OpenDNS runs PhishTank.com, the largest clearinghouse of phishing data on the Internet. So we’re often the first to see new, particularly sneaky phishing attacks. The one we’re sharing with you today is both of those things.
At the surface, this scam looks like hundreds of thousands of others we’ve seen over the years. It impersonates an HSBC Bank website and encourages people to enter their login credentials, which would then, presumably, be stolen and used nefariously. While any kind of phishing is gross, it’s what’s happening behind the scenes here that’s particularly alarming.
Simply put, the scam actually turns 404 errors into phishing websites. So this phishing website returned 404 headers to your browser, which normally tell your browser that the website you’re trying to load is down or can’t be found. Instead of saying a page couldn’t be found, their “error” page just looked like HSBC Bank’s website to visitors.
The reason this is especially crafty is that it completely circumvents one of the primary ways PhishTank tests if a phish is still live and functional, which is watching for 404 errors. Normally a 404 would only be returned after the offending website was fixed, indicating the content is no longer available. However, a website administrator can put whatever content they want on their 404 error page. This is exactly what we saw happen. By returning a 404 error, but still rendering the phish, the website administrator avoided being caught by Phishtank. But not for long.
Our exceptional community of security researchers, IT professionals and academics, quickly identified the phish and verified it, blocking it for more than 30 million people around the world instantly. And OpenDNS engineering is working now to update the way PhishTank works to make sure we catch these types of phishes without delay going forward.
The moral of the story here, and the moral to every story about Internet security: the bad guys are crafty and constantly trying new ways to trick Internet users. Security companies like OpenDNS need to be vigilant and work with the security community to quickly react to threats and always stay ahead of the bad guys. You can bet we will continue to do just that.
Update: The phishes referenced in this post were submitted by PhishTank community member Michael Molsner, who works for Kaspersky Lab.