Relate the examples, illustrations and

mini-cases provided here to the cyber-

crime categories mentioned in Chapter 1
and to the technical concepts explained in
Chapters 25.
Appreciate the interplay of crime and legal
perspectives provided in Chapter 6, and relate
them to organi zational implications dis-
cussed in Chapter 9 and to psychological and
political dimensions of cybercrimes explained
in Chapter 10.
Learn the practical scenarios of how criminals/
fraudsters use methods, tools and techniques
to commit cybercrimes and will be able to
relate it to concepts learned in Chapter 4.
Understand how real life instances of cyber-
crimes can impact individuals and organiza-
tions if due care is not taken.
Get overview of threats in cybersecurity
with the crimes that are committed in the
cyberspace.
Understand how forensics discussed in
Chapters 7 and 8 is applied in real life.
Relate to organizational implications of cyber-
security discussed in Chapter 9.
11.1 Introduction
Trough Chapters 19, readers are exposed to various categories of cybercrimes, the tools and techniques
used by cybercriminals as well as the forensics and legal aspects involved. We learned about the psychological
and ethical dimensions and organizational implications in terms of cybersecurity (Chapter 10).
In Section 1.5 of Chapter 1, we presented classications of cybercrime and explained the crimes under
each category. Chapters 25 provide detailed discussion on cybercrimes cyberstalking and harassment
(Chapter 2); Vishing and Smishing (Chapter 3); and Phishing and Spear Phishing (Chapter 5). For the
illustrations/case studies on digital forensics investigations, the background and reference chapters are
Chapters 8 and 9. For the reasons of condentiality and privacy, real names (individuals and/or organizations) are
masked in some of the illustrations. Tough the names are masked, the situations are real. If the hypothetical names
match with actual names of any living or dead person, it is purely a coincidence. A number of cases/ illustrations
are based on the information released in the public domain; those URLs are mentioned. Neither authors nor the
publisher is responsible for false/inaccurate information posted on those public weblinks.
Cybercrime knows no geographical boundaries! Figure 11.1 illustrates this point eectively. Criminals,
the means for the crimes and the impacted victims can be anywhere on the globe! In most cases, however,
Cybercrime: Illustrations,
Examples and Mini-Cases
Learning Objectives
After completing this chapter, you will able to:
11
Cyber security_Chapter 11.indd 603 2011-03-25 10:34:38 AM
604 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
they also get caught, as illustrations in this chapter show. Students of a legal course curriculum, from the
standpoint of enhancing their knowledge about applicability of prevailing laws in their regions, may like to
use the mini-cases, examples and illustrations for discussing which laws and which sections in those laws
would be applicable.
Overall, the objective of this chapter is to help readers appreciate the seriousness and implications of
computer crime scenarios presented here. Te mini-cases, illustrations and examples presented here are
cybercrime incidents that have taken place in India as well as other countries.
Tis chapter is divided into six sections:
1. Section 11.2: Real-Life Examples
2. Section 11.3: Mini-Cases
3. Section 11.4: Illustrations of Financial Crimes in Cyber Domain
4. Section 11.5: Digital Signature-Related Crime Scenarios
5. Section 11.6: Digital Forensics Case Illustrations
6. Section 11.7: Online Scams
At the beginning of each section, there is a table with list of examples/illustrations/case studies addressed in
the section. Te chapters, in which the underlying concepts are discussed, are mentioned in those tables. Tis
will help you refer back to those chapters. Tere are no summary and review questions for this chapter.
11.2 Real-Life Examples
Tis section contains real-life examples of E-Mail Spoong, release of viruses/worms, cyberstalking, hacking,
computer intrusion and computer frauds, website attacks, cybersquatting and IPR crimes. Table 11.1 lists
the examples provided in this section.
Victim
Tracing possible
Offender/
criminal
Open wireless
network
Anonymous communication
service
Tracing challenges
E-Mail service (no formal
registration)
Figure 11.1 |Cybercrimes are boundary less!
Cyber security_Chapter 11.indd 604 2011-03-25 10:34:39 AM
Cybercrime: Illustrations, Examples and Mini-Cases 605
Table 11.1 | List of examples in Section 11.2
Example
No.
Title Topic Chapter
Cross-Reference
1 O cial Website of Maharashtra Government Hacked Website hacking Chapters 1 and 10
2 E-Mail Spoong Instances E-Mail Spoong Chapters 1, 3
and 4
3 E-Mail Bombing involving a Foreigner E-Mail malpractices Chapter 1
4 I Love You Melissa Come Meet Me on the Internet Virus and worms Chapters 14
5 Te Piranhas Tragedy with Children Misleading informa-
tion on websites

