4.1 Security Threats — Cybercrime, Fraud, Spoofing, Sniffing, DoS

Lesson 18 of 21 in the free E-Commerce notes on Siksha Sarovar, written by Rohit Jangra.

4.1 Security Threats in E-Commerce

E-commerce sites are prime targets for cyberattackers because they handle:

  • Money (credit cards, bank credentials)
  • Personal data (name, address, phone)
  • Trust signals (login credentials, OTPs)

The CIA Triad — security goals

Every e-commerce security mechanism aims at one of three goals (the CIA Triad):

| Goal | Meaning | Example Attack |
| --- | --- | --- |
| Confidentiality | Data stays private | Eavesdropping, sniffing |
| Integrity | Data not altered in transit | Man-in-the-middle, tampering |
| Availability | System stays accessible | DoS / DDoS |

Plus three more (the Extended Triad for commerce):

| Goal | Meaning | Example Attack |
| --- | --- | --- |
| Authenticity | Sender / receiver verified | Spoofing, phishing |
| Authorisation | Acting party has permission | Privilege escalation |
| Non-repudiation | Sender cannot deny later | Forged signatures |

---

Categories of Security Threats

| Category | Examples |
| --- | --- |
| Cybercrimes | Hacking, malware, ransomware |
| Fraud | Credit card fraud, identity theft, phishing |
| Network attacks | Spoofing, sniffing, DoS, DDoS, MITM |
| Application attacks | SQL injection, XSS, CSRF |
| Insider threats | Malicious employees, accidental leaks |
| Physical | Theft of hardware, device loss |

---

1. Cybercrimes — broad category

Any criminal activity involving a computer or network. Includes:

| Crime | Description | Indian Law |
| --- | --- | --- |
| Hacking | Unauthorised access | IT Act 2000 §66 (3-year imprisonment, ₹5 lakh fine) |
| Identity theft | Stealing identity for fraud | §66C |
| Cyberstalking | Repeated harassment online | §354D IPC |
| Cyberterrorism | Attacks on critical infra | §66F (life imprisonment) |
| Data theft | Stealing data | §66B |
| Defamation | False online statements | §499 IPC |
| Obscene content | Distributing obscene material | §67 IT Act |
| Phishing | Fake login pages to steal credentials | §66D |
| Online gambling | Illegal in most states | State acts |

Famous Indian cybercrime cases

  • AIIMS Delhi ransomware (2022) — 15 days outage, allegedly Chinese-origin
  • Maharashtra eSeva fraud (2018) — ₹76 crore stolen via fake portals
  • Cosmos Bank heist (2018) — ₹94 crore lost in coordinated ATM withdrawals globally
  • Mumbai Westside fraud (2016) — Hong Kong-based attackers cleared ₹100 crore

---

2. Credit Card Fraud / Theft

Common credit card frauds

| Fraud | Description |
| --- | --- |
| Skimming | Device on ATM/POS captures magnetic stripe |
| Phishing | Fake bank email asks for CVV / OTP |
| Vishing | Phone call impersonating bank |
| Smishing | SMS phishing |
| Card cloning | Magnetic stripe data copied to fake card |
| Card-Not-Present (CNP) fraud | Stolen card details used online |
| Account takeover | Login credentials hijacked → cards added |
| Friendly fraud | Customer disputes legit transaction (chargeback abuse) |
| Application fraud | Fake application with stolen identity |
| First-party fraud | Customer never intended to pay |

Mitigation

  • EMV chip — replaces magnetic stripe (cloning much harder)
  • 3D Secure / OTP — for online transactions
  • CVV — never store at merchant (PCI-DSS)
  • Tokenisation — actual card never seen by merchant
  • Fraud detection ML — pattern recognition (unusual location, amount)
  • Velocity checks — too many txns in short time → flag
  • Geolocation — txn from unusual country → flag
  • Device fingerprinting — track device characteristics
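The velocity, geolocation and unusual-amount checks from the mitigation list above, as an added example (not code from Siksha Sarovar or any payment provider). The transactions, the thresholds and the single "home country" for every card are constructed assumptions:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample card transactions (not real data):
# (card_id, ISO-8601 timestamp, amount in INR, country of the transaction)
TRANSACTIONS = [
    ("card-A", "2024-03-01T10:00:00", 1200.0, "IN"),
    ("card-A", "2024-03-01T10:01:30", 950.0, "IN"),
    ("card-A", "2024-03-01T10:02:10", 4000.0, "IN"),
    ("card-A", "2024-03-01T10:02:45", 2500.0, "IN"),   # 4th txn within 5 minutes
    ("card-B", "2024-03-01T11:00:00", 800.0, "IN"),
    ("card-B", "2024-03-01T11:20:00", 15000.0, "RO"),  # unusual country and amount
    ("card-C", "2024-03-01T12:00:00", 500.0, "IN"),
]

# Assumed thresholds; a real issuer tunes these per card and per merchant category.
VELOCITY_WINDOW = timedelta(minutes=5)
VELOCITY_LIMIT = 3        # more than this many txns inside the window -> flag
AMOUNT_MULTIPLIER = 5.0   # amount above 5x the card's running average -> flag

def score_transactions(txns, home_country="IN"):
    """Return one (card_id, timestamp, reasons) tuple per transaction; reasons lists
    the rules that fired, and an empty list means all three checks passed."""
    recent = defaultdict(deque)              # card_id -> timestamps inside the window
    totals = defaultdict(lambda: [0.0, 0])   # card_id -> [sum of amounts, count]
    results = []
    for card, ts, amount, country in txns:
        t = datetime.fromisoformat(ts)
        reasons = []
        # Velocity check: slide the window forward, then count what is left in it.
        window = recent[card]
        while window and t - window[0] > VELOCITY_WINDOW:
            window.popleft()
        window.append(t)
        if len(window) > VELOCITY_LIMIT:
            reasons.append("velocity")
        # Geolocation check: transaction country differs from the card's home country.
        if country != home_country:
            reasons.append("geolocation")
        # Amount check: compare against this card's running average so far.
        total, count = totals[card]
        if count and amount > AMOUNT_MULTIPLIER * (total / count):
            reasons.append("amount")
        totals[card][0] += amount
        totals[card][1] += 1
        results.append((card, ts, reasons))
    return results

def flagged(txns, home_country="IN"):
    """Only the transactions that should go to manual review or step-up auth (OTP)."""
    return [r for r in score_transactions(txns, home_country) if r[2]]

if __name__ == "__main__":
    for card, ts, reasons in flagged(TRANSACTIONS):
        print(card, ts, "->", ", ".join(reasons))
```

A flagged transaction is not declined outright here; in practice the flag triggers 3D Secure / OTP step-up or a manual review, which keeps false positives cheap.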

---

3. Identity Fraud

Identity fraud = unauthorised use of someone's personal information for criminal/financial gain.

Common identity fraud techniques

| Technique | How it Works |
| --- | --- |
| Phishing | Email with fake login page |
| Vishing | Phone call asking for OTP |
| Smishing | SMS phishing |
| Pharming | DNS poisoning redirects to fake site |
| Data breach | Stolen credentials from compromised DB |
| Social engineering | Trick employee into revealing info |
| Dumpster diving | Discarded documents with PII |
| Aadhaar misuse | Linked-account takeover |

Defences

  • Multi-factor authentication
  • Email/SMS alerts on changes
  • Credit freeze (available in the US; not readily available in India)
  • CIBIL alerts for new credit applications
  • Don't share OTPs (banks never ask)

---

4. Spoofing

Spoofing = pretending to be someone you're not.

| Type | Description |
| --- | --- |
| Email spoofing | Forge "From" header |
| IP spoofing | Forge source IP address in packets |
| MAC spoofing | Forge hardware address |
| DNS spoofing / DNS poisoning | Redirect domain to attacker's server |
| Caller ID spoofing | Show wrong number on caller display |
| Website spoofing | Fake site mimicking real (HDFC.com vs HDFCBank.com) |
| GPS spoofing | Fake GPS coordinates |
| ARP spoofing | Send fake ARP messages on local network |

Defences

  • DNS over HTTPS / DNSSEC
  • Email auth (SPF, DKIM, DMARC)
  • VPN
  • URL inspection before clicking
  • Multi-factor auth
  • HTTPS everywhere

---

5. Sniffing

Sniffing (also eavesdropping, packet capture) = intercepting network traffic to read its contents.

Types

Sniffing comes in several flavours. Passive sniffing works on legacy hub-based networks where every packet is broadcast to every device — the sniffer just listens, no manipulation needed. Active sniffing is the modern variant: on switched networks (where each port gets only its own traffic), the attacker uses ARP poisoning to trick neighbouring devices into routing through the attacker. Wireless sniffing captures Wi-Fi packets out of the air — easier on open or WEP networks, much harder on WPA2/3. MITM (Man-in-the-Middle) is the active form of sniffing where the attacker positions themselves between two parties, reads everything, and can also tamper with messages. SSL stripping is a particularly nasty MITM technique where the attacker downgrades an HTTPS connection to plain HTTP and the victim's browser, if not configured strictly, may not notice.

Tools (used by both attackers and pen-testers)

  • Wireshark — packet analysis
  • tcpdump — command-line packet capture
  • Ettercap — MITM toolkit
  • Bettercap — modern MITM tool

Defences

  • HTTPS — encrypts traffic (more in next lesson)
  • VPN — encrypts everything in tunnel
  • WPA2/3 WiFi — strong wireless encryption
  • Avoid public WiFi for sensitive transactions
  • Certificate pinning in apps

---

6. DoS and DDoS Attacks

DoS (Denial of Service) = make a system unavailable to legitimate users. DDoS (Distributed DoS) = many machines flood the target simultaneously.

Types

DoS/DDoS attacks fall into four broad categories. Volumetric attacks simply flood the target's bandwidth so legitimate traffic cannot reach it — UDP floods and ICMP floods are textbook examples; they are measured in Gbps or Tbps. Protocol attacks target the server's finite resources for protocol state — the classic SYN flood opens half-open TCP connections faster than the server can close them; "Ping of Death" used malformed ICMP packets to crash older stacks. Application-layer attacks look like legitimate traffic but are designed to exhaust application threads — Slowloris holds HTTP connections open by sending headers very slowly; HTTP flood pounds expensive endpoints (search, login) until the app server saturates. Amplification attacks are the most cost-efficient for attackers: a small spoofed request to a public service (DNS, NTP, memcached) generates a much larger response that gets directed at the victim — a 1 Gbps attacker can produce 50–500 Gbps of inbound flood.

Famous DDoS incidents

| Year | Target | Magnitude |
| --- | --- | --- |
| 2016 | Dyn DNS | Took down Twitter, Netflix, Spotify; ~1 Tbps |
| 2018 | GitHub | 1.35 Tbps (memcached amplification) |
| 2020 | AWS | 2.3 Tbps |
| 2022 | Google Cloud | 46 million RPS |
| 2023 | Cloudflare | 71 million RPS |

Defences

| Defence | How it Helps |
| --- | --- |
| CDN / Anti-DDoS service | Cloudflare, AWS Shield, Akamai filter at edge |
| Rate limiting | Cap requests per IP/user |
| CAPTCHA | Differentiate human vs bot |
| Geoblocking | Block traffic from regions you don't serve |
| Load balancing + auto-scaling | Absorb the load |
| DDoS scrubbing | Specialised filtering services |
| BGP blackhole | Drop attacker's IP at ISP level |
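Rate limiting from the defence table above, as an added example that is not part of the original notes. It assumes Apache/nginx combined-format access-log lines and a token bucket per client IP; the sample lines are constructed, with one ordinary visitor and one source firing 30 search requests in a single second (an application-layer HTTP flood in miniature):

```python
import re
from datetime import datetime

# Regex for the Apache/nginx "combined" log format (assumed format of the sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed access-log lines (not from a real server): one visitor browsing
# three product pages, and one source sending 30 search requests in one second.
NORMAL = [
    f'203.0.113.7 - - [01/Mar/2024:10:00:{s:02d} +0000] "GET /product/{s} HTTP/1.1" 200 2048'
    for s in range(3)
]
FLOOD = [
    f'198.51.100.4 - - [01/Mar/2024:10:00:00 +0000] "GET /search?q={i} HTTP/1.1" 200 512'
    for i in range(30)
]
SAMPLE_LOG = NORMAL + FLOOD

def parse_line(line):
    """Return (ip, unix_time, path), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.timestamp(), m.group("path")

class TokenBucketLimiter:
    """Per-IP token bucket: burst up to `capacity`, then `refill_per_sec` sustained."""
    def __init__(self, capacity=10, refill_per_sec=2.0):
        self.capacity = capacity
        self.rate = refill_per_sec
        self.buckets = {}  # ip -> (tokens, last_seen_time)

    def allow(self, ip, now):
        tokens, last = self.buckets.get(ip, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1:
            self.buckets[ip] = (tokens - 1, now)
            return True
        self.buckets[ip] = (tokens, now)  # empty bucket: reject (HTTP 429)
        return False

def apply_rate_limit(lines, capacity=10, refill_per_sec=2.0):
    """Replay log lines through the limiter; return ip -> (allowed, blocked)."""
    limiter = TokenBucketLimiter(capacity, refill_per_sec)
    verdicts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip instead of crashing the collector
        ip, t, _path = parsed
        allowed, blocked = verdicts.get(ip, (0, 0))
        if limiter.allow(ip, t):
            verdicts[ip] = (allowed + 1, blocked)
        else:
            verdicts[ip] = (allowed, blocked + 1)
    return verdicts

def flooding_sources(verdicts):
    """IPs that hit the limit at all: candidates for a CDN/firewall block rule."""
    return sorted(ip for ip, (_, blocked) in verdicts.items() if blocked)
```

Per-IP limiting only helps against a single or small set of sources; a true DDoS from thousands of addresses needs the edge-filtering and scrubbing services in the table, with per-IP limits as the last layer.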

---

7. Social Engineering

The human element — tricking people instead of breaking technology.

| Technique | Description |
| --- | --- |
| Phishing | Fake email with malicious link |
| Spear phishing | Targeted at specific person |
| Whaling | Targeted at executives |
| Pretexting | Pose as authority (HR, IT) |
| Baiting | USB drives in parking lot |
| Tailgating | Follow employee through secure door |
| Quid pro quo | "I'll help you in exchange for credentials" |

Famous social engineering attacks

  • Kevin Mitnick — pioneered the technique
  • Twitter hack 2020 — 130 high-profile accounts (Obama, Musk, Apple) compromised via social engineering of Twitter employees
  • Indian SIM-swap frauds — telecom employee tricked into porting victim's number

Defences

  • Security awareness training
  • Verify via second channel before acting on email
  • Don't trust authority claims in unsolicited contact
  • Banks don't ask for OTP (memorise this)
  • Look at full URL before entering credentials

---

8. Application-Layer Attacks

| Attack | Description | OWASP Top 10? |
| --- | --- | --- |
| SQL Injection | Inject SQL via input fields | #3 (2021) |
| XSS (Cross-Site Scripting) | Inject JS into pages others view | #3 (2021) Injection |
| CSRF (Cross-Site Request Forgery) | Trick user into unwanted action on logged-in site | #5 |
| Insecure Deserialization | Exploit unsafe input parsing | #8 |
| Broken Access Control | Access pages/data you shouldn't | #1 |
| Sensitive Data Exposure | Expose data via misconfig | #2 (Crypto Failures) |
| XXE (XML External Entities) | Exploit XML parsers | Subset of #3 |
| SSRF (Server-Side Request Forgery) | Make server fetch attacker-controlled URL | #10 |

Famous app-attack incidents

  • Equifax (2017) — 147 million records via Apache Struts vulnerability
  • British Airways (2018) — JS supply-chain attack, 500K customers exposed
  • Magecart attacks (ongoing) — JS-injection on e-commerce sites siphons card data
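The SQL injection row above, shown as the vulnerable string-concatenation pattern beside its parameterised fix. This is an added example (not code from the notes or from any real shop) using an in-memory SQLite table with constructed rows; the point is that the same input is parsed as SQL by the first version and treated as plain data by the second:

```python
import sqlite3

def make_db():
    """In-memory SQLite database with two constructed user rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn

def find_user_vulnerable(conn, email):
    """The 'before' pattern: user input concatenated into the SQL text.

    Whatever the user types becomes part of the query grammar, so a quote
    character in the input changes what the query means."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, email):
    """The fix: a parameterised query (prepared statement).

    The SQL text is fixed; the driver binds the input as a value that the
    database never parses as SQL, so quotes in it are just characters."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]

def compare(conn, user_input):
    """Run the same input through both versions and report what each returned."""
    try:
        vulnerable = find_user_vulnerable(conn, user_input)
    except sqlite3.Error as exc:
        vulnerable = "error: " + type(exc).__name__
    return vulnerable, find_user_safe(conn, user_input)

if __name__ == "__main__":
    db = make_db()
    # A legitimate address: both versions agree.
    print(compare(db, "alice@example.com"))
    # An address containing an apostrophe: the concatenated query is now malformed SQL,
    # while the parameterised query simply finds no such user.
    print(compare(db, "o'brien@example.com"))
    # The textbook tautology input: the concatenated WHERE clause becomes always-true
    # and returns every row; the parameterised query still returns nothing.
    print(compare(db, "x' OR '1'='1"))
```

The apostrophe case is worth remembering in code review: a query that breaks on a legitimate name like O'Brien is the same defect as the injectable one, just observed through an error instead of a data leak.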

---

Key Terms — Lesson 4.1

Security has its own dense vocabulary. The terms below cover the threats catalogued in this lesson and the conceptual frameworks an examiner expects you to invoke.

CIA Triad — The classic information-security framework: Confidentiality (data stays private), Integrity (data is not altered), Availability (system stays usable). Every security control maps to one or more legs of the triad. The extended triad adds Authenticity (parties are who they claim to be), Authorisation (parties can do what they're attempting), and Non-repudiation (a sender cannot later deny their action).

Cybercrime — Any criminal activity that uses or targets a computer or network. In India, the IT Act 2000 (with 2008 amendments) is the primary statute, supplemented by the IPC for related offences. Section 66 covers hacking and data theft; 66C identity theft; 66D phishing; 66F cyberterrorism (life imprisonment); 67 obscene content.

Hacking — Unauthorised access to a computer or network. Section 66 of the IT Act prescribes up to 3 years' imprisonment and ₹5 lakh fine. "Ethical hacking" (penetration testing with the owner's consent) is legal and a recognised profession.

Identity Theft — Stealing someone's personal identifiers (Aadhaar number, PAN, bank credentials, OTP, biometric) and using them to commit fraud. Covered under Section 66C of the IT Act. Common in India through SIM-swap, phishing, fake KYC calls, and document misuse.

Phishing — Deceptive communication (usually email or a fake website) that impersonates a trusted entity to trick the victim into revealing credentials, OTPs, or card data. Variants include spear phishing (targeted at a specific individual), whaling (targeted at C-level executives), vishing (voice phishing — phone call), smishing (SMS phishing), and angler phishing (fake customer-support handles on social media).

Pharming — A more sophisticated cousin of phishing where the attacker poisons DNS (locally on the victim's device or upstream at the resolver) so that even typing the correct URL leads to a fake site. Pharming is harder to detect because the URL bar shows the legitimate domain.

Skimming — Physical capture of card data using a device illegally attached to an ATM card slot or a POS terminal. The skimmer reads the magnetic stripe; a tiny camera or PIN-pad overlay captures the PIN. EMV chip cards have largely killed traditional skimming, though "shimming" (chip-level skimmers) is the new variant.

Card-Not-Present (CNP) Fraud — Fraudulent use of stolen card data in an online context, where the physical card is not required. 3D Secure / OTP, tokenisation, and fraud-detection ML are the main defences.

Account Takeover (ATO) — When an attacker gains control of a user's e-commerce or banking account — through credential stuffing, phishing, SIM-swap, or password reuse — and then drains the linked payment method, redirects deliveries, or sells the account on the dark web.

Friendly Fraud / Chargeback Abuse — When a legitimate customer disputes a real transaction with their card issuer (claiming "I didn't authorise this" or "I didn't receive the goods"), pocketing both the product and the refund. Merchants fight friendly fraud with delivery proofs, signature capture, and chargeback-arbitration tools.

Spoofing — A class of attacks where the attacker forges identity information at some protocol level. Email spoofing forges the From header; IP spoofing forges source IP; DNS spoofing / poisoning redirects a domain to the attacker's server; website spoofing uses look-alike URLs (hdfcbank-secure.com); caller-ID spoofing displays a fake calling number; ARP spoofing is used inside MITM attacks on local networks.

Sniffing / Packet Capture — Intercepting network packets to read their contents. Passive sniffing just listens; active sniffing uses ARP poisoning or rogue access points. Tools include Wireshark, tcpdump, Ettercap, and Bettercap. The primary defence is end-to-end encryption (HTTPS, VPN).

Man-in-the-Middle (MITM) — An active interception attack where the attacker sits between the two communicating parties, reading and potentially modifying the traffic. MITM requires either compromised infrastructure (rogue Wi-Fi, ARP poisoning) or a successful spoofing primitive (DNS, IP). TLS certificate validation is the primary defence; certificate pinning hardens it further.

SSL Stripping — A MITM technique where the attacker downgrades the victim's intended HTTPS connection to plain HTTP, then forwards the (now visible) traffic to the real server over HTTPS. Modern browsers warn aggressively against HTTP-only sites for this reason; HSTS (HTTP Strict Transport Security) headers tell the browser "always HTTPS for this domain".

Denial of Service (DoS) — An attack that makes a system unavailable to legitimate users. DoS uses one machine; DDoS (Distributed DoS) uses thousands or millions, usually a botnet of compromised devices.

DDoS (Distributed DoS) — A coordinated DoS attack from many machines. Four main categories: volumetric (bandwidth flood), protocol (resource exhaustion — SYN flood, Ping of Death), application-layer (Slowloris, HTTP flood), and amplification (DNS, NTP, memcached reflection). The largest publicly disclosed DDoS attacks (Cloudflare 2023, Google 2022) have peaked at tens of millions of requests per second and 2+ Tbps.

Amplification / Reflection Attack — A DDoS technique where the attacker sends a small spoofed request (with the victim's IP as the source) to a public service (open DNS resolver, NTP server, memcached) that returns a much larger response — multiplying the attacker's bandwidth by 50× to 50,000×.

Social Engineering — Manipulating a human into performing an action or revealing information they should not. Variants include phishing, pretexting (pose as authority — "this is HR, share your password"), baiting (drop infected USB drives), tailgating (follow someone through a secure door), and quid pro quo ("I'll help you in exchange for your credentials"). Kevin Mitnick was the most famous practitioner; modern attacks frequently start with social engineering before any technical exploit.

SIM Swap Fraud — A growing Indian threat: the attacker uses social engineering (or an inside helper at the telecom) to get the victim's mobile number transferred to a SIM the attacker controls. Once they own the number, they receive every OTP — for banks, wallets, exchanges — and can drain accounts within hours.

SQL Injection (SQLi) — An application-level attack where the attacker injects malicious SQL fragments into an input that gets concatenated into a database query. Properly parameterised queries (prepared statements) eliminate this class of vulnerability. SQLi remains one of the OWASP Top 10 a quarter-century after it was first described, because so much new code still gets it wrong.

Cross-Site Scripting (XSS) — An attack where the attacker injects JavaScript into a page that gets executed in another user's browser — letting the attacker steal cookies, hijack sessions, or perform actions on the victim's behalf. Three sub-types: stored (script saved in DB), reflected (script in URL), and DOM-based (entirely client-side). The defence is consistent output encoding plus Content-Security-Policy headers.

Cross-Site Request Forgery (CSRF) — An attack that tricks a victim's browser into sending an authenticated request to a site they're logged into ("transfer ₹50,000 to attacker's account") without the victim's knowledge. The defence is CSRF tokens and SameSite cookies.

Broken Access Control — Number 1 on the OWASP Top 10 (2021): users can access data or actions they should not be allowed to — by guessing URLs, manipulating request IDs, or escalating privileges. The defence is enforcing authorisation on the server for every action, not just hiding UI elements on the client.

Insider Threat — A security risk originating from someone with legitimate access — a current employee, contractor, or former employee whose credentials still work. Insider threats can be malicious (deliberate data theft) or negligent (lost laptop, accidentally emailed file). Most data breaches involve some insider element, even if the attacker is external.

IT Act 2000 — India's primary statute governing electronic commerce and cybercrime. It legally recognises electronic records and digital signatures, sets the rules for intermediary liability, and codifies most cyber-offences (hacking, identity theft, phishing, cyberterrorism, obscene content). Amended in 2008 to address newer offences.

DPDP Act 2023 (Digital Personal Data Protection Act) — India's comprehensive data-protection law (enacted 2023). It defines the rights of Data Principals (citizens), obligations of Data Fiduciaries (companies processing data), the role of the Data Protection Board, and penalties of up to ₹250 crore for serious breaches. DPDP applies to anyone processing personal data of Indians, even from outside India.

---

Study deep

  1. The attack surface is huge. A typical e-commerce site has 100+ endpoints, dozens of third-party scripts, hundreds of vendors. Each is a potential attack vector. Security is layered, not absolute.
  2. Insider threats are underestimated. Most data breaches involve insider negligence or malice. Phishing of employees → external attack is the most common pattern.
  3. The cost of a breach is high. Average data breach cost: ~$4.5 million globally; lower in India (~₹13 crore) but rising. Brand damage, customer churn, regulatory fines (GDPR up to 4% of global revenue) add to it.
  4. Compliance is necessary but not sufficient. PCI-DSS, ISO 27001, SOC 2 — compliance doesn't equal security. Many breached companies were compliant on paper.
  5. Security is a shared responsibility. Customer ↔ Merchant ↔ Payment gateway ↔ Card network. Each must do their part. RBI's 2-factor auth mandate, PCI-DSS for merchants, EMV for cards — all cooperative layers.

PYQ pattern (very common): "Discuss security threats in e-commerce." — Categorise (cybercrime, fraud, network, app, insider); list 6-8 specific threats (phishing, spoofing, sniffing, DoS, MITM, identity theft, SQL injection, social engineering); explain 2-3 with examples.

PYQ pattern: "What is DoS / DDoS attack? Explain its types and defences." — Define DoS vs DDoS; 4 types (volumetric, protocol, app-layer, amplification); 5 defences (CDN, rate-limit, CAPTCHA, scrubbing, auto-scale).