How Not To Deface a Phishing Site

My job developing anti-phishing software is an almost constant source of amusement. Clueless phishers provide the most enjoyment, but sometimes we see clueless vigilantes.

Here’s a screenshot of a PayPal spoof that looks like it’s been defaced by a vigilante or sysadmin. Most defacers will warn users and disable the phishing site so it can’t hurt anyone. In this case, the defacer just posted a warning (at the top, and also gives a phone number to call in case anyone wants to help catch the phisher) but then he/she leaves the site intact, so it can still swipe user credentials. That’s like finding a hole in the road that someone could fall into and only putting up a warning sign – fill in the hole with dirt too!

So here’s defacing-a-phishing-site law #1: when defacing a phishing site, make sure you break it so no one can get hurt.