Manual šŸŽ£ Create Any Scampage/Phisher From Scratch šŸŽ£

How do I click ā€˜Likeā€™ to access the hidden data in d0ctrineā€™s post? Anyone help pls
 
d0ctrine said:
View attachment 159
šŸŽ£ Create Any Scampage/Phisher From Scratch (+ Your Own Telegram Bot) šŸŽ£

View attachment 160

One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageā€”victims will smell the bullshit from a mile away and wont input jack shit.

Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.


šŸ”Ž Anatomy of a Phisher šŸ”Ž

Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsā€”think of it like a digital mullet: business in the front party in the back.


Frontend (The Pretty Face):

This is what your marks actually seeā€”the login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.

Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.

The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsā€”different banks email providers whateverā€”all feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.


šŸ’… Crafting the Frontend šŸ’…

Time to get our hands dirty and build the pretty faceā€”the frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantā€”banks e-commerce you name it.


Step 1: Stealing CapitalOne Face

Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageā€”HTML CSS images the whole damn enchiladaā€”into one tidy HTML file. Its like ripping off a band-aid but for websites.

Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.

Step 3: Rename and Save

Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopā€”unless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.

Step 4: Quick n Dirty Edit (For Now)

Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.

Pop it open in your browser firstā€”does it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.


Now for a quick test setup. Head to webhook.site and grab a webhook URLā€”thisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.

Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.


Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.


āš™ļø Setting up the Backend āš™ļø

Now for the brains of the operationā€”the backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)

Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingā€”the backend and the frontend. You need to set it up before you can start cooking. So get to it.

Step 2: Set Up Your Telegram Bot

First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitā€”youll need it.

Now for your chat ID. Heres how to get it:

  • Search for your new bot in Telegram and send it a message (just "/start" works)
  • Take your bot token and plug it into this URL:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
    (Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)
  • Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
To verify everythings working:
  • Try sending a test message by visiting:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`
  • Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.

Step 3: Cloudflare Worker Time

View attachment 169

Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicā€”were not writing a novel here. Paste the following code into your Worker:

*** Hidden text: cannot be quoted. ***


Step 4: Test Your Cloudflare Worker

Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").

Once thats done test the full flow:
  • Open your scampage with Chrome
  • Fill in some fake credentials
  • Hit submit
If everything is set up correctly you should receive a Telegram message with those test credentials.

Step 5: Deploy Your Scampage


Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
  • Head to the Pages section of your Cloudflare dashboard
  • Click "Create a project"
  • Choose "Direct Upload"
  • Either:
    - Create a ZIP file containing just your index.html
    - Or create an empty folder put your index.html inside it
  • Drag and drop your file/folder into the upload area
  • Give your project a name (this will be part of your URL)
  • Hit Deploy

Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.


Conclusion

This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.

Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.

Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
Click to expand...
Fraud Daddy you the goat for this one !!!!
 
d0ctrine said:
View attachment 159
šŸŽ£ Create Any Scampage/Phisher From Scratch (+ Your Own Telegram Bot) šŸŽ£

View attachment 160

One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageā€”victims will smell the bullshit from a mile away and wont input jack shit.

Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.


šŸ”Ž Anatomy of a Phisher šŸ”Ž

Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsā€”think of it like a digital mullet: business in the front party in the back.


Frontend (The Pretty Face):

This is what your marks actually seeā€”the login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.

Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.

The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsā€”different banks email providers whateverā€”all feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.


šŸ’… Crafting the Frontend šŸ’…

Time to get our hands dirty and build the pretty faceā€”the frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantā€”banks e-commerce you name it.


Step 1: Stealing CapitalOne Face

Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageā€”HTML CSS images the whole damn enchiladaā€”into one tidy HTML file. Its like ripping off a band-aid but for websites.

Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.

Step 3: Rename and Save

Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopā€”unless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.

Step 4: Quick n Dirty Edit (For Now)

Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.

Pop it open in your browser firstā€”does it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.


Now for a quick test setup. Head to webhook.site and grab a webhook URLā€”thisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.

Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.


Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.


āš™ļø Setting up the Backend āš™ļø

Now for the brains of the operationā€”the backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)

Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingā€”the backend and the frontend. You need to set it up before you can start cooking. So get to it.

Step 2: Set Up Your Telegram Bot

First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitā€”youll need it.

Now for your chat ID. Heres how to get it:

  • Search for your new bot in Telegram and send it a message (just "/start" works)
  • Take your bot token and plug it into this URL:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
    (Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)
  • Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
To verify everythings working:
  • Try sending a test message by visiting:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`
  • Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.

Step 3: Cloudflare Worker Time

View attachment 169

Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicā€”were not writing a novel here. Paste the following code into your Worker:

*** Hidden text: cannot be quoted. ***


Step 4: Test Your Cloudflare Worker

Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").

Once thats done test the full flow:
  • Open your scampage with Chrome
  • Fill in some fake credentials
  • Hit submit
If everything is set up correctly you should receive a Telegram message with those test credentials.

