Phishing in people's accounts

But experts say the sheer ease with which phishing can be executed is threatening as the knowledge on how to launch a phishing attack is often just a click away. Head-S-E Asia & India, Websense Inc, Surinder Singh says, 'It's getting more and more organised by the day. There is a whole set of an organised economy - where there are websites which sell these phishing kits. With these phishing kits, even a layman like me and you without any technical background, can launch these phishing attacks. In one or two days, there are hacking tools which are sold over these websites. It's very well organised and getting bigger by the day."

Experts say phishers often meet in online secret chat rooms and trade knowledge on different security systems and new ways of launching attacks across countries. Mukhi explains, 'Once I was at a chat show on the internet and there were some phishers who were sharing ideas and they were all very unanimous - that most of the banks in India do not have an emergency response team for phishers and they don't respond as fast as an American or European bank would. So, phishers are now going to target Indian banks because they get more user names and passwords than any other banks."

Buch says, 'We have created a special place where an alert can be given and we have found that the speed of response is extremely high. Within half an hour or a couple of hours of the mail first reaching us, we get an alert. The authorities have been extremely helpful. Through the authorities, we are able to bring down the site and there is no damage done to our customers. We are available to our customers 24x7 on so many channels. The people who are mapped to that e-mail ID that I mentioned - in addition to the executive director, it goes to a host of people who are on duty and on call 24x7.'

Sounds far fetched? Not really. Just a few days ago, UTI Bank was the victim of a phishing attack. The Delhi police has arrested four Nigerian nationals and an Indian in the case. According to the police, Oxabe and his accomplices allegedly sent e-mails that included a hyper-link within the e-mail itself. A click on that link took the recipients to a web page which was identical to UTI Bank's site. After the customers had logged in with their passwords and names, the information was sent to the alleged fraudsters who then used the information to transfer large sums of money to various accounts, all over the world, using the internet banking facility.

The police believe it's an international racket involving even more people, sitting in various parts of the world. Additional Commissioner of Police, Delhi police, KK Vyas says, 'They had organised this racket in which they actually sent phishing mails using UTI Bank's details. They had copied the UTI logo etc and on that basis, they prepared letters as if they had originated from the bank.

But phishing attacks are continuing unabated. Last month, UTI Bank filed an FIR with the Delhi police after it received complaints from customers that cash had been debited from their accounts without their knowledge. Customers from Thane, Delhi, Vishakapatnam, Nasik and Ahmedabad - all had one thing in common- they had replied to an e-mail from the bank.
The damage: 30 customers who lost Rs 20 lakhs and this amount was reported by the ones who caught on early.

KK Vyas explains, 'We had been receiving more and more complaints and that means this scam could run into a very high proportion. It is quite possible that other branches of UTI Bank in various parts of the country might also be affected. So, the process of verification is going on and we are in the process of identifying where all the money has gone.'

Data from the Computer Emergency Response Team India shows phishing attacks are on the rise. The year 2005 saw 86 incidents of phishing reports. In 2006, this number more than doubled to 200 incidents. Not only were attacks being launched in India but 2006 saw the maximum phishing attacks being launched from India on other countries as well.

Security expert, Surinder Singh says, 'As per Websense Security Lab, we find that at any given point in time in 2006, there were 2 to 300 websites being hosted. There was a spurt in October where we identified 790 websites which were hosted in India and being used to carry out attacks."

Buch adds, 'Over the last six months, we have done three specific initiatives. We introduced true factor verification on the website, which means in addition to the user ID and password, the customer now has a challenge mechanism, where we ask them things only they know and only if the answer is correct, do we allow him to do a transaction.'

But Singh admits, 'No system is perfect because all these criminals also study what protection techniques are being used and they will come up with something new. It's kind of a guerilla war. You can limit the phishing incident, so you can reduce the exposure but there's no way of totally eliminating it."