Phishing - the basics
Phishing
is a technique of obtaining sensitive data such
username,password,credit card details etc by an attacker by claiming to
be a trusted or genuine organisation/company.
The most common type of phishing is Fake Login Pages. The basic methodology of this attack is written below
1.Suppose
an attacker wants to hack gmail/yahoo/facebook/bank account of the
victim. Attacker creates a fake login page of that website . This fake
login page looks exactly like real/genuine login page.
2.Attacker then sends the link
of that fake login page to victim through an email or any other
means.The sender's email Id is usually spoofed to give an authentic look
to it.
3. Victim clicks
on the link, fake login page appears in his browser and he enters his
credentials in that page thinking that it is genuine.
4.The credentials that are username and password go to the attacker. Hence victim's account gets hacked.
5.Victim is then redirected to any webpage as chosen by attacker. Most probably the victim is redirected
to genuine website or a page displaying an error.
I hope the idea is clear to you.
This is the best method to hack anyone's gmail/yahoo/orkut/facebook/bank
account.Creating a fake login page is very simple. Then it depends on
attacker's smartness that how he manages to fool the victim to get his
credentials entered in fake login page. Simply this attack depends on
attacker's intelligence as well as victim's carelessness.
Countermeasuers :
The
obvious countermeasure is that just dont blindly enter your sensitive
data in a webpage that exactly looks likea genuine/real page. Carefully
check the URL .But URLs can also be spoofed. The protocol must be
hopefully https(secure) instead of http. If you still have doubts, you
should check the digital certificate of the website. Take care.
Note: This was just a theoretical basic guide to phishing. Read my detailed step by step tutorial on