A

RESEARCH REPORT

on

CYBER CRIMES
Under the subject

INFORMATION SYSTEM MANAGEMENT

Submitted to
Submitted by
Ms. Vanisha Malik Muhammad Salim (07217003909)

Faculty, MBA Sunil Kumar Gupta (07417003909)

TIAS Praveen Kumar (05617003909)

SESSION: 2010 - 2011

TECNIA INSTITUTE OF ADVANCED STUDIES

(Approved by AICTE, Ministry of HRD, Govt. of India)
Affiliated To Guru Gobind Singh Indraprastha University, Delhi
INSTITUTIONAL AREA, MADHUBAN CHOWK, ROHINI, DELHI- 110085
E-Mail:director@tecniaindia.org, Website: www.tecniaindia.org
Fax No: 27555120, Tel: 27555121-24
 ACKNOWLEDGEMENTS

At the outset, we wish to express our sincere thanks to almighty for showering his
blessing on us to develop this report. We wish to thank our parents who always believed in us
and have faith in us in whatever we wished to do.

We would like to acknowledge our sincere thanks to Ms. Vanisha Malik, Faculty of
Information System Management, Tecnia Institute of Advanced Studies for her excellent
guidance and supervision for the completion of this report successfully.

Last but not the least we wish to thank each one of us to do so much wonderful teamwork
with trust and faith.

Muhammad Salim

Sunil Kumar Gupta

Praveen Kumar
 INDEX

SR. No. PARTICULARS PAGE No.

1 Evolution of cyber crime 1
2 Definition 2
3 Cyber criminals 2
4 Modes of committing cyber crime 3
Some case studies
5
 Pune Citibank Emphasis Call Centre Fraud
9
 State of Tamil Nadu Vs Suhas Katti 9
 SONY.SAMBANDH.COM Case 11
 Nasscom vs. Ajay Sood & Others 12
 SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra 14
 Online Stock Exchange Fraud 15
 Fake Travel Agent 16

 Illegal Data Mining 17

18
 Brute force
18
 Shoulder Surfing: District Data Breach
6 Classification of effects of cyber crime 20
 Against Individuals
 Against Organization
 Against Society at large
7 Statutory provisions 25
8 The access and security trade-off 26
9 Prevention of cyber crime 29
9 Conclusion 30
10 References 31
EVOLUTION OF CYBER CRIME

The first recorded cyber crime took place in the year 1820!

That is not surprising considering the fact that the abacus, which is thought to be the
earliest form of a computer, has been around since 3500 B.C. in India, Japan and China. The era
of modern computers, however, began with the analytical engine of Charles Babbage.

In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom.

This device allowed the repetition of a series of steps in the weaving of special fabrics. This
resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood
were being threatened. They committed acts of sabotage to discourage Jacquard from further use
of the new technology. This is the first recorded cyber crime!

Today, computers have come a long way with neural networks and nano-computing
promising to turn every atom in a glass of water into a computer capable of performing a billion
operations per second.

In a day and age when everything from microwave ovens and refrigerators to nuclear
power plants are being run on computers, cyber crime has assumed rather sinister implications.

Cyber crime can involve criminal activities that are traditional in nature, such as theft,
fraud, forgery, defamation and mischief. The abuse of computers has also given birth to a gamut
of new age crimes such as hacking, web defacement, cyber stalking, web jacking etc. A simple
yet sturdy definition of cyber crime would be “unlawful acts wherein the computer is either a
tool or a target or both”.

The term computer used in this definition does not only mean the conventional desktop or
laptop computer. It includes Personal Digital Assistants (PDA), cell phones, sophisticated
watches, cars and a host of gadgets.

Recent global cyber crime incidents like the targeted denial of service attacks on Estonia
have heightened fears. Intelligence agencies are preparing against coordinated cyber attacks that
could disrupt rail and air traffic controls, electricity distribution networks, stock markets,
banking and insurance systems etc. Unfortunately, it is not possible to calculate the true social
and financial impact of cyber crime. This is because most crimes go unreported.

Page | 1
CYBER CRIME
Cyber crime is the latest and perhaps the most complicated problem in the cyber world.
“Cyber crime may be said to be those species, of which, genus is the conventional crime, and
where either the computer is an object or subject of the conduct constituting crime.”

“Any criminal activity that uses a computer either as an instrumentality, target or a

means for perpetuating further crimes comes within the ambit of cyber crime.”

A generalized definition of cyber crime may be “unlawful acts wherein the computer is
either a tool or target or both.” The computer may be used as a tool in the following kinds of
activity- financial crimes, sale of illegal articles, pornography, online gambling, intellectual
property crime, e-mail spoofing, forgery, cyber defamation, cyber stalking. The computer may
however be target for unlawful acts in the following cases- unauthorized access to computer/
computer system/ computer networks, theft of information contained in the electronic form, e-
mail bombing, data didling, salami attacks, logic bombs, Trojan attacks, internet time thefts, web
jacking, theft of computer system, physically damaging the computer system.

CYBER CRIMINALS

The cyber criminals constitute of various groups/ category. This division may be justified on
the basis of the object that they have in their mind. The following are the category of cyber
criminals-

1. Children and adolescents between the age group of 6 – 18 years –

The simple reason for this type of delinquent behaviour pattern in children is seen mostly due
to the inquisitiveness to know and explore the things. Other cognate reason may be to prove
themselves to be outstanding amongst other children in their group. Further the reasons may
be psychological even. E.g. the Bal Bharati (Delhi) case was the outcome of harassment of
the delinquent by his friends.

2. Organised Hackers -

Page | 2
 These kinds of hackers are mostly organised together to fulfil certain objective. The reason
may be to fulfil their political bias, fundamentalism, etc. The Pakistanis are said to be one of
the best quality hackers in the world. They mainly target the Indian government sites with the
purpose to fulfil their political objectives. Further the NASA as well as the Microsoft sites is
always under attack by the hackers.

3. Professional hackers / crackers –

Their work is motivated by the color of money. These kinds of hackers are mostly employed
to hack the site of the rivals and get credible, reliable and valuable information. Further they
are van employed to crack the system of the employer basically as a measure to make it safer
by detecting the loopholes.

4. Discontented employees-

This group include those people who have been either sacked by their employer or are
dissatisfied with their employer. To avenge they normally hack the system of their employee.

