Advisory for APS School Students
Pretext
The Army Welfare Education Society has informed the Parents and students that a Scam is targeting the Army schools Students. The Scamster approaches the students by faking the voice of a female and a male. The scamster asks for the personal information and photos of the students by telling them they are taking details for the event, which is being organised by the Army welfare education society for the celebration of independence day. The Army welfare education society intimated that Parents to beware of these calls from scammers.
The students of Army Schools of Jammu & Kashmir, Noida, are getting calls from the scamster. The students were asked to share sensitive information. Students across the country are getting calls and WhatsApp messages from two numbers, which end with 1715 and 2167. The Scamster are posing to be teachers and asking for the students’ names on the pretext of adding them to the WhatsApp Groups. The scamster then sends forms links to the WhatsApp groups and asking students to fill out the form to seek more sensitive information.
Do’s
- Do Make sure to verify the caller.
- Do block the caller while finding it suspicious.
- Do be careful while sharing personal Information.
- Do inform the School Authorities while receiving these types of calls and messages posing to be teachers.
- Do Check the legitimacy of any agency and organisation while telling the details
- Do Record Calls asking for personal information.
- Do inform parents about scam calling.
- Do cross-check the caller and ask for crucial information.
- Do make others aware of the scam.
Don’ts
- Don’t answer anonymous calls or unknown calls from anyone.
- Don’t share personal information with anyone.
- Don’t Share OTP with anyone.
- Don’t open suspicious links.
- Don’t fill any forms, asking for personal information
- Don’t confirm your identity until you know the caller.
- Don’t Reply to messages asking for financial information.
- Don’t go to a fake website by following a prompt call.
- Don’t share bank Details and passwords.
- Don’t Make payment over a prompt fake call.
Related Blogs
.webp)
Introduction
Personalised advertisements deploy a mechanism that derives from the collection of the user’s data. Although it allows for a more tailored user experience, one cannot ignore the method through which this is achieved. Recently, as per a report by the Indian Express on 13th November 2024, Meta has come up with a less personalised ad option on Facebook and Instagram for its users in the European Union (EU). This was done due to the incompatibility of their previous ad offer with the EU’s Digital Markets Act (DMA).
Relevant Legislation
In October 2023, Meta came up with a “Pay or Consent” option for their users in the EU. It gave the users two options: either to pay a monthly subscription fee to avail of the ad-free usage variant of Facebook and Instagram, or to give consent to see personalised ads based on the user’s data. This consent model was introduced in their attempts to comply with the EU’s DMA. However, this was found to be incompatible with the said mandate, according to the EU regulators, as they believed that the users should not only have the option to consent to ads but also have access to less personalised but equivalent alternatives. It is this decision that pushed Meta to come up with less personalised ad options for users in the EU. The less-personalised ad option claims to rely on limited data and show ads that are only based on the context of what is being viewed i.e. during a Facebook or Instagram session requiring a minimum set of data points such as location, age, gender, and the user’s engagement with the ads. However, choosing this option also allows for such ads to be less skippable.
The EU’s Digital Markets Act came into force on November 1, 2022. The purpose was to make the digital marketing sector fairer and in doing so, identify what they consider to be “Gatekeepers” (core platform services such as messenger services, search engines, and app stores) and a list of do’s and don’ts for them. One of them, applicable to the case mentioned above, is the effective consent required by the user in case the gatekeeper decides to target advertisements enabled by tracking the users' activity outside the gatekeeper's core platform services.
The Indian Context
Although no such issues have been raised in India yet, it is imperative to know that in the Indian context, the DPDP (Digital Personal Data Protection) Act 2023 governs personal data regulation. This includes rules for Data Fiduciaries (those who, alone or in partnership with others, determine the means and purpose of processing personal data), the Data Principal (those who give data), Consent Managers, and even rules regarding processing data of children.
CyberPeace Recommendations:
At the level of the user, one can take steps to ensure limited collection of personal data by following the mentioned steps:
- Review Privacy Settings- Reviewing Privacy settings for one’s online accounts and devices is a healthy practice to avoid giving unnecessary information to third-party applications.
- Private Browsing- Browsing through private mode or incognito is encouraged, as it prevents websites from tracking your activity and personal data.
- Using Ad-blockers- Certain websites have a user option to block ads when the user first visits their page. Availing of this prevents spam advertisements from the respective websites.
- Using VPN- Using Virtual Private Networks enables users to hide their IP address and their data to be encrypted, preventing third-party actors from tracking the users' online activities
- Other steps include clearing cookies and cache data and using the location-sharing feature with care.
