Indian hacker caught in criminal activity; Details inside
M/s Voucha Gram India Pvt. Ltd., owner of the eCommerce portal www.gyftr.com, filed a complaint with the Hauz Khas Police Station against several hackers from various cities, accusing them of offences under the IT Act: Theft, Cheating, Misappropriation, Criminal Conspiracy, Criminal Breach of Trust, the Cyber Crime of Hacking, Spoofing, and Tampering with Computer Source Documents and the Web Site.
For the past 4.5 years the company has been in the business of buying and selling Digital Gift Codes, Digital Gift Cards and Digital Gift Vouchers, and has dealt with a wide range of consumers. On December 19, 2016, at 06:35 PM, the website www.gyftr.com was hacked: the above-mentioned accused persons gained unlawful access to the firm's website, as defined by the IT Act 2000, and claimed discount vouchers. Company staff discovered the intrusion only 24 hours later.
The hacking was carried out as follows. The hackers first began purchasing a gift voucher, say one worth Rs 10,000. They then paid a much smaller amount, say Rs 1, through the payment gateway www.Payu.in, and, when the payment confirmation was relayed from Payu.in back to Gyftr.com through the browser, changed the amount in it to Rs 10,000. Because the merchant site accepted the tampered payment parameter, it credited the full value of the voucher selected rather than the Rs 1 actually paid at the gateway, and the company lost approximately Rs 90 lakhs this way. The activity went on for two days and was only discovered on December 20, 2016, at 7:30 PM, after which the company blocked as many of the affected vouchers as it could.
On the same day, one of the defendants called the Gyftr.com help desk and inquired about the blocked vouchers, stating that he was willing to provide the names of other defendants in exchange for a monetary incentive, which assisted authorities in gathering more information.
The vouchers were redeemed with a variety of merchants, including MakeMyTrip.com for hotel bookings and telecom operators for discounted mobile recharges. The delivery address used for numerous other items, such as clothing bought online, was also traced. Furthermore, one of the defendants was updating his Facebook timeline while the crime was being committed, posting offers such as 50% off hotel reservations and free Aircel recharges for friends, and checking in at various hotels. He also made a statement after being released from police custody after eight days.
Sections 65 and 66 of the Information Technology Act, as well as Section 420 of the Indian Penal Code 1860, were used to charge the hackers. They were finally apprehended in January 2017 (and are currently free on bail) in Jind, Dehradun, Kota, and Bhiwani. They appeared to have met online through some Hacking Sessions when someone demonstrated how the website Gyftr.com had security flaws using Teamviewer. On the 19th and 20th of December 2016, a handful of them ended up placing a large number of orders by exploiting security flaws for almost two days.
The method of operation is as follows:
Sunny Nehra, the primary hacker, has built a large network of Indian and foreign hackers who share their knowledge online. Most of his associates are online hackers, API hackers, coders, developers, spammers and other kinds of internet criminals. The technical term for his speciality is 'data tampering'. Crimes committed with this skill include 'adding cash backs' (inflating the value of cashback offers), using the same gift card repeatedly without detection, and placing online orders with no real payment or only a token one. One of his hacker friends told him that PayU, a popular payment gateway, had a security flaw that could be tested for data tampering. The accused was surprised that such a well-known service could be so vulnerable. He began testing it and soon found that it permitted 'changes in parameters on the processing page', i.e. data manipulation. Simply put, the procedure goes like this:
1. Choose a product to buy on an e-commerce website, say one priced at Rs. 5,000/-.
2. Add the product to the shopping cart; the cart value is now Rs. 5,000/-.
3. Navigate to the 'select payment method' page.
4. This page is now 'jammed' (held), and its parameters are modified using a data interceptor (a feature of testing software such as Burp Suite).
5. Which parameters can be altered is learned by studying the source code of the concerned website's processing page. Recall that whenever customers pay online they are told 'your payment is being processed; please do not refresh or press the back button' after entering card details and clicking the 'make payment' button. When the hackers reach this point they press cancel or back to save the page source, which decodes to values such as xxxxx = failure, yyyyy = success, zzzzzz = error, and so on. Once these codes are understood, the parameters on a 'jammed' page can be altered.
6. The cart value parameter of Rs. 5,000/- is changed to Rs. 1/- in the 'debit value'.
7. The interceptor is turned off and the order is placed, with the funds transferred from an online e-wallet the hacker opened under a false or proxy identity. In this way the hacker gains Rs. 4,999/- for a nominal payment of Rs. 1/- (either as digital money to spend elsewhere or as genuine goods).
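The weakness exploited in both accounts above (the Rs 1 payment relayed as Rs 10,000, and the Rs 5,000 cart debited as Rs 1) is the same: the merchant site trusted an amount that passed through the customer's browser. The following Python example is added here to show the server-side check that closes that gap; it is not code from Gyftr.com, PayU or the article. The signature scheme (HMAC-SHA256 over sorted key=value pairs), the secret, the order ledger and the callback fields are all constructed for the demonstration and do not describe PayU's actual protocol.

```python
import hmac
import hashlib
from decimal import Decimal

# Hypothetical shared secret between merchant and gateway (constructed, not real).
GATEWAY_SECRET = b"constructed-demo-secret"


def make_orders() -> dict:
    """Constructed server-side order ledger. The amount is what the merchant
    computed at checkout and is the only amount the merchant should trust."""
    return {"ORD-1001": {"amount": Decimal("10000.00"), "status": "PENDING"}}


def sign_callback(fields: dict, secret: bytes = GATEWAY_SECRET) -> str:
    """Signature the gateway is assumed to attach to its confirmation.
    Hypothetical scheme: HMAC-SHA256 over key=value pairs sorted by key."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def vulnerable_confirm(orders: dict, callback: dict) -> dict:
    """The failure mode described in the article: the merchant believes
    whatever amount and status arrive via the customer's browser."""
    order = orders[callback["order_id"]]
    if callback["status"] == "success":
        order["status"] = "PAID"
        return {"ok": True, "credited": Decimal(callback["amount"])}
    return {"ok": False, "reason": "gateway reported failure"}


def hardened_confirm(orders: dict, callback: dict, signature: str) -> dict:
    """Defensive checks, in order: authenticate the message, compare the paid
    amount with the merchant's own record, check status, enforce idempotency."""
    expected = sign_callback(callback)
    # Constant-time comparison so the check does not leak the expected digest.
    if not hmac.compare_digest(expected, signature):
        return {"ok": False, "reason": "bad signature"}
    order = orders.get(callback["order_id"])
    if order is None:
        return {"ok": False, "reason": "unknown order"}
    if order["status"] != "PENDING":
        return {"ok": False, "reason": "order already finalised"}
    if Decimal(callback["amount"]) != order["amount"]:
        order["status"] = "FLAGGED"  # keep for investigation, never fulfil
        return {"ok": False, "reason": "amount mismatch"}
    if callback["status"] != "success":
        return {"ok": False, "reason": "gateway reported failure"}
    order["status"] = "PAID"
    return {"ok": True, "credited": order["amount"]}


def demo() -> dict:
    """Replays the article's scenario: the gateway confirms Rs 1, the browser
    relays Rs 10,000. Returns what each handler decides."""
    genuine = {"order_id": "ORD-1001", "amount": "1.00", "status": "success"}
    sig = sign_callback(genuine)
    tampered = dict(genuine, amount="10000.00")  # edited in the browser
    return {
        "vulnerable": vulnerable_confirm(make_orders(), tampered),
        "hardened_tampered": hardened_confirm(make_orders(), tampered, sig),
        "hardened_genuine_underpaid": hardened_confirm(make_orders(), genuine, sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two of the checks matter independently: the signature detects any field edited in transit, and the amount comparison against the merchant's own ledger catches the case where the gateway's confirmation is genuine but simply for less than the order is worth. The flagged order is kept rather than deleted so that the fraud team has a record to investigate.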