Tag Archives: Messaging Gateway

Bebês Oferecidos para Adoção em 419 Scam

Uma variação de 419 scam de e-mails está sendo usada por fraudadores para tirar proveito de casais desprotegidos que querem adotar um bebê. Cuidadosamente as vítimas são atraídas para um falso processo de adoção, que em seguida, solicita dinheiro para cobrir despesas jurídicas e administrativas.

Enquanto a maioria dos últimos 419 golpes estão ligados à simplicidade e ingenuidade das vítimas, alguns criminosos online já começam a fazer um grande esforço para se comunicar diretamente com a vítima para conquistar a sua confiança. Os golpes são bem estudados e apresentados de forma convincente, inclusive demonstram histórias de vida real para deixá-los mais autênticos.

Fig1_9.png

Figura 1. e-mail malicioso usando uma história de adoção

Ao invés de usar os discursos mais populares para simular fraudes online usuais, tais como ganhar na loteria ou a morte de uma pessoa famosa, este tipo de fraudador adota uma abordagem diferente. A mensagem acima foi enviada para destinatários ocultos (por meio de uma conta de webmail hackeada originária da Hungria, mas encaminhada a partir da Itália) e exigia uma resposta a um diferente remetente. Estas são características típicas de um golpe de pagamento antecipado. Por isso, a Symantec decidiu investigar mais a fundo para ver como o cibercriminoso pedia dinheiro em troca de um serviço falso.

Com a finalidade de tornar esta narrativa de adoção a mais legítima possível, o fraudador nos fez passar por várias fases antes de, finalmente, chegar ao ponto em que fomos convidados a enviar dinheiro. Durante a nossa correspondência que se estendeu por 11 mensagens de respostas e réplicas de e-mail – durante mais de dois meses – o criminoso digital nos informou com riqueza de detalhes a história da mãe da criança e os regulamentos envolvidos para a adoção privada e independente. Eles ainda foram tão longe a ponto de fornecer um formulário de adoção falso e fotos do bebê.

Fig2_4.png

Figura 2. Fotos dos bebês oferecidos para adoção

fig3_1.png

Figura 3. Formulário falso de adoção usado para convencer as vítimas

Quando o fraudador finalmente decidiu pedir dinheiro, a quantia solicitada foi de US$2.500 para cobrir as taxas de entrada do processo de adoção no tribunal. Inclusive, o cibercriminosos informou a forma de um pagamento em duas parcelas – uma de US$ 1.500 e outra de US$ 1.000 – via transferência bancária eletrônica. O criminoso solicitou que os pagamentos fossem enviados desta forma para a transação parecer mais legítima e a vítima ter mais confiança no esquema.

Fig4_3.png

Figura 4. E-mail do crimonoso virtual pedindo dinheiro

Quando o fraudador fornecia um nome e endereço para receber o pagamento por transferência bancária, assumimos que essa informação era falsa. No entanto, olhando para este endereço, de forma aprofundada, tivemos uma descoberta surpreendente.

O endereço solicitado para o envio era do escritório de um legítimo advogado especializado em adoção e leis familiares (que não possuía nenhuma conexão com este esquema). Isso comprova que a maioria dos criminosos utiliza qualquer nome falso para cometer uma fraude de pagamento antecipado, roubando a identidade de uma pessoa real para a fraude parecer mais convincente. O alvo desavisado pode procurar o nome e confirmar que a pessoa é um advogado legítimo que atua Estados Unidos. Tudo ”faz sentido”, eles enviam o dinheiro e se tornam mais uma vítima da fraude.

A execução deste golpe de adoção sinaliza uma nova abordagem com 419 e-mails de SCAM. Em entrevista à The Economist, há dois anos, foi relevado pela Symantec como alguns fraudadores de pagamento antecipado mudaram a sua abordagem e enviam mensagens de e-mail que parecem legítimos. Nenhuma destas narrativas é muito sofisticada, isto porque os golpistas procuram vítimas que se “auto-selecionam”.

