See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/361541692

An Overview of Phishing and Its Indian Perspective

Conference Paper · June 2022

CITATIONS READS

0 73

1 author:

Reshmi Maulik
Meghnad Saha Institute of Technology
3 PUBLICATIONS 8 CITATIONS

SEE PROFILE

All content following this page was uploaded by Reshmi Maulik on 26 June 2022.

The user has requested enhancement of the downloaded file.

 An Overview of Phishing
and Its Indian Perspective
Reshmi Maulik
Meghnad Saha Institute of Technology
Techno India Group
Kolkata, India
reshmimaulik@gmail.com
Abstract— Security is the main concern today all over the world.
As new measures are developed to overcome the existing threat,
even newer attacks are launched by the malicious users.
Therefore it seems that discovering new security measures is an
ongoing issue. Phishing is one such major threat to the cyber
world which can bring even the websites of big banks to a halt.
Phishing websites may cause huge financial and confidential
information loss to major companies. In this paper we have
discussed the different types of phishing attacks, measures taken
to prevent phishing and its impact in India.
I. INTRODUCTION
“Phishing” is a word derived from the concept of “fishing
for information”. Phishing means diverting the legitimate
users to a false website, which looks very much like the
original website, and make them reveal private credentials
such as login name and password to the attackers. Later, these
attackers use this information to access the user’s account and
may use it to transfer money from the user’s bank to their own
account or may send spam to the account holder’s friends, etc.
The person who designs the phishing site is called the
phisher. Phishers are very intelligent persons as they try to
reproduce the design of the original site by copying the
original website including the logos, images, etc [5]. They
send spam to the customer by impersonating as the sending
authority of the original site. These spams are generally
official looking and sounding emails and contain links that
require the user to validate their credit card or their online
banking account login details. Therefore, the only intention of
these spams is to gain the confidence of the user and make
them to click on the embedded link. Upon clicking, the user is
directed to the phishing site and is asked to enter security
information such as login name, password, account number,
phone number, credit card details etc. Human beings are in
habit of making mistakes. It may also happen that the user, in
hurry, makes a mistake while typing the name of the website
and thus reaches the phishing website, which has a name
different from, but very similar to, the original site. According
to Financial Express, it was discovered in February 2006 that
the HDFC bank’s website had been cloned and the users were
redirected to www.hadfcbank[sic].com. Dhamija et al. [9]
gives the factors which make phishing attacks successful. The
factors include lack of computer knowledge, lack of
knowledge about security indicators, visual deception, lack of
attention towards security indicators. The study shows that
90% of internet users can be fooled by the phishers.
Sometimes people, for convenience, use same login name and
password to access their different bank accounts. The phishers
can then use this vital information to transfer money from
several bank accounts of the user. Therefore, the users are
advised not to divulge their vital information by responding to
any fraudulent e-mails that may appear to come from the bank.
Phishing are so widespread nowadays that its name is also
twisted on the basis of its impact. 'Puddle phishing' targets the
customers of regional banks or credit unions [8]. 'Spear
phishing' targets customers of individual companies or small
groups [8].
Data stolen through phishing has a good demand in the
underground market of the cyberspace. The underground
economy report prepared by Symantec Corporation is a survey
of cyber crime activities [22]. It has categorised the goods and
services available for sale in the underground economy and
found that the credit card information category which includes
credit card numbers, credit cards with CVV2 numbers and credit card
dumps is ranked highest and is almost 31% of the total sale of
goods and services. Credit card information is the highest
priced item in underground economy. The third ranked
category is sale of spam and phishing information which
includes email addresses, email account passwords, scams and
mailers and is 19% of total sale. The highest priced item in
this category was hosting of phishing scams. Spam software
consists of bulk mailers and email address extractors.