6 Doodle me Diddle! Data diddling Chapter 1

7 Ring-Ring Telephone Ring: Chatting Sessions Turn
Dangerous
Cyberstalking Chapters 1 and 2
8 Young Ladys Privacy Impacted Trojan Chapters 24
9 Job Racket Exposed by Mumbai City Cybercrime Cell Smishing Chapter 3
10 Indian Banks Lose Millions of Rupees Internet fraud Chapter 1
11 Innity E-Search BPO Case Sale of personal
information
Chapter 6
12 Charged with Computer Intrusion Computer network
intrusion
Chapter 1
13 Small Shavings for Big Gains! Computer fraud Chapters 15
14 Man Goes Behind Bars for Computer Fraud Oense Computer fraud Chapters 1 and 9
15 Justice vs. Justice: Software Developer Arrested for
Launching Website Attacks
DoS (Denial-of-
service attack)
Chapters 1 and 4
16 CAN-SPAM Act Violation through E-Mail Stock Fraud SPAM, Wire fraud Chapters 1, 5 and 6
17 Business Liability through Misuse of Organizations
Information Processing Assets
IPF misuse
18 Parliament Attack Computer forensics Chapter 7
19 Game Source Code Stolen! IPR theft (source code
theft), insider attacks
Chapters 1 and 9
20 Te Petrol Pump Fraud Computer hardware
fraud
Chapter 1
21 Xiao Chungs Story Life of a Hacker Hacking and
p sychology of hackers,
zero-day attacks
Chapters 1, 9
and 10
22 Killers take Tips from 26/11 Attack to Use VOIP Cyberterrorism
using VOIP, E-Mail
forensics
Chapters 1 and 7
23 Robertson Brothers Caught for Selling Pirated Software IPR theft, software
piracy
Chapters 1 and 9
24 BSA Uncovers Software IPR Breaches IPR theft Chapters 1 and 9
25 Pune City Police Bust Nigerian Racket Scam Chapters 1 and 9
Cyber security_Chapter 11.indd 605 2011-03-25 10:34:39 AM
606 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
11.2.1 Example 1: Ofcial Website of Maharashtra Government Hacked
Website hacking was addressed in Chapter 1 (Box 1.4, Figs. 1.6, 1.9 and 1.10). Tis is an incidence
reported in September 2007. Te impacted website was http://www.maharashtragovernment.in. A few days
after the Chief Minister of the state inaugurated the new, citizen-friendly service-based web portal of the
Brihanmumbai Municipal Corporation, the Maharashtra governments o cial website was hacked which
lead to the shutting down of www.maharashtra.gov. Te state o cials, however, said that there was no data
lost and that there was no serious damage to the website. State O cials further stated that the website gets
updated daily with information on various government regulations and decisions, and supports links to
all government departments. However, IT experts had to restore the o cial website of the government of
Maharashtra, having succumbed to the attack by the hacker.
As per reports, the site was attacked early in the morning by a person or a group proclaimed as cool-
hacker. Te hacker left an imprint of a hand on the hacked website (see Fig. 11.2). Te states information
and technology department came to know about the incident next day morning. Tey immediately blocked
all access to the website. Te IT department has lodged an FIR (First Information Report) with the police in
an attempt to trace the culprit.
Joint commissioner of police, in his o cial remark, stated that the states IT o cials lodged a formal
complaint with the cybercrime branch police following this incidence. He expressed condence that the
hackers would be tracked down. Te Commissioner also mentioned that the hacker had posted some
Arabic content on the site. According to sources, hackers were suspected to be from Washington. IT
experts gave to understand that the hackers had identied themselves as Hackers Cool Al-Jazeera and
claimed they were based in Saudi Arabia. O cials further added that this might be a red herring to throw
Figure 11.2
|
Maharashtra state website hacked.
(source: http://sunnytalkstech.blogspot.com/2007/09/mpsc-website-defaced.html 22 July 2010).
Cyber security_Chapter 11.indd 606 2011-03-25 10:34:39 AM
Cybercrime: Illustrations, Examples and Mini-Cases 607
investigators o their trail. For those who are not familiar with the term red herring, it refers to the
tactic of diverting attention away from an item of signicance.
Te State Government website contained detailed information about government departments, circulars,
reports and several other topics. IT experts, who were assigned to work on restoration of the website, told Arab
News that they feared that the hackers may have destroyed all of the websites contents. Te worrisome part
was that according to a senior o cial from the State Governments IT department, the o cial website has been
aected by viruses on several occasions in the past, but was never hacked. Te o cial added that the website
had no rewall. However, state o cials denied there being any data loss or any serious damage to the website.
Te o cials said that the hacker could only manage to damage the homepage.
Point to note here is that the website was hacked for the second time in the past two weeks, the fourth
time since July 2007. Te previous attack took place on 5 September 2007. Tis incidence of repeated attack
on the website underscores the need for security measures being in place (intrusion detection system IDS,
intrusion prevention system IPS and rewalls).
11.2.2 Example 2: E-Mail Spoong Instances
E-Mail bombing was mentioned in Chapter 1 (Section 1.5.16) and explained further in Chapter 4
(Table 4.11). Tis is an example of that. An American teenager made millions of dollars by spreading false
information about certain companies whose shares he had short sold. Tis misleading information was
spread by sending spoofed E-Mails purportedly from news agencies like Reuters, to share brokers and inves-
tors who were informed that the companies were doing very badly. Even after the truth emerged, the values
of the shares could not be restored to the earlier levels. Tis resulted in thousands of investors losing a lot of
money. Tis can be considered as a cybercrime against an organization because the impacted organization
was the one about whom false information was spread.
Tere is another example of E-Mail Spoong incident in India. A branch of the Global Trust Bank expe-
rienced a customer run-down on the bank owing to a certain rumour spread about the bank not doing well
nancially. Under panic, many customers decided to withdraw all their money and close their accounts.
It was revealed later that someone had sent out spoofed E-Mails to many of the banks customers announc-
ing that the bank was in a very bad shape nancially and could close operations any time. In the next few
days, unfortunately, this information turned out to be true. So, can we say that this instance of E-Mail
Spoong saved many customers?
Another shocking example of the E-Mail Spoong involves a former executive from a well-known com-
pany in the state of Gujarat. Te executive faked himself to be a lady by adopting a false name. He then
created a fake E-Mail ID. Using that ID, the executive contacted a businessman based in the Middle East.
Te executive posing as a woman then went into a long cybercourting relationship with the Middle East
businessman. During this cyberdating, the executive used to send many emotional blackmailing mes-
sages to the businessman. One such message threatened the businessman that if he ended this relationship,
she (i.e., the executive posing as a woman) would end her life! What is worse, the executive gave another
womans E-Mail ID to the businessman. Tis too was a non-existent address. When the Middle East busi-
nessman sent a mail at that ID, he was shocked to learn that the executive (who presented himself as a
woman) had died and that now the police was searching him as the suspect in that death case! Using this
trap and trick the executive exhorted from the businessman several hundred thousands of Indian Rupees
threatening that the businessman would get exposed if he did not part with that money. Te executive also
sent E-Mails to him from dierent E-Mail IDs making the poor businessman believe that they were mails
from high court and police o cials. All this was done to extract more money from the gullible businessman.
Finally, businessman ew to India to lodge a case with the Police. Internet users indeed enjoy anonymity
and can get away with many things recall Fig. 1.5 in Chapter 1.
Cyber security_Chapter 11.indd 607 2011-03-25 10:34:39 AM
608 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
11.2.3 Example 3: E-Mail Bombing Involving a Foreigner
E-Mail bombing is explained in Chapter 1; this example brings out an instance based on that. A foreigner
had been residing in Shimla, India for almost 30 years. He wanted to avail a scheme that was introduced by
the Shimla Housing Board to buy land at lower rates. His application, however, was rejected on the grounds
that the scheme was available only to Indian citizens. Feeling furious, the foreigner decided to take revenge.
He transmitted thousands of mails to the Simla Housing Board. He did not stop there. He kept on sending
E-Mails till their servers crashed. An interesting question is which law of the land would have been used for
ling a case against this non-Indian person.
11.2.4 Example 4: I Love You Melissa Come Meet Me on the Internet
Tis example involved the VBS_LOVELETTER virus - also known as the Love Bug or the ILOVEYOU
virus. It is said to be written by a Filipino undergraduate. In May 2000, it was proven that this virus is
deadlier than the Melissa virus and it became the worlds most prevalent virus. It impacted one in every ve
personal computers in the world. When the virus was brought under control, the true magnitude of the
losses was unbelievable. Te attack from this virus caused losses to the tune of almost US$ 10 billion.
It is interesting to see how the virus works. Te original VBS_LOVELETTER thrived on the addresses in
Microsoft Outlook. It utilized that address book and E-Mailed itself to those addresses. Te E-Mail, which
was sent out, had ILOVEYOU in its subject line. Te attachment le was named LOVE-LETTER-
FORYOU. TXT.vbs. Even with such dubious sounding subject line, even those who had some knowledge
of viruses did not notice the tiny .vbs extension. People believed the le to be a text le and this mail also
fooled people who are wary of opening E-Mail attachments. Te message in the E-Mail read as follows:
Kindly check the attached LOVELETTER coming from me.
Since the initial outbreak, over 30 variants of the virus have been developed, many of them following the
original by just a few weeks. Te Love Bug propagates itself using the Internet Relay Chat (IRC). It E-Mails
itself to users in the same channel as the infected user. However, unlike the Melissa virus this virus does have a
destructive eect. Te Melissa virus, once installed, merely inserts some text into the aected documents at
a particular instant during the day. On the other hand, VBS_LOVELETTER rst selects certain les and
then inserts its own code in lieu of the original data contained in the le. Tus, it succeeds in creating ever-
increasing versions of itself, that is, self-propagation mode. Te worlds most famous worm probably was the
Internet worm let loose on the Internet sometime in 1988 by Robert Morris. At that time, the Internet was
in its early formative and developing years. Te Internet worm aected thousands of computers and almost
brought Internet development to a complete halt. It took a team of experts several days to get rid of the
Internet worm and in the meantime many of the computers had to be disconnected from the network.
11.2.5 Example 5: The Piranhas Tragedy with Children
Web Jacking is explained in Section 1.5.8 of Chapter 1. Tis incident was reported in the US. Tere was a
hobby website for children. Te owner of the site received an E-Mail informing her that a group of hackers
had gained control over her website. Tey demanded a ransom of one million dollars from her. Te owner
was a school teacher. She did not pay due attention to that (threatening) mail because she did not think it
was serious. She thought it was just a scare tactic and so she simply ignored the E-Mail. After about three
days, she started getting several telephone calls from almost all over the country and then she came to
know that the hackers had really web jacked her website. Te hackers had altered a portion of the website
which was entitled How to have fun with goldsh. Tey had replaced the word goldsh with the word
piranhas. Piranhas are tiny but extremely dangerous esh-eating sh! It was sad because, the fatal result of
Cyber security_Chapter 11.indd 608 2011-03-25 10:34:39 AM
Cybercrime: Illustrations, Examples and Mini-Cases 609
this apparently minor sounding nd-and-replace cyberprank was terrible. Many children who visited the
popular website believed what the contents of the website suggested. Tese unfortunate children did not
realize what would be in their fate. Tey followed the instructions to try playing with piranhas, which they
bought from pet shops and were very seriously injured!
11.2.6 Example 6: Doodle me Diddle!
Data Diddling technique was addressed in Chapter 1; this is a real-life example of that. Indian Electricity
Boards suered as victims of data diddling. Such programs got inserted when private parties were computer-
izing their systems. Te NDMC Electricity Billing Fraud Case in 1996 is a typical example. Te computer
network was used for preparing receipts and for keeping the accounts of electricity bills by the NDMC,
Delhi. Money collection, computerized accounting, record maintenance and remittance in the bank were
outsourced to a private contractor who was a computer professional. He misappropriated vast amount of
money by manipulating data les to show less receipt and bank remittance. As we know, this kind of attack
involves altering raw data just before it is processed by a computer and then changing it back after the
processing is completed.
11.2.7 Example 7: Ring-Ring Telephone Ring Chatting Sessions Turn
Dangerous
Cyberstalking was mentioned in Chapter 1 and explained in Chapter 2 (Section 2.4). Here is a real-life
example of that crime which was registered with Delhi police. Stalking is dened as pursuing stealthily.
As we learned, cyberstalking means following a persons activities, that is, a persons navigation across the
Internet by posting messages (sometimes even threatening messages) on the bulletin boards that are visited
by the victims, entering the chat rooms frequented by the victim, constantly bombarding the victim with
E-Mails, etc. Richa Sharma was the rst lady to register a cyberstalking case. Her husbands friend pro-
vided her a telephone number in the general chat room. Some websites do provide general chatting facility
(e.g., websites like MIRC and ICQ) where a person can easily chat without revealing his/her true identity.
Te friend of Ms. Sharmas husband also encouraged chatters to speak in profane language to Ms. Sharma.
As a result, Ms. Sharma received more than 30 calls in 3 days and many chatters contacted her. Almost all of
the calls were made to her at odd hours from all over India and a few of the calls came in from outside India
too. Tis created havoc in the personal life of Ms. Sharma and caused her much mental stress. She got fed-up
with these calls and chat drama and complained to the police against a person who she felt was using her
identity to chat over the Internet at the website www.mirc.com. In her complaint, Ms. Sharma mentioned
that the person was chatting on the Net using her ID and also complained about the obscene language used
by that person while chatting with her. Ms. Sharma, further complained that the same person was deliber-
ately giving her telephone number to other chatters, asking them to call her at odd hours.
11.2.8 Example 8: Young Ladys Privacy Impacted
We have explained about Trojan, viruses and other malware in Chapters 24. We should be careful, else untow-
ard things can happen as illustrated by this example. A young magazine journalist in Mumbai was working
on an article about online relationships. Te article was about how people can easily nd friendship and even
love companions on the Internet. During the tenure of her research work, she happened to make a lot of
online friends. One of these friends (ill-minded, unfortunately for the young lady) managed to infect her
computer with a Trojan. Te young journalist lady lived in a small, one-bedroom apartment and her computer
Cyber security_Chapter 11.indd 609 2011-03-28 3:58:59 PM
610 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
was located in a corner of her bedroom. She had the habit of never powering o her computer. Unknown
to her, the Trojan would activate her web camera and microphone even when the Internet was switched o.
A year later she realized that hundreds of her private pictures were posted on pornographic sites around the
world! Her anc broke the engagement and the young lady was thrown into suicidal depression.
11.2.9 Example 9: Job Racket Exposed by Mumbai City Cybercrime Cell
Smishing is explained in Section 3.8.5 in Chapter 3. Tis example illustrates how cybercriminals use Smishing
to cheat people. Tis case happened in the year 2009. Himesh Kapadia, aged 26 years, received an SMS
oering him a job in Marriot Hotel. Himesh, in response, eagerly mailed his resume. He also deposited over
` 1.7 lakhs (` 1,70,000) as per the instruction of a person who claimed to be a London diplomat. Himesh
grew suspicious when he was asked for additional money and nally approached the cybercrime cells of the
Mumbai Police. Te investigations resulted in the arrest of a couple and ve Nigerians allegedly involved
in cheating people by promising them housekeeping jobs in Marriot Hotel, London. While the Nigerians,
posing as London diplomats, would send SMSs and E-Mails oering jobs in the hotel, the couple operated
the bank accounts.
As Himesh recalls, in September 2009, he began exchanging mails with James Richard who claimed
to be a London diplomat. He had asked Himesh to pay diering sums of money. Even after paying over
` 1.7 lakhs (` 1,70,000) he continued to exhort more money from Himesh. Te police directed the bank
authorities to block the account holders ATM facilities. In last week of November 2009, the bank informed
the police that a couple approached the bank to withdraw money from the account. Mumbai Police arrested
the couple and later the Nigerians who came looking for them to collect the money.
11.2.10 Example 10: Indian Banks Lose Millions of Rupees
Numerous types of cybercrimes were mentioned in Chapter 1; frauds using the Internet are some of them.
Tis is a real-life example showing the techniques used by cybercriminals. Banks across the country lost
` 6.57 crore (` 6,57,00,000) to Internet frauds in 233 incidents of cybercrime, with Tamil Nadu topping
the list in last scal year. ` 2.09 crore (` 2,09,00,000) has been lost by various banks in the Indian
state of Tamil Nadu in seven cases reported between April and December 2008. Te lending institu-
tions in Maharashtra had reported the highest number of incidents, 23 in all. Tey lost ` 55.54 lakhs
(` 55,54,000) to online fraudulent practices. Tis was revealed by the erstwhile Minister of State for Home
told the Lok Sabha in February 2009.
Te banks in other Indian states Andhra Pradesh, Rajasthan and West Bengal lost ` 89.93 lakhs
(` 89,93,000), ` 64.29 lakhs (` 64,29,000) and ` 35.72 lakhs (` 35,72,000), respectively, while Kerala
and Delhi lost ` 17.60 (` 17,60,000) and ` 10.90 lakhs (` 10,90,000), respectively, owing to cyberfrauds.
A total of 11 cases of Internet frauds were reported from Andhra Pradesh, 8 from Delhi, 7 from Tamil Nadu,
6 from Karnataka and 5 from West Bengal during the said period. Surprisingly, banks in Bihar, Goa and
Jharkhand did not lose a single penny to such activities and no case was reported from any of these states.
Te Minister presented a state-wise list of number of incidents of Internet frauds that includes cases of
fraudulent withdrawal of money from banks through Internet/online banking, as reported by the banks
to the Reserve Bank of India. According to a data updated till 2007, out of the total 355 people arrested
across the country, a maximum 156 people were arrested in Madhya Pradesh in connection with cheating-
related cases under IT Act Fraud digital signature (Section 64) and Breach of Condentiality/Privacy
(Section 72) and IPC Crime (Forgery and Criminal Breach of Trust/Fraud). Te highest numbers of
cases, 153, were also registered in Madhya Pradesh for forgery and Criminal Breach of Trust/Fraud out
Cyber security_Chapter 11.indd 610 2011-03-25 10:34:40 AM
Cybercrime: Illustrations, Examples and Mini-Cases 611
of the total of 302 cases in the said period. Similarly, a total of 41 incidents 38 under IPC crime and 3
under IT Act were reported in Chhattisgarh for cyberfrauds and 75 persons 72 under IPC crime and
3 under IT Act were arrested. A total of 59 people were also arrested in Andhra Pradesh, 36 in Punjab,
16 in Andaman and Nicobar Island and 4 in Delhi in connection with cheating-related incidents in 2007.
Te amount lost to cyberfrauds during April 2007 and March 2008 were ` 5.58 crore (` 5,58,00,000) and
374 people were arrested in this connection.
11.2.11 Example 11: Innity E-Search BPO Case
Tis case brings to the fore the emerging threat arising from sale of personal information. We learn here
that the denition of sensitive personal information is very important for organizations to be clear on what
they wish to protect from theft. Tis is especially important for the BPO (business process outsourcing)
or ganizations to whom the clients entrust their condential data.
A fraud discovered at a Gurgaon-based BPO created an embarrassing situation for Innity E-Search, the
company in which Mr. Kapoor was employed. A British newspaper reported that one of its reporters had
covertly purchased personal information of 1,000 British customers from an Indian call-center employee.
However, Mr. Kapoor, the employee of Innity E-Search (a New Delhi-based web designing company) was
reportedly involved in the case, denied any wrong-doing. Te company also said that it had nothing to do
with the incident.
It so happened in this case that the journalist used an agent, oered a job, requested for a presentation
on a CD and later claimed that the CD contained some condential data. Te fact that the CD contained
such data was itself not substantiated by the journalist. In this kind of a situation we can only say that the
journalist used bribery to induce an out of normal behavior of an employee. Tis is not observation of a
fact but creating a factual incident by intervention.
This example breaks the misconception that BPOs in India are not covered under the Information
Technology Act and Amendments thereof.
BPOs in India, irrespective whether captive/independent/subsidiary, irrespective whether inbound/
outbound, are covered under the Indian IT Act. Indian BPO organizations must understand this: As per
Indian IT Act, every business process outsourcing (BPO) organization is an INTERMEDIARY Section
1 (2w) of the Act denes Intermediary. Indian BPOs must take cognizance of Sections 43A (Compensation
for failure to protect data), 67C (Preservation and retention of information by intermediaries), 69B (Power to
authorize to monitor and collect tra c data or information through any computer resource for cyber security), 70B
(Indian Computer Emergency Response Team to serve as national agency for incident response), 72A (Punishment
for disclosure of information in breach of lawful contract), 79 (Exemption from liability of intermediary in certain
cases) and 85 (Oences by companies) of the Indian IT Act.
BPOs with respect to any particular electronic records, means any person who on behalf of another
person receives, stores or transmits that record or provides any service with respect to that record
can be classied as intermediaries. This is according to Section 2(1)(w) of the Indian IT Act.
Cyber security_Chapter 11.indd 611 2011-03-25 10:34:40 AM
612 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
11.2.12 Example 12: Charged for Computer Intrusion
Computer network intrusion was explained in Chapter 1 (Section 1.5.18); this example is related to that.
Te story of this incident was released in 4 November 2009. Scott R. Burgess, aged 45, Jasper, Indiana, and
Walter D. Puckett, aged 39, Williamstown, Kentucky, were indicted for computer intrusion. Tis was
announced by Timothy M. Morrison, US Attorney, Southern District of Indiana, after an inquiry by the
Federal Bureau of Investigation (FBI) and the Indiana State Police.
It is alleged that Burgess and Puckett accessed the Stens Corporation computer systems, based in
Jasper, Indiana, from various places on approximately 12 dierent occasions without authorization. It was
f urther alleged that the computer intrusions were performed for the purpose of gaining commercial and
p ersonal nancial benets. Furthermore, it was alleged that Burgess and Puckett were working for a business
competitor of Stens at the time of the intrusions.
A maximum of 5 years imprisonment with $250,000 ne is what Burgess and Puckett had to face.
An initial hearing was scheduled before a US Magistrate Judge. However, an indictment was only a charge
and is not an evidence of guilt. A defendant was presumed innocent and was entitled to a fair trial at which
the government must prove guilt beyond a reasonable doubt.
11.2.13 Example 13: Small Shavings for Big Gains!
Tis incident, involving a Salami attack-like technique, was published on 17 September 2009. Michael
Largent, aged 22, resident of Plumas Lake area, was sentenced to 15 months in prison and compensation of
over $200,000. Tis was the punishment given by the US District Judge Morrison C. England Jr. for fraud
and related activity in connection with computers. After release from prison, Largent also had to face 3 years
of strict restrictions due to illegal use of computers and the Internet. Tis case was jointly investigated by
US Secret Service and the FBI. Te US Attorneys O ce for the Northern District of California, San Jose
Division, also assisted with this case.
Te case was prosecuted during the period November 2007 through May 2008. Te prosecution was
done by the Assistant US Attorney Matthew D. Segal, who worked as prosecutor in the o ces Computer
Hacking and Intellectual Property (CHIP) unit. According to Attorney Mathew, the accused Michael
Largent developed a computer program allowing him to defraud a few companies such as E-Trade,
Charles Schwab & Co. and Google by opening or attempting to open more than 58,000 brokerage
accounts. He did this to steal the micro-deposits. Michael knew that a nancial institution make a
micro-deposit when an account is opened to test the functionality of an account. Te amounts deposited in
this case were in the range $0.01 to $2.00.
To cover his identity, Michael Largent used false names, addresses, drivers license numbers and
social security numbers, including the names of known cartoon and comic book characters to open the
accounts. When the deposits took place, he would divert the funds into his own bank accounts or onto
prepaid debit cards, without the authorization or knowledge of his victims. As a result, Michael Largent
fraudulently obtained or attempted to obtain tens of thousands of dollars which he used for personal
expenses.
Two organizations, namely, E*TRADE (E-Trade Financial Corporation) and Charles Schwab & Co.
Inc., in parallel notied the law enforcement agency when they detected the fraud. Assistant US Attorney
Robin R. Taylor, also of the CHIP unit, brought the criminal complaint and the indictment in this case
in May 2008 and Segal took over in January 2009. In sentencing, Judge England observed that Michael
Largents scheme took some sophistication, and wondered why he had not used his skills and talents in a
lawful way.
Cyber security_Chapter 11.indd 612 2011-03-25 10:34:40 AM
Cybercrime: Illustrations, Examples and Mini-Cases 613
11.2.14 Example 14: Man Goes Behind Bars for Computer Fraud Offense
Here is another example similar to the previous one (Example 13). Tis example shows the hazards of
not monitoring remote access permissions and the consequences of perhaps too much faith placed in the
in siders with a naive belief that the insiders would never bring harm to their organizations (remember
the discussion in Chapter 9). Te ill use of administrator account and password also comes to the fore. Tere
are tremendous learning implications for organizational information security practices. Noteworthy is the
nature of punishment given to the guilty thereby creating an opportunity for remorse and also to morally
guide others to avoid his wrong-doing. Read on for further details on this case.
Jerey H. Sloman, US Acting Attorney for the Southern District of Florida, and Jonathan
I. Solomon, Special Agent in Charge (from FBI, Miami Field O ce) announced that defendant, Lesmany
Nunez, on 14 July 2009, was sentenced by Chief US District Judge Federico A. Moreno to 12 months and 1
day imprisonment after pleading guilty to computer fraud, in violation of Title 18, United States Code, Section
1030(a)(5)(A)(ii). Upon his release from prison, Nunez was ordered to serve 3 years of supervised release,
with a special condition that he performs 100 hours of community service by lecturing young people on the
implications of hacking into other peoples computers and networks. Nunez was also ordered to pay $31,560
in restitution.
As per the facts revealed during in-court statements, Nunez, aged 30, was a former computer s upport
technician at Quantum Technology Partners (QTP), located in Miami-Dade County. QTP provides ser-
vices such as data storage, E-Mail communication and scheduling for their client companies. Late Saturday
night, Nunez remotely accessed QTPs network without authorization, using an admini strator account and
password. He rst changed the passwords of all of the IT system administrators and then he shut down
almost all of the QTP servers. What is more, Nunez also deleted les. Had he not done that, it would have
been possible to re-install the data from backup tapes much easily and in less time. As a result of Nunezs
malformed acts, QTP and their clients could not perform their normal business functions for a number of
days, suering a tremendous business loss.
As a result of the unauthorized access to the system and the deletion of data, QTP suered over $30,000 in
damages. Tis included the cost of responding to the oense; conducting a damage assessment; restoring the
data, system and information to their previous condition; and other costs incurred due to the interruption
of network services. Trough forensics investigations, Nunez was identied as the perpetrator. Investigators
found that the activity on QTPs computer could be traced to his home network. Additional evidence was
also found subsequently when they performed a search of his computer.
Source: www.cybercrime.gov; posted on 14 July 2009.
11.2.15 Example 15: Justice vs. Justice Software Developer
Arrested for Launching Website Attacks
Denial-of-service attack (DoS) was mentioned in Chapters 1 and 2. It is explained in Chapter 4 (Section
4.9). Hacking and website defacement were addressed in Section 1.5.11 of Chapter 1. Screen shots of
hacked websites were presented in Figs. 1.61.10. Tis real-life example shows the crime by a young software
engineer who launched a series of denial-of-service attacks on various websites. It shows what misled/
confused youth can do and in turn, how they become cybercriminals by embracing false motives. It is a
reection of rapidly changing values in our society. Forensics comes the fore in the example.
Bruce Raisley, aged 47, was a software developer from Monaca, Pennsylvania, when he was charged with
the oense of computer fraud and abuse. He quietly surrendered to the FBI on 1 July 2009. More specically,
Bruce was charged with the unauthorized access of protected computers with the intention of causing denial-of-service
Cyber security_Chapter 11.indd 613 2011-03-28 3:59:43 PM
614 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
and/or losses to the websites. A number of websites were impacted among them were, RollingStone.com
and the website of Rick A. Ross Institute of New Jersey (Rick Ross Institute), based in Hudson County, NJ,
who run the Internet archive service for the study of destructive cults, controversial groups and movement
and Perverted Justice, a Portland, Oregon-based organization (operated by X. E.). Perverted Justice is an
organization that seeks to identify and expose pedophiles and sexual predators targeting minors.
Around 2004, Bruce had volunteered for Perverted Justice. Perverted-Justice.com. mentioned before,
is a loosely organized group of computer gamers, students and the occasional well-meaning but misguided
reactionary who claimed that their primary purpose was to bring about the complete destruction of the
lives of anyone they believe is guilty of chatting with one of their baiters. Teir baiters troll Internet
chat rooms pretending to be young teen-aged girls in the hopes of entrapping men into sexually suggestive
conversations. Once targeted, members of Perverted Justice organization search the Internet for all avail-
able information to publicly identify the target, along with complete information about the target the
family, targets employer, friends, associates, neighbors, etc. Next, they launch a brutal harassment campaign
against anyone listed on their site via phone calls, Internet messages, E-Mails, neighborhood yers, etc.
Another impacted organization was Corrupted-Justice.com a civil rights advocacy organization. It is a
group of like-minded people who are dedicated to bringing about an end, using legal means, to the harass-
ment and terrorism being perpetrated by the vigilante group. In this case, host of attacks were mounted on
Corrupted Justice, an organization whose stated purpose is claimed to educate the public on the actions
of various purported cybervigilante groups, including perverted Justice. In year 2006 or around that time,
Bruce had become a member of Corrupted Justice, after becoming disenchanted with Perverted Justice!
According to the criminal complaints received, in September 2006 and July 2007, Radar Magazine and
the Rolling Stone published two separate articles (Strange Bedfellows and To Catch a Predator: Te New
American Witch Hunt for Dangerous Pedophiles). Both articles presented positive and negative views on
the activities conducted by Perverted Justice and its volunteers. Te articles described what was termed as
questionable tactics by Perverted Justice to silence critics. One of these tactics was an episode between X.E.
and Bruce. In or about 2007, Strange Bedfellows was reprinted on numerous websites.
Around 25 September 2007, the Rick Ross Institute experienced a distributed denial-of-Service (DDoS)
attack. One of the attacking computers was found to be that of the Academic and Research Network of
Slovenia (ARNES). Upon examination, they found a malicious program on their network. Around
20 November 2007, the Slovenian Computer Emergency Response Team (SI-CERT) further determined
that the DDOS program downloaded instructions from two locations, dosdragon.com and n9zle.com.
Tese l ocations instructed the program to repeatedly target the victim websites.
Victim Rolling Stone was subjected to multiple DDOS attacks directed specically at the webpage which
hosted Te New American Witch Hunt. During the height of the DDOS attacks, the page requests for
the article escalated from a few requests per day to millions of page requests per day, causing the web-
site to experience signicant slowdown. On 7 March 2008, the US Computer Emergency Response Team
(US-CERT) conrmed SI-CERTs ndings. On 16 January 2008 and 8 February 2008, Internet Service
Provide records showed that Bruce controlled both command and control systems.
Corrupted Justice was the victim of a similar attack on 25 July 2007. As a result of this particular attack,
their website was shut down for 4 days. Tey were attacked again on or about 2 November 2007 and on or
about 10 March 2008, resulting in additional 7 days without service. As per the complaint lodged, Bruce
had contacted Corrupted Justice to show o that he had again taken down their servers. Te complaint
also states that Bruce told Corrupted Justice that he unleashed a virus that could never be stopped, that
[Corrupted Justice] could kiss goodbye to their website because nothing could protect their servers against
this attack. During a search of his home on 27 March 2008, Bruce admitted to contacting both Rick Ross
Institute and Corrupted Justice, asking them to take the articles o from their websites. Additionally, Bruce
Cyber security_Chapter 11.indd 614 2011-03-25 10:34:40 AM
Cybercrime: Illustrations, Examples and Mini-Cases 615
stated that he wrote the programs on a memory stick it was seized by FBI as part of the search. Bruce
also admitted that he used these programs to attack the Perverted Justice, Corrupted Justice and Rick Ross
Institute websites. A forensics review of the seized electronic media conrmed that it contained copies of
programs used in conjunction with the DDoS attack.
Tis case was prosecuted in the District of New Jersey. Bruce was scheduled for an initial appearance on
1 July 2009 before the Honorable Patty Schwartz, US Magistrate. Upon being convicted, Bruce received a
maximum of up to 10 years imprisonment along with the ne of $250,000. As would be known to readers/
students well-versed with law, criminal complaint is merely an accusation. Despite this accusation, every
defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt. Special Agent
in charge of this case stated that in this situation, this type of cyberbullying (the term was introduced in
Chapter 2, Box 2.8) was used as a way to silence the media and deny them of their constitutional rights to
the freedom of press. Te Agent further stated that cyberbullying is not acceptable. He thanked all the
team members involved for a job well done. Tis real-life example shows that technology works both ways
and the criminal will get caught.
Source: http://www.cybercrime.gov; posted on 1 July 2009.
11.2.16 Example 16: CAN-SPAM Act Violation through E-Mail Stock Fraud
Spamming is explained in Chapter 1 (Section 1.5 and Box 1.5). Anti-Spam Laws in Canada are explained
in Section 6.2.3 of Chapter 6. Here is a real life happening on that. Tis example involves the CAN-SPAM
Act for those who are not aware of it, refer to the links about this Act in Ref. #30, Additional Useful Web
References, Further Reading. Te full form of CAN-SPAM Act is Controlling the Assault of Non-Solicited
Pornography And Marketing Act of 2003. Five individuals pleaded guilty on 23 June 2009 in the federal
court in Detroit for their involvement in a wide-ranging international stock fraud scheme that had the illegal
use of bulk commercial E-Mails or spamming. Considering the advanced age of one of the fraudsters in
this example, we can say that just like cybercrime knows no national boundaries, criminals seem to have no
heed to their age!
Alan M. Ralsky, aged 64, and Scott K. Bradley, aged 38; both pleaded guilty to conspiring to commit
wire fraud, mail fraud and of violating the CAN-SPAM Act. Tis act denes a commercial electronic mail
message as any electronic mail message the primary purpose of which is the commercial advertisement
or promotion of a commercial product or service (including content on an Internet website operated for a
commercial purpose). It exempts transactional or relationship messages. Ralsky and Bradley also pleaded
guilty to wire fraud and money laundering apart from the violation of CAN-SPAM Act. Under the
terms of his plea agreement, Ralsky acknowledged facing up to 87 months in prison and a $1 million ne
under the federal sentencing guidelines while Bradley acknowledged facing up to 78 months in prison and a
$1 million ne under the federal sentencing guidelines.
For some time, Alan Ralsky was the worlds most notorious illegal spammer. In fact he was the self-
proclaimed Godfather of Spam. Today Ralsky, his son-in-law Scott Bradley and three of their co-conspirators
stand convicted for their roles in running an international spamming operation that sent billions of illegal
E-Mail advertisements to pump up Chinese penny stocks and then reap prots by causing trades in these
same stocks while others bought at the inated prices. Using the Internet to manipulate the stock market
through Spam E-Mail campaigns is a serious crime. Tis case shows that federal law enforcement has the
both the capability and the will to successfully investigate, prosecute and punish such cybercrimes.
Te CAN-SPAM Act was passed by Congress in 2003 to address Spam E-Mails. Te Act has certain
provisions (criminal provisions) to prohibit falsication of certain information used in E-Mail transmission.
John S. Bown, 45, of Fresno, California, pleaded guilty to conspiracy to commit wire fraud, mail fraud and
Cyber security_Chapter 11.indd 615 2011-03-25 10:34:40 AM
616 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
to violate the CAN-SPAM Act. He also pleaded guilty to conspiring to commit computer fraud by creating a
Botnet and violating the CAN-SPAM Act. A Botnet is a network of computers that have been infected by
malicious software. Under the terms of his plea agreement, Bown acknowledges he is facing up to 63 months
in prison and a $75,000 ne under the federal sentencing guidelines.
Yet another person, William C. Neil, aged 46, of Fresno, admitted that he had conspired to violate the
CAN-SPAM Act. Under the terms of his plea agreement, Neil acknowledged facing up to 37 months in
prison and a $30,000 ne under the federal sentencing guidelines. James E. Fite, aged 36, of Culver City,
California, pleaded guilty to conspiracy to commit wire fraud, mail fraud and to violate the CAN-SPAM
Act. Apart from this, he also pleaded guilty of making false statements to FBI agents. Under the terms of his
plea agreement, Fite acknowledged that he was to face up to 2 years in prison and a $30,000 ne under the
federal sentencing guidelines. Finally, Spam King Alan Ralsky got 4 years in jail.
Assistant Attorney General said We will not allow criminals to use E-Mail as a conduit for fraud. Tis
prosecution, the Departments largest to date under the CAN-SPAM Act, underscores our strong and stead-
fast commitment to ridding our nancial markets and cyberspace of E-Fraudsters looking to prey on inno-
cent victims. Special Agent in Charge mentioned that cybercrime investigations are a top priority of the
FBI who is known to aggressively investigate those individuals who exploit computers for committing vari-
ous crimes. In todays aggressive international business world, there will always be a select few who illegally
manipulate the system for their own prot. According to Special Agent in Charge, Internal Revenue Service
Criminal Investigation (IRS-CI), they, that is, IRS CI, diligently follows the money frauds and assists in the
seizure and penalty for any illegal gains from their illegal business practices.
According to court records, from January 2004 through September 2005, Ralsky, Bradley, Judy Devenow,
Bown, William Neil, Anki Neil, James Bragg, Fite, Peter Severa, Wai John Hui, Francis Tribble, and others
engaged in a related set of conspiracies designed to use Spam E-Mails to manipulate thinly traded stocks
and prot by trading in those stocks once their share prices increased after recipients of the Spam E-Mails
traded in the stocks being promoted. Te defendants were indicted in the Eastern District of Michigan in
December 2007.
Ralsky served as the Chief Executive O cer and primary deal maker for the Spam E-Mail operation.
Bradley, Ralskys son-in-law, served as the Chief Financial O cer and Director of operations for the Spam
E-Mail operation. Bown, who was Chief Executive O cer of an Internet services company called GDC
Layer One, served as the Chief Technology O cer for the Spam E-Mail operation. William Neil, who was
an employee of GDC Layer One, built and maintained a computer network used to transmit Spam E-Mails
as part of the conspiracy. Fite was a contract spammer who hired others to send Spam E-Mails as part of the
conspiracy. Devenow, Hui and Tribble previously pleaded guilty for their roles in the conspiracy.
Devenow managed the Spam E-Mail operation and also sent Spam E-Mails. Tribble took charge of
p lanning and directing the stock trading to further the conspiracy. Hui, CEO of China World Trade, served
as the lead dealmaker to represent the companies whose stocks were being promoted via Spam E-Mail.
Court documents revealed that many of the Spam E-Mails promoted thinly traded pink sheet stocks for
US companies owned and controlled by individuals in Hong Kong and China. Te Spam E-Mails contained
signicantly false and deceptive information or omissions. Tose E-Mails were created and sent using some
peculiar software programs to make it di cult to trace them back to the conspirators. According to the
indictment, the conspirators used wire communications, the US mail and common carriers to further their
frauds. Te conspirators also participated in money laundering involving millions of dollars generated
by their manipulative stock trading.
Te defendants were indicted to have used several illegal methods in order to maximize the amount of
Spam that evaded Spam-blocking devices and tricked recipients into opening, and acting on, the advertise-
ments in the Spam. Tese included using falsied headers in the E-Mail messages, using proxy computers to
Cyber security_Chapter 11.indd 616 2011-03-25 10:34:40 AM
Cybercrime: Illustrations, Examples and Mini-Cases 617
relay the Spam, using falsely registered domain names to send the Spam, and also making mis representations
in the advertising content of some of the underlying E-Mail messages. An accusation is merely an indictment
and defendants are presumed innocent until and unless proven culpable at trial beyond a reasonable doubt.
Te charges arose after a 3-year investigation, led by the FBI with assistance from the US Postal Inspection
Service and IRS-CI exposed a sophisticated and widespread spamming operation. Te case is being pros-
ecuted by US Attorney Terrence Berg and Trial Attorneys Tomas Dukes and Mona Sedky Spivack of the
Criminal Divisions Computer Crime and Intellectual Property Section.
Source: www.usdoj.gov
11.2.17 Example 17: Business Liability through Misuse of Organizations
Information Processing Assets
In Chapter 2, Box 2.7 explains how criminals can create false E-Mail IDs. Tis example is a real-life scenario
of that. In one bank, a management trainee of the bank was engaged with a girl working in the same bank.
Tey were to get married in due course of time. During the post-engagement period, the couple exchanged
many E-Mails; however, the boy and the girl used to write the mails during work hours using the company
computers. Unfortunately, after some time the relationship went sore and the two broke up. Te girl created
fraudulent E-Mail IDs such as indianbarassociations. She used that ID to send E-Mails to the boys foreign
clients. Te girl used the banks computer for sending these mails. Te mails had negative publicity about the
bank. Te boy lost a large number of clients assigned in his portfolio. Moreover, those clients sued the bank.
Te bank was held accountable for the E-Mails sent using the banks system. Tis small example is a lesson
organizations must have well-established computing guidelines (this is addressed in Chapter 9 Section 9.8)
and strict vigilance on how organizations computing and communication facilities are being used.
11.2.18 Example 18: Parliament Attack
Forensics fundamentals were introduced in Chapter 7; this example illustrates the scenario in which it
was used. Bureau of Police Research and Development (BPRD) at Hyderabad handled some of the top
cybercases. One such case involved analyzing and retrieving information from the laptop recovered from
terrorists, who attacked the Parliament. Te laptop was seized from the two terrorists, who were gunned
down when Parliament was under siege on 13 December 2001. Police sent the seized laptop to Computer
Forensics Division of BPRD after computer experts at Delhi failed to trace much out of its contents. Inside
the laptop there were a number of evidences that established the motives of the two terrorists, namely (a) the
sticker of the Ministry of Home that they had made on the laptop and pasted on their ambassador car to
gain entry into Parliament House and (b) the fake ID card that one of the two terrorists was carrying with
a Government of India emblem and seal. It was also found that the emblems (of the three lions) were care-
fully scanned and the seal was also deviously made along with residential address of Jammu and Kashmir.
But careful forensics detection proved that it was all forged and was created using the laptop.
11.2.19 Example 19: Game Source Code Stolen!
Source code theft is considered as an IPR theft (IPR is Intellectual Property Rights) and this example is
about source code theft in real life. Given the life style and preferences of the young generation today, one
can understand the popularity of game software packages. Game software can be loaded on the mobile hand-
sets as well. Readers can refer to Chapter 3 where cybercrimes are described in the context of mobile devices.
Te episode described in this example involves game software. It is an episode of IPR theft that took place
in 2003.
Cyber security_Chapter 11.indd 617 2011-03-25 10:34:40 AM
618 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
It so happened that a computer user in China obtained the source code of a popular game Lineage I
from an unprotected website. Tis proprietary code was then sold to several people in 2004. One of those
people set up a website, www.l2extreme.com, to oer the Lineage game at a discount. After noticing this,
the South Korean company that owned the Lineage source code sent legal warnings. However, in spite of
those warnings, the suspect did not shut down the site. He rented powerful servers enough to accom-
modate 4,000 simultaneous gamers and solicited donations from users to help defray the costs. Te loss in
potential revenues for the South Korean company was estimated at $750,000 a month. Te US FBI arrested
the suspect and the website was shut down.
Even after this action, the source code stealing of this kind did not stop. In 2007, a prominent Korean
Newspaper Chsun IIbo had reported that the source code for upcoming MMORPG Lineage III may have
been stolen and sold to an undisclosed major Japanese game company. It was suspected that this could be
an insider job. Te Seoul Metropolitan Police investigated seven former NCSoft employees in conjunction
with this crime. NCSoft estimated a damage value for the lost data at over 1 billion dollars US. Tis sub-
stantial gure was supposedly a projection based o the combined worth of the Lineage IP and its current
subscriber value. At present, Lineage has over 1.5 million subscribers worldwide (mainly in Asia) and its
current sales is over 1.6 billion dollars (1.5 trillion Korean won) spread across both titles.
Insider attacks (they could be by disgruntled employees or even by un-instigated employees with
malicious minds) are worse because, when exposed, they can considerably dampen employee spirit, as
happened in this case too. Morale at the impacted company NCsoft was in its worst stage even before word
of the theft hit mainstream news. Te company experienced serious turnover since the sacking of one of its
senior game developers for poor leadership skills. Since the layo, most of the 90-person development
team has, likewise, decided to follow their chief elsewhere.
Police reported that the data theft may actually have occurred during a job interview! In the interview,
one or more ex-NCsoft programmers demonstrated the code for external review. Roots of the problem may
actually go all the way back to when program designs for Lineage III were reputedly leaked via E-Mail and/
or portable disk.
11.2.20 Example 20: The Petrol Pump Fraud
Tank God that in India, we do not as yet have the system of automated petrol pumps! Tis feeling of relief
comes after reading this example of fraud. Te fraud took place in a petrol pump in the US. In India, it is a
common practice to keep an eye on the delivery of petrol (of course, assuming that the pump has been cali-
brated and periodically inspected to ensure that it is dispensing as it should). Te example here can be con-
sidered as Salami Technique example, because things got discovered based on little-by-little h appening!
Here is how that happened.
Four men in Los Angeles, US, were charged with fraud for allegedly installing computer chips in gaso-
line pumps that cheated consumers by overstating the amounts pumped. Te problem was noted when a
rising number of consumers complaints were received which claimed that they had been sold more gasoline
than the capacity of their gas tanks! However, the fraud was di cult to prove initially because the perpetra-
tors programmed the chips to deliver exactly the right amount of gasoline when asked for 5 and 10 gallon
amounts (precisely the amounts typically used by inspectors).
11.2.21 Example 21: Xiao Chungs Story Life of a Hacker
Chapter 1 (Section 1.4 and Table 1.3) and Chapter 10 (Figure 10.3 and Section 10.4.1), we mentioned
about motives for hacking. Here is story of young hacker Xiao Chung (he has got another pet name
in the dark world of the ace hacker community but it is kept condential) who seemed eager to tell his
Cyber security_Chapter 11.indd 618 2011-03-25 10:34:40 AM
Cybercrime: Illustrations, Examples and Mini-Cases 619
story. Like many hackers, he wants recognition for his hacking skills even as he values anonymity to remain
un-detected. Te New York Times found him through another well-known hacker who belongs to a hacker
group and who vouched that Xiao Chung is too skilled. On condition that he should not be identied by
his real name, Xiao agreed to allow a reporter to visit his modest home in a poor town outside Changsha,
and watch him work.
It is quite eerie just a few quick keystrokes and Xiao Chung proudly brings up a screen displaying his
latest victims. He says with a quite a wicked smile, Heres a list of the people whove been infected with my
Trojan Horse, and they dont even know whats gone wrong with them! You may think that Xiao may be
earning a lot from his craft; but that is not true. For all the seemingly terric power in his hand to aect so
many people, the hacker has a modest living - he works from a dingy apartment on the outskirts of this city
in central China (Fig. 11.3).
Although Xiao Chungs technical cyberattack claims cannot be veried, he is happy to demonstrate
his hacking skills. He met a journalist at a cafe one night in February 2010, and invited him to his home,
where he showed how he hacked into the website of a Chinese company. Once the website popped up on
his screen, he created additional pages and typed the word hacked onto one of them. Further, he goes
on to explain that it is an online trapdoor which he created just over a week ago, and has already lured
2,000 people from China and overseas people who clicked on something they should not have, inad-
vertently spreading a virus that allows him to take control of their computers and steal numerous bank
account passwords. It is hard to believe that Xiao Chung, a soft-spoken college graduate in his early 20s,
is a cyberthief ! He operates secretly and illegally, as part of a community of hackers who exploit aws in
computer software to break into websites, steal valuable data and sell it for a prot. Recall the Zero Day
attacks mentioned in Chapter 2, Box 2.10).
According to Internet security experts, China has legions of hackers just like Xiao Chung, and the experts
say that they are the culprits for an escalating number of global attacks launched to steal credit card numbers,
commit corporate espionage and even wage online warfare on other nations. In some cases, these attacks have
Figure 11.3 |The young hacker at work.
Cyber security_Chapter 11.indd 619 2011-03-25 10:34:40 AM
620 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
been traced back to China. In addition to independent criminals like Xiao Chung, computer security specialists
say there are so-called patriotic hackers (i.e., Hacktivists) who focus their attacks on political targets.
Te Peoples Liberation Army has got intelligence-oriented hackers. It is said that there are also more
shady groups who are believed to work with the State Government. It is said that in China, as well as in parts
of Eastern Europe and Russia, computer hacking has become something of a national sport, and a l ucrative
one. It is being done with all the professional aplomb; for example, there are hacker conferences, hacker
training academies and magazines with names like Hacker X Files and Hacker Defense, which oer tips on
how to break into computers or build a Trojan Horse, step by step. Refer to Ref. #5, Additional Useful Web
References, Further Reading.
It is getting easy for hackers; for less than $6, one can even purchase the Hackers Penetration Manual.
Books on hacking are also sold, to a lesser extent, in the US and elsewhere. With 380 million web users in
China and a sizzling online gaming market, analysts say it is no wonder that Chinese youths are so skilled
at hacking. Many Chinese hackers are interviewed to get them inducted into a loosely dened commu-
nity of computer devotees working independently. Tey are also selling services to corporations and even
the military! Because it is di cult to trace hackers, exactly who is behind any specic attack and how and
where they operate remains to a large extent a mystery. And that is just the way Xiao Chung, the young
Chinese hacker, wants it.
Xiao Chungs story is like most young hackers who fall in love with hacking in college. Xiao, too, took
to hacking after friends showed him how to break into computer systems during his rst year in the college.
After earning a degree in engineering, he took a job with a government agency, largely to please his parents,
just to show them a regular job. However, hacking remains his passion! At the end of his work at the
regular job, Xiao turns to his passion: hacking. He admits that he does it for the lure of money. Many
hackers make a lot of money, he says, and he seems to be charting his own path. Exactly how much he has
earned, he would not like to disclose. But he does admit to selling Malicious Code to others, and boasts of
being able to tap into peoples bank accounts by remotely operating their computers.
Xiao is consumed by the challenges it presents. He reads hacker magazines, swaps information with a
small circle of hackers and writes Malicious Code. He uses Trojan Horses to sneak into peoples co mputers
and infect them, so he can take control. Most hackers are lazy, he says, smugly seated in front of a computer
in his spare bedroom, overlooking a dilapidated apartment complex. According to Xiao Only a few of us
can actually write code. Tats the hard part.
Computer hacking is illegal in China. Last year, Beijing revised and stiened a law that makes hacking
a crime, with punishments of up to 7 years in prison. Xiao Chung does not seem bothered by the
law, largely because he thinks it is not strictly enforced. However, he is clever enough to cover his tracks.
Financial incentives motivate many young Chinese hackers like Xiao Chung. Scott J. Henderson, author
of Te Dark Visitor: Inside the World of Chinese Hackers, had spent years tracking Chinese hackers,
sometimes with nancial help from the US Government. One Chinese hacker who broke into a US
Government site later lectured on hacking at a leading university and worked for Chinas security ministry.
According to Henderson, recently many Chinese hackers have been seeking to prot from stealing data
from big c orporations or teaching others how to hijack computers. Tey make a lot of money selling viruses
and Trojan Horses to infect other peoples computers. Tey also break into online gaming accounts and
sell the virtual characters. Its big money for these hackers.
