Due to actual copyright constraints I can’t post the actual contents of this tutorial up here, but I can post the excerpt and provide you with a link to check it out. Just click the image to head over to Net-Tuts and check it out.
OOP, yea you know me
I just can’t stay away from this stuff. I told myself that I would convert this into a personal blog, but that I would try and keep the coding and such out of it. It would be a day-to-day account of my life. But damn. My life can get boring some days you know? Who wants to read about me sitting around in my snuggie (just a snuggie) and reading for 6 hours? No one. That’s who. And old people I guess.. things like that would probably be exciting reading to them. And stalkers. But I’m sure I don’t have any of those. And even if I did, they’d probably already know that stuff.
Anyways, what I’m actually talking about today is Object Oriented Programming. To many it’s a very confusing concept and they’re flooded with questions such as when to use it, why would I use it, what IS it? And to others it comes as easy as breathing.
*NOTE* OOP is a slightly advanced concept. While you should try and learn it as soon as possible, you should have at least a moderate grasp of classes and functions.
What is it?
OOP is a way of programming that breaks down an object into pieces. Essentially an object would be something that you’re trying to achieve. OOP breaks this down so that you don’t have to continually write the same code. Instead, you can just copy over the class file, and then use the same functions as you normally would. That is the bonus of OOP.
To think of it another way, imagine a robot. That robot is what we are trying to build. But a robot is made of different pieces right? 2 arms, 2 feet, a body and a head. In Object Oriented Programming, you would take each piece and make it its own class.
How does it work?
What we would essentially do now, is populate this class with things that the arm can do. In this example, let’s just make it very simple. All the arm can do is Judo chop and Punch. To accomplish this, all we would need to do is create two functions within our class. However, note that I said we have TWO arms. We would need some way of differentiating the right arm from the left right? The easiest way to do this, is to create a “constructor” function that would accept the name of the arm and store it for access later on.
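<?php
// The start of this listing was cut off on the page; the class name "Arm" and
// the constructor signature are reconstructed from the description above.
class Arm {
    public $name;

    // Store the arm's name so each instance can identify itself
    function __construct($name) {
        $this->name = $name;
    }

    function punch() {
        echo $this->name.' punches';
    }

    function chop() {
        echo $this->name.' judo chops';
    }
}
?>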
From that piece of code alone, we can actually create as many arms as we need. And that is the beauty of OOP. Now my robot can run on the same piece of code, regardless if it has 2 arms, or 50 arms. Imagine, an awesome 50 armed robot running off no extra code?
When would you use it?
As often as it makes sense. If you’re building any application, your best bet would be OOP. However, if you’re working on something like a website, there really isn’t a need for it. You’ll find people from all over the internet who say that you should use OOP all the time, and others who claim that it is the worst thing to happen to programming. Ignore them. In the end, it’s up to you to decide when you need to use OOP. If you find that you seem to be using the same bit of code all the time, wrap it in a function. If you find a group of functions you use all the time, and they’re related, wrap it in a class. If you have a group of classes you use all the time, wrap it in a framework.
Gone Phishing

Picture by toasty http://flickr.com/photos/toasty/
Two days in and I’m already breaking from routine. But this is something that I just have to post. It isn’t necessarily a big deal, and it’s something that has been going on for quite some time, but I would just like to prove how easy this actually is.
Trout or Salmon?
Neither. We’re going after sucker fish. The ones who know enough about computers to do their banking online, but not enough to question the incorrect SSL certificate. They think they know enough about computers to make them invulnerable to anything, which is why phishing attempts work so well.
The Concept
There are numerous ways to go about phishing scams. The easiest of which involves just copying the code from the actual website. But we run into issues. The most basic of these is that if we keep the current code, and if the website uses relative links to their images, we’re screwed. We have to either replicate their directory structure, or hope to hotlink the images. Of course, a little .htaccess hack, and anyone linking to any images on the server that isn’t FROM the server, can easily be blocked. Sure it would work, but we’re lazy people right? We need the quickest solution. And the quickest solution, is an IFrame.
Essentially we are going to include the website we want in an IFrame and absolute position the input/submit form elements over the ones that are already present on the page. If that sounds like a load of BS to you, then attempting this is out of your league. If it doesn’t, you’ve probably already thought about this before and just never got around to it.
K.I.S.S – Keep It Simple Stupid
The beauty of this code is that it can be accomplished in essentially under 7 lines. As a bonus, if the user is really fooled into entering their information, you can easily redirect them back to the website they were trying to access. To them, it will seem as if they just entered the information incorrectly and they will proceed to do it again without questioning. After all, who thinks that they would be the subject of a scam like this?
Here is a brief overview of the code without the pixel perfect placements:
<form action="catcher.php"> <input name="username" type="text" /> <input name="password" type="password" /> <input style="dispay: none;" type="submit" /> </form> <iframe name="myframe" src="yoursite.htm" width="100%" height="800"></iframe>
It’s a very simple solution. Now once you’ve included the website that you want, it’s really just a matter of adjusting the size and placement of the input boxes with CSS. Then, if you’ll notice, I turned the submit button invisible. What we are going to do is actually place that button over top of the actual submit button on the website. This way, the user thinks that they are clicking on the submit button, but in reality they are clicking on our invisible button.
When to use it?
- The user is stupid. They won’t notice the slight url change (ideally you will purchase a domain name resembling the name of the website you wish to spoof)
- The login form is present near the top of the website you are visiting. This is important, as if it’s located somewhere else, when you absolute position your login elements they will float above nothing and the user will be suspicious.
- You won’t be breaking any laws. This one is really a disclaimer. I don’t expect readers to run out and do this, this is more of a proof of concept hack that I’m sharing.
What can they do about it?
- Not a whole lot. If the user has JavaScript enabled then the website simply has to add a bit of code to their page that will break it out of the iFrame. A lot of websites already do this, but most don’t (for whatever reason).
- If a user has JavaScript disabled then they’re out of luck. The website can’t do a damn thing to break out of it.
- Pretty much impossible to detect. Sure a shrewd admin can backtrace the IP through the log files, but they wouldn’t have a reason to.
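The frame-busting check mentioned in the list above, together with a response-header audit a site owner can run against their own login page, as an added example that is not part of the original post. The function names and sample headers are constructed; the header audit goes beyond the post by checking `X-Frame-Options` and the CSP `frame-ancestors` directive, which browsers enforce whether or not JavaScript is enabled.

```javascript
// Added example; function names and sample headers are constructed.
// Client-side frame-buster. In a page, call bustFrame(window).
function bustFrame(win) {
  if (win.top === win.self) return false;     // not framed, nothing to do
  win.top.location = win.self.location.href;  // navigate the top window to us
  return true;
}

// Extract the frame-ancestors source list from a single CSP policy string.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null; // directive not present
}

// Classify response headers: 'deny', 'same-origin', 'allowlist' or 'unprotected'.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const fa = frameAncestors(h['content-security-policy']);
  if (fa) { // when present, frame-ancestors supersedes X-Frame-Options
    if (fa.includes('*')) return 'unprotected';
    if (fa.length === 0 || (fa.length === 1 && fa[0] === "'none'")) return 'deny';
    if (fa.length === 1 && fa[0] === "'self'") return 'same-origin';
    return 'allowlist'; // review each listed origin by hand
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  return 'unprotected'; // header missing or value not recognised
}

// Constructed sample responses (not captured from any real site).
const samples = {
  noHeaders: { 'Content-Type': 'text/html' },
  legacy: { 'X-Frame-Options': 'SAMEORIGIN' },
  modern: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, '->', framingPolicy(headers));
}
```

A result of `unprotected` on a login page means only the script-based check stands between the page and a framing site.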

Not Bait and Switch
Bait and Tackle
Of course, a hack like this is wholly incomplete. What would be necessary would be something like an auto-redirect or a url masker installed on the user’s computer. Then whenever they accessed a website of your choosing, they would automatically be directed to your website. The bonus of something like that is that no matter what happens, you can pretty much guarantee that they’ll end up at your site for you to start your phishing.
End Note
Don’t mistake my incompleteness for inaccuracy. For those who would actually seek to use this information for actual phishing scams, a few important pieces of information were removed, such as how to hide form elements (and numerous others). Those who are actually looking to learn from this should know a few other things that could make this idea more complete. If there is enough interest, I may put up answers to a few questions, such as how to not have to copy their entire website.
