Phishing- A vulnerability of the gullible


Phishing attacks are the most basic and commonly used attacks against users and even huge organizations. Phishing, in short, is tricking a user or an individual associated with an organization into entering credentials into a fake web application or other confidential system so that the attacker can capture those credentials. It is a kind of social engineering attack where the attacker, masquerading as a trusted entity, dupes the victim into entering classified information. If you look at the underlying concept of phishing it looks simple and doesn't seem very effective, since anybody can identify the correct entity (website, app etc.), right? Well, the answer is kinda complicated. If you compare the phishing attacks of the olden days to the modern ones, you will see that protecting against them has become pretty complicated and tricky. Well, enough fear-mongering. Let's dive into how it takes place on the current internet, and you will find that it ain't that complicated to protect yourself against it either.

Vineet Nair, CTO,
Humble Fox Studios

Understanding a Phishing Attack:

Alright, since we now know the definition of a phishing attack, let's understand how it is used in a modern-day scenario. Let us take the example of a social networking site, facebook.com, because everyone uses Facebook, right? Suppose I want to get into a person's Facebook account via a phishing attack. The first thing I would do is look at the official webpage of Facebook. The original one looks like this.

Well, now all I have to do is replicate the webpage in a way that mimics the same user interface. I can simply clone the entire HTML, or I can find a phishing page template of Facebook online. WAIT WHAT? ONLINE? HOW'S THAT POSSIBLE? Well, I am glad you asked. Phishing in general is not used only for nefarious purposes. It's also used by penetration testers, law enforcement (federal honeypots) etc. to catch criminals, find weak spots in organizations and so on. That's why a lot of templates exist, and cloning a webpage or making something that looks exactly like Facebook is not in itself illegal. Alright, with that explanation out of the way, let's proceed to creating this phishing page. Once I get hold of the frontend of the webpage, I can simply write a backend script (with PHP, Node.js) and send the information to my end.

Well, that's all fine, but if you think about it carefully we still need to bring this page up on the internet so that I can send it to the person whose credentials I want. So we still need to choose a hosting provider and a domain. Now we obviously can't get a domain like facebook.com, fb.com etc. So we need to create a domain which isn't too suspicious. We will take the domain facebookcom.000webhost.com.

Once that's sorted out we can send this to anyone, and they might confuse it with the real one and enter their credentials. I know this is still a bit technical, but this example explains how a phishing attack takes place and how a phishing page is created and sent to people.

Since we are still on the topic of understanding the workings of a phishing attack, there's one more very commonly used phishing technique. It is known as spear phishing. This type of attack is geared towards a specific individual, organization or business. It involves sending malicious and fraudulent e-mail and luring the recipient into revealing confidential information. Even though it's mainly used to get credentials, attackers tend to install malware on the victim's computer as well. I won't be covering spear phishing this time, but it's still something worth mentioning.

Alright enough about the attacking mechanism, let us discuss the methods to protect against such things.

The two screenshots below show the Facebook website on two different domains.

Detecting Phishing Links and Protecting against Them

Well, if you have been reading carefully, the one thing we could not replicate when creating the phishing link was the domain. Since we can't get the domains officially used by Facebook, like facebook.com, fb.com etc., the domain is going to be the best defense we have against phishing attacks.

Notice the URL bar of the browser (the box that shows the website domain, i.e. facebook.com). The first screenshot shows the domain "facebook.com" and the second shows "facebookcom.000webhost.com". If you assess this carefully you will find that facebook.com is the original domain, controlled and managed by Facebook Inc. If you're unsure which domain is the proper Facebook domain, do a Google search for "facebook" and click the Facebook login result. This is the best defence against a phishing attack: it isn't technical and doesn't require much time.

But since domains and URLs can sometimes get complicated to look at, let's discuss a few things that make phishing detection a bit more efficient and faster. If you look at the red highlighted section in both images, you will see that both browsers highlight (the white glow) the important part of the entire domain. Firefox goes a step further and highlights only the important part of the domain, i.e. google.com. Since google.com is a verified domain managed by Google, subdomains like docs.google.com, drive.google.com etc. are authorized Google websites. So detection becomes much easier.

But what about mobile phones? How do they handle this? Let's look at an example of that too, examining the images from left to right. The leftmost image is a screenshot of the Brave browser running on Android; you can see that the domain in the URL bar is clearly highlighted. The same holds true for the second image, a screenshot of Google Chrome, and the last one, the Opera browser, all running on Android 11. In short, all of them implement this mechanism to help you identify whether the domain belongs to the actual company or not. This is one of the best mechanisms to prevent a basic phishing attack.

It doesn't stop here, though. New kinds of phishing systems arise depending on which organization is being phished and who the target is. Some of them can even detect 2FA (Two Factor Authentication), and some impersonate a fake service that connects to your accounts (for example, a game on Facebook that requires you to log in via Facebook).

Conclusion:

So basically the main defence against any phishing attack is to stay vigilant whenever an application or website asks you for confidential information like passwords, credit card numbers etc. As long as the website or application originates from the proper company or vendor, it's safe to say that it is not a phishing instrument.
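As an added example (not part of the original article), here is a small Python check that does by hand what the browser's URL-bar highlight does for you: it pulls the registrable domain out of a link and compares it with the brand's official domains, so facebookcom.000webhost.com is reported as belonging to 000webhost.com, not Facebook. The PUBLIC_SUFFIXES set is a constructed stand-in for the Public Suffix List a real tool would load, and the trusted-domain table and sample links are constructed for the demonstration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real checker
# would load the full list). A public suffix is a name under which anyone can
# register, so the label just left of it is what the browser highlights.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed allowlist: registrable domains that really belong to each brand.
TRUSTED_LOGIN_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "google": {"google.com"},
}


def registrable_domain(url: str) -> Optional[str]:
    """Return the highlighted part of the host (public suffix plus one label).

    docs.google.com -> google.com, facebookcom.000webhost.com -> 000webhost.com
    """
    if "://" not in url:            # bare host pasted from a message
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.rstrip(".").lower().split(".")
    # Walk from the longest candidate suffix to the shortest; the first hit
    # is the public suffix, and we keep exactly one label in front of it.
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return None                     # host is itself a public suffix or unknown


def check_login_link(url: str, claimed_brand: str) -> Tuple[bool, str]:
    """Is a link that claims to be `claimed_brand`'s login page really hosted
    on one of that brand's registrable domains?"""
    domain = registrable_domain(url)
    if domain is None:
        return False, "could not determine the registrable domain"
    if domain in TRUSTED_LOGIN_DOMAINS.get(claimed_brand, set()):
        return True, f"{domain} is an official {claimed_brand} domain"
    return False, f"{domain} is not an official {claimed_brand} domain"


if __name__ == "__main__":
    # Constructed sample links of the kind shown in the article's screenshots.
    for link in ("https://www.facebook.com/login",
                 "https://facebookcom.000webhost.com/login.php",
                 "https://login.facebook.com.evil.co.uk/"):
        print(link, "->", check_login_link(link, "facebook")[1])
```

The same logic explains why drive.google.com passes for Google while a long host that merely contains "facebook.com" somewhere in the middle does not pass for Facebook.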