wilo300zx

Identity Theft - Phishing - Uni Assignment

3 posts in this topic

This is purely an experiment to demonstrate as part of my 'Identity Theft' presentation. By no means will any of this code/script or any materials be available to the general public.

I am currently studying a Bach of I.T. at Uni this year, and our current topic on 'user information and storage - identity theft' has me thinking. We have to give a presentation on identity theft and how human society can be manipulated and/or exploited for a predetermined outcome.

I was going to talk about social engineering using phone calls/emails etc., relating to the likes of Kevin Mitnick, but then I thought about the idea of phishing.

Phishing is a combination of social engineering and human carelessness.

So I thought I'll show, in person, how a common social networking website like Facebook and its millions of users can be exploited through their incompetence and laziness.

I did some research and got a rough picture in my head of where I was going with this, and whether this could be done within reason at all.

In theory the page should operate similar to this:

http://my.opera.com/coxy/blog/2007/11/24/f...k-phishing-scam

I also want to be able to hand-craft an email to look and act like a legitimate email from Facebook. So the test subject will receive an email from facebook.com with "some kind of notification".

So I think this is how someone could go about this:

1) Create a fake Facebook domain; something like: http://www.facebook.com/au/login.php/somephpidstring.

2) Capture the current PHP login page from Facebook and duplicate it on my own domain.

3) Create an https page for fake authentication.

4) Set up some kind of database or back-end logging script to record the data submitted into the login script.

5) Create some .htaccess redirect to submit the user's input directly into the legitimate Facebook and complete the rest of the login process.

6) Test the login process.

7) Forge a sample email claiming to be from "facebook.com" with some kind of notification: "person x has commented on your photo... etc etc".

8) Ensure the email appears to be from Facebook using their legitimate domain etc.

Am I on the right track with this? Note: this is all "hypothetically speaking".

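The two lures the post relies on (a link that merely contains "facebook.com" somewhere in it, and a notification mail whose From: header claims facebook.com) each leave a trace a defender can check. The following is an added example for readers of this thread, not code posted by anyone in it: two standard-library Python checks that classify a link by its real host rather than by the text it shows, and that compare a mail's From: domain with its envelope sender in Return-Path. The sample URLs and message are constructed for the example; nothing here is taken from a real mail.

```python
"""Defensive checks for the lures described in the thread (added example,
not from the original post). Standard library only."""
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

LEGIT_DOMAIN = "facebook.com"


def host_is_legit(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True only if host IS the legit domain or a proper subdomain of it.
    'facebook.com.example.net' ends with '.example.net', so it fails."""
    host = host.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def classify_url(url: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return 'legit', 'lookalike' or 'unrelated'.

    A lookalike is a URL whose real host is not the legit domain but whose
    host, userinfo, path, query or fragment still carries the brand name,
    which is how a '.../facebook.com/au/login.php/...' style link on a
    foreign host would read to a careless user."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host_is_legit(host, legit):
        return "legit"
    brand = legit.split(".")[0]  # 'facebook'
    visible = "".join([parts.username or "", parts.path, parts.query,
                       parts.fragment]).lower()
    if brand in host or brand in visible:
        return "lookalike"
    return "unrelated"


def sender_check(raw_mail: str, legit: str = LEGIT_DOMAIN) -> dict:
    """Parse a raw RFC 822 message and compare the domain shown in From:
    with the envelope sender recorded in Return-Path. A From: that claims
    the legit domain while the bounce address points elsewhere is the
    classic sign of a forged notification."""
    msg = message_from_string(raw_mail)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    rp_dom = return_path.rpartition("@")[2].lower()
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "claims_legit": host_is_legit(from_dom, legit),
        "mismatch": from_dom != rp_dom,
    }


# Constructed sample message: From: claims facebook.com, bounces elsewhere.
SAMPLE_MAIL = """\
Return-Path: <bounce@mail.example.net>
From: Facebook <notification@facebook.com>
To: victim@example.org
Subject: Person X commented on your photo

Someone commented on your photo. Click here to see it.
"""

# Constructed sample links, one per class.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://www.example.net/facebook.com/au/login.php/somephpidstring",
    "http://facebook.com.example.net/login",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_url(u):10s} {u}")
    print(sender_check(SAMPLE_MAIL))
```

The URL check deliberately trusts only the parsed host: the brand name appearing in the path or as a leading label of some other domain is treated as a warning sign, never as evidence of legitimacy. The mail check is the cheapest header comparison available offline; on a live mail server the same idea is what SPF and DMARC alignment formalise.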

Yea, you are on the right track. When I was just tinkering around with phishing I just took a snapshot of Facebook and added a username and password box with a simple PHP script that would email me the password and redirect them to the real Facebook. That is the cheap/quick method.


The scam you have theorized occurs quite often. And I mean often.
