Tutorial - Lockphish V2.0 PIN phishing attack


Ethical hacking

Reviewer: Deepak Prasad

Many devices use a PIN to protect the privacy of their users. In this guide, we will use the lockphish tool to phish for PIN locks on different target operating systems. Lockphish is the first tool which uses an HTTPS link to phish unlock credentials on different operating systems, i.e. Android, Windows and iPhone. Ngrok tunneling is used to deliver the attack to the victim and to deliver the captured credentials back. Lockphish also automatically captures the IP address of the victim.

Some of the key features of lockphish include:

  • Automatic device recognition – lockphish automatically detects the target device and serves the matching PIN request page. The user launching the attack is not required to choose the operating system of the target’s device.
  • IP tracker – lockphish captures the target’s IP address, which is vital for further information gathering against the target.
  • Uses Ngrok to port forward and allow the attack over the internet – Ngrok allows us to launch attacks against the target over the internet and also delivers back the captured credentials.
  • Ready-made phishing pages – lockphish ships with ready-made phishing pages for the Android, iPhone and Windows lock screens.

NOTE:
This guide has been made for educational purposes only. The authors will not be held responsible for any damages. In this guide, we will be launching attacks on all the mentioned devices, i.e. Android and Windows devices.

Pre-requisites

  • Have a running instance of Linux.
  • Knowledge of using the terminal.
  • An active internet connection.

 

Step 1: Installing lockphish

To avoid errors while installing lockphish, we will first update the package lists on the running instance using the command below.

sudo apt-get update

After the update is complete, we download the lockphish tool from its official GitHub repository. We can either download the tool as a zip file or clone it from GitHub using the command below.

git clone https://github.com/jaykali/lockphish.git

Step 2: Running lockphish

If you downloaded the zip file, you first need to extract the files using the command below.

unzip lockphish.zip

After unzipping, we move into the directory so that we can launch our PIN phishing attack.

cd lockphish

To run lockphish, we first need to give the lockphish.sh file execute permission. We will use the command below.

sudo chmod +x lockphish.sh

We can now generate our attack link by running the file using the command below.

./lockphish.sh

Before launching an attack, you are required to specify the link to which the victim will be redirected after providing the attacker with the PIN to their device. In our case, we will use the default redirect page, so we just press Enter to generate the phishing link. Lockphish will first download Ngrok if it is not installed and then automatically launch the attack. A phishing link to send to the target will be provided.

In our case, the phishing link was not displayed on the terminal. We had to open the Ngrok web page on “localhost:4040” to get our phishing link, as shown in the image below.

Step 3: Sending phishing link to the victim

Now we have to send the phishing link to the target, and we need to employ some social engineering tactics to lure our victims into clicking it. Once the user clicks on the link, he/she will be taken to a page where he/she will be asked to click in order to view the YouTube video. When the link is opened, a lock screen matching the device appears, requiring the user to provide his/her PIN. An extra step is included at the end of this guide on how to send the phishing link to our targets using an email.

Lockphish page on an Android device.

Lockphish page on a Windows device.

Step 4: Getting the captured PIN

After the PIN has been provided by the victim, we are able to view it in our lockphish terminal. Lockphish will capture the user credentials such as the PIN, the operating system of the target and the target’s IP address. A hacker is now able to use the PIN code he/she acquired using lockphish. An example of the captured credentials is shown in the image below.

Extra step: Sending phishing email using social engineering

In this extra step, we will learn how to use a free online email service to send a phishing email to our target. We will embed the phishing link we generated in an email that we send to the victim. As we learned earlier, emails can easily be spoofed to look like they come from a legitimate source. In this step, we will use a free tool (emkei.cz) available online to send the email. We open the web page, and everything required is on the home page, as shown below.

NOTE:
Even though emkei.cz is a free tool available online, phishing is illegal in many countries around the world and it is an offense which is punishable by law.

The user received the email in his spam folder, as shown in the screenshot below. Once the user clicks on the link, he/she will be redirected to the PIN phishing page. As you can see, the email has already been flagged as spam since it contains the malicious link and has been sent from a spoofed email address.

Conclusion

Lockphish, being the first tool able to phish for user PIN codes and passwords over HTTPS, is a must-have tool for anyone in, or planning to pursue, a profession within the field of computer security. It also opens a new field of study for security researchers.

Device owners should also be aware of this kind of attack so that they can detect phishing attempts on their devices, since these attacks are very hard to detect, especially for those who have no prior training on phishing and social engineering. These attacks would be disastrous, especially where the attacker targets a large group of people. It is always advisable to report phishing attempts to law enforcement agencies so as to promote attack awareness among citizens.
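
For defenders, the delivery path described in this guide (an Ngrok tunnel link sent in a spoofed email) leaves two signals that can be checked at the mail gateway. The Python sketch below is an added example, not part of lockphish or of the original article: it flags links whose host is an ngrok tunnel domain and reports SPF/DKIM/DMARC results that did not pass. The suffix list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: public ngrok tunnel suffixes; maintain this list for your environment.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "ngrok.app", "ngrok.dev")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def tunnel_urls(text):
    """Return URLs whose host is a tunnel suffix or a subdomain of one."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
        if any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES):
            hits.append(url)
    return hits

def auth_failures(msg):
    """Return mechanisms in Authentication-Results whose result is not 'pass'."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return [m for m in ("spf", "dkim", "dmarc")
            if re.search(rf"\b{m}=(?!pass)\w+", results)]

def body_text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw):
    """Summarise both signals for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    urls, failed = tunnel_urls(body_text(msg)), auth_failures(msg)
    return {"tunnel_urls": urls, "auth_failures": failed,
            "quarantine": bool(urls) and bool(failed)}

# Constructed sample message (not captured traffic).
SAMPLE = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.com; dkim=none
From: "Video Team" <noreply@example.com>
To: user@example.org
Subject: Watch this video
Content-Type: text/plain; charset=utf-8

Watch here: https://constructed-example.ngrok.io/watch?v=1
Docs: https://www.example.org/ngrok.io
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The host is matched by suffix rather than by substring, so the second link in the sample (which only mentions ngrok.io in its path) is not flagged. Tunnel links also appear in legitimate developer traffic, which is why `quarantine` is set only when both signals agree.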

 

Kennedy Muthii

He is an accomplished professional proficient in Python, ethical hacking, Linux, cybersecurity, and OSINT. With a track record including winning a national cybersecurity contest, launching a startup in Kenya, and holding a degree in information science, he is currently engaged in cutting-edge research in ethical hacking. You can connect with him on his LinkedIn profile.