07-06-2012, 11:48 AM
PHISHING
an organisation's customers into imparting their confidential information for nefarious use. Riding on the back of mass-mailings such as spam, or using bots to automatically target victims, any online business may find phishers masquerading as them and targeting their customer base. Organisational size doesn't matter; the quality of the personal information reaped from the attack has a value all in itself to the criminals.
PHISHING HISTORY
The word "phishing" originally comes from the analogy that early Internet criminals used email lures to "phish" for passwords and financial data from a sea of Internet users. The use of "ph" in the terminology is partly lost in the annals of time, but most likely linked to popular hacker naming conventions such as "Phreaks", which traces back to early hackers who were involved in "phreaking" – the hacking of telephone systems.
The term was coined in the 1996 timeframe by hackers who were stealing America Online (AOL) accounts by scamming passwords from unsuspecting AOL users. The popularised first mention of phishing on the Internet was made in the alt.2600 hacker newsgroup in January 1996; however, the term may have been used even earlier in the popular hacker newsletter "2600".
THE PHISHING THREAT
1. Social Engineering Factors
2. Phishing Message Delivery
3. IRC and Instant Messaging
4. Trojaned Hosts
5. Phishing Attack Vectors
PHISHING ATTACK VECTORS
1. Man-in-the-middle Attacks
2. URL Obfuscation Attacks
3. Cross-site Scripting Attacks
4. Preset Session Attacks
5. Observing Customer Data
6. Client-side Vulnerability Exploitation
PHISHING PREVENTION
1. Consistent Branding.
2. Monitor bounces to customer facing e-mail addresses.
3. Monitor referrers to public web sites.
4. Watermark web content.
5. Preposition countermeasures.
6. Organizational and Administrative Countermeasures.
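As an added example of the "monitor referrers to public web sites" countermeasure listed above (not code from the original post), the script below scans Apache combined-format access log lines and reports referrer hosts outside the organisation's own domains, which is how a phishing page that hotlinks the real site's logo or stylesheet shows up in the logs. The log lines, domain names and paths are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format; hosts are fictitious.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2012:11:48:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://www.example-bank.test/login" "Mozilla/5.0"
203.0.113.6 - - [07/Jun/2012:11:48:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://example-bank-secure.invalid/verify.php" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2012:11:48:03 +0000] "GET /css/site.css HTTP/1.1" 200 800 "http://example-bank-secure.invalid/verify.php" "Mozilla/5.0"
203.0.113.8 - - [07/Jun/2012:11:48:04 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jun/2012:11:48:05 +0000] "GET /login HTTP/1.1" 200 2048 "https://secure.example-bank.test/" "Mozilla/5.0"
"""

# Fields of the combined format: client, identd, user, [timestamp], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Domains the organisation legitimately serves content from (assumed value).
OWN_DOMAINS = {"example-bank.test"}


def referrer_host(ref):
    """Return the lower-cased host of a Referer value, or None when absent ("-" or empty)."""
    if ref in ("", "-"):
        return None
    host = urlsplit(ref).hostname
    return host.lower() if host else None


def is_own_domain(host, own_domains=OWN_DOMAINS):
    """True when host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in own_domains)


def suspicious_referrers(log_text, own_domains=OWN_DOMAINS):
    """Count requests whose Referer points at a host outside own_domains.

    Returns a list of (host, count) pairs, most frequent first; a host that keeps
    loading our branding assets is a candidate phishing site to investigate.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        host = referrer_host(m.group("ref"))
        if host is None or is_own_domain(host, own_domains):
            continue
        counts[host] += 1
    return counts.most_common()
```

Run it over a day's log and review the hosts it lists against your own domains and known partners before raising a takedown request.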
Phishing-A Cyber Crime, the provisions of Information Technology Act, 2000
The phishing fraud is an online fraud in which the fraudster disguises themselves and uses false and fraudulent websites of banks and other financial institutions, and URL links, to deceive people into disclosing valuable personal data, which is later used to swindle money from the victim's account. Thus, essentially it is a cyber crime and it attracts many penal provisions of the Information Technology Act, 2000, as amended in 2008, which added some new provisions to deal with phishing activity. The following Sections of the Information Technology Act, 2000 are applicable to phishing activity:
The Information Technology Act, 2000 makes penal provisions under Chapter XI of the Act. Further, Section 81 of the IT Act, 2000 contains a non obstante clause, i.e. "the provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force". The said non obstante clause gives an overriding effect to the provisions of the IT Act over other Acts, including the Indian Penal Code. The aforesaid penal provisions of the IT Act, 2000 which are attracted to the phishing scam have, however, been made bailable by virtue of Section 77B of the IT Act. This was done intentionally, in view of the fact that there is always an identity conflict as to the correct or accurate identity of the person behind the alleged phishing scam, and always a smokescreen behind the alleged crime as to the identity of the person who has or has not actually committed the offence via these online computer resources; in view of the possible misuse of the penal provisions for cyber offences contained in the IT Act, the offence is made bailable.