cryptedhood
Newbie
- Joined
- 04.03.25
- Messages
- 1
- Reaction score
- 0
thanks buddy
Fraud Daddy you the goat for this one !!!!View attachment 159
Create Any Scampage/Phisher From Scratch (+ Your Own Telegram Bot)
View attachment 160
One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageâvictims will smell the bullshit from a mile away and wont input jack shit.
Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.
Anatomy of a Phisher
Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsâthink of it like a digital mullet: business in the front party in the back.
Frontend (The Pretty Face):
This is what your marks actually seeâthe login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.
Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.
The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsâdifferent banks email providers whateverâall feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.
Crafting the Frontend
Time to get our hands dirty and build the pretty faceâthe frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantâbanks e-commerce you name it.
Step 1: Stealing CapitalOne Face
Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageâHTML CSS images the whole damn enchiladaâinto one tidy HTML file. Its like ripping off a band-aid but for websites.
Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.
Step 3: Rename and Save
Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopâunless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.
Step 4: Quick n Dirty Edit (For Now)
Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.
Pop it open in your browser firstâdoes it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.
Now for a quick test setup. Head to webhook.site and grab a webhook URLâthisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.
Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.
Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.
Setting up the Backend
Now for the brains of the operationâthe backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)
Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingâthe backend and the frontend. You need to set it up before you can start cooking. So get to it.
Step 2: Set Up Your Telegram Bot
First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitâyoull need it.
Now for your chat ID. Heres how to get it:
To verify everythings working:
- Search for your new bot in Telegram and send it a message (just "/start" works)
- Take your bot token and plug it into this URL:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
(Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)- Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
- Try sending a test message by visiting:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`- Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.
Step 3: Cloudflare Worker Time
View attachment 169
Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicâwere not writing a novel here. Paste the following code into your Worker:
*** Hidden text: cannot be quoted. ***
Step 4: Test Your Cloudflare Worker
Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").
Once thats done test the full flow:
If everything is set up correctly you should receive a Telegram message with those test credentials.
- Open your scampage with Chrome
- Fill in some fake credentials
- Hit submit
Step 5: Deploy Your Scampage
Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
- Head to the Pages section of your Cloudflare dashboard
- Click "Create a project"
- Choose "Direct Upload"
- Either:
- Create a ZIP file containing just your index.html
- Or create an empty folder put your index.html inside it- Drag and drop your file/folder into the upload area
- Give your project a name (this will be part of your URL)
- Hit Deploy
Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.
Conclusion
This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.
Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.
Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
vl manoView attachment 159
View attachment 160
One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageâvictims will smell the bullshit from a mile away and wont input jack shit.
Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.
Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsâthink of it like a digital mullet: business in the front party in the back.
Frontend (The Pretty Face):
This is what your marks actually seeâthe login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.
Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.
The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsâdifferent banks email providers whateverâall feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.
Time to get our hands dirty and build the pretty faceâthe frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantâbanks e-commerce you name it.
Step 1: Stealing CapitalOne Face
Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageâHTML CSS images the whole damn enchiladaâinto one tidy HTML file. Its like ripping off a band-aid but for websites.
Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.
Step 3: Rename and Save
Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopâunless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.
Step 4: Quick n Dirty Edit (For Now)
Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.
Pop it open in your browser firstâdoes it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.
Now for a quick test setup. Head to webhook.site and grab a webhook URLâthisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.
Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.
Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.
Now for the brains of the operationâthe backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)
Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingâthe backend and the frontend. You need to set it up before you can start cooking. So get to it.
Step 2: Set Up Your Telegram Bot
First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitâyoull need it.
Now for your chat ID. Heres how to get it:
To verify everythings working:
- Search for your new bot in Telegram and send it a message (just "/start" works)
- Take your bot token and plug it into this URL:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
(Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)- Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
- Try sending a test message by visiting:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`- Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.
Step 3: Cloudflare Worker Time
View attachment 169
Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicâwere not writing a novel here. Paste the following code into your Worker:
*** Hidden text: cannot be quoted. ***
Step 4: Test Your Cloudflare Worker
Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").
Once thats done test the full flow:
If everything is set up correctly you should receive a Telegram message with those test credentials.
