How to create a phishing website
Curious how you can clone websites to simulate phishing attacks?
Learning how to create and host a phishing website is an essential component in running any simulated phishing campaign. They're used in just about every form of phishing (e.g. email phishing, SMS phishing, malvertising, etc.) and are critical to the success of any simulated phishing campaign. Just about every service we use has an internet-based component to it, this include social media, financial services, collaboration platforms and the list goes on. If a cyber criminal can compromise any of these, the entirety of your online presence is at risk, particularly if you haven't enabled Multi-Factor Authentication (MFA) and have re-used passwords.
While phishing websites are a crucial component of running successful simulated phishing campaigns, there's a lack of information on how to actually clone websites and host your own. In this blog, we'll outline how to create a phishing website. If you're interested in understanding how to host long-standing phishing infrastructure, see our blog which outlines some of the steps to consider.
Locating a website to clone
This is arguably the most important component of creating a phishing website. When choosing a website to clone, you need to choose one that is in-use by your target(s). This could be a global service such as Microsoft 365 or Gmail which most businesses around the world use, or something more personalised such as a Password Manager, Bank or other service the target(s) may be using.
Cloning the website
Step 1. Locate the login page. Traverse to the website you've decided to clone and locate the login page. For the purpose of this blog, we'll focus on cloning a Password Manager.
Step 3. Download the web page source. Depending on whether the web page is statically or dynamically loaded - which is identified as part of step 2, you'll need to adjust your approach to downloading the web page.
If the web page is statically loaded.
Download the web page by right clicking anywhere on the page and selecting “Save As”.
Save as "Webpage, Complete" to your preferred folder.
If the web page is dynamically loaded.
Copy the web page HTML to clipboard by right clicking anywhere on the web page and clicking “Inspect”.
Under the Elements heading on the Browser Developer Tools, scroll to the top and right click on the “<html>” HTML object. Select the Copy heading followed by Copy Element
Open your favourite text editor or IDE and copy the HTML contents into an empty page. Then save this page as a .html filetype (e.g. Password-Manager-Login.html).
If the web page has an iframe.
An HTML iframe is typically loaded from an external source. During the cloning process, this typically causes iframe elements to fail due to Cross-Origin-Resource-Sharing (CORS) related issues.
To remediate an issue such as this, we need to traverse to the iframe src and then copy the raw HTML out of this page and save it as another HTML page that we will then reference in this src. With this process we need to follow much of the same steps we followed earlier. We need to check for relative references, replace these with hardcoded references and check that the page loads as intended.
Step 7. Replacing HTML element references. Once the page is loading as intended with all images and styles being displayed. Go through each .css and image file referenced and ensure these are downloaded to your local desktop. Once downloaded, upload these images to a publiclly accessible cloud storage location (e.g. Amazon S3, Azure Blob, CDN service, etc.) and then update the references for these to point to your copy of these files. The reason for this is that service providers such as 1Password will often update or delete image and .css files which will negatively impact our hosted phishing websites if we still point to these locations to load a resource.
Step 9. Replace hyperlinks! As a final step, load the webpage and ensure any hyperlinks to the legitimate website are replaced or removed to prevent a target from unintentionally leaving the phishing website before the interaction is captured.
Step 10. You’re all done! You phishing website is now operational. All you need to do now is choose a hosting provider and you can begin conducting simulated phishing attacks.
Learning how to create phishing websites can be a difficult task. One of the reasons our customers use CanIPhish is that we provide 30+ hosted phishing websites that can be used whenever you need them.
To use the phishing simulation platform provided by CanIPhish, simply sign-up for a free account and begin phishing! If you have any questions, don’t hesitate to contact the team at CanIPhish.
A Security Professional who loves all things related to Cloud and Email Security.