In July 2010, several phishing sites were observed spoofing social networking brands. This in itself is nothing new, but this time the sites were posting fake offers for free online mobile phone airtime top-ups. The phishing pages displayed the icons of a number of popular cellular service providers in India. Once the user had entered login credentials on the phishing site, the page displayed a set of steps to follow to obtain the fake offer:
First, the customer is asked to select the amount of airtime recharge in rupees, which should not exceed Rs 500 per day. After the amount is selected, the phishing site generates what it calls a "Java code". It is in fact JavaScript, written to be pasted into the browser's address bar: an address-bar entry beginning with javascript: is not a page to navigate to but a script that the browser runs inside the page that is currently open, with that page's cookies, DOM and scripts in reach. The user is told to use this code whenever he or she wants a free recharge, by logging in to the social networking site and then entering the code in the address bar. If the user does so on the legitimate site, the script runs with the user's logged-in session, and the browser pops up a series of message boxes asking for the user's cell number and other details. The final message box states that the recharge was successful:
In reality, the script performs a series of malicious actions that end with messages being sent to the people on the user's friend list. The user also receives a text message on his or her cell phone containing a bogus verification code, which phishers may use to convince the user that the procedure is genuine. Symantec customers have reported receiving messages from their friends recommending this facility. Messages from friends often seem more convincing than ordinary phishing or spam email, and fraudsters have been using this technique to spread the malicious code among Indian social networking users.
The malicious code also manipulates the user's profile, replacing its content with messages promoting the offer. In some cases, the message placed in the victim's profile states that the social networking brand is providing the free recharge as a gift to its customers:
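The mechanics described above, as an added example that is not code from the original post and does not reproduce the scam's script: a small simulation of how a browser treats an address-bar entry that starts with javascript:, run against a constructed stand-in for a logged-in social networking page. The page object, its "site" messaging API, the cookie value and the payload are all assumptions made for the illustration.

```javascript
// Added example (not code from the original post): a simulation of the
// address-bar behaviour the scam relies on. An entry that starts with
// "javascript:" is not navigated to; the browser percent-decodes the rest
// and runs it as JavaScript inside the page that is currently open, with
// that page's cookies, DOM and scripts in reach. The page object, the
// "site" API and the payload below are constructed stand-ins, not the
// real script.

const JS_SCHEME = /^javascript:/i;

// Model of what a browser does with text submitted from the address bar.
// `page` stands in for the document that is open when the user presses Enter.
function handleAddressBar(entry, page) {
  const text = entry.trim();
  if (!JS_SCHEME.test(text)) {
    // Ordinary input: navigate. URL parsing also rejects malformed input.
    return { action: 'navigate', href: new URL(text).href };
  }
  const source = decodeURIComponent(text.slice('javascript:'.length));
  // Evaluated with the page's objects in scope. This is the whole point:
  // the pasted code is indistinguishable from the site's own scripts and
  // acts with the victim's logged-in session.
  const run = new Function('document', 'prompt', 'site', source);
  return { action: 'script', result: run(page.document, page.prompt, page.site) };
}

// Constructed stand-in for a social-networking page with a logged-in user.
function makeLoggedInPage() {
  const sent = [];
  return {
    document: { cookie: 'session=abc123; user=victim' },   // assumed session cookie
    prompt: (question) => '9999999999',                    // canned answer to the pop-up
    site: {
      friends: ['alice', 'bob'],
      post: (to, msg) => sent.push({ to, msg }),           // the site's own messaging call
      sent,
    },
  };
}

// Constructed payload with the shape the post describes: pop up a box for
// the cell number, then message every friend using the victim's session.
const PAYLOAD = 'javascript:' + encodeURIComponent(
  'var number = prompt("Enter your mobile number for the free recharge");' +
  'site.friends.forEach(function (f) {' +
  '  site.post(f, "Free recharge offer, try it: see my profile");' +
  '});' +
  'return { cookie: document.cookie, number: number, messaged: site.sent.length };'
);

// Run the scenario end to end; returns what the payload got hold of.
function runScenario() {
  const page = makeLoggedInPage();
  const outcome = handleAddressBar(PAYLOAD, page);
  return { outcome, messagesSent: page.site.sent };
}
```

Calling runScenario() shows the script reading the session cookie, collecting the number typed into the pop-up and posting to every friend, all without any credential being sent to the phisher: the victim's own browser does the work. Typing and pasting differ here; Chrome and Firefox strip a pasted javascript: prefix in the address bar precisely because of scams of this kind, but the code still runs if it is typed or bookmarked.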
The phishing URLs were hosted on free Web-hosting domains, and the hostnames contained strings indicating that the website is related to online mobile airtime recharging. Some examples:
hxxp://freee-rechharge.******.com [Domain name removed]
hxxp://recharge0nmobile.******.com [Domain name removed]
hxxp://free-recharge-roxxx.******.com [Domain name removed]
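The two features called out above (free web-hosting parent domain plus recharge wording in the attacker-chosen hostname label) are enough for a cheap triage rule. The following is an added example, not code from the original post or from Symantec: the hosting-provider suffixes, the brand list and the sample URLs are constructed for illustration, and it goes slightly beyond the text by also undoing "hxxp" defanging and digit-for-letter substitutions such as the "0" in recharge0nmobile.

```javascript
// Added example (not from the original post): a triage heuristic for URLs of
// the kind listed above. Only the hostname is scored, because that is what the
// listed indicators show; paths and query strings are ignored.

// Parent domains of free web-hosting services (assumed for the example).
const FREE_HOSTING_SUFFIXES = ['freehost.example', 'sites.example'];
// Lure wording seen in the hostnames, including a typosquatted spelling.
const LURE_WORDS = ['recharge', 'rechharge', 'free', 'topup'];
// Brands and the domains they actually own (assumed for the example).
const BRAND_DOMAINS = { orkut: 'orkut.com', facebook: 'facebook.com' };

// Undo "hxxp" defanging so the URL parser accepts the string.
function refang(raw) {
  return raw.trim().replace(/^hxxp/i, 'http');
}

// Map common digit-for-letter substitutions back to letters ("0n" -> "on").
function unleet(s) {
  return s.replace(/0/g, 'o').replace(/1/g, 'l').replace(/3/g, 'e').replace(/4/g, 'a');
}

function triageUrl(raw) {
  const host = new URL(refang(raw)).hostname.toLowerCase();
  const reasons = [];
  let score = 0;

  const suffix = FREE_HOSTING_SUFFIXES.find((s) => host.endsWith('.' + s));
  if (suffix) {
    score += 2;
    reasons.push(`hosted under free web-hosting domain ${suffix}`);
  }

  // Score only the attacker-chosen labels, not the provider's own suffix.
  const chosen = unleet(suffix ? host.slice(0, -(suffix.length + 1)) : host);

  for (const word of LURE_WORDS) {
    if (chosen.includes(word)) {
      score += 1;
      reasons.push(`lure word "${word}" in hostname`);
    }
  }

  for (const [brand, domain] of Object.entries(BRAND_DOMAINS)) {
    const legit = host === domain || host.endsWith('.' + domain);
    if (!legit && chosen.includes(brand)) {
      score += 2;
      reasons.push(`brand "${brand}" in a hostname outside ${domain}`);
    }
  }

  return { host, score, reasons, verdict: score >= 3 ? 'suspicious' : 'no finding' };
}

// Constructed samples modelled on the hostnames listed above, plus two
// benign controls (a real-looking operator site and the brand's own domain).
const SAMPLE_URLS = [
  'hxxp://freee-rechharge.freehost.example/',
  'hxxp://recharge0nmobile.freehost.example/login.php',
  'hxxp://orkut-free-recharge.sites.example/',
  'https://www.example-telecom.example/recharge',
  'https://www.orkut.com/Main',
];

function triageSamples() {
  return SAMPLE_URLS.map(triageUrl);
}
```

triageSamples() flags the three constructed phishing-style hosts and leaves both controls at "no finding"; note that the operator site with "recharge" only in its path is not penalised, which is the intended behaviour for a hostname-only rule.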
Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:
• Do not click on suspicious links in email messages.
• Check the URL of the website and make sure that it belongs to the brand; a brand's page hosted under a free Web-hosting domain is a warning sign.
• Type the domain name of your brand's website directly into your browser's address bar rather than following any link.
• Never enter code that someone else has given you into your browser's address bar while logged in to a site. It runs with the same access to your account that the site's own pages have.
• Frequently update your security software, such as Norton Internet Security 2010, which protects you from online phishing.
Note: My thanks to the co-authors of this blog, Rohan Shah and Wahengbam RobinSingh.