Creating WordPress Phishing Pages – Updated Guide
Creating WordPress Phishing Pages
Hi, welcome back today I will show you how to create WordPress phishing pages. Phishing is the practice of sending emails or fake pages in order to trick targets into unknowingly giving personal information such as passwords and credit and debit card numbers.
Phishing attacks are a Social Engineering method that relies solely on human error and trickery.
Let’s assume we are doing a Pentest on a popular WordPress website the admin has given us permission to try and phish information from staff members without breaking into their WordPress or gaining information from the SQL databases. The site admin has spent thousands of dollars maintaining the security of his website and believes it to be quite safe although he can’t be too sure that his staff members will compromise his website through human error.
A lot of people come to the conclusion that a user must be stupid or an idiot to fall for phishing pages. This is not the case with 1000’s of emails per day going to businesses and personal inboxes it can be quite easy to fall into the trap especially in the shared inbox with multiple staff reading and responding to messages. Phishing pages can look identical and very believable. However, we don’t blame the targets as most have not had sufficient training. The Admin’s idea of the Pentest is not to make the staff users feel stupid for falling for the phishing pages but to educate them in order to prevent further attacks in the future.
We could use SEToolkit to clone a login page to the WordPress site but this can be unconventional if running listeners for long periods of time using the output PHP from WP-Phishing-Maker script we can store plain text, MySQL Databases, etc. This Phishing method will require a Web server to host the files generated by the script.
Linux-based operating system
First of all Download WP-Phishing-Maker.
You can download WP-Phishing Maker from the following download location.
First of all, we need to navigate to the script directory using the cd command (change directory).
Then we will need to make the WP-Phishing-Maker bash script executable we can do this by using command chmod.
chmod +x WP-Phishin-Master
Now the bash script is ready to run from the same directory run command.
Now that WP-Phishing-Maker has loaded use options 1. Start
The script will then prompt for an output location this can be any directory you would like to save the WordPress phishing page generated by WP-Phisher-Maker. I will create a new directory inside the root.
Open up a new terminal and create an empty directory using mkdir command.
The script will now prompt for a WordPress website to clone as a phishing page.
Choose if the target is using HTTP or HTTPS and press Enter when the script has finished generating the WordPress phishing page you will see a message telling you that the pages have been completed and ready to use.
We can now upload the Php files generated by WP-Phishing-Maker to a Webhost.
So we made a clone of a WordPress website that we own for testing purposes called Iphonegiveaway.co.uk the idea of this type of phishing attack is to trick the website admin into logging into a fake WordPress admin panel.
We have uploaded the generated Php files from the bash scripts output directory to a shared webhost.
Demo (Don’t enter any personal information into this page.)
You will then be able to gather credentials in plain text and receive them from your FTP directory.
WE ARE HERE FOR SERIOUS BUSINESS, WE DO NOT TOLERATE TIME WASTERS AND BEGGARS TRYING TO BEG OR SCAM US OF OUR PRODUCTS. Payment is Upfront, Our services are not free