Yet Again, Phishers Have Bad OpSec

The next time you’re plotting a cunning scheme, be very careful when you’re doing your homework. You might wind up tipping your hand prematurely…


20070505.log:24.117.239.142 - - [05/May/2007:17:51:41 -0400] "GET /blog/?cat=15 HTTP/1.1" 200 5450 "http://www.google.com/search?hl=en&q=How+to+make+a+phishing+site+for+runescape" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"

Apparently, I’m the first hit on Google for runescape phishing site creation, thanks to the article where I talked about tracking phishers through web bugs. It’s already a bad sign for your skills when you have to Google this sort of thing, but it’s even worse when you wind up at a page like this. Maybe he should have just viewed it from Google’s cache.

Note that I haven’t obscured the IP address, so when this kid follows through and winds up in a lot more logs, whoever does the investigation might find this ;) . Just to make sure it’s indexed well: 24.117.239.142 which is 24-117-239-142.cpe.cableone.net. Time stamps and user agents and such are available in the log entry above. Feel free to contact me if you need any help ;) .
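
The Referer field in the log entry above is what exposed the search. As an added example (not code from the original post), this Python script parses combined-format access log lines and flags visits that arrived from a search containing watched terms. The watch list, the query-parameter names, the handling of a `.log:` filename prefix and the second and third sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format; a leading "name.log:" prefix (as grep adds) is tolerated.
COMBINED = re.compile(
    r'^(?:(?P<file>\S+?\.log):)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
WATCH_TERMS = ("phishing", "fake login")  # constructed watch list (assumption)
QUERY_PARAMS = ("q", "p", "query")        # common search parameter names (assumption)

# First line is the entry quoted in the post; the other two are constructed samples.
SAMPLE_LOG = [
    '20070505.log:24.117.239.142 - - [05/May/2007:17:51:41 -0400] "GET /blog/?cat=15 HTTP/1.1" 200 5450 "http://www.google.com/search?hl=en&q=How+to+make+a+phishing+site+for+runescape" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"',
    '192.0.2.10 - - [05/May/2007:18:02:10 -0400] "GET /blog/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux i686)"',
    '198.51.100.7 - - [05/May/2007:18:05:33 -0400] "GET /blog/?cat=15 HTTP/1.1" 200 5450 "http://www.google.com/search?q=apache+log+format" "Mozilla/5.0 (X11; Linux i686)"',
]

def search_query(referer):
    """Return the decoded search phrase carried in a Referer URL, or None."""
    try:
        parts = urlsplit(referer)
    except ValueError:  # malformed URL supplied by the client
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # "-" (no referer) and non-web schemes end up here
    params = parse_qs(parts.query)  # decodes "+" and %xx escapes
    for name in QUERY_PARAMS:
        if params.get(name):
            return params[name][0]
    return None

def flag_searches(lines):
    """Yield (ip, timestamp, query, user_agent) for hits whose referring search matches a watch term."""
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not a combined-format line
        query = search_query(m["referer"])
        if query and any(term in query.lower() for term in WATCH_TERMS):
            yield m["ip"], m["ts"], query, m["agent"]

if __name__ == "__main__":
    for hit in flag_searches(SAMPLE_LOG):
        print(hit)
```

The Referer header is supplied by the client and can be absent or forged, so a match is a lead to correlate with other logs rather than proof.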
