Home-made phishing attack
I wanted to see how far I could get when trying to assemble a phishing site.
First, I chose a provider, in this case Gmail. Then, I downloaded the original login site and did the following adjustments:
- I cut all the communications the site made to Google
- I changed the destination of the user and password information
- I manually added a Favicon from the provider's official icon repository
- I created a new script that receives the information sent from the login site and shows it on-screen
The finished product turned out to be a Gmail home page dangerously similar to the original, with dangerously different behaviour.
To give you an idea of how easy this part of the attack is to build, I can tell you that it took me approximately half an hour of very relaxed work.
For this to be a full phishing attack, the next step would be to deceive the user into entering the address where the site is hosted, believing they are entering Gmail's real site.
I will clearly NOT make that task easier for you, but I will leave you with the login site, which on its own is harmless.
I invite you to test the site (by entering fake credentials, obviously).
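The second adjustment in the list (changing where the user and password information goes) is the one a defender can check for mechanically: a login page that looks like the provider's but whose password form submits somewhere else. The following is an added example, not code from the post or from Google; it parses a page with Python's standard-library HTML parser, resolves every password-bearing form's action against the page URL, and flags any target whose host is not the provider's. The HTML samples, the URL `http://clone.example/gmail/` and the host list are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> on the page and note whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"action": str, "has_password": bool}
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # <input> is a void element; HTMLParser still routes it through handle_starttag
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_form_targets(html, page_url):
    """Absolute URLs that the page's password-bearing forms submit to.

    A missing or relative action resolves against the page URL, which on a
    cloned page is the attacker's host rather than the provider's.
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    return [urljoin(page_url, f["action"]) for f in parser.forms if f["has_password"]]


def suspicious_targets(html, page_url, legitimate_hosts):
    """Targets whose host is neither a legitimate host nor a subdomain of one."""
    flagged = []
    for target in credential_form_targets(html, page_url):
        host = (urlsplit(target).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in legitimate_hosts):
            flagged.append(target)
    return flagged


# Constructed samples: a cloned login page hosted on a third-party host, and a
# genuine-looking page whose form stays on the provider's domain.
LEGIT_HOSTS = {"google.com"}
CLONE_URL = "http://clone.example/gmail/"
CLONED_LOGIN = """<html><head><title>Gmail</title></head><body>
<form id="login" action="collect.php" method="post">
<input type="text" name="Email">
<input type="password" name="Passwd">
<input type="submit" value="Sign in">
</form></body></html>"""
GENUINE_URL = "https://accounts.google.com/signin"
GENUINE_LOGIN = """<html><body>
<form action="https://accounts.google.com/signin" method="post">
<input type="email" name="Email">
<input type="password" name="Passwd">
</form></body></html>"""


if __name__ == "__main__":
    print("clone  :", suspicious_targets(CLONED_LOGIN, CLONE_URL, LEGIT_HOSTS))
    print("genuine:", suspicious_targets(GENUINE_LOGIN, GENUINE_URL, LEGIT_HOSTS))
```

The check deliberately resolves relative actions: the cloned page's form uses a relative `collect.php`, which is harmless-looking in the HTML but lands on the cloning host once resolved. Matching on `hostname` rather than the raw string also defeats lookalike tricks such as userinfo in the URL (`https://accounts.google.com@clone.example/`), since `urlsplit` reports `clone.example` as the host there.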
Next provider: Facebook
Link: http://www.matiaskatz.com/gmail/

August 17th, 2010 - 11:01
Very good. You could also remove the js calls so that it doesn't throw a runtime error.
August 17th, 2010 - 11:48
it's very good (Y)
August 17th, 2010 - 15:56
Fixed the JavaScript error
August 18th, 2010 - 11:37
Very good, looking forward to the Facebook one
August 18th, 2010 - 14:05
FB comes out next week
I'm also taking suggestions for other providers
September 12th, 2010 - 05:48
A bit of JavaScript to make the capacity keep advancing, as in the original Gmail, would give it more realism.
September 14th, 2010 - 22:12
The JavaScript that performs that task was intentionally disabled to produce easily visible differences. Thanks for the feedback
November 14th, 2010 - 02:13
Nowadays jQuery is used as the phishing programming method to avoid common errors..
Watch out for XSS.. check the inputs alert(“stealer”)
Very good, regards. (by the way.. the first class was very good.. in a bit I'll send you the SMF exploits) looking forward to the second one!
November 14th, 2010 - 16:42
Federico, this is much simpler than that; it's a simple demonstration of how simple this attack is
Regards!