Este exemplo serve como um lembrete de que nem todos os esquemas fraudulentos de pagamento antecipado são tentativas ociosas para obter das vítimas mais ganhos financeiros. Alguns fraudadores usam táticas criativas, como esta narrativa sobre adoção, com convincentes detalhes da vida do bebê e formulários aparentemente oficiais. Não há dúvida de que a imaginação e criatividade dos criminosos vai continuar a evoluir no futuro.

Expect Beautifully Packaged Spam along with Your Easter Gifts!

Contributor: Azam Raza

Easter, like all other celebrations is meant to be a day of jubilation, which of course means gifts, shopping, and spreading cheer. However, cheer is not the only thing that is being spread this holiday. Spammers have also started spreading their handiwork. With just a few days left before Easter, the volume of spam is on the rise.

Each year Symantec observes certain categories of spam using Easter as a theme and this year is no different. Let’s take a look at some of the different types of spam Symantec sees year-over-year, as well as some samples from this year.

Replica goods spam
With gifts being at the core of many major celebrations, product spam (replica goods spam in particular) is the spam category Symantec observes the most. In this spam, items such as fake watches and jewelry are promoted using catchy subject lines and product images. Email header examples include:

From: “WorldOfWatches” <johnwatson@[REMOVED]>

Subject: Challenge Ends Easter weekend

From: “DailyPromos” <aacpu@[REMOVED]>
Subject: Our pick today is- easter14

Easter Spam 1.png

Figure 1. Easter themed replica goods spam

Health spam
Pharmacy or medication spam is another spam category we see a lot of when we get close to any holiday season. These spam mails usually contain links to pharmacy sites which pretend to sell medication online without prescription. Season’s greetings are usually displayed as banners on these sites to add a festive touch.

Easter Spam 2 edit.png

Figure 2. Easter themed pharmacy spam

Weight loss spam is another subcategory of health spam which is seen in multiple languages. Weight loss medicines touted in these messages range from approved medication to stories about herbal extracts from exotic plants. Email header examples include:

From: “Mackenzie Burns” <monday@[REMOVED]>

Subject: Begin eating this fruit and lose the fat before Easter Sunday

Product spam
Major retailers and brands offer large discounts and sales during holiday celebrations and spammers take advantage of this. Spammers often craft their emails to make them appear to be from known retailers and brands but they usually include links leading to fake sites. Offers of gift coupons are also common. The products seen in this type of spam can range from kids toys to SUVs. Email header examples include:

Subject: Spring Sale Event on all Cars, Trucks, and SUVs!

From: Auto-Dealer-Online <williamw@[REMOVED]>

Easter Spam 3 edit.png

Figure 3. Product spam with Easter banner

Easter Spam 4 edit.png

Figure 4. Gift coupon spam seen this season

Personalized gifts
Personalized gifts are getting popular these days and spam promoting personalized messages on Easter eggs and Easter bunnies are proving popular among spammers. Most of these spam mails have links to fake sites and some of them even have links to inappropriate content. Email header examples include:

From: Easter Bouquets <rebekkahFAjhLg@[REMOVED]>

Subject: Make the Easter bunny jealous! Easter flowers

Easter Spam 5 edit_0.png

Figure 5. Spam offering personalized Easter bunny letters for children

Casino spam
Online casino and gambling spam show up in larger volumes during holiday periods. Casino spam entices victims with a signup bonus, reward points, and chances of winning a fortune. Email header examples include:

From: AU_AllSlots @ <AllSlots@[REMOVED]>

Subject: 25-free spins on Gold-Factory this-Easter  

419 scam spam
Nigerian spam routinely makes the rounds during all holiday festivals with news of lucky draws and donations. Symantec has observed 419 spam pretending to be from orphanages and charity organizations asking for donations for the unfortunate. Unsolicited emails asking for personal information should always be treated with caution. Examples of email headers include:

Subject: HappyEasterInAdvance,

From: suzanne122@[REMOVED]

