Old but a New Age Weapon
Author: Avinash Singh
Avinash is Technical Evangelist.
B.Tech from Punjab Technical University
He holds the following certifications in the field of Ethical Hacking & Information
SecurityAppin Certified Ethical Hacker (ACEH), Certified Penetration Testing Expert (CPTE).
He has also done training in the field of Network Security, which includes IDS (Intrusion
Detection Systems), Firewalls and Honeypot Technology.
He is also trained in other fields such as Linux, Microsoft Certified IT Professional (MCITP),
Firewall and CISCO Certified Network Associate.
He is also the admin and lead author at TechSpectrum.in (Blog).
He has a total experience of around 2 year in the field of Training and Security, and has
successfully conducted more than 60 workshops and training programmes till now all
over india covering more than 2500+ students.
In simple words, phishing is a fraudulent attempt to steal your login credentials or any of your
private information and it is growing rapidly.
Look at the following examples:
We need to verify your bank credentials please click on the following and verify your credentials
on the page that follows.
The link is www.c1tibank.com.
I just added some new cool pics of mine, hope you like it, please click on the link below and
Many a times you get these kind of mails and mostly without thinking much we click on the link
which takes us to a login page whether it be a page of your bank ,your email provider or your
favourite social networking website. You put your credentials there and error occurs or simply
you cant login in one go.
Have you ever realised what happened in the background, your id and password was sent to
some other place or you can say it has been revealed i.eHACKED.
Now, you must be wondering what is all this or how all this is happening???
Here is the answer, take a close look at the address provided in both the mails above, in Mail 1 it
is www.c1tibank.com instead of www.citibank.com. Just in place of I there it is written 1.
In Mail 2, the link provided is http://www.0rkut.com , there is a 0 (zero) in place of ‘o’.
This means that these are not the links of your bank of your social networking website but the
thing is that it takes you to a webpage that looks exactly similar to the original one, this is the
fake page that has been designed by some attacker to steal your login credentials or your private
information. These fake pages can ask you for various types of information like your personal
information, credit card numbers etc and are really convincing and make you reveal your
personal info. Most of the times you cant really make out the difference between the fake page
and the original page by simply looking at it. When you put your login credentials on that page
and submit it, what happens in the background is that your login credentials have been mailed to
an email id of the attacker or it has been stored at some place on the web as specified by the
attacker and you are simply redirected to the original page of the legitimate website.
This is PHISHING. Just like the conventional fishing, the attacker makes a fake webpage that
acts a food to the fish and waits for the fish ( victim ) to fall into the trap. Phishing messages ot
emails looks like they have come from a legitimate company and can easily be sent through
spoofed email ( emails not originating from the real sender, but by using the sender id ).The
reason most people fell into this trap is that they are not aware of it. They simply fall into the
trap and loose their confidentiality on the internet later on which can be used in numerous ways
by the attacker to cause you harm.
The best way you can be protected from phishing is to have a awareness about it and learning it.
The most common way of doing phishing is social engineering that is to make a person reveal
his secret or personal information by tricking them through a talk or any other social way. The
attackers generally copy the contents of the emails of the original website and simply replace the
original links with the links of their fake webpages.
Phishing – Not only Emails
If you are thinking that phishing can be done only through e-mails then probably you are
mistaken. Phishing can be done through the following ways also :
Fake banner ads
Fake browser tools
Free job search sites etc.
Sometimes, your phone rings and the person on the other side says that he is speaking from your
bank and something has happened through your account details or they are not able to verify
and say that your account may be cancelled if early response is not made prompting you to
immediately verify it on phone or via a message and no body wants to loose money, so you
simply fall into the trap. Some calls thank the victim for the purchase they never made, or lottery
scams are very common now a days , an e-mail saying that you have won a lottery worth millions
and to deposit a fixed amount of money in an account to claim the won money.
So phishing messages are designed in such a manner that they prompt you for immediate action.
The DNS ( Domain Name System ) contains the IPs address mapped with the website name (
Domain Name ) for all the websites on the internet, whenever we try to open a website we type
the name of the website, the request goes to the DNS server where the mapped IP address is
found and the a response is generated and we can view the webpage. But before going to the
DNS server, in a windows system a host file (Windows/System32/drivers/etc/hosts file , this file
controls the internet browsing in your PC )is consulted first which is located in the Windows
drive. The files contains mapping of IP address and Domain Names. For example :
If an entry is made into the host file such that the IP of the yahoo.com is written and the domain
name is specified as www.google.com. Then everytime you try to open www.google.com, the
page of yahoo will be displayed as the IP address of yahoo is given with that name.
This can be used for phishing, if a phisher page of facebook is to be made , an entry has to be
made in the host file which will contain the IP address of the fake page and the domain name
entry as www.facebook.com. Next time, when the user will type the address of facebook in the
address bar the fake page will come up. The point here to be noted is that the URL has no
tampering so it becomes more difficult to identify the phisher page. This type of phishing can
also be detected by some methods which are described afterwards in the article.
The host file can be modified easily through a batch program, so the attacker just sends a batch
file to the victim, and as the victim executes it, the attackers job is done.
Difference between phishing and desktop phishing
In phishing an e-mail containing the link has to be sent whereas in desktop phishing a batch file
does the job.
In phishing the victim has to be convinced about the legitimacy of the organisation or the
website where as in desktop phishing execution of the batch file matters.
In phishing the domain name of the fake page and the original page are different where as in
case of desktop phishing there is no difference in the domain name of the fake and original page.
This is also the main drawback of normal phishing.
Tab Napping is Tab+Kidnapping. All the browsers are vulnerable to this. Suppose you are
browsing the internet in your favourite browser with multiple tabs open, in one of the tabs you
have your favourite social networking website open and your accessing multiple tabs, after that
when you browse to your social networking websites tab you find that the session has expired
and it requires you to login again and and you enter your credentials and successfully redirected
to your homepage or the inbox.
This seems normal and doesn’t matters but actually something happened in the background
when you were switching between the tabs, while you were browsing one of the pages in the
opened tabs has changed your social networking site’s tab to the look alike login page of that
social networking website, you innocently put your password over there and it gets kidnapped
any you get tabnapped. But in reality your session never expired and you wont to come to as
after putting your password your inbox or the home page is in front of you.
How to be protected from tab napping?
If you really think that your session has expired out or if there is any such notification, close that
tab and open the URL in a new tab or simply type the URL manually in the same tab.
Browser addons are also available but 100% percent dependency cant be assured but atleast
something is better than nothing. The browsers can only alert you sometimes and afterwards the
Whats the DAMAGE??
1. Not able to access the e-mail account or other online accounts.
2. Financial loss.
3. Identity theft.
The attackers can use the identity information to create fake accounts in the name of victim or
could destroy credit or the end result could be a destroyed life.
It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users
in the United States suffered losses caused by Phishing, totaling approximately US$929 million
How to detect phishing ??
Unsolicited Request: In the examples above, the mail from a bank is there but the fact is that
no financial organisation or bank asks for your login credentials or your information on calls or
e-mails. If you feel so that the information is required visit the bank or the organisation
Dear Customer ,no financial organisation or legitimate company addresses you by this, they
have your name in their records and will address you by the same.
‘Verify your account’ These are the favourite words of the attacker in a phishing message. If
you missed the above two points, be alert on reading these words atleast.
‘Click on the link below’ If you find these words in the message be alarmed, never click on the
link or check it properly otherwise. These links will probably take you to a fake page of the real
The phishing message generally contains many mistakes whether it is the language or the
Last but not the least trust your instincts, if you are feeling that the message then it probably is.
If you have a account with the bank or any legitimate organisation then you must be knowing the
website of it, so there is simply no need to click on the link in the phishing message, simply open
the website of the concerned organisation manually by typing the address.
Watch out for the URL ( Uniform Resource Locator ), in simple words it means the text that
appears in the address bar of your browser or the address of any website. Like in the above
examples at the beginning, the change or the tampering in the URL is visible , they are tampered
so as to look like the web address of the real company. Below is an example:
http://www.google.com Real Address
http://www.g00gle.com Fake Address
How to protect yourself ??
Now as you know what are the signs of phishing you can take some protective measures to
protect yourself from it.
1. Never respond to such mails.
2. Never give or punch your password on the telephone.
3. Inform the concerned organisation.
4. Check the URL,
5. Do not panic when you receive such messages.
6. Never provide your password on any unsolicited request over the internet or telephone
oe any other medium.
7. If you have doubts contact the organisation personally.
8. Never click on links provided in the mail, open the webpages manually.
9. Review your account statements periodically to make sure that all the charges are
10. If any popus seeks your personal information, it may be a phisher.
11. Updated antivirus software, link scanner, spyware program is of great help.
12. Be cautious when you download attachments irrespective of the sender.
13. Never run any type of script in your address bar while you are signed in with your
14. Use different passwords for different sites, in today world of technology it may be hard
but it helps a lot in protecting your information from phishers.
15. It is well said that a little info is not dangerous, be aware and updated about phishing
16. Never be taken away by money offers as in lottery scam or for a survey or it may be a
product you never purchased, greed doesn’t pays.
17. Logout everytime after accessing your bank info or any other website that is related to
your private info. Do not just close the browser specially at public terminals.
18. Two Factor authentication such as a combination of a software password and an ATM
card number can help you increase your security.
19. If any of your accounts have been compromised, shut down them at once.
20. If you even suspect that your password has gone to wrong hands, change it immediately.
21. Trust your Instincts.
22. Review the SSL certificate of the website on which you are providing your personal or
any other private info.
Every legitimate or original company has a SSL certificate so as to transmit the data securely over
the internet. Every genuine login page opens with https instead of http, s in https is for secure.
For example :
When you open a original page, you can see a golden lock either at the address bar or near the
bottom right corner of the browser which is absent in case of fake webpages.
You can also look for a verisign certified logo on the website link, it is organisation that provide
security certificates to the websites of various organizations.
Also , if while opening a webpage you receive a certificate error then there is a probability of the
website bring not real, a fake certificate may have been generated for the legitimate webpage.
There are various websites available on the internet that help you fight phishing and protect you
from it. These websites maintain a collection of database of phishing website, you can report a
phishing webpage if you discover any to these websites also. These sites also help you in
determining whether a given webpage is a real or a fake one, you simply have to provide a URL
you want to check. Some of these websites also teach you to discriminate between a phishing
page and the real one. Following are some of the website :
Anti-phishing softwares help you to detect phishing webpages and e-mails by scanning them and
looking for the phishing content. The attackers now a days are aware of this fact and instead of
sending text they are sending the e-mails in the form of images to make things difficult for these
Phishing pages can also be detected by the web browsers, web browsers now a days have the
capability to detect and report possible phishing pages to the user. Some of the browsers may
require extra plugins like that of an antivirus for detecting this.