History says that Phishing Attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. You should always be careful about giving out personal information over the Internet. Luckily, companies have begun to employ tactics to fight against phishers, but they cannot fully protect you on their own. Remember that you may be targeted almost anywhere online, so always keep an eye out for those “Phishy” schemes and never feel pressurize to give up personal information online.


What Is Phishing ?

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Communications purporting to be from popular social websites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware etc. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Different Types Of Phishing Techniques:

1# Spear Phishing: Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is, by far, the most successful on the internet today, accounting for 91% of attacks.

2# Clone Phishing: A type of phishing attack whereby a legitimate, and previously delivered, the email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.

3# Whaling: Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks. In the case of whaling, the masquerading web page/email will take a more serious executive-level form. The content will be crafted to target an upper manager and the person’s role in the company. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern. Whaling phishers have also forged official-looking FBI subpoena emails and claimed that the manager needs to click a link and install special software to view the subpoena.

4# Link Manipulation: Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are the common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually, this URL points to the “yourbank” (i.e. phishing) section of the example website. Another common trick is to make the displayed text for a link (the text between the <A> tags) suggest a reliable destination when the link actually goes to the phishers’ site. Many email clients or web browsers will show previews of where a link will take the user to the bottom left of the screen while hovering the mouse cursor over a link. This behavior, however, may in some circumstances be overridden by the phisher.

5# Filter Evasion: Phishers have even started using images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing emails. However, this has led to the evolution of more sophisticated anti-phishing filters that are able to recover hidden text in images. These filters use OCR (Optical Character Recognition) to optically scan the image and filter it. Some anti-phishing filters have even used IWR (Intelligent Word Recognition), which is not meant to completely replace OCR, but these filters can even detect cursive, hand-written, rotated (including upside-down text), or distorted (such as made wavy, stretched vertically or laterally, or in different directions) text, as well as text on colored backgrounds.

6# Website Forgery: Once a victim visits the phishing website, the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar or by closing the original bar and opening up a new one with the legitimate URL.

An attacker can even use flaws in a trusted website’s own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic because they direct the user to sign in at their bank or service’s own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.

A Universal Man-In-The-Middle (MITM) Phishing Kit, discovered in 2007, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site.

To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash-based websites (a technique known as “Phlashing”). These look much like the real website but hide the text in a multimedia object.

7# Covert Redirect: Covert Redirect is a subtle method to perform phishing attacks that make links appear legitimate, but actually redirect a victim to an attacker’s website. The flaw is usually masqueraded under a login popup based on an affected site’s domain. It can affect OAuth 2.0 and OpenID based on well-known exploit parameters as well. This often makes use of Open Redirect and XSS vulnerabilities in the third-party application websites.

Normal phishing attempts can be easy to spot because the malicious page’s URL will usually be different from the real site link. For Covert Redirect, an attacker could use a real website instead by corrupting the site with a malicious login popup dialogue box. This makes Covert Redirect different from others.

8# Phone Phishing: Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

9# Tabnabbing: This technique takes advantage of tabbed browsing, with multiple open tabs. This method silently redirects the user to the affected site. This technique operates in reverse to most phishing techniques in that it doesn’t directly take you to the fraudulent site, but instead loads their fake page in one of your open tabs.

10# Evil Twins: This is a phishing technique that is hard to detect. A phisher creates a fake wireless network that looks similar to a legitimate public network that may be found in public places such as airports, hotels or coffee shops. Whenever someone logs on to the bogus network, fraudsters try to capture their passwords and/or credit card information.

Precautions Against Phishing:

  1. Guard Against Spam: Be especially cautious of emails that Come from unrecognized senders and ask you to confirm personal or financial information over the Internet and/or make urgent requests for this information.
  2. Communicate personal information only via phone or secure websites. In fact, When conducting online transactions, look for a sign that the site is secure such as a lock icon on the browser’s status bar or a “https:” URL whereby the “s” stands for “secure” rather than an “http:”.
  3. Beware of phone phishing schemes. Do not divulge personal information over the phone unless you initiate the call. Be cautious of emails that ask you to call a phone number to update your account information as well.
  4. Do not click on links, download files or open attachments in emails from unknown senders. It is best to open attachments only when you are expecting them and know what they contain, even if you know the sender.
  5. Never email personal or financial information, even if you are close with the recipient. You never know who may gain access to your email account, or to the person’s account to whom you are emailing.
  6. Beware of links in emails that ask for personal information, even if the email appears to come from an enterprise you do business with. Phishing web sites often copy the entire look of a legitimate web site, making it appear authentic. To be safe, call the legitimate enterprise first to see if they really sent that email to you. After all, businesses should not request personal information to be sent via email.
  7. Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software. Do some research to ensure you are getting the most up-to-date software, and update them all regularly to ensure that you are blocking from new viruses and spyware.
  8. Check your online accounts and bank statements regularly to ensure that no unauthorized transactions have been made.

Note: – This guide is only for knowledge purpose and shouldn’t be used for any illegal activities as we are not responsible for anything happens with this.

We hope that HACKAGON matched our readers expectations regarding Phishing Attacks. so, if you like this article then don’t forget to share it with your friends and always feel free to drop a comment below if you have any query or feedback.

Everybody is so much familiar with facebook and also about its huge amount of data storage. Facebook is one of the most widely used social networking sites, with more than 750 million users, as a reason if which it has become the number one target of hackers. So, HACKAGON will show the Best ways to Hack Facebook so that the readers of HACKAGON will stay aware from hackers and protect their facebook account from getting hacked.

