The Required Software

We will be using this software for this guide:

• The Apache Websever
• Optional: DNS Server Software, e.g. BIND or PowerDNS

Apache Configuration

The crux of this tutorial centers around configuring Apache to “be” a certain website. For this example, we want to masquerade as Google. The first step is to configure Apache to pretend to be the site we wish to masquerade as, from the machine destined to be the phishing server.

The Apache master host configuration file (which is the traditional/deprecated httpd.conf within your installation directory) should have sections such as this for each website you wish to masquerade as:

(note that the paths are relative to a Unix/Linux installation; modify them for your system; comments are everything after the ‘#’ character for clarification)

NameVirtualHost: *:80 # Any hostname/IP, TCP port 80 (default for HTTP)
 # Virtual Host delimiter, e.g. a website under this installation
ServerName www.google.com # main website name
ServerAlias google.com google.com. www.google.com. *.google.com # Any other name for Google.com
DocumentRoot /var/www/google # where the fake website's pages are stored
 # Per-directory configuration directives
                Options FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all # we phish for anyone, you could modify this for only select hosts, however

CustomLog /var/log/apache2/google.log combined  # log the visits to the fake website

With Apache's httpd.conf containing that, and optionally some other Apache optimization within the other configuration files, a service restart will make the fake site (Google in this case) "live", but without any content or visitors.

Appearing as the intended site

In our configuration file, we told Apache that any requests for "Google.com" from our server should be directed to the "/var/www/google" directory for content (which should be empty). In order to appear as Google to the visitors we wish to phish, we need Google's content within this directory.

The easiest way to retrieve content from the existing website is via the "wget" command, which is standard on Linux/Unix installations (Windows users can simply visit the page and save it directly to the content folder instead). For our example, our wget command:


user@Phisher:/var/www/google$ wget -O index.html http://www.google.com/


...would retrieve Google's home page and store it within the file index.html within the content directory used by Apache2 for requests made to "Google.com" to our server. Keep in mind that "index.html" is (by default) the file sent to the users' browser when a request is made to the root directory '/' of a site.

Tailoring

Before we get to the step of directing users to our Google.com instead of Google's Google.com, we should modify the site's content so we can retrieve (phish) the content we want.

This is where this could easily turn malicious, and I would like to remind you, dear non-malicious reader, of the extensive disclaimer at the end of this article.

As a non-malicious example, we will pretend we are a parent seeking to monitor Google searches from a network of children (a very probable and applicable scenario). All that is required is a little modification of the index.html file, and/or creation of a Google-compliant search.php file.

Although the access logs for the server would suffice (providing IP information to identify the searcher), you will still probably want to return real Google results so as to convince the visitors that this is the real Google website.

Modifying the "form" HTML element to point to an alternative search processing file may be necessary, while in most cases it would suffice to create your own "search.php" file (with the Apache PHP module installed) to process search queries and retrieve results from Google.

Easiest way to retrieve search queries from Google is probably to pass the query string from your phishing site's search.php as HTTP POST data to http://www.scroogle.org/cgi-bin/nbbw.cgi, and using some simple XML parsing and formatting to present the results in a results page that exactly mimics Google's.

That last bit requires a bit of PHP/Perl programming skill (over the head of most parents I know), and represents the biggest challenge in phishing: changing the pages to get what you want.

Redirecting Visitors To Your Site

At this stage, your Apache server installation should be set up and ready to serve up requests aimed for the site you're masquerading as, and it the content for the site should be filled with content that looks exactly like the real site, only providing you with the data the user thinks they are entering on the real site.

Now, for the process of sending users to your site instead of the real one: simple DNS manipulation.

In short, you need to make your target machines manually resolve "Google.com" (as in our example) to the IP address of your phishing server.

This means that you can't make the entire Internet redirect a given domain name to your site, at least not without severe and easily-detectable DNS hijacking. Instead, you should focus on your target set of hosts, i.e. the children in our parenting example we explained earlier.

To do this manually, you must modify the host file of each system. The host file is a manually-editable "database" of domain names and their corresponding IP addresses, and takes authority over DNS queries to a remote system.

On Windows systems, this file is located at "C:\Windows\System32\drivers\etc\hosts", and on Linux/Unix/Macintosh systems this file is at "/etc/hosts". The format is extremely basic, with examples in both as to how to statically enter DNS entries.

On Windows systems, after entering this information, it is necessary to execute the command "ipconfig -flushdns" to clear the memory-cached DNS resolution entries so the new changes can take effect.

