Slashdot Mirror


Phishing Education Test Blocked For Phishing

An anonymous reader writes "It appears a website called ismycreditcardstolen.com, designed to 'educate users about the dangers of phishing,' has itself been flagged by Firefox as a reported web forgery. The site, which asks visitors to enter their credit card details to 'see if they've been stolen,' takes the hapless visitor to a page warning them about the perils of phishing, giving them advice on how to avoid similar scams and also provides a link to the Anti-Phishing Working Group's website. Or at least it did, until various browsers started blocking it. As the Sunbelt blog post notes, the project was likely doomed to failure, both because of the domain name itself and also because it uses anonymous Whois data, which isn't exactly going to make security people look at it in a positive light. Does anyone out there think this was a good idea? Or will malicious individuals start playing copycat on a public now trained to think sites like this are just 'harmless education?'"


  1. Hmmm... by Devout_IPUite · · Score: 2, Insightful

    It doesn't seem like having users enter their credit card to check if it's been stolen is a good idea. All it takes is the site getting hacked and voilà! Real stealing on every query!

    1. Re:Hmmm... by maxume · · Score: 5, Funny

      After they click submit, the site should return a page that simply says "Yes".

      --
      Nerd rage is the funniest rage.
    2. Re:Hmmm... by sunderland56 · · Score: 2, Interesting

      Maybe the site's designers are actually phishing, and collecting people's credit card details. If they are ever challenged, they have the "hey, it was just an educational web site" defense to fall back on.

    3. Re:Hmmm... by Rijnzael · · Score: 5, Informative

      That's not the point of the site. The point is to show the vulnerable how easy it is to fall for phishing scams, and that you should never provide your credit card number to a site that you're unfamiliar with.

      The site is clearly not malicious. The form tag on the page doesn't include the card number and other identifying input elements, so that data isn't gathered or even transmitted over the network from what I can tell. The page just sends you to their 'you have failed page' any time you submit it.

    4. Re:Hmmm... by Anonymous Coward · · Score: 2, Interesting

      The form data isn't actually transmitted; the submit button is on a different form. Real hackery would have to change the HTML as well.

    5. Re:Hmmm... by MoldySpore · · Score: 2, Insightful

      Right but all they have done is create an unsecured form where they are entering in a clear text credit card number. It is just an unnecessary risk regardless if it is a legit site or not. What if they have malware that is collecting form field entries? They just made a nice clear text form for that malicious software to extract from.

      --
      "I hope you know how very lucky you are to know me, because I am so incredibly incredible."

    6. Re:Hmmm... by u38cg · · Score: 2, Informative

      From the page source, goddammit:

      This site is intended to be a lesson for people who are susceptible to getting phished. The goal here is for no credit card information to ever be sent across the wire. To accomplish this, all credit card info is outside the form. That way, clicking on the submit button doesn't submit any credit card info.

      Godaddy was smart enough to detect some evil keywords in the domain and require a human being to look at the site. If you are reading this, Godaddy: Our intention is to educate and inform people of phishing, in a particularly memorable way: http://ismycreditcardstolen.com/anti-phishing.jpg

      BTW there is no form validation so just click the submit button if you want to see the "you have failed" message, visible here: http://ismycreditcardstolen.com/check.html

      --
      [FUCK BETA]
    7. Re:Hmmm... by Rijnzael · · Score: 3, Interesting

      In case you didn't understand my comment: the HTML input elements that are in the source to show those boxes on the page are NOT part of a form element. This means that absent some javascript, the data in those input elements will not be transmitted. Go ahead and try it with Wireshark for yourself, you'll see that the only result is a GET request for their 'you have failed' page.

    8. Re:Hmmm... by maxume · · Score: 2, Informative

      You can inspect the source and verify that it doesn't actually submit the data.

      That doesn't say anything about what other people see, but if there is a problem and enough people investigate, someone should eventually notice it.

      --
      Nerd rage is the funniest rage.
  2. Sadly the site is down, meanwhile.. by Keruo · · Score: 3, Funny

    Post your full name, address, credit card number and cvv as a reply to this post and we will get back to you if your card has been exposed to the threats on internet.

    --
    There are no atheists when recovering from tape backup.
    1. Re:Sadly the site is down, meanwhile.. by Anonymous Coward · · Score: 4, Funny

      Name: Todd Davis
      SSN: 457-55-5462
      Credit Card Number 4844 2257 9987 3655
      CW: 887
      Occupation: CEO of LifeLock

    2. Re:Sadly the site is down, meanwhile.. by JWSmythe · · Score: 3, Funny

      Funny, that's the same as one of my aliases. For some reason my card seems to be maxed out now.

      --
      Serious? Seriousness is well above my pay grade.
  3. Re:Firefox could still be correct... by Anonymous Coward · · Score: 5, Informative

    RFTSC (source code):


    <!-- Start form here so credit card details aren't submitted. -->
    <form action="check.html">
        <input type="submit" value="Check if my credit card is stolen">
    </form>

    The browser never submits any of the entered information to the server.

  4. Re:Maybe this is an intelligence test or experimen by Bigjeff5 · · Score: 2, Funny

    Yeah well, it's better than being anything else. ;)

    I love when jealous people post snide remarks on American web sites, it just makes it all so clear how inferior they feel. :)

    --
    Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  5. Re:So, it worked! by Anonymous Coward · · Score: 2, Insightful

    It was designed to look like a phishing site, and it did!

    Blocked by the idiots who did a knee-jerk reaction and flagged it as a hostile site. Isn't that spiffy, it got blocked by the very lack-of-awareness idiots who it was trying to assist. Gotta love the irony.

    I say leave them to their own devices. The phishers are merely making stupidity more painful. While they intend ill, the overall effect might not be so bad.

  6. Antivirus for Your Brain (Immunization) by Don+Faulkner · · Score: 5, Insightful

    When we were kids, many of us received immunizations against a host of nasty diseases. The purpose of these vaccines was to expose our immune systems to "fake badness," so that when we were exposed to "real badness," the immune system would be pre-primed to deal with it.

    Phishing is a problem precisely because most of the email that your average (l)user gets and most of the sites they visit are legitimate, with no badness (of this type) involved. When you've never been exposed to phishing behavior, it's much easier to fall for a scam.

    You can run all the "awareness" campaigns you want, but users tend to ignore that sort of stuff, thinking, "right, I get it, but I'm smarter than that."

    We need to inoculate users to teach them to be wary. There should be more sites like this out there. Some geared toward credit card data, some geared toward username & password, and others yet for other forms of PII.

    Once a user is brought up short a few times by information pages like you see after you hit submit, they will be more cautious on all sites.

  7. Whois shows by captnbmoore · · Score: 2, Interesting

    That it's registered to some place in George Town Cayman Islands. I would say that is a phishing scam since they want all pertinent info. Of course IE8 does not block it so if you really want to test it and not get a scam alert just use IE8.

    --
    The Navy Motto "IF it ain't broke Fix It" "A day is wasted if you don't learn something new"
    1. Re:Whois shows by RichardJenkins · · Score: 2, Informative

      No, the site is structured so if you enter any details in the form, they won't be submitted by your browser when you click the form. Since the site doesn't offer me any means to enter details and have them sent (and you'd want to give it more than the cursory glance I did to prove this) then why flag it as a phishing site?

    2. Re:Whois shows by icebraining · · Score: 2, Informative

      Except if you read its source code, you'd see it doesn't actually send the data to the server.

      By the way, in Firefox you can click "ignore this warning" in the lower right corner.

    3. Re:Whois shows by broken_chaos · · Score: 3, Informative

      Oddly enough that doesn't work in "view source" mode. I had to use Firebug to check the source code instead.

  8. Re:something worse by Pentium100 · · Score: 2, Informative

    I don't get what you are saying...

    www.google.com is a DNS CNAME record, a record which does not point to an IP address, but to another name. Windows tracert (and ping) utilities report the IP and the name returned by the server. CNAME records are useful if you want to have multiple (sub)domains that all point to a single IP address. You can, for example, create a DNS A record that points realserver.google.com to the actual IP(s) of the server(s) and a bunch of other domains that point to realserver.google.com. Now, if the IP of the server changes, you only need to update one record.

    Tracert and Linux traceroute also do reverse DNS lookup, they ask the server for a name for that IP address. This depends primarily on the ISP, without their assistance I cannot change my reverse lookup entry, for example. While multiple domain names can point to a single IP, the IP only points to one domain name.

    So, with google it's like this:

    www.google.com is a CNAME record that points to www.l.google.com
    www.l.google.com is an A record that points to 74.125.77.147, 74.125.77.104 and 74.125.77.99
    74.125.77.147 points to ew-in-f147.1e100.net
    74.125.77.104 points to ew-in-f104.1e100.net

    1e100.net is probably the ISP of that server. It looks like the reverse record is made using the last octet of the IP; what ew-in-f means you would have to ask that ISP.

    In any case, that's why tracert reports:
    Tracing route to www.l.google.com [74.125.77.104]
    over a maximum of 30 hops: ...

      11 80 ms 80 ms 79 ms ew-in-f104.1e100.net [74.125.77.104]

  9. Firefox is broken by laing · · Score: 2

    OK I'm running Firefox (3.5.9) on Ubuntu Linux and I went to the site. It warned me that the site was a forgery and I clicked the "ignore this warning" button. The site prompted me to enter some credit card information which I did (false of course) and on the next page it said that I failed the test and that my information was not transmitted so I shouldn't worry but that I should have someone who is technically competent verify this. I decided to have a quick look at the previous page source to see if the submit form included the card number and when I selected 'View->Page Source' from Firefox I got the same forgery warning instead of viewing the source. The "ignore this warning" button didn't work at this point so I guess I cannot verify the claim on the page with Firefox alone. This seems rather broken to me as the page source display doesn't execute malicious code.

    Yes I know I could save the page or use wget but why doesn't Firefox let me look at the suspected page's SOURCE? How could that possibly be harmful?

    1. Re:Firefox is broken by Dumnezeu · · Score: 3, Informative

      Apparently, it's a bug in Firefox. Running 3.6.3 on Windows does the same thing: if you click the "Ignore this warning" in the window with the page's source, nothing happens.

      --
      Yes, it's sarcasm. Deal with it!
  10. excluded from the form by pikine · · Score: 4, Interesting

    If you look at the HTML code, the form fields that contain your credit card information were excluded from the form the web browser actually submits. The HTML code is essentially structured like this: [credit card issuer] [credit card number] [name on credit card] [expiration month] [expiration year] [start form] [submit button] [end form]. The form itself really only contains the submit button and nothing else. Hence, unless your browser is broken, none of the credit card information should be submitted anywhere.

    However, the bit about Google Analytics javascript on the bottom of the HTML page could contain code to collect and transmit these form fields to somewhere else. The site could be hacked, and the hacker could alter the HTML code to submit the credit card information somewhere.

    --
    I once had a signature.
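
An added example (not code from the site or from any commenter) that automates the source check described in this thread: it lists which named fields a browser would send on submit, which sit outside every form, and which scripts are present and could read any field regardless. The sample markup and its field names are constructed, and the `form` attribute check goes beyond what the thread covers, to handle HTML5 form association.

```python
from html.parser import HTMLParser

# Constructed sample following the structure the comments describe;
# the field names and script file name are hypothetical.
SAMPLE = """
<input type="text" name="cardnumber">
<input type="text" name="nameoncard">
<select name="expmonth"></select>
<!-- Start form here so credit card details aren't submitted. -->
<form action="check.html">
    <input type="submit" value="Check if my credit card is stolen">
</form>
<script src="analytics.js"></script>
"""

CONTROLS = {"input", "select", "textarea", "button"}

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_form = False   # HTML forbids nested forms, so a flag is enough
        self.submitted = []    # named controls the browser would send
        self.orphans = []      # named controls outside every form
        self.scripts = []      # scripts can read fields no matter where they sit

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "script":
            self.scripts.append(a.get("src") or "<inline>")
        elif tag in CONTROLS and a.get("name"):
            # A form="id" attribute attaches a control to a form even when
            # it is placed outside the <form> element. Unnamed controls
            # (like the submit button above) are never sent.
            owned = self.in_form or bool(a.get("form"))
            (self.submitted if owned else self.orphans).append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def audit(html):
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    return {"submitted": parser.submitted, "orphans": parser.orphans,
            "scripts": parser.scripts}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty `submitted` list only covers plain form submission; any entry in `scripts` still has to be read by hand, and the result describes only the copy of the page that was fetched.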
    1. Re:excluded from the form by kgo · · Score: 3, Interesting

      Personally, I'd trigger it off of user-agent header. IE... Not a techie verifying functionality -> really submit info... Chrome/Firefox/search engine agents -> example page.

      --
      Can you construct some sort of rudimentary lathe?
  11. FAIL! by Frosty+Piss · · Score: 2, Interesting

    > The site is clearly not malicious.

    Really? "Clearly"? It's not clear to me. I am supposed to TRUST these people I don't know who have a hidden whois? Seems to me like an excellent way to acquire CC numbers from ignorant rubes.

    --
    If you want news from today, you have to come back tomorrow.
  12. Re:Maybe this is an intelligence test or experimen by JWSmythe · · Score: 2, Insightful

    Actually in my experience, in meeting people from all over the world, and visiting many other places, it's not Americans that are dumb. It's most people in general. Stereotypes do fit some people, because they are created from a subset of a culture.

    By categorizing Americans as dumb, you therefore categorize the general population of the whole world as dumb. Only approximately 1.5% of the United States population is Native American. The remainder migrated here, and their "American" ancestry spans one to a few dozen generations.

    --
    Serious? Seriousness is well above my pay grade.
  13. Re:Maybe this is an intelligence test or experimen by jonadab · · Score: 2

    > Are people really that stupid?

    The answer to this question is always going to be the same, no matter what context you put around the question.

    Are people stupid enough to send money to 419 scammers? Stupid enough to waste thousands of hours *baiting* 419 scammers and getting them to pose for photos in various ridiculous settings and attire? Stupid enough to *be* baited? Sure enough, some people are.

    Are people stupid enough to give their credit cards details to any random person who claims to represent their bank and/or be looking out for their interests? Yep, some people are.

    Are people stupid enough to leave young children unattended for extended periods of time? Stupid enough to show up at the police station and ask to have their confiscated contraband returned to them? Stupid enough to install pink fiberglass insulation all day wearing shorts and a t-shirt? Are women stupid enough to continue to date obviously abusive boyfriends? Are people stupid enough to shoot themselves in the sensitive bits with firearms, attempt to operate dangerous equipment (chainsaws, motor vehicles, you name it) when they're too tired to keep their eyes open, deliberately ingest carelessly-measured quantities of poison without even knowing what the safe dose is just to see how much they can take, stick random inappropriate objects where the sun don't shine, drill holes in their own skulls under unsanitary conditions, hijack commercial jets and fly them into the sides of buildings, buy shares in SCO, play Russian roulette, buy bottled spring water for pets, and give their computer password from work to a stranger for chocolate? These are all things people have actually done, so yeah, I'd say people are that stupid. At least, some people are.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  14. Re:So, it worked! by tomhudson · · Score: 2, Interesting

    Blocked by intelligent people - the site doesn't pass the smell test.

    And there's no reason to believe they didn't log the data.