
Coggeshall.org:
Phishing & Why PHP Makes it Easy
Jan 24, 2005 @ 13:22:54

On John Coggeshall's weblog today there's a new posting that sheds light on a "dark side" of PHP's popularity on the web: its use in phishing, and why it makes such a convenient tool for the job.

Over the past few months I have entertained myself by reading and checking out e-mails sent out by hackers phishing for my e-bay password, paypal password, credit cards, etc. In most cases, such as this one (and no, this is not a real eBay page - they also combine the look and feel deception with a bit of chromeless windows to round things out).

[...] Some are more clever than others, but all end up linking to a fake login / validation page for eBay and execute a classic man-in-the-middle attack to compromise the user's validation information. While some are unsecured Linux boxes running a default Apache which hackers have gotten into and created bogus eBay login pages with, there is a new flavor I have recently found as well, such as this one which takes advantage of insecure form mailer scripts running on respectable web sites to send e-mails to drop-box e-mail accounts with the login credentials, credit card information, etc. of anyone who is ignorant enough to buy into the scam.

Unfortunately, all of these phishing attacks have one thing in common: They are taking advantage of stupid people running PHP...

I suppose it's just one of the problems that will come up when your scripting language is not only one of the most popular on the web today, but also quite possibly the easiest to use/abuse out there as well...

If anyone has any brilliant suggestions on how PHP itself can be changed (perhaps a default configuration changed, or new anti-phishing restrictions put into place) which make any sense I'd love to hear them.
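The "insecure form mailer" abuse Coggeshall describes works because many contact-form scripts let the submitter choose the recipient, so a phisher's fake login page can simply POST harvested credentials to someone else's mailer and have them relayed to a drop-box address. The following is an added example, not code from Coggeshall's post or from any real form-mailer script: a minimal vulnerable mailer beside a hardened one that fixes the recipient server-side, whitelists fields, and rejects header injection. The recipient addresses, field names, and the sample POST are constructed for illustration, and modern PHP (filter_var is PHP 5.2+) is assumed.

```php
<?php
// Added example (not from the original post). Shows why an open form mailer
// is a free relay for phishers, and one way to close it.

// VULNERABLE: recipient, subject and body all come from the request, so anyone
// on the internet can use this script to send arbitrary mail anywhere.
function vulnerable_formmail(array $post): bool
{
    $to      = $post['recipient'] ?? '';   // attacker-controlled recipient
    $subject = $post['subject']   ?? '';   // attacker-controlled subject
    $body    = '';
    foreach ($post as $field => $value) {   // every posted field is relayed
        $body .= "$field: $value\n";
    }
    return mail($to, $subject, $body);
}

// HARDENED: the recipient is a server-side constant, only known fields are
// accepted, and CR/LF is rejected so nothing can smuggle in extra headers.
const FORM_RECIPIENT = 'webmaster@example.com';   // assumed site address
const ALLOWED_FIELDS = ['name', 'email', 'message'];

function hardened_formmail(array $post): bool
{
    $data = [];
    foreach (ALLOWED_FIELDS as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;                       // missing or malformed field
        }
        $data[$field] = $post[$field];
    }
    // Unknown fields (e.g. a 'recipient' the submitter tries to supply) are
    // simply ignored; they never influence where the mail goes.

    // Reject mail-header injection in anything that lands in a header.
    if (preg_match('/[\r\n]/', $data['name'] . $data['email'])) {
        return false;
    }
    if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    $subject = 'Contact form submission';       // fixed, not submitter-chosen
    $body    = "Name: {$data['name']}\nEmail: {$data['email']}\n\n"
             . $data['message'] . "\n";
    $headers = 'From: ' . FORM_RECIPIENT . "\r\n"
             . "Reply-To: {$data['email']}\r\n";

    return mail(FORM_RECIPIENT, $subject, $body, $headers);
}

// Constructed sample: what a phisher's fake "eBay login" page would POST to an
// open form mailer on a respectable site to exfiltrate harvested credentials.
$phisher_post = [
    'recipient' => 'dropbox@example.net',       // constructed drop-box address
    'subject'   => 'ebay',
    'userid'    => 'victim',
    'password'  => 'hunter2',
];

// vulnerable_formmail($phisher_post) would relay the credentials straight to
// the drop-box. hardened_formmail() refuses the same request: 'recipient' is
// not a known field and the required fields are absent, so mail() is never
// called and the script cannot be used as a relay.
$relayed = hardened_formmail($phisher_post);
echo $relayed ? "mail sent\n" : "request rejected\n";
```

The point of the hardened version is not input "sanitizing" but removing the submitter's control over routing entirely: the destination and subject are constants, so even a script the phisher can reach cannot be pointed at their drop-box. This is also the kind of default Coggeshall is asking about, since it is the script, not PHP's mail() itself, that decides whether a stranger gets to choose the recipient.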