While this method works, it is not practical for, says, 5-100 hosts. In that case, it is then necessary to simply add a real DNS server to the network using one of the free tools mentioned above. I won't go into detail as to configuring an individual piece of DNS server software to resolve a domain to your phishing server's IP (RTFM), but I will tell how to make the server's resolutions take effect for the whole network.

Most networks, especially those within homes, have a DHCP server, many times integrated into their router. Simply place the IP Address of your new rogue DNS server (presumably the same as your web server) to the top of the list of DNS servers within your DHCP parameters, and following the next renewal, your server will take the top authority for DNS resolutions for your network (other than the host file).

There is also a way to, using a *nix router, manually route all traffic to a host for processing - see the Upside-down-ternet page for these details (and for a guide to dick around with wardrivers).

What you've done...

...is this: everytime someone requests (in this example) Google.com, either a rogue DNS server you set up or a host's host file will resolve the domain name to the IP address of your phishing server, which will accept the request and serve up content from a directory containing content that appears as the targeted site, only with some other purpose for your benefit.

There may be other ways to set this up, but this is certainly the fastest. Keep in mind that if your server goes down, all queries will still go to the real site unless you de-listed all DNS servers except the rogue one you set up.

Other Suggestions

Instead of drastically modifying the content for your site, for example if you wish to simply have a static web history via access logs, then you could simply make your rogue DNS server (via wildcards) resolve all traffic to your phishing server, which simply retrieves the target content via wget and serves it to the client.

To accomplish this proxy solution, you would need to modify the VirtualHost directive to make the 404 (not found) error page the same page as the "index.php" page, which calls and processes the wget script (I recommend using stdout to redirect the content from wget to the browser as opposed to saving every piece of content to a file before serving it)

Also, please note that none of this guide applies to secure (HTTPS) websites. HTTPS communication takes place on port 443 instead of port 80, and there is a solid authentication process for verifying secure sites as opposed to insecure sites.

* Disclaimer *

Don't use this guide for malicious purposes, despite how easily this guide could be adopted for such goals. The example I used throughout the article was for a parent wishing to monitor children's Google searches, and as such any possible malicious purposes are not in any way implied.

We have no affiliation with Google, inc. We simply used their site as an example to phish because they are very popular and a parent may wish to monitor a child's Google activity, realistically.

If you get detained for phishing, or any other criminal activity for that matter, then the mere visit to this page does not place any of the blame on us: you chose to do whatever you did based on your own decision.

This guide is educational only, and should not be interpreted as an invitation to violate one's privacy.

Don't be a jerk.

That said, I hope this guide benefits anybody needing a guide on how to do this. Thanks for reading, and leave any suggestions/additional notes in the comments.

How To Set Up A Phishing Web Site originally appeared on The Coffee Desk on September 12, 2009.

Facebook's Updated Relationship Statuses, Including the Newly-added 'Widowed' Option

You wouldn’t really guess that many widows would be using Facebook, but the group behind the petition is a sign that Facebook is increasing their reach throughout the population – even to widows.

For many of us, the relationship status doesn’t change very often, but the new option should allow a very specific set of users the ability to make their relationship status more accurate than before.

Nothing real exciting, but still a major change for Facebook.

Facebook Adds New ‘Widowed’ Relationship Option originally appeared on The Coffee Desk on September 1, 2009.

This post is more of a “Dos and Don’ts” post as far as SEO is concerned. There is a point where optimization tactics become spam for all practical purposes, and here I aim to define the difference more clearly.

Editing Wikis

One thing Wikis have brought to the Internet is something I tried once when I first had a web browser as a teenager, and that is the ability to edit web pages while they remain live on the Internet.

But adding links to your website for the Pagerank and user link-clicking benefits is an act that has a right way and wrong way to do it. Overall, you should never add links to your own website: if it is notable enough, someone else will do it.

Otherwise, you could be outed by other members of that wiki’s community for blatantly link-spamming to your website, potentially even banned from the site along with links directed at your website.

Wikipedia seems to be the largest target for this, and they have a very large set of editors dedicated solely at removing spam links from the site. It’s just best not to personally edit these sites yourself, for all practical purposes.

Directories

With DMOZ being the best example, directories are a white-hat method of gaining link love for your site, without resorting to unethical means.

However, even directories can be abused. Submitting your site for four or five different categories and subcategories is a bit much, and luckily the DMOZ folks are pretty good at stopping this sort of nonsense.

But a single link to your site in the proper category will benefit both your site’s ranking as well as the users of the directory.

