<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans%3A400italic%2C700italic%2C400%2C700">Cybercrime Archives « Aam JanataSkip to content

This is the second day in a row I've discovered something suicidally whacky on Twitter. The first was when I found a profile with a UID number on it. Today was crazier. Vivek Namibar, a journalist with India Today with a verified handle on Twitter, posted a series of tweets that can only be described as extremely disturbing. You can check them out here:

The thread describes a "suicide challenge game" that involves the participants taking on various tasks assigned to them by a "curator" on the internet. Seemed complete nonsense, but the handle was a journalist and myth or fact, the tweet had already been shared almost a hundred times (and counting). So I decided to find out more.

Based on the myth that blue whales come to the shore when they want to die, the alleged game encourages participants to do various tasks that are depressing or scary or involve self-harm over a period of 49 days and they are asked to kill themselves on the 50th day. One person was arrested in Russia on charges of encouraging 16 people to commit suicide. Various reports and unsubstantiated numbers of teenagers who have killed themselves because of the game. Reports that it had spread to the UK, reports that French police were warning people. Vivek was warning that the game may have reached India with one death in Mumbai and another in Bangalore that he could not trace.

Given the gravity of the warning, I thought it was important to investigate and at least do some initial straight talking based on what I found.

There is no evidence whatsoever that the Blue Whale Challenge exists

While it is hardly unheard of that depressed teenagers (and even perfectly healthy ones as well as adults) succumb to undesirable influences on the internet, given today's modern world of technology, it is impossible that if an organized game involving interaction over the internet over 50 days existed as a link in a large number of deaths in multiple countries, goes undetected. In the event of a suicide, a person's communications will be examined. If the suicide is suspected to have happened because of influences on the internet, there will be an investigation and at least some kind of concrete information would have come up. Given that several of the tasks reported involve self-harm, including making cuts on the body, carving a whale on various parts of the body and so on, it would have been hard evidence linking various suicides - there is no such evidence. There would be statements from the family about this kind of self-mutilation happening before the suicide. There are no such reports.

The game seems to be some sort of an urban myth that originated in Russia. It is possible that there may have been communications or some interactions involving depressed teenagers who committed suicide and tasks and so on, but there is absolutely no proof that such a game exists. It is just that we tend to notice more what has been brought to our attention, so if such a link is heard about, anything that could remotely fit starts looking like it is true. If I told you a pimple was forming on your nose when we met in person, you'd touch your nose a lot more, exploring its contour to catch that pimple!

The only place where the game seems to have spread is in Brazil with several suicides and suicide attempts allegedly related with the game reported. yet there is are no reports of investigations or arrests.

What is the real danger of the Blue Whale Game?

Well, it is obvious. An urban myth that runs wild and gives people ideas. Ideas that exploit others, or seductive ideas for suicidal people to make one last statement and dramatic exit. Another reporter who tried to find out about the game and wrote about it found that a lot of the comments he received were from teenagers seeking the blue whale game! Needless to say, regardless of whether the game exists, it is providing a source of curiosity and potentially interesting teenagers with suicidal tendencies. He provided a button with his story that said "Start game" and over 9% of people who read his article and its warnings clicked the button anyway. The button led to a page where people were asked why they wanted to play the game and answers ranged from the curious to those really wanting to end their lives.

Sociopaths may see opportunity in the teenagers being interested and seek to harm them by engaging them in what they are seeking and expect. An urban myth that makes suicide sound like some kind of rite of passage may encourage vulnerable minds to lose objectivity and choose self-harm.

Malicious online entities could engage people in the game and provide people with links that infected their computers with malware. After all, a person looking to find a person encouraging them to commit suicide is hardly going to expect a hacker.

All the usual cautions about strangers on the internet apply.

What is the good news?

Is there a good news about the blue whale game? Well, yes. Given that the blue whale game involves tasks to be completed over 50 days, tasks that involve fairly conspicuous behavior, like going to the tops of building and standing on the edge, standing on bridges, cutting their arms, cutting designs onto their limbs - this behavior is very easy to notice and trigger concern. And the good news is that it must go on for almost two months before the suicide. I think it beats a teenager committing suicide on a whim and gives people a chance to notice the problem and gives them a chance to change their minds. 49 days of bizarre behavior has a much better chance of someone intervening than a teenager leaving for college and stepping in front of a train. There is no need for paranoia. It isn't true, and even if it were, it has a better chance of someone noticing it and putting a stop to it than an "unorganized" suicide, so to say.

