Facebook

All posts tagged Facebook

Note: This is for educative purposes only.

Have you ever read “Life on Earth” by David Attenborough. It’s a very nice book about the evolution of animals. What is evolution? Wikipedia defines it as the “change in the inherited characteristics of biological populations over successive generations”. Why are we talking about evolution now. Because personally I feel Desktop phishing is an evolution over Phishing. It evolved to overcome the disadvantages in phishing. Let’s see how.

The process in desktop phishing is same as in phishing. The only difference is in the method of uploading our phishing files. Whereas in phishing we upload our files to an external server, in desktop phishing we upload our files to the server on our desktop. Why? Because there are three disadvantages in the former  method.

One, however hard we may try the url always looks suspicious.

dphish1

 

Two, modern day browsers are capable of  detecting phishing sites.

dpish2

 

Three, as soon as the webhosting provider detects that you hosted a phishing site, he will suspend your account. This will most likely happen within 24 hours. Desktop phishing overcomes all these defects. So now, let’s see how to hack a Facebook account with desktop phishing.As already told, this process is same as phishing, until the creation of phishing files which you can find  here. Now Install Wamp Server on your windows machine. To see what wampserver is and how to install it, click here. Next, install a VPN on your system to keep your IP static. See here. We are going to host our phishing files on our desktop and redirect the victim to our site.

Now copy our phishing files to the folder C:/wamp/www. This is the root directory of the wamp server.

dpish3

Here is the script of the “phish.php” we used.

dphish3a

 

Go to folder “C:/wamp/bin/apache/Apache 2.4.4/conf” and make changes to the ‘httpd.conf’ file as below. These changes give permission to external users to access your fake website.

dpish4

 

Start your wamp server, open your browser and type localhost” in the url to see if your phishing site is working. Then open Notepad and create a batch file as shown below.We need to send this file to the victim machine and make him execute it. See how? Make sure you replace the IP address below with one assigned by VPN.

dpish5

 

What the above script does is it changes the hosts file in the victim’s system to redirect to your fake website when user tries to access Facebook. Now, what is hosts file?

Hosts file is a text file located in the folder “C:/windows/system32/drivers/etc” which resolves IP addresses associated with domain names.

dpish6

 

Usually when we try to vist any website say www.google.com our system sends a query for it’s IP address to the DNS server. When we make an entry in the hosts file of our computer, the query is not sent to the DNS server. When the victim clicks on the executable sent by us,it changes the hosts file like below.

dpish7

 

Now when victim types “www.facebook.com” in his browser, he is redirected to our wamp server. Notice that the url looks completely genuine and the browser didn’t detect it as a phishing site.

dpish8

When the unsuspecting victim enters his credentials,

dpish9

 

a text file called pass .txt is created in the www directory.

dpish10

Open the file and we can see the credentials.

dpish11

 

       “Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any  other unique identification feature of any other person, shall be punished with imprisonment of either  description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.”

Information Technology Act 2008

Yes, that’s what Law in India says about identity theft. Then why make this tutorial? Well, Let me make this very clear that this is only for educative purposes and I will not be held responsible for any action coming out of this article. To take a line from the movie Mission Impossible – 2  “to create bellerophon we always create chimera.” I hope this article will be more helpful than the other articles available about phishing on the internet.

What is phishing? Phishing is an act of presenting a fake page resembling the original webpage you intend to visit with the sole intention of stealing your credentials. Although this article explains how to hack facebook account via phishing, this method can be used to phish any website. Phishing is the most popular method of hacking a facebook account. So now let’s phish.

In your browser, open website of facebook. Right click on the webpage, click on “view page source”.

phish1

The source of the page is displayed in the browser. Right click on the page and click on “Save As”. Save the page as “index.html” on your computer.

phish2

Now open index.html using notepad and hit CTRL+F”.In the Find box opened, type “action” and  click on “Find Next”. Look at the value of action.

phish3

Now change the value of action to “phish.php”. We are doing this so when the user enters his credentials the page that loads will be “phish.php” and not the page Facebook wants.

phish4

Now let’s create the page phish.php. Open Notepad and type the following script into it and save it as “phish.php”. What this script does is it logs the user credentials and saves it to a file named “pass.txt”.

phish5

Now our files are ready.Next step is to upload these files to any free web hosting site available on the internet. Google for free web hosting sites, select any one of them(I selected bytehost7), create an account with username as close to Facebook as possible and delete the index.html file available in the htdocs folder.Then using Online File Management upload your own index.html and phish.php files to the htdocs folder. Your htdocs folder will look like below.

phish6

 Let’s check if our phishing page is ready by typing the address of our site. If the page is like below, then our phishing page is working.

phish7

The next thing we have to do is to send address of our fake website to the victim. We will do this through sending him an email but in order for the victim not to smell something fishy, we will obfuscate the url of the fake page we are about to send him. The sending email address should be as convincingly close to facebook as possible.

phish8

 When the victim clicks on the obfuscated url, it will bring him to our fake site.

phish9

 If the victim is not cautious enough as to observing the url and enters  his username and password, our attempt is a success. To show this, I will enter random values in both username field and password field and hit Enter.

phish10

Now a txt file with name pass.txt will be created in the htdocs folder containing both the username and the password.

phish11

 Click on the file. We can see both the email and the password i have entered. The email is “don’t get hacked” and the password is “like me”.

phish12

Find it difficult? See how to do phishing with Weeman HTTP server

 Counter Point:

If you don’t want to fall victim to phishing, you can take a few precautions . If you want to open a site type the address directly in the url and don’t open any redirected links. Don’t click on any mails which look malicious like asking for your login credentials.