Phishing Education Test Blocked For Phishing

An anonymous reader writes "It appears a website called ismycreditcardstolen.com, designed to 'educate users about the dangers of phishing,' has itself been flagged by Firefox as a reported web forgery. The site, which asks visitors to enter their credit card details to 'see if they've been stolen,' takes the hapless visitor to a page warning them about the perils of phishing, giving them advice on how to avoid similar scams and also provides a link to the Anti-Phishing Working Group's website. Or at least it did, until various browsers started blocking it. As the Sunbelt blog post notes, the project was likely doomed to failure, both because of the domain name itself and also because it uses anonymous Whois data, which isn't exactly going to make security people look at it in a positive light. Does anyone out there think this was a good idea? Or will malicious individuals start playing copycat on a public now trained to think sites like this are just 'harmless education?'"

Re:Hmmm...

[Rijnzael]

That's not the point of the site. The point is to show the vulnerable how easy it is to fall for phishing scams, and that you should never provide your credit card number to a site that you're unfamiliar with.

The site is clearly not malicious. The form tag on the page doesn't include the card number and other identifying input elements, so that data isn't gathered or even transmitted over the network from what I can tell. The page just sends you to their 'you have failed page' any time you submit it.

Re:Firefox could still be correct...

[Anonymous Coward]

RFTSC (source code):

<!-- Start form here so credit card details aren't submitted. -->
<form action="check.html">
    <input type="submit" value="Check if my credit card is stolen">
</form>

The browser never submits any of the entered information to the server.

Re:Hmmm...

[u38cg]

From the page source, goddammit:

This site is intended to be a lesson for people who are susceptible to getting phished. The goal here is for no credit card information to ever be sent across the wire. To accomplish this, all credit card info is outside the form. That way, clicking on the submit button doesn't submit any credit card info.

Godaddy was smart enough to detect some evil keywords in the domain and require a human being to look at the site. If you are reading this, Godaddy: Our intention is to educate and inform people of phishing, in a particularly memorable way: http://ismycreditcardstolen.com/anti-phishing.jpg [ismycreditcardstolen.com]

BTW there is no form validation so just click the submit button if you want to see the "you have failed" message, visible here: http://ismycreditcardstolen.com/check.html [ismycreditcardstolen.com]

Re:Whois shows

[RichardJenkins]

No, the site is structured so if you enter any details in the form, they won't be submitted by your browser when you click the form. Since the site doesn't offer me any means to enter details and have them sent (and you'd want to give it more than the cursory glance I did to prove this) then why flag it as a phishing site?

Re:Whois shows

[icebraining]

Except if you read its source code, you'd see it doesn't actually send the data to the server.

By the way, in Firefox you can click "ignore this warning" in the lower right corner.

Re:something worse

[Pentium100]

I don't get what you are saying...

www.google.com is a DNS CNAME record, a record which does not point to an IP address, but to another name. Windows tracert (and ping) utilities report the IP and the name returned by the server. CNAME records are useful if you want to have multiple (sub)domains that all point to a single IP address. You can, for example, create DNS A record that points realserver.google.com to the actual IP(s) of the server(s) and a bunch of other domains that point to realserver.google.com. Now, if the IP of the server changes, you only need to update one record.

Tracert and Linux traceroute also do reverse DNS lookup, they ask the server for a name for that IP address. This depends primarily on the ISP, without their assistance I cannot change my reverse lookup entry, for example. While multiple domain names can point to a single IP, the IP only points to one domain name.

So, with google it's like this:

www.google.com is a CNAME record that points to www.l.google.com
www.l.google.com is a A record that points to 74.125.77.147, 74.125.77.104 and 74.125.77.99
74.125.77.147 points to ew-in-f147.1e100.net
74.125.77.104 pints to ew-in-f104.1e100.net

1e100.net is probably the ISP of that server. It looks like the reverse record is made using the last octet of the IP, what does ew-in-f mean you woud have to ask that IPS.

In any case, that's why tracert reports:
Tracing route to www.l.google.com [74.125.77.104]
over a maximum of 30 hops: ...

  11 80 ms 80 ms 79 ms ew-in-f104.1e100.net [74.125.77.104]

Re:Whois shows

[broken_chaos]

Oddly enough that doesn't work in "view source" mode. I had to use Firebug to check the source code instead.

Re:Hmmm...

[maxume]

You can inspect the source and verify that it doesn't actually submit the data.

That doesn't say anything about what other people see, but if there is a problem and enough people investigate, someone should eventually notice it.

Re:Firefox is broken

[Dumnezeu]

Apparently, it's a bug in Firefox. Running 3.6.3 on Windows does the same thing: if you click the "Ignore this warning" in the window with the page's source, nothing happens.