Forgot your password?
typodupeerror
Security Firefox Privacy IT

Phishing Education Test Blocked For Phishing 113

Posted by Soulskill
from the please-enter-your-opinion-and-credit-card-number-below dept.
An anonymous reader writes "It appears a website called ismycreditcardstolen.com, designed to 'educate users about the dangers of phishing,' has itself been flagged by Firefox as a reported web forgery. The site, which asks visitors to enter their credit card details to 'see if they've been stolen,' takes the hapless visitor to a page warning them about the perils of phishing, giving them advice on how to avoid similar scams and also provides a link to the Anti-Phishing Working Group's website. Or at least it did, until various browsers started blocking it. As the Sunbelt blog post notes, the project was likely doomed to failure, both because of the domain name itself and also because it uses anonymous Whois data, which isn't exactly going to make security people look at it in a positive light. Does anyone out there think this was a good idea? Or will malicious individuals start playing copycat on a public now trained to think sites like this are just 'harmless education?'"
This discussion has been archived. No new comments can be posted.

Phishing Education Test Blocked For Phishing

Comments Filter:
  • by Anonymous Coward

    It was designed to look like a phising site, and it did!

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      It was designed to look like a phising site, and it did!

      Blocked by the idiots who did a knee-jerk reaction and flagged it as a hostile site. Isn't that spiffy, it got blocked by the very lack-of-awareness idiots who it was trying to assist. Gotta love the irony.

      I say leave them to their own devices. The phishers are merely making stupidity more painful. While they intend ill, the overall effect might not be so bad.

      • by shentino (1139071)

        Except that they usually keep their ill gotten gains and use them to finance far more sinister operations.

        If they took their fleecings and donated them to charity I would approve.

        Remember, these guys are in cahoots with evil spammers.

      • by KDR_11k (778916)

        If it only told people that it's for education after they did something that would usually be very stupid then you can expect most smart people to never see that message.

      • Re: (Score:3, Interesting)

        by tomhudson (43916)

        Blocked by intelligent people - the site doesn't pass the smell test.

        And there's no reason to believe they didn't log the data.

        • by yakatz (1176317)

          Anyone who looked at the source code of the site could see that the credit card information input fields were not inside the form and therefore were not submitted.

          There is even a comment in the source that says it was done that way on purpose.

          • by tomhudson (43916)
            And you believe that?

            What's to keep them from, at random, sending out a form that DID send the data back?

            they complain. You go and check it out - see the form that doesn't send the data back, and say "don't worry." YOU are the secondary target of the social engineering - and YOU just helped vet them.

            Or, one in 100 times, you check and you also see the phishing version. But since it can't be repeated, next time you go back, it's "gee, maybe you have a virus on your machine?" Or they set a cookie flaggi

  • Hmmm... (Score:3, Insightful)

    by Devout_IPUite (1284636) on Saturday April 24, 2010 @11:37AM (#31967312)
    It doesn't seem like having users enter their credit card to check if it's been stolen is a good idea. All it takes is the site getting hacked and viola! Real stealing on every query!
    • Re:Hmmm... (Score:5, Funny)

      by maxume (22995) on Saturday April 24, 2010 @11:40AM (#31967342)

      After they click submit, the site should return a page that simply says "Yes".

    • Re: (Score:3, Interesting)

      by sunderland56 (621843)
      Maybe the site's designers are actually phishing, and collecting people's credit card details. If they are ever challenged, they have the "hey, it was just an educational web site" defense to fall back on.
      • by pikine (771084) on Saturday April 24, 2010 @01:07PM (#31967888) Journal

        If you look at the HTML code, the form fields that contain your credit card information was excluded from the form the web browser actually submits. The HTML code is essentially structured like this: [credit card issuer] [credit card number] [name on credit card] [expiration month] [expiration year] [start form] [submit button] [end form]. The form itself really only contains the submit button and nothing else. Hence, unless your browser is broken, none of the credit card information should be submitted anywhere.

        However, the bit about Google Analytics javascript on the bottom of the HTML page could contain code to collect and transmit these form fields to somewhere else. The site could be hacked, and the hacker could alter the HTML code to submit the credit card information somewhere.

