Gone Phishing

Picture by toasty http://flickr.com/photos/toasty/
Two days in and I’m already breaking from routine. But this is something that I just have to post. It isn’t necessarily a big deal, and it’s something that has been going on for quite some time, but I would just like to show how easy this actually is.
Trout or Salmon?
Neither. We’re going after sucker fish: the ones who know enough about computers to do their banking online, but not enough to notice that the login page isn’t being served over HTTPS by their bank at all (no padlock, or a certificate for the wrong site). They think they know enough about computers to be invulnerable to anything, which is exactly why phishing attempts work so well on them.
The Concept
There are numerous ways to go about a phishing scam. The easiest involves just copying the HTML from the real website. But we run into issues. The most basic is that if we keep the page’s own code and the site uses relative links for its images, we’re stuck: we either have to replicate their directory structure, or hope we can hotlink the images from their server. And with a small .htaccess rule (checking the Referer header), the site can block any request for its images that doesn’t come from one of its own pages. Sure, copying would work, but we’re lazy people, right? We need the quickest solution, and the quickest solution is an IFrame.
Essentially we are going to include the real website in an IFrame and absolutely position our own input/submit form elements directly on top of the ones that are already present on the framed page. If that sounds like a load of BS to you, then attempting this is out of your league. If it doesn’t, you’ve probably already thought about this before and just never got around to it.
K.I.S.S – Keep It Simple Stupid
The beauty of this code is that it can be accomplished in under 7 lines. As a bonus, if the user really is fooled into entering their information, you can simply redirect them back to the website they were trying to access. To them it will look as if they mistyped their password, and they will proceed to enter it again without questioning anything. After all, who thinks they would be the target of a scam like this?
Here is a brief overview of the code without the pixel perfect placements:
<form action="catcher.php" method="post">
  <input name="username" type="text" />
  <input name="password" type="password" />
  <!-- hidden submit; it is meant to sit over the framed page's real button.
       display: none removes the element from the layout, so as written it
       cannot be clicked at all (see the end note). -->
  <input style="display: none;" type="submit" />
</form>
<iframe name="myframe" src="yoursite.htm" width="100%" height="800"></iframe>
It’s a very simple solution. Once you’ve included the website you want, it’s really just a matter of adjusting the size and placement of the input boxes with CSS (position: absolute, plus top/left/width/height matching the framed page). Then, if you’ll notice, I turned the submit button invisible. What we are going to do is place that button over top of the real submit button on the framed website. This way the user thinks they are clicking the site’s submit button, but in reality they are clicking our invisible one, and the form posts to catcher.php.
When to use it?
- The user is not paying attention. They won’t notice the slight URL change (ideally you will register a domain name resembling the name of the website you wish to spoof).
- The login form sits near the top of the page you are framing. This matters, because the overlay is positioned relative to your page, not the framed one: if the real form is further down, or the framed page scrolls, your login elements will float over nothing and the user will be suspicious.
- You won’t be breaking any laws. This one is really a disclaimer. I don’t expect readers to run out and do this; it is more of a proof-of-concept hack that I’m sharing.
What can they do about it?
- Not a whole lot from the page itself. If the user has JavaScript enabled, the website simply has to add a bit of code to its page that breaks it out of the IFrame (a "frame buster"). A lot of websites already do this, but most don’t, for whatever reason. Frame-busting scripts can themselves be defeated by a framing page, so the reliable fix is a response header that tells the browser not to render the page inside a foreign frame at all: X-Frame-Options: DENY or SAMEORIGIN, or a Content-Security-Policy with frame-ancestors.
- If the user has JavaScript disabled, a script-only defense does nothing; the page can’t do a damn thing to break out of the frame. Only the header approach above still holds, because the browser enforces it before any script runs.
- Hard, but not impossible, to detect. A shrewd admin can trace the IP through the log files, but they wouldn’t normally have a reason to look. One thing worth knowing: when the browser loads the real login page inside the IFrame, it sends the phishing page’s URL in the Referer header, so the framing site does show up in the target’s access logs.
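The following is an added example, not code from the original post, showing the defender’s side of the three points above: how a browser decides whether a page may be framed from its X-Frame-Options / Content-Security-Policy headers, a frame buster that hides the page when it cannot break out, and a crude access-log check for login-page loads with a foreign Referer. All hostnames, header values and log lines are constructed for the example; the log format is the common Apache combined format.

```javascript
// Added example (not from the original post): checks a target site can make
// against the IFrame overlay trick. Origins, headers and log lines below are
// constructed for illustration.

// --- 1. What the browser does with the framing policy headers ---------------

// Match one CSP frame-ancestors source against the framing page's origin.
// Supports 'self' (handled by caller), scheme://host and scheme://*.host.
function matchSource(src, framerOrigin) {
  const o = new URL(framerOrigin);
  let scheme = null;
  let host = src;
  const i = src.indexOf('://');
  if (i >= 0) {
    scheme = src.slice(0, i);
    host = src.slice(i + 3);
  }
  if (scheme && scheme !== o.protocol.slice(0, -1)) return false;
  host = host.replace(/\/$/, '');
  if (host.startsWith('*.')) return o.hostname.endsWith(host.slice(1));
  return host === o.host;
}

// Returns true if a page served with these headers may be rendered inside a
// frame owned by framerOrigin. CSP frame-ancestors, when present, overrides
// X-Frame-Options; no policy at all means anyone may frame the page.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(s => s.trim())
      .find(s => s.startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      if (sources.includes("'none'")) return false;
      return sources.some(src =>
        src === "'self'" ? framerOrigin === pageOrigin : matchSource(src, framerOrigin));
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true;
}

// --- 2. The script-side fallback (only runs when JavaScript is enabled) -----

// win/doc are passed in so this can be exercised with fake objects outside a
// browser. The body starts hidden, so a framed page that is prevented from
// navigating the top window still shows nothing usable to overlay.
function installFramebuster(win, doc) {
  doc.body.style.display = 'none';
  if (win.top === win.self) {
    doc.body.style.display = '';
    return 'shown';
  }
  try {
    win.top.location = win.self.location;
    return 'busting';
  } catch (e) {
    return 'hidden';
  }
}

// --- 3. Spotting foreign framers in the access log --------------------------

// Apache combined log format: ip ident user [time] "req" status bytes "ref" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)" "[^"]*"$/;

// Constructed sample: a normal visit, a load referred from a look-alike
// domain (what an IFrame load from the phishing page leaves behind), and a
// direct hit with no Referer.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2007:13:55:36 +0000] "GET /login.htm HTTP/1.1" 200 5120 "https://www.bank.example/" "Mozilla/5.0"',
  '203.0.113.8 - - [10/Oct/2007:13:56:01 +0000] "GET /login.htm HTTP/1.1" 200 5120 "http://www.bankk.example/index.htm" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Oct/2007:13:56:40 +0000] "GET /login.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

// Returns the requests for loginPath whose Referer is a different origin.
// A plain link from another site produces the same signature, so treat hits
// as leads to investigate, not proof of framing.
function foreignFramers(lines, siteOrigin, loginPath) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, , path, referer] = m;
    if (path !== loginPath || referer === '-') continue;
    let refOrigin;
    try { refOrigin = new URL(referer).origin; } catch (e) { continue; }
    if (refOrigin !== siteOrigin) hits.push({ ip, referer });
  }
  return hits;
}
```

With no header set, framingAllowed returns true for the look-alike domain, which is the situation the post relies on; the same page with X-Frame-Options: SAMEORIGIN or a frame-ancestors directive refuses to render in the phishing page’s IFrame before any script, enabled or not, gets a chance to run.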

Bait and Tackle (not Bait and Switch)
Of course, a hack like this is wholly incomplete on its own. What would be necessary is something like an auto-redirect or URL masker installed on the user’s computer (a tampered hosts file or DNS setting would do it). Then whenever they accessed a website of your choosing, they would automatically be sent to your site instead. The bonus of something like that is that no matter what the user types, you can pretty much guarantee they’ll end up on your page for you to start your phishing.
End Note
Don’t mistake my incompleteness for inaccuracy. For those who would actually seek to use this information for real phishing scams, a few important pieces were left out, such as how to hide the form elements while keeping them clickable (and numerous others). Those who are actually looking to learn from this should know that a few other things could make this idea more complete. If there is enough interest, I may put up answers to a few questions, such as how to avoid copying their entire website.


*shakes head*
But I still love you =)
@The girlfriend – It’s not like I posted explicit directions on how to get this up and running, it’s more of a knowledge article than anything else.
Oh good. I like the disclaimer at the end. “I’m not actually helping scam artists at all. Really.” is exactly what I wanted to hear by the end of this post.
It’s a little disconcerting that a person’s information is always so vulnerable. I think people don’t actually realise how easy identity theft is…