The Web Jacking Attack Vector is another phishing technique that can be used in social engineering engagements.Attackers that are using this method are creating a fake website and when the victim opens the link a page appears with the message that the website has moved and they need to click another link.If the victim clicks the link that looks real he will redirected to a fake page.

The social engineering toolkit has already import this kind of attack.So we are going to use the SET in order to implement this method.We are opening SET and we select the option 2 which is the Website Attack Vectors.

Website Attack Vectors


We will see a list with the available web attack methods.The attack that we are going to use is of course the Web Jacking Attack so we select option number 6.

Web Jacking Attack Method


In the next menu we have 3 options:

  • Web Templates
  • Site Cloner
  • Custom Import

We will select the site cloner in order to clone the website of our interest.Remember that this type of attack works with the credential harvester method so we need to choose a website that it has username and password fields in order the attack to have success.For this scenario as you can see in the image below we have select to clone Facebook because of its popularity.

Cloning Facebook


Now it is time to send our the link with our IP address to the victim.Lets see what the victim will see if he opens the link.

Message after opening the link


As you can see a message will appear informing the user that the website has moved to a new location.The link on the message seems valid so any unsuspicious users will click on the link.At that time a new page will load into the victim’s browser which it will be fake and is running on our web server.

Fake Facebook Page


If the victim enters his credentials into the fake Facebook page that looks like the real one then we will be able to capture his username and password.The next image is showing that:

Capturing the Credentials



The purpose of this attack is to try to harvest the credentials of users by using a webpage with a valid link which when someone opens that link a new fake page is loading.It is a quite interesting technique that tries to trick the user to believe that the webpage is real because the link is valid.Users must be aware of this type of attack especially when they are visiting a webpage that contains similar messages about websites or objects that have moved to new locations.

From the other hand as a social engineer you will need to create your scenario about the engagement and how you are going to deliver the link to the users and which website you are going to use.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s