Transparent Phishing?

[Andrei0427]

I was playing around with a phishing script I had made some time ago with PHP and noticed that the www.facebook.com AND facebook.com are treated differently with ettercap's DNS_SPOOF filter. So I setup the script to forward to www.facebook.com whist having the DNS spoofed on facebook.com only. This will cause an automatic redirection to the user's real profile.

This only works if the victim types "facebook.com" in the address bar, so the probability of this working is slightly slimmed down. Obviously this will only work if the user has a 'remember me' ticked on the computer beforehand, which is mostly the case.

Heres a vid. demo..

I can post the source/method here upon request :)

Edited March 6, 2012 by Andrei0427

[CanadianTaco]

I was playing around with a phishing script I had made some time ago with PHP and noticed that the www.facebook.com AND facebook.com are treated differently with ettercap's DNS_SPOOF filter. So I setup the script to forward to www.facebook.com whist having the DNS spoofed on facebook.com only. This will cause an automatic redirection to the user's real profile.

This only works if the victim types "facebook.com" in the address bar, so the probability of this working is slightly slimmed down. Obviously this will only work if the user has a 'remember me' ticked on the computer beforehand, which is mostly the case.

Heres a vid. demo..

http://youtu.be/-2bUyb7FGQQ

I can post the source/method here upon request :)

Youtube video:

"This video contains content from WMG, who has blocked it in your country on copyright grounds.

Sorry about that."

Also, I was wondering if it would work if the user uses https?

[Andrei0427]

Wow, already taken down.. Ill reupload with no music.. one sec

Edit: It shouldnt matter, your victim is entering his credentials using your non-HTTPS page then redirected to the real facebook

Edited March 6, 2012 by Andrei0427

[Drewdroid]

Wow, already taken down.. Ill reupload with no music.. one sec

Edit: It shouldnt matter, your victim is entering his credentials using your non-HTTPS page then redirected to the real facebook

To bypass the "savvy" users that check for SSL you could possibly integrate an SSLSniff proxy which will dynamically generate certs for all requested domains, but most will notice the alert for the cert validity too.

[Andrei0427]

Video is reuploaded, Ill try play around with that SSLSniff, I thought SSLStrip's favicon would be enough to bypass the security conscious.

[Drewdroid]

That works slick! I think the https: would clinch it but it looked and acted good from watching the video. The only issue I could see would be any systems that cached the DNS for Facebook prior to connecting to you but chances are they would already have logged in so I suppose it would be a missed attempt either way. Have you attempted that with a profile that uses the location aware feature (aka IP address block check for new locations)? I can't see it being an issue if you're tying into the same ISP connection but it might be if they're being routed through a wireless modem such as the USB 3g or 4G.

[Andrei0427]

The only issue I could see would be any systems that cached the DNS for Facebook

Most of the time yes, it would be cached but if the client has just connected to the network it would refresh the DNS server with your spoofed one. <I imagine you would have this pre-configured with the pineapple>

Have you attempted that with a profile that uses the location aware feature (aka IP address block check for new locations)?

EDIT:

I noticed what you meant with the IP block, that account isn't mine but he logged in from a local network I was in so this didn't matter really :P

Indeed I have and it still works! Facebook probably uses the GeoLocaction of an IP rather than the block to track it, would be a pain to reset your password if you log in from a different ISP but within the same region.

-------------------------------------------------------------------

Im thinking of adding that SSLSniff you mentioned to the log in page to add more validity to it, although its up to the victim to enable SSL on his profile. The only obvious give away is the ping.. I guess theres no way to escape it..

Glad you found it useful :)

Edited March 6, 2012 by Andrei0427

[Drewdroid]

If you don't mind posting the code you're using I'd like to play around with it a bit. I just uploaded the new firmware, reset my password and already have "customers" showing up. Might as well do something interesting with them since they're using my "ISP." :D

[Andrei0427]

Note: Since I do not have my pineapple yet, I only can help so much as to websever setup.You probably can use the steps from the RockRolling Pineapple episode to setup the redirection. This is what I did on a laptop running Backtrack:

EDIT: Kinda looks shit on all browsers other than Chrome :/

1) Place contents of: http://www.mediafire.com/?o1t637acat6a116 into /var/www/

2) Append dns_spoof for ettercap with:

facebook.com A webServIP

3) Start up webserver: service apache2 start

4) Run arpspoof <arpspoof -i wlan0 192.168.1.254(GW IP)>

5) Run ettercap with:

ettercap -Tqi wlan0 -P dns_spoof

NB: The etter_dns file will need some searching to find, for some reason it changed when I upgraded distro but its in

/usr/local/share/ettercap/etter.dns

I apologize once again for not being able to provide instructions for the pineapple, although once I learn how to do this on it ill post the new instructions :)

Edited March 6, 2012 by Andrei0427

[Drewdroid]

Awesome, no worries, I take notes as I'm playing around and post them for the Mark IV unless someone beats me to the punch. Unfortunately I just found some scripting ideas I want to take a look at for automating the web traffic capturing and sorting.

[Andrei0427]

Sure, would save me some time too to figure it all out, Id also love to see other ways to implement this :)

Thanks