How dangerous is the blue whale game?

This is tough to say. Given that there is no evidence the game exists, there is no "threat score" one can attach to it. I saw several videos said to be music shared as a part of the challenge and I don't feel suicidal at all. And I am someone who has no problems with suicide and have even been suicidal myself in the past. So if there were some mystical power that would make a viewer want to kill themselves, or at least depressed, I should feel something. Nope. Zero wish to kill me. Anyone who watched and did feel depressed probably was reacting to the title saying that it would make them feel depressed or something. There are no supernatural powers in the video.

That said, obviously, self harm is dangerous and suicide is fatal. So I guess, even if the game doesn't exist if people find the idea appealing and try to copy it, it is obviously dangerous. I imagine too many horror movies in the middle of the night on a sleep deprived brain would fry anyone's sense of well being. Nothing catching up on sleep won't fix, I imagine.

The real danger of such secret, coercive interactions would likely to be predatory behavior with teenagers. Online sexual predators, risk of malicious code being downloaded to computers, personal information breached or willingly given that can make someone vulnerable to blackmail... the sane thing to do here is to keep your computer's security updated and not engage in intimate conversations with strangers.

Some last words about this blue whale suicide game thing - try the pink whale challenge instead

The reporter who did that story on the blue whale game and found the teenagers interested created an alternative pink whale challenge. Not going to link to it. If you really landed here looking for something, it will satisfy your need to search for it and find it and you can play it.

With or without the blue whale game, teenage depression and suicides are growing. There is a need to be supportive of vulnerable people and to provide a compassionate listening ear. If you find anyone around you being unusually depressed, engaging in self-harm, withdrawing from the world, do take a moment to check on them, and if necessary, speak with their friends and/or families and see that they receive any attention needed.

If you find yourself interested in suicide, seek help. More importantly, seek information. When emotions are low, it is harder to be convinced that things aren't as bad as we perceive them. Hard facts devoid of positive or negative emotion can serve as an anchor for sanity and allow you to gain a sense of perspective. Contact suicide helplines (search for them). Talk about it with friends you trust to listen to you. Make an abrupt change in life. Quit an environment making you unhappy, try something altogether different. It is a sort of metaphorical rebirth, you know? The giving up of an old unsatisfying life and the trying out of something that appeals more. I have done that often in life. Change careers, live in a different place, break up or fall in love, whatever.

Remember, thoughts of death may be common, acting on it is not. There is no need to fear. It is better to empower yourself with information and pragmatic action. If you are happy, if you care for yourself and seek help when you feel low, you aren't going to want to die, and no game can make you want to do it. That is just the internet being what it is.

Update: After publishing this post, it has come to my attention that the one Mumbai boy's suicide is behind this speculation of the Blue Whale challenge. This is in spite of the police not finding any history of altered behavior in the boy or signs of self mutilation - both of which would have been present if this were a case of the alleged "Blue whale challenge". Regardless, an incredibly uncritical media has widely reported the death as a potential Blue Whale game suicide, Devendra Fadnavis has apparently promised an inquiry saying that if it is an online game, it can easily be blocked (compounding gullibility with rank ignorance of the internet). And to top everything, this was brought up in the Parliament and the government may probably be preparing to issue some kind of a warning on the issue. While they are at it, they should also warn people against trusting Lord Voldemort. The complete gullibility of the media and the state and center governments is staggering. This is what you get by promoting stupidification and superstition. Critical thinking goes for a toss.

 

blue whale game news
How a suicide got attributed to the fictional blue whale game and swept through media, got concerned Chief Minister to promise action and got taken seriously in Rajya Sabha

Viral trends of this sort spread with panic and reach the fertile ground of the minds of those discontented with life who find them appealing. Chief Minister Devendra Fadnavis, the media and the Parliament ought to show restraint instead of introducing Indian youth to such ideas made all the more melodramatic for the attention they get. There are countless suicides in India on a daily basis. While this one is very sad as well, there is no need to go overboard about it and jump to conclusions that have no evidence in the reported facts of the case.

