Curious how you can clone websites, harvest credentials, and simulate website phishing attacks?
Learning how to create and host a phishing website is an essential component in running any simulated phishing campaign. They're used in just about every form of phishing (e.g., email phishing, SMS phishing, malvertising, etc.) and used to determine if employees would fall victim to credential harvesting attacks.
Just about every service we use has an internet-based component to it; this includes social media, financial services, collaboration platforms, and the list goes on. If a cybercriminal can compromise any of these, the entirety of your online presence is at risk, particularly if you haven't enabled Multi-Factor Authentication (MFA) and have re-used passwords.
While phishing websites are a crucial component of running successful simulated phishing campaigns, there's a lack of information on how to clone websites and host your own. In this blog, we'll outline simple steps you can follow to create your own phishing website from scratch.
Locate A Website To Clone
This is arguably the most important component of creating a phishing website. When choosing a website to clone, you need to choose one that is in use by your target(s). This could be a global service such as Microsoft 365 or Gmail, which most businesses around the world use, or something more personalized such as a Password Manager, Bank, or another service the target(s) may be using.
Clone The Website
Now it's time for what we're all here for! Let's walk through the website cloning process.
Step 1. Identify The Login Page.
Traverse to the website you've decided to clone and locate the login page. For this blog, we'll focus on cloning a Password Manager.
Step 2. Review The Web Page.
Check the web page source and see if external images, CSS, and JavaScript functions include relative paths or are hardcoded. For example, this Password Manager's external references are mostly hardcoded. Also, check to see if the webpage source looks quite empty. Does it contain many of the HTML elements you’d expect to see from the loaded page? If not, then that could indicate that the webpage is being dynamically loaded through various JavaScript functions.
Step 3. Download The Web Page Source.
Depending on whether the web page is statically or dynamically loaded - which is identified as part of step 2, you'll need to adjust your approach to downloading the web page.