So you’ve heard of phishing, right? It’s essentially blasting out as many emails as you can pretending to be some company (eBay, PayPal, and national banks are some of the favorites that phishers use). You say there’s been some sort of security issue with their account and ask them to sign in.
You, as the phisher, link them to a site that looks like the company site, and when the phish enters their username and password, the sign-in form hands those credentials to you.
Well the latest trend is to, instead of pretending that there is a security issue, pretend that some strange transaction involving a lot of money has occurred. For example, a PayPal phishing email I received recently appeared to be a PayPal verification email informing me that my PayPal account had been charged several hundred dollars to purchase some kind of watch. The first thought is to freak out and think, “Omigosh! Somebody has gotten a hold of my PayPal information and is making large purchases! How do I stop this?”
Conveniently, there is a link right there in the email that very boldly states, “To dispute this charge, click here.”
A savvy person such as myself can see right through that. But people who are newer to PayPal or the internet might click on the link without even stopping to think about it.
Just today, I received another email from a phisher pretending to be a communication through eBay. Take a look:
As you can see, this phisher takes advantage of the well known tendency of eBayers to be easily provoked. The communication is from a supposedly angry buyer. Your typical eBay member doesn’t like to be accused of anything (even if it’s true) and so your typical eBayer would click the respond link to fire off a nasty retort.
Which is exactly what I did…
“But Stuart, if you know it’s a phishing scam, why’d you click on the link?”
Patience my student. Sit back and learn.
So when I clicked on the link, I was taken to a site that was obviously NOT an eBay hosted site (as can be told by looking at the URL). But the look of the page itself appeared to be an eBay site:
This is where I have my fun. Notice my username. The password I used was equally vulgar, containing the word “MothaF***a”. But I hardly stopped there. I viewed the source code of the page and discovered that this phisher was a serious amateur. They were simply having the information from the sign-in form directed straight to an email address, specifically: firstname.lastname@example.org
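The form-to-mailbox trick described above can be spotted mechanically in a page's source. The following is an added example, not the post author's code: it parses a sign-in page and flags any form whose action is a mailto: address or points at a host other than the one serving the page. The hostnames and the address in the sample are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormAuditor(HTMLParser):
    # Collects every <form> with its action and the number of password inputs.
    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password_fields": 0}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["password_fields"] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_forms(html, page_url):
    """Classify where each form sends its fields, relative to the serving page."""
    page_host = urlparse(page_url).hostname or ""
    auditor = FormAuditor()
    auditor.feed(html)
    results = []
    for form in auditor.forms:
        target = urlparse(form["action"])
        if target.scheme == "mailto":
            # Fields are handed straight to a mailbox: the case from the post.
            verdict, detail = "mailto", target.path
        elif target.hostname and target.hostname != page_host:
            verdict, detail = "cross-host", target.hostname
        else:
            verdict, detail = "ok", page_host
        results.append({**form, "verdict": verdict, "detail": detail})
    return results


# Constructed sample page; hostnames and the address are placeholders.
SAMPLE_URL = "http://ebay-signin.example.net/login"
SAMPLE_PAGE = """<html><body>
<form action="mailto:phisher@example.org" method="post">
  <input name="userid"><input type="password" name="pass"></form>
<form action="https://collector.example.com/ws" method="post">
  <input name="userid"><input type="password" name="pass"></form>
<form action="/ws/signin" method="post">
  <input name="userid"><input type="password" name="pass"></form>
</body></html>"""
```

Running `audit_forms(SAMPLE_PAGE, SAMPLE_URL)` returns one record per form; the first two are the ones a reviewer would refuse to type a password into.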
So I went ahead and, using this email address, subscribed to about three dozen different internet newsletters. In the instances where a name was asked for, I used “Numb Nuts”.
Aaahhhh… gotta love it when the phish gets the better of the phisherman. Consider me the phish that removes the bait from the hook, then places an old boot on the line and gives it a good tug.