Something else which caught our attention this year is the volume of Easter spam in foreign languages. Easter themed attacks in foreign languages are usually about gifts and goodies, like the cupcake and gingerbread delivery spam shown here:

Portuguese

Subject: Páscoa                                                             |Subject: Easter

From: “Cupcake” <contato@[REMOVED]>

Russian

From: Пасхи <vamdetal@[REMOVED]>                       | From: pasha

Subject: Скоро Пасха                                                    | Subject: Almost Pasha

From: Пряники <sladkie.pashi@[REMOVED]>             | From: Gingerbread

Subject: Кондитерская мастерская                              | Subject: Confectionery masterskaâ

Symantec wishes all our customers a very happy Easter, and we also advise you to be cautious of these spam campaigns. Always exercise caution when dealing with unsolicited or unexpected holiday themed emails. Do not click on links in emails that look suspicious. Remember to update your antispam signatures to safeguard your personal information and give you the peace of mind to celebrate the wonderful Easter celebrations.

Babies Offered for Adoption in 419 Scam

A variation on the 419 email scam is being used by fraudsters to take advantage of couples desperate to adopt a child. Once they are carefully lured into a fake adoption process, the victims are then asked for money to cover legal and administrative fees.

While most recent 419 scams rely more on the naivety of victims than any ingenuity on the part of the spammer, some fraudsters are beginning to make more of an effort to directly communicate with the victim to secure their confidence. Their scams are well researched, convincingly presented and may borrow stories from real life to make their stories more authentic and better able to withstand a little scrutiny.

While fake adoption scams have been seen from time to time before, in this instance Symantec observed real life background details and a scammer who goes to great lengths to engage with the victim.

Fig1_9.png

Figure 1. Scam email using adoption story

Rather than using the usual advance-fee fraud scam narratives, such as winning a foreign lottery or a wealthy African leader dying, this fraudster adopts a different approach. Despite this, there were many telltale signs pointing towards a scam.  The message was sent to hidden recipients (through a hacked webmail account originating from Hungary, but routed through Italy), and the message required a response to a different webmail provider. These are typical characteristics of an advance-fee fraud, but we decided to investigate further to see how the scammer intended to ask for money.

In an effort to make this adoption narrative appear as legitimate as possible, the fraudster made us go through several hoops before finally getting to the point where we were asked to send money. During our correspondence—which spanned 11 email replies over a two month period—the scammer informed us in great detail about the mother’s story, and the regulations involved with private and independent adoption. They even went as far as providing a fake adoption form along with pictures of the baby!

Fig2_4.png

Figure 2. Babies offered for adoption through this 419 scam campaign

fig3_1.png

Figure 3. Fake adoption form used to gain victim’s confidence

When the fraudster finally decided to ask for money, we were asked to send US$2,500 to cover the “Court Order Preparation and Document Fee.” This took the form of one payment of $1,500 and another of $1,000, through a financial services wire transfer. It is likely the scammer requested the payments to be sent this way so the transaction appeared more legitimate and the victim would have more confidence that the scam was actually real.

Fig4_3.png

Figure 4. Scammer requests baby adoption money

When the fraudster provided a name and address to receive the wire transfer payment, we assumed this information was phony. However, looking up this address led us to a startling discovery.

The payee address listed was the office address of a legitimate Adoption and Family Law attorney (who has absolutely no connection to this scam). While most scammers use any old fake name to perpetrate an advance-fee fraud, hijacking a real person’s identity can make the fraud appear more convincing. The unsuspecting target may look up the name and confirm the person is a legitimate attorney who is practicing in the United States. It all “adds up,” they send the money, and become yet another victim of the scam.

The execution of this adoption scam signals a new approach by 419 scammers, some of whom have now come full circle in their approach. In an interview with The Economist two years ago, I revealed how some advance-fee fraudsters have moved from sending legitimate and official-looking scam messages to far less professional looking missives offering large sums of money in unlikely scenarios. None of these scam narratives are very sophisticated because the scammers look for victims to “self-select.”

