Hi there! Today I am going to tell you about a little experiment I conducted yesterday, and yes, it's about phishing.
So let's get started!
Whenever we read or hear the word phishing, the first thing that comes to mind is a fake login page asking for our credentials. Hence most people think they know what phishing is: they simply don't log in to a page that asks for their credentials and has been sent to them by someone. But I have shown previously that phishing isn't only about asking someone to log in via a link you sent them, and now let's prove that again!
Well, my plan was to create a sign-up page so I could tell people to sign up there and collect their details. You might be asking why I would do that. What if they use a different password?
Let's consider two things:
- A study indicated that approximately 80% of people use the same password on more than one website.
- Even if they use a different password for our sign-up page, we still get a useful piece of information: what kind of passwords they prefer.
The Set Up
I am not really a rich guy, so I grabbed a free domain and quickly uploaded a "coming soon" template to it.
So this page says that there will be a forum for security professionals very soon and you can sign up for it. What's the big deal about this page?
- Why didn't I use that hacker-looking green-on-black interface? Because it doesn't look good. It looks skiddish.
- I used an elegant font and a pleasing background.
- In the last line I talk about IRCs, Facebook and LinkedIn because I want to build a connection with the reader and make the page feel relatable.
I put my email and phone number in there to show the user that I am serious about this. That number has 11 digits though :p
So what happens when a user clicks the sign-up button? Another page opens with this ugly sign-up box:
Yeah, I completely agree that this box is ugly. I was running short on time, so I used a template and sent the link to around 9-10 people.
Here are the results
I got 5 passwords!
- blogname-stuti
- a1s2d3f4g5
- kkk.dsbhsghzobr.hy
- cl4w @forum!
- thisisashitpassword @123
The first one contained the name of the victim's blog (I can't tell you the exact name, of course), followed by an Indian feminine name that could be that of her crush or girlfriend.
The second password may seem randomly typed and strong, but try typing it on your own keyboard and you will see a pattern.
I am unable to find any pattern in the third password. I am sure he didn't just type random characters, because he entered his real email address, so I don't think he was pranking me at all.
The fourth contains cl4w, which I guess is an alias. It is followed by @forum!, so if this guy's bank password is cl4w @bank!, I wouldn't be surprised.
The last password is probably a prank, lol.
I didn't check whether the passwords worked for their Facebook or email accounts, because I am not a bad guy at all, but the experiment still gave me some really rich information about their password habits.
That's pretty much all. It's 1 AM and I am going to get some sleep now.
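As an added example (not code from the original post), here is a small Python check a registration form could run server-side to catch the two habits seen above: the interleaved keyboard walk in the second password and the site name embedded in the fourth. The QWERTY row strings and the site token list are assumptions.

```python
"""Added example: flag the password habits the post describes.

Two heuristics a registration form could apply server-side:
  * keyboard walks, including the interleaved form "a1s2d3f4g5"
    (stride 2 splits it into the row runs "asdfg" and "12345");
  * a site name embedded in the password ("@forum!"), a sign the user
    templates one base password per site.
The QWERTY rows below are an assumption about the victims' layout.
"""
import re

QWERTY_ROWS = ("`1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./")


def is_row_walk(fragment):
    """True if fragment (3+ chars) runs along one keyboard row, either direction."""
    frag = fragment.lower()
    if len(frag) < 3:
        return False
    return any(frag in row or frag in row[::-1] for row in QWERTY_ROWS)


def interleaved_walks(password, max_stride=3):
    """(stride, fragments) for every stride at which the whole password splits
    into row walks: stride 1 catches "qwerty", stride 2 "a1s2d3f4g5"."""
    hits = []
    for stride in range(1, max_stride + 1):
        frags = tuple(password[i::stride] for i in range(stride))
        if len(password) >= 3 * stride and all(is_row_walk(f) for f in frags):
            hits.append((stride, frags))
    return hits


def site_tokens_in_password(password, site_tokens):
    """Site names found inside the password, ignoring case and punctuation."""
    flat = re.sub(r"[^a-z0-9]", "", password.lower())
    return [t for t in site_tokens if t.lower() in flat]


def weakness_reasons(password, site_tokens=("forum",)):
    """Reasons to reject the password; an empty list means no pattern found."""
    reasons = []
    for stride, frags in interleaved_walks(password):
        reasons.append(f"keyboard walk (stride {stride}): {'+'.join(frags)}")
    for token in site_tokens_in_password(password, site_tokens):
        reasons.append(f"contains site name '{token}': likely a per-site template")
    return reasons


if __name__ == "__main__":
    # Two patterns quoted in the post plus the one it could not explain.
    for pw in ("a1s2d3f4g5", "cl4w @forum!", "kkk.dsbhsghzobr.hy"):
        print(pw, "->", weakness_reasons(pw) or ["no pattern found"])
```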
Phishing isn't dead. Your creativity is…