Phishing for Average Web Users
Written by Justin Furniss   
Wednesday, 05 October 2005
The brief article below should prove useful for just about anyone who uses the WWW and e-mail.

When people think about identity theft they normally think about hackers: hackers with green terminals full of fast-scrolling tiny text, breaking into banks and other information systems that house important data.  Yet perhaps the biggest threat to your identity is something you know little or nothing about.  Why would "hackers" break into your systems to get your information when they could simply ask you to hand it over at their convenience?  This act is known as phishing, and it is much more real than most people realize.

Phishing is the act of luring innocent users of a system to a look-alike site whose primary objective is to collect credit card numbers and username/password pairs.  The most effective phishing attempts use a domain name that can be made to look like the authentic site.  As a target, we will use "amazon.com".  A normal domain name consists of two parts: the actual domain name, "amazon", and the domain suffix, for lack of a better term, "com".  The point is that amazon.com is controlled by Amazon.  Amazon can configure its servers to serve pages at "www.amazon.com".  While to most users "amazon.com" is synonymous with "www.amazon.com", they are actually quite different.  Anything before amazon.com, separated by a dot, is a sub-domain and can yield a completely different result when requested from your web browser; often the results differ because the names point to different servers.  Before I get too far ahead of myself, let's move on to how these sub-domains can be used for evil!

A domain such as amazon.com can have about as many sub-domains as its owner wants.  For instance, as most companies do, Amazon can have a web server "www.amazon.com", a public mail server "mail.amazon.com", and can even stack sub-domains by having a private mail server "private.mail.amazon.com".  When sub-domains are stacked as in the last example, tricking people gets easier.

If Amazon can use domain names to create "users.mail.amazon.com", nothing stops it from setting up "google.com.amazon.com".  Note that there is no space between "google.com" and "amazon.com".  While this may not make sense at first, it is quite simple.  When you type "google.com.amazon.com" into a browser, the name is looked up from right to left, one dot-separated part at a time.  Your system first looks for amazon.com, because amazon.com has name servers that know where all of its sub-domains are.  Once your browser finds amazon.com, it asks amazon.com's servers who "google.com.amazon.com" is.  Amazon's system can respond however it wants and point the name at any server in the world.  If you actually request the URL above, your browser asks "amazon.com" where "google.com.amazon.com" is, and Amazon responds that it doesn't know, because Amazon has no system by that name!

The interesting part…

Let's say that I own the domain evilhacker.com.  I can easily configure my servers to answer to "amazon.com.evilhacker.com".  The average web user will look at the first two parts of the domain and be convinced that they have reached their destination, "amazon.com".  The ugly truth is that you have reached whichever destination evilhacker.com wants you to reach.

Phishers will commonly mirror, or copy, their target site to their own server.  The most common targets are banks, because that is where the phisher's main goal, money, lives.  The phisher takes all of the HTML from the site and makes the copy look as much like the legitimate site as possible.  The only difference in the site structure that your browser interprets is where your login credentials are sent.  More often than not, your personal information goes to a database where the data of all the tricked users is collected.

How does the evil hacker get you to visit "amazon.com.evilhacker.com"?  This is easier than you may think.  An HTML link does not have to display the domain that it points to; its text can say whatever the author wants.  The most common example is a link on a website that says "click here".  That link is structured like any other valid link on the Internet, for instance http://yourdomain.com/youclicked.html.  I can just as easily have the link say "google.com" instead of "click here" and point to the same page.  Take a look at the screenshot below of an email that I sent to myself.  The first link is the valid Google URL and the second points to "amazon.com.evilhacker.com"; both links work, and nothing tells you that the link is different from what you think.

Email with Bad Links

This started as an email to some friends and family but has grown into more of an article.  The reason I wrote it up is a phishing site that a friend emailed me (I like to collect them to learn new techniques).  The site is http://www.amazon.com.encrypted-inquiry.cn?/exec/obidos . Just as I stated before, look at the main domain.  CN is a domain suffix, equivalent to "net", "com", or "edu".  So whoever is running this site owns "encrypted-inquiry.cn".  If you had not read this article, could you tell that it is a fake site?
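The two points made above, that the rightmost parts of a host name decide who owns it (so "amazon.com" inside "www.amazon.com.encrypted-inquiry.cn" belongs to encrypted-inquiry.cn, as the sub-domain paragraphs explain) and that a link's visible text need not match where it points, turned into a small link checker. This is an added example, not code from the article; the protected-brand list is an assumption, and the sample e-mail is constructed to mirror the screenshot, with the third link being the URL quoted just above.

```python
import re
from urllib.parse import urlparse

PROTECTED = {"amazon.com", "google.com"}  # brands to protect: an assumption of this example
# <a href="...">text</a> pairs; a production mail filter would use a real HTML parser instead
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Link text that itself looks like a domain or URL, e.g. "google.com" or "http://amazon.com/x"
DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def registrable_domain(host):
    # Rightmost two labels, the part the owner actually controls. Simplification: a real
    # checker uses the Public Suffix List so that names like example.co.uk split correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_abused(host):
    # A protected brand sitting left of someone else's domain, e.g. 'amazon.com' inside
    # 'www.amazon.com.evilhacker.com'. Returns the brand, or None if the host is clean.
    owner = registrable_domain(host)
    for brand in PROTECTED:
        if brand != owner and f".{brand}." in f".{host.lower()}.":
            return brand
    return None

def check_links(html):
    # Returns (href, reason) for every link whose host or visible text is misleading.
    findings = []
    for href, raw_text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", raw_text).strip()   # what the reader sees
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)                   # who really receives the click
        brand = brand_abused(host)
        if brand:
            findings.append((href, f"'{brand}' is only a sub-domain of {target}"))
        m = DOMAIN_LIKE.match(text)
        if m and registrable_domain(m.group(1)) != target:
            findings.append((href, f"text shows {m.group(1)} but link goes to {target}"))
    return findings

# Constructed sample e-mail mirroring the screenshot; the third href is the URL quoted in the article.
SAMPLE_EMAIL = """<p>Visit <a href="http://www.google.com/">google.com</a> or
<a href="http://amazon.com.evilhacker.com/">amazon.com</a> or
<a href="http://www.amazon.com.encrypted-inquiry.cn?/exec/obidos">Sign in to your account</a></p>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```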

In conclusion, the next time you get an email that gives you a link to your bank or to something like Amazon.com, don't use it unless you requested the email.  It is safer to open a browser and type the URL in manually.
Last Updated ( Wednesday, 05 October 2005 )