"This scam is different than normal phishing where phishers often impersonate banks and other financial institutions, claiming that the victim's account has been temporarily disabled, requiring some kind of action to restore it," writes Nick Johnston, a senior software engineer at Symantec Hosted Services. "The use of a well-known, unrelated, trusted third-party fast food restaurant brand as a vector for stealing confidential information is relatively new."
(With the mid-term elections upon us in the United States, remember that phishers like to spoof campaign contribution Web pages too; see "The Potential Dangers of Online Contributions.")
The scam was directed at e-mail users in Australia and New Zealand, possibly because the cybercrooks are interested in credit card numbers from those countries, theorized Johnston.
Regardless, "this shows the global nature of the phishing problem," he writes.
The phishers were crafty enough to try to pass off the Web site as legitimate by altering the URL to make it look as if it came from New Zealand, using "a.nz" in place of the authentic ".nz" country code top-level domain. Aside from the altered URL, there were other key tip-offs that this e-mail was fishy. First, the logo of the fast food restaurant was blurry. Second, an error message appeared above each survey question.
Johnston notes that the phishing site was taken down shortly before MessageLabs Intelligence discovered it, adding that its effect could have been limited. Nevertheless, he writes, "the site was hosted on a compromised server, and it's quite likely that the gang had many more compromised servers ready."
As always, to avoid becoming a phishing victim, never click on links in e-mails from unusual senders and never give up personal information unless you travel to the Web site by typing out the URL yourself.
♦ Screenshots by Symantec/MessageLabs Intelligence