Phishing A practical case study. What is phishing? Phishing involves fraudulently acquiring...

Post on 04-Jan-2016


Phishing: A practical case study

What is phishing?

• Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details, etc.) by masquerading as a trusted entity.

The sites

• www.noodlebank.com (i.e. NOODLEBANK.com)

• www.nood1ebank.com (i.e. NOOD1EBANK.com, with the digit 1 in place of the letter l)

The real site

The spoofed email

The spoofing

• The link appears as

www.noodlebank.com (i.e. NOODLEBANK.com)

• But actually it links to

www.nood1ebank.com (i.e. NOOD1EBANK.com)

The fake site

The “steal”

• When Debasis entered his username-password at the spoofed website, the username-password was sent across to the criminal carrying out the phishing attack.

• In this case study the username-password is sent across to a spamavert email address so that it can be seen by everyone trying out this case study.

More examples…

• In this case study, the user was enticed with a misleading URL. Such URLs are easy to create with simple HTML, because the link text and the link target are independent:

<a href="http://www.nood1ebank.com">http://www.noodlebank.com</a>

• This link displays the correct URL as its visible text, but clicking it takes the user to the spoofed URL in the href attribute.

Using a URL with an IP address

http://www.NOODLEBANK.com@67.19.217.53

• This URL does not lead to noodlebank.com; it leads to the website at the IP address 67.19.217.53. Everything before the @ sign is treated as a username (the "userinfo" part of the URL), not as the host.

Using a split domain name

http://www.NOODLEBANK.com.securitycheck.secure-login.nood1ebank.com/login.asp

• This URL does not lead to noodlebank.com; it leads to the spoofed website, because the domain that is actually registered and resolved is the rightmost one, nood1ebank.com. "www.NOODLEBANK.com" is merely a subdomain label chosen to fill the visible start of the address bar.

Using an obfuscated URL

http://www.NOODLEBANK.com%00@%36%37%2e%31%39%2e%32%31%37%2e%35%33

• This URL does not lead to noodlebank.com; it leads to the website at the IP address 67.19.217.53. The percent-encoded octets after the @ sign (%36%37%2e%31%39%2e%32%31%37%2e%35%33) decode to 67.19.217.53, and %00 is an encoded null byte; as before, www.NOODLEBANK.com is only the userinfo part.
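A defender-side check for the three tricks above and for the look-alike domain, written as an added example (it is not code from the slides): it extracts the host a browser would actually connect to, discarding the userinfo before "@" and decoding percent-encoding, and flags domains that only resemble the expected one. The domains and IP address are the slides' own sample values; the two-label "registrable domain" rule is a simplification assumed here (no public-suffix list).

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# Digits attackers substitute for look-alike letters (nood1ebank).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def actual_host(url: str) -> str:
    """Host a browser will really connect to.  Anything before '@' in the
    authority is userinfo and is discarded, and percent-encoding in the
    host is decoded, so both 'www.NOODLEBANK.com@67.19.217.53' and
    '...%00@%36%37%2e%31%39%2e%32%31%37%2e%35%33' resolve to the IP."""
    host = urlsplit(url).hostname or ""
    return unquote(host).lower()

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: multi-label public
    suffixes such as co.uk are not handled).  IP literals pass through."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return ".".join(host.split(".")[-2:])

def leads_to(url: str, expected_domain: str) -> bool:
    """True only if the URL actually lands on expected_domain."""
    return registrable_domain(actual_host(url)) == expected_domain.lower()

def lookalike_of(url: str, expected_domain: str) -> bool:
    """Flag a domain that becomes expected_domain once confusable characters
    are mapped back (nood1ebank.com -> noodlebank.com)."""
    expected = expected_domain.lower()
    dom = registrable_domain(actual_host(url))
    return dom != expected and dom.translate(CONFUSABLES) == expected

def href_matches_text(href: str, visible_text: str) -> bool:
    """For <a href=...>text</a> where the text is itself a URL: does the
    destination share the domain the reader is shown?"""
    return registrable_domain(actual_host(href)) == registrable_domain(actual_host(visible_text))

if __name__ == "__main__":
    # The slides' sample URLs (hypothetical domains, not live sites).
    for u in ("http://www.noodlebank.com",
              "http://www.nood1ebank.com",
              "http://www.NOODLEBANK.com@67.19.217.53",
              "http://www.NOODLEBANK.com.securitycheck.secure-login.nood1ebank.com/login.asp",
              "http://www.NOODLEBANK.com%00@%36%37%2e%31%39%2e%32%31%37%2e%35%33"):
        print(f"{u}\n  host={actual_host(u)} genuine={leads_to(u, 'noodlebank.com')}"
              f" lookalike={lookalike_of(u, 'noodlebank.com')}")
```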

Hex to ASCII converter

http://www.dolcevie.com/js/converter.html

Useful URLs

• To try out the genuine website: http://www.noodlebank.com

• To try out the spoofed website: http://www.nood1ebank.com

• To see the usernames-passwords being “stolen”: http://spamavert.com/mail.php?alias=noodlebank_com

Questions?