People are warned against a phishing site disguised as a police website that "fines" internet users for browsing porn sites.
The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), under the Hong Kong Productivity Council, has recently received reports of a website asking people to submit their credit card information to pay fines of a few thousand Hong Kong dollars, as a means to trick them into giving their bank information.
After logging onto the fake website, people will see a logo that is the same as the one on the Hong Kong Police Force's official website, the HKCERT said.
The website tells users that their computers and browsers have been blocked "due to repeated visits to pornographic sites containing materials prohibited by the laws of Hong Kong" which is against "pornography promoting pedophilia, violence and homosexuality."
The website also asks users to pay a "fine" of HK$3,700 by credit card, and says that if users fail to pay or attempt to unblock their computer without paying the fine, all information on their device will be permanently deleted, police will come to their home to arrest them, and criminal charges will be laid against them.
But after the HKCERT analyzed the fake website, it found that the website used a phishing technique called the browser-in-the-browser attack, in which hackers create the address bar, toolbar and tabs as images in JPG format. The real website link is hidden when the browser enters full screen mode, and therefore the false website looks like the Hong Kong Police Force website.
The HKCERT reminded computer users that they can find out if the site is fake by pressing ESC on their keyboard to exit full screen mode, and by the fact that users cannot change the website link in the address bar.
People also cannot view the website on a mobile phone.
The HKCERT has contacted internet service providers to remove the fake website, but it believes that this kind of phishing site can continue to change.
Therefore, the center reminded people to stay alert and to pay attention to the spelling of website links. People also need to think about whether the link is real and whether its sender is trustworthy before clicking on it.
The public should also make sure they are only making credit card payments to genuine organizations on reliable equipment.