MODE AND MANNER OF COMMITING CYBER CRIME

1. Unauthorized access to computer systems or networks / Hacking-

This kind of offence is normally referred as hacking in the generic sense. However the
framers of the information technology act 2000 have no where used this term so to avoid any
confusion we would not interchangeably use the word hacking for ‘unauthorized access’ as
the latter has wide connotation.

2. Theft of information contained in electronic form-

This includes information stored in computer hard disks, removable storage media etc. Theft
may be either by appropriating the data physically or by tampering them through the virtual
medium.

Page | 3
3. Email bombing-

Email bombing refers to sending a large number of emails to the victim resulting in the
victim's email account (in case of an individual) or mail servers (in case of a company or an
email service provider) crashing. In one case, a foreigner who had been residing in Simla,
India for almost thirty years wanted to avail of a scheme introduced by the Simla Housing
Board to buy land at lower rates. When he made an application it was rejected on the grounds
that the 169 schemes were available only for citizens of India. He decided to take his
revenge. Consequently he sent thousands of mails to the Simla Housing Board and repeatedly
kept sending e-mails till their servers crashed.

4. Data diddling-

This kind of an attack involves altering raw data just before it is processed by a computer and
then changing it back after the processing is completed. Electricity Boards in India have been
victims to data diddling programs inserted when private parties were computerizing their
systems.

5. Salami attacks-

These attacks are used for the commission of financial crimes. The key here is to make the
alteration so insignificant that in a single case it would go completely unnoticed. E.g. a bank
employee inserts a program, into the bank's servers, that deducts a small amount of money
(say Rs. 5 a month) from the account of every customer. No account holder will probably
notice this unauthorized debit, but the bank employee will make a sizable amount of money
every month.

To cite an example, an employee of a bank in USA was dismissed from his job. Disgruntled
at having been supposedly mistreated by his employers the man first introduced a logic bomb
into the bank's systems.

Logic bombs are programmes, which are activated on the occurrence of a particular
predefined event. The logic bomb was programmed to take ten cents from all the accounts in

Page | 4
the bank and put them into the account of the person whose name was alphabetically the last
in the bank's rosters. Then he went and opened an account in the name of Ziegler. The
amount being withdrawn from each of the accounts in the bank was so insignificant that
neither any of the account holders nor the bank officials noticed the fault.

It was brought to their notice when a person by the name of Zygler opened his account in that
bank. He was surprised to find a sizable amount of money being transferred into his account
every Saturday.

6. Denial of Service attack-

This involves flooding a computer resource with more requests than it can handle. This
causes the resource (e.g. a web server) to crash thereby denying authorized users the service
offered by the resource. Another variation to a typical denial of service attack is known as a
Distributed Denial of Service (DDoS) attack wherein the perpetrators are many and are
geographically widespread. It is very difficult to control such attacks. The attack is initiated
by sending excessive demands to the victim's computer(s), exceeding the limit that the
victim's servers can support and making the servers crash. Denial-of-service attacks have had
an impressive history having, in the past, brought down websites like Amazon, CNN, Yahoo
and eBay!

7. Virus / worm attacks-

Viruses are programs that attach themselves to a computer or a file and then circulate
themselves to other files and to other computers on a network. They usually affect the data
on a computer, either by altering or deleting it. Worms, unlike viruses do not need the host to
attach themselves to. They merely make functional copies of themselves and do this
repeatedly till they eat up all the available space on a computer's memory. The
VBS_LOVELETTER virus (better known as the Love Bug or the ILOVEYOU virus) was
reportedly written by a Filipino undergraduate.

In May 2000, this deadly virus beat the Melissa virus hollow - it became the world's most
prevalent virus. It struck one in every five personal computers in the world. When the virus

Page | 5
was brought under check the true magnitude of the losses was incomprehensible. Losses
incurred during this virus attack were pegged at US $ 10 billion.

The original VBS_LOVELETTER utilized the addresses in Microsoft Outlook and emailed
itself to those addresses. The e-mail, which was sent out, had "ILOVEYOU" in its subject
line. The attachment file was named "LOVE-LETTER-FORYOU. TXT.vbs". The subject
line and those who had some knowledge of viruses did not notice the tiny .vbs extension and
believed the file to be a text file conquered people wary of opening e-mail attachments. The
message in the e-mail was "kindly check the attached LOVELETTER coming from me".

Since the initial outbreak over thirty variants of the virus have been developed many of them
following the original by just a few weeks. In addition, the Love Bug also uses the Internet
Relay Chat (IRC) for its propagation.

It e-mails itself to users in the same channel as the infected user.

Unlike the Melissa virus this virus does have a destructive effect. Whereas the Melissa, once
installed, merely inserts some text into the affected documents at a particular instant during
the day, VBS_LOVELETTER first selects certain files and then inserts its own code in lieu
of the original data contained in the file. This way it creates ever-increasing versions of itself.
Probably the world's most famous worm was the Internet worm let loose on the Internet by
Robert Morris sometime in 1988. The Internet was, then, still in its developing years and this
worm, which affected thousands of computers, almost brought its development to a complete
halt. It took a team of experts almost three days to get rid of the worm and in the meantime
many of the computers had to be disconnected from the network.

8. Logic bombs-

These are event dependent programs. This implies that these programs are created to do
something only when a certain event (known as a trigger event) occurs. E.g. even some
viruses may be termed logic bombs because they lie dormant all through the year and
become active only on a particular date (like the Chernobyl virus).

Page | 6
9. Trojan attacks-

A Trojan as this program is aptly called, is an unauthorized program which functions from
inside what seems to be an authorized program, thereby concealing what it is actually doing.

There are many simple ways of installing a Trojan in someone's computer. To cite and
example, two friends Rahul and Mukesh (names changed), had a heated argument over one
girl, Radha (name changed) whom they both liked. When the girl, asked to choose, chose
Mukesh over Rahul, Rahul decided to get even. On the 14th of February, he sent Mukesh a
spoofed e-card, which appeared to have come from Radha's mail account. The e-card actually
contained a Trojan. As soon as Mukesh opened the card, the Trojan was installed on his
computer. Rahul now had complete control over Mukesh's computer and proceeded to harass
him thoroughly.