- Open your scampage with Chrome
- Fill in some fake credentials
- Hit submit
Step 5: Deploy Your Scampage
Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
- Head to the Pages section of your Cloudflare dashboard
- Click "Create a project"
- Choose "Direct Upload"
- Either:
- Create a ZIP file containing just your index.html
- Or create an empty folder put your index.html inside it- Drag and drop your file/folder into the upload area
- Give your project a name (this will be part of your URL)
- Hit Deploy
Em segundos, o Cloudflare provisionarĂĄ seu phisher em `your-project.pages.dev` servindo-o por HTTPS para parecer legĂtimo pra caramba. Suas vĂtimas nĂŁo verĂŁo nenhum redirecionamento suspeito ou avisos de SSL - apenas uma pĂĄgina limpa e de aparĂŞncia profissional servida diretamente da infraestrutura do Cloudflare . E como ele estĂĄ sendo executado na infraestrutura legĂtima do Cloudflare , ele passarĂĄ direto pela maioria dos scanners de segurança bĂĄsicos. Mas lembre-se de que isso ĂŠ apenas a base - hĂĄ um mundo inteiro de tĂŠcnicas e otimizaçþes avançadas esperando vocĂŞ explorar.
ConclusĂŁo
Este guia mal arranha a superfĂcie do que ĂŠ possĂvel com a infraestrutura moderna de phishing. Sim, a configuração inicial pode fazer seu cĂŠrebro doer - lutar com formulĂĄrios HTML, descobrir o painel do Cloudflare e depurar bots do Telegram nĂŁo ĂŠ exatamente um passeio no parque. Mas quando vocĂŞ domina o bĂĄsico? Essa merda vira memĂłria muscular.
HĂĄ um mundo inteiro de otimizaçþes esperando por vocĂŞ. Pegue alguns domĂnios antigos com reputaçþes limpas. Configure uma anĂĄlise adequada para extrair exatamente os dados que vocĂŞ precisa. Adicione JavaScript para coletar impressĂľes digitais do navegador, implemente prompts falsos de 2FA/OTP, capture dados de preenchimento automĂĄtico e registre pressionamentos de tecla. Adicione validação para filtrar envios de lixo e detectar VMs/ferramentas de segurança. Criptografe o conteĂşdo do HTML servido e use cadeias de redirecionamento para evitar listas negras automatizadas. As possibilidades sĂŁo infinitas e ĂŠ isso que torna esse ofĂcio desafiador e gratificante.
Lembre-se, porĂŠm, de que uma pĂĄgina de phishing ĂŠ tĂŁo boa quanto seu elo mais fraco. VocĂŞ pode ter a configuração mais bacana do mundo, mas se seu HTML parece ter sido codificado por um macaco bĂŞbado ou se seu domĂnio grita "TOTALMENTE-LEGĂTIMO-BANCO-SEGURO-LOGIN.TK", vocĂŞ estĂĄ apenas desperdiçando seu tempo. Tenha orgulho de sua arte, preste atenção aos detalhes e nunca pare de aprender. Agora, vĂĄ lĂĄ e construa algo bonito. d0ctrine out.
good thread, doesn't cover critical components like autofill flagging and cloaking the website. dyor as always. nevertheless, good thread, didn't know about the Cloudflare thing.View attachment 159
View attachment 160
One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageâvictims will smell the bullshit from a mile away and wont input jack shit.
Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.
Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsâthink of it like a digital mullet: business in the front party in the back.
Frontend (The Pretty Face):
This is what your marks actually seeâthe login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.
Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.
The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsâdifferent banks email providers whateverâall feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.
Time to get our hands dirty and build the pretty faceâthe frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantâbanks e-commerce you name it.
Step 1: Stealing CapitalOne Face
Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageâHTML CSS images the whole damn enchiladaâinto one tidy HTML file. Its like ripping off a band-aid but for websites.
Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.
Step 3: Rename and Save
Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopâunless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.
Step 4: Quick n Dirty Edit (For Now)
Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.
Pop it open in your browser firstâdoes it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.
Now for a quick test setup. Head to webhook.site and grab a webhook URLâthisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.
Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.
Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.
Now for the brains of the operationâthe backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)
Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingâthe backend and the frontend. You need to set it up before you can start cooking. So get to it.
Step 2: Set Up Your Telegram Bot
First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitâyoull need it.
Now for your chat ID. Heres how to get it:
To verify everythings working:
- Search for your new bot in Telegram and send it a message (just "/start" works)
- Take your bot token and plug it into this URL:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
(Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)- Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
- Try sending a test message by visiting:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`- Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.
Step 3: Cloudflare Worker Time
View attachment 169
Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicâwere not writing a novel here. Paste the following code into your Worker:
*** Hidden text: cannot be quoted. ***
Step 4: Test Your Cloudflare Worker
Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").
Once thats done test the full flow:
If everything is set up correctly you should receive a Telegram message with those test credentials.