        • by fluffy99 (870997)

          Or maybe 1 out of every 10,000 hits to the site got a slightly different page that did send the info. Who would know?
          Nice that firefox won't even let me see the page source. I guess it thinks I'm an idiot or something.

          • Re: (Score:3, Interesting)

            by kgo (1741558)

            Personally, I'd trigger it off of user-agent header. IE... Not a techie verifying functionality -> really submit info... Chrome/Firefox/search engine agents -> example page.

            • by fluffy99 (870997)

              Or maybe IP address. If it's an AOL dialup user, they have already proven themselves gullible. :}

    • Re:Hmmm... (Score:5, Informative)

      by Rijnzael (1294596) on Saturday April 24, 2010 @11:44AM (#31967356)
      That's not the point of the site. The point is to show the vulnerable how easy it is to fall for phishing scams, and that you should never provide your credit card number to a site that you're unfamiliar with.

      The site is clearly not malicious. The form tag on the page doesn't include the card number and other identifying input elements, so that data isn't gathered or even transmitted over the network from what I can tell. The page just sends you to their 'you have failed page' any time you submit it.
      • by tverbeek (457094)

        Creating a site that invites people to do Something Really Stupid as a way to educate people not to do Something Really Stupid is practically begging to get flagged as malicious. It is, in fact, Something Really Stupid.

      • Re: (Score:2, Insightful)

        by MoldySpore (1280634)
        Right but all they have done is create an unsecured form where they are entering in a clear text credit card number. It is just an unnecessary risk regardless if it is a legit site or not. What if they have malware that is collecting form field entries? They just made a nice clear text form for that malicious software to extract from.
        • by causality (777677)

          Right but all they have done is create an unsecured form where they are entering in a clear text credit card number. It is just an unnecessary risk regardless if it is a legit site or not. What if they have malware that is collecting form field entries? They just made a nice clear text form for that malicious software to extract from.

          If they already have malware installed that is collecting and transmitting their data, then they already have bigger problems. It's sort of like worrying about dirty windows when the whole house has already been swallowed by a sinkhole.

          • http://ismycreditcardstolen.com/ [ismycreditcardstolen.com] was running Apache on Linux when last queried at 24-Apr-2010 17:15:46 GMT - refresh now Site Report

            Try out the Netcraft Toolbar! FAQ OS Server Last changed IP address Netblock Owner

            Linux Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8g DAV/2 SVN/1.6.9 mod_fcgid/2.3.4 24-Apr-2010 66.220.0.89 EGIHosting

            • by causality (777677)

              http://ismycreditcardstolen.com/ [ismycreditcardstolen.com] was running Apache on Linux when last queried at 24-Apr-2010 17:15:46 GMT - refresh now Site Report

              Try out the Netcraft Toolbar! FAQ OS Server Last changed IP address Netblock Owner

              Linux Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8g DAV/2 SVN/1.6.9 mod_fcgid/2.3.4 24-Apr-2010 66.220.0.89 EGIHosting

              You responded to my post. You know that what you wrote there has absolutely nothing to do with my post, right?

        • by nautsch (1186995)
          Look at the source. No info is transmitted.
        • Re: (Score:3, Interesting)

          by Rijnzael (1294596)
          In case you didn't understand my comment: the HTML input elements that are in the source to show those boxes on the page are NOT part of a form element. This means that absent some javascript, the data in those input elements will not be transmitted. Go ahead and try it with Wireshark for yourself, you'll see that the only result is a GET request for their 'you have failed' page.
      • by sqlrob (173498)

        It isn't malicious *now*.

        How do you know it isn't going to turn so?

      • That brings up an exceptional point, it seems like all page form elements should have a little triangle at the far right corner or a hover tool tip or something that indicates whether the action is a secure page, insecure page, or whether the form elements are standalone?

        • by jibjibjib (889679)
          It wouldn't be useful for security, because Javascript can take the form data and send it anywhere at any time, independent of whether the element is actually in a form or not and where it submits to.

          It'd be a "This form is probably secure but might possibly not be" indication, which is completely useless and misleading to any non-web-developer.

      • by cgenman (325138)

        Yes.

        And while we're at it, you should visit my other sites, HasYourPasswordBeenCompromised.com and DoesAnyoneHaveThisHotPictureOfMeNaked.com.

