Contributor: Avdhoot Patil
The internet can be a dangerous place, with security threats lurking from every direction, and it gets worse when threats meld together. Phishing today is a major part of cybercrime, and phishers have recently taken an interest in combining it with other security threats. This year has seen threats such as malware and spam fused with phishing, for instance. The recent use of malware in bogus apps is a good example.
This month, malware was used yet again in a phishing site spoofing Facebook. This phishing site offers a fake app devised to entice Android and iPhone users and was hosted on servers based in Paris, France, with pages in the French language.
A phishing site always comes with bait, but phishers keep crafting new bait because they don't want users to become familiar with the same old lures. This time, the bait was an offer claiming that the fake app would let users log in to Facebook from their iPhone or Android phones without using a password.
Figure 1. Phishing site offers fake Facebook app
The fake offer claimed to be for a free trial period of 24 hours. Below the offer was a button whose label translates to “Continue”. Clicking the button led users to an instruction page.
Figure 2. Instructions to gain access to the fake app
The instructions read as follows:
- Users are required to complete a form with personal information.
- Users have to select either the iPhone or the Android app, and then download it.
- Users can access the application as soon as it is first installed.
- After the 24 hour free trial period, the app will get blocked automatically.
- After the trial period, users will receive an email with a payment option for the app. Users can then accept or uninstall the application.
Figure 3. Request for personal information
After reading the instructions and clicking the “Continue” button, users reached a phishing page that asked for their names, email addresses, and passwords. The phishing site states that by installing the app, users agree to use it in accordance with the law.
The following are the reasons the phishing site gives for requiring the personal information:
- An email address is required so that the user can receive an activation code for the first 24 hours.
- A password is required in order to access the iPhone or Android application.
Figure 4. Malicious download imitating mobile app install
The next phishing page displayed Android and iPhone logos as the download links for the app. Clicking either link produced a download prompt for a file named iphone.zip.exe or android.phone.exe. In reality, there is no Android or iPhone app at all: the downloads are Windows malware, which Symantec detects as Backdoor.Breut, and the Android and iPhone logos are used only to lure users into installing it.
Symantec has analyzed this particular malware and identified the following behavior:
- The malware is identified as a Darkcomet RAT.
- The malware does not perform a network connection.
- The configuration of the command-and-control server (C&C) is set as “127.0.0.1:1604” which is the local loopback address.
- The malware doesn't connect to any external server.
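A defender-side check for the trick described above, where a file offered as a "mobile app" is really a Windows executable hiding behind a double extension. This is an added example, not part of Symantec's analysis or its tooling; the filenames match the ones on this page, while the byte samples are constructed in the code and are not real malware.

```python
import struct

# Extensions Windows runs directly; a genuine iPhone/Android package never ends in one.
WINDOWS_EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif"}
# Mobile-platform words the lure page used to make the executables look like phone apps.
MOBILE_LURE_WORDS = ("iphone", "android", "ipad", "phone", "apk", "ipa")

def suspicious_filename(name: str) -> list:
    """Reasons a download name looks like a Windows executable dressed up as a mobile app."""
    parts = name.lower().split(".")
    reasons = []
    if len(parts) < 2 or parts[-1] not in WINDOWS_EXEC_EXTS:
        return reasons  # not a Windows executable by name, nothing to flag here
    reasons.append("windows-executable")
    if len(parts) >= 3:  # e.g. iphone.zip.exe: the inner ".zip" hides the real ".exe"
        reasons.append("double-extension")
    if any(word in name.lower() for word in MOBILE_LURE_WORDS):
        reasons.append("mobile-platform-lure")
    return reasons

def is_windows_pe(head: bytes) -> bool:
    """True if the first bytes are a DOS 'MZ' stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_download(name: str, head: bytes) -> dict:
    """Combine the name and content checks; block when the content is a PE or the name
    pairs a mobile-platform lure with a Windows executable extension."""
    reasons = suspicious_filename(name)
    if is_windows_pe(head):
        reasons.append("pe-header")
    block = "pe-header" in reasons or "mobile-platform-lure" in reasons
    return {"name": name, "reasons": reasons, "block": block}

# Constructed sample inputs (not real malware): a minimal MZ/PE header and a ZIP/APK header.
FAKE_PE_HEAD = bytearray(0x44)
FAKE_PE_HEAD[:2] = b"MZ"
struct.pack_into("<I", FAKE_PE_HEAD, 0x3C, 0x40)   # e_lfanew -> offset 0x40
FAKE_PE_HEAD[0x40:0x44] = b"PE\x00\x00"
FAKE_PE_HEAD = bytes(FAKE_PE_HEAD)
FAKE_APK_HEAD = b"PK\x03\x04" + bytes(0x40)          # APKs are ZIP archives

if __name__ == "__main__":
    for fname, head in [("iphone.zip.exe", FAKE_PE_HEAD), ("android.phone.exe", FAKE_PE_HEAD),
                        ("app.apk", FAKE_APK_HEAD)]:
        print(classify_download(fname, head))
```

The name check alone would have flagged both files on this page, and the PE check catches the same files even if they were renamed to a plain ".apk".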
If users fall victim to the phishing site by entering their login credentials, the phishers will have successfully stolen their information for identity theft purposes.
Symantec advises Internet users to follow these best practices to avoid becoming victims of phishing attacks:
- Check the URL in the address bar when logging into your account to make sure it belongs to the website that you want to visit.
- Do not click on suspicious links in email messages.
- Do not provide any personal information when replying to an email.
- Do not enter personal information in a pop-up page or window.
- Ensure that the website is encrypted with an SSL certificate by looking for the padlock image/icon, “https”, or the green address bar when entering personal or financial information.
- Use comprehensive security software, such as Norton Internet Security or Norton 360, which protects you from phishing and social networking scams.
- Exercise caution when clicking on enticing links sent through email or posted on social networks.