Mature Audiences

The content in the story below is intended for INFORMATIONAL PURPOSES ONLY. Do not undertake any project based upon any information obtained from this or any other web site. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site. Before continuing, please ensure you read and agree to our Terms of Service.
“ How To: Phishing Scams™ (hotmail, Etc. Hack) ”
DO NOT TRY THIS AT HOME: Text files and message bases are for INFORMATIONAL PURPOSES ONLY. Do not undertake any project based upon any information obtained from this or any other web site. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.

Phishing is a new way of tricking people into giving you* their information. Credit card fraud is the most common. You can use the technique to get almost anything, like Hotmail, AIM stuff…whatever. Phishing and DoS attacks (my next egg?) are the two biggest security problems of the internet today.
More info: http://www.wordspy.com/words/phishing.asp
Disclaimer: This egg and all information found herein is for informational purposes only. Read at your own risk. I or RE am not responsible for misuse or abuse of the following information. If you get caught...yadda yadda yadda...
I'll tell you now: Phishing is not dead simple. It's something you practise. You want to know a little HTML. If you're a real noob, I suggest you start off with some different way of making money/attacking somebody.
STEP 1: THE LINK
The way Phishing works is someone goes to a website thinking it is legitimate but it is actually made by you. The website looks like you have to log in to your account, when they do, the info they put in goes to you.
The way the person goes to the site is through a link you give to them. This could be while on MSN, if the person is gullible and you have a reason for them to login to something. Most of the time, though, phishers send an email. This is where the art of Phishing comes in. Anything that you send has to trick the person into thinking it is legitimate. What you need to do is copy an email from the legitimate source and duplicate its format as closely as possible (logos, header, footer, tables) and make the object of the email to get the person to do something that requires them to enter in their info, by clicking on a link. A common one is an invitation for a new version of Hotmail. Copy the format of an email that users occasionally get from 'hotmail staff'. The following is an example to copy of a paypal email:
To add pictures to a Hotmail email, the best way I know how to is to drag and drop them from a website or an email.
In the email, since you want maximum legitimacy, you need to have the right subject, from name and from email address. Getting a legit looking from email address for hotmail accounts is easy (email@example.com), but paypal is harder. You could try using Outlook Explorer to make a POP3 address that you create with the paypal.com domain, but I'm not an expert. It may or may not be worth investigation. The from name and subject should be fairly easy. If you end up using firstname.lastname@example.org, it will probably be enough to fool some people. They may not check too closely. It doesn't matter if an address is a little obvious or a lot, if it creates enough suspicion, it won't work.
The reason could be:
account info lost
account to be deleted
For extra security, the link you send and want the victim to click on (could be every link on the page) should go to a different address than what the link says. Like this: www.yahoo.com. Also, a primer email could be used. This means send an email a few days before the real email with information saying something like, "later this week, we may ask for your account to be verified."
An interesting idea that is actually quite ingenious is to send an email meant to look like it IS a fraud and puts emphasis on the section of the email about reporting a fraud. The victim clicks on this and logs in (the fake site) to register the complaint. With paypal you only really need the victim's user name and password and you're set. All the things to do with a paypal account and how to do them is another topic.
STEP 2: THE WEBSITE
Once the person goes to the site, they enter their info. You need to recreate or copy a legitimate login page from hotmail or whatever.
http://www.geocities.com/broon_pa/webscr.htm a copy of paypal (paypal's website doesn't like to show this screen for people to copy)
Naturally, since we are changing web pages a program like macromedia dreamweaver is helpful. Download this off Limewire if you haven't already.
Now for the tricky part:
Go to the page you want to copy. Under file, go to 'save as.' You really need Microsoft Internet Explorer™ to do this.
You will now edit the page you have saved/downloaded. This is where the previous knowledge of HTML comes into play. You need to edit the form on the page to send the info to you. I will tell you how to do it with a Yahoo email account.
Change the first line of the form to:
Just before the submit button, add the following hidden fields:
You may actually need to make a completely new form because of all of the security and redirecting invisible fields on the login screens. Something like this should be easy enough:
Save the file. Now you need to make the page that shows after the person presses the submit button. This is called thankyou.htm in this code (changeable of course.) Simply make it say what needs to be said, "your account has been saved," whatever. Use the background and pictures from the login screen. Next create a yahoo geocities web site. Upload the files you saved to the web page. What you name the file should look like what the URL of the legit login site is. The URL of this page on your geocities account will be the 'real' link that your email link should go to. If you have some money or become a good phisher you can upgrade your site so that it doesn't say 'geocities' in it.
To use a web site host other than geocities is possible, you just have to find out their 'host form URL' which you need to get emailed the information.
To include pictures and background graphics, etc., you must also upload the folder that downloaded with the site. I don't need to go on for people that know anything about HTML.
This link shows how to remove the ads from yahoo geocities: http://www.nsaneproductions.com/greasemonkey/geo.user.js
You probably want to get the Hotmail account info for someone and make it look like it was perfectly fine and make them not suspect anything after they hand over their info. This way, they won't change their password immediately and you can monitor their email and maybe find paypal info or something after. It's a good idea to have access to paypal and hotmail because if you charge something on their paypal account, it'll send an email, so you can delete the email in the account before the person reads it. Other options that get the same thing are key loggers, available from http://www.hackology.com. That isn't the topic of this egg, though. I hope this is the best Phishing egg on RE. It wouldn't let me put the codes in the egg, so I had to make links.
For noobs: If you don't know how to use HTML, don't complain. Do not post negative comments whining about how you wanted a simple download or novel length info on how to make web pages. Hey, this is long enough and I didn't need to go into too much detail. Msg me for phishing info.