It looks like phishing will be a never-ending threat for web security going forward. There are a number of popular websites being targeted for phishing to steal sensitive information. The example included here is for a very popular social networking site called Orkut. Last night, I saw an update from one of my friends on Orkut, which included headlines such as “New Orkut Version”, “Orkut New Theme”, etc., with some links provided. Looking at the links, I came to know that they must be fake websites used for phishing. Here is the screenshot:
Browsing those links led to a fake login webpage which looks very similar to the original Orkut login page. Closer inspection of the domain makes it clear that the phishing webpage is hosted on a free web hosting site. There are many free web hosting sites on the internet, so it is very easy to create a free fake domain and host fake webpages on those sites. Being a security researcher, I then quickly opened the source of the webpage and found that the original login form's action URL had been changed to “run.php” and the method had been changed to a GET request. Everything else was as I expected it to be. Then, when I entered a fake username and password, the page sent the GET request with all the parameters needed, including a redirect link to the Orkut home page. Here is the Wireshark packet capture for the GET request and the response from the “run.php” page:
Interestingly, if you look at the response from the “run.php” webpage, you will see that the page uses ‘document.location.href’ to redirect to the original login page, appending all the parameters needed to log in, including the clear-text Email and Password. This clearly shows that “run.php” generated this script dynamically, inserting the provided email and password information. Don’t worry; we have entered fake information, so nothing was leaked. Remember, Orkut never uses clear-text parameters in the original URL.
The webpage does not just steal information and redirect you to the original login page, where you would have to re-enter your username and password; it actually appends all the necessary parameters to the original login URL. This means that when you enter a correct username and password, you will be logged directly into Orkut and will also have left your private information on the fake website. You will of course be asked for a username and password by Orkut if you entered fake information, as I had. Here is another screenshot of what the URL looks like:
There are numerous phishing websites on the Internet targeting very popular sites. The fake webpages used are very similar to the original ones, with few changes in the source code. It is very easy to create such pages and host them on a fake website. To host such a fraudulent website, all that an attacker needs is a fake login page similar to the original one and some server-side code (e.g. the PHP page discussed above) to steal private information.
The above discussion is just one example of phishing. The trick used here, redirecting the victim to the original website with the username and password parameters appended, will definitely hide the fraudulent website, as you will end up at the original website. But remember that the request is actually sent from the “run.php” script, leaving your information on the fake website.
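The relay described above leaves a recognizable trace wherever full URLs are logged: the same client sends the same password value to two different hosts within seconds. The following detection sketch is an added example, not code from the original post; the log format, host names, parameter-name list and time window are all constructed assumptions.

```python
import hashlib
from urllib.parse import urlparse, parse_qsl

# Assumed list of password-like query parameter names and an assumed time window.
SECRET_PARAMS = {"passwd", "password", "pass", "pwd"}
WINDOW_SECONDS = 10

def credential_relays(log_lines):
    """Flag clients that put the same secret in URLs for two different hosts.

    Each line is assumed to be: "<epoch> <client_ip> <method> <full_url>".
    Returns a list of (client, first_host, second_host) tuples.
    """
    seen = {}      # (client, sha256 of secret) -> (epoch, host) of first sighting
    alerts = []
    for line in log_lines:
        epoch, client, _method, url = line.split(maxsplit=3)
        parts = urlparse(url.strip())
        for name, value in parse_qsl(parts.query):
            if name.lower() not in SECRET_PARAMS or not value:
                continue
            # Keep only a digest so the detector does not retain the secret itself.
            key = (client, hashlib.sha256(value.encode()).hexdigest())
            first = seen.get(key)
            if first is None:
                seen[key] = (float(epoch), parts.hostname)
            elif (parts.hostname != first[1]
                  and float(epoch) - first[0] <= WINDOW_SECONDS):
                alerts.append((client, first[1], parts.hostname))
    return alerts

# Constructed sample log lines (placeholder hosts and credentials).
SAMPLE_LOG = [
    "1000.0 10.0.0.5 GET http://free-hosting.example/run.php?Email=a%40example.com&Passwd=constructed-1",
    "1001.2 10.0.0.5 GET https://login.example.com/auth?Email=a%40example.com&Passwd=constructed-1",
    "1002.0 10.0.0.9 GET https://login.example.com/auth?Email=b%40example.com&Passwd=constructed-2",
]

if __name__ == "__main__":
    for client, first_host, second_host in credential_relays(SAMPLE_LOG):
        print(f"{client}: secret sent to {first_host}, then to {second_host}")
```

This only works on a log source that records complete URLs, such as a TLS-inspecting proxy; a plain HTTPS connection log would not show the query string.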
You will find many such phishing sites while surfing. It is becoming very easy for script kiddies to host such fake webpages because plenty of information on how to conduct an attack, and even source code, is readily available. Below is a screenshot found in one of the forums:
This was found in one of the forums, where the author has uploaded fake webpages for 34 popular websites like AOL.com, Gmail.com, eBay.com and many more. The source code even comes with clear instructions on how to use and host these fake webpages. The webpages used look like exact copies of the original websites. Below are more fake webpages created for many popular websites, including Yahoo, MySpace, etc.
Phishing is a trivially easy method of conducting online identity theft. It can be used to steal not only personal but financial information as well. It is also very easy to attract a large number of victims to a phishing website through emails, messages, scraps, etc. Most of the emails prompt the victim to visit the link provided and enter private information on the fake website.
You can avoid being phished by following a few recommendations:
- Check the website address in the address bar of the browser. Most phishing websites are hosted on free web hosting sites.
- If you find a suspicious phishing website, check the source code of the webpage, find the login form information and compare it with the original website's source.
- Never click on any link in an email you receive from an unknown or untrusted source. Remember, the sites of financial institutions, banks, auction sites, social networking sites, etc. never send email asking users to update or change information.
- Be extra careful before entering financial information.
- Report the phishing site to the original website's team when you encounter one.
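The source-code check recommended above can be automated. The following is an added example, not part of the original post: it parses a saved login page and reports the signs seen in this case (a password form submitted with GET, and a form action that resolves to a host other than the legitimate one). The host names, field names and markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LoginFormCollector(HTMLParser):
    """Collect each <form> and note whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults: empty action = same page, missing method = GET.
            self._open = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "password": False}
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            self.forms.append(self._open)
            self._open = None

def audit_login_page(html, page_url, expected_host):
    """Return finding codes for the page and every password form on it."""
    collector = LoginFormCollector()
    collector.feed(html)
    collector.close()
    findings = []
    if urlparse(page_url).hostname != expected_host:
        findings.append("page-host-mismatch")
    for form in collector.forms:
        if not form["password"]:
            continue
        # Resolve a relative action such as "run.php" against the page URL.
        target = urlparse(urljoin(page_url, form["action"]))
        if form["method"] == "get":
            findings.append("password-sent-via-get")  # credentials land in the URL
        if target.hostname != expected_host:
            findings.append("action-host-mismatch")
        if target.scheme != "https":
            findings.append("action-not-https")
    return findings

# Constructed samples; hosts, field names and markup are placeholders.
FAKE = '<form action="run.php" method="GET"><input name="Email"><input type="password" name="Passwd"></form>'
REAL = '<form action="https://login.example.com/auth" method="post"><input type="password" name="Passwd"></form>'

if __name__ == "__main__":
    print(audit_login_page(FAKE, "http://free-hosting.example/login.html", "login.example.com"))
    print(audit_login_page(REAL, "https://login.example.com/login", "login.example.com"))
```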
That’s it for now.
Umesh


