Fake applications offered by phishing sites continue to appear. In December 2012, a fake app was seen that was titled, “Facebook 2013 demo”. Social networking users in India were most likely targeted in this phishing attack because the phishing URL consisted of certain words in Hindi. The phishing site was hosted on a free Web-hosting site.
The phishing site spoofed the login page of Facebook and the page contents were altered to promote the fake application. A message in the phishing page stated that users could use their existing Facebook accounts to access the application and that they did not need to create a new account. Of course, such a message was added to the phishing page because phishers wanted users to enter their primary login credentials. Towards the right hand side of the phishing page there were instructions on how to access the application. The poorly worded phishing page explained the instructions in three steps, along with a note. The first two steps told users to logout of Facebook and then login to the phishing site. The third step mentioned that users would see the 2013 version of Facebook for a span of 24 hours, and the note indicated that after 24 hours it would revert back to the previous version. In reality, after the login credentials were entered, users were redirected to the legitimate Facebook login page. If users fell victim to the phishing site, phishers would have successfully stolen their information for identity theft.
Internet users are advised to follow best practices to avoid phishing attacks:
- Do not click on suspicious links in email messages
- Do not provide any personal information when answering an email
- Do not enter personal information in a pop-up page or screen
- Ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar when entering personal or financial information
- Update your security software (such as Norton Internet Security 2012) frequently which protects you from online phishing
- Report fake websites and email (for Facebook, send phishing complaints to firstname.lastname@example.org)