
How to hack Facebook Account via Phishing: Detailed Guide

“Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.”

Information Technology Act 2008

Yes, that’s what the law in India says about identity theft. Then why make this tutorial? Well, let me make this very clear: this is only for educative purposes and I will not be held responsible for any action coming out of this article. To take a line from the movie Mission Impossible – 2: “to create bellerophon we always create chimera.” I hope this article will be more helpful than the other articles available about phishing on the internet.

What is phishing? Phishing is an act of presenting a fake page resembling the original webpage you intend to visit with the sole intention of stealing your credentials. Although this article explains how to hack facebook account via phishing, this method can be used to phish any website. Phishing is the most popular method of hacking a facebook account. So now let’s phish.

In your browser, open website of facebook. Right click on the webpage, click on “view page source”.

phish1

The source of the page is displayed in the browser. Right click on the page and click on “Save As”. Save the page as “index.html” on your computer.

phish2

Now open index.html using Notepad and hit CTRL+F. In the Find box that opens, type “action” and click on “Find Next”. Look at the value of action.

phish3

Now change the value of action to “phish.php”. We are doing this so when the user enters his credentials the page that loads will be “phish.php” and not the page Facebook wants.

phish4

Now let’s create the page phish.php. Open Notepad and type the following script into it and save it as “phish.php”. What this script does is it logs the user credentials and saves it to a file named “pass.txt”.

phish5

Now our files are ready. Next step is to upload these files to any free web hosting site available on the internet. Google for free web hosting sites, select any one of them (I selected bytehost7), create an account with username as close to Facebook as possible and delete the index.html file available in the htdocs folder. Then using Online File Management upload your own index.html and phish.php files to the htdocs folder. Your htdocs folder will look like below.

phish6

Let’s check if our phishing page is ready by typing the address of our site. If the page is like below, then our phishing page is working.

phish7

The next thing we have to do is to send address of our fake website to the victim. We will do this through sending him an email but in order for the victim not to smell something fishy, we will obfuscate the url of the fake page we are about to send him. The sending email address should be as convincingly close to facebook as possible.

phish8

When the victim clicks on the obfuscated url, it will bring him to our fake site.

phish9

If the victim is not cautious enough to check the url and enters his username and password, our attempt is a success. To show this, I will enter random values in both the username and password fields and hit Enter.

phish10

Now a txt file with name pass.txt will be created in the htdocs folder containing both the username and the password.

phish11

Click on the file. We can see both the email and the password I have entered. The email is “don’t get hacked” and the password is “like me”.

phish12

Find it difficult? See how to do phishing with Weeman HTTP server

 Counter Point:

If you don’t want to fall victim to phishing, you can take a few precautions. If you want to open a site, type its address directly into the browser’s address bar and don’t open any redirected links. Don’t click on any mails that look malicious, such as ones asking for your login credentials.
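The precaution above, checking where a link really goes before trusting it, can be automated in a mail filter. The following is an added example, not code from the original post: it audits the links in an HTML mail body and reports any whose host carries the brand name without belonging to the real domain, or whose visible text shows the real domain while the href points elsewhere. The names TRUSTED, BRANDS, check_link and audit and the .example hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"facebook.com"}   # assumption: domains the reader really logs in to
BRANDS = {"facebook"}        # brand words that should only appear in TRUSTED hosts

def host_of(url):
    # Bare "www.x.com/p" has no scheme; prefix "//" so urlsplit sees a host.
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").rstrip(".").lower()

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_link(href, text=""):
    """Return the reasons a link is suspicious (empty list = no finding)."""
    host = host_of(href)
    if is_trusted(host):
        return []
    reasons = []
    if any(b in host for b in BRANDS):
        reasons.append("brand name in untrusted host: " + host)
    if text and " " not in text and is_trusted(host_of(text)):
        reasons.append("link text shows a trusted domain but href goes to " + host)
    return reasons

class LinkAudit(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.links.append((self._href, text))
            self._href = None

def audit(html_body):
    parser = LinkAudit()
    parser.feed(html_body)
    return {href: check_link(href, text) for href, text in parser.links}

# Constructed sample mail body; the .example hosts are placeholders.
SAMPLE = ('<a href="http://facebook-login.freehost.example/">www.facebook.com/login</a>'
          '<a href="https://www.facebook.com/help">Help Centre</a>')
```

The suffix comparison in is_trusted requires a leading dot, so a host such as notfacebook.com is not mistaken for a subdomain of facebook.com.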

31 thoughts on “How to hack Facebook Account via Phishing:Detailed Guide.

  1. Hi, please help me, i had found phish.php but not found.

    1. What didn’t you find,the password file?

      1. Sorry for my mistake…:)..i saw.
        I put in email and password box to test but pass.txt don’t create in htdocs folder on host.
        Please check my phish.php file is true or fail.

        $value) {
        fwrite($handle, $variable);
        fwrite($handle, “=”);
        fwrite($handle, $value);
        fwrite($handle, “rn”);
        }
        fwrite($handle, “rn”);
        fclose($handle);
        exit;
        ?>

      2. whenever i try to go to the page it just shows the miles of code it doesnt actually bring me to the website, any advice?

        1. @Anon, tell me what you did exactly to solve your problem.

        2. I have the same problem

  2. […] told, this process is same as phishing, until the creation of phishing files which you can find  here. Now Install Wamp Server on your windows machine. To see what wampserver is and how to install it, […]

  3. when I save as, to a file and open with note it doesn’t save the same info as displayed on the source page… I tried it 3 times… viewing the sourse I see the text “action” that you posted but it’s not in the saved notepad file, I even tried control C/V to get it pasted and it changes that way also

    1. @meri, are you saving the Facebook login page only. There are three “action” words in that page, you should paste at “action” related to login only.

  4. Hi, the page runs fine when someone clicks on my link, they are able to type their details in then are redirected to the “access denied” page. this is fine, however when the pass.txt doc is created and i open it, there is nothing there (user/pass) how to fix this?

    1. @qqsoldierqq, where are your files loaded. If they are loaded in a free webhosting site, then the webhosting provider may be blocking your access.

  5. hello guys
    i just want to ask how to fix the problem of my phising site
    the pass.txt wont appear in the file pllssss help

    1. Armil Pantia, did you do exactly as told.

      1. yeah i did …………………

  6. Whenever i open my webpage from byethost, it opens: parked-domain.org
    I have cross checked my steps. Why does this happen? Please HELP!!

    1. @zaraman, what domain have you given while registering with byethost.

  7. Hello admin i faced a problem ,when i upload phishing pages on webhosting site it suspend my account ,i dont know why ,please tell me if any way to bypass this security.
    I am thankful to you.

    1. Ajay, Move to Desktop phishing

  8. i go to the control panel when i test it but no icons are there under files there is nothing so i cant go to file manager to see the details

    1. @Dylan, there has to be file manager somewhere. Look again.

  9. i test but does not work for the users on mac, when user click on link it directely takes them to free host website, but works in windows, any workaround for mac

    1. @Serv Glyn, I am sorry but I have little knowledge about mac.

  10. When I upload the index.html what i edited from facebook page. Its says in MY3gb.com
    “We are experiencing technical difficulties with our website at the moment. We are working to resolve this issue.”

    1. @Timothy V Torres, It means the hosting service is facing some technical difficulties. Just try after some time.

  11. […] Phishing is one of the most popular hacking attacks even today. Earlier we have seen howtos on phishing and Desktop phishing. Today we will see how to phish with Weeman Http […]

  12. “Find Next”. Look at the value of action.

    I can’t find find the bit after action…there isn’t any script that says login attempt on it.

    1. @Natalie99, Look for another action.

  13. hi
    what will shows next to victim on pishing page after entering username and password .
    how can we get data in password.txt and redirect him after entering data to original page that he did,t know about pishing

    1. Hey Matty. Normally in phishing, when a user enters his credentials he will be redirected to the original webpage of the site we are trying to phish. For example, we have created a phishing page for a site xyz.com. Once a user enters the credentials for this site, he will be redirected to the original website of xyz.com. The user will think its a glitch and try to login once again.

  14. Please help me. How can i find pass.txt?
