Results tagged “Phishing” from SpywareGuide Greynets Blog

Worth noting that people are still reporting Direct Messages of a "do not click" variety coming through on Twitter, all of which lead to Very Bad Things (TM) depending on what nefarious campaign happens to be doing the rounds at any given time.

Should anybody send you a DM that mentions humorous things taking place in videos - like this one, for example:

This is a step above the usual phish attempt we see here, with a number of bits and pieces that build up a pretty convincing fake website. As you probably guessed from the title, the phish involves the upcoming juggernaut that is Call of Duty: Modern Warfare 2, and the endless desire some people have to take part in a beta.

The URL to avoid is

freemw2beta36.tk

and the page itself is hosted at

freemwbeta36.t35.com

Want to take a look? Sure you do.


What does this phish do that sets it a way above other phish attempts? Well, for starters it looks quite professional. Top left, they use the kind of info splash you normally see on an official XBox page. On the right, there's a media section with screenshots you can actually click into. Might not sound like much, but most phishes like this one don't have anything clickable in that whatsoever. Bottom left, they've embedded a real Youtube video that you can watch to your hearts content. Right at the bottom of the page, they've included a copyright notice - something else phishers tend to lose in translation.

All in all, pretty convincing.

The only real flaw with this phish is that there is currently NO public beta planned, and it's highly unlikely there will ever be one. Don't get suckered into handing over your Windows Live ID, as no good will come of it.

More often than not, most DIY programs I see tend to be on the murkier side of "designed well". In fact, it's more like somebody threw up on their coding tools. However, sometimes a leet hax program comes along and despite the horrible things it does, you can't help but be impressed by the design and general stylistic trappings.

The creators will still burn in Hell, of course.

But ooooh - shiny. Blinky.

Anyway, here it is - the Phish Pharm:




In case you're wondering, the fake Phish pages are in the Source Files Folder, and the two programs used are underneath. Let's take a trip to the pharm - sorry - first.

Finding dumps of stolen logins is a common occurrence round this neck of the woods; if it isn't a bunch of XBox logins, it's 5000+ EBay / Paypal accounts. Well, here we have roughly 86 Windows Live ID accounts taken without permission, via a phishing page.

Windows Live IDs can be used to access everything from Hotmail and MSN to XBox Live and Zune. Grab a Live ID, and the amount of ways you can ruin someones day increases in spectacular fashion.

In this case, the target was XBox Live gamers, by way of a fake "Get Microsoft points for free" phish.

What I found particularly interesting here is that the collected data reveals the (borderline desperate) greed on the part of the victims - allow me to explain. Many of the most popular XBox phishes involve the site creator pretending to be an ex Microsoft employee, who just so happens to have a magical way to create "free" Microsoft points (which otherwise cost money, and are used for digital videogame transactions and Zune marketplace purchases).

Here's a typical example of said fakery:



There's normally a dropdown box (bottom right), asking the victim to select a fictional amount of points while they throw away their login details. More often than not this information isn't included in the phish dump, because the phisher couldn't care less how many points the victim is after. This is what you normally end up with:


Click to Enlarge

...as you can see, nothing more than the Live ID, the password and the date.

Here, however, each stolen account in the data dump looks like this:

Logged IP address: xx.xx.xx.x0 - Date logged: Monday 20th 2009 of July 2009 09:17:27 PM
Email=xxxxxx@xxxxxxxxxx.com
Password=xxxxxxxxxxx
Points=20000
submit=Go!

For some unknown reason, the phisher decided to log the points the victim tried to obtain for free. This means we can gather up some data about the level of frenzied button mashing the victim goes through over a period of days.

Days? You bet. More on that later - for now, let's take a quick look at the amount of points the victims were dying to get their hands on. The stolen logins have been in circulation on forums for a while, and based on comments we've seen all of them have either been locked down or leeched but we've notified Microsoft anyway. All of the below were phished between Monday the 20th of July and Tuesday the 28th:

500 MS Points ($6.25 / 4.25 GBP) - 17 requests
1000 MS Points ($12.50 / 8.50 GBP) - 8 requests
2500 MS Points ($31.24 / 21.25 GBP) -  8 requests
5000 MS Points ($62.48 / 42.50 GBP) - 23 requests
10000 MS Points ($124.95 / 85.00 GBP) - 10 requests
20000 MS Points ($249.90 / 170.00 GBP) - 92 requests

In total, there were 167 attempts to get free points, with 9 misfires (which means the victim didn't pick an amount on the dropdown box, resulting in a "-Select-" left in the relevant data field). Roughly 86 individual Live IDs were phished, and the rest of the 167 attempts were repeated requests for points from the same handful of people - sometimes stretching over the full timespan from Monday 20th July to Tuesday the 28th.

One person made 24 requests over the eight days (at one stage making eleven requests for points in three minutes!), with 17 tries for the maximum amount of 20,000 MS points. That works out at 340,000 points not including his smaller requests, which means this person attempted to collect over FOUR THOUSAND DOLLARS worth of digital downloads for nothing.



In fact, he's still trying to get free points on the 28th despite not having actually received anything from the moment he tried way back on the 20th. The phisher who collected these logins deserves nothing but scorn; however, it's increasingly difficult to feel any sympathy whatsoever for some of the people caught up in the above data log.

Is the only real solution to throw both phisher and victim into a bear pit, filled with angry bears who themselves hold an irrational hatred of both bear pits and bear pit trespassers?

Why yes. Yes it is.

A common warning in relation to many phishing attacks is "Look for the .com in the URL, because that's the official site domain - if you see that you know it's the real thing".

All well and good, but sometimes people find a way to place a ".com" in there anyway.

Here's a fake XBox.com phishing page - note the URL:


Click to Enlarge

Amazingly enough, it's

xbox.com.au.tp

The problem here is that we're so conditioned in relation to "Look for the .com" that many people will see this domain and think, well, it HAS to be legit - completely disregarding the "au.tp" part that comes after it.

Unfortunately, it isn't real in the slightest. How did they get the above domain to look the way it does? Well, a .tp domain is the top level domain for East Timor. You can't actually get them anymore (due to it being replaced by .tl), but you can get various subdomains through resellers. A quick jump over to Tipdots.com, and....

