Tuesday, 17 May 2011

Facebook Phishing (how to freak out your friends)


Abstract:  In this post I will talk about the dangers of opening suspicious links and not exercising common sense.  I made a mock-up phishing site for Facebook which, with slight modification, could be used to send user credentials to a server-side database (MySQL).



Background:  The reason I am posting this is to highlight how easy it is for someone to mimic a popular website and, with some social engineering, steal usernames and passwords.  The simplest method is to get a free web account such as 000webhost.com under a shell email so there is no trace of who you are, then visit a site you want to phish and copy the login page source code.  This is exactly what I have done with Facebook.  The next step is to modify the login form so that it sends the user information to your database and then forwards the user to the real Facebook, so they are none the wiser.
In order to get people to your "Fakebook" you can use a variety of vectors, such as email spamming or, say, going to the Apple store and setting up Facebook to redirect to the phisher site.

Product:  So here is a link to the pseudo-phisher site: facebook.com.  As you can see, I masked the fake URL with the real one so it is less conspicuous.  If you click and log into this site you will see a popup saying that you should be more careful in the future; no user data was taken.  You can check the source code of register.php if you would like and see it's just a JavaScript prompt.  If you would like, you can send this link to family or friends that regularly buy into spam emails and have a little bit of fun watching them sweat.

Protection:  The way to protect against this is to use common sense.  Look at the actual URL of the page you are logging into (the address bar, not the text of the link you clicked), and of course don't open emails that seem suspicious or ask for user information.

Be safe,

-theuglybanana

3 comments:

  1. I tried 3 times and still couldn't log on

  2. After you log in a popup should appear saying that you are a dumbass :P.
