Phishing

A practical case study

What is phishing?
Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details etc) by masquerading as a trusted entity.

The sites
www.noodlebank.com (i.e NOODLEBANK.com) www.nood1ebank.com (i.e NOOD1EBANK.com)

The real site

The spoofed email

The spoofing
The link appears as www.noodlebank.com (i.e NOODLEBANK.com)

But actually it links to www.nood1ebank.com (i.e NOOD1EBANK.com)

The fake site

The steal
When Debasis entered his usernamepassword at the spoofed website, the username-password was sent across to the criminal carrying out the phishing attack. In this case study the username-password is sent across to a spamavert email address so that it can be seen by everyone trying out this case study.

More examples
In this case study, the user was enticed with a misleading URL. Such urls can be created easily using simple html code such as:
<a href=http://www.nood1ebank.com> http://www.noodlebank.com</a>

This link displays the correct url but on clicking takes the user to the spoofed url.

Using a url with an ip address

http://www.NOODLEBANK.com@67.19.217.53 This url does not lead to noodlebank.com, it leads to the website on the IP address 67.19.217.53

Using a split domain name

http://www.NOODLEBANK.com.securitycheck.se cure-login.nood1ebank.com/login.asp This url does not lead to noodlebank.com, it leads to the spoofed website.

Using an obfuscated url

http://www.NOODLEBANK.com%00@%36%37% 2e%31%39%2e%32%31%37%2e%35%33 This url does not lead to noodlebank.com, it leads to the website on the IP address 67.19.217.53

Hex to ASCII converter

http://www.dolcevie.com/js/converter.html

Useful urls
To try out the genuine website: http://www.noodlebank.com To try out the spoofed website: http://www.nood1ebank.com

To see the usernames-passwords being stolen

http://spamavert.com/mail.php?alias=noodlebank_com