There's a Windows Live ID phish doing the rounds at the moment, aimed at XBox gamers and their overwhelming desire to obtain FREE STUFF. Namely, XBox Live points. Here's the site, which is located at mspsite.t35.com:

It contains the usual nonsense designed to make the victim sit around doing nothing while the phisher changes their login information:

"This website uses an exploit found on the xbox live website. Using this exploit correctly means you can edit your amount of microsoft points on your account. As the flaw is on the Singapore websites, People living outside of singapore may need to wait up to 24 hours for there points..."

Once you enter the info, your account is as good as gone along with anything you have attached to it. If you think people don't fall for things like this, here's the proof:


Click to Enlarge

Chalk up one victim to the above site. There's bound to be more...

Here we have yet another Steam Phish, this one involving some forum based scammery. Our phishing friend sets up a forum account on the official Steam forums, then sends random people a "scary" message like this:


Click to Enlarge

Assuming the victim is suitably terrified by dire warnings of account hackings, they'll promptly jump over to

valve-ipfix.tk

which is a redirection URL hiding the "real" URL at

steampowerness1.awardspace.us

...and the victim will then enter their Steam login credentials to the phisher.

Here it is in all its phishy glory:


Click to Enlarge

Avoid.

Pharming has been around for a few years now, and most (if not all) pharming attacks I've read about usually involve techniques far beyond your average script kiddie. From Wikipedia:

Pharming (pronounced farming) is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real addresses -- they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned".

Curiously, one individual seems to be whipping up a frenzy on numerous hacking / cracking boards recently, claiming to have invented a "new, revolutionary form of phishing". It's actually "just" Pharming by another name - "Phisher Arms" (a Phisher Arm being the executable used to alter a computers hosts file) - but while being entirely ignorant of Pharming, he's also promoting a broadening and deepening of the amount of script kiddies happy to adopt such tactics. While there's a certain comedy value to him reinventing the wheel, mass adoption by wannabe pharmers is not a good thing, and there's never been a better time not to click on unknown attachments or run strange files...

In the beginning

On the 30th of April 2009, a new video appeared on exploit database Milw0rm, rather breathlessly called "Desktop Phishing: The New Art of Phishing". Along with the video came lots of graphics:


Click to Enlarge


Click to Enlarge

...and a soon to be released E-Book(!), along with an audacious bid for fame in the form of a Wikipedia page which was (unsurprisingly enough) hit with the Banhammer.

In a nutshell, it works like this:

1) Have a random executable file to hand. It can be anything, though obviously you want it to appeal to the victim you intend to send it to.

2) Bind it with a modified hosts file in such a way that it replaces the victims original hosts file when the executable runs.

3) Insert sites such as Paypal, banking sites, Ebay, whatever....into your modified hosts file, and have each of them point to an external IP address for your own computer. I bet you can see where this is going...

4) On your own computer, you host the phishing page using server software such as wampserver.

5) When the victim tries to reach Paypal or a similar site from their computer, they are of course taken to the phish page running on the attackers PC which will still say "Paypal.com" in the address bar. When the victim enters their details, they're actually placing them directly onto the attackers computer - note the URL at the top:



Whoops.

To be fair to our wheel inventing pharmer, it's an interesting technique and will no doubt be adopted en masse by the rank and file of "this is way too hard for me" wannabes out there. His video has already been viewed over 12,000 times - by comparison, most other entries on the Milw0rm frontpage are in the low thousands:


Click to Enlarge

Google "Phisher Arms" or "Desktop Phishing" and you'll already find a lot of hacking forums promoting this as the best thing ever - and they're just the ones publicly viewable.

Whatever you want to call them, there's probably quite a few of these "Phisher Arms" in circulation at the moment given that his video hit a good few weeks ago. As always, be careful what files you download...

The below site:

itunes-multiplier.webs.com

should be avoided, as it's nothing more than a cheap con trick. The gag works like this - you go out and buy an iTunes card (which use codes that are redeemed inside iTunes to credit your account).

Then you see the above website promising it can double your points and start to feel a little greedy. Here is the "multiplier":

The racing season might well be underway, but it's a good idea to be careful where your logins are concerned.

The following domain:

tema-ferrari.tk


Click to Enlarge

Is trying to entice users of popular Social networking site Orkut to login to their accounts - or, to be mre accurate, is trying to entice fans of Ferrari cars to login to their Orkut accounts. You can't really miss the huge Ferrari logo in the middle - the earliest google cache of the site is a few days before the first race in Melbourne, around the 24rd of March. Odd coincidence, that.

In case you're wondering, the text (in Portuguese) roughly translates as follows:

"Connect with friends and family using scraps and instant messaging
Meet new people through friends of friends and communities
Share your videos, pictures, and passions all in one place"

I'm going to go out on a limb here and guess the phisher won't even get a speeding ticket...

There are emails in circulation directing end-users to the following web site:

moxieusa.com/includes/PEAR/Thanks.htm

It's a Paypal phish with an added "bonus" - when you visit the page from the mail, you're presented with the following message:

"You Have Successfully Confirmed your account information.

The New Anti Fraud System has been successfully added to your PayPal account."

Entirely false, of course - nothing has been added. There's also a short ramble about additional security features:


Click to Enlarge

Click the continue button, and you're taken to the inevitable phish page.

Avoid...

We're seeing a wave of Steam related phish scams at the moment. Most (if not all) look something like this:


Click to Enlarge

Ah, the promise of free games. When have you ever let a phisher down?

The domains being used in this scam are:

steampoweredgifts.my3gb.com
steamscommunity.co.cc
gift-steampowered.co.cc
steam-acitvation.co.cc
steamrecommunity.co.cc
mysteamcommunity.co.cc
wtmail.free.fr/steam
games4steam.tk

If / when we come across others, we'll add them to the above list. Quite a few have gone offline already, only to come back to life so it might be a while before all of the above are completely DOA...

There's an old technique in certain forms of martial arts - when confronted by an attacker, just before they start to throw the first punch, you distract them with something utterly stupid.

Could be a silly noise, or you might waggle your arm to the side while pulling a face - doesn't matter. The stupider the better, it's just there to make them wonder what on earth is happening shortly before you put them through a window and run away as fast as you can.

Well, same deal here. Today we came across a program designed to do nothing at all. No hijack, no contacting a server, no files dropped, no registry entries, no staying in memory....nothing.

What is it used for?

Distraction. And lots of it.

There is a video currently in circulation on sites such as Youtube, promoting something called LiveGrabber.



