Create A Facebook phishing page

In this tutorial, I’ll show you how to create a Facebook phishing page to intercept usernames and passwords that can be used to hack other users’ Facebook accounts.

However, this knowledge should never be used to hack someone else’s Facebook account. It is illegal; in Germany it violates § 202c of the Criminal Code (StGB).

Please also read the disclaimer.

But for aspiring and ethical hackers, it’s very valuable to understand how phishing works. Not only does it help prevent bugs that threaten your safety and privacy, it also helps you spot phishing sites.


What is phishing?

Phishing means intercepting user data such as username and password with a fake website. The fake phishing website is basically an imitation of the original website, like Facebook here. Attackers often use this method to steal usernames and passwords. Most often, the process works as follows:

A user clicks on a link to a phishing website. Believing that he is on the real website, he enters his credentials. There’s only one problem: the victim has entered his private information on the attacker’s website. And now the attacker has the sensitive access data!

For example, if it is a company’s Facebook profile, it can hurt the company significantly. In this tutorial, I’ll set up a fake Facebook login page to show you how easy it is to run a phishing attack.


Create a Facebook phishing page – Tutorial

Required equipment

Step 1

Open the website

Step 2

Then right-click an empty area of the login page. You must not be logged in to Facebook at this point. Open the “Show page source text” feature (Google Chrome browser).

Step 3

Copy the entire source code of the page and paste it into a new Notepad document (or in the plain text editor of your operating system).

Step 4

If you are using Notepad, press “Ctrl F” and look for “Action =“.
You should see a line that looks like this:
action = “”
Delete everything inside the quotes and paste “post.php” instead.
Save this file to your computer with the filename index.htm.

Step 5

Next, create a new Notepad document called post.php. Copy the following code and paste it into the document. Then the document can be saved.

header (‘Location:’);
$handle = fopen(“usernames.txt”, “a”);
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, “=”);
fwrite($handle, $value);
fwrite($handle, “rn”);
fwrite($handle, “rn”);

Step 6

At this point you should now have saved two files:
index.htm and post.php

Next, this code would need to be uploaded to a web hosting service. There are free hosting providers, but I would not recommend that you actually publish this code online. From then on, you would be committing a crime, because once the phishing site is online, it can be accessed by any Internet user. Even preparing to spy on or intercept data is punishable!
Therefore, I refer here once again to the disclaimer.

Step 7

After the files index.htm and post.php have been uploaded, the Facebook phishing page is ready.
If you now click on the link to the index.htm file, the created Facebook phishing page will open. This should look almost identical to the Facebook login page. If a victim now enters his user data, a text file named usernames.txt is automatically generated on the web server. This file now contains the sensitive user data of the victim.
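
Seen from the defender's side, the page described in the steps above has a recognizable shape: a Facebook-titled page whose password form submits to a host other than facebook.com. The following Python check is an added example, not code from this tutorial; the function names, the allowed-domain list, the `lab.example` host and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BRAND = "facebook"                  # keyword looked for in the page <title>
BRAND_DOMAINS = ("facebook.com",)   # assumption: hosts allowed to receive the login

# Constructed sample: a cloned login page whose form posts to a local handler.
SAMPLE = ('<html><head><title>Facebook - Log In</title></head><body>'
          '<form action="post.php" method="post"><input name="email">'
          '<input type="password" name="pass"></form></body></html>')

class LoginForms(HTMLParser):
    """Collect the title and the action of every form holding a password field."""
    def __init__(self):
        super().__init__()
        self.title, self.actions = "", []
        self.in_title, self.action = False, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self.in_title = True
        elif tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self.action is not None and self.action not in self.actions:
                self.actions.append(self.action)

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
        elif tag == "form":
            self.action = None

    def handle_data(self, data):
        if self.in_title:
            self.title += data

def is_brand_host(host):
    """True only for the brand domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def check_page(html, page_url):
    """Return form targets that collect a password for BRAND on a foreign host."""
    p = LoginForms()
    p.feed(html)
    if BRAND not in p.title.lower():
        return []
    targets = [urljoin(page_url, act) for act in p.actions]
    return [t for t in targets if not is_brand_host(urlparse(t).hostname)]
```

A mail gateway or proxy can run such a check on pages reached from links in messages; a non-empty result means the password would be sent somewhere other than the brand's own domain.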



Creating a Facebook phishing site is really easy: copy the code from the Facebook login screen, add some PHP code and make it available online. Please do not do this on a publicly accessible web server; the criminal consequences could be terrible for you. However, in a home environment on your own offline server, this tutorial will give you a good idea of how attackers can access usernames and passwords.

Of course, a Facebook account can also be hacked with a software or hardware keylogger. A tutorial on the AirDrive Hardware Keylogger can be found here – AirDrive Hardware Keylogger with Wi-Fi