
Identity Theft - Phishing - Uni Assignment


2 replies to this topic

#1 wilo300zx

wilo300zx

    DDP Fan club member

  • Members
  • 43 posts
  • Location:Australia

Posted 30 May 2009 - 11:48 PM

This is purely for experiment to demonstrate as part of my 'Identity Theft' presentation - by no means will any of this code/script or any materials be available to the general public.

I am currently studying Bach of I.T at Uni this year and our current topic on 'user information and storage - identity theft' has me thinking. We have to give a presentation on identity theft and how human society can be manipulated and/or exploited for a predetermined outcome.

I was going to talk about social engineering using phone calls/emails etc. relating to the likes of Kevin Mitnick, but then I thought about the idea of phishing.

Phishing is a combination of social engineering and human carelessness.

So I thought, I'll show, in person, how a common social networking website like Facebook and its millions of users can be exploited through their incompetencies and laziness.

I did some research, got a rough picture in my head of where I was going with this and whether, if at all, this could be done within reason.

In theory the page should operate similar to this:
http://my.opera.com/...k-phishing-scam

I also want to be able to hand craft an email to look and act like a legitimate email from Facebook. So the test subject will receive an email from facebook.com with "some kind of notification".

So I think this is how someone could go about this:

1) Create a fake Facebook domain; something like: http://www.facebook....somephpidstring.
2) Capture the current PHP login page from Facebook and duplicate it on my own domain.
3) Create an https page for fake authentication.
4) Set up some kind of database or back end logging script to record the data submitted into the login script.
5) Create some .htaccess redirect to submit the user's input directly into the legitimate Facebook and complete the rest of the login process.
6) Test login process.
7) Forge a sample email claiming to be from "facebook.com" with some kind of notification: "person x has commented on your photo... etc etc".
8) Ensure the email appears to be from Facebook using their legitimate domain etc.

Am I on the right track with this? Note: this is all "hypothetically speaking".
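The lookalike domain described in step 1 is exactly what a mail gateway or a classroom demo of user awareness should be able to flag. The check below is an added example for that defender-side view, not code from the original thread; it assumes facebook.com is the brand's only legitimate registrable domain and uses a last-two-labels heuristic instead of the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: the only legitimate registrable domain for the brand under discussion.
LEGIT_DOMAINS = {"facebook.com"}
BRAND = "facebook"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'facebook.com'.

    Heuristic only: real gateways consult the Public Suffix List so that
    names like 'example.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """Classify a link relative to BRAND.

    'legit'     - registrable domain is one of LEGIT_DOMAINS
    'lookalike' - brand name appears in the host or path, but the
                  registrable domain is something else (step 1 of the post)
    'unrelated' - brand name does not appear at all
    """
    parts = urlsplit(url)
    host = parts.hostname or ""   # urlsplit lowercases the hostname
    if not host:
        return "unrelated"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if BRAND in host or BRAND in parts.path.lower():
        return "lookalike"
    return "unrelated"


# Constructed sample links (documentation/example addresses only).
SAMPLE_LINKS = [
    "https://www.facebook.com/login.php",              # legit
    "http://www.facebook.example.net/somephpidstring", # brand as a subdomain
    "http://facebook.com.example.net/login.php",       # brand plus real TLD, still a subdomain
    "http://203.0.113.5/facebook/login.php",           # bare IP, brand only in the path
    "https://example.org/",                            # unrelated
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):10s} {link}")
```

The same registrable-domain comparison applies to the sender address in step 8: a From header that merely contains the word "facebook" is not the same as mail authenticated for facebook.com.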

#2 phasma

phasma

    Hakker addict

  • Members
  • 527 posts
  • Gender:Male
  • Location:Pennsylvania

Posted 31 May 2009 - 12:47 AM

Yea, you are on the right track. When I was just tinkering around with phishing I just took a snapshot of Facebook and added a username and password box with a simple PHP script that would email me the password and redirect them to the real Facebook. That is the cheap/quick method.

#3 totallyAunti

totallyAunti

    Mack Daddy 31337

  • Members
  • 209 posts
  • Gender:Male
  • Location:nubie-ville (somewhat new to internet, watch out)

Posted 31 May 2009 - 08:13 PM

The scam you have theorized occurs quite often. And I mean often.