Phishers Target Automotive Sales Brands 

Aug 19, 2010 09:58 AM

In the past couple of months, Symantec has observed phishing attacks on legitimate automotive sales brands that are based in the UK and the USA. These brands help customers to sell new and used vehicles such as cars and motorbikes. The legitimate websites also provide customers with the facility to advertise the vehicles they wish to sell.

Several phishing sites were created to harvest customers’ confidential information, and they were hosted on free Web hosting domains. One of the phishing sites stated that the brand was offering customers the opportunity to advertise for free. To take up the free offer, the customer was required to complete a fake identity verification. The verification process prompted for the customer’s email address, the ad’s ID, and a security question with its answer. The fraudsters attempted to convince customers that the phishing page was authentic by displaying the caption “We fight fraud for you!!” In reality, if customers fall victim to the phishing site, the fraudsters will have succeeded in stealing their identities.



A second phishing site stated that the customer’s account was being kept “on-hold” and that he or she had to sign in to re-activate the account. After login information is entered, the page redirects to the legitimate site.



Still other phishing sites using similar scams asked for confidential information, including the customer’s contact details and credit card details. These particular phishing sites stated that the information was required to make a payment towards purchasing the vehicle that had been selected by the customer. The contact details requested included the customer’s name, address, phone number, and email address. The credit card details included the credit card number, card expiration date, and security code. The primary motive behind these phishing attacks was financial gain.



Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:

•    Do not click on suspicious links in email messages.
•    Check the URL of the website and make sure that it belongs to the brand.
•    Type the domain name of your brand’s website directly into your browser’s address bar rather than following any link.
•    Frequently update your security software, such as Norton Internet Security 2010, which protects you from online phishing.
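
The URL check in the second tip can be automated. The following is an added example, not part of the original post: it compares the hostname a link actually points to against the brand's own domain on a label boundary, so a brand name placed in front of a free hosting domain does not pass. The domain names are constructed placeholders, since the post does not name the brands or the hosting services.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the post does not name the affected brands.
BRAND_DOMAINS = {"autosales-brand.example"}


def host_of(url):
    """Return the lower-cased hostname the link actually points to ('' if none)."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        host = parts.hostname or ""
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".").lower()


def belongs_to_brand(url, brand_domains=BRAND_DOMAINS):
    """True only if the host is the brand domain itself or a subdomain of it."""
    host = host_of(url)
    if not host:
        return False
    # Match on a label boundary: "x.brand.example" passes, "notbrand.example" does not.
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def classify(url, brand_domains=BRAND_DOMAINS):
    """Label a link as 'brand', 'imitates-brand', 'other' or 'unparseable'."""
    host = host_of(url)
    if not host:
        return "unparseable"
    if belongs_to_brand(url, brand_domains):
        return "brand"
    # The brand's name appears in a host that the brand does not own.
    names = {d.split(".")[0] for d in brand_domains}
    if any(name in host for name in names):
        return "imitates-brand"
    return "other"


if __name__ == "__main__":
    # Constructed sample links for illustration only.
    samples = [
        "https://www.autosales-brand.example/sell/advert?id=123",
        "http://autosales-brand.freehost.example/verify.html",
        "http://autosales-brand.example.freehost.example/signin",
        "http://freehost.example/autosales-brand.example/payment",
    ]
    for link in samples:
        print(f"{classify(link):15} {link}")
```
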

-----------------------------------

Note: My thanks to co-authors Anand Muralidharan and Ashish Diwakar.
