Skip to Content
Author's profile photo Eddy De Clercq
Eddy De Clercq
August 19, 2007 4 minute read

Big Phish

As promised, I’m getting back to you on the  phishing subject and will divulge the correct answers for the challenge that I initiated  in that previous weblog.

         

              Screenshots
            As said in the weblog, the screenshots aren’t  that easy as they all look alike. To be honest, I tricked you a bit.

            Screen 1:

image

            This is a real version of the SDN home page  as it is before the login. Why does it look so different then? Remember the  pimp up the jam Pimp up the jam: choose your favourite?  I’m still using the Simperlify theme by Dries Horions which results in this  screen

         

Screen 2:

image

            Again, this is a real version of the SDN  home page before login. I must admit that I was in heaven when I saw this  screen. Not that I like this kind of error, but these are typical of the sort  of messages that you can expect to get on a fake site. Add this up with the  above mentioned theme and you end up with a very suspicious looking screen.  Maybe the SDN admins could provide a more self explanatory message when  problems occur.

         

Screen 3:

image

            This is the normal version of the SDN home  page before login.          

None of the entries had 100% correct  answers. So why is it so difficult to tell real from fake? Well import  information is missing, namely the URL. It was my main point of criticism on  the Phishing quiz that I mentioned in my earlier A phish called Wanda.

         

 

         

Tricky  links
            So what if we provide links? Can you then  tell the difference between fake and real? Let’s have a look.

         

Link 1: http://www-sdn-sap-com.idizaai.be/index.htm points to a page which looks like the S(D)N forums page. This page is a fake. The  important indicator is the URL.
            First of all, a typical phishing site will try to imitate the original URL by  putting the original URL in the domain of the phishing site. I’ve put hyphens,  but a phishing site will make their own domain name as small as possible and  put full stops between the subdomains.
            Secondly, the real URL for the forums is http://www.sdn.sap.com/irj/sdn/forums.  Note the http://www.sdn.sap.comhttp://www.sdn.sap.com/irj/sdn/forums at the end.
            Thirdly when you click on the login, you  would go to http://www-sdn-sap-com.idizaai.be/login.html.  This might be a page that captures your userid and password, but in this case  just redirects you to the genuine S(D)N main page.
           

         

Link 2: http://www-sdn-sap-com.idizaai.be/index.html looks rather similar to the URL of the first link. The only difference is that  it’s not a fake. Why not? Well, it’s not the starting hyperlink that would make  a site suspicious, although I admit that this URL doesn’t look very trustworthy.
            It’s the end URL that counts. In this case the end result is nothing more than  a redirect to the S(D)N logout. The SDN admins could make things more secure by  not making the logout direct callable.
            I received good answers for the link  challenge, despite the fact that the supporting arguments weren’t always 100%  correct.

         

 

         

Conclusion
   I  didn’t get that much feedback on this particular challenge, despite the fact  that 76 ‘people’ visited the links in the earlier mentioned weblog. Now that gives  me some rather mixed feelings. On the one hand I wish that more people had reacted.  On the other hand, people clicked on the links not knowing what they would end  up with, just taking my word for it that I wouldn’t infringe anybody’s privacy.  Some (5!) people even clicked on the login button of the fake page, which was rather  disquieting. That page might have saved critical info, which wasn’t the case in  this particular example.

Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.