10. Internet time thefts-

This connotes the usage by an unauthorized person of the Internet hours paid for by another
person. In a case reported before the enactment of the Information Technology Act, 2000
Colonel Bajwa, a resident of New Delhi, asked a nearby net café owner to come and set up
his Internet connection. For this purpose, the net café owner needed to know his username
and password.

After having set up the connection he went away with knowing the present username and
password. He then sold this information to another net café. One week later Colonel Bajwa
found that his Internet hours were almost over. Out of the 100 hours that he had bought, 94
hours had been used up within the span of that week. Surprised, he reported the incident to
the Delhi police. The police could not believe that time could be stolen. They were not aware
of the concept of time-theft at all. Colonel Bajwa's report was rejected.

He decided to approach The Times of India, New Delhi. They, in turn carried a report about
the inadequacy of the New Delhi Police in handling cyber crimes. The Commissioner of
Police, Delhi then took the case into his own hands and the police under his directions raided

Page | 7
and arrested the net café owner under the charge of theft as defined by the Indian Penal Code.
The net café owner spent several weeks locked up in Tihar jail before being granted bail.

11. Web jacking-

This occurs when someone forcefully takes control of a website (by cracking the password
and later changing it). The actual owner of the website does not have any more control over
what appears on that website In a recent incident reported in the USA the owner of a hobby
website for children received an e-mail informing her that a group of hackers had gained
control over her website. They demanded a ransom of 1 million dollars from her. The owner,
a schoolteacher, did not take the threat seriously. She felt that it was just a scare tactic and
ignored the e-mail. It was three days later that she came to know, following many telephone
calls from all over the country, that the hackers had web jacked her website. Subsequently,
they had altered a portion of the website which was entitled 'How to have fun with goldfish'.
In all the places where it had been mentioned, they had replaced the word 'goldfish' with the
word 'piranhas'. Piranhas are tiny but extremely dangerous flesh-eating fish. Many children
had visited the popular website and had believed what the contents of the website suggested.
These unfortunate children followed the instructions, tried to play with piranhas, which they
bought from pet shops, and were very seriously injured!

12. Theft of computer system

This type of offence involves the theft of a computer, some part(s) of a computer or a
peripheral attached to the computer.

13. Physically damaging a computer system

This crime is committed by physically damaging a computer or its peripherals.

Page | 8
SOME CASE STUDIES

1. Pune Citibank Emphasis Call Centre Fraud

US $ 3,50,000 from accounts of four US customers were dishonestly transferred to bogus

accounts. This will give a lot of ammunition to those lobbying against outsourcing in US. Such
cases happen all over the world but when it happens in India it is a serious matter and we cannot
ignore it. It is a case of sourcing engineering. Some employees gained the confidence of the
customer and obtained their PIN numbers to commit fraud. They got these under the guise of
helping the customers out of difficult situations. Highest security prevails in the call centres in
India as they know that they will lose their business. There was not as much of breach of security
but of sourcing engineering. The call centre employees are checked when they go in and out so
they cannot copy down numbers and therefore they could not have noted these down.

They must have remembered these numbers, gone out immediately to a cyber café and accessed
the Citibank accounts of the customers. All accounts were opened in Pune and the customers
complained that the money from their accounts was transferred to Pune accounts and that’s how
the criminals were traced. Police has been able to prove the honesty of the call centre and has
frozen the accounts where the money was transferred. There is need for a strict background
check of the call centre executives. However, best of background checks can not eliminate the
bad elements from coming in and breaching security. We must still ensure such checks when a
person is hired. There is need for a national ID and a national data base where a name can be
referred to. In this case preliminary investigations do not reveal that the criminals had any crime
history. Customer education is very important so customers do not get taken for a ride. Most
banks are guilt of not doing this.

2. State of Tamil Nadu Vs Suhas Katti

The Case of Suhas Katti is notable for the fact that the conviction was achieved successfully
within a relatively quick time of 7 months from the filing of the FIR. Considering that similar
cases have been pending in other states for a much longer time, the efficient handling of the case
which happened to be the first case of the Chennai Cyber Crime Cell going to trial deserves a
special mention.

Page | 9
The case related to posting of obscene, defamatory and annoying message about a divorcee
woman in the yahoo message group. E-Mails were also forwarded to the victim for information
by the accused through a false e-mail account opened by him in the name of the victim. The
posting of the message resulted in annoying phone calls to the lady in the belief that she was
soliciting. Based on a complaint made by the victim in February 2004, the Police traced the
accused to Mumbai and arrested him within the next few days. The accused was a known family
friend of the victim and was reportedly interested in marrying her. She however married another
person. This marriage later ended in divorce and the accused started contacting her once again.
On her reluctance to marry him, the accused took up the harassment through the Internet. On 24-
3-2004 Charge Sheet was filed u/s 67 of IT Act 2000, 469 and 509 IPC before The Hon’ble
Addl. CMM Egmore by citing 18 witnesses and 34 documents and material objects. The same
was taken on file in C.C.NO.4680/2004.

On the prosecution side 12 witnesses were examined and entire documents were marked as
Exhibits. The Defence argued that the offending mails would have been given either by ex-
husband of the complainant or the complainant herself to implicate the accused as accused
alleged to have turned down the request of the complainant to marry her. Further the Defence
counsel argued that some of the documentary evidence was not sustainable under Section 65 B
of the Indian Evidence Act. However, the court relied upon the expert witnesses and other
evidence produced before it, including the witnesses of the Cyber Cafe owners and came to the
conclusion that the crime was conclusively proved. Ld. Additional Chief Metropolitan
Magistrate, Egmore, delivered the judgement on 5-11-04 as follows:

“ The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000
and the accused is convicted and is sentenced for the offence to undergo RI for 2 years
under 469 IPC and to pay fine of Rs.500/-and for the offence u/s 509 IPC sentenced to
undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67
of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All sentences to run
concurrently.”

The accused paid fine amount and he was lodged at Central Prison, Chennai. This is considered
as the first case convicted under section 67 of Information Technology Act 2000 in India.

