Earlier today I received an email notification about the new MoS website. The email also notified me that a new password was issued to use on the website. These are two characteristics of a phishing mail - in this case launching a new website and sending out new passwords, they could easily have been sent from a malicious source wanting me to login to their MoS-lookalike website and take my credit card details. You shouldn’t send out a new password unless someone requests it on your website, because email can be forged. You also sent out my password in plain text email rather than on a secure part of your website. Anyone can read it and login to my account and purchase orders.

Also to my surprise while investigating the source of the mail, several of the links point to a http://www.c-f-1.com/ domain, the name doesn’t help to improve the trust in your email. To my astonishment the link led to a webpage with the html email, again with my password in plain sight. Have a look (link removed), I changed my password already. Let’s wait for Google to index it so that anyone can search for my account information. They already found other newsletters.

Finally, I used mosdownload.com to buy my mp3s online. This site no longer works as an error comes up when it tries to redirect, due to a configuration error. My order history is gone, most of my profile is gone.

I’m very disappointed with your lack of security and care for your customers and unfortunately have come to the conclusion that I won’t be using your service again, and I will recommend my friends and family to do the same, due to these trust issues.

If you do, the browser (please read “Firefox 1.5 or IE 6″ – that’s what I tested at the moment) will consider submit is an object. And an object is not a function (although you might enjoy later on the paradox that a function is an object).

Source [webprodevelopment.com]