In this tutorial we’re going to learn how to write a good example of a phishing email in order to obtain sensitive credentials from the victim.
We start with the Social Engineering Toolkit (SET), which is built into Kali Linux by default, to send the email to the victim, and then use the BlackEye tool, which creates the link embedded in the phishing email and waits for the victim to open it and follow the steps in the email, in order to capture their information.
Let’s first download the BlackEye tool from here and then run it with “./blackeye.sh”:
In this case, I’m going with LinkedIn number 9:
It started ngrok and gave us a link to send to the victim in the phishing email we’re going to write.
Now let’s start with Social Engineering ToolKit by running “setoolkit”:
From the main menu choose number 1 for Social-Engineering Attacks:
In this menu choose number 5 for “Mass Mailer Attack”:
We’re presented with two choices: either send a single email (number 1) or send mass emails (number 2). In our case we’re going to choose number 1 to send only one email:
Then choose number 1 to use your Gmail account:
On this screen, after you enter your email address, you need to choose a sender name; I used “LinkedIn”, then answered no to attaching any files:
Now enter a subject for the email, “Account Activity”, and send the email as plain text; then start writing the email body and type END when you finish:
The email was successfully sent to the victim; now let’s take a look at how the email looks when it’s received on the victim’s phone:
As soon as the victim enters their login information, BlackEye captures it:
We got the victim’s email address and password as they tried to log in to the fake LinkedIn site that was created with the BlackEye tool.
Now, there are some things to keep in mind. First, you need to enable “Less Secure App Access” in your Gmail account:
This allows you to send emails from your email account via the terminal, as we did.
The second thing to keep in mind is that the email you send sometimes goes straight to the Junk or Spam folder rather than the Inbox; I made several attempts and 1 out of 3 went to the inbox.
So you need to send the email a couple of times until it reaches the Inbox.
One more thing: try to hide the ngrok link with bitly.com or any other link-shortening site; this is what I normally do.
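The three tells this tutorial relies on (a brand name as the sender display name on a free-mail address, a tunnelling-service URL, and that URL hidden behind a shortener) are exactly what a mail filter or analyst looks for. The following is an added example, not code from the original post or from the SET or BlackEye projects, that scans a received message for those tells. The sample email, the shortener and free-mail domain lists and the ngrok host suffixes are constructed assumptions for illustration, not an exhaustive threat feed.

```python
"""Added example (not part of the original post): flag lure characteristics
in a received email -- a brand display name on a free-mail sender, links to
URL shorteners, links to tunnelling-service hosts such as ngrok, and link
text that names a different host than the href points to."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative lists (assumption for this example, not a complete feed).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl"}
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text):
    """Return the list of flags for one link; an empty list means nothing odd."""
    flags = []
    host = (urlparse(href).hostname or "").lower()
    if host in SHORTENER_HOSTS:
        flags.append("shortener")          # destination hidden behind a redirect
    if host.endswith(TUNNEL_SUFFIXES):
        flags.append("tunnel")             # throwaway tunnelling-service host
    # Visible text that looks like a URL (contains a dot) but names another host.
    if "." in text:
        shown = text if "://" in text else "http://" + text
        text_host = (urlparse(shown).hostname or "").lower()
        if text_host and text_host != host:
            flags.append("display_mismatch")
    return flags


def scan_message(raw):
    """Parse a raw RFC 5322 message (bytes) and return sender and link findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"sender": [], "links": []}

    # Sender: a brand in the display name while the address is free-mail.
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if name and domain in FREEMAIL_DOMAINS and name.lower() not in domain:
        result["sender"].append("brand_name_from_freemail")

    # Body: pull links out of HTML, or bare URLs out of plain text.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(content)
        pairs = extractor.links
    else:
        pairs = [(u, u) for u in re.findall(r"https?://\S+", content)]

    for href, text in pairs:
        result["links"].append({"href": href, "text": text,
                                "flags": classify_link(href, text)})
    return result


def is_suspicious(result):
    """True if any sender or link finding was raised."""
    return bool(result["sender"]) or any(l["flags"] for l in result["links"])


# Constructed sample message mirroring the tutorial's setup: display name
# "LinkedIn" on a Gmail address, a shortened link and a raw ngrok link.
SAMPLE_EMAIL = b"""From: LinkedIn <someone@gmail.com>
To: recipient@example.com
Subject: Account Activity
Content-Type: text/html; charset=utf-8

<html><body>
<p>Account activity: <a href="https://bit.ly/EXAMPLE">Review</a></p>
<p>Or use <a href="https://abcd1234.ngrok.io/login">linkedin.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    report = scan_message(SAMPLE_EMAIL)
    print("suspicious:", is_suspicious(report))
    for link in report["links"]:
        print(link["href"], "->", link["flags"])
```

Run against the constructed sample, the sender check fires and both links are flagged (shortener; tunnel plus a display/href mismatch). The same `scan_message` can be pointed at any `.eml` file read as bytes; the `display_mismatch` check only triggers when the visible text itself looks like a URL, so ordinary link text such as "Review" is not reported.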