Paul bought ismycreditcardstolen.com a couple days ago. AJ came up with the idea a while back, but Paul’s purchase of the domain drove me to throw together a site. The goal was to educate gullible people about phishing while amusing the technically-inclined.
With some help from friends (Ben Lowery and Bjorn Tipling), I cleaned up the styling and made sure that the credit card details were never sent across the wire.
I submitted the link to Hacker News, where it was rather well-received. Everyone got the joke. Some even offered suggestions to improve the text of the warning message.
The site quickly became popular. People on Twitter talked about it.
That’s when things started going south. A decent number of people didn’t get the joke. They thought it was a real phishing site. Among them was this guy, supposedly a researcher at antivirus company Trend Micro. (Google Analytics shows about half of the visitors actually clicked the submit button. I’m guessing the other half didn’t see the “This was a test. You failed.” message and assumed it was a phishing site.)
I normally don’t care about idiots on the Internet, but enough Firefox users reported it as a phishing site that it got blacklisted. Now if you try to visit it in any modern browser, you’ll get a giant warning. Even worse, sites like Twitter use the Firefox phishing blacklist to filter links, so nobody can link to the site now.
In a final bit of ridiculousness, UK Yahoo News reported that the Anti-Phishing Working Group was responsible for creating ismycreditcardstolen.com. This misunderstanding wouldn’t have happened if the reporter read the about page.
What have I learned from this?
- People on Twitter are dumber than I thought.
- A small group can add any relatively-unpopular site to the Firefox phishing blacklist.
- Some “reporter” couldn’t be troubled to click the about link on the front page of the site he wrote an article about.
Quite a few people have reported the site as being incorrectly flagged, but it hasn’t done any good. I doubt it will ever be removed from the phishing blacklist. Oh well, it was fun while it lasted. And since Paul bought the domain I’m not out any money.
Update: I was wrong to be so pessimistic. It’s removed from the phishing blacklist!