In this post, I will be demonstrating on how to conduct a website phishing using a tool in Kali Linux called SET (The Social-Engineer Toolkit). The usage of this tool is that we are able to clone a website in order to get the information such as their username and password from our target, for example instagram, facebook, and even banking websites.
First, all we have to do is open your terminal and type “setoolkit” as shown below.
At the bottom of the terminal, there will be a list of choices as shown here. Proceed by choosing Social-Engineering Attacks by typing “1”.
Next, choose Website Attack Vectors by typing “2”.
Choose Credential Harvester Attack Method by typing “3”.
Then, there will be more choices like shown below. If we choose web templates, we are not required to type in the url of the site that we wish to clone as its template is already available. However, there are not many varieties of site which are available. In this case, I will be using the site cloner.
Once we are inside the Site Cloner option, we will be asked for the IP address which we wish to use as the clone website. In this case, my IP address is 10.0.2.15 and I will be cloning instagram.com
If your terminal appears the same as this, it means that you are ready to get all the information from our target.
This is what we will get if we enterred our local address. It shows the same page as the real site of instagram.com
If the user falls to our trap, he/she will input their information in the username and password fields. Once they pressed enter, an error message will appear which states that there was a problem in logging into the site. However, this event actually saves the input to our terminal which is shown earlier.
These are the information which we get from the user’s input. His/her username and password.
In the real world, people will not be visiting our local ip address to log into their instagram account. In order to attract people to the trap, usually hackers will send their target an email which tells them that they are required to sign in to solve the problems. If the target is not careful, he/she will fall into the trap and the hackers will get their target’s vital information.
Differences Between Phishing and Spam
This kind of attack is designed to steal a person’s information such as username/login and password or even bank accounts. Besides ordinary phishing, there is also a similar attack called vishing (Voice Phishing) which used voice as their media, for example through phone.
It is mainly consists of email messages which is sent by where its content is usually unwanted by the recipients. It is mostly used for commercial advertisements. Fortunately, email services such as yahoo mail and google mail are able to separate between “real” emails and spam. Therefore, we should be less worried in terms of receiving emails. However, we should never let our guard down as attacks may come anytime and anywhere using anything without us noticing.