#FactCheck-Fake Video of Mass Cheating at UPSC Exam Circulates Online

Introduction

Web applications are essential in various sectors, including online shopping, social networks, banking, and healthcare systems. However, they also pose numerous security threats, including Cross-Site Scripting (XSS), a client-side code injection vulnerability. XSS attacks exploit the trust relationship between users and websites, allowing them to change web content, steal private information, hijack sessions, and gain full control of user accounts without breaking into the core server. This vulnerability is part of the OWASP Top 10 Web Application Security Risks.

‍

What is Cross-Site Scripting (XSS)?

An XSS attack occurs when an attacker injects client-side scripts into web pages viewed by other users. When users visit the affected pages, their browsers naively execute the inserted scripts. The exploit takes advantage of web applications that allow users to submit content without properly sanitising inputs or encoding outputs. These scripts can cause a wide range of damage, including but not limited to stealing session cookies for session hijacking, redirecting users to malicious sites, logging keystrokes to capture credentials, and altering the DOM to display fake or phishing content.

‍

How Does XSS Work?

1. Injection: A malicious user submits code through a website input, like a comment or form.
2. Execution: The submitted code runs automatically in the browsers of other users who view the page.
3. Exploitation:The attacker can steal session information, capture credentials, redirect users, or modify the page content.

The fundamental cause behind the XSS vulnerabilities is the application of:

• Accepting trusted input from the users.  
• After users' input, web pages have the strings embedded without any sanitisation.  
• Not abiding by security policies like Content Security Policy (CSP).  

With such vulnerabilities, attackers can generate malicious payloads like:  <script>alert('XSS');</script>  

‍

This code might seem simple, but its execution provides the attacker with the possibility to do the following:  

• Copy session tokens through hidden HTTP requests.  
• From attacker-controlled domains, load attacker scripts.  
• Change the DOM structure to show fake login forms for phishing.

‍

Types of XSS Attacks: XSS (Cross-Site Scripting) attacks can occur in three main variations: 

1. Stored XSS: This type of attack occurs when an attacker injects an administered payload into the database or a message board. The script then runs whenever a user visits the affected board.
2. Reflected XSS: In this attack, the danger lies in a parameter of the URL. Its social engineering techniques are attacks, in which it requires tricking people to click on a specially designed link. For example:
3. DOM-Based XSS: This technique injects anything harmful without the need for server-side scripts, in contrast to other approaches. It targets JavaScript client-side scripts such as `document.write` and `innerHTML`. Without carrying out any safety checks, these scripts will alter the page's look (DOM stands for Document Object Model). If the hash is given a malicious string, it is run directly within the browser.

‍

What Makes XSS a Threat?  

‍

A Cross-Site Scripting attack is only a primary attack vector, and can lead to significant damage that includes the following: 

• Statement Hijacking. This uses scripts to steal cookies, which are then used to pose as authorized users.  
• Theft of Credentials. Users’ passwords and usernames are wrenched from keystroke trackers.  
• Phishing. Users are prompted with deceitful login forms that are used to capture sensitive details.  
• Website Vandalism. Modified website material lowers the esteem of the brand.  
• Monetary and Legal Consequences. There are compounding effects to GDPR and DPDP Act compliance in case of Data breaches, which incur penalties and fines.  ‍

‍

Incidents in the Real World  

In 2021, an XSS Stored attack occurred on a famous e-commerce platform eBay, through their product review system. The malicious JavaScript code was set to trigger every time an infected product page was accessed by customers. This caused a lot of problems, including account takeovers, unauthorised purchases, and damage to the company’s reputation. This example further worsens the fact that even reputed platforms can be targeted by XSS attacks.

‍‍

How to Prevent XSS?

