OpenDNS runs PhishTank.com, the largest clearinghouse of phishing data on the Internet. So we’re often the first to see new, particularly sneaky phishing attacks. The one we’re sharing with you today is both of those things.
On the surface, this scam looks like hundreds of thousands of others we’ve seen over the years. It impersonates an HSBC Bank website and encourages people to enter their login credentials, which would then, presumably, be stolen and used nefariously. While any kind of phishing is gross, it’s what’s happening behind the scenes here that’s particularly alarming.
Simply put, the scam turns 404 errors into phishing websites. The phishing website returned a 404 status in its response headers, which normally tells your browser that the website you’re trying to load is down or can’t be found. Instead of saying a page couldn’t be found, the “error” page looked just like HSBC Bank’s website to visitors.

The reason this is especially crafty is that it completely circumvents one of the primary ways PhishTank tests whether a phish is still live and functional, which is watching for 404 errors. Normally a 404 would only be returned after the offending website was fixed, indicating the content is no longer available. However, a website administrator can put whatever content they want on their 404 error page. This is exactly what we saw happen. By returning a 404 error but still rendering the phish, the website administrator avoided being caught by PhishTank. But not for long.
Our exceptional community of security researchers, IT professionals and academics quickly identified the phish and verified it, blocking it for more than 30 million people around the world instantly. And OpenDNS engineering is working now to update the way PhishTank works to make sure we catch these types of phishes without delay going forward.
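One way a liveness check can stop relying on the status code alone, shown as an added example that is not PhishTank's or OpenDNS's code: it treats a page as live whenever the body still renders a password field, whatever status came back. The function names, the password-field heuristic and the sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser


class CredentialFormScanner(HTMLParser):
    """Flags pages that render a password input (assumed phish indicator)."""

    def __init__(self):
        super().__init__()
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password_field = True


def naive_is_live(status):
    """Status-only check: a 404 is read as 'the phish has been taken down'."""
    return status != 404


def content_aware_is_live(status, body):
    """Judge by what the visitor sees; fall back to the status only when
    the body shows no credential form."""
    scanner = CredentialFormScanner()
    scanner.feed(body)
    if scanner.has_password_field:
        return True  # still collecting credentials, whatever the status says
    return naive_is_live(status)


# Constructed sample responses (status, body); not captured from a real site.
LOGIN_FORM = ("<html><body><h1>Online Banking</h1><form method='post' action='/login'>"
              "<input name='user'><input type='password' name='pass'></form></body></html>")
NOT_FOUND = "<html><body><h1>Not Found</h1><p>The requested URL was not found.</p></body></html>"
SAMPLES = {
    "phish served with 404": (404, LOGIN_FORM),
    "genuine 404 after cleanup": (404, NOT_FOUND),
    "phish served with 200": (200, LOGIN_FORM),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name}: naive={naive_is_live(status)} "
              f"content_aware={content_aware_is_live(status, body)}")
```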
The moral of the story here, and the moral to every story about Internet security: the bad guys are crafty and constantly trying new ways to trick Internet users. Security companies like OpenDNS need to be vigilant and work with the security community to quickly react to threats and always stay ahead of the bad guys. You can bet we will continue to do just that.
Update: The phishes referenced in this post were submitted by PhishTank community member Michael Molsner, who works for Kaspersky Lab.


CyberSchnook
That is REALLY devious! It’s also so simple that it’s surprising no one tried this earlier (that we know of)!
posted on September 28th, 2011 at 2:08 pm
travis
Great post! Luckily we protect our clients with OpenDNS so they are safe from this nasty threat!
posted on September 28th, 2011 at 2:53 pm
johnnydollar$
Great catch. Another reason why I tell everyone I can about OpenDNS. One day scanning my “stats” page, I saw a Phish listed that was blocked. I didn’t even remember going to the page but it was a link on YouTube for Casablanca books about the old Hair Band ANGEL. I used to go to their concerts back then, saw this link on a YouTube video about the history of Casablanca Records, clicked it to view the page but nothing happened. I wasn’t sent anywhere and just ignored it. Then after seeing the STATS, there was THAT Casablanca book page listed as a Phish. Thanks again OpenDNS. :0)
posted on September 28th, 2011 at 5:56 pm
Jay Scholz
That is sneaky!
I’ve often wondered…if the people behind these schemes put their good skills to work would they make more than they are making on the black market?
The truth is, probably not. It’s a sad state of affairs when, worldwide, more people with this kind of intelligence can make more money scamming the innocent than those protecting it. I’ve taught students with this kind of security knowledge and I often wonder why others can’t do good with it. It’s all about the almighty buck. I guess if you think you are intelligent enough to live with yourself with the practice of scamming others on your conscience then so be it. The rest of the world will be out there trying to stop you.
posted on September 30th, 2011 at 9:15 pm
Micha
@CyberSchnook: This technique was tried before. I don’t recall the exact PhishTank entry but I definitely remember having spotted similar behavior at least once in the past.
posted on September 30th, 2011 at 11:29 pm
Oscar
Do you know if they can fake server errors as well (like 500)?
posted on October 3rd, 2011 at 12:48 pm