Phishing Don’t Become A Victim

Cyber crimes are difficult to detect due to the expanse of the virtual space. Here’s a quick guide providing A to Z of Phishing that would not only help you identify this menace but prevent it as well…

The growing volume of e-mail communication on the Internet is making it one of the most common media for fraud and virus infection. Phishing is one of the most feared cyber crimes, affecting millions of people around the world. It is the Internet’s biggest identity theft scam and is widely prevalent in India. Phishing is practised in various ways, for example via e-mails and fraudulent websites:

Bank phishing scams: In some recent cases of phishing (an offence involving identity theft) reported in India, the modus operandi was the same: a fake website imitating the target bank was created, and the bank’s customers received an e-mail asking them to renew certain services, claiming that failure to do so would result in the suspension or deletion of their accounts. The e-mail provided a link to the phishing site, in an illegal attempt to collect personal data and account information.

E-mail phishing: An e-mail often arrives from an unknown company congratulating the recipient on winning a free or inexpensive resort vacation or cruise. Such a solicitation is most likely a travel scam conducted by phishing. The e-mail carries a link to a site that asks for the recipient’s credit card number, ostensibly to claim the freebie, along with other personal information, thereby exposing the card details to fraudulent online transactions.

Techniques Employed For Phishing Attacks

Man-in-the-middle attacks: In this type of attack, the attacker interposes a server between the customer’s system and the real web application and relays all communication between them. The customer connects to the attacker’s server as if it were the real site, while the attacker’s server makes a simultaneous connection to the real site and proxies, in real time, everything exchanged between the customer and the real application server.

URL obfuscation attacks: These involve small changes to a URL so that the fraudster can trick the user into following a hyperlink to the attacker’s server without the user realizing that the link does not lead where it appears to.
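The obfuscation tricks described above can be checked mechanically before a link is trusted. The following is an added example written for this article, not code from the article or from any bank; it assumes a placeholder bank domain `bank.example` and constructed sample URLs, and it approximates the registrable domain with the last two labels (real tooling should use the Public Suffix List, since domains such as `co.in` need three).

```python
"""Flag common URL-obfuscation patterns in a hyperlink (added example, constructed data)."""
import ipaddress
from urllib.parse import urlsplit

# Assumed domain of the genuine bank; a placeholder, not a real institution.
TRUSTED_DOMAIN = "bank.example"


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification for the example: production code should consult the
    Public Suffix List (e.g. 'bank.co.in' would need three labels).
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return a list of findings; an empty list means no obfuscation pattern was seen."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append("not-https")

    # 'https://www.bank.example@evil.test/' : everything before '@' is userinfo,
    # the browser actually connects to the part after it.
    if parts.username is not None:
        findings.append("userinfo-before-host")

    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("ip-literal-host")  # raw IP instead of the bank's domain
    except ValueError:
        pass

    # Internationalised labels are sent as 'xn--...'; a look-alike name can hide here.
    # To inspect the shown form: host.encode('ascii').decode('idna').
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")

    if host and not is_ip:
        rd = registrable_domain(host)
        if rd != trusted_domain:
            brand = trusted_domain.split(".")[0]
            if brand in host:
                # 'secure.bank.example.evil.test': brand appears, but the site is evil.test
                findings.append(f"brand-name-in-untrusted-domain:{rd}")
            else:
                findings.append(f"untrusted-domain:{rd}")
    return findings


def is_trusted_bank_link(url: str) -> bool:
    return analyze_url(url) == []


if __name__ == "__main__":
    for sample in ("https://netbanking.bank.example/login",
                   "http://www.bank.example@203.0.113.5/login",
                   "https://secure.bank.example.evil.test/login"):
        print(sample, "->", analyze_url(sample) or "ok")
```

A mail gateway or a browser extension would run `analyze_url` over every link in an incoming message and show the findings next to the link rather than blocking silently, so the customer learns what to look for.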

XSS (cross-site scripting): In this class of attack, the attacker injects custom URL parameters or code into a valid web application URL or an embedded data field. In general, XSS techniques exploit a site’s failure to validate user input before returning it to the client’s web browser.
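The failure described above, and its fix, can be shown side by side. Below is an added example, not from the article: a search handler that echoes a parameter straight into the page (the vulnerable form) next to one that validates the input against an allowlist and escapes it on output. The function names and the 40-character query rule are assumptions made for the example.

```python
"""Reflected input: unvalidated echo versus validate-then-escape (added example)."""
import re
from html import escape

# Allowlist for the example's search field: letters, digits, spaces, at most 40 chars.
ACCOUNT_QUERY = re.compile(r"[A-Za-z0-9 ]{1,40}")


def render_search_vulnerable(query: str) -> str:
    """'Before' form: the parameter is placed into the HTML unchanged,
    so any markup in it is parsed by the browser as part of the page."""
    return f"<p>Results for: {query}</p>"


def render_search_hardened(query: str) -> str:
    """Escape &, <, >, \" and ' so the input is displayed as text, not interpreted as markup."""
    return f"<p>Results for: {escape(query, quote=True)}</p>"


def validate_query(query: str) -> bool:
    """Allowlist validation on input; rejects anything outside the expected character set."""
    return ACCOUNT_QUERY.fullmatch(query) is not None


def handle_search(query: str) -> str:
    """Validate first, then escape on output: defence in depth against reflected XSS."""
    if not validate_query(query):
        return "<p>Invalid search.</p>"
    return render_search_hardened(query)


def reflects_markup(rendered: str, submitted: str) -> bool:
    """True when the submitted text survives verbatim in the rendered page."""
    return submitted in rendered


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"   # constructed test input
    print(render_search_vulnerable(sample))  # tag reaches the browser intact
    print(render_search_hardened(sample))    # shown as literal text
    print(handle_search(sample))             # rejected before rendering
```

Output escaping is the part that must never be skipped: validation narrows what is accepted, but any value that reaches an HTML page, an attribute or a script block has to be encoded for that context.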

Modus Operandi Of Phishing In Banks
  • The attackers make a bogus website that closely imitates the target bank. Mails are then sent to the bank’s customers, tempting them to provide their login details, ostensibly so that the bank’s server can be upgraded. It was revealed that for this purpose the fraudster hosted a web page containing URL links of the target bank. The attacker gained access to all the details with the active assistance of associates in foreign countries such as Nigeria and Russia. Before a transfer of funds through Internet banking is executed, the bank sends an SMS to the transferor to confirm the transaction; once the fraudsters have the customer’s personal information, they replace the customer’s contact number with their own, so that the transfer of funds from the victim’s account to the beneficiary accounts goes unnoticed.
  • In some cases, when customers fell into the trap and passed on their Internet banking user name and password, the fraud was perpetrated in three forms:
    • Online money transfer from the victim’s account to a beneficiary account.
    • Recharging mobile phones.
    • Making online purchases permitted by the net banking facility.
  • The funds were transferred to fake accounts, which had been opened by furnishing bogus identification documents such as fake passports, fake election ID cards and fake PAN cards.
  • These fake accounts, whose holders thereby became beneficiaries of the scam, were opened in the names of Indians rather than Nigerians to reduce the chance of suspicion. Some of the beneficiary account holders were carriers for the hackers, while other accounts were opened by luring people with some consideration in exchange for opening an account in their name and having the ill-gotten money transferred to it.
  • The IP addresses from which the fraudulent Internet transactions originated were in various foreign countries, indicating the use of proxy IPs by the hackers to mislead the investigating agencies.
  • It was revealed that the amount was withdrawn by the hacker immediately after the account had been compromised.

Legal Angle?

Criminals are developing new techniques to counter customer awareness. These include URL obfuscation, to make phishing e-mails and websites appear more legitimate, and exploitation of vulnerabilities in web browsers that allow malicious code to be downloaded and executed from a hostile website. Hackers use false and fraudulent websites and URL links to deceive people into disclosing valuable personal data, which is later used in phishing schemes to swindle money from the victim’s account. This is therefore an offence of cheating, punishable u/s 420 of the Indian Penal Code, 1860 (IPC). There is also a criminal conspiracy between the various people perpetrating the crime, such as the person who opens the beneficiary account or who receives the funds in their account in conspiracy with the fraudster; Section 120-B IPC, which relates to criminal conspiracy, therefore also applies. Forging a website, which is in the nature of an electronic record, to cheat gullible bank customers is punishable u/s 468 IPC, and fraudulently or dishonestly using the fake website as genuine is punishable u/s 471 IPC. Alok Lakhanpal, Advocate, Delhi High Court & District Courts and Guest Faculty, University of Delhi, adds, “Apart from attracting the provisions of IPC, when the hacker uses false and fraudulent websites to lure the victim to disclose his personal information and take control of the internet account with the intention to cheat him by deleting or altering any information/data residing in the bank server electronically (for example, changing the mobile phone number of the victim with his own), the offender commits the offence of hacking which is punishable u/s 66 Information Technology Act, 2000 (IT Act).”

Thus, the victim’s account is compromised by the hacker, which is not possible unless he effects some change, by deletion or alteration, to the information/data of the victim’s account residing electronically on the bank’s server. This act is therefore squarely covered and punishable u/s 66 IT Act.

Adarsh (name changed on request) held an account with a bank and used its net banking facility. He was cheated by the accused through an unauthorized debit of INR 1,75,000 from his account. The accused practised phishing by sending fake e-mails to bank customers in bulk. The fake e-mails appeared genuine because the accused used the bank’s logo in them. The accused then asked customers to follow the link in the fake mail and disclose their customer ID and password. If a customer responded, the accused used that information to fraudulently siphon money from the customer’s account. The fraudsters then had the money transferred to newly opened fake bank accounts and withdrew the whole amount from there.

What to do if one thinks that he is a victim?
  • If one has given personal details such as an account number, PIN, password or any other login details to the attacker, one should immediately inform the bank holding the account so that the account is not compromised.
  • Even if one does not fall into the trap, it is one’s duty as a good citizen to prevent others from falling into it. Report the phishing attempt to the bank or agency being impersonated as well as to the police.

Safety Measures Adopted By Banks
  • Banks send mails and messages to inform their customers so that they do not become victims of phishing. For instance, they advise customers not to open a link that asks them to enter personal data, and not to enter personal information on any computer other than their own.
  • Some banks use software called RSA and give their net banking customers a device which they connect to their systems. Whenever the customers need to access their online bank accounts, they have to enter a 4-letter password.
  • Banks not only make their customers aware through messages, mails and statements; they also keep their internal data protection systems foolproof.

The manager of a private bank in Delhi informed Witness Bureau about a case of phishing in which a foreign accused (an expert in breaking the passwords of bank customers over the Internet) needed some bank accounts for the illegal transfer of money through net banking. For this he contacted an Indian accused, who shared the details of accounts at this private bank (which had been opened on the basis of fake documents). Using these details, the foreign accused transferred Rs. 2,26,000 to these accounts through phishing; the money was later withdrawn by the Indian accused.

Safety Measures For You

  • Delete any e-mail without opening it if you do not recognize the sender.
  • Never respond to an unsolicited e-mail that asks for personal financial information, requests your authentication details, or claims a problem with your accounts in urgent or exaggerated terms.
  • Do not open attachments. Instead, contact the organization that has apparently sent the e-mail.
  • Read the text of the e-mail several times and ask yourself why the requested information would really be needed.
  • Contact the organization that supposedly sent the e-mail to report anything suspicious in it, using a telephone number that you know to be legitimate.
  • Use virus protection software and keep its virus definitions current and updated.
  • Keep your computer’s operating system and web browser up to date.
  • If you think you have received a suspicious e-mail or pop-up ad, or have been directed to a suspicious-looking website, file a complaint with the investigating agencies in your city.
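Several of the warning signs above (an unknown or impersonating sender, an urgent threat about the account, a request for credentials, and a link that does not go where its text says) can be checked automatically on an incoming message, which is how mail filters give customers a second opinion. The following is an added example, not from the article or any vendor: it parses two constructed messages with Python’s standard `email` library and returns the signs it finds. The bank domain `bank.example` and both messages are placeholders made up for the example.

```python
"""Triage an e-mail for common phishing signs (added example; constructed sample messages)."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "bank.example"  # assumed domain of the genuine bank (placeholder)
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|deleted|urgent)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|pin|otp|customer id|card number)\b", re.I)

SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank-verify.test>
Reply-To: support@mailbox-collector.test
To: customer@example.net
Subject: Urgent: your Net Banking access will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, confirm your customer ID and password within 24 hours
or your account will be suspended.</p>
<p><a href="http://203.0.113.5/renew">https://netbanking.bank.example/renew</a></p>
</body></html>
"""

SAMPLE_BENIGN = """\
From: "Example Bank" <statements@bank.example>
To: customer@example.net
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement for March is available in Net Banking.</p>
<p><a href="https://netbanking.bank.example/statements">https://netbanking.bank.example/statements</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_email(raw: str, trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return the phishing signs found in a raw RFC 5322 message (empty list = none found)."""
    findings = []
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]

    # 1. The display name claims to be the bank, but the address is elsewhere.
    if "bank" in sender.display_name.lower() and sender.domain.lower() != trusted_domain:
        findings.append("display-name-impersonates-bank")

    # 2. Replies are silently routed to a different domain than the sender's.
    if msg["Reply-To"] is not None:
        if msg["Reply-To"].addresses[0].domain.lower() != sender.domain.lower():
            findings.append("reply-to-domain-differs")

    # 3./4. Threats of suspension and requests for credentials in subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        findings.append("urgency-language")
    if CREDENTIALS.search(text):
        findings.append("asks-for-credentials")

    # 5. A link whose visible text names one host while the href goes to another.
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, shown in collector.links:
            if "://" in shown and urlsplit(shown).hostname != urlsplit(href).hostname:
                findings.append("link-text-host-mismatch")
                break
    return findings


if __name__ == "__main__":
    print("phish:", triage_email(SAMPLE_PHISH))
    print("benign:", triage_email(SAMPLE_BENIGN))
```

None of these signs alone proves a message is fraudulent, so the findings are best shown to the customer as reasons to phone the bank on a known number, which is exactly the advice above.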

Phishing is a threat to the modern e-commerce environment, and there is no straitjacket formula to deal with it or to insulate oneself from it. Apart from mitigating and preventive measures, customer awareness and education are the key to fighting this menace. Law enforcement agencies, the legislature and the industry should come together and coordinate in the fight against phishing.

About Author

Ravinder Kumar Verma