Hack-star Xiao Chung lives with his parents, and his bedroom has little more than a desktop computer,
a high-speed Internet connection and a large closet. Te walls are bare. Most of his socializing occurs online;
his after regular job hours range from about 6:30 p.m. to 12:30 a.m., starting every evening by perusing
computer websites like cnBeta.com. Xiao values his freedom and that is one strong reason he puts forth
for not working for any major Chinese technology company. He even claims to know details of the
Cyber security_Chapter 11.indd 620 2011-03-25 10:34:40 AM
Cybercrime: Illustrations, Examples and Mini-Cases 621
Google attack. Tat Trojan Horse on Google was created by a foreign hacker, he says, indicating that the
virus was then altered in China. A few weeks before Google was hijacked, there was a similar virus. If you
opened a particular page on Google, you were infected. Oddly, Xiaos parents did not know that he does the
hack-job at night. One day, however, he explained the intricacies of computer hacking and stealing data
while his mother stood nearby, listening silently. Xiao and his fellow hackers keep secret their knowledge of
certain so-called zero-day vulnerabilities software aws for future use. When asked whether hackers
work for the government, or the military, he says yes.
11.2.22 Example 22: Killers Take Tips from 26/11 Attack to
Use VOIP
Te term cyberterrorism was explained in Chapter 1 (Box 1.1 and Section 1.2) and here is a real-life
incidence involving cyberterrorism in the country that has just about settled from the shock of 26/11 attacks
on Mumbai. Tose attacks revealed the wireless communication technology used by the terrorists. Tis
real-life example comes from that background. In Chapter 7, E-Mail forensics is explained fully aware that
electronic mails can be traced, cybercriminals as well as terrorists adopt a technique whereby they do not
send attack-related mail and yet they communicate with their counterparts. Tis real-life e xample shows how
that technique was used.
Investigations in the murder of criminal lawyer Shahid Azmi revealed that the killers had used
c ommunication techniques similar to the ones used by terrorists during the 26/11 terror attacks and the 11/7
train blasts. According to crime branch sources, gangster Bharat Nepali, who had hired men to e liminate
Azmi, had used Voice over Internet Protocol (VoIP) system to communicate with the killers. During the
investigations it was revealed that at least six calls were made, before and after Azmis murder, using VoIP
service from Hong Kong, Los Angeles, London and Israel. Te usage of VoIP for criminal activity came to
light during the 26/11 terror attacks in Mumbai. Handlers of the terrorists, who attacked the city on the
night of 26 November 2008, were found to be using VoIP service to communicate with the 10 men who laid
siege at various locations in the city.
Use of draft E-Mail system was another communication technique used by Azmis killers. Te same
t echnique was used by terrorists in the 11/7 train blasts that rocked Mumbai city in 2006. According to
a crime branch o cial, a person from Bangkok attached photographs of Azmi in a mail and saved it as
a draft in an E-Mail account. Te killers, Devendra Jagtap and Hasmukh Solanki, who knew the password
of the E-Mail account opened the draft mail and thus identied Azmi.
Azmis killing (on 11 February 2010) had shocked the citys legal fraternity. It was scary the three men
had barged into Azmis Kurla o ce to shoot him dead and then they ran away from the scene. Azmi was
defence lawyer in the 26/11 trial for Faheem Ansari, who was recently acquitted by the court due to lack
of evidence. Te rst round of investigations revealed that it was a contract killing undertaken for ` 1 lakh
(` 1,00,000) at the command of Nepali, a former aide of infamous Chhota Rajan.
Later on crime branch o cials detained Devendra Jagtap, Pintu Dagle and Vinod Vichare from
Mulund, while the fourth accused, Hasmukh Solanki, was taken into custody on 9 March 2010. Te
police also seized four weapons that were used in the killing, three rounds of live cartridges and ve
mobile phones from the group. Of the 10 accused, six, including Nepali, his close aide Vijay Shetty,
Santosh Shetty, Rajiv Tiwari and two others, were absconding. According to Public Prosecutor Kalpana
Chavan, Nepali had given contract to kill Azmi because he believed that the lawyer was defending those
who according to him are anti-nationals. Te shooting was part of Nepalis eorts to establish his suprem-
acy in the underworld.
Cyber security_Chapter 11.indd 621 2011-03-25 10:34:41 AM
622 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
11.2.23 Example 23: Robberson Brothers Caught for Selling
Pirated Software
Investigation of Maurice A. Robberson and his brother Tomas Robberson was commenced by BSA
(Business Software Alliance). In early 2002, BSA had received complaints from software publishers and
that was the basis for the investigation. After reviewing the reported websites, BSA made undercover
purchases and determined that the software sold was pirated. After this, BSA referred the case to the
Federal Bureau Washington Field O ce. Te FBI Field O ce conducted independent investigation and
subsequently shut the operation down in October 2005. Te investigation determined that starting in late
2002 the Robberson brothers sold more than $5 million of counterfeit software products. In addition to
running four for-prot websites, the Robberson brothers were also co-conspirators with Danny Ferrer in
the operation of www.BbuysUSusA.com.
It turned out from the investigations that, during the operation of the websites, Tomas Robberson grossed
more than $150,000 by selling software with a retail value of nearly $1 million. Maurice Robberson amassed
more than $855,000 through sales of software with a retail value of nearly $5.6 million. In March 2008,
Maurice Robberson was sentenced to 36 months in prison, whereas his brother Tomas was s entenced to 30
months. Both were also ordered to undergo an additional 3 years of supervised release and pay restitution.
11.2.24 Example 24: BSA Uncovers Software IPR Breaches
Te issue of software piracy as Intellectual Property Oense is addressed in Section 9.2.2, Chapter 9. Tis
is a glaring example of that type of oence. Tis is one more example of the breach uncovered by BSA
happened in Georgia State, US, in July 2008. It involved interaction with eBay. Launched in 1995, eBay
started as a place to trade collectables and hard-to-nd items. Today, eBay is a global marketplace where
institutional buyers as well as individuals can buy and sell practically anything. You do not have to register
to take a look at whats available, but you will need to register if you want to buy or sell. Today, eBay is the
worlds online marketplace it is a place for both buyers as well as sellers to come together and trade almost
anything. People use such facilities for the convenience, at times overseeing the risks involved as we learn in
this example.
A woman was stopped from selling counterfeit copies of Corel software on eBay. An investigation revealed
that she had sold more than $212,000 worth of unlicensed software to hundreds of consumers, in the period
JanuaryMay 2008. A $250,000 civil judgment was entered against her. In another episode of similar kind,
uncovered by BSA, a person from yet another state was found to be involved. Jon Crain of Coraopolis,
Pennsylvania, operated nearly 20 websites distributing unlicensed copies of Adobe, McAfee, Microsoft and
Symantec software online. He was rst targeted in March 2007 as part of an international legal action against
ve software pirates. Te other oenders were located in the UK, Austria, and Germany. In many of these
cases, BSA was alerted to the illegal activity by reports or complaints from disappointed consumers who were
initially attracted by low price deals. BSA sued Crain, and a civil judgment was entered that included a hefty
settlement payment and a requirement to remove the unlicensed software from his website.
Another example is this incidence that took place in July 2008. Jeremiah Mondello, a 23-year Oregon
man, was sentenced to 4 years in federal prison for selling more than $1 million worth of pirated software
and distributing malware via instant message networks to steal nancial data from dozens of consumers. He
then used the stolen bank account credentials to set up more than 40 online auction accounts in the victims
names and withdraw money from their debit accounts. In addition to the prison sentence, federal investi-
gators also seized computers and $220,000 in cash from Mondello. Te government also was entitled to seize
his home and surrounding land.
Cyber security_Chapter 11.indd 622 2011-03-25 10:34:41 AM
Cybercrime: Illustrations, Examples and Mini-Cases 623
11.2.25 Example 25: Pune City Police Bust Nigerian Racket
Tis story had appeared in Pune Mirror dated 25 October 2010. Name of the victim has been masked to
respect the privacy of the person. However, all the events mentioned here are real and are presented exactly
as they happened, as mentioned in the chain of events mentioned here is as at the time of writing this. Visit
Items No. 19 in Section 11.7 (Online Scams) Nigerian Scam is explained there. What is described here is
a real-life example of that. Tis example re-emphasizes the need for cybercrime awareness. As you can see in
this example, even an educated person working in technology eld got fooled by the perpetrators and suf-
fered a big nancial loss. It also shows the greed of criminals.
Te police succeeded in nabbing two suspects in this fraud case. Tis fraud happened when the police
started probing into a complaint received from a young software engineer working in Pune city. Arjun
Changaokar, a resident in Warje area, was duped into parting with ` 10.27 lakhs (` 10,27,000) by making
him believe that he was going to be oered a high prole job in a London hotel called New Climax.
In an E-Mail chat with an alleged UK-based Councillor, Arjun, the techie from Rajiv Gandhi Infotech
Park at Hinjewadi, was convinced to pack up and leave India for UK! Te fraud got exposed when Arjun
found that there was no ight to UK from Indira Gandhi International Airport at the time he was told by
the conmen! Te eorts expended by Warje police were successful and two perpetrators, including a bank
account holder, were arrested. However, the real mastermind Chong-Ching, who is a foreign national,
was still absconding. A special squad of cyber experts has been investigating the Nigerian fraud racket run
from Meera Road. Te three accused in the FIR (First Information Report) led by the victim include
Shailendra Ramesh Soni, aged 24, a resident of Shivajinagar in Govandi in Mumbai, Naresh Shubrakaran
Sharma, aged 27, a resident of Queens Park in Mira-Bhayandar in Tane and Chong-Ching, the foreign
national whose complete name and address could not be traced (as at the time of writing this). Te fraud
took place during the period 26 July24 September 2010. Te accused have been charged under various
sections of the IPC (Indian Penal Code see Appendix P in CD) and the Indian IT Act (see Appendix O
in CD) for cheating and conspiracy using Information Technology.
As per complaint led by the victim Arjun Changaokar, the fraud started with the mail he received on
26 July 2010. In that mail he was oered a job in UK-based hotel New Climax. A person calling himself
Chong-Ching claimed to be authority at the hotel and oered to victim the post of Sales Supervisor with
a handsome UK salary. Te victim responded to the E-Mail and accepted the oer. Tere onward, the cor-
respondence continued. In another E-Mail, a person called John Smith Levis introduced himself as UK
councillor. John claimed to have been given the responsibility by the hotel to provide Visa. To get the Visa
and to pay for journey expenses and accommodation in the UK, John asked the victim for various amounts
of money in a number of E-Mails. John gave to the victim several account numbers in dierent branches of
Axis Bank and ICICI Bank. Victim Arjun deposited those amounts ranging from ` 2 to 5 lakhs (` 2,00,000
to 5,00,000) on dierent occasions. Over a 2-month period, Arjun (the victim) deposited a total amount of
` 10.27 lakhs (` 10,27,000)! In the words of the victim
At rst, I received an email oering me a high paying job in UK hotel to get a visa and to pay for journey
expenses and accommodation in UK, I was asked for various amounts of money in multiple emails. He
gave me several account numbers in dierent branches of Axis Bank and ICICI Bank. I deposited amounts
ranging from Rs. 25 lakh on dierent occasions. Over a two-month period, I deposited a total amount of
Rs. 10,27,700.
Te victim arranged the money from various sources. He shared with his parents and friends the news of his
overseas job. According to the E-Mail, the victim received on 10 October 2010, he was supposed to catch
a ight from Indira Gandhi International Airport and a person was going to meet Arjun at the airport with
Cyber security_Chapter 11.indd 623 2011-03-25 10:34:41 AM
624 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
a Visa and an air ticket. During the correspondence, receipts with fake stamps (as it turned out later) and
signatures of the British High Commissioner were sent to victim. When victim (Arjun) reached the airport,
he found that there was no such person waiting for him. Tat is when the victim realized that he had been
cheated. Arjun returned to Pune and tried to contact the concerned person but the concerned person never
replied to his mails. Arjun then decided to approach the police.
Inspector (Crime Branch) Solankar said After receiving the complaint, we started investigating the
accounts in which Arjun had deposited the requested amounts of money. We identied an account in the
name Shailendra Soni in the Shivajinagar branch of Axis Bank. We sent a team to Govandi and laid a trap
for him. After the inquiry, the Police discovered that Soni was asked by someone called Sharma for
permission to use his account. Police nabbed Sharma in Mira-Bhayandar. Te investigation revealed that
someone hailing from Nigeria asked them to commit the crime. He oered 7% of the total amount to
Sharma. Sharma, in turn, got Sonis help by oering him a 5% commission. Sharma had met the suspected
foreign national several times and they had been running this racket for many years. Sharma has various
cheating crimes registered to his name. Te Police took up the investigation aimed at nding out other
crimes committed by this gang.
11.3 Mini-Cases
In this section, we have provided real-life cases involving cyberpornography, cyberdefamation, Salami attack,
Internet time theft, etc. Table 11.2 lists the Mini-Cases of this section.
Table 11.2 | List of Mini-Cases in Section 11.3
Mini-Case
No.
Title Topic Chapter
Cross-Reference
1 Cyberpornography Involving a Juvenile
Criminal
Cyberpornography Chapters 1 and 2
2 Indian Cyberdefamation Case of a Young
Couple
Cyberdefamation,
spoofed mails with
ulterior motive
Chapters 1 and 7
3 Te Zyg-Zigler Case Salami attack, logic
bomb
Chapter 1
4 Internet Time Stealing Cybertheft
5 New York Times Company vs. Sullivan Case
of Cyber Defamation
Cyberdefamation Chapter 1
6 Te Indian Case of Online Gambling Online gambling Chapter 1
7 An Indian Case of Intellectual Property Crime IPR Teft,
Cybersquatting
Chapters 1, 9 and 10
8 Te SlumDog Millionaire Movie Piracy Case IPR theft Chapters 1, 2, 4 and 9
9 Malicious Hacking Case Organ Donation
Database Deleted
Hacking of computer
network, insider attack
Chapters 1, 2, 4 and 9
10 Te Case of Counterfeit Computer Hardware
(Continued )
Cyber security_Chapter 11.indd 624 2011-03-25 10:34:41 AM
Cybercrime: Illustrations, Examples and Mini-Cases 625
11.3.1 Mini-Case 1: Cyberpornography Involving a Juvenile Criminal
Pornography is mentioned in Chapter 1. Tere was a recent Indian incident involving cyberpornography
related to an 8th grade student of a certain Delhi school. Te classmates used to tease the boy for having a
pockmarked face. Tis went on for quite some time and the teasing did not stop in spite of students appeals
to his friends and complaints to the school teachers. Tired of the cruel jokes about his face, the boy decided
to get back at his tormentors. As revenge, he scanned photographs of his classmates and teachers, morphed
them with nude photographs and put them up on a website that he uploaded on to a free web hosting
service. Action against this student was taken after the father of one of the girls (featured on the website)
objected and lodged a complaint with the police.
In another incident that occurred in Mumbai it was found that a Swiss couple would gather slum chil-
dren and would force them to appear for obscene photographs. Te couple would then launch these photo-
graphs on to websites expressly designed for pedophiles. Te Mumbai police arrested the couple under the
charge of c yberpornography. Section 67 B of the ITA 2008 (Indian IT Act amendment of 2008) addresses
child pornography and makes searching and browsing also as oenses.
11.3.2 Mini-Case 2: Indian Cyberdefamation Case of a Young Couple
Sujata, a young girl, was about to get married to Sudesh whom she met during a social event. She was
mighty pleased because she never believed in nding a perfect match through an arranged marriage. Sudesh
seemed to be open-minded and pleasant. Tey used to meet quite often during the pre-marriage period.
One day when Sujata met Sudesh, he looked worried and even a little upset. He did not seem interested
in talking to her. When she asked, he told her that members of his family had been receiving E-Mails that
contained malicious stories about Sujatas character. Some of them were of her past aairs. He told her that
Mini-Case
No.
Title Topic Chapter
Cross-Reference
11 Te Chinese Case of Trade Secret Stealing
involving an E-Waste Company
Hacking Chapter 1
12 Internet Used for Murdering Chapters 7 and 8
13 Social Networking Victim MySpace Suicide
Case
Social networking evils Chapters 1 and 7
14 State of Tamil Nadu vs. Suhas Katti Case Cyberdefamation Chapter 1
15 Pune Citibank MphasiS Call Center Fraud Data theft Chapter 9
16 NASSCOM vs. Ajay Sood & Others Phishing Chapter 5
17 Indian Case of Cyberdefamation Cyberdefamation Chapter 1
18 Indian Cases of Cybersquatting Cybersquatting Chapters 1 and 10
19 Swedish Case of Hacking and Teft of Trade
Secrets
IPR theft Chapters 1, 9 and 10
20 IPR Violation IPR theft Chapters 1, 9 and 10
21 Indian E-Mail Spoong Case Spoong Chapter 2
Table 11.2 | (Continued )
Cyber security_Chapter 11.indd 625 2011-03-25 10:34:41 AM
626 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
his parents were very upset and he felt they were justied in getting upset; after all, Sujata was going
to be their daughter-in-law soon. Sudesh told Sujata that his parents were considering breaking o the
e ngagement. Sujata was shocked obviously, but fortunately, Sudesh was able to convince his parents and
other elders of his house to approach police instead of blindly believing the mails. During investigation,
it was revealed that the person sending those E-Mails was none other than Sujatas stepfather. Sujata was
the main source of income in the family after her mother expired; the father was a drunkard and had no
means of livelihood. Sujatas father (when he gave in during the police enquiries) admitted that he had
sent those E-Mails to break the engagement. He wanted Sujata to remain with him to continue providing
him nancial support. He a dmitted that Sujatas marriage would have caused him to lose control of her
property of which he was the guardian till she got married. Sujatas mother had bequeathed her all the
propery through a registered will because she was not sure if the property would be safe in the hand of her
chronic alcoholic husband.
Section 49 of the Indian Penal Code is mentioned in reference to cyberdefamation in Chapter 1
(Section 1.5.3). Readers may like to note that copy of the IPC (Indian Penal Code) is available in
Appendix P.
Cyberdefamation is a cognizable offense. Chapter XXI of the Indian Penal Code (IPC) is about
DEFAMATION. In Section 499 of Chapter XXI of IPC, regarding defamation there is a mention that
Whoever, by words either spoken or intended to be read, or by signs or by visible representations,
makes or publishes any imputation concerning any person intending to harm, or knowing or having
reason to believe that such imputation will harm, the reputation of such person, is said, except in the
cases hereinafter expected, to defame that person.
Te investigation traced the perpetrators through E-Mail forensics (refer to Section 7.6 of Chapter 7).
Another famous case of cyberdefamation occurred in America. Friends and relatives of a lady were
inundated with obscene E-Mail messages appearing to originate from her account. Tese mails gave the lady
a bad name and made her an object of ridicule. Te lady was an activist against pornography. In reality, a
group of people displeased with her views and angry with her for opposing them, had decided to get back
at her by using such underhanded methods. In addition to sending spoofed obscene E-Mails, they also
launched websites about her basically meant to malign her character.
11.3.3 Mini-Case 3: The Zyg-Zigler Case
It is said that in the US, it is common to re people from jobs. One employee of a bank in the US was
dismissed from his job. Te disgruntled man felt oended at have been mistreated by his employers. He
decided to take revenge. He rst introduced a logic bomb into one of the core banking systems of the bank.
Te logic bomb was programmed in such a way that the system would take 10 cents o from all the accounts
in the bank and would deposit them into the account of the person whose name was alphabetically the
last in the banks rosters. Tis disgruntled man then opened an account in the name of Ziegler. Te amount
debited from each of the accounts in the bank was so trivial that neither the account holders nor the bank
o cials noticed any fault. Finally, this phenomenon came to the notice of the bank o cials when another
person by the name of Zygler opened his account in that bank. He was astonished to nd a s ubstantial
amount of money being transferred into his account every Saturday!
Cyber security_Chapter 11.indd 626 2011-03-25 10:34:41 AM
Cybercrime: Illustrations, Examples and Mini-Cases 627
11.3.4 Mini-Case 4: Internet Time Stealing
Tis is a case that took place before the ITA 2000, was enacted. In this case a services person was impacted.
As you read on, you will realize how determination led to revelation about the fraud which otherwise would
not be detected. Te fraud described in this case could be detected due to victims alertness. Recall the discus-
sion in Section 4.12.2 about Teft of Internet Hours.
Colonel Bajwa, a resident of New Delhi, asked a nearby net cafe owner to visit for re-installing his Internet
connection. For this purpose, the net cafe owner needed to know his username and password. After setting
up the connection, the cybercafe owner walked away with the username and password noted down. He then
sold this information to another net cafe. After about a week, Colonel Bajwa discovered that his Internet
hours were almost over! Out of the 100 hours that he had purchased, more than 90 hours had been used up
within the span of that week. He noted that this had happened although he was inactive in that week in terms
of his use of the Internet from that connection that was set up with the help of the net cafe owner. Colonel
Bajwa was surprised and became suspicious of his suddenly depleting Internet account. So, he reported the
incident to the Delhi Police. Te Police could not believe that time could be stolen because they were not
aware of the concept of time-theft at all. Tey could not understand how something immovable such as
the Internet hours could be stolen and so they rejected Colonel Bajwas report. Colonel Bajwa was not will-
ing to give up and he decided to approach Te Times of India, New Delhi. Tey, in turn, prepared a report
about the shortfall of the New Delhi Police in handling cybercrimes. Te Commissioner of Police, Delhi
took charge of the case and the police under his directions raided the cybercafe and arrested the owner under
the charge of theft as dened by the Indian Penal Code. Te net cafe owner spent several weeks locked up
in Tihar jail till the bail was granted. Tere are two points to note: (a) the modied IT Act, that is, the ITA
2008 addresses the cybercafe issue and (b) not having encountered such a situation before, the police were
perplexed by the theft about something they considered immovable.
11.3.5 Mini-Case 5: New York Times Company vs. Sullivan Case of
Cyberdefamation
Here is the brief for the New York Times Co. v. Sullivan Case facts of the case decided together with
Abernathy v. Sullivan; this case concerns a full-page advertisement in the New York Times which alleged that
the arrest of the Rev. Martin Luther King, Jr. in Alabama was part of a campaign to destroy Kings eorts to
integrate public facilities and encourage blacks to vote. L. B. Sullivan, the Montgomery city commissioner,
led a libel action against the newspaper and four black ministers who were listed as endorsers of the
advertisement, claiming that the allegations against the Montgomery police defamed him personally. Under
Alabama law, Sullivan did not have to prove that he had been harmed. He also did not have to prove the
defense claim that the advertisement was untruthful because the advertisement contained factual errors.
Sullivan won a $500,000 judgment. Question presented was Did Alabamas libel law, by not requiring
Sullivan to prove that an advertisement personally harmed him and dismissing the same as untruthful due
to factual errors, unconstitutionally infringe on the First Amendments freedom of speech and freedom of
press protections? Conclusion: Te court held that the First Amendment protects the publication of all
statements, even false ones, about the conduct of public o cials except when statements are made with
actual malice (with knowledge that they are false or in reckless disregard of their truth or falsity). Under this
new standard, Sullivans case collapsed.
Tis was a US Supreme Court case which recognized the actual malice standard before press reports could
be considered to be defamation and libel, and hence allowed free reporting of the civil rights campaigns in
Cyber security_Chapter 11.indd 627 2011-03-25 10:34:41 AM
628 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
the southern US. It is one of the key decisions supporting the freedom of the press. Te actual standard for
malice requires that the publisher is aware whether the statement is false or acts in an irresponsible manner
without regard of the truth. Te decision established that for a plainti to win a libel ruling against a
newspaper, actual malice or reckless negligence must be proved on the part of the paper if the statement
in question is about a public o cial or a public gure. In the case of a private gure, the petitioner must
merely prove carelessness. Te background for this case is described below.
On 29 March 1960, the New York Times carried a full-page advertisement titled Heed Teir Rising
Voices, which solicited funds to defend Martin Luther King, Jr. against an Alabama perjury indictment.
In the advertisement there was description about actions against civil rights protesters and activists some
was inaccurate and some involved the police force of Montgomery, Alabama. Te inaccurate criticism of
the actions by the police was considered as defamation against Commissioner L.B. Sullivan, whose duties
included supervision of the police department. Tough he was not named in the advertisement but he held
the position of commissioner.
Alabama law denied a public o cer recovery of punitive damages in a libel action brought on account
of a publication concerning their o cial conduct unless they rst make a written demand for a public
retraction and the defendant fails or refuses to comply, so Sullivan sent such a request. Te Times did not
publish a retraction in response to the demand. Instead it wrote a letter stating, among other things, that
we ... are somewhat puzzled as to how you think the statements in any way reect on you, and you might,
if you desire, let us know in what respect you claim that the statements in the advertisement reect on
you. Sullivan didnt respond but instead led this suit a few days later. He also sued four black ministers
mentioned in the ad, specically Ralph Abernathy, S.S. Seay, Sr., Fred Shuttlesworth and Joseph Lowery.
Sullivan won $500,000 in an Alabama court judgment.
Eventually, Te Times did, however, publish a withdrawal of the advertisement upon the demand of
Governor John Patterson of Alabama, who asserted that the publication charged him with grave misbe-
havior and ... inappropriate actions and omissions as Governor of Alabama and Ex-O cio Chairman of
the State Board of Education of Alabama. When asked to explain why there had been a retraction for the
Governor but not for Sullivan, the Secretary of Te Times testied: We did that because we didnt want
anything that was published by Te Times to be a reection on the State of Alabama and the Governor was,
as far as we could see, the embodiment of the State of Alabama and the proper representative of the State
and, furthermore, we had by that time learned more of the actual facts which the ad purported to recite
and, nally, the ad did refer to the action of the State authorities and the Board of Education presumably
of which the Governor is the ex-o cio chairman ... . On the other hand, he testied that he did not think
that any of the language in there referred to Mr. Sullivan. Te court decision was decreed as described
below.
Tere was the rule of law that was applied by the Alabama courts; however, it was found to be
constitutionally decient. Tis was seen in the failure to provide the safeguards for freedom of speech and
of the press that are required by the First and Fourteenth Amendments in a libel action brought by a public
o cial against critics of his o cial conduct. Te decision further ruled that under the appropriate safeguards,
the evidence presented in this case was not constitutionally su cient to support the judgment for Sullivan.
11.3.6 Mini-Case 6: The Indian Case of Online Gambling
Tere are millions of websites, hosted on many servers, to oer online gambling services. It is believed
that many of these websites are actually fronts for money laundering. Fraud cases of Hawala dealings
and money mis-deals over the Internet have been reported in the past (in Ref. #8, Additional Useful Web
References, Further Reading, we have provided some links to Hawala systems for readers who have not
Cyber security_Chapter 11.indd 628 2011-03-25 10:34:41 AM
Cybercrime: Illustrations, Examples and Mini-Cases 629
heard about this informal system of transferring money). It is not yet fully known if these sites have any rela-
tionship with drug tra cking. Recent Indian case about cyber lotto is very interesting. Kola Mohan was the
man who invented the story of winning the Euro Lottery. He created a website and an E-Mail address on the
Internet with the address eurolottery@usa.net. Whenever accessed, the site would declare him as the recipi-
ent of the 12.5 million pound. A Telgu newspaper published this as news after conrmation. Meanwhile,
Kola Mohan collected large sums of money from the public as well as from some banks for mobilization of
the deposits in foreign currency. He could have gone on merrily. Te fraud, however, got exposed when a
discounted cheque from Kola Mohan with the Andhra Bank for ` 1.73 million bounced. Kola Mohan had
pledged with Andhra Bank the copy of a bond certicate purportedly issued by Midland Bank, She elds,
London stating that a term deposit of 12.5 million was held in his name.
11.3.7 Mini-Case 7: An Indian Case of Intellectual Property Crime
Cybersquatting is explained in Chapter 1 (Box 1.1). Also refer to Box 10.3 in Chapter 10. Satyam vs. Siy
is the most widely known case for that. Bharti Cellular Ltd. made a case in the Delhi High Court with a com-
plaint that some cyber squatters had registered domain names such as barticellular.com and bhartimobile.
com with network solutions under dierent ctitious names. Te court ordered Network Solutions not to
transfer the domain names in question to any third party and the matter was sub-judice. Similar issues were
brought to various High Courts earlier. Yahoo had sued a man called Akash Arora for use of the domain
name Yahooindia.Com deceptively similar to its Yahoo.com. As this case was governed by the Trade
Marks Act 1958, the additional defense taken against Yahoos legal action for the interim order was that the
Trade Marks Act was applicable only to goods. We know from Chapter 1 that intellectual property crimes
include software piracy, copyright infringement, trademarks violations, theft of computer source code, etc.
In other words, this is also referred to as cybersquatting.
11.3.8 Mini-Case 8: The Slumdog Millionaire Movie Piracy Case
Tis incident was posted on 23 July 2009. A San Marcos man pleaded guilty to a felony charge of using the
Internet to distribute a pirated copy of Slumdog Millionaire in violation of federal copyright law. Owen
Moody, aged 25, pleaded guilty to uploading a copyrighted work being prepared for commercial distribution,
admitting that he uploaded a copy of Slumdog Millionaire late 2008 to a website called thepiratebay.org,
with the illicit desire that others could download the movie over the Internet. Moody also posted a link to
the upload at the Internet websites called demonoid.com and mininova.org. At the time Moody uploaded
the movie, it was in limited release in domestic theaters and was not yet available on DVD.
Moody used the Internet screen names Tranceyo and Gizmothekitty. He found the copy of Slumdog
Millionaire on an Internet website called funle.org, where someone had uploaded a digital copy of the
movie that had been sent as an Academy Award screener to a member of the Academy of Motion Picture
Arts and Sciences for voting consideration. When Moody searched the Internet, he realized the movie was not
readily available to the general public. Moody then downloaded the movie from funle.org and uploaded
it to piratebay.org. He also created links to the movie on the two other websites, to make the movie available
to the general public. Moody uploaded the movie from his home in San Marcos, the US. rights to Slumdog
Millionaire under copyright ownership of Fox Searchlight Pictures, Inc., which is located in Los Angeles
County. At that time, the movie was in limited release in domestic theaters and was not yet available on
DVD. Moody pleaded guilty to the charge in front of the US District Judge Gary A. Feess in Los Angeles.
Judge Feess scheduled to sentence Moody on 5 October 2009. In the US, if you upload a copyrighted work,
such an act carries a statutory maximum penalty of 3 years in central prison and a $250,000 ne or twice the
gross gain or gross loss attributable to the oense, whichever is greater.
Cyber security_Chapter 11.indd 629 2011-03-25 10:34:41 AM
630 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Another case: In rst week of July 2009, a Ventura County man who obtained Academy Award
screeners of Te Curious Case of Benjamin Button and Australia pleaded guilty to uploading the
lms to the Internet. Derek Hawthorne, aged 21, of Moorpark, pleaded guilty to uploading a copy-
righted work being prepared for commercial distribution. He was sentenced by the US District Judge
R. Gary Klausner on 28 September 2009. Te US Secret Service was involved in the investigation of cases
running against Moody and Hawthorne.
11.3.9 Mini-Case 9: Malicious Hacking Case Organ Donation
Database Deleted
Hackers are type II criminals (refer to Section 1.4, Chapter 1). As mentioned in that section and in
Chapter 10, the typical motives behind cybercrime seem to be greed, desire to gain power and/or
publicity, desire for revenge, a sense of adventure, looking for thrill to access forbidden information,
destructive mindset, the desire to sell network security services. Tis is a real life example showing the conse-
quences of computer hacking. We know that disgruntled employees tend to get into criminal acts, seen from
the motive perspective of cybercrimes. Te example shows the data loss considering the critical data and
systems of an organization that were deleted in a criminal act; an act that was performed with malice and
ill intentions.
Tis is a classic case of an Insider attack (recall the discussion in Chapter 9). It involved hacking a
former employers computer network. In this case, the former IT Director of at a non-prot organ and
tissue donation center was sentenced to 2 years in prison for hacking into her former employers computer
network, announced Assistant Attorney General Lanny A. Breuer of the Criminal Division and US Attorney
for the Southern District of Texas Tim Johnson.
Te woman called Danielle Duann, aged 51, of Houston, pleaded guilty on 30 April 2009, to criminal
indictment charging her with unauthorized computer access. Duann was sentenced to jail by US District
Judge David Hittner in the Southern District of Texas. In addition to the 2-year prison term, Judge Hittner
sentenced Duann to a 3-year period of supervised release following completion of her prison sentence and
ordered her to pay $94,222 in restitution to compensate her former employer for the damage that resulted
from her actions.
While pleading guilty, Duann admitted that she had illegally accessed the computer network of LifeGift
Organ Donation Center and then intentionally deleted organ donation database records, accounting invoice
les, database and accounting software applications and various backup les, without authorization. LifeGift
is the exclusive supplier of organ procurement services for more than 200 hospitals throughout 109 counties
in North, Southeast and West Texas.
As per the court documents, LifeGift removed Duann from her position as their director of Information
Technology on 7 November 2005, and revoked all of her previous administrative rights and access to the LifeGift
computer network. In pleading guilty, Duann admitted that beginning of the evening of 7 November 2005, and
continuing until 8 November 2005, she repetitively gained unlawful access to the LifeGift computer network via
a remote connection from her home and intentionally caused damage by deleting numerous database les and
software applications, as well as their backups, related to LifeGifts organ and tissue recovery operations.
Duann further admitted that in an attempt to conceal her activities, she disabled the computer logging
functions on several LifeGift computer servers and erased the computer logs that recorded her remote
access to the LifeGift network. Tis case was investigated by the FBI and was jointly prosecuted by Trial
Attorney Tomas Dukes of the Criminal Divisions Computer Crime and Intellectual Property Section and
Special Assistant US Attorney Bret W. Davis of the US Attorneys O ce for the Southern District of Texas.
Tis example emphasizes the point that the possibility of insider attacks should never be ignored and that
Cyber security_Chapter 11.indd 630 2011-03-25 10:34:41 AM
Cybercrime: Illustrations, Examples and Mini-Cases 631
disgruntled employees do have the potential to cause damage to their organizations. Systems Administrators
as professionals possess tremendous amount of technical knowledge about how computer systems perform
and, as this example shows, it can get put to malignant use with their motive to settle their personal scores!
Source: www.usdoj.gov (12 May 2010).
11.3.10 Mini-Case 10: The Case of Counterfeit Computer Hardware
Tis is a slightly dierent kind of case reported on 3 December 2009. Christopher Myers, aged 40, and
Timothy Weatherly, aged 27 were charged with conspiracy, tra cking in counterfeit goods and smuggling in
counterfeit labels. In 2003, Myers founded a company called Deals Express. He conspired with Weatherly,
who in 2005 established a company called Deals Direct, Inc to import counterfeit Cisco brand computer
hardware from China. For making the hardware look genuine they attached fake Cisco labels to the compo-
nents and packaged them in counterfeit Cisco boxes along with counterfeit Cisco manuals.
Myers and Weatherly arranged to have the counterfeit components despatched from China to various
shipping addresses in Kansas State, including self-storage facilities in Lenexa, Merriam, Mission, Overland
Park, and Kansas City, KS, as well as UPS stores in Seattle, WA, and Portland, OR. In November 2005,
shipments of counterfeit goods were conscated in Louisville, KY, Los Angeles, CA and Wilmington, OH.
Tese seized goods included counterfeit hardware items such as network cards, connectors, manuals, labels
and boxes. In August 2005, Weatherly established a website for Deals Direct and began using eBay to sell
counterfeit Cisco products under the name direct2technology. Myers and Weatherly made suggestions to
their suppliers in Shenzhen, China, and Hong Kong for adjustments to the products to make them appear
more authentic. After these counterfeit goods were seized, the defendants made various changes in their
shipping arrangements in an attempt to avoid detection, including change of shipment address and having
counterfeit goods shipped through other countries including Sweden.
Myers and Weatherly, upon conviction, would face a maximum penalty of 5 years in federal prison
and a ne up to $250,000 on the conspiracy charge and a maximum penalty of 10 years and a ne up to
$2 million on each of the tra cking counts. Immigration and Customs Enforcement and the National
Bureau of Investigation worked on the case. Assistant US Attorney Scott Rask prosecuted the case. Legal
professionals would know that defendants are considered not guilty until and unless they are proven guilty.
Te charges led merely contain accusations of unlawful conduct.
11.3.11 Mini-Case 11: The Chinese Case of Trade Secret Stealing
Involving an E-Waste Company
Tis case was published in September 2009 by the US Department of Justice. A citizen of the Peoples
Republic of China was charged in connection with the scheme devised to steal trade secrets and proprietary
information relating to computer systems and software with environmental applications from his New Jersey
employer, Acting US Attorney Ralph J. Marra, Jr., announced. Te indictment charges Yan Zhu, aged 31,
a.k.a. Wesley ZHU, a.k.a. Westerly Zhu, who resides in Lodi, with conspiracy to steal trade secrets and
wire fraud. On the morning of 9 April 2009, FBI Special Agents arrested Zhu at his residence while he was
in the US on a work visa. Later that day, the defendant Zhu made an initial appearance in federal court in
front of US Magistrate Tonianne J. Bongiovanni. Te Magistrate released the defendant Zhu on a $200,000
secured bond. Zhu was later arrested on the accusation in Federal Court after the case was assigned to a US
District Judge.
Te indictment describes a scheme in which Zhu, along with other unindicted co-conspirators, used his
employment with a business, which is identied in the indictment only as Company A, to obtain access to the
Cyber security_Chapter 11.indd 631 2011-03-28 4:26:05 PM
632 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
companys trade secrets and proprietary and condential information relating to computer software developed
for the Chinese market. According to the charges made against Zhu, he (i.e., Zhu) worked with Company A as
a senior environmental engineer from May 2006 until his termination in July 2008. Company A is a software
development and consulting company with its principal o ce in Mercer County. Te company is in the business
of developing supporting, and implementing software and computer systems for ecological applications.
While in the services of Company A, Zhu worked on a comprehensive hazardous waste information
management system that Company A developed for the Chinese market. Te purpose of this product was to
allow a Company A customer, such as an environmental regulatory agency, as well as entities that interact with
the environmental regulatory agency, such as hazardous waste producers and shippers, to enter, organize and
view certain data regarding pollution and hazardous waste within that agencys jurisdiction. In addition, it was
alleged that Zhu worked on Company A database application that was related to this software system.
Te allegation further stated that Zhu operated his scheme with at least two co-conspirators, identied
only as Co-conspirators 1 (CC-1) and 2 (CC-2), both Chinese nationals residing in China. According to the
indictment, CC-1 had been introduced to Company A through Zhu and hired as Company As sales repre-
sentative in the Science and Technology High-Tech Zone in Xian City, Shanxi Province, China. Company A
rented o ce space in Xian City. From this o ce CC-1 represented Company A and hosted the subject soft-
ware on his/her own computer system. Te charges led allege that Zhu, CC-2 and CC-1, were all associated
with a company known only as Company X, an environment-related software company in China.
It is further alleged that Zhu and his co-conspirators exploited the trust placed in Zhu by Company A
by stealing Company As trade secrets and proprietary and condential business information, and exploit-
ing an opportunity for Company A to market its product to the Chinese government. Te indictment also
alleges that, as early as January 2008, Zhu began sending Company As computer software source code
to CC-2 in China. Eventually, the Indictment alleges, the co-conspirators used this computer source code to
develop a modied version of the Mercer County companys software in China, which was marketed under
the Company X banner. It is further alleged that the co-conspirators took control of the Mercer County
companys o ce in China, and used that space to conduct business for Company X. According to the
indictment, Zhu was terminated on 17 July 2008, in part because Company A became aware that Zhu had
sent Company A trade secret and condential and proprietary information to his personal E-Mail account.
Te charge of conspiracy to steal trade secrets carries a maximum penalty of 10 years in prison and a ne of
$250,000 or twice the aggregate loss to the victims or gain to the defendants. Each count of wire fraud carries a
maximum penalty of 20 years in prison and a ne of $250,000 or twice the aggregate loss to the victims or gain
to the defendants. Despite the accusation, the defendant is presumed innocent unless proven guilty beyond a
reasonable doubt. Marra credited Special Agents of the FBIs Trenton Resident Agency, under the direction of
Special Agent in Charge Weysan Dun in Newark, with the investigation leading to the indictment. Te govern-
ment was represented by Assistant US Attorney Eric M. Schweiker of the Criminal Division in Trenton.
11.3.12 Mini-Case 12 Internet Used for Murdering
Refer to Section 8.6 An Illustration on Real Life Use of Forensics in Chapter 8 to read this case.
11.3.13 Mini-Case 13: Social Networking Victim MySpace
Suicide Case
Tis is about MySpace suicide case reported in the New York Times. Myspace is a social networking
sites. In Section 7.14 of Chapter 7 there is a discussion about social networking sites and the potential
security/privacy threats arising from them. In that section, there was the mention about a mother c onvicted
of computer fraud for her involvement in creating a phony account on MySpace to trick a teenager, who later
Cyber security_Chapter 11.indd 632 2011-03-25 10:34:42 AM
Cybercrime: Illustrations, Examples and Mini-Cases 633
committed suicide. Tis case shows that social networking sites, though popular, can result in someone losing
his/her precious life, as this real-life case reveals. Tis case, (a real-life story) was reported in New York Times
and posted on 26 November 2008. It is a sad story of the family members and friends of the teenaged
girl who lost her life. She was a victim of social networking. Megan Meier, aged 13, committed suicide in
October 2008. Apparently, the suicide was caused by cruel messages she received on the social networking
site Myspace. Tis incidence, in a way, is also sad reality in a boyfriend-oriented culture.
Readers, who have not yet read previous chapters, may like to read about cyberbullying in Box 2.8 of
Chapter 2. According to the legal experts in the US, this was countrys rst cyberbullying verdict, in which a
Missouri woman was convicted of three misdemeanor charges of computer fraud for her involvement in cre-
ating a phony account on MySpace to trick a teenager, who later committed suicide. Te accused, Ms. Lori
Drew went through a 5-day trial. During the trial, prosecutors portrayed Ms. Lori Drew had worked in col-
lusion with her daughter, Sarah, aged 13 at that time, along with Ms. Ashley Grills, a young family friend
and also an employee of Ms. Lori Drews magazine coupon business in Dardenne Prairie. Te testimony
showed that they created a teenage boy, Josh Evans, as an identity on MySpace. Te conspiracy was to
make this pseudo character (created on MySpace) to communicate with Sarahs rival, Megan Meier, who was
also 13 years old then. Megan was known to have a history of depression and suicidal impulses. According to
testimony at the trial there were weeks of online courtship with Josh. Megan was distressed one afternoon
in October 2006, when she received an E-Mail message from Josh saying that Te world would be a better
place without you.
Ms. Ashley Grills, who is now 20, testied (under an immunity agreement) that shortly after that message
was sent, Megan wrote back, Youre the kind of boy a girl would kill herself over. Totally depressed having
such a message from her boyfriend (in reality only a pseudo character on MySpace) Megan hanged herself
that same afternoon in her bedroom. Te jury appeared to reject the governments contention that Ms. Lori
Drew had intended to harm Megan. However, the convictions signaled the 12-member Jurys belief that she
had, nonetheless, violated federal laws that prohibit gaining access to a computer without authorization.
Readers will recall that in Chapter 1, there is discussion about unauthorized access to computer (Sections
1.31.5 and Table 1.5). Specically, the jury found Ms. Lori Drew culpable of illegally accessing a computer
system on three occasions, in reference to the fraudulent postings on MySpace in the name of Josh Evans.
Te federal Computer Fraud and Abuse Act was passed in 1986 in the US and has been amended several
times since then. According to legal and computer fraud experts, the application of the law appeared to be
expanding with technology and the growth of social networking on the Internet. In general, prosecutions
under the act have been associated with people who are computer systems hackers. Until recently, social
networking sites such as MySpace did not exist. Terefore, this case would be simply another important step
in the expanded use of this statute to protect the public from computer crime. Although it was unclear how
severely Ms. Lori Drew would be punished, the jury reduced the charges to misdemeanors from felonies, and
no sentencing date was set. According to computer fraud experts, the conviction was highly signicant as it
was the rst time that a federal statute designed to combat computer crimes was used to prosecute what were
essentially abuses of a user agreement on a social networking site.
Under federal sentencing guidelines, Ms. Lori Drew could face up to 3 years in prison and $300,000 in
nes, even though she had no previous criminal record. Her lawyer asked for a new trial. While this is a case
from another country, it is a lesson for all of us. Tis case sends an overwhelming message to users of the
Internet and social networking sites.
11.3.14 Mini-Case 14: State of Tamil Nadu vs. Suhas Katti Case
Cyberdefamation was addressed in Chapter 1 and that is the concept reference in this fairly well-known
and a truly landmark case. It is considered to be Indias First cybercrime conviction. Peoples perception is
Cyber security_Chapter 11.indd 633 2011-03-25 10:34:42 AM
634 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
that conviction takes a very long time in the jurisdiction. However there are exceptions as seen in this case.
Tis well-known case of Suhas Katti (year 2004) is available in the public domain. It is noteworthy for the
fact that the conviction was achieved successfully within a relatively short time of 7 months from the date of
ling of the FIR (First Information Report). Te case illustrates how the Indian IT was used to le the case.
Similar cases have been awaiting judgment in other states for a much longer time. Tis case had a relatively
more e cient handling in the sense that this was the rst case of the Chennai Cybercrime Cell going to trial.
Terefore, it deserves a special mention.
Tis case involves posting of obscene, defamatory and annoying message about a divorcee woman in the yahoo
message group. E-Mails were also sent to the victim for information by the accused. However, this was done
through a false E-Mail account opened by him in the name of the victim. Te posting of the message resulted in
annoying phone calls to the lady in the belief that she was soliciting.
Based on a complaint made by the victim in February 2004, the Police traced the accused to Mumbai
and arrested him within the next few days. Te accused was a known family friend of the victim and was
said to be interested in marrying her. She, however, married another person. Later, the wedding ended in
a divorce, and the accused once again started making contacts with the lady. On her reluctance to marry
him, the accused took up the harassment through the Internet. On 24 March 2004, a charge sheet was led
under Section 67 of IT Act 2000, 469 and 509 IPC before Te Honble Addl. CMM Egmore by citing 18 wit-
nesses and 34 documents and material objects. Prosecution examined 12 witnesses and complete documents
were marked as Exhibits.
Te Defense argued that the oending mails would have been given either by ex-husband of the
complainant or the complainant herself to implicate the accused as accused alleged to have turned down the
request of the complainant to marry her.
Further, the Defense Counsel argued that some of the documentary evidence was not sustainable under
Section 65B of the Indian Evidence Act. However, the court relied upon the expert witnesses and other
evidence produced before it, including the witnesses of the cybercafe owners and came to the conclusion that
the crime was con clusively proved. Te judgment was submitted in May 2004 as stated below:
Te accused is found guilty of oences under section 469, 509 IPC and 67 of IT Act 2000 and the accused
is convicted and is sentenced for the oence to undergo rigorous imprisonment for 2 years under 469 IPC
and to pay ne of Rs. 500/- and for the oence under Section 509 IPC sentenced to undergo 1 year simple
imprisonment and to pay ne of Rs. 500/- and for the oence under Section 67 of IT Act 2000 to undergo
rigorous imprisonment for 2 years and to pay ne of Rs. 4000/-.
Te accused paid the ne amount and was lodged at Central Prison, Chennai. Tis is considered as the rst
case convicted under Section 67 of ITA 2000 in India.
IMPORTANT NOTE Te information contained in this case is meant for informational purpose only and is
based on material available in public domain. Authors do not make any claim about its accuracy or authenticity.
Te name of the victim is masked to protect identity. Te information provide here is based on the extracts from
the Judgment pronounced in the First Cybercrime Conviction in India.
11.3.15 Mini-Case 15: Pune Citibank MphasiS Call Center Fraud
BPO and call center business is growing in India has become a popular destination for outsourcing back-
o ce work. Tis case involves a BPO scenario and is an eye opener. US$ 3,50,000 belonging to four US
customers were fraudulently transferred to fake accounts. Tis was enough to give ammunition to those
Cyber security_Chapter 11.indd 634 2011-03-25 10:34:42 AM
Cybercrime: Illustrations, Examples and Mini-Cases 635
lobbying against outsourcing of work from the US to other countries; especially to India. Such cases are not
uncommon but media likes to focus on them when it happens in India. It is a case of sourcing engineering,
also known as social engineering. Some employees gained customer condence and obtained their PIN
numbers to commit fraud. Tey got these under the disguise of helping the customers out of di cult situ-
ations. Highest security prevails in the call centers in India as they know that they will lose their business.
Tere was not as much of breach of security but of sourcing engineering/social engineering.
As an industry practice in security, the call center employees are checked when they go in and out of the
work place. Tis is done to ensure that they do not copy down numbers or any other business condential
information. However, in this case, the employees of the call center must have remembered these numbers,
gone out immediately to a cybercafe and accessed the Citibank accounts of the customers. All accounts were
opened at Pune. Te customers lodged a complaint that the funds from their accounts were transferred to
Pune accounts. Tis is how the criminals were traced. Police were able to prove the honesty of the call center
and has frozen the accounts where the money was transferred.
Te ISO 27001 standard for information security recommends many controls and one such control is
about HR checks. As a best practice, there should be strict background check of the call center executives.
However, even the best of background checks cannot fully eliminate the bad elements from coming in and
breaching security. We must still ensure such checks when a person is hired. Tere is need for a national
ID and a national database where a name can be referred to. In this case rst round of investigations did
not disclose that the criminals had any criminal history. Customer education is crucial so that customers are
not taken for a ride. Most consumers may feel that banks are guilty of not doing this.
11.3.16 Mini-Case 16: NASSCOM vs. Ajay Sood and Others
Phishing is explained in Chapter 5 this case is to be read in that context. Te petitioner in this case was
the National Association of Software and Service Companies (NASSCOM), Indias premier software asso-
ciation. Te defendant was Ajay Sood & Others and the case was delivered in March 2005. In this case,
the Delhi High Court declared Phishing on the Internet to be an illegal act, entailing an injunction and
recovery of damages.
Te court elaborated on the concept of Phishing, in order to lay down a precedent in India. Te court
stated that it is a form of Internet fraud where a person pretends to be a legitimate association, such as a bank
or an insurance company, in order to extract personal data from a customer such as access codes, passwords,
etc. Personal data so collected by misrepresenting the identity of the legitimate party is commonly used for
the collecting partys advantage. Te court also stated, by way of an example, that typical Phishing scams
involve persons who pretend to represent online banks and siphon cash from E-Banking accounts after
conning consumers into handing over condential banking details.
According to the Delhi High Court, even though there is no specic legislation in India to penalize
Phishing, it held that Phishing to be an illegal act by dening it under Indian law as a misrepresentation
made in the course of trade leading to confusion as to the source and origin of the E-Mail causing immense harm
not only to the consumer but even to the person whose name, identity or password is misused. Te court held the
act of Phishing as passing o and tarnishing the plaintis image.
Te defendants were running a placement agency engaged in providing head-hunting and recruitment
services. In order to obtain personal data, which they could use for purposes of head-hunting, the defen-