This example serves as a reminder that not all advance-fee fraud scams are lazy attempts to get the most gullible victims to participate. Some fraudsters use creative tactics, such as this adoption narrative drawn out over months with convincing background details and official-looking forms. There is no doubt that scammer imagination and creativity will continue to evolve in the future.

HeartBleed – a further update from Symantec Email & Web Security

Last week, we shared details of how the HeartBleed OpenSSL vulneratbility affected our Email & Web Security products.
The newest feature in our Web Security.cloud product, the ability to analyze and control data over HTTPS communicat…

?????????????????? Facebook ?????????????????

政治家がフィッシングサイトで利用される例は後を絶ちませんが、インドの総選挙が始まったことを受け、フィッシング詐欺師は地元の政治家やその政党を餌にインドのユーザーを狙い始めています。

シマンテックは最近、Facebook の表示を偽装するフィッシングサイトを確認しており、なかには元ニューデリー州首相でありアーム・アードミ党の党首であるアルビンド・ケジリワル(Arvind Kejariwal)氏も含まれています。フィッシングサイトのホストサーバーは、米国ミシガン州のランシングに置かれていました。

figure1_facebookspam.png
図 1. フィッシングサイトに掲載されている偽の「いいね」ボタンとアルビンド・ケジリワル氏の写真

上の画像でもわかるとおり、フィッシングサイトには「Unite With Us Against Corruption(団結して政治の腐敗と戦おう)」というタイトルが付けられ、アーム・アードミ党のポスターと、Facebook の偽の「いいね」ボタンが使われています。サイトの背景画像は同党の党首アルビンド・ケジリワル氏の写真で、氏が先日 Twitter に投稿した「Political revolution in India has begun.(インドの政治革命が始まった。)Bharat jaldi badlega」というモットーも書かれています。最後の言葉は「もうすぐインドは変わる」という意味です。

この「いいね」ボタンをクリックすると、アーム・アードミ党のページに「いいね」を付けるために、Facebook のログイン情報を入力するよう求められます。

figure2_facebookspam.png
図 2. アーム・アードミ党のページに「いいね」を付けるために Facebook のログイン情報を入力するよう求められる

このフィッシングページで使われているログインの指示には、紛らわしい部分もあります。アーム・アードミ党の名前を出すかわりに、Facebook のユーザー情報でログインし、可愛い女の子の写真に「いいね」を付けるよう求めてくるのです。これと同じように女の子の写真を使うフィッシングサイトは、以前にも登場したことがあります。フィッシング詐欺師が同じテンプレートを使って別のアプリケーションをホストするのはよくあることですが、どうやら今回は、可愛い女の子の写真についての説明を変更し忘れたようです。ユーザーがログイン情報を入力すると、フィッシングサイトから確認ページにリダイレクトされます。確認ページでは、もう一度「いいね」ボタンをクリックするよう求められます。

figure3_facebookspam.png
図 3. 確認ページに表示されるログイン確認メッセージと「いいね」ボタン

確認ページには、前のログインページで入力した電子メールアドレスが表示されます。「いいね」ボタンの横には、アーム・アードミ党がこれまでに獲得した「いいね」の件数も表示されますが、これは偽の数字です。ボタンもダミーであり、何の機能も果たしていません。この手口に乗って個人情報を入力したユーザーは、個人情報を盗まれ、なりすまし犯罪に使われてしまいます。

