Web page spoofing, or phishing, is a popular technique that malicious hackers use to collect account information from unsuspecting users. It is a form of social engineering, which was discussed in Chapter 4, "Performing Social Engineering." The following steps perform one type of web page spoofing:

Step 1. Begin by downloading the website you want to spoof, using a tool such as Wget or Teleport Pro (discussed in Chapter 5, "Performing Host Reconnaissance").

Step 2. Modify the downloaded pages as needed so that they collect information, such as credit card details, from unsuspecting users.

Step 3. Host the website, preferably under a domain name similar to that of the site you are spoofing (for example, http://www.ebays.net instead of http://www.ebay.com).

Step 4. Discover the IP address of the site you are hosting and encode it as a single 32-bit DWORD written in decimal. You can ping the website or use utilities such as nslookup, dig, or host to determine the IP address. In the following example, the private address 192.168.1.1 is used as the website on an intranet. To convert the dotted-decimal address into a single, large decimal number, do the following:
- a. Take 192 and multiply it by 16,777,216 (256 cubed). This equals 3,221,225,472. Call this SEED1.
- b. Take 168 and multiply it by 65,536 (256 squared). This equals 11,010,048. Call this SEED2.
- c. Take 1 and multiply it by 256. This equals 256. Call this SEED3.
- d. Add SEED1, SEED2, and SEED3 together with the last octet (1). This equals 3,232,235,777. This is your DWORD value, which will be used to obscure the address of the website that unsuspecting users will go to. A browser accepts it because the host part of a URL may be a single 32-bit number as well as a dotted quad: http://3232235777/ and http://192.168.1.1/ reach the same server.

Step 5. Optionally, you can further obscure the page name by replacing some of its letters with percent-encoded hexadecimal ASCII codes. For example, if the page is called account.htm, you can encode the "t" in the file extension: the ASCII value of "t" is 116, which is 0x74 in hex, so the name becomes account.h%74m. Each escape is a percent sign followed by exactly two hex digits; the browser decodes %74 back to "t" and requests account.htm, but a reader of the e-mail no longer sees the file type at a glance.

Step 6. Craft an e-mail asking the user to go to your spoofed website. Instead of linking to the real site, link to the obscured address. You do this by placing the real site's name in front of the @ symbol, followed by the obscured address. Everything between http:// and the @ is the user-information field of the URL (a username for the site), so a browser that honors that field connects to whatever follows the @ and treats www.paypal.com as nothing more than a username. Following is a sample e-mail demonstrating this @ technique:

    Account System Cleanup IMPORTANT

    Dear PayPal Member,

    Due to overwhelming reports of fraudulent transactions and account abuse, PayPal now requires all active members who have an account to verify that they rightfully own it. You must click the link below and enter your email, password and reference code on the following page to verify your account. This is NOT a SCAM or HOAX. Please check your address bar to make sure you are on the authentic PayPal website.

    https://www.paypal.com/accountcleanup/ <http://www.paypal.com@3232235777/account.h%74m>

    Your reference code is: PPA-2546-5437

    You will be guided through a series of steps which will require you to enter personal information, such as credit card number and/or bank details. ALL accounts not re-verified within 5 days of receiving this email will be automatically frozen. PayPal is doing this to protect its valued members from fraud and scams. Paypal will not share your personal information with other companies and corporations.

    Privacy Policy <http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside>

    Thank you for your co-operation,
    PayPal

Within the e-mail message, the address looks correct. Even if users look at the web link (http://www.paypal.com@3232235777/account.h%74m), it appears to be a legitimate PayPal address. In reality, it takes users to your website, where you can ask them to enter their account information.

Note that current browsers no longer render this trick as described. Internet Explorer stopped accepting user information in HTTP URLs with the MS04-004 update in February 2004, and today's browsers either strip the text before the @ from the address bar or warn that the user is about to log in to 3232235777 (192.168.1.1) with the username www.paypal.com. The numeric host itself is still accepted, however, so links whose host is a decimal, hexadecimal, or octal number remain a phishing indicator worth flagging in mail filters and proxy logs.
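The following Python script is added here as a worked example and is not part of the original text. It carries out Steps 4 through 6 for the chapter's 192.168.1.1 example (the host names, IP address, and page name are the chapter's own hypothetical values) and then does the reverse job a mail filter or analyst needs: it splits the user-information field off the link, decodes the numeric host back to a dotted quad (the decimal form of Step 4, and also the 0x-hexadecimal and leading-zero octal forms that URL parsers accept), and decodes the percent-escaped page name. Nothing is contacted on the network.

```python
"""Build the obfuscated lure URL from Steps 4 to 6 and normalize it back.

Added example; all hosts, addresses and page names are hypothetical values
taken from the chapter's walkthrough, not real infrastructure.
"""
import ipaddress
from typing import Iterable, Optional
from urllib.parse import unquote, urlsplit


def ip_to_dword(dotted: str) -> int:
    """Step 4: 192.168.1.1 -> 3232235777 (SEED1 + SEED2 + SEED3 + last octet)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {dotted!r}")
    a, b, c, d = octets
    return a * 16_777_216 + b * 65_536 + c * 256 + d


def percent_encode(name: str, positions: Iterable[int]) -> str:
    """Step 5: replace the characters at the given indexes with %XX escapes.

    percent_encode("account.htm", {9}) -> "account.h%74m"  (ord("t") == 0x74)
    """
    hide = set(positions)
    return "".join(
        f"%{ord(ch):02X}" if i in hide else ch for i, ch in enumerate(name)
    )


def build_lure(decoy_host: str, real_ip: str, page: str, hide: Iterable[int] = ()) -> str:
    """Step 6: decoy name as user-information, DWORD host, percent-encoded page."""
    return f"http://{decoy_host}@{ip_to_dword(real_ip)}/{percent_encode(page, hide)}"


def numeric_host_to_ip(host: str) -> Optional[str]:
    """Decode a decimal, 0x-hex or leading-0 octal DWORD host to dotted quad.

    Returns None when the host is an ordinary name (or not a valid 32-bit value).
    """
    try:
        if host.lower().startswith("0x"):
            value = int(host, 16)
        elif len(host) > 1 and host.startswith("0") and host.isdigit():
            value = int(host, 8)
        elif host.isdigit():
            value = int(host, 10)
        else:
            return None
        # IPv4Address raises ValueError for anything above 2**32 - 1.
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        return None


def normalize_lure(url: str) -> dict:
    """Defender's view of a link: the decoy before '@', the host it really
    reaches, the decoded path, and whether either obfuscation is present."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit already drops user-information
    decoded = numeric_host_to_ip(host)
    return {
        "userinfo": parts.username,      # e.g. "www.paypal.com", or None
        "real_host": decoded or host,    # dotted quad if the host was numeric
        "path": unquote(parts.path),     # "%74" -> "t"
        "suspicious": parts.username is not None or decoded is not None,
    }


if __name__ == "__main__":
    # Constructed input: the chapter's lure, with the "t" of ".htm" at index 9.
    lure = build_lure("www.paypal.com", "192.168.1.1", "account.htm", hide={9})
    print(lure)
    print(normalize_lure(lure))
```

Running the script prints the lure and a dictionary reporting www.paypal.com as the user-information decoy, 192.168.1.1 as the real host, and /account.htm as the decoded path; a plain https://www.paypal.com/... link is reported as not suspicious, so the same check can run over every URL extracted from a message body.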