ROAD TO HACKING

Sat Sep 30, 2017 7:49 am

What Is Phishing?

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.[1][2] The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim. According to the 2013 Microsoft Computing Safety Index, released in February 2014, the annual worldwide impact of phishing could be as high as US$5 billion.[3][better source needed]
Phishing is an example of social engineering techniques used to deceive users, and exploits weaknesses in current web security.[8] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

TYPES OF PHISHING

Phishing types
Spear phishing

Phishing attempts directed at specific individuals or companies have been termed spear phishing.[9] Attackers may gather personal information about their target to increase their probability of success. This technique is by far the most successful on the internet today, accounting for 91% of attacks.[10]
Clone phishing

Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.
Whaling

Several phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks.[11] In the case of whaling, the masquerading web page/email will take a more serious executive-level form. The content will be crafted to target an upper manager and the person's role in the company. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern. Whaling phishers have also forged official-looking FBI subpoena emails, and claimed that the manager needs to click a link and install special software to view the subpoena.[12]
Link manipulation

Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization.[13] Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website. Another common trick is to make the displayed text for a link (the text between the <A> tags) suggest a reliable destination, when the link actually goes to the phishers' site. Many desktop email clients and web browsers will show a link's target URL in the status bar while hovering the mouse over it. This behavior, however, may in some circumstances be overridden by the phisher.[14] Equivalent mobile apps generally do not have this preview feature.

A further problem with URLs has been found in the handling of internationalized domain names (IDN) in web browsers, that might allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing[15] or homograph attack,[16] phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain.[17][18][19] Even digital certificates do not solve this problem because it is quite possible for a phisher to purchase a valid certificate and subsequently change content to spoof a genuine website, or, to host the phish site without SSL at all.[20]
Filter evasion

Phishers have even started using images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing emails.[21] However, this has led to the evolution of more sophisticated anti-phishing filters that are able to recover hidden text in images. These filters use OCR (optical character recognition) to optically scan the image and filter it.[22]

Some anti-phishing filters have even used IWR (intelligent word recognition), which is not meant to completely replace OCR, but these filters can even detect cursive, hand-written, rotated (including upside-down text), or distorted (such as made wavy, stretched vertically or laterally, or in different directions) text, as well as text on colored backgrounds.
Website forgery

Once a victim visits the phishing website, the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar.[23] This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original bar and opening up a new one with the legitimate URL.[24]

An attacker can even use flaws in a trusted website's own scripts against the victim.[25] These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.[26]

A Universal Man-in-the-middle (MITM) Phishing Kit, discovered in 2007, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site.[27]

To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash-based websites (a technique known as phlashing). These look much like the real website, but hide the text in a multimedia object.[28]
Covert redirect

Covert redirect is a subtle method to perform phishing attacks that makes links appear legitimate, but actually redirect a victim to an attacker's website. The flaw is usually masqueraded under a log-in popup based on an affected site's domain.[29] It can affect OAuth 2.0 and OpenID based on well-known exploit parameters as well. This often makes use of open redirect and XSS vulnerabilities in the third-party application websites.[30]

Normal phishing attempts can be easy to spot because the malicious page's URL will usually be different from the real site link. For covert redirect, an attacker could use a real website instead by corrupting the site with a malicious login popup dialogue box. This makes covert redirect different from others.[31][32]

For example, suppose a victim clicks a malicious phishing link beginning with Facebook. A popup window from Facebook will ask whether the victim would like to authorize the app. If the victim chooses to authorize the app, a "token" will be sent to the attacker and the victim's personal sensitive information could be exposed. These information may include the email address, birth date, contacts, and work history.[30] In case the "token” has greater privilege, the attacker could obtain more sensitive information including the mailbox, online presence, and friends list. Worse still, the attacker may possibly control and operate the user’s account.[33] Even if the victim does not choose to authorize the app, he or she will still get redirected to a website controlled by the attacker. This could potentially further compromise the victim.[34]

This vulnerability was discovered by Wang Jing, a Mathematics Ph.D. student at School of Physical and Mathematical Sciences in Nanyang Technological University in Singapore.[35] Covert redirect is a notable security flaw, though it is not a threat to the Internet worth significant attention.[36]
Social engineering

Users can be incentivised to click on various kinds of unexpected content for a variety of technical and social reasons. For example, a malicious attachment might masquerade as a benign linked Google doc.[37]

Alternatively users might be outraged by a fake news story, click a link and become infected.[38]
Phone phishing

Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts.[39] Once the phone number (owned by the phisher, and provided by a voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organisation.[40] SMS phishing uses cell phone text messages to induce people to divulge their personal information.[41]
Other techniques

Another attack used successfully is to forward the client to a bank's legitimate website, then to place a popup window requesting credentials on top of the page in a way that makes many users think the bank is requesting this sensitive information.[42]

Tabnabbing takes advantage of tabbed browsing, with multiple open tabs. This method silently redirects the user to the affected site. This technique operates in reverse to most phishing techniques in that it doesn't directly take the user to the fraudulent site, but instead loads the fake page in one of the browser's open tabs.
Evil twin is a phishing technique that is hard to detect. A phisher creates a fake wireless network that looks similar to a legitimate public network that may be found in public places such as airports, hotels or coffee shops. Whenever someone logs on to the bogus network, fraudsters try to capture their passwords and/or credit card information.

IN OUR NEXT LECTURES WE WILL TALK MORE ON HOW TO MAKE PHISHING SITE/PAGE

THANKS FOR READING

Sat Sep 30, 2017 12:02 pm

Gudday guys

please;
if i want to phish a victim,how do i clone a real website page and if the victim logs in using my malicious cloned website page,the page will redirect the login details to my malicious server and also get victims stored passwords or creditcard information using javascript or other forms ?

And also how do i make sure my malicious page does not redirect the victim back to the main website server if he/she clicks the link ?

Sat Sep 30, 2017 11:28 pm

good question we will treat the topic tomorrow by 8am thank you for reading have a nice day!

ROAD TO HACKING

ROAD TO HACKING

Re: ROAD TO HACKING

Re: ROAD TO HACKING

Re: ROAD TO HACKING