- Open your scampage with Chrome
- Fill in some fake credentials
- Hit submit
Step 5: Deploy Your Scampage
Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
- Head to the Pages section of your Cloudflare dashboard
- Click "Create a project"
- Choose "Direct Upload"
- Either:
- Create a ZIP file containing just your index.html
- Or create an empty folder put your index.html inside it- Drag and drop your file/folder into the upload area
- Give your project a name (this will be part of your URL)
- Hit Deploy
Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.
Conclusion
This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.
Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.
Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
umView attachment 159
View attachment 160
One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageâvictims will smell the bullshit from a mile away and wont input jack shit.
Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.
Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsâthink of it like a digital mullet: business in the front party in the back.
Frontend (The Pretty Face):
This is what your marks actually seeâthe login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.
Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.
The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsâdifferent banks email providers whateverâall feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.
Time to get our hands dirty and build the pretty faceâthe frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantâbanks e-commerce you name it.
Step 1: Stealing CapitalOne Face
Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageâHTML CSS images the whole damn enchiladaâinto one tidy HTML file. Its like ripping off a band-aid but for websites.
Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.
Step 3: Rename and Save
Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopâunless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.
Step 4: Quick n Dirty Edit (For Now)
Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.
Pop it open in your browser firstâdoes it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.
Now for a quick test setup. Head to webhook.site and grab a webhook URLâthisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.
Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.
Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.
Now for the brains of the operationâthe backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)
Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingâthe backend and the frontend. You need to set it up before you can start cooking. So get to it.
Step 2: Set Up Your Telegram Bot
First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitâyoull need it.
Now for your chat ID. Heres how to get it:
To verify everythings working:
- Search for your new bot in Telegram and send it a message (just "/start" works)
- Take your bot token and plug it into this URL:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
(Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)- Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
- Try sending a test message by visiting:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`- Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.
Step 3: Cloudflare Worker Time
View attachment 169
Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicâwere not writing a novel here. Paste the following code into your Worker:
*** Hidden text: cannot be quoted. ***
Step 4: Test Your Cloudflare Worker
Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").
Once thats done test the full flow:
If everything is set up correctly you should receive a Telegram message with those test credentials.
- Open your scampage with Chrome
- Fill in some fake credentials
- Hit submit
Step 5: Deploy Your Scampage
Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
- Head to the Pages section of your Cloudflare dashboard
- Click "Create a project"
- Choose "Direct Upload"
- Ou:
- Crie um arquivo ZIP contendo apenas seu index.html
- Ou crie uma pasta vazia coloque seu index.html dentro dele- Arraste e solte seu arquivo/pasta na ĂĄrea de upload
- DĂŞ um nome ao seu projeto (isso farĂĄ parte do seu URL)
- Clique em Implantar
Em segundos, a Cloudflare provisionarĂĄ seu phisher em 'your-project.pages.dev', servindo-o por HTTPS para parecer legĂtimo pra caralho. Suas vĂtimas nĂŁo verĂŁo nenhum redirecionamento incompleto ou aviso de SSL - apenas uma pĂĄgina limpa e com aparĂŞncia profissional servida diretamente da infraestrutura da Cloudflare. E como estĂĄ sendo executado na infraestrutura legĂtima da Cloudflare, ele passarĂĄ direto pela maioria dos scanners de segurança bĂĄsicos. Mas lembre-se de que esta ĂŠ apenas a base - hĂĄ um mundo inteiro de tĂŠcnicas avançadas e otimizaçþes esperando por vocĂŞ para explorar.
ConclusĂŁo
Este guia mal arranha a superfĂcie do que ĂŠ possĂvel com a infraestrutura moderna de phishing. Sim, a configuração inicial pode fazer seu cĂŠrebro doer - lutar com formulĂĄrios HTML, descobrir o painel do Cloudflaree depurar bots do Telegram nĂŁo ĂŠ exatamente um passeio no parque. Mas uma vez que vocĂŞ tenha aprendido o bĂĄsico? Essa merda se torna memĂłria muscular.
HĂĄ todo um mundo de otimizaçþes esperando por vocĂŞ. Pegue alguns domĂnios antigos com reputação limpa. Configure a anĂĄlise adequada para extrair exatamente os dados necessĂĄrios. Adicione JavaScript para coletar impressĂľes digitais do navegador, implementar prompts 2FA/OTP falsos, capturar dados de preenchimento automĂĄtico e registrar pressionamentos de tecla. Adicione validação para filtrar envios de lixo e detectar VMs/ferramentas de segurança. Criptografe o conteĂşdo do HTML servido e use cadeias de redirecionamento para evitar listas negras automatizadas. As possibilidades sĂŁo infinitas e ĂŠ isso que torna este ofĂcio desafiador e recompensador.
