Phishers Turn to Social Media for Money

Contributor: Avdhoot Patil

Social media is a common target for phishers for the purposes of identity theft. Phishers are now seeking financial gain from social networking phishing sites. In November 2012, phishing sites spoofed a popular social networking site and asked for financial information as a requirement to improve user security. The phishing sites were hosted on free web hosting sites.

The phishing site stated that the social networking site had made some improvements in security and required users to verify their identity by completing a security check. After the “Continue” button was clicked, users were asked to enter their personal details.

The personal details required included the user's:

  • First name
  • Last name
  • Email address
  • Password
  • Country
  • Gender
  • Birthday

The phishing pages that followed asked for users’ webmail address and password, and for the answer to their security question. The webmail confirmation was allegedly required to secure the users’ identity when logged in from an unfamiliar location. To gain the users’ confidence, the phishing page also noted that they would be notified if the account was hacked.
 

Figure 1. Email address verification and security check
 

Figure 2. Personal details request
 

Figure 3. Email address and password request
 

Figure 4. Security question request
 

After the required details had been entered, the phishing site asked for financial information in order to complete payment verification. To avoid suspicion, the phishing site noted that payment verification required only the first six digits of the user’s card and that the full card details were only asked for when users purchased user credits. After the six digits had been entered, the phishing page redirected users to a second payment verification page. The phishing page here gave the same message but asked for the complete card details. The phishing page further stated that users would occasionally be asked for additional information to authorize a transaction or to purchase credits from an application page.

The card details required included the user's:

  • First Name
  • Last Name
  • Credit Card Number
  • Type
  • Expiration Date
  • Security Code
  • Billing Address
  • City/Town
  • State/Province/Region
  • Zip/Postal Code
  • Country

If users fell victim to the phishing sites by entering their sensitive information, phishers would have successfully stolen that information for financial gain.
 

Figure 5. Card number request
 

Figure 6. Card details request
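
A defender-side illustration of the flow described above, added here and not part of the original post: a Python heuristic that groups the form fields seen per host in one browsing session and flags an unofficial host that collects both login credentials and payment card data, including the six-digit card prefix step. The field-name hints, host names and sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Name hints per data category the article says the pages requested (hints are assumptions).
HINTS = {
    "credential": ("password", "passwd"),
    "security_question": ("security_answer", "secret_answer"),
    "card": ("card_number", "cardnumber", "security_code", "cvv", "expiration"),
}
class FieldCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields = []  # (name, type, maxlength) for each <input>/<select>
    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select"):
            a = dict(attrs)
            self.fields.append(((a.get("name") or "").lower(),
                                (a.get("type") or "text").lower(), a.get("maxlength")))

def classify(html):
    """Return the set of sensitive data categories one page asks for."""
    collector = FieldCollector()
    collector.feed(html)
    found = set()
    for name, ftype, maxlength in collector.fields:
        if ftype == "password":
            found.add("credential")
        found.update(cat for cat, hints in HINTS.items() if any(h in name for h in hints))
        if "card" in name and maxlength == "6":  # the "first six digits" step
            found.add("card_prefix")
    return found

def assess(pages, official_domains):
    """Flag unofficial hosts whose pages (url, html) collect credentials plus card data."""
    by_host = {}
    for url, html in pages:
        host = (urlparse(url).hostname or "").lower()
        by_host.setdefault(host, set()).update(classify(html))
    return {host: sorted(cats) for host, cats in by_host.items()
            if not any(host == d or host.endswith("." + d) for d in official_domains)
            and "credential" in cats and cats & {"card", "card_prefix"}}

# Constructed sample session; all hosts and field names are made up.
PHISH = "http://social-check.freehost.example"
SAMPLE_SESSION = [
    (PHISH + "/1", '<input name="email"><input type="password" name="password">'),
    (PHISH + "/2", '<input name="security_answer">'),
    (PHISH + "/3", '<input name="card_first6" maxlength="6">'),
    (PHISH + "/4", '<input name="card_number"><input name="security_code">'),
    ("https://www.social.example/login", '<input type="password" name="password">'),
]
```

Calling `assess(SAMPLE_SESSION, ["social.example"])` flags only the constructed free-hosting host; the heuristic is a triage signal, since legitimate checkout pages on other domains can also combine a password field with card fields.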
 

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar when entering personal or financial information
  • Frequently update your security software (such as Norton Internet Security 2012), which protects you from online phishing