dants composed and sent E-Mails to third parties in the name of NASSCOM. Te high court recognized
the trademark rights of the plainti and passed an ex-parte ad interim injunction restraining the defendants
Cyber security_Chapter 11.indd 635 2011-03-25 10:34:42 AM
636 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
from using the trade name or any other name deceptively similar to NASSCOM. Te court further ordered
the defendants not to hold themselves out as being associates or a part of NASSCOM. For readers not savvy
with legal terms Exparte means on behalf of only one party, without notice to any other party. For
example, a request for a search warrant is an ex parte proceeding, since the person subject to the search is not
notied of the proceeding and is not present at the hearing.
Te court appointed a commission to conduct a search at the defendants premises. Two hard disks of the
computers, from which the fraudulent E-Mails were sent by the defendants to various parties, were taken
into custody by the local commissioner appointed by the court. Te oending E-Mails were then down-
loaded from the hard disks and presented as evidence in court. During the progress of the case, it became
clear that the defendants, in whose names the oending E-Mails were sent, were ctitious identities created
by an employee on defendants instructions, to avoid recognition and legal action.
On discovery of this fraudulent act, the ctitious names were deleted from the array of parties as
defendants in the case. Later, the defendants admitted their criminal acts and the parties settled the matter
through the recording of conciliation in the suit proceedings. According to the terms of compromise, the
defendants agreed to pay a sum of ` 1.6 million to the plainti as damages for violation of the plaintis
trademark rights. Te court also ordered the hard disks seized from the defendants premises to be handed
over to the plainti who would be the owner of the hard disks.
Tis case achieves clear milestones (a) It brings the act of Phishing into the ambit of Indian laws even
in the absence of specic legislation. (b) It demonstrates a point the perception that there is no damages
culture in India for violation of IP rights is not true. Tis case rea rms Intellectual Property owners faith
in the Indian judicial systems ability and willingness to protect intangible property rights and send a strong
message to IP owners that they can do business in India without sacricing their IP rights.
11.3.17 Mini-Case 17: Indian Case of Cyberdefamation
Tis is another well-known case available in the public domain. Tough an old case, it is considered to be
Indias rst case of cyberdefamation, in which a Court of Delhi assumed jurisdiction over a matter where a
corporates reputation was being defamed through E-Mails and passed an important ex-parte injunction. For
readers who do not come from legal background, ex-parte is a Latin legal term meaning from (by or for)
one party. An ex-parte decision is one decided by a judge without requiring all parties to the controversy to
be present. According to legal doctrines in Australia, Canada, the UK, India and the US, exparte means
a legal proceeding brought by one person in the absence of and without representation or notice of other
parties. It is also used as a slack reference to unacceptable one-sided contacts with a court, arbitrator or
represented party without notice to the other party or counsel for that party.
Te Delhi High Court conceded an ex-parte ad interim order in the case entitled SMC Pneumatics
(India) Pvt. Ltd. v. Jogesh Kwatra being Suit No. 1279/2001. Tis matter was handled by one of Indias
leading cyberlawyers. Te defendant Jogesh Kwatra was an employee of the plainti company. He started
sending defamatory, derogatory, vulgar, lthy, obscene and abusive E-Mails to his employers as also to
dierent subsidiaries of the said company all over the world with the aim to defame the company and its
Managing Director Mr. R.K. Malhotra. Te plainti led a suit for permanent injunction restraining the
defendant from doing his illegal acts of sending derogatory E-Mails to the plainti.
Arguing on behalf of the plaintis, the cyberlawyer handling the case contended that the E-Mails sent by
the defendant were distinctly obscene, vulgar, abusive, intimidating, humiliating and defamatory in nature.
Te lawyer further argued that the aim of sending the said E-Mails was to malign the impeccable reputation
of the plaintis all over India and the world. Te lawyer further contended that the acts of the defendant in
sending the E-Mails had resulted in invasion of legal rights of the plaintis. Further, it was argued that the
Cyber security_Chapter 11.indd 636 2011-03-25 10:34:42 AM
Cybercrime: Illustrations, Examples and Mini-Cases 637
defendant is under a duty not to send the aforesaid E-Mails. After the claimant company made a discovery
that the said worker of their organization was possibly involved in the act of sending oensive E-Mails, the
claimant terminated the services of the defendant.
After hearing detailed arguments of the lawyer, Honorable Justice J.D. Kapoor of the Delhi High
Court passed an ex-parte ad interim injunction observing that a prima facie case had been made out by
the plainti. As a result, the Delhi High Court stopped the defendant from sending defamatory obscene
derogatory, humiliating, vulgar and abusive E-Mails either to the plaintis or to its associate companies
and/or sister concerns all over the world including their Managing Directors and their Sales and Marketing
departments. In addition, Honorable Justice J.D. Kapoor also stopped the defendant from transmitting,
publishing, or causing to be published any information in the physical world as well as in cyberspace
which is deprecating or slanderous or oensive to the plaintis.
Te matter was posted for 4 October 2001. Tis decree by Delhi High Court has remarkable
meaning because this is for the rst time that an Indian Court assumes authority in a matter concern-
ing cyberde famation and grants an ex-parte injunction restraining the defendant from defaming the
plaintis by sending derogatory, defamatory, abusive and obscene E-Mails either to the plaintis or their
subsidiaries.
11.3.18 Mini-Case 18: Indian Cases of Cybersquatting
Te term cybersquatting is explained in Chapter 1 (Box 1.1). It is reproduced here again for readers
quick reference to understand the examples presented below. Cybersquatting means registering a popular Internet
address usually a company name with the aim of selling it to its lawful owner. After presenting the short
examples, we have summarized the learning points.
Yahoo Inc. vs. Akash Arora Case of Cybersquatting
Tis is probably the rst reported Indian case wherein the plainti (the person who lodges the complaint)
is the registered owner of the domain name yahoo.com and the plainti succeeded in obtaining an interim
order restraining the defendants and agents from dealing in service or goods on the Internet or otherwise
under the domain name yahooindia.com or any other trademark/domain name which is misleadingly
analogous to the plaintis trademark Yahoo. As on the date of writing this, there are only a small number
of reported judgments in our country; however, newspaper reports and information from dependable
sources indicate that there are at least 25 disputes pertaining to domain names pending before the Delhi
High Court itself. Refer also to the mini-case under Section 11.3.7.
Tata Sons Ltd vs. Ramadasoft Case of Cybersquatting
Tis cybersquatting case involved Tata Sons Ltd vs. Ramadasoft. Tata Sons is the holding company of Indias
largest industrial corporation, the Tata Group. Tata Sons won a case to evict a cybersquatter from 10 contested
Internet domain names. Tata Sons had led a complaint at the World Intellectual Property Organization.
Te respondent was proceeded ex-parte. As explained earlier, an ex-parte decision is one decided by a judge
without requiring all of the parties to the controversy to be present. Te board reached a conclusion that
the respondent owns the domain names. Tese domain names are confusingly similar to the complainants
trademark TATA, and the respondent has no rights or legitimate interests in respect of the domain names,
and he has registered and used the domain names in bad faith. Tese facts permit the plainti to an order
transferring the domain names from the respondent.
Cyber security_Chapter 11.indd 637 2011-03-25 10:34:42 AM
638 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
SBI Cards and Payment Services Private Limited vs. Domain Active Pty. Limited
Tis is the case that involved SBI Cards and Payment Services Private Limited vs. Domain Active Pty.
Limited. Sbicards.com was ordered by the World Intellectual Property Organization (WIPO) to be trans-
ferred to the Indian Company from an Australian entity, which hijacked the domain name hoping to later
sell it for a hefty sum to the State Bank of India subsidiary. Te panel accepted SBI Card counsels argument
that the Australian company was in the business of buying and selling domain name through its website.
Mahindra & Mahindra Limited (M&M) Case
Yet another Indian instance of cybersquatting involved Mahindra & Mahindra Limited (M&M). In this
case, a young student residing in Andhra Pradesh registered the domain names mahindra.com, mahindra.
net and mahindra.org, in his name. M&M made an appeal to the WIPO saying that they had registered the
name Mahindra as the registered trademark in India and the US. As per the order passed by the panelists,
the domain names were to be immediately transferred in favor of the Indian company.
Titan Industries Ltd. vs. Prashanth Koorapati and Others
In this case of Titan Industries Ltd. vs. Prashanth Koorapati & Ors., the Delhi High Court sanctioned
an ex-parte ad interim restriction (i.e., in the meantime) to restrain the defendants from using the name
TANISHQ on the Internet or otherwise and from committing any other act as is likely to lead to passing o
of the business and goods of the defendants as the business and goods of the plainti.
Bennett Coleman & Co Ltd. vs. Steven S Lalwani Case
Tis is another interesting case of cybersquatting. Since 1996, the complainant has been holding the domain name
www.economictimes.com, for electronically publishing it in newspapers. Te plainti had registered in India this
mark for literary purposes. However, in 1998, Steven S. Lalwani, US, registered the same domain name.
Te WIPO judgment made it clear that the complainant have a very substantial reputation in their
newspaper titles arising from their daily use in hard copy and electronic publication. It was also rmly
held that the registration and use of the domain names by the respondents is not in good faith in that their use
meant an intentional attempt to attract (with commercial gain as the purpose), Internet users to their websites
by creating a possibility of misunderstanding with the complainants marks as to the source, s ponsorships,
a liation or endorsement of those websites and the services on them.
Rediff Communication Limited vs. Cyberbooth Case
In Redi Communications Ltd. vs. Cyberbooth, petitioner, the proprietor of the well-known portal and
domain name redi.com led for embargo against the defendant, registrant of the domain name redi.com.
Te Judge was convinced that there was a clear intention to deceive and granted interim relief to the plain-
ti. Te judge a rmed that a domain name is more than an Internet address and is entitled to as much
protection as that provided for a trademark.
Te terms IPR, Copyright, Trademark, Trade secret, etc. are explained in Ref. #1, Books, Further Reading
and also in Chapter 10 (Section 10.2). Te discussion here assumes that readers are familiar with these terms.
Cyber security_Chapter 11.indd 638 2011-03-25 10:34:42 AM
Cybercrime: Illustrations, Examples and Mini-Cases 639
If not, we recommend readers to refer to the said chapter of the book mentioned. To know about Indian
Trademark Law, we have provided links in Ref. #71, Additional Useful Web References, Further Reading.
Te various statues dealing with Intellectual Property Laws in India are as follows:
1. Trademarks Act 1999 (see Appendix S).
2. Copyright Act 1957 (see Appendix T).
3. Patents Act 1970 as amended by Patents (Amendments) Act 2005 (see Appendix R).
4. Designs Act 2005.
5. Code of Civil Procedures 1908.
6. Indian Penal Code 1860 (see Appendix P).
7. Geographical Indication of Goods (Registration & Protection) Act 1999.
8. Semiconductor, Integrated Circuit Layout Design Act 2000.
9. Plants Varieties Protection and Farmers Rights Act 2001.
10. Information Technology Act 2000 (see Appendix O).
From the cybersquatting examples described so far, note the following points:
1. Te trademark law has been drastically broadened to accommodate domain name disputes.
However, in authors opinion, the trademark law should not be too widely broadened to confer upon
trademark owners the rights that they otherwise are not entitled to. Te tricky question is whether
the law will eventually give large trademark owners property rights in domain names, that is, the
ability to exclude others from using them. In deciding how far the trademark laws should reach,
it may become essential to revisit the rationale behind trademark protections. Trademark protection
is meant to provide consumers with exact information about the merchandise and services presented
by the mark, and to provide incentives to companies so that they become interested in investing in
their marks and also to enhance quality control. Trademarks, therefore, lower consumer search costs
and promote the economic functioning of the market. Marks themselves are not protected, but
the law protects the goodwill the marks embody.
2. Allowing exclusive rights in domain names will put o companies from using names that are already
used. Conventional nancial explanation for trademark law rests on the premise that there is an
countless number of marks available. However, there are only a limited number of domain names
available.
3. One more area of concern with such a right is that it would allow trademark owners to preclude
others from using not only one but several marks. It is now a general practice for companies to
register all possible domain names they can think of, that contain their company name. For example,
Exxon currently holds the rights of over more than 120 domain names incorporating the word
EXXON.
4. Te current law seems to endorse protection of large companies more, that is, those who want rights
in every possible variations of their name.
5. From a realistic point of view, the current expansion in law gives trademark owners a signicant
amount of leverage. For example, often people with genuine interests in their domain names cannot
pay for ghting with trademark owners. Naturally, this will force many to simply turn over their
rights in order to avoid corporate bullying.
Do refer to the Intellectual Property in the Cyberspace discussion in Section 10.2 of Chapter 10 that
discussion will provide greater details of IP.
Cyber security_Chapter 11.indd 639 2011-03-25 10:34:42 AM
640 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
11.3.19 Mini-Case 19: Swedish Case of Hacking and Theft
of Trade Secrets
Stealing of IPR/trade secrets is one of the major threats to industries and individuals in the modern era.
Here is a real-life scenario on that. Two well-known organizations co-operated with Government for the
investigation of this case.
Philip Gabriel Pettersson, a.k.a. Stakkato, aged 21, a Swedish national, was indicted on 17 May 2009
on the grounds of intrusion and trade secret theft charges. Tis was announced by the US Attorney for the
Northern District of California and the Justice Departments Criminal Division.
Te charges included one intrusion attempt and two attempts of trade secret misappropriation involv-
ing Cisco Systems Inc. (Cisco), San Jose, CA, a provider of computer network equipment and producer
of Internet routers. As per allegations in the condemnation, Pettersson purposely committed an intrusion
between 12 May 2004 and 13 May 2004 into the computer system and network of Cisco. It was alleged that
during the suspected intrusion, some Cisco Inter-network operating system code was misappropriated. Te
accusation also included two intrusion attempts involving the National Aeronautics and Space Administration
(NASA), including computers at the Ames Research Center and the NASA Advanced Supercomputing
Division, located at Moett Field, CA. Te accusation alleges Pettersson committed these intrusions on
19 May 2004, 20 May 2004 and 22 October 2004.
Cisco and NASA cooperated in the governments investigation. Following the incident, Cisco reported that
they could not believe that any customer information, partner information or nancial systems were aected.
Te Department of Justice worked in cooperation with the Swedish authorities on this case. From legal per-
spective, it is to be noted that an indictment is merely an accusation. All defendants are presumed innocent
until proven guilty at trial beyond a reasonable doubt. Te maximum penalty for each charge of intrusion and
theft of trade secrets is 10 years in prison, a 3-year term of supervised release, and a ne of $250,000.
Te prosecution was the result of an investigation by the FBI; US Secret Service; NASA O ce of
Inspector General, O ce of Investigations, Computer Crimes Division; and numerous additional federal
agencies. A senior o cer at the Criminal Divisions Computer Crime and Intellectual Property Section
(CCIPS) prosecuted the case with assistance from other o cers. CCIPS Senior Counsel also assisted in the
prosecution. Te Criminal Divisions O ce of International Aairs assisted on international coordination
issues in the case.
Source: www.cybercrime.gov
11.3.20 Mini-Case 20: IPR Violation
Intellectual property stealing is mentioned in Chapters 1 and 9. Intellectual Property in the Cyberspace
is explained in Chapter 10 (Section 10.2). Tis example involves a counterfeit software program. Below is
explained how this crime happened in real life.
On 12 June 2009, Rodolfo Rodriguez Cabrera, aged 43, a Cuban national, and Henry Mantilla, aged 35,
of Cape Coral, FL, were accused about a plot to manufacture and sell fake International Game Technology
(IGT)-brand video gaming machines, commonly known as slot machines, and counterfeit IGT computer
programs. Cabrera was arrested on 8 June 2009, based on the indictment. Mantilla was scheduled to appear
based on a summon in the US District Court for the District of Nevada on 2 July 2009.
As per the indictment, Cabrera was the owner as well as operator of a company called FE Electronic in
Riga, Latvia, and Mantilla owned and operated a company named Southeast Gaming Inc., in Cape Coral,
FL. Te indictment makes an allegation that during the period that spanned between August 2007 and
15 April 2009, Cabrera and Mantilla were part of the conspiracy that involved making illegal copies of IGT
Cyber security_Chapter 11.indd 640 2011-03-25 10:34:42 AM
Cybercrime: Illustrations, Examples and Mini-Cases 641
video gaming machine computer programs, placing counterfeit labels bearing IGTs registered trademark on
the computer programs, installing the counterfeit computer programs in IGT gaming machine cabinets and
then sell the counterfeit computer programs and gaming machines through their respective companies. Tey
did all this without the permission of the trademark and copyright owner, IGT.
Te charge against Cabrera and Mantilla indicated that they were involved with a conspiracy of tra ck-
ing in counterfeit goods, tra cking in counterfeit labels and criminal copyright infringement. If convicted
of all charges, each defendant faces a maximum of up to 45 years in prison and $5.25 million in nes. Te
accusation also contains 13 penalty allegations that require the defendants, if convicted, to forfeit any and all
counterfeit items and to forfeit up to $5 million in proceeds from their alleged criminal activity.
Te case was investigated by the FBI and prosecuted by Assistant US Attorney of the US Attorneys O ce
for the District of Nevada and Trial Attorney of the Criminal Divisions Computer Crime and Intellectual
Property Section (CCIPS). Signicant assistance came in this case from the Central Criminal Police
Department of the Latvian Ministry of Interior; Latvias O ce of the Prosecutor General, International
Cooperation Division; and Senior Trial Attorney Deborah Gaynus of the Criminal Divisions O ce of
International Aairs. CCIPS Trial Attorney also assisted with the prosecution. IGT also provided assistance
in this matter. An indictment is merely a formal charge by the grand jury. As legal professionals know, a
defendant is assumed to be innocent unless and until proven guilty in a court of law.
Source: www.usdoj.gov
11.3.21 Mini-Case 21: Indian E-Mail Spoong Case
Tis is a case registered by the Indian police as the rst case of cyberstalking in Delhi. To maintain conden-
tiality and privacy of the entities involved, we have masked their names. Mrs. Joshi received almost 40 calls
in 3 days mostly at odd hours from as far away as Kuwait, Cochin, Bombay and Ahmedabad. Tese calls
created havoc in the personal life destroying mental peace of Mrs. Joshi. She decided to register a complaint
with Delhi Police. A person was using her ID to chat over the Internet at the website www.mirc.com, mostly
in the Delhi channel for 4 consecutive days. Te person was chatting on the Internet, using her name and
giving her address, talking in profane language. Te same person was also deliberately giving her telephone
number to other chatters encouraging them to call Mrs. Joshi at odd hours.
While cyberstalking does not have a standard denition, it means threatening, unwarranted behavior
or advances directed by one person toward another person using Internet and other forms of online
communication channels as medium.
Tis ends all the mini-cases of this section and now we move on to illustrations of nancial crimes in the
banking domain including the credit card frauds.
11.4 Illustrations of Financial Frauds in Cyber Domain
In this section, we have provided illustrations of banking frauds (including credit card-related crimes), online
gambling, IPR crimes, digital media piracy, hacking, computer frauds, website attacks, counterfeit hardware, mali-
cious use of the Internet, social networking victims, etc. Table 11.3 lists the illustrations provided in this section.
11.4.1 Banking-Related Frauds
Illustration 1: Stolen Credit Card Information
In the introduction section, it was mentioned that cybercriminals operate beyond geographic boundaries. With
the background of credit card frauds addressed in Chapter 5 (under Phishing), this case is interesting to read.
Cyber security_Chapter 11.indd 641 2011-03-25 10:34:42 AM
642 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Table 11.3 | List of illustrations in Section 11.4
Illustration
No.
Title Topic Chapter
Cross-Reference
1 Stolen Credit Card Information Phishing and credit card
frauds (banking frauds)
Chapter 5
2 Phishing Incidence Phishing (credit card frauds) Chapter 5
3 Online Credit Card Teft Ring Credit card frauds Chapter 5
4 Understanding Credit Card Fraud Scenarios Credit card frauds Chapter 5
5 ShadowCrew the Internet Maa Gang Credit card frauds
6 Dirty Relations Goods Delivery Fraud Frauds from online purchasing
7 Fake Mails Promising Tax Refunds: Beware Internet banking Chapters 2 and 4
8 Phone Scam Targets Your Bank Account DoS (denial-of-service) attack Chapters 1, 3
and 4
9 Cookies and Beacons Te Facebook
Controversy
Cookies and Beacons
10 Privacy Loss through Leakage of Users
Facebook Proles
Personal privacy loss leading to
cybercrimes
Chapter 5
11 Debit Card Frauds Global Wave in Real Life Financial frauds with debit card
Stolen credit card information is savored by cybercriminals. DarkMarket is an English-speaking Internet
cybercrime forum created by Renukanth Subramaniam in London. It was shut down in 2008 after an FBI agent
inltrated it, leading to more than 60 arrests worldwide. Renukanth Subramaniam admitted conspiracy to defraud
and was sentenced to nearly 5 years in prison in February 2010. Te website permitted buyers and sellers of
stolen identities and credit card data to meet on the Net and establish a criminal enterprise in an entrepre-
neurial, peer-reviewed environment. It had 2,500 users at its peak, according to the FBI.
To the casual observer, there was not much to dierentiate the Java Bean Internet cafe in Wembley from
the hundreds of others in the capital. But to the surveillance o cers staking it out month after month, this
ordinary looking venue was the key to busting an astonishing and complicated network of cybercriminals. Tere
were many computers inside the caf and a former pizza bar employee ran an i nternational cyber super-
market for selling stolen credit card and account details, costing the banking industry tens of millions.
Renukanth Subramaniam, aged 33, was revealed as the founder and a major orchestrator of the secret
DarkMarket website, where elite fraudsters bought and sold personal data, before it was inltrated by the
FBI and the US Secret Service. Membership to DarkMarket was strictly by invitation. But once vetted, its
2,000 sellers and buyers traded the whole lot from card details (obtained through hacking, Phishing attacks
visit Chapter 5 for details of Phishing and ATM skimming devices), to viruses using which buyers could
extract money by threatening company websites. Tis top cybercrime site in the world oered online tutori-
als in illicit topics such as account takeovers, credit card deception and money laundering. Tere were equip-
ments such as false ATM, pin machines as well as everything needed to set up a credit card factory.
Subramaniam, a Sri Lankan-born British citizen, was a past member of ShadowCrews predecessor.
Subramaniam worked at Pizza Hut and as a dispatch courier. In 2004, the US Secret Service
uncovered ShadowCrew. JiLsi was one of the uppermost cybercriminal in the country. With this criminal,
Subramaniam managed to set up a forum globally. Without JiLsi, DarkMarket was just not possible
that was the close associaton and deep involvement that JiLsi had with DarkMarket. In spite of this being
Cyber security_Chapter 11.indd 642 2011-03-28 4:27:17 PM
Cybercrime: Illustrations, Examples and Mini-Cases 643
so, DarkMarkets 2,000 members could never meet JiLsi in real life he truly was a shadow operator!
Somehow, DarkMarket was nicky about banning rippers who would deceive other criminals. Honor
among thieves was paramount. Subramaniam was one of the top administrators. He stored his operating
system on memory sticks. But when one of his memory sticks was stolen, it cost him 100,000 in losses.
It also resulted in compromising the sites security. With this mishap, Subramaniam was downgraded to
merely a reviewer. Surveillance o cers trapped him logging on to the website when JiLsi was unaware that
the fellow criminal MasterSplyntr whom he trusted was, in fact, an FBI agent called Keith Mularski.
Illustration 2: Phishing Incidence
Phishing is explained in Chapter 5 and here is an illustration of Phishing attack in real life. According to the
news posted on 14 April 2010 (Ref. #72, Additional Useful Web References), it could well be termed Indias
rst legal adjudication of a dispute raised by a victim of a cybercrime. Te judgment for the rst case was
led under the IT Act. In this judgment, Tamil Nadus IT Secretary ordered ICICI Bank to pay ` 12.85
lakhs (` 12,85,000) to an Abu Dhabi-based NRI within 60 days in compensation for the loss suered
by him as a result of a Phishing fraud. Phishing is an Internet fraud through which cybercriminals illegally
obtain sensitive information such as usernames, passwords and credit card details by masquerading as a
trustworthy entity.
In this case, the reimbursement, that is the compensation, included the loss suered by the supplicant,
the travel expenses and the nancial loss incurred due to complete lack of involvement of the respondent
bank as per order from Tamil Nadus IT Secretary. Te order came based on an appeal (i.e., petition) that
was led by Umashankar Sivasubramaniam. As per Umashankars claim, he received an E-Mail in September
2007 from ICICI, asking him to reply with his Internet banking username and password or else his account
would become non-existent. He replied and later he found ` 6.46 lakhs (` 6,46,000) moved from his
account to the account of another company. Tat company did a withdrawal of ` 4.6 lakhs (` 4,60,000)
from an ICICI branch in Mumbai and retained the balance in its account.
An application was prepared as arbitration for proceedings under the IT Act. Te application was presented
to the state IT Secretary on 26 June 2008. In that application, Umashankar held the bank responsible for
the loss that he suered. ICICI Bank, however, claimed that the applicant (Umashankar) had failed to pro-
tect his condential information. According to ICICI Bank, Umashankar carelessly disclosed his c ondential
information such as password. According to the bank, he became the victim of a Phishing attack because of this
carelessness. Bank spokesperson said that customers are fully apprised on security aspects of Internet banking
through various means. ICICI Bank o cials empathetically said that banks security s ystems are continu-
ously audited and neither the security nor banks processes have been breached.
Te bank decided to appeal the order. Te bank spokesperson said that ICICI Bank endeavors to oer
world-class service to its customers. Tey further said that they have hundreds types of transactions, which
can be completed online without having to walk into a branch. Further, they added that the bank strives
for convenience and safety of their customers and uninterrupted availability of services through self-service
channels. Te bank claims that they also continuously upgrade their systems and technology to ensure that
customers get the best experience and a safe environment while transacting online.
Vijayashankarm a techno-legal consultant appeared for the petitioner. According to him, while the order
may lead to tightening of cyberlaws in the country, the judgment reects the lack of accountability of using
Internet banking. He further opined that, although Phishing fraud is very common, banks are not accepting the
liabilities. In his view, such a ruling will set a good precedent. In India, although there are 300-odd cases of
Phishing attacks recorded or contended, most cases do not get pursued under proper legal framework. Some
such cases were led at consumer courts. Figure 11.4 conceptually depicts the fate of cybercrimes.
Cyber security_Chapter 11.indd 643 2011-03-25 10:34:42 AM
644 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
11.4.2 Credit Card-Related Frauds
Illustration 3: Online Credit Card Theft Ring
Phishing and credit card frauds are addressed in Chapter 5. Here is a real-life example about that. Tis case
took place in June 2009 and involved 36-year-old Max Ray Butler (also known as Max Ray Vision) resident
of San Francisco, California. Max pleaded guilty in Federal Court in Pittsburgh to wire fraud charges to
two counts before Senior US District Judge. In connection with the guilty plea, the attorney mentioned in
the court that Butler, known widely on the Internet as Iceman, among other aliases, conducted computer
hacking and identity theft on the Internet on a massive scale. As part of the conspiracy, Butler cracked into
nancial institutions, credit card processing centers as well as other secure computers with the illicit purpose
of acquiring credit card account information and other personal identication information. Several of these
cards were made available to Christopher Aragon he was a partner in crime and was based in the Los
Angeles area. Christopher used these cards with the help of a team of associates to buy up commodities for
sale. Max sold the remaining card numbers out-and-out over the Internet.
Max and Christopher formed a website known as CardersMarket. Tey devoted this crafty site for the
acquisition, utilization and sale of credit card account information. Tis illicit process is known as carding.
A main intention of the site was to employ brilliant individuals to assist in carding activity. During the
best of times (from criminals view point), CardersMarket had approximately 4,500 worldwide members!
Refer to Figure 11.5 to understand the entities involved in credit card transactions.
Max was arrested on a criminal complaint on 5 September 2007 in San Francisco. A search of the com-
puter systems in Maxs apartment revealed more than 1.8 million stolen credit card account numbers. When
these card account numbers were provided to Visa, MasterCard, American Express and Discover, it was
revealed that the amount of fraudulent charges on the cards in Maxs possession totaled approximately $86.4
million. Tese losses had to be borne by the thousands of banks that issued the cards. On 20 October 2009,
Sentenced
Brought to court
Investigated
Reported
Total cases
Criminality Figures
Figure 11.4 | Fate of cybercrime cases (total cases-to-sentenced cases).
Cyber security_Chapter 11.indd 644 2011-03-25 10:34:42 AM
Cybercrime: Illustrations, Examples and Mini-Cases 645
punishment was handed: 30 years in prison, a ne of $1,000,000 or both and that is what the law
could provide as a maximum sentence. As per Federal Sentencing Guidelines, the actual sentence imposed
was based on the gravity of the oense and the previous criminal history, if any, of the accused. Many
agencies were involved in inquiry of Maxs illegal activities Computer Crime and Intellectual Property
Section (CCIPS) of the Department of Justice; the Federal Bureau of Investigation; the Vancouver Police
Department, Vancouver, Canada; the Newport Beach Police Department, Newport Beach, California; and
the Orange County Sheris Department, Orange County, California; and the US Attorneys O ce for the
Northern District of California.
If we wonder what happens to the stolen credit card data, the following dark market price i nformation
below is shocking as well as an eye opener. One can well imagine how this information must be rapidly
exchanging hands in the global black market (this information is as current at the time of writing this;
authors by no means have any validation responsibility here):
1. Data Dumps from magnetic stripes on batches of 10 cards are sold.
2. Standard cards: $50. Gold/platinum: $80. Corporate: $180.
3. Card verication values information needed for online transactions: $3$10 depending on quality.
4. Complete information/change of billing information needed for opening or taking over account
details $150 for account with $10,000 balance; $300 for one with $20,000 balance.
5. Skimmer device to read card data up to $7,000.
6. Bank log-ins 2% of available balance.
7. Hire of Botnet Software robots used in Spam attacks $50 a day (Botnets are explained in Section
2.6 of Chapter 2).
8. Credit card images: Both sides of card $30 each.
may or may not
be the same as
uses card to
buy from
provides
processing
services to
is a member of is a member of
issues cards to
MasterCard
and/or
Acquirer
Merchant
Cardholder
Issuer
Figure 11.5
|
Entities involved in credit card transactions.
Source: Authors presentation in PCI-DSS awareness sessions for industry professionals.
Cyber security_Chapter 11.indd 645 2011-03-25 10:34:42 AM
646 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
As known to law professionals, an indictment is only a charge and is not an evidence of guilt. A defendant is
presumed innocent and is entitled to a fair trial at which the government must prove guilt beyond a reason-
able doubt.
Source: www.cybercrime.gov
Illustration 4: Understanding Credit Card Fraud Scenarios
In Chapter 5, we learned about Phishing and credit card frauds are addressed in Chapter 3. What is
explained here is based on that background. Figure 11.6 presents a schema for categorizing credit card frauds.
Figure 11.5 shows main entities involved in the normal credit card transactions. Not all types depicted in
Fig. 11.6 fall under cybercrime; however, given the rise in the number of electronic transactions handled
over the Internet, most would be. Note that a fraud can be dened as willful deceit or trickery or a decep-
tive or spurious act. In an era of advanced technology, it should be easy to catch criminals and fraudsters.
However, the reality is far from this. Credit cards are not anonymous like the paper money and so, their
theft can be traced. Criminals and fraudsters do not give up; in fact, they make themselves technology savvy
to keep ahead in the game! Tey are led by the single aim of reaping the monetary benets and satisfying
that ego! Te key entities involved in credit card transactions, are shown in Fig. 11.5 their role is briey
described for reference during the fraud scenarios described in the next section.
Tere are more than 50 dierent types of cards available in the market we have considered only the
major ones. Visa and MasterCard are made up of member organizations who can be either acquirers or issu-
ers (or both). Acquirers are the members of the Visa or MasterCard organizations that handle Merchants.
Issuers are the members of the Visa or MasterCard organizations that issue the cards to cardholders.
Merchants are those entities who accept card transactions. Service Providers are the entities that pro-
vide services related to the processing, storing or transportation of card information on behalf of any of the
entities mentioned (Issuers, Acquirers, Merchants). With that preamble, a few scenarios relating to credit
card frauds are now explained. Keep in mind the classication chart of credit card frauds shown in Fig. 11.6.
Some of them are described in the following pages. In the reference section, links to credit card fraud related
video clips are provided in Refs. #1, 2, 3 and 4, Video Clips, Further Reading.
Classification of Credit Card Frauds
Application
fraud
Lost/
stolen
fraud
Merchant
collusion
Multiple
imprints
ROC
pumping
Altered
card
Skimming ATM
fraud
Validity
date
Card
number
Signature
panel
Magnetic
strip
Trapping
Operational
fraud
Fake
ATMs
Shoulder
surfing*
Special
frauds
Hit and
run
Carding
Phishing
Terminal
take-over
fraud
Figure 11.6
|
Credit card fraud classication.
*Shoulder surng is explained in Chapter 2 (Section 2.3.1).
Cyber security_Chapter 11.indd 646 2011-03-25 10:34:43 AM
Cybercrime: Illustrations, Examples and Mini-Cases 647
Credit Card Application Fraud
In an Application Fraud, the fraudster obtains information about a person who is eligible for getting a credit
card and has applied for it. Te fraudster then makes his/her application to the Issuer with that persons details
except for the residential address. Te residential address of the actual applicant is substituted by fraudsters
(mostly temporary) address. Te issuer, not being aware of this, would end up sending the card at that address!
In another variety of this fraud scenario, the fraudster obtains the card details of an already existing card
member (this is done through Phishing attacks). He then calls up the call center of the issuing organization,
pretending to be the actual card owner. He reports the card as lost and asks them to issue a replacement card
at his address, informing them also about the change of address. Now, if the issuing organization ( typically a
bank) is not security-savvy enough to call the actual card holder to validate if he/she indeed had make such
a request, the fraudster will get a genuine card at the cost of the scape goat (the actual card owner) to run up
whopping bills for his/her own use (which they normally are smart enough to avoid) or to sell the card in
the dark market the dark market rates for stolen information were mentioned in Illustration 3.
With the growing number of Internet-based applications for credit card, obtaining such information
would be possible with a man-in-the-middle attack launched. In a typical man-in-the-middle attack, elec-
tronic messages, transmitted through the Internet, are intercepted. Man-in-the-middle attack is illustrated
in Fig. 11.7. Also recall that passive and active attacks were explained in Chapter 2 (Sections 2.2.2 and
2.2.3, respectively). Tese attacks are also explained in Chapter 4 (Section 4.4). Te man-in-the-middle
attack intercepts communication taking place between two systems. Tese attacks are also explained in
Sections 4.4.1, 4.12 and Table 4.19 in Chapter 4. For example, in an http transaction the target is the TCP
connection between client and server. With the use of dierent techniques, the attacker divides the original
TCP connection into two separate and new connections one between the client (i.e., the victims machine)
and the attacker and the other between the attacker and the server, as shown in Fig. 11.7. Once the TCP
connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the
intercepted communication.
Figure 11.7 | Man-in-the-middle attack.
Original
connection
Attackers
machine
Web
server
Victims
machine
MITM
connection
Cyber security_Chapter 11.indd 647 2011-03-25 10:34:43 AM
648 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Frauds Involving Lost and Stolen Credit Cards
In this scenario, it can so happen that a card holder genuinely loses his/her credit card when he forgets to
collect it from the ATM (Automatic Teller Machine most credit cards can be used to also withdraw cash
from ATMs). Card holder may also forget to collect his/her credit card after signing for the goods purchased.
Tere are also many other ways to lose the credit card (leaving the wallet/purse behind in which the card is or
the card getting dropped out of pocket or wallet, etc.) When the fraudster nds a lost card, either he himself
uses that for shopping (which is not what the fraudster would typically do) or he sells the lost card to a gang
with whom he works. Tere are many agencies that specialize in credit card-related crimes. For example,
the Russian Business Network (RBN) is a multifaceted cybercrime organization, specializing in some cases
monopolizing personal identity theft for resale! RBN was registered as an Internet site in 2006. Initially,
much of its activity was legitimate. It appeared that the founders soon found that it was more l ucrative to
host illegal activities and started hiring criminals for their services. RBN provides web hosting services and
Internet access to all types of criminal and oensive activities, with individual activities earning up to $150
million in 1 year! Recall DarkMarket described in Illustration 1.
Such gangs have multiple layers of operations with many counterparts. Some of them are called runners.
Teir job is to show their face in the shops by physically visiting the shops for small amount purchases with
the objective of ascertaining whether the lost card is put on hold or if it is on hot list. In other words,
runners are hired to nd out the validity of lost/stolen cards. If the card is found to be clean, the fraudster
would either use the card immediately for a high value purchase (by forging the signature of course) or will
sell it in the dark market. Dark market rates for stolen/lost credit cards were mentioned in Illustration 3:
Online Credit Card Teft Ring.
The Fraud through Merchant Collusion
Tis fraud occurs when the Merchant joins hands with the fraudster by providing details of the genuine
cards in return for a share of the returns from this manipulation. Te merchant can allow members of a
gang to use his terminal as a host in order to transfer information on credit cards, which are swiped at the
merchants terminal. One way of doing this is that another swipe slot is kept hidden or discreetly near the
actual swipe machine at the Point of Sale (PoS) terminal at the merchants establishment. Always be wary
and be on the look-out if the merchant is scanning your card more than once for one pretext or the other.
For example, by asking you to let him scan it again because the rst scan was not successful. Also, never
loose site of your credit card. Always insist that you want your credit card to be swiped in your presence: be it
a restaurant or a brand hotel (ve stars hotels, etc.). Tis is important because, as a part of collusion, once
the merchant allows his terminal to the members of the fraudster gang in order to transfer the condential
information on the magnetic card on the credit card, that information is gone in the wrong hands! Te
fraudsters terminal, known as the receptor (because it receives the information), downloads the conden-
tial details of the genuine card from the host terminal. Tis stolen information can be used in a number of
ways to cheat the Issuers, at a later date. Te information can be used to manufacture counterfeit cards or
to obtain genuine cards by reporting the card as lost or to defraud by mail order. In the reference section
at the end of this chapter, we have provided a video link in Ref. #4, Video Clips, Further Reading to show
how they fake a card.
Tere are instances where the customer also colludes with the Merchant to cheat the Issuer. Customer
uses the card at the Merchant establishment, that is, a shop/mall, for a single transaction but allows the
Merchant to take multiple prints of the charge slip. Te Merchant submits these charge slips with forged
signatures and obtains the payment due to him (the Merchant) from the Acquirer (see the transactions
ow depicted in Fig. 11.5). At the end of the card holders billing cycle, when the credit card statement is
Cyber security_Chapter 11.indd 648 2011-03-25 10:34:43 AM
Cybercrime: Illustrations, Examples and Mini-Cases 649
presented for payment, the card holder disputes the charge by claiming that the transactions are fradulent
and refuses to pay. Meanwhile, the merchant has already recovered his sale due amount. Because the card
holder refuses to pay the Issuer (typically the bank), it is the Issuer who has to bear the loss. Te problem is
that it is di cult to prove such collusion. Until and unless the same card holder keeps appearing in many
such cases of frauds, tracing becomes di cult. It is said that the card issuers assume a certain small percent
of their overall transactions volume, as bad debt and levy it across their base of card holders (which runs in
thousands and thousands). Tey present it in the charge statement as a line item.
Frauds at the ATMs
Card frauds and operation frauds are the two main types of ATM frauds. Research by Retail Banking e stimates
that worldwide, there are more than 1.5 million ATM (Automated Tailor Machines sometimes jocularly
referred as Any-Time-Money!). It is said that a new ATM gets installed every ve minutes somewhere in
the world! All around the world, people carry out successful ATM transactions (withdrawing money from
their bank accounts, viewing their bank balance, etc.). For more than three decades, ATM operations have
been going on successfully. However, that does not mean that ATMs are completely risk-free. ATMs, like
most other devices that are designed to store and dispense valuable items, have been targets of frauds. ATM
thefts, burglaries and electronic frauds committed at the ATM make news lines almost daily, all over the
world. Most of the ATM frauds reported by media as debit card frauds are to do with the compromise
of Personal Identication Number (PIN). PIN and credit card code are explained later in this section. As
per reports of Global ATM Security Alliance, only 0.0016% of all ATM transactions are impacted by crime
or fraud worldwide. Notwithstanding this claim of secure ATM transactions, ATM fraud and security or
rather the lack of it is one of the most popular topics in the media!
In Europe, Card Skimming (Fig. 11.8 shows how the skimmer device looks) fraud is one of the big-
gest crimes aecting ATMs. Card skimming at ATMs caused losses of 44 million Euros across Europe and
is known to be a source of funding for criminal operations in the East European countries. Cash trapping
and transactional reversal crimes are on the rise; especially in Eastern Europe. Tieves x a device to the cash
dispensing slot of the ATM this action causes currency notes to get stuck inside the slot. Criminals return later to
remove the cash from inside the dispenser. Trapping attacks like these resulted in losses amounting to 2 mil-
lion Euros in 2005. ATM market is growing fast in Latin America and highly advanced ATM machines are
deployed in this region. ATM card fraud in the Latin American region increased by nearly 15% in the last 5
years. In the Asian region, China and India are the fastest growing ATM markets. China now has more than
86,000 ATMs and the Indian ATM market is growing at the rate of 100% annually as per reports of Frost
and Sullivan. Te top ATM fraud in Asia is ATM dispenser trapping. Asia has one of the worlds highest
Phishing attacks. You can read about Phishing in detail in Chapter 5. Refer to Ref. #5, Video Clips, Further
Reading for useful tips to protection from ATM thefts.
Carding Frauds
It was mentioned that carding involves acquisition, utilization and sale of credit card account information.
When a credit card is stolen, the thief does not know whether the card is valid. So the thief wants to nd out
about the status of the card (active, cancelled, etc.). From the thief s perspective, there are many possibilities
the card holder may have immediately reported the loss of the card or the card limit may have been com-
pletely used up. In such cases, the card is of no use to the thief. Te smart thief uses the Internet to ascertain
if the stolen card is still good for use. Te thief could use the stolen card to make a small amount purchase
using the online purchase facility on the Internet. However, that would involve the shipping address and
that would expose the thief. So the smart thief uses the stolen card for making a charity donation! Tat way,
Cyber security_Chapter 11.indd 649 2011-03-25 10:34:43 AM
650 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
the thief does not have to waste time in searching items on the product catalogues on the sale portal of any
online seller. Te thief makes the donation amount relatively small so that the card limit is not used up. He
does this for one more reason a large amount would make the transaction immediately noticeable. Carding
fraud is also used when the credit card is obtained fraudulently through card skimming (explained next) or
when a Phishing attack is done on the card.
Credit Card Skimming
Tips to prevent credit card frauds were addressed in Chapter 3 (see Box 3.2). Section 3.4 of Chapter 3 is
about credit card frauds. With that thread, the card skimming fraud is explained here. Card skimming is
done with skimmer devices; see Fig. 11.8. Te relative proportions in those images help us understand how
tiny the device is and that makes it simple for fraudster to conceal it out of view of the victim. Skimming is
in a way, fraudsters revenge on the Customer Verication Value (CVV see the links in Ref. #36, Additional
Useful Web References, Further Reading to understand this).
Figure 11.9 depicts where the card security code is located. Tis code has various terminologies attached
with it: Card Security Code (CSC), Card Verication Data (CVD), Card Verication Value (CVV or CV2),
Card Verication Value Code (CVVC), Card Verication Code (CVC), Verication Code (V-Code or V Code), or
Card Code Verication (CCV). Te CVV is an algorithm (software program logic) that is very di cult to
break. Te fraudster, therefore, does not take the trouble to break the code. He simply colludes with a single
merchant or with a group of merchants. He provides the merchant with the terminal number similar to the
one provided to the merchant by Acquirer or the bank (because in some cases the bank, that is, the Issuer
and the Acquirer, can be the same institution). Te only dierence is that the fraudsters terminal is capable
of also reading the card data that is recorded on the credit cards magnetic strip. Te swiping equipment
provided by the Issuer bank/Acquirer can only process the data by connecting to the banks server but it
Figure 11.8 | Credit card skimmer devices.
Cyber security_Chapter 11.indd 650 2011-03-25 10:34:43 AM
Cybercrime: Illustrations, Examples and Mini-Cases 651
does not have the capability to record the data on the magnetic strip of the card. Now comes the criminal
act the fraudulent merchant or the fraudster working at the Merchants PoS (Point of Sale) terminal, swipes
your credit card twice of course without you realizing it; even if you notice it and bring it to his notice, he
will give you one explanation or the other why he swiped your credit card more than once. Now, the
card is swiped once across bank-provided swiping equipment and second time on the fraudsters terminal.
Te security code (CVV, CCV, etc.) which is encoded on the magnetic strip on the back side of the credit
card (see the top right object in Fig. 11.9), and is decoded on the terminal, gets recorded on the fraudsters
terminal. He now gets the genuine card information (card holder name, card number, date of validity) along
with the security code! His job is done and he is ready to use that information for creating fake credit card
(in Ref. #2, Video Clips, Further Reading, we have provided a link to the video clip that explains this). See
the credit card skimming video clip provided there.
It may so happen that in some restaurants, a waiter could have a collusion with a fraudster gang he
could hide the skimmer device in his socks. As you stand near the payment counter for your credit card to be
swiped, after taking the card from you, the waiter may pretend to drop it. Ten waiter will bend down to pick
up the card on its way up, the card would get swiped across the skimmer device in his socks and you may
never even realize it as this may happen in less than minute! In another variant of this scenario, the skimmer
device (with a slit type see Fig. 11.8) could be located next to the actual card swiping device authorized to
the merchant by the Acquirer. If you are not carefully watching, the fraudster colluding with the merchant
(he could very well be the PoS sta of the merchant) after swiping the card with the actual credit card swip-
ing machine (see Fig. 11.10), will swipe your credit card also through the skimmer device to read the con-
dential card details (card number, date of validity and most important the credit card security code CCV,
CVV, etc.) to his benet! You can watch one such video clip demo by visiting the link mentioned in Ref. #2,
Video Clips, Further Reading.
This number is printed on your Master Card & Visa cards in the signature area of the back of
the card. (it is the last 3 digits AFTER the credit card number in the signature area of the card).
You can find your four-digit card verification
number on the front of your American
Express credit card above the credit card
number on either the right or the left side of
your credit card.
Figure 11.9
|
Credit card security code.
Source: http://www.sti.nasa.gov/cvv.html
Cyber security_Chapter 11.indd 651 2011-03-25 10:34:43 AM
652 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Illustration 5: ShadowCrew The Internet Maa Gang
Tis is a case reported in the public domain. It shows how ruthlessly the criminals can operate in the world
of credit cards. Tis illustration has a lesson for all of us that we should take adequate care not to succumb
to credit card frauds. In Chapter 4 (Section 4.10), we learned about SQL Injection. Criminals used SQL
Injection technique in this case. Tis illustration also brings to fore an important point todays cyberfraud-
sters are tech-savvy people. Tat is how this hacker gang operated. Te links related to this illustration are
provided in Ref. #40, Additional Useful Web References, Further Reading.
ShadowCrew was an international crime message board. Te board oered a haven for carders and
hackers to trade, buy and sell anything from stolen personal information (through identity theft the topic
is discussed at length in Chapter 5) to hacked credit card numbers and false identication. As we know,
a bank card number is the primary account number found on credit cards and bank cards. It has a peculiar
type of internal structure and it also shares a common numbering scheme. Credit card numbers are a special
case of ISO/IEC 7812 bank card numbers. As mentioned in Illustration 3 (Online Credit Card Teft Ring),
CardersMarket is devoted to the acquisition, use and sale of credit card account information, a process
known as carding.
Te genesis of this fraud group is interesting in early 2002, ShadowCrew emerged from an under-
ground site, counterfeitlibrary.com, and was followed up by carderplanet.com, a primarily Russian site.
It was created by only a few of people, most notably Kidd (Seth Sanders), MacGyver (Kim Taylor) and
CumbaJohnny (Albert Gonzalez, who would later become an informant for the Secret Service beginning
April 2003). Other main people who would become Administrators and Moderators were Deck (Andrew
Mantovani), BlackOps (David Appleyard) and a handful of others.
Over a period of short time, ShadowCrew grew to over 3,000 members (many were clones and inactive
accounts) worldwide with a small group of members leading the forums. During its inception, the site
was hosted overseas, in Hong Kong. However, shortly before CumbaJohnnys arrest, the server was in his
possession. Te server was hosted somewhere in New Jersey. Te downfall of the site started although it had
ourished initially.
Te site was doing well from the time it was launched in 2002 until its shut down in late October 2004.
Although there were many criminal activities taking place on the site and all seemed well, the members
were not aware of what was going on behind the scenes. Federal agents received a major breakthrough
when they found CumbaJohnny. During the period April 2003 to October 2004, Cumba helped in
Figure 11.10 | Credit card swiping machine.
Cyber security_Chapter 11.indd 652 2011-03-25 10:34:44 AM
Cybercrime: Illustrations, Examples and Mini-Cases 653
gathering information and monitoring the site and those who used it. He started by exposing many of the
Russians who were hacking databases and selling counterfeit credit cards. Some of the rst to be arrested
were Bigbuyer, BOA and Wolfrum. Although they were being arrested, no reports of it being linked to
ShadowCrew ever came about at the time.
Business continued as usual at ShadowCrew; credit cards were sold and identication forged, all while
the Secret Service monitored everything that went on and built cases against high-ranking members.
Most members knew that authorities would monitor the site and would institute controls to prevent their
identities from being known. Tese tactics involved Proxies, Virtual Private Networks (VPNs), Wi-Fi
and other anonymizing techniques (Chapter 9 explains anonymizers Section 9.8, Box 9.7). However,
members that trusted CumbaJohnnys VPN Service would be those who would face their ultimate down-
fall. CumbaJohnny oered a VPN service as a way for well-known members to connect to the Internet
through a secure gateway. VPNs were thought to be a reasonably safe method to stay anonymous in the
community, but were always considered slightly risky due to the safety being in the hands of the person
who maintained it. Nearly all of the top-ranking members who were still around in 2004 used Cumbas
VPN.
After a year of monitoring and building evidence against the members of ShadowCrew, the Secret
Service nally played its cards, hoping no one had caught on. Te government, as paranoid as any of
the criminals on the site, became worried when a member of ShadowCrew adorning the name Ethics
(Nicolas Jacobsen), allowed several members to see condential documents he had obtained through
hacking the databases of T-Mobile with an SQL injection (explained in Section 4.10 of Chapter 4). Te
documents belonged to a Secret Service agent who had been tracking both Jacobsen and ShadowCrew.
Allegedly, the documents contained a list of names and drop addresses of certain former (now arrested)
and perhaps c

