i'm nervous about my first foray into social engineering, i have the fake login page but i don't know how long it's going to be up (assuming hosting sites take down these sorts of things as i have read they do) and i'm not sure what's the best approach to take with my mark(s)... although i feel with the right story i could trick them into using it...

here are the cons with my fake login:

it will only be useful for yahoo passwords
the newest version of ie has phishing security, and it will tell you that the page is suspicious
when the mark types in the password, it doesnt show up in asterisks

here are the pros:

if someone actually is tricked into putting in their password i will get it... lol

does anyone have any marks for me to test run it on?

i'm nervous about my first foray into social engineering, i have the fake login page but i don't know how long it's going to be up (assuming hosting sites take down these sorts of things as i have read they do) and i'm not sure what's the best approach to take with my mark(s)... although i feel with the right story i could trick them into using it...

This part is really up to you and your own creativity. Try to imagine the times when you've been convinced to click a link, either by legitimate people or other social engineers. E-mail spoofing can help.


the newest version of ie has phishing security, and it will tell you that the page is suspicious

Those filters only work with lists of known bad URLs. It depends on how long it takes for someone to report your site.


when the mark types in the password, it doesnt show up in asterisks

Why? The input tag should have its type set to password (<input type="password" />. Fake pages should be copied from the original website, URLs modified to fit the new location and the form pointed to your new processing script. There's no need to write the whole HTML page from scratch (as this would be pointless and not look genuine).

if ur looking for hosting i can host ur fake login for cheap and it wont be taken down :)

evilthoutz, i may take you up on that if i need to.

mike, where would i need to edit this: (<input type="password" />

can i just open the html in notepad and replace all? what is the original text that i need to replace with this code? all the input values are "hidden". should i change to "password" instead?

oh never mind. i figured it out but it did make a few minor changes to the rest of the page. but the password does type in in asterisks now.

ok if anybody wants to try it out on someone they know, i can give you the link and if they use it, i can give you the pw too... for a small fee :)

if you have hosted on domains like geocities,tripod ect,best is not to publish it,keep it private and just send out a link to the victim with a spoofed email.
The redirection after they click on sign in or submit should be a obvious one.

its not on any of those popular sites, i had to (didnt necessarily want to) go out of my way to find a somewhat obscure hosting site, and im not planning on making it public but will send it out on an individual basis... the redirect is to the REAL login page so you are just under the impression that its not registering or something

if you have hosted on domains like geocities,tripod ect,best is not to publish it,keep it private and just send out a link to the victim with a spoofed email.
The redirection after they click on sign in or submit should be a obvious one.

Geocities, Tripod, Freewebs and all the other hosts from the *0s are for static HTML pages only -- unless you pay for a hosting plan, you won't be able to use any PHP or Perl scripts on them. Without that, you can't really host any phishing pages without resorting to form mailing services.

lol i wish i knew how to create one of those fake pages, it would sure be usefull to me.