I don't know the numbering scheme with keys, but if you do, you can just write a script that will go through all the keys and throw away any that don't conform to this scheme, making spamming the form with completely random keys pointless
Conversely, if you do know the scheme, you can generate random keys according to this scheme that couldn't be thrown out by an automated script
I'm well aware of the validation scheme for keys, and I know that only 1/1024
completely randomly generated keys will pass the scheme. There's an easy way to turn the validation probability from 1/1024 to 100% though, but I'd probably get banned for posting it.
I don't think this guy doing the phishing is smart enough to do this though, considering he did not even try to make the site look authentic
Pretty much this.