Improving the effectiveness of phishing bait is always at the top of any phisher's agenda. They prefer bait that reflects enticing subjects in order to catch the attention of as many users as possible. Recently, we have seen phishers moving one step further: in addition to using eye-catching bait, they are compelling users to spread the word for them. In today's example, phishers used free cell phone airtime as the phishing bait.
The phishing site asked Indian Facebook users to verify their account by entering their login credentials in order to receive the fake offer of free cell phone airtime. But the phishers, not content with duping just one user and eager to reach even more, stated that the offer was only valid after the user posted the same offer on the profile pages of a number of friends. The phishers devised this strategy because a message received from a friend is far more convincing than one from an unknown source. In effect, the method enlists unsuspecting users into spamming on the phishers' behalf.
Figure 1. Facebook account verification
Figure 2. "Like us" enticement
Figure 3. Sharing enticement
Figure 4. Sharing enticement and personal information request
The first page of the phishing site asked users to verify their Facebook account, warning them that all information had to be entered correctly. The second page displayed an image of a selection of Indian cell phone network operators and stated that free airtime worth "Rs. 500" would be available after following four additional steps. The steps were essentially to like, subscribe, share, and post the offer to at least 10 friends. Finally, in order to complete the process, the phishing site asked users for personal information including name, email address, cell phone number, network operator, and cellular zone. Any user who fell victim to the phishing site handed the phishers both their Facebook credentials and personal information that could be used for identity theft.
Users are advised to follow best practices to avoid phishing attacks:
- Do not click on suspicious links in email messages
- Do not provide any personal information when answering an email
- Do not enter personal information in a pop-up page or screen
- Ensure the connection to the website is encrypted with an SSL/TLS certificate by looking for the padlock, “https,” or the green address bar before entering personal or financial information
- Use comprehensive security software such as Norton Internet Security or Norton 360, which protects you from phishing scams and social network scams
- Report fake websites and email (for Facebook, send phishing complaints to firstname.lastname@example.org)