Phishing is the easiest way to get your password stolen, as it only takes one mistake to log in to the wrong website. A convincing phishing site is key to a successful attempt, and tools to create them have become intuitive and more sophisticated. SocialFish allows a hacker to create a convincing phishing page for nearly any website, offering a web interface with an Android app for remote control.
In previous guides on phishing, one of the most common questions has been about how easy it would be to adapt the default page to look like a particular login. SocialFish can simply clone a social media website to create a password-harvesting attack link in only a few clicks, eliminating the need to create such a template yourself. While there is also a previous version of SocialFish that featured Ngrok integration, we'll be taking a look at the new version.
While the previous versions of SocialFish were impressive, the latest update includes a clean web interface to create and manage phishing links. The shift to web-based interfaces for tools like Kismet has helped to make SocialFish more accessible to beginners, and the refined simplicity makes cloning nearly any website incredibly simple.
One downside to the new SocialFish is that the documentation is sparse or nonexistent for many features. That means that many of the features like the attached Android application are not simple to use, and troubleshooting can be difficult as the Wiki contains a minimal amount of information.
- Don't Miss: How to Clone Any Website Using HTTrack
Still, as a bleeding-edge tool with a straightforward interface and well-thought-out controls, SocialFish is an easy way to demonstrate how simple customized phishing links are to make. One important note for this article is that, due to the potential for misuse and sketchy documentation, we'll only be deploying this link on our internal network, not to a target on the external internet.
To use SocialFish, you'll need to have Python3 or higher installed on your computer. You'll also need PIP3, Python3's package manager, installed as well. In addition, several libraries are required for this tool to run. We'll cover installing them in the next steps, but keep in mind this can take quite some time to download and set up over a slow network.
To start using SocialFish, we can check out the GitHub repository for information on previous versions and the mobile app that goes with the primary tool. Getting it running requires quite a few dependencies to be installed, so on a good internet connection, we can install everything with a few lines in a terminal window.
In a new terminal window, type the following commands to install the necessary dependencies, clone the repository, and run the set-up script.
~$ sudo apt-get install python3 python3-pip python3-dev -y ~$ git clone https://github.com/UndeadSec/SocialFish.git ~$ cd SocialFish ~$ python3 -m pip install -r requirements.txt
Once it is finished running, you should be ready to use SocialFish. We'll be using our browser to interact with it, so open a FireFox window before proceeding to the next step.
Now, let's create a web interface that will help manage our phishing links. To do this, open a terminal window and type the following to change into the SocialFish folder. Pick a username and password to log in to the web interface, and substitute that for the "youruser" and "yourpassword" fields.
~$ cd SocialFish ~$ python3 SocialFish.py youruser yourpassword
Once it's finished setting up, we should be able to access the web interface by navigating to the URL 0.0.0.0:5000 in our browser. Enter the username and password you set up, and click "Login" to access the SocialFish portal.
Inside the SocialFish portal, we can see some important information. At the top, we see the field for the website we want to clone, the website we want to redirect to, and the URL for our attack.
We can also see some information about links we've already created. In my case, I've already created eight attack links, which have attracted 15 clicks and four sets of captured credentials.
For our attack, we'll need to decide what website we want to clone. In this case, we'll pick twitter.com/login. To make things simple, we'll redirect back to twitter.com afterward. If they are already logged in, it will just look like a normal login was successful.
Enter the URL you want to clone and the URL you want to redirect to into their respective fields on the top right of the page. Click the lightning bolt to activate the link.
Now, in a separate browser window, navigate to the attack link — the link we would be serving to the victim during a real attack. You will be directed to a real-looking phishing site, and you can enter a username and password to test it.
During a live deployment, you would need to redirect the target to this URL. The current documentation is sketchy on this, and I'm also leaving it out as to reduce the risk of malicious use of this script. For now, we can access it on our internal network.
- Don't Miss: Automating Wi-Fi Hacking with Besside-ng
Once we enter our test credentials, we should be redirected to the link we specified. Now that we've captured some credentials let's explore how SocialFish logs them.
Back on the main menu, we can see that the number of captured credentials has gone up. We can also see that listed under "Successful Attacks" are a number of logs we can access.
Click "View" on the most recent log to see the credentials we intercepted. It should open a page that dumps the collected information in a format like below.
That was easy! With only a couple of clicks, we were able to create a website that looks virtually identical to the real Twitter.com. As soon as we entered our credentials, SocialFish captured them and saved them to an interactive log, allowing us to manage phishing campaigns easily.
Though SocialFish has gone through many iterations, it continues to be a powerful tool for creating convincing phishing pages for social media websites. We haven't gone into how to deploy SocialFish across a network in this article, but as you can see in our example, the hardest part of creating a convincing fake on the fly is actually easy to do. One limitation of SocialFish as a tool is its current lack of documentation, but in the future, I expect this to improve to make the companion mobile app more useful.
I hope you enjoyed this guide to phishing social media websites! If you have any questions about this tutorial on phishing social media, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.