Phishing is one of the most popular methods of attack among cyber criminals today – if not the most popular. This is because the victims are often people who are less tech-savvy. But even tech-savvy people can be affected if they are not sufficiently sensitised.
People often imagine a phishing set-up to be complex. But that doesn’t necessarily have to be the case. In this tutorial, I’ll show you how to use ErisPhisher, a phishing framework, to create a ready-to-use phishing setup within minutes that will allow an attacker to steal login credentials.
Disclaimer: All tutorials on cyberphinix.de are for informational and educational purposes only. We trust that you will not use this knowledge for malicious purposes. It is important to be aware of attacks so that you can defend against them effectively. Ethical behaviour is paramount and should also be important to you. Please note that the use of ethical hacking methods without permission is a criminal offence and, in the worst case, can result in a prison sentence. Use this knowledge to make the world a safer place – and not the other way round!
How to - Out of the Box
In the first step, I will show you how you can use ErisPhisher directly. You should note that the supplied templates for login pages, such as Google, may not be up to date. This can impair the effectiveness of a phishing attack if the template no longer corresponds to the current layouts. However, in the next chapter, I’ll explain how you can easily integrate up-to-date templates to ensure your setup is as realistic and effective as possible.
However, before we start with the setup, we need to clone ErisPhisher from the appropriate repository and switch to the newly created directory. This forms the basis for all further steps and allows you to utilise the full functionality of the framework.
git clone https://github.com/k4itrun/ErisPhisher && cd ErisPhisher
To use ErisPhisher, you must execute the following command at this point:
sudo ./eris.sh
As soon as ErisPhisher has been successfully started, you will have several ready-made templates at your disposal that can be used directly. However, it is important to note that the login pages included may not be up to date and should therefore be adapted to current requirements. This may be necessary to achieve a higher success rate with your phishing setup. The following screenshot shows what the ErisPhisher user interface looks like after startup:
Suppose you want to launch an attack on a YouTube channel. In this case, you need to enter the number 26 in the console. Once this is done, the script will automatically perform all the necessary steps to create a phishing page that is ready to use.
For a real attack, the URL generated by default is easily recognisable as suspicious, but the script offers the possibility to create custom links. For example, instead of a conspicuous URL like https://terror-tag-club-bbc.trycloudflare.com, you could use a URL like login.y0utube.com, assuming you own the domain y0utube.com. This significantly increases the credibility of the phishing page and can increase the success rate of the attack.
In this example, no custom link is generated and the step is skipped by pressing the Enter key. ErisPhisher now waits for the victim to enter their details and submit them.
To simulate the process, we assume that the victim clicks on the link and does not recognise that it is a phishing page. To do this, we open the generated URL in any browser. The following screenshot shows the phishing page provided by ErisPhisher. Although the design of the page is not particularly appealing, it illustrates the basic principle of the attack. It is important to emphasise that in a real-world scenario, the quality and authenticity of the design are critical to the success of the attack.
Let’s assume that the victim enters their YouTube login details and sends them off. This data is then not forwarded to YouTube or another trusted recipient, but transferred to our tool, as can be seen in the next screenshot.
Instead of ending up in safe hands, the credentials entered end up directly in our ErisPhisher console, where they can be viewed and misused by the attacker. This example shows how effective a well-prepared phishing page can be if the victim does not realise the deception.
It can be that easy! Once the user data has been captured, it is now known to the attacker. Not only can they use the stolen credentials to access the YouTube account, but they can also try to log in to other platforms, such as Facebook, Gmail, Outlook or even work email accounts.
The reusability of such data on different platforms poses a significant risk, as many users may use their credentials for multiple services. This increases the attacker’s chances of accessing additional accounts and potentially confidential information. It is therefore crucial to use strong, unique passwords for each platform and to take immediate action if a security incident is suspected.
But...
Even if the attacker is now in possession of the username and password, having two-factor authentication (2FA) enabled could present additional hurdles. To circumvent these, it is important to carry out the attack at the right time and ensure that the attacker is ready to log in before the victim completes the authentication process. In such a case, the victim could possibly interpret the attack as their own successful login.
The role of awareness and carelessness should not be underestimated. If two-factor authentication is not active, it becomes much easier for the attacker to gain access to the account. A well-implemented 2FA represents an important additional layer of security and can make the attack considerably more difficult, as the attacker would have to overcome the second authentication step in addition to the login data.
How to - Advanced usage
Use your own page
As shown in the first screenshot above, entering the number 66 allows you to create a customised phishing page. When designing this page, you can use the existing templates available in the zphisher repository as a guide. To implement this successfully, knowledge of web development with PHP is required.
In the following example, I demonstrate how I replicated the Google login page and modified it accordingly so that both username and password are captured at login. This procedure shows how a targeted phishing page specifically designed for the desired attack can be created by making adjustments to the existing templates.
Mask URL
If you want to avoid the hassle of using a customised domain, you can use online link shorteners to mask the URL instead. This technique disguises the actual destination address so that the victim cannot recognise at first glance which website is behind the link. Depending on the victim’s awareness level, this may or may not be successful.
This method is often used in phishing simulations within organisations to raise employee awareness of security risks. In such cases, only the fact that someone has clicked on the link is recorded. No credentials are captured, as this would be illegal and would violate data protection guidelines.
An example of a link shortener that you can use is https://free-url-shortener.rb.gy/. With this service, you can not only shorten the URL, but also track who has clicked on the link and when this happened. This enables effective monitoring and analysis as part of training measures.
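The two defensive checks this article asks the reader to make, expanding a shortened link to its real destination and recognising a look-alike hostname such as login.y0utube.com from the custom-domain section above, can be scripted. The following is an added example written for this article; it is not part of ErisPhisher or the shortener service. The hostnames short.example and login.y0utube.com, the redirect table and the brand list are constructed so the script runs offline; the live_fetch helper is the only part that talks to the network, and it sends HEAD requests without following redirects itself, so the checker never loads the page it is inspecting.

```python
"""Expand shortener redirects hop by hop and flag look-alike destinations.
Added example for this article (not ErisPhisher code). The redirect chain
and brand list below are constructed so the script runs offline."""
import difflib
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Substitutions typosquatters commonly use; mapping undoes them for comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalise_host(host):
    """Undo common digit/letter swaps so 'y0utube' compares as 'youtube'."""
    host = host.lower()
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def registrable_domain(host):
    """Crude last-two-labels approximation (no public suffix list), so
    'login.y0utube.com' -> 'y0utube.com'. Adequate for this demo only."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_brand(host, brands, threshold=0.85):
    """Return the brand a hostname imitates, or None when it is the genuine
    brand domain or clearly unrelated. Exact brand matches are never flagged."""
    domain = registrable_domain(host.lower())
    if domain in brands:
        return None
    candidate = normalise_host(domain)
    for brand in brands:
        if candidate == brand:
            return brand
        if difflib.SequenceMatcher(None, candidate, brand).ratio() >= threshold:
            return brand
    return None


def live_fetch(url):
    """HEAD the URL and return its Location header without following it."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # hand the 3xx back as an HTTPError instead of following
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")


def expand_chain(url, fetch=live_fetch, max_hops=10):
    """Follow Location headers one hop at a time; return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if not nxt:
            break
        nxt = urljoin(chain[-1], nxt)
        if nxt in chain:  # redirect loop guard
            break
        chain.append(nxt)
    return chain


# Constructed sample: a shortener hop landing on a look-alike host (not real services).
FAKE_REDIRECTS = {"https://short.example/abc": "https://login.y0utube.com/signin"}


def fake_fetch(url):
    return FAKE_REDIRECTS.get(url)


def assess(url, brands=("youtube.com", "google.com"), fetch=live_fetch):
    """Expand the link and report the final host plus the brand it imitates, if any."""
    chain = expand_chain(url, fetch)
    final_host = urlparse(chain[-1]).hostname or ""
    return {"chain": chain, "final_host": final_host,
            "imitates": lookalike_brand(final_host, brands)}


if __name__ == "__main__":
    print(assess("https://short.example/abc", fetch=fake_fetch))
```

Run it against a real shortened link by calling assess(url) with the default live_fetch; the registrable_domain helper is deliberately simplistic, so for production use replace it with a public suffix list lookup and extend the brand list to the services your organisation actually uses.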
Summary
In this tutorial, I have demonstrated how easy it can be to launch a realistic phishing attack. The aim was to show you that such attacks can be carried out quickly using freely available tools. However, it is important to note that the approach also has some weaknesses, such as the lack of IP address obfuscation, that an attacker would have to address.
Now you know how a phishing attack is structured and are better prepared to take appropriate countermeasures. I hope you also realise how important it is to be critical of shortened URLs and always check the actual destination address before entering your user details.
If you are an ethical hacker, you could modify your templates so that no passwords or email addresses are captured. This way, you could only check how many users in your organisation have clicked on the link. Note, however, that you absolutely need written authorisation for such tests. This type of test is known as a phishing simulation and is used solely for the purpose of raising awareness and training employees.
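A click-only landing page of the kind the last paragraph describes can be kept deliberately incapable of collecting credentials. The following is an added example written for this article, not code from ErisPhisher or the zphisher templates: it records which recipient token was opened and when, serves an awareness notice, and answers every POST with 405 so no submitted form data ever reaches the server. The token table and in-memory click log are constructed for the demo; a real simulation would persist them and would only run under the written authorisation mentioned above.

```python
"""Click-only landing handler for an authorised phishing simulation.
Added example for this article (not ErisPhisher code). Tokens and the
click log are constructed in memory; no credential form exists."""
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: one opaque token per recipient, embedded in the mail they receive.
TOKENS = {"q7f3k2": "user-001", "m9x1pz": "user-002"}
CLICKS = []  # (token, recipient, ISO timestamp); persist these in a real deployment

TRAINING_PAGE = (b"<h1>This was a phishing simulation</h1>"
                 b"<p>No data was collected. Report unexpected links to your security team.</p>")


def record_click(path, now=None):
    """Map a GET /t/<token> path to (status, body). Unknown tokens and any
    other path get 404; a valid token is logged and shown the notice."""
    prefix = "/t/"
    if not path.startswith(prefix):
        return 404, b"not found"
    token = path[len(prefix):].split("?", 1)[0]
    recipient = TOKENS.get(token)
    if recipient is None:
        return 404, b"not found"
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    CLICKS.append((token, recipient, stamp))
    return 200, TRAINING_PAGE


def reject_submission():
    """Every POST is refused so the page cannot be turned into a credential collector."""
    return 405, b"submissions are not accepted"


def click_rate():
    """Share of recipients who clicked at least once (the only metric reported)."""
    clicked = {recipient for _, recipient, _ in CLICKS}
    return len(clicked) / len(TOKENS) if TOKENS else 0.0


class Handler(BaseHTTPRequestHandler):
    def _send(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._send(*record_click(self.path))

    def do_POST(self):
        self._send(*reject_submission())


if __name__ == "__main__":
    # Bind to localhost only for the demo; put a TLS-terminating proxy in front for real use.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The design choice worth noting is that the server has no code path that reads a request body: the reporting value of a simulation comes from click_rate(), not from what recipients type, so the safest way to honour the data protection requirement is to make credential capture structurally impossible rather than merely switched off.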