
Page |1

Prevention and Regulation of Phishing in Cyber World: National & International Framework

Project submitted to

Ms. Prachi Mishra

Project Submitted By

Nishant Chand Arya

1505C00079

BBALLB (Hons)

ICFAI LAW SCHOOL, THE ICFAI UNIVERSITY, DEHRADUN



TABLE OF CONTENTS

INTRODUCTION ............................................................ 03

REASONS FOR GROWTH ...................................................... 04

PHISHING TECHNIQUES ..................................................... 06

PHISHING ATTACKS IN INDIA ............................................... 07

REGULATION UNDER INDIAN & INTERNATIONAL LAWS ............................ 08

PREVENTION OF PHISHING .................................................. 09

CONCLUSION .............................................................. 12

BIBLIOGRAPHY

INTRODUCTION

The first documented use of the word "phishing" took place in 1996. Most people believe it
originated as an alternative spelling of "fishing," as in "to fish for information".

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit
card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an
electronic communication.[1] Communications purporting to be from popular social web sites,
auction sites, banks, online payment processors or IT administrators are commonly used to lure
the unsuspecting public. Phishing emails may contain links to websites that are infected with
malware.[2] Phishing is typically carried out by email spoofing[3] or instant messaging,[4] and it
often directs users to enter details at a fake website whose look and feel are almost identical to
the legitimate one. Phishing is an example of the social engineering techniques used to deceive
users, and it exploits the poor usability of current web security technologies. Attempts to deal
with the growing number of reported phishing incidents include legislation, user training, public
awareness, and technical security measures. Many websites have now created secondary tools for
applications, like maps for games, but these should be clearly marked as to who wrote them, and
you should not reuse the same password anywhere on the internet.

Phishing is a continual threat that keeps growing to this day. The risk grows even larger on social
media such as Facebook, Twitter, Myspace etc. Hackers commonly use these sites to attack
persons using them in their workplace, homes, or in public, in order to take personal and
security information that can affect the user and the company (if in a workplace environment).
Phishing works by projecting trust onto the user, since you usually cannot tell that the site or
program being visited or used is not real; when this occurs, the hacker has the chance to access
personal information such as passwords, usernames, security codes, and credit card numbers,
among other things.

[1] Van der Merwe, A. J., Loock, M., Dabrowski, M. (2005). "Characteristics and Responsibilities involved in a
Phishing Attack". Winter International Symposium on Information and Communication Technologies, Cape
Town, January 2005.
[2] "Safe Browsing". Google Online Security Blog.
[3] "Landing another blow against email phishing". Google Online Security Blog.
[4] Tan, Koontorm Center. "Phishing and Spamming via IM (SPIM)".

A phishing technique was described in detail in a paper and presentation delivered to the
International HP Users Group, Interex.[5] The first recorded mention of the term "phishing" is
found in the hacking tool AOHell (according to its creator), which included a function for
stealing the passwords or financial details of America Online users.[6] The top ten countries
hosting phishing are the US, UK, Germany, Brazil, Canada, France, Russia, Poland, the
Netherlands and Japan. According to Ghosh, there were "445,004 attacks in 2012 as compared to
258,461 in 2011 and 187,203 in 2010", which shows how phishing has been threatening
individuals.

A recent and widely reported case of phishing is the suspected Chinese phishing campaign targeting
the Gmail accounts of high-ranking officials of the United States and South Korean governments
and militaries, and of Chinese political activists. The Chinese government continues to deny
accusations of taking part in cyber-attacks launched from within its borders, but evidence has been
revealed that China's own People's Liberation Army has assisted in the coding of cyber-attack software.

[5] Felix, Jerry and Hauck, Chris (September 1987). "System Security: A Hacker's Perspective". 1987 Interex
Proceedings.
[6] Langberg, Mike (September 8, 1995). "AOL Acts to Thwart Hackers". San Jose Mercury News.

REASONS FOR GROWTH

There are three major factors behind the recent spurt in phishing attacks worldwide, and
particularly in India:

1. Unawareness among the public: Worldwide, and particularly in India, there has been a lack of
   awareness of phishing attacks among the common masses. Users are unaware that their
   personal information is actively being targeted by criminals, and they do not take proper
   precautions when they conduct online activities.
2. Unawareness of policy: Fraudsters often count on the victim's unawareness of bank and
   financial institution policies and procedures for contacting customers, particularly for
   issues relating to account maintenance and fraud investigation. Customers unaware of the
   policies governing an online transaction are likely to be more susceptible to the social-
   engineering aspect of a phishing scam, regardless of its technical sophistication.
3. Technical sophistication: Fraudsters are now using advanced technology that has already been
   used successfully for activities such as spam, distributed denial of service (DDoS) and
   electronic surveillance. Even as customers become aware of phishing, criminals are
   developing techniques to counter this awareness. These techniques include URL obfuscation,
   to make phishing emails and web sites appear more legitimate, and exploitation of
   vulnerabilities in web browsers that allow the download and execution of malicious code
   from a hostile web site.

PHISHING TECHNIQUES

• Phishing

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit
card details by masquerading as a trustworthy entity in an electronic communication.

• Spear phishing

Phishing attempts directed at specific individuals or companies have been termed spear
phishing.[7] Attackers may gather personal information about their target to increase their
probability of success. This technique is, by far, the most successful on the internet today,
accounting for 91% of attacks.[8]

• Clone phishing

A type of phishing attack whereby a legitimate, previously delivered email containing an
attachment or link has had its content and recipient address(es) taken and used to create an
almost identical, or cloned, email. The attachment or link within the email is replaced with a
malicious version and then sent from an email address spoofed to appear to come from the
original sender. It may claim to be a resend of the original or an updated version of the original.
This technique could be used to pivot (indirectly) from a previously infected machine and gain a
foothold on another machine, by exploiting the social trust associated with the connection
inferred from both parties having received the original email.

• Whaling

Several recent phishing attacks have been directed specifically at senior executives and other
high profile targets within businesses, and the term whaling has been coined for these kinds of
attacks.

• Rogue WiFi (MitM)

Attackers set up or compromise free WiFi access points and configure them to run man-in-the-
middle (MitM) attacks, often with tools like sslstrip, to compromise all of the access point's users.

[7] "What is spear phishing?". Microsoft Security At Home.
[8] Stephenson, Debbie. "Spear Phishing: Who's Getting Caught?". Firmex.

• Man-in-the-middle attacks

In this class of attack, the attacker sits between the customer and the real web-based application
and proxies all communications between the two systems. This form of attack is successful for both
HTTP and HTTPS communications. The customer connects to the attacker's server as if it were
the real site, while the attacker's server makes a simultaneous connection to the real site. The
attacker's server then proxies all communications between the customer and the real web-based
application server, typically in real time.
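The rogue-WiFi and man-in-the-middle attacks above depend on the site itself leaving room for a downgrade to plain HTTP, which is what sslstrip exploits. The following is an added example, not code from the original report, that checks a site's responses from the defender's side for exactly those gaps: an http:// endpoint that serves content or redirects somewhere other than https://, and a missing or weak Strict-Transport-Security (HSTS) header. The host bank.example and the sample responses are constructed.

```python
"""Score a site's HTTP responses for the gaps an sslstrip-style downgrade needs.
The responses passed in are constructed samples, not live traffic."""

HSTS_MIN_AGE = 180 * 24 * 3600  # six months, the usual floor for preload lists


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                out["max_age"] = int(part.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # a malformed max-age is treated as absent
        elif part == "includesubdomains":
            out["include_subdomains"] = True
        elif part == "preload":
            out["preload"] = True
    return out


def assess_downgrade_risk(http_status, http_headers, https_headers):
    """Return findings for one host. http_status/http_headers describe the
    reply to a plain http:// request, https_headers the reply over TLS.
    Header names are matched exactly here; normalise case on real traffic."""
    findings = []
    if http_status not in (301, 302, 307, 308):
        # content served over plain HTTP can be rewritten by a MitM at will
        findings.append("http serves content instead of redirecting to https")
    elif not http_headers.get("Location", "").lower().startswith("https://"):
        findings.append("http redirect does not point to https")
    hsts = https_headers.get("Strict-Transport-Security")
    if hsts is None:
        # without HSTS the browser keeps following whatever http:// link it is given
        findings.append("no HSTS header: browser will follow plain http:// links")
        return findings
    policy = parse_hsts(hsts)
    if not policy["max_age"]:
        findings.append("HSTS max-age missing or zero")
    elif policy["max_age"] < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {policy['max_age']} is shorter than six months")
    if not policy["include_subdomains"]:
        findings.append("HSTS lacks includeSubDomains; subdomains stay downgradable")
    return findings


if __name__ == "__main__":
    weak = assess_downgrade_risk(200, {}, {})  # constructed: no redirect, no HSTS
    strong = assess_downgrade_risk(
        301, {"Location": "https://bank.example/"},
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
    print("weak:", weak)
    print("strong:", strong)  # []
```

HSTS only protects a browser that has already seen the header once over HTTPS, which is why the preload directive and a long max-age matter for first-visit users.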

• URL Obfuscation Attacks

Using a URL obfuscation technique, which involves minor changes to the URL, the fraudster
tricks the user into following a hyperlink (URL) to the attacker's server without the user realizing
that he has been duped. URL obfuscation exploits the little-known, undocumented details of the
TCP/IP protocols to trick users into viewing a website that they did not intend to visit.
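The "minor changes to the URL" described above are recognisable patterns, and a mail gateway or user-awareness tool can flag them before anyone clicks. The following is an added example, not code from the original report, that checks a single URL for the common tricks: a fake host placed before "@", a numeric host, a punycode host, a trusted brand name buried inside an untrusted host, and percent-encoded letters that cloak the path. TRUSTED_DOMAINS, the host bank.example and every sample URL are constructed assumptions.

```python
"""Flag URL tricks commonly used to make a phishing link look legitimate.
TRUSTED_DOMAINS is an assumed allow-list; 'bank.example' stands in for the
brand being impersonated. Sample URLs are constructed for this example."""
import ipaddress
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"bank.example"}

# %30-%39, %41-%5A, %61-%7A: percent-encoded ASCII digits and letters, which
# never need encoding and usually appear only to cloak the real path
ENC_ALNUM = re.compile(r"%(?:3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])", re.I)


def is_ip_host(host):
    """True for a dotted-quad, IPv6 or bare decimal host (http://3232235777/)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return host.isdigit()


def suspicious_url(url):
    """Return the obfuscation tricks found in one URL (empty list if clean)."""
    found = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ["non-web scheme"]
    if parts.username is not None:
        # http://bank.example@evil.example/ : browsers ignore the part before '@'
        found.append("credentials before @ hide the real host")
    host = (parts.hostname or "").lower()
    if is_ip_host(host):
        found.append("numeric host instead of a domain name")
    if host.startswith("xn--") or ".xn--" in host:
        found.append("punycode (IDN) host, possible homograph")
    if host and host not in TRUSTED_DOMAINS:
        for brand in TRUSTED_DOMAINS:
            name = brand.split(".")[0]
            if name in host:
                found.append(f"'{name}' used inside untrusted host {host}")
    if ENC_ALNUM.search(parts.path):
        found.append("percent-encoded letters in path")
    return found


if __name__ == "__main__":
    for sample in ("https://bank.example/login",
                   "http://bank.example@evil.example/login",
                   "https://bank.example.evil.example/"):
        print(sample, "->", suspicious_url(sample))
```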

• XSS (Cross-site Scripting)

Cross-site scripting (XSS) attacks make use of a custom URL or of code injection into a valid web-
based application URL or embedded data field. In general, these XSS techniques are the result of
a site's failure to validate user input before returning it to the client's web browser. A phishing
scenario using XSS:
• The victim logs into a web site.
• The attacker has spread "mines" using an XSS vulnerability.
• The victim falls upon an XSS mine.
• The victim gets a message saying that their session has terminated and they have to
  authenticate again.
• The victim's username and password are sent to the attacker.
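The scenario above hinges on the "session terminated" notice being returned to the browser without validation. The following is an added example, not code from the original report, that renders such a notice page twice, once as a careless handler would and once with output escaping, and checks whether injected markup survives. The page template, handler and payload are all constructed.

```python
"""The 'session expired, log in again' page from the scenario above, rendered
twice: once reflecting the notice verbatim (vulnerable) and once with output
escaping (hardened). Template, handler and payload are constructed here."""
import html
import re
from urllib.parse import parse_qs

# minimal login page; {notice} is where the reflected parameter lands
PAGE = """<form method="post" action="/login">
<p class="notice">{notice}</p>
<input name="user"><input name="pass" type="password">
</form>"""

# markup that would run script or hijack the form if it survived rendering:
# a script tag, an on* handler inside a tag, or a javascript: URL
ACTIVE = re.compile(r"<\s*script|<[a-z][^>]*\son[a-z]+\s*=|javascript:", re.I)


def notice_from_query(query_string):
    """Take the 'notice' parameter from the query string, as the handler would."""
    return parse_qs(query_string, keep_blank_values=True).get("notice", [""])[0]


def render_unsafe(query_string):
    """Vulnerable: the parameter goes into the HTML without validation or escaping."""
    return PAGE.format(notice=notice_from_query(query_string))


def render_safe(query_string):
    """Hardened: HTML metacharacters are escaped for the text-node context."""
    safe_notice = html.escape(notice_from_query(query_string), quote=True)
    return PAGE.format(notice=safe_notice)


def has_active_content(rendered):
    """True if the rendered page contains injected script-bearing markup."""
    return ACTIVE.search(rendered) is not None


if __name__ == "__main__":
    # constructed XSS mine: the notice carries a script tag, URL-encoded
    q = "notice=Your+session+has+expired%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print("unsafe page executes script:", has_active_content(render_unsafe(q)))  # True
    print("escaped page executes script:", has_active_content(render_safe(q)))  # False
```

Escaping is context-specific: a value placed inside an attribute, a URL or a script block needs that context's encoding, and a Content-Security-Policy header is the usual second layer for the cases an escaping step misses.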

PHISHING IN INDIA

Phishing is a relatively new concept in India, unheard of a couple of years back, but recently there
has been a rise in the number of phishing cases in India in which the innocent public fall prey to
the sinister designs of fraudsters. In India, the most common form of phishing is an email pretending
to be from a bank, in which the fraudster asks you to confirm your personal information or login
details for some made-up reason, such as the bank upgrading its server. Needless to say, the email
contains a link to a fake website that looks like the genuine site. Gullible customers, thinking that
it is from the bank, enter the information asked for and send it straight into the hands of identity
thieves. There were phishing attempts against ICICI Bank, UTI Bank, HDFC Bank, SBI etc. in which
the modus operandi was similar. It was reported that a large number of customers of these banks had
received emails falsely misrepresented as originating from their bank. The recipients of the mails
were told to update their bank account information on some pretext. These emails included a
hyperlink within the email itself, and a click on that link took recipients to a web page that was
identical to their bank's web page. Later on, through internet banking and by using the information
so collected, a large number of illegal and fraudulent transactions took place. Apart from the
general banking phishing scams, some of the recent phishing attacks that took place in India are as
follows:

• RBI Phishing Scam: In a daring phishing attack of its kind, the fraudsters did not even spare
  the Reserve Bank of India. The phishing email, disguised as originating from the RBI, promised
  its recipient prize money of Rs.10 Lakhs within 48 hours by giving a link which led the user to
  a website that resembled the official website of the RBI, with a similar logo and web address.
  The user was then asked to reveal personal information such as password, I-PIN number and
  savings account number. However, the RBI posted a warning regarding the fraudulent phishing
  e-mail on the bank's official website.
• IT Department Phishing Scam: An email purporting to come from the Income Tax Department
  lures the user with the claim that he is eligible for an income tax refund based on his last
  annual calculation, and seeks his PAN card number or credit card details.
• ICC World Cup 2011: One of the biggest sporting events is also under phishing attack. The
  fraudsters have specifically targeted internet users in the host countries, i.e. India,
  Bangladesh and Sri Lanka, where the matches of the World Cup are going on. India, which
  has been allotted 29 matches of the World Cup, is obviously the prime target of the
  phishing attacks.

REGULATIONS UNDER INDIAN AND INTERNATIONAL LAWS


Phishing fraud is an online fraud in which fraudsters disguise themselves and use false and
fraudulent websites of banks and other financial institutions, and URL links, to deceive people
into disclosing valuable personal data, which is later used to swindle e-money from the victim's
account. Thus, it is essentially a cyber crime, and it attracts many penal provisions of the
Information Technology Act, 2000, as amended in 2008, which added some new provisions to deal with
phishing activity. The following Sections of the Information Technology Act, 2000 are applicable
to phishing activity:

• Section 66: The account of the victim is compromised by the phisher, which is not possible
  unless and until the fraudster fraudulently effects some changes by way of deletion or
  alteration of information/data electronically in the account of the victim residing on the
  bank's server. Thus, this act is squarely covered by and punishable under Section 66 of the
  IT Act.
• Section 66A: The disguised email containing the fake link of the bank or organization is used
  to deceive or mislead the recipient about the origin of such email, and thus it clearly
  attracts the provisions of Section 66A of the IT Act, 2000.
• Section 66C: In the phishing email, the fraudster disguises himself as the real banker and
  uses the unique identifying features of the bank or organization, such as its logo, trademark
  etc., and thus clearly attracts the provisions of Section 66C of the IT Act, 2000.
• Section 66D: The fraudsters, through the use of a phishing email containing a link to the fake
  website of the bank or organization, personate the bank or financial institution to cheat
  innocent persons; thus the offence under Section 66D too is attracted.

The Information Technology Act, 2000 makes penal provisions under Chapter XI of the Act, and
further, Section 81 of the IT Act, 2000 contains a non obstante clause, i.e. "the provisions of
this Act shall have effect notwithstanding anything inconsistent therewith contained in any other
law for the time being in force". The said non obstante clause gives the provisions of the IT Act
an overriding effect over other Acts, including the Indian Penal Code. The aforesaid penal
provisions of the IT Act, 2000 that are attracted by a phishing scam have, however, been made
bailable by virtue of Section 77B of the IT Act. This was done intentionally: there is always a
conflict as to the correct or accurate identity of the person behind an alleged phishing scam, a
smokescreen over whether the person who used these online computer resources has or has not
actually committed the offence, and a possibility of misuse of the penal provisions for cyber
offences contained in the IT Act; in view of these, the offence has been made bailable.

Unfortunately, it can be very hard to catch people like this, for a number of reasons. First of all,
there are hundreds of phishers out there. Second, they often try to keep a low profile for their
websites to ensure they are not easily found. This means it can take time to find and capture the
criminal. Meanwhile, the phishers continue to defraud companies all over the internet by stealing
people's information and using it for themselves.

UK Law on Phishing

The UK government is reforming fraud laws to create an offence covering the perpetrators of
phishing attacks. The provision is among a raft of measures designed to clarify existing laws
within the new Fraud Bill, which was introduced in the House of Lords on Wednesday.

A new offence of fraud, designed to strengthen the existing law and ease the prosecution process,
is the main feature of the bill. The offence can be committed in one of three ways: false
representation (as seen in phishing attacks); abuse of position (e.g. a person lifting money from
the account of an elderly person under their care) and failing to disclose information (e.g. a
lawyer who schemes to keep information from his client so he can make money on the side).

Judges will be able to impose sentences of up to 10 years for any of these three offences. This
means fraudsters who pose as financial institutions in the commission of phishing attacks, a form
of false representation, could become the subject of extradition proceedings.

Social responses

One strategy for combating phishing is to train people to recognize phishing attempts and to deal
with them. Education can be effective, especially where training provides direct feedback.

People can take steps to avoid phishing attempts by slightly modifying their browsing habits.
When contacted about an account needing to be "verified" (or any other topic used by phishers),
it is a sensible precaution to contact the company from which the email apparently originates to
check that the email is legitimate. Alternatively, the address that the individual knows is the
company's genuine website can be typed into the address bar of the browser, rather than trusting
any hyperlinks in the suspected phishing message.

Technical responses

• Helping to identify legitimate websites

• Secure connection

• Overcoming fundamental flaws in the security model of secure browsing

• Browsers alerting users to fraudulent websites

• Augmenting password logins

• Eliminating phishing mail

• Monitoring and takedown

• Transaction verification and signing



CONCLUSION

Phishing is a major concern in the contemporary e-commerce environment in India and will
continue to be so because of the lack of awareness among Internet users who are new to
cyberspace. There is no silver bullet to thwart phishing attacks. However, it has been noticed
in most of the phishing scams worldwide, and particularly in India, that the hacker succeeds in
the phishing attempt because of uninformed, gullible customers who, without knowing that they are
being trapped, unwittingly pass on the information asked for by the fraudster. Therefore,
awareness and customer education are the key to fighting the menace of phishing, apart from
mitigating or preventative measures. The law enforcement agencies, the legislature and the
industry should come together and coordinate in their fight against the menace of phishing.

BIBLIOGRAPHY

• Information Technology Act, 2000

Websites Referred

• http://www.theregister.co.uk/2005/05/27/fraud_law_reform/
• law.duke.edu/journals/dltr/articles/2005dltr0006.html
