With the increased usage of social media around the globe, stealing of social media credentials by hackers has become a major problem around the globe. The stolen social media credentials are later used to lure and steal money and other valuable from unsuspecting social media users, friends and family. In this guide, we will be explaining how the hackers use a tool “zphisher” to get login details to social media platforms. The process has been made easy by use of this tool, you only need to have basic knowledge of using the terminal and some social engineering skills to get your targets’ login credentials.
What is required?
- Have Kali Linux.
- Have ability to use the terminal.
- Target. (Important Note: You should obtain consent from the target)
DISCLAIMER:
This tutorial has been made for educational purposes. The writers are not liable to any law infringed by the use of this tool. Obtain the consent of the involved parties to avoid being against the set laws.
Introduction About Zphisher
Zphisher is a tool developed by hr-tech to be used for advanced social media credentials phishing. The tool is an improvement of another tool, shellphish. Difference between zphisher and shellphish is that zphisher has updated templates for different social media platforms. Zphisher also allows port forwarding using Ngrok.
Other features of zphisher includes;
- Mask URL support.
- It has latest login pages.
- It has multiple tunneling option.
- Easy to use and User-friendly tool.
Installing zphisher on Kali Linux
Step 1: Download zphisher tool from the github repository
We will clone the zphisher tool from their official git-hub repository. We clone the repository using the below command.
git clone git://github.com/htr-tech/zphisher.git
Step 2: Giving zphisher tool execution permission
After download is complete we can change directory into the zphisher directory where we give the zphisher tool permission to run as an executable.
cd zphisher
Give zphisher permission to execute using the below command.
chmod +x zphisher.sh
Step 3: Using zphisher tool for automated phishing
We can now run zphisher to install the dependencies. [Running zphisher for the first time you will require to be connected to the internet in order for all the dependencies that are required to be installed].
Hack social media credentials using zphisher tool
Step 1: Running zphisher and choosing a platform
Now that we have installed zphisher, we are ready to launch our social media credentials phishing attack. We run zphisher tool using command.
./zphisher.sh
As shown in the screen below, we have over 30 platform templates available on zphisher ready to launch phishing attacks. On choosing the template based on the platform you are using, you may be required to choose the type of phishing attack you want to carry out. This is because when phishing for social media credentials, different techniques are used of different platforms. The templates are made readily available on zphisher. In our case, we can choose to carry out social media credentials phishing for Facebook.
Step 2: Choosing the type of phishing attack
After we choose we want to get Facebook social media credentials, we are given a few types of phishing attacks that are available for this platform. Different individuals will react differently to each of phishing attacks. You have to choose that will go undetectable depending on your target. In our case, we can use a fake security login page.
Step 3: Selecting a port forwarding service
On our next step, we have to select the port forwarding service that we will use on our attack. Zphisher has 3 port forwarding services; Localhost, Ngrok and the recently updated cloudflared. These port forwarding services are useful especially when the target is not in the same local area network as you. In our case we will be using cloudflared port forwarding service.
After confirming the port forwarding service you prefer, two links will be generated as shown on the image below. Both of the link can be used to phish the social media credentials depending on the way you convince your target to click on the phishing link.
Step 4: Sending phishing link to the target
After get the phishing link, we can now send it to our target. Avoid using messaging platforms which detect phishing links. You can also make an extra step of hiding the link behind some text as a hyperlink. Using trusted way of sending the phishing link will also play a big part in ensuring the success of the attack. Below is an example of an email that can be delivered to target via email.
Dear {name}
This Facebook account has been set to be deleted due to suspicious activity. Please login to Facebook to avoid you your account being suspended.
Regards.
Step 5: Getting the social media credentials
Once the target clicks on the link. He/She will be redirected to the malicious login page asking for his/her social media credentials. Zphisher will automatically fetch the targets’ IP address as shown below.
After the credentials have been submitted, you can view them on the terminal as shown on the image below. Zphisher goes on to save the social media credentials on a text file just in case you need to use them later.
The IP address in this situation can be used to determine the location of the target or be used to bypass the Facebook security which may report a login attempt from a new location.
Conclusion
On the above guide we were able to acquire social media credentials of our target through phishing and use of social engineering. Zphisher tool has readily available phishing templates which make the launching of a phishing attack even more successful. Attacks using zphisher especially on unsuspecting individuals have proven to be more successful as the templates used. It should be noted that zphisher should only be used for education purposes only and all the parties involved should have been informed prior to the attack.