HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 40 guests and 1 member online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Network Pen Testingarrow When I was phished?
EH-Net
May 23, 2013, 09:21:16 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: When I was phished?  (Read 7642 times)
0 Members and 1 Guest are viewing this topic.
Manu Zacharia (-M-)
Sr. Member
****
Offline Offline

Posts: 393


c0c0n Hacking Conference - where hackers unite


View Profile WWW
« on: September 17, 2006, 05:36:55 AM »
Hi All,

I would like to share with you a phishing experience I had to face recently.

For those who need an introduction on Phishing:
Quote
Phishing and Identity Theft
In computing, phishing is a form of criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well.

Phishing techniques
Most methods of phishing use some form of technical deception designed to make a link in an email appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers.


Recently I received an instant message (yahoo) from one of my friend who is not very good with the technical aspects of Internet. He is just a common internet user. The message recieved :
Quote
http://www.geocities.com/chakkkara_ummma/yahoo.html
Click this link and login ur yahoo id, u will get a wonderful gift enjoy. pls send this message to all ur buddies

As a normal enthusiastic user, we all have the tendency to open the link. When a user clicks on the above link, it opens a page as displayed below:



If you look closely at the displayed page, it looks very similar to yahoo login page. However, it is not a yahoo page. The cracker (lets not call him a hacker, as hacking is never un-ethical) has smartly created a web page which looks very similar to the login page of yahoo. When an novice user fills in the page with his username and password, and click the Sign In button, on the back ground, the entered user credentials (username and password) is sent to some database / email ID. My Friend entered his username and password unknowingly and .....So I decided to find the culprit.

Lets Find The Culprit

Using Tamper Data (an add-on for mozilla firefox), I captured the informations sent through this web page. See the below screen shot:



If you look at the above image very closely, you can easily understand the following facts (refer the red lines):

* When the user clicks the Sign In button, the page is re-directed to http://www2.fiberbit.net/form/mailto.cgi
* The page (or the script) is programmed in such a way that a mail will be sent to love.cynade@gmail.com. (refer the field "Mail_To")
* The mail will appear to come as if from SpArKz (refer the field "Mail_From")
* Once the mail is send, the page will be automatically redirected to http://photos.yahoo.com. (refer the field "Next_Page")

So we have found the cracker here. The person's email ID is love.cynade@gmail.com.

A step further.
Using the same tool mentioned above, the data send from a web page can be altered. So what I have done is, I changed the "Mail_To" value from love.cynade@gmail.com (internally the email id love.cynade@gmail.com is represented as love.cynade%40gmail.com) to xxxx.zzzzzzzz@gmail.com (my email ID). And hurray, i got the details delivered in my mail box. See the below screen shot:



It displayed the full information about the user who visited the site which includes:

* The ISP of the User - in my case it is Asianet.co.in.
* The IP address of the user - in my case it is 202.**.227.*** (not displayed due to various security reasons)
* These information can be further used to get into your personal system.

Tracing Down the Cracker
To trace the location of the hacker who was using the email ID love.cynade@gmail.com, I created a temperory email ID, registered a temperory account with ReadNotify.com and shooted some mails to love.cynade@gmail.com. And hooray, when he opened the mails I got the IP address of him and thats it.

I wrote to Yahoo also regarding the same and they immediately removed the site from Geocities and replied back. And withing weeks yahoo changed their login screen also. The cracker was able to get into many compromised accounts and from there to many accounts like banks, e-commerce sites etc using this simple techniques.

The Above quoted URL is currently not available as it is removed by Yahoo. But there are still thousands of phishing sites available that may exploit the human factor of the internet technology.

Do you have any similar experiences - share it here - what ways the hacker approached you? ......

Regards,

The Morpheus
Logged
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
Kev
Guest
« Reply #1 on: September 18, 2006, 01:55:52 PM »
  Good of you to take the time to do all of that. I guess if more of us did that it would be helpful.  I have found ReadNotify is a useful tool, but can be spoofed sometimes.  Oh, you slipped and called the cracker a hacker at the end of your post, lol!  Any way, keep up the good work.
Logged
jimbob
Guest
« Reply #2 on: September 18, 2006, 02:17:45 PM »
Firstly well done that man. I enjoyed your story, so I'll share one of mine.

I recently had a colleague who said, "My ebay account has been hacked." Alarm bells started ringing and I asked why he thought that was the case. "I got an email from ebay telling me so." This guy was no fool. I'm suprised he [almost] fell for it but glad he came to me first. Fear of identity theft made him believe he had been a victim, one of the oldest tricks in the phisher's toolkit.

I pointed out the signs that the email was fake. The URL was not an ebay website, all the usual tell tales. We should educate our friends, family and peers but need to do it right. If all we do is scare them we can inadvertantly feed the beast.

Jim
Logged
LSOChris
Guest
« Reply #3 on: September 18, 2006, 04:56:26 PM »
great post!
Logged
don
Editor-In-Chief
Administrator
Hero Member
*****
Offline Offline

Posts: 4167


Editor-In-Chief


View Profile WWW
« Reply #4 on: September 20, 2006, 01:30:23 PM »
I agree, so I submitted it to digg:

http://digg.com/security/When_I_Was_Phished

Don
Logged
CISSP, MCSE, CSTA, Security+ SME
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.062 seconds with 24 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.