on the computer/system inaccessible until a ransom[2] is paid |
| 1B | Unlawful Access or Deprivation of Access. Malicious cyberactivity intended to obtain access to computers, data, or systems, without permission or in excess of authorized use,[3][4] or to make a computer or system unavailable to other users[5] |
| 1C | Unlawful Interference, Tampering, or Content Release. Malicious cyberactivity intended to alter, change, distort, or undermine the integrity of the information content or the functioning of a network or system, or to exfiltrate/release data without authorization[6][7][8] |
| 1D | Other Acts Targeted Against Machines, Data, or Systems. Other malicious cyberactivity for purposes not previously listed |
| 2 | FRAUD AND ACTS TARGETED AGAINST PROPERTY. Unlawful cyberactivity premised on the use of deceit or other dishonest conduct that results in the loss of property (including data and money) by an individual or organization |
| 2A | Identity Theft. Unlawful cyberactivity resulting in the possession or acquisition of personal or financial identifying information without the consent of the affected person, or the use of that identifying information to further any unlawful purpose |
| 2B | Fraud. Unlawful cyberactivity premised on the use of deceit, deception, persuasion, or other dishonest conduct to obtain some benefit or consequence or to evade a liability, where the promised benefit or consequence may be nonexistent, unnecessary, never intended to be provided, or deliberately distorted[9][10][11][12][13] |
| 2C | Other Acts Targeted Against Property. Other fraudulent or property-affecting cyberactivity not previously described |
| 3 | ACTS AGAINST INDIVIDUALS, NONSEXUAL IN NATURE. Unlawful cyberactivity, not purely of a sexual nature, that is meant to instill fear or emotional distress in another person[14][15][16][17] |
| 4 | ACTS AGAINST INDIVIDUALS, SEXUAL IN NATURE. Unlawful cyberactivity of a sexual or prurient nature that is meant to instill fear or emotional distress in another person |
| 5 | ACTS TARGETED AGAINST GROUPS. Malicious cyberactivity involving the dissemination of abusive or unsolicited content to groups of individuals |
| 6 | ACTS INVOLVING INCIDENTAL TECHNOLOGY USE. Criminal acts that may involve the use of computers or networks but in which the cyberactivity is not central to the execution of the crime |
| NA | ACTS WITH NO CYBER/COMPUTER INVOLVEMENT |

NOTES:

[1] Malware is software developed for any malicious purpose, regardless of the harm it is designed to cause (e.g., system monitoring or keystroke logging) or the manner in which it is deployed (e.g., direct installation on a computer, an email attachment, or a link distributed via social media). The term also covers alternative production and distribution models such as Malware-as-a-Service, in which the malware developer leases or sells the code to other actors, who customize and deploy it. Malware may take the form of, or be described using terms such as, virus, worm, trojan, spyware, scareware, rootkit, exploit kit, or bot/botnet.

[2] Ransom is the payment demanded in return for the release of something held hostage. In the context of ransomware, the ransom is commonly demanded in cryptocurrency, chosen because it is harder to trace than conventional payments (though transactions on public blockchains are pseudonymous rather than untraceable); it need not be a monetary payment and may instead be the performance of a particular action.

[3] Attempts to exploit a vulnerability can take such forms as SQL injection (attacker-supplied input that is concatenated into a database query and so alters the query's logic), cross-site scripting (malicious scripts injected into web pages and applications so that they execute in other users' browsers), and file-inclusion attacks (abuse of unvalidated file-path parameters in web applications to load and execute local or remote files chosen by the attacker).

[4] Unauthorized login attempts are attempts to gain access through routine access-control mechanisms, including brute forcing (i.e., systematically trying possible passwords against an account), dictionary attacks (i.e., trying candidate passwords drawn from a list of common or previously breached passwords), password spraying (i.e., trying a small number of common passwords across many user names/accounts, which spreads attempts thinly enough to avoid per-account lockout), and the use of passwords recovered by password cracking (i.e., offline guessing against stolen password hashes rather than against the live login interface).

[5] Such attacks may be known as email bombs, floods, amplification attacks, or reflection attacks (in which requests carrying a spoofed source address are sent to third-party servers whose replies, often much larger than the requests, are directed at the victim); attacks specific to telephone communications may be termed Telephony Denial of Service.

[6] Man-in-the-Middle attacks are attacks on a communication channel for the purpose of intercepting, and potentially modifying, transmitted data without the knowledge of the communicating parties. Such attacks specifically targeting mobile devices (e.g., through distribution of fake apps) have been termed Man-in-the-Mobile attacks.

[7] Command and Control (C2, C&C) is the infrastructure and communication channel through which an attacker issues commands to compromised computers (bots) and receives data from them, for example to direct a botnet to execute commands against another system or to relay stolen information between systems.

[8] In this context, information gathering includes such acts as scanning (i.e., probing a network to identify open ports, running services, or active hosts), sniffing (i.e., logical or physical interception and reading of network traffic or communications), and unauthorized DNS zone transfers (i.e., requesting a name server's complete zone data, which enumerates the hosts in a domain).

[9] Phishing is the attempted elicitation of sensitive information from individuals by deceptively posing as a legitimate, trustworthy entity. Specific labels are commonly applied based on the medium or the target: smishing (SMS phishing) when delivered by short message service text messages, vishing (voice phishing) when done by telephone or Voice over Internet Protocol, spear phishing when aimed at specifically targeted recipients (e.g., employees of a particular company) rather than cast as a broad, "public" net, and whaling when the targets are senior executives or other high-value individuals.

[10] Pharming is the covert redirection of users from a legitimate, trusted website to a fraudulent, attacker-controlled website by manipulating DNS servers or cached DNS records, so that the user is unaware of the redirection.

[11] False pretenses/swindle/confidence game offenses include such variants as investment fraud (e.g., monetary and real estate), lottery/sweepstakes/inheritance schemes, and nonpayment/nondelivery.

[12] False representation is the unauthorized use of the name of an institution to carry out fraudulent activities. Government impersonation is the impersonation of a government official or office to perpetrate fraud.

[13] In the "pump" phase of a pump-and-dump scheme, perpetrators artificially inflate the price of a stock they acquired at low cost by using fraudulent and deceptive communications (primarily electronic) to make the stock attractive to buyers. The stock is then sold during the "dump" phase; the mass sale typically causes the price to plummet, inflicting losses on the investors who bought in. See https://www.investor.gov/introduction-investing/investing-basics/glossary/pump-and-dump-schemes

[14] As in National Academies of Sciences, Engineering, and Medicine (2016a; hereafter National Academies), harassment is defined as engaging in an unlawful course of conduct of words or actions that, being directed at a specific person, annoys, alarms, or causes substantial emotional distress in that person. In turn, a course of conduct is a pattern composed of a series of two or more acts over a period of time, however short, demonstrating a continuity of purpose.

[15] As in National Academies (2016a), bullying is a variant of criminal harassment in which the offender exploits a real or perceived imbalance of power (physical or social) with the objective of dominating and belittling the victim(s); cyberbullying is the use of social media and electronic communications to conduct those behaviors. As in National Academies (2016a, p. 219), we note that state law commonly addresses bullying in education code rather than penal/criminal code, treating it as behavior between minors that is handled by local schools; however, states have taken a firmer hand in criminalizing cyberbullying in penal code language, likely because of incidents of adults impersonating children to carry out bullying behavior and communications.

[16] As in National Academies (2016a), stalking is the act of engaging in a course of conduct directed at a specific person, including but not limited to acts in which the perpetrator follows, monitors, observes, surveils, or threatens the victim, in which the perpetrator knows or should know that the course of conduct would cause a reasonable person to fear for his or her safety or the safety of a third person (e.g., a family member), or to suffer other emotional distress. Cyberstalking is the use of social media and electronic communications to conduct those behaviors.

[17] Doxing could also be classified under category 2A as identity theft, given the nature of the information unlawfully disclosed. However, we classify it here following the lead of U.S. federal law, which places "knowingly mak[ing] restricted personal information about a covered person [or member of their immediate family] publicly available [with] the intent to threaten, intimidate, or incite the commission of a crime of violence" against that person (18 U.S.C. § 119) under the broad heading of assault. The provision defines "covered person" as any officer or employee of the federal government acting in their official duties; any juror, witness, informant, or officer of any court of the United States; or any state/local law enforcement officer doxed in retaliation for participation in a federal criminal investigation.

SOURCES: Generated by the panel, drawing in particular from Phillips et al. (2022), National Academies (2016a), and Wright and Parker (2023).
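Note 3 names SQL injection and file inclusion as forms of vulnerability exploitation under category 1B. The following is an added example, not code from the report or its sources: a login lookup that concatenates user input into its query beside the parameterized form, and a path guard of the kind that blocks file-inclusion attacks. The users table, its rows, the base directory and the payload string are constructed for illustration; real systems store password hashes rather than the plaintext used here to keep the query visible.

```python
"""Added example for note 3: SQL injection (vulnerable vs. parameterized query)
and a file-inclusion path guard. Standard library only; all data is constructed."""
import sqlite3
from pathlib import Path
from typing import Optional


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table (plaintext passwords
    are for demonstration only; production systems store salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],  # constructed sample rows
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenates user input into the SQL text, so attacker-controlled text
    becomes part of the query and can rewrite the WHERE clause."""
    sql = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: values travel separately from the SQL text, so quotes
    or keywords inside the input are compared as data, never parsed as SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Classic payload: closes the password literal and appends an always-true clause.
INJECTION = "' OR '1'='1"


def safe_include_path(base_dir: str, requested: str) -> Optional[Path]:
    """File-inclusion guard: resolve the requested name under base_dir and refuse
    anything that escapes it (../ traversal, absolute paths, the directory itself)."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target == base or base not in target.parents:
        return None
    return target


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected :", login_vulnerable(db, "alice", INJECTION))  # True
    print("hardened,   injected :", login_hardened(db, "alice", INJECTION))    # False
    print("include ../etc/passwd:", safe_include_path("/tmp", "../etc/passwd"))  # None
```

The vulnerable query with the payload reads `... AND password = '' OR '1'='1'`, which matches every row; the parameterized version compares the literal string `' OR '1'='1` against the stored password and fails. The path guard resolves symlinks and `..` before checking containment, which is the step naive prefix checks on the raw string get wrong.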
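Note 4 distinguishes brute forcing (many guesses against one account) from password spraying (a few guesses each across many accounts). In authentication logs the difference is visible only in aggregate, so the following added example, which is not code from the report or its sources, classifies failed-login activity per source address within a fixed time window. The sshd-style log lines are constructed samples, the source addresses are documentation ranges, and the thresholds are assumptions that a real deployment would tune against its own lockout policy.

```python
"""Added example for note 4: separating brute force from password spraying in
failed-login records. Log lines, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Matches a syslog-style sshd failure with an ISO timestamp prepended (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Illustrative thresholds (assumptions, not values from the report).
BRUTE_FORCE_MIN_FAILURES = 10   # this many failures on one account from one source
SPRAY_MIN_ACCOUNTS = 10         # at least this many distinct accounts from one source
SPRAY_MAX_PER_ACCOUNT = 2       # ...with no account hit more than this (stays under lockout)
WINDOW_SECONDS = 600            # fixed bucketing window

EPOCH = datetime(1970, 1, 1)    # naive reference so bucketing is timezone independent


def constructed_log() -> List[str]:
    """Constructed sample: one brute-forcer, one sprayer, one user who mistyped twice."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for i in range(12):  # 203.0.113.5 hammers 'admin', one guess per second
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} sshd[4011]: Failed password for admin "
                     f"from 203.0.113.5 port 51000 ssh2")
    for i in range(15):  # 198.51.100.7 tries one password against 15 accounts, 20 s apart
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} sshd[4012]: Failed password for invalid user "
                     f"user{i:02d} from 198.51.100.7 port 52000 ssh2")
    for i in range(2):   # 192.0.2.9 is a person who mistyped twice
        t = base + timedelta(seconds=300 + i)
        lines.append(f"{t.isoformat()} sshd[4013]: Failed password for carol "
                     f"from 192.0.2.9 port 53000 ssh2")
    return lines


def label_pattern(per_user: Dict[str, int]) -> Optional[str]:
    """Given failure counts per account for one source in one window, name the pattern."""
    peak = max(per_user.values())
    if peak >= BRUTE_FORCE_MIN_FAILURES:
        return "brute-force"
    if len(per_user) >= SPRAY_MIN_ACCOUNTS and peak <= SPRAY_MAX_PER_ACCOUNT:
        return "password-spray"
    return None


def classify_sources(lines: List[str], window: int = WINDOW_SECONDS) -> Dict[str, str]:
    """Parse failed logins, bucket by (source, window), and return {source: label}
    for sources whose activity in some window looks like an attack."""
    counts: Dict[tuple, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        seconds = (datetime.fromisoformat(m["ts"]) - EPOCH).total_seconds()
        counts[(m["src"], int(seconds // window))][m["user"]] += 1
    verdicts: Dict[str, str] = {}
    for (src, _bucket), per_user in counts.items():
        label = label_pattern(per_user)
        if label and src not in verdicts:
            verdicts[src] = label
    return verdicts


if __name__ == "__main__":
    for src, label in classify_sources(constructed_log()).items():
        print(f"{src:15} {label}")
```

The two attack signatures are inverted: the brute-forcer produces a high peak against a single account, while the sprayer produces a wide spread of accounts with a peak of one, which is exactly what per-account lockout counters never see. Anything below both thresholds, such as the two failures from 192.0.2.9, is left unlabelled.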