One thing that annoys the hell out of me is spoof websites, those set up to look exactly like eBay or PayPal to steal the account information of innocent users. If you’ve no experience of spoof websites, then consider yourself quite lucky – I encounter several emails every day trying to redirect me to these sites.

Normally you’ll receive an email that claims to be from PayPal or eBay, with the subject “Change your PayPal Account” or “Unauthorized Access: (Routing Code: P101-K455436GDT-Q-P090)”, telling you someone has accessed your account or that you have added another email address to your account. It then instructs you to log in to your account & confirm the changes made.

Normally in a state of panic, users try to log in to see what’s happened to their account – & they do this by clicking on the link within the email. This link, though, takes them directly to the spoofer’s website, which captures their email address and password & sends them straight to the spoofer. As soon as this is done the account has been violated and the spoofer has access to its funds.

Some spoofers are very lazy: they send out the same emails again and again & don’t even set up the spoof website properly. As soon as you see the email you know for a fact it’s not genuine. But at the other end of the scale, some spoofers actually make the effort.

They add new emails, vary the subjects, & hide the URL in the address bar so that if you click on the link it shows PayPal’s genuine address. Some are even using emails from eBay, with titles such as “Question from member regarding item #00000000” – if you’re an eBay seller you can easily be caught out by these emails.

Apart from reporting the spoof emails to PayPal & eBay, there was not a lot you could do with these emails. But recently I’ve found a new toy to play with these spoofers.

It’s called Phishfighting – it should completely ruin most spoofing attempts almost immediately.

“Phishers rely on the naivety of people to fall for their fake PayPal, eBay and banking websites. We can make the phisher’s life miserable by submitting 100’s or 1000’s of realistic looking, but fake, entries. The criminal won’t be able to distinguish between the ‘Fake’ entries and entries from real people who fall for the scam,” claims Phishfighting.com.

Just leave it to run for a few minutes and you can see the false entries being submitted. Have fun.