Fraudulent site - Please shut down [ST 12089]

  • RSA Security
    Asked on September 21, 2011 at 10:17 AM

    Dear Team,

    Please be advised that it is likely that fraudulent content will not be visible when accessing the URL below.

    Once the victim completes filling out and submitting personal details, the URL http://www.jotform.com/submit.php/formID~12564055048/formID~12580827239/simple_spc~12564055048-12564055048

    is used by the fraudster to send the compromised details to a remote server or email address.


    Please find the HTML/Page Source code of the attack attached, in which the fraudster’s use of this URL can be seen.

    Please take the necessary steps in order to disable this fraudulent URL.

    Best Regards,

    RSA Anti-Fraud Command Center
    RSA, The Security Division of EMC
    US Phone: +1-866-408-7525
    Email: afcc@rsa.com
    For more information about RSA's AFCC
    http://www.rsa.com/node.aspx?id=3348
     
    View Source:

    <form id=12564055048 name=form_12564055048 accept-charset=utf-8 action=http://www.jotform.com/submit.php method=post cc="true" sizcache="4" sizset="0" validationset="true">
    <input type=hidden value=12564055048 name=formid>
    <form class=jotform-form id=12580827239 accept-charset="utf-8" name="form_12580827239" method="post" action="http://www.jotform.com/submit.php">
    <input type=hidden value=12580827239 name=formid>
    <input class=form-textbox id=input_1 name=q1_a _prototypeuid="3">
    <input class=form-textbox id=input_3 name=q3_b _prototypeuid="5">
    <input class=form-textbox id=input_4 name=q4_c _prototypeuid="7">
    <input class=form-textbox id=input_5 name=q5_d _prototypeuid="9">
    <input id=simple_spc type=hidden value=12564055048-12564055048 name=simple_spc>
    </form>
     

  • mliz
    Answered on September 21, 2011 at 10:32 AM

    Hi,

    Thank you for bringing this to our attention.
    The form has been suspended.

    Regards,
    Mliz
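
Added example, not part of the original thread and not RSA's or JotForm's code: a triage sketch that pulls the submission endpoint and hidden form IDs out of a suspect page's source, which are the details a takedown report like the one above needs to name. The helper names (`FormEndpoints`, `offsite_posts`) and the page host `reported-page.example` are assumptions made for illustration; the markup is an abridged copy of the source quoted in the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Abridged copy of the page source quoted in the report above.
PAGE_SOURCE = """
<form id=12564055048 name=form_12564055048 accept-charset=utf-8 action=http://www.jotform.com/submit.php method=post cc="true">
<input type=hidden value=12564055048 name=formid>
<form class=jotform-form id=12580827239 name="form_12580827239" method="post" action="http://www.jotform.com/submit.php">
<input type=hidden value=12580827239 name=formid>
<input class=form-textbox id=input_1 name=q1_a _prototypeuid="3">
<input id=simple_spc type=hidden value=12564055048-12564055048 name=simple_spc>
</form>
"""

class FormEndpoints(HTMLParser):
    """Collect each <form>'s action, method, and the fields declared under it."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A new <form> opens a new record even when the previous one was
            # never closed, as happens in the quoted source.
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower(),
                               "hidden": {}, "inputs": []})
        elif tag == "input" and self.forms:
            cur = self.forms[-1]
            if (a.get("type") or "text").lower() == "hidden":
                cur["hidden"][a.get("name")] = a.get("value")
            else:
                cur["inputs"].append(a.get("name"))

def offsite_posts(html, page_host):
    """Return forms that POST to a host other than the one serving the page."""
    parser = FormEndpoints()
    parser.feed(html)
    parser.close()
    out = []
    for form in parser.forms:
        host = urlsplit(form["action"]).hostname
        if form["method"] == "post" and host and host != page_host.lower():
            out.append({"host": host, **form})
    return out

if __name__ == "__main__":
    # reported-page.example is a constructed placeholder for the suspect page's host.
    for hit in offsite_posts(PAGE_SOURCE, "reported-page.example"):
        print(hit["host"], hit["action"], hit["hidden"], hit["inputs"])
```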