The program looks amazing, gives you all kinds of free things, hands you free accounts for the paid XBox Live service and so on. All done by pushing a few buttons. Here are some pics lifted directly from one of the videos:







Told you it was nice looking.

However, the gimmick here rolls into town exactly six seconds into the video:



"New update available: it will no longer have an interface. It will run silent in the background -  when opened you must visit the website to redeem".

Yes, the NEW version is completely invisible and runs "silently" (extremely silently!), only giving you lots of free things if you visit the website promoted in the video and enter your own Live login details.

Doh.

While we've seen fake programs before, usually they either refuse to work, drop infection files or give out fake error messages.

This is the first time we've seen someone create an extremely slick looking interface for a Youtube video, then reduce it to nothing and pretend it's "doing something in the background". It seems the original version available to download did the usual "fake error message" routine, but the author grew tired of trying to explain away fake error messages.

What could be better than telling people it now runs silently in the background?

At any rate, based on the comments left on the creators Youtube page, it seems it's enough of a distraction to get people to hand over their login details to

lancergrabber.tk


Click to Enlarge


Did I say "user comments"? I sure did. I'll leave you with the thoughts of some people soon to be parted from their Live ID login credentials...









Yes. Of course it does...!

Click to Enlarge

Not much more to add here, other than "avoid".

Today I was browsing around a couple of Arabic language hacking forums, and came across a random link that took me somewhere interesting. Here's a screenshot of said forum, because everyone loves to look at mysterious hacking forums. Right?

Rapidshare premium accounts are big business on phishing / trading sites. It seems they're trying to do something about the problem - anyone going to the premium accounts login screen now sees this:


Click to Enlarge

...a rather fetching "Phishing Warning" box, prominently displayed. Click it, and this appears:




Something like this is always a welcome addition. It's actually been rather humorous watching people on phishing / trading sites agonising over whether or not to include the above on their phish pages in the name of authenticity...

A friend of mine had this sent to them yesterday.

At first glance, it seems like a perfectly regular Phishing mail. However, there's something in there that sort of ruins the whole phishing attempt. In case you miss it, I've highlighted it in bold text. Enjoy...


Dear PayPal Member,

As part of our security measures, we regularly screen activity in the PayPal system. We recently contacted you after noticing an issue on your account.

We requested information from you for the following reason:

We have reason to believe that your account was accessed by a third party. We have limited access to sensitive PayPal account features in case your account has been accessed by an unauthorized third party. We understand that having limited access can be an
inconvenience, but protecting your account is our primary concern.

Case ID Number:

This is a reminder to log in to PayPal as soon as possible.

Be sure to log in securely by opening a new browser window and typing the PayPal URL. Once you log in, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure account safety.

In accordance with PayPal's User Agreement, your account access will remain limited until the issue has been resolved.

Unfortunately, if access to your account remains limited for an extended period of time, it may result in further limitations or eventual account closure. We encourage you to log in to your PayPal account as soon as possible to help avoid this.

To review your account and some or all of the information that PayPal used to make its decision to limit your account access, please visit the Resolution Center. If, after reviewing your account information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us".

We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department

----------------------------------------------------------------
Copyright ? 1999-2009 PayPal. All rights reserved.

Here's a dubious looking domain:

kasperskykeys.za.pl

As you've probably guessed, the site is being used to lure people with the promise of "free keys" for Kaspersky, only to then try and steal various types of login.

At present, it currently points to a fake Rapidshare page.


Click to Enlarge

Once you enter your Rapidshare premium login details, it's all over but the shouting. Steer clear...

This is something we've seen a lot of recently.

First, we need a Habbo phishing page, with something a little different added into the mix. Like this one:


Click to Enlarge

Notice something? Under the login panel, there's a section that says "Promo Code" and "If you have one, enter to receive an extra 100 credits".

Why would a phishing victim enter a "promo code"? And where would they get one from?

If you want the answer to that, you need to know where to go further upstream. In this case, that would be the main website of the person responsible for the phishing page:


Click to Enlarge

As you can see, it's scam city. Specifically:

"Learn to Scam!

Get rich quick using our scam site maker.

Ever wondered how a lot of Habbos have tonnes of furni ?... Simple, they either scam or spend hundreds of pounds on credits and then trading. But you don't want to be spending any money do you? Wouldn't you rather have it for free?

Using this sites scamming system you can get rich in just a few hours of hard work."

So, we have a "sign up, get phishing" scheme in play. As for the promo codes, you're about to see why this scam is so good, but only for the person who set it all up:



Amazingly, you're told to go off and direct people to two phishing sites operated by the scam site owner, instead of your own phishing URLs. The gag is you have to tell the victims to enter a "promo code" that will allow the scam site to "track which phished accounts belong to you".

Of course, it's all nonsense.

What's actually happening here, is that someone simply sits back and waits for lots of underlings - that would be you, if you happen to fall for this - to run around spreading their phishing links for them.

I'm willing to bet good money that the people recruited for these scams never, ever see the login details of the people they phished - meanwhile, someone sits at the top of the chain, building a scam empire with a maximum of style and a minimum of effort.

Well, as much style as you can muster when scamming scammers, anyway...

Today we came across a collection of approximately 270 sets of login details that have apparently been Phished via a fake XBox Live login page. The list, some 27 pages long in Word format, would allow people to access stolen XBox Live accounts, some of which may have credit card details stored against them (along with other forms of personal information, of course).


Click to Enlarge

The list itself is actually around 300 or so entries, but it seems some of it is duplicate and / or obviously fake data, entered by people annoyed at the Phishers the list has come from (as a side note, I should add it's never a good idea to enter fake info on Phishing pages - it not only makes it harder for people who wade through this info looking for victims to contact, it also opens you up to potential retaliation attacks from the Phishers).

An additional "bonus" of grabbing Live ID data is that you can use it to check out EMail accounts associated with it - not a great situation, and one of the reasons I've never been too keen on "one login to rule them all" situations. We've already seen some people boasting on forums about the info they've pulled from various EMail accounts associated with the list - how quickly "stolen XBox account" becomes "stolen everything else".

This list seems to be in circulation on a number of hacking forums; the majority of the accounts were phished between November and December of last year. Despite the relatively long time that's elapsed since the data was first collected, a lot of the accounts still seem to be accessible based on comments we're seeing on those underground sites. It seems someone might have put their personal stash on "general release" to gain some kudos with others.

