Online File Transfer Fraud 

May 24, 2010 06:55 PM

In May 2010, a phishing website was observed spoofing a leading, legitimate brand that provides online file transfer services. These services help people send, receive, or host large files. Email messages typically limit the size of file attachments, so online file transfer is often used as an alternative for sending large files. To transfer a file online, customers enter the recipient’s email address, select the required file, and click “send.” The recipient then receives a notification containing a URL from which the file can be downloaded. The legitimate brand offers the service free of cost for files within a certain size limit and requires a paid account for larger files.

In the past, there have been several phishing attacks on brands that provide file hosting. However, this is the first instance of a phishing attack on a brand that provides file transfers in addition to file hosting.




Spam email was sent with a link to the phishing site, claiming that the customer had received a file for download. The phishing site prompted customers for their login credentials. After the credentials were entered, the phishing site redirected to the legitimate site. If the fraudsters succeed in stealing login credentials, they can freely use the service for hosting or transferring large files. This leaves the customers’ accounts with a zero balance for file hosting space. Therefore, unlike a typical phishing site, this one wasn't created with a motive of financial gain, but customers may end up losing the service that they have paid for. The phishing site was created on a free webhosting service based in the USA.

Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:
•    Do not click on suspicious links in email messages.
•    Check the URL of the website and make sure that it belongs to the brand.
•    Type the domain name of your brand’s website directly into your browser’s address bar rather than following any link.
•    Frequently update your security software, such as Norton Internet Security 2010, which protects you from online phishing.
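
The URL check in the second tip can be automated, for instance in a mail filter that inspects links in "you have received a file" notifications. The following is an added example, not part of the original post; the brand domain, the free-hosting domain, and the function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the brand's genuine registered domain (placeholder value).
BRAND_DOMAINS = {"filetransfer.example"}


def normalized_host(url):
    """Return the lowercase ASCII host a browser would connect to, or None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname  # drops any "user@" prefix and the port
    if not host:
        return None
    host = host.rstrip(".")  # a trailing dot names the same host
    try:
        # Punycode-encode internationalized names so look-alike Unicode
        # letters can never compare equal to the ASCII brand name.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host.lower()


def belongs_to_brand(url, brand_domains=BRAND_DOMAINS):
    """True only if the host is a brand domain or a subdomain of one."""
    host = normalized_host(url)
    if host is None:
        return False
    # Match on a label boundary: "x.brand" passes, "notbrand" and
    # "brand.freehost.test" do not.
    return any(host == d or host.endswith("." + d) for d in brand_domains)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a notification email.
    samples = [
        "https://www.filetransfer.example/download?id=1",
        "http://filetransfer.example.freehost.test/login",
        "https://filetransfer.example@freehost.test/",
        "https://notfiletransfer.example/",
        "https://filetr\u0430nsfer.example/",  # Cyrillic "a" look-alike
    ]
    for link in samples:
        print("OK     " if belongs_to_brand(link) else "SUSPECT", link)
```

Only the first sample passes; the others place the brand name in a subdomain of another host, in the userinfo part, inside a longer name, or in look-alike characters.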

==================

Note: My regards to Ashish Diwakar, co-author of this blog.
