Saturday, December 10, 2011

How to hack Facebook accounts with a Phishing Scam

Facebook phishing scam

It's amazing how easily people's emails and passwords are stolen in a matter of seconds. Phishing scams happen all the time; however, the "frfacebook.fr" phishing scam went on for some time, stealing hundreds of people's account information.

Most phishing scams involve social engineering, in which the attacker must talk the victim into doing at least one step in order to steal their information. Facebook phishing scams are much easier because Facebook is very social as it is. This particular Facebook scam simply posted the users' credentials in plain text in a text file located on the website.

So, I figured I would create my own to show how easy it really is.
Things you need: website, html, php
-extra: able to create long subdomains
1. Get the source code of the Facebook homepage: 
   curl -s -L facebook.com > index.html
2. Create a sub-domain on your website or buy a website name
3. I simply created a sub-domain called "facebook.com"
   This sub-domain adds on to your real domain. 
   Ex. facebook.com.(your domain).com
4. Now create Facebook-like folders that resemble legitimate 
   Facebook url
      I copied how Facebook did the groups folder and numbering. 
      Ex. facebook.com.(domain).com/groups/(15 digit number)/
5. The last step is to actually retrieve the data. Since PHP 
   is installed on my server, I created a login PHP script called
   "index.php" that takes the posts and saves them to a .txt file.
7. For the source code, submit form:
   a. change the action to action="/PATH/TO/PHP/SCRIPT/"
      - best to name the script index.php
   b. change the text field "name" of the email field to something 
      simple "VICTIM_EMAIL"
   c. then change the password field "name" to "VICTIM_PASS"
8. Make sure you have the "pass.txt" for the dumped passes in the 
   specified directory
9. Script I used (index.php): 
In the script above, the header() function redirects to the real Facebook URL I want my victim to get to after I took their email and pass. This way they believe they were logged out when they clicked the link and will most likely just "sign" back in.



The final result: facebook.com.(domain).com/groups/(15 digit number)/index.php.
Simply give the victim the url without the "index.php" and check the "pass.txt" for the results.
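
Both hostname patterns in this post, the brand domain used as a sub-domain prefix (facebook.com.(domain).com) and the brand name embedded in another domain (frfacebook.fr), can be flagged mechanically by a mail filter or proxy. The check below is an added example, not code from the original post; the function names, the keyword and the sample URLs (with example.test as a stand-in domain) are constructed for illustration.

```python
from urllib.parse import urlsplit

BRAND_DOMAIN = "facebook.com"  # the real domain being imitated
BRAND_KEYWORD = "facebook"     # assumption: keyword to look for inside labels

# Constructed sample URLs; example.test stands in for an unrelated domain.
SAMPLE_URLS = [
    "https://www.facebook.com/groups/123456789012345/",
    "http://facebook.com.example.test/groups/123456789012345/",
    "http://frfacebook.fr/",
    "http://notfacebook.com/login",
    "https://example.test/about",
]


def classify_url(url, brand_domain=BRAND_DOMAIN, keyword=BRAND_KEYWORD):
    """Return 'legitimate', 'brand-as-subdomain', 'brand-in-label' or 'unrelated'."""
    # urlsplit().hostname lowercases the host and drops any port or userinfo.
    parts = urlsplit(url if "://" in url else "//" + url)
    labels = (parts.hostname or "").rstrip(".").split(".")
    brand = brand_domain.lower().split(".")

    # Only the right-most labels decide who owns the host. Compare whole
    # labels: a plain endswith("facebook.com") would accept notfacebook.com.
    if labels[-len(brand):] == brand:
        return "legitimate"

    # The brand domain sits further left, so it is just a sub-domain name
    # chosen by whoever controls the labels to its right.
    for i in range(len(labels) - len(brand)):
        if labels[i:i + len(brand)] == brand:
            return "brand-as-subdomain"

    if any(keyword in label for label in labels):
        return "brand-in-label"
    return "unrelated"


def flag_lookalikes(urls):
    """Return (url, verdict) pairs for every URL that imitates the brand."""
    verdicts = ((u, classify_url(u)) for u in urls)
    return [(u, v) for u, v in verdicts if v.startswith("brand-")]


if __name__ == "__main__":
    for url, verdict in flag_lookalikes(SAMPLE_URLS):
        print(f"{verdict:20} {url}")
```

The check compares ASCII labels only, so internationalized (punycode) hostnames would need to be decoded and normalized before being passed in.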