Best Social Media Phishing Tools

Phishing attacks are some of the fastest-growing forms of cybercrime, and the top targets are social media users. New vulnerabilities are discovered daily on numerous social media platforms, including thousands on Facebook alone. There hasn’t been a complete collection of the most efficient social media phishing tools on the market…until now!

Social media phishing tools include fake accounts and pages that function as an attack vector into your network. To protect against this advanced, stealthy cyber-attack, organizations must better understand these bot networks and know how to detect them.

Instagram phishing

Instagram is a popular photo- and text-sharing platform. Instagrammers worldwide use this platform as sort of a video diary to share everyday activities and moments.

A phishing attack on Instagram begins when a hacker creates a fake Instagram login page. To fool you, these sham pages are crafted to look as much like the real site as possible. When you provide an Instagram user ID and password to the phony page, the attacker captures your credentials. You will usually be redirected to the real Instagram login page for authentication, but the damage has already been done. With your Instagram credentials, the attacker has full access to your account.

If you use those same credentials to log on to other social media sites, or worse yet, your bank account, the attacker will have access to those accounts as well.

After gaining access to your Instagram account, the hacker can spy on you. The hacker can also now pose as the legitimate user and request personal information from your friends and followers. Naturally, the hacker covers any tracks by deleting fraudulent messages.

Taking things to the next level, the attacker can take complete ownership of your Instagram account. The hacker can change your personal information, preferences, and even your password, thus locking you out of your own account.

LinkedIn phishing

LinkedIn is the world’s most-used professional networking platform. Hackers send emails, LinkedIn messages, and links to you to con you into divulging sensitive information, credit card data, personal information, and login credentials. The threat actor could hack into your LinkedIn account to pose as you and send phishing messages to your connections to collect personal data.

The hacker can also send out emails that appear to come directly from LinkedIn. This is possible because LinkedIn itself sends from several legitimate addresses and domains, including linkedin@e.linkedin.com and linkedin@el.linkedin.com, which makes it difficult to keep track of the authentic domains versus the bogus ones an attacker may use.

Facebook phishing

Launched in the early 2000s, and having over 2.9 billion active users worldwide, Facebook is the king of all modern social media platforms. Sites like Friendster and MySpace preceded it, but Facebook has set the blueprint for how people and businesses connect with friends, family, and customers.

A typical Facebook phishing attack is delivered through a message or link that asks you to provide or confirm your personal information. Because it arrives via a Facebook post or through the Facebook Messenger platform, it is often difficult to separate a prospective friend’s legitimate message from a phishing attempt.

The information gathered via a Facebook phishing attempt gives attackers the information they need to gain access to your Facebook account. You could receive a message informing you that there is an issue with your Facebook account and that you need to log in to correct the issue.

These messages have a convenient link to follow that leads to a Facebook lookalike site. Once you land on this imposter website, you are prompted to log in. From there, the hacker is able to harvest your credentials. Pay careful attention to the URL to be certain you are being redirected to www.facebook.com. Anything else is likely to be a fake.

Twitter phishing

While Facebook is marketed as a way to keep in touch with friends and family and LinkedIn is used as an avenue for working professionals to connect, Twitter enables you to interact with people you’ve never met in the real world. This level of comfort users adopt when interacting with strangers has made Twitter a popular platform for phishing attacks.

Hackers operating on Twitter use the same phishing tactics and techniques they use on other social media platforms. A threat actor sends fake messages that claim to come from Twitter. These messages attempt to lure you into divulging sensitive information such as login credentials, personal information, and even credit card data. Twitter has made clear that it only sends emails to users from two domains: @twitter.com or @e.twitter.com.

These phishing attacks can lead to other related attacks, including the “pay for followers” attack. In this variant, you receive messages from hackers claiming to provide you with a specific number of “followers” for the low price of five dollars. Providing your personal information and credit card number opens the door for hackers to withdraw funds from your account and/or to log on to your Twitter account and continue the scam across your list of followers.
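The two defensive checks this article keeps coming back to, an exact match on the login-page host (the Facebook section's "anything other than www.facebook.com is likely a fake") and an exact match on the sender domain (the LinkedIn and Twitter domains quoted above), as an added example that is not part of the original post. The platform-to-host and platform-to-domain tables below are built only from the domains the article names; the sample messages are constructed for illustration.

```python
# Added example (not from the original post): defender-side triage of the two
# phishing signals the article calls out, the landing-page host and the sender
# domain. Exact matching is deliberate: the usual lookalike tricks (extra
# subdomains, userinfo before an "@", Unicode homoglyphs, plain http) all fail it.
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hosts the article states are legitimate login hosts for the platform.
LEGIT_LOGIN_HOSTS = {"facebook": {"www.facebook.com", "facebook.com"}}
# Sender domains the article quotes as the platforms' own.
LEGIT_SENDER_DOMAINS = {
    "twitter": {"twitter.com", "e.twitter.com"},
    "linkedin": {"e.linkedin.com", "el.linkedin.com"},
}


def is_legit_login_url(url: str, platform: str) -> bool:
    """True only if the URL is https and its host is exactly a known host."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host:
        return False
    try:  # homoglyph hosts become xn-- labels and therefore never match
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return host in LEGIT_LOGIN_HOSTS.get(platform, set())


def is_legit_sender(header_from: str, platform: str) -> bool:
    """True only if the From address's domain is one the platform sends from."""
    _, address = parseaddr(header_from)  # ignores the display name entirely
    if address.count("@") != 1:
        return False
    domain = address.rsplit("@", 1)[1].lower()
    return domain in LEGIT_SENDER_DOMAINS.get(platform, set())


def triage(messages):
    """Return the ids of constructed sample messages that fail either check."""
    flagged = []
    for msg in messages:
        sender_ok = is_legit_sender(msg["from"], msg["platform"])
        link_ok = is_legit_login_url(msg["link"], msg["link_platform"])
        if not (sender_ok and link_ok):
            flagged.append(msg["id"])
    return flagged
```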

Top phishing tools

King Phisher

Let’s start with one of the better-known open source phishing campaign tools, one that was included in our post about red team tools. King Phisher is written in Python and, as we mentioned, is a free phishing campaign tool used to simulate real-world phishing attacks and to assess and promote an organization’s cybersecurity and phishing awareness.


Source: https://github.com/rsmusllp/king-phisher

A frequent tool of red team operations, King Phisher allows you to create separate phishing campaigns with different goals, whether for simple phishing awareness or for more complex scenarios such as credential harvesting. Its ability to capture credentials and scale to large numbers of targets is impressive, sometimes reaching 10k targets per campaign. And because King Phisher has no web interface, its server is harder to identify, as is whether it is being used for social engineering; the lack of a web interface also reduces its exposure to web vulnerabilities such as XSS.

Other features include:

  • Graphs of campaign results
  • Embedded images in emails
  • Optional 2FA
  • Templates using Jinja2
  • SMS alerts on campaign status
  • Web page cloning
  • SPF checks
  • Geo location

Gophish

Let’s continue with another tool that has made its way from the red team toolkit: Gophish. An open source phishing simulator written in Go, Gophish helps organizations assess their susceptibility to phishing attacks by simplifying the process of creating, launching and reviewing the results of a campaign.

Gophish can help you create email templates, landing pages and recipient lists, and assists in sending profiles. It then allows you to launch a campaign, and finally, generate and view reports on email opens, link clicks, submitted credentials and more.

This tool is very easy to use, which allows for quick execution; the idea behind Gophish is to be accessible to everyone. It’s free, and releases are provided as compiled binaries with no dependencies.

Main features include:

  • Quick installation
  • REST API
  • Easy-to-use interface
  • Binaries provided for Windows, Mac OSX and Linux
  • Real-time reports

Evilginx2

With conventional phishing techniques, having 2FA enabled on user accounts can mitigate most attacker tactics. This is where Evilginx2 can be quite useful. A successor to Evilginx, Evilginx2 is a bit different from other tools and simulators on this phishing tool list, in the sense that it acts as a man-in-the-middle proxy.


Source: https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/

And how can this help with phishing campaigns? Well, in common phishing scenarios you would serve templates of sign-in page lookalikes, but Evilginx2 works differently. It connects to websites that are protected with 2FA, becoming a web proxy between the phished website and the browser, intercepting every packet, modifying it, and then sending it on to the real website.

Additionally, it captures session token cookies that, if exported to a different browser, can give full authorization to access the user account.

Termux NexPhisher: Advanced Phishing Tool For Termux

NexPhisher is a simple phishing tool for Termux. The phishing pages are taken from Zphisher, so it looks like the Hidden Eye and Zphisher tools. The good thing about this tool is that it is not complex at all: you just select the website and it generates the phishing link for you.

Top 5 Termux Phishing Tools Working in 2021 🔥

NexPhisher is the best phishing tool that I have seen so far. It offers you all the things that you need in a basic phishing tool, it is simple and does not ask you for confirmation or anything, and you don’t have to put an ngrok token here, so you can install it any time you want and use it directly.

Termux Zphisher: Advanced Phishing Tool For Termux

Termux Zphisher is an advanced phishing tool that allows hackers to perform phishing attacks using Termux on their Android phones. This tool is very similar to the Hidden Eye tool and also has some features of the ADV Phishing tool. It has 30 phishing pages, including Facebook, Instagram, Google, Microsoft, Netflix, Twitter, GitHub, LinkedIn, Snapchat, Pinterest, Twitch, Spotify, Adobe, WordPress, Yahoo, crypto coin, Xbox and the other most-used websites.


Zphisher is a great phishing tool and it is updated very frequently. This tool has almost thirty websites and also has different variants for some of the popular websites, like Facebook and Instagram.

Conclusion

Social media phishing tools provide users with all the elements needed to create a high-quality, customized social media phishing attack of their own. The source code of the phishing attack is also included, allowing the user to change it at their discretion. The toolkit can be used in conjunction with any web-hosting service that provides PHP support, and has been successfully tested on Webhosting Hub’s cloud VPS hosting platform.
