InBoxRevenge KS Forum

Regarding http://www.spamcop.net/sc?id=z5229153446z9f151b466025ba16b4c8e4baad30b919z;action=display ,
I noticed this:

The email constructs an HTML form that collect passwords and other data. I did not test the form to see if JavaScript altered its action, but it appears to use a POST service provided by www.emo-ett.si (in Slovenia) that logs the stolen data before redirecting to the legitimate http://poste.it site.

I have taken the liberty of sharing the email message with PhishTank: http://www.phishtank.com/phish_detail.php?phish_id=1346220
and with WOT: http://www.mywot.com/en/scorecard/emo-ett.si/comment-39291654
The PhishTank screenshot most probably shows the legitimate Poste Italiane web page, after the redirection which I mentioned.

[Edited for grammar.]

I'd like to add that the complete idiot behind this particular phishing effort hasn't even constructed the form properly.


That will fail. He didn't include the "http://" in the "action" portion of the form tag, so it will look for a local file named "www.emo-ett.si/done.php", which doesn't exist.

Worse: he hasn't labeled his inputs, so there are five fields which aren't described, for which the phishing victim won't understand their expected values.

A true genius.

I'm reporting the phishing attack to the hosting company for emo-ett.si. Never hurts.

SiL

oh, was a bug in xPhish V.0.01.04 2011/11/15.
I corrected this in V.0.01.05 2012/01/23, now it can find POST links also when no other NOT scam links are found.
Thank you.