Protect yourself from fake login pages  

Tuesday, November 4, 2008

Using fake login pages is the easiest way to hack passwords. Identifying a fake login page is very easy, but many people neglect a few small checks before entering their login details and fall into the trap. I have seen a person paying $500 for a fake login page of PayPal. This proves that there are still people falling into this trap. This is just one example; there are many fake websites of banks, Yahoo Mail, Gmail, Orkut, MySpace, etc.
This post is an attempt to show what a hacker does to hack your password using fake login pages and how to protect yourself from those fake logins. I will try to keep this post as simple as possible; there may be some technical details which you can safely skip.
Warning: I strongly advise you not to try this on anyone. It may spoil your relationship with the person on whom you are trying it, and you may even end up behind bars.


What goes on behind the scenes when you enter your login details in a login form?

When you enter your login details in any login form and hit Enter, they are submitted to another page, which reads these login details and checks the database to see whether you entered the correct username and password. If yes, you are taken to your account; otherwise you get an error page.

What does a hacker do?

A hacker creates a fake page that looks exactly the same as the original page and somehow tricks you into entering your login details on that page. These login details are then submitted to a file. At this stage the hacker has two options: he can either store the login details on his server or have them mailed directly to his email ID. All of this happens behind the scenes; you will have no clue of it. When you enter your login details for the first time, your details are submitted to the hacker and you are directed to an error page (this is the original error page). When you enter your login details again, you will be logged in to your account. It’s quite common for us to enter login details wrongly sometimes, so you will not become suspicious when you get the error page.

How to identify fake login page traps

1. Never enter your login details on unknown sites.
2. Always type the address directly into the browser.
3. Do not follow the links you get in mails and chats, even if they are from your friends.
4. Always have a keen look at the address bar and verify that the address is correct. Check the screenshot below. Some people buy domains which look similar to the original site, for example: 0rkut for orkut, pay-pal for paypal, yahooo for yahoo. Sometimes you may overlook these small differences and fall into the trap.
5. Please report it to the hosting site or the original site owner when you find a fake login page.
6. If you feel you have entered your details in a fake login page, change your password immediately.
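The address-bar check from item 4 can be automated. The following is an added example, not part of the original post: it normalises each hostname label (digits swapped for letters, inserted hyphens, repeated letters) and compares it with a list of trusted names. The `TRUSTED` list, the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: brand name -> its genuine domain.
TRUSTED = {"orkut": "orkut.com", "paypal": "paypal.com", "yahoo": "yahoo.com"}

# Digits that are commonly swapped in for letters (0rkut for orkut).
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(label):
    """Normalise a hostname label so common look-alike tricks collapse."""
    s = label.lower().replace("-", "").translate(DIGIT_SWAPS)  # pay-pal, 0rkut
    out = []
    for ch in s:  # squeeze repeated letters: yahooo -> yaho
        if not out or out[-1] != ch:
            out.append(ch)
    return "".join(out)


def edit_distance(a, b):
    """Levenshtein distance, to catch a single added, dropped or changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return ('trusted' | 'lookalike' | 'unknown', brand or None) for a URL."""
    host = (urlsplit(url).hostname or "").lower()
    for brand, domain in TRUSTED.items():
        if host == domain or host.endswith("." + domain):
            return ("trusted", brand)
    # Not a genuine domain: does any label imitate a trusted name?
    for label in host.split("."):
        for brand in TRUSTED:
            if edit_distance(skeleton(label), skeleton(brand)) <= 1:
                return ("lookalike", brand)
    return ("unknown", None)


if __name__ == "__main__":
    for u in ["http://0rkut.com/login", "https://www.pay-pal.com/",
              "http://mail.yahooo.com/", "https://www.paypal.com/signin"]:
        print(u, "->", check_url(u))
```

A "lookalike" result means the link should not be followed; type the genuine address into the browser instead, as item 2 says.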

Now let’s go on with the trick.

You have to upload the fake login page to some server with PHP support. There are many free web hosting services available on the net; first sign up for any one of them. Google for free web hosting services and you will find many. Upload the files in the zipped folder to your server and give the link to the fake login page to the person whose password you want to know. When the person enters his email ID and password into the fake login page, they will be stored in an HTML file named “passwd.htm” on your server, in the same directory where you uploaded the login page. Check that text file to get the passwords you wanted.

Here is the demo of the trick

Note: Don’t enter your actual password.

Click this link to view the fake login page of Yahoo

The password you entered is saved into this page