Page | 10
3. SONY.SAMBANDH.COM Case

India saw its first cybercrime conviction recently. It all began after a complaint was filed by
Sony India Private Ltd, which runs a website called www.sony-sambandh.com, targeting Non
Resident Indians. The website enables NRIs to send Sony products to their friends and relatives
in India after they pay for it online. The company undertakes to deliver the products to the
concerned recipients. In May 2002, someone logged onto the website under the identity of
Barbara Campa and ordered a Sony Colour Television set and a cordless head phone. She gave
her credit card number for payment and requested that the products be delivered to Arif Azim in
Noida. The payment was duly cleared by the credit card agency and the transaction processed.

After following the relevant procedures of due diligence and checking, the company delivered
the items to Arif Azim. At the time of delivery, the company took digital photographs showing
the delivery being accepted by Arif Azim. The transaction closed at that, but after one and a half
months the credit card agency informed the company that this was an unauthorized transaction as
the real owner had denied having made the purchase. The company lodged a complaint for
online cheating at the Central Bureau of Investigation which registered a case under Section 418,
419 and 420 of the Indian Penal Code. The matter was investigated into and Arif Azim was
arrested.

Investigations revealed that Arif Azim, while working at a call centre in Noida gained access to
the credit card number of an American national which he misused on the company’s site. The
CBI recovered the colour television and the cordless head phone. In this matter, the CBI had
evidence to prove their case and so the accused admitted his guilt. The court convicted Arif
Azim under Section 418, 419 and 420 of the Indian Penal Code — this being the first time that a
cybercrime has been convicted. The court, however, felt that as the accused was a young boy of
24 years and a first-time convict, a lenient view needed to be taken. The court therefore released
the accused on probation for one year. The judgment is of immense significance for the entire
nation. Besides being the first conviction in a cybercrime matter, it has shown that the Indian
Penal Code can be effectively applied to certain categories of cyber crimes which are not
covered under the Information Technology Act 2000. Secondly, a judgment of this sort sends out
a clear message to all that the law cannot be taken for a ride.

Page | 11
4. Nasscom vs. Ajay Sood & Others

In a landmark judgment in the case of National Association of Software and Service Companies
Vs Ajay Sood & Others, delivered in March, ‘05, the Delhi High Court declared `phishing’ on
the internet to be an illegal act, entailing an injunction and recovery of damages. Elaborating on
the concept of ‘phishing’, in order to lay down a precedent in India, the court stated that it is a
form of internet fraud where a person pretends to be a legitimate association, such as a bank or
an insurance company in order to extract personal data from a customer such as access codes,
passwords, etc. Personal data so collected by misrepresenting the identity of the legitimate party
is commonly used for the collecting party’s advantage. court also stated, by way of an example,
that typical phishing scams involve persons who pretend to represent online banks and siphon
cash from e-banking accounts after conning consumers into handing over confidential banking
details.

The Delhi HC stated that even though there is no specific legislation in India to penalise
phishing, it held phishing to be an illegal act by defining it under Indian law as “a
misrepresentation made in the course of trade leading to confusion as to the source and origin of
the e-mail causing immense harm not only to the consumer but even to the person whose name,
identity or password is misused.” The court held the act of phishing as passing off and tarnishing
the plaintiff’s image. The plaintiff in this case was the National Association of Software and
Service Companies (Nasscom), India’s premier software association. The defendants were
operating a placement agency involved in head-hunting and recruitment. In order to obtain
personal data, which they could use for purposes of headhunting, the defendants composed and
sent e-mails to third parties in the name of Nasscom. The high court recognised the trademark
rights of the plaintiff and passed an ex-parte adinterim injunction restraining the defendants from
using the trade name or any other name deceptively similar to Nasscom.

The court further restrained the defendants from holding themselves out as being associates or a
part of Nasscom. The court appointed a commission to conduct a search at the defendants’
premises. Two hard disks of the computers from which the fraudulent e-mails were sent by the
defendants to various parties were taken into custody by the local commissioner appointed by the
court. The offending e-mails were then downloaded from the hard disks and presented as
evidence in court. During the progress of the case, it became clear that the defendants in whose

Page | 12
names the offending e-mails were sent were fictitious identities created by an employee on
defendants’ instructions, to avoid recognition and legal action. On discovery of this fraudulent
act, the fictitious names were deleted from the array of parties as defendants in the case.

Subsequently, the defendants admitted their illegal acts and the parties settled the matter through
the recording of a compromise in the suit proceedings. According to the terms of compromise,
the defendants agreed to pay a sum of Rs1.6 million to the plaintiff as damages for violation of
the plaintiff’s trademark rights. The court also ordered the hard disks seized from the defendants’
premises to be handed over to the plaintiff who would be deceptively similar to Nasscom. The
court further restrained the defendants from holding themselves out as being associates or a part
of Nasscom. The court appointed a commission to conduct a search at the defendants’ premises.
Two hard disks of the computers from which the fraudulent e-mails were sent by the defendants
to various parties were taken into custody by the local commissioner appointed by the court. The
offending e-mails were then downloaded from the hard disks and presented as evidence in court.

During the progress of the case, it became clear that the defendants in whose names the
offending e-mails were sent were fictitious identities created by an employee on defendants’
instructions, to avoid recognition and legal action. On discovery of this fraudulent act, the
fictitious names were deleted from the array of parties as defendants in the case. Subsequently,
the defendants admitted their illegal acts and the parties settled the matter through the recording
of a compromise in the suit proceedings. According to the terms of compromise, the defendants
agreed to pay a sum of Rs1.6 million to the plaintiff as damages for violation of the plaintiff’s
trademark rights. The court also ordered the hard disks seized from the defendants’ premises to
be handed over to the plaintiff who would be the owner of the hard disks. This case achieves
clear milestones: It brings the act of “phishing” into the ambit of Indian laws even in the absence
of specific legislation; It clears the misconception that there is no “damages culture” in India for
violation of IP rights; This case reaffirms IP owners’ faith in the Indian judicial system’s ability
and willingness to protect intangible property rights and send a strong message to IP owners that
they can do business in India without sacrificing their IP rights.

Page | 13
5. SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra

In India's first case of cyber defamation, a Court of Delhi assumed jurisdiction over a matter
where a corporate’s reputation was being defamed through emails and passed an important ex-
parte injunction.

In this case, the defendant Jogesh Kwatra being an employ of the plaintiff company started
sending derogatory, defamatory, obscene, vulgar, filthy and abusive emails to his employers as
also to different subsidiaries of the said company all over the world with the aim to defame the
company and its Managing Director Mr. R K Malhotra. The plaintiff filed a suit for permanent
injunction restraining the defendant from doing his illegal acts of sending derogatory emails to
the plaintiff.

