- The 30 Second Phish
I spend a long time taking down websites overpopulated by script kiddies and wannabe hackers. Mostly, the people on these sites are running wild with no real clue as to the seriousness of their actions until they get caught - at which point, they invariably beg for mercy and suddenly grow a conscience. Many hardcore phishers I see, for example, are anything from 11 years of age and up. They seem to get younger all the time - why is this? Well, the demand for custom made phishing tools plays a large part in this as the programs spring up on hacking sites, trickle down onto the more general "gaming and coding" sites (that usually host a hacking section) before winding up on the script kiddy sites.
Today, we'll take a look at one such application. The ease with which this program can be used to generate fake login pages is truly frightening, yet not at all uncommon. We'll begin, as we do all too often, with a wonderfully hypocritical "disclaimer" on the program EULA (yep, phishers come with EULAs and scrolling credits that roll up the screen nowadays):
The text reads:
"The Author Of This Program Is NOT Responsible For ANYTHING You Do With This Program, I encourage you not to use it. It was only created for educational purposes and to demonstrate how web pages are vulnerable. If you EVER see a phisher please report it.
This is just a quick disclaimer. I want to get straight to the point, PHISHERS ARE ILLEGAL. Well they're not illegal Per Se, but it depends how you use them and I would like to give you a little memo so you dont get yourself in ANY trouble.
If you use this program in order to create a fake web login in order to gain someone's password that is Illegal and against the law and can get you a sentence in prison. Do not create a phisher of any website without the owner of the website's permission.
For More Information On Phishers Go Here."
I've always wondered how someone that created a tool specifically to perform illegal actions is somehow not responsible for the actions of the people they distributed it to. Oh, but of course we have those wonderful caveats - "for educational purposes only" (you need to make a fake login, upload it then steal someone's login details to educate yourself that "people can make fake logins"? Couldn't you just be told that instead?) and my other favourite, "Do not create a phisher of any website without the owner of the website's permission".
This begs the question, and it's a very obvious question, but I'll ask it anyway.
Why would anybody ever give you permission to make a fake login of their website?
Oh well, let's see what it does anyway.
Talk about being idiot-proof. Yes, that really does say "Click the numbers for the details to be read out aloud". Double click the Begin marker, and you see this:
At this point, you take the code from the source of the page you want to spoof, paste it into the program, push a button and tell it where you want your fake login to redirect the victim to once they've entered their details:
...job done, and you've created a perfect Phish page in 30 seconds or less. It even places your fake login page in an upload folder for you, just to ensure you don't screw up at the last minute and wonder where it went. Here's my fake page:
Worrying, isn't it? Hopefully you can see exactly why kids are getting into phishing in a big way at such a young age with programs such as these around. This is just one example in a very big collection of Phishers currently in circulation - and a steadily growing audience eager to try them out will ensure they're around for a long time to come.