Co-author: Avdhoot Patil
Special occasions like Christmas have been a common ground for phishers to introduce new baits in their phishing sites. Last Christmas was no different and this time they used fake lottery prizes and gifts as baits. The phishing sites were hosted on free webhosting sites.
In the first example, a phishing site spoofing a gaming brand stated it would reward the user with a Christmas gift. The phishing site exclaimed it hoped users would like the gift and wished to encourage them to play the game. To receive the fake gift, the user is asked to enter their login credentials and also complete a simple form.
The questions asked in the form are the following:
The choice of gifts included credit points, VIP status, club membership, and a selection of badges.
After the credentials are entered and the form completed, the following page acknowledges the submission of user information. If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen the information for identity theft purposes.
Phishing campaigns were prevalent in the banking sector as well. A phishing site impersonating a highly reputed bank was observed. The fake site claimed a lottery prize was available for the bank's customers. The type of lottery offered was a Christmas raffle draw and the bogus prize money was in the amount of 2.5 million dollars. Customers were asked to enter their full name, email address and password to be eligible to receive the prize money. A note was also provided (shown below) which prompted customers to look for a confirmation email after submitting information. After the user's credentials are entered, the phishing page redirects to the legitimate bank’s website, creating the illusion that a valid verification took place.
Internet users are advised to follow best practices to avoid phishing attacks: