17 Feb 2005

Phishing seems to be getting more and more popular. This can only mean one thing - it's successful.

The usual scenario goes like this. You receive an email that makes it sound like you need to visit a web site in order to address some security concern with your account. Clicking the link leads you somewhere other than where you intend to go, but the page looks like you expect. For example, a phishing email going around right now links to

Of course, is not the same as, but if enough people receive this email, there are plenty of victims who won't notice (and who will, by coincidence, bank with Washington Mutual). Once you've been tricked into believing that the phishing site is the real thing, you are asked to provide some sensitive information. For example, if you visit the previous URL and attempt to log in, you will arrive at

This page asks for your name, credit card information, and PIN. Once you provide this, you are redirected to, a page within the legitimate Washington Mutual web site, possibly unaware that you've just given your personal information to a phisher.

Interestingly enough, whois shows the following:

  Domain Name :

  ::Registrant::
          Name : Constance Edwards
          Email :
          Address : 1094 SE St Patricks Court, Port Orchard, WA
          Zipcode : 98367
          Nation : US
          Tel : +1.302-338-7956
          Fax : +1.302-338-7956

  ::Administrative Contact::
          Name : Constance Edwards
          Email :
          Address : 1094 SE St Patricks Court, Port Orchard, WA
          Zipcode : 98367
          Nation : US
          Tel : +1.302-338-7956
          Fax : +1.302-338-7956

  ::Technical Contact::
          Name : Constance Edwards
          Email :
          Address : 1094 SE St Patricks Court, Port Orchard, WA
          Zipcode : 98367
          Nation : US
          Tel : +1.302-338-7956
          Fax : +1.302-338-7956

  ::Name Servers::

  ::Dates & Status::
          Created Date 2005-02-10 07:48:01 EST
          Updated Date 2005-02-10 07:48:01 EST
          Valid Date 2006-02-10 07:48:01 EST
          Status ACTIVE

Because requests for return a server error, and because the phishing attack utilizes port 280, it seems quite possible that the legitimate owner of the site is unaware. However, it sure does seem like these attacks would be very easy to track down. Does anyone know what the big targets (banks, eBay, PayPal, etc.) are doing to address this growing concern? What can we, as web developers, do to help?
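One check a mail filter or link scanner could apply to the pattern described above (a host that only resembles the real one, served on an odd port such as 280), as an added example that is not part of the original post. The function names, the `bank.example` domain and the sample URLs are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def is_trusted_host(host, trusted_domains):
    """True only if host equals a trusted domain or is a subdomain of one."""
    host = host.rstrip(".").lower()
    # Match on the right-hand side with a dot boundary, so that
    # "bank.example.secure-login.test" and "evilbank.example" do not pass.
    return any(host == d or host.endswith("." + d) for d in trusted_domains)

def triage_link(url, trusted_domains, brand_tokens=()):
    """Return the reasons a link found in an email deserves suspicion."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return ["malformed URL"]
    if parts.scheme not in DEFAULT_PORTS:
        return ["unsupported scheme %r" % parts.scheme]
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    findings = []
    if parts.username is not None:
        findings.append("userinfo before '@' is not the site being visited")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass                         # an ordinary hostname
    if not is_trusted_host(host, trusted_domains):
        findings.append("host %s is not under a trusted domain" % host)
        for token in brand_tokens:
            if token in host:
                findings.append("untrusted host contains brand name %r" % token)
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        findings.append("non-default port %d" % port)
    return findings

if __name__ == "__main__":
    # Constructed sample links; none of these come from the original post.
    for link in ("https://www.bank.example/login",
                 "http://bank.example.secure-login.test:280/login",
                 "http://www.bank.example@192.0.2.10/"):
        print(link, "->", triage_link(link, ["bank.example"], ["bank"]))
```

An empty list means none of these checks fired, not that the link is safe; a lookalike served on port 80 from a freshly registered domain still needs the registration-date check the whois record above makes possible.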