Wamu Phishing Sites Stale Too

Earlier this week I noted that most PayPal phishing sites are stale – they are based on old versions of the PayPal login page. It seems that most WAMU phishing sites are also stale.

If you take a quick look at the HTML source of the standard WAMU login page, you’ll find some javascript that looks like this – its pre-populated with today’s date.

var g_dtToday = new Date(“03/23/2005”);

However, most WAMU phishing sites use a date from 10/29/2004.

var g_dtToday = new Date(“10/29/2004”);

Why is this significant? The old date (and other timestamp code in the HTML) creates a kind of signature. Either we have a single phisher creating most of the WAMU spoof sites, or someone created a kit that’s being used by multiple phishers.