Update 2: More info on Snopes

2

Mumbai, 24thJuly 2012: Beware Mumbai citizens! Think twice before complaining against illegal building activity to MCGM’s officers on their official email id and mobile numbers, or they may threaten to book you under cyber-crime laws! Also be careful if they invite you to meet them with your complaint on Lokshahi Din, because they may land you in trouble! Your efforts in bringing the illegal activities to the attention of the authorities may not be appreciated; far from it! After a tongue-lashing, you may well be scrambling to save your skin from the cybercrime police, for the cyber-crime of emailing a complaint!

state-bank-india-juhu-Slab-Punctured-Staircase outside state bank of India JuhuOn Monday 15th July, Deputy Municipal Commissioner Vijay Balamvar sent this message to citizens loud and clear in his office at his Lokshahi Din (which ironically means, “the day when the citizen is king”). Advocate Sunil Tiwari, who had waited patiently outside his office from 3.30 till 5.15, was asked why he had sent complaints and building photographs to his email id (DMC.z4@mcgm.gov.in) and to his mobile phone (9820702619) on Whatsapp, was asked to produce documents to prove that he was actually an advocate! The DMC refused point-blank to even talk about Adv. Tiwari’s complaint about the illegal alteration (breaking the ground-floor slab to install a stairway) of a Juhu building by State Bank of India, photos attached) causing a danger of building collapse, and instead asked Tiwari what right he had to clog his official email and his mobile phone with complaints and photos of the building.

“Are you living in that building? How are you affected by the alterations being made? If you are not living in that building, what right have you to send me such messages? I want you to delete the email, the message you sent me from my mailbox and phone. Will you do that? Otherwise, I will complain to cyber-crime police, and look at what action to take against you under the cyber-laws,” he allegedly said. Adv Sunil Tiwari (9820702619) was shaken and indignant at the end of this unexpected turn of events, to say the least!

damaged slab and illegal staircase construction

Sunil’s friend and mentor in activism, RTI Activist Sulaiman Bhimani (9323642081), who is an interior designer, remarks that this reveals the nexus between commercial interests who make illegal alternations in buildings, and BMC’s officers, who knowingly look the other way. “Memories of recent building collapses are fresh in the minds of Mumbaikar, especially those who lost their near and dear ones due to the greed of someone. Many of the buildings collapsed due to illegal and unauthorized structural changes made on ground floor. MCGM engineers fail to take cognizance of such activities and they turn nelson eyes to such rampant illegal changes the reasons best known to them. And it seems that citizens who complain against such corruption and malpractices are intimidated by Municipal officials, who should be protecting the citizens instead of protecting such unlawful elements! If Mr Balamvar does not take cognizance of Adv. Tiwari’s complaint on a serious matter concerning common people’s lives, and instead, can talk arrogantly like this to an advocate, imagine how he would be dealing with poor people who approach him with grievances and complaints! And, if their official phones and email addresses – which is paid for with taxpayer money -- cannot be used for sending complaints, what will the citizens do?” asks Bhimani.

 

Although the President, Prime Minister, Chief Minister and others are used to routinely receive complaints from irate citizens, one doubts that anybody has threatened citizens with action under cyber-crime laws! But evidently, this Deputy Municipal Commissioner wants to set a precedent and firmly show citizens their place!

Says Corporator Dilip Patel, BJP group leader in MCGM and member of MMRDA committee (was cc-ed in almost all the complaints that Sunil Tiwari sent to MCGM), “I phoned and asked Balamvar about this altercation with Adv. Sunil, whom I have met. Balamvar replied that he would explain everything to me personally, and so, I will be meeting him tomorrow. Let us see what he says.”

 

Meanwhile, Adv Tiwari has written to CM Prithviraj Chavan and others to suspend DMC Balamwar, Asst commissioner K/West ward and the concerned engineers, and to check their call records to reveal their nexus.

