PhishTank is an anti-phishing site run by the OpenDNS team and offers the possibility of submitting suspected phishing sites for community-based review. In short, other users cast their vote on whether a submission is likely a phishing scheme or not.
Most of them are very easy to detect, but every now and then scams with an unusual twist will make “voters” pause and analyze them more deeply.
One such scam has recently been submitted and, at first glance, it looked like it was definitely a phish. The bogus website impersonated the HSBC Bank and asked for the users’ login credentials. But, there were other things to consider in order to make sure.
According to Allison Rhodes, one of the primary ways PhishTank tests if a phish is still functional is to check if the site returns a 404 error. If it does, it usually means that the site has been taken down and no longer presents a threat.
“However, a website administrator can put whatever content they want on their 404 error page,” points out Rhodes. “This is exactly what we saw happen. By returning a 404 error, but still rendering the phish, the website administrator avoided being caught by PhishTank.”
Luckily for the user who submitted the sample, PhishTank’s list of things to look for contains many other items, so the scheme has been identified for what it was in the end, and has been blocked around the world simultaneously.
“The moral of the story here, and the moral to every story about Internet security: the bad guys are crafty and constantly trying new ways to trick Internet users,” adds Rhode. “Security companies like OpenDNS need to be vigilant and work with the security community to quickly react to threats and always stay ahead of the bad guys.”