
Ha.ckers.org Is A Phishing Site

It’s true, because Firefox tells me so! I didn’t even realize it myself until my browser so nicely informed me that my post about extortion was potentially phishing for my password. And here I thought my site was working for me. All this time it was trying to steal my password! Thank god my browser is there to help me, cuz otherwise I would have… uhm… put my password in… somewhere… no, wait… maybe… uhm… on the page… uhm… I guess… hmmm… nothing here says password anywhere… maybe in that box that says comments… cuz that looks like it could steal stuff from me. I suppose you can sense my sarcasm, but really, come on. How is ha.ckers.org possibly anything like a phishing site? Click here to see what I saw this morning. As of the time of this blog post it’s still not fixed.

If there is anyone on earth who should be whitelisted, it’s this site, given the fact that there is zero chance I’d ever put a phishing site up on this website (if I wanted to be a bad guy, I sure as hell wouldn’t do it on my own site). Hell, I used to work on anti-phishing software. But this strikes me as strange. What is the vetting process involved in putting something on a suspected bad site anyway (clearly it’s not working)? From what I can tell there’s not much going on under the hood because there’s not a single thing on that page that looks anything like a phishing site.

If I had been running a big commercial site, this could have had severe impact on my ability to do business, and my reputation with my consumers. I don’t think most people realize how bad this kind of thing is. Ha.ckers.org is one of the few sites that really is not impacted at all by this sort of thing, but I know I’d feel differently if I were running an e-commerce site. Time to re-vamp the heuristics and the process boys. Color this security guy unimpressed.

Update: Apparently I am also put on the MSFT anti-phishing list as well. Click here for a photo of that as well. So it looks like this isn’t heuristics based after all. Someone actually manually added me to the phishing list. Because that extortion post really looks scary. Nicely done guys.

25 Responses to “Ha.ckers.org Is A Phishing Site”

  1. yawnmoth Says:

    I’m not getting phishing alerts in FF2 or IE7 when I visit that URL…

  2. beNi Says:

    hehe, they don’t like your blogposts so they are censoring you via their “antiphishing” features *g*

  3. RSnake Says:

    @yawnmoth - not sure why you don’t see it… maybe I have an old version of the phishing list or you have an old one. It still shows in both browsers for me.

    @beNi - that’s a nice conspiracy theory. There are certainly enough people at any one of those companies who feed into those anti-phishing lists who might be interested in censoring me. Alas, it will only backfire.

  4. SW Says:

    Haha. I don’t have either of those anti-phishing things. Common sense does quite well. I don’t know why they would include this site because everyone who views it knows that it isn’t phishing anyways. Seems pointless to me.

  5. RSnake Says:

    MS’s response:

    Thank you for contacting us about: http://ha.ckers.org/blog/20070305/extortion-or-payment/.

    We have reviewed the information you provided regarding this website and removed the incorrect designation. We thank you for bringing this matter to our attention.

    Please note that although we have removed the incorrect designation, it may take up to 24 hours for you to see this change reflected.

    In the event that the incorrect designation persists beyond 24 hours from the receipt of this e-mail message, please let us know by replying directly to this message. Please do not reply unless the problem persists.

    Thank you,
    Microsoft Phishing Filter Support

  6. RSnake Says:

    Firefox has now removed me from the anti-phishing list as well. I am still being reported as “suspicious” from Microsoft, but we’ll give it 24 hours before passing judgment on that one. :)

  7. Jungsonn Says:

    I did not get that phishing thingy, ow I forgot, I modded my FF :) Well, I don’t understand it. Most submitted sites to the phishtank are first reviewed right? or are they?

    Strange stuff dude.

  8. Dan Veditz Says:

    When I first read your post yesterday it was not flagged in FF. Maybe the filters picked up on digi7al64’s post containing links to paypal, ebay and amazon.

    Jungsonn: I don’t think either MS or Firefox (Google) use Phishtank. Phishtank URLs were used in a comparative audit of the two products and neither scored 100%.

  9. rxbbx Says:

    @RSnake
    This is sad indeed.. I hope you get everything right.. you don’t deserve this.

  10. Sid Says:

    My evil plan is in motion :D:D:D
    Next; fthe.net and then amazon!!!

  11. Collier Says:

    That’d be sad if Microsoft did not remove your listing since they posted on your forum requesting you submit your security vulnerability findings to them
    heh
    Oh well, glad everything is ok now

  12. RSnake Says:

    Everything is now fixed, in both IE7.0 and Firefox. Btw, I think I figured out what happened. There is both

    a) A form
    b) A link that digi7al64 posted that mentioned PayPal

    That could have easily spiked the heuristics. If that’s the case, every web-board everywhere is susceptible to false positives. Ugly!

    Note: Sorry, I approved Dan’s comment after writing this, sorry if it appears out of order.

  13. Spyware Says:

    But, there’s much heavier stuff on here than (if it was true) phishing. Who cares about passwords being “stolen”. You steal clipboards, crash browsers and pc’s and there’s a forum full of people wanting to use those things.

    Phishing, don’t make me laugh…

  14. RSnake Says:

    I sense some hostility in that last comment. I assure you that I’m nowhere near as malicious as I could be. The reason I’m sharing this information is so that we can find ways to stop it. I’m definitely not a blackhat in that sense - I don’t steal people’s information (at least not without telling people what’s about to happen to them). If they don’t read the site and paste their chat logs with their mistress, that’s hardly my fault, is it? But anyway, I wasn’t upset, I actually laughed out loud when I saw it.

  15. digi7al64 Says:

    I really like this idea of user submitted data having the ability to help blacklist sites (especially if it only takes a couple of links). Considering I have a vested interest in a number of dot.commers I should simply post Paypal, Ebay and Msn forgot password links to all my competitors’ sites.

    Think of that, every time someone goes to visit or purchase from their site, the anti-phishing filter would fire up and warn them of the impending doom…. which would hopefully result in the loss of the sale…

    I rock.

    Disclaimer: This comment was not paid for.

  16. Jungsonn Says:

    @Dan Veditz

    Uh… I meant a phishtank, as in -> tank for phish(es)links. not “phishtank” the phishtank itself. Okay, Okay? ;)

    darn… well, it uses Google safebrowsing which uhm… is a phishtank? or a tank with phishing links, yeah that rocks. We’ll keep that, tank with phishing links. Cool :D Nevermind it Dan!

    But the point here is; Who has the trigger finger at Google and MS? I always thought they review the submitted links? If they don’t and they just hit “approved” by a click of a mouse and take someone’s website practically offline, I think that is something very questionable!

  17. Awesome AnDrEw Says:

    I knew there was some reason I was being billed for Mature and Elderly pornography addressed to someone named Robert.

  18. Sid Says:

    Out of interest did anyone use the XSS assistant during this time? Did the xml file load all right in firefox?

  19. RSnake Says:

    Hey, Sid, no I didn’t try, but it shouldn’t make a difference, because the way the blacklist works it is only on a page by page basis, not site-wide. So the real question would have been if you had included that one blacklisted page into a page through a script tag or otherwise would it have shown as a phishing site? I guess it’s easy enough to test.

  20. RSnake Says:

    … in fact it is so easy to test, I just tested it. I modified a page via burp proxy to display a known and reported phishing site inside of an iframe and I was not alerted. So it appears if you inject an XSS exploit that contains an iframe with even a known and reported phishing site it will not show up as a bad site (at least in Firefox - I didn’t test IE7.0).

  21. Sid Says:

    That’s what I suspected. I guess I should have tested myself, was just a little busy at the time. I have to say I’m surprised the filter doesn’t catch this.
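
The gap described in comments 19 and 20, as an added example that is not part of the original thread: a per-page blocklist lookup that checks only the top-level URL, beside one that also resolves and checks framed documents. The blocklist entry, URLs and function names are constructed for illustration and are not how Firefox or IE7 implement their filters.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed per-page blocklist: entries are full page URLs, not whole sites.
BLOCKLIST = {"http://phish.example/login.html"}


def normalize(url):
    """Lowercase scheme and host, drop the fragment, default an empty path to '/'."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class FrameCollector(HTMLParser):
    """Collects the src of every <iframe> and <frame> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def top_level_check(page_url):
    """The behaviour observed in the thread: only the address-bar URL is looked up."""
    return normalize(page_url) in BLOCKLIST


def frame_aware_check(page_url, html):
    """Also look up every framed document, resolved against the page URL."""
    collector = FrameCollector()
    collector.feed(html)
    candidates = [page_url] + [urljoin(page_url, s) for s in collector.sources]
    return sorted({normalize(u) for u in candidates if normalize(u) in BLOCKLIST})


# Constructed sample: a clean page that frames a listed page.
PAGE_URL = "http://forum.example/thread?id=7"
PAGE_HTML = '<p>hello</p><IFRAME SRC="HTTP://Phish.Example/login.html#top"></IFRAME>'

if __name__ == "__main__":
    print("top-level only:", top_level_check(PAGE_URL))
    print("frame-aware:  ", frame_aware_check(PAGE_URL, PAGE_HTML))
```

A static parse like this only sees frames present in the markup; frames created by script at runtime would need the lookup to run on each frame navigation instead.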

  22. kanedaaa Says:

    Opera display warning too. :]

  23. RSnake Says:

    Still? Which version are you using?

  24. kanedaaa Says:

    Opera 9.10 for Linux [Fraud from PhishTank]:
    This site has been found on Opera’s blacklist of suspected fraud sites. Exchanging sensitive or confidential information with this site could put you at risk for identity theft and/or financial fraud.

  25. kanedaaa Says:

    http://kaneda.bohater.net/tmp/ha.ckers.org_phishingsite_opera.jpg