22/08/2020
Social media accounts are a favorite target for hackers, and the most effective tactics for attacking accounts on websites like Facebook ,
Instagram , and Twitter are often based on phishing. These password-stealing attacks rely on tricking users into entering their passwords into a convincing fake webpage, and they have become increasingly easy to make thanks to tools like BlackEye.
BlackEye is a tool to rapidly generate phishing pages that target social media websites, making it much easier to phish targets of opportunity on the same network. After redirecting a target to the phishing page, it's easy to capture passwords to social media accounts harvested from unwitting targets.
Users place a lot of trust in their social media accounts. If the target doesn't have 2FA enabled, the ease with which an attacker can access them may be surprising. A single mistake typing a password into the wrong website can be all it takes to lose access to your account. BlackEye is a proof of concept that shows how these phishing pages don't need to be sophisticated or customized to work effectively.
Don't Miss: Track a Target Using Canary Token Tracking Links
BlackEye is a straightforward bash script that presents several templates to pick from, allowing you to select which social media website to emulate. From there, it creates a functional phishing site on your device, with the ability to be port forwarded or connected in other ways to your target's machine.
BlackEye supports 32 different websites with phishing templates, but these range in quality. It's best to test them out before deploying them because some suffer from flaws that could give them away if a user is paying attention. While the default phishing pages provided with BlackEye are pretty good, it's always useful to be able to modify them. That way, you can remove things like a copyright notice from the wrong year.
Among the more interesting websites that BlackEye supports are Protonmail, Github, Gitlab, Adobe, Verizon,
Send a message to learn more
