Co-Author: Ayub Khan Customers of popular email service providers have been a common target for phishers for identity theft purposes. Phishers are constantly devising new phishing bait strategies in the hope of stealing user email adresses and passwords. In April 2012, Symantec observed phishing pages that mimicked popular email services in an attempt to dupe users with attractive storage plans.
Customers were flooded with fake offers of free additional storage space for services such as email, online photo albums, and documents. In the first example, the phishing site was titled “Welcome to New [BRAND NAME] Quota Verification Page”. According to the bogus offer, the additional storage plan ranged from 20 GB to 1 TB per year, at no extra cost. The phishing page boasted that the free additional storage plan will help customers prevent loss of data and the inability to send and receive emails due to exhausted storage space. It also stated that the plan will auto-renew each year and the customer can choose to cancel at any time by returning to the same page:
To avoid customer suspicion when the bogus offer doesn’t materialize, phishers used a time-buying strategy. They indicated that customers would be contacted 30 days prior to renewal and also that the upgrade process will take effect in a 24-hour time span. After user credentials are entered, the phishing page redirected to a page which confirmed the upgrade was initiated and complete. The phishing page then redirected back to the legitimate service website:
Similar phishing pages were observed spoofing other email services. The phishing site in this second example is titled “Obtain Free Additional Storage”. The same bait was used here as well:
To gain customer trust, the email address field was auto-populated on the fake page and is also concealed in the query string. Looking deep into these scams, it is evident these phishing scams are targted attacks. By randomising the email address in the query string of the phishing URL, the same phishing page can be used for targeting multiple users. Below is the URL format:
http://*****/?name=email_address@domain.com&cid=email_address@domain.com
Internet users are advised to follow best practices to avoid phishing attacks: