How To: Advanced Social Engineering, Part 1: Exact Revenge on Craigslist Scammers with Tabnab Phishing


A while back, I decided to sell my laptop on Craigslist. As many people know, when you post an item worth anything over the threshold of garbage, you get a million different shady emails from people pretending to be legitimate buyers.

After a deluge of emails flooding my inbox, none were legitimate, which understandably irked me. After some contemplation, I devised a plan on how I could get back at these scammers using a bit of social engineering and phishing. I was out for revenge.


  • Phishing is illegal in any shape or form. If you think you can justify to yourself that phishing a Nigerian scammer is okay, by all means, try it. However, take responsibility for whatever legal issues you could face. This is a proof of concept, nothing more.


  • A free cpanel hosting website or your own webserver
  • The domain of the email used by the scammer in question (e.g. Gmail or Hotmail)
  • Pictures of the valuable item that lured scammers

The Concept

The goal we are trying to accomplish here is to somehow trick scammers into logging onto a phishing site that we created, so we can take their password and wreak havoc on their digital scamming operation.

A perfect place to start would be the common line that all scammers seem to use:

"Hi, is the item still available and is it in working condition? Do you have pics?"

We are going to exploit this by pretending to be a dim-witted idiot and acting like we have fallen for the scammer.

Step 1 Create the Tabnabbing Phishing Page

Tabnabbing phishing pages work by injecting JavaScript into a normal-looking page. When the page lies idle, the script switches it to a phishing page without the user noticing, which convinces them that their session timed out and grants us their login credentials.

  1. Create 2 files. Name them: bgattack.js and pictures.html.
  2. Create a phishing page by following this Null Byte. You can apply the same concept to any website. For this guide, I'm using Gmail.
  3. Open pictures.html in a notepad and, on separate lines, add <img src="<image name here>" /> for as many images as you have of your item. You only need a few.
  4. Copy and paste the code below into the page as well. It will make the page switch when idle for 5 seconds. Paste the future link to your phishing page in between the quotes of the href attribute.
    <DIV align="center">
    <A href="">
    <script type="text/javascript" src="bgattack.js"></script>
  5. Upload all of the pages to your webserver and get the link to the page with your pictures ready.

Step 2 Social Engineer

When you drop them the link, say something like this in response to their request to see the item:

"Of course, it's still available. You can take a look at the item here to make sure it is what you want and that everything meets your expectations. Thanks so much!"

This will make them think you have fallen for their trickery. But since they won't be expecting a tab to change on them, they will likely look at the pictures, then click back to the tab and reply to you. And what happens by the time they click back? It'll be our phishing page.

This plays out very well 90% of the time, simply because people don't expect their tabs to change on them. After you get the scammer's password, pass it around the internet and hand out their PayPal account to a homeless fellow.
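Seen from the defending side, the behaviour this article relies on (a background tab that changes its title and icon while idle, then presents a login form) can be checked for mechanically. The following is an added example, not code from the original article: a JavaScript check over constructed tab snapshots, where the snapshot fields and the `findTabnabbing` function are assumptions made for illustration.

```javascript
// Constructed tab snapshots; field names are assumptions for this example.
// t = seconds since load, visible = tab was in the foreground at that moment.
const snap = (t, visible, title, favicon, hasPasswordField) =>
  ({ t, visible, title, favicon, hasPasswordField });

const pictureTab = [ // page that changes while the user is in another tab
  snap(0, true, "Laptop pictures", "icon-a", false),
  snap(15, false, "Laptop pictures", "icon-a", false),
  snap(40, false, "Sign in", "icon-b", true),
  snap(120, true, "Sign in", "icon-b", true),
];
const chatTab = [ // benign: title updates in the background, no login form
  snap(0, true, "Chat", "icon-c", false),
  snap(10, false, "(1) Chat", "icon-c", false),
  snap(60, true, "(1) Chat", "icon-c", false),
];
const loginTab = [ // benign: user opens a login form in the foreground
  snap(0, true, "Shop", "icon-d", false),
  snap(5, true, "Sign in", "icon-d", true),
];

// Flag a tab that, when the user returns to it, shows a different title or
// favicon than the one they last saw AND a password field that was not there.
function findTabnabbing(snapshots) {
  const findings = [];
  let lastSeen = null;    // last state the user actually looked at
  let hiddenSince = null; // time the tab went to the background
  for (const s of snapshots) {
    if (!s.visible) {
      if (hiddenSince === null) hiddenSince = s.t;
      continue;
    }
    if (lastSeen && hiddenSince !== null) {
      const changed = ["title", "favicon"].filter((k) => s[k] !== lastSeen[k]);
      const newLogin = s.hasPasswordField && !lastSeen.hasPasswordField;
      if (changed.length > 0 && newLogin) {
        findings.push({ t: s.t, hiddenFor: s.t - hiddenSince, changed });
      }
    }
    lastSeen = s;
    hiddenSince = null;
  }
  return findings;
}

console.log(findTabnabbing(pictureTab), findTabnabbing(chatTab), findTabnabbing(loginTab));
```

In a browser the same comparison can be driven by the Page Visibility API (`document.visibilityState`); for the person at the keyboard, the address bar is the thing to check before typing a password into a tab that claims the session timed out.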


Image via activerain



that's awesome dude, more and more I'm feeling sorry for anyone who would mess with you XD

Sweet, I hope I don't mess with him anymore, all them links in IRC. Tisk Tisk Tisk.

How do the scammers generally scam you on craigslist? Get you to send them your laptop for free or something?

Inbox spamming, and other things can happen

Yeah, they try to tell you BS reasons that they can't pay upfront, or they'll use PayPal and report that they never got your merchandise. Any deal that would require you to send your stuff away is probably a scam, haha.

Hmm... not sure if your example sentence is exactly a scammer in every case... "Hi, is the item still available and is it in working condition? Do you have pics?".

I don't spend a lot of time on Craigslist buying things, but I know people who do, and one person in particular I know sends really short emails like that all the time because it's not worth putting tons of effort into writing a long email, because a lot of people do not respond back. And pictures are something every Craigslister should do anyway... if they're selling something. Then there would be no need for people to ask that particular question.

But I don't really sell on Craigslist, so I don't get emails myself, so I don't know what really goes on!

So what goes in the bgattack.js file?

It merely changes the page after 5 seconds of idle time.

Cripes. That's the email I send whenever I want to know more about the listed item -- and I'm just an out of work Jane looking to save a few bucks here and there. At least I know now to look out for the tab switching thingie and 'session timeout' message. Thx for the article.