On behalf of the plaintiffs it was contended that the emails sent by the defendant were distinctly
obscene, vulgar, abusive, intimidating, humiliating and defamatory in nature. Counsel further
argued that the aim of sending the said emails was to malign the high reputation of the plaintiffs
all over India and the world. He further contended that the acts of the defendant in sending the
emails had resulted in invasion of legal rights of the plaintiffs. Further the defendant is under a
duty not to send the aforesaid emails. It is pertinent to note that after the plaintiff company
discovered the said employ could be indulging in the matter of sending abusive emails, the
plaintiff terminated the services of the defendant.

After hearing detailed arguments of Counsel for Plaintiff, Hon'ble Judge of the Delhi High Court
passed an ex-parte ad interim injunction observing that a prima facie case had been made out by
the plaintiff. Consequently, the Delhi High Court restrained the defendant from sending
derogatory, defamatory, obscene, vulgar, humiliating and abusive emails either to the plaintiffs
or to its sister subsidiaries all over the world including their Managing Directors and their Sales
and Marketing departments. Further, Hon'ble Judge also restrained the defendant from
publishing, transmitting or causing to be published any information in the actual world as also in
cyberspace which is derogatory or defamatory or abusive of the plaintiffs.

This order of Delhi High Court assumes tremendous significance as this is for the first time that
an Indian Court assumes jurisdiction in a matter concerning cyber defamation and grants an ex-
parte injunction restraining the defendant from defaming the plaintiffs by sending derogatory,
defamatory, abusive and obscene emails either to the plaintiffs or their subsidiaries.

Page | 14
6. Online Stock Exchange Fraud

Background: A complaint was received from the director of a securities firm stating that there
was an unauthorized execution of a call option resulting in a loss to the complainant. The
complainant company was dealing in sale and purchase of shares on behalf of clients. As a
broker of the stock exchange they were providing trading facilities of the equity and futures and
options markets to their sub-brokers/ high net worth individual clients. This was done at the
clients’ premises through ISDN lines/ normal telephone lines/ VPN with predefined passwords
and user IDs on their trading terminals. As per the complaint a fraudulent trade was executed by
selling a call option by using the user ID and password provided to one of the complainant’s
client. An interesting aspect was that this call option was the most inactive for trading purposes
and no trade had taken place except for the fraudulent trade.

The said call option was compulsorily exercised by the exchange thus resulting in a loss of INR
0.05 million to the complainant and wrongful gain to the culprits.

Investigation: The stock exchange provided the details of the trade log for call option of buyer
and seller. The user ID that was used to book the order could be traced from the information
provided. Some of the information that was provided was:

Date - Buy Client Name/Address

• Trade Number - Sell Member Code
• Trade Time - Sell Trading Member Name
• Trade Quantity - Sell Client Code/Name/Address
• Buy Time - Buy Order Number
• Buy Name - Sell Order Number
• Buy Client Code
The complainant’s client was examined who stated that they had not executed this trade. The
data of the computer installed at their premises was scrutinized for system error log, access log,
event log and broadcast server log. The analysis of the logs revealed that the computer system of
the client was not logged during the days when the fraudulent trades were executed. The
configuration indicated that for executing the transaction through the internet, access to the
network was imperative. Such access was authorized by the firewall installed at the network of
the complainant.

Page | 15
The firewall (which generated the log details) provided the IP address used to logon to the
system to execute the transaction. The firewall details as well as the server of the complainant
were taken to the police computer lab and analyzed using forensic tools. The transactions logs
could not be recovered from the firewall server as the same was designed to be emailed to a
specific email ID. However, the information collected from a securities firm revealed the details
of an account through which the fraudulent transaction was executed.

The ownership details and logs for the email ID were collected from a web host company and
were found to be belonging to the very person who had designed the firewall for the complainant
company. Thereafter, the mobile phone details of the accused were collected which revealed that
he was in contact with the co-accused (the person who had designed the firewall for the
complainant company). This gave the first indication that a conspiracy existed between the
accused persons.

Based on this information simultaneous raids were conducted and the accused were arrested. The
interrogation of the accused revealed the modus operandi on how the fraudulent transaction had
been executed. The accused had provided the copy of the programme (which had access, firewall
file, password and other details that were required for configuring the computer system) to the
co-accused.
The Central Processing Unit was configured by the co-accused and the same was taken to cyber
cafe and on the pretext of downloading software. The accused downloaded the software from the
attachment in his e-mail account and executed the transaction by installing the software on the
computer.

Current status: Under investigation, the accused are in judicial custody.

7. Fake Travel Agent

Background: The accused in this case was posing to be a genuine railway ticket agent and had
been purchasing tickets online by using stolen credit cards of non residents. The accused created
fraudulent electronic records/ profiles, which he used to carry out the transactions.

The tickets so purchased were sold for cash to other passengers. Such events occurred for a
period of about four months.

Page | 16
The online ticket booking service provider took notice of this and lodged a complaint with the
cyber crime investigation cell.

Investigation: The service provider gave the IP addresses, which were used for the fraudulent
online bookings, to the investigating team. IP addresses were traced to cyber cafes in two
locations.

The investigating team visited the cyber cafés but was not able to get the desired logs as they
were not maintained by the cyber café owners. The investigating team was able to short list the
persons present at cyber cafes when the bookings were made. The respective owners of the cyber
cafes were able to identify two persons who would regularly book railway tickets.

The investigating team then examined the passengers who had travelled on these tickets. They
stated that they had received the tickets from the accused and identified the delivery boy who
delivered the tickets to them. On the basis of this evidence the investigating team arrested two
persons who were identified in an identification parade.

Current status: The charge sheet has been submitted in the court.

8. Illegal Data Mining

The owner of Snipermail, a business that distributes advertisements via the Internet to e-mail
addresses on behalf of advertisers or their brokers was indicted for conspiracy, unauthorized
access of a protected computer, access device fraud, money laundering and obstruction of justice.

