Fake Offers with Fake Trust Seals

Thanks to the co-author of this blog, Wahengbam RobinSingh.

Phishers are constantly looking for new ideas in their efforts of tricking end users. In August, Symantec observed a phishing site that utilized a number of new tricks. The phishing site masqueraded as a well known software company and claimed to offer associated software products at discounted rates. The phishing page highlighted these fake offers as “summer offerings” and stated that customers could save 80% on their purchases. Users were prompted to enter their billing information, personal information, and credit card details to complete their purchases. The personal information that was requested consisted of the user’s email address and phone number. The credit card details that were asked for were the card number, CVV code, and card expiration date. If any users had fallen victim to the phishing site, the phishers would have successfully stolen their confidential information for financial gain.

Although these fake offers were used as the bait, it wasn’t the only trick being offered up by the phishing site. There were further tactics employed in the hope of luring a greater number of end users. The phishing site was hosted on a newly registered domain name, and this new domain name was indexed in several popular search engines and had a very high page ranking. Phishers achieved the boosted page ranking by using common search keywords for the products within the domain name. For example, the domain would look like “common-search-keywords.com”. Thus, if a user searched with these keywords in a search engine, they could end up with the phishing site as a high-ranked result.
 
The phishers’ ploys didn’t end there. The phishing page also contained fake trust seals at the bottom of the page. A legitimate trust seal is a seal provided to Web pages by a third party, typically a software security company, to certify that the website in question is genuine. Clicking on a trust seal will pop up a window provided by the third party, which contains details of the site name and the encryption data used to secure the site.

How did phishers overcome this security measure? They used fake trust seals that spoofed two major companies, which when clicked, popped up a window that referenced a fake site. The URL of the fake site utilized sub-domain randomization. Below is the format of the URL:

http://www.<software security company>.com.<fake domain>.com

With a quick glance at the URL, it would seem that the trust seal is linked to an appropriate third party, but it’s not. If we read the complete URL for the pop-up window, we can see that it’s a fake site. The best practice for identifying a legitimate trust seal is to click on the seal and read the complete URL of the pop-up window. The pop-up window should have a padlock icon, ‘https’, or a green address bar.

Internet users are advised to follow best practices to avoid phishing attacks:

•    Do not click on suspicious links in email messages.
•    Avoid providing any personal information when answering an email.
•    Never enter personal information in a pop-up page or screen.
•    When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
•    Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.