Blog Comments

Most blogging software has support for comments with a “website” form field. This is perfectly acceptable and a common practice for a sort of “pingback” to the commentator’s blog simply for leaving a comment.

It is unacceptable, however, to leave an additional URL to the root of your website/blog at the bottom of an overly-generic or non-contributing comment. There is already a growing problem of spam crawlers going through the Web looking for Wordpress/Blogger comment forms for the purpose of leaving a comment with a URL and keywords.

So while filling out the Website field of a comment form is acceptable, leaving another root URL at the bottom of a comment is not. While links to a related article on your website may be okay, in most cases its just best not to push the envelope.

Twitter Spamming

This is a pet peeve we’ve covered many times on this site.

Using Twitter to propagate (tracked) links to your website or blog is both annoying and pointless. If anything else, it will get your blog/website listed within spam databases for life and royally piss off any otherwise potential readers.

That’s not to say that using a Twitter account isn’t an ethical way to gain traffic: actually tweeting news and tips from a Twitter account, without following everyone in the public timeline and/or posting a link to your site in every tweet, is a good practice.

It allows you to connect with your readers/visitors in real-time, and might actually attract a few more readers via valid RT’s and mentions from other followers. This is only possible, of course, if you don’t scare everyone away as a potential spammer.

Emailing Links

This is a big one, and should be fairly obvious. Email spam remains the largest spam medium in existence, and if you don’t know the rights and wrongs of Emailing links to people, then here’s a few examples:

Hey, person I know and are on good speaking terms with. Remember that completely-relevant talk we had the other day? I found an article on this website (or alternatively “posted an article on my website/blog”) that you may find interesting:
(link)
Tell me what you think.

-(your name)

Hey check out my blog: (link)

Never just give links to anyone you are not on good speaking terms with. Doing so will get both your site and your email address listed in spam DBs.

Over-advertising

I already acquire a low opinion about websites and URLs I see advertised all over the Internet on seemingly every page I visit.

Examples include the game Evony (“come begin your journey, my lord”), the “Single mom’s teeth-whitening secret” ads, and the “Go back to school” ads that always feature distracting dancers.

Putting a discreet textual advertisement to be deployed on a few relevant pages here and there is okay, but large, distracting Flash ads to be deployed on hundreds of sites is a no-no, and will draw negative attention to your site.

Final Words

In a nutshell, SEO ethics should be fairly common-sensical to most. Understanding the fine line between genuine SEO and blatant spamming is important for your site, as swaying too far in the wrong direction will do more harm than good.

SEO has no direct relationship with spamming, although both of them aim to promote and increase the rank of a given website. Everything covered here in this article is related to SEO that escapes the boundaries of the website’s code, which we have also discussed on this website (check the “Top Articles” section.)

Even placing keywords with no direct relation to the page can be more of a spammy practice, so SEO ethics do not necessarily stop at methods of gaining incoming links.

That said, be sure your methods of promoting your website follow conservative and discreet practices. Think about what might turn users off about your site with every potential link you post, and whether or not it has the probability of being interpreted as spam before you go through with it.

When SEO Becomes Spamming: Crossing The Fine Line originally appeared on The Coffee Desk on August 27, 2009.

“Let us handle your data”

I can’t be the only person bothered by this – Google Docs aims to own your documents, Google Maps wants to know where you are and where you are going (or even looking at), and now Google Chrome OS wants everything that you don’t put on the Internet.

I’m no conspiracy theorist, I swear. I don’t think Google tries to be evil (though they missed a pretty good chance), and I don’t think they sit there all sweaty and peering at all the private data they collect from users. But they do have it, don’t they?

And now with Chrome OS atop your hardware and Chrome (the browser) atop Chrome OS, you can give everything you do within the OS userspace sandbox a nice, fat red Google stamp across it.

How “sandboxed” the Chrome OS environment is has yet to be seen, but if it fits the netbook idealogy then there won’t be very much done outside of the Chrome browser and/or user environment (possibly iGoogle?)

The Largest Violator of Privacy…

…is almost always the user. People like myself realize the dangers of your information exchanging too many hands, but 90% of people do not, and will freely hand it over if the receiver has a shiny appeal and a trusted name (like, say, “Google“).

Chrome OS will be no different, just with a more streamlined way of going from hardware -> boot -> Internet -> Google for the information exchange.

And there’s no doubt that, with Google controlling the entire GUI layout and design, there will be a heavy slant towards Google Docs and other products to take the place of Word etc. for the new netbook.

While this will undoubtedly appeal highly to users, the exchange of so much information into the hands of one entity will trouble many concerned about privacy on the Web (such as myself).

