How I exploited the situation to phish participants of a competition!!
Tinkering brain of mine always keeps me busy with something. There was an announcement in March of 2016 at a local engineering college (pretty famous one) about the IET India Present Around The World (PATW). There was a set of screening rounds and one was in the city Hubli. The topics were open and obviously constrained around technology itself. I thought of giving a talk on browser security. I believe in practical experience rather than just talks, so I took the talk one step further than other participants and planned on demonstrating one of the most popular hacks — phishing.
OK, now let's get to the playground.
A day before the main event. At around 7pm I sat in front of my old laptop at my friend's place and started planning out a way to conduct a successful and clean phish, and decided to let in users from Facebook and Google and to not store any of their passwords (I swear I am clean on this). I wanted to come clean the next day, so I didn't give much importance to my identity; almost all the services I used, like Gmail, Heroku etc., were verified.
A successful phish always depends on how appealing (you might call it deceiving) your approach is. I had a situation already in place: folks were under extreme stress about the next day's event and the email discussions were on fire. blah blah blah… (I will give a reference to it later). So I thought of sending them a carefully crafted email from an email address which seemed very authentic and similar to the event coordinator's email.
This is the exact email that I had sent to all the participants, and I sent one to myself.
Dear participant, We request you to register yourself here so that you can manage your dashboard of all talks that you make. You will be getting an unique id after registration which will be needed for further process on the day of event. Register within 12:00pm 10/3/2016 You can register here Regards, Team PATW
Now I went on to set up the fake pages. Saved the IET landing page, wrote some PHP scripts to log the incoming details and modified the pages to the below view.
Then had a redirection after they clicked on register with Google to here (the image below).
I left a few extremely doubtful things onscreen, like the dual input fields in the page, whereas Google has a different flow. Then when the user typed in content and hit submit, the data was pushed to the server and saved into a file (JUST THE EMAIL AS I WANTED TO KNOW WHO WERE THE ONES) and then they were taken to the same landing page with a status now saying “site under maintainence please come back later”.
This routine was the same with the Facebook signup too.
Hosted this thing on Heroku (it's so easy to get started). Everything was set and I tested it out with my friend's email.
Now came the real swing. It was around 8 o'clock and I sent the emails to the list of 60 students who were participating the next day and shut the laptop for half an hour. Played around a little, and by the time I opened my laptop again the file was filled with around 10 emails and I was like thank god I got something to speak about tomo ;P and then it kept on filling till it reached around 32 users or so. I got all that I needed, so I just shut the whole thing down, deleted my accounts and wiped clean after an hour. I am sure that if I had continued for some more hours everybody would be on that list.
Then I sent this email, so that people won't freak out. I am a sweet potato, right??
We request you to excuse us for the problem. You can register yourself later as there is some problem with the site. Regards, Team PATW.
Followed by this
Dear participants, We are sorry for the inconvenience caused. There is no need of any registration to the event you can directly attend the event tomorrow. Lunch and breakfast will be available, be present at 8:30 AM, Thank you, Best of luck. Regards, Team PATW
I was ready with full confidence about my talk the next day. The event coordinators were flooded with emails. The next day things got a bit serious and participants seemed worried about it, so I went down to a coordinator that I knew over there and explained the situation to her, and that it was me and that I had done it just to demonstrate. I was asked not to tell anyone and to just go with my plan. I was like ok cool.
After the routine things the event started. I started my presentation with all the normal things in order at first and then explained the phishing attack and how I carried it out. There was some disturbance in the crowd when they got to know about this.
Of course I was selected for the next round that took place in Bangalore, but what people missed over here was that it's their mistake or negligence that fools them into doing something like this. Although everybody knows how to handle these kinds of situations nowadays, nobody takes them seriously.
It's hard to find loopholes in a computer but it's too easy to find one to exploit in humans.
Key things the participants missed out
— Domain name of the fake website (patw.herokuapp.com)
— Email address was suddenly changed from the routine email address the team used.
— The design flaws in the Google/Facebook login pages.
— Or mainly the lame idea of suspicious registration :D
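The first two items in that list can be checked mechanically before a message reaches a reader. The sketch below is an added example, not code from the original post: it flags a sender that differs from the routine address and links that point at a shared-hosting subdomain. Only patw.herokuapp.com comes from the post; the addresses, the organiser domain and the 0.8 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed values for this sketch. Only patw.herokuapp.com comes from the post;
# the addresses and the organiser domain are constructed placeholders.
KNOWN_SENDERS = {"patw-team@events.example.org"}
TRUSTED_LINK_DOMAINS = {"events.example.org"}
SHARED_HOSTING_SUFFIXES = (".herokuapp.com",)  # anyone can register a subdomain

def check_message(sender, body):
    """Return warnings for one message, based on its sender and its links."""
    warnings = []
    sender = sender.strip().lower()
    if sender not in KNOWN_SENDERS:
        closest = max(SequenceMatcher(None, sender, known).ratio()
                      for known in KNOWN_SENDERS)
        if closest >= 0.8:
            warnings.append("sender resembles the routine address but is not it")
        else:
            warnings.append("sender is not the routine address")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if host.endswith(SHARED_HOSTING_SUFFIXES):
            warnings.append(f"link host {host} is a shared-hosting subdomain")
        elif not any(host == d or host.endswith("." + d)
                     for d in TRUSTED_LINK_DOMAINS):
            warnings.append(f"link host {host} is outside the organiser's domain")
    return warnings

# Constructed sample messages.
SUSPICIOUS = ("patw.team@events-example.org",
              "Register within 12:00pm at http://patw.herokuapp.com/ to get your id")
ROUTINE = ("patw-team@events.example.org",
           "Schedule: https://events.example.org/schedule")

if __name__ == "__main__":
    for sender, body in (SUSPICIOUS, ROUTINE):
        print(sender, check_message(sender, body) or "no warnings")
```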