インターネットを利用する際には、フィッシング攻撃を防ぐためにできる限りの対策を講じることを推奨します。

  • アカウントにログインするときに、アドレスバーの URL を確かめ、間違いなく目的の Web サイトのアドレスであることを確認する。
  • 電子メールメッセージの中の疑わしいリンクはクリックしない。
  • 電子メールに返信するときに個人情報を記述しない。
  • ポップアップページやポップアップウィンドウに個人情報を入力しない。
  • 個人情報や口座情報を入力する際には、鍵マーク(画像やアイコン)、「https」の文字、緑色のアドレスバーなどが使われていることを確かめ、その Web サイトが SSL で暗号化されていることを確認する。
  • ノートン インターネットセキュリティやノートン 360 など、フィッシング詐欺やソーシャルネットワーク詐欺から保護する統合セキュリティソフトウェアを使う。
  • 電子メールで送られてきたリンクや、ソーシャルネットワークに掲載されているリンクがどんなに魅力的でも不用意にクリックしない。

 

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Phishers Spoof Facebook Appearance and Promote India’s Aam Aadmi Party

Politicians are frequently featured on phishing sites and in light of the ongoing general election in India, phishers are starting to target Indian users by using a local politician and his party as bait. 

Symantec recently observed a phishing site which spoofs Facebook’s appearance and includes Arvind Kejariwal, the former chief minister of New Delhi and leader of the Aam Aadmi Party. The phishing site was hosted on servers based in Lansing, Michigan in the US. 

figure1_facebookspam.png
Figure 1. A fake Facebook “like” button and a picture of Arvind Kejariwal on the phishing site

As seen in the previous image, the phishing site, titled “Unite With Us Against Corruption”, uses a poster of the Aam Aadmi Party along with a fake Facebook “like” button. The site’s background image is a picture of the party’s leader Arvind Kejariwal and his latest Twitter tagline, which states that “Political revolution in India has begun. Bharat jaldi badlega.” The second sentence translates to “India will soon change”. 

After clicking on the “like” button, users are prompted to input their Facebook login credentials so that they can “like” the Aam Aadmi party page. 

figure2_facebookspam.png
Figure 2. Users are asked to input their Facebook login data to “like” the Aam Aadmi party page

The phishers also used a misleading login prompt in the phishing page. Instead of mentioning the Aam Aadmi Party, the page tells users to log in with their Facebook details to like cute baby pictures. Symantec has already seen a similar phishing site which used a picture of a young girl. Phishers frequently use the same template to host different applications but this time, they forgot to change the reference to cute baby pictures. After the user enters their login credentials, the phishing site redirects the user to an acknowledgment page. The Web page then asks the user to click another “like” button.

figure3_facebookspam.png
Figure 3. A login confirmation and the “like” button on the acknowledgement page

The email address entered in the previous login page is now displayed on the acknowledgement page. The “like” button is placed beside a fake number that claims to show the amount of likes the party has already gained. However, the button is just a dummy and does not perform any functions. If users fell victim to the phishing site by entering their personal data, phishers would have successfully stolen their confidential information for identity theft purposes.

Symantec advises Internet users to follow these best practices to avoid becoming victims of phishing attacks.

  • Check the URL in the address bar when logging into your account to make sure it belongs to the website that you want to visit
  • Do not click on suspicious links in email messages
  • Do not provide any personal information when replying to an email
  • Do not enter personal information in a pop-up page or window
  • Ensure that the website is encrypted with an SSL certificate by looking for a picture of a padlock image or icon, “https”, or the green address bar when entering personal or financial information
  • Use comprehensive security software, such as Norton Internet Security or Norton 360 to protect you from phishing and social networking scams
  • Exercise caution when clicking on enticing links sent through emails or posted on social networks

Phishers Spoof Facebook Appearance and Promote India’s Aam Aadmi Party

Politicians are frequently featured on phishing sites and in light of the ongoing general election in India, phishers are starting to target Indian users by using a local politician and his party as bait. 

Symantec recently observed a phishing site which spoofs Facebook’s appearance and includes Arvind Kejariwal, the former chief minister of New Delhi and leader of the Aam Aadmi Party. The phishing site was hosted on servers based in Lansing, Michigan in the US. 

figure1_facebookspam.png
Figure 1. A fake Facebook “like” button and a picture of Arvind Kejariwal on the phishing site

As seen in the previous image, the phishing site, titled “Unite With Us Against Corruption”, uses a poster of the Aam Aadmi Party along with a fake Facebook “like” button. The site’s background image is a picture of the party’s leader Arvind Kejariwal and his latest Twitter tagline, which states that “Political revolution in India has begun. Bharat jaldi badlega.” The second sentence translates to “India will soon change”. 