Addressing XSS vulnerabilities demands attention to detail and coordinated efforts across functions, as illustrated in the steps below:

 Input Validation and Output Encoding:

• Ensure input validation is in place on the client and server.
• Perform output encoding relative to context: HTML: <, >, &.
• JavaScript: Escape quotes and slashes

Content Security Policy (CSP): CSP allows scripts to be executed only from the verified sources, which helps diminish the odds of harmful scripts running on your website. For example, the Header in the code could look to some degree like this: Content-Security-Policy: script-src 'self';

Unsafe APIs should be dodged: Avoid the use of document.write(), innerHTML, and eval(), and make sure to use:

• TextContent for inserting text.
• CreateElement() and other DOM creation methods for structured content.

Secure Cookies: Apply the HttpOnly and Secure cookie flags to block JavaScript access. 

Framework Protections: Use the protective features in frameworks such as:

• React, which escapes data embedded in JSX automatically.
• Angular, which uses context-aware sanitisation.

Periodic Security Assessment:

• Use DAST tools to test the security posture of an application.
• Perform thorough penetration testing and security-oriented code reviews.

‍

‍Best Practices for Developers: Assume a Secure Development Lifecycle (SDLC) integrating XSS stoppage at each point.

• Educate developers on OWASP secure coding guidelines.
• Automate scanning for vulnerabilities in CI/CD pipelines.

‍

‍Conclusion:

To reduce the potential danger of XSS, both developers and companies must be diligent in their safety initiatives, ranging from using Content Security Policies (CSP) to verifying user input. Web applications can shield consumers and the company from the subtle but long-lasting threat of Cross-Site Scripting if security controls are implemented during the web application development stage and regular vulnerability scans are conducted.

‍

References

• https://owasp.org/www-community/attacks/xss/
• https://www.paloaltonetworks.com/cyberpedia/xss-cross-site-scripting
• https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting
• https://www.cloudflare.com/learning/security/threats/cross-site-scripting/

‍

‍

Executive Summary 

A video is being shared on social media claiming to show an avalanche in Kashmir. The caption of the post alleges that the incident occurred on February 6. Several users sharing the video are also urging people to avoid unnecessary travel to hilly regions. CyberPeace’s research found that the video being shared as footage of a Kashmir avalanche is not real. The research  revealed that the viral video is AI-generated.

‍

Claim

‍

The video is circulating widely on social media platforms, particularly Instagram, with users claiming it shows an avalanche in Kashmir on February 6. The archived version of the post can be accessed here. Similar posts were also found online. (Links and archived links provided)

• https://www.instagram.com/reel/DUd8igPEiGe/
• https://archive.is/jzb24 

‍

‍

Fact Check:  

‍

To verify the claim, we searched relevant keywords on Google. During this process, we found a video posted on the official Instagram account of the BBC. The BBC post reported that an avalanche occurred near a resort in Sonamarg, Kashmir, on January 27. However, the BBC post does not contain the viral video that is being shared on social media, indicating that the circulating clip is unrelated to the real incident.

‍

• https://www.instagram.com/reel/DUCyrTjkb-d/

‍

‍

A close examination of the viral video revealed several inconsistencies. For instance, during the alleged avalanche, people present at the site are not seen panicking, running for cover, or moving toward safer locations. Additionally, the movement and flow of the falling snow appear unnatural. Such visual anomalies are commonly observed in videos generated using artificial intelligence. As part of the research , the video was analyzed using the AI detection tool Hive Moderation. The tool indicated a 99.9% probability that the video was AI-generated.
‍

‍

Conclusion

‍

Based on the evidence gathered during our research , it is clear that the video being shared as footage of a Kashmir avalanche is not genuine. The clip is AI-generated and misleading. The viral claim is therefore false.

‍

Introduction

‍

The way we interact, go about our daily lives and manage our financial resources has completely changed in this digital age. Tasks that were earlier done manually (and were extremely time-consuming) now happen in just minutes and seconds. As this convenience expands, so do the risks that come with it. The proliferation of digital technology has opened up a wide arena where we, as users, are getting exposed to a complex environment of emerging cyber threats at every step. This has become especially true for our senior citizens, who face heightened vulnerabilities owing to their age and situational factors. Therefore, getting an understanding of these risks and knowing how to respond to them is no longer optional.

