Usage of MaskPhish for attacking targets without prior mutual consent is illegal.
Nowadays most people are smart enough not to get trapped by a plain phishing link, because the link does not look like the original website. For example, a phishing link may look like https://ngrok.io/xxabcd while it opens a page that looks like the Gmail login. People spot the trap, and even a user with minimal tech knowledge will not enter their credentials (username and password). So it becomes tough to phish anyone.
Then what to do? The answer is social engineering. An attacker needs to be skilled enough in social engineering. What is social engineering? In short, social engineering is “bugs in human hardware”. An attacker plays with the victim’s mind and tricks it.
Hiding phishing links in normal-looking, trustworthy links is a big part of social engineering. By using this method the attacker gains the trust of the victim, and the victim treats the phishing link as a normal link, because the domain shown at the start of the link (like Google, YouTube, New York Times, etc.) is considered clean.
To make things easier we’re gonna use a tool that will convert a phishing link to a normal web link like Google or YouTube.
git clone https://github.com/jaykali/maskphish
Then MaskPhish will open the main menu:
Now we need to put our phishing URL here, whatever it is (with http:// or https://).
Then we need to put a trusted URL, whatever can phish the victim’s mind, like https://google.com or https://youtube.com or http://anything.com.
Here we need to use some social engineering words separated with “-”. For example, if the victim is a football fan then we can use something like best-football-skills. Mind that we don’t use any spaces here.
Then we just enter it and we get our MaskPhish link. The URL starts with facebook.com and does not have ngrok in it directly.
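From the defender's side, a link like the one described above can be checked by parsing it and comparing the text a reader sees first with the host the browser actually contacts. This is an added example, not part of MaskPhish or the original page; it assumes the trusted-looking prefix sits in the URL's userinfo part (before an `@`), and the sample links and hosts are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample links; short.example, example.test and intranet.example
# are placeholder hosts, not real indicators.
SAMPLES = [
    "https://google.com-best-football-skills@short.example/abc123",
    "https://www.youtube.com/watch?v=abc",
    "http://facebook.com-free-gift@example.test/x",
    "https://user:pw@intranet.example/report",
]


def inspect_link(url):
    """Return (real_host, reasons); reasons is empty when nothing stands out."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    # Everything before the last '@' in the authority is userinfo, not the host.
    if "@" in parts.netloc:
        userinfo = parts.netloc.rsplit("@", 1)[0]
        user = userinfo.split(":", 1)[0].lower()
        reasons.append("userinfo present before '@'")
        # A dot in the user name makes it read like a domain to a human.
        if "." in user:
            reasons.append(f"userinfo '{user}' looks like a domain, real host is '{host}'")
        # Several hyphen-separated words match the lure pattern described above.
        if user.count("-") >= 2:
            reasons.append("hyphen-separated lure words in userinfo")
    return host, reasons


if __name__ == "__main__":
    for link in SAMPLES:
        real_host, why = inspect_link(link)
        verdict = "SUSPICIOUS" if len(why) > 1 else ("review" if why else "ok")
        print(f"{verdict:10} host={real_host:20} {link}")
        for reason in why:
            print(f"           - {reason}")
```

The same check fits a mail gateway or proxy log pipeline: always display and filter on the parsed host, never on the leading text of the link.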