==----...+----------------------+...----== ===----...| |...----=== ====----...|Phishing for Beginners|...----==== =====----...| tutorial by |...----===== ====----...| _cracked.anarchist |...----==== ===----...| |...----=== ==----...+----------------------+...----== Wikipedia defines phishing as "In computing, phishing is the act of attempting to...acquire sensitive information, such as passwords...by masquerading as a trustworthy person...with a real need for such information in a seemingly official electronic notification or message (most often an email, or an instant message). It is a form of social engineering attack. When phishing for something, there are four key areas that you want to focus on. Keep in mind that this tutorial is focused on web-based phishing. * Sounding the same as the party you are masquerading as * Having a seemingly legitamit need for the information * Having the same type of website design/ email template as the trustworthy party * Having a similar domain as the trustworthy party. Let's go over the first key point. When phishing, you want to look as though you are the party you are pretending to be. An example, is if you are pretending to be from a bank, you would want to use correct grammar and not use 1337 sp34k in your email. Now to tackle the second key point. You need to make up a NEED for the information. Don't just bring them to a webpage saying "Please give us your password". Sound as though you need it. e.g. You have been selected for a trial upgrade in membership/removal of ads/free tools, but to confirm your identity you must provide your login credentials. The third area you need to pay special attention to is how your email/webpage looks in comparison to the actualy party's. If you are pretending to be from myspace, you wouldn't want to say, have a webpage made in 30 seconds in notepad that looks like a 12-year-old made it. It's always a good idea to mke an exact copy (save the source) of a page from the actual site, but make it post the data to your own site. The last area, is to ake sure that the domain you are bringing them to looks legit. If you are pretending to be google looking for a gmail password, These are some good and bad examples. BAD-http://gmail.150m.com/phisher.html GOOD-mail.google.com.login.tripod.com/login.html OK, so now you know the very basics to phishing over the web. Now, let's walk through an example. For this example, we will be doing myspace. We are looking for the password of someone. So, first off, we need to make a page which sounds like it came from myspace, and has the same appearence. Lucky for us, they have a login screen. Go to http://login.myspace.com/index.cfm?fuseaction=login&nextPage=fuseaction%3dmail.friendRequests and go to file >> save as and save it to your desktop. Now, open up the page with notepad. Now search for 'action="http://login.myspace.com/' without the single quotes. Now, highlight everything inside of the quotes (the url of the login script). Downsize that window and open up a browser window. Go to a free host of your choice, perferably one with short subdomains, but it has to allow server side scripting, look for php. e.g. *.110mb.com, *.tripod.com, etc. GO onto one using a proxy (find one at picatta.homeip.net) and sign up for one wth a temporary emaila ccount, like at http://www.mailinator.com/. Make it sound legit like myspace.110mb.com. Then login, and make som folders to make it sound better, e.g. myspace.150mb.com/login/auth/. Next, bring the notepad window back up and change the string of the url to whatever folder you just and add process.php to the end (change if the scripting language is different.) It may look like http://myspace.150mb.com/login/auth/process.php. Now, save and upload the web page to your webhost and change the name to like login.html. After this, make a text file in the same directory named log.txt. You may need to chmod it to 0777. Now, when you open up the page, type in login info and hit submit, you should be looking at the process.php page (or whatever you called it). The next step is to program the process.php page. The example I provide will be in php, of course. EXAMPLE: OK, so, assuming the code works, when they put in their info and hit submit, the info should appear in log.txt, and they should be re-directed to the myspace homepage. The last thing, but certainly not least, to worry about is how to get them to go there. This tutorial will cover emailing. While there are more ways to do this, I will only cover emailing. First off, let's design the email. Dig a myspace email (friend request) out of your inbox. Let's change it. Here is the basic form of one. Hi (your name), (someone) would like to be added to your MySpace friends list. By accepting (someone) as your friend, you will be able to send (someone) personal messages, (someone)'s photos and journals, and you will be able to interact with each other's friends and network! Click the following link to view (someone)'s profile and accept or reject this user as your friend: http://www1.myspace.com/reloc.cfm?c=1&id=(8 random letters/numbers)-(4 random letters/numbers)-(4 random letters/numbers)-(4 random letters/numbers)-(12 random letters/numbers) ------------------------- At MySpace we care about your privacy. We have sent you this notification to facilitate your use as a member of the MySpace.com service. If you don't want to receive emails like this to your external email account in the future, change your Account Settings to "Do not send me notification emails" Click here to change your Account Settings: http://www.myspace.com/reloc.cfm?c=11 You can also contact us with any questions or concerns regarding your privacy at: mailto:privacy@myspace.com MySpace.com 1223 Wilshire Blvd. 402, Santa Monica, CA 90403-5400 USA ©2003-2006 MySpace.com. All Rights Reserved. Fill in the areas in () and then take that long like, and then replace the link to the person's profile with (long link to someones profile provided above) This needs to be send as html mail. Now, the very last step is to spoof the from address. You can send it by signing up like somehotchick-myspace@yahoo.com, but it is not very convincing. Use google to find a mail spoofer, and spoof your to like asdf1234.dsfre_@message.myspace.com. Try using something like pySpoof from http://pythoncode.awardspace.com/. And there you go, you now know some very basics of phishing!