Maskphish | Mask Phishing URL

Nowadays people are smart enough. They don't get trapped under phishing. Because the link does not look like the original website. For an example a phishing link may be like, https://ngrok.io/xxxxxxx but it opens pages like Gmail Login. People got the trap and a user with minimum tech knowledge will not put the credentials(Username & Password). So it becomes tough to phish anyone.

Then what to do ? The answer is Social engineering. An attacker needs to be skilled enough in social engineering. What is Social Engineering ? In short,social engineering is "bugs in human hardware". An attacker plays with victim's mind and trick it.

Hiding phishing links in normal looking trust-able links is a bigger part of social engineering. By using this method the attacker owns the trust of the victim, and the victim treats the phishing link as a normal link. Because the top-level domain (like Google, YouTube, New York Times, etc) is considered clean.

To make things easier we're gonna use a tool that will convert a phishing link to a normal web link like Google or YouTube.

It is a small & simple tool written in bash, named "MaskPhish".

To install maskphish, copy and paste it in Termux

First we have to clone it - type

git clone https://github.com/jaykali/maskphish

After this command this tool will be downloaded, as shown in the following screenshot:

Now we just need to navigate in to maskphish directory by simply using cd command:

cd maskphish

Now run MaskPhish by using following command:

bash maskphish.sh

Then MaskPhish will open the main menu in front of us just like the screenshot:

Now we need to put our phishing URL here whatever it is(with http:// or https://).

Then We need to put a trusted URL, whatever can phish victim's mind like https://google.com or https://youtube.com or http://anything.com. As we did in the following screenshot:

Here we need to use some social engineering words separated with "-" for an example if the victim is a football fan then we can use something like best-footaball-skills mind that here we don't use any space.

Then we just enter it and we got our MaskPhish link. We got our URL started with facebook.com and the URL doesn't have ngrok in URL directly.

Let's open this trusted looking URL(also contains special juicy words for target) on our browser are we reached to our destination ngrok (example phishing url).

Oh crap, we got a "Warning!".

The warning comes from browser's security functions. Every method have own limitations. But in mobile browsers it did not show this warning, it works like magic.

 

Anyway after click on "Yes" we reached to our phishing website.

This is an example Phishing link, for educational purpose

It is a fact that attackers can gain victim's trust by this kind of URL and many people don't check the warnings and click on "Yes".

 

When our target is on a Android mobile then the Warning will not come.

In our opinion this is a really good thing for Social Engineering Attacks. Using this attacker's success rate will increase, and the attacker earns the trust of the victim by showing off the URL.


Another technique is Google search's redirect method.
This is also super easy the attacker can redirect any URL on Google search as following:

https://www[dot]google[dot]com/url?q=https://www.phishingurl.link

Replace the [dot]s with . and try on browser.

These are the clever ways to used by attackers in phishing attack. But there are more methods (like homograph) to mask a phishing URL on the Internet. To be safe from these we should not click on any 3rd party link even it looks like trusted.

Warning⚠️

This tutorial is for educational and research purposes only. Hacking or Phishing is a serious crime. If anyone does any illegal activity then we are not responsible for that.

Liked our tutorial then don't forget to follow us on Instagram and Blog, we post update about our articles there. For any questions please join our Telegram Group