Phishers Celebrate Christmas with Fake Lottery Prizes and Gifts

Co-author: Avdhoot Patil

Special occasions like Christmas have been a common ground for phishers to introduce new baits in their phishing sites. Last Christmas was no different and this time they used fake lottery prizes and gifts as baits. The phishing sites were hosted on free webhosting sites.

In the first example, a phishing site spoofing a gaming brand stated it would reward the user with a Christmas gift. The site said it hoped users would like the gift and wanted to encourage them to play the game. To receive the fake gift, the user is asked to enter their login credentials and also complete a short form.

The questions asked in the form are the following:

  • Will you be playing this Christmas?
  • If you could help, which way would you help us?
  • What is your age?
  • Please select your gift.

The choice of gifts included credit points, VIP status, club membership, and a selection of badges.

After the credentials are entered and the form completed, the following page acknowledges the submission of user information. If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen the information for identity theft purposes.

Phishing campaigns were prevalent in the banking sector as well. A phishing site impersonating a highly reputed bank was observed. The fake site claimed that a lottery prize was available to the bank's customers: a Christmas raffle draw with bogus prize money of 2.5 million dollars. Customers were asked to enter their full name, email address and password to be eligible to receive the prize money. A note was also provided (shown below) prompting customers to look for a confirmation email after submitting their information. Once the credentials are entered, the phishing page redirects to the legitimate bank's website, creating the illusion that a valid verification took place.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.

Fake Offers For Mobile Airtime Haunts Indian Users

Co-Author: Avdhoot Patil

Symantec is familiar with phishing sites that promote fake offers for mobile airtime. In December 2011, phishing sites using these fake offers as bait returned. The phishing sites were hosted on free web hosting.

When end users enter the phishing site, they receive a pop-up message stating they can obtain a free recharge of Rs. 100:

Upon closing the pop-up message, users arrive at a phishing page that spoofs the Facebook login page. The contents of the page are altered to make it look as though the social networking site is giving away free mobile airtime. A list of 12 popular mobile phone services from India is displayed with their brand logos. Once the page finishes loading, the theme songs of each of these mobile services play, one after the other.

This phishing page gives a long (fake) offer description. In it, users are told to enter their login credentials to receive the free airtime offer. The description further boasts that the site is the first ever to provide this offer and reminds users that it is always free. In reality, if users enter their credentials the phishing page redirects to a legitimate online retailer of mobile airtime. The purpose of the redirect is to mislead users into believing that a valid login has taken place and so avoid suspicion. Users who fall victim to these phishing sites will have had their information stolen for identity theft purposes.

Users should be careful. In the fake login below (in blue and purple text) you can see the claims of free airtime:

The URLs of the phishing pages also contained text intended to make users believe that the social networking website has a relationship with online mobile airtime recharging. Examples:

hxxp://www.******.******.com/Facebook-rc/facebook2011.html  [Domain name removed]
hxxp://free-r3charg3.******.cc/facebook2011.html  [Domain name removed]
hxxp://free-rechargess.******.cc/recharge/1/3.php  [Domain name removed]
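The three URLs above share a pattern that can be checked mechanically: the brand name appears in a subdomain, directory or file name, while the registrable domain belongs to a free hosting provider rather than to the brand. The following is an added example written for this page, not Symantec's code or tooling; the brand allowlist, the lure word list, the leetspeak map and the sample URLs (with placeholder hosts standing in for the redacted ones) are all assumptions.

```python
# Added example (not Symantec's code): flag lure URLs that carry a brand name
# in a subdomain, file name or path while the registrable domain is not one
# the brand owns. The allowlist, lure words and sample URLs are assumptions.
import re
from urllib.parse import urlparse

# Assumption: a tiny allowlist of registrable domains a brand legitimately uses.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
}

# Words that commonly appear in giveaway-style lures, checked after leetspeak normalization.
LURE_WORDS = ("free", "recharge", "gift", "lottery", "prize", "raffle")

# Map common digit/symbol substitutions back to letters so "r3charg3" reads "recharge".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "@": "a", "$": "s"})


def defang_to_http(url: str) -> str:
    """Turn the hxxp:// or hxxps:// defanging convention back into a parseable scheme."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-label
    public suffixes such as co.uk; a production check would use a suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url: str) -> dict:
    """Report which brands the URL text impersonates and which lure words it carries."""
    parsed = urlparse(defang_to_http(url))
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    # Search hostname, path and query together, with leetspeak undone.
    haystack = f"{host}{parsed.path}?{parsed.query}".lower().translate(LEET)
    impersonated = [brand for brand, owned in BRAND_DOMAINS.items()
                    if brand in haystack and reg not in owned]
    lures = [word for word in LURE_WORDS if word in haystack]
    return {
        "url": url,
        "registrable_domain": reg,
        "impersonated": impersonated,
        "lures": lures,
        "suspicious": bool(impersonated),
    }


def triage(urls):
    """Return only the URLs that impersonate a brand, for analyst review."""
    return [r for r in (analyze_url(u) for u in urls) if r["suspicious"]]


# Constructed sample URLs modelled on the redacted ones above; the hosts are placeholders.
SAMPLE_URLS = [
    "hxxp://www.example-host.com/Facebook-rc/facebook2011.html",
    "hxxp://free-r3charg3.example-host.cc/facebook2011.html",
    "https://www.facebook.com/login.php",
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_URLS):
        print(verdict)
```

The check deliberately keys on the registrable domain rather than on the full hostname, because the brand string in a subdomain is exactly what the lure relies on; the real login page passes because facebook.com is on the allowlist, and a hostname such as free-r3charg3.example-host.cc is flagged with both the impersonated brand and the lure words it spells out.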

Here are a few best practices for Facebook users to combat these threats:

  • Use unique logins and passwords for each of the websites you use.
  • Check to see that you're logging in from a legitimate Facebook page with the facebook.com domain.
  • Be cautious of any message, post or link you find on Facebook that looks suspicious or requires an additional login.
  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • Become a fan of the Facebook Security Page for more updates on new threats as well as helpful information on how to protect yourself online.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.

False Epidemic Alerts Spread Malicious Content

Spammers have used scare tactics in the past, notably during the swine flu outbreak in 2009. A similar scare campaign was observed in the weeks leading up to April 1, 2010, playing on speculation that the Conficker worm would expand and launch a major attack on that date. Scare attacks of this kind are meant to provoke panic among recipients, who may, out of fear, click malicious links or download and install malicious code. The same approach has been observed recently, this time with a false epidemic alert. In this spam campaign trumpeting fake epidemic news, spammers try to instil fear in users and push them to read instructions on how to remain safe from infection.

The sample email subjects suggest there is an epidemic in nearly every country in the world, although each individual message names only a single country. The countries seen in sample messages range from Afghanistan to Iceland and from the Philippines to the United States. Sample emails also name individual US states, such as Kansas, Colorado, Mississippi, New Jersey, Virginia, and Washington.

Subject:  Fwd: Epidemic in Afghanistan
Subject:  Fwd: Epidemic in Alaska
Subject:  Fwd: Epidemic in Algeria
Subject:  Fwd: Epidemic in Andorra
Subject:  Fwd: Epidemic in Anguilla
Subject:  Fwd: Epidemic in Australia
Subject:  Re: Epidemic in Portugal
Subject:  Re: Epidemic in Saint Barthélemy
Subject:  Re: Epidemic in Saint Helena, Ascension and Tristan da Cunha
Subject:  Re: Epidemic in South Sudan
Subject:  Re: Epidemic in Sweden
Subject:  Re: Epidemic in Syria
Subject:  Re: Epidemic in Taiwan
Subject:  Re: Epidemic in Tennessee
Subject:  Re: Epidemic in Togo
Subject:  Re: Epidemic in Tonga
Subject:  Re: Epidemic in Trinidad and Tobago
Subject:  Re: Epidemic in Turkey
Subject:  Re: Epidemic in Tuvalu
Subject:  Re: Epidemic in United Arab Emirates
Subject:  Re: Epidemic in Venezuela
Subject:  Re: Epidemic in Vermont
Subject:  Re: Epidemic in Washington
Subject:  Re: Epidemic in Wisconsin
Subject:  Fwd: Re: Epidemic in United States
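The subjects differ only in the reply prefix and the place name, which makes the campaign easy to spot once subjects are reduced to a template. The following is an added example for this page, not Symantec's code: it strips Re:/Fwd: prefixes, maps every "Epidemic in <place>" subject onto one template, and flags a template when many messages share it with several distinct variable parts. The thresholds and the benign subjects mixed into the sample are assumptions; the campaign subjects are taken from the list above.

```python
# Added example (not Symantec's code): cluster e-mail subjects by template so a
# campaign that varies only the place name shows up as one burst. The
# thresholds and the benign subjects mixed into the sample are assumptions.
import re
from collections import defaultdict

# One or more leading Re:/Fw:/Fwd: prefixes, in any case, possibly repeated.
PREFIX_RE = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)
# The template seen in this campaign: "Epidemic in <place>".
EPIDEMIC_RE = re.compile(r"^epidemic in (?P<place>.+)$", re.IGNORECASE)


def strip_subject_header(line: str) -> str:
    """Drop a leading 'Subject:' header name if the input is a raw header line."""
    return re.sub(r"^\s*subject\s*:\s*", "", line, flags=re.IGNORECASE)


def normalize_subject(line: str) -> str:
    """Remove the header name and any reply/forward prefixes, keep the core text."""
    return PREFIX_RE.sub("", strip_subject_header(line)).strip()


def subject_template(line: str):
    """Return (template, variable_part). Only the epidemic pattern is templated;
    any other subject is its own template with no variable part."""
    core = normalize_subject(line)
    m = EPIDEMIC_RE.match(core)
    if m:
        return "epidemic in <PLACE>", m.group("place").strip()
    return core.lower(), None


def cluster_subjects(lines):
    """Map each template to the list of variable parts (or raw subjects) seen."""
    clusters = defaultdict(list)
    for line in lines:
        tpl, var = subject_template(line)
        clusters[tpl].append(var if var is not None else normalize_subject(line))
    return dict(clusters)


def flag_campaigns(lines, min_messages=5, min_variants=3):
    """Templates whose members are numerous and vary only in the templated slot."""
    flagged = []
    for tpl, members in cluster_subjects(lines).items():
        if len(members) >= min_messages and len(set(members)) >= min_variants:
            flagged.append(tpl)
    return flagged


# Constructed sample: subjects from the campaign above plus two benign ones.
SAMPLE_SUBJECTS = [
    "Subject:  Fwd: Epidemic in Afghanistan",
    "Subject:  Fwd: Epidemic in Alaska",
    "Subject:  Re: Epidemic in Portugal",
    "Subject:  Re: Epidemic in Saint Helena, Ascension and Tristan da Cunha",
    "Subject:  Re: Epidemic in Tennessee",
    "Subject:  Fwd: Re: Epidemic in United States",
    "Subject:  Re: Lunch on Friday?",
    "Subject:  Fwd: Q4 planning deck",
]

if __name__ == "__main__":
    for template, members in cluster_subjects(SAMPLE_SUBJECTS).items():
        print(f"{template!r}: {len(members)} message(s), {len(set(members))} variant(s)")
    print("flagged:", flag_campaigns(SAMPLE_SUBJECTS))
```

Requiring several distinct variable parts, not just a high count, is what separates a templated campaign from a legitimate thread in which the same subject is repeated verbatim; the two benign subjects each form a one-member template and are never flagged.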

The email body informs users that the government is hiding the epidemic news. If users want to benefit from instructions on how not to get infected, they need to click the link provided in the email. This link leads users to a malware site.

The malicious file downloaded is detected as Trojan.Malscript. These files exploit vulnerabilities and may perform heap spraying.

Email users need to be aware of such scare tactics and avoid panic. Do not believe email from unfamiliar senders. We also recommend users not click links in any message without first verifying the source of the email and, importantly, do not install software downloaded from the internet unless it has been scanned for viruses. Please make sure your virus definitions are updated regularly.

See the Symantec Intelligence Report for best practice guidelines for consumers.

Phishers Piggyback on Indian Websites

Contributors: Avdhoot Patil, Ayub Khan, and Dinesh Singh

Have Indian websites become a safe haven for phishers? To better understand, let’s explore how phishers create a phishing site. There are several strategies phishers frequently use: hosting their phishing site on a newly registered domain name, compromising a legitimate website and placing their phishing pages on it, or hosting their phishing site using a web hosting service.

Let’s now focus on the second method, which involves the use of compromised legitimate websites. From April to October 2011, about 0.4% of all phishing sites were hosted on compromised Indian websites. These compromised websites belonged to a wide range of categories, but the most targeted was the education category, which included websites of Indian schools, colleges, and other educational institutions. Symantec has previously reported on the websites of Indian educational institutions compromised by phishers. The education category made up 13% of compromised Indian websites. Some of the other top categories were information technology (11%), sales (9%), Web services (8%), and e-commerce (6%).

The existence of phishing sites in the education category may not be alarming in itself, but phishers have exploited Indian websites owned by individuals and organizations across many disciplines:

The phishing sites hosted on these Indian websites spoofed a multitude of brands. The majority of these brands belonged to the banking sector (comprising about 68%). The e-commerce sector comprised about 22%, and information services 3%.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.