Lembre-se, porĂŠm, - uma pĂĄgina de phishing ĂŠ tĂŁo boa quanto seu elo mais fraco. VocĂŞ pode ter a configuração mais elegante do mundo, mas se o seu HTML parece ter sido codificado por um macaco bĂŞbado ou se o seu domĂnio grita "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK", vocĂŞ estĂĄ apenas perdendo seu tempo. Orgulhe-se do seu ofĂcio, preste atenção aos detalhes e nunca pare de aprender. Agora vĂĄ lĂĄ e construa algo bonito. d0ctrine fora.
great stuffView attachment 159
View attachment 160
One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageâvictims will smell the bullshit from a mile away and wont input jack shit.
Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.
Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsâthink of it like a digital mullet: business in the front party in the back.
Frontend (The Pretty Face):
This is what your marks actually seeâthe login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.
Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.
The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsâdifferent banks email providers whateverâall feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.
Time to get our hands dirty and build the pretty faceâthe frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantâbanks e-commerce you name it.
Step 1: Stealing CapitalOne Face
Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageâHTML CSS images the whole damn enchiladaâinto one tidy HTML file. Its like ripping off a band-aid but for websites.
Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.
Step 3: Rename and Save
Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopâunless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.
Step 4: Quick n Dirty Edit (For Now)
Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.
Pop it open in your browser firstâdoes it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.
Now for a quick test setup. Head to webhook.site and grab a webhook URLâthisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.
Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.
Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.
Now for the brains of the operationâthe backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)
Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingâthe backend and the frontend. You need to set it up before you can start cooking. So get to it.
Step 2: Set Up Your Telegram Bot
First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitâyoull need it.
Now for your chat ID. Heres how to get it:
To verify everythings working:
- Search for your new bot in Telegram and send it a message (just "/start" works)
- Take your bot token and plug it into this URL:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
(Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)- Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
- Try sending a test message by visiting:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`- Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.
Step 3: Cloudflare Worker Time
View attachment 169
Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicâwere not writing a novel here. Paste the following code into your Worker:
*** Hidden text: cannot be quoted. ***
Step 4: Test Your Cloudflare Worker
Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").
Once thats done test the full flow:
If everything is set up correctly you should receive a Telegram message with those test credentials.
- Open your scampage with Chrome
- Fill in some fake credentials
- Hit submit
Step 5: Deploy Your Scampage
Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
- Head to the Pages section of your Cloudflare dashboard
- Click "Create a project"
- Choose "Direct Upload"
- Either:
- Create a ZIP file containing just your index.html
- Or create an empty folder put your index.html inside it- Drag and drop your file/folder into the upload area
- Give your project a name (this will be part of your URL)
- Hit Deploy
Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.
Conclusion
This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.
Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.
Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
greatView attachment 159
View attachment 160
One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageâvictims will smell the bullshit from a mile away and wont input jack shit.
Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.
Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsâthink of it like a digital mullet: business in the front party in the back.
Frontend (The Pretty Face):
This is what your marks actually seeâthe login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.
Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.
The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsâdifferent banks email providers whateverâall feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.
Time to get our hands dirty and build the pretty faceâthe frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantâbanks e-commerce you name it.
Step 1: Stealing CapitalOne Face
Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageâHTML CSS images the whole damn enchiladaâinto one tidy HTML file. Its like ripping off a band-aid but for websites.
Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.
Step 3: Rename and Save
Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopâunless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.
Step 4: Quick n Dirty Edit (For Now)
Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.
Pop it open in your browser firstâdoes it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.
Now for a quick test setup. Head to webhook.site and grab a webhook URLâthisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.
Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.
Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.
Now for the brains of the operationâthe backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)
Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingâthe backend and the frontend. You need to set it up before you can start cooking. So get to it.
Step 2: Set Up Your Telegram Bot
First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitâyoull need it.
Now for your chat ID. Heres how to get it:
To verify everythings working:
- Search for your new bot in Telegram and send it a message (just "/start" works)
- Take your bot token and plug it into this URL:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
(Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)- Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
- Try sending a test message by visiting:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`- Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.
Step 3: Cloudflare Worker Time
View attachment 169
Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicâwere not writing a novel here. Paste the following code into your Worker:
*** Hidden text: cannot be quoted. ***
Step 4: Test Your Cloudflare Worker
Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").
Once thats done test the full flow:
If everything is set up correctly you should receive a Telegram message with those test credentials.
