How To Create A Phishing Website In 10 Steps
Learning how to create and host a phishing website is an essential component in running any simulated phishing campaign. They're used in just about every form of phishing (e.g., email phishing, SMS phishing, malvertising, etc.) and used to determine if employees would fall victim to credential harvesting attacks.
While phishing websites are a crucial component of running successful simulated phishing campaigns, there's a lack of information on how to clone websites and host your own. In this blog, we'll outline simple steps you can follow to create your own phishing website from scratch.
Prerequisite: Locate A Website To Clone
This is arguably the most important component of creating a phishing website. When choosing a website to clone, you need to choose one that is in use by your target(s). This could be a global service such as Microsoft 365 or Gmail, which most businesses around the world use, or something more personalized such as a Password Manager, Bank, or another service the target(s) may be using.
Now it's time for what we're all here for! Let's walk through the website creation process.
Step 1. Identify The Login Page.
Traverse to the website you've decided to clone and locate the login page. For this blog, we'll focus on cloning a Password Manager.
Step 2. Review The Web Page.
Check the web page source and see if external images, CSS, and JavaScript functions include relative paths or are hardcoded. For example, this Password Manager's external references are mostly hardcoded. Also, check to see if the webpage source looks quite empty. Does it contain many of the HTML elements you’d expect to see from the loaded page? If not, then that could indicate that the webpage is being dynamically loaded through various JavaScript functions.
Step 3. Download The Web Page Source.
Depending on whether the web page is statically or dynamically loaded (identified in Step 2), you'll need to adjust your approach to downloading the web page.
- If the web page is statically loaded:
Download the web page by right-clicking anywhere on the page and selecting “Save As”.
Save it as "Webpage, Complete" to your preferred folder.
- If the web page is dynamically loaded:
Copy the web page HTML to the clipboard by right-clicking anywhere on the web page and clicking “Inspect”.
Under the Elements heading in the browser Developer Tools, scroll to the top and right-click on the “<html>” element. Select Copy, then Copy element.
Open your favorite text editor or IDE and paste the HTML contents into an empty page. Then save this page as a .html file (e.g., Password-Manager-Login.html).
Step 4. Load Your Copy Of The Web Page.
Load the newly saved copy of the login page in your browser and check to see if the page loads. If the web page fails to load or presents some form of error message after a few seconds, then this indicates that there may be a JavaScript function causing the page to fail. This could be a technique implemented by the service to prevent cloning, but in many cases, it's just an unintended side-effect of cloning. In the case of this Password Manager page, there is a JavaScript function causing page failure a few seconds after opening.
Step 5. Remove All The JavaScript!
Begin by editing the raw web page HTML to remove all JavaScript references and scripts. Remove JavaScript progressively and continue refreshing the page to ensure the page is loading as expected. If the removal of a certain JavaScript function results in page load failure, then revert the change and continue to the next function or script. The reason we delete JavaScript is because it may execute code that leaks information back to the original website. This could include monitoring for activity such as web page cloning or other monitoring that we don’t want to occur (e.g., Google Analytics tracking, etc.). Instead of reviewing each script and function line-by-line, the easiest approach is to simply remove it altogether.
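From the site owner's side, the "JavaScript function causing page failure" that Steps 4 and 5 run into is usually an origin check: a script that refuses to render, and reports home, when the page is served from a hostname it does not recognise. The block below is an added example of such a check; it is not code from the original post or from CanIPhish, and the hostnames and the report endpoint are placeholders.

```javascript
// Added example (not from the original post): a defender-side origin check of the
// kind Step 4 describes. Hostnames and the report endpoint are placeholders.
const LEGITIMATE_HOSTS = ['login.example-passwordmanager.test', 'www.example-passwordmanager.test'];

// True only when the page's hostname exactly matches an allowed host. Exact matching
// avoids the classic mistake of using endsWith()/includes(), which a look-alike such
// as "login.example-passwordmanager.test.lookalike.test" would pass.
function isServedFromExpectedHost(hostname, allowedHosts = LEGITIMATE_HOSTS) {
  const h = String(hostname || '').toLowerCase().replace(/\.$/, '');
  return allowedHosts.some(a => a.toLowerCase() === h);
}

// Report sent to the legitimate site when the page is found on a foreign host:
// the foreign hostname tells the defender where the clone is being served from.
function buildCloneReport(hostname, href, referrer) {
  return { event: 'possible-clone', host: hostname, page: href, referrer: referrer || '', ts: new Date().toISOString() };
}

// Browser-only part: notify the real site, then blank the document. Guarded so the
// module can also be loaded outside a browser (e.g. by tests).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (!isServedFromExpectedHost(window.location.hostname)) {
    const report = buildCloneReport(window.location.hostname, window.location.href, document.referrer);
    // sendBeacon survives the page being torn down; the endpoint is a placeholder.
    if (navigator.sendBeacon) {
      navigator.sendBeacon('https://login.example-passwordmanager.test/clone-report', JSON.stringify(report));
    }
    document.documentElement.innerHTML = '<p>This page is not being served from its legitimate domain.</p>';
  }
}
```

Because the check is trivially stripped (as Step 5 shows), it is a tripwire that reports clones early, not a control that prevents them; the report endpoint is the valuable part.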
Step 6. Confirm That The Web Page Loads.
After removing the necessary JavaScript functions and confirming the page loads, check to see if any images, CSS, or other objects fail to load. These are all indicators that certain page objects may have relative file paths within their respective HTML elements that need replacing. In the case of this Password Manager, the panel on the right-hand side of the page has failed to load. Upon re-inspection of the source website, this is because the right-side panel is being loaded from an iFrame HTML element.
- If the web page has an iFrame:
An HTML iFrame is typically loaded from an external source. During the cloning process, this typically causes iFrame elements to fail due to Cross-Origin Resource Sharing (CORS) related issues.
To remediate this, open the iFrame's src URL, copy the raw HTML out of that page, save it as a separate HTML page, and point the src at that saved page. The saved page needs the same treatment as the main page: check for relative references, replace them with hardcoded references, and confirm that the page loads as intended.
Step 7. Replace HTML Element References.
Once the page loads as intended with all images and styles displayed, go through each .CSS and image file referenced and ensure these are downloaded to your local desktop. Once downloaded, upload these files to a publicly accessible cloud storage location (e.g., Amazon S3, Azure Blob, CDN service, etc.) and then update the references to point to your copy of these files. The reason for this is that service providers will often update or delete images and .CSS files, which will negatively impact our hosted phishing websites if we still point to these locations to load a resource.
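Until Step 7 is carried out, a cloned page still loads its CSS and images from the real site, so the legitimate site's access logs show asset requests whose Referer points at a foreign host. The following is an added detection example written from the defender's side; it is not code from the original post or from CanIPhish, and the hostnames and log lines are constructed.

```javascript
// Added example (not from the original post): finding hot-linked assets in the
// legitimate site's access logs. Hostnames and log lines below are constructed.
const LEGITIMATE_HOSTS = new Set(['login.example-passwordmanager.test', 'www.example-passwordmanager.test']);
const ASSET_EXT = /\.(css|png|jpg|svg|woff2|js)$/i;

// Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

const SAMPLE_LOG = [
  '203.0.113.10 - - [10/Mar/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [10/Mar/2024:10:00:02 +0000] "GET /static/app.css HTTP/1.1" 200 900 "https://login.example-passwordmanager.test/login" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Mar/2024:10:05:11 +0000] "GET /static/app.css HTTP/1.1" 200 900 "https://accounts-verify.example-lookalike.test/Password-Manager-Login.html" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Mar/2024:10:05:11 +0000] "GET /static/logo.png HTTP/1.1" 200 4100 "https://accounts-verify.example-lookalike.test/Password-Manager-Login.html" "Mozilla/5.0"',
  '198.51.100.8 - - [10/Mar/2024:10:06:40 +0000] "GET /static/logo.png HTTP/1.1" 200 4100 "https://accounts-verify.example-lookalike.test/Password-Manager-Login.html" "Mozilla/5.0"',
  '192.0.2.22 - - [10/Mar/2024:10:07:00 +0000] "GET /static/logo.png HTTP/1.1" 200 4100 "-" "curl/8.0"',
].join('\n');

// Hostname of the Referer, or null when it is absent ("-") or not a valid URL.
function refererHost(referer) {
  if (!referer || referer === '-') return null;
  try { return new URL(referer).hostname.toLowerCase(); } catch (e) { return null; }
}

// Counts asset requests per foreign Referer host. Requests without a Referer are
// ignored: they are normal for bots and cached loads and carry no signal on their own.
function findHotlinkingHosts(logText, allowedHosts = LEGITIMATE_HOSTS) {
  const hits = new Map();
  for (const line of logText.split('\n')) {
    const m = LOG_RE.exec(line);
    if (!m || !ASSET_EXT.test(m[3].split('?')[0])) continue;
    const host = refererHost(m[5]);
    if (host !== null && !allowedHosts.has(host)) hits.set(host, (hits.get(host) || 0) + 1);
  }
  return hits;
}

for (const [host, n] of findHotlinkingHosts(SAMPLE_LOG)) {
  console.log(`${n} asset requests referred from ${host}`);
}
```

A foreign host that repeatedly refers asset requests with no matching page views is a strong clone indicator and a good input for takedown requests.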
Step 8. Insert Your Own Capture Functions.
As CanIPhish provides simulated phishing, we need to track user interactions such as page load events and on-page activity. To do this, we insert a JavaScript function that executes on both page loads and also when any input is provided into the password or sensitive data fields. This is typically best handled through an onkeydown event listener. In the case of CanIPhish, the moment we track interactions with sensitive data fields, we perform an immediate redirect to an education website. Just before this redirect, we forward user activity to an API used for campaign tracking purposes.
Step 9. Replace Hyperlinks!
As a final step, load the webpage and ensure any hyperlinks to the legitimate website are replaced or removed to prevent a target from unintentionally leaving the phishing website before the interaction is captured.
Step 10. You're All Done!
Your phishing website is now operational. All you need to do now is choose a hosting provider, and you can begin conducting simulated phishing attacks.
Conclusion
Learning how to create phishing websites can be a difficult task. One of the reasons our customers use CanIPhish is that we provide 50+ hosted phishing websites that can be used whenever you need them.
To use the phishing simulator provided by CanIPhish, simply sign up for a free account and begin phishing! If you have any questions, don’t hesitate to contact the team at CanIPhish.
Frequently Asked Questions
Do Web Browsers Have Built-In Protections To Defend Against Phishing Websites?
Yes. Depending on the type of web browser, different browser-based defensive technologies are enabled by default. For Microsoft Edge, there is Microsoft SmartScreen. For Google Chrome, Apple Safari, and Mozilla Firefox, there is Google Safe Browsing. If a phishing website is found by one of these anti-phishing technologies, it'll cause the browser in use to display a large red warning banner when the website attempts to load. This banner warns the user that the website has been found to host malicious content and advises the user against proceeding.
How Are Phishing Websites Hosted?
Where a phishing website can be hosted depends on the technology used to code it and its intended purpose. For example, if the website is a simple static webpage, it can be hosted on a simple storage service that allows HTML files to be publicly accessible. If the website has any server-side logic, it'll need to be hosted on more complex web-hosting platforms that allow for the hosting of a dedicated virtual server.
Depending on the intent of the phishing website, different types of cloud computing providers are available. If used for educational purposes, then major cloud computing providers, such as Amazon Web Services, Google Cloud, and Microsoft Azure, typically allow the hosting of phishing infrastructure so long as it's for legitimate and legal purposes. Cybercriminals will commonly use bulletproof hosting providers because these providers are much more lenient with who they take as customers.
A Security Professional who loves all things related to Cloud and Email Security.