NOTE2:IF YOU HAVE PROBLEMS IN IMAGES GO TO LINKS AT END OF PAGE FOR FULL SCREEN!!!
In this tutorial i will try to guide you through making your very first phisher.
Yes, there are many other guides out there on this subject, but this guide will also explain to you how everything works instead of just telling you to do this and then that.
This tutorial works for pretty much every site you want to phish. I will try to include some common examples of popular sites to phish, too.
The very first thing you want to do is to decide what site you want to phish users from. Runescape.com? Steam users? Facebook? Myspace? This could be anything you want, just make sure you actually know which kind of users you want to phish.
First of all, go to http://www.ripway.com.
This site is designed to allow you to upload files in .txt and .php format. This is very useful for us, since we really need somewhere on the internet to actually host our pages with all the login information. We also need someone to host our phisher page, Ripway works for this as well.
Now, create a user on Ripway.com.. The username and password really doesn't matter, since people will not be able to see this anyways. Choose something you can remember and if you're planning to make a popular phisher, make sure the password is not able to be brute-forced too easily.
Now, the next step is to create all the files you need for your phisher to work.
A phishers structure is split up into 3 files:
The actual page of the phisher - The one your "costumers" will see and log into.
The script that makes phishing possible - This script makes sure your phisher actually work. It takes the info the users typed and writes it down into the last file of your phisher:
The log file - This is a .txt file that includes all the phished login information. This is the file you look in to find the passwords and usernames.
First of all, we need to create the actual page you want your "costumers" to see. Think of what page you want to copy.. For Facebook, you obviously need the Facebook log in page. For Steam or Runescape, this is not so obvious though. Make sure you copy a page that really looks official and that people will think they have to log in to get access to. For steam, i personally chose "https://store.steampowered.com/login/", but Runescape is more tricky.. It depends on whether you want a Runescape Classic Phisher or just a normal one.. If you want a normal one, you can copy the page where you in to the forums, but if you need a Classic one, try searching http://www.google.com for "Log in to play Runescape Classic" or something like that. This way you can find other people phishers and then copy them.
This can also be a very useful way to make your phisher for generally any site.
Now that you have the page you want to copy, make sure there is a login box on the site. In this example, i will use "https://store.steampowered.com/login/" to demonstrate how everything works. Go to the site you want to copy. Next, you need to view the source code of the site.
The source code of a site is made in HTML which is a language. The source code is generally how all websites are built up: For example, a source code could say "Here's a picture" and "Here's a login form" and "here's some text".. That is what a HTML code is. Since you want to copy the site totally, we just need to view the Source code and copy everything into our own Ripway.com directory. We will do that in the following steps:
First, as i said earlier, go to the desired page. I am using https://store.steampowered.com/login/. If you want to copy another site like Facebook or Runescape or anything really, just go to that site instead of Steam's, and copy that source code instead!
Now, in Firefox, simply right-click somewhere on the page and press "View Page Source".. Alternatively, you can go to the menu on top of Firefox and press View -> Page Source. This will do the trick.
Now a text-editor will pop up. Press Ctrl+A to mark everything. Then right click it and press "Copy"..
Now go to Ripway.com and log in to your account. Go to "My Files" and press "Create Text File".. For "File Name", enter login.php.
In the big blank box, you simply right click and press "Paste" to paste all the nice source code information into your own page. Now that you have copied the desired site, click the "Create" button, and Voila! You have made an exact copy of the site you wanted.
Now, when people log in to your site, there is a problem: The information they enter is send to Steam (or Facebook, or Runescape, or whatever).. This is a problem! We need to make sure the Login Information is send to our Script, which we will make soon. The script will then arrange it into the passwords.txt file which contains all the passwords.
Good, now that you understand that, go to "My Files" and click "Edit" on you login.php file.. You will see the Source Code you entered before. You will have to edit this to make sure your code is sent to your script. To do this, simply press Ctrl+F in Firefox (or Ctrl+b in Internet Explorer i think) to bring up a Search Bar. Search for "action=" .. This will search the source code and find all instances of "action=".. action= is a part of the HTML code, and tells that when Action is done (Which means that someone pressed the Login button) then something is done. Anyways, when the Search tool finds an instance of "action=" then your line that you found should look somewhat like this:
Code:
Code:
What we have now done, is simply this: When a victim pressed the log in button, his information is now send to the script we will make soon.. The script we will make will be stored in a file called phishing.php, so the code we just entered actually just sends the log in Information to our script file.
Make sure your code is edited to what i told you, save you file, and then continue.
The next thing we have to do is actually make the script! Luckily, i found a script for you already.
Now, make sure you've saved your previous file, and then click "My Files" once again. Go to "Create Text File" again and in the "Enter a file name:" enter "phishing.php" without the "" marks.
Now, the code you have to copy and paste into your new file is this:
Code:
$value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
What does this code do, you ask? Well, it received a Username and a Password from your actual site, and then writes them down in a file called "passwords.txt" as you can probably see from the code above.
Now that we are done with our script, make sure you save it as phishing.php and then we are almost done with our Phisher!
The next thing to do is to try it out! Go to "My Files" once again, and press the "Direct link:" at your login.php page. You should be forwarded to the page your victims see. Does it look good? I thought so! It should look like a total copy of the page you wanted it to look like. Now, try to enter some random words in the Username and Passwords field and press "Log in".. Go to "My Files" and check if there is a new file called passwords.txt.. There should be! Open the file, and you should see the phished passwords and usernames! Congratulations, you've just phished yourself!
