Fake Offers For Mobile Airtime Haunts Indian Users

Co-Author: Avdhoot Patil

Symantec is familiar with phishing sites which promote fake offers for mobile airtime. In December, 2011, the phishing sites which utilized these fake offers as bait have returned. The phishing sites were hosted with free web hosting.

When end users enter the phishing site, they receive a pop up message stating they can obtain a free recharge of Rs. 100:

Upon closing the pop up message, users would arrive at a phishing page which spoofs the Facebook login page. The contents of the page would be altered to make it look as though the social networking site was giving away free mobile airtime. A list of 12 popular mobile phone services from India would be displayed with their brand logos. Once the page completes loading, the theme songs for each of these mobile services play, one after the other.

This phishing page gives a long (fake) offer description. In the description, users are required to enter their login credentials to receive the free airtime offer. The description further states with pride that the site is the first ever to provide this offer and reminds it is always free for users. In reality, if users enter their credentials the phishing page will redirect to a legitimate web retailer selling online purchases of mobile airtime. The strategy behind bothering to redirect to such a site is to mislead users into believing that a valid login has taken place and avoid suspicion. If users do fall victim to these phishing sites, phishers will have successfully stolen their information for identity theft purposes.

Users should be careful. In the fake login below (in blue and purple text) you can see the claims of free airtime:

The URLs on the phishing page also contained text in them to further lead users to believe this social networking website has a relationship with online mobile airtime recharging. The examples:

hxxp://www.******.******.com/Facebook-rc/facebook2011.html  [Domain name removed]
hxxp://free-r3charg3.******.cc/facebook2011.html  [Domain name removed]
hxxp://free-rechargess.******.cc/recharge/1/3.php  [Domain name removed]

Here are a few best practices for Facebook users to combat these threats:

  • Use unique logins and passwords for each of the websites you use.
  • Check to see that you're logging in from a legitimate Facebook page with the facebook.com domain.
  • Be cautious of any message, post or link you find on Facebook that looks suspicious or requires an additional login.
  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • Become a fan of the Facebook Security Page for more updates on new threats as well as helpful information on how to protect yourself online.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.