Tuesday, March 7, 2017

phishing on facebook

Do you really want to steal your friends' password? 😉 All right you are in the correct place.
First of all, you need to have a basic idea of phishing. Here is the definition of 'phishing'. I know you will all skip this part, but first I am going to talk about what phishing is and the concepts related to it.

Phishing: "the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers."
Phishing can be done in many ways. The most popular method is sending phishing emails to a specific person (also known as "spear phishing") or to a group of people. This mail can be sent using a spoofed (forged) email address. It requires a free mail server to send this email, otherwise the phishing mail will be stored in the receiver's spam folder. Normally phishing emails contain links that direct users to fake login pages where they can enter credentials. These emails are made very attractive and give users the impression that they were sent by a trusted party.

The other method is directly sending victims a link that directs them to a fake (phishing) website. This website looks very similar to the original website. In this case, checking the URL of the website might be the only option for the victim. Since many victims don't have technical knowledge, they easily fall for these kinds of phishing traps. But if you are a tech person you can do some digging here. If the original website is advanced, the chances of identifying whether a page is phishing or not are high, because most advanced websites and social media sites use many scripting techniques when building their pages (e.g. AJAX). With the help of these, the real web page can have many proprietary features (validations, validation effects, etc.). Sometimes the attacker may not be skillful enough to implement them.

Other methods:
1. Installing trojan horses on the victim's computer: an attacker can attach a trojan horse to an email and send it to the victim. Once the victim clicks on it, the virus gets downloaded and executes. The payload of the trojan horse can, for example, take screenshots of the display when the victim visits a specific website and send them to the attacker.

2. Using spyware and keyloggers. (Keyloggers can record every single key the user presses on the keyboard.)


How to do phishing


Step 01.

Go to facebook home page.
Right click -> save as ( save as type should be "Web Page, Complete ) -> save

Step 02.

Let's edit "Facebook - Log In or Sign Up.html" file.

Why we need to edit this .html file? why we can't use it as it is?
The reason is there are some ajax codes inside this html file that communicate with the server. So when the server realizes that these requests are coming from a fake site (not from the original https://www.facebook.com) it prevents us from hosting this phishing facebook website. So you have to make sure that you delete all ajax codes in the html file.
( eg: XMLHttpRequest(), XMLHttpResponse() )

.html file should be like this after removing ajax.

https://github.com/sajith01prasad/Phishing-on-Facebook.git


Step 03.


Now, you should find a free hosting site (which allows you to write PHP ). Sign up and be a member. You don't have to get a premium account.  

Step 04.  

It is time to host your site now. Most of the free hosting sites have upload files feature.
Go to their file manager and upload "Facebook - Log In or Sign Up.html" file and "Facebook - Log In or Sign Up" folder there.

Note - If you haven't deleted ajax codes and links to facebook original site properly your hosting site will shut down your account immediately. So you have to be careful with this process.


Step 05

Now you can publish your website and see whether it looks like real facebook sign up page or not.

Here is my login page.

Step 06

Now Let's think of how to take credentials. There are two ways to do this.
method 1:
Since data is sent by POST method we can write a php file to get textbox values from POST method.
Then we can send username and password to our email using php mail function.
method 2:
You can create a file inside the free hosting site file manager where all other files are stored and write credentials to that file.(You can see in the image below I commented out that part because we are using php email in here.)

( Note : sendEmail.php which is in the git hub repository is initially created for you to test this on localhost. So in there I commented out the email sending code part. You can choose the method you want according to the way you are going to set up the phishing.
Read readme file in there if you are planning to set this up on localhost. )

 This is my php file I have written to get credentials (php send mail method used)

As you can see I have put a echo command in this php file. That helps you to avoid user suspicion.
Because I am redirecting user to the original facebook sign in page again once he/she type credentials in my phishing site. (if the user is already logged in rest of the process will be done. If not user will be directed to the original facebook sign in page). So user will think he came to the sign up page again because of the bad internet connection 😉

Step 07

Now let's add textbox validation. But before that we have to remove "novalidation" attribute from the login form. Otherwise our validations will not work. After removing it we can simply add "required" attribute available in HTML.

Step 08 

 Create a subdomain to your site and link it so people cannot know about your hosting site.


How to attract victims ( also can be considered as Step 09)

This is social engineering part. We have to be very careful in here. All we have done will be useless if we cannot make our victims to click on our link and enter username and password on the site. It depends on our situation.
eg:- You can send this to your friends saying there is a survey to answer and this is the link for that survey. You can direct to user to a secret group in facebook adding a code inside the php file ( after taking credentials). Since the user is not a member of this group he/she won't be able to see group content. he/she will see an error message saying the content is removed or expired. So now you can tell them that the survey time is over so the lecturer has put it down.

 Or you can use a phishing email. Since you are doing phishing for facebook you can say that there is a new login system they have implemented for all users and update user account by clicking on a link. When you are working with phishing emails there are some basic stuffs you should know.

1.Always follow the theme. Since this is facebook you have to use the same color combination that facebook uses which is blue and white.

2.Do not capitalize words (eg-: CLICK HERE TO UPDATE )

3.Do not show the user that you are in a hurry (eg- hurry up! update your account as soon as possible)

4.Do not force users (eg- If you don't update your account you will use your account )

This is an image of a sample email to get an idea for you

 How to avoid phishing attacks

This is very important. If you get trapped by phishing that is meant to steal your FB or Gmail password, maybe it is not a big deal. But what if an attacker steals your credentials for a bank account? That is a disaster, right? So let's see how to fight phishing.

1. Do not click on links sent by untrusted people or third parties.
2. Check the web address.
3. Keep your web browser updated.
4. Install anti-virus software that can detect phishing sites, and keep it updated.
5. Always check the sender's email address to make sure that the mail was sent by the original website owners.
6. If you are not 100% sure about the website, first give incorrect credentials and see what happens.
7. Phishing websites don't serve under https.
8. If you are suspicious about an email you got, you can call the company or bank mentioned in it and ask whether they actually sent that email to their customers, before you click on anything in the mail body.
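
The "check the web address" tip can be automated. The following is an added example, not code from the original post: it flags the usual ways a login link hides its real host. The trusted-domain list, the flag names and the sample URLs are assumptions made up for illustration; a missing https is flagged, but https on its own is not treated as proof that a site is genuine.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the sites you really log in to, written as name.tld.
TRUSTED_DOMAINS = {"facebook.com"}


def check_login_url(url, trusted=TRUSTED_DOMAINS):
    """Return a list of red flags for a login URL (empty list = none found)."""
    flags = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    labels = host.split(".")

    if parts.scheme != "https":
        flags.append("no-https")
    if parts.username is not None:
        # In https://facebook.com@other.example/ the real host is other.example.
        flags.append("userinfo-in-url")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        # Internationalized names can imitate Latin letters.
        flags.append("idn-host")

    # Only an exact match or a true subdomain of a trusted domain counts.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return flags

    flags.append("untrusted-host")
    for d in sorted(trusted):
        brand = d.split(".")[0]
        if brand in host:
            # e.g. facebook.com.login-check.example: brand used as a prefix.
            flags.append("brand-in-untrusted-host")
        elif any(SequenceMatcher(None, l, brand).ratio() >= 0.8 for l in labels):
            flags.append("lookalike-host")
    return flags


# Constructed sample URLs (reserved .example names, not real sites).
SAMPLES = [
    "https://www.facebook.com/login.php",
    "https://facebook.com.login-check.example/",
    "https://facebook.com@login-check.example/",
    "https://facebo0k.example/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, check_login_url(u) or "ok")
```

The similarity threshold of 0.8 is a starting point; tune it against your own list of trusted names.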


 This is my blog post about phishing. Hope you got something out of it. Comment section is always open.
Cheers !