Co-Author: Avdhoot Patil
Symantec is familiar with phishing sites that promote fake offers for mobile airtime. In December 2011, phishing sites using these fake offers as bait returned. The phishing sites were hosted on free web hosting services.
When end users enter the phishing site, they receive a pop-up message stating they can obtain a free recharge of Rs. 100:
Upon closing the pop-up message, users arrive at a phishing page that spoofs the Facebook login page. The contents of the page are altered to make it look as though the social networking site is giving away free mobile airtime. A list of 12 popular mobile phone services from India is displayed with their brand logos. Once the page completes loading, the theme songs for each of these mobile services play, one after the other.
This phishing page gives a long (fake) offer description. According to the description, users are required to enter their login credentials to receive the free airtime offer. The description further states with pride that the site is the first ever to provide this offer and reminds users that it is always free. In reality, if users enter their credentials, the phishing page redirects to a legitimate web retailer that sells mobile airtime online. The redirect is there to mislead users into believing that a valid login has taken place and so avoid suspicion. If users do fall victim to these phishing sites, phishers will have successfully stolen their information for identity theft purposes.
Users should be careful. In the fake login below (in blue and purple text) you can see the claims of free airtime:
The URLs on the phishing page also contained text intended to lead users to believe that this social networking website has a relationship with online mobile airtime recharging. Examples:
http://www.******.******.com/Facebook-rc/facebook2011.html [Domain name removed]
http://free-r3charg3.******.cc/facebook2011.html [Domain name removed]
http://free-rechargess.******.cc/recharge/1/3.php [Domain name removed]
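The URL pattern above (the brand name and offer words placed on unrelated free-hosting domains, sometimes with digits swapped for letters as in "r3charg3") can be scored with a simple heuristic for mail or proxy filtering. This is an added example, not Symantec's code: the sample URLs are constructed with placeholder `.example` hosts, and the word lists, weights and function names are assumptions.

```python
from urllib.parse import urlsplit

BRAND_HOSTS = ("facebook.com",)          # assumption: the brand's real login hosts
BRAND_WORDS = ("facebook",)
LURE_WORDS = ("free", "recharge")        # offer words seen in the URLs above
LEET = str.maketrans("013457", "oieast")  # undo swaps such as r3charg3 -> recharge

def score_url(url):
    """Return (score, reasons); a higher score means more phishing-like."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # A brand word on the brand's own host (or a subdomain of it) is expected.
    if any(host == h or host.endswith("." + h) for h in BRAND_HOSTS):
        return 0, []
    raw = host + parts.path.lower()
    plain = raw.translate(LEET)
    score, reasons = 0, []
    for word in BRAND_WORDS:
        if word in plain:
            score += 2
            reasons.append(f"brand '{word}' on non-brand host")
    for word in LURE_WORDS:
        if word in plain:
            score += 1
            reasons.append(f"lure '{word}'")
    # Words that only appear after undoing digit swaps were deliberately hidden.
    hidden = [w for w in BRAND_WORDS + LURE_WORDS if w in plain and w not in raw]
    if hidden:
        score += 2
        reasons.append("digit substitution hides " + ", ".join(hidden))
    return score, reasons

def triage(urls, threshold=2):
    """Return the URLs whose score meets the threshold, highest first."""
    scored = [(score_url(u)[0], u) for u in urls]
    return [u for s, u in sorted(scored, reverse=True) if s >= threshold]

# Constructed samples that mirror the shapes of the redacted URLs above.
SAMPLES = [
    "http://www.user.hosting.example/Facebook-rc/facebook2011.html",
    "http://free-r3charg3.hosting.example/facebook2011.html",
    "http://free-rechargess.hosting.example/recharge/1/3.php",
    "https://www.facebook.com/login.php",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(score_url(u), u)
```

Substring matching on lure words will also flag legitimate recharge retailers, so a score like this is a triage signal to combine with domain reputation, not a verdict on its own.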
Here are a few best practices for Facebook users to combat these threats: