Phishing is a type of attack in which an attacker tries to obtain a user's data by luring the user into clicking a link and entering their credentials. Phishing is usually carried out by email (though that is not the only channel): the attacker poses as a legitimate organization and tells the victim that there is a problem with their account and that they must click the link below to verify or rectify it. The link leads to a spoofed site that looks just like the original. The victim, fooled by the attacker's site, enters their login credentials.

That's it! The attacker now has the user's login credentials.

Such an attack can be carried out for many reasons, such as stealing funds or stealing company secrets (by posing as an employee), with devastating effects.

Working

Disclaimer: Only for Educational Purpose.

I am going to use a simple example that demonstrates how the attack works.

Step 1:

A mail that purports to come from the legitimate organization is created. The mail contains text that pressures the user to act in a hurry. In this example, the link sends the victim to origina1.html (the spoofed site, with the digit 1 in place of the letter l) instead of original.html. (Example Org is an imaginary organization used in this example.)

[image: phishing-email]

The victim receives an email like the one in the image below (for demonstration purposes, I mailed it to myself).

[image: phishing-mail-received]

Step 2:

After arriving at the spoofed site, the victim, fooled by its appearance, enters their login credentials into a form that posts to the attacker's server.

[image: password-reset]

Step 3:

Submitting the form runs steal.php (the file name can be whatever you like), which reads the submitted data and inserts it into the attacker's database, while the victim is shown a message (or is redirected to the original site so that nothing looks amiss).

[image: fooled]

The captured data is present in the attacker's database, as shown in the image below.

[image: database]

Attack accomplished!

Precautions & Conclusion

If the above text has alarmed you, the question running through your mind is probably "How do I tell a real site from a phishing site?". There are many ways; the most prominent are:

  • checking whether the sender's email address is an official one. Look at the actual address, not just the display name, and bear in mind that the From header itself can be forged, so a correct-looking address is not proof on its own.
  • checking whether the destination URL's host name is correct. Most phishing sites make only a minor change to it so that it deviates as little as possible from the real one. Example: instead of www.google.com, attackers might use www.gogole.com, or swap a letter for a look-alike digit as in the origina1.html link above. Hover over (or long-press) the link to see where it actually points, because the visible link text can say one thing and the href another. With a careful look you will be able to spot the difference.
  • checking whether the site is served over plain HTTP. If it is, avoid entering data on it. NOTE: not every HTTP site is a phishing site, and the reverse also holds: many phishing sites now use HTTPS, so a padlock alone does not prove a site is genuine.
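The three checks above can be scripted. The following is an added example (not the post's code or the repository it links to): it parses the anchors out of an HTML message modelled on the Step 1 mail, then flags a sender whose domain is not the organization's, link hosts that are look-alikes of the real one (homoglyph digits such as 1 for l, or transpositions such as gogole for google), plain-HTTP links, and links whose visible text names a different host than the href. The message, the sender address and the legitimate domain example.org are all constructed for the demo.

```python
import re
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse
from email.utils import parseaddr

# Domain the organization actually uses (assumption for the demo).
LEGIT_DOMAIN = "example.org"

# Look-alike digits attackers substitute for letters; maps look-alike -> original.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

# Visible link text that itself looks like a URL; group 1 is its host.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)

# Constructed sample mirroring the Step 1 mail: digit 1 replaces the letter l.
SAMPLE_FROM = '"Example Org Support" <support@examp1e.org>'
SAMPLE_BODY = """
<p>We detected a problem with your account. Verify within 24 hours or it
will be suspended.</p>
<p><a href="http://examp1e.org/origina1.html">https://example.org/original.html</a></p>
<p><a href="https://example.org/help">Help centre</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation; enough for example.org-style hosts."""
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike(domain, legit=LEGIT_DOMAIN):
    """True if the domain is not the legitimate one but is deceptively close to it."""
    if domain == legit:
        return False
    if domain.translate(HOMOGLYPHS) == legit:  # examp1e.org -> example.org
        return True
    # gogole.com vs google.com: high similarity ratio on the registrable domain.
    return difflib.SequenceMatcher(None, domain, legit).ratio() >= 0.85


def check_sender(from_header, legit=LEGIT_DOMAIN):
    """Check 1: inspect the address actually used, not the display name."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return {"address": addr, "official": domain == legit,
            "lookalike": is_lookalike(domain, legit)}


def check_links(html_body, legit=LEGIT_DOMAIN):
    """Checks 2 and 3 for every link, plus a visible-text vs href host comparison."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        shown = URL_LIKE.match(text)
        text_host = shown.group(1).lower() if shown else ""
        findings.append({
            "href": href,
            "text": text,
            "host": host,
            "lookalike": is_lookalike(registrable_domain(host), legit),
            "plain_http": target.scheme == "http",
            "text_mismatch": bool(text_host) and text_host != host.lower(),
        })
    return findings


def verdict(from_header, html_body):
    """Return the list of red flags; any one of them is reason enough to distrust the mail."""
    flags = []
    if not check_sender(from_header)["official"]:
        flags.append("sender not from " + LEGIT_DOMAIN)
    for f in check_links(html_body):
        if f["lookalike"]:
            flags.append("look-alike host " + f["host"])
        if f["plain_http"]:
            flags.append("plain http link " + f["href"])
        if f["text_mismatch"]:
            flags.append("link text does not match target " + f["href"])
    return flags


if __name__ == "__main__":
    for flag in verdict(SAMPLE_FROM, SAMPLE_BODY):
        print("FLAG:", flag)
```

Run against the sample, the script reports four flags: the sender domain, the look-alike host, the plain-HTTP link, and the mismatch between the link text (example.org) and where it really points (examp1e.org). Note that a sender check passing proves little, because the From header is written by whoever sends the mail; what actually tells you whether the domain was authorised to send it is the receiving server's SPF, DKIM and DMARC evaluation, recorded in the Authentication-Results header.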

Find the code of the above example in my github repo.