      • FAIL! (Score:3, Interesting)

        by Frosty Piss (770223)

        The site is clearly not malicious.

        Really? "Clearly"? It's not clear to me. I am supposed to TRUST these people I don't know who have a hidden whois? Seems to me like an excellent way to acquire CC numbers from ignorant rubes.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      The form data isn't actually transmitted; the submit button is on a different form. Real hackery would have to change the HTML as well.

    • Re: (Score:3, Informative)

      by u38cg (607297)
      From the page source, goddammit:

      This site is intended to be a lesson for people who are susceptible to getting phished. The goal here is for no credit card information to ever be sent across the wire. To accomplish this, all credit card info is outside the form. That way, clicking on the submit button doesn't submit any credit card info.

      Godaddy was smart enough to detect some evil keywords in the domain and require a human being to look at the site. If you are reading this, Godaddy: Our intention is to ed

      • My assertion was not that the site is stealing information. It's that if a hacker breaks into the site and changes stuff it can be stealing information.
    • I thought TFA said that it had no whois data - but use seem to know it's run by someone called Viola. Maybe her surname's Walla.
    • by Qwertie (797303)

      All it takes is the site getting hacked and viola! Real stealing on every query!

      The same could be said of any legitimate web site that takes credit card numbers. Black hats probably have numerous targets more juicy than this one.

  • Who's to say it isn't a credit card number stealing web site disguised as a web site "designed to 'educate users about the dangers of phishing'" disguised as a web site to help users determine whether their credit card numbers are stolen?
    • by 5pp000 (873881) *

      Who's to say it isn't a credit card number stealing web site disguised as a web site "designed to 'educate users about the dangers of phishing'"

      Even if this one isn't, you can be sure those will start to appear now.

      • by data2 (1382587)

        This one, as mentioned elsewhere, does not even transmit your information as it is not included in the form. So this one seems legit.

        • by abigsmurf (919188)
          It's not too hard to code a page to store things typed in despite not sending anything through post or get. How many people would notice heavily obfuscated javascript like that?
          • by data2 (1382587)

            Probably no one, unless someone really looked.
              But i guess the intersection of people who would enter their data and the people who would understand the code is empty anyway.

          • I'd notice the HUGE HONKING MASS OF OBFUSCATED JAVASCRIPT. Usually something like this stands out:

            var _0xffba=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21","\x0A","\x4F\x4B"];var a=_0xffba[0];function MsgBox(_0x6517x3){alert(_0x6517x3+_0xffba[1]+a);} ;MsgBox(_0xffba[2]);

            Not hard to tell something phishy is going on.

            Unless you mean javascript that does something nasty but looks perfectly innocent?

          • it could be obfuscated if there was a lot of javascript. but since theres so little of it and clearly understood, there is no question of obfuscation.
    • by Bigjeff5 (1143585)

      That's the point.

      While these guys may have been doing a good deed, if it looks like a duck, walks like a duck, and quacks like a duck, you really have no choice but to treat it like a duck.

      The only safe way to deal with even a friendly site that takes credit card numbers to trick users (in this case, to educate them instead of steal from them) is to block them. Tomorrow they may start recording the card numbers, or worse they've been collecting them for months, and now that they are shut down they start us

      • by JWSmythe (446288)

        You're absolutely right. If it was designed to look and act like a phishing site, regardless if it does currently capture any information, and the filters catch it, then the phishing filters are working properly.

            Or, as you say, treat it like a duck [alexross.com].

    • by Anonymous Coward on Saturday April 24, 2010 @11:59AM (#31967470)

      RFTSC (source code):


      <!-- Start form here so credit card details aren't submitted. -->
      <form action="check.html">
          <input type="submit" value="Check if my credit card is stolen">
      </form>

      The browser never submits any of the entered information to the server.

    • by snl2587 (1177409)
      Well, clearly you aren't the technical user the site says to use to verify that no data has been submitted.
  • by Keruo (771880) on Saturday April 24, 2010 @11:44AM (#31967360)
    Post your full name, address, credit card number and cvv as a reply to this post and we will get back to you if your card has been exposed to the threats on internet.
  • I'm just sayin'. It has all the hallmarks of a IT grad student behavioral study experiment or perhaps a prank or a hoax. Are people really that stupid?
    • by causality (777677)

      I'm just sayin'. It has all the hallmarks of a IT grad student behavioral study experiment or perhaps a prank or a hoax. Are people really that stupid?