We've passed the stolen data onto Microsoft, and we're sure they'll move swiftly to lock down the accounts involved.

At least, not if you're asked to do it at the following location:

updateyourabbeybank.tk

The site is, of course, a phish page. Not a very clever one, at that. There's a particularly useful clue on the page that will helpfully deter some end-users from giving away their login details:


Click to Enlarge

In case you're still wondering, the clue would be the huge Cursormania advert at the bottom of the page. Not too many banking websites have those - even the trendy ones...

Remember this? Well, a rep for Virgin Atlantic left the following comment:

We came across an interesting site the other day:

virrgin-atlanticsairways-uk.com/default.aspx

A replica of the Virgin Atlantic website:


Click to Enlarge

None of the links worked, but you were able to login over on the right. Well, I say "login" - what I actually mean, is "send your account details to the phisher".

Now, I'm not familiar with Virgin Atlantic so you might have to help me out here. The only possible reason I could think of for obtaining Virgin Atlantic "Flying Club" logins was to somehow make use of the airmiles stored against the account. If anyone out there reading this has a Virgin Atlantic account - is that possible? Can you transfer (say) airmiles to other accounts, perhaps? I can't see how the phisher could simply book flights under the name of the stolen account, so I'd guess there must be some way to exploit the system involving airmiles.

Either that, or someone just really likes collecting Virgin Atlantic logins.

Curiously, this phish page pops up in a few other places - most notably, involving complaints related to fake job offers with Virgin Airlines here and here. The site is currently offline, but don't be surprised if they take to the skies again shortly...

I've previously written about phishing scams which appear to look like Rapidshare pages, and claim to offer specific products (without linking to any actual files).

Well, this seems to be an evolution of that particular attack.

Here's one of the newer kinds of Phish I'm talking about.


Click to Enlarge

Here's another site related to Steamgift.com. The site in question this time round is called

steamverification.com

This one takes a (somewhat bizarre) spin on attempting to take your login credentials:


Click to Enlarge

I write quite frequently about Steam scams, because there's a fair chance stolen Steam accounts can have a significant amount of money invested in them. I could simply link to the Wikipedia article describing it, but instead I'll give you a more condensed rundown - hopefully it'll give you a better idea of what's at stake.

Steam - What's The Big Deal?

If you're anything like me, you'd buy a PC game, hurl the discs somewhere and then sometime later when you came to reinstall find the manual with the license key on it was missing.

That used to happen to me a lot.

Steam is an entirely digital distribution service for PC games. Effectively, you substitute those annoying printed keys for a username and password - any games bought under your steam account can be downloaded as many times as you need to, installed on any PC and the purchase made against your username authorises the game to be played.

This means, of course, that someone with a Steam account could well have spent many hundreds of pounds / dollars / insert currency of choice on a wide variety of games. Lose your account, and you've lost a pretty big investment. Now that we've got that out of the way...

What's The Scam?

The website we're looking at today is

Steamgift.com

The website looks almost identical to the real Steam website - indeed, there is only one small (yet crucial) difference. Here's a screenshot:


Click to Enlarge

There's a large blue banner that really shouldn't be there. It reads:

"Free Steam Gift Pack! Absolutely Nothing Required!

Also including The Orange Box, Left 4 Dead, Audiosurf, Counter Strike Source, Counter Strike, Garry's Mod, Call of Duty 4 and more".

Sounds too good to be true, doesn't it?

Sure enough, click the banner and you'll see a page positively stuffed to bursting point with encouragement.


Click to Enlarge

Encouragement to fall victim to a scam, that is. Hit the "Click here for free gift" button and a final piece of "DO IT NOW" harassment awaits...


Click to Enlarge

If you fill in your Steam account details and hit "Login", you've just waved goodbye to your account.


Click to Enlarge

"Success - Your account will be credited with the Steam Gift Pack within 24 hours".

I'm willing to bet good money that isn't going to be the case...

Nothing particularly jaw dropping, but I thought it was worth mentioning. There's quite a lot of fake Rapidshare phish pages in circulation at present - they all look like this:


Click to Enlarge

...and they want you to enter your login details to "activate premium membership immediately".

What really grabbed my attention was the URL. All of these pages specifically place certain products into the web address - no random hacker usernames or swear words in these babies. Case in point:



You can see what they did there.

At any rate, avoid any so-called "Rapidshare" page seemingly promoting albums, movies or videogames. They're not what they seem...

This XBox Live phish attempt caught my eye:


Click to Enlarge

It's a lot better looking than many of the others I see, and the phisher took the time to make a fake screenshot to impress you with all the fake money he (doesn't) have. The most interesting thing about it for me is that it references another domain ("Runeflux.com"). Usually they're pretty anonymous.

Anyway, I decided to check out the domain - there's nothing there, could it have been taken down? Well, a quick search later and we have this (rather well edited) Youtube video. Apparently the domain simply hosted the same phishing page, so yes - it's a fair bet someone had it taken offline.

The important part is when you check out the profile of the person who owns the account:




Yes, our phishing friend is only 14. I've had quite a bit of experience researching people at the younger end of the age spectrum involved in this sort of thing, and I have to say the basic mechanics of "how to phish" are all in place with this kid.....slick websites, Youtube promotion, little touches like fake screenshots....it's all there.

Worrying, isn't it?

Anyway, the URL to avoid here is

h1.ripway.com/microsoftpointsgen/

There seem to be quite a few sites online at present claiming they can give you "online tax refunds", if only you fill in your bank details and click "submit". It's not a good idea, and they look pretty convincing:



Click to Enlarge


Click to Enlarge

....not really.

We've heard reports of a couple of these websites currently doing the rounds - they call themselves "Microsoft Points Heaven", and usually sit on free hosting domains. They promise you "free" Microsoft points, then ask you to enter your Live login details. At that point, your data has been stolen.


Click to Enlarge

If you check the code, you can see you're not "signing in to XBox Live" at all - you're entering your information into a standard submission form, which will send the information you enter directly to the site owner.



The last URL we saw this scam residing at was

microsoftpointheaven.weebly.com

which is now offline. It will no doubt resurface somewhere else, so be on your guard...

Wow, this is creepy.

It's an EBay phish page that does two things.


Click to Enlarge

The first is that it bizarrely asks you to install a Firefox extension called QIP (as you can see from the yellow bar across the top in the above screenshot), which (as far as I'm aware) is a legitimate Russian extension that allows you to converse with friends across multiple platforms.