According to Symantec, phishing and spamming are more
popular activities in the underground economy because of its
low restrictions to entry, requirement of few technical skills
and high return on investment on phishing-related goods and
services.
The Anti-Phishing Working Group (APWG) is the global
pan-industrial and law enforcement association focused on
eliminating the fraud and identity theft that result from
phishing, pharming and email spoofing of all types. APWG
provides the most comprehensive picture of the scale of email-
based phishing attacks on the internet. According to Phishing
Activity Trends Report Q1 2008 [2], 92.9% attacks are made
on financial services websites. About 4.77% of websites –
which were classified during Q1 2008 as hosting malicious
code in the form of either a phishing-based keylogger or a
Trojan downloader, which downloads keyloggers – are hosted
from India.
Phishing attacks are increasing with an increase of e-
commerce as it requires online transaction and transfer of
money via debit card or credit card. Different reports show
that phishing is on rise. A reason for this is the greater access
of the younger generation to the Internet anywhere and at any
time. They consider it as fun to send some misleading
message, such as regarding some terrible attack that is likely
to take place in a sensitive place, or to hack some important
bank website to get the information of its customers and later
use it to get some easy money. New generation is also
addicted very much to the social networking sites. These sites
enable users to share personal information, images, videos, etc
with other members of their network. They sometime also use
third party software to customize their page to make it look
better than others. However, the popularity of these sites
makes them attractive to cyber criminals. The criminals may
use the social engineering techniques to lure the users of these
sites to download malwares or to disclose personal
information. The phishing attacks can also be made
successful by spoofing the social networking pages trusted by
users. According to AFP report of August 6, 2009, the
microblogging site Twitter, the social networking site
Facebook and search giant Google have recently undergone
denial of service attack and while the latter fended off the
attacks successfully, the services of the first two sites were
severely compromised.
II. TYPES OF PHISHING ATTACKSS
There are many types of phishing attacks. Some of them
are as follows:
A. DNS-Based Phishing ("Pharming")
The phishers tamper with the host site's file names or
URLs, so that when the user visits the site they are diverted to
some bogus site. Pharming means manipulating the name
resolution process of the DNS servers on the Internet.
Therefore, the victim unknowingly reveals their personal and
sensitive information to some illegitimate site.
B. Keyloggers and Screenloggers
People sometime use the computers of cyber café to access
their bank accounts. Some of the cyber cafés use software
keyloggers to capture keyboard events and keystroke data and
use them to get credit card information, authentication
credentials, personal information and the contents of email and
instant messenger. These information may be used later to
access the customer’s bank account. The screenloggers can be
used as well to phish information. They record any
information displayed on the screen. Thus the screenloggers
can defeat the use of virtual keyboard used by some banks to
prevent the theft of the passwords.
C. Malware-Based Phishing
The capabilities of botnet malwares to make phishing
attacks have also increased. When the infected systems are
browsing the Internet, keywords typed can trigger the botnets
to redirect the user to some phishing site to steal their personal
data.
D. Deceptive Phishing
The victim receives some deceptive emails (spam) from
trusted authorities or friends. These messages contain some
kind of threats and tell them to change the security settings for
their online bank accounts by clicking on the link given in the
message or require them to log on to a remote site. The victim,
getting panicked, may step into the phisher's net and may
reveal their personal security credentials.
E. Gillnet Phishing
The phishers introduce malicious codes into the legitimate
websites or the emails sent to the victim [8]. By browsing the
websites or upon clicking the links given in the emails, a
Trojan horse will be introduced in the victims’ system. This
Trojan horse may also change the settings of the victims’
computer so that he/she may always be redirected to the
phishing websites whenever he/she may want to visit
legitimate bank websites.
F. Vishing
Vishing is an emerging threat. The term ‘vishing’ is a
