This presentation was submitted to Gurugram Police at the end of the Cyber Crime Internship 2017 by our team members. A total of 100 students got the chance to join the internship; they were divided into 5 teams, and at the end of the internship every team had to present on a different topic related to cyber crime and discuss how to stay safe from, or deal with, those crimes.
E-mail crimes was the topic selected by our team, and each of our team members explained a different part of e-mail crime on the final day of the internship.
Introduction
• An e-mail system consists of mail clients, which send or fetch mail, and two different kinds of server: an SMTP server, which sends mail, and a POP3 or IMAP server, from which clients retrieve it. Both can run on the same server machine.
SMTP server
1. The Simple Mail Transfer Protocol (SMTP) server listens on port 25 and handles outgoing mail. (Mail clients normally submit mail on port 587 with authentication; port 25 is used between servers.)
2. When a client sends an e-mail it connects to its SMTP server.
3. The client has a conversation with the SMTP server, telling the server the address of the sender (MAIL FROM), the address of the receiver (RCPT TO) and the body of the message (DATA).
4. The SMTP server takes the "to" address and breaks it into two parts:
a) the recipient's name (the local part)
b) the domain name
5. The SMTP server queries the Domain Name System for the MX (mail exchanger) record of that domain.
6. The SMTP server connects to the recipient domain's SMTP server on port 25 and repeats the conversation.
POP servers
• In computing, the Post Office Protocol (POP) is an application-layer Internet stand`ard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. POP is an Internet standard that defines an e-mail server (the POP server) and a way to retrieve mail from it (using a POP client).
• POP supports simple download-and-delete access to a remote mailbox: messages are downloaded to the client and, by default, removed from the server. A POP server listens on the well-known port 110 (995 when wrapped in TLS). On port 110 the password travels in the clear unless STARTTLS is used, so the TLS port is the one that should be exposed to the Internet.
• POP has developed through several versions:
POP: POP1 was specified in RFC 918 (1984).
POP2: POP2 was specified in RFC 937 (1985).
POP3: POP3 originated with RFC 1081 (1988).
IMAP server
• IMAP (Internet Message Access Protocol) is a standard protocol for accessing e-mail held on a mail server. IMAP is a client/server protocol in which e-mail is received and held for you by your mail server; the client fetches only the headers and the messages it needs, and the mailbox stays in sync across devices. Because this requires only a small data transfer, it works well even over a slow connection. An IMAP server listens on port 143 (993 when wrapped in TLS).
• IMAP has developed through several versions:
Original IMAP
IMAP2
IMAP3
IMAP4 (the current version; IMAP4rev1 is specified in RFC 3501)
1. Spoofing
• E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. E-mail spoofing can have malicious motives such as spreading malware or attempting to obtain personal banking information. The Simple Mail Transfer Protocol (SMTP) does not provide any authentication of the person sending an e-mail: both the envelope sender (MAIL FROM) and the From: header are supplied by the sending client and accepted as given. Verifying them is left to add-on standards such as SPF, DKIM and DMARC, which are covered later in this presentation.
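The SMTP conversation described in the steps above, and the reason the spoofing section says SMTP cannot authenticate the sender, can both be seen in a toy SMTP server. This is an added example, not code from the presentation: the server below implements just enough of the SMTP dialogue (EHLO, MAIL FROM, RCPT TO, DATA, QUIT) to accept a message and write the one Received: line it can vouch for. The host names, addresses and the 192.0.2.10 client IP are constructed for the demonstration.

```python
import re
from datetime import datetime, timezone


def split_address(addr):
    """Split 'user@example.net' into (local part, domain): step 4 above, done before
    the server looks up the domain's MX record."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return local, domain.lower()


class MiniSmtpServer:
    """Toy SMTP server for one domain.  It accepts EHLO, MAIL FROM, RCPT TO, DATA and
    QUIT like a real server, and like a real server it has no way to verify the HELO
    name, the MAIL FROM address or the From: header the client sends.
    Constructed for the demo: host name, local domain and the client IP seen on the socket."""

    def __init__(self, hostname="mx.example.net", local_domain="example.net", peer_ip="192.0.2.10"):
        self.hostname, self.local_domain, self.peer_ip = hostname, local_domain, peer_ip
        self.helo = None
        self.in_data = False
        self.mailbox = []                       # messages accepted for delivery
        self._reset_transaction()

    def _reset_transaction(self):
        self.mail_from, self.rcpt_to, self.data_lines = None, [], []

    def handle(self, line):
        """Process one client line; return the reply, or None while receiving DATA."""
        if self.in_data:
            if line != ".":
                self.data_lines.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
                return None
            self.in_data = False
            # The only facts the server can vouch for are what it observed itself, and
            # those go into the Received: line: connecting IP, claimed HELO name, time.
            stamp = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S +0000")
            received = f"Received: from {self.helo} ([{self.peer_ip}]) by {self.hostname}; {stamp}"
            self.mailbox.append({"envelope_from": self.mail_from,     # MAIL FROM, taken on trust
                                 "rcpt_to": list(self.rcpt_to),
                                 "data": received + "\r\n" + "\r\n".join(self.data_lines)})
            self._reset_transaction()
            return "250 OK: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg                     # recorded, never verified
            return f"250 {self.hostname} Hello {arg}"
        if self.helo is None:
            return "503 Send HELO/EHLO first"
        if verb == "MAIL":
            m = re.fullmatch(r"FROM:<([^>]*)>", arg, re.I)
            if not m:
                return "501 Syntax: MAIL FROM:<address>"
            self.mail_from = m.group(1)         # any sender address is accepted: no authentication
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL command"
            m = re.fullmatch(r"TO:<([^>]*)>", arg, re.I)
            if not m:
                return "501 Syntax: RCPT TO:<address>"
            try:
                _, domain = split_address(m.group(1))
            except ValueError:
                return "501 Bad recipient address"
            if domain != self.local_domain:
                return "550 Relay not permitted"  # only accept mail addressed to our own domain
            self.rcpt_to.append(m.group(1))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognised"


def send_message(server, helo, mail_from, rcpts, header_from, subject, body):
    """Client side of the dialogue (steps 2 and 3 above); returns [(who, line), ...]."""
    lines = [f"EHLO {helo}", f"MAIL FROM:<{mail_from}>"] + [f"RCPT TO:<{r}>" for r in rcpts]
    lines += ["DATA", f"From: {header_from}", f"To: {', '.join(rcpts)}", f"Subject: {subject}",
              "", body, ".", "QUIT"]
    transcript = []
    for line in lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


def spoof_demo():
    """A client on 192.0.2.10 claims to be the CEO of a different company; the server queues it."""
    srv = MiniSmtpServer()
    transcript = send_message(srv, "attacker-laptop", "ceo@bigcorp.example", ["cfo@example.net"],
                              '"CEO" <ceo@bigcorp.example>', "Urgent wire transfer",
                              "Please pay the attached invoice today.")
    return srv, transcript


if __name__ == "__main__":
    server, transcript = spoof_demo()
    for who, text in transcript:
        print(f"{who}: {text}")
    print("\nQueued message:\n" + server.mailbox[0]["data"])
```

Running it prints the full client/server exchange and then the queued message. Note what the server could and could not check: it refused to relay for a foreign recipient domain, but it had nothing to compare the claimed sender against, so the forged CEO address went straight into the queue with only the connecting IP recorded in the Received: line.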
2. Mail Bombing / Mail Storm
Mail Bombing
Sending huge volumes of e-mail to an address in an attempt to overflow the mailbox or overwhelm the server where the e-mail address is hosted, causing a denial of service.
In many instances the messages are large and constructed from meaningless data in order to consume additional system and network resources.
Mail Storm
A sudden spike of "Reply all" messages on an e-mail distribution list, caused by one misdirected message.
3. Tweaking
• The art of changing an e-mail address in a manner such that it closely resembles a benign e-mail ID.
• There are various ways in which an e-mail address is tweaked:
1. Invisible characters (see https://github.com/jquery-validation/jquery-validation/issues/1287)
• xyz@gmail.com
• xyz@gmail.com (contains a zero width non joiner, U+200C, which displays as nothing but makes it a different address)
2. Tweaked characters
• johnabraham@gmail.com
• johnạbraham@gmail.com (the "ạ" is U+1EA1, Latin small letter a with dot below, not the ASCII letter "a")
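A check for both kinds of tweaking shown above, as an added example that is not part of the presentation. It flags invisible and non-ASCII characters in an address, reduces the address to a "skeleton" (invisible characters removed, accented letters folded to their base letter) so that johnạbraham matches johnabraham, and measures the edit distance between the domain and a trusted domain, which also catches the transposed-letter domain (ongc versus ognc) in the ONGC case described later in this presentation. The trusted-address list is an assumption; a real deployment would take it from the address book or a list of partner domains.

```python
import unicodedata

# Characters that render as nothing (or nearly nothing) inside an address.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}


def inspect_address(addr):
    """List every character that would not appear in a plain ASCII address."""
    findings = []
    for pos, ch in enumerate(addr):
        cat = unicodedata.category(ch)
        name = unicodedata.name(ch, "?")
        if ch in INVISIBLE or cat in ("Cf", "Mn"):
            findings.append(f"invisible/combining U+{ord(ch):04X} ({name}) at index {pos}")
        elif ord(ch) > 127:
            findings.append(f"non-ASCII U+{ord(ch):04X} ({name}) at index {pos}")
    return findings


def skeleton(addr):
    """What the address *looks like*: drop invisible characters, fold accented letters
    to their base letter (NFKD decomposition, then drop the combining marks), lowercase."""
    kept = []
    for ch in unicodedata.normalize("NFKD", addr):
        if ch in INVISIBLE or unicodedata.category(ch) in ("Mn", "Cf"):
            continue
        kept.append(ch)
    return "".join(kept).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: an insertion, deletion, substitution or swap of
    two adjacent characters each cost 1, so 'ognc' is one edit away from 'ongc'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_verdict(addr, trusted, max_distance=2):
    """Compare an incoming address with trusted addresses (assumed to come from the
    address book or a partner list) and say why it deserves suspicion, if it does."""
    sk = skeleton(addr)
    if sk in {skeleton(t) for t in trusted} and sk != addr.lower():
        return "confusable: looks identical to a trusted address but uses different characters"
    _, _, domain = sk.rpartition("@")
    for t in trusted:
        _, _, trusted_domain = skeleton(t).rpartition("@")
        if domain != trusted_domain and osa_distance(domain, trusted_domain) <= max_distance:
            return f"lookalike domain: {domain!r} is within {max_distance} edits of trusted {trusted_domain!r}"
    return "ok"


if __name__ == "__main__":
    trusted = ["johnabraham@gmail.com", "xyz@gmail.com", "patel_dv@ongc.co.in"]
    for candidate in ("xyz\u200c@gmail.com", "john\u1ea1braham@gmail.com",
                      "patel_dv@ognc.co.in", "johnabraham@gmail.com"):
        print(repr(candidate), inspect_address(candidate), "->", lookalike_verdict(candidate, trusted))
```

The skeleton step is the important one: a filter that only compares raw strings sees johnạbraham and johnabraham as unrelated, while a person reading the screen sees them as the same. Comparing skeletons recovers what the reader sees.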
4. Malicious Script Attachment
• A malicious attachment carries a script or executable that runs when the recipient opens the file: a macro in an Office document, a JavaScript (.js) file inside a ZIP, or a disguised .exe.
• The WannaCry attack of May 2017 is often cited as an example, but its spread was not through e-mail attachments: it propagated from machine to machine over the network by exploiting the SMB flaw (MS17-010) on unpatched Windows computers, and no e-mail campaign was ever confirmed as its initial vector.
• Once it runs, such malware takes control of the PC and, in the case of ransomware, encrypts the data and demands a ransom.
• There has been a significant spike in malicious spam e-mails containing links, as attackers move away from attachments in their efforts to spread Downloader.Ponik and Downloader.Upatre.
• While many malicious e-mails come with an attachment, organisations can block and filter these types of message. Symantec believes that the Cutwail botnet (Trojan.Pandex) is behind some of the recent spam messages, along with other botnets, and that attackers have resorted to using links in a bid to avoid e-mail security products that scan for malicious attachments.
5. Phishing
• The fraudulent practice of sending e-mails purporting to be from reputable companies in order to induce individuals to reveal personal information such as passwords and credit card numbers.
• Phishing is a form of identity theft that occurs when a malicious web site impersonates a legitimate one in order to acquire sensitive information such as passwords, account details or credit card numbers.
• Phishing is a deception technique that uses a combination of social engineering and technology to gather sensitive and personal information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.
Types of phishing:
1. Spear phishing (aimed at a specific person or organisation)
2. Whaling (spear phishing aimed at senior executives)
Classification of phishing by channel:
• E-mail: spoofed e-mails are sent to a set of victims asking them (usually) to update their passwords, account data, etc.
• Instant messaging: MSN, ICQ, AOL and other IM channels are used to reach the victims, with social engineering techniques used to obtain the victim's sensitive information.
• Telephone (vishing): the phisher calls the victims and uses classic social engineering techniques.
• Exploitation: another kind of attack is based on browser and software vulnerabilities. This approach is usually used to automatically install dialers or other malware.
Phishing attack stages
• The attacker obtains e-mail addresses for the intended victims. These could be guessed or obtained from a variety of sources.
• The attacker generates an e-mail that appears legitimate and requests the recipient to perform some action.
• The attacker sends the e-mail to the intended victims in a way that appears legitimate and obscures the true source.
• Depending on the content of the e-mail, the recipient opens a malicious attachment, completes a form or visits a web site.
• The attacker harvests the victim's sensitive information and may exploit it in the future.
6. Keyloggers
• A keylogger is a program or hardware device used to capture every keystroke on a computer. Keyloggers can be hardware attached to a computer or software installed on it, and are used to collect sensitive information such as:
➢ usernames and passwords;
➢ credit or debit card numbers;
➢ personal information such as name, address and other details.
Keyloggers are of two types:
1. Hardware keyloggers
2. Software keyloggers
7. 419 Scams / Nigerian scams
• An advance-fee fraud or 419 Nigerian scam is a confidence trick in which the target is persuaded to advance sums of money in the hope of realising a significantly larger gain.
• Every year, more than 50,000 people worldwide fall victim to the Nigerian scam. Usually contacted by e-mail about a business proposal or a lottery win, the victims lose their life savings after they are persuaded by stories with very tempting outcomes.
8. Drive-by Downloads
Drive-by download means two things, each concerning the download of software from the Internet:
• Downloads done by an authorised person without knowing the ultimate consequences.
• Any download that happens without a person's knowledge, often a computer virus, spyware, other malware or ransomware.
The malware delivered by a drive-by download is usually classified as a Trojan horse, or Trojan, because it deceives the user about its nature.
Once installed, malware delivered by a drive-by download can do a number of different things: log keystrokes, scan the system for files of a personal nature, herd the system into a botnet of similarly compromised machines, or install a "backdoor" that will let in even more malware.
"Drive-by" e-mail attacks
For the past few years, drive-by downloads have been the bane of computer-security professionals.
Now this "instant-infection" threat has moved to an even more dangerous forum: e-mail. A class of drive-by e-mail messages has been discovered that infect users who simply view a message, or possibly just glance at it in a preview window.
"The new generation of e-mail-borne malware consists of HTML e-mails which contain a JavaScript which automatically downloads malware when the e-mail is opened," reads a press release by the Berlin-based e-mail security company Eleven.
Prevention against "drive-by" e-mail attacks
• Disabling HTML rendering in incoming e-mail messages is the best and simplest defence against this threat: a message displayed as plain text cannot run script or fetch remote content.
• Unfortunately, while you can usually send messages in plain text, it is not always easy or even possible to get incoming messages to display that way.
• Examples of three application programs are as follows:
9. Job scams
• We often see unemployed youth paying large sums to fraudsters to secure jobs in government services or the corporate sector.
• Taking advantage of the innocence of these unemployed youth, fraudsters float fictitious companies and place attractive advertisements in the press to attract them. Some of the frauds committed by such criminals:
Fake work visas for employment abroad
Employment fraud in Railways recruitment
Employment in reputed PSUs and private companies
10. Self-destructing e-mails
Self-destructing e-mail is electronic mail that vanishes or becomes unreadable after a certain length of time or upon the request of the sender. In practice the message is held by the service provider and the recipient receives only a link, so "self-destructing" means the provider stops serving it: a recipient can still copy or screenshot the message while it is visible, and the provider itself holds the content.
There are various ways to send a self-destructing e-mail:
1. Using an add-on (Snapmail extension)
2. An online web service (https://cryptabyte.com/self-destruct)
3. Using an address extension (selfdestructingemail.com)
1. Using an add-on
• The Snapmail add-on is installed in the browser. If you send the message with the Snapmail button, the message is encrypted and your recipient receives an e-mail with only a link to your message. The message self-destructs after 60 seconds.
Step 1. First, download and install the Snapmail extension in your Google Chrome browser.
• Step 2. Log in with your Gmail address.
• Step 3. Once you are in Gmail, click the "Compose" button.
• Step 4. You will see a new "Snapmail" button next to the "Send" button.
• Step 5. Compose the message and click the "Snapmail" button; the message is secured and carries a notice that it will self-destruct in 60 seconds.
2. Website
• Step 1: go to the https://cryptabyte.com/selfdestruct website.
3. Using an address extension
Step 1: create an account on selfdestructingemail.com.
Step 2: log in with your Gmail account.
Step 3: compose the mail.
Step 4: write the recipient's address with the extension appended, for example drakecn@yahoo.com.selfdestructingemail.com.
Step 5: send the mail.
1. Examining headers
• Header analysis is done in order to extract information about the sender of the mail and the path through which the e-mail has been transmitted.
• The metadata of an e-mail is stored in its headers. These headers may be tampered with in order to hide the true identity of the sender: everything below the Received: lines added by your own receiving servers was written on the sender's side and can be forged, so only those topmost Received: lines can be trusted outright.
To extract e-mail headers from Gmail:
1. Open the e-mail message.
2. Click the down arrow adjacent to the Reply link in the upper-right corner of the message.
3. Click Show Original.
To extract e-mail headers from Hotmail:
1. Log in to your Hotmail account.
2. Click the Options tab on the top navigation bar.
3. Click the Mail Display Settings link, change the Message Headers option to Full and click the OK button.
To extract e-mail headers from Microsoft Outlook 2010:
1. Click File.
2. Click Properties.
3. Locate Internet Headers (at the bottom of the pop-up window).
To extract e-mail headers from Yahoo Mail:
1. Log in to your Yahoo! Mail account.
2. Click the Mail Options link on the left-hand navigation bar.
3. Click the General Preferences link on the right.
4. Locate the Show Headers heading and select All.
5. Click the "Save" button to put your new settings into effect.
Example of a header
Return-Path: abc@xyz.in
Received: from abcabc (Unknown [192.168.2.67]) by email1.xyz.in with ESMTPA ; Mon, 13 Jul 2015 18:04:33 +0530
From: "ABC" <abc@xyz.in>
To: <eid1@xyz.in>, <eid2@xyz.in>,
Cc: <ceid1@xyz.in>, <ceid2@xyz.in>,
Subject: Schedule Sheet July 14 2015 Tuesday
Date: Mon, 13 Jul 2015 18:06:36 +0530
Message-ID: <00b401d0bd68$8f40ee30$adc2ca90$@xyz.in>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_00B5_01D0BD96.A902C720"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdC9aHd9Jc+d/OIUTWOX3WVE85ug1w==
Content-Language: en-us
Return-Path: the envelope sender (MAIL FROM) as seen by the server that made final delivery; that server inserts it at the top of the headers when it stores the message. It need not match the From: line.
Received: the track record of the message. Every SMTP server that handles the message prepends its own Received: line, so the topmost line is the last hop and the bottom one is closest to the sender. Read them bottom-up. The "from ... ([IP])" part records the connecting host as the receiving server saw it; here that is the private address 192.168.2.67 on the sender's own network, and "ESMTPA" shows that the client authenticated itself to email1.xyz.in before sending.
From: the e-mail address and name of the sender. The name is optional, and the whole field is set by the sender's client.
To: the recipients of the e-mail along with their e-mail addresses.
Cc (Carbon Copy): the secondary recipients of the e-mail.
Subject: a brief description of the contents of the message.
Date: the local date and time at which the e-mail was created, according to the sender's clock. Compare it with the timestamps in the Received: lines: here the Date is about two minutes later than the first server's receipt time, which only means the sender's clock was ahead, but large gaps can indicate a forged or replayed message.
Message-ID: an identifier generated by the sending client or server that is unique for every message. Mail systems use it to detect duplicate deliveries and to link replies into threads; its domain part (here xyz.in) should normally agree with the sender's domain.
MIME-Version: the version of MIME used, here version 1.0.
X-Mailer: the name and version of the mail client used, here Microsoft Outlook 15.0. Like any header written by the sender, it can be set to anything.
Thread-Index: an entry added by Microsoft Outlook to track conversation threads.
Content-Language: the language used, here US English.
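The header walk described above, done with Python's standard email module, as an added example that is not part of the presentation. The sample is the header shown above with one constructed addition: a second Received: line for a hop on the receiving side, so that the reversed chain has two entries. The hosts, addresses and IPs are examples. The code reads the Received: lines bottom-up to find the origin IP, checks Return-Path against From:, compares the Date: header with the first server's timestamp, and checks the Message-ID domain against the sender's domain.

```python
import ipaddress
import re
from email import message_from_string, utils
from email.policy import default

# Constructed sample based on the header shown above.  The upper Received: line is an
# added second hop on the receiving side; hosts, addresses and IPs are examples.
RAW_MESSAGE = """\
Return-Path: <abc@xyz.in>
Received: from email1.xyz.in (email1.xyz.in [203.0.113.5]) by mx.example.org with ESMTPS; Mon, 13 Jul 2015 18:04:40 +0530
Received: from abcabc (Unknown [192.168.2.67]) by email1.xyz.in with ESMTPA; Mon, 13 Jul 2015 18:04:33 +0530
From: "ABC" <abc@xyz.in>
To: <eid1@xyz.in>, <eid2@xyz.in>
Subject: Schedule Sheet July 14 2015 Tuesday
Date: Mon, 13 Jul 2015 18:06:36 +0530
Message-ID: <00b401d0bd68$8f40ee30$adc2ca90$@xyz.in>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 15.0
Content-Type: text/plain

Schedule attached.
"""


def _find(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received(value):
    """Pull the from-host, by-host, connecting IP, protocol and timestamp out of one Received: line."""
    clause, _, date_part = value.rpartition(";")
    return {
        "from": _find(r"\bfrom\s+(\S+)", clause),
        "by": _find(r"\bby\s+(\S+)", clause),
        "with": _find(r"\bwith\s+(\S+)", clause),
        "ip": _find(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clause),
        "time": utils.parsedate_to_datetime(date_part.strip()) if date_part.strip() else None,
    }


def analyze_headers(raw):
    msg = message_from_string(raw, policy=default)
    # Each server prepends its Received: line, so reverse to get the oldest hop (nearest the sender) first.
    hops = [parse_received(str(v)) for v in reversed(msg.get_all("Received", []))]
    envelope_from = utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    header_from = utils.parseaddr(str(msg.get("From", "")))[1]
    msgid_domain = str(msg.get("Message-ID", "")).strip("<> ").rpartition("@")[2].lower()
    date_hdr = utils.parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
    origin = hops[0] if hops else {}
    origin_ip = origin.get("ip")
    first_receipt = origin.get("time")
    return {
        "hops": hops,
        "envelope_from": envelope_from,
        "header_from": header_from,
        "sender_mismatch": envelope_from.lower() != header_from.lower(),
        "origin_ip": origin_ip,
        "origin_ip_private": ipaddress.ip_address(origin_ip).is_private if origin_ip else None,
        # ESMTPA / ESMTPSA: the submitting client authenticated to that server (RFC 3848)
        "submission_authenticated": (origin.get("with") or "").upper().endswith("A"),
        "date_skew_seconds": int((date_hdr - first_receipt).total_seconds()) if date_hdr and first_receipt else None,
        "message_id_domain": msgid_domain,
        "message_id_matches_from": msgid_domain == header_from.rpartition("@")[2].lower(),
        "x_mailer": str(msg.get("X-Mailer", "")),
    }


def red_flags(result):
    """Turn the extracted facts into the notes an investigator would write down."""
    notes = []
    if result["sender_mismatch"]:
        notes.append(f"Return-Path {result['envelope_from']} differs from From: {result['header_from']}")
    if not result["message_id_matches_from"]:
        notes.append("Message-ID domain does not match the From: domain")
    if result["date_skew_seconds"] is not None and abs(result["date_skew_seconds"]) > 300:
        notes.append(f"Date: header is {result['date_skew_seconds']} s away from the first Received: time")
    if result["origin_ip_private"]:
        notes.append(f"origin {result['origin_ip']} is a private address: submitted from inside the sender's own network")
    return notes


if __name__ == "__main__":
    analysis = analyze_headers(RAW_MESSAGE)
    for hop in analysis["hops"]:
        print(f"hop: {hop['from']} [{hop['ip']}] -> {hop['by']} via {hop['with']} at {hop['time']}")
    for key in ("envelope_from", "header_from", "origin_ip", "date_skew_seconds", "message_id_domain", "x_mailer"):
        print(f"{key}: {analysis[key]}")
    print("flags:", red_flags(analysis))
```

For this sample the only note is that the origin address is private: the message was submitted from inside the sender's network, so identifying the workstation requires that organisation's DHCP or mail-server logs rather than an Internet IP lookup. The 123-second clock skew is below the threshold and the sender fields agree.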
2. Bait Tactics
In this technique, a mail containing an HTML "<img src>" tag that points to an image on a server the investigator controls is sent to the address from which the suspect mail was received.
When the mail is opened and the image is fetched, the web server hosting the image logs the request, including the IP address of the recipient, and the recipient is thereby tracked.
If the recipient is using a proxy server, the address of the proxy server is recorded instead. The same applies to webmail services such as Gmail, which fetch remote images through their own image proxy, so the logged address is the provider's rather than the recipient's; the recipient's mail client may also block remote images entirely, in which case nothing is logged at all.
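The bait technique as a runnable demonstration, added here and not part of the presentation: a small HTTP server hands out a 1x1 GIF and logs who fetched it, and a function builds the HTML mail that references it with a per-case token. The demo fetches the pixel from localhost, so the logged peer address is 127.0.0.1; the token, User-Agent and X-Forwarded-For fields show what an investigator actually gets back, and why a proxy or a webmail image proxy replaces the recipient's address with its own. The URLs, token and host names are constructed for the example.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# A 42-byte 1x1 transparent GIF: what the <img> tag points at.
PIXEL = bytes.fromhex("47494638396101000100800000000000ffffff21f90401000000002c000000000100010002024401003b")
HITS = []   # one record per fetch of the pixel


class BaitHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        token = parse_qs(urlparse(self.path).query).get("t", [""])[0]
        HITS.append({
            "token": token,                                          # ties the hit to the bait mail
            "peer_ip": self.client_address[0],                       # the address that fetched the image
            "x_forwarded_for": self.headers.get("X-Forwarded-For"),  # added by some proxies; untrusted
            "user_agent": self.headers.get("User-Agent", ""),        # often names the mail client
        })
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.send_header("Cache-Control", "no-store")                # force a fresh fetch on every open
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):   # keep the demo quiet; HITS is the log
        pass


def bait_html(base_url, token):
    """The mail body sent to the suspect: ordinary text plus an invisible remote image."""
    return ('<html><body><p>Please confirm the attached schedule.</p>'
            f'<img src="{base_url}/pixel.gif?t={token}" width="1" height="1" alt="">'
            '</body></html>')


def pixel_url(html):
    return html.split('src="', 1)[1].split('"', 1)[0]


def run_demo(token="case-42"):
    """Start the bait server on a free localhost port, 'open' the mail, return the logged hit."""
    server = HTTPServer(("127.0.0.1", 0), BaitHandler)
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = pixel_url(bait_html(base_url, token))
        # Simulate the recipient's mail client fetching the image.  A webmail image proxy
        # (Gmail, for example) would make this request from its own address instead.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        request = urllib.request.Request(url, headers={"User-Agent": "DemoMailClient/1.0"})
        with opener.open(request, timeout=5) as response:
            body = response.read()
        return HITS[-1], body
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    hit, image = run_demo()
    print(f"hit: {hit}")
    print(f"served {len(image)} bytes, GIF header: {image[:6]!r}")
```

Two points for use in a real case: the token must be unique per mail, otherwise a hit cannot be tied to one recipient, and the X-Forwarded-For value is written by whatever proxy sat in between, so it is a lead and not evidence.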
3. Extraction from server
Server investigation is done when the e-mails residing at the sender and receiver ends have been purged permanently.
Servers maintain logs of sent and received e-mail. The log investigation shows the transactions for the deleted e-mails (sender, recipients, timestamps and connecting IP addresses), and the logs can identify the source from which the e-mails were generated. The message content itself survives only as long as the server's mailbox store or its backups keep a copy.
(For Microsoft Exchange, for example: C:\Program Files\Exchsrvr\servername.log)
After a certain retention period, e-mails are deleted permanently from the server.
4. Investigation of Network Sources
This investigation is opted for when the server logs fail to produce the required information, or when the Internet Service Provider does not give access to the server.
The logs generated by network switches, routers, firewalls, proxies, etc. give information about the origin of the e-mail message: which internal host connected to the mail server, and when.
5. Examining MAC Addresses
• A media access control address (MAC address) is a unique identifier assigned to a network interface for communications at the data link layer of a network segment.
• Every network interface in a device (wired Ethernet, Wi-Fi, Bluetooth) has its own MAC address.
• MAC addresses are useful for network diagnosis because a burned-in address does not change when the dynamic IP address changes. For a network administrator, that makes a MAC address a more reliable way to identify senders and receivers of data on the local network. Two caveats matter for evidence: a MAC address is visible only on the local network segment (routers replace it at every hop, so it never reaches the mail server or the ISP logs of a remote sender), and it can be changed in software (spoofed, or randomised by modern phone and laptop operating systems).
• What does a MAC address look like?
Network interfaces need a unique identifier so that no two devices are ever seen as the same device on a network. A MAC address is 48 bits, written as twelve hexadecimal characters (six octets). Manufacturers are allocated the first six hexadecimal characters, the Organizationally Unique Identifier (OUI); some large manufacturers such as Apple and Samsung are allocated multiple OUIs. The manufacturer sets the remaining six characters itself when producing the device.
The MAC address is broken down in the following manner: the first three octets identify the manufacturer (OUI) and the last three octets identify the individual interface. Two bits of the first octet carry flags: the lowest bit marks a group (multicast) address, and the second-lowest bit marks a "locally administered" address, i.e. one set by software rather than burned in by the manufacturer.
• How can you track a MAC address?
Whenever a device connects to a network, the DHCP server or gateway used by the Internet Service Provider (ISP) or the organisation keeps a log with fields such as ID, date, time, description, IP address, computer name and MAC address. Note that the ISP sees only the MAC address of the customer's modem or router, not of the devices behind it; the logs of the home or office router or DHCP server are needed to get to a specific laptop or phone.
• In addition to the logs maintained by the server, we can find the MAC address of a machine on the same local network using the ARP protocol.
• ARP stands for Address Resolution Protocol. Hosts use it to ask "who has this IP address?" on the local segment, and cache the answers in the ARP table, which maps IP addresses to MAC addresses.
• Using the ARP table, the investigating team can retrieve the MAC address associated with an IP address on that network, and this can be used as supporting evidence. It is not conclusive on its own: ARP entries expire, the table covers only the local segment, and ARP replies are unauthenticated and can be spoofed.
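Parsing a MAC address into its parts, and reading an ARP table with the caveats above in mind, as an added example that is not part of the presentation. The OUI-to-vendor table is a tiny constructed one (a real lookup uses the IEEE OUI registry), and the ARP output is a constructed sample in the format printed by Linux `ip neigh`. The findings function points out the entries an investigator should not take at face value: one MAC answering for several IPs, locally administered addresses, and hosts with no MAC at all.

```python
import re
from collections import defaultdict

# Constructed: a few OUIs for the demo.  Real lookups use the IEEE OUI registry.
OUI_VENDORS = {"00:1A:2B": "DemoRouterCo", "3C:5A:B4": "DemoLaptopCo"}


def parse_mac(mac):
    """Split a MAC address into OUI and NIC-specific parts and decode the two flag bits."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = [int(hexdigits[i:i + 2], 16) for i in range(0, 12, 2)]
    oui = ":".join(f"{o:02X}" for o in octets[:3])
    return {
        "canonical": ":".join(f"{o:02x}" for o in octets),
        "oui": oui,
        "nic_specific": ":".join(f"{o:02X}" for o in octets[3:]),
        "vendor": OUI_VENDORS.get(oui),
        "multicast": bool(octets[0] & 0x01),             # I/G bit: group address
        "locally_administered": bool(octets[0] & 0x02),  # U/L bit: set by software, not burned in
    }


def parse_ip_neigh(text):
    """Parse lines like '192.168.1.20 dev eth0 lladdr 3c:5a:b4:11:22:33 STALE'."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+dev\s+(\S+)(?:\s+lladdr\s+(\S+))?\s+(\S+)$", line.strip())
        if m:
            ip, dev, mac, state = m.groups()
            entries.append({"ip": ip, "dev": dev, "mac": mac.lower() if mac else None, "state": state})
    return entries


def arp_findings(entries):
    """What an investigator should notice before treating an ARP entry as evidence."""
    findings = []
    by_mac = defaultdict(list)
    for e in entries:
        if e["mac"]:
            by_mac[e["mac"]].append(e["ip"])
    for mac, ips in by_mac.items():
        info = parse_mac(mac)
        if len(ips) > 1:
            findings.append(f"{mac} answers for several IPs {ips}: a router/proxy ARP, or ARP spoofing")
        if info["locally_administered"]:
            findings.append(f"{mac} is locally administered (randomised, virtual or spoofed): no vendor to look up")
        elif info["vendor"] is None:
            findings.append(f"{mac} has OUI {info['oui']} not in the local vendor table")
    for e in entries:
        if e["mac"] is None:
            findings.append(f"{e['ip']} has no MAC ({e['state']}): host not seen on this segment")
    return findings


# Constructed sample in `ip neigh` format.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.20 dev eth0 lladdr 3c:5a:b4:11:22:33 STALE
192.168.1.21 dev eth0 lladdr 3c:5a:b4:11:22:33 REACHABLE
192.168.1.30 dev eth0 lladdr 02:42:ac:11:00:02 REACHABLE
192.168.1.40 dev eth0 FAILED
"""

if __name__ == "__main__":
    for mac in ("00:1A:2B:3C:4D:5E", "02-42-AC-11-00-02", "01:00:5e:00:00:01"):
        print(parse_mac(mac))
    for finding in arp_findings(parse_ip_neigh(SAMPLE_NEIGH)):
        print("-", finding)
```

The 02:42:ac:... entry is the instructive one: its U/L bit is set, so no manufacturer can be looked up for it, and a MAC like that (typical of containers, virtual machines and randomised Wi-Fi addresses) cannot be assumed to identify a physical device.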
6. Examining additional files (.pst or .ost files)
Microsoft Outlook stores e-mail in .pst (personal folders) or .ost (offline cache of an Exchange mailbox) files.
Webmail services such as Hotmail, Yahoo and Gmail keep messages on their servers; on the local machine only traces remain, in the browser's cache, cookies and temporary folders, unless a desktop client has synchronised the mailbox.
The e-mail database (.pst/.ost) is normally located under the user's profile in the Local Settings\Application Data\Microsoft\Outlook directory (on newer Windows versions, AppData\Local\Microsoft\Outlook).
The .pst file has archives of all folders such as Outlook, Calendar, Drafts, Sent Items, Inbox and Notes.
Email Forensics
• E-mail forensics refers to the study of e-mail details, including the source and content of an e-mail, in order to identify the actual sender and recipient of a message, the date/time of transmission, a detailed record of the e-mail transaction, and the intent of the sender.
• In the vast majority of these e-mail cybercrimes the tactics used vary from simple anonymity to impersonation and identity theft. Therefore a forensic investigator needs efficient tools and techniques to perform the analysis with a high degree of accuracy and in a timely fashion.
A forensic investigation of e-mail can examine both the header and the body. An investigation should include:
• examining the sender's e-mail address;
• examining the message initiation protocol (HTTP for webmail, SMTP for a mail client);
• examining the Message-ID;
• examining the sender's IP address.
1. Email Dossier
http://centralops.net/co/
• This website contains a tool known as Email Dossier.
• Email Dossier is an online tool used to check the validity of an e-mail address and to help investigate an e-mail.
2. Forensic Tool Kit (FTK)
AccessData FTK is a well-known forensic tool that can perform e-mail analysis.
FTK features powerful file filtering and search functionality.
Features:
i. View, search, print and export e-mail messages and attachments.
ii. Recover deleted and partially deleted e-mails.
iii. Automatically extract data from PKZIP, WinZip, WinRAR, GZIP and TAR compressed files.
iv. Supported file systems include NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 and ext3.
3. MailXaminer
MailXaminer is an e-mail forensic investigation suite developed by SysTools. MailXaminer allows cyber investigators to analyse digital evidence from e-mails, attachments, contacts, calendar entries, etc. The program combines several individual e-mail analysis facilities in one application.
4. Aid4Mail
• A commercial forensic tool which can analyse e-mails stored on a hard disk. It also supports e-mail analysis directly from webmail services that offer IMAP access (e.g. Gmail, Yahoo! Mail, AOL Mail, FastMail, GMX Mail, Outlook.com, Outlook 365). Thus the tool supports both online and offline e-mail analysis. It can filter e-mails by text, time, date, keywords, logical operators and regular expressions.
5. Email Tracker Pro
• It can analyse e-mail files stored on the local disk, and focuses on automatically analysing e-mail for possible spam content. It reports the IP address from which the message was sent, along with the geographical location (city) of that IP address, to help determine the threat level or validity of an e-mail message. It can find the network service provider (ISP) of the sender. It also shows whether HTTP or FTP ports are open on the tracked IP addresses.
6. Paraben E-mail Examiner
• The tool requires the e-mail to be present on the local hard disk. It offers comprehensive analysis features, bookmarking, advanced Boolean searching, and searching within attachments. Search is supported for various languages, including Unicode. The tool can examine e-mail headers and bodies and report on the search results (including content from attachments).
Case Studies
1. Cerber Ransomware
• On June 10, 2016, FireEye's HX detected a Cerber ransomware campaign involving the distribution of e-mails with a malicious Microsoft Word document attached. If a recipient opened the document, a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.
• The Cerber ransomware attack cycle observed can be broadly broken down into the following steps:
• Selective targeting was used in this campaign. The attackers were observed checking the country code of the host machine's public IP address against a list of blacklisted countries in the JSON configuration, using online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine and Uzbekistan.
• Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers to infections in the field so that organisations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download from them are incapable of infecting users with ransomware.
2. NIC Spear Phishing Case Study
• The National Informatics Centre (NIC) suffered a spear phishing attack in October 2016. In this attack an e-mail was used to target Indian government organisations. To infect the victims, the attackers distributed a spear phishing e-mail which purported to have been sent from NIC's incident report team; the attackers spoofed an e-mail ID associated with the Indian Ministry of Defence to send the e-mail to the victims. The attackers also used the name of a top NIC official in the signature of the e-mail, to make it look as if it had been sent by a high-ranking government official working at NIC.
• Modus Operandi:
• The attackers spoofed an e-mail ID associated with the Indian Ministry of Defence to send e-mails to the victims. The e-mail was made to look as if it was sent from NIC's incident response team, instructing the recipients to read the attached documents and implement the cyber security plan, and the signature of the e-mail included the name of a top-ranking NIC official. The e-mail contained two attachments, a PDF document and a malicious Word document (NIC-Cyber Security SOP.doc). The PDF was a legitimate document which the attackers might have downloaded from http://meity.gov.in/sites/upload_files/dit/files/Plan_Report_on_Cyber_Security.pdf. The Word document contained malicious macro code which, when enabled, drops a backdoor, executes it, sends the system information to the command and control (C2) server and downloads additional components.
• Investigation
• Once the victim opens the attached Word document it prompts the user to enable macros, and the document also contains instructions on how to enable them.
• If the victim enables the macro content, the malicious code drops the malware sample and executes it; it also shows a decoy document containing instructions and guidelines related to cyber security, to make the user believe that it is indeed a document about cyber security. Below are screenshots of the document that is shown to the user once the macro is enabled.
3. ONGC subjected to e-mail tweaking
• The Oil and Natural Gas Corporation Limited (ONGC) lost Rs 197 crore after cyber criminals duplicated the public sector firm's official e-mail address with a minor change and used it to convince a Saudi Arabia-based client to transfer payments to their account.
• The fraud relied on the company making the payment not noticing a minor change in the e-mail address of the ONGC representative with whom they had been communicating. While ONGC communicated with the company from patel_dv@ongc.co.in, the fraudsters duped the company by communicating with them from patel_dv@ognc.co.in (the "n" and "g" transposed).
• According to the BKC cyber police team probing the case, ONGC had an order to deliver 36,000 metric tonnes of naphtha (flammable liquid hydrocarbon mixtures) to Saudi Aramco, an oil company based in Dhahran.
• On September 7, ONGC dispatched the order, worth Rs 100.15 crore, from Hazira port in Surat. According to the police, the company usually transferred payments to ONGC's State Bank of India (SBI) account, but did not do so this time.
• "ONGC was to send a second batch of naphtha to Aramco on September 22. However, since they had not received the earlier payment, they enquired with the Saudi-based company," an officer said. On being told that the delay was on account of public holidays and bank holidays, ONGC dispatched the second batch of naphtha, worth Rs 97 crore, on September 22. Again, ONGC e-mailed a scanned copy of the tax invoice with its SBI account number to the company.
4. Fake mails from a bank's e-mail ID
One financial institution registered a crime stating that some persons ("perpetrators") had perpetrated certain acts through misleading e-mails ostensibly emanating from ICICI Bank's e-mail ID. Such acts were perpetrated with intent to defraud the customers.
The investigation was carried out with the help of the e-mails received by the customers of that financial institution. The accused was arrested, and the place of offence at Vijayawada was searched for evidence. One laptop and a mobile phone used for the commission of the crime were seized.
The arrested accused had used open source e-mail application software for sending the spam e-mails. He had downloaded the software from the Internet and used it as it was.
He used only VSNL e-mail accounts to send the spam to customers of the financial institution, because the VSNL e-mail service did not have a spam folder to block unsolicited e-mails.
• All the information obtained by phishing (user name, password, transaction password, debit card number and PIN, mother's maiden name) was received through the Reliance.com Wi-Fi Internet connection on his Acer laptop.
• This crime was registered under Section 66 of the IT Act and Sections 419, 420, 465, 468 and 471 of the IPC, read with Sections 51, 63 and 65 of the Copyright Act, 1957, which attract punishment of 3 years' imprisonment and a fine of up to Rs 2 lakh, which the accused had never thought of.
5. Flipkart CEO Binny Bansal's e-mail account got spoofed
• The company told Bengaluru Police that the e-mail account of CEO Binny Bansal was spoofed, and the fraudsters then sent e-mails instructing the company's CFO, Sanjay Baweja, to transfer money, according to the Times of India. The fraudsters sent two spoofed e-mails with the same message to Baweja on March 1, and investigators discovered that the messages were sent from Hong Kong and Canada and routed via a Russian server, the newspaper reports.
• A Flipkart spokesperson confirmed to Information Security Media Group that the company was targeted by an attempted e-mail spoofing attack but declined to provide further details about the incident. "Flipkart's corporate email system leverages the highest standards of security, including, but not limited to, two-factor authentication," Flipkart's spokesperson says.
• The company immediately detected the e-mail spoofing and then filed a report with the police, she added. The Times of India reports that the attempt at fraud was discovered when the CFO's suspicions were raised by "the nature and timing" of the messages, prompting him to cross-check with the CEO.
• The newspaper quotes Bengaluru CID as saying the fraudsters apparently used an "advanced virus" to hack into the e-mail account.
Vigilance, Awareness Key
• The head of security at an e-commerce portal in India, who asked to remain unnamed, tells ISMG that companies are vulnerable to e-mail spoofing if they have inadequate perimeter security, which can allow phishing e-mails to slip through.
• These messages can carry malware that can stay dormant for a long time, making them difficult to detect. "Spoofing of your CEO's email should not have happened, as this is the first step in email security - especially in a technology-driven company like Flipkart," he says. Implications can be very severe, including and not restricted to having to revamp the entire security
Some General Tips
• People are easily convinced by phishing e-mails and frauds claiming to benefit the victim with money or other valuables. General rule of thumb: if it sounds too good to be true, stay away from it.
• Use two-factor authentication (2FA) for all personal e-mail IDs.
• Always keep Java, Flash Player and other plugins up to date, or better, remove the plugins you do not need.
• Disable automatic downloading of attachments and remote content.
• ALWAYS check for keyloggers (both hardware and software) before logging in to e-mail IDs on a shared or public computer.
• Use a privacy-focused e-mail provider such as ProtonMail.
• Do not open suspicious e-mails or links.
• Beware of honey traps.
• Filters: create and update mail filters regularly.
• Do not open .exe attachments, and be suspicious of any attachment whose content does not match its name.
• Enable HTTPS for webmail.
• Use security plug-ins.
• Use strong, unique passwords.
• Open untrusted attachments only in a sandbox or virtual machine.
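A triage pass that applies the attachment and HTML advice in the tips above to a message before anyone opens it, added here as an example and not part of the presentation. It parses a MIME message, checks each attachment's name against a list of dangerous extensions, looks at the file's actual content (PE magic bytes, and a vbaProject.bin inside an Office ZIP, which means the document carries macros), and scans the HTML part for script, remote images and links whose visible text names a different host than the real target. The sample message, its addresses and the 203.0.113.9 attacker host are constructed; the dangerous-extension list is an assumption to be tuned per organisation.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlparse

# Assumed policy: extensions that run code when double-clicked on Windows, plus macro-enabled Office types.
DANGEROUS_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe",
                 ".wsf", ".hta", ".ps1", ".jar", ".lnk", ".msi", ".docm", ".xlsm", ".pptm"}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".dll"}
MAGIC = {b"MZ": "Windows PE executable", b"\xd0\xcf\x11\xe0": "OLE2 document (legacy Office; may carry macros)"}


def classify_attachment(name, data):
    """Judge an attachment by its name AND its bytes; the two often disagree in phishing mail."""
    findings = []
    exts = re.findall(r"\.[a-z0-9]{1,5}", (name or "").lower())   # every extension, to catch x.pdf.exe
    if exts and exts[-1] in DANGEROUS_EXT:
        findings.append(f"dangerous extension {exts[-1]}")
        if len(exts) > 1:
            findings.append(f"double extension: disguised as {exts[-2]}")
    for magic, description in MAGIC.items():
        if data.startswith(magic):
            findings.append(f"content is a {description}")
    if data.startswith(b"MZ") and (not exts or exts[-1] not in EXECUTABLE_EXT):
        findings.append("executable content does not match the file name")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("Office document contains a macro project (vbaProject.bin)")
        inner = [re.search(r"\.[a-z0-9]{1,5}$", n) for n in names]
        if any(m and m.group(0) in DANGEROUS_EXT for m in inner):
            findings.append("archive contains an executable or script")
    return findings


def scan_html(html):
    """The HTML-body checks: script, remote images (tracking pixels) and misleading links."""
    findings = []
    if re.search(r"<script\b", html, re.I):
        findings.append("script in HTML body")
    for src in re.findall(r'<img[^>]+src="([^"]+)"', html, re.I):
        if src.lower().startswith(("http://", "https://")):
            findings.append(f"remote image {src} (tracking pixel or content fetched on open)")
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://")) and urlparse(shown).hostname != urlparse(href).hostname:
            findings.append(f"link text shows {urlparse(shown).hostname} but points to {urlparse(href).hostname}")
        if href.lower().startswith("javascript:"):
            findings.append("javascript: link")
    return findings


def triage(raw_bytes):
    msg = message_from_bytes(raw_bytes, policy=default)
    report = {"attachments": [], "html_findings": []}
    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename() or "(unnamed)"
            report["attachments"].append({"name": name,
                                          "findings": classify_attachment(name, part.get_payload(decode=True) or b"")})
        elif part.get_content_type() == "text/html":
            report["html_findings"].extend(scan_html(part.get_content()))
    bad = [a for a in report["attachments"] if a["findings"]]
    report["verdict"] = "block" if bad else ("review" if report["html_findings"] else "allow")
    return report


def build_sample():
    """Constructed phishing mail: HTML body with a tracking pixel, a misleading link and a
    script, plus a disguised executable and a macro-enabled Word document."""
    msg = EmailMessage()
    msg["From"] = '"Accounts" <accounts@example.org>'
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<html><body><p>Log in at <a href="http://203.0.113.9/login">https://bank.example.com/login</a></p>'
        '<img src="http://203.0.113.9/p.gif?id=7" width="1" height="1">'
        '<script>window.location="http://203.0.113.9/x";</script></body></html>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application", subtype="octet-stream",
                       filename="Invoice_2017.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:        # minimal OOXML-shaped container with a macro project
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake macro project")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="Cyber_Security_SOP.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    report = triage(build_sample())
    for a in report["attachments"]:
        print(a["name"], "->", a["findings"])
    print("html:", report["html_findings"])
    print("verdict:", report["verdict"])
```

The content checks are what make this more than a filename filter: renaming a .exe to .pdf does not change its MZ header, and a .docx carrying vbaProject.bin is macro-enabled whatever its extension says.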
Sandboxing
• A sandbox is an isolated environment used as a security mechanism for separating running programs from the rest of the system.
• A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory, with no access to the host's files or network beyond what is explicitly allowed.
• In the model proposed here, every e-mail, rather than being opened on the host machine, is opened inside the sandbox. The model combines the isolation of a virtual machine (such as VMware) with antivirus scanning. Whenever a mail arrives, it enters the outer layer of the model.
First, only the essentials (the format) of the mail are checked.
After that the whole file is scanned; if the file matches a known piece of malware, the sandbox stops the execution and alerts the user that the file contains malicious content. If not, the sandbox reports that it is safe to run or save the e-mail outside the sandbox. A clean scan only means that no known signature matched; unknown malware can still pass, which is why attachments are opened inside the sandbox rather than on the host in the first place.
PGP
• Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication.
• PGP is used for signing, encrypting and decrypting texts, e-mails, files, directories and whole disk partitions, and to increase the security of e-mail communications.
Cryptographic Keys
PGP makes use of four types of key:
1. One-time session symmetric keys (a fresh random key encrypts each message; only this key is encrypted with the recipient's public key)
2. Public keys
3. Private keys
4. Passphrase-based symmetric keys (used to protect the private key while it is stored on disk)
S/MIME
• S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. Unlike PGP, it uses X.509 certificates issued by a certificate authority rather than a web of trust.
• S/MIME provides two security services:
– Digital signatures
• Authentication
• Non-repudiation
• Data integrity
– Message encryption
• Confidentiality
• Data integrity
92. Staying up to date
Update client-side software, OS updates and plugins.
Phishing emails include attachments which may exploit
applications like Java, Flash and Adobe Acrobat Reader.
These updates include patches or hotfixes for the
vulnerabilities in this software.
93. Use of SPF, DKIM and DMARC
● There are various standards that help determine whether an
email actually came from the sender domain it claims, in
order to detect email spoofing.
● SPF (Sender Policy Framework) adds to your DNS a list of all
servers which are authorised to send email on your
behalf.
● DKIM (DomainKeys Identified Mail) is used to
digitally sign all outgoing mail, proving that an email
came from a specific domain and was not altered in
transit.
● DMARC is a standard which relies on SPF and DKIM
to ensure email authenticity and integrity. If a mail
fails to pass either of the two, then it fails to pass.
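As an added example (not code from the presentation), the following toy receiver-side check evaluates SPF against a constructed, offline DNS table and then applies DMARC identifier alignment; per RFC 7489 a message passes DMARC when at least one of SPF or DKIM passes with a domain aligned to the From domain, and the `p=` tag says what the receiver should do otherwise. All domains, IPs and records are constructed sample values, and the SPF parser only supports the `ip4`, `include` and `-all`/`~all` terms used in that table.

```python
"""Added example (not the presentation's code): a toy SPF check and DMARC
alignment evaluation over a constructed, offline DNS table."""
import ipaddress

# Constructed TXT records standing in for live DNS lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s",
}

def check_spf(domain, sender_ip, depth=0):
    """Return 'pass', 'fail' or 'none' for sender_ip against domain's SPF record.
    Only the ip4, include and -all/~all terms used above are supported."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1 ") or depth > 10:  # no record or include loop
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.startswith("include:") and check_spf(term[8:], sender_ip, depth + 1) == "pass":
            return "pass"
        if term in ("-all", "~all"):  # explicit fail/softfail for everything else
            return "fail"
    return "none"

def parse_tag_list(record):
    """Turn a 'k=v; k=v' DKIM/DMARC record into a dict."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' also accepts a subdomain
    (simplified: real relaxed mode compares organizational domains)."""
    if mode == "s":
        return auth_domain == from_domain
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def evaluate_dmarc(from_domain, sender_ip, spf_domain, dkim_result, dkim_domain):
    """Return (result, policy). Passes if SPF or DKIM passes AND that identifier
    aligns with the From domain; policy is what the receiver should apply on fail."""
    tags = parse_tag_list(DNS_TXT.get("_dmarc." + from_domain, ""))
    if tags.get("v") != "DMARC1":
        return "none", None
    spf_ok = (check_spf(spf_domain, sender_ip) == "pass"
              and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return ("pass" if spf_ok or dkim_ok else "fail"), tags.get("p", "none")
```

A spoofed mail from an unlisted IP with no valid DKIM signature evaluates to `("fail", "reject")`, which is the case the slides describe; a mail signed with `d=mail.example.com` also fails here because `adkim=s` demands an exact match.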
94. Using HTML-based emails
● Go offline before you open a suspicious email.
● Use non-HTML-based (plain-text) email clients.
● Disable JavaScript.
● Disable auto download of images in Gmail, Outlook and
Yahoo.
● Check email headers whenever necessary.
● Turn off read receipts in Outlook.
95. Combatting Ransomware..
• Never click on links in emails.
• Never download attachments from untrusted
or even known sources inside an email.
98. What is cyber law?
Cyber law is the part of the overall legal system that deals with the
Internet, cyberspace, and their respective legal issues. Generically,
cyber law has been referred to as the Law of the Internet.
Importance of Cyber law
Cyber law is vital because it touches almost all aspects of
transactions and behaviour on and concerning the Internet, the
World Wide Web and Cyberspace.
India introduced this law recently and every law needs some
time to mature and grow. It was understood that over a period of
time it will develop, and further amendments will be brought in to
make it compatible with international standards.
It is significant to realize that we need "qualitative law" and not
"quantitative laws".
99. IT Act of India 2000
Cyber crimes can involve criminal activities that are traditional in
nature, such as theft, fraud, forgery, defamation and mischief, all of
which are subject to the Indian Penal Code. The abuse of computers
has also given birth to a gamut of new age crimes that are
addressed by the Information Technology Act, 2000. The IT Act
2000 attempts to change outdated laws and provides ways to deal
with cyber crimes. The Act offers the much-needed legal framework
so that information is not denied legal effect, validity or
enforceability, solely on the ground that it is in the form of electronic
records.
Background
The bill was passed in the budget session of 2000 and signed by
President K. R. Narayanan on 9 May 2000. The bill was finalised by a
group of officials headed by the then Minister of Information
Technology, Pramod Mahajan.
100. Summary
The original Act contained 94 sections, divided into 13 chapters and
4 schedules. The laws apply to the whole of India. Persons of other
nationalities can also be indicted under the law if the crime
involves a computer or network located in India.
The Act provides a legal framework for electronic governance by
giving recognition to electronic records and digital signatures. The
formation of the Controller of Certifying Authorities was directed by
the Act, to regulate the issuing of digital signatures. The Act also
amended various sections of the Indian Penal Code, 1860, the Indian
Evidence Act, 1872, the Banker's Book Evidence Act, 1891,
and the Reserve Bank of India Act, 1934 to make them compliant with
new technologies.
101. Amendments
A major amendment was made in 2008. It introduced
Section 66A, which penalized sending of "offensive
messages". It also introduced Section 69, which
gave authorities the power of "interception or
monitoring or decryption of any information through
any computer resource". It also introduced penalties
for child pornography, cyber terrorism and voyeurism. It was
passed on 22 December 2008 without any debate in the Lok
Sabha. The next day it was passed by the Rajya Sabha.
102. Law encompasses the rules of conduct
• that have been approved by the government,
• which are in force over a certain territory, and
• which must be obeyed by all persons on that territory.
Violation of these rules could lead to government action
such as imprisonment or a fine or an order to pay compensation.
103. Cyber law encompasses laws relating to:
Cyber Crimes
Electronic and Digital Signatures
Intellectual Property
Data Protection and Privacy
104. Objectives of IT Act, 2000
1. It is an objective of the I.T. Act 2000 to give legal recognition to any
transaction which is done by electronic means or use of the internet.
2. To give legal recognition to digital signatures for accepting any
agreement via computer.
3. To provide the facility of filing documents online relating to school
admission or registration in employment exchanges.
4. According to the I.T. Act 2000, any company can store their data in
electronic storage.
5. To stop computer crime and protect the privacy of internet users.
6. To give legal recognition for keeping books of accounts by bankers
and other companies in electronic form.
7. To give more power to IPO, RBI and the Indian Evidence Act for
restricting electronic crime.
105. Laws related to email crimes
1. Sending threatening messages by e-mail
Sending a threatening or malicious message using a public
electronic communication network, including sending such a
message by email.
Provisions Applicable: Section 3, 77A of IT Act and
Sec. 503 IPC
2. Sending defamatory messages by e-mail
Sending a false or defamatory message using an email.
Provisions Applicable: Sec. 67A of IT Act and Sec. 499 IPC.
3. E-mail Spoofing
A spoofed email is one that appears to originate from one source
but has actually emerged from another source. Email spoofing is
usually done by falsifying the name and/or email address of the
originator of the email.
Provisions Applicable: Sec. 463 IPC
106. 4. Email Account Hacking
If a victim's email account is hacked and obscene emails are
sent to people in the victim's address book.
Provisions Applicable: Sections 43, 66, 66C, 67, 67A and 67B
of IT Act, 2000
5. Phishing and Email Scams
Phishing involves fraudulently acquiring sensitive information
(e.g. passwords, credit card information) by masquerading a site
as a trusted entity.
Provisions Applicable: Section 66 and 66D of IT Act and
Section 420 of IPC
6. Introducing Viruses, Worms, Backdoors, Rootkits,
Trojans, Bugs
All of the above are some sort of malicious programs which are
used to destroy or gain access to some electronic information.
Provisions Applicable: Sections 43, 66 of IT Act and Section
426 IPC.
107. Some relevant studies:
1. ICICI BANK PHISHING
A few customers of ICICI Bank received an e-mail asking for
their internet login name and password to their account. Some
users clicked on the given URL in the mail. The web page
looked the same as the official page of the bank site. The case was
finally discovered when an assistant manager of ICICI Bank's
Information Security cell received e-mails forwarded by the
bank's customers seeking to check the validity of the e-mails
with the bank.
This crime was registered under Section 66 of The
Information Technology Act, 2000 including Sections 51, 63
and Section 65 of The Copyright Act, 1957, which gives the
punishment of 3 years imprisonment and a fine of up to 2 lakh
rupees, which the accused never thought of.
108. 2. State of Tamil Nadu vs Suhas Katti
The case related to the posting of obscene, defamatory and annoying
messages about a divorcee woman in a Yahoo message group.
E-mails were also forwarded to the victim for information by the
accused through a false e-mail account opened by him in the name
of the victim. The posting of the message resulted in annoying
phone calls to the lady in the belief that she was soliciting.
Based on a complaint made by the victim in February 2004, the
police traced the accused to Mumbai and arrested him within the
next few days. The accused was a known family friend of the
victim and was reportedly interested in marrying her. She however
married another person. This marriage later ended in divorce and
the accused started contacting her once again. On her reluctance to
marry him the accused took up the harassment through the
Internet.
109. RELATED PROVISIONS..
The accused was found guilty of offences under sections 469 and 509
IPC and 67 of the IT Act 2000, and the accused is convicted and is
sentenced for the offence to undergo RI for 2 years under 469
IPC and to pay a fine of Rs.500/-, and for the offence u/s 509 IPC
sentenced to undergo 1 year simple imprisonment and to pay a
fine of Rs.500/-, and for the offence u/s 67 of IT Act 2000 to
undergo RI for 2 years and to pay a fine of Rs.4000/-.
All sentences to run concurrently.
The accused paid the fine amount and he was lodged at Central
Prison, Chennai. This is considered the first case convicted
under section 67 of the Information Technology Act 2000 in India.
110. SMC PNEUMATICS (INDIA) PVT.
LTD. V. JOGESH KWATRA
• In this case, the defendant Jogesh Kwatra, being an employee of the
plaintiff company, started sending derogatory, defamatory, obscene,
vulgar, filthy and abusive emails to his employers as well as to
different subsidiaries of the said company all over the world with
the aim of defaming the company and its Managing Director Mr. R K
Malhotra. The plaintiff filed a suit for a permanent injunction
restraining the defendant from doing his illegal acts of sending
derogatory emails to the plaintiff.
• After hearing detailed arguments of Counsel for Plaintiff, Hon'ble
Judge of the Delhi High Court passed an ex-parte ad interim
injunction observing that a prima facie case had been made out by
the plaintiff. Consequently, the Delhi High Court restrained the
defendant from sending derogatory, defamatory, obscene, vulgar,
humiliating and abusive emails either to the plaintiffs or to its sister
subsidiaries all over the world including their Managing Directors
and their Sales and Marketing departments.
111. Phishing, a Cyber Crime: the provisions of the
Information Technology Act, 2000
• Section 66A: (Punishment for sending offensive messages
through communication service)
Case Study: Fake profile of President posted by imposter. On
September 9, 2010, the imposter made a fake profile in the name
of the Hon'ble President Pratibha Devi Patil. A complaint was made
by the Additional Controller, President Household, President
Secretariat regarding the four fake profiles created in the name of
the Hon'ble President on a social networking website. The First
Information Report under Sections 469 IPC and 66A Information
Technology Act, 2000 was registered based on the said complaint
at the police station.
112. • Section 66C: (Punishment for identity theft)
Case Study: Li Ming, a graduate student at West
Chester University of Pennsylvania, faked his own death,
complete with a forged obituary in his local paper. Nine
months later, Li attempted to obtain a new driver's license
with the intention of eventually applying for new credit
cards.
113. Section 66D: (Punishment for cheating by
impersonation by using computer resource)
Case Study: Sandeep Vaghese v/s State of Kerala
On a complaint filed by the representative of a company, which was
engaged in the business of trading and distribution of
petrochemicals in India and overseas, a crime was registered
against nine persons, alleging offences under Sections 65, 66,
66A, C and D of the Information Technology Act along with
Sections 419 and 420 of the Indian Penal Code.
The company has a web-site in the name and style
`www.jaypolychem.com', but another web site
`www.jayplychem.org' was set up on the internet by the first accused
Samdeep Varghese @ Sam, in conspiracy with other accused,
including Preeti and Charanjeet Singh, who are the sister and
brother-in-law of `Sam'.
Defamatory and malicious matter about the company and its
directors was made available on that website. Two of the accused,
Amardeep Singh and Rahul, had visited Delhi and Cochin.
114. • Section 67: (Punishment for publishing or transmitting
obscene material in electronic form)
Case Study: This case is about posting obscene, defamatory and
annoying messages about a divorcee woman in a Yahoo message group.
E-mails were forwarded to the victim for information by the accused
through a false e-mail account opened by him in the name of the victim.
These postings resulted in annoying phone calls to the lady. Based on the
lady's complaint, the police nabbed the accused. Investigation revealed
that he was a known family friend of the victim and was interested in
marrying her. She was married to another person, but that marriage ended
in divorce and the accused started contacting her once again. On her
reluctance to marry him he started harassing her through the internet.
Verdict: The accused was found guilty of offences under sections 469 and
509 IPC and 67 of the IT Act 2000. He is convicted and sentenced for the
offences as follows:
• As per 469 of IPC he has to undergo rigorous imprisonment for 2 years
and to pay a fine of Rs.500/-
• As per 509 of IPC he is to undergo 1 year simple
imprisonment and to pay Rs 500/-
• As per Section 67 of IT Act 2000, he has to undergo 2 years and to pay
a fine of Rs.4000/-
116. Work to do
1. Data preservation and retention policy (data
archival policy)
2. Email and Internet usage policy.
3. Specific policy on the use of social media by
various departments.