A Dispatch


October 30, 2007

Phishing Blast from the Past

There's that old saying (attributed to George Santayana): "Those who cannot remember the past are condemned to repeat it." That assumes, of course, that one even knew the past to begin with, and just forgot about it. When you have youngsters in their late teens and early twenties doing computerish things, they may believe they've invented something kewl...except that the same thing had been done before and abandoned.

I was amazed to receive a PayPal phishing message that harkened back to the early days of phishing with HTML-formatted email. When rendered in an HTML-capable email client (just about all of them these days), the message I received was a replica of the PayPal home page (actually, the old home page before the recent redesign), complete with form fields for username (email address) and password.

This is the lazy kid's way to phish. The form attempts to use a public form-email forwarding program (in Switzerland) to send the form field data to (in this case) a yahoo.com email address. I say lazy because this guy didn't have to go through the trouble of hijacking one of the seemingly millions of hijackable web servers around the world and installing a phishing kit on the server. All he has to do is read his Yahoo! email account to grab submitted username/password combinations.

It was this type of activity that got early phishing targets, such as PayPal and banks, to warn customers about filling out forms that arrived in an email message. That's where phrases like "We never ask for your username and password in an email message" came from. It had been ages since I saw a form inside a phishing email message—until today. I'll bet this guy thought he was really clever.

Nope.

On the other side of the fence, recipients may not have experienced this bit of history to recognize what's happening before their eyes. It's also possible that they may not connect the warning noted above (as if customers read security notices) to the form built into the email message, and thus fall prey to the ruse. They might be condemned to repeat a past they never knew about—and then have a nasty future ahead to repair the account theft.
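A mail-filter check for the kind of message described above, as an added example that is not part of the original post: it walks a message's MIME parts and flags any HTML form that carries a password field, reporting the host the form would submit to. The function names, the sample message and the `.example` hosts are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormFinder(HTMLParser):
    """Record each <form>: its action URL and the types of its <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "input_types": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["input_types"].append(a.get("type", "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def find_credential_forms(raw_message):
    """Return (action_host, input_types) for each emailed form with a password field."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # only HTML parts can render a form in the mail client
        finder = FormFinder()
        finder.feed(part.get_content())
        hits += [(urlparse(f["action"]).hostname, f["input_types"])
                 for f in finder.forms if "password" in f["input_types"]]
    return hits

# Constructed sample (reserved .example hosts), not the message from the post.
SAMPLE = (
    "From: service@brand.example\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<html><body><form method="post" action="http://formmail.example/cgi-bin/send">\n'
    '<input type="text" name="login_email"><input type="PASSWORD" name="login_password">\n'
    '<input type="submit" value="Log In"></form></body></html>\n'
)

if __name__ == "__main__":
    print(find_credential_forms(SAMPLE))
```

A non-empty result is a strong signal on its own, since legitimate services stopped embedding login forms in mail; comparing the reported host with the sender's domain adds a second one.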

Posted on October 30, 2007 at 09:18 AM