This is a proof-of-concept of an advanced phishing attack.
Demo site - https://openworldoperations.github.io/FISHY/
It works by creating a fake browser window and inserting a phishing page into the fake window. In order for the attacker to set valid domain and SSL certificate. In order to deceive the victim into not being able to distinguish the difference.
The only way the victim could notice the attack, is if the victim tried to drag the phishing site window outside of their current browser.
You could further improve on this implementation and allow them to inspect the SSL certificate and input a valid certificate.
Be careful of what you think is a legitimate site! Sometimes the human eye can never tell.
- Loading/busy cursor before appearing, giving the effect their computer is loading the browser. Using system resources.
- SSL text isn't usually green like the this anymore. However, the brain correlates to: Green = "Go".
- Browser can be closed using caption buttons.
- Can be used with a reverse proxy server in order to phish your victims (in order to bypass 2FA).
- Fix caption buttons (alignment).
- Create the option to view the SSL certificate.
- Make the SSL icon the new icon.
- Tiny pixel changes because if I can notice something off, I will never let it go.
Warning: Only use this software according to your current legislation. Misuse of this software can raise legal and ethical issues which I don't support nor can be held responsible for.