Tuesday 26 April 2011

PHISHING EXPLAINED

WHAT IS PHISHING?

Phishing is a fraudulent attempt, usually made through email, to steal your personal information. The best way to protect yourself from phishing is to learn how to recognize a phish.

Phishing emails usually appear to come from a well-known organization and ask for your personal information, such as a credit card number, social security number, account number or password. Oftentimes phishing attempts appear to come from sites, services and companies with which you do not even have an account.
In order for Internet criminals to successfully "phish" your personal information, they must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested. Legitimate organizations would never request this information from you via email.

The Steps of a Phishing Attack
  1. Planning. Phishers decide which business to target and determine how to get e-mail addresses for the customers of that business. They often use the same mass-mailing and address collection techniques as spammers.
  2. Setup. Once they know which business to spoof and who their victims are, phishers create methods for delivering the message and collecting the data. Most often, this involves e-mail addresses and a Web page.
  3. Attack. This is the step people are most familiar with: the phisher sends a phony message that appears to be from a reputable source.
  4. Collection. Phishers record the information victims enter into Web pages or popup windows.
  5. Identity Theft and Fraud. The phishers use the information they've gathered to make illegal purchases or otherwise commit fraud. As many as a fourth of the victims never fully recover. If the phisher wants to coordinate another attack, he evaluates the successes and failures of the completed scam and begins the cycle again.

Phishing scams take advantage of software and security weaknesses on both the client and server sides. But even the most high-tech phishing scams work like old-fashioned con jobs, in which a hustler convinces his mark that he is reliable and trustworthy. Next, we'll look at the steps phishers take to convince victims that their messages are legitimate.


Phishing Scams
Since most people won't reveal their bank account, credit card number or password to just anyone, phishers have to take extra steps to trick their victims into giving up this information. This kind of deceptive attempt to get information is called social engineering. Phishers often use real company logos and copy legitimate e-mail messages, replacing the links with ones that direct the victim to a fraudulent page. They use spoofed, or fake, e-mail addresses in the "From:" and "Reply-To:" fields of the message, and they obfuscate links to make them look legitimate. But recreating the appearance of an official message is just part of the process.

Phishing Prevention
Tip 1: It is important that you learn to recognize all types of phishing emails. Be aware that if you receive a message which demands immediate action with regard to any of your personal accounts, you should avoid it like the plague. Most phishing emails will be addressed to either “Dear Valued Customer” or “Dear Sir/Madam”, while any legitimate emails from your bank or credit card company will be addressed to you by name. Keep in mind that the phisher who sent the email in the first place is after your personal information in order to use it for fraudulent purposes.

Tip 2: Never send any kind of sensitive personal information by email. Email is not a secure form of communication. Many scammers are quite capable of producing an email that looks legitimate, and so can easily forge such a document and gain your information this way.

Tip 3: If you do have to transmit any personal information over the Internet, make sure that the site you are providing it to is secure. The best way to tell whether a site is secure is to look at the site address: a secure site's address should start with “https://” and not “http://”. You will also see the lock icon displayed in the browser status bar.

Tip 4: If you ever receive an email from someone you do not know and it contains a link, do not click on it. Instead, open a new browser page and type in the address which you know to be the authentic one. Or, if you have had dealings with the person or company before and have spoken with them by telephone, call them directly.

How to do phishing?

Step 1 - First you must sign up for a free web hosting service like:

www.freehostia.com

www.byethost.com etc., and register a domain or subdomain.

After signing up, you have your own subdomain; for instance, if you registered with freehostia, your domain is like “www.yourname.freehostia.com”.

Step 2 - Now log in to your freehostia account and go to “File Manager” in the freehostia control panel.

Step 3 - Now go to your domain folder, like “yourname.freehostia.com”, and create a separate folder in that directory with the name of the site, e.g. yahoo, if you want to phish a yahoomail account!

Step 5 - Now upload all 3 files to the www folder inside “yourname.freehostia.com”.

So when you're done with the uploading, the link to your yahoo phisher is “www.yourname.freehostia.com/index.htm”.

Step 6 - Congrats!! That is your phisher page!! Now all you have to do is copy the link to the phisher file, i.e. “www.yourname.freehostia.com/index.htm”, and send it to the victim you want to hack! When he/she opens that link, it'll be directed to your yahoo phisher, and when he/she logs in on that page he/she'll be redirected to the original website and you'll get the password in the “password.txt” file, which will be created in the same folder you created in your freehostia domain; the path to that file will be “www.yourname.freehostia.com/password.txt”!


How to make the victim log in on your phishing page?
There is a simple but effective method to fool the victim, so that he/she will log in on your phishing page without using their mind.... :-)
I am going to show an example of HI5.COM

1.) Go to your inbox and find a simple hi5 Friend Request. Copy it like in the picture:

2.) Go to http://www.sendanonymousemail.net/ or http://www.anonymailer.net/ and send the email to the victim like shown below...


3.) Now select the "Accept Friend" line.

   * Click the hyperlink button.
   * Paste your phishing link there.
   * Click the OK button.
   See the pic for more:

4.) Now fill in the fields like this:


To: victimemail@dumb.com

From: info@hi5.com

Subject: Someone has sent you a hi5 Friend Request

Then enter the security code and click Send. The e-mail will look like it came from hi5, except that it will redirect the victim to your phishing link instead of hi5.com.
The same can be done for Facebook and many more websites of your choice.
NOTE: There is a chance that the email won't be sent sometimes, so it is best to send it to your own inbox just before you send it to your victim.