combination of voice and phishing. Because of social and
technological reach of IP telephony, it is more susceptible to
phishing attack. The goal of a vishing attacker is first to trap
your confidential personal details and then to use these
illegally trapped information to steal the access right from
individual's bank accounts to corporate treasury. More
avenues of attacks are opening up as many people are using
services like Skype to send voice messages. Also Interactive
Voice Response System (IVRS) based banking services are
prone to vishing attack. Instead of a website in the case of
phishing, an user can be misled to a wrong phone number to
divulge tele-PINs for banking services.
III. PHISHING – AN INDIAN PERSPECTIVE
According to the CIOL Bureau report [4] on June 20,
2008, India ranked 14th worldwide in hosting phishing
websites. Mumbai ranks the highest (38 per cent), followed by
New Delhi (29 per cent) and then Bangalore and Chennai with
12 per cent each. Business Standard on December 2, 2008 has
reported that India now ranks 10th in the global list of spam-
generating countries. This shows a rising trend in cyber crime.
The leading security software firm Sunbelt Software [21], on
August 30, 2007, discovered that Bank of India's hacked
website was serving dangerous malware. It has also said the
infamous Russian Business Network – an ISP linked to child
pornography and phishing – is behind the attack.
Although the above facts show that cybercrime is
increasing, the public and private sector banks are actively
improving their security measurements. They have realized
that if they do not improve their security measurements at a
rapid pace and adopt new technology, then they are going to
lose their customers. In a case of NASSCOM vs Ajay Sood
and others, the Delhi high court had declared Phishing as an
illegal activity on Internet and had allowed the affected
person/company to recover the cost of damages [8].
Government is now trying to amend the Information
Technology Act 2000, which defines the cyber terrorism, child
pornography, spam, phishing and other online frauds [11].
Almost 78 cases on an average, related to phishing, are
reported daily. In most of these phishing cases, websites are
hosted in one country but are registered in another, which
makes it difficult to disable them [11]. However, both IT
managers and employees of IT industry/BPO in India are least
concerned about the security of the confidential information
provided by their customer [1]. Also, because of limited
general awareness in India, even the victim takes time to
realize that he/she has been attacked. Most of the Internet
users may not have heard about ‘phishing’. Moreover, though
the cyber law and IT law were enacted in 2000, the IT
industries in India do not even care to register many cases of
security violation and thus many incidents go unreported.
Most of the cyber crimes took place from cyber cafes. Most
cyber cafe owners are not even aware of the types of attacks
that can be made using their computers. The person running
the cyber cafes should be more conscious and computer savvy
so that he/she can detect the person who is using his/her
computer to perform any unlawful act. Moreover, police in
India should be properly educated so that they can detect and
keep a watch over the technical fraud.
India is undergoing a huge technological revolution which
is forcing it to adopt the Information and Communication
Technology (ICT) and its benefits. Electronic Governance (e-
Governance) refers to those governance processes which use
ICT for providing governance related products and services
[18]. Its increased use may lead to enhancement of
government’s efficiency and improve its relationship with the
public [13]. However, e-governance requires the existence of a
secure and reliable infrastructure. Without a secure
infrastructure, e-governance can compromise the safety and
privacy of government data, as well as personal data of
millions of citizens of the nation.
To build a proper and secure infrastructure, India must
have an appropriate legal system and the present cyber law
must be suitably enhanced. According to Praveen Dalal [12],
the leading techno-legal specialist in India and managing
partner of Perry4Law, the major drawbacks of the present
cyber law of India include:
a) Non-inclusion of contemporary cyber-crimes and
contraventions like phishing, spamming, cyber extortions,
compromised e-mails, cyber terrorisms etc.
b) An obscure position of Freedom of speech and
expression under IT Act, 2000.
Before making any changes to the Information Technology
Act, 2000, the conflict between Right to Privacy and the Right
to Information must be resolved [13]. Article 19 (Protection