Conclusion
Meta’s compliance with the EU’s DMA signals that social media platforms cannot circumnavigate their way around rules. Balancing the services provided while respecting user privacy is of the utmost importance. The EU has set precedence for a system that respects this and can be used as an example to help set guidelines for how other countries can continue to deal with similar issues and set standards accordingly.
References
- https://indianexpress.com/article/technology/tech-news-technology/meta-less-personalised-ads-eu-regulatory-demands-9667266/
- https://rainmaker.co.in/blog/view/the-price-of-personalization-how-targeted-advertising-breaches-data-privacy-and-challenges-the-gdprs-shield
- https://www.infosecurity-magazine.com/magazine-features/fines-data-protection-violations/
- https://www.forbes.com/councils/forbestechcouncil/2023/09/01/the-landscape-of-personalized-advertising-efficiency-versus-privacy/
- https://iapp.org/news/a/pay-or-consent-personalized-ads-the-rules-and-whats-next
- https://economictimes.indiatimes.com/news/how-to/how-to-safeguard-privacy-in-the-era-of-personalised-ads/articleshow/102748711.cms?from=mdr
- https://www.business-standard.com/technology/tech-news/facebook-instagram-users-in-europe-can-opt-for-less-personalised-ads-124111201558_1.html
- https://digital-markets-act.ec.europa.eu/about-dma_en
.webp)
Data has become a critical asset for the advancement of a nation’s economic, social, and technological development. India’s emergence as a global digital economy hub makes it necessary to create a robust framework that addresses the challenges and opportunities of digital transformation. The Indian government introduced the Draft National Data Governance Framework Policy in 2022, aiming to create a comprehensive data handling and governance framework. This policy draft addresses key challenges in data management, privacy, and digital economy growth. As per the recent media reports, the Draft National Data Governance Policy so prepared is under the finalisation stage, the government specified in its implementation document for the Budget 2023-24 announcement. The policy also aims to address the country's AI adoption and the issue of lack of datasets by providing widespread access to anonymized data.
Background and Need for the Policy
India has a robust digital economy with its adoption of the Digital India Initiative, Aadhaar digital identification, UPI for seamless payments and many more. In India, 751.5 million people connect to the internet, and is home to 462.0 million social media users in January 2024, equivalent to 32.2% of its total population (Data Reportal 2024). This has brought challenges including data privacy concerns, cybersecurity threats, digital exclusion, and a need for better regulation frameworks. To overcome them, the Draft National Data Governance Policy has been designed to provide institutional frameworks for data rules, standards, guidelines, and protocols for the sharing of non-personal data sets in a manner that ensures privacy, security, and trust so that they remain secure, transparent, and accountable.
Objectives omphasizesf the Framework
The objective of the Framework Policy is to accelerate Digital Governance in India. The framework will standardize data management and security standards across the Government. It will promote transparency, accountability, and ownership in Non-Personal data and dataset access and build a platform to receive and process data requests. It will also set quality standards and promote the expansion of the datasets program and overall non-personal ecosystem. Further, it aims to build India’s digital government goals and capacity, knowledge, and competency in Government departments and entities. All this would be done while ensuring greater citizen awareness, participation, and engagement.
Key Provisions of the Draft Policy
The Draft Framework Policy aims to establish a cohesive digital governance ecosystem in India that balances the need for data utilization with protecting citizens' privacy rights. It sets up an institutional framework of the "India Data Management Office (IDMO) set up under the Digital India Corporation (DIC) which will be responsible for developing rules, standards, and guidelines under this Policy.
The key provisions of the framework policy include:
- Promoting interoperability among government digital platforms, ensuring data privacy through data anonymization and security, and enhancing citizen access to government services through digital means.
- The policy e the creation of unified digital IDs, a standardisation in digital processes, and data-sharing guidelines across ministries to improve efficiency.
- It also focuses on building digital infrastructure, such as cloud services and data centres in order to support e-governance initiatives.
- Furthermore, it encourages public-private partnerships and sets guidelines for accountability and transparency in digital governance.
Implications and Concerns of the Framework
- The policy potentially impacts data sharing in India as it mentions data anonymization. The scale of data that would need to be anonymised in India is at a very large scale and it could become a potential challenge to engage in.
- Data localization and cross-border transfers have raised concerns among global tech companies and trade partners. They argue that such requirements could increase operational costs and hinder cross-border data flows. Striking a balance between protecting national interests and facilitating business operations remains a critical challenge.
- Another challenge associated with the policy is over-data centralization under the IDMO and the potential risks of government overreach in data access.
