One of the few things that - perhaps - alerts users that they've been phished is when (after entering perfectly valid login details) they see something like this:
...or like this:
Generally, when net-savvy users get phished, they're alert enough to know that messages such as the ones above are a clue that they might have stumbled onto a Phishing page (assuming they're 100% sure they entered their details correctly, of course). This "break" in the login cycle has always been a weakness of a phish page, and the typical flow of events is as follows:
1. Visit Phish page
2. Enter details
3. User is told "your login cannot be processed at this time", and your information is stolen
What if the process could go like this:
1. Visit Phish page
2. Enter details
3. Phish page steals your information, but logs you into the target site
You'd miss that vital clue - the failed login - and assume everything was okay.
Well, a Phish for the popular Habbo Hotel caught my eye today because it does just that - seamlessly logging you into Habbo Hotel once your details have been stolen. Here is the Phish page in question:
Click to Enlarge
Here I am, entering my login details into the page:
At this point, a regular Phish page risks giving the game away because of the familiar variations on "Your login could not be processed" that appear at this point in the procedure.
However, the Phish page takes you to a page hosting an encoded base64 script:
From there, the user is deposited onto the Habbo Hotel website, fully logged in - no "Your login could not be processed" messages here!
Click to Enlarge
Meanwhile, my login has been stolen (it's the one in red) and placed in the ever growing pile collected by the Phisher:
Click to Enlarge
From the point where I decided to login to Habbo Hotel, to the point where I'm actually logged into the site there is no break in the usual procedure and I have absolutely no indication I've just been phished. If this kind of devious tactic is employed for banking phishes, it'll make it all the more crucial that end-users start to think about running Anti-Phishing programs and browsers that have built-in Phish Detectors because the stakes seem to have raised once again.
...or like this:
Generally, when net-savvy users get phished, they're alert enough to know that messages such as the ones above are a clue that they might have stumbled onto a Phishing page (assuming they're 100% sure they entered their details correctly, of course). This "break" in the login cycle has always been a weakness of a phish page, and the typical flow of events is as follows:
1. Visit Phish page
2. Enter details
3. User is told "your login cannot be processed at this time", and your information is stolen
What if the process could go like this:
1. Visit Phish page
2. Enter details
3. Phish page steals your information, but logs you into the target site
You'd miss that vital clue - the failed login - and assume everything was okay.
Well, a Phish for the popular Habbo Hotel caught my eye today because it does just that - seamlessly logging you into Habbo Hotel once your details have been stolen. Here is the Phish page in question:
Click to Enlarge
Here I am, entering my login details into the page:
At this point, a regular Phish page risks giving the game away because of the familiar variations on "Your login could not be processed" that appear at this point in the procedure.
However, the Phish page takes you to a page hosting an encoded base64 script:
From there, the user is deposited onto the Habbo Hotel website, fully logged in - no "Your login could not be processed" messages here!
Click to Enlarge
Meanwhile, my login has been stolen (it's the one in red) and placed in the ever growing pile collected by the Phisher:
Click to Enlarge
From the point where I decided to login to Habbo Hotel, to the point where I'm actually logged into the site there is no break in the usual procedure and I have absolutely no indication I've just been phished. If this kind of devious tactic is employed for banking phishes, it'll make it all the more crucial that end-users start to think about running Anti-Phishing programs and browsers that have built-in Phish Detectors because the stakes seem to have raised once again.