After clicking on the “like” button, users are prompted to input their Facebook login credentials so that they can “like” the Aam Aadmi party page. 

figure2_facebookspam.png
Figure 2. Users are asked to input their Facebook login data to “like” the Aam Aadmi party page

The phishers also used a misleading login prompt in the phishing page. Instead of mentioning the Aam Aadmi Party, the page tells users to log in with their Facebook details to like cute baby pictures. Symantec has already seen a similar phishing site which used a picture of a young girl. Phishers frequently use the same template to host different applications but this time, they forgot to change the reference to cute baby pictures. After the user enters their login credentials, the phishing site redirects the user to an acknowledgment page. The Web page then asks the user to click another “like” button.

figure3_facebookspam.png
Figure 3. A login confirmation and the “like” button on the acknowledgement page

The email address entered in the previous login page is now displayed on the acknowledgement page. The “like” button is placed beside a fake number that claims to show the amount of likes the party has already gained. However, the button is just a dummy and does not perform any functions. If users fell victim to the phishing site by entering their personal data, phishers would have successfully stolen their confidential information for identity theft purposes.

Symantec advises Internet users to follow these best practices to avoid becoming victims of phishing attacks.

  • Check the URL in the address bar when logging into your account to make sure it belongs to the website that you want to visit
  • Do not click on suspicious links in email messages
  • Do not provide any personal information when replying to an email
  • Do not enter personal information in a pop-up page or window
  • Ensure that the website is encrypted with an SSL certificate by looking for a picture of a padlock image or icon, “https”, or the green address bar when entering personal or financial information
  • Use comprehensive security software, such as Norton Internet Security or Norton 360 to protect you from phishing and social networking scams
  • Exercise caution when clicking on enticing links sent through emails or posted on social networks

HeartBleed, OpenSSL and Symantec Email & Web Security

By now you should be well aware of the vulnerability CVE-2014-0160, nicknamed HeartBleed, that exists in a number of versions of OpenSSL – an extremely popular open source cryptographic library.
Yesterday, we provided some guidance on st…

Facebook ???????????????????????

      No Comments on Facebook ???????????????????????

寄稿: Parag Sawant

フィッシング詐欺師は、ユーザーの重要な情報を手に入れるチャンスを増やすために、さまざまな計略を繰り出し続けています。シマンテックが最近確認したフィッシング攻撃の場合は、男性と女性のどちらが偉いかと質問する偽の投票サイトを通じてデータが集められていました。

フィッシングページは無料の Web ホスティングサイトを利用しており、Facebook ユーザーを標的にした偽の投票ページには、「WHO IS GREAT BOYS OR GIRLS?(男性と女性、どちらが偉い?)」という質問と[VOTE(投票)]ボタンがあります。ページには、投票結果を示す棒グラフも埋め込まれており、過去 4 年間の総得票数が示されます。このようなグラフがあることで、より本物らしく見えます。

figure1_1.jpg
図 1. 投票サイトへの登録を求める Facebook アプリケーション

最初のフィッシングページには、投票プロセスを開始するボタンがあります。このボタンをクリックすると、次の図のようにポップアップウィンドウが開き、ユーザーのログイン ID とパスワードを入力するよう求められます。

figure2_0.jpg
図 2. ユーザーのアカウント情報の入力を求めるポップアップウィンドウ

ポップアップウィンドウには、男性か女性のどちらかに投票するためのボタンと、投票を送信するボタンも表示されます。フィールドに必要な情報をすべて入力し終わると、投票した情報を確認するための確認ページに進みます。

figure3.jpg
図 3. ユーザー情報を入力し終わると、投票の確認メッセージが表示される

ここで最初のページに戻ろうとして、投票数が定期的に増えていることに気付きました。先ほど 4,924,055 だった数値が、今見ると 4,924,096 になっているのです。

figure4.jpg
図 4. 変化する前と変化した後の投票数の比較

今回のフィッシング詐欺師は以下の URL を使っており、そのサブドメインからこれがアプリケーションであることがわかります。
[http://]smartapps.[削除済み].com