of rights regarding freedom of speech, etc) and the Article 21
(Protection of Life and Personal Liberty) of the constitution
are giving protection to the attackers. The constitution of India
must be amended to redefine the articles according to the
International laws [19], “The rights of the individuals to be
protected against interference into his personal life,
relationships and those of his family by straight physical
resources or by Publication of Information.”
IV. CYBER SECURITY
The awareness about cyber security is growing in India but
preventive measures have not been taken yet. India does not
have any expertise to tackle the cyber terrorism. Cyber
Security of India should be an essential part of National ICT
policy and strategy of India. The enforcement of cyber
security can secure the e-governance base whereas cyber
forensics deal with finding the loopholes and limitations of the
existing measures to secure the base [14]. Cyber forensic has
increased its area to incorporate the judicial system so that
serious legal actions can be taken against those who are
involved with cyber terrorism by considering the evidences
found against them. Despite some good suggestions from
different levels, Government of India has not yet taken
sufficient actions in this regard.
There have been similar recommendations and demands in
several other countries and India can learn from them too.
Recently, in a report [15] to the Chairman and Ranking
Member of the US Senate Committee on Homeland Security
and Governmental Affairs, Dartmouth’s Institute for
Information Infrastructure Protection (I3P) mentioned the
following four common themes as the core recommendations
for improvement of cyber security:
1) A coordinated and collaborative approach is needed.
2) Metrics for security are a broad enabler and must be
developed.
3) An effective legal and policy framework for security
must be created.
4) The human dimension of security must be addressed.
However, the foremost step to defend against any cyber
attacks is to update the security features of the application
softwares and operating system so as to protect not only the
information but also the infrastructure it resides on.
V. DESIGN PRINCIPLES FOR ANTIPHISHING TOOLS
Parno et al. [17] had identified a set of principles for anti-
phishing tools:
(a) Outguess the phisher: Researchers and adversaries are at
a war. As soon as researchers develop any new technique to
overcome the phishing attacks, attackers find the new ways to
evade those defenses. The security measure developed should
be so strong that only the most skilled one will be able to
attack it. This will reduce the number of potential attackers.
(b) Mutual authentication: Both client and server should be
able to mutually authenticate each other. In this way, clients
will be confirmed that they are passing sensitive information
to the intended receiver and server will be confirmed that the
clients requesting for service are genuine one.
 (c) Avoid dependence on the browser’s interface: The new
anti-phishing technique developed should not have much
dependence upon the browser. This is because the security
related elements displayed on the browser can be easily copied
for the phishing sites also. Moreover, browser is much
vulnerable to javascript attacks.
(d) Reduce reliance on users: The user should not be given
the responsibility of detection of the phishing sites. The
involvement of users should be minimized as far as possible.
(e) Forgo network monitoring: This requires monitoring the
transmission of the sensitive data sent by the user. However,
attacker may make use of Java applet or other scripting to
encrypt the data sent by user and thereby prevent monitoring
the data.
VI. MEASURES TAKEN TO PREVENT PHISHING
This is an area of research for past few years. One of the
famous Turing test, CAPTCHA, can only help to protect the
websites from the bots and prevent them from denial of
service attacks, but do not provide any security to confidential
information of its users from the phishers. Some of the
researchers have suggested enhancing the security by
installing browser plug-in on personal computers, see [6, 7]
for details. Many of them have suggested using some kinds of
filters to distinguish a phishing site from the genuine site, see
[3] for details. Many email service providers have
implemented these filters which decide whether a particular
email is spam or not. They also allow users to form their
customized filters to distinguish emails on the basis of the
contents, the subjects or the sender addresses. However,
phishers are quite intelligent and they keep on changing the
contents of the emails. To protect itself from phishing attacks,