- Open your scampage with Chrome
- Fill in some fake credentials
- Hit submit
Step 5: Deploy Your Scampage
Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
- Head to the Pages section of your Cloudflare dashboard
- Click "Create a project"
- Choose "Direct Upload"
- Either:
- Create a ZIP file containing just your index.html
- Or create an empty folder put your index.html inside it- Drag and drop your file/folder into the upload area
- Give your project a name (this will be part of your URL)
- Hit Deploy
Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.
Conclusion
This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.
Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.
Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
View attachment 159
View attachment 160
One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageâvictims will smell the bullshit from a mile away and wont input jack shit.
Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.
Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsâthink of it like a digital mullet: business in the front party in the back.
Frontend (The Pretty Face):
This is what your marks actually seeâthe login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.
Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.
The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsâdifferent banks email providers whateverâall feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.
Time to get our hands dirty and build the pretty faceâthe frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantâbanks e-commerce you name it.
Step 1: Stealing CapitalOne Face
Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageâHTML CSS images the whole damn enchiladaâinto one tidy HTML file. Its like ripping off a band-aid but for websites.
Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.
Step 3: Rename and Save
Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopâunless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.
Step 4: Quick n Dirty Edit (For Now)
Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.
Pop it open in your browser firstâdoes it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.
Now for a quick test setup. Head to webhook.site and grab a webhook URLâthisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.
Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.
Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.
Now for the brains of the operationâthe backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)
Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingâthe backend and the frontend. You need to set it up before you can start cooking. So get to it.
Step 2: Set Up Your Telegram Bot
First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitâyoull need it.
Now for your chat ID. Heres how to get it:
To verify everythings working:
- Search for your new bot in Telegram and send it a message (just "/start" works)
- Take your bot token and plug it into this URL:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
(Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)- Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
- Try sending a test message by visiting:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`- Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.
Step 3: Cloudflare Worker Time
View attachment 169
Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicâwere not writing a novel here. Paste the following code into your Worker:
*** Hidden text: cannot be quoted. ***
Step 4: Test Your Cloudflare Worker
Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").
Once thats done test the full flow:
If everything is set up correctly you should receive a Telegram message with those test credentials.
- Open your scampage with Chrome
- Fill in some fake credentials
- Hit submit
Step 5: Deploy Your Scampage
Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
- Head to the Pages section of your Cloudflare dashboard
- Click "Create a project"
- Choose "Direct Upload"
- Either:
- Create a ZIP file containing just your index.html
- Or create an empty folder put your index.html inside it- Drag and drop your file/folder into the upload area
- Give your project a name (this will be part of your URL)
- Hit Deploy
Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.
Conclusion
This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.
Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.
Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
thanksView attachment 159
View attachment 160
One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageâvictims will smell the bullshit from a mile away and wont input jack shit.
Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.
Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsâthink of it like a digital mullet: business in the front party in the back.
Frontend (The Pretty Face):
This is what your marks actually seeâthe login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.
Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.
The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsâdifferent banks email providers whateverâall feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.
Time to get our hands dirty and build the pretty faceâthe frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantâbanks e-commerce you name it.
Step 1: Stealing CapitalOne Face
Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageâHTML CSS images the whole damn enchiladaâinto one tidy HTML file. Its like ripping off a band-aid but for websites.
Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.
Step 3: Rename and Save
Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopâunless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.
Step 4: Quick n Dirty Edit (For Now)
Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.
Pop it open in your browser firstâdoes it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.
Now for a quick test setup. Head to webhook.site and grab a webhook URLâthisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.
Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.
Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.
Now for the brains of the operationâthe backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)
Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingâthe backend and the frontend. You need to set it up before you can start cooking. So get to it.
Step 2: Set Up Your Telegram Bot
First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitâyoull need it.
Now for your chat ID. Heres how to get it:
To verify everythings working:
- Search for your new bot in Telegram and send it a message (just "/start" works)
- Take your bot token and plug it into this URL:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
(Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)- Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
- Try sending a test message by visiting:
`https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`- Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.
Step 3: Cloudflare Worker Time
View attachment 169
Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicâwere not writing a novel here. Paste the following code into your Worker:
*** Hidden text: cannot be quoted. ***
Step 4: Test Your Cloudflare Worker
Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").
Once thats done test the full flow:
If everything is set up correctly you should receive a Telegram message with those test credentials.
- Open your scampage with Chrome
- Fill in some fake credentials
- Hit submit
Step 5: Deploy Your Scampage
Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
- Head to the Pages section of your Cloudflare dashboard
- Click "Create a project"
- Choose "Direct Upload"
- Either:
- Create a ZIP file containing just your index.html
- Or create an empty folder put your index.html inside it- Drag and drop your file/folder into the upload area
- Give your project a name (this will be part of your URL)
- Hit Deploy
Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.
Conclusion
This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.
Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.
Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.