To carry out this phishing attack, the first thing we have to do is to obtain a domain with a name similar to the one we want to impersonate. In this case, I have chosen the domain linkedln.com (note that there is an L instead of the second i in Linkedin).
Attackers often use a subtle difference like this in the name to fool clueless users who don’t do a thorough check of the domain name.
Secondly, we need to enable HTTPS on our fake domain. All browsers today will display a warning to the user if a page requests access over HTTP. Also, many users make the association HTTP -> not secure, HTTPS -> secure. Therefore, having HTTPS in our fake domain will allow us to gain a little more trust from the victim.
We must remember that HTTPS simply means that communications between client and server are secure, as they are encrypted. But if the server is controlled by the attacker, you are simply giving them your data… securely.
To get your domain to have HTTPS, you need to verify it with a Certificate Authority, which certifies that you are who you say you are and gives you the SSL/TLS certificate. This used to be a long and expensive process, but Google has had its own Certificate Authority, Let’s Encrypt, for years, which is completely free, so anyone can get HTTPS on their website.
Hi, I’m trying to use this and getting shut down.
The page I generated is showing the “One more step
Please complete the security check to access” page
with “This web property is not accessible via this address.” in place of the captcha
Do you know why this would happen?
Thank you!
What kind of domain are you using to generate the fake website? If you are using your localhost, probably you are having issues with the certificate, you need to generate your own certificate. Check the videos of official github website, I hope it can help you > https://github.com/kgretzky/evilginx2
Cheers