Or better yet, just a URL that collects a ton of telemetry. In most cases, their curiousity will win out and you can get browser/platform/ip address details that might help suss out the attacker.
I'll do this with a simple PHP page that records everything useful from $_ENV and $_REQUEST.