Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

How to scale phishing by using the cloud

Consider for a moment the stages involved in a traditional phishing attack:

  1. Create the phishing page – either buried within a legitimate site or hosted on some temporary server
  2. Send out carefully socially engineered phishing emails requiring login for some reason – including the link to the phishing page
  3. Collect data submitted to the page by deceived recipients for underworld purposes
  4. Do bad stuff

In a previous post we described how phishers improve stage 1 with free hosting by hiding their sites within legitimate sites. In the example below we have observed a further “streamlining” of stage 3 of the phishing process. This attack targets users of HomeAway holiday rentals.

A look at the page source reveals that the filled-in form is sent to “formbuddy.com” and not collected directly by the phisher. Formbuddy.com offers a similar service to that found in the forms feature of Google Docs – cloud-based form result collection and management. The site collects and stores all the responses to the “form” shown above and then emails a neat summary to the phisher (whose login name is “malek”).

In other words, the phisher does not have to worry about creating, managing or storing back-end form data collection and can more easily scale the harvesting of phished data.
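The form target visible in the page source is also something a defender can check automatically. The following is an added example, not code from the original post: it flags forms that ask for a password and submit to a hosted form-collection service or to any host other than the page's own. The sample HTML, the `example.test` URL and the endpoint path are constructed, and the service list is an assumption containing only the host named in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hosts of form-collection services to watch for. Only the one
# named in the post is listed; extend the set for your own environment.
FORM_SERVICES = {"formbuddy.com"}

class FormAudit(HTMLParser):
    """Record each form's action URL and whether it asks for a password."""
    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per <form>
        self._open = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            # Heuristic: phishing forms often use a plain text field, so the
            # field name is checked as well as type="password".
            name = (a.get("name") or "").lower()
            if (a.get("type") or "").lower() == "password" or "pass" in name:
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def suspicious_forms(page_url, html):
    """Return (action_host, reason) for credential forms that post off-site."""
    page_host = (urlparse(page_url).hostname or "").lower()
    audit = FormAudit()
    audit.feed(html)
    findings = []
    for form in (f for f in audit.forms if f["password"]):
        target = urljoin(page_url, form["action"])  # resolves relative/empty
        host = (urlparse(target).hostname or "").lower()
        if any(host == s or host.endswith("." + s) for s in FORM_SERVICES):
            findings.append((host, "form-collection service"))
        elif host != page_host:
            findings.append((host, "different host"))
    return findings

# Constructed sample markup, not the page from the post.
SAMPLE = """<form action="http://www.formbuddy.com/placeholder-endpoint" method="post">
<input type="text" name="email"><input type="text" name="email_password">
<input type="submit"></form>"""
print(suspicious_forms("http://example.test/login.html", SAMPLE))
```
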

Those duped into filling out the form will not be aware of this nuance. We would hope that the request for an “email address password” would raise red flags for some users and save them from the subsequent identity compromise.
