(Brent) #1

Phishing


Phishing is the technique of fooling people into entering information into a
bad website. You show end users an interface that looks legit (for a bank or
what have you) but that in reality sends their information to your database.
Because phishing is a felony, I cannot show you a demo.


The trick with phishing is to make the form really look like it comes from a
website you trust. You have probably gotten emails saying that your “XYZ
bank account” has been compromised, and you know for certain that this
isn’t the case because you have no account with that bank and may not
have even heard of it. This is a wild-guess phishing attempt, which is not
usually effective.


On the Web, though, an attacker can perform a JavaScript trick to find out
where you’ve been. As Jeremiah Grossman showed some years ago, you
can use JavaScript to determine the state of a link on the page. Because the
colors of visited and unvisited links are different, we can use this technique
to figure out which websites a user has been to and then display the
appropriate logo above the form. This demo shows this quite effectively.
Funny enough, you can also use this trick for good reasons; for example, by
showing people only the buttons of social media websites they use.


Clickjacking


Clickjacking is a terribly clever way to use CSS and inline frames to trick
users into clicking something without knowing it. Probably the most
famous example of this was the “Don’t click me” exploit of Twitter a few
months ago. All of a sudden, Twitter was full of messages pointing to a
website with a button that read “Don’t click me”. Here is an example from
Jason Kottke’s stream:
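
The defence against the inline-frame trick described above is to tell the browser which sites, if any, may embed your page. The following is an added example (not code from the original post): a small audit helper that takes a page's response headers and decides whether a browser would allow a given origin to frame it, honouring the rule that a Content-Security-Policy `frame-ancestors` directive overrides `X-Frame-Options` when both are present. The origins and header sets are constructed sample data, not real sites.

```javascript
// Added example: decide whether a browser would let a page be embedded in an
// <iframe> by a given origin, from the page's X-Frame-Options and
// Content-Security-Policy response headers. Useful when auditing a site for
// clickjacking exposure. Host matching is simplified (a source without a
// scheme matches any scheme).

// Parse a CSP header string into a Map of directive name -> source list.
function parseCsp(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources); // first one wins, per spec
  }
  return directives;
}

// Does one CSP source expression allow framerOrigin to embed pageOrigin?
function sourceMatches(source, pageOrigin, framerOrigin) {
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'self') return framerOrigin === pageOrigin;
  if (s === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s; // scheme source, e.g. "https:"
  // Host source: optional scheme, optional wildcard subdomain, optional port.
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && framer.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? framer.hostname.endsWith('.' + host) : framer.hostname === host;
  if (!hostOk) return false;
  const framerPort = framer.port || (framer.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && framerPort !== port) return false;
  return true;
}

// Returns { framable, reason } for the given response headers.
function canBeFramedBy(headers, pageOrigin, framerOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };
  const csp = get('content-security-policy');
  if (csp) {
    const fa = parseCsp(csp).get('frame-ancestors');
    if (fa) {
      // A frame-ancestors directive makes browsers ignore X-Frame-Options entirely.
      if (fa.length === 0 || fa.some((x) => x.toLowerCase() === "'none'")) {
        return { framable: false, reason: "frame-ancestors 'none'" };
      }
      const allowed = fa.some((x) => sourceMatches(x, pageOrigin, framerOrigin));
      return { framable: allowed, reason: `frame-ancestors ${fa.join(' ')}` };
    }
  }
  const xfo = get('x-frame-options');
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
    if (v === 'SAMEORIGIN') {
      return { framable: framerOrigin === pageOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
    }
    // ALLOW-FROM is obsolete and ignored by current browsers: no protection.
  }
  return { framable: true, reason: 'no framing restriction in headers' };
}

// Constructed sample header sets (hypothetical sites, not real ones).
const samples = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspPartner: {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
};

function auditSamples() {
  const page = 'https://bank.example';
  const attacker = 'https://attacker.example';
  const partner = 'https://widgets.partner.example';
  return {
    unprotectedByAttacker: canBeFramedBy(samples.unprotected, page, attacker).framable, // true
    xfoByAttacker: canBeFramedBy(samples.xfoOnly, page, attacker).framable,             // false
    xfoBySelf: canBeFramedBy(samples.xfoOnly, page, page).framable,                     // true
    cspByAttacker: canBeFramedBy(samples.cspPartner, page, attacker).framable,          // false
    cspByPartner: canBeFramedBy(samples.cspPartner, page, partner).framable,            // true: CSP overrides XFO DENY
  };
}

console.log(auditSamples());
```

Run it with Node; the `cspPartner` case is the one worth noticing in an audit, since a site that believes `X-Frame-Options: DENY` protects it is in fact framable by any `*.partner.example` host once `frame-ancestors` is present.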
