The Dangers of Phishing

Disclaimer: This is for educational purposes only. It is becoming increasingly important to educate people on phishing and how easy it is to set up.

What is Phishing and How Can You Avoid it?

Phishing is the nefarious act of stealing one's sensitive information by masquerading as a reputable digital source. The most common ways to do this are by pretending to be a banking agent, social media employee, etc. to gain the user's trust and have them give up their personal information. This can be done via email spoofing, fake messages, fake websites, etc. Phishing relies on social engineering, a critical hacking skill that relies on no computer skills whatsoever. Social engineering is when hackers psychologically manipulate people to gain their trust and have them divulge things they wouldn't otherwise give such as usernames/passwords, pin numbers, etc. This can be done online or in person. The following are a few techniques you can use to avoid phishing scams. Note that using one (or even all!) of these does not ensure your safety, however. The best defense is simply using common sense to avoid sites/people/accounts you wouldn't normally trust.


How are Phishing Scams Set Up?

It is surprisingly easy to set up a phishing scam. To demonstrate the simplicity, I've set up the following (fake) phishing scam with minimal knowledge on the topic and a lazy Saturday afternoon's worth of work. It would rely on spamming the email below to the masses, hoping a few gullible recipients actually try to login at the given link, where their username and password could be logged and exploited (I obviously didn't implement the logging and exploiting part). This process could be greatly improved were the phisher to do things like (i) get a more official-sounding email address, (ii) dress up the email to properly simulate a Wells Fargo email, (iii) create a custom url that looks more official, etc. Here are the steps I went through to make this simple scam:

  1. Use wget to create a local copy of the login page you want to simulate
    • wget --mirror --convert-links --adjust-extension --page-requisites --no-parent <webpage>
    • <webpage> should be a login page, such as "https://connect.secure.wellsfargo.com/auth/login/present"
  2. Find the html element that takes in the user's username and password, and note their ID's
    • Just right click and "inspect element" in your browser at the place you put in the username/password
  3. Find the javascript function that runs when the "Login", "Sign Up", or "Confirm", button is clicked. Add javascript to do whatever you want with the username/password here. Gathering the username and password is as easy as adding lines like the following:
    • var username = document.getElementById('<USERNAME_ID>').value; // Storing username
    • var username = document.getElementById('<PASSWORD_ID>').value; // Storing password
  4. Use social engineering to bring users to your phishing site. In my case, I would use the email below. Please try it out by clicking on the link in it. If you don't trust that I'm not logging passwords, just use a fake username/password ;).


Note: the following email's "Wells Fargo" link actually originally linked to a URL I created that implemented a Wells Fargo phishing page. It looked identical to the actual login page except for its URL. When you entered your credentials, it redirected to the real Wells Fargo login page while another tab opened up and printed what you entered as your username/password. When I added this to my website, however, my website was immediately taken down and my Heroku account was suspended. In order to get my account back online, I took it out, but know this is (unfortunately) very easy to do! Be careful!


To: ___________
From: WellsFargoCustomerSupport@gmail.com
Subject: Fraudulent Login Attempt

Good afternoon valued Wells Fargo customer.

Our customer service and security division detected a suspiction login to your account. At 11:44 PM EST yesterday evening, user "Randall Keller" attempted to transfer $380.11 to account 9e3d721f35248e8a3b6128ec0116169d. If this was you, please ignore this email. If this was not you, please confirm here: www.wellsfargo.com/secure/login and the transfer will be retracted.

Sincerely,

Nancy Green
Wells Fargo Customer Support