Comment On Phishing for a Refund

And there was me thinking there was actually a formula for calculating if a card number is valid or not...

Dammit! My favorite pin (6969) is invalid.

I sure do love me some quintessence.

Well, duh. Malware has a long history of code being of questionable quality. Some of it is obviously written by careful people with a sense of pride in their craft, but a great deal of it has serious bugs. Back in the day, the DOS virus "Whale" was well-known for being unusually large (~9KBytes) and very buggy, and many viruses called the BIOS direct disk I/O functions using INT 13 rather than INT 13h.

you might want to erase the form action URLS to that some idiot doesn't actually use your copy of the form to send off any data, false or not.

Eh, I've seen worse.

Actually, that's kind of a scary thought in itself. There are places I've worked that could have improved their websites by hiring fifteen-year-old scam artists to replace their web programmers.

I find it nice that they didn't foresee more combination. I must think that someone was bored and gave up

Bah. Mostly that page just makes me wish that married couples really could file jointly in the UK (the bottom of the page asks you to specify how you are filing).

Someone tell me that 1112223344443231 is the 555 of card numbers.

Please.

Wow, that's horrid, and what if my pin really is 1234?

frits:

Dammit, my favorite pin (6969) is invalid.

Yes. Fun how they also dislike anyone who has an insecure PIN. Only people with a well-chosen PIN will be dumb enough to fall for this scam ... no ... wait ...

On an unrelated note, the page is not "optimised" (they used the appropriate en-GB spelling at least) for Opera, Konqueror or Chrome. Does that mean those users are too smart to fall for this scam? Either that or those browsers must simply be too secure for scam sites.

boulderwatch:

Someone tell me that 1112223344443231 is the 555 of card numbers.

Please.

I would post you a link which has numbers used for testing credit card validation routines, but apparently I'm not allowed to.

However, the MasterCard ones are 5555555555554444 and 5105105105105100.

1234? That's the same combination as my luggage!

SCSimmons:

Eh, I've seen worse.

Actually, that's kind of a scary thought in itself. There are places I've worked that could have improved their websites by hiring fifteen-year-old scam artists to replace their web programmers.

Did you by any chance work as a web programmer there?

Anotehr glitch on the web page:

It says "enter a credit card number to which 354.33 will be debited."

Shouldn't it say "Credited"?

gus:

Anotehr glitch on the web page:

It says "enter a credit card number to which 354.33 will be debited."

Shouldn't it say "Credited"?

It wouldn't be much of a scam if they were crediting people's accounts with 300 squids, would it? They should get bonus points for being honest.

You can't really tell if a CC number is valid or not by using just JavaScript - the best you can do is to filter out a few obviously fake ones, so this isn't really a wtf.

I'm not going to waste my time picking holes in phishing code. There has always been a rule here on TDWTF that if it's not in production it's not a WTF. Otherwise every 14 year old's personal home page would be up here as an example of bad code, which is hardly appropriate. Phishing code is no different - it's not production quality, it's not designed for production and it's not in production so it shouldn't be on TDWTF.

Just my 2p (and my 2nd submit attempt)

While this is really the least of this person's problems, has anyone noticed the fact that the browser test is for less than or equal to IE? Not IE 7, mind you, but IE in general. Is less than IE Netscape 5?

I just needed 3 attempts to submit. Something is going funny today.

I like how the webmaster is "smart" enough to use the onsubmit event on the form, rather than pushing an input button with onclick event.

And then I see the onsubmit handler:

<form ... onsubmit="if (Validate()==false) return false;" ...>

Couldn't just use onsubmit="return Validate();" ?

But, TRWTF is very similar code is in the "Add a comment" page of thedailywtf (I suppose .NET's fault, but still...):

<form ... onsubmit="javascript:return WebForm_OnSubmit();" ...>
[ ... ]
<!--
function WebForm_OnSubmit() {
if (typeof(ValidatorOnSubmit) == "function" && ValidatorOnSubmit() == false) return false;
return true;
}
// -->

onlyyou:

You can't really tell if a CC number is valid or not by using just JavaScript - the best you can do is to filter out a few obviously fake ones, so this isn't really a wtf.