Call me crazy, but I'm sure most EBay users would immediately think something was wrong if they were presented with a Russian Firefox extension on EBay.

Worse is to come, however. If the end-user should scroll down a little, they're presented with adverts - and they don't exactly convince you that this is the real EBay website. One usually contains a naked woman of some sort. The other? Well, it tends to show a close up of a randomly selected dead womans face, often horribly mutilated.

Yes, I have no idea what's going on here either.

(Automatically translated from Italian):


Click to Enlarge

...sadly, as crude as it is you'd be surprised how many people will fall for the old "Send your login to a random Hotmail address" gag. The domain to avoid is

habbohack2.blogspot.com

There seems to have been an outbreak of phish links dropped onto Twitter in the last day or so.

Messages such as these should be avoided:

hey look at this funny blog rosalierebyb.blogspot.com/

heyy!!! i want u to see my blog!! blogtwitter.access-logins/login

You'll notice the second message (which was sent to a colleague of mine) incorrectly lists the phishpage (it's missing the .com, so the phishers shot themselves in the foot with that one) but the page at

blogtwitter.access-logins.com/login/

is still live at time of writing. More here.

Whenever I see a video on Youtube that repeatedly urges me to "visit a link" in relation to Habbo, I'm naturally suspicious. As it turns out, to fool people into handing over their Habbo logins, all you need to do is pretend you've created an awesome program that manipulates every aspect of Habbo you can think of....






...and then post up a link to a third-party website. Once you enter your login details, you'll gain access to the wonderful program.

Honest.

No doubt a lot of people have fallen for this already, but if they'd only taken the time to examine exactly where the .tk domain redirects to....



..."Fishingisfun"? Call me suspicious, but I don't think I'll be entering any login details onto that website anytime soon...

If you like shooting zombies in the face - and who doesn't - then you may well have already purchased Left 4 Dead, a videogame pitting four survivors against a relentless zombie horde.

Well, it appears to be a popular target for scammers. An EMail popped up in my mailbox over the weekend, claiming I'd received a "guest pass" that would let me play the full game "for a limited time". Here's the mail in question:


Click to Enlarge

"The steam support has invited you to use a free guest pass for Left 4 Dead on Steam, the leading digital distribution platform for PC games.

Once you've installed Steam (or if you already have an account) click here to accept steam supports invitation to a full game of Left 4 Dead."

Of course, the link for the "guest pass" doesn't take you to an official site - it takes you to

steampovvered.co.cc (note that's steampo v v ered, NOT steampowered)

At that point, if you enter your Steam password, you've potentially lost it for good. The site is currently offline, presumably because it's already been reported ("This domain is under examination at the moment, it will be finished within 24 hours"). However, there are probably more Phishing scams out there attempting to capitalise on the popularity of this particular game.

Now if you'll excuse me, I have to prepare for the coming Zombie Apocalypse...

This is a particular favourite of Phishers - a page claiming to give you free Microsoft Points for XBox Live, only to take your login and do what they want with it (which could range from using the credit card stored against your account to buy lots of games you don't actually want to just trashing your gamer profile).

With that in mind, then, here's the offering for today:

freemspoints4all.blackapplehost.com


Click to Enlarge

The "3.1" in the bottom right hand corner is particularly humorous. Anyway, hit "Click here" and you're taken to a standard fake Live login page:


Click to Enlarge

If the unwary visitor should enter their details, some code in a .php file will stash the login for the Phisher to grab later while immediately redirecting you to the following (entirely fake) message on a blank page:


Click to Enlarge

If you get to the stage where you see this message, you should be thinking about logging in as quickly as you can and changing your password. Top tip for the day - any website that offers "Free Microsoft points" should be avoided like the plague. I've yet to see a genuine one, and I think I can safely say I'll be waiting for quite some time before I do...

There seem to be quite a lot of these doing the rounds at the moment:


Click to Enlarge

They've not done a very good job with this Phish - they display an obviously fake URL, for one thing - but they do get some bonus points for attempting to lure the end-user in:

"You've been selected to take part in our quick and easy 9 questions survey.
In return we will credit $20 to your account - Just for your time!"

Sounds tempting, right?

Click the link, and you find the deal has suddenly sweetened - you're now being told the offer is for $90, not $20 - courtesy of an extremely slick looking phish page:


Click to Enlarge
 
The red text on the right that says "Capital One will add $90 credit to your account just for taking part in our quick survey." is actually a scrolling ticker. Of course, the survey itself is just fluff - the meat of the scam is directly underneath:


Click to Enlarge

As you can see, a spectacular grab for personal information. Name, address, Mothers Maiden name, phone number....the works. Directly below, they want your full card details, the number on the verification strip, your social security number and even your ATM Pin number. Note how they keep up the pretense of this being a real webpage (asking you if you want to sign up for an "EMail Newsletter" inbetween the different sections).

The URL to avoid is

capitalone.iseoul.net:202/capital.online.survey/

The site has been reported, and will hopefully be offline soon.

Not the newest scam on the block, but it does seem to be currently doing the rounds so it's worth highlighting. If you're sent an EMail with the same title as this article, with content that looks like this (usually sent from a random Hotmail account):


Click to Enlarge

...then delete it, it's a scam.

This is a particularly thoughtless and poor-taste hack. This is Rapecrisiscenter.org, a support site for people in the Central Massachusetts area:

While investigating an unrelated case of Phishing yesterday, we came across the biggest haul of stolen EBay logins we've ever seen.

How big?

Well, here's a screenshot of the "Word Count" from the document the details are stored in:

We're noticing quite a lot of these appearing in mailboxes at the moment, all .cn and .kr domains. Here's a few more (that are currently confirmed as live) for your blocklists:

adwords.google.com.qsoil.cn/select/Login
adwords.google.com.apoim.cn/select/Login
adwords.google.com.kfion.cn/select/Login
adwords.google.com.tverdo.cn/select/Login
adwords.google.com.agrod.cn/select/Login

ottoggi.co.kr/bbs/data/schedule/1194604617/redirect.google.com
kilsangsa.or.kr/zero/data/buddha/1223246866/https/portal.google.com/www.adwords.google.com/select/Login.htm

Unsurprisingly, the .cn domains are all registered to "Mr Gfdthy", the same individual that owns the mehdo.cn domain. At least one of the Korean domains appears to be a legitimate website that's been hacked and had the phish page uploaded by the hacker, and so might not be part of the "main" campaign that's currently ongoing.