Best ways to Hack Facebook Hackagon

So, know the top 10 methods of How Hackers Can Hack Facebook Account Password:

1# Phishing:

Phishing is the most popular assault vector utilized for hacking Facebook accounts. There are variety methods to carry out phishing attack. In a simple phishing attacks, a hacker creates a fake login page which exactly looks like the real Facebook page and then asks the victim to log in. Once the victim logs in through the fake page the, the victims credentials like “Email Address” and “Password” is stored into a text file, and the hacker then downloads the text file and gets his hands on the victims credentials.

To make it simple, let’s say that facebook phishing is a way to make and create fake facebook website according to the real website for negative purposes, such as stealing credentials, data, etc.

2# Keylogging:

A keylogger is a suspicious program that record your keystrokes, Keylogging is the easiest way to hack a Facebook password. Keylogging sometimes can be so dangerous that even a person with good knowledge of computers can fall for it. A Keylogger is basically a small program which, once installed on victim’s computer, will record everything victim types on his/her computer. The logs are then sent back to the attacker by either FTP or directly to hackers email address. Some advanced keylogger’s are also there which can even take the screenshot of the victim’s desktop.

3# Stealers:

Almost 80% percent of facebook users uses stored password in their browser to access the Facebook. This is quite convenient, but can sometimes be extremely dangerous. Stealers are software specially designed to capture the saved passwords stored in the victim’s Internet browser.

4# Session Hijacking & Cookie Stealing:

Session Hijacking & Cookie Stealing can be exceptionally perilous if you are accessing Facebook on an HTTP (nonsecure) connection. In Session Hijacking attack, a hacker steals the victim’s browser cookie which is used to authenticate the user on a website and use it to access the victims account. Session hijacking is widely used on LAN and WiFi connections.

The cookie which facebook uses to authenticate its users is called “Datr”, If an attacker can get hold of your authentication cookies, All he needs to do is to inject those cookies in his browser and he will gain access to your account. This is how a facebook authentication cookie looks like:
Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc;

An attacker can use a variety of methods in order to steal your facebook authentication cookies depending upon the network he is on, If an attacker is on a hub based network he would just sniff traffic with any packet sniffer and gain access to victims account or If an attacker is on a Switch based network he would use an ARP Poisoning request to capture authentication cookies, If an attacker is on a wireless network he just needs to use a simple tool called Firesheep in order to capture authentication cookie and gain access to victims account.

5# Sidejacking:

Sidejacking attack is basically another name for HTTP session hijacking, but it’s more targeted towards WiFi users. It went common in late 2010, however, it’s still popular nowadays.

Sidejacking Attack Involves two Major Steps:

  • Capturing packets (Session Cookie): There are a wide variety of tools available that can Sniff packets containing “session cookies“. Use any packet sniffer such as Wireshark to sniff the packets between the target IP and the host. These tools can capture packets such as POST or GET requests used by Web browsers to send and receive data from the HOST. But we are mainly interested in grabbing the cookies, so carefully take out the cookie information from the sniffed Packets. Popular packet Sniffers: WireShark, Ethereal, etc.
  • Using Captured Session Cookie: Once you have the cookie information, the next task is to use this information to get access to victims user account. Using Sniffed Cookie you can actually log into your victims account even without knowing his/her password. To do this, you will require browser plugin that can manage and edit cookies. For firefox Browser, you can use Cookie Manager+ or Edit Cookies to do this task. Chrome users can checkout: Edit This Cookie or Cookie Manager.

To simplify this Task, Mr.Eric Butler a software engineer introduced a firefox extension called Firesheep. It is widely used to carry out sidejacking attacks but it only works when the attacker and victim are on the same WiFi network.

6# Mobile Phone Hacking:

Besides PC/Laptops, Billions of Facebook users access Facebook through their Smartphones. In case the hacker can gain access to the victims mobile phone then he can probably gain access to his/her Facebook account. There are a bunch of Mobile Spying software’s used to monitor a Cellphone. The most popular Mobile Phone Spying software’s are:

  • Mobile Spy
  • Spy Phone Gold.

7# DNS Spoofing:

In DNS Spoofing attack if both, the victim and attacker are on the same network then an attacker can use a DNS spoofing attack and change the original Facebook page to his own fake page and hence can get access to victims Facebook account.

Basically, DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver’s cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker’s computer (or any other computer).

8# USB Hacking:

In USB Hacking attacks, if an attacker has physical access to your computer, he could just insert a programmed USB with a function to automatically extract saved passwords in the Internet browser.

For USB Hacking attack you need two things:

  • A USB Drive devoted to this.
  • The programs and files with the capability of consequently concentrating the spared passwords.

9# Man In the Middle Attack:

In Man In The Middle Attack, if the victim and attacker are on the same LAN and on a switch based network then a hacker can place himself between the client and the server, or he could act as a default gateway and hence capturing all the traffic in between.

Basically, In cryptography and computer security, A Man In The Middle Attack (often abbreviated to MITM, MitM, MIM, MiM or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

10# Botnet:

Botnets are not commonly used for hacking Facebook accounts, because of it’s high setup costs. They are used to carry more advanced attacks. A Botnet is basically a collection of compromised computer. The infection process is same as the key logging, however, a Botnet gives you additional options for carrying out attacks with the compromised computer. Some of the most popular Botnets include Spyeye and Zeus.

Basically, A botnet is a collection of compromised computers often referred to as “zombies” infected with malware that allows an attacker to control them.

Note: – This guide is only for knowledge purpose and shouldn’t be used for any illegal activities as we are not responsible for anything happens with this.

Hope you like this article. So, don’t forget to share it with your friends and also feel free to drop a comment below if you still have any query or update related to this.