Using HTML5 fullscreen for Facebook password phishing

A year ago I tried my hand at social engineering and phishing techniques.

Now I have finally found the time to rework my code and put it on GitHub:

https://github.com/jaylinski/osprey

The first – and only – module uses the HTML5 Fullscreen API to spoof the address bar and make the user believe they are on Facebook.

I researched other HTML5 fullscreen phishing attacks and found a similar approach:

http://feross.org/html5-fullscreen-api-attack/

The advantages of my version are:

  • If the user detects the fraud and tries to close fullscreen, the screen goes back to the original site.
  • Custom "fullscreen UI", no need for OS-specific graphics.

But the current state of Osprey still lacks some useful features:

  • Detect whether the user is logged into Facebook; if not, do not start the attack.
  • Make a custom UI for Firefox and other popular browsers.
  • Check whether the attack works on mobile devices.

By implementing these features, the phishing success could be increased.
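On the defending side, the spoofed address bar only exists while the page is in fullscreen, so a browser-side guard can leave fullscreen as soon as fullscreen content asks for a password. The following is an added example, not code from Osprey; it is meant as an extension content script or userscript, and the function names and the "exit on any password field" policy are assumptions of this sketch.

```javascript
// Added defensive example (not part of Osprey). Function names are
// hypothetical; the policy "no password entry in fullscreen" is an assumption.

const PASSWORD_SELECTOR = 'input[type="password"]';

// True when the current fullscreen subtree contains a password field.
function fullscreenHasPasswordField(doc) {
  const root = doc.fullscreenElement; // null when the page is not in fullscreen
  if (!root) return false;
  return root.matches(PASSWORD_SELECTOR) ||
         root.querySelector(PASSWORD_SELECTOR) !== null;
}

// Called on every relevant event. Returns "exit" when it left fullscreen,
// "none" when nothing had to be done.
function enforceNoPasswordInFullscreen(doc) {
  if (!fullscreenHasPasswordField(doc)) return "none";
  // Leaving fullscreen restores the real browser chrome, including the
  // genuine address bar, so the user can see which site they are on.
  const p = doc.exitFullscreen();
  if (p && typeof p.catch === "function") p.catch(() => {});
  return "exit";
}

function installGuard(doc) {
  // Page just entered (or left) fullscreen.
  doc.addEventListener("fullscreenchange",
    () => enforceNoPasswordInFullscreen(doc));
  // A password field may be injected after fullscreen was entered,
  // so check again when the user focuses any input.
  doc.addEventListener("focusin", (e) => {
    if (e.target && e.target.type === "password") {
      enforceNoPasswordInFullscreen(doc);
    }
  });
}

// Only install when running inside a browser page.
if (typeof document !== "undefined") installGuard(document);
```

The check only sees fields in the guarded document itself; a login form inside a cross-origin iframe needs the script to run in that frame as well.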

 

Disclaimer

Since stealing digital data is illegal in almost all countries, using this software on real people may lead to arrest!

DO NOT use this code for fraud!
