Phishing - a practical case study

Note: This case study is no longer maintained.
This page is maintained only for archival purposes.

With the tremendous increase in the use of online banking, online share trading and ecommerce, there has been a corresponding growth in the incidents of phishing being used to carry out financial frauds.

Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details etc) by masquerading as a trusted entity.

The usual scenario is that the victim receives an email that appears to have been sent from his bank. The email urges the victim to click on the link in the email. When the victim does so, he is taken to “a secure page on the bank’s website”. The victim believes the web page to be authentic and he enters his username, password and other information. In reality, the website is a fake and the victim’s information is stolen and misused.

Phishing - a practical case study is a first-of-its-kind case study in the world and has been released by Asian School of Cyber Laws. It explains the above scenario in detail along with two fully functional websites.

Download the case study (pdf)

Download the case study (ppt)

FREE ebook - Simple Guide to Digital Signatures

Note: This ebook is no longer available.
This page is maintained only for archival purposes.

Asian School of Cyber Laws has released a FREE ebook titled "Simple Guide to Digital Signatures", authored by Rohas Nagpal, President, Asian School of Cyber Laws.

This ebook begins with a short and simple explanation of the process of digital signatures.

It then provides a detailed screen-shot based step-by-step guide to obtaining a digital signature certificate from a Certifying Authority.

It then provides a detailed screen-shot based step-by-step guide to digitally signing a Microsoft Word document.

FREE ebook - 7 years of Indian Cyber Law

Note: This ebook is no longer available.
This page is maintained only for archival purposes.

Asian School of Cyber Laws has released a FREE ebook titled "7 years of Indian Cyber Law", authored by Rohas Nagpal, President, Asian School of Cyber Laws.

Indian Cyber Laws were officially born on 17th October 2000 with the Information Technology Act, 2000 coming into force. This ebook discusses 7 interesting case laws that highlight the development of cyber legal jurisprudence in India over the last 7 years.

This ebook begins with a short outline of the various rules, regulations and orders that have been passed over the last 7 years. It then moves on to a brief discussion of the Indian law relating to cyber pornography and features the Avnish Bajaj (CEO of Baazee.com – now a part of the eBay group of companies) case.

The next issue covered by this paper is that of protected systems and features the Firos vs. State of Kerala case. The highly topical issue of tampering with computer source code is discussed next along with the Syed Asifuddin case.

The importance of the amendments to the Banker’s Books Evidence Act is discussed next in the context of the State Bank of India vs. Rizvi Exports Ltd case. The issue of admissibility of electronic records is discussed in the context of the State vs. Mohd. Afzal and others case also known as the Parliament attack case.

The ebook ends with two cases, one focusing on whether an ATM is a computer and the other on the place of an electronic contract.

FREE ebook - Evolution of Cyber Crime

Note: This ebook is no longer available.
This page is maintained only for archival purposes.

Asian School of Cyber Laws has released a FREE ebook titled "Evolution of Cyber Crime", authored by Rohas Nagpal, President, Asian School of Cyber Laws.

This ebook discusses various cyber crimes such as:

  1. Financial Crimes,
  2. Cyber Pornography,
  3. Sale of Illegal Articles,
  4. Online Gambling,
  5. Intellectual Property Crimes,
  6. Email Spoofing,
  7. Forgery,
  8. Cyber Defamation,
  9. Cyber Stalking,
  10. Web defacement,
  11. Email Bombing,
  12. Data Diddling,
  13. Salami Attacks,
  14. Denial of Service Attack,
  15. Virus / Worm Attacks,
  16. Trojans and Keyloggers,
  17. Internet Time Theft,
  18. Web Jacking,
  19. Email Frauds and
  20. Cyber Terrorism.

Cyber Crime Hit List

"It is easy to see the faults of others but not so easy to see one’s own faults."

These words of Gautam Buddha hold true even in today’s digitalized world. The ability of criminals to easily misuse technology to commit crimes is blamed upon weaknesses in computer software. Rarely does the common man realize that the spread of cyber crime can be attributed more to his ignorance than to anything else.

Based upon 7 years of real world cyber crime investigations, ethical hacking and penetration testing, we at Asian School of Cyber Laws (ASCL) came to two very fundamental conclusions –

1. most cyber crimes are committed using one of 5 methods,
2. most cyber crimes can be prevented by user awareness of these 5 methods.

5. Computer Viruses & Worms

Not many people know that two brothers from Pakistan are (dis)credited with having created the world’s first computer virus. From the humble beginnings of the Brain virus, today’s computer virus packs quite a punch with artificial intelligence, encrypted source code and dynamic payloads.

Several viruses and worms have caught public attention with the sheer magnitude of their impact e.g. Melissa, Love Bug, SQL Slammer, Chernobyl, Nimda etc.

Viruses can be of various types such as polymorphic, stealth, multipartite, armored, companion etc. But deep down they are usually created for one primary purpose – to damage data. And most modern viruses have a highly successful track record.

Worms, on the other hand, are usually created to consume your computer and network resources.

Of late a disturbing trend is the marriage of viruses, worms, Trojans and other malicious code to produce highly evolved, artificial intelligence enabled code that we at ASCL have nicknamed hydra (HYbrid Data Raiding Agents). So far hydra are confined to sophisticated information warfare attacks where national interest and high finance are the motivation.

Unlike simpler viruses and worms, which are primarily created to damage random computers, hydra are sent to carefully selected computers and are almost never found in the wild.

Because of this, almost no known anti-virus program is effective against hydra.

4. Trojans & Spyware

The term Trojan has a rather romantic and violent origin in the unfortunate events surrounding Helen of Troy. True to the origins of the word, computer Trojans are software programs that appear to be very useful but in reality enable malicious hackers to control the computers on which they are installed.

Script kiddies regularly use Trojans to cause serious damage to unsuspecting victims. Trojans are very easy to download and deploy and are most commonly sent as attachments to spoofed e-mails. The recipient of the e-mail believes that his friend / colleague has sent him an e-card or an important document and so he unsuspectingly downloads and runs the file on his computer.

Once the Trojan is installed on a computer, the computer effectively becomes a free-for-all that people around the world can easily break into.

Case: A young lady reporter was working on an article about online relationships. The article focused on how people can easily find friendship and even love on the Internet. During the course of her research she made a lot of online friends. One of these ‘friends’ managed to infect her computer with a Trojan.

This young lady stayed in a small one bedroom apartment and her computer was located in one corner of her bedroom. Unknown to her, the Trojan could activate her web camera and microphone even when the Internet was switched off. A year later she realized that hundreds of her pictures were posted on pornographic sites around the world!

Case: The network administrator in a global bank received a beautifully packed CD ROM containing “security updates” from the company that developed the operating system that ran his bank’s servers. He installed the “updates”, which were in reality Trojanized software. Three years later, the effects are still being felt in the bank’s systems!

Spyware and key loggers are regularly used to log every stroke a victim makes on the keyboard. This assumes sinister proportions if a key logger is installed on a computer which is regularly used for online banking and other financial transactions.

Key loggers and spyware are most commonly found on public computers such as those in cyber cafes, hotels etc. Unsuspecting victims also end up downloading spyware when they click on “friendly” offers for free software.

Precautions
1. Do not download email attachments unless you are sure about the authenticity of the email.

2. Use good anti-virus software (many are available for free).

3. Regularly download updates for the anti-virus software. If your software has an auto update facility, use it.

4. Regularly apply updates and security patches to your operating system. For Windows users, the “automatic updates” option should be turned on.

5. Do not go “click happy” to download free software from pop-up advertisements. Almost always there is a catch!

6. Use a personal firewall (e.g. ZoneAlarm) and enable the firewall and other safety options in your operating system.

3. Phishing & Spoofing attacks

In the 19th century, British comedian Arthur Roberts invented a game called Spoof, which involved trickery and nonsense. This gave the English speaking world a new word that today symbolizes a gamut of hacking technologies.

Spoofing attacks primarily include e-mail spoofing, SMS spoofing, IP spoofing, and web spoofing. Spoofing attacks are used to trick people into divulging confidential information (e.g. credit card data) or doing something that they would usually not do (e.g. installing malicious software on their own computers).

Such use of spoofing attacks is commonly referred to as Phishing.

Sending an e-mail from somebody else’s e-mail ID is the simplest form of email spoofing. Innumerable tools exist on the Internet which can easily be used to send e-mails appearing to have been sent by somebody else. The effects can be severe.

Case: Customers of ABC bank received an email from the bank asking them to verify their usernames and passwords for the bank records. The emails were spoofed, but thousands of customers clicked on the link in the email and submitted their login information at the webpage that opened up. On investigation it was found that the emails had been sent by a disgruntled employee.

Case: Thousands of employees of a global IT company ended up installing viruses on their computers when they executed an attachment appearing to have been sent out by their officers. The employees even disabled the anti-virus software because the email said that “the attachment may be incorrectly detected as a virus!” On investigation it was found that the emails had been sent out by a rival company.

SMS spoofing is very similar to e-mail spoofing. The major difference is that instead of an email ID, a cell phone number is spoofed, and instead of a spoofed e-mail, a spoofed SMS is sent.

Case: A young lady received an SMS from her husband’s cell phone informing her that he had had an accident and was at the hospital and urgently needed money. On receiving the SMS, she rushed out of the house with the money. She was attacked and robbed by the person who had sent her the spoofed SMS.

An IP address (e.g. 67.19.217.53) is the primary identification of a computer connected to a network (e.g. the Internet). A criminal usually uses IP spoofing to bypass IP based authentication or to mislead investigators by leaving a trail of false evidence.

IP spoofing can be accomplished using proxy servers and simple PHP scripts that are readily and freely available online.

Case: Internet users in many countries use proxy servers to bypass Government imposed Internet censorship. (We are not passing any comment on whether is it right or wrong to impose Internet censorship or bypass it, as the case may be.)

Case: A criminal hacked into the computer systems of a sensitive Government organization. The digital trail that he left behind led to a senior official of the same department. This officer would have been arrested immediately had it not been for his impeccable record. Detailed investigations proved that the digital trail was faked.

When you sit at a computer, open up a browser and type in www.asianlaws.org, you expect to reach the correct website (and most often you do!). This is because of the domain name system which converts human readable domain names such as asianlaws.org into computer readable IP addresses such as 67.19.217.53.

DNS spoofing involves manipulating the domain name system to take unsuspecting victims to fake websites (that look identical to the original ones). Sitting at the computer you may type in www.asianlaws.org but the site that opens up may be a fake site!

This can be and has been done at the local organizational level (e.g. by rewriting the hosts file, or by a network administrator with malicious intentions) or at the national or international level (by hackers exploiting vulnerabilities in the BIND software that runs most of the world’s domain name servers).
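The local variant above (a rewritten hosts file silently redirecting a domain) is easy to check for from the defender's side. The script below is an added example, not code from ASCL or from the article: it parses a hosts file and reports any entry that pins a watched domain, since such domains should resolve through DNS, not through a local file. The sample hosts content and the WATCHED table are constructed for the demonstration; the address 67.19.217.53 is the one the article quotes for asianlaws.org.

```python
"""Flag hosts-file entries that override domains which should resolve via DNS.

Added example (not ASCL's code). SAMPLE_HOSTS and WATCHED are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file. The last line rewrites asianlaws.org to a
# private address, which is what a local DNS-spoofing attempt looks like.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
# legitimate local alias, not a concern
192.168.1.10 intranet.example.internal
10.0.0.99    www.asianlaws.org asianlaws.org   # rewritten entry
"""

# Domains that must never be pinned in the hosts file, with the address the
# article quotes for asianlaws.org. Every hosts entry for these is reported,
# because even a "correct" pin bypasses DNS and hides later address changes.
WATCHED: Dict[str, str] = {"asianlaws.org": "67.19.217.53"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalises IPv4 and IPv6
        except ValueError:
            continue                                 # first field is not an address
        for name in fields[1:]:
            pairs.append((ip, name.lower().rstrip(".")))
    return pairs


def registrable_part(hostname: str) -> str:
    """Crude registrable-domain guess (last two labels); enough for this demo."""
    return ".".join(hostname.split(".")[-2:])


def find_overrides(text: str, watched: Dict[str, str] = WATCHED) -> List[Tuple[str, str, bool]]:
    """Return (hostname, ip, matches_documented_address) for every hosts entry
    that covers a watched domain. An empty list means no override is present."""
    findings: List[Tuple[str, str, bool]] = []
    for ip, name in parse_hosts(text):
        expected = watched.get(registrable_part(name))
        if expected is not None:
            findings.append((name, ip, ip == expected))
    return findings


if __name__ == "__main__":
    for name, ip, ok in find_overrides(SAMPLE_HOSTS):
        verdict = "matches documented address" if ok else "DIFFERS from documented address"
        print(f"hosts file pins {name} -> {ip} ({verdict})")
```

On a real system, read the contents of /etc/hosts (or the Windows equivalent) into find_overrides instead of SAMPLE_HOSTS, and treat any finding, matching address or not, as something to explain.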

Case: Hundreds of employees at a global financial services company received emails from a popular online store about a huge discount on some popular books and DVDs. On clicking the link in the email, users were taken to what appeared to be the website of the online store. Most of the recipients of the emails placed orders using their credit cards. No one got the books / DVDs, but they all got hefty credit card bills at the end of the month.

On investigation it was uncovered that the network administrators had connived to carry out a simple Phishing attack. It was a fake email and a fake website. None of the victims (most of whom were advanced computer users) realized that something was amiss.

Precautions
1. Use digital signatures to authenticate your emails. This technology is very cheap (sometimes free!) and easy to use. Digitally signed documents enjoy legal validity in many countries.
(Visit www.asianlaws.org/cyberlaw/library to learn more about digital signatures.)

2. Avoid accessing your primary email account(s) from a public computer. You can set up secondary email accounts for non critical work.

3. Treat with suspicion any email which makes an urgent request for your credit card or online banking account details.

4. If you suspect an email, do not click on the links in the email. Open up your browser and type in the URL.

5. Ensure that your operating system and Internet browser are updated regularly.

2. Packet Sniffing

On computer networks, data travels in the form of data packets. A packet sniffer can be used to read these packets while they are in transit.

On the legitimate side, system administrators use this technology to monitor and troubleshoot network traffic. On the criminal side, this technology can easily be used to sniff out username and password information, credit card details etc.

Surprisingly, such sensitive information is generally transmitted in clear text from your computer to the web server. Such plain text information can easily be viewed with packet sniffing technology.

Case: A disgruntled former employee of a global trading corporation had installed Trojans in some of the company computers before resigning from his job. Subsequently, he used the Trojans to install packet sniffing software on the infected computers. Using these compromised computers, he was able to view huge amounts of sensitive information. His earnings from selling this information to rival companies were more than that of the Chairman of the company!

Packet sniffers are not very difficult to install and use and are difficult to detect. With the growing popularity of wireless networks in companies and even in public places, the risks are even higher.

Case: ASCL recently conducted experiments near several software parks. The wireless networks of a whopping 90% of the software companies were leaking out sensitive information. A malicious hacker could easily sit in a parked car with a laptop, run some sniffing software and access huge amounts of sensitive data including source code!

1. Greed

If someone gets an email telling him that he has won a huge lottery, what is the first thing that he should do? Ask himself – did I even buy a ticket for this lottery? If you have not bought the ticket, how can you win the lottery? If you still want to believe it and then even pay a “small” processing fee, who can you blame if you get defrauded?

Every time that you download “free” software, that promises to change your very way of life, from a popup advertisement, you risk compromising your entire digital identity.

Today your computer holds the key to your digital life – your health records, bank accounts, online share trading accounts, email accounts, utility bills, credit card information, tax filings... the list is endless.

Be CAREFUL.

UN Report quotes ASCL study on Cyber Crime

The E-Commerce and Development Report 2003, recently published by the United Nations Conference on Trade and Development, has quoted the findings of the Computer Crime and Abuse Report (2001-02) published by Asian School of Cyber Laws.

The UN Report identifies some of the implications that the growth of the digital economy may have for developing countries. The report aims to provide policy makers with a better understanding of the options available to them in leading sectors of developing-country economies. It is also meant to contribute to the debates at the World Summit on the Information Society and efforts to create a truly inclusive information society that serves and empowers all people.

In the words of Kofi A. Annan, Secretary-General of the United Nations, "Above all, if (the report) helps developing countries to adopt and take advantage of new digital technologies, this report will have served its purpose".

Interestingly, the ASCL Computer Crime and Abuse Report (2001-02) is the only such study quoted in the UNCTAD report.

ASCL Online Cyber Law Library

The ASCL Cyber Law Library has been indexed into various topics.

Cyber Crime:

  1. Cyber Forensics and the Law (pdf) (html)
  2. Tracing the Source of an Email (pdf) (html)
  3. What is Cyber Crime? (pdf) (html)
  4. What is a Trojan? (pdf) (html)
  5. What is a virus? (pdf) (html)
  6. What is a worm?
  7. Everything you ever wanted to know about email
  8. Cyber Crime Cases - Emerging Jurisprudence
  9. Securing Critical Oil Infrastructure from Cyber Threats
  10. Electronic Threats Facing the Corporate World
  11. Email Related Crime
  12. Cyber Terrorism in the Context of Globalization
  13. Port Scanning and its Legal Implications

Electronic Signatures:

  1. Cryptography Laws of Major Countries
  2. Defining a Digital Signature
  3. Introduction to Digital Signatures
  4. Electronic Data Interchange - An Introduction
  5. Introduction to Electronic Signatures
  6. Electronic Signatures and the Law
  7. Legislative Approach to Electronic Signatures

India Corner:

  1. Penalties under the IT Act, 2000
  2. Offences under the IT Act, 2000
  3. Cyber crimes and the Indian Penal Code
  4. Adjudication of Penalties under the IT Act
  5. Digital Evidence and the Indian Evidence Act
  6. Unauthorised Access

Digital Signatures:

  1. Information Technology (Certifying Authorities) Rules, 2000
  2. Digital Signatures and the Indian Law

Legislations:

  1. Information Technology Act, 2000
  2. Rules under the Information Technology Act, 2000
  3. The Semiconductor Integrated Circuits Layout-Design Act, 2000
  4. Rules under the Semiconductor Integrated Circuits Layout-Design Act, 2000
  5. The Communication Convergence Bill, 2000
  6. Canada
  7. Germany
  8. Malaysia
  9. Singapore
  10. United Kingdom

General:

  1. Preamble to the Information Technology Act
  2. Information Technology Act - a Jurisdictional Perspective
  3. Computers and the Indian Law
  4. Hacking and the Indian Law
  5. Network Service Providers and the Indian Law

E-commerce Laws:

  1. Australia
  2. Austria
  3. Bermuda
  4. Canada
  5. Colombia
  6. Ecuador
  7. Europe
  8. Finland
  9. Germany
  10. Guernsey
  11. Ireland
  12. Philippines
  13. United Kingdom
  14. USA