      Ever heard of this site about the dangers of dihydrogen monoxide? [dhmo.org]

      "Dihydrogen monoxide can even be lethal if inhaled!" Dihydrogen monoxide is, of course, water. Their link that says it's "for the press" will explain the intent behind the site. It aims to do for critical thinking what this phishing education site does for phishing.

    • > Are people really that stupid?

      The answer to this question is always going to be the same, no matter what context you put around the question.

      Are people stupid enough to send money to 419 scammers? Stupid enough to waste thousands of hours *baiting* 419 scammers and getting them to pose for photos in various ridiculous settings and attire? Stupid enough to *be* baited? Sure enough, some people are.

      Are people stupid enough to give their credit cards details to any random person who claims to represent
  • Society is broken, not the ideas that circulate freely, no matter what anyone would wish. GPS in phones - useful to owners, and to thieves, as in http://pleaserobme.com/ [pleaserobme.com]. P2P and copyrights, anonymity, credit info, privacy rights, games. Lots of things have good and bad, legal and illegal, moral and immoral sides. I believe that in most instances, society is just having trouble adapting and finding the right way to do it, but it will change regardless, it's up to our actions to guide it. And simple eas
  • How much time did it take from when the site was published to when the various browsers had it blocked?
  • ...are people still this gullible? Even if the site is 100% legit, what would possess someone to give out their information on an site that had no ssl encryption? They put freaking graphics of "Secured!" with a green check mark on the page...honestly if people can't see through that they deserve to get their card information stolen.

    Now that I think about it, perhaps that is the secondary purpose of the site. Force people to learn not to give out their card information otherwise some guy in China will start

  • by Don Faulkner (138856) on Saturday April 24, 2010 @12:16PM (#31967572) Homepage

    When we were kids, many of us received immunizations against a host of nasty diseases. The purpose of these vaccines was to expose our immune systems to "fake badness," so that when we were exposed "real badness," the immune system would be pre-primed to deal with it.

    Phishing is a problem precisely because most of the email that your average (l)user gets and most of the sites they visit are legitimate, with no badness (of this type) involved. When you've never been exposed to phishing behavior, it's much easier to fall for a scam.

    You can run all the "awareness" campaigns you want, but users tend to ignore that sort of stuff, thinking, "right, I get it, but I'm smarter than that."

    We need to inoculate users to teach them to be wary. There should be more sites like this out there. Some geared toward credit card data, some geared toward username & password, and others yet for other forms of PII.

    Once a user is brought up short a few times by information pages like you see after you hit submit, they will be more cautious on all sites.

  • Whois shows (Score:2, Interesting)

    by captnbmoore (911895)
    That it's registered to some place in George Town Cayman Islands. I would say that is a phishing scam since they want all pertinent info. Of course IE8 does not block it so if you really want to test it and not get a scam alert just use IE8.
    • Re: (Score:3, Informative)

      No, the site is structured so if you enter any details in the form, they won't be submitted by your browser when you click the form. Since the site doesn't offer me any means to enter details and have them sent (and you'd want to give it more than the cursory glance I did to prove this) then why flag it as a phishing site?
    • Re: (Score:3, Informative)

      by icebraining (1313345)

      Except if you read its source code, you'd see it doesn't actually send the data to the server.

      By the way, in Firefox you can click "ignore this warning" in the lower right corner.

  • It makes me think of my friend when he was going to apply to Kmart, The first thing they ask for at the website is your full social security number. Needless to say that is a great target for phishing, Try this, open your cli in windows and tracert www.google.com. It returns as www.l.google.com but, on a Linux box it returns as www.google.com with ***.l.*****.com being the prime giveaway in a phishing scam some people report Google owns www.l.google.com. What is your take ? Ron
    • You seem confused about domain names. Any combination of *******.google.com is just a subdomain of google.com, which is owned by Google. So yes, as long as it ends in ".google.com" it's safe (well, unless that first dot is not a real dot - I don't know how is the whole issue around UTF-8 characters in URLs).