urrent ShadowCrew Members. Cumba, being the top member of ShadowCrew after Kidds
departure and MacGyvers arrest, was made aware of bits of the information by others who had seen it.
Although it is not certain who saw the information or what exactly it contained, it must have not been
enough to alarm anyone.
Te Secret Service rallied around with worldwide police, and on 26 October 2004 conducted a series of
raids on 28 members of ShadowCrew, spanning a total of 8 to 10 hours. Within days, the arrests were made
public, with evidence presented showing that the ShadowCrew was an Internet Maa with Mantovani as
the Godfather. Claims made by the media included monetary losses totaling millions of dollars. Allegedly,
the members were all users of CumbaJohnnys VPN Service, which led to their locations. Tose who had
not been caught did not use the VPN, were not important enough to arrest or had been ostracized from the
community.
As of August 2006, most of those indicted after the October 2004 raids pleaded guilty were since then
sentenced. Te most publicized and longest sentence was that of Mantovani, who was given 32 months in a
Federal Prison Camp. Many sites appeared after ShadowCrews death one such site was specically focused
on unraveling the mysteries of what actually happened. Tis site, thegrifters.net, was run by a member
(El Mariachi) who was formerly indicted. Tis site was the result of converting his old fraud site to an inves-
tigative site. Members of this group uncovered and compiled many pieces of information on the indicted
members of ShadowCrew until thegrifters.net was taken down in early 2006.
Te numbers involved in this case are huge. According to the Federal indictment, ShadowCrew was an
international organization of approximately 4,000 members. Te last available pages before 27 October
2004 on archive.org showed 2,709 registered members. However, this number is not a 100% correct esti-
mate of the true number of members because registration was free which meant that the numbers could
easily surpass those stated. People, familiar with the ShadowCrew forum, knew that many members operated
under more than one username. Tere were a few members who were banned from the forum they would
Cyber security_Chapter 11.indd 653 2011-03-25 10:34:44 AM
654 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
attempt to frequently register under another username. Te forum was around for over 2 years, so there
were likely many inactive accounts. Te loss gures were also big $4 million dollars. Te government was
unable to nd any concrete proof that the defendants in operation were responsible for any specic losses.
Te $4,000,000 gure was obtained by multiplying the number of credit cards transferred by $500 each (as
per Federal Law when no monetary gure in a fraud case can be determined). Te assumption in this gure
is that every single card was valid and had been used. Figure 11.11 shows that not only todays hackers and
fraudsters are tech-savvy, they are also professional in terms of gains they want.
Illustration 6: Dirty Relations Goods Delivery Fraud
Internet seems to be breeding ground for many cybercriminals who take advantage of mail Spoong, ID
theft and many other techniques to achive their fraud objectives (refer to Chapters 25). Online purchasing
is possible by sending electronic mails using the Internet and there are ample opportunities for fraudulent
people to play mischief by hiding their real identity through fake E-Mails. Tis illustration shows how this
happened in a real-life scenario. Interestingly, it also shows the humantarian approach of the legal system in
passing the judgment and giving due consideration in a given context of the crime.
It all started after Sony India Private Ltd led a complaint. Sony India runs a website called www.
sony-sambandh.com, targeting non-resident Indians (NRIs). Te website enables NRIs to send Sony prod-
ucts to their friends and relatives in India by purchasing those products online. Te company makes deliv-
ery of the products to the concerned recipients. In May 2002, a lady visited the website but did not log
onto the site with her real name. She assumed the identity of Barbara Campa and sent an E-Mail to
order a Sony Colour Television set and a cordless phone. In the mail, she provided her credit card number
for payment and made a request for getting the products delivered to a person named Arnavaz Ahmed
in Noida area. Te payment was duly cleared by the credit card agency and the tran saction was processed.
After carrying out the relevant procedures of due diligence and checking, the company delivered the items
to Arnavaz Ahmed.
Te company was very clever at the time of delivery, the company took digital photographs showing
the delivered goods being accepted by Arnavaz Ahmed. At this time, the transaction closed; however, after
Severe damage
Less profit
(Exploiters)
Small damage
Less profit
(Newbie)
Severe damage
More profit
(Emerging breed of cybercriminals)
Small damage
More profit
(Exploit buyer)
P
r
o
f
i
t
Damage
Figure 11.11 | Hackers motives and goals.
Cyber security_Chapter 11.indd 654 2011-03-25 10:34:44 AM
Cybercrime: Illustrations, Examples and Mini-Cases 655
one and a half months, the credit card agency informed the company that this was an unauthorized tran-
saction as the real owner had denied having made the purchase. Based on this, the company lodged a com-
plaint for online cheating at the Central Bureau of Investigation which registered a case with the Indian
Penal Code under Section 418 (Cheating with knowledge that wrongful loss may ensue to person whose interest
oender is bound to protect), Section 419 (Punishment for cheating by personation) and Section 420 (Cheating
and dishonestly inducing delivery of property). Copy of the Indian Penal Code is provided for readers reference
in Appendix P.
Te matter was investigated into and Arnavaz Ahmed was arrested. Investigations revealed that Arnavaz
Ahmed, while working at a call centre in Noida, gained access to the credit card number of an American
national which he misused on the companys site. Te CBI conscated the color television and the cordless
head phone. Te CBI had evidence to prove their case and so the accused admitted his guilt. Te court
convicted Arnavaz Ahmed under Sections 418, 419 and 420 of the Indian Penal Code this being the rst
time that a cybercrime has been convicted. Te court, however, felt that as the accused was a young boy of
24 years and a rst-time convict, a lenient view needed to be taken. On these grounds, the court released the
convict on probation for 1 year.
Te judgment is of utmost importance for the entire nation. Besides being the rst conviction in a
cybercrime matter, it has shown that the Indian Penal Code (the IPC) can be eectively applied to certain
categories of cybercrimes which are not covered under the ITA 2000. Second, a judgment of this sort sends
out a clear message to all that the law cannot be taken for a ride. According to Police, these E-Mail origi-
nated from an E-Mail Id which was similar to that of the Income Tax department. By investigating into
this cyberfraud, at an initial stage, it was learnt that several such E-Mails have been sent to tax payers. Te
fraudulent E-Mail asks for the receivers bank account number, customer identication number and Net
banking password. Tere are nearly 3.5 million tax payers in the country and their E-Mail identity can be
obtained easily from social networking sites, said a senior police o cer.
11.4.3 Other Illustrations
Illustration 7: Fake Mails Promising Tax Refunds Beware
Internet banking has both advantages as well as perils. Recall the discussion in Chapter 2 (Box 2.7 Fake
E-Mails) and Chapter 4 about fake E-Mails in the context of Phishing (Section 4.3.1). Tis illustra-
tion shows how that was used by criminals. If you are a tax payer waiting for refunds at the end of the
nancial year, beware of fraudulent E-Mails circulating on the Internet. Delhi Polices Economic Oence
Wing (EOW) investigated several cases where the complainants claimed to have received E-Mails in which
they are asked to provide their bank account details so that the tax refund could be transferred to the
accounts.
Such an E-Mail-based fraud came to light after the Police received a complaint from a south Delhi
businessman. Te plainti name was withheld due to the sensitive nature of the case. Te E-Mail claimed
that the receiver would receive ` 2,500 compensation from the Income Tax department if he provided with
his bank details, including Net banking password. Te person who sent the E-Mail also asked for his credit
card details; this raised doubt in the mind of the plainti.
Additional commissioner of police (EOW) said that this cyberfraud, under investigation, is similar to
attempted Phishing. Once the sender receives the details of the bank account, he can easily transfer the
money from that account through Internet banking. As a safeguard, one should not respond to such E-Mails.
One should report the matter to Police immediately. In this case, o cials at the EOW got into tracing of
the server from where these E-Mails originated. Tey asked the service provider to furnish details about
Cyber security_Chapter 11.indd 655 2011-03-25 10:34:44 AM
656 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
the E-Mail account through which these mails were sent. Recall E-Mail forensics explained in Section 7.6
of Chapter 7.
Tis was for the rst time that such a cyberscam report went to Police. It is suspected that the gang
has been operating since the past several months. It is common for fraudster gang to become active when
the dates for tax returns approach. In this case, the police approached the income tax department to take
steps to create awareness about such fraud E-Mails. However, this is not the rst time that tax returns
have come under the scanner. In 2005, the EOW had taken under arrest 12 individuals for encashment
of refund challans worth over ` 50 lakhs (` 50,00,000) through bogus bank accounts that were opened in
collusion with bank sta.
Illustration 8: Phone Scam Targets Your Bank Account
Tis illustration is about DoS attack that was mentioned in Chapter 1 (Table 1.5, Table 1.6, Box 1.5) and
explained in Chapter 4 (Section 4.9, Fig. 4.5, Box 4.8). DoS attacks are not a new happening these attacks
are used by computer hackers to bring down websites by ooding them with huge amount of network tra c.
Te masquerading technique used by cybercriminals, mentioned in Chapters14 (Table 4.9). Tis illustra-
tion shows how the technique was used.
What will happen if you get hundreds or thousands of calls on your home, business or cell phone?
It will simply tie up the lines. How would you feel if you heard anything coming, as if from thin air, recorded
messages, advertisements, or even phone sex menus when you answer? It is not annoying? Be careful, how-
ever, because, it could be more than that it could be a sign that you are being victimized by the latest scam
making the rounds. Tis telephone denial-of-service attack could possibly be the predecessor of a crime
aimed at your bank accounts. In a current twist, fraudsters have converted this activity into telephones, using
automated dialing programs and multiple accounts to overwhelm the phone lines of unsuspecting citizens.
Why do you think, the criminals do it? It turns out that the calls are simply a diversionary tactic: while
the lines are tied up, the criminals, masquerading as the victims themselves, are raiding the victims bank
accounts and online trading or other money management accounts.
Here is how these attacks work recall the discussion in Chapter 2 about the reconnaissance and
passive phase of attacks. Weeks or months before the phone calls start, a criminal uses social engineering
tactics or malware to elicit personal information from a victim that victims bank or nancial institution
would have like account numbers and passwords. Perhaps you as a victim responded to a bogus E-Mail
Phishing for information, inadvertently gave out sensitive information during a phone call, or put too much
personal information on social networking sites that are trolled by criminals. Using the technology, criminals
tie up your phone lines. Next, the criminal either reaches the nancial institution pretending to be you or
pilfers your online bank accounts using fake transactions. More often than not, the institution calls to verify
the transactions, but of course, in this scenario (due to phone lines being made busy) they are unable to get
through to the victim over the phone.
Even if you have not made any bank transactions, the criminals sometimes re-contact the nancial
institution in your name and ask the bank to do those transactions (say transfer of money or something
similar). Or they substitute their own phone number to victims accounts and just wait for the bank to call.
For example, by stealing your password [remember the keylogger ill utility mentioned in Chapter 4
(Section 4.5)]. Using that malware, they will be able to get into the account and update your prole by
putting their phone number. Now, the bank will end up calling them thinking it is you! Tey may have
even learned about your other authentication information and would be able to masquerade to the bank.
Tus, they will make your bank believe it is YOU who is talking to them! By the time you or the nancial
institution realizes what happened, its too late.
Cyber security_Chapter 11.indd 656 2011-03-25 10:34:44 AM
Cybercrime: Illustrations, Examples and Mini-Cases 657
Te Federal Bureau of Investigation (FBI, US) rst learned about this emerging scheme through one of
its private industry partners, who revealed how a Florida dentist lost $400,000 from his retirement account
after a DoS attack on his phones. Tere has certainly been a obvious rise in the number telephone DoS
attacks, with numerous incidents reported in several of the Eastern States in America. To help ght these
schemes, the FBI teamed up with the Communication Fraud Control Association comprising of security
professionals from communication providers to analyze the patterns and trends of telephone DoS attacks,
educate the public and identify the perpetrators and bring them to justice.
Remember always that ultimately, it is individual consumers and small- and medium-sized businesses
(SMB) on the front line of this battle. So take safety measures: never disclose your personal information to
an voluntary phone caller or via E-Mail; change online banking and automated telephone system passwords
frequently; check your account balances often; and protect your computers with the latest virus protection
and security software. Even if you have the slightest doubt that you are possibly under an attack through
cell phone or under a DoS attack, contact your nancial institution and your telephone provider, and le
a complaint with the appropriate authories in your location. Recall the discussion about Mishing and
Smishing in Chapter (Section 3.8 Attacks on Mobile/Cell Phones).
Illustration 9: Cookies and Beacons The Facebook Controversy
Tis illustration refers to Facebook a popular tool for social networking. As a general privacy principle,
whenever a website captures peoples personal information details (such as name, birth date, home address,
home telephone number, personal mobile number, etc.), the site is supposed to take an Explicit Consent
known as Opt-In wherein the person visiting the website will check the box appearing on the consent form
displayed on the website. Opt-Out is considered an Implicit consent wherein the person is assumed to be
giving the permission as long as he/she does not uncheck the box. Tus, Opt-Out is a method in which
personal information will be processed unless the data subject indicates it should be otherwise and Opt-In
is a method in which personal information will be processed only if the data subject indicates it should be so.
Refer to Fig. 6.2 in Chapter 6 for Opt-In and Opt-Out.
Recall the dangers of social networking sites explained in Chapter 7; Section 7.14, Tables 7.6 and 7.7.
Facebook, the social networking site, is supposed to track visitors to that site and is also supposed to have a
customizable privacy setting option. People like both cookies (a bakery product) and Beacon (a typical
breakfast item in the European countries). As much as these items are considered bad for our physical health,
so are they also for the health and well being of our condential data stored on the computers! Let us under-
stand what cookies and Beacons mean in computer parlance.
Cookies are tiny text les that are stored on a clients device and may be later retrieved by a web server
from a clients machine. Cookie les allow the web server to keep track of the end-users web browser
activities, and connect individual web requests into something like a session. Cookies can also be used to
prevent users from having to be authorized for every password protected page they access during a session,
by recording that they have successfully supplied their username and password already. Since cookies are
usually stored on a PCs hard disk, they are not portable. Cryptic or encrypted cookies with an unclear
purpose, and which are set without the users knowledge, alarm Internet privacy advocates. Tey may also
violate data protection laws.
Web Beacon is a graphic on a webpage or in an E-Mail message that is designed to monitor who is
reading the webpage or E-Mail message. Web Beacons are often invisible because they are typically only
1-by-1 pixel in size, with no color. Some information collected is the IP address of the computer that the web
Beacon is sent to, the URL of the page the web Beacon comes from and the time it was viewed. Web Beacons
are also known as web bugs, 1-by-1 GIFs, invisible GIFs and tracker GIFs (Graphics Interchange Format).
Cyber security_Chapter 11.indd 657 2011-03-25 10:34:44 AM
658 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Facebook uses Beacons heavily. Beacon was a component of Facebooks advertisement system that sent
data from extraneous websites to Facebook. Apparently for the purpose of allowing targeted advertisements
and allowing users to share their activities with their friends. On 6 November 2007, Beacon was launched
with 40+ associate websites. Te notorious service, which became the target of a class action lawsuit, and the
service was shut down in September 2009.
Facebook Beacons raised some privacy concerns. On 20 November 2007, a civic action group called
MoveOn.org created a Facebook group and online petition demanding that Facebook not publish
their activity from other websites without explicit permission from the user. In fewer than 10 days, this
group gained 50,000 members. Eventually, Beacon was changed to meet the requirement that any actions
transmitted to the website would have to be approved by the Facebook user before being published.
In 29 November 2007, a note was published by Stefan Berteau, a security researcher for Computer
Associates, was about his tests of the Beacon system. Te note said that it was found that data was still
being collected and sent to Facebook despite users Opt-Outs whereby users had the choice not to log
into Facebook at the time. Tis nding was in direct disagreement to the statements made by Chamath
Palihapitiya, Facebooks vice president of marketing and operations, in an interview with Te New York
Times published the same day:
Question to Facebook VP Marketing & Operations:
In case I purchase tickets on Fandango, and refuse to issue the information to my friends on Facebook,
does Facebook still get the information about my purchase?
Answer by the VP:
Not at all! We are still trying to dismiss a lot of wrong information being publicized without cause.
As per the blog posted by Louise Story of Te New York Times on 30 November 2007, not only had
she received the impression that Beacon would be an explicit Opt-In program, but that Coca Cola had also
had a similar impression, and as a result, had chosen to withdraw their participation in Beacon. Facebook
announced on 5 December 2007 that it would allow people to opt out of Beacon. In August 2008, a class
action court case was submitted against Facebook and other corporations that activated Facebook Beacon
when they released their common members personal information to their Facebook user friends without
members consent through the Facebook Beacon program. In September 2009, Facebook proclaimed that
it would terminate the service. In October 2009, a class action notice was issued to Facebook users who may
have used Beacon. Te proposed settlement would require Facebook to pay $9.5 million into a settlement
fund. Te named plaintis (approximately 20) would be compensated a total of $41,000, and the plaintis
lawyers would receive millions from the settlement fund.
Moral of this illustration is: (a) limit your social networking activity; (b) choose the social networking
sites that have got privacy guarding features; (c) it is your responsibility to protect your online privacy.
Illustration 10: Privacy Loss through Leakage of Users Facebook Proles
Tis is one of the latest issues going on as per the story posted end of July 2010 at the link http://in.news.
yahoo.com/43/20100729/860/ttc-proles-of-100-mn-facebook-users-le.html. In the introduction of Chapter 5, it
is mentioned that Phishing and ID Teft are emerging as the biggest security and privacy threats online.
It is a challenge for people in the digital era to protect their online privacy. Privacy has three dimensions:
(a) informational privacy; (b) personal privacy and (c) territorial privacy. Te rst as well as second aspects
are getting impacted in current times as this illustration shows. Read on to understand the issue that arose
recently.
Cyber security_Chapter 11.indd 658 2011-03-25 10:34:45 AM
Cybercrime: Illustrations, Examples and Mini-Cases 659
Hundred million users lost their personal details! Tey were all the heavy users of social networking
website. Tese personal details were leaked online and are now available for download! Imagine the impact,
people proudly (and at times carelessly too) post all sorts of their personal information on such social web-
sites; be it their honeymoon photos, personal chats with no holds barred opinions expressed and what not.
Dangers of social networking sites are explained in Chapter 7 (Section 7.14). Will people ever take the heed
and refrain from rampant use of social networking sites? It is a moot question.
An online security consultant scanned Facebook proles using a certain software tool. When that was
done, all the data of people, who had not hidden it through appropriate privacy settings, was collected.
Te list of such personal data was compiled the list was uploaded for a free download! Now it is just a
matter of accessing the URL of every searchable Facebook users prole, their name and unique ID this
is according to the latest BBC report. Imagine the implications considering the kind of personal informa-
tion people carelessly leave on their Facebook accounts. According to the enterprising security consultant, he
published the data only to highlight privacy issues, but Facebook retort said that the information was already
public; apparently the news of personal information availability spread like a wild re!
As per the basic tenet of privacy, people who use Facebook are supposed to own their information
and they are supposed to have the right to share only what they want, with those with whom they wish to
share and when they want to share. However, it turns out that in this case, information that people have
agreed to be made publicly available, was collected by a single researcher and that information (of per-
sonal nature) already existed in Google and many other search engines, as well as on Facebook. However,
Facebook denied this and said that no private data was available for public consumption or had been com-
promised. Meanwhile, the list of personal data of so many users was already downloaded by over 1,000
people on Pirate Bay, the worlds biggest le-sharing website.
According to one user (with name lusifer69) the list is terric and scary at the same time! As per
Internet watchdog Privacy International, warnings were issued to Facebook to sensitize them that some-
thing like this was likely to happen. Te expectation, therefore, was that Facebook should have anticipated
the data attack and should have put in place measures to prevent it. People nd it hard to believe that a
rm employing hundreds of engineers could not possibly imagine a privacy leakage incident of this size.
According to people, this is an instance of gross negligence on part of Facebook who have got 500 million
user accounts as of June 2010.
Illustration 11: Debit Card Frauds
Tis story appeared in March 2006 in Computerworld. Most of the major credit card associations and
nancial institutions refused to identify the origins of data compromises. Tose data compromises have
resulted in a rise of debit card fraud globally this raised serious concerns about the scope and extent of the
problem. Tese frauds attracted media and public attention as to what led to attempts by criminal gangs to
compromise PIN-based card transactions. As we know PIN is considered extremely secure. According to
the Director of Fraud Technology operations at Fair Isaac, a Minneapolis-based company, the series of recent
breach disclosures points toward a possibly shifted focus by criminals from credit card fraud to PIN-based
debit card fraud.
Banks all over the world do reissue thousands of cards as part of their operations when a card lost case is
reported. Te case in point is Citibank they acknowledged that a transaction was put on hold for an unspeci-
ed number of Citi-branded MasterCard debit cards when they detected fraudulent cash withdrawals in
several countries Canada, Russia and the UK. In a brief statement released by Citibank, it was said that
the fraud was the result of a third-party business information breach that took place in 2005. To protect its
customers, they blocked PIN-based transactions in those countries (mentioned above), for the customers
Cyber security_Chapter 11.indd 659 2011-03-25 10:34:45 AM
660 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
aected by the breach. However, a spokesperson for the company refused to disclose the name of the
third-party retailer involved in the breach.
With this disclosure, Citibank became the latest in a fast-growing list of nancial institutions they reis-
sued thousands of debit cards or blocked access to certain transactions in countries where ATM cards were
used fraudulently to withdraw cash and make purchases on US accounts.
Te list comprises big banks such as Bank of America, Washington Mutual Bank and Wells Fargo Bank,
along with many credit unions in theUS. One of them was $13 billion North Carolina State Employees
Credit Union in Raleigh, North Carolina, which, over the past two weeks, reissued more than 27,500 debit
cards after being told by Visa, USA of a security breach involving a US retailer.
According to senior vice president at the credit union (name not disclosed due to condentiality reason)
most of the compromised debit cards were fraudulently put to use in many countries Romania, Russia,
Spain and the UK. Tis at that time (year 2006) was the largest card reissue ever done. Tis is considered
to be the largest PIN theft ever. According to Gartner (the analyst rm) combined bank actions reect the
largest PIN theft to date and point to a new wave of PIN block card fraud.
We think encryption is hard to break; apparently this is not true as this fraud illustration shows. A PIN-
based fraud scheme happened when hackers somehow managed the following to gain access to the encrypted
PIN data that was sent along with card numbers to processors that execute PIN debit transactions. Te
thieves also had stolen terminal keys used to encrypt PINs, which are normally stored on a retailers terminal
controllers as conveyed by Gartner. Te encrypted PIN information, along with the key for decrypting it
and the card numbers, allow criminals to make counterfeit cards. Te increase in such frauds has drawn legal
attention in the US.
In February 2006, Representative Barney Frank (D-Mass.), the leading Democrat on the House
Financial Services Committee, sent a letter to both MasterCard and Visa urging the companies to disclose
the source or sources of the compromise or take responsibility themselves. Visa responded in an E-Mailed
statement that it understood the need for quickly giving nancial institutions the information needed to
protect themselves and cardholders from losses in the event of a security breach. In the statement released
it was stated that accusing a single source of the compromise before completion of investigation could be
inaccurate and unfair. In the same way, revealing the name of the compromised entity would become a
dominant disincentive for the compromised entity to share time-sensitive information with Visa going
forward.
MasterCard, on the other hand, did not respond to requests for comment. Let us understand how the
fraud started. According to a source, working for a company now, helping law enforcement o cials investi-
gate the fraud, most evidence suggests that point-of-sale systems at a California store of retailer O ceMax
were somehow involved in the compromise. As per the source, All roads are pointing in that direction.
However, it is still not clear precisely how the debit card and PIN information was accessed and who accessed
it. According to the o cials at least 200,000 cards may have been compromised.
O ceMax did not respond to calls for comment, but a company spokesperson was quoted in vari-
ous other media reports as denying any breach at the retailer. According to Gartner, O ceMax o cials
outright denial suggests that the source of the compromise may well be a third-party processor used by the
company to process card transactions. Another company, whose name got mentioned in connection with
the debit card fraud wave, is wholesaler Sams Club, a division of Bentonville, Arkansas-based Wal-Mart
Stores. It was acknowledged by Sams Club, in December 2005, that it was cooperating with credit card
associations in investigating reports of fraud involving approximately 600 cards used to purchase gas at its
gas stations between 21 September 2005 and 5 December 2005. Te company issued another statement
soon in response to persistent rumors and false media reports tying it to the existing wave of PIN debit fraud.
Cyber security_Chapter 11.indd 660 2011-03-25 10:34:45 AM
Cybercrime: Illustrations, Examples and Mini-Cases 661
Te company denied that any of its internal systems had been compromised and said that a review of its
gas payment systems by its own sta and an outside party revealed no breach. As the statement released, if
any compromise did take place, it appears to have been limited to the Sams Club fuel station point-of-sale
system and did not involve PIN-based transactions.
11.5 Digital Signature-Related Crime Scenarios
In this section, we present examples of crimes related to digital signatures. Tis section has two parts:
Part I contains the scenarios illustrating oenses under the Indian IT Act and Part II has the scenarios to
illustrate examples of fake or inaccurate data inside a certicate from Public Certifying Authorities (CAs).
Te scenarios presented in this section are listed in Table 11.4.
11.5.1 Part I: Offenses Under the Indian IT Act
Some background is necessary in understanding the scenarios presented in this section; especially for readers
who have not yet read the previous chapters. First, the relevant section of the Indian IT is quoted and then the
crime scenario is presented. Table 1.1 of Chapter 1 provided cybercrime statistics item number 6 in that table is
about obtaining license or digital signature certicate by misrepresentation/suppression of fact, item number 7 is about
publishing false digital signature certicate and item number 8 is about frauds in digital signature certicate. Te
topic of digital signature is a key one in the world of cybersecurity the topic was addressed in detail in Chapter
6. For understanding cryptography, encryption and digital signatures, Ref. #2, Books, Further Reading.
Digital signatures are electronic signatures. Te fundamental idea in digital signature is to use the concept
of traditional paper-based signing and turn it into an electronic ngerprint. Te ngerprint, or coded
Table 11.4 | List of illustrations in Section 11.5
Mini-Case
No.
Title Topic Chapter Cross
Reference
Part I
1 Situation 1 Digital Signature Certicate Misinterpretation of
Information Provided
Chapters 1 and 6
2 Situation 2 Digital Signature Certicate Suppression of
Information by Applicant
Chapters 1 and 6
3 Situation 3 Digital Signature Certicate False Certicate Chapters 1 and 6
4 Situation 4 Digital Signature Certicate Retaining a Rejected
Certicate
Chapters 1 and 6
5 Situation 5 Digital Signature Certicate Retaining a Certicate
Beyond its Validity Period
Chapters 1 and 6
6 Situation 6 Digital Signature Certicate Fraudulent/Unlawful Use Chapters 1 and 6
Part II
1 Illustration 1 Bait to Upgraded Digital Certicates Chapters 1 and 6
2 Illustration 2 False Certicates Issued by Multiple Public Certifying
Authorities
Chapters 1, 5
and 6
Cyber security_Chapter 11.indd 661 2011-03-25 10:34:45 AM
662 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
message, becomes the unique aspect of both the document and the entity who signs it. It binds the signer
of the document to the document. Te purpose of digital signature is to ensure that the entity who has signed
the document is authentic. It helps minimize the risk of non-repudiation, that is, any changes made to the
document after it is signed will make the signature invalid thereby protecting against signature forgery and
information tampering. Digital signature aids organizations to maintain signer authenticity, accountability,
data integrity and non-repudiation of electronic documents and forms.
Te concept of digital signature has a context to the concept of non-repudiation. Te most common
application of this concept is in the verication and trust of signatures. As per legal practice of traditional
days, a signature on a paper contract or memorandum may always be repudiated by the signatory. Such
repudiation takes place in two forms: Te signatory may claim fraud or forgery for example, a party might
say I did not sign the document. Alternately, the party may accept the signature as authentic but dispute
its validity due to coercion, that is, the party might state that he/she was asked to sign under gun point, or
under the threat of physical torture, etc.
Non-repudiation is a very powerful concept especially in the Internet age where electronic commerce
is here to stay. Non-repduation helps ensuring that one or more parties involved in a contract, especially
one agreed to via the Internet, cannot later deny it. In the context of digital security, non-repudiation is a
means to verify that the sender and the recipient were, in fact, the parties who claimed to send or receive
the message, respectively. Put simply, non-repudiation is the ability for a system to prove that a specic
user and only that specic user sent a message and that it has not been modied (during transmission), for
example, due to a man-in-the-middle attack in Chapter 4 (explained in Section 4.4 and Fig. 11.7).
To establish additional context for the discussion in this section as well as for understanding the legal
aspects involved, we allude to the Indian IT Act. Te key provisions under the Indian ITA 2000 are presented
in Table 11.5. Section 71 of the Indian IT Act has not changed after the amendment (refer to Table 6.7
in Chapter 6).
According to Section 71 Whoever makes any misrepresentation to, or suppresses any material fact
from, the Controller or the Certifying Authority for obtaining any license or Digital Signature Certicate,
as the case may be, shall be punished with imprisonment for a term which may extend to two years,
or with ne which may extend to one lakh rupees, or with both.
Section 71 of the Indian IT Act applies to:
1. A person, who, for obtaining a digital signature certicate
A. makes a misrepresentation to the Certifying Authority;
B. suppresses any material fact from the Certifying Authority.
2. A person obtaining a license to operate as a Certifying Authority
A. makes a misrepresentation to the Controller;
B. suppresses any material fact from the Controller.
Misinterpretation is interpreted as presenting information incorrectly, improperly or falsely. Tere must be a
deliberate intention to deceive. Now, let us understand the implications of these legal provisions in terms
some practical scenarios.
Cyber security_Chapter 11.indd 662 2011-03-25 10:34:45 AM
Cybercrime: Illustrations, Examples and Mini-Cases 663
Table 11.5 | Cybercrimes punishment (partial reproduction of Table 1.7 of Chapter 1)
Section Ref. and Title Chapter of the
Act and Title
Crime Punishment
Sec. 71
(Penalty for Misinterpretation)
CHAPTER XI
OFFENCES
Making misinterpretation
or suppressing material
facts for obtaining license
or Certicate
Imprisonment to term
extendable up to 2 years
or with ne up to ` 1 lakh
(` 1,00,000) or both
Sec. 73 (Penalty for publishing
Digital Signature** Certicate
false in certain particulars)
Note: In the IT Act a mendment
of year 2008, there is no change
made to this section, that is,
Section 73
CHAPTER XI
OFFENCES
Publishing false digital
signatures, false in certain
particulars.
Fine of ` 1 lakh
(` 1,00,000) or
imprisonment of 2 years
or both.
Sec. 74 (Publication for
fraudulent purpose)
Note: In the IT Act amendment
of year 2008, there is no change
made to this section, that is,
Section 73
CHAPTER XI
OFFENCES
Publication of digital
signatures for fraudulent
purpose.
Imprisonment for the
term of 2 years and ne of
` 1 lakh (` 1,00,000).
** In the IT Act Amendment, you will see the word Electronic Signature instead of Digital Signature.
Situation 1: Digital Signature Certicate Misinterpretation of Information
Provided
Let us say a person A is applying for a digital signature certicate. He lls in his name as B and also
submits photocopies of Bs passport as proof of identity for example documents such as the Driver License or
PAN Card. (which can also be seen as identity theft!). Under this circumstance, is liable for misrepresenting
information to the CA.
See Table 11.5 Suppress under this scenario is interpreted as withholding from disclosure.
Situation 2: Digital Signature Certicate Suppression of Information by Applicant
Suppose an organization XYZ is applying for a license to become a Certifying Authority (CA). In the
application form one of the information required to be lled is In case any of the company directors been
convicted for a criminal oense, then please mention relevant details. Suppose one of the company direc-
tors had been convicted in the past. However, in the submitted form, the company o cials do not provide
answer to this question, that is, they leave that eld on the form blank. Under this circumstance, the o cials
will be liable for suppressing information from the Controller.
Cyber security_Chapter 11.indd 663 2011-03-25 10:34:45 AM
664 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Material fact implies something that is relevant, pertinent or essential. The punishment provided
is imprisonment up to 2 years and/or ne up to ` 1 lakh (` 1,00,000) as mentioned in Table 1.7 in
Chapter 1.
As dened in Section 2(g) of the Indian IT Act, Certifying Authority means a person who has been
granted a license to issue a Digital Signature Certicate under Section 24.
As per Section 24, procedure for grant or rejection of license. The Controller may, on receipt of
an application under subsection (1) of Section 21, after considering the documents accompanying
the application and such other factors, as he deems t, grant the license or reject the application:
provided that no application shall be rejected under this section unless the applicant has been given a
reasonable opportunity of presenting his case.
Now let us look at some false certicate scenarios. First, let us revisit Section 73 of the Indian IT Act (refer
to Table 11.5).
As per Section 73 of the IT Act:
(1) No person shall publish a Digital Signature Certicate or otherwise make it available to any
other person with the knowledge that:
(a) The Certifying Authority listed in the certicate has not issued it;
OR
(b) The subscriber listed in the certicate has not accepted it;
OR
(c) The certicate has been revoked or suspended, unless such publication is for the purpose of
verifying a digital signature created prior to such suspension or revocation.
(2) Any person who contravenes the provisions of sub-section:
(a) Shall be punished with imprisonment for a term which may extend to two years, or with ne
which may extend to one lakh rupees, or with both.
Situation 3: Digital Signature Certicate False Certicate
A person creates a fake digital signature certicate with the illicit intent to make the victim believe that the
certicate has indeed been issued by a certain CA. Person A now plans to use this certicate to carry out
some nancial frauds with the targeted victim. He posts this certicate on his website. Te person shall be
liable under this Section 73.
Situation 4: Digital Signature Certicate Retaining a Rejected Certicate
Person A has applied to a Certifying Authority [refer to CA denition in Section 2(g) of the Indian IT
Act as mentioned previously] for a digital signature certicate. In due course of time, the said CA issues the
certicate to Person A. However, Person A does not accept it on the basis that some of the details are incor-
rect in the certicate. In the meanwhile, the CA publishes the certicate in their online repository. In this
case, the CA will be liable under Section 73 of the Indian IT Act (Penalty for publishing [Electronic Signature]
Certicate false in certain particulars).
Cyber security_Chapter 11.indd 664 2011-03-25 10:34:45 AM
Cybercrime: Illustrations, Examples and Mini-Cases 665
Situation 5: Digital Signature Certicate Retaining a Certicate Beyond
its Validity Period
Person A is employed with XYZ Company. He obtains a digital signature certicate for o cial purposes on
1st February in a certain year. He quits the job on 1 November of the same year and the certicate is revoked
on that very same day. Now suppose, XYZ Company continues to keep Person As revoked certicate in their
online repository even after 1 November, that is, even after the person has quit the organization. Under this
circumstance, XYZ Company is liable under this section. However, they will not be liable if the purpose
behind keeping Person As certicate in their repository is to verify documents signed by the person between
1 February and 1 November. Te punishment provided for this Section 73 is imprisonment up to 2 years
and/or ne up to ` 1 lakh (` 1,00,000).
As per Section 74 of the IT Act: Whoever knowingly creates, publishes or otherwise makes
available a Digital Signature Certicate for any fraudulent or unlawful purpose, shall be punished with
imprisonment for a term which may extend to two years, or with ne which may extend to one lakh
rupees, or with both.
Technologically speaking, creating a Digital Signature Certicate is not very difcult fraudsters
are getting technologically very sophisticated! All that is needed is a computer running the Windows
Server operating system and having Certicate Services installed. This way, it is easy for criminals to
create and publish digital signature certicates for fraudulent and unlawful purposes.
The word create in the context of Indian IT Act means to bring into existence.
Situation 6: Digital Signature Certicate Fraudulent/Unlawful Use
Person A is under possession of a computer with Windows Server operating system running on it.
She also has Certicate Services installed on that computer. She uses this computer to generate a digital sig-
nature certicate for herself and Person B. Tis means that now she has created the said certicates. Next,
Person A puts up Person Bs digital signature certicate onto a publicly accessible part of his website. Tis
means that now Person A has published Person Bs certicate. Note that publishing means making the
certicate known to others.
Te concept of make available can also be illustrated by extending the situation just mentioned. Suppose
now, Person A using the same computer under her possession and running the services as mentioned before
on that computer, issues this certicate to Person C knowing or not knowing that Person C plans to
misuse it to spoof Person Bs E-Mails. Under these circumstances, Person A has made the certicate available
to Person B for an unlawful/fraudulent purpose. Te punishment provided for violation of Section 74 is
imprisonment up to 2 years and/or ne up to ` 1 lakh (` 1,00,000)
11.5.2 Part II: Fake/Inaccurate Data in Certicates from
Public Certifying Authorities
Having presented scenarios of digital signature certicate-related oenses under the Indian IT Act, now let
us look at some examples of (a) bait to consumers to lure them to upgrade their digital certicates and (b)
fake or inaccurate data inside a certicate from a public CAs.
Cyber security_Chapter 11.indd 665 2011-03-25 10:34:45 AM
666 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Illustration 1: Bait to Upgraded Digital Certicates
In a typical scenario, the targeted consumers receive an E-Mail informing them that their nancial accounts
will be more secure if they are upgrade to digital certicates, or that their current digital certicate has
expired and needs to be upgraded. If they follow the link, they are taken to a website where they receive
more information about the importance of the upgrade, and are given instructions to install their digital
certicate, with a link to download the installation program.
If the targeted consumers, fooled in this way, believe the mail and install the program then the result
is that, a virus gets installed! Te rst such digital certicate malware investigated was found to be against
Bank of America. It ended in early April 2008; however, the new round of such attacks included Comerica
Bank, Colonial Bank and Merrill Lynch. Comerica was nearly a daily target with more than 250 domain
names used in the fraud. Colonial Bank was targeted for the attack in 2008, with 22 domain names used.
An attack was launched on Merrill Lynch, on 5 May 2008 with the domain names such as 1291logon.info
and 1291logon.com.
Te Merrill Lynch version of the malware is called Papras.dk by most of the antivirus programs that
detect it. Te rst edition of the Colonial Bank Trojan was called Papras.dh, and the rst version of the
Comerica Bank Trojan that we looked at was called Papras.dc. Tere were more evidences showing that
these originated from a common source. As with most up-and-coming threats, common antivirus products
are not instantly blocking the threat. For example, F-Prot, McAfee and Symantec do not show on VirusTotal
as having discovery for this threat. McAfee engineers are often heard complaining that VirusTotal is not
an accurate way of knowing whether they have detection. Tey say that when McAfee is run on desktops,
though an antivirus update is run, it does not detect some of the viruses. Unfortunately, due to the failure of
common antivirus engines to detect this virus, the viruses can spread faster.
Illustration II: False Certicates Issued by Multiple Public Certifying Authorities
Tere have been instances wherein false certicates have been obtained on a number of occasions from
numerous public CAs without ever submitting any false information in the process. You can visit the link
http://www.geotrust.com/resource/advisory/sslorg/index.htm to see live examples. For this illustration, we
have included three screen shots (Figs. 11.1211.14) to illustrate how certicates with misleading organiza-
tional names could be used to enhance Phishing schemes:
Example 1:
Refer to Fig. 11.12, it is a spoofed chase site. It shows a misleading organizational name of Chase in
O Field. Note the display of O (Organization) and C (Country) eld data [Chase (US)] in the circled
(yellow) eld at top right of the GUI. Tis is not a genuine Chase Bank site. It is an example of how the
organization eld could be used by a phisher to more convincingly perpetrate fraud. Reader should refer to
Chapter 5 to understand Phishing attacks.
Example 2:
Refer to Fig. 11.13, it shows another site with a misleading organizational name Fleet in the O Field.
Note the display of O and C eld data [Fleet (US)] in the circled (yellow) eld at the top right of the
GUI. Tis is not a genuine Fleet Bank site. It is interesting to understand how misleading certicates are
obtained. Apparently, certicate containing inaccurate or potentially fraudulent identity information can be
easily obtained typically through Identity Teft crimes as explained in Chapter 5.
Cyber security_Chapter 11.indd 666 2011-03-25 10:34:45 AM
Cybercrime: Illustrations, Examples and Mini-Cases 667
Figure 11.12
|
Spoofed chase site.
Note: The color version of the gure is also available in the CD.
Fraudulent identity information is often obtained from multiple public CAs without ever submitting any
false information in the process. Phishers and fraudsters do not care about obtain fake digital certicates to
date because consumers have never looked at or relied upon the identity information in the certicate; in
fact, most consumers do not even know it is there but this will all change if next-generation browser GUIs
extract and display certicate data in an attempt to provide users with site identity in formation for trust deci-
sion purposes.
Trust capabilities of websites need to be enhanced and the solution for this is 2nd Generation
Digital Certicates (further details on this are not within the scope of this illustration or this chapter).
A variety of browser plug-ins and toolkits are already oered for this purpose, including GeoTrusts
TrustWatch. TrustWatch applies its rules and algorithms in real-time (including checking on certicate
CN eld data for certicates located anywhere on the visited website, even when the consumer has only
started with the sites unsecured home page) and displays the result in a color-coded GUI that is easily
seen and understood by consumers. Additional enhancements are coming in the near future (see Fig.
11.14 see the color version of this gure in CD).
Te private sector has developed a number of seals and certications designed to provide varying degrees
of condence in the practices or controls over privacy and personal information.
Some Organizations with such programs are: TRUSTe, BBBOnLine, Network Advertising Initiative,
US Direct Marketing Association, Japan Information Processing, Development Center (JIPDEC), Health
Information Trust Alliance, EuroPrise.
Cyber security_Chapter 11.indd 667 2011-03-25 10:34:45 AM
668 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Figure 11.13
|
Site with misleading organization name.
Note: The color version of the gure is also available in the CD.
Figure 11.14
|
GUI enhancement.
Note: The color version of the gure is also available in the CD.
11.6 Digital Forensics Case Illustrations
Forensics tool kits are addressed in Chapters 7 and 8. Digital Forensics Case Studies are presented in this
section. Tese illustrations involve use of the forensics tools EnCase and TSK. While going through the cases
illustrations in this section, do keep in mind the chain of evidence and other related concepts explained in
Chapter 7. Table 11.6 lists the digital forensics cases of this section.
Cyber security_Chapter 11.indd 668 2011-03-25 10:34:45 AM
Cybercrime: Illustrations, Examples and Mini-Cases 669
11.6.1 Digital Forensics Illustration 1: Condential Data Theft Revealed
through Forensics Investigation
Data theft is a wide term ranging for theft and fraud committed by stealing most valuable information.
Te purpose is to obtain data without any nancial as well as manpower investments. Under Section 66 of
the amended Indian IT Act, data theft denition has become more specic. Stealing data is a crime. In this
illustrative example we see what disgruntled employees can seek revenge. In Chapter 1 (Section 1.4) we men-
tioned about Type II Cybercriminals the Insiders; these are disgruntled employees or former employees
seeking revenge. Chapter 9 also addressed the issue of Data Teft (see Section 9.2). Tis example shows a
scenario with that. All the names are masked for condentiality; however, the scenario is from real life. Tis
example illustrates the power of forensics investigation. (Te topic of forensics is explained in Chapters 7 and
8 and that is the background for this illustrative case.) It is a very educative example for readers and relates to
all the concepts learned so far. Read on
Ajay Shirgaokar an employee of POOR-ME COMPANY receives a poor performance appraisal from
his manager (see Fig. 11.15). Ajay sends an inquiry to a competitor organization, looking for a position via
E-Mail followed by a letter asking for the same, using a company letterhead. Ajay receives a job application
from UNSCRUPULOUS_COMPANY (the competitor company) see Fig. 11.16.
In a meeting with UNSCRUPULOUS_COMPANY, they propose a plan to him about getting some
urgently required information from POOR-ME COMPANY. Ajay Shirgaokar agrees to steal proprietary
information in exchange for a job and a payo. He is given a 4 GB USB Flash drive with detailed guidance
describing how to steal and transmit proprietary information. Ajay Shirgaokar reads the directions on how
to use a cracker program (see Fig. 11.17).
Ajay Shirgaokar sends a Trojan program as an attachment to E-Mail to members of the Product develop-
ment team (Trojans are explained in Chapters 2 and 4). Te attachment appears to be legitimate a solic-
itation for a good cause donation request (see the screen shot in Fig. 11.18). A member of the Product
team, Madhav Lele of POOR-ME COMPANY opens the E-Mail and the attachment (see Fig. 11.19).
Te attachment sent to Lele is a Trojan Horse program that will allow remote access to and control of
Leles machine. Now Ajay Shirgaokar is in a position to access Leles machine remotely. Figure 11.20 shows
Table 11.6 | Illustrations in Section 11.6
Digital Forensics
Case Illustration No.
Title Topic Chapter Cross
Reference
1 Condential Data Teft Revealed
through Forensics Investigation
Data Teft Chapters 1 and 9
2 Analysis of Seized Floppy Te
Drug Peddler Case
Digital Forensics Evidence
Analysis
Chapter 7
3 Vehicle Stealing Racket Revealed
Trough Computer Forensics
Investigation
Digital Forensics
Reporting
4 Child Pornography revealed
through Computer Repair
Digital Forensics
Reporting
Chapters 1, 6 and 7
Cyber security_Chapter 11.indd 669 2011-03-25 10:34:46 AM
670 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Figure 11.16 | Employee receives mail from competitor organization.
Figure 11.15 | Employee getting performance appraisal mail.
Cyber security_Chapter 11.indd 670 2011-03-25 10:34:46 AM
Cybercrime: Illustrations, Examples and Mini-Cases 671
Figure 11.17 | Employee reading a malicious program instructions.
Figure 11.18 | Ex-organizations employee reading the mail containing malicious attachment.
Cyber security_Chapter 11.indd 671 2011-03-25 10:34:46 AM
672 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Figure 11.19 | Donation request mail planted as bait by the revengeful employee.
Figure 11.20 | Suspect employees desktop.
Cyber security_Chapter 11.indd 672 2011-03-25 10:34:47 AM
Cybercrime: Illustrations, Examples and Mini-Cases 673
Ajay Shirgaokars desktop. Having stolen the company condential information, Ajay is now driven by the
pressing need to transfer it to his soon-to-be new employer, eager to impress them that he has done the job.
In order to conceal his activities, Ajay uses E-Mail and Steganography (secret writing) to hide the stolen data
in plain sight (see Fig. 11.21).
After some days, news about Competition Company (UNSCRUPULOUS_COMPANY) appears in the
media. Te news indicates that the company is all poised to demonstrate their next version of the product
months ahead of the schedule. Te news also mentions that the CEO of the company has sent a special
memo congratulating his R&D team for this fantastic achievement. In the same news, the industry analyst
are quoted stating that through this early prototype development, the company will be able to introduce
their competition product to the market very soon and that the product has the potential to take away a
major slice of sales revenues from the competition. Industry analysts, in this news, further add saying that
the prospects for other industries in the same product domain are now bleak.
Alerted by this news item, POOR-ME COMPANY engages forensics investigators to determine whether
a foul play has lead to the loss of their data. Te investigators monitor POOR-ME COMPANYs Intranet
(with appropriate authority) using forensics monitoring devices (such tools and devices were explained in
Chapters 7 and 8). Figure 11.22 shows an intercept of password crack to get into the account of the dis-
gruntled employee.
Te forensics monitoring devices used in the investigation provide the investigators with a target to focus
their investigation. With client consent, a document likely to be stolen, is tagged to provide tangible proof
Figure 11.21 | The data dump from suspect employee machine.
Cyber security_Chapter 11.indd 673 2011-03-25 10:34:47 AM
674 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Figure 11.22 | The cracked account.
of intellectual property theft and support later litigation and damages claims. In Fig. 11.23, we see investigators
tagging a document, followed by its hex dumps seen in Fig. 11.24.
Meanwhile, Ajay once again, covertly accesses Leles computer to steal intellectual property (PRODUCT).
His actions are the same as explained before. Investigators are keeping a close trail and they record Ajays
actions as evidence against him (refer to Fig. 11.25). With his nal theft complete, Ajay Shirgaokar deletes
all stolen documents and exploitation programs from his workstation see the screen shot of his worksta-
tion in Fig. 11.26. Now that Ajay has taken the bait document, the investigators perform covert digital
evidence recovery on Ajays employer who is supplied with a Palm Pilot (a kind of hand-held device) and
workstation. Hand-held forensics is explained in Chapter 8. Te investigators conduct a forensics review of
a copy of the digital evidence (refer to Figs. 11.2711.30).
Te presence of the stego pass phrase alerts investigators to look for le types that can be used for
Steganography. Using a variety of digital forensics tools, the investigators examine Ajays workstation. Te
Palm Pilot gave away his passwords and account data and other valuable information such as the use of
Steganography. Te hard drive examination allowed to recover deleted les and to look for stego les
(Steganography). Steganography in forensics context is explained in Chapter 7 (Section 7.12). Figures 11.31
and 11.32 show how the forensics tool reported the case. Recall that in Chapter 8, we explained the report-
ing features of the forensics tools (refer to Table 8.4 in Chapter 8).
Cyber security_Chapter 11.indd 674 2011-03-25 10:34:47 AM
Cybercrime: Illustrations, Examples and Mini-Cases 675
Figure 11.23 | The tagged document.
Figure 11.24 | The hex dumps.
Cyber security_Chapter 11.indd 675 2011-03-25 10:34:47 AM
676 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Figure 11.25 | Trail on the forensically cracked account.
Figure 11.26 | Cleaning the tracks act.
Cyber security_Chapter 11.indd 676 2011-03-25 10:34:47 AM
Cybercrime: Illustrations, Examples and Mini-Cases 677
Figure 11.28 | The digital evidence recovery-2.
Figure 11.27 | Digital evidence recovery-1.
Cyber security_Chapter 11.indd 677 2011-03-28 4:28:16 PM
678 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Figure 11.29 | The digital evidence recovery-3.
Figure 11.30 | More evidence.
Cyber security_Chapter 11.indd 678 2011-03-25 10:34:48 AM
Cybercrime: Illustrations, Examples and Mini-Cases 679
Figure 11.31 | Case report from the forensics tool-1.
Figure 11.32 | Case screen from the forensics tool-2.
Cyber security_Chapter 11.indd 679 2011-03-25 10:34:49 AM
680 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Figure 11.33 shows the evidence recovered from employees hard disk drive. With the digital evidence
supplied by the investigators (as well as other steps not demonstrated, that is, E-Mail examinations, inter-
views, analysis of Internet tra c, etc.) POOR-ME COMPANY led suit against UNSCRUPULOUS_
COMPANY for intellectual property theft. Tus, to conclude, in this example we learned about the extent
of malicious damage that disgruntled employees can do.
11.6.2 Digital Forensics Case Illustration 2: Analysis of Seized
Floppy the Drug Peddler Case
Use of digital forensics technique in a case of selling drugs to school children is illustrated here. In Chapter 7
types of media were displayed (Fig. 7.6 in Chapter 7). Tis illustration involves data recovery from a
oppy disk. While reading this illustration, keep in mind the imaging techniques and forensics tools,
etc. described in Chapter 7 (Sections 7.7.1 and 7.7.2). Brian Carriers Sleuth Kit/Autopsy is mentioned
in Section 7.7.2 (above Box 7.10) of Chapter 7. Te Sleuth Kit tools are capable of analysing disk or le
system images generated by dd or similar applications that create a raw image. Te dd tool (mentioned
in Section 7.16.1, Chapter 7) is found on most UNIX systems. TFS, FAT, FFS, EXT2FS and EXT3FS le
systems are supported by the tool.
Figure 11.33 | Evidence on the hard disk.
Cyber security_Chapter 11.indd 680 2011-03-25 10:34:49 AM
Cybercrime: Illustrations, Examples and Mini-Cases 681
Tis illustration has the scenario in which that tool was used. Te objective in this scenario was to analyze
a seized oppy in the hope of recovering information that would help answer question related to the investiga-
tion of the crime. Tose questions are mentioned later in this illustration. Note that all the links displayed in
the diagrams in connection with this illustration can be accessed.
It was suspected that the required information could possibly be hidden within unallocated areas of the disk
image or concealed within other areas of the disk and would, therefore, require a full le system analysis in
order to locate it. For the sake of reference, let us call the suspect as Jaggu Jungle the bad guy because the
real name cannot be disclosed due to condentiality and privacy considerations. Any resemblance to this name
or locations and/or situation in this illustration is purely a coincidence. Some background information and
evidence is presented next to help understand the context for the forensics analysis in this digital forensics case
illustration. Table 11.7 shows the background for this case illustration; it is based on a police report.
The Case Scenario: Jaggu Jungle, 28 years, was arrested on charges of selling illegal drugs to high
school students in Delhi. The police set a trap to catch Jaggu. A local young police ofcer, who
posed as a high school student, was approached by Jaggu in the parking lot of St. Stephens High
School. Jaggu asked the undercover cop if he would like to buy some marijuana (a type of drug).
Before the undercover cop could answer, Jaggu pulled some out of his pocket and showed it to the
ofcer. Jaggu Look at this stuff, it couldnt be better than this; I am selling you the best quality stuff!
My supplier not only sells it direct to me, he grows it himself.
As per police reports, Jaggu had been spotted on numerous occasions hanging out at various
local high school parking lots around 2:30 pm, the time school usually ends for the day. School of-
cials from multiple high schools had called the police regarding Jaggus presence at their school and
noted an increase in drug use among students since his arrival.
The police needed forensics help. They wanted to try and determine if Jaggu Jungle has been
selling drugs to students at other schools besides this school. The problem is that no students will come
forward and help the police. Based on Jaggus comment regarding the drug supplier, the police
were interested in nding Jaggus supplier/producer of marijuana. Jaggu denied selling drugs at any
other school besides this school and refused to provide the police with the name of his drug supplier/
producer. He also refused to validate the statement that he made to the undercover ofcer right
before his arrest.
Upon issuing a search warrant and searching the suspects house, the police were able to obtain
a small amount of marijuana. The police also seized a single oppy disk, but no computer and/or
other media was present in the house. The police imaged the suspects oppy disk and provided a
copy for forensics investigation. They wanted the forensics analysts to examine the oppy disk and
provide answers to some questions regarding this drug crime. The police wanted forensics experts
to pay special attention to any information that might prove that Jaggu was in fact selling drugs at
other high schools besides this school where the undercover police encountered him. Police also
wanted forensics experts to try and determine, if possible, who Jaggus supplier is.
Jaggus posted bail was set at ` 4.5 lakhs (` 4,50,000). Considering that Jaggu may attempt to
run away from town, the police wanted him to be under police custody as soon as possible. To do
so, the police had asked the forensics experts to fully complete the analysis results and wanted the
results to be submitted by the given date. Now it was a challenge for the forensics experts to pro-
vide the police with a strong case consisting of their specic ndings related to the questions police
had in mind:
1. Where the ndings are located on the disk?
2. What were the processes and techniques used?
3. Any actions that the suspect may have taken to deliberately delete, hide and/or alter data on
the oppy disk.
Cyber security_Chapter 11.indd 681 2011-03-25 10:34:49 AM
682 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Te objective of this examination is to seek answers of the following questions:
1. Who was the supplier of marijuana and what was the address listed for the supplier?
2. What crucial data is available within the coverpage.jpg le and why is this data crucial?
3. What (if any) other high schools, in addition to St. Stephens High School, did the criminal frequent?
4. For each le, what processes were carried out by the suspect to hide them from others?
5. What processes were used to eectively examine the complete contents of each le?
Step 1: Analysis
Te rst step of the analysis process was to retrieve the image of the oppy disk. Te disk image was down-
loaded and the MD5 hash value was also copied from the website and placed into a valid md5sum input
le called image.zip.md5 contents of image.zip.md5 were as follows:
b676147f63923e1f428131d59b1d6a72 image.zip
Conrmation that the integrity of the downloaded disk image has not been compromised is as follows:
# md5sum -c image.zip.md5
Image.zip: OK
Step 2: Autopsy Case Creation in the Tool
Having conrmed that the integrity of the downloaded image has not been compromised, a case was con-
gured within Autopsy. Autopsy was setup and congured on the analysis machine and was ready to be
used. From the Autopsy main menu (Fig. 11.34), the New Case button was selected in order to start the
conguration process for a new case.
Te next task was to prepare an input from recording the details of the case. Using the Create a New
Case form (Fig. 11.35), a case name, short description and an investigators name were entered. Te investiga-
tors name was used mainly for audit processes. One typical problem with Autopsy is that it does not allow the
Figure 11.34 | Autopsy case creation.
Cyber security_Chapter 11.indd 682 2011-03-25 10:34:49 AM
Cybercrime: Illustrations, Examples and Mini-Cases 683
investigators name to contain any spaces. In order to use an investigators full name one would need to concat-
enate it into a single string, for example Sam Borges would need to be entered as SamBorges.
Having congured the initial values, a case directory was created in the evidence locker, and a standard
conguration le was created within the case folder (see Fig. 11.36). If more than one investigator would
have been assigned to this case, then at this stage, an investigator would need to be selected before adding a
Figure 11.35 | Autopsy new case creation.
Figure 11.36 | Autopsy: Case study created.
Cyber security_Chapter 11.indd 683 2011-03-25 10:34:49 AM
684 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
host to the case. Autopsy not only saves the output from Te Sleuth Kit program les to log les named
after the investi gator, but also the commands that are executed along with other notes entered into the
system.
In the scenario involved here, only one investigators name was used in the New Case Creation form
(Fig. 11.35) so, there was only one name in the drop box. By selecting the Add Host button (see
Fig. 11.37) the investigator was moved to the next step in the conguration process. Tis case dealt with
an image of a oppy disk rather than an image from a hard disk that was retrieved from a host machine,
therefore only generic conguration details are entered into the Add a New Host form as illustrated in
Fig. 11.37. In this case, the forensics experts knew that they were looking into an IBM compatible oppy
disk. Tese types of disks are formatted with a FAT12 le system. FAT le systems store time stamps without
regard to time zones. Terefore, there was no need to enter any time zone information.
In this case, it was not known to the forensics investigators if the time on the machine used to create the
oppy disk was skewed from a time source, so nothing was entered for the time skew adjustment value (see
Fig. 11.38). An Alert Hash Database or Ignore Hash Database was not provided for this investigation so
these values were left blank. An Alert Hash Database is a database that the investigator must create. It contains
hashes of known bad les. Tese are the les that a forensics examiner wants to know about, if they exist on the
system. Examples of this include rootkits or illegal photographs. Rootkit is a software system that contains
mutliple programs designed to obscure the fact that a system has been compromised (refer to Box 4.3, Chapter 4
and Section 7.12.1, Chapter 7). An Ignore Hash Database is a database that the investigator must create.
It contains hashes of known good les and these les can be ignored if the user chooses to do so during File Type
Category Analysis. System binaries used for standard builds would be examples of les under this category.
Figure 11.37 | Autopsy: New host added.
Cyber security_Chapter 11.indd 684 2011-03-25 10:34:49 AM
Cybercrime: Illustrations, Examples and Mini-Cases 685
Figure 11.38 | Autopsy: Host oppyhost added.
Figure 11.39 | Autopsy: Case and host info added.
Having entered the conguration details for the host, and having selected the button <Add Host>, Autopsy
created the Host folder structure within the Case structure inside the evidence locker (see Fig. 11.39). At this
stage the Case and Host are created for this investigation. Next, the i nvestigator adds the disk image by
selecting the Add Image File (see Fig. 11.39).
Te Add a New Image form is now displayed (Fig. 11.40). Tis form allows the investigator to enter
information on the image le. Te analysis machine has a separate drive congured for the Evidence Locker
to hold the investigation image les, and in order to minimize space requirements the image will be imported
as symlinks to the original images. In this case, the image le was extracted from the Zip le provided on
the website, and it is this image le that was added. A symbolic link (often called symlink) is a special type
of directory entry in modern UNIX (or Unix-like) le systems that allows the system to almost transparently
refer to another directory entry, typically a le or a directory.
Unfortunately, at this stage Autopsy is unable to automatically determine the volume system type for the
disk image. Floppy disks are typically single volume; therefore, the investigator had to manually select the
Volume Image with a Volume System Type of DOS refer to Figs. 11.40 and 11.41.
Te Image File Details section is shown in Fig. 11.42; it allowed the investigator of the case to select
options for the data integrity of the image. In Section 7.7.2 of Chapter 7, it is mentioned in that during
imaging, a write protection device or application, is normally used to ensure that no information is intro-
duced onto the evidentiary media during the forensics process. Te imaging process is conrmed by means
Cyber security_Chapter 11.indd 685 2011-03-25 10:34:50 AM
686 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Figure 11.40 | Autopsy: New image added.
Figure 11.41 | Autopsy: Image type.
of the SHA-1 message digest algorithm (with a program such as sha1sum) or other still viable algorithms
such as MD5. If the MD5 hash value for the image le itself was provided, it could be entered here and
Autopsy could verify that it is correct. However, for the scenario of this case, no hash value existed for the
extracted disk image and therefore the investigator had to select the Calculate option because only the
MD5 hash value for the compressed archive was provided.
Cyber security_Chapter 11.indd 686 2011-03-25 10:34:50 AM
Cybercrime: Illustrations, Examples and Mini-Cases 687
After entering the Image File Details, Autopsy checks the integrity of the partition image (if the Verify
hash after importing? option is selected), however for this investigation the Calculate option was selected.
See Fig. 11.42. Terefore, Autopsy generated an MD5 hash value (these are hexadecimal numbers) and
inserted it into the Host conguration see Fig. 11.43 (upper portion). At this stage a Case has been created,
a Host has been created and the oppy disk image has been added to the host. It was explained in Chapter
7 (Section 7.7.1) that to be able to use forensics ndings of any type as permissible evidence in court, a data
acquisition technique, known as imaging, is used. We now see in this illustration, the use of that tech-
nique. Te Autopsy Host Manager is displayed (Fig. 11.43 lower portion) to the investigator and from this
point Autopsy can be used to analyze the contents of the oppy disk image.
Now that the investigator came closer to examining the contents of the seized disk, he wanted to
create some indexes to help search with keyword searches. By selecting the details link from the Host
Manager within Autopsy (see Fig. 11.43), the investigators were taken to the Image Details form (see
Fig. 11.44). Tis allowed them to extract the strings from the entire image as well as unallocated sec-
tors. Extracting this information caused an index to be created which improved the speed of keyword
searches. Tey selected Extract Strings, leaving the default check box marks on Generate MD5,
ASCII and Unicode.
Figure 11.42 | Autopsy: Image le details.
Cyber security_Chapter 11.indd 687 2011-03-25 10:34:51 AM
688 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
IMAGE DETAILS
Name: image.dd-0-0
Volume Id: vol1
Parent VolumeId: img1
Volume Point: A:/
File SystemType: fat 12
External Files
ASCII Strings:
Unicode Strings:
Unallocated Sectors:
ASCII Strings of Unallocated:
Unicode Strings of Unallocated:
Extract Strings of Entire Image Extract Unallocated Sectors
Extracting the ASCII and Unicode
Extracting from a file system image
will make keyword searching faster
Extracting the unallocated data in a file
system image allows more focused
keyword searches and data recovery
(Note: This Does Not Include Slack Space) Generate MD5?
ASCII: Unicode: Generate MD5?
Extract Strings Extract Unallocated
CLOSE FILE SYSTEM
Figure 11.44 | Autopsy: String details.
Figure 11.43 | Autopsy Image File Details (upper) and Host Manager Details (lower).
Cyber security_Chapter 11.indd 688 2011-03-25 10:34:51 AM
Cybercrime: Illustrations, Examples and Mini-Cases 689
String extraction always depends on the size of the le system. When le systems are larger, the extraction
of ASCII and Unicode strings can be quite time consuming. however, the disk image for this investigation
was only that of a 1.44 MB oppy disk and therefore the extraction process was quite quick. After extracting
the strings, (see Fig. 11.45), the investigation team returned to the Image Details screen and selected the
Extract Unallocated button to extract the unallocated sectors (see Fig. 11.46). Extraction of unallocated
sectors also depends on the size of the le system. Much larger time is required on larger le systems and
extraction can consume a large amount of disk space, possibly up to the size of the original image. However,
as previously mentioned, this investigation involved imaging of a oppy disk of only 1.44 MB in size.
Terefore, the extraction process was quick and the extracted data was small.
Having extracted the unallocated sectors (see Fig. 11.47), the investigator returned to the Image
Details screen and selected the Extract Strings button to extract the ASCII and Unicode strings from
the unallocated sectors (see Fig. 11.47). Compare the outputs displayed in Fig. 11.47 to the output in
Fig. 11.45; you will notice that the values for String Extraction are dierent than those for Unallocated
Sector Extraction.
When size of le system is large, similar issues, as in the extraction of ASCII and Unicode strings, arise
while extracting strings from unallocated sectors. In this investigation, however, the process was relatively
quick, because as mentioned previously, this scenario involved an image of a oppy disk. Te results of this
process are illustrated in Fig. 11.49.
Figure 11.45 | Autopsy: Image details (extracting strings).
Cyber security_Chapter 11.indd 689 2011-03-25 10:34:51 AM
690 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
IMAGE DETAILS
External Files
ASCII Strings: image.dd-0-0-fat12.asc
Name: image.dd-0-0
Volume Id: vol1
Parent VolumeId: img1
Volume Point: A:/
File SystemType: fat 12
Unicode Strings: image.dd-0-0-fat12.uni
Unallocated Sectors:
ASCII Strings of Unallocated:
Unicode Strings of Unallocated:
Extract Unallocated Sectors
Extracting the unallocated data in a file system image allows more
focused keyword searches and data recovery
(Note: This Does Not Include Slack Space)
Generate MD5?
Extract Unallocated
CLOSE FILE SYSTEM
Figure 11.46 | Autopsy: Image details after extracting strings.
Figure 11.47 | Autopsy: The result of extracting unallocated sectors.
Next, the investigator created a search index of strings on both allocated and unallocated sectors. With
this index constructed, he was able to perform a faster keyword search. All the external les required for the
search indexes are seen in Fig. 11.50.
Cyber security_Chapter 11.indd 690 2011-03-25 10:34:52 AM
Cybercrime: Illustrations, Examples and Mini-Cases 691
IMAGE DETAILS
Name: image.dd-0-0
Volume Id: vol1
Parent VolumeId: img1
Volume Point: A:/
File SystemType: fat 12
External Files
ASCII Strings: image.dd-0-0-fat12.asc
Unicode Strings: image.dd-0-0-fat12.uni
Unallocated Sectors: image.dd-0-0-fat12.unalloc
ASCII Strings of Unallocated:
Unicode Strings of Unallocated:
Extract Strings of Unallocated Sectors
Extracting the ASCII Strings from the unallocated data will make keyword
searching faster
Generate MD5?
Extract Unallocated
CLOSE FILE SYSTEM
ASCII Unicode
Figure 11.48 | Autopsy: Image details after the extraction of unallocated sectors.
Figure 11.49 | Autopsy: Result of extracting strings from unallocated sectors.
Cyber security_Chapter 11.indd 691 2011-03-25 10:34:52 AM
692 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
File browsing mode of Autopsy (see Fig. 11.51) was displayed by selecting the Analyze button, then
selecting the File from the Host Manager Analysis button. File Browsing mode provided a le manager
like view of the contents of the oppy disk image. You can see in Fig. 11.50 that the oppy disk image con-
tains listings for three les as follows:
1. cover page.jpgc (COVERP~1.JPG).
2. Jaggu Jungle.doc (_IMMYJ~1.DOC) Tis le was deleted by Jaggu.
3. Scheduled Visits.exe (SCHEDU~1.EXE).
IMAGE DETAILS
CLOSE FILE SYSTEM
Name: image.dd-0-0
Volume Id: vol1
Parent Volume Id: img1
Volume Point: A:/
File System Type: fat12
External Files
ASCII Strings: image.dd-0-0-fat12.asc
Unicode Strings: image.dd-0-0-fat12.uni
Unallocated Sectors: image.dd-0-0-fat12.unalloc
ASCII Strings of Unallocated: image.dd-0-0-fat12.unalloc-dls.asc
Unicode Strings of Unallocated: image.dd-0-0-fat12.unalloc-dls.uni
Figure 11.50 | Autopsy: Image details of extraction of allocated and unallocated strings.
Figure 11.51 | Autopsy: File analysis mode.
Cyber security_Chapter 11.indd 692 2011-03-25 10:34:52 AM
Cybercrime: Illustrations, Examples and Mini-Cases 693
Figure 11.52 | Autopsy: File analysis cover page.jpgc ASCII display.
Each le was examined to check if it contained information that could be used to answer the questions of
this case study accurately. Te questions were mentioned under the objectives of this illustration (refer to
page 682); they are mentioned below for ready reference of readers:
1. Who was the supplier of marijuana and what was the address listed for the supplier?
2. What crucial data is available within the coverpage.jpg le and why is this data crucial?
3. What (if any) other high schools besides Saint Stephens High School did the criminal frequent?
4. For each le, what processes were taken by the suspect to hide them from others?
5. What processes were used to eectively examine the complete contents of each le?
Now, let us see what they discovered with the le cover poage.jpgc le. Within the le analysis mode,
selecting the lename cover page.jpgc displayed the contents of the le as illustrated in Fig. 11.52.
Note that Autopsy could not recognize this le as a JPEG le, and the contents returned did not have the
JPEG signature JFIF. JPEG images should have the JFIF signature in the sixth byte of the le.
Te metadata for this le was viewed by selecting the 8 link in the metadata column where the lename
is listed. As illustrated in Fig. 11.53 the le size is reported as 15,585 bytes, yet it has only been allocated
to sector 451. A sector is only 512 bytes on a oppy disk, so there is insu cient space to hold this le in a
single sector.
Investigators wanted to determine if the metadata had been corrupted for this image le. Tey also
wanted to check if the data for this le exists elsewhere. So, they performed a keyword search for the JPEG
signature JFIF Keyword Search mode of Autopsy as you can see in Fig. 11.54.
Teir search for JFIF successfully found an ASCII match at Sector 73 (Fig. 11.55). It is possible to
display the HEX or ASCII contents of sector 73 within the image by selecting the links in the search results.
However this will only display a single sector, and the image may be bigger than a single sector. Te meta-
data for this le states the size of the image le is 15,585 bytes which would indicate 31 sectors are required
(as stated previously, sector sizes on a oppy disk are usually 512 bytes).
Cyber security_Chapter 11.indd 693 2011-03-25 10:34:53 AM
694 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Figure 11.53 | Autopsy: Metadata Analysis ASCII display cover page.jpgc.
Figure 11.54 | Autopsy: keyword search JFIF.
Te Data Unit mode of Autopsy (Fig. 11.56) allows an investigator to view the allocation list of an
image; this can be viewed by selecting the Allocation List button.
Cyber security_Chapter 11.indd 694 2011-03-25 10:34:53 AM
Cybercrime: Illustrations, Examples and Mini-Cases 695
Figure 11.55 | Autopsy: Result of keyword search JFIF.
Figure 11.56 | Autopsy: Data unit analysis.
Te results from of the allocation list are displayed in a single list format 500 sectors at a time. A small
sample is illustrated in Fig. 11.57. Tis output is not easy to view, therefore, the information has been sum-
marized in Table 11.7.
Cyber security_Chapter 11.indd 695 2011-03-25 10:34:53 AM
696 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Figure 11.57 | Autopsy: Data unit analysis allocation list.
Table 11.7 |Sector allocations (digital forensics using Autopsy Tool Kit)
Sector Range Allocation Status
Sectors 032 Allocated
Sectors 3372 Not allocated
Sectors 73108 Allocated
Sector 109 onward Not allocated
We can see from Table 11.7 that 36 sectors are allocated (from Sector 73108). Of these 36 sectors,
only 31 may be associated with the cover page.jpgc image le (refer to Fig. 11.51). Te dd tool can
be used to extract all 36 sectors and inspect the results. It is possible to extract the sector content using
the Data Unit mode of Autopsy to retrieve the appropriate number of sectors, and then selecting the
Export Contents button as illustrated in Fig. 11.58.
Te dd command, used to extract sectors 73108, is shown below; recall that there was a mention of
this command in Table 8.4 of Chapter 8.
dd skip=73 bs=512 count=36 if=/forensics/ev.locker/CaseIllustration01/
oppyhost/images/image.dd
of=/forensics/ev.locker/CaseIllustration01/floppyhost/output/
coverpage.jpg
Te data extracted with the dd tool normally can be viewed within an image viewer because it may
mostly contain data for a JPEG image. In this case, unfortunately, because more data was copied than the
Cyber security_Chapter 11.indd 696 2011-03-25 10:34:54 AM
Cybercrime: Illustrations, Examples and Mini-Cases 697
Figure 11.58 | Autopsy: Data unit analysis export contents option.
le size stated, it was necessary to inspect the contents of the extracted data with a hex editor to view the
extra sectors that were extracted. When the forensics investigators used the hex dumps tool and they also
manually paged through the le from the end to the start, they found references to a Scheduled Visits.
xls le, with a PK signature at oset 0x3e00. Tis could possibly mean that this le is contained within
a compressed archive (possibly called Scheduled Visits.exe). Te text pw=goodtimes was also visible
in the output at oset 0x3d20. JPEG images use an end-of-le signature of d9 and this signature was
seen at oset 0x3cdf. Tis signature, and the fact that when the metadata for the Scheduled Visits.exe le
is cross-referenced (the metadata for Schedule Visits.exe states it had been allocated sectors 104 and 105
refer to Table 11.5) indicates that only 31 sectors should be extracted for the cover page.jpgc image as was
stated earlier. In order to get an accurate representation of the JPEG image the correct number of sectors is
extracted from the original oppy disk image with the command listed below.
dd skip=73 bs=512 count=31 if=/forensics/ev.locker/ CaseIllustration01/
oppyhost/images/image.dd
of=/forensics/ev.locker/ CaseIllustration01/ oppyhost/output/cover-
page.jpg
Te string pw=goodtimes was still contained within the slack space of the extracted data when the extracted
data is viewed with a hex editor. Te recovered JPG image extracted with the command (mentioned above)
is illustrated in Fig. 11.59.
Now let us look at the le JagguJungle.doc. When the investigators selected the lename Jaggu Jungle.
doc from the le browser within the File Analysis mode of Autopsy, contents of the le got displayed
they are illustrated in Fig. 11.60. Due to its extension, Autopsy recognizes this le as a Microsoft O ce
Document. In Chapter 7, Box 7.10 explained what is meant by metadata. In this illustration, the investiga-
tors could view the metadata for this le by selecting the 5 link in the metadata column where the lename
is listed. Te metadata will detail the sectors where the le was allocated within the oppy disk image.
Cyber security_Chapter 11.indd 697 2011-03-25 10:34:54 AM
698 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
This months featured pot grower, smoker and
seller is Jaggu Jungle
POT SMOKERS MONTHLY
Your monthly guide to the best
pot on the plant!
Figure 11.59 | Image contained in coverpage.jpg le.
Figure 11.60 | Autopsy: File analysis ASCII display of the le Jaggu Jungle.doc.
Te metadata information (Fig. 11.61) indicated that initially, Sectors 3372 were allocated to this
deleted le. Te list in Table 11.7 shows that these sectors were unallocated. Terefore, the investigators
thought it may be benecial to extract these 40 sectors in hope of recovering a copy of the deleted docu-
ment. Te size of the le was checked only to ensure that the appropriate numbers of sectors are being
Cyber security_Chapter 11.indd 698 2011-03-28 4:29:51 PM
Cybercrime: Illustrations, Examples and Mini-Cases 699
extracted. For those who are not aware of oppy disk structure, Fig. 11. 62 depicts the same. Te metadata
indicated that the le size was 20,480 bytes. Considering that there are 512 bytes in a sector, this would
require exactly 40 sectors. Te dd command used to extract the sectors is shown below:
dd skip=33 bs=512 count=40 if=/forensics/ev.locker/ CaseIllustration01/
oppyhost/images/image
of=/forensics/ev.locker/CaseIllustration01/floppyhost/output/
jaggujungle.doc
Te extracted le appeared to have been created on 16 April 2002 at 08:30:00, modied on 16 April
2002 at 09:42:00 and could open successfully in a word processor. Te text contained within the document
is listed below.
Figure 11.61 | Autopsy: Metadata analysis of the le Jaggu Jungle.doc.
Jaggu Jungle
Tinku Wadi, Naupada
Thane
Jaggu
Man, your pot is surely the best - it made the cover of Going High
Magazine! Thanks for sending me the Cover Page.
How do work towards cultivating the marijuana plant? What quality
of seeds do you use man? I know your growing it and not some guy in
Vasai area.
Cyber security_Chapter 11.indd 699 2011-03-28 4:30:16 PM
700 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Disk sector
Disk track
Read/write head
Cylinder
Upper head
Lower head
Figure 11.62 | Disk structure.
These school kids, they tell me marijuana isnt addictive Ha! Ha!
They just cant stop buying from me! Man, Im glad you gave me the
trick of targeting the high school kids. You must have some experi-
ence. Its like a guaranteed paycheck. Their parents give them money
for lunch and they spend it on my stuff. Im an entrepreneur. Am I
only one you sell to or do you patronize others like me too? Common
man be only with me. Maybe I can become distributor of the year!
I emailed you the schedule that I am using. I think it helps me
cover myself and not be predictive. Tell me what you think. To open
it, use the same password that you sent me before with that le.
Lets talk soon.
Thanks,
Babu Dangat
Now let us see what was revealed by Scheduled Visits.exe. When the case investigators selected the le-
name Scheduled Visits.exe from the le browser within the File Analysis mode of Autopsy, the contents
of the le were displayed this is illustrated in Fig. 11.63. Autopsy has recognized this le as Zip Archive.
Te metadata for this le was viewed by selecting the 11 link in the metadata column where the lename
is listed (see Fig. 11.64). Te metadata had the details of the sectors where the le was allocated within the
oppy disk image.
Te metadata information (see Fig. 11.64) indicated that this deleted le was initially allocated Sectors
104 and 105. Te size of the le was 1,000 bytes, and one sector has 512 bytes this meant that it would
Cyber security_Chapter 11.indd 700 2011-03-25 10:34:55 AM
Cybercrime: Illustrations, Examples and Mini-Cases 701
Figure 11.63 | Autopsy: File analysis ASCII display of Scheduled Visits.exe.
Figure 11.64 | Autopsy: File analysis metadata analysis of Scheduled Visits.exe.
require only two sectors and this matches the sector allocation list. Te two sectors are extracted using the
dd command listed below:
dd skip=104 bs=512 count=2 if=/forensics/ev.locker/ CaseIllustration01/
oppyhost/images/image
of=/forensics/ev.locker/CaseIllustration01/floppyhost/output/
scheduledvisits.exe
Cyber security_Chapter 11.indd 701 2011-03-28 4:31:11 PM
702 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
When the investigators attempted to extract this le with the unzip tool, it produced the error End-of-
central directory signature not found this indicated that the le is incomplete. As listed in Fig. 11.7, sectors
were allocated from sectors 73 to 108. Also, as was discovered when data was initially extracted for the JPG
image from sectors 73 to 108, the text Scheduled Visits.xls was found within the last sector. With these two
pieces of supporting evidence, it was decided by the investigators to extract the data from Sectors 104 to 108 and
then they try to run the unzip tool. Te dd command used to extract Sectors 104 to 108 is shown below:
dd skip=104 bs=512 count=5 if=/forensics/ev.locker/ CaseIllustration01/
oppyhost/images/image
of=/forensics/ev.locker/CaseIllustration01/floppyhost/output/
scheduledvisits.exe
When the investigators attempted extracting this larger le with the unzip tool, the Autopsy tool prompted
for a password to be entered. At this stage an investigator could use a password cracker; however, the slack space
from the JPEG le contained the string pw=goodtimes. Terefore, they decided to try that rst. Entering
the password goodtimes allowed the unzip tool to extract the Scheduled Visits.xls le. Running the le
command on Scheduled Visits.xls indicated that the le was a Microsoft O ce Document this would
have been an investigators rst guess because of the le extension. Te Scheduled Visits.xls le contains a list
of dates and school names as illustrated in Table 11.8. All the names in the list have been masked to maintain
the condentiality. If any name happens to match with an existing school, then it is a pure co-incidence.
Table 11.8 | File contents Scheduled Visits.xls
Month (2002) Day High Schools
April Monday St.Josephs High School
Tuesday Kale High School
Wednesday Lulanagar High School
Thursday Barodia High School
Friday Rishi High School
Monday Haldiram High School
Tuesday St.Josephs High School
Wednesday Kale High School
Thursday Lulanagar High School
Friday Barodia High School
Monday Rishi High School
Tuesday Haldiram High School
Wednesday St.Josephs High School
Thursday Kale High School
Friday Lulanagar High School
Monday Barodia High School
Tuesday Rishi High School
Wednesday Haldiram High School
Thursday St.Josephs High School
Friday Kale High School
Monday Lulanagar High School
Tuesday Barodia High School
(Continued )
Cyber security_Chapter 11.indd 702 2011-03-25 10:34:56 AM
Cybercrime: Illustrations, Examples and Mini-Cases 703
Month (2002) Day High Schools
May Wednesday Rishi High School
Thursday Haldiram High School
Friday St.Josephs High School
Monday Kale High School
Tuesday Lulanagar High School
Wednesday Barodia High School
Thursday Rishi High School
Friday Haldiram High School
Monday St.Josephs School
Tuesday Kale High School
Wednesday Lulanagar High School
Thursday Barodia High School
Friday Rishi High School
Monday Haldiram High School
Tuesday St.Josephs High School
Wednesday Kale High School
Thursday Lulanagar High School
Friday Barodia High School
Monday Rishi High School
Tuesday Haldiram High School
Wednesday St.Josephs School
Thursday Kale High School
Friday Lulanagar High School
June Monday Barodia High School
Tuesday Rishi High School
Wednesday Haldiram High School
Thursday St.Josephs High School
Friday Kale High School
Monday Lulanagar High School
Tuesday Birard High School
Wednesday Rishi High School
Thursday Haldiram High School
Friday St.Joseph High School
Monday Kale High School
Tuesday Lulanagar h High School
Wednesday Birard High School
Thursday Rishi High School
Friday Haldiram High School
Monday St.Joseph High School
Tuesday Kale High School
Wednesday Lulanagar High School
Thursday Birard High School
Friday Rishi High School
Table 11.8 | (Continued )
Cyber security_Chapter 11.indd 703 2011-03-25 10:34:56 AM
704 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
At the beginning of this illustration, we had placed some questions that were objective of the forensics
investigation. Having completed the analysis of the image now the questions could be answered using the
information retrieved during the computer forensics analysis. Tis is shown in Table 11.9.
To conclude on the digital forensics illustration presented, here are the key summary points:
1. Although this illustrative example may be considered extremely small (going by its scope and dif-
culty), it demonstrates how to utilize some aspects of the Autopsy Forensics Browser to simplify
some of the tasks required when performing a le system analysis.
2. Tis illustration demonstrated Autopsys ability to process metadata information, perform keyword
searches on image les, handle deleted les and provide a basic le manager like interface to all les
within an image. Many of the steps required were performed within the browser and without the
need to directly interact with the command line tools from Te Sleuth Kit.
Table 11.9 | Answers to the case questions
Case Questions Answers Found through Computer Forensics
Question 1
Who was the supplier of marijuana and what was the
address listed for the supplier?
Jaggu Jungle
Tinku Wadi, Naupada
Tane
Question 2
What crucial data is available within the coverpage.jpg
le and why is this data crucial?
Te string pw=goodtimes was found in the slack
space at the end of the les allocation units.
Tis data was crucial as it turned out to be the pass-
word for the Scheduled Visits.exe which was a
password-protected le.
Question 3
What (if any) other high schools besides St. Josephs
High School did the criminal frequent?
Te password protected le Scheduled Visits.exe
contained the Excel spreadsheet le Scheduled Visits.xls
which listed dates for some more schools other than
St. Josephs school.
Note: Te list is given in Table 11.8.
Question 4
For each le, what processes were taken by the suspect
to mask them from others?
1. cover page.jpgc Tis le was incorrectly pointing
to Sector 451 on the disk for its data units; it should
have been pointing to Sector 73.
Any attempt to open the le would produce the data
units at Sector 451 which had all bytes set to f6.
2. Te Jaggu Jungle.doc le had been deleted.
3. Te length of le Scheduled Visits.exe stated it
was only 1,000 bytes; however, it was actually
2,560 bytes in length. Te extension of the le
did not match the le type.
Te le was also password-protected.
Question 5
What processes were used to successfully examine the
entire contents of each le?
Te Autopsy Forensics Browser was able to successfully
retrieve information about the les. Information found
using the Autopsy Forensics Browser was also used with
the dd command line tool to extract various sectors
from the disk image.
All steps have been thoroughly described in the
Analysis section presented earlier.
Cyber security_Chapter 11.indd 704 2011-03-25 10:34:56 AM
Cybercrime: Illustrations, Examples and Mini-Cases 705
3. In the analysis stages there were some steps that were required to be done outside of the Autopsy
Forensics Browser, but aside from le viewers, the only external tools that were utilized were the
dd, and hex dumps tools. Te use of the dd tool was not required, it was simply utilized for
this investigation to demonstrate an alternate method for extracting data from a disk image.
4. Point to note is that each investigation is unique and will require dierent aspects of forensic tools
in order to successfully complete an analysis. Tis illustration does not represent an exhaustive
demonstration of the tools found in Te Sleuth Kit and the Autopsy Forensics Browser by any
means; it merely provides a valuable introduction to some of the functionality provided by these
tools.
11.6.3 Digital Forensics Reporting Illustration 1: Vehicle Stealing Racket
Revealed through Computer Forensics Investigation
Good citizens are alert and behave in a responsible manner when they notice anything they believe could
have to do with cybercrime/cybersecurity matter. Tis illustration is about one such alert citizen. One eve-
ning a concerned citizen contacted the police department regarding possible stolen property. He told police
that while he was browsing the Internet, in hope to nd a car for a sensible price, he found an advertisement
that met his requirements. Tis advertisement listed a Honda City car for a low price, so he contacted the
seller. Upon meeting the seller he became suspicious that it was a stolen car being oered for sale.
After getting this information, police alerted the Auto Teft Unit. Te Auto Teft Unit conducted a
smart operation to procure the car. Surreptitiously, police o cers met with the suspect, who, after receiving
the sum (toward purchase prices of the car), provided required details to the police (in disguise) about the
vehicle (car registration number, insurance, etc.). Te culprit was taken under arrest and the car that he was
driving was searched along with his arrest. During the search, a notebook computer was taken into custody.
Although the documents provided by the suspect, that is, the culprit, looked genuine, upon examination the
documents turned out to be fake. Te auto theft examiner got in touch with the computer forensics labora-
tory to seek help in examining the seized computer. Te investigator obtained a search warrant to scrutinize
the computer and search for materials used in making fake documents and other proof related to the auto
theft charges. Te notebook computer was submitted to the computer forensics laboratory for analysis. Table
11.10 shows the initial report prepared. EnCase tool was mentioned in Chapter 7. In this real-life scenario,
it was used.
Table 11.10 | The primary report (1)
Primary Report
Type of Computer: Gateway Solo