Time to clear out the mailbox - wait, what's this?

Here, our unfriendly neighbourhood Phisher is attempting to play on the fear of a security breach:

Attention all Apex ACH System Customers!

We inform you that on October 7, 2008 a partial loss of data took place in our database. Due to this problem urgent request to take the procedure of account verification. Verification form is located here:

[URL Removed].org

However, failure to confirm your records may result in account suspension.
This is an automated message. Please do not reply.

Best to ignore this kind of EMail, methinks...

This is PINsentry.

This is a PINsentry Phish currently doing the rounds:

Introducing PINsentry for Online Banking

To help protect your account from Online fraud, we are changing the
security for Barclays Online Banking and you will need to upgrade to
PINsentry.

PINsentry upgrade - information by email
We will send you information on PINsentry and details of any cards being
issued or upgraded by email.
Please insert your details in the attachment below.

Barclays Bank PLC is authorised and regulated by the Financial Services Authority

This is the form that comes with the EMail:

Oh dear.

Here we have a phish page for the Bank of India:

I've always been fascinated by how many net hoaxes and scams have revolved around the Dreamcast console and related games (in particular, Shenmue). I thought it might be interesting to have a look at some of the most memorable ones, though this list is by no means exhaustive so please feel free to add to the list if I've missed any.

Fake Shenmue Passport, February 2006: Back in 2006, gamers were amazed to find the Shenmue Passport spring back to life. For those of you who don't know what the Shenmue Passport is, click here. Everyone else can just skip to the "good stuff", which would be seeing this appear on your TV if you'd had the brainwave to go online with your long-dead Dreamcast in February 2006:


Click to Enlarge

A message proclaiming that downloadable content for Shenmue was back online, and that more would be "coming soon". Forums everywhere started to look like this. All of a sudden, downloads were available from the seemingly official (and freshly reborn) website and messages saying "We'll be back soon" were plentiful, sparking rumours  of a Shenmue 3  announcement (or even something related to the  limbo-ridden Shenmue Online).

However, something didn't seem quite right about all this and the truth eventually came out thanks to a fantastic bit of detective work here. Someone had bought the domain once it had expired, and decided to "give fans hope" with a bunch of uploads and fake messages. As you might expect, this did not go down very well (in fact, you can see the process of SEGA reclaiming the domain from the culprit here thanks to someone who was copied in on the EMail conversations).

Shenmue 3 Youtube Trailer, January 2007: This is a fairly crummy hoax, but did seem to sucker a lot of people. Take some CGI footage from the canceled "Shenmue Online" game, stick "Shenmue 3" over the top of it:



Place the whole mess onto Youtube then sit back and laugh. Even though the video was placed online in 2007, it's still fooling people a year on.

Dreamcast Phish, March 2008: This one was particularly nasty, and was similar in execution to the way the Shenmue.com domain was swiped for the above scam. Someone grabbed the Dreamcast.com domain, then used it to phish for email logins and caused an awful lot of LET'S KILL THE PERSON RESPONSIBLE IMMEDIATELY type comments across the Net. This is what the previously dormant website suddenly looked like after being offline for all those years:



Seeing that sent quite a few Dreamcast fans insane (myself included) which made it all the more horrible when it was revealed to be nothing more than yet-another-Dreamcast-hoax.

Luring you in with the promise of an official @dreamcast.com Email address, they asked for your serial number, desired username, password and a current Email address. Once registered, you would end up with a seemingly valid yourserialnumber@user.dreamcast.com address.

The only problem, of course, was that it wasn't SEGA sending out your details, it was the scammer who had grabbed the domain name. The theory is that people would likely use the same password for their desired Dreamcast address as the alternate Email address they provided when signing up to the "service". Thus, you would have spam lists and hijacked email addresses galore.

It didn't take long before SEGA denounced the site, and it was pulled offline shortly after. In retrospect, a dead giveaway should have been the fact that the site had Google Ads and a few other things on it (check out the rather small screenshot) that probably wouldn't have been there if SEGA had actually been in charge. SEGA almost certainly wouldn't have had a Play-Asia affiliate code embedded in the page, for that matter:

Messing around with one particular videogame is one thing, but whipping fans of the Dreamcast console into a frenzy with the promise of an out-of-the-blue Dreamcast revival was never going to end well. Sadly, the culprit was never found but hopefully they'll drop a really heavy plantpot stuffed with bricks on their foot at some point in the near future.

Shenmue "Believe" Advert, July 2008: Oh dear. EDGE magazine usually post up a cryptic, arty image as a substitute for a regular "Next Month" page. For the September issue, someone started a thread on the NEOGAF forum previewing said issue. In this case, the Next Month page looked like a notepad - and one of the more iconic images of Shenmue was the Notepad the main character used to store notes, items and the like.

A quick photo manipulation later and...


Click to Enlarge

If you can't see it, in the middle of the pad the original poster has placed "Shenmue 3: Believe" in very faint text.

This spread across the net like wildfire for a few days, until of course people started to get their hands on the issue in question and realised the whole thing was....yet again.....a hoax. I believe the EDGE preview turned out to be for an article about videogame instruction manuals.

Shenmue 3 Disc Hoax, August 2008: Sometimes innocent bloggers (who really should check the source material...) are sent images and post them up. Bad idea. Not so long ago, SEGA unveiled a room containing every single game they'd ever made. One of the images contained a pile of GD-Rom discs which SEGA used to store prototypes and early build versions of Dreamcast games on. Despite the blogger in question actually linking to the original, they were suckered in by a photoshop alteration where someone had placed "Shenmue 3" over the top:


Click to Enlarge

As SEGA themselves said,

"Ha, that's too funny, they've totally photoshopped the image. I wonder how long it is before we see this getting picked up as fact."

As it turns out, it wasn't too long - I did see this pop up on a couple of forums, but this one was caught pretty early. It's still surprising that the blogger didn't just check the original image more closely though.

This ends our tragic roundup of scams related to the Dreamcast console. I have a feeling we'll be seeing more soon enough...

Today I received an interesting phish that only caught my eye purely because of a chance circumstance involving my credit card. What I ended up with was three websites (at least one of which has likely been hacked), two phishes and a collection of screenshots for you to look at after the jump...

