Nowadays, launching a phishing attack or creating a fake website for an online service is quite an easy task for anybody. There is no need for advanced technical knowledge or significant financial resources.
Generally we tend to associate phishing only with fake websites of banks. However, there are also kits targeting other online services such as Gmail, Yahoo, YouTube, Fotolog, Hi5, etc., as we have commented in a previous post.
It is possible to find information, or even instructions on how to use these kits and how to carry out the attacks, in forums, blogs, online videos, etc. Additionally, sometimes you can find not only the instructions but also the tools themselves, for free.
Below you can see some examples of the availability of these kits:
The way these kits work is similar whether the attack is launched against a bank or any other service. Using a mass mailing tool, a fake message, which passes itself off as coming from the real entity or service, is sent to a wide list of email addresses. This message contains an obfuscated link that looks like the legitimate URL but points to a fake website imitating the original one.
If the users are not aware of the fraud and enter their login credentials for that service on the fake site, that information is sent by email to the cyber-crook or stored in a file at the cyber-crook's disposal.
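A defender-side check for the obfuscated-link trick described above, added here as an example and not taken from the original post: it parses the HTML body of a message and flags anchors whose real destination does not match what the recipient sees (a visible URL that differs from the href, a user@host prefix that hides the real host, or a look-alike host). The allow-list `LEGIT_DOMAINS` and the sample message are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"bank.example", "mail.example"}  # assumption: defender's own allow-list


def host_of(url):
    """Return the real host of a URL; urlparse drops any user@ prefix for us."""
    p = urlparse(url.strip())
    return (p.hostname or "").lower()


def is_legit(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html):
    """Return (href, reason) for links whose destination does not match what the user sees."""
    c = LinkCollector()
    c.feed(html)
    findings = []
    for href, text in c.links:
        target = host_of(href)
        if "@" in urlparse(href).netloc:                      # http://legit@evil trick
            findings.append((href, "user@host prefix hides the real destination"))
        elif text.startswith(("http://", "https://", "www.")):  # shown URL vs. real URL
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != target:
                findings.append((href, f"text shows {shown} but href goes to {target}"))
        elif not is_legit(target) and any(d.split(".")[0] in target for d in LEGIT_DOMAINS):
            findings.append((href, f"look-alike host {target}"))   # e.g. bank-secure.example
    return findings


# Constructed sample message body (no real sender or host behind it).
SAMPLE_MAIL = """<p>Dear customer, please verify your account:</p>
<a href="http://bank.example@203.0.113.5/login">https://bank.example/login</a>
<a href="http://bank-secure.example/login">Click here</a>
<a href="https://bank.example/help">https://bank.example/help</a>"""
```

Running `find_suspicious_links(SAMPLE_MAIL)` flags the first two links and leaves the genuine help link alone.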
Phishing attacks are also evolving, and they are no longer hidden only in domains similar to the legitimate ones. I have recently read in the blog of Dancho Danchev about a curious phishing attack against MySpace. In this case, the fake website is located in a profile on the legitimate MySpace domain, in which the cyber-crook has inserted a fake MySpace login page in order to obtain the credentials of unaware users who try to log in to see the content of the profile.