You could validate that the check digits match, which will catch most of the stupid errors (though you're only really finding out if you've got a card number that might be issued sometime; you can't know what's actually been issued at that point).

Wonder whether the scammers bothered to recheck these things on the server side? I'd guess not (which would make filling their DB with crap really easy) but you never really know…

onlyyou:

You can't really tell if a CC number is valid or not by using just JavaScript - the best you can do is to filter out a few obviously fake ones, so this isn't really a wtf.

You can tell if it's physically possible for it to be valid quite easily - the majority of credit cards use a MOD 10 check digit.

captcha: Validus (Latin for "valid"?)

TarquinWJ:

And there was me thinking there was actually a formula for calculating if a card number is valid or not...

There are indeed algorithms that the banks use to generate new card numbers. They used to be a highly valuable commodity on the black market as they could be used to generate CC numbers that would appear to be valid and would fool non-realtime checks (I remember several such CC generators back in the day and they did genuinely work in very specific scenarios). But non-realtime checks are now a thing of the past; whenever you make a transaction these days it will validate the actual card so if it is not genuine it won't work, even if the number satisfies the creation algorithm for the given card type. Ahh, takes me back to a simpler time of CC fraud.

Offtopic:

Seeing as this is a website for information technology failures, and there are frequently code examinations, would it not make sense to "open up the code" on the site and let some of us fix the notorious "2nd / 3rd / 4th / nth attempt to post" issue?

Not that I don't appreciate the work that's gone on in the site, I'd just like to help make a site I enjoy that much better.

I love the random typos, all months having 31 days, the fact that that DiaplayAllOkayMessage variable is hardcoded in, yet its value is being checked for multiple cases (despite that fact that it isn't changed anywhere). Good stuff!

Good'un. I particulary liked the way they picked chunks of files from genuine organisations all round the world to try and make the web page look plausible.

IRS? Argos? Western Union (Irish branch)?

C. W. "ignatius" A.:

I just needed 3 attempts to submit. Something is going funny today.

“Today”? It's been broken for months. I suspect it's something handling database locking badly, so you're in a race with every other submitter.

Wolfan:

Wow, that's horrid, and what if my pin really is 1234?

Most ATMs (in the UK at least) will not allow you to change your PIN to something "insecure".

onlyyou:

You can't really tell if a CC number is valid or not by using just JavaScript - the best you can do is to filter out a few obviously fake ones, so this isn't really a wtf.

You should pass them to a gateway for verification, and not arbitrarily filter out sequences of numbers.

scamz:

gus:

Anotehr glitch on the web page:

It says "enter a credit card number to which 354.33 will be debited."

Shouldn't it say "Credited"?

It wouldn't be much of a scam if they were crediting people's accounts with 300 squids, would it? They should get bonus points for being honest.

Actually, not necessarily. The meaning of 'credit' and 'debit' interchange depending on whether you are talking about a credit or debit account, which usually depends on your perspective.

A 'debit' account is an account where the balance is the amount of money you owe somebody else. A 'credit' account is one where somebody (or something, accountants aren't fussy) owes you. Crediting is always a positive increase, debit is always a negative increase, so debiting a liability account (debit) is actually a gain for the holder of the account.

Or something like that. Not being an accountant, I always get the terms mixed up.

And we programmers think we have issues with poor naming conventions. At least we haven't codified them ;)

onlyyou:

You can't really tell if a CC number is valid or not by using just JavaScript - the best you can do is to filter out a few obviously fake ones, so this isn't really a wtf.

No the best you can do is to find a java script Luhn (I think it's called that) algorithm to validate it. Credit card numbers adhere to a pattern with check digits to validate them against to help prevent mistakes from double key presses and other common mistakes.

onlyyou:

You can't really tell if a CC number is valid or not by using just JavaScript - the best you can do is to filter out a few obviously fake ones, so this isn't really a wtf.

But you can improve detection, basic Mod 11 test at least.

SCSimmons:

Eh, I've seen worse.

Actually, that's kind of a scary thought in itself. There are places I've worked that could have improved their websites by hiring fifteen-year-old scam artists to replace their web programmers.

There used to be a time when they were just scammers and swindlers.
Now everyone is some kind of "artist". phhh...

I am sure its not long before "Coding artists" replace today's programmers.

