May 16, 2012

Attacking the attackers; offensive defense

Most people are aware of the phishing emails that land in their inbox. The usual passive response is to ignore them; people who are unaware of the threat, however, will blindly type their credentials into a fake login box and have their accounts compromised later. The technical details of how the passwords are collected are as follows:

  1. The person enters their credentials into the fake site.
  2. Once the page is POSTed to, it either refreshes back to the same page (which makes the user suspicious) or redirects to a website of the attacker's choice. That website is sometimes the legitimate one, so the person can log straight back into the real service once the credentials have been collected.
  3. In between those two steps, the usernames and passwords are either sent to the attacker by email (one email per submission) or stored in a database.

So the weakness of these phishing schemes is, of course, no validation (or very little) of what gets submitted. These attacks focus on collecting as many usernames and passwords as possible and ignore everything else, which, as any programmer knows, is not a good way to go about things. This is where attacking the attackers comes in.

So you collect passwords in a database or email? Ok. Let’s just give you thousands of username/password combinations a minute and see how you fare.

For the example phishing email, I present this email that was recently sent to me:

Welcome to Eastern Washington University
Dear User,

This is to inform you that your mailbox Has exceeded Its storage limit/quota as set by the web
administrator, and you will not be able to receive or send new mails until you
Re-validate Your Account Please click on the link Below;

Re-validate Your Account (link disabled)

Thanks For Your Co-operation.
Eastern Washington University Security Team

Cool. So I have a URL to go to, and I follow it to the fake login page, which looks exactly like the login page of my email (the generic Office Outlook page shown below).

I took a look at where the data is being posted to (since the page itself was just an HTML duplicate of the sign-in page) to find this:

<form action="mail.php" method="POST" name="logonForm" autocomplete="off">

So the form was posting to “mail.php”, which was obviously just a collector that sent the username and password from the form on to a certain email address. Ok, so what were the login input IDs?

<td class="txtpad"><input id="username" name="username" type="text" class="txt"></td>
</tr>
<tr>
<td nowrap><label for="password">Password:</label></td>

<td class="txtpad"><input id="password" name="password" type="password" class="txt" onfocus="g_fFcs=0"></td>
</tr>

Sweet, so the username field is just username and the password field is just password (the input name attributes). Now for the fun part: write a Python program that POSTs continuously to the collector to flood their database/email with false info. The example I made was not very sophisticated, as it sent the same username and just random numbers as passwords, but you can change it as you like. Very easy code:

import urllib2, urllib, random

# Python 2 (urllib2). The username is fixed; a fresh random password is
# generated on every request so that each submission looks different.
username = "achernikov@ewu.edu"
while True:
    password = random.randint(1, 999999)
    data = urllib.urlencode({'username': username, 'password': password})
    # POST straight to the collector script named in the form's action attribute
    urllib2.urlopen("http://thephishingwebsite/mail.php", data)

The result after running it? Just about an hour later, the mail.php script was removed from the server hosting the phishing site for one of two reasons:

  • The host realized that thousands of emails were being sent per hour
  • The attacker got annoyed by the attack

The second result? The attacker can no longer collect information from unsuspecting or naive users. Mission accomplished.

Update: On a second look at the website, it was actually a legitimate website that had been hacked (most likely someone not updating their server). No matter, the threat is gone either way.
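Finding the collector endpoint and the field names the way the post does above (reading the form's action attribute and the input name attributes) is easy to automate when triaging a phishing page. This is an added example, not code from the original post: it parses a constructed copy of the quoted form markup with Python's standard-library html.parser and reports the absolute collector URL, method and field names; the page URL http://phishing.example/login.html is an assumed placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: the form and input tags quoted in the post, wrapped in a minimal table.
SAMPLE_HTML = """
<form action="mail.php" method="POST" name="logonForm" autocomplete="off">
<table><tr>
<td class="txtpad"><input id="username" name="username" type="text" class="txt"></td>
</tr><tr>
<td nowrap><label for="password">Password:</label></td>
<td class="txtpad"><input id="password" name="password" type="password" class="txt" onfocus="g_fFcs=0"></td>
</tr></table>
</form>
"""

class FormExtractor(HTMLParser):
    # Collects every <form> with its action, method and the <input> fields inside it.
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes such as nowrap map to None
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "GET").upper(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"name": a.get("name") or "",
                                            "type": (a.get("type") or "text").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def extract_forms(html):
    parser = FormExtractor()
    parser.feed(html)
    parser.close()
    return parser.forms

def credential_forms(html):
    # Only forms that carry a password field matter when triaging a phishing kit.
    return [f for f in extract_forms(html) if any(i["type"] == "password" for i in f["inputs"])]

def collector_summary(html, page_url="http://phishing.example/login.html"):
    # Absolute collector URL, HTTP method and submitted field names, e.g. for an abuse report.
    return [{"collector": urljoin(page_url, f["action"]), "method": f["method"],
             "fields": [i["name"] for i in f["inputs"] if i["name"]]}
            for f in credential_forms(html)]
```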

Well howdy there

Welcome to the official web blog of Alex Chernikov…sorta. The official blog of a faculty member of EWU named Alex Chernikov is more like it. Nothing here for now, but will update…within a month…stay tuned, or not.
