Social Engineering, Part 2: Hacking a Friend's Facebook Password
Welcome to the second Null Byte in a series educating you on Social Engineering awareness and techniques. Today, I'm going to show you how a savvy Social Engineer would trick a friend into unknowingly surrendering their Facebook password. My intent is to warn you and to demonstrate how easy it is to succumb to phishing via Social Engineering, and thereby expose yourself.
Phishing is the act of tricking someone into signing in to a fake website that mimics a real site, such as Facebook. The phishing page logs the credentials that the user enters in the login fields, and under the right circumstances, with some Social Engineering, this usually goes unnoticed.
- Phishing is illegal.
- Only phish your friends who give you consent to do so.
Step 1 Get a Web Host
You need a place to host your phishing page. I like T35—they are free, and offer cPanel hosting.
- Make a free account on T35.
- Go to your email that you used and click the link confirming the account.
Step 2 Create the Phishing Page
Now we need to create the site that will log the victim's credentials.
- Open up a text document using Notepad, or the text editor of your choice.
- Go to the Facebook login page.
- Right-click somewhere on the page, and click View page source.
- Copy all of the contents of the source code and paste them into your text document.
- Hit Ctrl + F, and search for "action=" and change the method to "GET", and the text to the right of "action=" to "log.php".
- Click File > Save as and save it with the name "index.php" (make sure to click the drop-down menu to select "all files" if it's not selected already).
- Make a new text file, and paste this as the contents (paste the raw text, not the numbered). This is the file written in PHP that logs the victim's login details.
- Save the file as "log.php". Again, make sure "all files" is selected in the file type drop-down menu.
- Log in to your T35 account and click Upload. Upload both files to the root of your website (not in a folder).
- When credentials are logged, they will be in a file called "passwords.txt" in the root of your website. Check the box next to the "passwords.txt" file when you get some logs, and click chmod. Change the file to 466 permissions, so other people can't read the victim's passwords.
Step 3 Perform the Phish
In a status update on Facebook, post something like the following:
"Check out this funny picture of me on my website xD <post link to phishing page here>."
It's really that simple. You should start to see people's login credentials getting stored in your "passwords.txt" file. Simply because it comes from a "trusted" Facebook friend, they will go with their instincts and click the link without thinking twice about it. The best part about the PHP code posted above is that the header sends you back to the Facebook homepage, bypassing the redirect filter warning that Facebook has implemented, which makes it nearly seamless to the user who fell for it.
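Seen from the defender's side, the two edits made in Step 2 (the form method switched to "GET" and the action pointed at a local "log.php") are exactly what gives a copied login page away. The check below is an added example, not part of the original article; the TRUSTED list, the sample HTML and the friend-site.example host are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

TRUSTED = ("facebook.com",)  # assumption: hosts allowed to serve/receive the login form

def trusted(host):
    host = (host or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

class FormScan(HTMLParser):
    """Record every <form> and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action") or "",
                            "method": (a.get("method") or "get").lower(),
                            "password": False}
            self.forms.append(self.current)
        elif tag == "input" and self.current and (a.get("type") or "").lower() == "password":
            self.current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def audit_login_page(page_url, html):
    """Return findings for each password form in html fetched from page_url."""
    scan = FormScan()
    scan.feed(html)
    findings = []
    for form in (f for f in scan.forms if f["password"]):
        target = urljoin(page_url, form["action"])  # relative actions stay on the page's host
        if not trusted(urlparse(page_url).hostname):
            findings.append("password form served from untrusted host")
        if not trusted(urlparse(target).hostname):
            findings.append("credentials submitted to " + target)
        if form["method"] == "get":
            findings.append("password sent with GET, so it lands in URLs and logs")
    return findings

# Constructed samples: a copied page with the two edits from Step 2, and a same-site form.
CLONE = '<form action="log.php" method="GET"><input type="text" name="email"><input type="password" name="pass"></form>'
GENUINE = '<form action="/login.php" method="post"><input type="password" name="pass"></form>'

if __name__ == "__main__":
    print(audit_login_page("http://friend-site.example/index.php", CLONE))
    print(audit_login_page("https://www.facebook.com/", GENUINE))
```

The same three signals are what a user can check by hand before typing a password: the host in the address bar, where the form submits, and whether the password shows up in the URL afterwards.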