9100 notebook computer.

Operating System: Microsoft Windows 98.
Oenses: Teft of Auto, Forgery Fraud, Creating False Documents (document
forgery) and Possession of Counterfeit
Vehicle Titles.
Agent In Charge of Case: Auto Teft Unit Investigator.
Place of Forensics Examination: Computer Forensics Laboratory.
Forensics Tools used: Guidance Software

EnCase, DIGit, Jasc Software

Quick View Plus

,
and AccessData Password Recovery Tool Kit.
Cyber security_Chapter 11.indd 705 2011-03-25 10:34:56 AM
706 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Te case was processed in the manner described here. During the Assessment phase:
1. Documentation provided by the investigator was reviewed.
a. A special search warrant was obtained for the assessment of the computer in a laboratory
location legal authority was instituted for this.
b. Chain of custody was properly documented using appropriate forms dened by the concerned
departments.
c. Te appeal for service and a detailed summary explained the investigation, provided keyword
lists, and provided information about the person suspected, the stolen car, the forged doc-
uments and the Internet ad. Te investigator also provided photostat copies of the forged
documents.
2. Te computer forensics examiner set up discussion with the case agent to understand the possibilities
for additional investigation areas and also to understand potential evidence being sought in the
investigation.
3. Evidence input was completed.
a. Te evidence was noted and photographs were made.
b. A le was created and the case details were entered into the laboratory database.
c. Te computer was safely put in the laboratorys property room.
4. Te case was entrusted to a computer forensics investigator.
During the Imaging phase, the following steps were performed:
1. Te notebook computer was examined and photographed.
a. Te hardware was examined and documented.
b. A controlled boot disk was placed in the computers oppy drive. Te computer was powered
on and the BIOS setup program was entered. Te BIOS information was documented and the
system time was compared to a trusted time source and documented. Te boot sequence was
checked and documented; the system was already set to boot from the oppy drive rst.
c. Te notebook computer was powered o without making any changes to the BIOS.
2. EnCase

was used to create an evidence le containing the image of the notebook computers hard drive.
a. Te notebook computer was linked to a laboratory computer through a null-modem wire,
which connected to the computers parallel ports.
b. Te notebook computer was booted to the DOS prompt with a controlled boot disk and
EnCase

was started in server mode.

c. Te laboratory computer, ready with a magneto-optical drive for le storage space, was booted
to the DOS prompt with a restricted boot disk. EnCase was started in server mode and evi-
dence les for the notebook computer were obtained and written to magneto-optical disks.
d. When the imaging process was completed, the computers were powered o.
i. Te notebook computer was sent back to the laboratory belongings room.
ii. Te magneto-optical disks that the EnCase evidence les held on them were write-pro-
tected and logged into evidence.
Next, a number of other steps were carried out during the Analysis phase:
1. A computer in the laboratory was made ready for investigation by installing Windows 98, EnCase
for Windows and other forensics software tools on it.
2. Te EnCase evidence les from the notebook computer were copied to the laboratory computers
hard drive.
Cyber security_Chapter 11.indd 706 2011-03-25 10:34:56 AM
Cybercrime: Illustrations, Examples and Mini-Cases 707
3. A new EnCase case le was opened and the notebook computers evidence les were examined using
EnCase .
a. Deleted les were recovered by EnCase.
b. File data, including le names, dates and times, physical and logical size, and complete path,
were recorded.
c. Keyword text searches were carried out using the information furnished by the investigator.
When the results were returned, all hits were examined.
d. Graphics les were opened and viewed.
e. HTML les were opened and viewed.
f. Data les were opened for examining the contents; two password-protected and encrypted les
were sited.
g. Unallocated and slack space was searched.
h. Files of evidentiary value or investigative interest were copied/unerased from the EnCase
evidence le and copied to a compact disk.
4. Unallocated clusters were copied/un-erased from the EnCase evidence le to a clean hard drive,
wiped to DoD 5200.28-STD. DIGit was then used to carve images from unallocated space.
Te carved images were extracted from DIGit, opened and viewed. A total of 8,476 images were
extracted. Recall File Carving explained in Box 7.10 in Chapter 7.
5. Te password-protected les were copied/unerased to a 1.44 MB oppy disk. AccessData Password
Recovery Tool Kit was run on the les and passwords were recovered for both les. Te les were
opened using the passwords and viewed.
A number of ndings emerged the analysis of the notebook computer resulted in the recovery of 176 les
of evidentiary value or investigative interest. Te recovered les included:
1. 59 document les included documents having the suspects name and personal information; text
included in the forged documents; scanned payroll, corporate and validated checques; text about
and describing stolen items; and text relating to the recovered car.
2. 38 graphics les consisting of high-resolution image les showing payroll, corporate, and certied
cheques; notes; vehicle titles; registration cards and templates of drivers license from many states;
insurance cards from dierent companies; and fake (though certied) checks payable to a computer
company in the range of ` 125,000 to ` 240,000 for the obtaining notebook computers, printers
and other accessories. A good number of graphics were scanned.
3. 63 HTML les containing Hotmail and Yahoo E-Mail and condential advertisements for the
recovered car, other vehicles and numerous types of notebook computers; E-Mail text, containing
E-Mails exchanged between the culprit and the involved citizen regarding the sale of the recovered
vehicle; and E-Mail communication between the culprit and a computer agency regarding the pur-
chase of laptops.
4. 14 graphics les recovered from unallocated space showing checks at dierent stages of nish-
ing points and scanned imagery of currency notes (recall File Carving explained in Box 7.10 in
Chapter 7).
5. Two password-protected and encrypted les:
a. WordPerfect

document having a list of personal information about quite a few individuals

names, addresses, dates of birth, credit card and bank account numbers and termination dates,
current account information, and other information. Password [nomoresecrets].
b. Microsoft

Word document having vehicle title details of the recovered car. Password [HELLO].
Cyber security_Chapter 11.indd 707 2011-03-25 10:34:56 AM
708 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Te documentation about this investigation consisted of the following:
1. Forensics Report: All actions, processes and ndings were described in a detailed forensics report,
which is maintained in the laboratory case le.
2. Police Report: Te case agent was provided with a police report describing the evidence examined,
techniques used and the ndings.
3. Work Product: A compact disk containing les and le data of evidentiary value or investigative
interest was created. Te original was stored in the laboratory case le. Copies were provided to the
case agent and the prosecutor.
Computer analysis revealed some interesting information and several new avenues of investigation
were opened:
1. Investigators contacted the victims listed in the password-protected WordPerfect document, thereby
learning that the victims had all been robbed in the same city during the previous summer by an
individual whose description was similar to that of the suspect.
2. When the computer company was contacted, it was revealed that the counterfeit cheques found on
the suspects computer had been accepted for the purchase of computers, and that the computers
were shipped to him and were the subject of an ongoing investigation. Model numbers and serial
numbers furnished by the computer company turned out to match with many of the Hotmail and
Yahoo classied advertisements found on the culprits computer.
3. Many of the counterfeit cheques found on the suspects computer were already the subject of
ongoing investigations.
4. Information gathered about other vehicles led to the recovery of additional stolen vehicles.
5. Te particular information hunted in the search warrant regarding the sale of the stolen car and the
fake documents was recovered from the suspects computer.
Tis led to the arrest of the suspect who eventually pleaded guilty and was imprisoned.
11.6.4 Digital Forensics Reporting Illustration 2: Child Pornography
Revealed through Computer Repair
COPPA (Childrens Online Privacy Protection Act) and Child Pornography is addressed in Chapters 1 and 6.
Child pornography-related oenses are explained in Chapter 1. In Chapter 7, it was mentioned that computer
forensics involves lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of data and meta-
data derived from digital devices which may contain information that is notable and perhaps of evidentiary
value. Tis illustration is to be read with that background and is about the reporting part of computer forensics.
Reporting is an important phase in a computer forensics/ cyberforensics investigation as explained in Section 7.7.2
of Chapter 7. Te case brief that follows is an example of what is typically involved in case analysis.
The case scenarios presented are for instructional purposes and information only. Any association to an
actual case and litigation is purely coincidental. Names and locations presented in the case scenarios
are ctitious and are not intended to reect actual people or places. Reference herein to any specic
commercial products, processes or services by trade name, trademark, manufacturer or otherwise does
not constitute or imply its endorsement, recommendation and the in formation and statements are not
meant to constitute any direct or indirect attempt to advertise those products, processes or services.
Cyber security_Chapter 11.indd 708 2011-03-25 10:34:56 AM
Cybercrime: Illustrations, Examples and Mini-Cases 709
Here is how the scenario of this illustration goes. Te setting is of old times when Windows XP operating
system was not around.
Amrish Deshpande was a young entrepreneur who owned a building construction company. Of late, Amrish
had noted that his laptop (loaded with Windows 98 systems) had developed a certain problem on the monitor
screen. So, he handed his laptop computer to his company sta member for taking it to a computer repair shop
to x the malfunctioning monitor of the laptop. After repairing the laptop, shops technician powered on the
laptop to reconrm if the monitor had been xed. A standard procedure of shop was to go to the recent menu
on the Start Bar of Windows 98 systems and select les for viewing. While doing that, the technician noticed
on the laptop screen what appeared to be an image of a young child depicted in a sexually explicit manner.
Being well-aware of the implications of any pornographic material on a laptop, the technician telephoned
the o ce of the legal authority in the town. Te concerned o cer from legal authority o ce observed
the image and conrmed it to be a violation of a prevailing law. Te laptop was seized because it con-
tained illicit material. Te capture operation was conducted in a manner consistent with recommendations
found in the manual Computer Crime Scene Investigation: A Guide for First Responders. Te laptop was
entered into evidence according to legal policy, and a search warrant was obtained for the examination of the
computer. Te computer was submitted for examination.
Objective was to determine whether Amrish (here in after referred to as the SUBJECT) possessed child
pornography. Te challenge in this case came from the fact that Amrish alone was not the user of the laptop.
Te laptop was used by the number of people in his o ce it was a shared laptop. Note the rst primary
stage report shown in Table 11.11.
During the Assessment phase, Case Investigators request for service was reviewed. Te search warrant
provided legal authority. Te forensics investigator wanted to dig into all the information regarding child
pornography, access dates and ownership of the computer. It was ascertained that the required equipment
was present in the forensics laboratory.
For the Acquisition phase, the hardware conguration was documented and a duplicate of the hard
drive was created in a manner that protected and preserved the evidence. Te CMOS details, including the
time and date, was documented.
As for the Examination phase, the directory and le structures, including le dates and times, were
recorded. A le header search was conducted to locate all graphic images. Te image les were examined and
those les holding the images of what appeared to be children depicted in a sexually explicit manner were
preserved. Shortcut les recovered pointed to les on oppy disks containing sexually explicit le names
Table 11.11 | The primary report (2)
Primary Report
Computer type: Generic laptop, serial # 123456789.
Operating system: Microsoft

Windows

98.
Oense: Possession of child pornography (prima facie suspected).
Case agent: Investigating O cer Mankame Ulhas.
Evidence number: 052356
Chain of custody: See attached form.
Where examination took place: Criminal investigations unit.
Tools used in Forensics Operation: Disk acquisition utility, universal graphic viewer, command line.
Cyber security_Chapter 11.indd 709 2011-03-25 10:34:57 AM
710 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
relating to children. Te last accessed time and date of the les indicated that the les were last accessed
10 days before the laptop was delivered to the computer repair shop. For Documentation and Reporting,
the forensics examiner was provided with a report describing the result of the preliminary examination. Te
investigator decided to conduct interviews.
During the next step, the employee who delivered the laptop computer to the computer repair shop was
interviewed. During the conversation, the employee indicated that he had never operated the computer.
Further, the employee stated that the SUBJECT had shown him images of a sexual nature involving children
on the laptop. As per the employees narration, the SUBJECT had once mentioned to the employee that he
keeps his pictures on oppy disks at home; he just forgot this one image on the laptop.
Te Advocate involved in this case (on behalf of police) was briefed in hope of obtaining a search warrant
for SUBJECTs home based on the examination of the digital evidence and the interview of the employee. A
warrant was drafted, presented to a judicial o cer, and signed. During the consequent search, oppy disks
were found at SUBJECTs house. Forensics inspection of the oppies showed additional evidences of child
pornography evidences included images in which SUBJECT was an accomplice. Tis resulted in the arrest
of SUBJECT. Te case brief report is in Table 11.12.
Table 11.12 |Case brief report
Case Brief Report
REPORT OF MEDIA ANALYSIS
MEMORANDUM FOR: Police O cer at the Police Station in Subjects geographical area Investigator
Mankame, Pune, Sahaj-Vihar Road.
SUBJECT: Forensic Media Analysis Report
SUBJECT: Amrish Deshpande
Case Number: 012345 052356
Status: Closed.
Summary of Findings:
327 les containing images of what looked like children depicted in a sexually explicit mode were recovered.
34 shortcut les that pointed to les on oppy disks with sexually explicit le names involving children were
recovered.
Items Analyzed:
TAG NUMBER ITEM DESCRIPTION
034489 One Generic laptop, Serial # CUFN 457-1
Details of Findings:
Findings in this paragraph related to the Generic Hard Drive, Model XTPS-30, Serial # 3456ABCD, recovered
from Tag Number 012345, One Generic laptop, Serial # 123456789.
1) Te examined hard drive was found to contain a Microsoft

Windows

98 operating system.
2) Te directory and le listing for the media was saved to the Microsoft

Access Database TAG 034489 MDB.

3) Te directory C:\ AMRISH DESHPANDE\PERSONAL\FAV PICS\, was found to contain 327 les con-
taining images of what looked children depicted in a sexually explicit manner. Te le directory for 327 les
disclosed that the les creation date and times are 5 July 2001 between 11:33 p.m. and 11:45 p.m., and the
last access date for 326 les listed is 27 December 2001. Additionally, the le directory information for one le
showed that the last access date was 6 January 2002.
(Continued )
Cyber security_Chapter 11.indd 710 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 711
4) Te directory C:\AMRISH DESHPANDE\PERSONAL\FAV PICS TO DISK\ contained 34 shortcut les that
pointed to les on oppy disks with sexually explicit le names involving children. Te le directory informa-
tion about the 34 shortcut les gave away the les creation date and times as 5 July 2001 between 11:23 p.m.
and 11:57 p.m., and the previous access date for the 34 shortcut les was listed as 5 July 2001.
5) Te directory C:\ AMRISH DESHPANDE\LEGAL\ included ve Microsoft

