More fake govt websites phishing for personal data

Earlier this month, the Immigration and Checkpoints Authority warned the public of a fake website (left) that had been phishing for visitors' visa reference and passport numbers.
PHOTO: ICA

At least five agencies have issued advisories in last six months; several police reports made

Be careful, the government website you are visiting may not be the real deal. The Infocomm Development Authority (IDA) said it has seen a growing number of fake government websites over the past few years.

The problem has become serious enough for at least five government agencies to issue public advisories in the last six months against phishing.

They include the Immigration and Checkpoints Authority, the Ministry of Manpower (MOM) and the Ministry of Health. Police reports were made in several cases.

Phishing scams try to trick users into giving their personal or financial information through the use of fake websites or e-mail masquerading as official sources.

Such information can include credit card numbers, account usernames and passwords, and personal data such as identity card or passport numbers.

  Three recent phishing attacks

    April 2016

    The Immigration and Checkpoints Authority (ICA) warned of a website that was a close replica of its own. The fake site allows visitors to supposedly submit a visa application online. When visitors try to make a visa application inquiry, the site asks for their "visa reference number" and "travel document number". ICA said access to its official website (www.ica.gov.sg) was unaffected and no data was compromised. It has made a police report.

    February 2016

    The Agri-Food and Veterinary Authority of Singapore (AVA) alerted the public to a phishing e-mail scam that used its name. Sent from "info@ava.org.sg", the e-mail message asked recipients to submit their company details using an attached form. Its subject line said "AVA Confidential Source Directory Update 2016 edition", and it appeared to be from an official source. But e-mail addresses of a government agency should have the Internet domain "gov".

    January 2016

    The Ministry of Health (MOH) issued an alert over a phishing e-mail message from "HealthCare. gov". The message had a subject line: "HealthCare. gov: Important HealthCare Notification". It claimed that "in view of the upcoming filing of the 2015 tax returns and the modifications made in respect to health care", users should "verify (their) health care status immediately". It included a link for users to complete the supposed verification. MOH warned users not to respond to the e-mail, or click on any link or attachment within the message.

    Seow Bei Yi

Police statistics revealed a rise in the number of cases reported under the Computer Misuse and Cybersecurity Act as well. While there were 169 cases reported in 2013, this rose to 278 last year.

"Many of these fake websites appear designed to scam people from overseas who may not be familiar with Singapore government Web services," an IDA spokesman told The Sunday Times. "We take a strong stand because such fake websites seek to ride on the good reputation of the Singapore Government and we will take all necessary steps to prevent such abuse."

The MOM, for example, has posted six notices on its website in the past six months to warn of fraudulent websites, some of which were phishing for visitors' personal data.

But the fake sites did not affect access to the official MOM website and no data was compromised, it stressed.

MOM urged the public to use only its official website.

A check on MOM Web archives found that it did not put up such notices over the same period a year ago, though it warned users of two fraudulent sites in 2014.

Mr Greg Russell, IBM Asia-Pacific's head of Trusteer, a unit of IBM Security, said phishing is growing in effectiveness and is inexpensive to carry out.

Malware, or malicious software that can steal data or manipulate online sessions, can be obtained at no cost, or at most US$20,000 (S$27,000), according to IBM data.

In some cases, malware may redirect unsuspecting users to a legitimate-looking website.

Government websites are always a target, he added, as they link to visitors' personal data.

He added that phishing sites are "rarely, if ever" located in the countries they are targeting. Many originate from Eastern Europe or China. The difficulty of detecting them could also be because "most phishing attacks are effective for 90 minutes", before the sites are taken off or discovered.

In that time, the damage could already be done, Mr Russell said.

Mr Peter Sparkes, Symantec's senior director of cyber security services for Asia-Pacific and Japan, said personal data such as identification or passport numbers are more valuable than credit card information as they are "non-perishable". "They can replicate your identity, for instance, to start a new bank account in your name... and the information can be sold again and again," he said, adding that phishing attacks are becoming more targeted and sophisticated.

Besides engineering their tactics to the local context, attacks tend to target a smaller group of users instead of employing mass e-mail.

This makes scams harder to distinguish at a glance.

Increasingly, the people behind the scams are not just going for consumers, but also targeting large financial and e-commerce firms, said Mr David Freer, vice-president of Intel Security's Asia-Pacific consumer division.

Mr Sparkes said Singapore ranked first in Asia-Pacific and Japan, and third globally last year, as a destination for “spear phishing” or targeted attacks. In Singapore, there were an average of 3.6 cyber attacks for each organisation.

Mr Freer said users could check the domain name of the site and look for "https:" in the address, which indicates a secure connection. They should also avoid clicking on links in unsolicited e-mail and ignore call-to-action e-mail such as those claiming that "your account will be terminated".

Victims who shared their e-mail usernames and passwords should change the latter immediately and those who have given out personal information should make a police report, he added. "Being proactive and staying alert and aware of one's credit (record) is the best defence," he said.
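The domain and "https:" check Mr Freer describes, together with the "gov" domain rule from the AVA case, written out as an added example (not code from the article or from any agency). It assumes official hosts and mailboxes sit under gov.sg, as www.ica.gov.sg does; the .example hosts and the agency.gov.sg address are constructed samples.

```python
from urllib.parse import urlsplit

# Assumption for this example: official sites and mailboxes are under gov.sg.
OFFICIAL_SUFFIX = "gov.sg"


def under_official_suffix(host):
    """True only when host is gov.sg itself or a subdomain of it."""
    host = host.strip().rstrip(".").lower()
    # Require the dot boundary so "notgov.sg" does not pass as "gov.sg".
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)


def check_url(url):
    """Return the reasons a link fails the checks; an empty list means it passes."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("not https")
    # .hostname drops any "user@" prefix and the port, so a link that puts the
    # official name before an "@" is judged by the host that is really contacted.
    if not under_official_suffix(parts.hostname or ""):
        problems.append("host is not under gov.sg")
    return problems


def check_sender(address):
    """Check the domain part of a bare e-mail address (no display name)."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not under_official_suffix(domain):
        return ["sender domain is not under gov.sg"]
    return []


# Constructed sample inputs; only www.ica.gov.sg and info@ava.org.sg are from the article.
SAMPLE_LINKS = [
    "https://www.ica.gov.sg/",
    "http://www.ica.gov.sg/",
    "https://www.ica.gov.sg.visa-apply.example/enquiry",
    "https://www.ica.gov.sg@visa-apply.example/",
]
SAMPLE_SENDERS = ["info@ava.org.sg", "officer@agency.gov.sg"]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_url(link) or "passes")
    for sender in SAMPLE_SENDERS:
        print(sender, "->", check_sender(sender) or "passes")
```

Passing these checks is necessary rather than sufficient: "https:" only shows the connection is encrypted, and a From address under the right domain can still be forged.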


Correction note: An earlier version of the story quoted Mr Freer as saying that Singapore ranked first in Asia-Pacific and Japan as a destination for “spear phishing”. It was actually Mr Sparkes who said it. We are sorry for the error.

A version of this article appeared in the print edition of The Sunday Times on April 24, 2016, with the headline 'More fake govt websites phishing for personal data'.