Final Notes

I know Google isn’t evil (at least 90% sure). But the very fact that Google owns so much information about users along with a history of sharing it with other entities (including governments), it is troublesome. Not to mention the fact that they own doubleclick.net.

It worried me even before the giant was behind every bit of software running on my hardware (I like netbooks), and it troubles me even more so now. If Google, say, was ever compromised on a large scale, could you imagine just how devastating that would be to the general population?

Just some thoughts on the privacy concerns introduced along with Chrome OS.

Is Chrome OS Too Orwellian Or Big Brother-ish? originally appeared on The Coffee Desk on August 13, 2009.

So Microsoft owned up to the bug in their “security” blog, where they were even nice enough to disclose the offending lines of code.

The Typo

The main cause of the bug was a single misplaced ampersand, used to reference the memory address of a particular variable in C and C++ programming. But when used to denote the address of a pointer (itself a memory reference to another variable), bad things happen. Namely, security issues.

Here is the code that hackers found useful in the latest ActiveX exploit for the browser:

__int64 cbSize;
hr = pStream->Read((void*) &cbSize, sizeof(cbSize), NULL);
BYTE *pbArray;
HRESULT hr = SafeArrayAccessData(psa, reinterpret_cast(&pbArray));
hr = pStream->Read((void*)&pbArray, (ULONG)cbSize, NULL);

The first pStream->Read() call is valid – if you notice, the ampersand is used to reference the address of the cbSize variable, since Read() requires a reference rather than a pass-by-value argument.

The second pStream->Read() call, however, uses the ampersand to denote the address of `BYTE *pbArray`. oops.

pbArray is a pointer, which means that pbArray stores the memory location that contains the actual value, with the value itself referenced at ‘*pbArray’ (asterisks are used to retrieve the value a pointer points to).

So instead of passing a reference to the value stored at ‘*pbArray’, the Read() function was passed a reference to a pointer (a reference to a reference, if you will). With pbArray being an array and all, this could lead to all sorts of exploits – arrays are common causes of stack-based programming attacks and buffer overflows.

The Patch

The valid way to use the code would have been this:

__int64 cbSize;
hr = pStream->Read((void*) &cbSize, sizeof(cbSize), NULL);
BYTE *pbArray;
HRESULT hr = SafeArrayAccessData(psa, reinterpret_cast(&pbArray));
hr = pStream->Read((void*)pbArray, (ULONG)cbSize, NULL); // pbArray is already a reference

Voila, bug fixed and no more exploiting this bug. Not that there isn’t a history of exploitable bugs in ActiveX or anything

The Apology

So what did Microsoft have to say about being caught with their pants down? Well, Microsoft’s Michael Howard had this to say on his blog:

I want to drill a little deeper into casting issues. This will be a side project for me over the next few months, as I wade through bug databases and code to see if there are other related issues. I’ll also speak to various static analysis and C/C++ language experts here at Microsoft and across the industry to get their views and insight. If you have a professional opinion on casting issues, please feel free to let me know through this blog.

Translation: we’ve fucked up here and there, and I’ve got to dig through the code and find the issues.

I don’t claim to be a C/C++ god, and I understand that at 3am stuff as simple as this tend to run together. I’m just surprised that Microsoft doesn’t check behind its individual programmers a little better than that, and the fact they admitted to using an older library to accomplish this bug and even told the compiler to ignore the issue.

And all the more reason, we’re talking about ActiveX here, a security nightmare given its past history. Good job on finding the one typo Microsoft, and a crate of Red Bull awaits you as you find all the other issues in what can only be described as the worst “secure” code I’ve ever seen.

Microsoft Can’t Even Type Cast Correctly originally appeared on The Coffee Desk on August 7, 2009.

I got bored one day (on the toilet, no less) and started looking at the privacy policy on my iPhone. While the whole point of it is to make you feel safe about what you input to your device overall, there are some surprising clauses in there that might scare you, while others are borderline humorous in Google’s attempt to satisfy even the tin foil hat-wearing types.

Google Maps Privacy Policy

Probably one of the best examples of humor within a legal disclosure, it appears that Google is desperately trying to shed the ever-growing “Big Brother” image they have acquired over the years:

Well, enough of that. In case you’re wondering where I’m getting this from, look here for the whole thing, although I covered the majority of it.

This post would be too long if I were to cover Apple too, so I’ll stop at Google Maps for today.

I’m honestly not the “tin foil hat” type, but some of the stuff in this policy really worries me, and I hope others are equally concerned. Its amazing what you blindly agree to these days.

