The Hooded HACK

March 25, 2016


Nicole loved the gossip posts that spammed her Facebook wall. "Ten celebrities to have extramarital affairs" was the latest one she spotted. She clicked it. Her browser did a quick redirection and she was staring at her Gmail login page. This is strange, she mused. Posts on Facebook never lead to a Google login page. What the hell, I want to know which celebrities cheated, she thought, and punched in her username and password. "404 error; try again later" was the error that popped up, and the page killed itself. Nothing to worry about; she logged off her desktop and left for a jog.

What she didn't notice was the inconspicuous '1' in the URL of the page she had just submitted her credentials on: www.gmail1.com.

Michael was eating poorly cooked Ramen straight off the vessel it was made in. Three workstations sat idly in front of him. He had just attempted a failed brute-force attack on a banking website and needed a break to recuperate. The monitor on the third workstation came to life with a beep. He had received an e-mail. He used his legs to pull the office chair he was sitting on closer to the desk. It was a mail from his latest experiment. He opened it and smiled as he read through the contents.

Username: nicole.riley89@gmail.com
Password: porkchops@5

This was it. Someone had taken the bait, less than 24 hours since he launched the phishing website. This was good news. Considering people nowadays used their Gmail accounts to access literally everything online, from shopping websites and social networking platforms to even banking services, he now had complete control over Nicole's online assets.

He got back to his Ramen and thought of the brilliant idea that struck him only ten hours ago.

People are least cautious when responding to the one emotion that can kill even a cat: curiosity. Take a potential risk, wrap it in scandalous wrapping paper and present it to the world. Almost everyone will take a peek, out of curiosity of course.

Michael had a genius plan and the simplicity of it made him laugh. He logged on to GoDaddy, a domain provider, and for a meager price of Rs 600/year, bought the domain www.gmail1.com. He then downloaded and installed XAMPP, a free, open source, cross-platform web server solution stack package, and with a few settings here and a few tweaks there, he had a hosting server equipped to launch a website.

The next step was to design his website to impersonate Gmail. This he would do with one hand tied behind his back. He logged on to gmail.com, hit F12 and voila, Gmail's source code appeared right in front of him. The days of work Google's developers put in were stolen in a matter of minutes. With a couple of copy-pastes and a few lines of improvised code, his webpage was ready. Not even Sergey Brin would be able to discern the original from the fake without having a look at the URL.

The magic, however, was in the few lines of improvised code.

The website was cloaked with the beautiful facade of the Gmail login page. It was the interiors that were modified to run the hack. A perfect example of a wolf in sheep's clothing. He wrote a simple PHP script to accept the login form's username and password input and then send the details as a mail to his own personal mail address. The code would then kill the session and terminate the browser process altogether. This was when he laughed at the simplicity of the hack.

His toy was ready. He now had to wrap it and present it to the unsuspecting citizens of the world. He logged in to Facebook, created a post about salacious celebrities and pasted a link that redirected to his gmail1.com page. He then sat back and waited for his victims to fall straight into the honey pot.

A beep brought him back to reality. He lazily cruised towards his desk and checked his e-mail again. He had twelve new emails, loaded with twelve new login credentials.

                       ----------------------------------------------------------------------------------------------------

A hack does not have to be pages of complex code, and the victim does not have to be a government agency. The hacker could be a tenth-grade miscreant and the victim could be a civilian like you and me.

Every time a link redirects you to a new page, make sure you read the URL, and if anything looks odd, do not continue.
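The URL check described above can also be automated. The following is an added example, not part of the original post: it flags hosts that sit within a small edit distance of a trusted login domain (as gmail1.com does) or that embed a trusted name inside someone else's domain. The `TRUSTED` list, the function names and the distance threshold of 2 are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of login hosts (assumption, adjust to your own).
TRUSTED = {"gmail.com", "google.com", "facebook.com"}

def edit_distance(a, b):
    """Levenshtein distance using the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def host_of(url):
    """Lower-cased host without port, userinfo or a leading 'www.'."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "//" + url.lstrip("/")   # bare host: make urlsplit see a netloc
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def classify(url, max_distance=2):
    """Return (verdict, trusted_host): 'trusted', 'lookalike' or 'unknown'."""
    host = host_of(url)
    for good in TRUSTED:
        # Exact match or a genuine subdomain such as mail.google.com.
        if host == good or host.endswith("." + good):
            return "trusted", good
    for good in sorted(TRUSTED):
        # Near miss on the whole name (gmail1.com), or the trusted name
        # embedded in another domain (gmail.com.login.example.net).
        if edit_distance(host, good) <= max_distance or good in host:
            return "lookalike", good
    return "unknown", None

if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ["http://www.gmail1.com/", "https://mail.google.com/mail/",
              "https://gmail.com.login.example.net/", "http://gmail.com@evil.example/"]:
        print(u, "->", classify(u))
```

Edit distance is a heuristic: short legitimate names that happen to be close to a trusted one will also be flagged, so treat "lookalike" as a prompt to inspect the address bar, not as proof.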

Although it's easy, do not use the same password for multiple applications. Make sure you change your password often.

I tried a similar experiment with a focus group (who were later notified to change passwords), and you will be surprised to know that over 60% of the participants fell for the scam.

The internet is swarming with sharks and the responsibility of protecting your information belongs to you.

