Security – How does Desktop Phishing work?

I think most of you know the word “phishing”: “In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as user names, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.” An example makes phishing easier to understand. Say I am a Yahoo user and I use their email service. When I want to log into my email account, I go to, enter my user name and password, and I can access my inbox. One fine day I decide to use a third-party service related to Yahoo, for example one that checks whether my friends are invisible or keeps my nick showing as online for as long as I want. To use this service I must enter my user name and password. The service “assures” me that it will not steal my data by redirecting me to a page that looks exactly like the Yahoo login page.

Aha, I know this page. It “must” be the Yahoo login page; everything looks the same. I enter my credentials, and some days later I have lost my email account. If you are careful enough, you can immediately recognize the fake website by its URL. But what happens if you are in a hurry and have no time to check the URL? Then your data will be phished. This is called web phishing.
Not long ago I heard about a new technique, so-called “desktop phishing”. This attack targets your machine's own name resolution directly and redirects you to a phishing web page, and you cannot tell that you are being attacked because there is no fake URL anymore: the address bar shows the genuine domain name.
The attack works as follows (on Windows): the hosts file ( is edited and a new entry of the form “IP_Address domain_name” is inserted. IP_Address is the address of the attacker's server, on which he hosts a web page that looks like the site at domain_name. To edit the hosts file, he tries to send the victim a malicious file which, when run, overwrites the victim's hosts file with his own. (Overwriting that file requires write access to it, which on current Windows versions means the malicious code must run with administrator privileges.) From then on, whenever we try to open the genuine website, we are sent to the attacker's server instead.
For example, the Yahoo site has its IP address. When we want to open Yahoo, our resolver resolves the domain name to that IP address, hands it back to the browser, and the connection is established. In desktop phishing, a new entry “” is inserted into the hosts file. Because the operating system consults the hosts file before it asks DNS, when we want to go to Yahoo it hands this fake address to the browser without ever sending a DNS query, and the connection is established between our browser and the fake site. Note that the hijack only changes which server the browser talks to: if the genuine site is served over HTTPS, the attacker's server cannot present a certificate that is valid for the real domain name, so the browser will show a certificate warning unless the victim clicks through it or the page is loaded over plain HTTP.
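To make the lookup order and the planted entry concrete, here is an added Python example (it is not code from the original post or from the video linked below). It parses a constructed hosts file, shows that a name listed there resolves to the planted address without DNS ever being consulted, and flags any entry that points a watched domain at a routable address. The hosts-file contents, the domain names, the addresses (taken from the reserved documentation ranges 192.0.2.0/24 and 203.0.113.0/24) and the stand-in DNS answers are all constructed for this example.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Constructed sample hosts file for this example (not taken from the original
# post or from any real machine). The last line is the kind of entry a
# desktop-phishing payload plants: a well-known login domain pinned to an
# attacker-controlled address. 192.0.2.0/24 and 203.0.113.0/24 are reserved
# documentation ranges, used here as stand-ins for real addresses.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
127.0.0.1       mypc.local      # inline comment
0.0.0.0         ads.example.net
192.0.2.10      login.yahoo.com mail.yahoo.com
"""

# Constructed stand-in for what public DNS would answer for these names.
SAMPLE_DNS = {
    "login.yahoo.com": "203.0.113.5",
    "mail.yahoo.com": "203.0.113.6",
    "www.example.com": "203.0.113.9",
}


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    hostnames: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text: one IP followed by one or more hostnames per
    line, '#' starts a comment, blank and malformed lines are ignored (which
    is also how the system resolver treats them)."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append(HostsEntry(line_no, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def resolve(hostname: str, entries: List[HostsEntry], dns: Dict[str, str]) -> Optional[str]:
    """Mimic the lookup order the post describes: the hosts file is consulted
    first and the first matching line wins; DNS is only asked when nothing
    matches. A planted line therefore hijacks the name without any DNS query
    ever leaving the machine."""
    name = hostname.lower().rstrip(".")
    for entry in entries:
        if name in entry.hostnames:
            return entry.ip
    return dns.get(name)


def find_hijacks(entries: List[HostsEntry], watched: List[str]) -> List[HostsEntry]:
    """Flag every entry that points a watched domain, or any subdomain of it,
    at a routable address. Loopback (127.0.0.1, ::1) and the unspecified
    address (0.0.0.0, as used by ad-blocking hosts files) are treated as
    benign blackholes, not redirections."""
    watched = [d.lower().rstrip(".") for d in watched]
    flagged: List[HostsEntry] = []
    for entry in entries:
        addr = ipaddress.ip_address(entry.ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        if any(h == d or h.endswith("." + d) for h in entry.hostnames for d in watched):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("login.yahoo.com resolves to", resolve("login.yahoo.com", entries, SAMPLE_DNS))
    print("www.example.com resolves to", resolve("www.example.com", entries, SAMPLE_DNS))
    for hit in find_hijacks(entries, ["yahoo.com"]):
        print(f"hosts line {hit.line_no}: {', '.join(hit.hostnames)} -> {hit.ip}")
```

On a real machine you would feed `parse_hosts` the contents of `%SystemRoot%\System32\drivers\etc\hosts` on Windows (or `/etc/hosts` on Linux and macOS) and pass the domains you care about to `find_hijacks`. The loopback and 0.0.0.0 exceptions matter in practice: many users deliberately blackhole ad and tracking domains in their hosts file, and flagging those as hijacks would bury the one entry that actually redirects a login page to a foreign address.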
For more details, you can watch this video (it was not made by me):
Mirror 1:
Mirror 2:

UPDATE 12.04.2012
Update download link

