A Weblog About Topics and Issues Discussed in the Book Spam Kings by Brian McWilliams

« "Rick Yang" sued by FTC and California | Main | Toxic-blog hype »

April 14, 2005

Phishers exploiting CapitalOne.com bug

capitalone.gifWhat's in your wallet? Phishing scam artists believe they can find out, thanks to a security bug at the Capital One web site.

It's the latest version of an "open re-director" trick that's recently been used to exploit similar weaknesses at Ebay.com and ZDnet.com.

The sneaky technique works like this. A message arrives containing a hyperlink that appears to send recipients to the Capital One site so they can provide their account details. But the link actually uses a redirection feature at CapitalOne.com to whisk users off to a copycat phishing site.

Here's a phishing spam using the trick that showed up earlier this week on a mailing list for the Debian operating system.

For a harmless demonstration, click this URL and it will redirect you from the Capital One site to the FBI web site:


CapitalOne even uses the re-director on its own login page. (Put your cursor on the orange "login" buttons and watch what URL appears in the browser status bar.)

As we've mentioned before, phishing scammers apparently hope the technique will serve two purposes. First, it will sneak their messages past URL blacklists. Second, it will "social engineer" spam recipients into thinking the message is actually from Capital One.

Posted by brian at April 14, 2005 9:49 AM



Posted by: JACK at September 25, 2005 3:58 PM

My wife are tired o0f your sending thru the US mail youtr credit card app. Please drop our names from your mailing list,a.s.a.p. We also hate your stupid TV. add. Our poor dog even hides from then. Thank you. James & Virginia Janney 703 Nevad Street Toledo Ohio 43605-2615. J.Janney

Posted by: James & Virginia Janney at October 26, 2005 1:04 PM


Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express,
and O’Reilly Media, Inc., disclaims any and all liability for that content, its accuracy, and opinions it may contain.

All trademarks and registered trademarks appearing on spamkings.oreilly.com are the property of their respective owners.

O'Reilly Home | Privacy Policy

© 2004 O'Reilly Media, Inc.
For assistance with this site, email: