How Not To Make Your Website Look Like A Phishing Scam


The BBC Micro Bit is a small programmable device that is about to be given to every Year 7 child in the UK. That's 1 million devices. Today a link started being spread round Twitter to a form where you could register your school. It asks for a large amount of data, including names, telephone numbers, email addresses and postal addresses. The only problem is that it looked to me like a scam.

The domain in question is:

http://bbcmicrobitschoolregistrationform.co.uk/

The point isn't whether it is genuine or not. The point is that the owner has done nothing to help the public tell whether it is. Anyone who accepts this site at face value is one step closer to becoming a victim of cyber crime.

Here is a lesson for anyone considering a similar exercise in the future:


Reasons to think the site was a phishing scam:

  • It uses a brand-new domain whose registrant details have been hidden. That isn't a problem in itself, but why publish the details for MicroBit.co.uk and then hide them on the registration-form domain?
  • The domain MicroBit.co.uk already exists, so why use another one?
  • Domains like "bbcmicrobitschoolregistrationform" are a phishing gold mine because you can just keep registering them. There is an endless supply. I could go and register bbcmicrobitschoolregisterform.co.uk and few people would even notice if I started spreading it on social media.
  • The site has no privacy policy, yet it is clearly collecting personal details. This blog has no privacy policy either, but it asks nothing of its readers. A site that consists entirely of a large form collecting personal data needs at least a brief privacy statement.
  • Despite heavy coverage of the Micro Bit on the BBC news site and on many of its technology-focused Twitter accounts, this new site got no mentions at all. There is no official acknowledgement that the site exists, let alone that it is genuine. A single tweet is quicker than filling in the form, so why would the BBC not mention it if it were genuine?
  • The "official" source of the link appears to be a private forum, so it is effectively unverifiable. Even so, someone posted it into a private forum and someone else released it into the wild. Somewhere there is an egg looking for a face.
  • The BBC copyright notice appears only on the homepage and not on the "Thank you" page, which just seems sloppy.
  • The homepage is named "english.html", which is odd: normally the domain name resolves to a default homepage without a file name appearing in the address bar.
  • A Google search for "micro bit school registration" gives no indication that this site is genuine, that registration has started, or that registration is required in the first place.

Reasons to think the site was genuine:

None.

Conclusion? If it walks like a duck, smells like a duck and sounds like a duck, you treat it like a duck.


Some of these failings could be forgiven if the Micro Bit were being promoted by a small, inexperienced group. It is being promoted by the BBC, Microsoft, ARM and Samsung, so I would expect them to be able to put together something professional.

Whoever decided to do it this way needs a serious think and/or a course in the basics of cyber security. You need to consider how your users are going to spot the real scams. It is just plain irresponsible: how would a user spot a scam site if you had already conditioned them to accept this one?

One of the most effective ways of tackling cyber crime is not to train your users into bad habits that will get them caught later.

NEVER trust a new site that claims to belong to an organisation until that organisation mentions it publicly. In this case, that means the BBC.
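As an added illustration (not part of the original post), the checker below turns the red flags listed above and the rule just stated into mechanical tests: a form served over plain HTTP, a brand keyword inside a registered domain that the organisation has never published, an unusually long run-on domain name, and a homepage exposed as an explicit file name. It also enumerates how many plausible look-alike names one brand phrase yields, which is the "endless supply" point. The brand tokens, the allowlist of official domains and the tiny suffix table are assumptions made for the example; a production tool would use the public suffix list and a domain-age lookup instead.

```python
"""Mechanical checks for the red flags described in the post (added example)."""
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the public suffix list, enough for the .uk
# domains discussed here. A real tool should use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "sch.uk"}

# Hypothetical inputs for the example: brand words a campaign might borrow, and
# the domains the organisation is assumed to have actually published.
BRAND_TOKENS = ("bbc", "microbit")
OFFICIAL_DOMAINS = {"bbc.co.uk", "microbit.co.uk"}


def registered_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain.

    'www.microbit.co.uk' -> 'microbit.co.uk'
    'bbcmicrobitschoolregistrationform.co.uk' -> unchanged (already registrable)
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url: str, brand_tokens=BRAND_TOKENS,
               official_domains=OFFICIAL_DOMAINS) -> list:
    """Return the red flags raised by a URL (an empty list means none raised).

    Each flag corresponds to one observation in the post. A flagged URL is not
    proven malicious; it simply gives the user no way to tell.
    """
    flags = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = registered_domain(host)
    name = domain.split(".")[0]  # the label the registrant chose

    # 1. A form collecting personal data served over plain HTTP.
    if parsed.scheme.lower() != "https":
        flags.append("plain-http")

    # 2. Brand keyword inside a domain the organisation never published.
    #    An allowlist of official domains is the only reliable test: an attacker
    #    can register endless variants, so a blocklist never keeps up.
    official = {d.lower() for d in official_domains}
    if domain not in official and any(t in name for t in brand_tokens):
        flags.append("brand-in-unofficial-domain")

    # 3. Long run-on descriptive names are typical of throwaway registrations.
    if len(name) >= 20:
        flags.append("long-descriptive-domain")

    # 4. Homepage exposed as an explicit file name ('/english.html') rather
    #    than served from the site root.
    path = parsed.path.strip("/")
    if path and "/" not in path and path.lower().endswith((".html", ".htm", ".php")):
        flags.append("explicit-homepage-file")

    return flags


def lookalike_domains(brand: str, phrases, suffixes) -> list:
    """Enumerate the look-alike names one brand phrase yields.

    Every phrase x suffix pair is a separately registrable domain that a user
    has no way to distinguish from an ad-hoc "real" one.
    """
    return sorted({f"{brand}{p}{s}" for p in phrases for s in suffixes})


if __name__ == "__main__":
    suspect = "http://bbcmicrobitschoolregistrationform.co.uk/english.html"
    print(suspect, "->", assess_url(suspect))
    print("https://www.microbit.co.uk/ ->", assess_url("https://www.microbit.co.uk/"))
    variants = lookalike_domains(
        "bbcmicrobit",
        ["schoolregistrationform", "schoolregisterform", "registration", "signup"],
        [".co.uk", ".uk", ".com"],
    )
    print(len(variants), "look-alikes, e.g.", variants[:3])
```

The allowlist is the important design choice: the script never tries to decide that a name is "bad", only that it is not one the organisation has announced, which is exactly the rule above.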


1 Comment

  1. If the first thing you see is a form like that, then surely it should start with https. I wouldn't enter any info into a site starting with http. It seems not secure – no lock comes up in the browser. My recommendation, even if confirmed as OK by the BBC, is AVOID until it is made secure – seems completely amateurish.
