Phishing

17 Feb 2005

Phishing seems to be getting more and more popular. This can only mean one thing - it's successful.

The usual scenario goes like this. You receive an email that makes it sound like you need to visit a web site in order to address some security concern with your account. Clicking the link leads you somewhere other than where you intend to go, but the page looks like you expect. For example, a phishing email going around right now links to http://logon.personal.wamu4u.com:280/login/index.php.

Of course, wamu4u.com is not the same as wamu.com, but if enough people receive this email, there are plenty of victims who won't notice (and who will, by coincidence, bank with Washington Mutual). Once you've been tricked into believing that the phishing site is the real thing, you are asked to provide some sensitive information. For example, if you visit the previous URL and attempt to log in, you will arrive at http://logon.personal.wamu4u.com:280/login/check.php.

This page asks for your name, credit card information, and PIN. Once you provide this, you are redirected to http://www.wamu.com/personal/Welcome/Privacy.htm, a page within the legitimate Washington Mutual web site, possibly unaware that you've just given your personal information to a phisher.

Interestingly enough, whois wamu4u.com shows the following:

    Domain Name : wamu4u.com

    ::Registrant::
            Name : Constance Edwards
            Email : edwards@mail333.com
            Address : 1094 SE St Patricks Court, Port Orchard, WA
            Zipcode : 98367
            Nation : US
            Tel : +1.302-338-7956
            Fax : +1.302-338-7956

    ::Administrative Contact::
            Name : Constance Edwards
            Email : edwards@mail333.com
            Address : 1094 SE St Patricks Court, Port Orchard, WA
            Zipcode : 98367
            Nation : US
            Tel : +1.302-338-7956
            Fax : +1.302-338-7956

    ::Technical Contact::
            Name : Constance Edwards
            Email : edwards@mail333.com
            Address : 1094 SE St Patricks Court, Port Orchard, WA
            Zipcode : 98367
            Nation : US
            Tel : +1.302-338-7956
            Fax : +1.302-338-7956

    ::Name Servers::
            ns1.spx2k.com
            nsfr1.us2k.net

    ::Dates & Status::
            Created Date 2005-02-10 07:48:01 EST
            Updated Date 2005-02-10 07:48:01 EST
            Valid Date 2006-02-10 07:48:01 EST
            Status ACTIVE

Because requests for http://wamu4u.com/ return a server error, and because the phishing attack utilizes port 280, it seems quite possible that the legitimate owner of the site is unaware. However, it sure does seem like these attacks would be very easy to track down. Does anyone know what the big targets (banks, eBay, PayPal, etc.) are doing to address this growing concern? What can we, as web developers, do to help?
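The signals described above (a brand name inside a domain the brand does not own, plus port 280) can be checked mechanically by a mail filter or link scanner. The following is an added example, not code from the original post; the constants, function names and the wamu.com.example.net URL are assumptions made up for illustration, and the substring match is a heuristic rather than a complete detector.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the brand's real registrable domain and the
# ports its web site is expected to use (None means the scheme default).
LEGIT_DOMAIN = "wamu.com"
BRAND_LABEL = LEGIT_DOMAIN.split(".")[0]
EXPECTED_PORTS = {None, 80, 443}


def registrable_domain(host):
    """Naive last-two-labels split; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url):
    """Return the reasons a URL looks like an imitation of LEGIT_DOMAIN ([] if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    reasons = []
    if domain != LEGIT_DOMAIN:
        if BRAND_LABEL in domain.split(".")[0]:
            # Brand string embedded in someone else's domain, e.g. wamu4u.com
            reasons.append("lookalike-domain:" + domain)
        elif LEGIT_DOMAIN in host:
            # Real domain used only as a subdomain prefix of another domain
            reasons.append("brand-in-subdomain:" + host)
    if reasons:
        # Secondary signals only count once the host already imitates the brand
        if parts.port not in EXPECTED_PORTS:
            reasons.append("unusual-port:%d" % parts.port)
        if parts.scheme != "https":
            reasons.append("no-tls")
    return reasons


if __name__ == "__main__":
    samples = [
        "http://logon.personal.wamu4u.com:280/login/index.php",  # from the post
        "http://www.wamu.com/personal/Welcome/Privacy.htm",      # from the post
        "http://wamu.com.example.net/login",                     # constructed
        "http://example.org/",                                   # constructed
    ]
    for url in samples:
        print(url, "->", check_link(url) or "ok")
```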