Phishing is the easiest way to steal your password, since only one mistake is needed to log in to the wrong website. A compelling phishing site is the key to a successful attempt, and the tools to create it have become more intuitive and sophisticated. With SocialFish, a hacker can create a compelling phishing site for just about any web site and provide a web interface with an Android remote control app.
In previous phishing guides, one of the most common questions was how easy it would be to customize the default page to resemble a specific login. SocialFish can easily clone a social media site to create a link to a password harvesting attack in just a few clicks, so you do not have to create a template yourself. While there is also an earlier version of SocialFish with Ngrok integration, we'll look at the new version.
The Next Generation of SocialFish
While the previous versions of SocialFish were impressive, the latest update includes a clean web interface for creating and managing phishing links. Switching to web-based user interfaces for tools such as Kismet has made SocialFish more accessible to beginners, and the ingenious simplicity makes cloning nearly any website incredibly easy.
A disadvantage of the new SocialFish is that the documentation is so sparse or absent for many features. This means that many of the features, such as the attached Android application, are not easy to use and troubleshooting can be difficult because the wiki contains minimal information.
Still, as a cutting-edge tool with a clear user interface and well With SocialFish, you can easily demonstrate how easy it is to create custom phishing links. An important note for this article is that, due to the potential for abuse and incomplete documentation, we provide this link only in our internal network and not on a destination on the external Internet.
What you need  To use SocialFish, Python3 or later must be installed on your computer. You also need to have PIP3, the package manager of Python3, installed. In addition, several libraries are required for this tool to run. We will install it in the next steps. Note, however, that downloading and setting up over a slow network can take some time.
To use SocialFish, we can See the GitHub repository for information about previous versions and the mobile app that is part of the primary tool. To get it working, some dependencies need to be installed. With a good internet connection, we can install everything with a few lines in a terminal window.
In a new terminal window, enter the following commands to install the required dependencies, clone the repository, and run the setup script.
~ $ sudo apt-get install python3 python3-pip python3-dev -y ~ $ git clone https://github.com/UndeadSec/SocialFish.git ~ $ cd Social Fish ~ $ python3 -m pip install -r requirements.txt
Once the execution is complete, you should be ready to use SocialFish. We will use our browser to interact with it. Therefore, open a FireFox window before proceeding to the next step.
Step 2: Log in to the web interface
Let's create a web interface to help you manage our phishing links. To do this, open a terminal window and type the following to change to the SocialFish folder. Choose a username and password to log in to the web interface and replace it with the fields "youruser" and "yourpassword".
~ $ cd SocialFish ~ $ python3 SocialFish.py youruser yourpassword
Once setup is complete, we should be able to access the web interface by navigating to the URL 0.0.0.0:5000 in our browser. Enter the user name and password that you have set up and click Sign in to access the SocialFish portal.
we can see some important information. Above we see the box for the site we want to clone to, the site we want to redirect to, and the URL for our attack.
We can also see some information about links that we have already created. In my case, I've already created eight attack links that have attracted 15 clicks and four sets of credentials.
For our attack we have to decide which website we want to clone. In this case we choose twitter.com/login . To simplify matters, we will return to twitter.com afterwards. If you are already logged in, it looks like a normal login was successful.
Enter the URL you want to clone and the URL you want to redirect to in the boxes at the top right of the page. Click on the flash to activate the link.
Now navigate in a separate browser window to the attack link – the link we would use to the victim during a real attack serve. You will be redirected to a true-looking phishing site and can enter a username and password to test it.
During a live deployment, you must redirect the target to this URL. This is just a sketch in the current documentation, and I'll skip it to reduce the risk of malicious use of this script. Currently we can access it in our internal network.
Once we have entered our test credentials, we should be redirected to the link provided. After we've collected some credentials, let's examine how SocialFish logs them.
Back in the main menu, we can see that the number of logged credentials has increased. We can also see that "Successful Attacks" lists a set of protocols that we can access.
In the most recent log, click Show to see the intercepted credentials. It should open a page where the collected information is saved in a format like the following.
That was easy! With just a few clicks, we were able to create a website that looks virtually identical to the real Twitter.com website. Once we've entered our credentials, SocialFish has captured them and stored them in an interactive log so we can easily manage phishing campaigns – a powerful tool for creating compelling phishing sites for social media sites. We have not explained in this article how SocialFish is deployed on a network. As you can see in our example, the hardest part of creating a convincing counterfeit on the fly is actually easy. One limitation of SocialFish as a tool is the current lack of documentation. However, I expect that this will lead to an improvement of the mobile companion app in the future.
I hope you liked this guide to phishing social media sites! If you have questions about this phishing tutorial on social media, leave a comment below and feel free to contact me on Twitter @KodyKinzie .
Do not miss: Easily generate hundreds of phishing domains