Internet developed rapidly leaving little or no scope for its terminologies to develop. Most internet terms and phrases are English loanwords most analogous to the concept being described. Phishing as a concept is analogous to fishing where predators wait for unsuspecting victims to fall prey to fraudulent offers.

 

Phishing in English

Phishing requires three independent parties:

  • The victim whose computer system has been compromised
  • The offender who violates all privacy norms and causes disruption with losses
  • The Service Provider whose service to the victim has been affected by the offender

Phishing (as you might have already related it to fishing) is a fraudulent activity where offenders create websites or webpages replicating a popular third-party website.

After the creation of such similar content they wait for an unsuspecting user to mistake the fake website for the real one and enter sensitive data. Probability has it that 5% 1 of the people would fall for it and give their username and password details to the fake site.

Once the sensitive data is extracted from the user the offender would use the same data to login to the real site and make unauthorised requests resulting in either monetary loss or privacy lapse.

For e.g. if I had to login to your Facebook account, I would create a website which would look exactly like Facebook. I would then send the link of the new site to you. Once you receive the link, assuming it to be Facebook, you would be actually submitting your credentials to me. I would then use your username and password to login to your Facebook account.

 

How bad is it?

In 2009, a group of fraudsters (about 100 people, 53 from USA and 47 from Egypt) were sentenced to Twenty years imprisonment. FBI officials nabbed them in the operation named “Phish Phry” after a manhunt of almost two years. The fraudsters were charged of phishing $1.5 million through fake credit card and banking websites.

“This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands of bank customers,”
– Acting US Attorney George S. Cardona, in a statement.

India has been a prime target of a plethora of phishing scams. Indian netizens being new and unaccustomed to the internet fall for these scams easily. India lost $53 million to phishing activities in the third quarter of 2013, and have been regularly in the top five countries by volume of scams.2

 

Different methods of phishing:

URL Obfuscation attacks

This is the most generic form of phishing. Where the victim has been taken to a misleading URL. For e.g.: https://gmail.co.pk instead of https://gmail.com

The offending website stands in the middle, accepts information from the user, stores the information and relays it to the original website. Therefore the user never gets to know if he is on the correct URL.

This is most easily done by sending fraudulent emails offering gifts or other incentives if the user clicks on a link. The user is then taken to a website which looks like the trusted entity and is asked to submit their username and password.

Man in the middle attacks

This is an advanced method where the attack is on the victim’s side. The virtual host file is a normal text file which has a list of URLs and their specific IP addresses:

Google.com 216.58.220.206
Facebook.com 31.13.78.35

So when we try to reach google.com, our computer first checks the list of IP Addresses in the virtual hosts file, if not found it looks up the internet to find their IP Addresses and then take us to the IP Addresses.

In this form of attack the virtual hosts file of the victims are targeted. A specialised malware can change the virtual host record of an user’s computer. If somehow this file can be changed by a malware, the computer can be fooled into visiting a different IP Address it never wanted to. These malware are mostly found on torrent sites and other free  download sites, the advertisements are of very low quality as they target unsophisticated users.

Once the change has been made by the malware, it is very difficult to notice the change. Good antivirus and anti malware softwares are recommended to deal with such attacks.

Cross Site Scripting (XSS) attack

As you might have noticed the X stands for Cross. This attack is done on the server’s computer. Specialised queries made to a server can make it reveal sensitive data.

This vulnerability especially is of a time when novice users would program servers and due to the vulnerable programming an advanced user could manipulate the server. However this is very rare and almost non-existent as of now.

 

Legalities

There has been a litany of cases filed by victims of phishing scams mostly against their banks. The grounds are filed under the Sections 43, 43A and 72A of the Information Technology Act, 2008 (amended). Depending on where the phishing activity has taken place, IT Act provides for different liabilities.

Section 43 (Penalty and Compensation for damage to computer, computer system, etc).

Section 43 (a), (b), (c), (h) and (i) talk about different liabilities for the offender.

Section 43 A Compensation for failure to protect data (Inserted vide ITAA 2006)

This whole section was introduced to affix liability on the Service Provider whose services have been compromised due to the attack (for e.g. the bank). A compensation has also been fixed which is not exceeding five crore rupees.

Section 66 Punishment for violation of Section 43

This section provides for punishment which may extend to three years and fine of five lakh rupees.

Section 66A(c)

This can be attracted in case of fraudulent emails. The words ‘to deceive or to mislead the addressee’ would carry the same punishment as in Section 66.

Section 66B, 66C, 66D, 66E

These different sections cover for the entire aspect of Phishing, identity theft, cheating, impersonation, violation of privacy, etc.

Section 72 A Punishment for Disclosure of information in breach of lawful contract

This section provides for punishment of the Service Provider who had an obligation to observe safe practices and network systems in order to prevent such attacks.

and Section 420 of Indian Penal Code

Apart from the IT Act, Cheating under the IPC can also be considered.

 

  1. Fay, John J. Encyclopedia of Security Management. 2nd ed. N.p.: Butterworth-Heinemann, 2007.
  2. Hindu Business Line, India lost $53 m to phishing attacks in Q3

Posted by Donnie Ashok

Donnie Ashok is a legal technology developer and a technology lawyer. He is a recent graduate from Gujarat National Law University and currently works as a technology consultant with iPleaders a leader in online legal education. IndiaTechLaw is an initiative by Donnie Ashok.

Leave a Reply