Sometimes hackers aren't as big and bad as they're made out to be. Sometimes they just want to help make the Web a safer place for everyone. That benevolent spirit is on display on a phishing site that was recently hacked to teach gullible Internet users about the dangers of — you guessed it — phishing sites.
Researchers at the security firm GFI Labs found an email used to lure people to a phishing site, www.canal-i.com. The message attempts to scare unsuspecting readers by telling them they have exceeded the storage limit on their inbox, and says, "You will not be able to send or receive new mail until you upgrade your email. Click below link and fill the form to upgrade your account." When clicked, that link directs users to a Web page that asks for their username, email address and password.
For one hacker — he or she has not been identified — this was not just an ordinary phishing scam, but also a chance to teach others. The white-hat hacker — "white hat" refers to hackers who exploit security bugs to improve security — stripped the phishing page of its malicious content and replaced it with a stern educational message about the perils lurking in the online world.
"There is no such thing as a central Email service update," the website was manipulated to read. "A stupid criminal created this to steal your email account. I have modified it to educate you about online crime. He does not like that but that is too damn bad. You can submit this form to see a helpful video about phishing. Stop letting stupid criminals like this one hijack your account. Have a great day."
The altered phishing page kept a "Submit Form" button at the bottom, just as the original fraudulent page had, except that this button redirected users to an instructional video about phishing scams. (The canal-i website currently shows an "under construction" message.)
As a general rule, unsolicited emails that ask you to download software to fix a problem or to restore any kind of service should not be trusted. Emails that appear to come from a bank or a financial institution such as the Federal Deposit Insurance Corporation (FDIC) should also be handled with a heavy dose of skepticism; online crooks know that people are more likely to fall for a scam when they fear their personal finances are in trouble. If you suspect an email is fishing for your personal details, delete it and contact your bank directly. Running up-to-date anti-virus and anti-malware software on your computer will also help flag phishing sites and malicious emails as threats.