‍

Cybercrime against senior citizens is rising every year. The elderly today are using and depending on smartphones, net banking, UPI (Unified Payments Interface) and social media more than ever. Scammers are preying on this circumstance and perpetrating well-planned cyber attacks on the senior population. A 2024 report from the United States Federal Trade Commission (FTC) that analysed cybercrime data for the year 2023 found that older adults lost more money per incident as opposed to the younger population. 

‍

This blog aims at providing practical and easy-to-follow cyber safety tips for senior citizens and a clear action plan on how to respond if they ever fall victim to a scam.

‍

Safe and Smart Browsing for the Elderly: Essential Cybersecurity Tips

‍

1. Device safety: Cybersecurity can be ensured with one simple rule, which is securing your device first. This is the first line of defence against cybercrime and can go a long way in preventing online attacks and scams. This device security can be established by using screen locks such as setting up a PIN, lock patterns, fingerprints, or even applying the face lock feature on smartphones and tablets. 

‍

The next step is to install a reputable antivirus on your device (such as laptops and desktops) and keep updating it from time to time. Enabling additional security features in your devices, such as ‘automatic updates’, further ensures that the phone’s Operating System (OS) and the Applications (apps) remain up to date. This guarantees that the device’s OS and the apps are fully upgraded to catch and fix any new security threats. Users should also beware of any unauthorised software. Suspicious links or messages that offer free software or updates should be avoided at all costs. 

‍

The Government of India’s 2024 cyber safety booklet also stresses the importance of keeping devices and apps equipped with the latest security patches to prevent exploitation of any known vulnerabilities. 

‍

2. Robust Passwords and 2FA: Weak passwords are one of the easiest entry points for cybercriminals. This is why it is crucial to have strong and robust passwords to keep accounts and devices absolutely secure. It is also important to make sure to avoid using very basic PINs, such as date of birth or predictable ascending digits such as ‘12345’. Also, similar passwords should not be used across various bank, email or social media accounts. While creating a strong password, ideally, one should use a combination of upper case and lower case letters along with mixed digits and special characters. If need be, one can jot down these complex passwords in a separate physical diary to keep a record and refer to it in case of forgetfulness. 

‍

Enabling two-factor authentication adds an extra layer of protection. Whenever and wherever possible, users should enable OTP (one-time password) based verification or app-based authentication codes. In case someone does end up stealing the user’s password, they would still need the second factor to log in.

‍

The Government of India supported the Information Security Education and Awareness (ISEA) initiative, which also provides guidelines that recommend the use of passwords and secure authentication as key cyber safety practices for senior citizens.

‍

3. Handle messages with caution: Most cybercrime instances against senior citizens are initiated with a phone call, an SMS or a WhatsApp message. Personal details such as OTPs, CVV (3-digit number on the back of a debit/credit card), ATM or UPI PIN, full debit/credit card number, net banking ID and password, etc., should never be shared over a call or a chat. Also, people need to be aware of the fact that genuine officials will never make any demands for such details over calls or messages. ISEA has specifically warned about frauds like phishing, where fraudsters call or message their victims pretending to be from banks, courier companies, telecom operators or from the government to trick seniors into revealing their personal details.

‍

A caller might say ‘Your KYC can get blocked, give OTP now’ or ‘Your card will get deactivated, click this link’. Hang up immediately! Do not click any links, do not share any number and do not install any app that they suggest (eg. remote access apps).

‍

4. Banking without worries: Online banking is truly a boon, especially for senior citizens. It eliminates the need to visit the bank in person for every small requirement. But this comfort and ease can serve us well only if we use it with a certain sense of vigilance and responsibility. 

