Select Page

There’s a site you may have seen being pinged around on Twitter today, called ismycreditcardstolen(dot)com. This is what it looks like:

Click to Enlarge

Yes, alarm bells were ringing for me too. “If you fear your credit card info has been stolen, enter it here and you can find out for free“. (Emphasis mine). “Avoiding fraud has never been easier!”

Oh boy.

Anyway, there’s a nice looking yellow padlock and a big green tick which always means something like this is safe, right?

Click to Enlarge

As it turns out, you just failed a test – or so the above text claims. It seems this site has been set up to warn people about the dangers of phishing, giving some hints and tips in relation to phish attacks and also providing a link to the Anti-Phishing Work Group’s Website. The site also mentions it doesn’t send your card details anywhere, and this appears to be the case.

Not sure I’d want to ever be in a situation where I had to take the word of a random third party in relation to something like that, but there we go.

There’s an About page, which lists the people who created it, along with the following message:

“The purpose of this site is to educate users about the dangers of phishing. You can learn more at the Anti-Phishing Working Group’s website.”

Unfortunately(?) most people won’t get to see the “reassuring” messages, as the site has itself been blocked by Firefox for…..phishing.

I’d like to be able to say I hadn’t seen that coming a mile off, but that would make me a gigantic liar. Having credit card in your domain is always going to smell faintly of “suspicious” to various security groups and anti-phish orgs, and having Whois data hidden by privacy services doesn’t help either.

NEVER enter your card details on sites such as the above, because you may not get off as easily next time. While the concept is – perhaps – an interesting one, the waters are muddied too much to be able to make sense of it.

The “Reported web forgery” blocks are a testament to that…

Christopher Boyd