Ethical Hacker Community Forums

Ethical Hacking Discussions and Related Certifications => Network Pen Testing => Topic started by: Manu Zacharia (-M-) on September 17, 2006, 05:36:55 AM



Title: When I was phished?
Post by: Manu Zacharia (-M-) on September 17, 2006, 05:36:55 AM
Hi All,

I would like to share with you a phishing experience I had to face recently.

For those who need an introduction on Phishing:
Quote
Phishing and Identity Theft
In computing, phishing is a form of criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well.

Phishing techniques
Most methods of phishing use some form of technical deception designed to make a link in an email appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers.


Recently I received an instant message (Yahoo) from one of my friends who is not very good with the technical aspects of the Internet. He is just a common Internet user. The message received:
Quote
http://www.geocities.com/chakkkara_ummma/yahoo.html
Click this link and login ur yahoo id, u will get a wonderful gift enjoy. pls send this message to all ur buddies

As a normal enthusiastic user, we all have the tendency to open the link. When a user clicks on the above link, it opens a page as displayed below:

(http://usera.imagecave.com/morpheus063/Study/Phishing.JPG)

If you look closely at the displayed page, it looks very similar to the Yahoo login page. However, it is not a Yahoo page. The cracker (let's not call him a hacker, as hacking is never un-ethical) has smartly created a web page which looks very similar to the login page of Yahoo. When a novice user fills in the page with his username and password and clicks the Sign In button, in the background the entered user credentials (username and password) are sent to some database / email ID. My friend entered his username and password unknowingly and ..... So I decided to find the culprit.

Let's Find The Culprit

Using Tamper Data (an add-on for Mozilla Firefox), I captured the information sent through this web page. See the below screen shot:

(http://usera.imagecave.com/morpheus063/Study/TamperData-copy.jpg)

If you look at the above image very closely, you can easily understand the following facts (refer to the red lines):

* When the user clicks the Sign In button, the page is re-directed to http://www2.fiberbit.net/form/mailto.cgi
* The page (or the script) is programmed in such a way that a mail will be sent to love.cynade@gmail.com (refer to the field "Mail_To")
* The mail will appear to come as if from SpArKz (refer to the field "Mail_From")
* Once the mail is sent, the page will be automatically redirected to http://photos.yahoo.com (refer to the field "Next_Page")

So we have found the cracker here. The person's email ID is love.cynade@gmail.com.

A step further.
Using the same tool mentioned above, the data sent from a web page can be altered. So what I did was change the "Mail_To" value from love.cynade@gmail.com (internally the email ID love.cynade@gmail.com is represented as love.cynade%40gmail.com) to xxxx.zzzzzzzz@gmail.com (my email ID). And hurray, I got the details delivered in my mail box. See the below screen shot:

(http://usera.imagecave.com/morpheus063/Study/mail.JPG)

It displayed the full information about the user who visited the site which includes:

* The ISP of the User - in my case it is Asianet.co.in.
* The IP address of the user - in my case it is 202.**.227.*** (not displayed due to various security reasons)
* This information can be further used to get into your personal system.

Tracing Down the Cracker
To trace the location of the hacker who was using the email ID love.cynade@gmail.com, I created a temporary email ID, registered a temporary account with ReadNotify.com and shot some mails to love.cynade@gmail.com. And hooray, when he opened the mails I got his IP address and that's it.

I wrote to Yahoo also regarding the same and they immediately removed the site from Geocities and replied back. And within weeks Yahoo changed their login screen also. The cracker was able to get into many compromised accounts and from there to many accounts like banks, e-commerce sites etc. using these simple techniques.

The above quoted URL is currently not available as it was removed by Yahoo. But there are still thousands of phishing sites available that may exploit the human factor of Internet technology.

Do you have any similar experiences - share it here - what ways the hacker approached you? ......

Regards,

The Morpheus
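The capture in the post was read by hand: a login page that POSTs off-site to a form-to-mail CGI carrying Mail_To, Mail_From and Next_Page. As an added example (not code from the original post), the script below applies the same reading to a captured submission (page URL, target URL, POST body) and reports the indicators; hosts, addresses and credentials in the sample are constructed placeholders, and the extra field names beyond the three from the post are an assumption.

```python
"""Flag a captured login POST that feeds a form-to-mail relay."""
from urllib.parse import parse_qs, urlsplit

# Field names used by form-to-mail CGIs. Mail_To, Mail_From and Next_Page are
# the ones seen in the Tamper Data capture; the other names are common
# variants (assumption, not from the post).
RECIPIENT_FIELDS = {"mail_to", "recipient", "to"}
REDIRECT_FIELDS = {"next_page", "redirect", "return_url"}
CREDENTIAL_FIELDS = {"passwd", "password", "pass", "pwd"}


def analyze_capture(page_url, target_url, body):
    """Return the indicators found in one captured form submission."""
    # parse_qs also undoes the URL encoding, so %40 becomes @ again.
    fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
    page_host = urlsplit(page_url).hostname
    target_host = urlsplit(target_url).hostname
    recipients = [fields[k] for k in fields if k in RECIPIENT_FIELDS]
    redirects = [fields[k] for k in fields if k in REDIRECT_FIELDS]
    creds = sorted(k for k in fields if k in CREDENTIAL_FIELDS)
    report = {
        "cross_site_post": target_host != page_host,
        "mailer_recipients": recipients,
        "redirect_after_post": redirects,
        "credential_fields": creds,
    }
    # A harvester is a password travelling off-site to a mail relay that
    # then bounces the victim to a real page so nothing looks wrong.
    report["harvester"] = bool(creds) and bool(recipients) and report["cross_site_post"]
    return report


# Constructed sample modelled on the post's capture; hosts, the recipient
# address and the credentials are placeholders.
SAMPLE_PAGE = "http://www.geocities.com/example_user/yahoo.html"
SAMPLE_TARGET = "http://formmailer.example.net/form/mailto.cgi"
SAMPLE_BODY = ("Mail_To=attacker-inbox%40example.com&Mail_From=SpArKz"
               "&Next_Page=http%3A%2F%2Fphotos.yahoo.com"
               "&login=victim&passwd=hunter2")

if __name__ == "__main__":
    print(analyze_capture(SAMPLE_PAGE, SAMPLE_TARGET, SAMPLE_BODY))
```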


Title: Re: When I was phished?
Post by: Kev on September 18, 2006, 01:55:52 PM
Good of you to take the time to do all of that. I guess if more of us did that it would be helpful. I have found ReadNotify is a useful tool, but can be spoofed sometimes. Oh, you slipped and called the cracker a hacker at the end of your post, lol! Anyway, keep up the good work.


Title: Re: When I was phished?
Post by: jimbob on September 18, 2006, 02:17:45 PM
Firstly well done that man. I enjoyed your story, so I'll share one of mine.

I recently had a colleague who said, "My ebay account has been hacked." Alarm bells started ringing and I asked why he thought that was the case. "I got an email from ebay telling me so." This guy was no fool. I'm surprised he [almost] fell for it but glad he came to me first. Fear of identity theft made him believe he had been a victim, one of the oldest tricks in the phisher's toolkit.

I pointed out the signs that the email was fake. The URL was not an ebay website, all the usual tell-tales. We should educate our friends, family and peers but need to do it right. If all we do is scare them we can inadvertently feed the beast.

Jim


Title: Re: When I was phished?
Post by: ChrisG on September 18, 2006, 04:56:26 PM
great post!



Title: Re: When I was phished?
Post by: don on September 20, 2006, 01:30:23 PM
I agree, so I submitted it to digg:

http://digg.com/security/When_I_Was_Phished

Don