‍

Users are advised to use only official banking apps that are downloaded from Google Play Store or the Apple App Store. It is also prudent to activate SMS or email alerts for all online transactions so that the user receives timely notifications of any withdrawal or transfer. Users should also avoid using public Wi-Fi connections for banking or UPI payments. It is better  to use your own mobile data or a home Wi-Fi with a strong password. This safeguards your financial transactions. India has a system in place called the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS) that quickly responds to online financial fraud, especially with regards to UPI and net banking frauds.

‍

5. Think before you share: Beyond online banking and other essential activities on the web, lies the world of social media which has seamlessly woven itself into our daily routines. Therefore, gaining awareness about the safe usage of social media is extremely important. For starters, users should keep the privacy settings of their social media accounts as ‘Private’. They should also be mindful of accepting friend requests from strangers or unknown profiles, even if they claim that they know the user. Users must also avoid ‘oversharing’ on public platforms and social media accounts. It is always best to refrain from posting about personal details on social media such as finances, travel schedules or addresses. If a user receives urgent messages from a close friend or a relative asking for money, then it is better to first call them up directly to verify that the request is genuine. 

‍

The older generation should also be wary of fraudsters who, under false identities, build emotional relationships online and then start demanding money, gifts or even private photos from their victims. 

‍

6. Stay a step ahead: Lastly, senior users can stay a step ahead in this game by familiarising themselves with the typical scams that are targeted towards their age group. This know-how will prepare them to identify scam patterns and early warning signs. Discussing experiences or sharing knowledge with family members or peers can also help seniors bridge the gap between awareness and action.

Fallen for a scam? Don’t panic! Here’s what seniors should do next: An action plan for recovery and protection

‍

We are all human at the end of the day. Anyone can fall for a scam, even the most careful people. The important thing is how to ‘respond’ after getting scammed. As per the 2023 Internet Crime Complaint Center (IC3) Elder Fraud Report, prompt reporting after a scam can improve the chances of either freezing or retrieving the stolen money. If you have fallen for a scam, here is what you should do:

‍

1. Keep calm and disconnect: Though it may feel challenging, but the first instinct that victims should display is to keep their calm and hang up the phone. The victim should then block the number and refrain from responding to any further emails or messages. Any remote access app, screen sharing app or a support tool that were installed at the request of the caller, should be instantly uninstalled.

‍

2. Alert your bank right away: Time is of the essence when it comes to online financial frauds. If a user has been scammed and he is aware of it, then he should immediately call the official customer care number of his bank. It is to be noted here that this number should be verified from the bank’s website or from the user’s credit/debit card. Once the user is connected to the bank’s support staff, he should inform them clearly that he has been a victim of an online fraud. The support staff may guide the user regarding the options that he can undertake. These can be: blocking the cards, freezing the account or an attempt from the bank’s interface to try and stop or recall the recent transaction. 

‍

The Reserve Bank of India (RBI) has laid down certain guidelines on unauthorised electronic banking transactions that encourage quick reporting and provide a steady framework for customer liability. Also, if in case a victim feels that the bank’s response has been unsatisfactory, the complaints can be further escalated to the RBI Ombudsman.

‍

3. Reset online credentials: Once the victim has spoken to the bank and taken all necessary steps in that regard, the next step is to reset the passwords. Passwords for netbanking, UPI apps, email accounts, social media, shopping platforms, etc., should all be changed. The victim can also turn on two factor authentication for all important accounts. Incase some critical information like PAN (Permanent Account Number) or Aadhar or SSN (Social Security Number ) has been shared, the victim should be on the lookout for any identity theft in the form of unknown loans, new cards or credit enquiries. 

‍

4. Notify official cybercrime portals or authorities: The next step is to inform the relevant cybercrime authorities in your region. In India there is a government backed National Cyber Crime Helpline which is a part of the Financial Cyber Fraud Reporting and Management System. The aim of the helpline is to prevent further losses in digital payment frauds. Victims can also file a complaint on the National Cyber Crime Reporting portal. Other than these options, the victim can visit the nearest police station along with copies of their online complaint, bank statements, transaction receipts and ID proofs. 