Key Takeaways and Recommendations
The GDPR in the European Union and the Digital Personal Data Protection Act passed in 2023 in India and many others are the data privacy laws in force in different countries. The policy needs to be aligned with the DPDP Act, 2023 and be updated as per the recent developments. It further needs to maintain transparency over the sharing of data and a user’s control. The policy needs engagement with industry experts, privacy advocates, and civil society to ensure a balance of innovation with privacy and security.
Conclusion
The Draft National Data Governance Framework Policy of 2022 represents a significant stage in shaping India's digital future. It ensures the evolution of data governance evolves alongside technological advancements. The framework policy seeks to foster a robust digital ecosystem that benefits citizens, businesses, and the government alike by focusing on the essentials of data privacy, transparency, and security. However, achieving this vision requires addressing concerns like data centralisation, cross-border data flows, and maintaining alignment with global privacy standards. Continued engagement with stakeholders and necessary updates to the draft policy will be crucial to its success in balancing innovation with user rights and data integrity. The final version of the policy is expected to be released soon.
References
- https://meity.gov.in/writereaddata/files/National-Data-Governance-Framework-Policy.pdf
- https://datareportal.com/?utm_source=DataReportal&utm_medium=Country_Article_Hyperlink&utm_campaign=Digital_2024&utm_term=India&utm_content=Home_Page_Link
- https://www.imf.org/en/Publications/fandd/issues/2023/03/data-by-people-for-people-tiwari-packer-matthan
- https://inc42.com/buzz/draft-national-data-governance-policy-under-finalisation-centre/
- https://legal.economictimes.indiatimes.com/news/industry/government-unveiled-national-data-governance-policy-in-budget-2023/97680515
Executive Summary:
Recently, CyberPeace faced a case involving a fraudulent Android application imitating the Punjab National Bank (PNB). The victim was tricked into downloading an APK file named "PNB.apk" via WhatsApp. After the victim installed the apk file, it resulted in unauthorized multiple transactions on multiple credit cards.
Case Study: The Attack: Social Engineering Meets Malware
The incident started when the victim clicked on a Facebook ad for a PNB credit card. After submitting basic personal information, the victim receives a WhatsApp call from a profile displaying the PNB logo. The attacker, posing as a bank representative, fakes the benefits and features of the Credit Card and convinces the victim to install an application named PNB.apk. The so called bank representative sent the app through WhatsApp, claiming it would expedite the credit card application. The application was installed in the mobile device as a customer care application. It asks for permissions such as to send or view SMS messages. The application opens only if the user provides this permission.
It extracts the credit card details from the user such as Full Name, Mobile Number, complain, on further pages irrespective of Refund, Pay or Other. On further processing, it asks for other information such as credit card number, expiry date and cvv number.
Now the scammer has access to all the details of the credit card information, access to read or view the sms to intercept OTPs.
The victim, thinking they were securely navigating the official PNB website, was unaware that the malware was granting the hacker remote access to their phone. This led to ₹4 lakhs worth of 11 unauthorized transactions across three credit cards.
The Investigation & Analysis:
Upon receiving the case through CyberPeace helpline, the CyberPeace Research Team acted swiftly to neutralize the threat and secure the victim’s device. Using a secure remote access tool, we gained control of the phone with the victim’s consent. Our first step was identifying and removing the malicious "PNB.apk" file, ensuring no residual malware was left behind.
Next, we implemented crucial cyber hygiene practices:
- Revoking unnecessary permissions – to prevent further unauthorized access.
- Running antivirus scans – to detect any remaining threats.
- Clearing sensitive data caches – to remove stored credentials and tokens.
The CyberPeace Helpline team assisted the victim to report the fraud to the National Cybercrime Portal and helpline (1930) and promptly blocked the compromised credit cards.
The technical analysis for the app was taken ahead and by using the md5 hash file id. This app was marked as malware in virustotal and it has all the permissions such as Send/Receive/Read SMS, System Alert Window.
In the similar way, we have found another application in the name of “Axis Bank” which is circulated through whatsapp which is having similar permission access and the details found in virus total are as follows:
Recommendations:
This case study implies the increasingly sophisticated methods used by cybercriminals, blending social engineering with advanced malware. Key lessons include:
- Be vigilant when downloading the applications, even if they appear to be from legitimate sources. It is advised to install any application after checking through an application store and not through any social media.
- Always review app permissions before granting access.
- Verify the identity of anyone claiming to represent financial institutions.
- Use remote access tools responsibly for effective intervention during a cyber incident.
By acting quickly and following the proper protocols, we successfully secured the victim’s device and prevented further financial loss.