an organization can employ web server log monitor [22]. This
will enable them to track whenever the complete download of
their logos and images on the websites will occur.
Yahoo! has launched a new concept called “sign-in-seal”
to prevent phishing attacks by allowing users to upload a
custom logo to the Yahoo login page. The principle is that if
the user sees his or her custom photo then they will be sure
that it must be the genuine Yahoo page. However, this
method has a big flaw. All the information for Yahoo's sign-
in-seal is stored in the form of cookie. Therefore, if any person
uses public computer then he/she may be at the risk of data
theft as some unauthorized person may use the vital personal
information to access his/her account information. Also the
use of cookie makes the solution local to a specific computer.
To prevent identity theft based on key logging, ICICI bank
has implemented a new feature called ‘virtual keyboard’ in its
bank website to protect the illegitimate user from accessing
the accounts of the genuine customers. A virtual keyboard is
displayed on the website where the position of the key
changes with each login and the user has to enter the password
using the virtual keyboard. Use of virtual keyboard protects
the legitimate user’s password from malicious “spyware” and
“trojan programs” but also reduces the risk of password theft.
However, such virtual keyboards are only useful for keying in
short information like passwords. Also, even with ICICI bank
the use of such useful devices is left as an optional choice of
the customer. Further, it is deployed only at the topmost level,
while the later steps for typing passwords are left vulnerable.
This shows the lack of awareness among even the topmost
banks. The virtual keyboard, while addressing the issue of
keylogging, is still vulnerable to screenlogging.
Many banks in Europe have a dual layer of security to
prevent phishing. The ATM card provided by the bank has a
chip containing the customer information built into it. A
customer is provided with a small machine, which can read the
information on the chip. When a customer logs on to the bank
website and provides the account number, the website offers
back a security number. The customer has to put the ATM
card into the machine and key in the PIN and the security
number. The machine then calculates the answer to the
security number based on the customer information stored on
the chip and PIN. This answer to the security number is
unique to the customer and the customer types it back on the
website. Since the server of the bank also has the access to the
customer account information and PIN, it can recalculate the
answer and check for the authenticity. Since the bank website
offers a different security number each time, it does not help a
phisher to get access to a few answers. The main drawback of
this system is that the customer must carry the machine all the
time to access the bank site.
ICICI Bank provides a simpler solution to this problem.
Each debit-cum-ATM card of the bank comes with a grid
numbered by alphabets. Each grid contains a two-digit number
and the collection is unique to a customer. At the time of a
transaction, the customer is asked to key in the numbers
corresponding to three randomly chosen alphabets, other than
the password. Since there are several alphabets, it takes a large
number of attempts to know all the numbers even for a
keylogger. While this method does not require the customer to
carry the machine, after a sufficiently large number of trials, a
keylogger can identify all the numbers and launch an attack.
A new powerful weapon, called DKIM, emerges against
phishing. Domain Keys Identified Mail (DKIM) is a method
of email authentication [16]. DKIM allows an organization to
embed a cryptographic signature to the outgoing mails and
also link that signature with its domain name. The signature
travels along with the mail regardless of its path across the
Internet. The receiver can use the signature to verify whether
the message came from the genuine organization as mentioned
in the domain name. Though this technique sounds similar to
pre-existing standards like S/MIME and OpenPGP, the earlier
standards had some problems. The recipient’s mail system
should be able to handle signed messages. There is no
mechanism to communicate with unknown senders. EBay,
PayPal and Yahoo have already started implementing DKIM.
However, this method does not prevent receiver from replay
attack as DKIM neither hide the address of the recipients nor
the path through which it travels.
Clearly, there are several limitations to all the solutions
provided. More research is required to come up with more
user-friendly, yet effective solutions. Also the attackers get