It was alleged that Scott Levine and other Snipermail employees illegally accessed a computer
database owned and operated by Acxiom Corporation, a company that stores, processes, and
manages personal, financial, and corporate data on behalf of its clients. On numerous occasions,
Levine and others illegally entered into an Acxiom file transfer protocol (ftp) server and
downloaded significant amounts of data. The intrusions were traced back to an internet protocol
address that belonged to one of Snipermail’s computers. The downloading of the databases lasted
for period of a year and a half and represented 8.2 gigabytes of data. While the stolen data
contained personal information about a great number of individuals and could have resulted in
tremendous loss if the information were used in a fraudulent way, there was no evidence to date
that any of the data was misused in this way. Acxiom, immediately notified law enforcement

Page | 17
upon discovery of intrusions into its system and assisted with the investigation which was
conducted by a task force formed the Federal Bureau of Investigation (FBI) and the United
States Secret Service (USSS).

9. Brute force

In cryptography, a brute force attack or exhaustive key search is a strategy that can in theory be
used against any encrypted data by an attacker who is unable to take advantage of any weakness
in an encryption system that would otherwise make his task easier. It involves systematically
checking all possible keys until the correct key is found. In the worst case, this would involve
traversing the entire search space.

Hackers used brute force password cracking program to break into the district’s computers and
initiated a batch of bogus transfers out of the school’s payroll account. The transfers were kept
below $10,000 to avoid the anti-money laundering reporting requirements. The hackers had
almost 20 accomplices they had hired through work at home job scams. Over $100,000 was
successfully removed from the account. Two days later a school employee noticed the bogus
payments. Unfortunately, unlike consumers who typically have up to 60 days from the receipt of
a monthly statement to dispute any unauthorized charges, organizations and companies have
roughly two business days to spot and dispute unauthorized activity. This is because school
organizations that bank online fall under the Uniform Commercial Code. Due to this law, the
district was able to get less than $20,000 of the transfers reversed.

10. Shoulder Surfing: District Data Breach

A Washington State man has been sentenced to 10 years in prison after pleading guilty to 31
counts of criminal activity, most related to a school district data breach. Christopher Berge, now
21, was a student at Mountain View High School in Evergreen Public Schools when he
"shoulder surfed"--physically observed--a password used by a district employee.

Berge later used the password to gain access to the district's student information system, hosted
by the Washington School Information Processing Cooperative (WSIPC). From there, he was
able to gain access to the payroll data of another district in the state, Vancouver Public Schools.

Page | 18
That data included bank account information, Social Security numbers, and birthdates of 5,000
current and former school district employees, according to documents posted on the Vancouver
district's Web site.

Berge attempted to use those details to alter bank account information, create checks, and request
and use credit cards. He also attempted to change payroll information within the system but was
unsuccessful in those efforts. Berge was arrested in November 2009, according to local
newspaper coverage, after attempting to use one of the fake checks at a local store.

The Vancouver district put fraud prevention and resolution services in place for those affected.
The cost of those measures--$62,000--was subsequently reimbursed by the cooperative. WSIPC
provides IT services to 290 districts and schools in Washington.

The superintendent of the Vancouver district, Steve Webb, asserted in a letter to the community
that the district also suffered "damage to our reputation with the public and our employees.
Hundreds of hours were spent investigating the extent of the compromised data and developing
the plans and procedures to protect staff from further exposure to fraud.... District staff also spent
countless hours working with financial institutions, answering employee questions, and
preparing internal and external communications. It is impossible to measure lost productivity as
employees worried about their financial security and worked to change bank account and payroll
information."

Page | 19
CLASSIFICATION OF EFFECTS OF CYBER CRIME

The subject of cyber crime may be broadly classified under the following three groups. They are-

1. Against Individuals

a. Their person &

b. their property of an individual

2. Against Organization

a. Government
b. Firm, Company, Group of Individuals.

3. Against Society at large

The following are the crimes, which can be committed against the followings group

Against Individuals: –

I. Harassment via e-mails.

II. Cyber-stalking.

III. Dissemination of obscene material.

IV. Defamation.

V. Unauthorized control/access over computer system.

VI. Indecent exposure

VII. Email spoofing Cheating & Fraud

Against Individual Property: -

I. Computer vandalism.

II. Transmitting virus.

III. Netrespass

IV. Unauthorized control/access over computer system.

Page | 20
 V. Intellectual Property crimes

VI. Internet time thefts

Against Organization: -

I. Unauthorized control/access over computer system

II. Possession of unauthorized information.

III. Cyber terrorism against the government organization.

IV. Distribution of pirated software etc.

Against Society at large: -

I. Pornography (basically child pornography).

II. Polluting the youth through indecent exposure.

III. Trafficking

IV. Financial crimes

V. Sale of illegal articles

VI. Online gambling

VII. Forgery

The above mentioned offences discussed in brief as follows:

1. Harassment via e-mails-

Harassment through e-mails is not a new concept. It is very similar to harassing through letters.
Recently I had received a mail from a lady wherein she complained about the same. Her former
boy friend was sending her mails constantly sometimes emotionally blackmailing her and also
threatening her. This is a very common type of harassment via e-mails.

2. Cyber-stalking-

The Oxford dictionary defines stalking as "pursuing stealthily". Cyber stalking involves
following a person's movements across the Internet by posting messages (sometimes threatening)

Page | 21
on the bulletin boards frequented by the victim, entering the chat-rooms frequented by the
victim, constantly bombarding the victim with emails etc.

3. Dissemination of obscene material/ Indecent exposure/ Pornography (basically child

pornography) / Polluting through indecent exposure-

Pornography on the net may take various forms. It may include the hosting of web site
containing these prohibited materials. Use of computers for producing these obscene materials.
Downloading through the Internet, obscene materials. These obscene matters may cause harm to
the mind of the adolescent and tend to deprave or corrupt their mind. Two known cases of
pornography are the Delhi Bal Bharati case and the Bombay case wherein two Swiss couple
used to force the slum children for obscene photographs. The Mumbai police later arrested them.

4. Defamation

It is an act of imputing any person with intent to lower the person in the estimation of the right-
thinking members of society generally or to cause him to be shunned or avoided or to expose
him to hatred, contempt or ridicule. Cyber defamation is not different from conventional
defamation except the involvement of a virtual medium. E.g. the mail account of Rohit was
hacked and some mails were sent from his account to some of his batch mates regarding his
affair with a girl with intent to defame him.

