Welcome to TechsAndGeeks Today, I'm going to show you how a saavy Social Engineer would trick a friend into unknowingly surrendering their Facebook password. My intent is to warn and demonstrate how easy to phishing via Social Engineering, and therefore expose yourself.
What is Phishing?
Phishing is the act of tricking someone into signing onto a fake website, which mimics a real site, such as Facebook. The phishing page will log the credentials that the user enters in the password field, and usually goes unnoticed with the right circumstances and some Social Engineering.
The phishing page is created by visiting the website you want to mock, copying the source HTML code, and then altering it to use a custom PHP script to log the victim's credentials. A good phishing page will seamlessly use cookies to bypass redirect filters. So if a cookie for the site exists, the user will be logged in and more than likely won't realize what happened.
Step 1 Get a Web Host
Now we need to create the site that will log the victim's credentials.
Step 3 Perform the Phish
In a status update on Facebook, post something like the following:
"Check out this funny picture on my website xD, Now Give post link to phishing page here>."
It's really that simple. You should start to see people's login credentials getting stored in your "passwords.txt" file. Simply because it comes from a "trusted" Facebook friend, they will go with their instincts and click the link without thinking twice about it. The best part about that PHP code posted above, is the header sends you back to the Facebook homepage, bypassing the redirect filter warning that Facebook has implemented, which will make it nearly seamless to the user who fell for it.
Got a burning question you want answered? Ask it in the comments or on Facebook and Twitter and subscribe for more Posts..
What is Phishing?
Phishing is the act of tricking someone into signing onto a fake website, which mimics a real site, such as Facebook. The phishing page will log the credentials that the user enters in the password field, and usually goes unnoticed with the right circumstances and some Social Engineering.
The phishing page is created by visiting the website you want to mock, copying the source HTML code, and then altering it to use a custom PHP script to log the victim's credentials. A good phishing page will seamlessly use cookies to bypass redirect filters. So if a cookie for the site exists, the user will be logged in and more than likely won't realize what happened.
Step 1 Get a Web Host
- You need a place to host your phishing page. I like BYET.HOST—they are free, and offer cPanel hosting.
- Make a free account on any free host provider.
- Go to your email that you used and click the link confirming the account.
Now we need to create the site that will log the victim's credentials.
- Open up a text document using notepad, or your choice in text editors.
- Go to the Facebook LOGIN PAGE.
- Right-click somewhere on the page, and click View page source.
- Copy all of the contents of the source code and paste them into your text document.
- Hit ctrl + f, and search for "action=" and change the method to "GET", and the text to the right of"action=" to "log.php".
- Click File > Save as and save it with the name "index.php" (make sure to click the drop-down menu to select "all files" if it's not selected already).
- Make a new text file, and paste THIS CODE as the contents (paste the raw text, not the numbered). This is the file written in PHP that logs the victim's login details.
- Save the file as "log.php". Again, make sure "all files" is selected in the file type drop-down menu.
- Log in to your Free Byet hosting account and click Upload. Upload both files to the root of your website (not in a folder).
- When credentials are logged, they will be in a file called "passwords.txt" in the root of your website. Check the box next to the "passwords.txt" file when you get some logs, and click chmod. Change the file to 466 permissions, so other people can't read the victim's passwords.
Step 3 Perform the Phish
In a status update on Facebook, post something like the following:
"Check out this funny picture on my website xD, Now Give post link to phishing page here>."
It's really that simple. You should start to see people's login credentials getting stored in your "passwords.txt" file. Simply because it comes from a "trusted" Facebook friend, they will go with their instincts and click the link without thinking twice about it. The best part about that PHP code posted above, is the header sends you back to the Facebook homepage, bypassing the redirect filter warning that Facebook has implemented, which will make it nearly seamless to the user who fell for it.
Got a burning question you want answered? Ask it in the comments or on Facebook and Twitter and subscribe for more Posts..
SHARING IS CARING!