informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/uploads/phishing.txt

189 lines
6.8 KiB
Plaintext
Raw Permalink Blame History

==----...+----------------------+...----==
===----...| |...----===
====----...|Phishing for Beginners|...----====
=====----...| tutorial by |...----=====
====----...| _cracked.anarchist |...----====
===----...| |...----===
==----...+----------------------+...----==
Wikipedia defines phishing as "In computing,
phishing is the act of attempting to...acquire
sensitive information, such as passwords...by
masquerading as a trustworthy person...with a
real need for such information in a seemingly
official electronic notification or message
(most often an email, or an instant message).
It is a form of social engineering attack.
When phishing for something, there are four
key areas that you want to focus on. Keep
in mind that this tutorial is focused on
web-based phishing.
* Sounding the same as the party you are
masquerading as
* Having a seemingly legitamit need for
the information
* Having the same type of website design/
email template as the trustworthy party
* Having a similar domain as the
trustworthy party.
Let's go over the first key point. When
phishing, you want to look as though you are
the party you are pretending to be. An example,
is if you are pretending to be from a bank, you
would want to use correct grammar and not use
1337 sp34k in your email.
Now to tackle the second key point. You need to
make up a NEED for the information. Don't just
bring them to a webpage saying "Please give us
your password". Sound as though you need it.
e.g. You have been selected for a trial upgrade
in membership/removal of ads/free tools, but to
confirm your identity you must provide your
login credentials.
The third area you need to pay special attention
to is how your email/webpage looks in comparison
to the actualy party's. If you are pretending
to be from myspace, you wouldn't want to say,
have a webpage made in 30 seconds in notepad
that looks like a 12-year-old made it. It's
always a good idea to mke an exact copy
(save the source) of a page from the actual
site, but make it post the data to your own
site.
The last area, is to ake sure that the domain
you are bringing them to looks legit. If you
are pretending to be google looking for a gmail
password, These are some good and bad
examples.
BAD-http://gmail.150m.com/phisher.html
GOOD-mail.google.com.login.tripod.com/login.html
OK, so now you know the very basics to phishing
over the web. Now, let's walk through an
example. For this example, we will be doing
myspace. We are looking for the password of
someone. So, first off, we need to make a page
which sounds like it came from myspace, and has
the same appearence. Lucky for us, they have a
login screen. Go to
http://login.myspace.com/index.cfm?fuseaction=login&nextPage=fuseaction%3dmail.friendRequests
and go to file >> save as and save it to your desktop.
Now, open up the page with notepad. Now search
for 'action="http://login.myspace.com/' without
the single quotes. Now, highlight everything
inside of the quotes (the url of the login
script). Downsize that window and open up a
browser window. Go to a free host of your
choice, perferably one with short subdomains,
but it has to allow server side scripting, look
for php. e.g. *.110mb.com, *.tripod.com, etc.
GO onto one using a proxy (find one at
picatta.homeip.net) and sign up for one wth a
temporary emaila ccount, like at
http://www.mailinator.com/. Make it sound legit
like myspace.110mb.com. Then login, and make
som folders to make it sound better,
e.g. myspace.150mb.com/login/auth/. Next,
bring the notepad window back up and change the
string of the url to whatever folder you just
and add process.php to the end (change if the
scripting language is different.) It may look
like
http://myspace.150mb.com/login/auth/process.php.
Now, save and upload the web page to your
webhost and change the name to like login.html.
After this, make a text file in the same
directory named log.txt. You may need to chmod
it to 0777.
Now, when you open up the page, type in login
info and hit submit, you should be looking at
the process.php page (or whatever you called
it). The next step is to program the
process.php page. The example I provide will
be in php, of course.
EXAMPLE:
<?php
$email = $_POST['email'];
$password = $_POST['password'];
$fw = fopen('log.txt', 'a');
fwrite($fw, 'email: ' . $email . ' | password: ' . $password . "\n");
fclose($fw);
header("Location: http://myspace.com/");
?>
OK, so, assuming the code works, when they
put in their info and hit submit, the info
should appear in log.txt, and they should
be re-directed to the myspace homepage.
The last thing, but certainly not least, to
worry about is how to get them to go there.
This tutorial will cover emailing. While
there are more ways to do this, I will only
cover emailing. First off, let's design the
email. Dig a myspace email (friend request)
out of your inbox. Let's change it. Here is
the basic form of one.
Hi (your name),
(someone) would like to be added to your MySpace friends list.
By accepting (someone) as your friend, you will be able to send (someone) personal messages, (someone)'s photos and journals, and you will be able to interact with each other's friends and network!
Click the following link to view (someone)'s profile and accept or reject this user as your friend:
http://www1.myspace.com/reloc.cfm?c=1&id=(8 random letters/numbers)-(4 random letters/numbers)-(4 random letters/numbers)-(4 random letters/numbers)-(12 random letters/numbers)
-------------------------
At MySpace we care about your privacy. We have sent you this notification to facilitate your use as a member of the MySpace.com service. If you don't want to receive emails like this to your external email account in the future, change your Account Settings to "Do not send me notification emails"
Click here to change your Account Settings:
http://www.myspace.com/reloc.cfm?c=11
You can also contact us with any questions or concerns regarding your privacy at:
mailto:privacy@myspace.com
MySpace.com 1223 Wilshire Blvd. 402, Santa Monica, CA 90403-5400 USA
<EFBFBD>2003-2006 MySpace.com. All Rights Reserved.
Fill in the areas in () and then take that long like,
and then replace the link to the person's profile with
<a href="(address of the fake login page)">(long link to someones profile provided above)</a>
This needs to be send as html mail.
Now, the very last step is to spoof the from address. You can send it by signing up like
somehotchick-myspace@yahoo.com, but it is not very convincing. Use google to find a mail
spoofer, and spoof your to like asdf1234.dsfre_@message.myspace.com. Try using something
like pySpoof from http://pythoncode.awardspace.com/.
And there you go, you now know some very basics of phishing!
Reference in New Issue View Git Blame Copy Permalink