5. Unauthorized control/access over computer system-

This activity is commonly referred to as hacking. The Indian law has however given a different
connotation to the term hacking, so we will not use the term "unauthorized access"
interchangeably with the term "hacking" to prevent confusion as the term used in the Act of 2000
is much wider than hacking.

6. E mail spoofing-

A spoofed e-mail may be said to be one, which misrepresents its origin. It shows it's origin to be
different from which actually it originates. Recently spoofed mails were sent on the name of Mr.
Na.Vijayashankar (naavi.org), which contained virus.

Rajesh Manyar, a graduate student at Purdue University in Indiana, was arrested for threatening
to detonate a nuclear device in the college campus. The alleged e- mail was sent from the

Page | 22
account of another student to the vice president for student services. However the mail was
traced to be sent from the account of Rajesh Manyar.

7. Computer vandalism-

Vandalism means deliberately destroying or damaging property of another. Thus computer

vandalism may include within its purview any kind of physical harm done to the computer of any
person. These acts may take the form of the theft of a computer, some part of a computer or a
peripheral attached to the computer or by physically damaging a computer or its peripherals.

8. Intellectual Property crimes / Distribution of pirated software-

Intellectual property consists of a bundle of rights. Any unlawful act by which the owner is
deprived completely or partially of his rights is an offence. The common form of IPR violation
may be said to be software piracy, copyright infringement, trademark and service mark violation,
theft of computer source code, etc.

The Hyderabad Court has in a land mark judgement has convicted three people and sentenced
them to six months imprisonment and fine of 50,000 each for unauthorized copying and sell of
pirated software.

9. Cyber terrorism against the government organization

At this juncture a necessity may be felt that what is the need to distinguish between cyber
terrorism and cyber crime. Both are criminal acts. However there is a compelling need to
distinguish between both these crimes. A cyber crime is generally a domestic issue, which may
have international consequences, however cyber terrorism is a global concern, which has
domestic as well as international consequences. The common form of these terrorist attacks on
the Internet is by distributed denial of service attacks, hate websites and hate emails, attacks on
sensitive computer networks, etc. Technology savvy terrorists are using 512-bit encryption,
which is next to impossible to decrypt. The recent example may be cited of – Osama Bin Laden,
the LTTE, attack on America’s army deployment system during Iraq war.

Cyber terrorism may be defined to be “ the premeditated use of disruptive activities, or the threat
thereof, in cyber space, with the intention to further social, ideological, religious, political or
similar objectives, or to intimidate any person in furtherance of such objectives”

Another definition may be attempted to cover within its ambit every act of cyber terrorism.
Page | 23
A terrorist means a person who indulges in wanton killing of persons or in violence or in
disruption of services or means of communications essential to the community or in damaging
property with the view to –

(1) Putting the public or any section of the public in fear; or

(2) Affecting adversely the harmony between different religious, racial, language or
regional groups or castes or communities; or

(3) Coercing or overawing the government established by law; or

(4) Endangering the sovereignty and integrity of the nation

A cyber terrorist is the person who uses the computer system as a means or ends to achieve the
above objectives. Every act done in pursuance thereof is an act of cyber terrorism.

11. Trafficking

Trafficking may assume different forms. It may be trafficking in drugs, human beings, arms
weapons etc. These forms of trafficking are going unchecked because they are carried on under
pseudonyms. A racket was busted in Chennai where drugs were being sold under the pseudonym
of honey.

12. Fraud & Cheating

Online fraud and cheating is one of the most lucrative businesses that are growing today in the
cyber space. It may assume different forms. Some of the cases of online fraud and cheating that
have come to light are those pertaining to credit card crimes, contractual crimes, offering jobs,
etc.

Recently the Court of Metropolitan Magistrate Delhi found guilty a 24-year-old engineer
working in a call centre, of fraudulently gaining the details of Campa's credit card and bought a
television and a cordless phone from Sony website. Metropolitan magistrate Gulshan Kumar
convicted Azim for cheating under IPC, but did not send him to jail. Instead, Azim was asked to
furnish a personal bond of Rs 20,000, and was released on a year's probation.

Page | 24
STATUTORY PROVISIONS

The Indian parliament considered it necessary to give effect to the resolution by which
the General Assembly adopted Model Law on Electronic Commerce adopted by the United
Nations Commission on Trade Law. As a consequence of which the Information Technology Act
2000 was passed and enforced on 17th May 2000. the preamble of this Act states its objective to
legalise e-commerce and further amend the Indian Penal Code 1860, the Indian Evidence Act
1872, the Banker’s Book Evidence Act1891 and the Reserve Bank of India Act 1934. The
basic purpose to incorporate the changes in these Acts is to make them compatible with the Act
of 2000. So that they may regulate and control the affairs of the cyber world in an effective
manner.

The Information Technology Act deals with the various cyber crimes in chapters IX &
XI. The important sections are Ss. 43,65,66,67. Section 43 in particular deals with the
unauthorised access, unauthorised downloading, virus attacks or any contaminant, causes
damage, disruption, denial of access, interference with the service availed by a person. This
section provide for a fine up to Rs. 1 Crore by way of remedy. Section 65 deals with ‘tampering
with computer source documents’ and provides for imprisonment up to 3 years or fine, which
may extend up to 2 years or both. Section 66 deals with ‘hacking with computer system’ and
provides for imprisonment up to 3 years or fine, which may extend up to 2 years or both. Further
section 67 deals with publication of obscene material and provides for imprisonment up to a term
of 10 years and also with fine up to Rs. 2 lakhs.

Page | 25
THE ACCESS AND SECURITY TRADE-OFF

Today, extending access to applications for the users who need them is no longer a "nice to
have" - but a key determinant of who will win and who will lose. Legacy applications and
databases, for example, contain invaluable customer information and provide a great resource for
partners and other trusted third parties; email and other messaging applications are indispensable
for seemingly instantaneous communication; and 'emerging' applications, such as audio and
video conferencing, are now the critical enabler of 'real-time business,' resulting in huge gains in
both productivity and profitability. Facilitating the rollout and accessibility of these applications,
IP networks - both private and public, wired and wireless - make access to applications possible
for any user from any corner of the globe. Why, then, are CIOs constantly refereeing a tug-of-
war between the lines of business who want to realize the value of their applications by
extending them to the users who need them and the network administrators who want to insulate
their network from attack by increasingly limiting access for untrusted third parties?

