navneeth31/phishing-attack-demo
ZPhishier – Social Media Phishing Simulation


Summary

ZPhishier is an educational phishing-simulation project built with ZPhisher on Kali Linux, running in a local VM environment. It automates the creation of cloned social-media login pages, demonstrating how easily credentials can be harvested from unsuspecting users. This documentation covers objectives, setup, execution details, results, and recommended best practices for security awareness and prevention.


Objective

  • To illustrate phishing mechanics ethically for security awareness and training.
  • To demonstrate capture of credentials via cloned login pages.

Scope

  • Simulation only (no real targets).
  • Local-only deployment (VM).
  • Focused on social-media site templates.

Legal & Ethical Disclaimer

Important: This tool is strictly for educational and awareness purposes. Unauthorized phishing, against real users or networks, is illegal and unethical. Always obtain explicit, written permission before any penetration testing or phishing simulation.


Attack Overview

Phishing Type

Cloning of popular social media login pages (e.g., Facebook, Instagram) to harvest credentials.

Delivery Method

Links are generated and tested locally; no external distribution in this demo.

Target Audience

General public (demonstration only on the attacker’s own machine).


Tools & Environment

  • ZPhisher: automated open-source phishing tool with 30+ templates.
  • Operating System: Kali Linux (inside a virtual machine).
  • Environment: Local VM (no public hosting).

Setup & Configuration

  1. VM Preparation
    1. Spin up a Kali Linux VM (VirtualBox/VMware).
    2. Ensure Internet access within VM for installing dependencies.
  2. Install ZPhisher
  3. Launch ZPhisher

```bash
cd zphisher
bash ./zphisher.sh
```

  4. Choose the social-media template.

  5. Select “Localhost” or “Cloudflared/LocalXpose” (for local demos, localhost is sufficient).

Execution Steps

  1. Generate Phishing Link
    1. ZPhisher displays a URL (e.g., http://localhost:8080/facebook).
  2. Simulate User Interaction
    1. Open the link in a browser tab.
    2. Enter any credentials (email/username + password).
  3. Credential Capture
    1. ZPhisher logs the credentials in the terminal and saves them to the logs/ directory.

Results & Analysis

  • Captured Data
    • Plaintext usernames/passwords are printed in the terminal and stored on disk.
  • Security Triggers
    • No automated detection fires in this local setup. In a real deployment, browser safe-browsing lists, mail-gateway anti-phishing filters and URL-reputation services would likely flag or block such a link, and the absence of HTTPS plus a non-standard port would be visible warning signs to a trained user.

Mitigation & Recommendations

“Do not click on suspicious, catchy messages from unknown sources.”

  1. User Training
    1. Run regular phishing-awareness programs that include simulated phishing tests.
    2. Teach employees to verify links and check sender domains before interacting with a message.
  2. Incident Response
    1. Establish clear reporting channels for suspected phishing (e.g., a “Report Phish” button).
    2. Conduct follow-up training for any user who clicks or submits credentials.
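The link and sender-domain checks the training items above ask users to perform by eye can be partly automated, and doing so makes the tells of a cloned login page concrete. The script below is an added example written for this page; it is not part of ZPhisher or this repository. The brand-to-domain table, the tunnel-service suffixes (trycloudflare.com for Cloudflared quick tunnels, loclx.io for LocalXpose) and the two-label approximation of a registrable domain are assumptions made for the demo. Run against the demo link from the Execution Steps (http://localhost:8080/facebook) it flags plain HTTP, a local host name, a non-standard port and a brand name that the registrable domain does not own; it also flags a From: header whose display name borrows a brand its address domain does not belong to.

```python
"""Heuristic checks for phishing-style links and sender addresses.

Added example for this page; not part of ZPhisher or this repository.
"""
import ipaddress
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brand keyword -> registrable domains allowed to carry that brand.
KNOWN_BRANDS = {
    "facebook": {"facebook.com"},
    "instagram": {"instagram.com"},
}

# Assumption: suffixes of tunnelling services ZPhisher can publish a local page
# through (Cloudflared quick tunnels, LocalXpose). Real login pages are never
# served from these.
TUNNEL_SUFFIXES = ("trycloudflare.com", "loclx.io")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.

    A production checker would consult the Public Suffix List so that hosts
    under e.g. co.uk are handled correctly; two labels are enough for the demo.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def check_link(url: str) -> list[str]:
    """Return human-readable reasons a link looks like phishing.

    An empty list means no heuristic fired, not that the link is safe.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []

    if parsed.scheme != "https":
        findings.append("link is not HTTPS")
    if "@" in parsed.netloc:
        findings.append("userinfo before the host (user@host trick)")
    if host == "localhost" or host.endswith(".local"):
        findings.append("host is a local machine name")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    if parsed.port not in (None, 80, 443):
        findings.append(f"non-standard port {parsed.port}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) label, possible homoglyph")
    if host.endswith(TUNNEL_SUFFIXES):
        findings.append(f"served through a tunnelling service ({reg})")

    # The core cloned-page tell: a brand appears in the URL, but the part of
    # the host that would actually have to own the brand is something else.
    searchable = f"{host}{parsed.path}".lower()
    for brand, legit_domains in KNOWN_BRANDS.items():
        if brand in searchable and reg not in legit_domains:
            findings.append(f"mentions {brand!r} but registrable domain is {reg!r}")
    return findings


def check_sender(from_header: str, expected_domains: set[str]) -> list[str]:
    """Flag a From: header whose display name borrows a brand its address does not own."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reg = registrable_domain(domain) if domain else ""
    findings = []
    if not domain:
        findings.append("no parseable address domain")
    elif reg not in expected_domains:
        findings.append(f"sender domain {domain!r} is not an expected domain")
    for brand, legit_domains in KNOWN_BRANDS.items():
        if brand in display.lower() and reg not in legit_domains:
            findings.append(f"display name claims {brand!r} but address domain is {domain!r}")
    return findings


def is_suspicious(url: str) -> bool:
    return bool(check_link(url))


if __name__ == "__main__":
    # Constructed sample inputs: the demo link from this page, a lookalike, a real one.
    for sample in ("http://localhost:8080/facebook",
                   "https://facebook.com.login-verify.example/",
                   "https://www.facebook.com/login"):
        print(sample, "->", check_link(sample) or ["no heuristic fired"])
    print(check_sender("Facebook Security <alerts@fb-security-team.example>", {"facebook.com"}))
```

The brand-versus-registrable-domain rule is the one that matters most for cloned pages: the page's own demo link carries "facebook" only in its path, and a public deployment would carry it in a subdomain or path under some unrelated registrable domain. Everything else (HTTP, odd port, tunnel suffix) is supporting evidence that a trained user can also verify by looking at the address bar.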

About

Educational phishing simulation using ZPhisher on Kali Linux to demonstrate credential harvesting techniques.
