Thursday, February 1, 2018

Hacking Facebook Accounts With IDN Homograph Attack

Grab a cup of coffee and sit comfortably, because things are going to get serious today. We are going to learn what an IDN homograph attack is, then use it for phishing and... well, let's keep the second part a surprise.

Homographs

There are a lot of languages in the world and everyone wants to type in their own language, which is why different scripts have been developed for different languages. For example,
  • Latin: A B C D E F G H I J K L M N O P Q R S T U
  • Cyrillic: а б в г д е ж з и й к л
  • Devanagari: ऄ अ आ इ ई उ ऊ ऋ ऌ ऍ
  • Arabic: ﺵ ﺶ ﺷ ﺸ ﺹ ﺺ ﺻ ﺼ ﺽ
Feeling bored already? Ok, here's a question for you: is this character “а” the same as this one “a”?
No, they are not the same. The first “а” is Cyrillic (code point U+0430) while the second “a” is Latin (U+0061). Characters that look alike but are different code points are called homographs (or confusables). Our eyes may not see a difference between homographs, but computers treat them as different characters, and so does DNS.

Phishing with IDN Homograph Attack

Someone sends you the link facebokk.com/loot.php and when you open it, it asks for your username and password. Will you enter your password? Probably not, because it is facebokk.com and not facebook.com, so it is clearly a phishing attack.
But today we are going to do phishing anyway. Oh, do you think phishing is an old technique?
Well, I am going to change your mind today. I will combine an IDN homograph attack with social engineering to pull off the phishing attack.
Step 1. English is written in Latin script, but I am going to buy the domain “fаcebook.com” (the a and the o's are not Latin; I have replaced them with Cyrillic characters). So our fаcebook.com is a different domain from the original facebook.com.
I am buying this domain from namecheap.com.

[Image: punycode attack]

Wait... do you see that weird-looking domain name I have marked? It still means fаcebook.com, but the registrar converted it to Punycode format: an ASCII encoding, prefixed with xn--, that is what actually goes into DNS and certificates. If you type the Punycode form into the address bar, a browser that accepts the label will display it as fаcebook.com again. One caveat a practitioner should know: since mid-2017 Chrome and Firefox show the raw xn-- form whenever a label mixes scripts (Latin f, c, b, k with Cyrillic vowels, as here), so the Unicode display works mainly in older browsers, non-browser clients and chat or mail apps that render the Unicode form; the spoofs that slipped past the browser check were whole-script ones, where every letter is Cyrillic. Just host the website somewhere and move on to the next step.
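As an added example (not code from the original post), the following Python uses only the standard library to show what the homograph and Punycode sections describe: that the Cyrillic and Latin letters are different code points, how a Unicode domain is converted to its xn-- form and back, the mixed-script check browsers use to decide whether to show the xn-- form, and a confusable-folding check a defender can run against a brand name. The Cyrillic-to-Latin table is a small hand-picked subset, an assumption for illustration rather than the full Unicode confusables list; the domain strings are constructed inputs.

```python
import unicodedata

# Cyrillic letters that render like Latin letters in most fonts.
# Hand-picked subset for illustration (assumed), not the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}


def char_script(ch):
    """Coarse script of one character, derived from its Unicode name (the stdlib
    has no Script property). Digits, hyphen and punctuation count as COMMON."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "DEVANAGARI", "ARABIC", "HEBREW"):
        if name.startswith(script + " "):
            return script
    return "COMMON"


def is_mixed_script(domain):
    """True if any label combines two scripts, e.g. Latin f/c/b/k with a Cyrillic a.
    This is the rule that makes current browsers fall back to the xn-- form."""
    for label in domain.split("."):
        scripts = {char_script(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            return True
    return False


def to_punycode(domain):
    """Unicode domain -> the ASCII form the registrar and DNS actually use."""
    return domain.encode("idna").decode("ascii")


def from_punycode(ascii_domain):
    """ASCII xn-- form -> the Unicode form a browser may choose to display."""
    return ascii_domain.encode("ascii").decode("idna")


def skeleton(domain):
    """Fold confusable letters to their Latin look-alikes so that a spoof and
    its target compare equal. Catches whole-script spoofs that is_mixed_script misses,
    as long as the table covers the letters used."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(c, c) for c in folded)


def spoofs(domain, brand):
    """True when domain is not the brand's domain but folds to the same skeleton."""
    return domain != brand and skeleton(domain) == skeleton(brand)


def differing_chars(spoof, target):
    """(position, code point, Unicode name) for each character where spoof and target differ."""
    return [(i, "U+%04X" % ord(s), unicodedata.name(s))
            for i, (s, t) in enumerate(zip(spoof, target)) if s != t]


def homoglyph_variants(brand):
    """Every single-letter Cyrillic substitution of brand, with its xn-- form, for
    feeding to Certificate Transparency monitoring or defensive registration."""
    latin_to_cyrillic = {latin: cyr for cyr, latin in CONFUSABLES.items()}
    variants = []
    for i, c in enumerate(brand):
        if c in latin_to_cyrillic:
            variant = brand[:i] + latin_to_cyrillic[c] + brand[i + 1:]
            variants.append((variant, to_punycode(variant)))
    return variants


if __name__ == "__main__":
    spoof, real = "f\u0430cebook.com", "facebook.com"   # constructed inputs
    print(spoof, "==", real, "?", spoof == real)
    print(differing_chars(spoof, real))
    print(to_punycode(spoof), is_mixed_script(spoof), spoofs(spoof, real))
    for variant, xn in homoglyph_variants("facebook"):
        print(variant, xn)
```

The same two functions serve both sides: an attacker enumerates `homoglyph_variants` to find what is still unregistered, a defender feeds the xn-- forms to a CT-log watch or registers them first, and a mail gateway or proxy can run `is_mixed_script` and `spoofs` over every link it sees.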
Step 2. Our website is up and running. Now the only thing we need is a phishing page. No, I am not talking about the old fake login page; let's do something more creative. Here's how it looks:
[Image: phishing]

This page asks for the profile URL of the person the victim wants to hack, and when the victim clicks the Takeover button he gets the following popup:

[Image: punycode attack]

He has to enter his password to "confirm his identity", and as soon as he enters it, it is saved on our server. The captcha makes the form look more trustworthy.
Isn't it beautiful? Well, it's time to make it even better.
Step 3. Take a look at these two screenshots:

[Image: phishing] [Image: latest phishing trick]

The first is our fake website, the second is the real Facebook. Facebook and all other major websites use HTTPS rather than HTTP, so we need it on our site too. For that we need a TLS certificate for the domain; I will be using a free certificate, valid for 90 days. Keep in mind that a domain-validated certificate only proves control of the domain you registered: CAs issue them to homograph domains like any other, so the padlock tells the victim nothing about whether the site is the real Facebook.
Step 4. Finally! Everything is ready and it's time to deliver the fake page to the victim. Always keep in mind: do not send the phishing link cold. I chatted with the victim (he's my friend) for about 5-7 minutes first and then passed the phishing link:

[Image: social engineering in phishing]
Looks like he is going to fall into the trap... and he did.

[Image: hacker got hacked]

Damn! The hacker got hacked! #Tango_Down
All I did was create a page that looks like part of Facebook and does not ask for both username and password. Facebook normally asks you to re-enter your password to confirm a sensitive action, and I did the same, so the victim was not alarmed.
You can use IDN homograph attacks in many ways if you are creative enough. Let's look at another example with a different approach.

Infecting Users With Cloned Websites

Kali.org is the official website of Kali Linux. I repeated the same steps: purchased the look-alike domain and got a certificate for it.
Then I cloned kali.org (copied all of its pages) with HTTrack and edited some pages to claim that a new version of Kali Linux is available. The latest Kali Linux version was Kali Linux Rolling 2017.1, so I edited the cloned pages to announce that Kali Linux Rolling 2017.2 had been released.
Take a look at the release notes:

[Image: homograph attack]

And I added a backdoored ISO image to the available downloads:

[Image: fake website clone]

So I can send the release notes to someone who likes Kali Linux; they will very likely fall into the trap and download my malicious image, which gives me full control of their system. The defence is the same as for any download: check the image's SHA-256 against the checksum file and its GPG signature published on the real site, verified with the project's signing key, and never trust checksums served by the same page that served the download.
You see? Homograph attacks can be used in many ways.
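As an added example (not the post's or Kali's own code), here is the check that defeats the backdoored-ISO trick: verifying a downloaded file against a sha256sum-style checksum list. The image contents, file name and checksum text are constructed inside the block so it runs offline; in real use the checksum file and its detached GPG signature must be fetched from the genuine site and the signature verified with the project's key, which this block does not do.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256; images are gigabytes, so never read them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse sha256sum output ('<64 hex chars>  <filename>', or ' *<filename>' in
    binary mode) into {filename: digest}. Malformed lines raise instead of being
    skipped, so a truncated or tampered list cannot silently verify nothing."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line: %r" % line)
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if not name or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed checksum line: %r" % line)
        sums[name] = digest
    return sums


def verify_image(path, sums_text):
    """True only if the file's name is listed and its digest matches.
    compare_digest is used out of habit; timing is not the threat here."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Write a 'genuine' image and a same-named 'tampered' copy to temp dirs and
    verify both against a checksum list computed from the genuine bytes.
    Contents and file name are constructed stand-ins (assumed), not a real ISO."""
    genuine = b"ISO9660 stand-in " + b"\x00" * 4096
    tampered = genuine + b"\xcc" * 16          # appended bytes stand in for the backdoor
    sums_text = hashlib.sha256(genuine).hexdigest() + "  kali-linux-2017.1-amd64.iso\n"
    results = []
    for content in (genuine, tampered):
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "kali-linux-2017.1-amd64.iso")
            with open(path, "wb") as f:
                f.write(content)
            results.append(verify_image(path, sums_text))
    return tuple(results)


if __name__ == "__main__":
    print(demo())   # (True, False): genuine passes, tampered fails
```

The cloned site can of course serve a checksum list that matches its backdoored image, which is why the list alone proves nothing: only the signature over it, checked against a key obtained out of band, ties the digest to the real project.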
Now I am going to end this article right here. I hope you enjoyed it and learned something new.
Keep Learning! Keep Homographing! Keep Hacking!
