Jakob Nielsen has posted an interesting article about the number of internet users now online. What I find even more suprising is that North America comes in 3rd at 23%.

I’m frustrated to no end about the misuse of the web. I ventured into web land in 1997 where it was a somewhat calm and peaceful place. Nowadays there are so many fraudulent practices going on….one which is known as phishing. I never understood how someone could actually give up their information to a 3rd party culprit until I actually dug through the entire process. I’m not saying that there aren’t completely obvious clues that something is wrong….but these phishermen do a decent job of pretending to be someone they’re not. In this post I’m going to cover a PayPal fisherman trying to steal my info.

The way it generally starts is an email saying that someone tried to access your account and that you should login immediately and update your information. Here’s a screenshot of the email I received:

Ignore the [SPAM] text in the subject line. This is something that spamassasin does for me. There are millions of users out there that don’t user spam filters so this message would slip on through.

One thing that users aren’t aware of is that PayPal no longer embed links in their emails. I was able to verify this when I received an email to login and update my credit card info. The email was plain text and gave me a list of steps to follow without providing any links.

Screen 1 has a couple of interesting attributes. The first thing you notice is the supposed IP address of the computer where your information was submitted. After doing a whois lookup you’ll find out this IP belongs to a computer in Amsterdam. Screen 2 shows the results of the lookup. Seems strange, but we all know that the Internet flattens the earth so this phishing can take place from anywhere.

The second and most important thing to notice about Screen 1 is the “Click here to activate your account” link. This is the single entry point into the phisherman’s world. Different email clients are providing mechanisms to help protect users. I know Outlook displays a tooltip telling me where this link will take me. Others show this in a status bar. Most browsers display this information in a status bar, given that it’s enabled. Screen 3 shows what my Safari browser does when I place my mouse over the link.

For the purposes of this analysis I’m actually going to click on this link. In every other scenario I would recommend deleting the email and enjoying the rest of your day. Actually clicking the link isn’t harmful other than it will waste your time….and you know what they say about time. Clicking on the link yields what you seen in Screen 4.

So the dead giveaway in this screen is the URL address. If users tend to miss this I’d be completely shocked, but I can guarantee that it happens. Not to give future phisher wannabes an idea, but your chances of success might be better if you used JavaScript to hide the address bar.

If you take a look at the culprit PayPal page it looks IDENTICAL to the real PayPal page. A simple view source, change link references, and save as will get you an identical page. What’s even more interesting about this entire process is where this page lives. If you strip off the path and hit the base URL you’ll see the site in Screen 5. Note that http://64.6.232.32/ is the IP address for http://www.whenrelationshipshurt.com.

It’s very likely that this company doesn’t even know these PayPal pages exist on their server. There are several approaches that hackers can take to remotely gain access to the server and upload these types of files. This makes it even more complicated to trace back and find the culprit since the entire system lives on someone else’s server.

The next logical step in the process is to actually submit the form, but before we do that let’s take a look at where the username/password data will actually go. A quick view of the page source shows that the data will be passed to “dynaform.php” and is highlighted in Screen 6.

Now the fun begins. I decided to submit the form using test@test.com with the password test. I received the standard PayPal “Processing login” screen, which once again led me to believe I was actually using the real system. These guys implemented all the bells and whistles.

For me, this next screen was a dead giveaway that something is insanely wrong with this so called identity verification process. Screen 8 shows a couple of glaring holes that I wanted to point out. The first is the statement “It is a good idea to use the debit card linked to the checking account you have on file with us”. You’ve got to be kidding me. And the fact they’re asking for my debit pin number?!? I’ve never seen something so ridiculous. What’s even more ridiculous is the fact that people have probably fallen for this insanely illegal tactic.

After submitting the form I was directed to a success page where all my information was sent to the culprit and I was redirected to PayPal’s homepage. Screen 9 shows the “big catch”.

I’m disgusted with this complete misuse of the web and hope that someone will benefit from this post. I believe the only way to prevent this type of illegal behavior is for users to become more educated and pay more attention to the environment their working in. If you’re aware of any phishing scams then I suggest contacting the Anti-Phishing Working Group.

If you publish any video content or even consume it, you might find Jakob Nielsen’s video study interesting. While Nielsen is one of those guys people seem to love or hate I tend to learn from his studies. While I used to be on the “hate” side of the fence because of his Flash: 99% Bad study I’ve come around a bit. Plus we should know by know that Flash was seriously misused back in the day with the skip intro button. Plus Nielsen mustn’t have been that bad because Macromedia made him a nice offer.

The other day I was seriously struggling with a mapping project that included drawing PolyLines on a Google map. To tell you the exact story the application was working perfectly in FireFox. It wasn’t until I fired up IE that I decided to see if there were any problems. I can’t remember the exact error, but after doing a good amount of searching I found that the solution lies in Google’s API Documentation.

I never thought it would come to IE being the secondary browser where I test my code. I remember the days of writing pages for IE and NEVER even opening them in Netscape. It’s amazing how times change and I’m beginning to neglect IE the same way I did Netscape.

A while back I did a post on installing FlashCom on Fedora Core 3. Tonight I decided to download the latest version of FlashCom now known as Flash Media Server 2. I ran into an install problem with Fedora Core 4 and wanted to mention how I got around it.

When trying to run the installer (./installFMS) I kept receiving the following error:

error while loading shared libraries: libstdc++.so.5

I basically had to update the package using the following command:

yum install libstdc++.so.5

After selecting yes a couple of times I had the necessary packages to support the install. The second thing I’d like to mention is that running the installer without any parameters gave me the following error message:

ERROR: Your distribution, unknown, is not supported by this
Macromedia Flash Media Server installer.

By telling the installer to only warn me (./installFMS -platformWarnOnly) I was able to successfully get Flash Media Server installed.