Phishing Education Test Blocked For Phishing
An anonymous reader writes "It appears a website called ismycreditcardstolen.com, designed to 'educate users about the dangers of phishing,' has itself been flagged by Firefox as a reported web forgery. The site, which asks visitors to enter their credit card details to 'see if they've been stolen,' takes the hapless visitor to a page warning them about the perils of phishing, giving them advice on how to avoid similar scams and also provides a link to the Anti-Phishing Working Group's website. Or at least it did, until various browsers started blocking it. As the Sunbelt blog post notes, the project was likely doomed to failure, both because of the domain name itself and also because it uses anonymous Whois data, which isn't exactly going to make security people look at it in a positive light. Does anyone out there think this was a good idea? Or will malicious individuals start playing copycat on a public now trained to think sites like this are just 'harmless education?'"
So, it worked! (Score:1, Funny)
It was designed to look like a phishing site, and it did!
Re: (Score:2, Insightful)
It was designed to look like a phishing site, and it did!
Blocked by the idiots who did a knee-jerk reaction and flagged it as a hostile site. Isn't that spiffy, it got blocked by the very lack-of-awareness idiots who it was trying to assist. Gotta love the irony.
I say leave them to their own devices. The phishers are merely making stupidity more painful. While they intend ill, the overall effect might not be so bad.
Re: (Score:2)
Except that they usually keep their ill gotten gains and use them to finance far more sinister operations.
If they took their fleecings and donated them to charity I would approve.
Remember, these guys are in cahoots with evil spammers.
Re: (Score:1)
If it only told people that it's for education after they did something that would usually be very stupid then you can expect most smart people to never see that message.
Re: (Score:3, Interesting)
Blocked by intelligent people - the site doesn't pass the smell test.
And there's no reason to believe they didn't log the data.
Re: (Score:2)
Anyone who looked at the source code of the site could see that the credit card information input fields were not inside the form and therefore were not submitted.
There is even a comment in the source that says it was done that way on purpose.
Re: (Score:2)
What's to keep them from, at random, sending out a form that DID send the data back?
they complain. You go and check it out - see the form that doesn't send the data back, and say "don't worry." YOU are the secondary target of the social engineering - and YOU just helped vet them.
Or, one in 100 times, you check and you also see the phishing version. But since it can't be repeated, next time you go back, it's "gee, maybe you have a virus on your machine?" Or they set a cookie flaggi
Hmmm... (Score:3, Insightful)
Re:Hmmm... (Score:5, Funny)
After they click submit, the site should return a page that simply says "Yes".
Re: (Score:2)
You probably want to see our gallant efforts to stop ID theft.
http://www.effortlessis.com/stopidtheft [effortlessis.com]
Re: (Score:1)
It would be better if it didn't reveal the message when everything is left blank.
Re: (Score:1)
You want to steal my stopid?
Re: (Score:2, Informative)
You can inspect the source and verify that it doesn't actually submit the data.
That doesn't say anything about what other people see, but if there is a problem and enough people investigate, someone should eventually notice it.
Re: (Score:3, Interesting)
excluded from the form (Score:5, Interesting)
If you look at the HTML code, the form fields that contain your credit card information were excluded from the form the web browser actually submits. The HTML code is essentially structured like this: [credit card issuer] [credit card number] [name on credit card] [expiration month] [expiration year] [start form] [submit button] [end form]. The form itself really only contains the submit button and nothing else. Hence, unless your browser is broken, none of the credit card information should be submitted anywhere.
However, the bit about Google Analytics javascript on the bottom of the HTML page could contain code to collect and transmit these form fields to somewhere else. The site could be hacked, and the hacker could alter the HTML code to submit the credit card information somewhere.
Re: (Score:2)
Or maybe 1 out of every 10,000 hits to the site got a slightly different page that did send the info. Who would know?
Nice that firefox won't even let me see the page source. I guess it thinks I'm an idiot or something.
Re: (Score:3, Interesting)
Personally, I'd trigger it off of user-agent header. IE... Not a techie verifying functionality -> really submit info... Chrome/Firefox/search engine agents -> example page.
Re: (Score:2)
Or maybe IP address. If it's an AOL dialup user, they have already proven themselves gullible. :}
Re:Hmmm... (Score:5, Informative)
The site is clearly not malicious. The form tag on the page doesn't include the card number and other identifying input elements, so that data isn't gathered or even transmitted over the network from what I can tell. The page just sends you to their 'you have failed page' any time you submit it.
Re: (Score:2)
Creating a site that invites people to do Something Really Stupid as a way to educate people not to do Something Really Stupid is practically begging to get flagged as malicious. It is, in fact, Something Really Stupid.
Re: (Score:2, Insightful)
Re: (Score:2)
Right but all they have done is create an unsecured form where they are entering in a clear text credit card number. It is just an unnecessary risk regardless if it is a legit site or not. What if they have malware that is collecting form field entries? They just made a nice clear text form for that malicious software to extract from.
If they already have malware installed that is collecting and transmitting their data, then they already have bigger problems. It's sort of like worrying about dirty windows when the whole house has already been swallowed by a sinkhole.
Netcraft (Score:1)
OS: Linux
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8g DAV/2 SVN/1.6.9 mod_fcgid/2.3.4
Last changed: 24-Apr-2010
IP address: 66.220.0.89
Netblock Owner: EGIHosting
Re: (Score:2)
http://ismycreditcardstolen.com/ [ismycreditcardstolen.com] was running Apache on Linux when last queried at 24-Apr-2010 17:15:46 GMT
OS: Linux
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8g DAV/2 SVN/1.6.9 mod_fcgid/2.3.4
Last changed: 24-Apr-2010
IP address: 66.220.0.89
Netblock Owner: EGIHosting
You responded to my post. You know that what you wrote there has absolutely nothing to do with my post, right?
Re: (Score:1)
Re: (Score:3, Interesting)
Re: (Score:2)
It isn't malicious *now*.
How do you know it isn't going to turn so?
Re: (Score:1)
That brings up an exceptional point, it seems like all page form elements should have a little triangle at the far right corner or a hover tool tip or something that indicates whether the action is a secure page, insecure page, or whether the form elements are standalone?
Re: (Score:2)
It'd be a "This form is probably secure but might possibly not be" indication, which is completely useless and misleading to any non-web-developer.
Re: (Score:2)
Yes.
And while we're at it, you should visit my other sites, HasYourPasswordBeenCompromised.com and DoesAnyoneHaveThisHotPictureOfMeNaked.com.
FAIL! (Score:3, Interesting)
The site is clearly not malicious.
Really? "Clearly"? It's not clear to me. I am supposed to TRUST these people I don't know who have a hidden whois? Seems to me like an excellent way to acquire CC numbers from ignorant rubes.
Re: (Score:2, Interesting)
The form data isn't actually transmitted; the submit button is on a different form. Real hackery would have to change the HTML as well.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
The same could be said of any legitimate web site that takes credit card numbers. Black hats probably have numerous targets more juicy than this one.
Firefox could still be correct... (Score:1, Insightful)
Re: (Score:2)
Even if this one isn't, you can be sure those will start to appear now.
Re: (Score:1)
This one, as mentioned elsewhere, does not even transmit your information as it is not included in the form. So this one seems legit.
Re: (Score:2)
Re: (Score:1)
Probably no one, unless someone really looked.
But i guess the intersection of people who would enter their data and the people who would understand the code is empty anyway.
Re: (Score:2)
I'd notice the HUGE HONKING MASS OF OBFUSCATED JAVASCRIPT. Usually something like this stands out:
var _0xffba=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21","\x0A","\x4F\x4B"];var a=_0xffba[0];function MsgBox(_0x6517x3){alert(_0x6517x3+_0xffba[1]+a);} ;MsgBox(_0xffba[2]);
Not hard to tell something phishy is going on.
Unless you mean javascript that does something nasty but looks perfectly innocent?
Re: (Score:1)
Re: (Score:2)
That's the point.
While these guys may have been doing a good deed, if it looks like a duck, walks like a duck, and quacks like a duck, you really have no choice but to treat it like a duck.
The only safe way to deal with even a friendly site that takes credit card numbers to trick users (in this case, to educate them instead of steal from them) is to block them. Tomorrow they may start recording the card numbers, or worse they've been collecting them for months, and now that they are shut down they start us
Re: (Score:2)
You're absolutely right. If it was designed to look and act like a phishing site, regardless if it does currently capture any information, and the filters catch it, then the phishing filters are working properly.
Or, as you say, treat it like a duck [alexross.com].
Re:Firefox could still be correct... (Score:5, Informative)
RFTSC (source code):
<!-- Start form here so credit card details aren't submitted. -->
<form action="check.html">
<input type="submit" value="Check if my credit card is stolen">
</form>
The browser never submits any of the entered information to the server.
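Added example, not part of the thread or the site's own code: a static check in Python for the point made in this comment and in the "excluded from the form" comment above, listing which fields a form submission would carry and which scripts the page loads. It goes slightly beyond the thread by also resolving the HTML5 form="id" attribute, which attaches a field to a form it is not nested in; the field names and the script URL in the sample are constructed.

```python
from html.parser import HTMLParser
CONTROLS = {"input", "select", "textarea"}

class FormAudit(HTMLParser):  # collects forms, controls and scripts
    def __init__(self):
        super().__init__()
        self.forms = []         # {"id", "action"} per <form>, document order
        self.controls = []      # (label, name, owner) per control
        self.scripts = []       # script src, or "<inline>" for embedded code
        self._open_form = None  # index of the <form> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"id": a.get("id"), "action": a.get("action", "")})
            self._open_form = len(self.forms) - 1
        elif tag in CONTROLS:
            # An explicit form="id" attribute overrides nesting (HTML5).
            owner = a["form"] if "form" in a else self._open_form
            label = a.get("name") or a.get("id") or a.get("type", tag)
            self.controls.append((label, a.get("name"), owner))
        elif tag == "script":
            self.scripts.append(a.get("src") or "<inline>")

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None

def audit(html):
    """Report what a form submission would carry and which scripts load."""
    p = FormAudit()
    p.feed(html)
    by_id = {f["id"]: i for i, f in enumerate(p.forms) if f["id"]}
    submitted = {f["action"]: [] for f in p.forms}
    not_submitted = []
    for label, name, owner in p.controls:
        if isinstance(owner, str):      # resolve a form="id" reference
            owner = by_id.get(owner)
        if owner is not None and name:  # sent only with a form owner and a name
            submitted[p.forms[owner]["action"]].append(name)
        else:
            not_submitted.append(label)
    return {"submitted": submitted, "not_submitted": not_submitted, "scripts": p.scripts}

# Constructed sample modelled on the layout the comments describe: field names
# and script URL are assumptions. VARIANT re-attaches one field via form="f".
SAMPLE = """
<select name="issuer"><option>Visa</option></select>
<input type="text" name="card_number">
<!-- Start form here so credit card details aren't submitted. -->
<form action="check.html">
<input type="submit" value="Check if my credit card is stolen">
</form>
<script src="https://analytics.example/ga.js"></script>
"""
VARIANT = SAMPLE.replace('<form action', '<form id="f" action').replace(
    'name="card_number"', 'name="card_number" form="f"')
if __name__ == "__main__":
    print(audit(SAMPLE), audit(VARIANT), sep="\n")
```

An empty "submitted" list describes only the one copy of the markup that was fed in; every entry under "scripts" is code that can read the fields in the browser whether or not they sit inside a form, so it needs its own review.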
Re: (Score:2)
Sadly the site is down, meanwhile.. (Score:4, Funny)
Re:Sadly the site is down, meanwhile.. (Score:4, Funny)
SSN: 457-55-5462
Credit Card Number 4844 2257 9987 3655
CW: 887
Occupation: CEO of LifeLock
Re:Sadly the site is down, meanwhile.. (Score:4, Funny)
Funny, that's the same as one of my aliases. For some reason my card seems to be maxed out now.
Re: (Score:2)
Maybe this is an intelligence test or experiment (Score:2)
Re: (Score:2)
I'm just sayin'. It has all the hallmarks of an IT grad student behavioral study experiment or perhaps a prank or a hoax. Are people really that stupid?
Ever heard of this site about the dangers of dihydrogen monoxide? [dhmo.org]
"Dihydrogen monoxide can even be lethal if inhaled!" Dihydrogen monoxide is, of course, water. Their link that says it's "for the press" will explain the intent behind the site. It aims to do for critical thinking what this phishing education site does for phishing.
Re:Maybe this is an intelligence test or experimen (Score:2)
The answer to this question is always going to be the same, no matter what context you put around the question.
Are people stupid enough to send money to 419 scammers? Stupid enough to waste thousands of hours *baiting* 419 scammers and getting them to pose for photos in various ridiculous settings and attire? Stupid enough to *be* baited? Sure enough, some people are.
Are people stupid enough to give their credit cards details to any random person who claims to represent
Re: (Score:3, Funny)
Yeah well, it's better than being anything else. ;)
I love when jealous people post snide remarks on American web sites, it just makes it all so clear how inferior they feel. :)
Re: (Score:1, Troll)
It's amusing that you think of it as a "snide remark", when I intended it as merely factual.
Re: (Score:1, Troll)
It's amusing that you think of it as a "snide remark", when I intended it as merely factual.
I'd mod you up except that I have already posted in this discussion. I am an American and I strongly agree with you. Being honest about this and not trying to cover it up would be this country's first step towards recognizing and dealing with this problem.
Re: (Score:2)
Yeah well, it's better than being anything else. ;)
I love when jealous people post snide remarks on American web sites, it just makes it all so clear how inferior they feel. :)
I am an American and I have to admit that the USA's general public is dumb. Not in the sense that they don't have intellectual capacity, but in the sense that they seem quite unwilling to use it. They'd generally rather play follow-the-leader and go whichever way the wind blows. They seem to want someone to do their thinking for them, the same way that the aristocracy of old wanted someone (domestic servants) to do their cooking and cleaning for them. This is bad, very bad.
If I thought they were trul
Re: (Score:3, Insightful)
Actually in my experience, in meeting people from all over the world, and visiting many other places, it's not Americans that are dumb. It's most people in general. Stereotypes do fit some people, because they are created from a subset of a culture.
By categorizing Americans as dumb, you therefore categorize the general population of the whole world as dumb. Only approximately 1.5% of the United States population is Native American. The remainder migrated here, and their "Am
Re: (Score:2)
Actually in my experience, in meeting people from all over the world, and visiting many other places, it's not Americans that are dumb. It's most people in general. Stereotypes do fit some people, because they are created from a subset of a culture.
By categorizing Americans as dumb, you therefore categorize the general population of the whole world as dumb. Only approximately 1.5% of the United States population is Native American. The remainder migrated here, and their "American" ancestry spans one to a few dozen generations.
I don't consider it important who migrated where, because that's more of a racial/ethnic issue. I don't think that's what this is about. I think it's our culture. That's something we have been exporting for some time now, and just about the only thing we still seem to massively export these days.
I spoke specifically of Americans because that's who is around me for handy observation. The Slashdot crowd seems slow to realize that making a claim about Americans is not the same thing as making the claim
Lots of software and Net things are that way (Score:2)
Report It (Score:2)
How much time? (Score:2)
How the heck... (Score:1)
...are people still this gullible? Even if the site is 100% legit, what would possess someone to give out their information on a site that had no ssl encryption? They put freaking graphics of "Secured!" with a green check mark on the page...honestly if people can't see through that they deserve to get their card information stolen.
Now that I think about it, perhaps that is the secondary purpose of the site. Force people to learn not to give out their card information otherwise some guy in China will start
Antivirus for Your Brain (Immunization) (Score:5, Insightful)
When we were kids, many of us received immunizations against a host of nasty diseases. The purpose of these vaccines was to expose our immune systems to "fake badness," so that when we were exposed to "real badness," the immune system would be pre-primed to deal with it.
Phishing is a problem precisely because most of the email that your average (l)user gets and most of the sites they visit are legitimate, with no badness (of this type) involved. When you've never been exposed to phishing behavior, it's much easier to fall for a scam.
You can run all the "awareness" campaigns you want, but users tend to ignore that sort of stuff, thinking, "right, I get it, but I'm smarter than that."
We need to inoculate users to teach them to be wary. There should be more sites like this out there. Some geared toward credit card data, some geared toward username & password, and others yet for other forms of PII.
Once a user is brought up short a few times by information pages like you see after you hit submit, they will be more cautious on all sites.
Whois shows (Score:2, Interesting)
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Except if you read its source code, you'd see it doesn't actually send the data to the server.
By the way, in Firefox you can click "ignore this warning" in the lower right corner.
Re:Whois shows (Score:4, Informative)
Oddly enough that doesn't work in "view source" mode. I had to use Firebug to check the source code instead.
Re: (Score:1)
Oddly enough that doesn't work in "view source" mode.
A fix for that is already in the nightly trunk builds.
something worse (Score:1)
Re: (Score:2)
You seem confused about domain names. Any combination of *******.google.com is just a subdomain of google.com, which is owned by Google. So yes, as long as it ends in ".google.com" it's safe (well, unless that first dot is not a real dot - I don't know how is the whole issue around UTF-8 characters in URLs).
Re: (Score:1)
Re: (Score:3, Informative)
I don't get what you are saying...
www.google.com is a DNS CNAME record, a record which does not point to an IP address, but to another name. Windows tracert (and ping) utilities report the IP and the name returned by the server. CNAME records are useful if you want to have multiple (sub)domains that all point to a single IP address. You can, for example, create DNS A record that points realserver.google.com to the actual IP(s) of the server(s) and a bunch of other domains that point to realserver.google.com
Re: (Score:2)
I think the OP's concerns would be satisfied with a simple WHOIS lookup, using either the IP address or the domain name, or both. Windows users can use a web-based service for lookups.
e100.net == google (Score:2)
Google is their own ISP; e100.net is Google.
Registrant:
DNS Admin
Google Inc.
1600 Amphitheatre Parkway
Mountain View CA 9404
Happens All The Time (Score:1)
To be honest, this site in question does look like a phishing site and thus, if someone went to the site and knew what phishing was, they would most likely flag it if they did not click through (aka i
Sounds more like (Score:2)
Firefox is broken (Score:3)
Yes I know I could save the page or use wget but why doesn't Firefox let me look at the suspected page's SOURCE? How could that possibly be harmful?
Re: (Score:3, Informative)
Apparently, it's a bug in Firefox. Running 3.6.3 on Windows does the same thing: if you click the "Ignore this warning" in the window with the page's source, nothing happens.
Re: (Score:2)
Re: (Score:1)
Yes. (Score:1)
Phishme.com does it the right way.. (Score:1)
It's not doomed to failure (Score:1)
But they need to be more realistic now. They are realistic enough for browsers to consider them phishers (which they probably are, technically), so they need to act just a little more like real phishers.
They need to do what all phishers do and get hundreds more domains and IP addresses.
And put sneaky Ad listings in sponsored search results with various search engines.
OH COME ON! (Score:2)
Re: (Score:2)
I would be, albeit subtly. I think this is a great test - making people wake up to their own stupidity is never a bad thing, and it's better to have them find out this way than have to help them out of the middle of a real credit card theft scenario.
Anti racist website blocked for hate speech (Score:2)
My corporate net blocks a website dedicated to fighting racism and hate speech on the basis that it 'has' racism and hate speech.
DERP.
That gives me an idea! (Score:1)
I'm thinking of setting up a service where people send me all their paper money ($20 notes and up), and I check to see if they're counterfeit or not. If any notes are counterfeit I destroy them so that my clients won't get into trouble by passing dud notes.
What do you think? Does this have possibilities?
Re: (Score:2)
Trolls trolling trolls -- /b/ has nothing on this place...