Okay, I'm almost afraid to ask but... Just to clarify, this is for a classroom project and nothing else. My son has to do a web page project using an order form. The professor listed some criteria and then told the students they can add whatever else they want to. For fun my son wants to set up the web page as a pharming/phising (? spelling) site. He's going to add something like...to process your order we need the following information and then link that to his personal email. In addition, he's going to have the BBB and veri-check seal. The professor has a good sense of humor, so I'm not worried about how it will be received. I'm just wondering about the legalities. I really appreciate being able to ask questions here!
I think this is one of those areas where if you have to ask, you should probably do something else. -=Steve=-
It might also violate various school privacy policies. Most schools have policies on storage of sensitive data (credit cards numbers, SSNs, etc).
There is no need to store the collected data. In fact, the form could simply send an email to the person who has provided the data warning them that had this been a real phishing expedition their sensitive personal information could have ended up in the hands of criminals. The collected data does not have to be stored but can be ignored once the 'submit' button is clicked. Although on the web page it might be prudent to add "Where do you want to go phishing today?" and add a disclaimer, in fine print, at the bottom of the web page stating "No information collected on this form is stored or otherwise processed in any way." And provide a URL to the FTC web site about phishing and related scams. In any case, have the proposed assignment cleared by the instructor.
I suppose, although in this case one must make sure the sensitive information isn't part of the email. Every email message is as readable to others as the information you write on a postcard. For the record, I still think this is an unwise idea. -=Steve=-
If a student did that in my class, it would have a decidedly negative effect on their grade for the assignment.
Thanks for the input. I'll definately talk to him. He doesn't mean any harm by it and wanted to do it as a joke and to show others in the class the importance of verifying a site before giving out personal information. This isn't a real site per se. They just have to set up a page with an order form for pizza. I know during one computer lab, he sent a 'fake' blue screen of death to every computer and the professor didn't bat an eye. He just shook his head and yelled at him, "......, you fix this right now. " In a hardware class during a group project, he was threatened to keep his hands off the computer or "I'll have to come over there and slap you." However, he was allowed to talk the other students through the process. Anyway, like I said, his intention is just to have fun, but he has to be careful not to overstep the line. Like Steve said, when in doubt--don't (paraphrased). Thanks again!
Correct, Steve. I meant the data should not even be sent as part of the email and the data simply discarded as soon as the 'submit' button is clicked by the user.
Clarification: When I talked to my son, he said this isn't a 'real' web site. There's no URL. It's an assignment. It just looks like a web site. Shows how much I know--not much!
Hello "Mom", Maybe you should have your son join the board too. As for the assignment, I would not create anything that is web viewable. If something like this was published on a school server, that could be bad news... In addition, the "Phishing" portion generally begins with a nicely crafted email, which then leads the target to a professional looking website. At times, this fake site even uses direct links for images from the original.
Maybe this would be a good time to introduce your son to the Certified Ethical Hacker program: http://www.eccouncil.org/CEH.htm