‍

In the US, such complaints can be lodged with the IC3 which runs a specialised elder fraud program. The IC3 also publishes the annual Elder Fraud Report and lays down latest guidelines and trends regarding cybercrime.

‍

5. Preserve proofs of the scam: The IC3’s 2023 report notes that detailed and prompt reporting by the victim enables law enforcement and financial institutions to deploy ‘Financial Fraud Kill Chain’ procedures that help in tracing or freezing stolen funds. This is why it is very important to preserve the evidence of a cyber scam. Proper documentation can help banks and law enforcement agencies to properly investigate a case. If possible, the victim should save all messages, WhatsApp chats, emails, screenshots and voice recordings. Establishing a clear timeline of the events also helps. Minute details such as: when the first call was received, what was said and when the money exited the victim’s account, significantly help in piecing together the full picture. Victims should also keep a record of all bank statements and transaction alert messages related to the fraudulent activity. 

‍

6. Helping seniors heal: Apart from monetary damage, the emotional impact of a scam should also be acknowledged. Getting scammed can be deeply humiliating for senior citizens, especially at their age where everyday life may already feel quite overwhelming. Also, when it comes to their lifelong savings, the ramifications of becoming a victim of an online financial scam can be quite distressing for seniors. The US Department of Justice’s elder fraud content emphasises on the fact that senior victims need ample emotional support and should not be blamed or shamed for their predicament.

‍

Families and caregivers can guide the elderly victims step by step through the recovery process which includes taking the necessary technical steps, filling out forms and following up with banks or authorities. For large value frauds, repeated targeting or cases that involve identity theft, getting a legal consult for the victim is highly advisable. This kind of support and reassurance can help seniors reduce their anxiety and regain their inner strength.

‍

Secure today, safe tomorrow

‍

The rate of cybercrime against senior citizens isn’t showing any signs of slowing down. Scammers are refining their techniques every day. Therefore, the best long standing defence against cybercrime is to make cyber safety a regular habit. This can be achieved with the support of families, caregivers and communities. Beyond the practical steps, spreading awareness and maintaining an open dialogue is equally important. Senior citizens should feel comfortable asking questions, sharing concerns and continue learning from experiences, be it theirs or of others. Reinforcement of safe online practices should become ingrained at the core of every society. When cybersecurity practices merge with everyday life, seniors gain both protection and confidence. Simple and steady digital safety practices that come with guidance and reassurance empower the seniors to enjoy the benefits of technology without fear.

Simply put, the habits that are adopted today will lay the foundation for a secure and safer digital tomorrow.

‍

References  

• https://bankingjournal.aba.com/2024/11/ftc-older-adults-lost-up-to-61-5b-to-fraud-in-2023/
• https://www.cert-in.org.in/PDF/CSH_Booklet.pdf
• https://infosecawareness.in/concept/cyber-security-tips-for-senior-citizens
• https://cybercrime.gov.in/UploadMedia/instructions_citizenreportingcyberfrauds.pdf
• https://www.ic3.gov/annualreport/reports/2023_ic3elderfraudreport.pdf
• https://www.arklegal.in/post/how-to-report-cyber-crime-in-india
• https://www.pib.gov.in/Pressreleaseshare.aspx?PRID=1814120
• https://cybercrime.gov.in/Webform/crmcondi.aspx
• https://www.justice.gov/archives/stopfraud-archive/elder-fraud-and-financial-exploitation
• https://www.ftc.gov/system/files/ftc_gov/pdf/federal-trade-commission-protecting-older-adults-report_102024.pdf
• https://www.unionbankofindia.bank.in/pdf/cyber-security-customer-awareness-guide-vol-v.pdf
• https://cdnbbsr.s3waas.gov.in/s371e09b16e21f7b6919bbfc43f6a5b2f0/uploads/2024/11/20241111752149945.pdf
• https://www.dsci.in/files/content/documents/2024/CSAM24-Infographic_Cyber-Safety-Essentials-for-Senior-Citizens-v1.pdf

‍