I came across a pretty standard phishing scheme today, with a twist. It's a Citibank fraud, claiming that
Your online credit card account has high-risk activity status.
We are contacting you to remind you that on December 01, 2004
our Account Review Team identified some unusual activity in
your account. In accordance with Citibank's User Agreement and
to ensure that your account has not been compromised, access to
your account was limited. Your account access will remain limited
until this issue has been resolved.
The link was to a plain HTTP (port 80) website, at the path "/pseronal/index.php". The web server is a Korean YMCA site, obviously hacked. Apache + PHP.
OK, pretty standard. Except that instead of shutting down the website, or even deleting the /personal/index.php file, the /personal/index.php file now serves the following code:
<script language="JavaScript">
location.href=unescape('https://www.accountonline.com');
</script>

THIS IS A BAD IDEA. The website administrator is quietly "fixing" the problem by redirecting victims to the real Citibank online site. The victim logs in, thinking that there's some problem. More importantly, the victim has just been trained to TRUST PHISHING SCHEMES.
Much better would have been to put up a page that said:
Warning:
You have been tricked by a "phishing" scheme. The person who sent you the email that directed you here was trying to steal your account information.
DO NOT trust emails sent to you. ALWAYS log into your banking site by typing the address into your browser or using a bookmark you created.
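What such a replacement /personal/index.php could look like, as an added example (not the hacked site's actual file and not the author's code): it serves the warning page instead of redirecting, sends a non-success status and no-cache headers so nothing downstream treats it as a working login page, ignores any form fields a victim's browser might still POST, and appends a minimal record to a log so the site operator or the bank's abuse team can gauge how many people clicked. The log path is an assumption.

```php
<?php
// Added example: replacement for the hijacked /personal/index.php.
// Instead of quietly redirecting to the real bank, tell the victim they
// were phished and keep a minimal record of the hit for incident response.

// Assumed path, outside the web root; must be writable by the PHP user.
$logFile = '/var/log/phish-landing.log';

// Deliberately never read, log or echo $_POST: the phishing form may still
// submit credentials here, and they must not be stored anywhere on this host.
$entry = sprintf(
    "%s %s %s %s\n",
    gmdate('c'),
    $_SERVER['REMOTE_ADDR'] ?? '-',
    $_SERVER['REQUEST_METHOD'] ?? '-',
    $_SERVER['REQUEST_URI'] ?? '-'
);
@file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX);

// 410 Gone: the fraudulent page no longer exists. Browsers still render
// the body, so the warning is shown; scanners and monitoring see a failure.
http_response_code(410);
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store');
header('X-Frame-Options: DENY');
?>
<!DOCTYPE html>
<html>
<head><title>Warning: phishing attempt</title></head>
<body>
<h1>Warning</h1>
<p>You have been tricked by a "phishing" scheme. The person who sent you the
email that directed you here was trying to steal your account information.</p>
<p><strong>DO NOT</strong> trust emails sent to you. <strong>ALWAYS</strong> log
into your banking site by typing the address into your browser or using a
bookmark you created.</p>
<p>If you already entered your account details on this page, contact your bank
using the phone number printed on your card, not a number from an email.</p>
</body>
</html>
```

Because the file is replaced in place, any link still circulating in the phishing email lands on this page rather than on a 404, which is what makes the warning reach the people who need it.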
This stuff drives me nutty.