Ha.ckers.org Is A Phishing Site
It’s true, because Firefox tells me so! I didn’t even realize it myself until my browser so nicely informed me that my post about extortion was potentially phishing for my password. And here I thought my site was working for me. All this time it was trying to steal my password! Thank god my browser is there to help me, cuz otherwise I would have… uhm… put my password in… somewhere… no, wait… maybe… uhm… on the page… uhm… I guess… hmmm… nothing here says password anywhere… maybe in that box that says comments… cuz that looks like it could steal stuff from me. I suppose you can sense my sarcasm, but really, come on. How is ha.ckers.org possibly anything like a phishing site? Click here to see what I saw this morning. As of the time of this blog post it’s still not fixed.
If there is anyone on earth who should be whitelisted, it’s this site, given the fact that there is zero chance I’d ever put a phishing site up on this website (if I wanted to be a bad guy, I sure as hell wouldn’t do it on my own site). Hell, I used to work on anti-phishing software. But this strikes me as strange. What is the vetting process involved in putting something on a suspected bad site anyway (clearly it’s not working)? From what I can tell there’s not much going on under the hood because there’s not a single thing on that page that looks anything like a phishing site.
If I had been running a big commercial site, this could have had severe impact on my ability to do business, and my reputation with my consumers. I don’t think most people realize how bad this kind of thing is. Ha.ckers.org is one of the few sites that really is not impacted at all by this sort of thing, but I know I’d feel differently if I were running an e-commerce site. Time to re-vamp the heuristics and the process, boys. Color this security guy unimpressed.
Update: Apparently I am also put on the MSFT anti-phishing list as well. Click here for a photo of that as well. So it looks like this isn’t heuristics based after all. Someone actually manually added me to the phishing list. Because that extortion post really looks scary. Nicely done guys.



March 6th, 2007 at 10:10 am
I’m not getting phishing alerts in FF2 or IE7 when I visit that URL…
March 6th, 2007 at 10:20 am
hehe, they don’t like your blogposts so they are censoring you via their “antiphishing” features *g*
March 6th, 2007 at 10:26 am
@yawnmoth - not sure why you don’t see it… maybe I have an old version of the phishing list or you have an old one. It still shows in both browsers for me.
@beNi - that’s a nice conspiracy theory. There are certainly enough people at any one of those companies who feed into those anti-phishing lists who might be interested in censoring me. Alas, it will only backfire.
March 6th, 2007 at 10:50 am
Haha. I don’t have either of those anti-phishing things. Common sense does quite well. I don’t know why they would include this site because everyone who views it knows that it isn’t phishing anyways. Seems pointless to me.
March 6th, 2007 at 10:53 am
MS’s response:
Thank you for contacting us about: http://ha.ckers.org/blog/20070305/extortion-or-payment/.
We have reviewed the information you provided regarding this website and removed the incorrect designation. We thank you for bringing this matter to our attention.
Please note that although we have removed the incorrect designation, it may take up to 24 hours for you to see this change reflected.
In the event that the incorrect designation persists beyond 24 hours from the receipt of this e-mail message, please let us know by replying directly to this message. Please do not reply unless the problem persists.
Thank you,
Microsoft Phishing Filter Support
March 6th, 2007 at 10:57 am
Firefox has now removed me from the anti-phishing list as well. I am still being reported as “suspicious” from Microsoft, but we’ll give it 24 hours before passing judgment on that one.
March 6th, 2007 at 11:55 am
I did not get that phishing thingy, oh I forgot, I modded my FF
Well, I don’t understand it. Most submitted sites to the phishtank are first reviewed right? or are they?
Strange stuff dude.
March 6th, 2007 at 12:18 pm
When I first read your post yesterday it was not flagged in FF. Maybe the filters picked up on digi7al64’s post containing links to paypal, ebay and amazon.
Jungsonn: I don’t think either MS or Firefox (Google) use Phishtank; Phishtank URLs were used in a comparative audit of the two products and neither scored 100%.
March 6th, 2007 at 12:32 pm
@RSnake
This is sad indeed.. I hope you get everything right.. you don’t deserve this.
March 6th, 2007 at 12:40 pm
My evil plan is in motion :D:D:D
Next; fthe.net and then amazon!!!
March 6th, 2007 at 12:54 pm
That’d be sad if Microsoft did not remove your listing since they posted on your forum requesting you submit your security vulnerability findings to them
heh
Oh well, glad everything is ok now
March 6th, 2007 at 2:02 pm
Everything is now fixed, in both IE7.0 and Firefox. Btw, I think I figured out what happened. There is both
a) A form
b) A link that digi7al64 posted that mentioned PayPal
That could have easily spiked the heuristics. If that’s the case, every web-board everywhere is susceptible to false positives. Ugly!
Note: Sorry, I approved Dan’s comment after writing this, sorry if it appears out of order.
March 6th, 2007 at 2:27 pm
But, there’s much heavier stuff on here than (if it was true) phishing. Who cares about passwords being “stolen”. You steal clipboards, crash browsers and PCs and there’s a forum full of people wanting to use those things.
Phishing, don’t make me laugh…
March 6th, 2007 at 2:44 pm
I sense some hostility in that last comment. I assure you that I’m nowhere near as malicious as I could be. The reason I’m sharing this information is so that we can find ways to stop it. I’m definitely not a blackhat in that sense - I don’t steal people’s information (at least not without telling people what’s about to happen to them). If they don’t read the site and paste their chat logs with their mistress, that’s hardly my fault, is it? But anyway, I wasn’t upset, I actually laughed out loud when I saw it.
March 6th, 2007 at 4:02 pm
I really like this idea of user submitted data having the ability to help blacklist sites (especially if it only takes a couple of links). Considering I have a vested interest in a number of dot.commers I should simply post Paypal, Ebay and Msn forgot password links to all my competitors’ sites.
Think of that, every time someone goes to visit or purchase from their site, the anti-phishing filter would fire up and warn them of the impending doom…. which would hopefully result in the loss of the sale…
I rock.
Disclaimer: This comment was not paid for.
March 6th, 2007 at 5:06 pm
@Dan Veditz
Uh… I meant a phishtank, as in -> tank for phish(es)links. not “phishtank” the phishtank itself. Okay, Okay?
darn… well, it uses Google safebrowsing which uhm… is a phishtank? or a tank with phishing links, yeah that rocks. We’ll keep that, tank with phishing links. Cool
Nevermind it Dan!
But the point here is: who has the trigger finger at Google and MS? I always thought they review the submitted links? If they don’t and they just hit “approved” by a click of a mouse and take someone’s website practically offline, I think that is something very questionable!
March 6th, 2007 at 9:30 pm
I knew there was some reason I was being billed for Mature and Elderly pornography addressed to someone named Robert.
March 6th, 2007 at 11:18 pm
Out of interest did anyone use the XSS assistant during this time? Did the xml file load all right in firefox?
March 7th, 2007 at 9:16 am
Hey, Sid, no I didn’t try, but it shouldn’t make a difference, because the way the blacklist works it is only on a page by page basis, not site-wide. So the real question would have been if you had included that one blacklisted page into a page through a script tag or otherwise would it have shown as a phishing site? I guess it’s easy enough to test.
March 7th, 2007 at 9:26 am
… in fact it is so easy to test, I just tested it. I modified a page via burp proxy to display a known and reported phishing site inside of an iframe and I was not alerted. So it appears if you inject an XSS exploit that contains an iframe with even a known and reported phishing site it will not show up as a bad site (at least in Firefox - I didn’t test IE7.0).
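The page-by-page lookup described in the two comments above, as an added example that is not part of the original thread: a check that looks only at the top-level URL misses a listed page loaded in an iframe, while one that also checks embedded URLs reports it. The blocklist entry, host names and HTML are constructed for illustration and do not reflect how any browser implements its filter.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist of exact page URLs (page by page, not site-wide).
BLOCKLIST = {"http://phish.example/login.html"}

# Constructed sample: an unlisted forum page that frames the listed page.
PAGE_URL = "http://board.example/thread?id=7"
PAGE_HTML = """
<html><body>
  <form action="/comment" method="post"><textarea name="c"></textarea></form>
  <iframe src="http://PHISH.example/login.html#top"></iframe>
  <script src="/static/site.js"></script>
</body></html>
"""

def canonical(url):
    """Lower-case scheme and host, drop the fragment, default the path to '/'."""
    p = urlsplit(url)
    query = "?" + p.query if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}{query}"

class EmbedCollector(HTMLParser):
    """Collects the URLs a page pulls in through frames, scripts and objects."""
    EMBED_ATTRS = {"iframe": "src", "frame": "src", "script": "src",
                   "embed": "src", "object": "data"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.embedded = []

    def handle_starttag(self, tag, attrs):
        attr = self.EMBED_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Resolve relative references against the page's own URL.
            self.embedded.append(urljoin(self.base_url, value.strip()))

def check_top_level_only(page_url):
    """The lookup as described: only the address of the page itself."""
    return canonical(page_url) in BLOCKLIST

def check_with_embeds(page_url, html):
    """Also look up every framed or embedded URL; returns the listed hits."""
    collector = EmbedCollector(page_url)
    collector.feed(html)
    candidates = [page_url] + collector.embedded
    return sorted({canonical(u) for u in candidates} & BLOCKLIST)
```
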
March 7th, 2007 at 11:00 am
That’s what I suspected. I guess I should have tested myself, was just a little busy at the time. I have to say I’m surprised the filter doesn’t catch this.
March 7th, 2007 at 1:59 pm
Opera displays a warning too. :]
March 7th, 2007 at 2:06 pm
Still? Which version are you using?
March 7th, 2007 at 3:09 pm
Opera 9.10 for Linux [Fraud from PhishTank]:
This site has been found on Opera’s blacklist of suspected fraud sites. Exchanging sensitive or confidential information with this site could put you at risk for identity theft and/or financial fraud.
March 7th, 2007 at 3:13 pm
http://kaneda.bohater.net/tmp/ha.ckers.org_phishingsite_opera.jpg