 

DOWNLOADS FOR MEDIA:

1)      Adv Sunil Tiwari’s  complaint  against UNAUTHORIZED CIVIL WORK: http://tinyurl.com/complaint-x-SBI-Juhu

2)      Publishable photo of SBI Juhu from outside: http://tinyurl.com/SBI-Juhu

3)      Full text of Tiwari’s complaint against DMC Vijay Balamvar, sent by email & speedpost to CM, Municipal Commissioner etc: http://tinyurl.com/complaint-x-DMC-Balamvar

 

Far from being cowed down, we urge the common man to register their complaints (and also their protest against such bad behavior by civic officials) on their email ids – official or otherwise – and also their mobile phones!

 

Warmly,

Krishnaraj Rao

RTI Activist

9821588114

2

Yash K S is a software developer. In the last year or so, his interest in identification methods led to him discovering a vulnerability in online banking that can allow a malicious attacker to use attacks like Man in the Middle or Man in the Browser to steal money from bank accounts.

He published his findings on his website. Here is my interview with him. [Note: It has been edited from the original informal chat for coherence, but the content is unaltered in meaning.] Italics are my questions.

Can you explain briefly your background, so that my readers can understand the work you do?

I have diploma in CS after 10th, after that I joined Anti-virus company as C programmer. I am into building system products like Anti-virus, e-learning, Backup & Recover. Last 15 years I have built a lot of systems products for corporates.

How did you become interested in banking transactions?

Since I worked in anti-virus for couple of years, I continued to learn about security even though I was involved in building other products. I always knew banks are breakable. Zeus trojan, for example. The important trojan existed last 5 years for western banks, but not Indian banks,  and Indian banks continued to say online banking is secure compared with banks in the West. Around 4 years ago, I was trying to build a product which solves a problem of identitifying on the internet and I did extensive study on how banks work, as I built the product. Around 2 years ago, I developed a personal interest in seeing how secure Indian banks are and started analyzing Indian banks for security.

What is the basis of that claim by Indian banks - that online banking is secure compared with banks in the West?

Indian banks thought online banking is secure, since they are using Mobile device as additional factor to add Payee before transactions. Indian banks believe mobile is secure and they are trying to use that as second secure channel. When users adds a payee on a PC, they send this information to Mobile with OTP (One Time Password). Citibank, ICICI Bank - both of them use this method. In the case of ICICI Bank, they even have an additional transaction password and grid numbers, which the user needs to enter by looking at back side of the debit card. In HSBC bank, they dont use the same methods of ICICI and Citibank, they distribute hardware OTP (One Time Password) device, where it generates random number for every one minute. They assume this will not allow fraud transactions to happen without user knowledge. I believe they are not providing enough security for consumers in our country.

Who would be liable if someone stole money using the vulnerability you discovered?

If anybody looses money in online, end users are liable for that loss not banks, unless user proves to the bank, this fraud has not happend because of negligence. Negligence means, user system does not have any malicious programs which stole credentials or user did not give out uder credentials via phishing mail or user has not logged in some system which is not secure. This is very difficult to prove. Almost impossible, even for technical users. It becomes a user problem, bank does not take responsibility.

Screenshot from Yash's video for man in the browser attack for ICICI

So, the bank simply washes its hands off the loss instead of fixing it? Not their problem?

In my video what I have showed is - If a person is transferring money to Account 100, they see in their browser that the money is going to Account 100 and some X amount, but in back end malware changes data completly to Account 200 and some other amount. In this case, it is a Man in the Browser attack. The user is co-ordinating with malware without his own knowledge and the bank server fails to identify what is really happening in backend. Once the transfer of money is complete, if user sees the transaction via online, he still sees the same fake info, since the malware also knows to modify transaction statements.

Malwares are sophosticated and can fool both users and banks. Zeus trojan alone has costed 1 billion $ + loss in multiple banks in West. This trojan is still alive in wild and still causing losses. 5 years.

I built a similar trojan from scratch for Indian banks. Based on it, I have posted videos. I have not shared source code with anyone, keeping security in mind. I showed a few banks, in closed door meetings, this vulnerability. They were shocked to see it, but they have not fixed anything. One bank told, "Others banks might be insecure, but our bank is not". After a month or so, I went back with trojan modified for this specific bank and showed them. They are back again in denial mode.

