Post on 08-Feb-2023
Prevention And Regulation of Phishing in Cyber World: National & International Framework.
Project submitted to
Mr.
(Faculty: Cyber Law)
Spandan Pujari
Section : B
Roll No.144
Semester VII
HIDAYATULLAH NATIONAL LAW UNIVERSITY RAIPUR,
CHHATTISGARH
TABLE OF CONTENTS
ACKNOWLEDGMENT
RESEARCH METHODOLOGY
OBJECTIVE
INTRODUCTION
REASONS FOR GROWTH
PHISHING TECHNIQUES
PHISHING ATTACKS IN INDIA
REGULATION UNDER INDIAN & INTERNATIONAL LAWS
PREVENTION OF PHISHING
CONCLUSION
BIBLIOGRAPHY
ACKNOWLEDGMENTS
I would like to express my heartfelt gratitude to my teacher, Mr.
for his unstinted support. I would like to thank the faculty for
giving me the chance for researching on such an intriguing and
progressive issue as this.
Thank you, jurists and masters of law for the expression of your
ideas, thoughts and immense amount of knowledge in the form of
the various books, articles and opinions. Without all of this, it
would have been a Herculean task for me to complete this project.
My gratitude also goes out to the staff and administration of
HNLU for the infrastructure in the form of our library and IT Lab
that was a source of great help for the completion of this
project.
Spandan Pujari
Semester VII
RESEARCH METHODOLOGY
The research methodology used in the project is doctrinal in
nature; the references used are secondary sources.
Secondary and Electronic resources have been largely used to
gather information and data about the topic. Books and other
reference as guided by Faculty of Cyber Law have been primarily
helpful in giving this project a firm structure. Websites,
dictionaries and articles have also been referred. Footnotes have
been provided wherever needed, either to acknowledge the source
or to point to a particular provision of law. Uniform citation
has been followed.
OBJECTIVES
• To understand the concept of Phishing.
• To understand the reasons for the growth of Phishing.
• To obtain a thorough classification of Phishing.
• To know the dangers of Phishing.
• To comprehend the legislation and regulation for Phishing.
• To advise on security measures against Phishing.
INTRODUCTION
The first documented use of the word "phishing" took place in 1996. Most people believe it originated as an alternative spelling of "fishing", as in "to fish for information".
Phishing is the attempt to acquire sensitive information such as
usernames, passwords, and credit card details (and sometimes,
indirectly, money) by masquerading as a trustworthy entity in an
electronic communication.1 Communications purporting to be from
popular social web sites, auction sites, banks, online payment
processors or IT administrators are commonly used to lure the
unsuspecting public. Phishing emails may contain links to
websites that are infected with malware.2 Phishing is typically
carried out by email spoofing3 or instant messaging,4 and it
often directs users to enter details at a fake website whose look
and feel are almost identical to the legitimate one. Phishing is
an example of social engineering techniques used to deceive
users, and exploits the poor usability of current web security
technologies. Attempts to deal with the growing number of
reported phishing incidents include legislation, user training,
public awareness, and technical security measures. Many websites
have now created secondary tools for applications, like maps for
games, but they should be clearly marked as to who wrote them,
and you should not use the same passwords anywhere on the
internet.
1. Van der Merwe, A J, Loock, M, Dabrowski, M. (2005), Characteristics and Responsibilities involved in a Phishing Attack, Winter International Symposium on Information and Communication Technologies, Cape Town, January 2005.
2. Safe Browsing (Google Online Security Blog).
3. Landing another blow against email phishing (Google Online Security Blog).
4. Tan, Koontorm Center. "Phishing and Spamming via IM (SPIM)".
Phishing is a continual threat that keeps growing to this day.
The risk grows even larger on social media such as Facebook,
Twitter, Myspace etc. Hackers commonly use these sites to attack
people who use them at their workplace, at home, or in public, in
order to take personal and security information that can affect
the user and the company (if in a workplace environment).
Phishing exploits the trust of the user, since one usually cannot
tell that the site or program being visited or used is not
genuine; that is when the hacker gets the chance to access
personal information such as passwords, usernames, security
codes, and credit card numbers, among other things.
A phishing technique was described in detail in a paper and
presentation delivered to the International HP Users Group,
Interex.5 The first recorded mention of the term "phishing" is
found in the hacking tool AOHell (according to its creator),
which included a function for stealing the passwords or financial
details of America Online users.6 The top ten countries hosting
phishing sites are the US, UK, Germany, Brazil, Canada, France,
Russia, Poland, the Netherlands and Japan. According to Ghosh,
there were "445,004 attacks in 2012 as compared to 258,461 in
2011 and 187,203 in 2010", which shows that phishing is an
ongoing threat to individuals.
A recent and popular case of phishing is the suspected Chinese
phishing campaign targeting the Gmail accounts of high-ranking
officials of the United States and South Korean governments and
militaries, and of Chinese political activists. The Chinese
government continues to deny accusations of taking part in
cyber-attacks from within its borders, but evidence has been
revealed that China's own People's Liberation Army has assisted
in the coding of cyber-attack software.
5. Felix, Jerry and Hauck, Chris (September 1987). "System Security: A Hacker's Perspective". 1987 Interex Proceedings.
6. Langberg, Mike (September 8, 1995). "AOL Acts to Thwart Hackers". San Jose Mercury News.
REASONS FOR GROWTH
There are three major factors behind the recent spurt in phishing
attacks worldwide, particularly in India:
1. Unawareness among the public: Worldwide, and particularly in
India, there has been a lack of awareness regarding phishing
attacks among the common masses. Users are unaware that their
personal information is actively being targeted by criminals,
and they do not take proper precautions when they conduct
online activities.
2. Unawareness of policy: The fraudsters often count on the
victim's unawareness of bank/financial institution policies
and procedures for contacting customers, particularly for
issues relating to account maintenance and fraud
investigation. Customers unaware of the policies of an
online transaction are likely to be more susceptible to the
social-engineering aspect of a phishing scam, regardless of
its technical sophistication.
3. Technical sophistication: Fraudsters are now using advanced
technology that has been successfully used for activities
such as spam, distributed denial of service (DDoS), and
electronic surveillance. Even as customers are becoming
aware of phishing, criminals are developing techniques to
counter this awareness. These techniques include URL
obfuscation to make phishing emails and web sites appear
more legitimate, and exploitation of vulnerabilities in web
browsers that allow the download and execution of malicious
code from a hostile web site.
PHISHING TECHNIQUES
Phishing
Phishing is a way of attempting to acquire information such as
usernames, passwords, and credit card details by masquerading as
a trustworthy entity in an electronic communication.
Spear phishing
Phishing attempts directed at specific individuals or companies
have been termed spear phishing.7 Attackers may gather personal
information about their target to increase their probability of
success. This technique is, by far, the most successful on the
internet today, accounting for 91% of attacks.8
Clone phishing
A type of phishing attack whereby a legitimate, and previously
delivered, email containing an attachment or link has had its
content and recipient address(es) taken and used to create an
almost identical or cloned email. The attachment or Link within
the email is replaced with a malicious version and then sent from
an email address spoofed to appear to come from the original
sender. It may claim to be a resend of the original or an updated
version to the original. This technique could be used to pivot
(indirectly) from a previously infected machine and gain a
foothold on another machine, by exploiting the social trust
associated with the inferred connection due to both parties
receiving the original email.
Whaling
Several recent phishing attacks have been directed specifically
at senior executives and other high profile targets within
businesses, and the term whaling has been coined for these kinds
of attacks.
7. "What is spear phishing?". Microsoft Security At Home.
8. Stephenson, Debbie. "Spear Phishing: Who's Getting Caught?". Firmex.
Rogue WiFi (MitM)
Attackers set up or compromise free WiFi access points and
configure them to run man-in-the-middle (MitM) attacks, often
with tools like sslstrip, to compromise all users of the access point.
Man-in-the-middle attacks
In this class of attack, the attacker sits between the customer
and the real web-based application, and proxies all
communications between the systems. This form of attack is
successful for both HTTP and HTTPS communications. The customer
connects to the attacker's server as if it were the real site,
while the attacker's server makes a simultaneous connection to the
real site. The attacker's server then proxies all communications
between the customer and the real web-based application server,
typically in real time.
URL Obfuscation Attacks
Using a URL obfuscation technique, which involves minor changes
to the URL, the fraudster tricks the user into following a
hyperlink (URL) to the attacker's server, without the user
realizing that he has been duped. URL obfuscation uses the
unspoken, unwritten secrets of the TCP/IP protocol to trick users
into viewing a website that they did not intend to visit.
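As an added illustration (not part of the project), the following Python checks the links found in a suspicious mail for the kind of minor URL changes just described, and for some close relatives of them: userinfo before "@" that hides the real host, a raw IP address as host, punycode labels, look-alike brand domains, and link text that names a different host than the real destination. The bank hostnames and all sample links are constructed placeholders.

```python
"""Flag URL-obfuscation tricks in links extracted from a suspected phishing mail."""
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist standing in for a bank's real hostnames (placeholder domains).
TRUSTED_HOSTS = {"icicibank.example", "onlinesbi.example"}

# Digits that are commonly swapped for look-alike letters in fake bank domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})


def fold(host: str) -> str:
    """Normalise a hostname so look-alikes compare equal to the brand they imitate."""
    ascii_host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return ascii_host.lower().translate(CONFUSABLES)


def registrable_domain(host: str) -> str:
    """Last two labels; a real deployment would consult the public-suffix list."""
    return ".".join(host.split(".")[-2:])


def analyse_link(href: str, link_text: str = "") -> list[str]:
    """Return human-readable findings for one link; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""  # urlsplit lowercases the host for us
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address instead of a bank domain")
    if parts.scheme != "https":
        findings.append("link is not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: possible homoglyph domain")
    if registrable_domain(host) not in TRUSTED_HOSTS:
        for trusted in TRUSTED_HOSTS:
            brand = trusted.split(".")[0]
            # The brand name appears in the host, but the domain is not the bank's own.
            if brand in fold(host):
                findings.append(f"host imitates {trusted} but is not it")
    # Visible link text that names a different host than the real destination.
    text_host = urlsplit(link_text).hostname if "://" in link_text else None
    if text_host and text_host != host:
        findings.append(f"link text shows {text_host} but points to {host}")
    return findings


if __name__ == "__main__":
    # Constructed sample links of the kind found in the bank mails described above.
    for href, text in [
        ("https://onlinesbi.example/login", ""),
        ("http://www.onlinesbi.example@203.0.113.5/verify", ""),
        ("https://0nlinesbi-secure.example/login", ""),
        ("https://login.attacker.example/", "https://icicibank.example/"),
    ]:
        print(href, "->", analyse_link(href, text) or "ok")
```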
XSS (Cross-site Scripting)
Cross-site scripting attacks (XSS) make use of custom URL or code
injection into a valid web-based application URL or embedded data
field. In general, these XSS techniques are the result of the
failure of a site to validate user input before returning it to
the client's web browser. Phishing scenario in XSS:
• Victim logs into a web site
• Attacker has spread "mines" using an XSS vulnerability
• Victim falls upon an XSS mine
• Victim gets a message saying that their session has terminated, and they have to authenticate again
• Victim's username and password are sent to the attacker
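An added example (not code from the project) of the flaw the scenario above depends on: a page that returns a query parameter to the browser unencoded, beside the same page with the value HTML-encoded, plus a regression check a site can run against either renderer. The template, parameter name and probe string are constructed.

```python
"""Reflected XSS: unvalidated echo of user input, and the encoded version that fixes it."""
from html import escape
from urllib.parse import parse_qs, quote

# Constructed page template; a real site would use a template engine with auto-escaping on.
TEMPLATE = "<html><body><h1>Search results for: {q}</h1></body></html>"

# Harmless probe standing in for an injected "mine": it must come back inert, never live.
PROBE = "<i>probe</i>"


def query_param(query_string: str) -> str:
    """Extract the q parameter from a raw query string such as 'q=savings&page=1'."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unsafe(query_string: str) -> str:
    """The flaw described above: the input is returned to the browser unvalidated."""
    return TEMPLATE.format(q=query_param(query_string))


def render_safe(query_string: str) -> str:
    """Same page, but the value is HTML-encoded so the browser treats it as text."""
    return TEMPLATE.format(q=escape(query_param(query_string), quote=True))


def reflects_markup(render, probe: str = PROBE) -> bool:
    """Regression check: True if the probe tag is echoed as live markup."""
    return probe in render("q=" + quote(probe))


if __name__ == "__main__":
    print("unsafe reflects markup:", reflects_markup(render_unsafe))
    print("safe reflects markup:  ", reflects_markup(render_safe))
```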
PHISHING IN INDIA
Phishing is a relatively new concept in India, unheard of a couple
of years back, but recently there has been a rise in the number of
phishing cases in India where the innocent public fall prey to
the sinister designs of fraudsters. In India, the most common form
of phishing is by email pretending to be from a bank, where the
fraudster asks you to confirm your personal information/login
details for some made-up reason, like the bank is going to upgrade
its server. Needless to say, the email contains a link to a fake
website that looks exactly like the genuine site. The gullible
customers, thinking that it is from the bank, enter the
information asked for and send it into the hands of identity
thieves. There were phishing attempts over ICICI Bank, UTI Bank,
HDFC Bank, SBI etc. in which the modus operandi was similar. It
was reported that a large number of customers of these banks had
received emails which falsely purported to originate from their
bank. The recipients of the mails were told to update their bank
account information on some pretext. These emails included a
hyperlink within the email itself, and a click on that link took
recipients to a web page which was identical to their bank's web
page. Some of the unsuspecting recipients responded to these
mails and gave their login information and passwords. Later on,
through internet banking and by using the information so
collected, a large number of illegal/fraudulent transactions took
place. Apart from the general banking phishing scams, some of the
recent phishing attacks that took place in India are as follows:
RBI Phishing Scam: In a daring phishing attack, the fraudsters
have not spared even the Reserve Bank of India. The phishing
email, disguised as originating from the RBI, promised its
recipient prize money of Rs.10 Lakhs within 48 hours, by giving a
link which leads the user to a website that resembles the official
website of the RBI, with a similar logo and web address. The user
is then asked to reveal his personal information like password,
I-pin number and savings account number. However, the RBI posted
a warning regarding the fraudulent phishing e-mail on the bank's
official website.
IT Department Phishing Scam: The email, purporting to come from
the Income Tax Department, tells the user that he is eligible for
an income tax refund based on his last annual calculation, and
seeks his PAN card number or credit card details.
ICC World Cup 2011: One of the biggest sporting events is also
under phishing attack. The fraudsters have specifically targeted
the internet users of the host countries, i.e. India, Bangladesh
and Sri Lanka, where the matches of the world cup are going on.
India, which has been allotted 29 matches of the world cup, is
obviously the prime target of the phishing attacks.
REGULATIONS UNDER INDIAN AND INTERNATIONAL LAWS
Phishing fraud is an online fraud in which the fraudsters
disguise themselves and use false and fraudulent websites of banks
and other financial institutions, and URL links, to deceive people
into disclosing valuable personal data, which is later used to
swindle e-money from the victim's account. Thus, essentially it is
a cyber crime and it attracts many penal provisions of the
Information Technology Act, 2000, as amended in 2008 by adding
some new provisions to deal with phishing activity. The following
Sections of the Information Technology Act, 2000 are applicable
to phishing activity:
Section 66: The account of the victim is compromised by the
phisher which is not possible unless & until the fraudster
fraudulently effects some changes by way of deletion or
alteration of information/data electronically in the account
of the victim residing in the bank server. Thus, this act is
squarely covered and punishable u/s 66 IT Act.
Section 66A: The disguised email containing the fake link of
the bank or organization is used to deceive or to mislead
the recipient about the origin of such email and thus, it
clearly attracts the provisions of Section 66A IT Act, 2000.
Section 66C: In the phishing email, the fraudster disguises
himself as the real banker and uses the unique identifying
feature of the bank or organization say Logo, trademark etc.
and thus, clearly attracts the provision of Section 66C IT
Act, 2000.
Section 66D: The fraudsters through the use of the phishing
email containing the link to the fake website of the bank or
organizations personates the Bank or financial institutions
to cheat upon the innocent persons, thus the offence under
Section 66D too is attracted.
The Information Technology Act, 2000 makes penal provisions under
Chapter XI of the Act and further, Section 81 of the IT Act,
2000 contains a non obstante clause, i.e. "the provisions of this
Act shall have effect notwithstanding anything inconsistent
therewith contained in any other law for the time being in
force". The said non obstante clause gives an overriding effect
to the provisions of the IT Act over other Acts, including the
Indian Penal Code. The aforesaid penal provisions of the IT Act,
2000 which are attracted to the phishing scam have, however, been
made bailable by virtue of Section 77B IT Act. This was done
intentionally, in view of the fact that there is always a
conflict as to the correct or accurate identity of the person
behind the alleged phishing scam: a smokescreen surrounds the
question of who has actually, via these online computer
resources, committed the offence or not. In view of this, and of
the possible misuse of the penal provisions for cyber offences
contained in the IT Act, the offence is made bailable.
US Legislation on Phishing
The Congress of the USA has enacted a statute regarding phishing
attacks, named THE ANTI-PHISHING ACT OF 2005.
The Act added two crimes to the current federal law:
1. It criminalized the act of sending a phishing email regardless
of whether any recipients of the email suffered any actual
damages.
2. It criminalized the act of creating a phishing website
regardless of whether any visitors to the website suffered any
actual damages.
Senator Leahy described the effects of the Act in this way:
The [Act] protects the integrity of the Internet in two ways.
First, it criminalizes the bait. It makes it illegal to
knowingly send out spoofed email that links to sham websites,
with the intention of committing a crime. Second, it
criminalizes the sham websites that are the true scene of the
crime.
If someone is convicted under the law passed by congress for
phishing they could risk spending up to five years in prison. The
people convicted of phishing may also have to pay a $250,000
fine.
Congressional action on phishing has resulted in steps to ensure
that people can be charged with phishing just for attempting the
scam. It doesn't matter whether the phishers were successful or
made anything off their criminal venture.
Unfortunately, it can be very hard to catch people like this, for
a number of reasons. First of all, there are hundreds of phishers
out there. Second, they often try to keep a low profile for their
websites to ensure they are not easily found. This means it can
take time to find and capture the criminal. Meanwhile, the
phishers continue to defraud companies all over the internet by
stealing people's information and using it for themselves.
UK Law on Phishing
The UK government is reforming fraud laws to create an offence
covering the perpetrators of phishing attacks. The provision is
among a raft of measures designed to clarify existing laws within
the new Fraud Bill, which was introduced in the House of Lords on
Wednesday.
A new offence of fraud, designed to strengthen the existing law
and ease the prosecution process, is the main feature of the
bill. The offence can be committed in one of three ways: false
representation (as seen in phishing attacks); abuse of position
(e.g. a person lifting money from the account of an elderly
person under their care) and failing to disclose information
(e.g. a lawyer who schemes to keep information from his client so
he can make money on the side).
Judges will be able to impose sentences of up to 10 years for any
of these three offences. This means fraudsters who pose as
financial institutions in the commission of phishing attacks, a
form of false representation, could become the subject of
extradition proceedings.
PREVENTION OF PHISHING
Phishing is a dangerous activity and has caused incredible
damage. The damage caused by phishing ranges from denial of
access to email to substantial financial loss. It is estimated
that between May 2004 and May 2005, approximately 1.2 million
computer users in the United States suffered losses caused by
phishing, totaling approximately US$929 million. United States
businesses lose an estimated US$2 billion per year as their
clients become victims. In 2007, phishing attacks escalated: 3.6
million adults lost US$3.2 billion in the 12 months ending in
August 2007. Microsoft claims these estimates are grossly
exaggerated and puts the annual phishing loss in the US at US$60
million. In the United Kingdom losses from web banking fraud,
mostly from phishing, almost doubled to GB£23.2m in 2005, from
GB£12.2m in 2004, while 1 in 20 computer users claimed to have
lost out to phishing in 2005.
According to the 3rd Microsoft Computing Safer Index Report,
released in February 2014, the annual worldwide impact of
phishing could be as high as $5 billion.
The stance adopted by the UK banking body APACS is that
"customers must also take sensible precautions ... so that they
are not vulnerable to the criminal." Similarly, when the first
spate of phishing attacks hit the Irish Republic's banking sector
in September 2006, the Bank of Ireland initially refused to cover
losses suffered by its customers (and it still insists that its
policy is not to do so), although losses to the tune of €113,000
were made good.
Social responses
One strategy for combating phishing is to train people to
recognize phishing attempts, and to deal with them. Education can
be effective, especially where training provides direct feedback.
People can take steps to avoid phishing attempts by slightly
modifying their browsing habits. When contacted about an account
needing to be "verified" (or any other topic used by phishers),
it is a sensible precaution to contact the company from which the
email apparently originates to check that the email is
legitimate. Alternatively, the address that the individual knows
is the company's genuine website can be typed into the address
bar of the browser, rather than trusting any hyperlinks in the
suspected phishing message.
Technical responses
• Helping to identify legitimate websites
• Secure connection
• Overcoming fundamental flaws in the security model of secure browsing
• Browsers alerting users to fraudulent websites
• Augmenting password logins
• Eliminating phishing mail
• Monitoring and takedown
• Transaction verification and signing
CONCLUSION
Phishing is a major concern in the contemporary e-commerce
environment in India and will continue to be so because of the
lack of awareness among Internet users who are new to
cyber-space. There is no silver bullet to thwart a phishing
attack. However, it has been noticed in most of the phishing
scams worldwide, particularly in India, that the hacker succeeds
in the phishing attempt because uninformed, gullible customers,
without knowing that they are being trapped, unwittingly pass on
the information asked for by the fraudster. Therefore, awareness
and customer education are the key here to fighting the menace of
phishing, apart from mitigating or preventative measures. The law
enforcement agencies, the legislature and the industry should
come together and coordinate in their fight against the menace
of phishing.
BIBLIOGRAPHY
Information Technology Act, 2000
Websites Referred
http://www.theregister.co.uk/2005/05/27/fraud_law_reform/
law.duke.edu/journals/dltr/articles/2005dltr0006.html