このサイトに騙されたユーザーは、個人情報を盗まれ、なりすまし犯罪に使われてしまいます。

偽アプリケーションを餌に使う手口は珍しいものではありません。インターネットを利用する際には、フィッシング攻撃を防ぐためにできる限りの対策を講じることを推奨します。

  • アカウントにログインするときに、アドレスバーの URL を確かめ、間違いなく目的の Web サイトのアドレスであることを確認する。
  • 電子メールメッセージの中の疑わしいリンクはクリックしない。
  • 電子メールに返信するときに個人情報を記述しない。
  • ポップアップページやポップアップウィンドウに個人情報を入力しない。
  • 個人情報や口座情報を入力する際には、鍵マーク(画像やアイコン)、「https」の文字、緑色のアドレスバーなどが使われていることを確かめ、その Web サイトが SSL で暗号化されていることを確認する。
  • ノートン インターネットセキュリティやノートン 360 など、フィッシング詐欺やソーシャルネットワーク詐欺から保護する統合セキュリティソフトウェアを使う。
  • 電子メールで送られてきたリンクや、ソーシャルネットワークに掲載されているリンクがどんなに魅力的でも不用意にクリックしない。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Fake Voting Campaign Steals Facebook Users’ Identities

Contributor: Parag Sawant

Phishers continuously come up with various plans to enhance their chances of harvesting users’ sensitive information. Symantec recently observed a phishing campaign where data is collected through a fake voting site which asks users to decide whether boys or girls are greater.

The phishing page, hosted on a free Web hosting site, targets Facebook users and contains a fake voting campaign, “WHO IS GREAT BOYS OR GIRLS?” along with the “VOTE” button to register votes. The page is also embedded with pair of bar charts representing voting ratio and displays the total votes gained for the last four years. These give a more legitimate feel to the fake application.

figure1_1.jpg
Figure 1. The Facebook application asks  users to register their votes

The first phishing page contains a button to initiate the voting process. After the button is clicked, a pop-up window appears, asking for a user’s login ID and password, as shown below:

figure2_0.jpg
Figure 2. A popup window requesting for user account information

The pop-up also contains two option buttons to vote for either male or female, and a button to submit the vote. After all the details and fields have been entered and filled up, the page then redirects the user to an acknowledgement page to confirm his or her voting information.

figure3.jpg
Figure 3. A voting confirmation message is displayed after user information is entered

We then tried returning to the first page and found that the vote count increases periodically. The number was previously 4,924,055 but has now increased to 4,924,096.

figure4.jpg
Figure 4. A comparison of the previous vote count and the current vote count

The phishers used the following phishing URL, and a subdomain to indicate that it is an application:
http://smartapps[DOMAIN NAME].com

If any user falls victim to the site, the phishers would then have successfully stolen personal user information for identity theft purposes.

The use of fake applications as bait is not uncommon, and Symantec advises Internet users to follow these best practices to avoid becoming victims of phishing attacks:

  • Check the URL in the address bar when logging into your account to make sure it belongs to the website that you want to visit
  • Do not click on suspicious links in email messages
  • Do not provide any personal information when replying emails
  • Do not enter personal information in a pop-up page or window
  • Ensure that the website is encrypted with an SSL certificate by looking for the padlock image/icon, “HTTPS”, or the green address bar when entering personal or financial information
  • Use comprehensive security software, such as Norton Internet Security or Norton 360, to be protected from phishing and social networking scams
  • Exercise caution when clicking on enticing links sent through emails or posted on social networks