That'll be the beginning of the end...they'd start teaching programming in art school...
You'd get courses in color-coding-coding and exhibitions showing inexplicable perl expressions in galleries all around the world.
Writing code would become "cool", and all the nerds will have to find something else to do...

[quote user="Finance"][quote user="scamz"][quote user="gus"]Anotehr glitch on the web page:

It says "enter a credit card number to which 354.33 will be debited."

Shouldn't it say "Credited"?

[/quote]

It wouldn't be much of a scam if they were crediting people's accounts with 300 squids, would it? They should get bonus points for being honest.[/quote]

Actually, not necessarily. The meaning of 'credit' and 'debit' interchange depending on whether you are talking about a credit or debit account, which usually depends on your perspective.

A 'debit' account is an account where the balance is the amount of money you owe somebody else. A 'credit' account is one where somebody (or something, accountants aren't fussy) owes you.
[/quote]

So why is a credit card called a credit card? I wish the balance on my card was what they owed me...

They are definitely being incompetently honest here; no 'not necessarily about it.

[quote user="Finance"][quote user="scamz"]
Or something like that. Not being an accountant, I always get the terms mixed up.
[/quote]

Well, you got something right...

Finance:

scamz:

Or something like that. Not being an accountant, I always get the terms mixed up.

Well, you got something right...

(OK, so I'm hardly perfect either with ****ing up the formatting...)

Botia:

1234? That's the same combination as my luggage!

Blast! You beat me to the punch line!

It's good to know that two of my cards' PINs are not valid... and in case you're wondering... no, I haven't changed them myself.

Anyone else think its funny that they are using the US IRS's stylesheets and 1x gifs?

I really need to find my logon info again:

Offtopic:

Seeing as this is a website for information technology failures, and there are frequently code examinations, would it not make sense to "open up the code" on the site and let some of us fix the notorious "2nd / 3rd / 4th / nth attempt to post" issue?

Not that I don't appreciate the work that's gone on in the site, I'd just like to help make a site I enjoy that much better.

But you don't understand. The failed posting "issue" is part of the CAPTCHA, to occasionally filter out bots that don't handle error conditions.</joke>

TRWTF: IE7, which renders the "text source" as HTML.

<b>Important: The tax law imposes heavy penalties for giving false or misleading information.</b>

TRWTF will be how many users submit the form they got from TDWTF with correct data....

You've gotta give the scammer credit for at least trying to decrease the number of invalid entries he's going to have to sift through in order to swindle someone. Hey, his time is valuable too.

JuanCarlosII:

Wolfan:

Wow, that's horrid, and what if my pin really is 1234?

Most ATMs (in the UK at least) will not allow you to change your PIN to something "insecure".

Considering they're only 4 digits, that pretty much applies to all PINs.

Mathematicians have proved that 3529 is the only safe pin.
Bugger!
We'd better move to 5-digits.

gus:

Anotehr glitch on the web page:

It says "enter a credit card number to which 354.33 will be debited."

Shouldn't it say "Credited"?

Actually, the wording I saw was:

Please enter your exactly credit card information where the 327.54 GBP will be debited.

Nice English there. I think it should be "credited" too. Even if it's a credit card (as opposed to a debit card), it's a credit to the card holder. Or rather, it would be if it wasn't a scam.

Another odd thing I saw was that it apparently includes the css and some images from irs.gov even though it pretends to be from the UK. They probably had a US one first.

me:

TRWTF: IE7, which renders the "text source" as HTML.

No, TRWTF is expecting a valid HTML file not to be rendered as HTML just because the extension has been changed.

a victim of facilisis:

SCSimmons:

Eh, I've seen worse.

Actually, that's kind of a scary thought in itself. There are places I've worked that could have improved their websites by hiring fifteen-year-old scam artists to replace their web programmers.

Did you by any chance work as a web programmer there?

No. I was a Microsoft Access application developer. :)

I did a little work on their intranet at times, mostly to fix stuff the 'real' web developers broke. Like the javascript Y2K bug I cleaned up in 1999 ... on a page that had been created in 1998. If I had that code, I would so submit it to this site. I never was able to figure out what the original designer was thinking, but I bet one of the regular commenters here would have found a way to justify it.