Phishing- The Internet Age Crime

NEERAJ AARORA, AICWA, LLB, PGD (Cyber Law), ACFE (USA)

The media runs stories on an almost daily basis covering the latest bank to have their customers targeted and how many victims succumbed to the attack. It may be you too. Suppose, one day you open your email, and found a weird looking mail, something phisy! A message in your inbox from your bank with which you have an internet enabled account asking to update your account with your personal information, login detail etc. on pretext of up gradation of server of the bank. You would also see a link, by clicking on which you would be linked to a look alike website of your bank which looks quite authentic and convincing. However, you may be smart enough to know that this is a trap by a con to get your vital personal information to make fraudulent financial transactions and swindle your money. But there are many others who are not as smart as you, and fall into the trap and pass on their vital login details and lose their valuable money.

Phishing is the internet age crime, born out of the technological advances in internet age. "Phishing" is a newer form of social engineering. Typically, Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords, usernames, login IDs, ATM PINs and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The phishing attacks will then direct the recipient to a web page (mirror webpage) so exactly designed to look as a impersonated organization’s (often bank & financial institution) own website and then they cleverly harvest the user’s personal information, often leaving the victim unaware of the attack.

Phishing has become so rampant that even, the Oxford English Dictionary added "Phishing" to its latest publication making it a definitive word of English Language. It defines "Phishing" as:

"phishing • noun the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online."

As per the American Banker’s Association "Phishing attacks use ’spoofed’ e-mails and fraudulent Web sites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, Social Security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5 percent of recipients to respond to them."

The Anti-Phishing Working Group (APWG) which is an industry association focused on eliminating identity theft and fraud from the growing problem of phishing and email spoofing defines Phishing as a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.

According to the APWG statistics, more than 371 more phishing reports were made in June 2007 than in June 2006. The total for June 2007 was more than 28888 reports. The number of unique phishing websites detected by APWG was 31,709 in June 2007 which was 10047 in June 2006. The United States remain on the top of the list for countries hosting phishing websites with 31.95%. The rest of the top 10 breakdown is as follows: Republic of Korea 10%, Poland 6.88%, Russia 6.55%, Bangladesh 4.03%, India 2.84%, Japan 2.58%, Germany 2.56%, France 2.057%, Romania 1.75%. The figure given below shows the highlights of the APWG’s June 2007 statistics on phishing. Clearly, phishing has reached an alarming proportion:-

Major factors for increase in Phishing Attacks:

There are three major factors behind the recent spurt in phishing attacks worldwide particularly in India:

Unawareness among public: Worldwide, particularly in India, there has been lack of awareness regarding the phishing attacks among the common masses. The users are unaware that their personal information is actively being targeted by criminals and they do not take proper precautions when they conduct online activities.

Unawareness of policy - The fraudsters often count on victim’s unawareness of Bank/financial institution policies and procedures for contacting customers, particularly for issues relating to account maintenance and fraud investigation. Customers unaware of the policies of an online transaction are likely to be more susceptible to the social engineering aspect of a phishing scam, regardless of technical sophistication.

Technical sophistication - Fraudsters are now using advanced technology that has been successfully used for activities such as spam, distributed denial of service (DDoS), and electronic surveillance. Even as customers are becoming aware of phishing, criminals are developing techniques to counter this awareness. These techniques include URL obfuscation to make phishing emails and web sites appear more legitimate, and exploitation of vulnerabilities in web browsers that allow the download and execution of malicious code from a hostile web site.

Techniques of Phishing attacks

Man-in-the-middle attacks: In this class of attack, the attacker sits between the customer and the real web-based application, and proxies all communications between the systems. This form of attack is successful for both HTTP and HTTPS communications. The customer connects to the attackers server as if it was the real site, while the attackers server makes a simultaneous connection to the real site. The attackers server then proxies all communications between the customer and the real web-based application server - typically in real-time.

URL Obfuscation Attacks: Using URL obfuscation techniques which involves minor changes to the URL, the fraudster tricks the user to follow a hyperlink (URL) to the attacker’s server, without the users realizing that he has been duped. URL Obfuscation uses the unspoken, unwritten secrets of the TCP/IP protocol to trick users into viewing a website that they did not intend to visit.

XSS (Cross-site Scripting): Cross-site scripting attacks (XSS) make use of custom URL or code injection into a valid web-based application URL or imbedded data field. In general, these XSS techniques are the result of failure of a site to validate user input before returning it to the client’s web-browser.

Phishing scenario in XSS:

Victim logs into a web site

• Attacker has spread "mines" using an XSS vulnerability
• Victim fall upon an XSS mine
• Victim gets a message saying that their session has terminated, and they have to to authenticate again
• Victim’s username and password are send to attacker

Some cases of phishing in India:

Phishing is a relatively new concept in India, unheard of couple of years back but recently there has been rise in the number of phishing cases in India where the innocent public fall prey to the sinister design of fraudster. In India, the most common form of phishing is by email pretending to be from a bank, where the sinister asks to confirm your personal information/login detail for some made up reason like bank is going to upgrade its server. Needless to say, the email contains a link to fake website that looks exactly like the genuine site. The gullible customers thinking that it is from the bank, enter the information asked for and send it into the hands of identity thieves.

There were phishing attempts over ICICI Bank, UTI Bank, HDFC Bank, SBI etc. in which the Modus operandi was similar. It was reported that a large number of customers of these banks had received emails, which have falsely been misrepresented to have been originated from their bank. The recipients of the mails were told to update their bank account information on some pretext. These emails included a hyperlink with-in the email itself and a click to that link took recipients to a web page, which was identical to their bank’s web page. Some of the unsuspecting recipients responded to these mails and gave their login information and passwords. Later on, through internet banking and by using the information so collected a large number of illegal/fraudulent transactions took place.