What is driving this zero sum game where any access gained by the business results in a
corresponding decrease in network security? The answer lies in the use of network security to
deploy applications. That is, network security, which by its design disrupts and limits
connectivity between networks, is also used to enable connectivity. These products - while
critical for protecting the physical network - were not intended to protect and extend applications
and consequently using them to deploy applications inevitably results in the access and security
trade off.

The solution, however, is not to increase the IT budget to buy more point solutions or deploy an
army of network administrators to provide the highly-oxymoronic 'brute force flexibility,' but to
deploy a new conceptual network called the Application Network. The Application Network is a
logical network that overlays the physical IP network and leverages its communications
infrastructure while not undermining its physical security. The Application Network also
underlies the applications that need the physical network for connectivity, providing robust and
extensible application-layer security. When deployed, the Application Networks allow
enterprises to use the applications their businesses require and securely extend those to the users

Page | 26
who need them - while taking advantage of, not compromising, the network security
infrastructure.

A Little History

Thirty years have passed since the U.S. Defense Advanced Research Projects Agency (DARPA)
initiated the project to determine a method of linking together many disparate packet networks to
enable cross-network communication. According to history, the initiative was referred to as the
Internetworking project and the resulting mesh of linked packet networks was called the Internet.
The Internet at that time was an aggregation of packet networks funded and hosted by
government and educational enterprises throughout the United States. Enabling this inter-
communication was the development of the Internet Protocol (IP), which defined how data
packets are routed across the various networks. Until the 1980's the Internet was a combination
of public networks that allowed primarily academic and government to communicate freely and
openly. Applications utilizing the TCP/IP protocol suite could be extended to users with routable
IP addresses, a requirement of the early Internet. Soon, however, and by design, the Internet and
its obvious business benefits began to get the attention of commercial enterprises as well as
foreign governments and soon these organizations began to adhere to the IP protocol and connect
their local networks to this public communications infrastructure. Now, users were diverse,
unknown and not necessarily trusted while the information accessible was no longer academic,
but sensitive business and governmental intelligence. Network security was born.

The Purpose of Network Security

Necessity certainly bred invention with the advent of network security. At a very high level,
organizations needed to protect their physical networks from this 'untrusted' Internet and were
eager to find solutions that allowed them limited access to the public networks while insulating
their networks from potential attack and information theft. Answering this demand, firewalls
were developed to protect the physical network. Firewalls, often utilizing Network Address
Translation (NAT) for non-routable addresses that are hidden from the outside,were designed to
limit network access by breaking the two fundamental rules of IP routing - that is that all
network nodes must know of other nodes and all addresses of devices must be known. From the

Page | 27
outset, the purpose of basic network security was to protect the physical network from attack by
limiting connectivity between the two networks.

Emergence of the Security and Access Trade Off

The unfortunate downside of physical security that limits connectivity for untrusted users is that
it also limits connectivity for trusted users. To provide access for trusted users,network
administrators were forced to start 'fixing' the networking rules broken by the physical security
as required by the users and the access they required. Opening holes in the perimeter security,
however, to allow ingress and egress is exactly that: opening holes. Network administrators
quickly realized that the amount of access granted to users was inversely proportional to the
security of their network. A seemingly zero sum game, this network security and application
access trade off is now a common dilemma within organizations large and small, domestic and
international.

Page | 28
PREVENTION OF CYBER CRIME

Prevention is always better than cure. It is always better to take certain precaution while
operating the net. A should make them his part of cyber life. Saileshkumar Zarkar, technical
advisor and network security consultant to the Mumbai Police Cyber crime Cell, advocates the
5P mantra for online security: Precaution, Prevention, Protection, Preservation and
Perseverance. A netizen should keep in mind the following things-

1. To prevent cyber stalking avoid disclosing any information pertaining to oneself. This is
as good as disclosing your identity to strangers in public place.

2. Always avoid sending any photograph online particularly to strangers and chat friends as
there have been incidents of misuse of the photographs.

3. Always use latest and updated antivirus software to guard against virus attacks.

4. Always keep back up volumes so that one may not suffer data loss in case of virus
contamination

5. Never send your credit card number to any site that is not secured, to guard against
frauds.

6. Always keep a watch on the sites that your children are accessing to prevent any kind of
harassment or depravation in children.

7. It is better to use a security programme that gives control over the cookies and send
information back to the site as leaving the cookies unguarded might prove fatal.

8. Web site owners should watch traffic and check any irregularity on the site. Putting host-
based intrusion detection devices on servers may do this.

9. Use of firewalls may be beneficial.

10. Web servers running public sites must be physically separate protected from internal
corporate network.

Adjudication of a Cyber Crime - On the directions of the Bombay High Court the Central
Government has by a notification dated 25.03.03 has decided that the Secretary to the

Page | 29
Information Technology Department in each state by designation would be appointed as the AO
for each state.

CONCLUSION

Capacity of human mind is unfathomable. It is not possible to eliminate cyber crime from
the cyber space. It is quite possible to check them. History is the witness that no legislation has
succeeded in totally eliminating crime from the globe. The only possible step is to make people
aware of their rights and duties (to report crime as a collective duty towards the society) and
further making the application of the laws more stringent to check crime. Undoubtedly the Act is
a historical step in the cyber world. Further we all together do not deny that there is a need to
bring changes in the Information Technology Act to make it more effective to combat cyber
crime. We would conclude with a word of caution for the pro-legislation school that it should be
kept in mind that the provisions of the cyber law are not made so stringent that it may retard the
growth of the industry and prove to be counter-productive.

Page | 30
References/Bibliography

1) www.cyberlawsindia.net

2) www.crime-research.org/

3) Cyber-crime: the challenge in Asia - By Roderic G. Broadhurst, Peter N. Grabosky

4) www.cyberlawclinic.org/casestudy.asp

5) http://thejournal.com/articles/2010/04/13/district-data-breach-leads-to-prison-time.aspx

6) http://en.wikibooks.org/wiki/Information_Security_in_Education/Case_Studies

7) http://www.spamlaws.com/

8) http://cybercrime.planetindia.net/application_security.htm

9) http://www.naavi.org/pati/pati_cybercrimes_dec03.htm

Page | 31