Google Maps Privacy Policy In Plain English originally appeared on The Coffee Desk on July 19, 2009.

This is the fourth celebrity death this week, and the third today. Our very reliable witness states that the ex-president was eating dinner at Studio 54 when around noon he walked to the restroom claiming minor chest pains. He was found dead an hour later in Australia while at an Opera, our reliable sources say.

Fox News reporter Geraldo Rivera states, “I would say that my private, unlisted sources tell me that drugs were involved”, he said while stroking his mustache. “Nixon was a known Tylenol addict, and while he didn’t go out from overdosing, Michael Jackson did have a dependency that indirectly lead up to this day. Wait, who are we talking about again?”, Geraldo went on to say.

Geraldo was met with some differing opinion, however.

“Are you stupid? Nixon has been dead for years, dumbass”, stated some random person I interviewed on the street after my Fox News session. “Everybody knows that – he died in 1994. What are you, retarded?”, the source went on to say.

But, with an always-right mustache-endowed reporter like Geraldo freaking Rivera saying it, and the non-biased Fox News reporting it, I consider this to be confirmed. Everybody has their own opinion, but some are just wrong, as our second source clearly was.

Nixon was one of the best presidents we ever had, never putting his nose anywhere near trouble or any form of it. As a Republican, I side with Nixon on every decision he ever made, since they all must be better than any Fox-bashing democrat would make.

Our current “president” Obama could learn a lot from Nixon, being a non-Republican and all. I personally mourn the loss of any Republican party member, but I especially mourn the loss of an always-right never-wrong Republican president like Nixon.

If he instead went into the music industry, he would have outsold Michael Jackson at any show at any time. Likewise with acting compared with Fawcett or Goldblum. He’s just awesome for being Right-wing!

R.I.P. Richard Nixon, and may your head come back in a jar-thingie in the future like Futurama depicts.

(disclaimer: this is so fake its not even funny. You would think I wouldn’t have to do this, but these days, I have to cover my tracks before somebody goes around thinking this is real and tries to sue me later. Please don’t. If you thought this headline was real, please unplug your computer, go outside and sit in a tree while holding your breath all the way. May offend some hardcore, unable-to-laugh-at-themselves Republicans.)

BREAKING NEWS – Richard Nixon Dead At 81 originally appeared on The Coffee Desk on June 25, 2009.

Watching paint dry contest flyer

*remember, this is not real even by a long shot

The Coffee Desk’s Watching Paint Dry Contest originally appeared on The Coffee Desk on June 17, 2009.

There are some upsides and downsides to this decision, and there are some things you should consider regarding your privacy when choosing a username as I’ll outline below.

Facebook Benefits

Facebook themselves have several unseen benefits: now, since the site is largely unencrypted by default, email addresses are less likely to be compromised (as they are all of the time) and users don’t have to deal with the issue of several email addresses/one login.

But how this will be implemented remains, as of this writing, to be seen. With Facebook’s history of changing their site on what appears to be a weekly basis anyways, you can’t be certain about any changes, but one has to ask: will “real names” continue to be displayed at the top of pages, or will the new usernames replace them?

It would be great if Facebook were to go to a more username-based rather than email- and real name-based service for more privacy and less “employer”-friendly, which has turned into a problem for some people with “soapbox Facebook accounts” when possible future employers find their account.

Nothing is certain, but there are some things, as a user, that you must consider when picking and using a username:

Privacy

Facebook has a sad history of privacy (as we’ve pointed out here many times), so I wouldn’t trust the new usernames with a real-world firstname_lastname format, since most accounts use one’s real name anyways.

And using a username already heavily associated with your name is also a bad idea in case employers really put you under the microscope: it makes your social life that much easier to find in a regular web search, which you probably don’t want employers to see.

And while most accounts are not publicly viewable, employers’ demands can include the right to view an employee’s private Facebook account, under threat of termination (as most contracts/forms permit in larger, employee-reputation-aware businesses).

It has happened with YouTube users, Myspace users, and bloggers many times before, so don’t let it happen to you (or increase your chances of) now with Facebook usernames.

(and as a side note, did anyone notice Twitter user @facebook_rt getting “suspended for strange activity”? Makes you wonder)

Facebook Is Getting Username Support originally appeared on The Coffee Desk on June 10, 2009.

"me stoned"

Anyone else remember furbies? Yeah, I found this and think it’s amazing what a rolled up Taco Bell receipt and a red marker can do.

Furby Stoned originally appeared on The Coffee Desk on June 5, 2009.