How to do phishing

Have you ever received emails saying that you have won a grand prize or an email claiming it’s something useful, such as a coupon to be used for a discount, a form to fill in to claim a tax rebate, or a piece of software to add security to your phone or computer ? 
Well that is what phishing is in real life.

Before creating a phishing site for your self lets have a look on what phishing is.

What is phishing ?

Phishing is the attempt to obtain financial or other confidential information from Internet users, typically by sending an email that appears it is from a legitimate organization such as financial institution, but contains a link to a fake website that replicates the real one.The phishing emails and the sites used for it will be designed very convincing so that its very hard to notice that its not the legitimate sours.

What are the types of phishing ?

• Spear phishing

These are targeted attacks at a specific person to obtain their personal information such as log in details ,bank account details .The targeted attacks has a higher probability of success as the phishing mails will be customized for the target to convince them in to providing their details.

• Clone phishing

These mails may claim to be a re-send of the original or an updated version to the original.The attachment or Link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender.

• Whaling

In this king of phishing ,the gain will be very high as the targeted victims of these kind of phishing are wealthy people.If that target becomes a victim the attacker will gain a big phish.
Hear the targets are carefully chosen as they will be having extra precautions to prevent the being victims. Normally the targeted crowd would be a CEO , CFO or senior executives of a company.

Now as you have an idea about phishing techniques lets start creating our  phishing site ! 👀  😈 😉 

I will be demonstrating how to do phishing based on the site of ikman.lk using the XAMPP  . 

How ever you can also use an public domain like a free hosting space and then share the link with the victim.
       eg : https://www.000webhost.com/

Step 1 Creating the Fishing files

1.1. Go to the site

 http://ikman.lk/en/users/login

• Right click ->View page source -> select all -> copy - > paste it in a note pad-> save it as in php file format.(The login file should be saved as index)

1.2.If the codes are not formatted use an IDE to format the code
1.3.Change the action in the index file .

• You can search the word "action" in the code to locate it as it will be a hectic task to do it manually. 

from

to

• Hear a new php file should be created as "validation" .This file will include the cods to extract the credentials received , write the credentials received in a text file and to redirect the browser to original log in page.

• I have also changed the site by displaying the below message .(This is optional , I have done this to make it more convincing to the victim and to encourage to login to the site)

• The code for this modification is as follows

• These changers are done to convince and encourage the victim to input his credentials to the phishing site.

1.4.Create the validation php file in the same location you saved the index file.

• Include the below code in the validation.php file.

1.5.Create a txt file to store the credentials.

• Hear i have created a text file as credentials.txt to store the inputs of the victims. Save this in the same folder with the index and the validation file.

Step 2 Using the XAMPP to host the site.

2.1 Open XAMPPand click on Start Apache and Start mySQL

2.2 Saving the fishing files in XAMPP

• Open XAMPP and click on ” Explorer” to open the files of Xampp’s located on hard disk
• Open the folder "htdocs" and create a file called "ikman"
• Save all the phishing files in this folder eg :  " C:\xampp\htdocs\ikman "

3.Creating the Phishing mail that will be sent .

3.1 Create a fake email account3.2 Create a convincing email to be sent

•  This should include the link that will be directing to our phishing site. Please refer to the below as a sample.

😆  All the files related to this demonstration are saved in my GitHub account.You can access them by the below link.

https://github.com/HarshaniSomarathne/Phishing-ikman.lk

Now lets find out how to attract victims .

• The mail should be convincing so that the victim will not suspect that the received email is a phishing mail.
• Use the same color theme as the legitimate company that you are used to phishing.
• Do social engineering to find out targets for the company you are using as phishing so that you have a better chance of succeeding. 
• Provide a convincing reason for them to click on the link provided. 

How to identify a phishing mail and be safe from them if received ?

It is important for us to be logical and always alert when dealing with communication of any sort and the below tips will further help you to be safe and identify phishing emails.

1. Link to a fake site :- The email will provide a link requesting the user to click on in order to direct the victim to gather his personal information
2. The senders email address will not match the legitimate senders email address.
3. The mail will require your personal details such as credit card number and account details.
4. Email says that you have won a competition that you have not entered.
5. Urgent action will be required :- Normally phishing mails require the receiver to act quickly in order to get details. The mail will have an urgent call for action.

• Do not click on the links or download or open any attachments provided form unknown and suspicious senders.
• Protect your computer with firewalls, spam filters and an antivirus guard.
•  Allays be logical and be alert. 
• Make sure you check thoroughly for the given tips above to make you self safe form being a phishing victim .
• Update your web browser  

I have included few email phishing samples for you to get an idea

The below will give you a brief idea bout the scope of operation of phishing emails around us