Modus Operandi of phishing attack used to target bank customers in India:-

1. The hackers have created a fake look alike websites of the target Bank and sent emails to the customers of the bank luring them to provide them the login details in order to upgrade the server. It was revealed that for this purpose the fraudster hosted the web page containing URL Links of the target bank with the help of their associates from foreign countries like Nigeria, Russia etc.

2. Before a transfer of funds through internet banking is executed, the bank sends a SMS to the transferor in order to confirm the transaction. The fraudsters, when they get hold of the customer’s personal information changed the contact numbers of customers with their own, so that the transfer of funds through victim account to beneficiary accounts goes unnoticed.

3. In these cases, when the customers fell into trap and passed on their Internet banking password and user name, the fraud was perpetuated in three forms:-

a)      The account to account transfer from the victim’s account to a beneficiary account.

b)      For recharging the mobile phones.

c)      Making purchases online permissible by net banking facility.

• 1. The beneficiary account in which the funds were transferred were fake accounts which were opened by giving fake ID documents, like fake passports, fake election I Cards, Fake Pan Cards etc.
• 2. The phishing scam revealed the involvement of Nigerians but the beneficiary accounts were opened in the name of Indians as the account with Nigerian names would arouse suspicion. Some of the beneficiary account holders were carrier of the hackers while some of the beneficiary’s accounts were opened by luring the persons by giving them some consideration in lieu of their services to open the account in their names and get the ill-gotten money transferred in their accounts.
• 3. The suspected IP addresses from which the fraudulent internet transaction took place were of various foreign countries which indicate the use of proxy IPs by the hackers to mislead the investigation agencies.
• 4. It has been revealed that the amount has been withdrawn immediately by the hacker after the account has been compromised.

Does Phishing violate Criminal Laws- The Legal Angle

Because hacker use false and fraudulent websites, URL Links to deceive people into disclosing valuable personal data, phishing schemes which is used later to swindle money from victim account. Thus, it is an offence of cheating punishable u/s 420 IPC. There is also criminal conspiracy between various persons perpetrating the crime, like the persons who open the beneficiary account or who receive the funds in their account in conspiracy with the fraudster. Thus, Section 120-B IPC which relates to criminal conspiracy is also applicable. Further, the forgery of website which is in the nature of electronic record to cheat the gullible bank customers is punishable u/s 468IPC. Further fraudulently or dishonestly use as genuine, the fake website in the nature of electronic record is punishable u/s 471 IPC. Apart from attracting the provisions of Indian Penal Code, when the hacker use false and fraudulent websites to lure the victim to disclose his personal information and take control of the internet account with the intention to cheat him by deleting or altering any information/data residing in bank server electronically (for example; changing the mobile phone number of victim with his own) the offender commits the offence of hacking which is punishable u/s 66 IT Act, 2000. The Section 66 of the IT Act defines hacking activity, it takes hacking activity exclusively associated with the computer resource. The essentials of hacking are:-

(a)   Whoever

(b)   Intention or knowledge

(c)   Causing wrongful loss or damage to the public or any person

(d)   Destroying or altering any information residing in a computer resource

Or diminishes its value or utility or affects it injuriously by any means.

Thus, the account of the victim is compromised by the hacker which is not possible unless & until he effects some changes by way of deletion or alteration of information/data electronically in the account of the victim residing in the bank server. Thus, this act is squarely covered and punishable u/s 66 IT Act.  

What Should Internet Users Do About Phishing Schemes?

With online transactions on rise, certain precautionary measures are to be taken by all those who make their transactions online, like credit card holders, internet bank users, to shield themselves from such frauds. Some of the precautionary measures are as follows:-

1)      The US Department of Justice recommends the user to follow a golden rule what is known as Stop, Look & Call (SLC). The SLC rule emphasizes that:-

a.      You must STOP because the phishing emails are always desperate in their language and so eager to retrieve information from you. It generally comes with a warning you give the personal information or else your account would be deactivated. Be automatically suspicious of any email with urgent/desperate requests for personal financial information.

b.      You must LOOK because the link provided in the phishing email is a fake URL and by using your sixth sense, you would see that email address itself is bogus. For example, an email which purportedly come from UTI Bank might be UTI.Bank @ yahoo.com which obviously is not the original email address of UTI Bank.

c.      You must CALL because in case you find the email suspicious & even if you don’t fall into the trap, it should be your endeavor as a good citizen to inform the target bank and the law enforcement agencies so that timely action should be taken to save other customers from being trapped by the fraudster.

2)      Check your credit card and bank account statements regularly and look for unauthorized transactions, even small ones. Report discrepancies immediately

3)      Ensure that your system has the current security software applications like; anti-spam, anti-phishing, anti-virus and anti-spyware etc.

What do you do if you think you are a victim? 

• If you have provided account numbers, pin number, password, login detail to the phisher, immediately notify the bank with which you have the account so that your accounts can’t be compromised.
• Even if you don’t fall into the trap, it is your duty as a good citizen to avoid others from falling into the trap. You should report phishing to bank or agency that was being impersonated as well as to police.

Phishing is a major concern in the contemporary e-commerce environment in India and will continue to be so because of the lack of awareness among the Internet users who are new to the internet realm. There is no silver bullet to thwart the phishing attack. However, it has been noticed in the most of the phishing scams worldwide particularly in India that the hacker succeeds in phishing attempt due to the uninformed, gullible customers who without knowing that they are being trapped unwittingly pass on the information asked for by the fraudster. Therefore, the awareness and customer education is the key here to fight the menace of the "Phishing" apart from mitigating or preventative measures. The law enforcement agencies, the legislature, the industry should come together and coordinate in their fight against the menace of the Phishing. You may send your query at nkacyber@gmail.com .