    • Re: (Score:3, Informative)

      by Pentium100 (1240090)

      I don't get what you are saying...

      www.google.com is a DNS CNAME record, a record which does not point to an IP address, but to another name. Windows tracert (and ping) utilities report the IP and the name returned by the server. CNAME records are useful if you want to have multiple (sub)domains that all point to a single IP address. You can, for example, create DNS A record that points realserver.google.com to the actual IP(s) of the server(s) and a bunch of other domains that point to realserver.google.com

      • I think the OP's concerns would be satisfied with a simple WHOIS lookup, using either the IP address or the domain name, or both. Windows users can use a web-based service for lookups.

      • Google is their own ISP ; e100.net is Google.

        Registrant:

                        DNS Admin
                        Google Inc.
                        1600 Amphitheatre Parkway
                        Mountain View CA 9404

  • For instance, SonicWall blocks phishtank. Yup, SonicWall blocks a site to help protect users against phishing by being able to check links against known phishing sites (http://www.stevemilner.org/blog/2010/01/20/sonicwall-silly/). The less technical the data owners are the less helpful the the rule sets are.

    To be honest, this site in question does look like a phishing site and thus, if someone went to the site and knew what phishing was, they would most likely flag it if they did not click through (aka i
  • Phishing education phishy phished for phishy phishing the pish. pish.
  • by laing (303349) on Saturday April 24, 2010 @12:58PM (#31967856)
    OK I'm running Firefox (3.5.9) on Ubuntu Linux and I went to the site. It warned me that the site was a forgery and I clicked the "ignore this warning" button. The site prompted me to enter some credit card information which I did (false of course) and on the next page it said that I failed the test and that my information was not transmitted so I shouldn't worry but that I should have someone who is technically competent verify this. I decided to have a quick look at the previous page source to see if the submit form included the card number and when I selected 'View->Page Source' from Firefox I got the same forgery warning instead of viewing the source. The "ignore this warning" button didn't work at this point so I guess I cannot verify the claim on the page withe Firefox alone. This seems rather broken to me as the page source display doesn't execute malicious code.

    Yes I know I could save the page or use wget but why doesn't Firefox let me look at the suspected page's SOURCE? How could that possibly be harmful?

    • Re: (Score:3, Informative)

      by Dumnezeu (1673634)

      Apparently, it's a bug in Firefox. Running 3.6.3 on Windows does the same thing: if you click the "Ignore this warning" in the window with the page's source, nothing happens.

    • You can turn off blocking under Tools>Options>Security. Maybe FF doesn't work properly, but functionality to bypass security warnings can't be much of a high priority
  • by ron-l-j (1725874)
    Resolves to 209.85.225.147 witch I know to be a good IP address and yes MAC addresses can be spoofed and IP addresses can be spoofed as well. Security is just complication. And you can follow your route to primary DNS servers and look up routing tables as well. Im saying its odd that a very popular phishing trick is to slightly change the name record witch is what appears to happen when looking up google.com in tracert.
  • Malicious individuals will start building copycat sites hoping to hoodwink a public now trained to think sites like this are just 'harmless education."
  • There is the wrong way, and the Phishme.com way. cheers!
  • But they need to be more realistic now. They are realistic enough for browsers to consider them phishers (which they probably are, technically), so they need to act just a little more like real phishers.

    They need to do what all phishers do and get hundreds more domains and IP addresses.

    And put sneaky Ad listings in sponsored search results with various search engines.

  • If people are entering their information, how is blocking an educational site a smart move? I mean, if they are entering their CC #, then they already have big problems. That said, I wouldn't be telling people to go there.
    • by Mr. DOS (1276020)

      I would be, albeit subtly. I think this is a great test - making people wake up to their own stupidity is never a bad thing, and it's better to have them find out this way than have to help them out of the middle of a real credit card theft scenario.

  • My corporate net blocks a website dedicated to fighting racism and hate speech on the basis that it 'has' racism and hate speech.

    DERP.

  • I'm thinking of setting up a service where people send me all their paper money ($20 notes and up), and I check to see if they're counterfeit or not. If any notes are counterfeit I destroy them so that my clients won't get into trouble by passing dud notes.

    What do you think? Does this have possibilities?

One man's constant is another man's variable. -- A.J. Perlis

Working...