FAFD ICAI Identity Theft Investigation Report

The document summarizes a forensic investigation report regarding an internet fraud incident at ABC Data Private Limited. The investigation found that a Trojan virus infected most company computers through a Microsoft Word document sent by Mr. Kumar, stealing credit card data, passwords, and source code. While Mr. Kumar claimed to have received an email instructing him to share the file from a fake finance website, the investigation revealed that the website did not exist and Mr. Kumar had visited it, indicating his involvement in the fraud scheme.

Uploaded by

Arvind Kumar

ICAI FAFD

BATCH 197

INTERNET FRAUD
INVESTIGATION REPORT
CA. ARVIND KUMAR
9560262327
[email protected]
ICAI Mem. No: 512539
INTERNET FRAUD INVESTIGATION REPORT ICAI FAFD
BATCH 197

Dated – October 10, 2019

PRIVATE & CONFIDENTIAL

To,

The Chief Financial Officer,

ABC Data Private Limited.

Re: Forensic Investigation of M/s. ABC Data Private Limited.

Dear Sirs,

Attached is our report on the results of our forensic investigation of ABC Data Private Limited. We have conducted our investigation pursuant to our engagement letter dated 31st August 2019 between ABC Data Private Limited and our firm.

Our procedures were performed with due diligence. Our conclusions and findings are in conformity with our engagement letter. Our analysis and observations are based upon the information provided to us as on the date of this report. It is possible that additional information may become available following the date of our report and, if so, our analysis and observations could be affected by such information.

We are happy to discuss any questions at your convenience.

For XYZ & Associates

Chartered Accountants

Private & Confidential |2


CONTENTS

• Background

• Scope & Objective

• Use of Report

• Our Approach & Methodology

• Observations & Findings

• Conclusion

• Recommendations

• Limitation of Liabilities

• Annexures


I. Background

Mr. Kumar is a senior programmer with ABC Data Pvt. Ltd, an Indian software company that has offices in several countries. Mr. Kumar is heading the team of programmers working on a special Project Kensoft – a software development project that has been awarded to the company by the Government of Kenya.

On 2nd August, 2019 a scheduled internal penetration test was conducted on the computer systems being used for Project Kensoft. The test revealed that most of the computers were infected with a Trojan program. Further investigation revealed that the Trojan spread through an infected Microsoft Word document (titled taxdetails.doc) that Kumar had sent to all his team members. It was also discovered that the Trojan had stolen credit card information, bank account passwords and confidential source code from the infected computers. This stolen information had been uploaded to some FTP servers, all of which were now non-existent.

When questioned by the management, Kumar admitted to having sent that document to all his team members. He stated that he had received an official email from the finance department asking him to download the document from https://finance.abcdata.com and to distribute the document to all his team members. The email had been deleted by Pradeep. Pradeep said that he trusted the document because the website that he downloaded it from was SSL protected and was part of the abcdata.com network.

The finance department claims that it had never sent such an email to Kumar. They also clarified that https://finance.abcdata.com was never used by them. The IT department of ABC Data also stated that https://finance.abcdata.com never existed.

II. Objective & Scope

The primary objective of the investigation is to ascertain the person/fraudster responsible for infecting the systems and stealing the information and source code.

The other objectives include the following:

• To determine whether the Trojan virus was inserted into the computer system as a result of a fraud/scam.
• To determine the involvement of Mr. Kumar in this fraud scheme.
• To find out the modus operandi of the fraud scheme.
• To suggest ways for system improvement so as to prevent such incidents in future.


III. Use of the Forensic Investigation Report

The forensic auditor is required to submit two original copies to the Board of Directors of ABC Data Pvt. Ltd. for internal purposes only, and the same cannot be used in any legal proceedings. The report is not meant for public distribution. The written consent of the forensic auditor shall be obtained before providing this report to any third party.

IV. Our Approach & Methodology

Fraud Examination Team Members

• CFE. X Sharma (Team Leader)
• CA. Y Agarwal
• CA. Z Gupta

Methodology

As part of the examination of this matter, the team took the following actions:

• Performed disk imaging of the system currently being used by Mr. Kumar. An MD5 hash of the device was generated.
• Obtained the Chain of Custody Form from the employee in question, i.e. Mr. Kumar.
• Took an image of the device, and recovered and analysed data from the computer system being used by Mr. Kumar.
• Checked the Microsoft Word document titled “taxdetails.doc” for infections using VirusTotal.com.
• Examined the digital signature certificates stored on Kumar’s computer.
• Conducted a detailed examination of the computer at the residence of Mr. Singh.
• Conducted surveillance activity in order to determine whether the two key individuals in the matter (Mr. Kumar & Mr. Singh) were involved in an illicit relationship.

Individuals Interviewed

The following individuals were interviewed in person by members of the Fraud Examination Team:

• Mr. Kumar (Senior Programmer)
• Ms. Sinha (HR Head)
• Mr. Khanna (System Administrator)
• Mr. Singh (Ex System Administrator)


V. Observation & Findings

1. The Microsoft Word document titled “taxdetails.doc” was checked for infections using VirusTotal.com. VirusTotal.com is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware detected by antivirus engines. VirusTotal.com is a free, independent service that uses multiple antivirus engines and features real-time automatic updates of virus signatures.

2. The results of the VirusTotal.com scan showed that the taxdetails.doc file was in reality a Trojan-infected file named “taxdetails.doc.exe”. This file was infected with the CIA Trojan. The CIA Trojan is a program that enables an attacker to get nearly complete control over an infected PC.

3. The file taxdetails.doc.exe, described as under, is stored on the CD-ROM accompanying this investigation report.
File size: 125692 bytes
MD5: 9f0247316edd0d885efe1116fde5f56f
SHA1: 3466bee9e491e718a080264ac07386c958655aa4

4. The site https://finance.abcdata.com was then checked for its existence, but the site did not exist. The IT department of ABC Data also stated that https://finance.abcdata.com never existed.

5. On examining Kumar’s computer using X-Ways Trace, it appeared that Kumar had in fact visited https://finance.abcdata.com.

6. The digital signature certificates stored on Kumar’s computer were then examined. The certificates present on computers allotted to other ABC Data employees were compared with the certificates present on Kumar’s computer.

7. This examination showed three certificates that were not present on other ABC Data computers. The first was a certificate issued by ABC Data to Ms. Banerjee. This certificate was stored in the “Other People” tab of the certificate store on Kumar’s computer.

8. On being asked how he had obtained Ms. Banerjee’s certificate, Mr. Kumar said that he had been sent some documents by Ms. Banerjee of the ABC Data Human Resources Department. These documents had been digitally signed and hence he had obtained Ms. Banerjee’s certificate from her.

9. Enquiries with the ABC Data Human Resources Department showed that there was no employee named Ms. Banerjee.


10. On detailed examination of the digital certificates, it is apparent that a certifying authority named Global CA issued a certificate to an intermediary certifying authority named ABC Data, which in turn issued a certificate to Ms. Banerjee. Further examination of the “certificate store” on Kumar’s computer showed that a certificate issued by Global CA to ABC Data was stored in the Intermediate Certification Authorities section. Additionally, the certificate of Global CA was stored in the Trusted Certification Authorities section.

11. The IT department of ABC Data stated that they had never applied to Global CA for a digital signature certificate.

12. The website of Global CA (www.global-ca.com) was visited by us to ascertain its contact information. The email ID was listed as [email protected]. The ReadNotify.com email tracking service was used by us to send tracking emails to [email protected] and [email protected].

13. The email sent to [email protected] was accessed but no reply was received. The IP address from which the email was accessed was ascertained from the ReadNotify report.

14. With the help of the relevant Internet Service Provider it was ascertained that the above IP address had been allotted to the computer at the residence of Mr. Singh, who incidentally was the System Administrator at ABC Data Pvt. Ltd.

15. A detailed examination of the computer at the residence of Mr. Singh was conducted. The computer was running the Windows 2003 Server operating system and had Certificate Services installed.

16. Examination of the certificate services showed that “Global CA” had been installed as a standalone certifying authority and “ABC Data” had been installed as a standalone subordinate certifying authority.

17. Examination of the certificate services also showed that the “Ms. Banerjee” certificate had been generated on the said computer. An SSL certificate in the name of finance.abcdata.com was also recovered from the computer.


VI. Conclusion

From the above investigation it may be concluded that:

1. Mr. Singh used Windows 2003 Certificate Services on his personal computer to create “Global Root CA” as a standalone root certifying authority and “ABC Data” as a standalone subordinate certifying authority under Global CA.

2. Mr. Singh then generated a digital signature certificate in the name of Ms. Banerjee using social engineering.

3. Using social engineering and email spoofing, Mr. Singh convinced Mr. Kumar to install the Ms. Banerjee certificate on his computer. When Kumar did this, the following happened automatically:
   i. The Global Root CA certificate got installed in the Trusted Root Certification Authorities section of his certificate store.
   ii. The fake ABC Data certificate got installed in the Intermediate Certification Authorities section of his certificate store.

4. Mr. Singh then set up the fake https://finance.abcdata.com website on the ABC Data Pvt Ltd. internal network. This website used the fake ABC Data SSL certificate generated by Singh.

5. Mr. Singh then sent a spoofed email to Kumar, asking him to download the taxdetails.doc file from https://finance.abcdata.com.

6. When Pradeep visited the fake https://finance.abcdata.com site, he did not receive any certificate warning for the fake ABC Data SSL certificate. This is because the fake certificate had been issued by “Global CA” and the certificate of “Global CA” was already installed in the Trusted Root Certification Authorities section of Kumar’s certificate store.
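The trust failure described in points 3 and 6 above (a root certificate added to the Trusted Root Certification Authorities store as a side effect of installing a signed document's certificate, so that a fake site chained to it produced no warning) can be detected on a Windows workstation by auditing the certificate stores against an approved baseline of root thumbprints. The following PowerShell script is an added example, not part of the original report; the baseline thumbprints are placeholders to be replaced with the organisation's approved roots.

```powershell
# Added example (not part of the original report): audit the Windows certificate
# stores for root CAs outside an approved baseline, and flag certificates in the
# "Other People" (AddressBook) store whose chain terminates in such a root.
# The thumbprints below are PLACEHOLDERS; replace them with the SHA-1 thumbprints
# (uppercase hex, as shown by Get-ChildItem Cert:\) of the roots your organisation approves.
$ApprovedRoots = @(
    'PLACEHOLDER_THUMBPRINT_OF_APPROVED_ROOT_1',
    'PLACEHOLDER_THUMBPRINT_OF_APPROVED_ROOT_2'
)

function Get-UnapprovedRoots {
    param([string[]]$Approved = $ApprovedRoots)
    # Check both stores: a user can add a root to CurrentUser\Root without
    # administrative rights, so the per-user store must not be skipped.
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem $store | Where-Object { $Approved -notcontains $_.Thumbprint } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore   # a recently created "root" is itself a red flag
                }
            }
    }
}

function Get-CertsChainingToUnapprovedRoot {
    param([string[]]$Approved = $ApprovedRoots)
    # Certificates received from other people (e.g. attached to signed documents) are
    # chained up to their root; a root outside the baseline means the chain is untrusted.
    foreach ($cert in Get-ChildItem 'Cert:\CurrentUser\AddressBook') {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline audit; revocation is a separate check
        $null = $chain.Build($cert)
        if ($chain.ChainElements.Count -eq 0) { continue }
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($Approved -notcontains $root.Thumbprint) {
            [pscustomobject]@{
                Subject        = $cert.Subject
                Issuer         = $cert.Issuer
                RootSubject    = $root.Subject
                RootThumbprint = $root.Thumbprint
            }
        }
    }
}

Get-UnapprovedRoots | Format-Table -AutoSize
Get-CertsChainingToUnapprovedRoot | Format-Table -AutoSize
```

Any root reported by the first function, or any "Other People" certificate whose chain ends in an unapproved root, matches the pattern found on Kumar's computer and warrants the same certificate-store comparison against other machines that the report describes in point 6.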

VII. Recommendation

Where did things go wrong? How could the management of ABC Data have avoided this type of fraud?

The virus called “Trojan” was inserted after Mr. Kumar had installed the security certificate on his system and accessed the fake website https://finance.abcdata.com. Thus the fraud could have been avoided had Mr. Kumar not installed the security certificate on his system and accessed the fake website https://finance.abcdata.com.

It is therefore recommended that the HR & IT departments of ABC Data conduct cyber fraud training & awareness sessions for all employees on a regular basis so that they do not fall prey to phishing or spoofing emails. It is also suggested that internal penetration tests and IT audits be conducted on a regular basis.


VIII. Limitation of Liabilities

In no event shall the firm, its partners, directors or employees (collectively referred to as “the firm”) be liable in contract or tort or under statute or otherwise for any direct, indirect or consequential loss or damage (including loss of profits) suffered by you (or by any other party) arising from or in connection with the services provided under this engagement howsoever the direct, indirect or consequential loss or damage is caused, save for our gross negligence and wilful default. Without prejudice to the aforesaid, our aggregate liability to you or to any other party shall be limited to the amount of 50% of the fees paid to the firm for that portion of the work giving rise to any claim.

The liability of the firm shall be limited to that proportion of the total loss or damage, after taking into account your contributory negligence (if any) or the contributory negligence (if any) of any other party, which is just and equitable having regard to the extent of the responsibility of the firm for the loss or damage concerned and the extent of responsibility of any other party also liable or potentially liable to you in respect of the same loss or damage.

Any claim by you in respect of either or both of the foregoing paragraphs must be made within one year of the date on which the work giving rise to the claim was delivered or, if the engagement has been terminated, within one year of the date of termination.