How is it that the same vulnerability works for all banks? Don't all banks have their own systems - and methods?

The same trojan does not work for all banks. All banks have seperate systems, but if hacker companies writes the trojan using the concept of Man in browser and Man in middle, they can write specific malwares for each bank. Like I showed from my videos....  If I identified a security bug, banks can just fix the bug in the existing system. But, these problems are a system flaw, there is no way to fix it just by adding some stuffs. They need to replace the system itself by rethinking online banking security from the ground up.

So, you are saying, any bank account can be hacked? But can't this misuse be traced?

Today hackers are not indivisuals, they operate as underground companies. They outsource work to each other based on the skill sets like we do in normal companies. It becomes very difficult to track it. In a chain, each are specialized in specific work, they complete the work, sell it and go.

What is the most important thing here?

There are important questions..... Who is responsible if users looses money via online due to trojans? Users keeps money in bank after a solid efforts, traditional method of banking have ensured always to make sure verify the person and dispatch the money. But, moment bank exposes money via internet for anyone who authenticates using username, password + additional stuffs, if a trojan can fool these factors, who becomes responsible? How can a user be responsibile? He likes convinenace, but he definitely does not want to loose money.

Do banks explain to all end users about the online threats and make them understand, before giving them an online account? Nope. It is the responsibility of the bank to provide a safe mechanism. An insecure web facility cannot be a user's responsbility. When banks cannot give security for a specific types of attacks, they need to reduce the limit per day. They need to give insurance if they cannot solve the problem. They cannot make customer liable, since there is no way, anyone can expect a customer to know all about such threats.

Also make risks explicit, immediate transaction alerts, phone verifications?

Immediate transaction alerts exist today, due to RBI guidlines, there is no use. If a mobile has a malware which is co-ordinating with mobile trojan, then it will not even show an SMS for you.

How did banks respond to your information?

After the Citibank demo, within 2 weeks they changed system to add some information when they sent to mobile while adding payee. This mitigates a little. I appreciate Citibank for their quick reaction. But, if the same malware is expanded to mobile, complete online banking in india fails for all banks. Trojans (Zeus varients) already exists to peform co-ordinated attack by hijacking both PC and mobile of a user. There are many ways to infect both PC and Mobile, all smartphones connect to the internet or many smartphone users synch with PC. These two methods are enough to get a trojan into a mobile. Many more methods exist too. Android has more malwares compare to any other today.

ICICI Bank did not make any changes to security. Instead, they are posting on the internet saying what I am saying is wrong. After a month, they have sent a defamation case notice by asking me to pull down the content from my website. They have asked me to close my ICICI personal account too in a month.

HSBC, instead of solving problems, on 2nd Feb, people came to my house, after failed attempts to bring down content with the help of service providers. I was not present at that time; they asked my family members rude questions. I have registered an FIR. They were saying I am teaching how to hack HSBC! This is wrong! In my video, it only shows the consequences and how it is going to effect online banking customers.

Banks succeeded in removing my account from Vimeo.com. Vimeo deleted my account without informing me. After 5 months, instead of fixing problem. They are still trying to kill my content.

How many sites did your content get taken off from?

lol. Youtube, Bluthost.com, Dropbox, Vimdeo.com In ICDThost.com current hosting provided wanted me to remove direct links to video, although they were polite enough asking me, After that my site still survives there.

My intension of not pulling down the content is - This problem is not in one bank, ICICI bank thought I was targetting them alone, that was not true. But, all banks have the same issue, does not matter private or public banks today in india. I have showed this demo to RBI - Bangalore. They got a glimpse of what can happen to online transactions in country and they wanted me to proceed further to make more people within RBI aware of it, although we could not reach the executive chariman who handles payment settlements online.

So there are positive responses too.

Yes. there is a positive response too.

We had a discussion in national law school in Bangalore along with few experts, bankers, professor in that college itself. We have recorded that video. This DVD has given by professor of law school to cert-in personally. See this : Reserve Bank of India (RBI) : Man-in-browser attack - Top 100 banks of the world are reported to have experienced similar incidents - even RBI is saying last year itself. Banks are not lisetning to RBI either

Basically, we need to get support from RBI, Customers and pressure Banks for better security. That is the key.