Word documents related to a
variety of contract relationships Amrish Deshpande had with other entities.
6) Te directory C:\ AMRISH DESHPANDE\AMRISH DESHPANDE BUILDING CONSTRUCTIONS\
contained les in relation to operation of Amrish Deshpande Constructions.
7) Tere were no further user-created les present on the media.
Shortcut File: A le created that has associations to another le.
Items provided: besides this hard copy report, one compact disk (CD) was submitted with an electronic copy of
this report. Te report on CD had hyperlinks to the les and directories mentioned above.
KALYANI D. INAMDAR Released by ______________________
Computer Forensic Examiner Chief Forensics O cer
Table 11.12 | (Continued )
11.7 Online Scams
In this section, we present revealing information about worlds most infamous scams. Many of them are
related for example, Nigerian scams (also known as 419 scams involve one or other form of advance fee
to lure the victim for the promise of a long-term gain). Te online scams described in this section are listed
in Table 11.13.
In a way, SPAM and SCAM are related because Spam, is often the vehicle used to convey scams
and other attempted fraudulent attacks to individuals. A HOAX also involves deception; however, it is
done without the intention of gain or damage or for depriving the victim; sometimes the intention can be
humorous. Types of cybercriminals and their motives are explained in Chapter 1 (Section 1.4). Also recall
Fig. 7.12 in Chapter 7. In this section, a number of Scam examples are provided. We hear about scams
that are reported occasionally in the news papers. Te majority of recipients may not respond to these
E-Mails; however, there are a few people who do respond to such mails. From fraudsters point of view,
that is enough to make the fraud worthwhile as many millions of messages can be sent. Invariably sums of
money which look large, but are very much smaller than the promised prots, are required in advance for
bribes, fees, etc. this is the money stolen from the victim, who thinks he/she is making an investment
for a huge prot.
In the sections that follow, some of the well-known scams are described. Te objective is to create aware-
ness for people so that they take due care and do not fall prey to such scams. Read about popular scams
in Refs. #61#65, #67#69, Additional Useful Web References, Further Reading. A fraud is a deliberate
action conducted with the motive of personal gain or an act done to damage another individual. Te specic legal
denition varies by legal jurisdiction. Fraud is a crime and also a civil law violation. Doing fraud with people
or entities (such as organizations, institutions, etc.) for money or ill-gotten gains is a common purpose of
fraud, but there have also been fraudulent discoveries. Fraudsters cleverly exploit human characteristics
such as greed and dishonesty, and victimize individuals from all walks of life. Advance free fraud is a classic
example of this. Tere are many variants of this scam and they are descirbed in the next section. Advance
Fee Scam usually begins with a letter or E-Mail that is sent only to a selected recipient but is actually sent to
Cyber security_Chapter 11.indd 711 2011-03-25 10:34:57 AM
712 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Table 11.13 | Scams described in Section 11.7
Scam No. Title
1 Foreign Country Visit Bait
2 Follow-up Scamming
3 Purchasing Goods and Services Scam
4 Cheque Cashing Scam
5 Romance Scam
6 Lottery Scam
7 Te Hitman Scam
8 Te Bomb Scam
9 Charity Scams
10 Fraud Recovery Scams
11 Pet Scams
12 Bona Vacantia Scam
13 Fake Job Oer Scam
14 Rent Scam
15 Attorney Debt Collection Scams
16 Malware Scams
17 Te Advance Fee Fraud
18 Babysitting Scams
19 Nigerian 419 Scam
20 Craigslist Scams
21 Pyramid Scheme Scams and Ponzi Scheme Scams
many persons. In the E-Mail an oer is made with a claim of a large payo for the victim. Often, the subject
line of the E-Mails have some catchy text like From the desk of Mr. XYZ, Your assistance is needed, and
so on. Te details vary, but the usual story is that a person, often a government or bank employee, knows
of a large amount of unclaimed money or gold which he cannot access directly, usually because he has no
right to it.
Te Spam E-Mails used to perpetrate scams are often transmitted from Internet cafes having satellite con-
nection. Addresses and E-Mail content of recipient are duplicated into a webmail interface on a stand-alone
storage medium, such as a memory card. During the course of many schemes, scammers look for victims to
supply bank account information. Typically this is a test devised by the scammer to gauge how gullible the
victim could be. Regarding due diligence with cybercafes, refer to Appendix J.
11.7.1 Scam No. 1 Foreign Country Visit Bait
Tis is a common trick used by fraudsters. Fraudsters take advantage of the fact that generally people are eager
to go overseas with the hope of earning more money. Fraudsters devising a plot under such scenario would
charm the victim through an invitation to visit the country. Te naive victims are invited to a country to
Cyber security_Chapter 11.indd 712 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 713
meet real or fake government o cials. Some victims who do travel are instead held for ransom. Tere are
a few rumored cases, where they are illegally brought into the country without a visa and threatened into
giving additional money as the penalties for being in a foreign country without a visa may be severe. At times
victims are taken for ransom or they are killed as it happened in the case of the 29-year-old Greek man
called George Makronalli who was lured to South Africa and was killed.
11.7.2 Scam No. 2 Follow-up Scamming
Tis trick is used when scammers know that their victim who has just been scammed, is more likely to
fall for scamming attempts rather than a randomly selected target. Often the scammer contacts the victim
after a fraud the scammer is smart enough to make a representation as a law enforcement o cer. Te
victim is given to understand that a group of criminals has been arrested and that they (i.e., fraud-
sters who are pretending to be the law enforcement folks) have recovered victims lost money. Further,
fraudster/scammer tells the victim that in order to get the money back, the victim must pay a fee for
processing or insurance purposes. Even when the victim realizes the scam, this follow-up scam can be
successful because the scammer represents himself/herself as a totally dierent party and yet knows
details about the transactions. For the victim, realization that he/she has lost a large sum of money and
the prospect of getting it back often leads to the victim ending up paying even more money to the same
scammer.
Tere are many variations on the most common scam stories, and also many variations on the way the
scam works. What follows in the section below are some fo the most notable deviations from the standard
Nigerian Letter scam, but still retain the core elements; the victim is deceived by some disproportionately
large gain into sending an advance payment, which once made is irrecoverable.
11.7.3 Scam No. 3 Purchasing Goods and Services Scam
Advertising automobiles on websites has become quite common. For that matter, there is a big boom in
Online Marketing activities even if, at times, it may be at the cost of your personal information being
stolen! In this mode of scam, the fraudsters list a non-existent high value car with a low price as bait to attract
buyers eager to buy quickly; specially the young and rich targets. Te scammer posts a message to the tune
I am not in the country, but if you pay me rst, a friend will drive the car to you. Te required payment
may be the full price, or a deposit, but it would not be an insignicant fee. Te picture of the car is never
posted on the website because the car just does not exist. In this type of scam, the scammers use E-Mail only
because they are smart enough to know that the sound of their voice and their attitude will give them away
as being high risk.
Another scheme under this type of scam involves advertising fake academic conferences and enticing
academics to apply to present papers. As a common practice, the conference would typically subsidize the
accommodation but would not reimburse the cost of air journey undertaken by the academicians to be at the
conference venue for presenting papers. One method using which the scammer baits the hopeful attendee is
that they oer free air travel to the victim, if they agree to pre-pay for hotel accommodation. Te scammer
can put forth a number of arguments to support why the accommodation must be pre-paid primarily that
they do not trust the victim will attend the conference unless he/she pays upfront. In this scam, fraudsters
may use any goods or services the idea is that they bait the victim with a good deal, and the victim must
pay upfront and electronically.
Cyber security_Chapter 11.indd 713 2011-03-25 10:34:57 AM
714 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
11.7.4 Scam No. 4 Cheque Cashing Scam
Given the workforce mobility scenario, worsening tra c conditions and soaring property prices, working
from home is becoming a common pattern now. Some scam schemes are designed to exploit the workforce
mobility scenario. Such schemes are based solely on conning the victim into cashing a counterfeit cheque.
Te scammer gets in touch with the victims and gets them interested in a work-at-home opportunity.
Alternatively, the scammer may ask the victims to cash a checque or a money order under the pretext that
the instrument (i.e., the cheque or the money order) cannot be redeemed locally. According to a recently
used cover story, the perpetrator of the scam wished the victim to work as a mystery shopper, evaluating
the service provided by MoneyGram or Western Union locations within major retailers such as Wal-Mart.
Typically, the scammer sends the victim a cheque or money order, the victim cashes it, sends the cash to the
scammer via wire transfer and the scammer disappears. Later the forgery is uncovered and the bank transac-
tion is reversed. Tis makes the victim liable for the balance. Defrauding plots based solely on cheque cash-
ing typically oer only a small part of the cheques total amount, with the assurance that many more cheques
will follow. If the victim buys into the scam and cashes all the checques, the scammer can win big in a very
short period of time. Tere are other scams where overpayment is involved; these usually result in smaller
revenues for the scammer, but have a higher success rate as the scammers request seems easier to believe.
Some cheque-cashing scammers use several victims at various stages of the scam. A victim in the US or
other safe country such as the UK or Canada (where typically the cashing victim resides) is sometimes
approached with an oer to ll out cheques sent to them by the scammer and mail them to other victims
who cash the cheque and wire the money to the scammer. Usually the scammer promises a cut of the money
to the mailer of the cheque. However, that promise is usually not met, and the cheque mailer is often conned
into paying for the production and shipping costs of the cheques. Te information about the cheque is either
been stolen or is ctionalized and the cheque is forged. Usually, it is far easier to track the victim mailing the
cheques than tracking and prosecuting the scammer. Terefore, when the cheques turn up as fraudulent the
person mailing them usually ends up not only facing charges for bank fraud and conspiracy, but also faces
the liability for the full amount of the fraudulent cheques. As the mailer of the cheque is taking the call, there
is now a lesser likelihood that the scammer will be caught. Tis makes it a popular variation of the scam;
especially in countries where antifraud laws are not very tough.
Another variety of the cheque-cashing scheme involves owners of vacation rentals. Te scammer shows
interest in renting the unit for a much higher than normal rate, usually for an upcoming honeymoon, busi-
ness trip, etc. Te scammer also oers to pay all fees up front, as soon as the unsuspecting unit owner agrees
to the windfall rental. In the long run, a very genuine looking money order/bearer cheque arrives. Around
this time the scammer makes a request that a part of the rental fee be returned and provides a convincing
reason for it for example, wedding called o, death in the family, business failure, etc. Given the reason of
the supposed crises, scammer requests the victim to return most of the rental fee via wire transfer. Te owner
of the unit is encouraged to keep a fair amount as a compensation for his time. Te wire transfer is sent,
only to nd out later that the o cial looking cheque was indeed bogus and the full amount is charged back
to the unit owner by his bank.
11.7.5 Scam No. 5 Romance Scam
Fraudsters exploit human psychology to gain victims condence. Romance scam is based on a condence
trick. A condence trick or condence game (also known as a bunko, con, im am, ga e, grift, hustle,
scam, scheme, swindle or bamboozle) is an attempt to defraud a person or group by gaining their condence.
Te victim is known as the mark; the trickster is called a condence man, con man, condence trickster
Cyber security_Chapter 11.indd 714 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 715
or con artist. Any accomplices are known as shills (see the explanation for these terms provided in Scam
No. 17 advance fee scam). Condent but criminally oriented people exploit human characteristics such
as greed and dishonesty. Such people have victimized individuals from all walks of life. Te condence
trick used in romance scam involves feigned romantic intentions toward victims, gaining their aection,
and then using that goodwill to commit fraud. Acts of fraud may involve access to the victims money, bank
accounts, credit cards, passports, E-Mail accounts and/or national identication numbers or by getting the
victims to commit nancial fraud on their behalf.
Fraudsters are tech-savvy; they modify their scamming techniques with the changing communication tech-
nologies that emerge. Money-for-romance angle is a recent variant of the Romance Scam. Te con artist
approaches the victim on an online dating service, an instant messenger (like Yahoo IM) or a social networking
site. Te scammer claims an interest in the victim and posts pictures of an attractive person (not themselves).
Te scammer uses this communication for his/her condence and then asks for money. Te con artist may
claim to be interested in meeting the victim, but needs cash to book a plane, hotel room or other expenses.
In other cases, they claim they are trapped in a foreign country and need assistance to return, to escape
imprisonment by corrupt local o cials, to pay for medical expenses due to an illness while abroad and so on.
Te scammer may also use the condence gained by the romance angle to introduce some variant of the origi-
nal Nigerian Letter scheme for example, saying they need to get money or valuables out of the country and
oer to share the wealth, making the request for help in leaving the country even more attractive to the victim.
Recall the discussion in Chapter 7, Section 7.14 about social networking sites. In a newer version of the scam,
the con artist claims to have information about the delity of a persons signicant other, which they will
share for a fee. Tis information is obtained through social networking sites by using search parameters such as
in a relationship or Married. Anonymous E-Mails are rst sent to attempt to verify receipt, and then a new
Web-based E-Mail account is sent along with directions on how to retrieve the information.
11.7.6 Scam No. 6 Lottery Scam
Probably, this is most often heard term. A lottery scam is a type of advance-fee fraud. It begins with an
E-Mail notication that is most unexpected. For example, you may get a mail declaring You have won! a
large sum of money in a lottery. Next, you, the recipient of the message, would usually be told to keep the
notice secret, due to a mix-up in some of the names and numbers, and to contact a claims agent. After
contacting the agent, you, as the target of the scam will be asked to pay processing fees or transfer charges
for the winnings to be distributed. In reality, however, you will never receive any lottery payment. Quite a
few E-Mail lottery scams use the names of legitimate lottery companies; however, that does not mean those
legitimate companies are in any way involved with the scams.
Fake notices of lottery wins are involved in most lottery scams. Te winner is usually lured to send
sensitive information to a free E-Mail account. Te scammer then informs the victim a small fee is required
to release the funds (insurance, registration or shipping). Once the victim sends the fee, the scammer invents
another fee.
Similar to the various types of overpayment fraud mentioned above, a new variation of the lottery scam
involves fake or stolen checques being sent to the winner of the lottery (these cheques represent a part pay-
ment of the winnings). Te winner is more likely to assume the win is legitimate, and thus more likely to
send the fee (which he does not realize is an advance fee). Te cheque and the funds involved are pointed out
by the bank when the fraud is discovered, and debited from the victims account. In 2004, another form of
the lottery scam appeared in the US. Fraud artists, using the scheme, call victims on telephones; a scammer
tells a victim that a government has given them a grant and that they must pay an advance fee, usually
around $250, to receive the grant.
Cyber security_Chapter 11.indd 715 2011-03-25 10:34:57 AM
716 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
11.7.7 Scam No. 7 The Hitman Scam
A hitman or hitwoman usually is a murderer who people hire to eliminate a target via contract killing.
Tose of you, who may have watched the Brad PitAngelina Jolie movie Mr. and Mrs. Smith, would remem-
ber the contract killing scenario. In this type of scam, an E-Mail is sent to the victims inbox, supposedly from
a hitman who has been hired by a close friend of the recipient to kill him or her. Te scammer tells the victim
that hit can be called o in exchange of a large sum of money. Tis is generally backed up with a warning not
to contact the local police or a local investigation agency, or the hitman will be forced to go through with
the plan. Tis is less of an advance-fee fraud and more of an outright extortion; however, a reward can at times
come in the form of the hitman oering to kill the man who ordered the original hit on the victim.
11.7.8 Scam No. 8 Bomb Scams
Tis type of scam comes closer to cyberterrorism, the term introduced in Chapter 1. Tis scam is similar
to hitman scam wherein scammers gets in touch with a business, mall, o ce building or other commercial
location and inform them about an impending bomb threat. Te scammer threatens that he/she will deto-
nate the bomb unless the management of the business complies with scammers demands. Often, scammers
say they have the store under surveillance; however, analysis of many such calls by police has established that
most of threat calls are made from other states or even from outside the country. Some evidence may exist
pointing to the scammers who hacked into the stores surveillance network, but this has not been conrmed
in any case and has been refuted in others. Te scammers usually demand that the store management sta
or people working in the main o ce of the store (if the store is a chain) send money via wire transfer to the
scammer. Other demands of these scammers have been more personal or humiliating, such as demanding
that everyone in the store take o their clothes.
Te underlying threat in the scam is a bomb threat so, local law enforcement is obliged to quickly
respond to the site under threat. However, because the scammer is usually nowhere near this location, the
scammer is in little, if any, danger of being apprehended while the scam is playing out. In the meantime, law
enforcement assumes that the threat is genuine, and therefore can do little to intervene without risking the
detonation of the bomb. Te fact that the threat was in reality a scam is usually not discovered until long
after the situation is over and the extortionist has collected the money demanded.
11.7.9 Scam No. 9 Charity Scams
Tis is a trick to invoke sympathetic feeling in peoples mind and use it to achieve the ulterior motive. Te
scammer presents himself/herself as a charitable entity looking for donations to help the impacted victims
(e.g., those aected by a natural disaster, terrorist attack for example the 9/11 World Trade Center attack,
regional conict, epidemic, etc.). Scammers very well know how to exploit peoples penchant for philan-
thropic work they used 2004 Tsunami and Hurricane Katrina as the popular targets for perpetrating
charity scams. Tere are other more timeless scam charities exploited as well, in the name of raising money
for cancer, AIDS or Ebola virus research, childrens orphanages (the scammer pretends to work for the
orphanage or a non-prot organization), or impersonates charities such as the Red Cross or United Way. Te
scammer asks for donations, often linking to online news articles to strengthen their story of a funds drive.
Te scammers victims are philanthropists who believe in helping a worthy cause and therefore they expect
nothing in return. Once sent, the money is gone and the scammer often disappears. Some scammers manage
to keep the scam going by asking for a series of payments. At times, the victim may land in legal trouble after
Cyber security_Chapter 11.indd 716 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 717
excluding their supposed donations from their income tax submission forms. Tax rules vary from country
to country for example, as per directives of the US Tax Law, charitable donations are tax-exempt only if
donations are made to eligible non-prot organizations. Te scammer may inform the victims that their con-
tribution is deductible and that the donors should provide all necessary proof of donation. However, the infor-
mation provided by the scammer is ctional. When audited, the victim faces sti penalties. Tese scams have
some of the highest success rates especially following a major disaster, but the average loss per victim is less than
other fraud schemes. Tis is because, the victim is far less likely to donate more than what he/she can aord.
In a slight variant of Charity Scam, the scammer pretends to have a terminally ill mother, or pretends
to be a poor university student, and simply begs the victim for money to pay for medical treatment, to
pay for college tuition, to sponsor their children, etc. Te scammer assures that the money will be repaid
along with the interest by some third party at a later date (often these third parties are some ctitious
agency of the Nigerian government, or the scammer themselves once a payment from someone else is
made available to them). Once the victim starts donating funds for the cause put forth by the scammer,
the scammer tells the victim that additional money is needed for unforeseen expenses, similar to most
other variants; giving excuses similar to those mentioned earlier. Many scammers would even go to the
extent of emotionally blackmailing the vicitim. For example, a scammer would say that as sponsor of the
children, the victim is legally liable for such costs. In some cases, a scammer may pretent to be a student
and would claim that a dormitory re destroyed everything he owned and therefore he needs the money
to re-establish himself/herself !
11.7.10 Scam No. 10 Fraud Recovery Scams
Tis variant targets former victims of scams. Te scammer gets in touch with the victim telling him/her
that their organization can trail and catch the scammer and recover the cash lost by the victim, provided
the victim is willing to pay for this service. Alternatively, the scammer may tell the victim that a fund has
been set up by the Nigerian government toward reimbursement for victims of 419 frauds (refer to Section
11.7.19). Scammer may further tell the victim that all that is required is proof of loss (scammer uses this
as a bait to collect personal information of the victim) and a processing and handling fee to send to the
victim the amount of the claim. In this ploy, the scammer is trying to exploit victims utmost need to
recover their lost money, as well as the fact that the victim fell prey to such tricks and are, therefore, prone
to get trapped into such scams. Often, these scams are conducted by the same scammer who cheated the
victim in the rst place, as an attempt to ensure getting every penny possible from the victim. Alternately,
the original scammer sells information about the people he has scammed. To be on the safe side, the
scammer would terminate contact, with another scammer who is also involved in the recovery scam.
Sometimes the scammer impersonates the leading fraud-related crime-ghters in Nigeria, the Economic
and Financial Crimes Commission (EFCC), which not only adds credibility to the scam, but tarnishes the
reputation of the EFCC once this second scam is discovered.
11.7.11 Scam No. 11 Pet Scams
Tis is a scam derived from the adoption of a puppy or interesting pets such as African parrots, Peacock,
Siamese cats, etc. A scammer rst places a commercial announcement or sets up a webpage to present
puppies for adoption or for sale at an incredibly low price. For this, the scammer typically uses stolen
images from other websites and reputable breeders. When a victim calls back the scammer after seeing the
advertisement and asks why the price is so low or asks why such expensive pet is being given up for sale/
adotpion, the scammer tells the victim that they (i.e., scammer and his/her so-called family) is migrating
Cyber security_Chapter 11.indd 717 2011-03-25 10:34:57 AM
718 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
to some other country for work (usually volunteer work as missionaries this is to generate sympathy and
empathy in targeted victims mind!) or for studies. Further, the scammers claim that he/she will have no
time to look after the pet given the movement plan. Additionally, the victim will be told that the weather
in the region/country that they are moving to, is like to aect the pet, or the scammer may give the excuse
that that they already have too many pets to care for. In most cases it so happens that the potential victim
is well targeted by studying victims fondness for pets. Chapter 5 explains how Phishing and social engi-
neering techniques are used for gathering personal information about people such as their hobbies, pets,
etc. In Chapter 7, it is explained how social networking sites can be dangerous because you can lose your
sensitive personal information if due care is not taken. In a typical pet scam, the scammer exchanges a
few E-Mails with victim to build trust. Once it is known that the victim is able to arrange a right home for
the pet, the scammer oers to ship the pet, and requests the victim to only pay for shipping, or the scam-
mer changes the original price substantially to make it sound legitimate. Te victim, who by now has an
emotional bond with the pet, feels obligated and even happy to do so, as shipping is a small price to pay
compared to the pets full price at a shop or breeder. Te scammer assures to complete the transaction in a
timely manner so that the pet gets ready to enter a new home and the victim is now thrilled. However, after
wiring the money, the victim does not get the pet (because it never existed). If the victim ever hears from
the scammer again it is only for extracing additional money [(to get puppy out of airport custody, or to pay
unexpected vet bills that have come up due to pets (pretended) illness due to journey)]. Tis goes on until
the victim stops responding.
11.7.12 Scam No. 12 Bona Vacantia Scam
Te English term bona vacantia refers to property that does not any more have an owner, and is taken
over by sovereigns. Depending on the country, there are dierent names for this procedure. For example,
in the US, there is no o cial name for this; it just consists of land that is free, that is, not claimed by
anybody, and, as a result, the property goes to the government. However, if everyone is not aware of it,
you can recover it. In the UK, bona vacantia is a property without owner, that is, a property which
has been passed to the Crown. Te administration of the property rests with the Bona Vacantia Division
of the Treasury Solicitors Department. Some cases of this type of scam show that fake E-Mails and letters,
claiming to be from this department, have been reported to inform the benecaries that they are going to
benet from an inheritance and that they need to pay a fee before getting more information or releasing
the money.
Bank accounts, company assets, property or anything else that is worth the money counts as unclaimed
property in these situations. Tere are cases in which people die, but they did not designate their property
or items to people. Whichever department is in charge for supervising the money or property, administers
them until a heir or other beneciary can collect them as predetermined in some kind of will. Tese free
properties or money are not kept undisclosed but advertised in the local paper, or through a website and
they may request some vital personal information such as a full name or perhaps relations names and that
information is validated against the list to see if there is property for the inquirer. At times, names of relatives
will be required.
Given this scenario, scammers have used the possibility of this situation to their advantage for a long
time. Tere are people who would be very receptive to the idea of receiving property or funds from a rela-
tive they did not know about. Such people can be preyed upon by scammers who just want their money.
In Bona Vacantia Scam, the scammer randomly shortlists some names from the telephone directory, E-Mail
Spyware, etc. from where the persons name is available; this could even be from social networking websites.
Cyber security_Chapter 11.indd 718 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 719
Te victim is then contacted by E-Mail or letter and told he/she is heir to money that has been unclaimed.
Tis communication is made to look very o cial and genuine.
Availability of bona vacantia, or unclaimed funds, is usually advertised on the Internet or by other means
declaring that there are unclaimed funds and one should apply, giving their name and other personal infor-
mation so that a check can be made to see if they are on the list. You might even have to enter names of
family members. If there are unclaimed goods or funds matching the name of the person inquiring then they
are contacted asking for more details to be submitted. Te entire process takes place via letter or E-Mail and
there is no agent involved. Knowledge about how recovery of unclaimed goods really works helps a person
stay away from such scams.
Te next step is that when the victims respond to the communication, they will be asked to give their
contact details. Usually a phone call will be made saying the goods are available but there are expenses or fees
that must be paid before they can be released. In almost all cases the victim will not ever hear anything about
the money they sent but the requests for additional payments will continue until the victim stops respond-
ing, having realized that he/she should not pay more to the con men. In cases like these knowing whom you
are speaking to and being able to verify the same with a service such as info-trace.com/area-code-906.jsp, can
save much time and money because it would be realized that the agent is not who he claims to be. Personal
cheques are even better for scammers, as it allows them to get more out of you. With the information on
your cheque, such as your address and account number, they can empty your accounts. Sending a personal
cheque to a con artist can result in identity theft. Absolutely avoid these correspondences if you can. If you
do want to investigate these claims, consult the appropriate government agency to check up on them.
11.7.13 Scam No. 13 Fake Job Offer Scams
Tese scams are also known as employment scams they are a form of criminal activity perpetrated by
unscrupulous individuals or organizations posing as recruiters with personnel needs and/or hiring agencies
that oer, and promise, attractive jobs and big money to people seeking for employment opportunities or
interested in working in certain business sector. Tis scam is aimed at persons who have published their
resumes on job sites. Te scammer sends a letter with a falsied company logo. Typically, the job oer
seems to provide extraordinary remuneration and perquisites. Te oer also mentions that the victim needs
a work permit to be able to work in the country. To make the ploy believable, scammers do not forget to
mention the address of a government o cial to contact obviously it is all bogus. Te fake government
o cial then starts eecing the victim by extracting fees from the unwary victim for the work permit
and other matters. Tese days everybody is looking for a highly paying job and scammers take advantage
of that psychology to create this kind of scam. Te result (as seen from the targets perspective) is that the
targeted applicants seem to receive bogus job oers via E-Mail with scanned appointment letters, work
conrmation, and employment contracts from well-known employer. Later on, the victims are instructed to
contact s pecied tour agencies, immigration agents and solicitors (apparantly all abroad). Tese agencies and
agents are supposed to assist them in the gettimg them the required work permits and visas.
To summarize, this is how the fake job oer scam works:
Step 1: To begin with, applicants are lured by attractive job oers in certain countries. Scammers give impres-
sion to the victims that the job does not involve high skills. Tis is done by using (without the knowledge
of victim) the names of well-known companies such as large hotel chains. Section 11.2.25 Example 25 is a
real-life example of such scam rackets busted by Pune Police in October 2010. Here is an example of a fake
E-Mail the victim might get as a result of this scam (the mail is supposedly coming from the E-Mail ID cost-
world_textil eo cebox@yahoo.co.uk refer the discussion in Chapter 2 about Fake E-Mails Box 2.7).
Cyber security_Chapter 11.indd 719 2011-03-25 10:34:57 AM
720 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Te typical E-Mail in this scam could look as follows:
WELCOME TO THE COST WORLD COMPANY
Dear Sir/Madam,
Am Mrs. Kathy Thomson, payment remittance manager for COST-
WORLD contemporary furniture (The Cost-world Company Ltd). Its a
young business and need a trustworthy representative in the UNITED
KINGDOM,UNITED STATES,CANADA and all other European country and its
environ to work with ....who will be engaged 3-6hrs Weekly and earn
between US$700 to US$1200 weekly. We are into sales of Primitive
Artworks & Textile Material which has been a very pro table business
and we are a subsidiary ofbizcom_services ltd.
We sell this within these regions, United Kingdom and also parts of
Scandinavian Europe with materials mostly in high demand in the UK.
WHAT YOU NEED TO DO FOR US?
The worldwide money transmit tax for lawful entities/companies) in
UK is 12.5%, while for the individual it is only 7%. It does not
makee sense for us to operate this way, given that the tax for inter-
national money transfer made by a private individual is 7%. That is
why we need you! We need agents to collect payment for our textiles
(in money orders, cheque or bank wire transfers) and to send back
the money to us via Money Gram or Western Union Money Transfer. This
way we will save money because of tax amount going down.
JOB DESCRIPTION?
1. Receive payment from Clients;
2. Cash Payments at your Bank;
3. Deduct 10% which will be your percentage/pay on Payment Processed;
4. Advance balance after deduction of percentage/pay to any of the
of ces. One of these of ces will contact you about sending the
payment. The payment is to be forwarded either by Money Gram or
Western Union Money Transfer.
HOW MUCH WILL YOU EARN?
10% from each operation! For instance: you receive 7000 via checks
or money orders on our behalf. You will cash the money and keep 700
(10% from 7000) for yourself! At the beginning your commission will
equal 10%, though later it will increase up to 12%!
ADVANTAGES
You will have tremendous exibility - you will not need to go out
as you will work as an self-governing service provider right from
Cyber security_Chapter 11.indd 720 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 721
your home of ce. Your job is completely lawful. You can earn up to
4000-5000 monthly this will depend on the amount of time you will
devote to this job. You do not need any funds to start working on
this assignment. You can do the work effortlessly and without leav-
ing or without any impact on your current job. For employees, who
commit efforts and work hard, there is a good opportunity to be pro-
moted into managerial position. Experience shows that our employees
never leave us because to the excellent work conditions we offer.
MAIN REQUIREMENTS:
No less than 18 years or preferably older of cially capable account-
able ready to work 4-5 hours per week PC knowledge E-Mail and
Internet experience (minimal) And please know that Everything is
absolutely legal.
HERE IS A COPY OF THE EMPLOYMENT FORM FOR YOU
Reference No:- LSLCA/2031/ 8161/05
Batch No:- R4/A313/2-60
IMPORTANT:
You must be over 21 years of age.
US, UK, CANADIAN, AUSTRALIAN,OTHER EUROPEAN
CITIZENSHIP.
EMPLOYMENT FORM
First Name:..................................
Last Name:....................................
Address.......................................
City.........................................
State........................................
Zip..........................................
Phone........................................
Marital Status...............................
Age............................................
Nationality....................................
Present Occupation............................
Thanks for your anticipated action.
Yours Sincerely,
MR KENDRA THOMSON, payment remittance manager for
COST-WORLD
HOUSE OF BLISS ART GALLERY
98 Stuart Court, Richmond Hill,
Richmond, Surrey, England, TW10 6RJ
http://www.houseofbliss.com
Phone #:+(44) 702-403-7663 or +44703-186-0621
Cyber security_Chapter 11.indd 721 2011-03-25 10:34:57 AM
722 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Step 2: Having ensured that the victim is hooked, the fraudsters will require the victim to send a small
amount of money as compensation for work permit applications or VAF visa applications at embassy in
the country where they claim the job is. Tey may even assure to get the victim the reimbursement for this
amount once he/she is in that country.
Step 3: After you are tricked with Step 2 you now get into fraudsters net. Now they have you as the target
for their further requests) such as processing, ights and handling charges. All this is, of course, to extract
more money from you! Te modus operandi of most of the frauds is to boost your condence by only asking
for a small amount of money at a time and then the fraudsters go for the big kill later on down the line!
A variation of the job scam pretends to take on board freelancers who seek genuine jobs (such as in editing
or translation), then a pre-payment oer for their work is made. Tere are ways to keep away from these
fake-job-oer scams/employment scams. You should watch out for certain doubtful points and ambiguous
information that might make you distrustful about false claims and likely employment scams:
1. Be cautious with job search or training services that promise or imply guaranteed results or any
other statement assuring job opportunities that look too good.
2. Be wary about any payment and be careful before even making a slightest amout of payment. Get
in touch with o cial job consultants to seek information on the realistic value of the oered courses
and diplomas.
3. Never pay any upfront fee for placement services that oer a dream job.
4. Be careful with agencies stating limited time reduced rates or special deadlines to apply for a posi-
tion. Tey will warn you to apply (and pay) before a date. In other case, the wonderful job opportu-
nity will vanish, and your name will be removed from the list of lucky applicants. After the famous
deadline, the oer is the same with another deadline, of course.
5. Be wary of companies or agencies oering salaries too high for the promised job. Many of them oer
fantastic starting incomes, which cannot be farther from the reality. In case, you are interested in
such services, the best option is phoning or getting in contact with some company to inquire about
this specic subject.
6. Of course, never depend on oral promises.
7. Be careful with listing or bank services that provide third parties with access to your resume. In this
case, privacy and condentiality must be sealed and protected, and the activity of such agencies
must strictly comply with privacy policy and data protection regulations, and internal security rules
that guarantee the highest possible protection of stored data.
8. Job seekers should not be duped by any promise of a refund if no job or lead materializes, which is
an excellent incentive to bait those people not willing to pay money for a failed job search.
9. Be aware that fraudulent employment services will use an endless string of excuses for why you are
not entitled to a refund. For instance, a request for copies of the rejection letters from the compa-
nies. Te problem is that, in the most of the cases, you will not receive any of such letter from those
companies, which are not obliged to reply.
10. In such cases it is advisable to seek for information on the prospective employers or recruiter through
another source and contact them directly or visit their o ces in regular business hours.
11. Forget about companies with no legitimate street address and companies or agencies that refuse to
provide veriable references.
12. Be cautious of fake references. Several websites dedicated to scam job seekers draw on remarkable
lists of people who supposedly found a job through their services. An assortment of express testi-
monials from people already working on the ship (e.g., with cruise ships or oil rigs), including
photos/images of smiling persons sporting their new safety helmets and dressed in neat company
uniforms seen at their workplaces.
Cyber security_Chapter 11.indd 722 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 723
13. Keep in mind that there are many cases where such scammers are fully aware that many of their
potential victims will go all over the Internet to seek information and references about the agency
and its services. Terefore, scammers often post bogus messages in forums and interactive websites devoted
to job hunting and career planning. Tere have even been cases of websites and forums edited and
managed by these same tricksters just to ll them with multiple fake threads started and continued
by supposed forum members engaged in long discussions, showing generally favorable opinions and
perceptions toward the subject.
14. Watch out for companies or agencies who ask for your nancial information. Legitimate employers do not
usually need credit card or bank account numbers, which is just an option of direct deposit of paycheck.
15. Wait until the personal interview at the companys o ces before agreeing to a direct deposit option,
refusing to accept the job if this is the only option oered by the supposed employer.
Organizations or agencies may ask for non-work-related personal information such as social insurance
number in the US, PAN card in India, passport, etc. or any other piece of sensitive information prior to
oering a job in writing. Carefully evaluate contact information mentioned in job advertisements or related
E-Mails, and specially watch the spelling errors. Also check if there is any free E-Mail address that does
not show the companys name, and inconsistencies with physical addresses or area or zip codes. All of them
are common indicators for spotting job scams. Pay careful attention to website address that look vague for
example, http://www.theweb.com. Be particularly careful about websites that make a claim to be dedicated
toward providing job opportunities or typical recruiters not inclined toward using links in advertisements,
forums or other Internet sites, which may lead to similar websites and fake replicas. All such sites are only
meant for taking away your personal information in a form of deception called Pharming (addressed in
Chapter 5 (see Box 5.10 in Chapter 5).
Tere are companies or agencies that operate outside of the country or state where they advertise. Usually,
these individuals purposefully seek to distance themselves from their victims in order to avoid closer scrutiny
and complicate an investigation by police authorities. Tey do not use a genuine street addresses, but they
depend on post o ce box addresses, or set up their head o ces, with little more than a nameplate on the
door, in one state but may operate from other far-away place or even from overseas.
11.7.14 Scam No. 14 Rent Scams
News of such scams is rampant in newspapers. People are on constant move the workforce today is really
global and people do travel all over the world in connection of their work, be it students, professionals and
many others. Sometimes, people moving from one place to another want to sell or rent their real-estate
property (house, apartment, etc.). Scammers take advantage of the fact that people need accommodation
or the fact that accommodations are on sale. Scammers are on the look-out for foreign students, doctors,
etc. who try to contact a landlord who could oer an accommodation. After the conditions are negotiated,
a fake cheque is sent for a larger sum than agreed to. After this, some emergency situation is created
which requires part of that sum to be urgently wired back. It may also happen the other way round, wherein
a fraudster advertises on the Net about a lodging facility and indicates that money needs to be wired as an
advance payment. Te victim ends up realizing that there is no accommodation!
One of the tricks used by rental scammers is to pitch the rent of the fake lodging arrangement below the
regular rental rate in a certain market. Tis becomes an attraction for the person looking for inexpensive lodging.
Tis also allows the fraudster to accept as many E-Mails or inquiries as likely. You should not allow yourself to
become a prey of such tricks. You can actually scrutinize a rent scam mail by looking out for the following:
1. Does the E-Mail begin by addressing you with Sir/Madam?
2. Are there too many wrongly spelt words in the E-Mail?
Cyber security_Chapter 11.indd 723 2011-03-25 10:34:57 AM
724 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
3. Are there character mistakes in the E-Mail? For example, Hello,my nameis Susie.
4. Is there excessive capitalization?
5. Does the E-Mail allude to words such as UK, Cashiers Cheque, Nigeria, Doctor, Reverend,
etc.
6. Is the E-Mail from a free E-Mail provider, such as gmail, yahoo, AOL (America Online), hotmail?
7. Does the E-Mail refer to another person or agent?
8. Does the E-Mail mention wanting to move in site unseen?
If the E-Mail has most of the elements described above, then there a good chance that it is a scam. If you
are unsure, it is best to not reply to the E-Mail. Table 11.14 shows some of the typical tricks used by rental
scammers and has some good advice for you.
Also read about a related scam called Craigslist Scams; it is explained in this section under illustration
number 20.
Table 11.14 | Beware of rent scammers
Rent Scam Trick 1 Rent Scam Trick 2 Rent Scam Trick 3
Typical Subject
Line Used in
the Scam Mail
Te Property in the
Advertisement Is Not
Really Mine
I Overpaid You with My
Money Order!
Wire the Money to
Your Own Friend!
Comment 1 Tis one has been happening
a lot lately. Te scammer logs
onto home rental sites, makes a
copy of the home information,
and retransmits that informa-
tion onto another site.
In this scenario, you are
renting out your room or
house, and you get this
weird E-Mail from some-
one in Africa or the UK.
It could be some pretty
African model or a poor
missionary that wants to
rent your place.
Tis trick could poten-
tially fool a lot of people,
especially if they are
not familiar with wire
transfers.
Comment 2 One problem the scammer
posts his own contact informa-
tion instead of yours!
You give them your postal
address for them to be able
send you the money ... .
Te scammer says, If you
want to rent my place,
I need proof that you
have funds. So go ahead
and wire some money to
YOUR OWN friend, but
just E-Mail me a copy of
the receipt so I can verify
that you have the funds.
Comment 3
Watch out!
As mentioned previously,
scammer sets the price really
low so that he can lure tons of
victims into contacting him for
that sweet rental deal.
A week later, you receive
the money order for a
HUGE amount. You take
the money order to the bank
and deposit it. Te bank
conrms the money order,
so you leave the matter
there, and all seems ne.
YOU (the victim) feel
comfortable since you are
to send money to your
own friend whom you
trust.
(Continued )
Cyber security_Chapter 11.indd 724 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 725
Rent Scam Trick 1 Rent Scam Trick 2 Rent Scam Trick 3
Typical Subject
Line Used in
the Scam Mail
Te Property in the
Advertisement Is Not
Really Mine
I Overpaid You with My
Money Order!
Wire the Money to
Your Own Friend!
CAUTION
Ten he initiates some kind of
baloney to tell the victim that
he (i.e., the fraudster) is on
vacation and that he needs you
to wire him the money before
he can hand you the
keys to the house.
Your money is gone forever!
DO NOT WIRE THE
MONEY if you are not sure.
Ten the scammer says
Oops, my guarantor sent
you excess money, can you
please wire some of it back
to me?
Your money is gone forever!
DO NOT WIRE THE
MONEY if you are
not sure.
Tis is what will actually
end up happening if you
did that the scammer
takes the PASSWORD
ON THE WIRE
TRANSFER FORM,
goes to his nearest west-
ern union, and takes the
money himself !
Your money is gone
forever!
DO NOT WIRE THE
MONEY if you are not
sure.
Table 11.14 |(Continued )
11.7.15 Scam No. 15 Attorney Debt Collection Scams
Tis type of scam involves law rms collecting money owed typically to Asian companies. Te scammers
aim at law rms by using certiable company names. Tis is a very professional scam, and you could be
the target so watch out if you are lawyer. If the scammers approach you, they will say they represent a
manufacturing company somewhere in Asia. When you check on the company, you will be able to verify
that it exists and is a legitimate company. Remember that creating fake websites is not at all di cult (refer
to Box 2.7 in Chapter 2). Te story is that they want you to represent them for collecting a debt owed
by a company in your county or state. Tey will ask you to submit a fee contract, and they will sign this
and return it.
Scammers will then inform you that they have informed the debtor about having employed you and
that shortly you will be notied that the debtor is paying the debt. You will then receive a certied cashiers
cheque delivered by FedEx or DHL. You are required to place this cheque in your trusted account, and
when the cheque is cashed you take away your fee and costs, and wire them the balance of the collected
rms. Te cheque may be drawn on a genuine bank that you would be aware of. Victims are then asked
to take a percentage and wire the remainder to a bank in certain country typically, Korea, China or
somewhere else generally in Asia. Te bank, which this cheque is drawn on, has nothing to do with the
scam. Te cheque is bogus!
Bankers advise that instead of depositing a suspicious cheque in your trust account, you can request that
your bank send this cheque directly to the issuing bank and request collection. Tis avoids the embar-
rassment of a bounced cheque in your account and should put everyone on notice that you are concerned
about this cheque. One of these scams seen was very well done until the instructions for wiring the funds
were given to the attorney. A tip-o was that the address in the wiring instructions had nothing to do with
the legitimate front company they claimed to represent.
Cyber security_Chapter 11.indd 725 2011-03-25 10:34:57 AM
726 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
If the bank did not show due diligence and did not notice that it was a fake cheque, and if they deposited
the funds in your account, then you would never ever have any reason to believe that this was a fraud of any
kind. However, there was an attorney in Texas who actually had a cheque honoured by the bank, and wired
the money to the scam address. Later the bank came back and emptied his account when the forged cheque
was discovered. Te bank will go against you even if they have some liability. You do not want to get into
a major court case trying to protect a forged cheque. You will have a tough time trying to give reason for
money that is taken away from the naive bank. If you believe a collection matter or similar scam is occur-
ring, you should nd an autonomous source for the client address and get in touch with them to conrm
that the person who contacted you actually comes from the genuine company. Also you can call the local
debtor and ask them if they have done business with the so-called creditor company.
What really bothers is that both the creditor company and the debtor companies are real companies
and have nothing to do with the scam. Te best tip-o is the bizarre wiring instructions which will be sent
to someone not related to the creditor who hired you. Some attorneys experienced that when investiga-
tion agencies were contacted about these scams, those agencies showed little interest. So be aware that you
could pretty much be on your own. According to some people, the scammers prefer to be located in certain
countries where it is easy for them to operate; probably due to weaker laws and possibly for many other rea-
sons. Terefore, it is always good to check on the country mentioned on the envelop that brings the cheque
to you. If the envelops originates from certain countries that are known to be infamous for frauds you can
pretty well be sure that this is a scam.
Although not common in India, in the US, there are attorneys who do collections, often based on con-
tingency. A scammer contacts the attorney by pretending that he/she represents a big international rm
headquartered in another country. Te scammer tells the attorney that the organization has no o cially
permitted representation in the attorneys state, and needs to collect arrears from another business in
that state. Scammer requests the attorney to send via E-Mail a standard retainer contract. As this is a
common practice in the US, the attorney sends an E-Mail containing the contract document. Te scam-
mer signs the contract and returns it. After some days, the scammer informs the attorney that legal repre-
sentation has now been obtained and that the debtor has agreed to pay the debt by the end of the month.
Red ag #1 is when the scammer urges the attorney not to get in touch with the debtor company since
the client wishes to maintain a working relationship with the debtor, saving court case as a last option.
Te attorney is instructed to make contact with the debtor only if the committed payment is not made on
the promised date. On the promised date, the huge cheque is sent to the attorney, who deposits it in the
law rm account keeps his, that is, attorneys emergency fee, and sends back the rest of the amount to the
scammer. Red ag #2 is that the scammer will request the money be wired to a foreign country, or insists
on speedy payment. Super smart scammers will le articles of organization with both states, will build
websites, and will also purchase prepaid cell phones with local phone numbers. Tis will help scammers to
do the job of dual imposter, that is, the scammer can pose as both client and debtor. Using the Internet
communication that allows faceless communication, all of that can be done inexpensively and easily.
One Texas law rm lost $158,000 on one of these fake collection scams.
11.7.16 Scam No. 16 Malware Scams
Malware and Trojans are explained in Chapters 24. Discussion about ID theft and Phishing is available in
Chapter 5 and zombies and botnets are discussed in Chapters 1 and 2 (Section 2.6). We have got so used to
Internet convenience and the search engines running on them. Have you ever thought why it is possible for
Cyber security_Chapter 11.indd 726 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 727
you to use the Internet for FREE? It is because there are sponsored links on the Internet and there are banner
ads (advertisements) on the sites that you visit.
Be aware, however, that the third-party cookies store information about you, addresses of the sites that
you browse, the IP address of your computer, in fact the entire site-to-site tra c ow. Te information
stored in these cookies is served to organizations that have presence on the Internet for the online market-
ing of their products. Tese practices can harm you in that your personal information is changing hands.
Recall the discussion in Chapter 5 about Phishing and identity theft. Using malware to infect computers
is now a very popular scam (Box 2.9 explains the term malware, and the term zombie computers is also
explained in Sections 2.6 and 2.7 in Chapter 2). At times the objective is to just turn the infected machine
into part of a very big Botnet where computers are remotely manipulated to send Spam or attack networks.
At other times the objective is to steal the identity.
Tere are a couple of scenarios under which these scams run. For example, anyone who has a blog has
probably seen blog Spam; comments to the blog simply try to entice people to go to some other site. Most
of the time, the site being advertised is merely trying to enhance its search engine rankings to create more
revenue advertisements. Te more links there are to a site, the more popular the search engines becomes. It
is often thought that blog Spam is a good way to enhance the search engine rankings. In some cases this
turns malicious. Some sites participate in extensive intellectual property theft to improve their rankings.
In Chapter 9, intellectual property (IP) is discussed you may like to refer to that chapter.
In yet another scenario, a business contacts you saying that your computer is running slow or is
infected with malware. Tey will then direct you to a website and ask you to download some software;
this software can be in many forms it may allow the scammer to gain access to your computer in order
to nd personal information and bank details. Here is how it works. Te person or group launching the
attack transmits an E-Mail message. Te more authentic it looks the better. Te idea is to have the receiver
open the attachment that is sent through the E-Mail. Once the receiver (the victim) opens the attach-
ment, a malware gets installed on his/her computer. Although the next happening depends on what has
been installed, the results can be catastrophic. Scammers can purchase malware viruses online at a small
price. Alternatively, scammers can purchase an entire virus pack with updates and 1-year technical sup-
port with an aordable fee. Tis activity of scammers is rampant, and at the same time more complicated
and hard to spot as time goes on. Te job search site victims would have no clue about a problem until it
was too late.
Tere are ways to avoid becoming victim to malware scams:
1. Remember never to open an E-Mail attachment from an unknown person. Everybody is a suspect
when it comes to online security and online privacy matters! Even those from friends should be
suspect unless its something you expected (their computers could have been taken over without
them knowing). Refer to Appendix C Part 1.
2. Treat every attachment as suspicious. Never open anything with a su x of .exe, .scr or .rar. Rememer
always that Trojans can be concealed in many ways, including pictures, which usually have a .jpg or .gif
su x most of them may not cause harm.
3. Make sure you have a good rewall and antivirus software. Both are crucial and vital assets in your
computer. Tey are denitely less expensive than having a bug removed.
4. It is a good idea to use a mail lter or a Spam guard. It oers you a chance to inspect your mail
before you download it onto your computer, and delete any items you do not want on your hard
drive, as well as blacklist certain E-Mail addresses. It is gratis, and a very helpful tool to get rid of
Spam and well as potential viruses. Tis is one area where being suspicious works well. Until you
Cyber security_Chapter 11.indd 727 2011-03-25 10:34:57 AM
728 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
know otherwise, assume everything is malware. If you do banking transactions online, do verify
your account transactions regularly for doubtful activity. Depending on your usage, you should
review the monthly statements from your credit cards and debit cards. You should also validate your
credit le twice a year to see if anyone has attempted opening accounts in your name.
11.7.17 Scam No. 17 The Advance Fee Fraud
Fraudsters often succeed because they are good at exploiting peoples condence or naivety. An advance-fee
fraud is a self-condence ploy in which the targeted victim is inuenced to move forward nancial funds
with the expectation of achieving a considerably bigger gain. Tus, as the name suggests, a condence
trick or condence game (also known under other terms such as bunko, con, im am, ga e, grift,
hustle, scam, scheme, swindle or bamboozle) is an attempt to defraud a person or group by gaining their
condence. In this game, the victim is called the mark. Te trickster, that is, the scammer who pulls the
trick is called variously as condence man or con man or condence trickster or con artist. Te accomplices,
involved in the game, are referred to as shills. A shill is the professional help the shill is paid to help
another person or association to sell goods or services. Te shill pretends as if he/she has no association with
the seller/group and gives onlookers the feeling that he or she is an eager customer. Shilling is an unlawful
activity in many situations and in many jurisdictions because of the repeatedly fraudulent and detrimental
nature of their actions.
People involved in the scam may be real; however, there could be impersonated people or ctitious
c haracters played by the con artist. In this scam, the fraudster looks for many kinds of victims. For example,
the victim could be the wife or son of an expelled person who has amassed considerable wealth from illicit
means; or it could be a bank employee who is aware about a wealthy person on death bed with no family
or any other close relatives; or a rich foreigner who has made a bank deposit just before being killed in a
plane crash (leaving no will or known next of kin); or it could be a soldier who by sheer luck has hit upon
a hidden cache of gold; or a business being audited by the government; or a disgruntled worker or corrupt
government o cial who has embezzled funds; or a refugee and so on. Te money could be in the form of
gold ingots, gold dust, money in a bank account, blood diamonds, a series of checques or bank drafts, and
so forth. An interesting thing to note is that typically the sums involved are usually in millions of dollars,
and the investor is promised a large share, typically 10% to 40% if they assist the scam character in retriev-
ing the money. In relation to the business of diamond trading, an interesting term blood diamond comes
into picture. It is also called a converted diamond, or conict diamond, or hot diamond, or a war
diamond. Blood diamond refers to a diamond obtained through mining in a battleeld and sold to nance
a rebellion, invading armys war eorts, or a warlords activity, usually in the African subcontinent.
Several operations are well organized in Nigeria, with o ces, temporary fax numbers, and often contacts
at government o ces. When the victim tries researching on the backdrop of the oer, he/she will end up
nding that all pieces t together. Scammers operating with advance-fee fraud often attract wealthy inves-
tors, investment groups, or other business entities into scams and the result is large losses of multi-million
dollars. However, there are also scammers who operate as part of smaller gangs who do not operate so pro-
fessionally or gangs that operate independently. Scammers, operating in such scenarios, have lesser access
to the connections mentioned above and therefore such small-time scammers may not have big success with
wealthier investors or business entities attempting to research them. However, even the small-time scammers
are able to convince middle-class individuals and small businesses, and can extract hundreds of thousands of
dollars from such victims.
If the victim agrees to the deal, the other side often sends one or more false documents bearing o cial
government stamps and seals. Often a photograph used by a scammer is not of any person involved in
Cyber security_Chapter 11.indd 728 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 729
the scheme. Multiple people involved in schemes are ctitious; the author of the WEST AFRICAN
ADVANCE FEE SCAMS article posted on the website of the Embassy of the US in Abidjan, Cte dIvoire,
believes that in many cases one person controls many ctitious personas used in scams.
How the (Advance Fraud) Scam Works?
A scammer presents a delay or nancial challenge and says that it is preventing the transaction from occur-
ring as planned. Te mails planned to present the hurdle say things such as To transmit the money, we
need to bribe a bank o cial. Need your help us for a loan. or For you to be a party to the transaction, you
must have holdings at a Nigerian bank of $100,000 or more etc. Further delays and additional costs are
indicated, with scammer assuring a forthcoming large transfer alive. Te scammer convinces the victim that
the money paid by the victims will be more than compensated by the payo. At times, the scammer may also
add psychological pressure by claiming that on his side, he had to sell o his belongings and had to borrow
money on his house to pay certain fee. Or the scammer may refer to various salary scale and living condi-
tions in the African subcontinent, comparing with the consitions in the Western world. Most of the time,
however, the psychological pressure is self-applied; once the victim provides the money toward the payo,
the victim has a vested interest in taking the deal to the nishing line! Some victims believe that they are
smart enough to fool the con artist. Tis kind of over condence on part of victims is often exploited by
the fraudsters. Tey do this by deliberately writing in an awkward and crude style so that the victim sees
them as naive. However, that is all well planned by the scammers!
Te crucial aspect of almost all advance-fee scam is that the committed money transfer never happens
because the money or gold or diamond never exists! Te scammers depend on the fact that, by the time the
victims realize this, they victim may have sent large amount of their own money. Sometimes this money can
be the large amount of money that has been taken on loan or even stolen, to the scammer via an untraceable
and/or irreversible means such as wire transfer. Tat he is cheated, dawns upon the victim often only after
being confronted by a third party who has noticed the transactions or conversation that may get recorded
and by then it is too late!
In extreme cases the victim may not realize that he/she has been defrauded. In another version of this scam
the con man claims to have the arrangements to facilitate legitimate business loans; the victim here is not per-
suaded that he is doing anything illegal. Te fraudster meets the victim, and is able to act the part of a well-
connected and experienced loan broker. He asks for payment in advance, which is normal for large loans.
Ten the loan gradually comes in and the victim may end up being cheated for a very large amount, thinking
only that the deal simply failed. It is a pity that such frauds may go unreported. Tis can happen mainly due
to two reasons: (a) either the victim does not realize he has been cheated or (b) due to unwillingness to admit
the facts. Owing to the non-disclosure clauses included in the fraudulent contract, victim may feel scared
and that would delay the scam reporting till such time that the victim is sure that he/she has been cheated.
A very common trick used by scammers is to request that payments should be made by means of a wire
transfer facility. Te reason given by the scammer usually relates to the speed at which the payment can be
received and processed, allowing quick release of the supposed payo. Te actual motive behind giving that
reason is the fact that wire transfers and similar methods of payment are unalterable, undetectable. Tis is
because identication without knowledge of the details of the transaction is often very di cult. Scammers
are clever enough to use mobile phone numbers rather than landlines which have a xed location and are
therefore traceable. A scammer may buy a low-price mobile phone or may use a pre-paid SIM card for which
it may be necessary to submit subscriber information. Tis makes it further di cult to trace the scammer.
Technology supports the scammers if they feel they are being traced, they simply throw away their mobile
phones and purchase new ones. Refer to Sections 3.2 and 3.5 in Chapter 3.
Cyber security_Chapter 11.indd 729 2011-03-25 10:34:57 AM
730 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
The Typical Methods Used in Scams
1. Fake cheques: Bogus cheques and money orders are used in many advance-fee scams, such as
auction/classied listing overpayment, lottery scams, inheritance scams, etc. Tey are also used in
almost any scam when a payment to the victim is required to gain, regain or further solidify the
victims trust and condence in the validity of the scheme. Te cheques clearing process normally
takes 710 days and may even take up to a month when dealing with foreign banks. Some amount
of time elapses between the nances appearing as available to the account holder and the cheque
clearing. Tis passage of time is known as the oat during that time, technically speaking, the
bank has oated a loan to the account holder and it is liable to be eventually covered with the money
from the bank that clears the cheque.
Te cheque given to the victim is typically faked but it is drawn on a real account with real money
in it. For example, with accounting software (such as QuickBooks) and/or pre-printed blank cheque
books with the correct bank name printed on each leaf of the cheque book, the scammer can easily
present a cheque that looks absolutely genuine. Such cheque will pass all verication tests, and may
even clear the paying account if the account information is accurate and the funds are available.
However, notwithstanding whether the cheque clears or not, it eventually becomes obvious either
to the bank or the account holder that the cheque has been forged. Tis can happen in as short a
period as 3 days after the money is available if the bank supposedly covering the cheque nds out
the cheque information is not valid. It could take several months for a business or individual to
notice the fake draft on their account. It has been seen in some cases that although the cheque
is genuine, the fraudster arranges to have a friend (or bribes an o cial to play the friend) at
the paying bank to claim it is a fake. Tis can happen even weeks or even months later when the
physical cheque comes back at the paying bank.
Notwithstanding how much time is involved, after the cashing bank is notied that the cheque is
bogus, the transaction is inverted and the money taken away from the victims account. In many
