Ever received a weird-looking e-mail (most likely full of typos) from Google saying that your account has been compromised and that you have to log in immediately with your username and password to recover your account? Well, that is almost 100% of the time a phishing attempt to steal your credentials. No website will ever ask you for your password other than in normal sign-in screens. However, when it is our precious e-mails and files at stake, we tend to forget this fact.
A famous example of this took place in 2016, when the social media team of John Podesta, chair of Hillary Clinton’s 2016 U.S. presidential campaign, received an e-mail seemingly from Google saying that his personal account had been compromised. His team immediately contacted IT support about the legitimacy of this e-mail, who, through a clear misunderstanding, confirmed this very obvious spear-phishing attempt to be legitimate and advised that Podesta should log in immediately to keep his account intact. This incident led to around 20,000 pages of e-mails being exposed to the public by WikiLeaks. Some believe this to be a crucial point in the 2016 U.S. presidential election. This goes to show how successful phishing attacks can have such a severe real-life impact.
Disclaimer: This simulation was carried out completely for educational purposes. Please read SocialFish disclaimer as well before trying this out yourself.
I will be using a Kali Linux VM, SocialFish by UndeadSec, and ngrok to simulate a phishing attack. Clone the repository with the following command:
git clone https://github.com/UndeadSec/SocialFish.git
Set up Python version 3.x and pip3:
sudo apt-get install python3 python3-pip python3-dev
Then change your directory to where the SocialFish repository has been cloned and install its dependencies:
cd SocialFish
python3 -m pip install -r requirements.txt
If everything was successful up to this point, you can now run SocialFish from within the directory it was installed in by typing:
python3 SocialFish.py <user> <password>
You should now see a terminal screen telling you that SocialFish has started on 0.0.0.0:5000. In fact, if you open a web browser and go to this address, you will see a screen with a fish in the middle saying that you have not set up an attack vector yet. To do this, you should instead go to 0.0.0.0:5000/neptune. Enter the username and password that you used to start SocialFish in the previous command. Clicking login will take you to a screen similar to the following:
Few things to note here:
And finally,
What I will now do is a very quick demonstration of how to clone a website’s login screen. I will go to the LinkedIn login page and copy the link in the address bar. Then, I come back to the screen shown in the above screenshot and paste the link in the clone box. Now, I need to decide which site I want to redirect users to. In order not to raise suspicion, my best option is to redirect victims to the homepage of the same website, assuming that they were already logged in beforehand. After I fill in both the “Clone” and “Redirection” boxes, I can click on the thunder icon. As can be seen below, I now have an almost identical LinkedIn login page running on my local machine.
However, there are three major problems with the copied login screen.
Well, there are very easy solutions to problems 1 and 2 with a few commands. And if you have enough budget, support and willingness, there is also the possibility of registering a domain name pretty similar to LinkedIn, which will trick victims into thinking that your fake login page is legitimate. I will now go on to solve problems 1 and 2 with ngrok.
ngrok is a very handy tool that can expose your local websites to the Internet. It is great for testing, demos and much more. Unfortunately, it can also be used for malicious purposes such as this one. Download and unzip ngrok in a directory that is convenient.
unzip /path/to/ngrok.zip
Then, to serve my fake login screen, I can issue the following command from within my ngrok directory:
./ngrok http 5000
This command will make whatever is on port 5000 (in my case, a fake login screen) accessible through the Internet. Even though the command says “http” only, ngrok can also serve HTTPS websites. The benefit of this for the adversaries is that your browser will not warn you about the possible dangers of this website (e.g. that data you enter can be stolen).
Anyone with a stable Internet connection can now access this website. With the free version of ngrok, the addresses are random and the domain is always ngrok.io. But, pro features enable users to have reserved domains, custom subdomains and more. For the purposes of this demo, I am using the free version.
Well, any user who peeks at the address bar can realize that there is something wrong with this website and will often go to the legitimate LinkedIn login page instead. That makes the attack unsuccessful. To make it look a bit more realistic, I am going to shorten the URL using a free URL shortener service. Most of these services also offer a custom alias, so including words like “linkedin” and “help” or “account” can make the attack a bit more sophisticated. Another option is to share a post and get the URL shortened by LinkedIn, then delete the post right after. This could also potentially make the fake login page look more legitimate. Now that I have a shortened URL that looks just like the millions of other shortened URLs, I can send this to anyone via e-mail or a private message. When victims enter an e-mail and a password on this fake website, they get redirected to the LinkedIn homepage (if they are logged in) or to the login page.
As an attacker, I can now go back to the SocialFish interface and scroll down to a section titled “Successful attacks”, which lists information such as the URL that was used in the attack, the IP address of the victim, the browser and operating system they are using, and the date of the attack. SocialFish also gives me the option to run a port scan on the victim’s public IP address or to check whether it has ever been picked up by Shodan. Lastly, there is the Post Log column, which is what I will mostly use. The following is an example:
Clicking “View” under the Post Log column takes me to the following page, where the key information about the victim was captured:
The output is quite long; however, the e-mail address and the password can be seen very clearly.
This experiment was done in a safe computing environment with no side effects to anyone. Phishing is a dangerous form of social engineering, arguably the easiest form of hacking to perform. In order to fight these types of attacks, please report any phishing site that you encounter to the responsible entities. As employers, train your users against phishing; as users, please check where shortened URLs take you, remember that no social media platform or any other type of website will ask you to fill in your password in an e-mail, and always make sure that the address bar says what it should. Finally, I would like to remind you that phishing of any type is a crime and punishable by law in most countries.
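The advice above (check where a shortened URL lands, and make sure the address bar shows the real domain) can be turned into an automated check. The script below is an added example written for this post; it is not part of SocialFish, ngrok or the original article. Given the hops a mail gateway or sandbox observed while following a link's redirects, it flags the indicators this post relies on: a free tunnelling host such as ngrok.io, a URL shortener, a brand name placed outside the brand's real domain (e.g. in a shortener alias), a one-character typo of the brand in the registered domain, and a login path served over plain HTTP. The host lists and the brand table are illustrative assumptions, and `registrable_domain` uses a naive "last two labels" rule rather than the public suffix list.

```python
"""Score a URL, or a redirect chain, for the phishing indicators discussed in the post.
Added defensive example; lists below are assumptions, not a vetted threat feed."""
from urllib.parse import urlparse

# Free tunnelling services that expose a local port to the Internet (assumed list;
# ngrok.io is the domain used in the post, the others are common equivalents).
TUNNEL_HOSTS = {"ngrok.io", "ngrok-free.app"}
# Public URL shorteners (assumed list; lnkd.in is LinkedIn's own shortener).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "lnkd.in"}
# Brand keyword -> registrable domains that may legitimately host its login page (assumed).
BRANDS = {"linkedin": {"linkedin.com"}, "google": {"google.com"}}
LOGIN_PATH_MARKERS = ("login", "signin", "sign-in")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two DNS labels (no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats such as linkedln."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_url(url: str) -> list:
    """Return the list of indicator tags found in one URL (empty list means nothing seen)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    if reg in TUNNEL_HOSTS:
        findings.append("tunnel-host")
    if reg in SHORTENER_HOSTS:
        findings.append("shortener")
    # Brand name anywhere in host, path or query while the registered domain is not the brand's.
    text = f"{host}{parsed.path}{parsed.query}".lower()
    second_level = reg.split(".")[0]
    for brand, legit_domains in BRANDS.items():
        if reg in legit_domains:
            continue
        if brand in text:
            findings.append(f"brand-lookalike:{brand}")
        elif 0 < edit_distance(second_level, brand) <= 1:
            findings.append(f"typosquat:{brand}")
    # A login page that a browser would not warn about is still plain HTTP if the scheme says so.
    if parsed.scheme == "http" and any(m in parsed.path.lower() for m in LOGIN_PATH_MARKERS):
        findings.append("plain-http-login")
    return findings


def analyse_chain(hops: list) -> tuple:
    """hops: URLs observed while following redirects, first to last (collected by a sandbox).
    Returns (per-hop findings, True if any hop raised an indicator)."""
    report = {hop: analyse_url(hop) for hop in hops}
    return report, any(report.values())


if __name__ == "__main__":
    # Constructed sample chain: shortener alias with the brand name -> ngrok tunnel login page.
    sample_chain = [
        "https://bit.ly/linkedin-account-help",
        "https://a1b2c3d4.ngrok.io/uas/login",
    ]
    report, suspicious = analyse_chain(sample_chain)
    for hop, tags in report.items():
        print(f"{hop} -> {tags or 'clean'}")
    print("verdict:", "SUSPICIOUS" if suspicious else "clean")
```

The last hop is what matters most: a shortener on its own is common in legitimate mail, but a shortener whose alias names a brand and resolves to a tunnelling host is exactly the pattern described above. The function returns tags rather than a score so that a gateway can decide its own policy (block, rewrite, or warn) per tag.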