Advanced Social Engineering, Part 1: Exact Revenge on Craigslist Scammers with Tabnab Phishing
A while back, I decided to sell my laptop on Craigslist. As many people know, when you post an item worth anything over the threshold of garbage, you get a million different shady emails from people pretending to be legitimate buyers.
After a deluge of emails flooding my inbox, none were legitimate, which understandably irked me. After some contemplation, I devised a plan on how I could get back at these scammers using a bit of social engineering and phishing. I was out for revenge.
- Phishing is illegal in any shape or form. If you think you can justify to yourself that phishing a Nigerian scammer is okay, by all means, try it. However, take responsibility for whatever legal issues you could face. This is a proof of concept, nothing more.
- A free cPanel hosting account or your own web server
- The domain of the email address the scammer in question is using (e.g. Gmail, Hotmail)
- Pictures of the valuable item that lured scammers
The goal we are trying to accomplish here is to somehow trick scammers into logging onto a phishing site that we created, so we can take their password and wreak havoc on their digital scamming operation.
A perfect place to start would be the common line that all scammers seem to use:
"Hi, is the item still available and is it in working condition? Do you have pics?"
We are going to exploit this by playing dim-witted and acting as though we have fallen for the scammer's story.
Step 1 Create the Tabnabbing Phishing Page
- Create 2 files. Name them: bgattack.js and pictures.html.
- Create a phishing page by following this Null Byte guide. You can apply the same concept to any website; for this guide, I'm using Gmail.
- Open pictures.html in a text editor and, on separate lines, add `<img src="[image name here]" />` for each image you have of your item. You only need a few.
- Copy and paste the code below into the page as well. It makes the page switch to another location once it has been idle for 5 seconds. Paste the future link to your phishing page between the quotes of the href value.
- Upload all of the pages to your webserver and get the link to the page with your pictures ready.
Step 2 Social Engineer
When you drop them the link, say something like this in response to their request to see the item:
"Of course, it's still available. You can take a look at the item here to make sure it is what you want and that everything meets your expectations. Thanks so much!"
This will make them think you have fallen for their trickery. Since they won't expect a tab to change behind their back, they will likely look at the pictures, then click back to the other tab to reply to you. And what is waiting for them by the time they click back? Our phishing page.
This plays out very well 90% of the time, simply because people don't expect their tabs to change on them. After you get the scammer's password, pass it around the internet and hand out their PayPal account to a homeless fellow.
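The swap above works because a tab's identity cues (title, favicon, the forms on the page) change while the tab is in the background. As an added defensive example, not code from this guide, here is a heuristic that snapshots those cues when a tab is hidden and compares them when it becomes visible again; the snapshot shape, the `takeSnapshot` and `compareSnapshots` names and the constructed test pages are assumptions.

```javascript
// Added defensive example (not from the guide): flag a tab whose identity cues
// changed while it was hidden, the signature of a tabnab swap.

// Pure comparison so it can be tested without a DOM. A snapshot is a plain
// object (assumed shape): { href, title, favicon, passwordFields, formHosts }.
function compareSnapshots(before, after) {
  const findings = [];
  if (before.href !== after.href) findings.push('url-changed-while-hidden');
  if (before.title !== after.title) findings.push('title-changed');
  if (before.favicon !== after.favicon) findings.push('favicon-changed');
  if (after.passwordFields > before.passwordFields) findings.push('password-field-appeared');
  const pageHost = new URL(after.href).host;
  if (after.formHosts.some((h) => h !== pageHost)) findings.push('form-posts-offsite');
  // A login prompt appearing together with a changed identity cue is the
  // classic tabnab pattern; a title-only change (e.g. unread count) is not.
  const identityCues = ['url-changed-while-hidden', 'title-changed', 'favicon-changed'];
  const suspicious = findings.includes('password-field-appeared') &&
    findings.some((f) => identityCues.includes(f));
  return { suspicious, findings };
}

// Collect the cues from a live document (browser only).
function takeSnapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  const base = doc.location.href;
  return {
    href: base,
    title: doc.title,
    favicon: icon ? icon.href : null,
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
    formHosts: Array.from(doc.querySelectorAll('form[action]'))
      .map((f) => new URL(f.getAttribute('action'), base).host),
  };
}

// Browser wiring, e.g. from a user script or extension content script:
// snapshot when the tab goes hidden, compare when it comes back.
if (typeof document !== 'undefined') {
  let before = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { before = takeSnapshot(document); return; }
    if (!before) return;
    const result = compareSnapshots(before, takeSnapshot(document));
    if (result.suspicious) console.warn('Possible tabnab:', result.findings.join(', '));
  });
}
```

The guide's swap fires on an idle timer rather than on blur, but the page is still hidden or unfocused when the victim returns, so the comparison runs at the right moment either way.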