cases, this means that the victims could be in debt to their banks. Tis is because, by that time, the
victim has already sent a large portion of the cheque amount (by some non-reversible wire transfer
means) to the scammer and, since more uncollected funds have been sent than the funds otherwise
present in the victims account, an overdraft results.
2. Wire Transfer: A key element of advance-fee fraud is that the transaction from the victim to the
scammer must be untraceable and irreversible. Otherwise, the victims, once they become aware of
the scam, can successfully retrieve their money and/or alert o cials who can track the accounts used
by the scammer. Fraudsters used to nd wire transfers via Western Union as an ideal means for this
purpose. Te Western Union Company has its headquarters in the US and is an economic services
and communications company. Before it discontinued the service, Western Union was the best
known US Company in the business of exchanging telegrams.
Te wire transfer, if sent globaly, cannot be cancelled or inverted and that makes it di cult
to track the individual who receies the money. What is more, the spammer may not even need
to provide identication; they only need to know the transaction identication number and do
not need to know the answer to the secret question. Tis is the reason why a large number of
big scams involve making payment via wire transfer. Other comparable forms of irreversible of
payment are postal money orders and cashiers cheques. However, the wire transfer method is
most preferred by scammers because (a) it is the fastest method and (b) it makes the transaction
untraceable.
Cyber security_Chapter 11.indd 730 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 731
3. Anonymous Communication: Tis mode of communciation is used because the scammers operations
must be untraceable to avoid identication and because the scammer is often impersonating someone
else. Any communication between the scammer and his victim must be done through channels that
hide the scammers true identity. Te following options in particular are widely used:
Web-based E-Mail: Recall the discussion about fake mails in Chapter 2 (Box 2.7); because many
free E-Mail services do not require valid identifying information and also allow communication
with many victims in a short span of time, they are the preferred method of communication for
scammers. Some services provide the masking of sensitive information such as the senders source
IP address. Tis helps the scammer because the scammer is completely untraceable even to the
country of origin. It is possible for scammers to create multiple accounts and often they do that!
Even if E-Mail service providers are notied about scammers fraudulent activities and suspend the
account, it is a trivial matter for the scammer to simply create a new account to resume scamming.
E-Mail hijacking/friend scams: Some fraudsters hijack existing E-Mail accounts and use them
for advance-fee fraud purposes. Te fraudsters send E-Mails to associates, friends and/or family
members of the legitimate account owner with the intent of defrauding them. Tis trick
usually requires the use of Phishing or keylogger, computer viruses, etc. to glean login
information for the E-Mail address. Phishing is explained in Chapter 5 and keylogger tools
and computer viruses are explained in Chapters 2 and 4.
Fax transmissions: Facsimile machines are commonly used tools of business whenever a
client requires a hard copy of a document. Tey can also be computer generated using web
services, and can be made unnoticeable by using prepaid phones with connection to mobile
fax machines or by use of a public fax machines such as those typically found at a document
processing business. Scammers often pretend to be business entities and they use fax transmis-
sions as an unidentied form of communication. Tis method costs them more, becaue the
prepaid phone and fax machine would generally cost far more than E-Mail; however, to a
skeptical victim it presents a more authentic looking scenario.
SMS messages: Abusing SMS bulk senders such as WASPS, scammers subscribe to these services
using fraudulent registration details and paying either via cash or stolen credit card details. Tey
then send out a lot of uncalled for SMSes to victims declaring that they have won a competition
or similar event. Further, the SMS asks the victim to contact somebody to claim and collect their
trophy. Typically the details of the person to be contacted will also be an undetectable E-Mail
address or a virtual telephone number, that is, a telephone number with no phone line directly
associated. Generally, these numbers are programmed in such a way that they can be forwarded to
either a voice over IP service or to another phone line (xed or mobile). Typically, scammers send
these messages over a weekend when most of the sta in the o ce of the service providers has
taken o. Tis is a grand opportunity for scammer to abuse the services for a whole weekend.
Telecommunications Relay Services: Many scams use telephone calls to convince the victim that
the person on the other end of the deal is a real, truthful person. Te scammer, perhaps pretend-
ing to be a citizen of some other nationality, or gender, that is, faking as somebody else, would
stir up mistrust by telephoning the victim. Terefore, in such circumstances, scammers use TRS,
a relay service (federally funded) whereby an operator or a text/speech translation program serves
as the middle layer between someone using an ordinary telephone and a deaf caller using TDD
(Telephone Device for the Deaf ) or other TeleType device (see Fig. 11.65). A scammer pretend-
ing to be deaf would use a relay service. Te victim, perhaps caught up by compassion for a
physically challenged caller, might be more vulnerable to fall into the trap set by the scammer.
Cyber security_Chapter 11.indd 731 2011-03-25 10:34:57 AM
732 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Federal Communications Comission (FCC see Ref. #57, Additional Useful Web References,
Further Reading) regulations and condentiality laws require that operators relay calls verbatim, and
that they adhere to a strict code of condentiality and ethics. Terefore, no relay operator may be
able to evaluate the authority and/or legality of a relay call, and as such the operator is able to relay
it without intrusion. Tis implies that the relay operator may not notify victims, even when they
believe that the call is part of a scam. According to MCI (an American telecommunications subsid-
iary of Verizon Communications), about 1% of their IP relay calls in 2004 were used by scammers.
It is relatively easier to track phone-based relay services and therefore, scammers tend to prefer Internet
Protocol-based relay services such as IP relay, telecommunications relay service (TRS), relay serviceor
Web-based relay services. It is an operator service that helps physically challenged people (i.e., those who
are deaf, hard-of-hearing, speech-disabled, or blind) to establish communication with users of standard
telephone via a keyboard or assistive device. During their inception period, relay services were meant to
be connected through a TDD (see Figure 11.65) or other telephone device meant to assist physically
challenged people. Today, these services embrace any commonly connected device such as a personal
computer, laptop, mobile phone, PDA, etc. Tese services integrate their overseas IP address with a
router or server located within the US. At times, TRS is used to t ransmit credit card information
fraudsters use this feature to make a deceiptful purchase with credit cards they steal. In several instances,
however, it is merely a means for the fraudster to further lure the victim into the scam.
Fake websites: Typically, 419 scams (another name for Nigerian Scams they are explained later
under illustration No. 19 of this section) are often perpetrated by E-Mail alone. However, to fool
their potential victims, some scammers enhance the believability of their oer by using a fake
website. Scammers construct these websites to imitate real commercial websites (e.g., eBay, PayPal,
or say some real banking sites) for Phishing (visit Chapter 5 where Phishing is explained). Others
scammers pretent to stand for companies or institutions to make scammers operations credibile - in
reality those companies do not exist!
In most scam operations, Phishing is the secondary objective. Scammers main objective is to cheat the
victim by making the victim send the money through legal means. As a common method for this, they use web-
sites for advance-fee fraud. For example, a scammer may construct a website for a ctional bank. Next, the scam-
mer provides the login details to get the victim into that fake website. When the victim visits this bogus bank
site created by the scammer, he/she sees the money promised by the scammer credited into his/her account. So,
now the victim trusts the scammer and sends the advance payments asked for by the scammer. Fake or hijacked
websites are the focus of online scams an example of spoofed website is shown in Fig. 11.12.
Figure 11.65 | TDD device.
Cyber security_Chapter 11.indd 732 2011-03-25 10:34:57 AM
Cybercrime: Illustrations, Examples and Mini-Cases 733
Another twist to scamming comes when the links are provided to real news sites covering events claimed to
be relevant to the transaction proposed by the scammer. For instance, a scammer may use news of the death of a
prominent government o cial as a background story for a scam involving millions of dollars of the dead o cials
money out of the country. Tese are real websites with legitimate news, but the scammer is typically not associ-
ated in any way with the reported events the scammer is just piggy-backing on the story to win the sympathy of
his victim! Refer to Chapter 1, Section 1.5.9.
11.7.18 Scam No. 18 Babysitting Scams
Tese scams seem to be more common in the western countries. Tey are also known as Nanny Scams.
Tese scams are said to be another variation of the advance scam (refer to Section 11.7.17). Babysitting
scam\Nanny scam involves recruiting unsuspecting individuals for non-existent babysitting, nanny, or
au-pair employment, that is, couple to be employed.
In one variant of this scam, a potential employee may be lured by the oer of an advance. In another
form of this scam, the victim may be asked to verify pricing and ultimately purchase items for the scammers
non-existent child. At times, victims are asked to provide rsums, references, etc. to get the victim believe
that the employer is genuine and that the high remuneration oered are valid. Scammers are smart enough
to make the victim stay focussed on his/her worthiness for employment this way, scammers succeed in
making the victim diverted from thinking whether the oer itself is worthy of replying to.
Nanny scams seem to have become a common feature in the online babysitting community. If you receive
any E-Mails analogous to the examples mentioned below, be careful! Keep in mind that the names (and ages)
used in these scams are constantly changing, so pay close attention to the structure of these E-Mails rather
than the details. Also note that most such mails will typically have many misspellings and grammatical errors.
As you read on, you will see the examples provided of some typical mails received by the victim. Tese
examples show that under the pretext of the babysitting job, victims personal details are being sought!
Interestingly, in almost all the babysitting scam mails, the scammer is saying that he/she is currently not in
town but will be returning soon. As mentioned before, most of the times the scam mails happen to have lots
of misspellings and in most such mails you will nd that the grammer is also not upto mark. You will also
notice the extremely informal and slang language used.
Note that in most of the babysitting scam mails, tempting offers are made, that is, accomodation,
transportation for the candidate, etc. Also, in almost all such scam mails, the language sounds very
informal, extra sweet and extra friendly; naturally because the scammer wants to lure the victim!
-----------------------------Typical Babysitting Scam E-Mail Example 1----------------------------
My name is Mrs. Ashleen Joseph. My husband Philip is a Captain of a cruise ship and I have a daughter whose
name is Anabella. Currently, we are on my husbands ship on a holiday and will not be back untill about two or
three weeks time. We live in a large apartment and I require a babbysitter who would also help me out taking
care of grocery purchases. We are OK to pay $18 per hour. Can you tell us for how many hours you would be
available. We can provide a Toyata Camry for you to take care of transportation problems.
I would like to know the following about you to consider you for this job:
1) What academic qualications do you possess?
2) Do you have any good certicate to support your prior babysitting/Nanny experience?
3) How old are you?
Cyber security_Chapter 11.indd 733 2011-03-25 10:34:58 AM
734 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
4) Are you married?
5) Do you have any special aptitude?
6) Do you have any crime records?
7) Do you have a valid drivers license?
8) Tell us more about your temperament.
9) Can we have one or two reference(s) from you?
10) Can you handle nances if you are given a task to carry out?
11) Will your husband/boyfriend/parent support you taking up this job?
Let me know if you will available for the work oer.
Tanks and have a nice day
Mrs Joseph
-----------------------------Typical Babysitting Scam E-Mail Example 2----------------------------
Trust all is well with u. Tank you for your response to my add. Hope you are had a great weekend. Let me
start by intorducing myself.
My name is Roberto Ferdinand, I am 30 years old and i am a single parent, I lost my wife about 2 months ago
like i said in my add in the babysitter site, I have a son named Iyke and he is a year old. My Mom looks after
Iyke in London, UK where she stays and she will be away on an apointment for a long time thats why i need a
baby sitter between these periods, As i am bringing Iyke back with me, I have gone through your, Prole and
resume and I think you are perfect for sitting Iyke, Also what are your rates? I would like you to work from
Monday-Friday either in the mornings or evenings. In the Mornings From 8.30 am-6 pm or in the evenings
from 6 till 10. Working on wekends is not compulstory so if you choose to work on Weekends you are to start
by 10 am till 5pm. I can pay $15/hour If the times are okay by you do let me know if they are not do let me
know a favourable working time by you, So we can work something out. So do let me know what your charges
are so we can proceede, I want you to start working asap okay. I live at 6562 Barnett St NE Atlanta GA 30306
I am away on a work assignment and i would return in 2/3 days. I would like to hear from you shortly. Heres
my telefone number also its a satelite telephone so you can call me anytime 0112348028297715. You should
have an international dialing acess or you can use a calling card I would like you to start soon, So please
i would be expecting to get a message from you shortly.
So we can start of asap Tank you and see you soon. Do have a great day and stay blessed.
Roberto
-----------------------------Typical Babysitting Scam E-Mail Example 3---------------------------
Hello,
My name is Mrs. Rose Smith wife to Captain John Smith. I am currently away on holiday with my phamily
and expected back in a months time. I have a cute 18-month-old girl called Kathy who i need to be looked
after when we come back from our vacation. I would like to have things in order so that you could start up
immediately; we arrive because her former nanny will not be available again.
You will be asked to work within the hours of 9am-4pm on Monday, Tuesday and Tursday and sometimes
on weekends as well. If you are in to take care of my child i will arrange a car for your use, your private room
if you wish to stay or spend the night.
Let me tell you a bit about us, I run a fashion outt back home and my hubby is the captain of a cruiser ship
which enables us to travel to dierent continents on vacations, we live a very simple life and we have a big
Cyber security_Chapter 11.indd 734 2011-03-25 10:34:58 AM
Cybercrime: Illustrations, Examples and Mini-Cases 735
apartment, though its just three of us in the house, hope you can join us on a trip someday as our last nanny
did, we are willing to pay $100(one hundred dollars) upfront (non-refundable in case we change our mind)
to show you how serious we need you.
Please get back to us with your resume and references o.k., (your house address and your telephone number
inclusive). Illl be expecting your response please do have a lovely day.
Please get back to me.
Mrs. Smith
-----------------------------Typical Babysitting Scam E-Mail Example 4----------------------------
Hello nanny/babysitter, my name is sarah tina martins. I am located In london. I have 2 kids,a male and a
female and their ages are 2 and 4yrs old. I am shifting my residence for good to New Jersey because there
I have my family business and it is really doing good over there and my arrival date is may 18. After a discus-
sion with my people about proper care-taking arrangement for my children, because I am separated from my
spouse, So Ive nally decided to search for a good and responsible nanny/babysitter. Below are the oers.
We will be oering weekly,
1) Monday through Friday, from 11.30am-5:00pm.
And the weekly pay: $960.
I will take care of your transportation which in addition to the weekly salary I will provide you irrespective
of the distance you will travel to come to work with us. Please let me know the total trvelling expenses on
a weekly basis from your place to our residence if you like to live out and furnish me with the expenses so
we include it in your basic weekly salary. We are searching for good well mannered candidates with good
attitudes, neatness and good respect for family relationship. If you interesr in this oer, please give answers
all the questions below so i can have some idea how your personality is:
1) What academic qualications do you have?
2) Do you have any related certicate to back up your babysitting/Nanny experience in the past?
3) How old are you?
4) Are you single or married?
5) Do you have any special skills that we can use in our house apart from baby-sitting work?
6) Were you involved in any legal oence in the past civil or criminal?
7) Breiy describe your temperament.
8) Can we have a couple of work eference(s) from people you worked for in the past?
9) Is your husband/boyfriend/parent in support of you doing this job?
Let me know if you will available for the work oer. If you have anything to ask regards this oer, b free to
call us. i await a response at your earliest convenience.
-----------------------------Typical Babysitting Scam E-Mail Example 5----------------------------
How are you today, i am Mrs alice cage, i and my 2 children ( they are twin - a girl and a boy) they are 2 years
old and I will be moving to the STATES(Florida) from France. I will be in the state in a couple of Weeks
from now and for the next one(1)years during my o cial work appointment. I am coming with my 2 kids,
and i need a lady to look after them, because there is nobody to be with them. so if available Kindly contact
me ASAP, so we could make arrangement accordinlgy, will be waiting to read from you soon
Regards
Mrs. Cage
Cyber security_Chapter 11.indd 735 2011-03-25 10:34:58 AM
736 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Note how informal and ill-formed the language used is it does not sound like formal communica-
tion from a person who is looking for engaging a professional help!
-----------------------------Typical Babysitting Scam E-Mail Example 6-----------------------------
Hell Babyseatter,
I m Katherine George I make lms and also I co-ordinate with artists. Currently I m in Australia shooting
for lm project. I will return back to the states soon for another o cial assignment with other lm director
with my 3 years old daughter name Verona. I need a babyseatter. She is a good girl, she went with her father
to Benin Republic when I m on work here in Australia.
My husband is very busy now and my Verona has to be with us in visiting the US with me. I think you will
like my child because she is very lively, friendly and intelligent and will give you no trouble. I want to stay
in US for at least 2/3 more months. During this time Verona should be with some babyseatter) from 9am to
4pm when im o to work. Ill pick her up. Let me know if you are interest and dont forger to write to me
about how much you want to be paid for this job and also about are for the duration at which you would be
babyseatting her. Hope to read from you soon.
Have a hapy day
Carolina
Note that here the scammer forgot what name she/he started with! Notice also the grammatical
errors, spelling mistakes, the too friendly and extra sweet language in all the scam mails quoted and
also the being away pretext used.
-----------------------------Typical Babysitting Scam E-Mail Example 7-----------------------------
Good Day, I got your info at sittercity.com I am Pamela, I work as an Interior Decorator, I am 28 years old,
i lost my Husband 2 months after i gave birth to this child. I have an assignment which i need to complete
it involves decorating of o ce and hotel for my client and i have a 6 months old baby boy. His name is
Richard, i will be living for my assignment soon as i see someone to look after the boy, till i return. Contact
to me with the full details about how you give service out to customer like me. What do you want to know
from me about my child? Looking to read from you. My E-mail address: bhush006@gmail.com Have a
lovely day. Pamela
Note the sympathy wave being created in the mind of the victim and again the being busy,
being away, having lost the spouse, etc.
-----------------------------Typical Babysitting Scam E-Mail Example 8---------------------------
My name is Mrs Jossy mark spouse to Captain Leonard mark who work on board the Royal carribean cruis-
ing company. We are located in California for now. Currently I am on holidays with family and I return
in one months time. I have a cute 2-year-old boy called Daniel who I need to be looked after till we come
Cyber security_Chapter 11.indd 736 2011-03-25 10:34:58 AM
Cybercrime: Illustrations, Examples and Mini-Cases 737
back from our vacation. I wish to put things in order so that you could start as soon as we arrive because her
previosu baby sitter will not be coming again.
You will need to work within the hours of 8am-4pm on Monday, Tuesday and thursday and also sometimes
on Saturdays and Sundays as well. If you want to look after my child I will make arrangements to provide
you with a car when you commute to and fro our home. I can also give you separate room because you may
need to spend the night when I am away for longer days.
Let me tell little about us, I own small shop back home and my husband is the captain in air cruising
company which enables us to be in many continents on vacations, we have very simple life and we have
a large apartment with 8/10 rooms although its just three of us in there, hope you can join us on a trip
someday likeour past nanny did,we are willing to pay $150(one hundred and fty US dollars) upfront (non-
refundable in case we change our mind) to show you how badly we need you.
Please contact us with your biodate, previous work references, telephone number and address o.k, Ill be
wanting your reply please do have a lovely day.
Mr/Mrs jossy mark.
Note again, here too there is the ship scenario, tempting offers like car, accomodation, etc. to
lure the victim. The characteristic spelling errors are also there!
------------------------------Typical Babysitting Scam E-Mail Example 9--------------------------
MY NAME IS SARA BRIGHT. I WANT U AS A BABY SEATTER AND AM GLAD YOUR INTEREST
IN THIS TOO. MY DAUGHTERS NAME IS JENINIFER. I WOULUD LIKE U TO LOOK AFTER
HER WHILE I GO TO WORK IN FAR LOCATION. I WAS STAYING IN WEST AFRICA, BUT
NOW THERE IS CHANGE AND I AM COMING TO YOUR LOCATION BECAUSE I WOULD
HAVE A CONTRACT WITH LESSLEY MIKE THERE. I WORK AS FASHION MODEL AND THE
CONTRACT WILL BE FOR 6 WEEKS PERHAPS EVEN FOR TWO MONTHS. I WANT YOU TO
LOOK AFTER MY DAUGHTER WHILE I WORK AWAY. I GO TO WORK 10 AM AND I GET
BACK 4 PM BUT SOME DAYS EVEN MORE LATE. I WILL LIKE TO CONFIRM IF YOU WILL
LOOK AFTER JENNIFER ER IN YOUR DAY CARE CENTRE OR THE HOTEL ROOM WHERE I
WILL BE LODGING, I AM OK WITH EITHER WAYS. MY DAUGHTER IS 3 YEARS OLD, I WILL
SEND YOU SOME PIX OF ME AND HER AS SOON AS WE CONSIDER THIS A DEAL I ASSURE
YOU HOW MUCH YOU WILL LIKE MY DAUGHER. HOW MUCH WILL TAKE TO BABY SIT
JENINIFER FOR 4/5 WEEKS AND THE TIME I NEED YOUR SERVICE FOR IS 9 AM TO 4 PM.
WRITE TO ME WITH THE AMOUNT AND I WILL BE HAPPY TO MAKE THE PAYMENT IN
ADVANCE TO SHOW YOU HOW URGENTLY I NEED YOUR SERVICE.
SARA
----------------------------Typical Babysitting Scam E-Mail Example 10--------------------------
Hello,
How are you doing today??? I seen your advert on a nanny site and though I ask you if you were avial-
able, my name is PAUL WALTERS, i have an adopted daughter her name is Leena she is 2yrs we both
are out of the country for a family reunion, and i really need a sitter for Leena when we come back
home okay,
Cyber security_Chapter 11.indd 737 2011-03-25 10:34:58 AM
738 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Please do tell me how soon you are avialable, and if so do send me your biodate and some work references
to my personal mailbox at
EMAIL: paulwalters_06@gmail.com.
I looking to your response please do have a nice day.
Warm Regards
Mr Paul Walters
11.7.19 Scam No. 19 Nigerian 419 Scam
Tis scam has got this name because of the Nigerian Criminal Law has a section number that applies to it.
You have read about the advance fee fraud scheme described earlier (Scam No. 17 in Section 11.7.17).
You will realize that the mentioned scams are similar in nature. A typical example of the infamous Nigerian
Scam, (also known as) 419 Scam is as follows:
DEAR SIR,
AT THE OUTSET I MUST FIRST ASK FOR YOUR ASSURANCE IN THIS MATTER; THIS IS DUE TO ITS NATURE. THIS
MATTER IS EXTREMELY SENSITIVE AND TOP SECRET THOUGH WE KNOW THAT A TRANSACTION OF THIS
SIZE WILL MAKE SOMEONE NERVOUS AND AT THE SAME TIME ELATED BUT WE ARE TELLING YOU THAT
ALL WILL BE ALL OK BY END OF THE DAY. WE ARE DETERMINED TO CONTACT YOU BECAUSE THERE IS
SOME EXIGENCY IN THIS TRANSACTION AS WE HAVE BEEN CONVINCED ABOUT YOUR DISCRETNESS
AND CAPABILITY TO WORK WITH SUCH TYPE OF TRANSACTIONS.
LET ME FIRST INTRODUCE MYSELF FULLY. I AM MR. MOHAMED ABBAS WORKING AS CREDIT OFFFICER WITH
THE UNION BANK OF NIGERIA PLC (UBA) I AM AT THEIR BENIN BRANCH, I GOT INFORMATION ABOUT
YOU WHILE I WAS LOOKING FOR A DEPENDABLE AND HIGHLY REGARDED INDIVIDUAL TO TAKE CARE OF
THIS HIGHLY TOP PRIORITY AND CRUCIAL TRANSACTION. THE WORK IS CONCERNED WITH TRANSFERING
LARGE SUM OF MONEY TO AN OVERSEAS BANK ACCOUNT AND THAT IS WHY THIS TRANSACTION IS TO
BE UNDERTAKEN WITH DUE CARE.
HERE IS THE OFFER:
A FOREIGNER AND AN AMERICAN, LATE BENINGGR JOHN DUKE (SNR) A DIAMOND MERCHANT WITH
THE FEDERAL GOVERNMENT OF NIGERIA, UNTIL HIS UNFORTUNATE DEATH FEW MONTHS AGO IN KENYA
AIRWAYS PLANE (AIRBUS A3K-300) FLIGHT KQ430 BANKED WITH US AT UNION BANK OF NIGERIA PLC
BENIN AND HAD A CLOSING BALANCE AS AT THE END OF MARCH 2001 WORTH $36,662,000 USD, THE
BANK NOW EXPECTING A NEXT OF RELATIVES AS THE HEIR. THIS BANK HAS PUT IN LOT OF EFFORT TO
CONTACT ANY OF THE DUKES RELATION OR FAMILY BUT THE BANK HAS NOT GOT ANY RESPONSE SO
FAR. WE BELIEVE THAT THIS IS HAPPENING DUE TO THE ALLEGED PROBABILITY OF FEWER CHANCES
TO LOCATE ANY OF BENINGGR JOHN DUKE (SNR) NEXT OF KIN (AS PER OUR RECORDS HE WAS NOT
MARRIED NOR HAD ANY CHILDREN FROM HIS AFFAIRS WITH WOMEN).
THE MANAGEMENT IS BEING PRESSURIZED BY OUR CHAIRMAN AND BOARD MEMBERS AS WELL THE
DIRECTORS OF OUR BANK. THE BANK HAS MADE ARRANGEMENTS FOR THE FUNDS TO BE DECLARED
UNCLAIMED AND IF NO CLAIM COMES IN SOON, THE BANK WILL DONATE THE FUNDS TO THE ARMS &
ARMUNITION TRUST FUNDS AND IT IS FEARED THAT THIS MAY TRIGGER A WAR IN AFRICA AND THE WORLD
IN GENERAL.
IN OTHER TO AVOID THIS NEGATIVE CONSEQUENCE SOME OF MY TRUSTWORTHY COLLEAGUES AND I
NOW REQUEST YOUR PERMISSION TO HAVE YOU STAND AS THE NEXT OF FAMILY CONNECTION TO THE
LATE BENINGGR JOHN DUKE (SNR) SO THAT THE MONEY WILL BE MADE FREE TO BE PAID INTO YOUR
BANK ACCOUNT AS THE RECEIVER AS THE KIN, ALL DOCUMENT AND PROOFS TO ENABLE YOU GET THIS
FUNDS WILL BE CAREFULLY HANDLED. OUR BANK MAKES IT MANDATORY FOR US TO OFFICIALY DECLARE
THE RECIPIENT OF THIS LARGE FUND AT THE EARLIESTPOSSIBLE. THAT IS THE REASON YOU ARE SEEING THIS
MAIL. WE ASSURE YOU THAT YOU THAT THERE IS NO RISK INVOLVED IN THIS.
Cyber security_Chapter 11.indd 738 2011-03-25 10:34:58 AM
Cybercrime: Illustrations, Examples and Mini-Cases 739
Tis method of deceit has been in existence through regular postal mail for more than 20 years. Now it is
even more rampant due to the advent of the Internet and (free) E-Mail. Recall that it is possible to create
E-Mails from fake E-Mail accounts as explained in Chapter 2 (Box 2.7). Over the last few years, literally
thousands of people have received countless E-Mails like the one above. With respect to the sample scam text
mentioned above, read what follows.
Te nature and exact text of the preposition varies from letter to letter, as well as the purported author.
Even then, there are a number of features common to most (but not all) that instantly identify them as 419
scams/Nigerian scams:
1. Often, but not always, the scam mails are written with ALL CAPS, as shown in the example. Te joke
in circulation is that there must be an epidemic of keyboards with broken Caps Lock keys in Nigeria!
2. As in this example, the mail/message or letter is characterized with bad syntax, malapropisms and
misspellings not expected of a writer who claims to be in high ranks, for example, a bank manager
or oil industry executive, etc. One should indeed nd this suspicious given that Nigeria and several
other West African nations have English as their o cial language.
3. Interestingly, in most instances of this scam, E-Mails seem to originate from an African country
and/or individual, usually Nigeria although there have been examples of such scams allegedly from
Senegal, Ivory Coast, Togo, Ghana, Liberia, Angola, Chad and South Africa as well. Asian and
Eastern European countries too are not lagging!
4. Almost always the scam communication mentions about large amounts of funds millions of
Dollars and it also mentions about those funds being trapped or frozen for a variety of ostensible
reasons: double-invoiced oil, and unclaimed accounts belonging to victims of African air disasters or
other (alleged) deceased persons are among the most frequently seen versions.
5. Tey will typically make an oer to you, as the beneciary, a hefty portion of these funds as a
commission or reward saying that all you have to do is to send them your bank account
numbers. Tey will also cleverly indicate that the more such account information you send, the
quicker your share of the proceeds will start coming into your account. Te message will also indi-
ate that your fast response will help them transfer and release the funds from the clutches of the
i nexperienced administrators, greedy bureaucrats, etc.
6. In most cases, they please you to act immediately giving some convincing reason or the other to
make you swing into action. Tey often refer to some sort of statute of limitations or other legal
constraint that is about to run out of time and they also say that they will send back the funds to the
government or other entity that would undoubtedly use them for undesirable purposes.
AS SOON AS YOU SEND ACKNOWLEDGEMENT TO CONFIRM THE RECEIPT OF THIS NOTE AND IN
ACCEPTANCE OF THIS JOINT BUSINESS PROPOSAL WE SHALL INFORM YOU ABOUT THE MODALITIES
INVOLVED AND PAYMENT RATIO TO SUIT BOTH PARTIES WITH FULL CLARITY.
IF YOU ACCEPT THIS PROPOSAL DO NOT TAKE DUE ADVANTAGE OF THE TRUST PLACED IN YOU.
KINDLY SEND YOUR REPLY IMMEDIATELY WITH THE E-Mail ADDRESS PROVIDING US WITH YOUR MOST
CONFIDENTIAL TELPHONE; FAX NUMBER AND YOUR EXCLUSIVE BANK ACCOUNT PARTICULARS SO THAT
WE CAN USE THIS INFORMATION TO APPLY FOR RELEASING THE FUNDS INTO YOUR ACCOUNT IN YOUR
FAVOUR.
THANKS IN ADVANCE IN ANTICIPATION OF YOUR KIND CO-OPERATION
BEST REGARDS
MR MOHAMED ABBAS
Cyber security_Chapter 11.indd 739 2011-03-25 10:34:58 AM
740 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
In a way, this scam is similar to the advance-fee scam; there is one point in common the targeted person
is led to believe that he or she has a chance to attain something of very great personal value (nancial reward,
a romantic relationship, etc.) in return for a small up-front monetary outlay. If you ever receive one of these
E-Mails and think that the Nigerian Scam has hit you, you should just ignore it and not take any action
that the scam would be asking you to. Recall Example 25 in Section 11.2.25 this is a real-life example of
Nigerian scam rackets busted by Pune Police in October 2010.
11.7.20 Scam No. 20 Craigslist Scams
Craigslist is the idea that was conceived by Craig Newmark and has become one of the most popular sites
on the Internet. Craigslist started in 1995 at San Francisco it is possibly the denitive site for condential
program. Posted here are advertisements for employment opportunities, personal ads, and advertisements
for cars, sale of pets, home supplies and a large number of other options. Te website is created for various
communities. Today there are 450 cities and countries throughout the world where Craigslist oers sites.
A worth over 10 million US dollars (US$) is attached to Craigslist according to business experts.
Unfortunately, this online classieds website has been plagued with scammers using advance-fee fraud
and similar techniques, usually involving fake cheques, to con people of their money. If you are selling any-
thing under $1,000 on Craigslist or eBay that cannot be shipped, or if you are renting a room (remember
the rental scam described earlier) you are at high risk of a fake cashiers cheque scam on Craigslist. Tese
s cammers are in search of low priced auctions, low sales prices and rental services because they have printed
out bogus cheques. Teir objective is to send you the bogus cheque for more than your original price or
original rent, and have you give them back the extra real cash.
Occasionally, there are fraudsters who contact an individual interested in buying or selling things on
Craigslist the fraudsters then try to pull o the exact same scam. Many of the Nigerian 419 scam features
(see the previous illustrations) are used regularly on Craigslist. Tis includes persons conducting transactions
from another country, sending bank cheques that look believable, sending money that is excess over what is
owed, and requesting that money be sent back to the scammer through wire transfer.
Lately, there is another advance-fee technique that has been used on Craigslist. In this method, fraud-
ster will contact for the sale of an item and will ask the seller to despatch the item to a location to another
country. Te seller then despatches the item and furnishes the tracking number. However, the scammer
never pays! At times the scammer will use someone who is oering an accomodation for rent and will
pose as someone migrating from another country. Te fraudster will create a situation in which it looks
like there is a dire need to have the accomodation in advance. Te fraudster also asks if it is possible to get
the occupancy with some deposit money paid. Te deposit cheque sent by the fraudster will be a bogus
cheque; however, the amount written on that cheque will be far more than the deposit amount asked for
by the seller. When the cheque is received by the seller (the target victim), the fraudster will ask for the
excess amount to be refunded. Te fake cheque will bounce and the victim will lose the amount he/she
refunded to the scammer!
Tere is a related con that takes place on the rental model, particularly in the UK the scammer places an
advertisement on a classieds website such as Craigslist or Gumtree pretending to seek an accomodation
on rent. Te scammer mentions an incredible depiction using photgraphs borrowed from other advertise-
ments or other websites. Te victim gets in touch with the scammer to get a viewing. However, the scammer
tells the victim that to do so, the victim must go to a Western Union outlet, must transfer money to a relative
to cover the amount of the deposit and must also furnish a scanned copy of the receipt in support of the
money transfer made. Supposedly, this is to conrm that the victim has enough money to cover the deposit
Cyber security_Chapter 11.indd 740 2011-03-25 10:34:58 AM
Cybercrime: Illustrations, Examples and Mini-Cases 741
before they view the accomodatoin. Te fraudster also tells the victim that he/she will get the money back
after the viewing. In reality, however, the place oered for accomodatoin may or may not exist, and the
receipt allows the scammer to have the funds with no viewing ever taking place.
Again, the scammer sends a rental application, or asks for some details that are typically mentioned on a
rental application form, such as drivers license number, bank account information, Social Security Number
or its equivalent, etc. Recall what was mentioned in Section 11.7.14 Rental Scams. Below are some tips
to note about a Craigslist scam mail:
1. When you do a posting on Craigslist you will get lots of E-Mails. You can spot a Craigslist scam
because it has the poor wording in the E-Mail. Most of the Craigslist scams come from another
country where English is not the native language. Many mails may just be the result cutting and
pasting E-Mails together!
2. Craigslist scams typically have the long-wound, that is verbose text in the E-Mail. Typically
scammers mention lots of unrelated details, that is, they mention things that have nothing to do
with what they are dealing with (remember the style of writing seen in the examples for Babysitting/
Nanny Scam E-Mails). Scammers typically write long rambling sentences about their so-called
family problem to gain sympathy from their victims, or it could be verbose text about the urgency
of getting the transaction done, or they may tell you in a long-wound way that they know you are
a good person deep down. Most of the time, there is no need to go that far the wordy text in the
mail is the tale-tale sign of a Craiglist scam!
3. Te next step to spot a Craigslist scam is characterized by the mention of religion and a huge
amount of compliments or apologies for bothering you. Somehow they believe that if they say sorry
with words sounding sincere or if they keep on mentioning about religion, they will either ba e
you or will make you comfortable. Typical Craigslist scammers will use owery langugage in their
communication with lots of religious notations thrown in.
4. Another trademark and a good way to spot a Craigslist scam is the payment by cheque or money
order. Tere is always some reason because of which they cannot meet you and send you a cheque.
Another one is that they have already sent you the cheque and entered a wrong amount. Regardless
of how this Craigslist scam appears, the outcome is the same, the cheque is not good!
5. If there is a mention in the mail about some oer to pay you for your problem, it is a way to guess
that it is a Craigslist scam. Te trick used by scammers is to make you feel that because they are
bothering you so much, they oering you something to compensate for your trouble. Only problem
is the cheque, money order or any other method they come up with is always bad and you will wind
up loosing your money.
11.7.21 Scam No. 21 Pyramid Scheme Scams and
Ponzi Scheme Scams
Tey can also be called as pyramid scheme frauds. Te way fraudsters in this team operate is in the struc-
ture of a pyramid. A pyramid scheme is considered to be a non-sustainable business model it involves
making payment promises to participants mainly for getting other people into the scheme. Any real invest-
ment or sale of products/services to customers/consumers is not intended. Basically, pyramid schemes are a
form of fraud. Many countries have banned pyramid structures. Although these kinds of schemes have been
around for a very long time, some people have a view that multi-level marketing which has been legalized is
nothing but a pyramid scheme.
Cyber security_Chapter 11.indd 741 2011-03-25 10:34:58 AM
742 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
A successful pyramid scheme uses a fake but seemingly believable business with a easy-to-understand yet
advanced-sounding money-making method which is used for prot. Te basic concept is that Person A
makes only one payment. To start earning, Person A has to get in the chain like others who will also make
one payment each. Person A gets paid out of receipts from those new recruits. Tis way, they go on to recruit
others. As each new recruit makes a payment, Person A gets his share. As the business expands, he is prom-
ised increasingly greater benets.
Te concern is that businesses based on pyramid structure hardly involve actual sales of real products
or services with an attached monetary value. To make themselves credible, fraudsters, operating pyramid
chains, equip themselves well with fake referrals, testimonials and information. Te problem is that
there is no end benet. Te monetary benets only travel up the chain. Only the originator (referred
to as the pharaoh) and a very few at the top levels of the pyramid make huge amounts of money.
Te amounts become less and less down the pyramid structure. Tere is nothing for the individuals at
the bottom of the pyramid these are the people who joined into the pyramid structure, but were not
able to get in more members.
A Ponzi scheme is a similar fraud. Charles Ponzi was not the actual mastermind in its inception.
However, his operation amassed so much money that throughout the US it came to be known as the Ponzi
scheme. A Ponzi scheme is also a fraudulent investment operation. It pays returns to separate investors
either paid from their own money or from the money paid by subsequent investigators. Te payments are
not made from actual prot made.
Basically, a Ponzi scheme is an operation with fraudulent investment. It is a procedure that pays prots
to stakeholders from their own funds or money paid by later investors, rather than from any actual revenue
made. Te Ponzi scheme usually attracts new investors by oering higher returns as compared with other
investments. Te benets are promised in the form of short-term returns that are either exceptionally high
or unbelievably consistent. Te continuity of the returns promised by a Ponzi scheme and its loud/aggressive
promotion is what attracts people (who later turn out to be unfortunate victims!). Fraudsters involved with
this scheme cleverly create a perception of ever-increasing ow of money to those who are targeted to be
hooked in or already hooked in.
Example 25 in Section 11.2.25 shows how gullible people can be! Let us take this imaginary example.
Suppose, an advertisement promises amazing returns on an investment for example, 30% on a 45-day
contract. Usually, the motive is usually to cheat ordinary people who do not have deep knowledge of nance
or nancial jargon. Verbal constructions that sound impressive but are actually meaningless will be used to
impress potential investors: watch for words such as high return investment, make money in short time
without investing, opportunity for oshore investment, etc.
Initially, without any monetary benet or objective, or prior information about the investment, only
a few investors are attracted to be roped in - usually this is done only for small amounts. About a month
later, the investor receives the original capital along with the 30% return. At this point, the investor
will have more incentive to invest additional money. As word-of-mouth publicity starts growing, other
investors would also like to cash the opportunity and they communicate their intentions to participate.
Tis results in a snowballing eect based on the promise of returns that are too high to imagine. However,
the return to the early investors is being paid out of the fund contributed by new entrants and not from
the prots made.
One reason that makes Ponzi scheme work so well initially lies in the re-investment that happens initially.
Te rst few investors, who actually get paid the huge returns, tend to reinvest their money in the scheme,
in the hope of earning more. Tis way, the fraudsters who are running the scheme do not actually need to
pay far too much net amount. All they need to do is send nancial statements to investors to show them the
amount earned by keeping the money. In this manner, fraudsters are able to maintain the perception that the
scheme is successfully operating with high returns and they continue the deception.
Cyber security_Chapter 11.indd 742 2011-03-25 10:34:58 AM
Cybercrime: Illustrations, Examples and Mini-Cases 743
|
FURT HER READI NG
Additional Useful Web References
1. For readers who are not savvy with cyber security
terms and/or for readers who have not been to
previous chapters of this book, can visit: http://
www.utexas.edu/its/glossary/secure (13 July
2010).
2. Visit the following URL to understand the
dierence between a security professional and
a hacker: http://elamb.org/hacker-vs-security-
professional/
3. An informative document on International
Financial Scams Internet Dating, Inheritance,
Work Permits, Overpayment, and Money-
Laundering can be found at: http://travel.state.
gov/pdf/international_ nancial_scams_brochure.
pdf (6 July 2010).
4. In reference to Example 1 in Section 11.2.1
(O cial Website of Maharastra Government
Hacked ), visit: http://tech2.in.com/india/news/
websites/maharashtra-gvernment-website-
hacked/16611/0 (3 June 2010).
http://www.thinkdigit.com/forum/ technology-
news/68555-hacked-maharashtra-government-
website.html (4 January 2011).
http: //www. marathikatta. com/Infotech/
Maharashtra_government_website_hacked/
http://www.thinkdigit.com/forum/technology-
news/68555-hacked-maharashtra-government-
website.html (4 January 2011).
http://www.dnaindia.com/mumbai/report_
us-still-to-probe-2007-hacking-of-maharashtra-
website_1378301 (4 January 2011).
http://www.expressindia.com/latest-news/
state-govt-website-hacked-into/218348/
(3 June 2010).
5. In reference to Example 21 in Section 11.2.21,
there are following links about professional
hacking conferences:
http://www.google.com/Top/Computers/
Hacking/Conventions/ (31 July 2010).
ht t p: / / www. c hi c a g oc on. c om/ 2009s /
conference.html (31 July 2010).
ht t p: / / www. c omput e r wor l d. c om. a u/
article/43697/hacker_conferences_highlight_
security_dangers/ (31 July 2010).
Refer to website that claim to teach you how to
hack like a Pro!:
ht t p: //www. makeuseof. com/t ag/t op-5-
websites-to-learn-how-to-hack-like-a-pro/
(3 August 2010).
To know more about the ethical hacker net-
work, visit: http://www.ethicalhacker.net/index.
php?option=com_smf&Itemid=&topic=1277.
msg4492 (3 August 2010).
6. Te Internet Teft Case of retired Col.
J.S. Bajwa was published by Te Hindu; it
can be accessed at: http://www.hindu.
com/2000/06/01/stories/0201000e.htm (15
December 2009).
7. Te New York Times Company v. Sullivan Case is
described in the following links:
http://www.legalservicesindia.com/articles/
defcy.htm (10 December 2009).
http://en.wikipedia.org/wiki/New_York_
Times_Co._v._Sullivan (15 December 2009).
8. In reference to Mini-Case 6 in Section 11.3.6
Te Indian Case of Online Gambling, the
following links can be visited regarding the
Hawala Transactions and Money
Laundering:
http://www.interpol.int/Public/FinancialCrime/
MoneyLaundering/hawala/default.asp (1 August
2010).
http: //www. howtovani sh. com/2009/09/
modern-hawala/ (1 August 2010)
9. In reference to Mini-Case 9 in Section 11.3.9
Malicious Hacking Case Organ Donation
Database Deleted, you can refer to the following
link:
http://www.scmagazineus.com/insider-threats/
topic/90/ (1 August 2010).
10. With reference to Mini-Case 16 State of Tamil
Nadu vs. Suhas Katti, readers can visit the
following link:
http://indiacyberlab.in/cyberlaws/cyber-crime-
conviction.htm (14 June 2010).
11. Te Movie Piracy example has been reported in
the following link:
www.usdoj.gov/usao/cac (1 December 2009).
Cyber security_Chapter 11.indd 743 2011-03-25 10:34:58 AM
744 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
12. Te Job Racket exposed case (mentioned in
Example 7) is reported by the Indian Express
and is posted at:
http://www.indianexpress.com/story-print/
548207/ (16 December 2009).
13. A press release on Man Sentenced in Computer
Fraud Oense may be found on the website of
the US Attorneys O ce for the Southern
District of Florida at: http://www.usdoj.gov/
usao/s (17 December 2010).
14. Te source for the FBI Case for Website Attack is:
http://www.cybercrime.gov (17 December 2010).
15. Te source for Chinese Trade Secret Stealing case
is: http://www.usdoj.gov/usao/nj/press/index.
html (20 December 2010).
16. For the infamous Heartland Payment Systems
Fraud, more information can be found by
accessing the documents in the following links:
Te following link explained how the fraud took
place: http://www.presidiobank.com/home/
fiFiles/static/documents/HeartlandPayment
SystemsInformation.pdf (7 March 2010).
Te following link describes the decision taken
by the US District Court District of New Jersey:
http://www.huntonles.com/les/webupload/
PrivacyLaw_Heartland_Decision.pdf (7 March
2010).
17. Read article BCBS Data Breach about Patients
condential information stolen at:
http://www.healthleadersmedia.com/content/
TEC-244935/Security-Breach-Puts-500000-
BlueCross-Members-Data-at-Risk (8 March
2010). Tis should be understood in the con-
text of the HIPAAs Privacy Rule.
18. Te article ICICI Bank case of Compensation to
the NRI Customer, due to Phishing Attack can be
accessed at:
http://economictimes.indiatimes.com/news/news-
by-industry/banking/finance/banking/ICICI-
Bank-told-to-pay-Rs-13-lakh-to-NRI-customer/
articleshow/5798944.cms (15 April 2010).
19. MySpace Suicide Case is reported at: http://www.
nytimes.com/2008/11/27/us/27myspace.html?_
r=1&ref=todayspaper (22 January 2010).
20. In reference to Example 19 in Section 11.2.19
Game Source Code Stolen!, you can visit the
following links:
http://www.gameguru.in/pc/2007/30/lineage-
iii-software-code-stolen/ (22 June 2010).
http://www.1up.com/do/newsStory?cId=
3159077 (30 June 2010).
21. In reference to fraud examples described in
Example 19, visit the following links:
Microsoft Online Safety Tips are available at:
http://www.microsoft.com/protect/fraud/
phishing/feefraud.aspx (19 May 2010). Here
guidance to safeguard against scams promising
money, gift and prize is provided.
Types of fraudulent acts are described at: http://
en. wikipedia.org/wiki/Fraud (19 May 2010).
22. One more link to FBIs crime-related reports
and publications is: http://www.fbi.gov/publi-
cations.htm (1 July 2010).
23. In reference to Illustration 7 of Section 11.4.3
about Facebook Beacon, you can visit: http://
en.wikipedia.org/wiki. Facebook_features#
News_Feed (10 July 2010).
24. In reference to Illustration 10 of Section 11.4.3,
you can refer to the following links:
http://economictimes.indiatimes.com/infotech/
internet/Profiles-of-100-mn-Facebook- users-
l eaked-onl i ne/arti cl eshow/6231385. cms
(3 August 2010).
http://publication.samachar.com/pub_article.
php?id=9725948&nextids=9727901|9726856|
9725948|9715404|9725947&nextIndex=3
(3 August 2010). Tere is a small video clip also
in this link.
http://www.bharatchronicle.com/profiles-of-
100m-facebook-users-leaked-online-7901
(3 August 2010).
ht t p: / / www. ef yt i mes . com/ e1/ f ul l news .
asp?edid=48927 (3 August 2010).
http://www.timesnow.tv/Data-of-100- mn-
Facebook-users-leaked/articleshow/4350626.cms
(3 August 2010).
http://ciol.com/News/News/News-Reports/
Facebook-CEO-faces-death-sentence-in-
Pakistan/137854/0/ (3 August 2010). Here is
the story about Facebook CEO faces death
sentence in Pakistan
25. In reference to Digital Forensics Case
Illustration 2 Analysis of Seized Floppy the
Drug Peddler Case in Section 11.6.2, readers
Cyber security_Chapter 11.indd 744 2011-03-25 10:34:58 AM
Cybercrime: Illustrations, Examples and Mini-Cases 745
can refer to the following link to learn about
autopsy forensics browser:
http://www.sleuthkit.org/autopsy/ (13 July 2010).
26. To know more about the banking fraud cases,
you can visit the following sites:
For the case involving Renukanth Subramaniam,
visit the following links:
http://www.darknet.org.uk/tag/renukanth-
subramaniam/ (12 May 2010).
http://en.wikipedia.org/wiki/DarkMarket
(12 May 2010).http://www.192business.com/
page/12657/dark-market-mastermind-fraudster-
jailed (12 May 2010).
http://article.wn.com/view/2009/10/13/
Losing_your_identity/ (12 May 2010).
http://www.hackinthebox.org/index.php?name
=News&le=article&sid=34664 (2010).
27. In reference to the example about killers taking
tips from Voice over Internet Protocol, readers
can visit the following link:
http: //www. dnai ndi a. com/dnapri nt910.
php?newsid=1382834 (12 May 2010).
28. Te second case on banking fraud about victim
Umashankar Sivasubramaniam was posted in
Economic Times News and can be accessed at:
http://economictimes.indiatimes.com/news/news-
by-industry/banking/finance/banking/ICICI-
Bank-told-to-pay-Rs-13-lakh-to-NRI-customer/
articleshow/5798944.cms (15 April 2010).
29. More about the article Online Credit Card Teft
Ring can be read in the following links:
http://www.docstoc.com/docs/9232256/
Iceman-Founder-of-Online-Credit-Card-Teft-
Ring-Pleads-Guilty-to-Wire-Fraud-Charges
(12 May 2010).
http://www.keylogger.org/news-world/iceman-
pleads-guilty-to-massive-computer-hacking-5898.
html (12 May 2010).
h t t p : / / a b c n e ws . g o . c o m/ Bu s i n e s s /
story?id=3641177&page=1 (12 May 2010).
http://www.databreaches.net/?p=5817 (12 May
2010).
http://www.computerworlduk.com/manage-
ment / s ecur i t y/ cybercr i me/ news / i ndex.
cfm?newsid=15494 (12 May 2010).
30. For CAN-SPAM Act, refer to the following
links:
http://www.fcc.gov/cgb/consumerfacts/cans-
pam.html (10 May 2010).
http://www.ftc.gov/spam/ (10 May 2010).
To know more about CAN-SPAM Tool Kit, visit:
http://www.can-spam-act.com/ (10 May 2010).
To know more about how to comply with CAN-
SPAM Act of 2003, visit: http://www.wilson-
web.com/wmt9/canspam_comply.htm (10 May
2010).
http://www.spamlaws.com/federal/108s877.
shtml (10 May 2010).
Read article Te CAN-SPAM Act: A Compliance
Guide for Business at: http://www.ftc.gov/bcp/
edu/pubs/business/ecommerce/bus61.shtm (10
May 2010).
http://www.newvistainc.com/2009/11/the-can-
spam-act-a-compliance-guide-for-business/
(10 May 2010).
31. In reference to protection of credit card and the
condential information stored on those cards
magnetic strip, the article How to Create and
Generate Valid Credit Card Numbers is available
at: http://www.moneybluebook.com/how-to-
create-and-generate-valid-credit-card-numbers/
(13 May 2010).
32. Read the article How Does the Hacker Economy
Works at:
ht t p: //hubpages. com/hub/hacker worl d
(15 May 2010).
33. Read about the article Stolen Datas Black Market
by visiting: http://www.darkreading.com/secu-
r i t y / e n c r y p t i o n / s h o w A r t i c l e .
jhtml?articleID=208804033 (16 May 2010).
34. Credit card skimming related links are impor-
tant to get yourself educated on how frauds
happen and how to protect yourself. Read the
article Credit card Skimming Survey: Whats your
Magstripe Worth? at: http://www.wired.com/
threatlevel/2009/10/florida_skimming/ (13
May 2010).
35. For the security of credit cards, there is a
worldwide recognized PCI-DSS standard
(Payment Card Industry Data Security
Standard) mentioned in the following links:
https://www.pcisecuritystandards.org/ (12 May
2010). Tis is the Home Page of the PCI
Security Council.
Cyber security_Chapter 11.indd 745 2011-03-25 10:34:58 AM
746 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
http://en.wikipedia.org/wiki/Payment_Card_
Industry_Data_Security_Standard (13 May
2010). Here you will nd the Wikipedia note
on the PCI-DSS standard.
PCI-DSS frequently asked questions (FAQs)
and myths are available at: http://www.pcicom-
plianceguide.org/pcifaqs.php (16 May 2010).
PCI-DSS Sample Policy can be visited at:
http://www.pcidssguru.com/pci-dss/a-sample-
policy-for-pci-dss/ (12 May 2010).
Quick Reference Guide to the PCI-DSS
Compliance is available at: http://www.pcifree.
com/pdf/pci_ssc_quick_guide.pdf (14 May
2010).
Following URL summarizes the changes from
PCI-DSS Standard version 1.1 to version 1.2
https://www.pcisecuritystandards.org/pdfs/
pci _dss_summar y_of_changes_v1-2. pdf
(10 May 2010).
A birds eye view of the PCI-DSS version 1.2 is
available at:
http://www.secureconsulting.net/2009/02/pci_
dss_v12_in_a_nutshell.html (10 May 2010).
Read how to survive a PCI-DSS audit at:
http://www.businessrecords.com/les/1st%20
quarter%202009%20digital%20media.pdf
(12 May 2010).
Te following link provides excellent informa-
tion relating important aspects of credit cards:
What type of credit cards to look for, credit card
tips, benets and drawbacks of credit cards, pro-
tecting yourself from credit card frauds, etc.
http://www.equityfoundation.com/creditcards/
index-creditcards.htm (11 May 2010).
36. Te Card Security Code (CSC), also known as
Card Verication Data (CVD), Card Veri cation
Value (CVV or CV2), Card Verication Value
Code (CVVC), Card Verication Code (CVC),
Verication Code (V-Code or V Code), or Card
Code Verication (CCV), is an important aspect
for protecting your credit card from fraud. Visit
the following links to understand this impor-
tant aspect.
http://en.wikipedia.org/wiki/Card_Security_
Code (16 May 2010). In this URL card security
code concept is explained.
http://sawaal.ibibo.com/computers-and-tech-
nology/what-cvv-number-credit-card-902703.
html (4 January 2011). Examples of CVV, etc.
and security code are provided here.
http://www.celtnet.org.uk/ns/credit-card-ccv.
html (16 May 2010). Credit card CCV number
is explained here.
Te site mentioned below is about Credit card
Dos and Donts it has useful information
about credit card safety.
http://www.hdfcbank.com/personal/cards/cc_
usage_dd.htm (4 January 2011)
37. To understand the Scheme for Bank Card
Numbering (with regard to Illustration no. 3 under
Credit Card Frauds), refer to: http://en.wikipedia.
org/wiki/Credit_card_numbers (28 June 2010).
38. For a reading on common credit card frauds,
visit: http://en.wikipedia.org/wiki/Credit_card_
fraud#Carding (28 June 2010).
39. A wikipedia note on identity theft is available at:
http://en.wikipedia.org/wiki/ Identity_theft (21
June 2010).
40. Te ShadowCrew Board list is available in the
following link (this is reference to Illustration 3):
http: //web. archi ve. org/web/200407011
94509/http://shadowcrew.com/phpBB2/
(27 June 2010).
41. Read about Global Trail of an Online Crime Ring
by visiting the link at:
ht t p: / / www. nyt i mes . com/ 2008/ 08/ 12/
technology/12theft.html?_r=1 (24 June 2010).
42. Te RSA Online Fraud Report for August 2009,
can be read at: http://www.rsa.com/solutions/
cons umer _aut hent i cat i on/ i nt el repor t /
FRARPT_DS_0809.pdf (15 July 2010).
43. In reference to Digital Forensics Case Illustration
2 Analysis of Seized Floppy the Drug Peddler
Case, to understand how the disk structure is
visit: http://en.wikipedia.org/wiki/ Disk_sector
(23 July 2010).
44. In the following link you will nd a report about
Forensics Analysis of a Compromised Intranet
Server:
http://www.sans.org/reading_room/whitepa-
pers/forensics/forensic-analysis-compromised-
intranet-server_1652 (20 June 2010).
Cyber security_Chapter 11.indd 746 2011-03-25 10:34:58 AM
Cybercrime: Illustrations, Examples and Mini-Cases 747
45. Visit a useful link on the topic of Trademark
Law, Copyright Act, etc. at:
http://www.asianlaws.org/library/cyber-laws/
trademark-law-cyberspace.pdf (16 May 2010).
At this link, you will be able to access a document
titled Indian Trademark Law & Cyberspace.
46. Te Indian Copyright Act (1957) can be
accessed at:
http://www.education.nic.in/CprAct.pdf (18
May 2010).
47. In the following link, there is a document that
provides Comparison of the Indian Trademark
Law with EU and US Laws:
h t t p : / / w w w. c l l . c o m/ f i l e s / I NTA _
IndianTMLawComparison.pdf (19 May 2010).
48. Visit the following links to read about Indian
Trademark Law:
http://www.hg.org/article.asp?id=4963 (19 May
2010).
http://www.hg.org/article.asp?id=5514 (19 May
2010).
http://www.universalteacher.com/trademark-
law-india/ (19 May 2010).
49. To understand how a written argument on behalf
of the accused, submitted in the court looks,
readers (specially those who do not have a legal
background) can take a look at one actual writ-
ten argument available at:
http://www.ceac.in/suhaskatti_2.pdf (1 July 2010).
50. Read the DNA article Make cyber systems secure,
AK Antony tells armed forces top brass at: http://
www. d n a i n d i a . c o m/ d n a p r i n t 9 1 0 .
php?newsid=1384102 (2 July 2010).
51. Read the DNA article Govt should have 500
hackers on call at:
http: //www. dnai ndi a. com/dnapri nt910.
php?newsid=1372979 (2 July 2010).
52. Read the DNA article Cyber crime: victims dont
know whom to call at:
http: //www. dnai ndi a. com/dnapri nt910.
php?newsid=1387861 (3 July 2010).
53. According to Department of Telecommunications
o cial, cyberthreat is a global issue; read about
this at:
http: //www. dnai ndi a. com/dnapri nt910.
php?newsid=1388357 (4 July 2010).
54. Net security threats are really serious read this
article at:
http: //www. dnai ndi a. com/dnapri nt910.
php?newsid=1377191 (3 July 2010).
55. FBIs Index of Cyber Crimes with live links (from
year 2003 to year 2010) is available at: http://
www.fbi.gov/page2/page2index/cyber.htm (2
July 2010).
56. In reference to Advance Fee Fraud described in
Section 11.7.17, the following links are worth
visiting:
A list of notable frauds: http://en.wikipedia.org/
wiki/Fraud (3 July 2010).
http://en.wikipedia.org/wiki/Advance-fee_
fraud (3 July 2010).
57. Federal Communications Commission (FCC)
links are provided in the following link:
For the FCC rules and regulations, visit: http://
www.fcc.gov/oet/info/rules/ (4 July 2010). Tis
is in reference to Scam No. 17: Te Advance Fee
Fraud in Section 11.7.17.
58. FCC Home Page can be accessed at: http://
www.fcc.gov/ (4 July 2010).
59. Read about online frauds by visiting this RSA
website at: http://www.rsa.com/phishing_
reports.aspx (16 July 2010).
60. To learn more about telecommunications relay
service (TRS), visit: http://en.wikipedia.org/
wiki/IP_Relay (2 July 2010).
61. In reference to Scam No. 12: Bona Vacantia Scam
in Section 11.7.12, visit: http://en.wikipedia.org/
wiki/Bona_vacantia (5 July 2010).
62. In reference to Rental Scams in Section 11.7.14,
visit: http://rentalscams.org/ (6 July 2010).
63. In reference to Attorney Debt Collection Scams
in Section 11.7.15 and to learn more about how
other attorneys around the country have been
scammed on this, visit: http://www.scamwar-
ners.com/forum/viewtopic.php?t=1578 (7 July
2010).
64. In the following link, there is an article A sucker
for the African E-Mail scam:
ht t p: / / www. r e di f f . c om/ mone y/ 2002/
dec/09dalal.htm (10 July 2010).
65. Read about Kansas Attorney General Warns of
Debt Collection Scam at: http://www.
Cyber security_Chapter 11.indd 747 2011-03-25 10:34:58 AM
748 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
consumeraairs.com/news04/2010/01/ks_debt_
collection.html#ixzz0soHCcIIM (10 July 2010).
66. Debt Collection FAQs can be accessed at:
http://www.consumerfraudreporting.org/
debtcollection.php (11 July 2010).
67. In reference to Malware Scams in Section
11.7.16, the Anatomy of Malware Scams can be
visited at:
http://www.theregister.co.uk/2008/08/22/
anatomy_of_a_hack/print.html (12 July 2010).
68. In reference to Nigerian Scam/419 Scam
described in Section 11.7.19, visit: http://www.
snopes.com/fraud/advancefee/nigeria.asp (6
July 2010).
69. In reference to Craigslist scam described in
Section 11.7.17, the following links will provide
you additional information:
http://askbobrankin.com/what_is_craigslist.
html (3 July 2010).
http://www.christianet.com/christianpenpals/
whatiscraigslist.htm (3 July 2010).
http://www.fraudguides.com/internet-craigslist-
scams.asp (3 July 2010).
70. A large list of Computer Forensic Analysis Tools
can be visited at:
http://www.caine-live.net/page11/page11.html
(24 July 2010).
71. Regarding Trade Mark Law in India, you can
visit the following links:
http://www.articlesbase.com/trademarks-
articles/trademark-law-india-466481.html
(3 January 2011).
http://www.tm-india.com/trademark-laws/
(3 January 2011).
72. In reference to Illustration 2: Phishing Incidence
in Section 11.4.1 visit the following link to read
the story ICICI Bank told to pay Rs 13 lakh to
NRI customer:
http://economictimes.indiatimes.com/news/news-
by-industry/banking/nance/banking/ icici-bank-
tol d-to-pay-rs-13-l akh-to-nri - customer/
articleshow/5798944.cms (3 January 2011).
Books
1. Godbole, N. (2009) Information Systems Security:
Security Management, Metrics, Frameworks and
Best Practices, Chapter 38, Wiley India Ltd.,
New Delhi.
2. Ibid Refer to Chapter 13 cryptography,
encryption and digital signatures.
3. Ibid Refer to Sections 19.5, 19.6 and 19.7 of
Chapter 19 (Security of Electronic Mail
Systems).
4. Mehta, R. and Mehta, R. (2009) Credit Cards: A
Legal Guide with Special Reference to Credit Card
Frauds, Universal Law Publishing Co.
Video Clips
1. To get educated on credit card-related frauds
and be alert, video clips can be seen at:
h t t p : / / www. y o u t u b e . c o m/ wa t c h ? v
=FunpS4QXcRI (14 May 2010). Here the topic
is Worlds Worst Credit Card?
h t t p : / / www. y o u t u b e . c o m/ wa t c h ? v
=6CehJarAIP8&NR=1 (14 May 2010). Here
the topic is Credit Card PIRACY!
h t t p : / / www. y o u t u b e . c o m/ wa t c h ? v
=vmaj1KJlT3U&feature=related (14 May
2010), Here the topic is How to Hack RFID-
enabled Credit Cards for $8
h t t p : / / www. y o u t u b e . c o m/ wa t c h ? v
=V3pElQD8UZg&NR=1 (14 May 2010).
Here the topic is Fake a Credit Card
2. Credit card skimming video clips can be seen at:
h t t p : / / www. y o u t u b e . c o m/ wa t c h ? v
=IEigmCRJ8FA (14 May 2010).
h t t p : / / www. y o u t u b e . c o m/ wa t c h ? v
=TE1p4ccm-2g&NR=1 (14 May 2010). Tis
video mentions that the skimmer devices are
legal and readily available. Te video clip men-
tions that it is frustrating but not illegal in the
US. It is said here that do not wait till your
bank statement arrives at the end of the month
because that gives plenty of opportunity to
the fraudster to take forward his plan. It is
better to check your bank statements online
almost daily.
At the video clip available in the following link
demonstrates how the waitress pretends to drop
the credit card of customer and how the skimmer
devise is used to get the magnetic card informa-
tion copied watch the clip at:
Cyber security_Chapter 11.indd 748 2011-03-25 10:34:58 AM
Cybercrime: Illustrations, Examples and Mini-Cases 749
http://www.youtube.com/watch?v=Ns80Ij
FHyrg&NR=1 (14 May 2010).
3. ATM Frauds with Credit Cards Video clips
can be seen in the following links:
To know more on ATM skimming, visit:
http://www.youtube.com/watch?v=m3qK46L2
b_c&feature=related (13 May 2010).
http://www.youtube.com/watch?v= xQRcm
UkcITQ (13 May 2010).
ht t p: / / www. yout ube. com/ wat ch? v=Ek
BRVWLcKlY&NR=1 (13 May 2010).
4. Visit the following link about Faking a Credit
Card
http: //www. youtube. com/watch?v=V3p
ElQD8UZg (accssed 3 January 2011)
5. For useful tips to protect yourself from ATM
thefts, refer to the following URL: http://www.
nigerianelitesforum.com/ng/business-and-
money/619-atm-theft-protect-yourself-from-
t h e - mo s t - c o mmo n - a t m- s c a ms . h t ml
(30 October 2010).
6. European Payment Councils ATM Security
Guidelines can be downloaded from the follow-
ing link:
http://www.atmia.com/newsletters/mar06/
EPC%20DTR413%20ATM%20Security%20
Guidelines.pdf (24 April 2009).
7. Demo of the New Bluetooth ATM Skimmer can
be seen at: http://www.youtube.com/watch?
v=GxoqnCYIyf8&NR=1 (16 May 2010).
8. In the following links, you can see some more
video clips about ATM Frauds:
To know more on ATM fraud live skim-
ming, visit:
http://www.youtube.com/verify_age?next_
url=http%3A//www.youtube.com/watch%
3Fv%3DQj vB2vmHj 30 (30 October
2010).
To know more about Credit Card Skimming
Operation How a Waiter at a Restaurant
does it, visit:
http://www.youtube.com/watch?v=U0w_
ktMotlo (30 October 2010).
h t t p : / / w w w. y o u t u b e . c o m/ w a t c h ?
v=hx8gliXXbQA (30 October 2010).
To know more about fake credit card, visit:
http://www.youtube.com/watch?v=V3pElQD8U
Zg&NR=1&feature=fvwp (30 October 2010).
To know more about criminal modus operandi
ATM Scam in non-English language, visit:
ht t p : / / www. y o u t u b e . c o m/ wa t c h? v =
YyArqeLSyBA (30 October 2010).
h t t p : / / w w w. y o u t u b e . c o m/ w a t c h ?
v=xQRcmUkcITQ (30 October 2010).
To know more about ATM fraud, visit: http://
www.youtube.com/watch?v=d9Y4WUk2ePw
(30 October 2010)
To know more about Chip and PIN fraud, visit:
http: //www. youtube. com/watch?v=X7pj
UIxKoEc (30 October 2010).
To know more about ATM skimming, visit:
http: //www. youtube. com/watch?v=m3q
K46L2b_c (30 October 2010).
To know more about credit card hack, visit:
http://www.youtube.com/watch?v=yIXhs
Prf2Yk (30 October 2010).
To know more about worlds worst credit card,
visit: http://www.youtube.com/watch?v=Funp
S4QXcRI&NR=1&feature=fvwp (30 October
2010).
To know more about nano skimmer instruc-
tions, visit:
http://www.youtube.com/watch?v=dMuTXBf-
fao (30 October 2010).
http://www.youtube.com/watch?v=Uu8J3UCc
bd4&p=DC5BA9A2DEC3E437&playnext=1
&index=11 (30 October 2010).
To know more about credit card skimming devices
on ATMs and gas pumps, visit:
http://www.youtube.com/watch?v=hojtvc
C-STk (30 October 2010). One more video
clip on credit card skimming.
To know more about new credit card scam, visit:
ht t p: / / www. yout ube. com/ wat ch? v=bm
KFHisu5og (30 October 2010).
http://www.youtube.com/watch?v=63hei
TqM4pg (30 October 2010). Tis link is about
ATM Scam, Check Your Machine before
Putting Your Card in
9. Te following links can be visited in reference to
the digital signature-related crimes scenarios
presented in Section 11.5:
Cyber security_Chapter 11.indd 749 2011-03-25 10:34:58 AM
750 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Demo of How Digital Signatures Work, a video
clip can be viewed at:
http://www.arx.com/resources/digital-signa-
ture-applications-demo (15 July 2010).
A Vido clip showing Demo of Digitally signing a
MicroSoft Word 2007 is available at:
http://www.arx.com/ash/Digital-Signatures-
Word2007 (24 July 2010).
In the following link you can view Demo of digital
signature for PDF http://www.arx.com/ash/Digital-
Signatures-for-Adobe-Reader (23 July 2010).
In the following link you can view Demo of
digital signature for Excel 2007 http://www.arx.
com/fl ash/Di gi tal -Si gnatures-Excel 2007
(23 July 2010).
10. Tere are more Demo Videos for digitally sign-
ing other types of documents (Word 2003,
Excel 2003, AutoCAD, Web Applications, IBM
Lotus Forms, TIFF docs, Google docs, etc.).
Tese all are available in the following CoSign
Digital Signature site:
ht t p: / / www. ar x. com/ res ources / di gi t al -
signature-applications-demo (23 July 2010).
To know more about Digital Signature
Guidelines Tutorial, visit: http://www.abanet.
org/scitech/ec/isc/dsg-tutorial.html (25 July
2010).
To know more about Digital Signature
Guidelines, visit: http://www.abanet.org/scitech/
ec/isc/dsg.pdf (23 July 2010).
To know more about VeriSign Guide to Digital
Signatures, visit: http://www.verisign.com.
au/repository/tutorial/digital/intro1.shtml (23
July 2010).
Te appendices that serve as extended material for the topic addressed in this chapter are: AV. Tese are
provided in the companion CD.
Cyber security_Chapter 11.indd 750 2011-03-25 10:34:58 AM