Phishers Spoof Facebook Appearance and Promote India’s Aam Aadmi Party

Politicians are frequently featured on phishing sites and in light of the ongoing general election in India, phishers are starting to target Indian users by using a local politician and his party as bait. 

Symantec recently observed a phishing site which spoofs Facebook’s appearance and includes Arvind Kejariwal, the former chief minister of New Delhi and leader of the Aam Aadmi Party. The phishing site was hosted on servers based in Lansing, Michigan in the US. 

Figure 1. A fake Facebook “like” button and a picture of Arvind Kejariwal on the phishing site

As seen in the previous image, the phishing site, titled “Unite With Us Against Corruption”, uses a poster of the Aam Aadmi Party along with a fake Facebook “like” button. The site’s background image is a picture of the party’s leader Arvind Kejariwal and his latest Twitter tagline, which states that “Political revolution in India has begun. Bharat jaldi badlega.” The second sentence translates to “India will soon change”. 

After clicking on the “like” button, users are prompted to input their Facebook login credentials so that they can “like” the Aam Aadmi party page. 

Figure 2. Users are asked to input their Facebook login data to “like” the Aam Aadmi party page

The phishers also used a misleading login prompt in the phishing page. Instead of mentioning the Aam Aadmi Party, the page tells users to log in with their Facebook details to like cute baby pictures. Symantec has already seen a similar phishing site which used a picture of a young girl. Phishers frequently use the same template to host different applications but this time, they forgot to change the reference to cute baby pictures. After the user enters their login credentials, the phishing site redirects the user to an acknowledgment page. The Web page then asks the user to click another “like” button.

Figure 3. A login confirmation and the “like” button on the acknowledgement page

The email address entered in the previous login page is now displayed on the acknowledgement page. The “like” button is placed beside a fake number that claims to show the amount of likes the party has already gained. However, the button is just a dummy and does not perform any functions. If users fell victim to the phishing site by entering their personal data, phishers would have successfully stolen their confidential information for identity theft purposes.

Symantec advises Internet users to follow these best practices to avoid becoming victims of phishing attacks.

  • Check the URL in the address bar when logging into your account to make sure it belongs to the website that you want to visit
  • Do not click on suspicious links in email messages
  • Do not provide any personal information when replying to an email
  • Do not enter personal information in a pop-up page or window
  • Ensure that the website is encrypted with an SSL certificate by looking for a picture of a padlock image or icon, “https”, or the green address bar when entering personal or financial information
  • Use comprehensive security software, such as Norton Internet Security or Norton 360 to protect you from phishing and social networking scams
  • Exercise caution when clicking on enticing links sent through emails or posted on social networks