Posted on , tagged security

Using the Fullscreen API for password phishing

Osprey

A year ago I had a go at social engineering and phishing techniques.

Now I have finally found the time to rework my code and put it on GitHub:

https://github.com/jaylinski/osprey

The first, and so far only, module uses the Fullscreen API to spoof the address bar and make the user believe they are on Facebook.

I researched other fullscreen phishing attacks and found a similar approach:

http://feross.org/html5-fullscreen-api-attack/

The advantages of my version are:

  • If the user detects the fraud and tries to exit fullscreen, the page falls back to the original site.
  • Custom "fullscreen UI", so no OS-specific graphics are needed.

But the current state of Osprey still lacks some useful features:

  • Detect whether the user is logged into Facebook and, if not, do not start the attack.
  • Build a custom UI for Firefox and other popular browsers.
  • Check whether the attack works on mobile devices.

Implementing these features would increase the phishing success rate.
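The spoof described above works because nothing inside a fullscreen page tells the user which host is really loaded. As an added example that is not part of Osprey or the feross demo, here is a defensive content script (hypothetical extension code; TRUSTED_HOSTS is a constructed list) that shows the page's real origin whenever fullscreen is entered and checks it against trusted hosts with a strict suffix match:

```javascript
// Added example, not part of Osprey: a browser-extension-style content script that
// pins the page's real origin on screen whenever the page enters fullscreen, so a
// spoofed address bar cannot hide which host is actually being visited.
// TRUSTED_HOSTS is a constructed list; a real extension would load it from settings.
const TRUSTED_HOSTS = ["facebook.com"];

// True when `hostname` is exactly a trusted host or a subdomain of one.
// Requiring the leading dot in the suffix check rejects look-alikes such as
// "facebook.com.evil.example" and "notfacebook.com".
function hostMatches(hostname, trusted = TRUSTED_HOSTS) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return trusted.some((t) => h === t || h.endsWith("." + t));
}

// Text for the banner shown while fullscreen is active; null when not fullscreen.
function fullscreenBannerText(origin, isFullscreen, trusted = TRUSTED_HOSTS) {
  if (!isFullscreen) return null;
  let hostname;
  try {
    hostname = new URL(origin).hostname;
  } catch (e) {
    return `Fullscreen active on a page with an unreadable origin (${origin}). Press Esc to leave.`;
  }
  const verdict = hostMatches(hostname, trusted)
    ? "is in your trusted list"
    : "is NOT in your trusted list";
  return `Fullscreen active. The real site is ${hostname}, which ${verdict}. Press Esc to leave.`;
}

// Browser wiring; skipped outside a browser so the functions above stay unit-testable.
if (typeof document !== "undefined") {
  const banner = document.createElement("div");
  banner.style.cssText =
    "position:fixed;top:0;left:0;right:0;z-index:2147483647;padding:8px;" +
    "background:#b00;color:#fff;font:14px sans-serif;display:none";
  document.documentElement.appendChild(banner);
  document.addEventListener("fullscreenchange", () => {
    const text = fullscreenBannerText(location.origin, !!document.fullscreenElement);
    banner.textContent = text || "";
    banner.style.display = text ? "block" : "none";
  });
}
```

Because a page controls its own DOM, a hostile page can remove or cover this banner; a production extension would surface the same text through UI the page cannot touch, such as the browser action or the notifications API.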

Osprey?

The osprey, also called fish hawk, is a fish-eating bird of prey.

Disclaimer

Since stealing digital data is illegal in almost all countries, using this software on real people may lead to arrest!

Do not use this code for fraud!