A Dispatch


December 04, 2005

Phishing for D'oh!

I love it when crooks make stupid mistakes. Two different phishers slipped up in today's deliveries.

The first goof isn't all that serious, but it defeats the purpose of applying a common technique aimed at disguising the actual URL of a phishing message link. The technique uses JavaScript to replicate—but twist—normal behavior of Web browsers (and some HTML-enabled email programs), namely, displaying the URL of a hyperlink in the window's status bar. What JavaScript can do in Internet Explorer is display whatever the programmer wants in the status bar. Typically, a phony link is designed to show, say, the real PayPal Web site URL, but the code behind the hyperlink takes you to a bogus site, where a lookalike page will request your username/password.

In one phishing message I got today, the genius behind the scam put the bogus URL not only in the normally hidden code, but also in the JavaScript stuff. Thus, he went to all that trouble to display precisely the data he wanted to hide.

Goof number two comes in the form of a phishing message that was created on a computer whose login name is GeouTzu. How do I know that? Easy. This Einstein used DreamWeaver to concoct the phony email message hoping to make it look like a genuine PayPal missive. In the process, however, he built the page with some images that were stored on his computer. DreamWeaver inserted references to the images through links to his local hard disk ("file:///C|/Documents and Settings/GeouTzu/My Documents/spacer.gif" to be precise).
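Both slips are the kind of thing a mail filter can look for. The following Node.js scanner is an added example, not code from the original post: it flags anchors whose onmouseover handler rewrites window.status, notes whether the scripted text actually differs from the real href (or, as in the first goof, simply repeats the real target), and reports any src or href that points at a file:/// path, as in the second goof. The function names and the sample message are my own; the message is constructed for illustration, with a documentation-range IP standing in for the phishing host.

```javascript
// Added example (not from the original post): scan an HTML email body for
// two tells described above. All names here are my own; the sample is constructed.

const ANCHOR_TAG = /<a\b([^>]*)>/gi;
const REF_TAG = /<(?:img|a|link|script)\b([^>]*)>/gi;
const ATTRIBUTE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const STATUS_ASSIGNMENT = /window\.status\s*=\s*(?:'([^']*)'|"([^"]*)")/i;

// Turn the attribute text of one tag into a {name: value} map (names lowercased).
function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTRIBUTE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Loose comparison: trim, drop trailing slashes, ignore case.
function normalizeUrl(u) {
  return u.trim().replace(/\/+$/, '').toLowerCase();
}

// <a> tags whose mouseover handler writes to the status bar.
// disguised === true means the shown text points somewhere other than the href;
// disguised === false is the first goof: the script exposes the real target.
function findStatusBarOverrides(html) {
  const findings = [];
  for (const tag of html.matchAll(ANCHOR_TAG)) {
    const attrs = parseAttributes(tag[1]);
    const m = STATUS_ASSIGNMENT.exec(attrs.onmouseover || '');
    if (!m) continue;
    const shown = m[1] ?? m[2] ?? '';
    const href = attrs.href || '';
    findings.push({ href, shown, disguised: normalizeUrl(shown) !== normalizeUrl(href) });
  }
  return findings;
}

// src/href values that point at the author's own disk (the second goof).
function findLocalFileReferences(html) {
  const refs = [];
  for (const tag of html.matchAll(REF_TAG)) {
    const attrs = parseAttributes(tag[1]);
    for (const key of ['src', 'href']) {
      if (attrs[key] && /^file:\/\//i.test(attrs[key])) refs.push(attrs[key]);
    }
  }
  return refs;
}

function scanHtmlEmail(html) {
  const overrides = findStatusBarOverrides(html);
  const localFiles = findLocalFileReferences(html);
  const reasons = [];
  if (overrides.some((o) => o.disguised)) reasons.push('status bar text differs from link target');
  if (overrides.some((o) => !o.disguised)) reasons.push('status bar is scripted; real target exposed in script');
  if (localFiles.length > 0) reasons.push("message references files on the sender's local disk");
  return { overrides, localFiles, suspicious: reasons.length > 0, reasons };
}

// Constructed sample message containing both goofs plus one "working" disguise.
const SAMPLE_EMAIL = [
  '<html><body><p>Dear PayPal member,</p>',
  // Goof #1: the script repeats the very URL it was meant to hide.
  '<a href="http://203.0.113.45/cgi-bin/webscr.htm"',
  '   onmouseover="window.status=\'http://203.0.113.45/cgi-bin/webscr.htm\'; return true">Verify now</a>',
  // The trick as the post describes it: status bar text does not match the href.
  '<a href="http://203.0.113.45/cgi-bin/update.htm"',
  '   onmouseover="window.status=\'https://www.paypal.com/\'; return true">Update your account</a>',
  // Goof #2: an image left pointing at the author's own hard disk.
  '<img src="file:///C|/Documents and Settings/GeouTzu/My Documents/spacer.gif" width="1" height="1">',
  '</body></html>',
].join('\n');

console.log(JSON.stringify(scanHtmlEmail(SAMPLE_EMAIL), null, 2));
```

Modern browsers and mail clients ignore scripted changes to window.status, so the first indicator mostly matters for older clients and archived mail; the file:/// leak, on the other hand, is still a handy attribution clue whenever it shows up, since it names an account on the machine the message was built on.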

Whatcha gonna do when they come for you?

Posted on December 04, 2005 at 11:47 AM