smarter with the day. The researchers must also sharpen their
tools accordingly to maintain an even fight against the designs
of the phishers.
VII. CONCLUSION
Phishing websites are increasing day by day. Jaishankar
[10] quoted Gartner 2007 statistics to warn about an increase
in the victims of phishing by 40%. According to CERT-In
[20], out of 834 security incidents reported during July 2009,
nearly 7% were phishing incidents and 8% were related to
spamming and they comprised the second largest group after
incidents relating to website compromise and malware
propagation. As India is already at the high position in the hit
list of attacks by the phishers, much research is required to be
done in this area including development of new measures to
counterattack these phishers.
REFERENCES
[1]
Bharat B. Bhagat, and Latika Kharb, “Phishing and Its Indian
Perspective”, The Internet Journal of Medical Informatics, Vol. 3, 2008.
[2]
Peter Cassidy, “Mapping the Frontiers of Electronic Crime Threat from
Consumers’ Desktops to National Equities Markets”, Keynote address at
CODEGATE 2008, Seoul, South Korea.
[3]
Debra L. Cook, Vijay K. Gurbani and Michael Daniluk, “Phishwish: A
Simple and Stateless Phishing Filter”, Security and Communication
Networks, Vol. 2, pp. 29-43, 2009.
[4]
CyberMedia India Online Ltd, “India Very Much Home to Phishing
Websites”, http://www.ciol.com/Technology/Security/Interviews/India-
very-much-home-to-phishing-websites/20608107295/0/, 2008.
[5]
FraudWatch International Pty Ltd., http://www.fraudwatchinternational.
com/phishing-fraud/phishing-web-site-methods/, 2008.
[6]
Yogesh Joshi, Samir Saklikar, Debabrata Das, and Subir Saha,
“PhishGuard: A Browser Plug-in for Protection from Phishing”, IMSAA
2008, Bangalore, India, December 10-12.
[7]
Engin Kirda, and Christopher Kruegel, “Protecting Users against
Phishing Attacks”, The Computer Journal, Vol. 49, No.5, pp. 554-561,
2006.
[8]
N.P Singh, “Online Frauds in Banks with Phishing", Journal of Internet
Banking and Commerce, vol. 12, no.2, August 2007.
View publication stats
[9]
Rachna Dhamija, J. D. Tygar and Marti Hearst, “Why Phishing works”,
Proceedings of the SIGCHI conference on Human Factors in computing
systems , Montréal, Québec, Canada ,Pages: 581 – 590, 2006 .
[10]
K. Jaishankar, “Identity Related Crime in the Cyberspace: Examining
Phishing and Its Impact”, International Journal of Cyber Criminology
(IJCC) , January-June 2008, Vol 2 (1): 10–15.
[11]
Sanjay K.Bihani and Stuart Hamilton, “Third Meeting of the Internet
Governance Forum (IGF), in Hyderabad, India”, IFLA Journal, Vol. 35,
No. 1, 59-62 (2009).
[12]
Praveen Dalal, “Cyber Law in India Needs Rejuvenation”,
http://indianattorney.org/claw.html, 2007.
[13]
Sharique Rizvi, “Data Privacy and Right to Information: The
Phenomenon of Strategic Control and Conflicting Interests”, in Towards
Next Generation E-government, Jaijit Bhattacharya, Ed., ICEG07,
Hyderabad, India, December 28-30.
[14]
Praveen Dalal, “Cybersecurity in India: An Ignored World”,
http://www.crime-research.org/articles/Cybersecurity-India-Ignored-
World, Computer Crime Research Center, 2007.
[15]
Martin N. Wybourne, Martha F. Austin and Charles C. Palmer,
“National Cyber Security – Research and Development Challenges
Related to Economics, Physical Infrastructure and Human Behavior”,
Institute for Information Infrastructure Protection, Dartmouth, 2009.
[16]
Batty Leiba and Jim Fenton, “DomainKeys Identified Mail (DKIM):
Using Digital Signatures for Domain Verification”, IBM Research
Report RC23995 (W0606-148) June 30, 2006.
[17]
Bryan Parno, Cynthia Kuo and Adrian Perrig, “Phoolproof Phishing
Prevention”, in “Financial Cryptography and Data Security”, vol.
4107/2006, LNCS, Springer, Berlin/ Heidelberg.
[18]
Somesh Kumar Mathur, “Indian IT industry: A Performance Analysis
and A Model for Possible Adoption”, MPRA Paper no 2368, 2007,
Munich, http://mpra.ub.uni-uenchen.de/2368/1/MPRA_paper_2368.pdf.
[19]
PUCL v Union of India, [(1997) 1 SSC 301].
[20]
CERT-In, “CERT-In Monthly Security Bulletin”, http://www.cert-
in.org.in/knowledgebase/SecurityBulletin/cisb-Jul09.htm, July 2009.
[21]
SunbeltBLOG, “Bank of India Seriously Compromised”,
http://sunbeltblog.blogspot.com/2007/08/breaking-bank-of-india-
seriously.html, August 2007.
[22]
Symantec Corporation, “Symantec Report on the Underground
Economy”,
http://www.symantec.com/content/en/us/about/media/pdfs/Underground
_Econ_Report.pdf”, November 2008.