I swear these programs keep getting smaller. Weighing in at around 30 kb, one of the newer automated phish creation programs currently in circulation. Behold, a strange cube icon on your desktop:

Run the program, and you end up with a devastatingly idiot proof phish creation tool. In a nutshell, you enter the URL of the site you want to target and also the place where your phish script is located. It sucks down the content of the target site and jumbles it up with your phish script - hey presto, one Phish page ready to roll.

Facebook...

Click to Enlarge

Myspace...

Click to Enlarge

And, just to show that it will suck down pretty much any site you enter, here's Google search engine...

Click to Enlarge

On the bright side, this one doesn't come with spoken help files...

Subject: Dear Webmail Subscriber Confirm Your Account.

Body: "Dear Webmail Subscriber,

To complete your Webmail account, you must reply to this email
immediately and enter your password here (*********)
Failure to do this will immediately render your email address
deactivated from our database.

You can also confirm your email address by logging into your webmail account.

Thank you for using!
THE SUPPORT TEAM
WEBMAIL SUPPORT
Confirm Your E-mail Address"

I see some poor phish mails, but this one doesn't even attempt to make sense. Not only is it a bad idea to tell someone to "confirm their account" when they've already been using it for four years(!), telling them they can "confirm their email address by logging into your account" is sort of redundant considering they'd have to be in it in the first place to see the mail. They don't even link to a phish page - the mail might as well just say SEND US YOUR LOGIN, THANKS!

Oh wait, it does.

A quick Google search on the domain extension for the Email used in this scam (@j-mail.info) reveals a prior history with regards email missives. Fake lotteries, grant awards, 419 references - as always, steer clear.

I'd been watching the antics of a 20 year old girl from Malaysia who had a serious thing for Phishing. I couldn't have predicted the direction the investigation would take when, quite randomly, I came across the following post with regards one of her former identities:

...."Ribut", eh? Interesting. A quick Google search later, and we find some interesting Ribut-related Phish pages:

...don't bother to look for it, I already had it killed off. What really intrigued me here was if she had any more pages floating around under her "old" username. Using a few search strings that tend to reveal some of the more "obvious" password-stealing fake logins via Google, I stumbled across a rather unusual way of keeping an eye on Phish pages:

There she is, buried in a pile of other phish pages. What is that a screenshot of, I hear you ask? And why exactly is she buried in a wall of phish? Well, note the title - "Where can I find these ads?"

This is a page from advertising network Adbrite, who the host of all these phish pages (2222mb.com) has an account with. If someone wants to host an advert on 2222mb.com, they make their selection and purchase ad space:

However, this isn't the part of the page we're interested in. You've already seen it, above, listing the "most trafficked pages" from the site in question. That's right, it appears that the most popular pages on 2222mb.com are phish pages, going off the information presented to us by Adbrite.

In fact, here's a snapshot of the current set of pages listed by Adbrite as "most trafficked pages":

...is anyone else faintly disturbed that EVERYTHING being listed for this webhost is almost always a phish page?

At this point, you normally contact the host and (depending on a whole range of factors) they kill off the rogue pages in a few days or so. My hopes were high, seeing as another host (110mb.com) with the same Admin contact (a person called Tycho Luyben, more on him later) had previously removed phish pages for me in as little as six minutes.

My first mistake, as it turns out, was getting my hopes up.

Click to Enlarge

The above is the frontpage of 2222mb.com. At the bottom of the page, it mentions Terms of Service, but you can't click into it. There is no contact email address anywhere on site, and no mention of what to do when finding evidence of abuse on the network.

Uh-oh.

As it turns out, the only way to try and get someones attention was to register for the hosting service, then submit a ticket which......was completely ignored by whoever received it.

> http://dustyd34th.2222mb.com/myspace.php
> http://ribut.2222mb.com/myspace.php
> http://najn.2222mb.com/
> http://tjt1991.2222mb.com/myspace.php
> http://darktornadic.2222mb.com/myspace/myspace.php
> http://english-naats.2222mb.com/index.htm
> http://titan7.2222mb.com/myspace.php

....were all reported on the 21st of January, and a few days later, nobody had replied to my ticket. So much for the "24 / 7" support - I added to the ticket a few days later (with words to the effect of, "these pages still appear to be live"?) and that was ignored too.

Okay, change of plan. Let's go to the guy who must be providing these reseller accounts to these webhosts in the first place. A quick check of the whois data for 2222mb reveals....something weird, actually. The other hosting services that are presumably reseller accounts provided to individuals by "Tycho" have different addresses listed, as you would expect (110mb.com, for example, is owned by someone in Australia). With 2222mb.com though, Tychos own "Admin Contact" address is listed as the main contact address for this domain.

owner-contact: O-EZL21
owner-organization: E-lab BV
owner-street: Weverstede 27 b
owner-city: Nieuwegein
owner-zip: 3431 JS
owner-country: NL
owner-phone: +31 615065229
owner-email: tycho@e-lab.nl

Is the owner of this reseller account living with Tycho or something? Could it be Tycho himself? It seems unlikely, given that Tycho replied to my first email to him (sent on the Tenth of February) with the following:

"Dear,
I will tell my client to remove these asap.

Regards,
Tycho"

...."My Client"? Okay, so why is his own Admin address listed as the primary contact point for this domain when someone else apparently owns it?

Anyway, all of the above phish pages were deleted - but I had a second, final batch of pages that needed to be deleted too. As anything and everything sent to abuse@2222mb.com and postmaster@2222mb.com went unanswered, I thought I'd better send Tycho another email. He'd fix those too, right?

Wrong.

Three more emails, sent on the 11th, 13th and 15th of February went unanswered - as did the second round of tickets raised inside the 2222mb system:

Click to Enlarge

Two of the above phish pages have since gone offline, but it seems unlikely that I had anything to do with it, given that all the rest are still online and happily phishing away. I thought I'd check out the E-Lab site attached to Tychos email address - here's where things spiral into madness:

Click to Enlarge

Note the "www" at the start of the web address. So far, so good - nothing out of the ordinary. Just a page that talks about helping people "start out" online with regards technology based ventures and the like.

However - type in the address minus the "www" and look what happens:

Click to Enlarge

...you're redirected to a site called "Stoopidsh*t.com" that contains links to numerous "extreme / crazy" videos, and also a number of videos that require you to install Zango to play them (they're the ones with the red "play video" buttons).

Apart from the fact that it's a little odd for a site acting as some kind of provider for web services to redirect to something like that, can you guess who the site is registered to?

