Author Topic: When I was phished?  (Read 6800 times)
Manu Zacharia (-M-)
Sr. Member
« on: September 17, 2006, 05:36:55 AM »

Hi All,

I would like to share with you a phishing experience I had to face recently.

For those who need an introduction on Phishing:
Quote
Phishing and Identity Theft
In computing, phishing is a form of criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well.

Phishing techniques
Most methods of phishing use some form of technical deception designed to make a link in an email appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers.


Recently I received an instant message (Yahoo) from one of my friends who is not very good with the technical aspects of the Internet. He is just a common Internet user. The message received:
Quote
http://www.geocities.com/chakkkara_ummma/yahoo.html
Click this link and login ur yahoo id, u will get a wonderful gift enjoy. pls send this message to all ur buddies

As normal enthusiastic users, we all have the tendency to open the link. When a user clicks on the above link, it opens a page as displayed below:

[screenshot: the page opened by the link]
If you look closely at the displayed page, it looks very similar to the Yahoo login page. However, it is not a Yahoo page. The cracker (let's not call him a hacker, as hacking is never unethical) has smartly created a web page which looks very similar to the login page of Yahoo. When a novice user fills in the page with his username and password and clicks the Sign In button, in the background the entered user credentials (username and password) are sent to some database / email ID. My friend entered his username and password unknowingly and ..... So I decided to find the culprit.

Let's Find The Culprit

Using Tamper Data (an add-on for Mozilla Firefox), I captured the information sent through this web page. See the screenshot below:

[screenshot: Tamper Data capture of the form submission]
If you look at the above image very closely, you can easily understand the following facts (refer to the red lines):

* When the user clicks the Sign In button, the page is redirected to http://www2.fiberbit.net/form/mailto.cgi
* The page (or the script) is programmed in such a way that a mail will be sent to love.cynade@gmail.com. (refer to the field "Mail_To")
* The mail will appear to come as if from SpArKz (refer to the field "Mail_From")
* Once the mail is sent, the page will be automatically redirected to http://photos.yahoo.com. (refer to the field "Next_Page")

So we have found the cracker here. The person's email ID is love.cynade@gmail.com.

A step further.
Using the same tool mentioned above, the data sent from a web page can be altered. So what I did was change the "Mail_To" value from love.cynade@gmail.com (internally the email ID love.cynade@gmail.com is represented as love.cynade%40gmail.com) to xxxx.zzzzzzzz@gmail.com (my email ID). And hurray, I got the details delivered in my mailbox. See the screenshot below:

[screenshot: the captured details as delivered by email]
It displayed the full information about the user who visited the site, which includes:

* The ISP of the user - in my case it is Asianet.co.in.
* The IP address of the user - in my case it is 202.**.227.*** (not displayed due to various security reasons)
* This information can be further used to get into your personal system.

Tracing Down the Cracker
To trace the location of the hacker who was using the email ID love.cynade@gmail.com, I created a temporary email ID, registered a temporary account with ReadNotify.com and shot some mails to love.cynade@gmail.com. And hooray, when he opened the mails I got his IP address and that's it.

I wrote to Yahoo also regarding the same and they immediately removed the site from Geocities and replied back. And within weeks Yahoo changed their login screen also. The cracker was able to get into many compromised accounts and from there into many accounts like banks, e-commerce sites etc. using these simple techniques.

The above-quoted URL is currently not available as it has been removed by Yahoo. But there are still thousands of phishing sites available that may exploit the human factor of Internet technology.

Do you have any similar experiences - share them here - in what ways did the hacker approach you? ......

Regards,

The Morpheus

Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
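As an added illustration (this is not code from the original post or from the EH-Net thread), the following Python script performs the same kind of inspection the post describes, but from the defender's side: given a captured login-form POST, it URL-decodes the body (so a value like `%40` becomes `@`), checks whether the credentials leave the site they were typed into, and flags the form-to-mail relay fields (Mail_To, Mail_From, Next_Page) that reveal where the submitted data is sent and where the victim is bounced afterwards. The sample request, its host names and the addresses in it are constructed for the example and are not the ones from the post; the field names and the `mailto.cgi` path follow what the post reports.

```python
"""Inspect a captured login-form POST for signs that it feeds a form-to-mail relay."""
from urllib.parse import parse_qs

# Field names that form-to-mail relay scripts use for recipient, sender and
# post-submit redirect (the three fields called out in the post above).
RELAY_FIELDS = {"mail_to", "mail_from", "next_page"}
# Field names that usually carry the victim's credentials.
CREDENTIAL_FIELDS = {"login", "username", "user", "passwd", "password"}

# Constructed sample capture (hosts and addresses are made up for this example).
SAMPLE_POST = (
    "POST /form/mailto.cgi HTTP/1.1\r\n"
    "Host: relay.example.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "login=victim&passwd=hunter2"
    "&Mail_To=collector%40example.com"
    "&Mail_From=Someone"
    "&Next_Page=http%3A%2F%2Fphotos.example.com%2F"
)


def parse_post(raw):
    """Split a raw HTTP request into (method, host, path, decoded form dict)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qs percent-decodes values, e.g. "collector%40example.com" -> "collector@example.com"
    form = {key: values[0] for key, values in parse_qs(body, keep_blank_values=True).items()}
    return method, headers.get("host", ""), path, form


def same_site(host, legitimate_host):
    """True when host is the legitimate site or one of its subdomains."""
    return host == legitimate_host or host.endswith("." + legitimate_host)


def analyze(raw, legitimate_host):
    """Return a report with the findings a defender would want from the capture."""
    method, host, path, form = parse_post(raw)
    lowered = {key.lower(): value for key, value in form.items()}
    findings = []
    if not same_site(host, legitimate_host):
        findings.append(f"credentials posted to third-party host {host}{path}")
    relay = sorted(RELAY_FIELDS & set(lowered))
    if relay:
        findings.append("form-to-mail relay fields present: " + ", ".join(relay))
    if "mail_to" in lowered:
        findings.append(f"submitted data is mailed to {lowered['mail_to']}")
    if "next_page" in lowered:
        findings.append(f"victim is redirected to {lowered['next_page']} after submit")
    creds = sorted(CREDENTIAL_FIELDS & set(lowered))
    if creds:
        findings.append("credential fields in body: " + ", ".join(creds))
    return {"method": method, "host": host, "path": path, "form": form, "findings": findings}


if __name__ == "__main__":
    # "example.com" plays the role of the site the login page pretends to be.
    report = analyze(SAMPLE_POST, "example.com")
    print(f"{report['method']} {report['host']}{report['path']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Run against the constructed capture, the script reports the third-party destination, the three relay fields, the decoded Mail_To recipient, the Next_Page bounce target and the credential fields in the body. Any one of those on a login form that should only ever post back to its own site is enough to treat the page as a phishing kit.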
Kev
Guest
« Reply #1 on: September 18, 2006, 01:55:52 PM »

Good of you to take the time to do all of that. I guess if more of us did that it would be helpful. I have found ReadNotify is a useful tool, but can be spoofed sometimes. Oh, you slipped and called the cracker a hacker at the end of your post, lol! Anyway, keep up the good work.
jimbob
Sr. Member
« Reply #2 on: September 18, 2006, 02:17:45 PM »

Firstly well done that man. I enjoyed your story, so I'll share one of mine.

I recently had a colleague who said, "My ebay account has been hacked." Alarm bells started ringing and I asked why he thought that was the case. "I got an email from ebay telling me so." This guy was no fool. I'm surprised he [almost] fell for it but glad he came to me first. Fear of identity theft made him believe he had been a victim, one of the oldest tricks in the phisher's toolkit.

I pointed out the signs that the email was fake. The URL was not an ebay website, all the usual telltales. We should educate our friends, family and peers but need to do it right. If all we do is scare them we can inadvertently feed the beast.

Jim
ChrisG
EH-Net Columnist
Hero Member
« Reply #3 on: September 18, 2006, 04:56:26 PM »

great post!


...tests i took go here...

http://carnal0wnage.attackresearch.com/
don
Editor-In-Chief
Administrator
Hero Member
« Reply #4 on: September 20, 2006, 01:30:23 PM »

I agree, so I submitted it to digg:

http://digg.com/security/When_I_Was_Phished

Don

CISSP, MCSE, CSTA, Security+ SME