How to Hide a Phishing Link

Nowadays people are smart enough that they don't fall for phishing easily, because the link does not look like the original website. For example, a phishing link may look like https://ngrok.io/xxabcd while the page it opens looks like the Gmail login. People spot the trap, and even a user with minimal technical knowledge will not enter credentials (username and password). So it has become tough to phish anyone.

Then what to do? The answer is social engineering. An attacker needs to be skilled in social engineering. What is social engineering? In short, social engineering is "bugs in human hardware": an attacker plays with the victim's mind and tricks it.

Hiding phishing links inside normal-looking, trustworthy links is a big part of social engineering. With this method the attacker gains the victim's trust, and the victim treats the phishing link as a normal link, because the well-known domain name shown in it (like Google, YouTube, New York Times, etc.) is considered clean.
To make things easier we're going to use a tool that makes a phishing link look like a normal web link such as Google or YouTube.

It is a small and simple tool written in bash, named "MaskPhish". This tool is made by us and is available exclusively on our GitHub repository. We can clone it with the following command:
git clone https://github.com/jaykali/maskphish
After this command the tool is downloaded to our system, as shown in the following screenshot:
[Screenshot: cloning maskphish from GitHub]
Now we just need to navigate into the maskphish directory with the cd command:
cd maskphish
We can run it with the following command:
./maskphish.sh
Then MaskPhish opens its main menu, as in the screenshot:
[Screenshot: MaskPhish main menu]
Now we need to enter our phishing URL here, whatever it is (with http:// or https://).
[Screenshot: entering the phishing URL]
Then we need to enter a trusted URL, whatever can fool the victim's mind, like https://google.com or https://youtube.com or http://anything.com, as we did in the following screenshot:
[Screenshot: entering the trusted domain]
Here we need to add some social engineering words separated with "-". For example, if the victim is a football fan we can use something like best-football-skills. Note that we don't use any spaces here.

Then we press Enter and get our MaskPhish link. Our URL starts with facebook.com and does not show ngrok directly.
[Screenshot: the masked phishing link]
Let's open this trusted-looking URL (which also contains the special juicy words for the target) in our browser and see whether we reach our destination, ngrok (the example phishing URL).

Oh crap, we got a "Warning!".
[Screenshot: browser warning]
The warning comes from the browser's security functions. Every method has its own limitations. But mobile browsers did not show this warning; there it works like magic.

Anyway, after clicking "Yes" we reached our phishing website.
[Screenshot: redirected to the phishing page]
This is an example Phishing link, for educational purpose

It is a fact that attackers can gain a victim's trust with this kind of URL, and many people don't read the warnings and just click "Yes".

In our opinion this is a really good thing for social engineering attacks. Using it, the attacker's success rate will increase, and the attacker earns the trust of the victim by showing off the URL.

There are some other ways to hide a phishing URL. Suppose the attacker is sending phishing links via email; then there is already a classic way to hide a URL. For this example we assume our website URL kalilinux.in is the destination. Now the example:

Log in on: https://www.facebook.com/

Cool, now try to go to Facebook by using the link above!

This is easy, just HTML. Got the trick 😎? Describe it in the comment section.

Another technique is Google search's redirect method.
This is also super easy: the attacker can redirect to any URL through Google search as follows:

https://www[dot]google[dot]com/url?q=https://www.phishingurl.link

Replace the [dot]s with . and try it in a browser.

These are the clever ways used by attackers in phishing attacks. But there are more methods (like homograph) to mask a phishing URL on the Internet. To stay safe from these we should not click on any third-party link, even if it looks trusted.
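
The two HTML-level tricks described above (anchor text that differs from the real href, and a Google /url?q= redirect wrapper) can be checked mechanically in a mail body before a reader ever sees the link. This is an added example, not part of the original post or of MaskPhish; the function names, the REDIRECTORS table and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# (host, path) -> query parameter carrying the real destination; only the Google form is from the article.
REDIRECTORS = {("google.com", "/url"): "q"}
URLISH = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)  # text that looks like a URL
# Constructed sample e-mail body built from the article's example URLs.
SAMPLE = ('<p>Log in on: <a href="https://www.kalilinux.in">https://www.facebook.com/</a></p>'
          '<p><a href="https://www.google.com/url?q=https://www.phishingurl.link">Search result</a></p>'
          '<p><a href="https://www.facebook.com/">https://www.facebook.com/</a></p>')

def host_of(url):
    """Lower-cased hostname without a leading 'www.', or '' if there is none."""
    return re.sub(r"^www\.", "", (urlsplit(url).hostname or "").lower())

def unwrap_redirect(url):
    """Return the destination carried by a known redirect link, else the URL itself."""
    parts = urlsplit(url)
    param = REDIRECTORS.get((host_of(url), parts.path))
    return (parse_qs(parts.query).get(param) or [url])[0] if param else url

class LinkCollector(HTMLParser):  # collects [visible text, href] for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append(["", dict(attrs).get("href") or ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][0] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def audit(html):
    """List (finding, shown host, real host) for links that hide their destination."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        final = unwrap_redirect(href)
        if final != href:
            findings.append(("redirect-wrapper", host_of(href), host_of(final)))
        shown = URLISH.match(text.strip())
        if shown and host_of("//" + shown.group(1)) != host_of(final):
            findings.append(("text-href-mismatch", host_of("//" + shown.group(1)), host_of(final)))
    return findings
```

Calling audit(SAMPLE) flags the first two links and passes the third, whose visible text and href point to the same host.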

This tutorial is for educational and research purposes only. Hacking or Phishing is a serious crime. If anyone does any illegal activity then we are not responsible for that.


20 comments:

  1. Hey, the tool is awesome but it does not work with ngrok links, it shows an error. I have used a camphish tool link. Please reply.

    1. Yes, it is not working with ngrok links... We are looking into it. If there is an update we will reply here. Thanks for noticing this issue. We filed this issue with the developer on GitHub. Check it.

  2. How do you merge and hide that kalilinux.in into the Facebook link?
    Please tell!

    1. Ohh

      This is very simple: the "https://www.facebook[dot]com" is not a link, it is the anchor text in this hyperlink. The link is www.kalilinux[dot]in.

      For an example
      a href="https://www.kalilinux.in">https://www.facebook.com</a{check the tags}

      Basic HTML used to trick a mind. Isn't it cool?

  3. virus@localhost:~$ sudo pip3 install pyshorteners
    [sudo] password for virus:
    WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
    Collecting pyshorteners
    WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pyshorteners/
    WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pyshorteners/
    WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pyshorteners/
    WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pyshorteners/
    WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pyshorteners/
    Could not fetch URL https://pypi.org/simple/pyshorteners/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pyshorteners/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
    ERROR: Could not find a version that satisfies the requirement pyshorteners (from versions: none)
    ERROR: No matching distribution found for pyshorteners
    WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
    Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
    help sir pls

    1. I think you forgot to use this command
      sudo pip3 install pyshorteners

    2. I did, you can see it in the previous comment; this is the error I'm getting.

    3. This error is coming from pip, you can try searching the error message on Google.

  4. A nice tool that I have gotten working myself. The error message and how pronounced it is does depend on the browser in use. So results may vary.

    1. Yes. We agree. Did you check the new tool we have updated?

  5. Tunnel .ngrok.io not found

    1. The problem might come from the ngrok server. You should check if it is working perfectly.

  6. you are a simple copy of @perez_mascato, use URLCADIZ V.2

    1. You might be right, but we are a better copy than him. He wrote this tool in Python, which requires pyshorteners to run, but our tool is better than URLCADIZ V2. Yes, that tool inspired us, but we wrote ours in simple bash. So we think "copy" is not the right word.

  7. /maskphish.sh: 4: Bad substitution

  8. I use it with setoolkit but it seems it doesn't gather data, idk why

    1. You should try our weeman tutorial with localhost.run services

    2. Thank you for the response, I'm just stupid and new, I didn't realize I ran ngrok on http and used maskphish with https, that's why it doesn't gather anything. It's all good now. I'm sorry.

