April 25, 2007
PayPal Phisher Going the Distance
It has been a long time since I bothered to fill out the username/password fields (with bogus information, obviously) of a bogus phishing site, but I tried one today to see what the modern phisher is up to.
The "Verify Your PayPal Account" phishing email message that prompted me wasn't all that well done. There was no PayPal logo art. The date by which I had to update my records to prevent account suspension was February 10, 2007 (two-and-a-half months ago according to my calendar). The actual URL behind the "Click here to update your PayPal account information" link was to an IP address, which turned out to be yet another hijacked web site (in Australia).
Appearing before me was the usual knock-off PayPal starting page with text fields for entry of username and password. I made up some appropriate text strings (the highly juvenile, yet highly satisfying, words "bite me" were sprinkled liberally throughout). I expected to be taken immediately to a more elaborate and equally phony page containing form fields for more personal data. Surprisingly, this phisher (or, rather, the supplier of the phishing kit) included the same (or at least plausibly similar) "Processing Login" page that PayPal's real site uses, complete with little dot animation.
I could see that this might convince a newbie that the site was PayPal's, even though the browser failed to show a secure connection.
Once the "processing" was completed (after a pre-ordained span of four thumb-twiddling seconds—why bother with real processing?), the site showed the page I expected. Fields included the usual names, credit card data, CVN number, ATM PIN number (always a dead giveaway that the form is being used for identity thievery), billing address, home phone number, mother's maiden name, date of birth, and even your driver's license number.
That's all the information an identity crook needs to hijack something you might treasure...you!