On February 22, 2011, a massive 6.3 magnitude earthquake devastated the New Zealand city of Christchurch. As per the official reports, the death toll has reached 75, a number that may yet increase. Thousands of people in New Zealand have lost their homes and search operations are still in progress. Fraudsters, as usual, are taking advantage of this by sending spam emails that request donations. In January, phishers used the same ploy, soliciting fake donations for victims of the Serrana floods.
The phishing site spoofed the Red Cross website for New Zealand and requested help from end users. First, the phishing site gave details of the earthquake, highlighting the extent of the damage in the city. Second, it explained how to make a secure online donation. Users were told that upon making an online donation they would receive a receipt by email for tax purposes. There were three credit card services to choose from.
To make the donation, users were required to enter certain confidential information. The first field was a drop-down menu from which the user had to select the cause for which the donation would be made. The causes included New Zealand Earthquake 2011, Annual Appeal 2011, Australian Floods Fund, Landmine Appeal, Pacific Disaster Preparedness Fund, and General Fund Appeal.
The confidential information required was email address, postal address, credit card number, three-digit security number, card expiration date, four-digit PIN code, driver's license number, and date of birth. Upon entering the required information, the Web page redirected victims to the legitimate Red Cross website. The phishing site was hosted on servers based in Wien, Austria.
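The list of requested fields is a detection signal in its own right: a legitimate online donation form has no reason to ask for a card PIN, a driver's license number, or a date of birth alongside the card details. The following Python example is added here and is not part of the original post; the field-name patterns and both sample forms are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Heuristic field-name patterns (assumptions of this example), by data category.
PATTERNS = {
    "card_number": re.compile(r"card ?(number|num|no)\b"),
    "cvv": re.compile(r"\b(cvv|cvc)\b|security ?(code|number)"),
    "pin": re.compile(r"\bpin\b"),
    "driver_license": re.compile(r"driv\w* ?licen[cs]e"),
    "date_of_birth": re.compile(r"\bdob\b|birth"),
}
# Categories a card donation does not need; requesting them is the red flag.
EXCESSIVE = {"pin", "driver_license", "date_of_birth"}

class FieldCollector(HTMLParser):
    """Collects normalized name/id/placeholder text of visible form fields."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        if a.get("type") in ("submit", "hidden", "button"):
            return
        label = " ".join(a.get(k) or "" for k in ("name", "id", "placeholder"))
        # Lowercase and turn separators into spaces so \b matches "card_pin".
        self.fields.append(re.sub(r"[^a-z0-9]+", " ", label.lower()).strip())

def assess_form(html):
    """Return the data categories a form requests and whether it over-collects."""
    parser = FieldCollector()
    parser.feed(html)
    found = {c for f in parser.fields for c, rx in PATTERNS.items() if rx.search(f)}
    excessive = sorted(found & EXCESSIVE)
    return {"categories": sorted(found), "excessive": excessive,
            "suspicious": "card_number" in found and bool(excessive)}

# Constructed sample: mirrors the field list described in the post.
PHISH_FORM = """<form><select name="cause"></select><input name="email">
<input name="postal_address"><input name="card_number"><input name="cvv">
<input name="exp_date"><input name="pin" placeholder="4-digit PIN">
<input name="driver_license"><input name="dob"><input type="submit"></form>"""
# Constructed sample: a donation form that asks only for payment data.
PLAIN_FORM = """<form><select name="cause"></select><input name="email">
<input name="card_number"><input name="cvv"><input name="expiry"></form>"""

if __name__ == "__main__":
    print(assess_form(PHISH_FORM))
    print(assess_form(PLAIN_FORM))
```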
Internet users are advised to follow best practices to avoid phishing attacks:
• Do not click on suspicious links in email messages.
• Avoid providing any personal information when answering an email.
• Never enter personal information in a pop-up screen.
• Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.
Note: My thanks to the co-author of this blog, Ashish Diwakar.