Tuesday, July 20, 2010

Learn phishing using Google Pages

Phishing Tutorial using Google Pages
Here is a small tutorial on how you can trick your friends and get their gmail or Google username and password.
The entire technique demonstrated here is technically called as phishing. In computing, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card information. It is infact a crime to trick and get personal sensitive information using phishing.
I am using Google Pages to demonstrate how phishing works. The bad news is that Google Pages does not accept new signup as of now. If you already have an account over there then you can just consider yourself lucky.
Since we are using Google pages, it is obvious and common sense to use something relevant to Google so that users believe that they are actually being asked some information by Google. We will create a login page exactly you see at pages.google.com to capture user password. Since the user is on Google Pages, and he see’s a Google Pages login page, he will trust it. This is all required to make the user actually believe that he or she is on a web page that is not new to her. This is an important aspect while implementing phishing
Before we begin, I must tell you that you must know a web programming language, plus you must have web space where you can host your code. I used asp.net to create a login page that looks exactly like the one at pages.google.com, except for the text written in the yellow strip.
Let us begin now
Step 1: Go to pages.google.com and login using your Google account.
Step 2: We are going to create two web pages. The page we are creating now will host your personal information and photographs from some trip or anything that you think will interest your friends. This is the page your friends will see after they login through the fake page that you create later in step 3. So, click on Create a new page link to create a page. Lets assume that you create a web page with name “My NASA visit” as I have some pics of my NASA visit. Upload your photographs on it so that your friends believe that you actually went on a visit. Publish this page and save the link. In my case, the link is http://xxxxxxx.googlepages.com/mynasavisit
Step 3: Create another web page. Give this page title “NASA visit” or a name which looks something close to what we created in step 2. This is because the user will be redirected to the page created in step 2 after he logs in from this page we are creating now and he/she shouldn’t feel the change. Once you are on the Page Creator page, click “Change Look” to change the look of the web page.
Step 4: On the “Choose Look” page, select the Micro Ghost template.
Step 5: Now change the text color of the text “Google Pages” to white color so that it becomes invisible. Select the text and use the text color option in the toolbar to set white color.
Step 6: Now you need your web programming skills to create a login page that looks like the one at pages.google.com. You may change the text in the yellow strip to something like “Please authenticate yourself to view the Published Page”. While you design the page, you will have to take care of using labels or panels or images with white background which will cover the highlighted gray area. Host this page on a different server
On the Google page that we created in step 3, click on the “Click here to enter your page’s main content” and enter a iframe code to give a reference to your web page that you created which looks like the login page.
For example,
Now publish your page and it should something like this.
This is a snapshot of the page that I have created. Note that I have blurred out my name from the page. Notice the text in yellow is different from what you see at pages.google.com
Important Read it:
It takes some time to create the page UI but is worth tricking your friends. Make sure you redirect the user after he clicks Sign In button to the web page created in Step 2. The user will feel that he has passed authentication. You can capture the username and password and mail it to your email account. Also, use basic validation on username and password like minimum length, etc to give it a real look. Again, use a cookie to check if the user is entering username and his password for the first time. If yes, send a Google style message saying invalid credentials and ask the user to re-enter the credentials. Also, he links that you see on the page are all working and pointed to actual Google pages. This is all to give a real look and to trick those who are suspicious about the page ;)
So, we have something to learn from here
  • You learnt what is phishing with an example using Google Pages
  • Important learning is that you should not click on any link that your friend might send you. Most of the times, it is the closer dearer ones who trick you to get your username and passwords
  • Don’t provide your username, password on websites you visit for the first time and you don’t know what they exactly offer.
  • To be on safe side, create a dummy of fake email account on gmail, yahoo with passwords that you don’t use anywhere else. So, in worst case you will loose a email account but your other personal accounts will be safe