I have no idea what's going on with that whois data, but it looks a little strange, right? S4V 3C5 is merely a postcode - where is the rest of the address?

Actually, that's not the only website connected to Tycho that looks a little odd in a whois search. Take, for example, the whois for a site called "Riddleman.net":

....I'm sure you'll agree, that's a pretty strange looking contact address. At any rate, I think we're done poking around the weird and wonderful world of domain registrations. Time to contact Adbrite and let them know anyone going looking for either

a) 2222mb.com information via Google or

b) more information regarding Myspace phish pages on 2222mb.com via Google

are (more often than not) going to see Adbrite pages appear before anything else, usually listing some phishing pages in their own "most trafficked pages results:

Click to Enlarge

Now to me, having your own pages pop up when searching for someone else's phish pages is a form of negative association you could do without - both in terms of not wanting to be associated with such a thing, and also not wanting to be seen to be providing a way to generate money for webhosts that don't seem to be overly speedy with regards removing network abuse.

Surely, when notified about such antics you'd be quick to take action, right? At the very least, you might want to drop the person running your ads a note and suggest that a housecleaning might be in order, lest your account be canceled?

Well, that's what I thought too. However, the emails sent to Adbrite on both the 17th and the 22nd of February have (so far) not had a response from either pr@adbrite.com or support@adbrite.com (note that I only sent Adbrite details of 2222mb.com and the way that requests for phishing pages to be removed were seemingly ignored - they were not sent any additional information regarding other domains, which although interesting, were irrelevant to the point I wanted to raise with Adbrite).

I would hope that Adbrite will take a second look at this and take appropriate action if needed - 2222mb.com has already gained a form of notoriety on hacking / cracking forums as a good place to host phishing pages. Indeed, look at the results from this search...there are many hacking sites distributing tutorials recommending 2222mb.com for phish hosting.

Take those tutorials and combine them with the experiences I had simply trying to get a handful of phish pages taken offline and you have the makings of a problem that is going to grow and grow unless something is done about it.

The question is, is anybody listening and do they actually care?

After hearing a few reports of Skype Phishing these past few days, one of my colleagues happened to come across the below site:

Click to Enlarge

Phishing is a form of criminal activity using social engineering or trickster techniques to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords. Some phishing has become so complicated that it no longer needs to steal information from the web, IM or E-mail, but lure users to use phone connections and capture them using phone techniques. (You call a number, they ask you to enter in your account number and PIN and viola- they capture the "tones" made by your telephone keypad input and your account is wide open to the scammer.)

We talked a while ago about the global phishing termination operation launched by CastleCops and Sunbelt Software. The volunteer PIRT Squad is comprised of folks who report phish, investigate phish, and actively work on phish takedown and termination (original concept by Robin Laudanski). PIRT is funded by CastleCops.

Our own Microsoft Security MVP, Chris Boyd, has been participating on the PIRT Squad over at CastleCops and some of the first results are in. CastleCops' operators, Robin and Paul Laundanski, have compiled the list of the top phished brands in May. Here the all-volunteer group of phishing terminators has been having a real impact on phishing. Our own research team follows-up on many of these phish sites and note that many are offline quickly! That is good news...but the battle is far from over. (Other "things" may lurk on the end of these phish attempts, but that is for another entry.)

So without further ado the top brands fished in May:
Pay special attention to how "pure Internet play" brands like PayPal and eBay are the most common targets.

May 2006 confirmed phish (brand plus total count for May):

PayPal - 520
eBay - 309
Bank of America - 37
Barclays - 36
Wells Fargo - 36
Chase - 33
WAMU - 28
HSBC - 20
MasterCard - 18
e-gold - 17
Nationwide - 17
Citi - 16
BancorpSouth - 14
Postbank.de - 12
Halifax - 11
NetBank - 11
Laredo Nat'l Bank - 10
Nat'l Australia Bank - 10
Western Union - 10
National Credit Union - 9

With this early report in mind we have to take into account that Google is now throwing their hat into the e-commerce ring with a service called "Google Checkout". The business implications of this move are very, very complicated and beyond the scope of this entry- although they are important to security researchers too. However, in terms of pure security research the proverbial writing is on the wall...Google and e-commerce will only attract scammers like bears to honey. How successful they will be will depend much on how Google implements the process, their anti-fraud features, and how educated people are on phishing in general.

I admit, especially in my talks and speeches with youngsters, I am quite dismayed at the lack of awareness on Internet safety. That is one area I, and our team, have been pondering.

One of the best forms of defense is very simply- "street smarts". For example, we teach children not to go into dark alleys late at night, actually most parents wouldn't let their children out in a city at night! Yet our digital highways can be dangerous too- often the mediums are treated differently. I plan more on this in the future.

For now, us get back to Google Checkout.

Some of the features of Google Checkout include:

1) Google will store your complete shopping history. This is convenient of course, but remember if you lose access to that account- that history goes with you. This is no different than losing access via a hack to any e-mail account.

2) Google won't share your full credit card number, even with the merchants you buy from. This makes sense, since Google is doing the transaction on behalf of the merchant.

3) Google won't share your email address with merchants if you don't want them to. This is nice- you don't have to worry about getting lots of promotions via e-mail if you don't want.

4) Google will not spam you. Google pledges they will not spam you- great. They never have and I believe that is not in their plans.

5) You can store as many credit cards in Google Checkout as you want! That is where it starts to get a little bit risky.

Now, again, I am not being anti-Google, I am only being a realist. You have a pure play Internet brand, new to offering payment transaction processing to the public at large, prepared to do business en masse. If we look at recent history, like the PIRT report, it only stands to reason that Google, other privacy concerns aside, will experience their fair share of phishing attempts.

For now- use "street smarts". Be wary and be careful.

NOTE: If you are technically adept at handling phishing attempts and want to help by joining the PIRT Squad you can join the team here, if you simply want to report a phishing attempt you can do so by clicking here.

Phishing is a form of criminal activity using social engineering or trickster techniques to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.

Phishing attempts that target employees of an particular company are often called "Spear Phishing". There is a current bill called the Anti-Phishing Act of 2005 now under debate and other community-driven methods are underway to attack phishers like the Phried Phish project from Castlecops where you can submit phishing address and skilled hunters will go after them and get them shutdown!

Coming soon...a bevy of tools and techniques to help protect your self from phishing.