Phishing question?


MikeL

Can someone explain how this works? You receive the standard "please login" etc. phishing e-mail.

Example:
http://xxxxxxxxxx.xx/images/professionnel/image/itansecuritym/www.halifax-online.co.uk/secure/_mem_/formslogin.asp/index.html

The site is obviously a fraud, yet the first part of the URL (http://xxxxxxxxxx.xx) is a legitimate website.

Are the phishers hijacking the genuine site or is it an inside job?

Mike
 
Hi Mike

When you hold the cursor over the link, does the same address come up in the bar at the bottom of the page?

You can hide false addresses under real ones in links. I have no idea how, I'm about as computer minded as an apple, but I have seen it done ...

The link might say www.abc.com but the bar at the bottom of the page will read www.xyz.com ..... sort of thing ....

H
 
The Phishers have copied a portion of the website and downloaded it to their server.

They then try and hide the fact you are on a different site.
 
Hi Mike

When you hold the cursor over the link, does the same address come up in the bar at the bottom of the page?

You can hide false addresses under real ones in links. I have no idea how, I'm about as computer minded as an apple, but I have seen it done ...

The link might say www.abc.com but the bar at the bottom of the page will read www.xyz.com ..... sort of thing ....

H

In this case yes - not very sophisticated, just catching the unwary.

Mike
 
Phisher-men also make use of website addresses that are input incorrectly, for example

www.nbclub.co.uk

If you happen to type this and not check what you're typing, you might end up at a site set up for phishing, one that looks very similar to the one you intended to go to but is just there to get your login details.
 
http://www.safe_website.com

For example ;)

Some browsers, older versions of Internet Explorer for example, can also be fooled by some of these addresses into displaying an address that looks legitimate but bears no relationship to the site you have actually reached.

Some other tips here
 
In this case there were no "deliberate" errors - so I guess they hijacked part of the real website.

Mike
 
Doubt they'd be able to hijack a bank's website (presuming the Halifax) ... :eek:

Those things are locked down tight ...

If they could do that, they'd be counting their millions, and snorting coke out of high class hookers' belly buttons, not sending out phishing mails ....

I expect I'm wrong, I usually am !! :eek:

Slightly OT , your 'fly avatar' caught me out earlier !! :crazy: :D tried to sweep it away !! :eek:
 
It is the simplest thing to add an IP after a website address stored in your Windows folder.
Then whenever you type the URL into your browser, the browser will show the correct address and will think it's gone to the correct address; however it has really gone to the IP that you typed in. This IP could quite easily be a copy of the original designed to capture your data.
Luckily modern browsers are aware of this trick and anti-phishing software spots it too.
 
In addition to the methods mentioned above, there are a few more:

www.safe_website.com
(as mentioned above) the text you see, though it looks like an address, is only a piece of text. The embedded link goes somewhere else

http://192.168.0.1/www.safe_website.com/
Here you are actually on a server on 192.168.0.1, in a folder called "www.safe_website.com".

http://3235415306/www.safe_website.com/
as above, but now the IP address is in decimal only

http://C0D8850A/www.safe_website.com/
http://0xd3.0x90.0xcc.0x87/www.safe_website.com/
as above, but the IP addresses are in hexadecimal


http://[email protected]/login.safe
this one is getting more creative... Now the IP address is at the end.

http://www.one_compromised_website.com/another_site.com/login.unsafe
here, one_compromised_website.com was compromised, and the spammer wants you to believe that you are on another_site.com. This makes it harder to trace him, but this url is fairly rare - usually people tend to change the one_compromised_website to its IP address.

Note that you can pick and mix the above! So you can put the IP in any form (hex, decimal, etc) at the beginning or end!

Safest thing possible? DON'T click on any links in your email - open your browser of choice, manually type in the url and press enter. (Though you still aren't safe. If your computer is compromised, the cracker can have edited your DNS file, so typing in www.ebay.co.uk brings you to http://192.168.0.1/login.unsafe or anything else...)

Here is a nice example:
www.safe_website.com
Notice that when you hover over the link, (or click on it) it brings you somewhere totally different?
Michele
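
The address tricks listed in the post above can be checked mechanically. The following is an added example, not part of the original thread: the names `host_as_ipv4` and `inspect_link`, the short suffix list and the sample URLs used to exercise it are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Small illustrative suffix list (assumption); real tooling would use the Public Suffix List.
SUFFIXES = {"com", "net", "org", "uk"}
NUM = re.compile(r"0[xX][0-9a-fA-F]*|[0-9]+")

def host_as_ipv4(host):
    """Decode a host the way browsers do: decimal, 0x-hex or 0-octal parts,
    with the last part filling all remaining bytes. None if not numeric."""
    parts = host.split(".")
    if len(parts) > 4 or not all(NUM.fullmatch(p) for p in parts):
        return None
    try:
        nums = [int(p[2:] or "0", 16) if p[:2].lower() == "0x"
                else int(p, 8 if len(p) > 1 and p[0] == "0" else 10)
                for p in parts]
    except ValueError:          # e.g. "09" is not valid octal
        return None
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    for i, n in enumerate(head):
        last += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(last))

def inspect_link(href, shown_text=None):
    """Return (real_host, findings) for a link taken from an e-mail."""
    url = urlsplit(href)
    host = (url.hostname or "").lower()
    findings = []
    ip = host_as_ipv4(host)
    if ip:
        host = ip
        findings.append("host is a raw IP address")
    if url.username is not None:
        findings.append("text before '@' is not the host: " + url.username)
    for seg in url.path.split("/"):
        if "." in seg and seg.lower().rsplit(".", 1)[1] in SUFFIXES:
            findings.append("domain-like folder name in path: " + seg)
    # Only compare when the visible text itself looks like an address.
    if shown_text and re.fullmatch(r"\S+\.\S+", shown_text):
        shown = urlsplit(shown_text if "//" in shown_text else "//" + shown_text)
        if (shown.hostname or "").lower() != host:
            findings.append("shown text names a different host")
    return host, findings
```

The host returned is the machine the browser would actually contact; everything after the first single slash, and everything before an `@`, is ignored when that decision is made.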
 
I have not added anything more than this or I might get done for phishing but it would not be difficult to make a few pages to collect all this data and then rip you off.

My Zonealarm picked up on that as a phishing site and has sent the details off.
 
Oops. No worries. I can prove it was posted as a "Help prevent fraud" page on a forum.

At least it shows as an example that things like "Zone Alarm" pick these things up as well.

Thanks Dieselman
 
Also, when you put your details in then click login, if it takes longer than usual for the next page to open, that is usually a sign, as your info is being redirected to the phisher's server, not your bank's.
 
And it does not take them long to make things LOOK right.

This took me 5 minutes this morning.

Click here to login in to your account using our secure server

I have not added anything more than this or I might get done for phishing but it would not be difficult to make a few pages to collect all this data and then rip you off.

Erm... can I have my bank account details back please... I accidentally gave them to you...:crazy:
 
