Investigating phishing cases is illustrated by a sample case study.
Raghavendra was working as assistant professor at a prestigious college and was doing his PhD and spent most of his time on internet browsing to acquire requisite information. While checking his email ID, he found new message with the subject line “UR gENT: ATTENTION REQUIRED – MESSAgE FROM XYZ bANK”. On opening the mail, he found that the financial institution (bank), in which he was holding a savings bank account, had sent a communication as
From: customercare@xyzbank
Subject: “URGENT ATTENTION REQUIRED- MESSAGE FROM ABC BANK”
Date & Time: 26th January 2011, 11:00 AM (IST)
Dear Valued customer,
For security purposes, your account has been randomly chosen for verification. To verify your account, we are asking you to provide us
with all the data we are requesting. If you do not provide these details, then we may not be able verify your identity and access to your
account may be denied. Please click on the below link to get secure page
http://www.xyzbank.com/verifyaccountinfomration.html
Thanking you
Customer care,
XYZ Bank.
Upon reading the mail, the professor visited the hyperlink. He landed on a webpage purported to be of his bank. The website contained fields asking him to update his personal information including account number, password and transaction password. He duly updated the information without giving a second thought. He was under the impression that the message was genuinely from his bank. After some days, he was shocked to realize that an amount of Rs 68,000 was debited from his account for some online purchase. The professor lodged a criminal complaint with the local police station.
Applicable Sections of Law
66C and 66D of Information Technology (Amendment) Act, 2008 and Section 420 of IPC – Identity theft, cheating by personation using computer resources and cheating.
After registration, the investigation has to be undertaken by an officer of the rank of Police Inspector or above (as per ITAA 2008).
Information Gathered
From complainant: Self attested copies of the printout of phishing email along with full headers printed at the police station and soft copies of the same with date and time stamps. Details of the bank account of the victim.
From Bank:
The account statement of the complainant, which included fraudulent transaction details.
Transaction IP address of the fraudulent transaction.
Details of the beneficiaries (company to which the amount was credited for the online purchase of the electronic gadgets) and, the delivery address of the electronic equipment.
From Website Hosting Company: Particulars of the persons responsible for hosting the phishing website.
Investigation
Upon receiving reply from the bank, the investigating officer observed that the accused had made purchase of electronic gadgets from an online store. The IO contacted the online store and issued them a notice to furnish details of the equipment purchased, including delivery address of the electronic goods. The investigation revealed that the address mentioned for the delivery of goods was fraudulent and the accused had collected the goods from the courier agency directly by showing some fake ids. The fraudulently purchased electronic gadgets included a laptop and a mobile phone. The IO obtained IMEI number of the gadget. The IMEI number is unique and captured by all mobile service providers. The IO wrote a letter to all the service providers to check whether the given IMEI number belonged to their network. One of the service providers replied that the said IMEI number was found on their network. Based on this information, the IO obtained further information from the Mobile Service Provider like
- CAF form
- Call details
- Alternative mobile number given at the time of availing the connection
The service provider gave all the details and the IO analyzed the call details and found that the user had made maximum number of calls to a particular number and investigations led him to the called person. The IO received full details of the user (accused) of the mobile phone, which was purchased using the defrauded funds and was finally confronted. The laptop was also in the possession of the accused and the same was recovered.
The laptop thus seized was sent to the FSL for identifying the origin of the phishing mail and fraudulent transaction. The IO gave keywords like [email protected], etc to the FSL to establish link between the victim and the accused. No useful information regarding the phishing mail or internet banking transaction(s) was available with the accused. However, interrogation revealed that the accused was a recruit (money mule) on behalf of an unknown gang. The accused was simply acting as a conduit to deliver fraudulently obtained goods and to transfer money to the account to his recruiter. However, in the said case, the recruit did not turn up to collect the goods for sometime. Efforts to trace the unknown recruiter, who used to frequent him for collecting the gadgets / money, was untraced, despite serious efforts.
Investigation
The Investigating officer checked the full headers of the phishing mail received by the complainant to trace the IP address of the origin of the phishing email. The IP address was traced to a location outside India. However, detailed investigations revealed that the IP address was spoofed and originated from a country which was notoriously lax in implementing cyber security laws. Hence, the investigation reached a dead end with respect to tracking the original host of the phishing website. Further, with the growing sophistication of phishing attacks, it is difficult to identify the real hosts of these websites. The IO duly notified the CERT-In and the concerned Bank to pull down the phishing website.
