Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phishing Education Test Blocked For Phishing

Posted by Soulskill on from the please-enter-your-opinion-and-credit-card-number-below dept.

An anonymous reader writes "It appears a website called ismycreditcardstolen.com, designed to 'educate users about the dangers of phishing,' has itself been flagged by Firefox as a reported web forgery. The site, which asks visitors to enter their credit card details to 'see if they've been stolen,' takes the hapless visitor to a page warning them about the perils of phishing, giving them advice on how to avoid similar scams and also provides a link to the Anti-Phishing Working Group's website. Or at least it did, until various browsers started blocking it. As the Sunbelt blog post notes, the project was likely doomed to failure, both because of the domain name itself and also because it uses anonymous Whois data, which isn't exactly going to make security people look at it in a positive light. Does anyone out there think this was a good idea? Or will malicious individuals start playing copycat on a public now trained to think sites like this are just 'harmless education?'"

12 of 113 comments (clear)

  1. Re:Hmmm... by maxume · · Score: 5, Funny

    After they click submit, the site should return a page that simply says "Yes".

    --
    Nerd rage is the funniest rage.
  2. Re:Hmmm... by Rijnzael · · Score: 5, Informative

    That's not the point of the site. The point is to show the vulnerable how easy it is to fall for phishing scams, and that you should never provide your credit card number to a site that you're unfamiliar with.

    The site is clearly not malicious. The form tag on the page doesn't include the card number and other identifying input elements, so that data isn't gathered or even transmitted over the network from what I can tell. The page just sends you to their 'you have failed page' any time you submit it.

  3. Sadly the site is down, meanwhile.. by Keruo · · Score: 3, Funny

    Post your full name, address, credit card number and cvv as a reply to this post and we will get back to you if your card has been exposed to the threats on internet.

    --
    There are no atheists when recovering from tape backup.
    1. Re:Sadly the site is down, meanwhile.. by Anonymous Coward · · Score: 4, Funny

      Name: Todd Davis
      SSN: 457-55-5462
      Credit Card Number 4844 2257 9987 3655
      CW: 887
      Occupation: CEO of LifeLock

    2. Re:Sadly the site is down, meanwhile.. by JWSmythe · · Score: 3, Funny

          Funny, that's the same as one of my aliases. For some reason my card seems to be maxed out now.

      --
      Serious? Seriousness is well above my pay grade.
  4. Re:Firefox could still be correct... by Anonymous Coward · · Score: 5, Informative

    RFTSC (source code):


    <!-- Start form here so credit card details aren't submitted. -->
    <form action="check.html">
        <input type="submit" value="Check if my credit card is stolen">
    </form>

    The browser never submits any of the entered information to the server.

  5. Antivirus for Your Brain (Immunization) by Don+Faulkner · · Score: 5, Insightful

    When we were kids, many of us received immunizations against a host of nasty diseases. The purpose of these vaccines was to expose our immune systems to "fake badness," so that when we were exposed "real badness," the immune system would be pre-primed to deal with it.

    Phishing is a problem precisely because most of the email that your average (l)user gets and most of the sites they visit are legitimate, with no badness (of this type) involved. When you've never been exposed to phishing behavior, it's much easier to fall for a scam.

    You can run all the "awareness" campaigns you want, but users tend to ignore that sort of stuff, thinking, "right, I get it, but I'm smarter than that."

    We need to inoculate users to teach them to be wary. There should be more sites like this out there. Some geared toward credit card data, some geared toward username & password, and others yet for other forms of PII.

    Once a user is brought up short a few times by information pages like you see after you hit submit, they will be more cautious on all sites.

  6. Re:Hmmm... by Rijnzael · · Score: 3, Interesting

    In case you didn't understand my comment: the HTML input elements that are in the source to show those boxes on the page are NOT part of a form element. This means that absent some javascript, the data in those input elements will not be transmitted. Go ahead and try it with Wireshark for yourself, you'll see that the only result is a GET request for their 'you have failed' page.

  7. excluded from the form by pikine · · Score: 4, Interesting

    If you look at the HTML code, the form fields that contain your credit card information was excluded from the form the web browser actually submits. The HTML code is essentially structured like this: [credit card issuer] [credit card number] [name on credit card] [expiration month] [expiration year] [start form] [submit button] [end form]. The form itself really only contains the submit button and nothing else. Hence, unless your browser is broken, none of the credit card information should be submitted anywhere.

    However, the bit about Google Analytics javascript on the bottom of the HTML page could contain code to collect and transmit these form fields to somewhere else. The site could be hacked, and the hacker could alter the HTML code to submit the credit card information somewhere.

    --
    I once had a signature.
    1. Re:excluded from the form by kgo · · Score: 3, Interesting

      Personally, I'd trigger it off of user-agent header. IE... Not a techie verifying functionality -> really submit info... Chrome/Firefox/search engine agents -> example page.

      --
      Can you construct some sort of rudimentary lathe?
  8. Re:Whois shows by broken_chaos · · Score: 3, Informative

    Oddly enough that doesn't work in "view source" mode. I had to use Firebug to check the source code instead.

  9. Re:Firefox is broken by Dumnezeu · · Score: 3, Informative

    Apparently, it's a bug in Firefox. Running 3.6.3 on Windows does the same thing: if you click the "Ignore this warning" in the window with the page's source, nothing happens.

    --
    Yes, it's sarcasm. Deal with it!