If this did not work like it should, go through my guide again and make sure you did EXCACTLY what i told you to. If you're still having problems, please post here and i will help you out :)
Anyways, now that our files for the phisher is done and ready to use, we still have a few things to do.
Think about it.. Who would want to go the a site called http://www.ripway.com/youusernamehere and type in their password? Noone!
That is why you need to go to http://www.Dot.Tk.
This site gives you a new .tk domain name for FREE! This domain then redirects your victim to your site!
Now, go to http://www.dot.tk and enter your link to your phishing page. This link can be found by going to http://www.ripway.com -> "My files" and at the file "login.php" there should be something called "Direct link:".. Copy the address that is listed there! Then paste it into http://www.dot.tk. You will be brought to a page where you can try to get a good site name.
Now try to find a name that actually sounds convincing! Try to use words like "Official" to make it sound more convincing. Anyways, i chose to use "www.officialsteampowered.tk" when i did my phishing, so try to get something along the lines of that. Be creative, and remember to make it something that sounds so real that your victims will believe it to be the real Site!
Once you have found a good site name, register it. If you want to, you can choose "Free user" and not have to enter an email, but you will not be able to change the domain.. It doesn't really matter if you choose to register with or without an email, so do whatever pleases you.
Now that this is done, we are almost done with our phisher. Open a new tab and in the address bar, try to type in the domain you just registered. Does it lead to your page? If it does, you have succeeded in making your very own phisher!
"Finally, we are done" you might be thinking. This is not correct, though. You will have to spread your link around to actually be able to get Usernames and Passwords. This is the final step, and i will try to give you ideas on how to do this..
For getting steam accounts, i simply made a new account with no games and started adding a LOT of friends through the steam community profiles. The next day i had 115 friends, and i send this message to everyone who were online:
"Hey mate, i saw you play some time ago and you were really good! I have just got a new server, and i really need some admins.. Would you like to help me out? :)"
Most of those CSS players are desperate to be admins, and quite a few people told me that yes, they would like to.
Then i send them this message:
"Ok, that sounds great! I send you a message on http://www.yourdomainhere.tk with the RCON password and the IP of the server. I believe you just have to log in to receive the message i send you."
This might sound a bit lame, but surprisingly a big number of players actually go to the site and try to log in. They think the site is down or something, but that doesn't matter. You have their passwords now.
Log out of steam and try to log in to their account. They will see the "Another user has logged on to your steam account, press reconnect now to reconnect to your account".. When they press reconnect, you will get the message. Then you press reconnect, and they will get it.. And so on.
Now, you have to be quicker than them! Go to "File" -> "Settings" -> "Change Your Password" and quickly enter the information and change the password! In most cases you will be way faster than them since they get shocked and they are not prepared for this to happen. I have never tried losing an account by being too slow, but try to practice quickly changing passwords on your own account just to practice it.
Anyways, now that you have a Steam account or 3, they will hopefully have some friends. Now you send the same message to all their friends, and there you go! Even more accounts. Repeat this process as many times as desired. Free Steam accounts.
Now is a good time to find a forum that sells/trades steam account, and try to sell them for Paypal money. I made more than 100$ in a week with almost no work by doing this.
Anyways, for Facebook phishing the process is pretty much the same. You make a new user and add a lot of friends. Then you send some message you make up to all your friends, and hopefully get a couple of accounts. Then you use those accounts to send more messages, and repeat as necessary. The message could be pretty much anything, just make sure it makes the person want to press that nice, sexy link.
Something like "Hey, check out these pictures of you that someone uploaded! http://www.yourphishingdomain.tk" often works, but try to use your SE (Social Engineering) skills to compose a nice message. Think about what you would feel if you received that same message and if you did not know anything about phishing.
Anyways, this is pretty much how you would go about spreading your phisher link.
For Runescape accounts, create a new account, get an autotyper from google.com and start saying something like "Play Runescape Classic here! http://www.youphishingdomain.com" or anything you can imagine. Just make sure it makes users want to go to the site.
There are of course other ways to spread your phisher - some are even automated. Try making a video on Youtube about something related to your phisher site.. For facebook, it could be "Wow, check out this amazing Facebook glitch! Watch peoples profiles without being friends with them! Go to this link to do it! http://www.yourphisher.tk" basically, just make a new video in Windows Movie Maker, and make a lot of titles and write down anything you want the users to see. You don't even need a video of anything. Anyways, you could use Screen Capture programs like Hypercam to record something from facebook just to get more hits.
Anyways, this is of course possible for anything - "Get free Admin in Counter-Strike Source here!" or "Play Runescape classic here!" all works perfectly.
This is going to be the end of my guide. I enjoyed writing it! (;
The reason why i wrote it is, that there are many other phishing guides, but they don't explain how everything works.
Images Used:
http://img43.imageshack.us/img43/4397/phish01.jpg
http://img3.imageshack.us/img3/3392/phish02.jpg
http://img3.imageshack.us/img3/8330/phish03.jpg
http://img40.imageshack.us/img40/7302/phish04.jpg
http://img196.imageshack.us/img196/9039/phish05.jpg
http://img11.imageshack.us/img11/3476/phish06.jpg
http://img188.imageshack.us/img188/3931/phish07.jpg