Step 5: Deploy Your Scampage


Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
  • Head to the Pages section of your Cloudflare dashboard
  • Click "Create a project"
  • Choose "Direct Upload"
  • Either:
    - Create a ZIP file containing just your index.html
    - Or create an empty folder put your index.html inside it
  • Drag and drop your file/folder into the upload area
  • Give your project a name (this will be part of your URL)
  • Hit Deploy

Em segundos, o Cloudflare provisionarĆ” seu phisher em `your-project.pages.dev` servindo-o por HTTPS para parecer legĆ­timo pra caramba. Suas vĆ­timas nĆ£o verĆ£o nenhum redirecionamento suspeito ou avisos de SSL - apenas uma pĆ”gina limpa e de aparĆŖncia profissional servida diretamente da infraestrutura do Cloudflare . E como ele estĆ” sendo executado na infraestrutura legĆ­tima do Cloudflare , ele passarĆ” direto pela maioria dos scanners de seguranƧa bĆ”sicos. Mas lembre-se de que isso Ć© apenas a base - hĆ” um mundo inteiro de tĆ©cnicas e otimizaƧƵes avanƧadas esperando vocĆŖ explorar.


ConclusĆ£o

Este guia mal arranha a superfĆ­cie do que Ć© possĆ­vel com a infraestrutura moderna de phishing. Sim, a configuraĆ§Ć£o inicial pode fazer seu cĆ©rebro doer - lutar com formulĆ”rios HTML, descobrir o painel do Cloudflare e depurar bots do Telegram nĆ£o Ć© exatamente um passeio no parque. Mas quando vocĆŖ domina o bĆ”sico? Essa merda vira memĆ³ria muscular.

HĆ” um mundo inteiro de otimizaƧƵes esperando por vocĆŖ. Pegue alguns domĆ­nios antigos com reputaƧƵes limpas. Configure uma anĆ”lise adequada para extrair exatamente os dados que vocĆŖ precisa. Adicione JavaScript para coletar impressƵes digitais do navegador, implemente prompts falsos de 2FA/OTP, capture dados de preenchimento automĆ”tico e registre pressionamentos de tecla. Adicione validaĆ§Ć£o para filtrar envios de lixo e detectar VMs/ferramentas de seguranƧa. Criptografe o conteĆŗdo do HTML servido e use cadeias de redirecionamento para evitar listas negras automatizadas. As possibilidades sĆ£o infinitas e Ć© isso que torna esse ofĆ­cio desafiador e gratificante.

Lembre-se, porĆ©m, de que uma pĆ”gina de phishing Ć© tĆ£o boa quanto seu elo mais fraco. VocĆŖ pode ter a configuraĆ§Ć£o mais bacana do mundo, mas se seu HTML parece ter sido codificado por um macaco bĆŖbado ou se seu domĆ­nio grita "TOTALMENTE-LEGƍTIMO-BANCO-SEGURO-LOGIN.TK", vocĆŖ estĆ” apenas desperdiƧando seu tempo. Tenha orgulho de sua arte, preste atenĆ§Ć£o aos detalhes e nunca pare de aprender. Agora, vĆ” lĆ” e construa algo bonito. d0ctrine out.
Click to expand...
vl mano
 
d0ctrine said:
View attachment 159
šŸŽ£ Create Any Scampage/Phisher From Scratch (+ Your Own Telegram Bot) šŸŽ£

View attachment 160

One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageā€”victims will smell the bullshit from a mile away and wont input jack shit.

Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.


šŸ”Ž Anatomy of a Phisher šŸ”Ž

Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsā€”think of it like a digital mullet: business in the front party in the back.


Frontend (The Pretty Face):

This is what your marks actually seeā€”the login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.

Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.

The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsā€”different banks email providers whateverā€”all feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.


šŸ’… Crafting the Frontend šŸ’…

Time to get our hands dirty and build the pretty faceā€”the frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantā€”banks e-commerce you name it.


Step 1: Stealing CapitalOne Face

Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageā€”HTML CSS images the whole damn enchiladaā€”into one tidy HTML file. Its like ripping off a band-aid but for websites.

Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.

Step 3: Rename and Save

Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopā€”unless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.

Step 4: Quick n Dirty Edit (For Now)

Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.

Pop it open in your browser firstā€”does it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.


Now for a quick test setup. Head to webhook.site and grab a webhook URLā€”thisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.

Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.


Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.


āš™ļø Setting up the Backend āš™ļø

Now for the brains of the operationā€”the backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)

Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingā€”the backend and the frontend. You need to set it up before you can start cooking. So get to it.

Step 2: Set Up Your Telegram Bot

First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitā€”youll need it.

Now for your chat ID. Heres how to get it:

  • Search for your new bot in Telegram and send it a message (just "/start" works)
  • Take your bot token and plug it into this URL:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
    (Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)
  • Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
To verify everythings working:
  • Try sending a test message by visiting:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`
  • Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.

Step 3: Cloudflare Worker Time

View attachment 169

Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicā€”were not writing a novel here. Paste the following code into your Worker:

*** Hidden text: cannot be quoted. ***


Step 4: Test Your Cloudflare Worker

Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").

Once thats done test the full flow:
  • Open your scampage with Chrome
  • Fill in some fake credentials
  • Hit submit
If everything is set up correctly you should receive a Telegram message with those test credentials.

Step 5: Deploy Your Scampage


Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
  • Head to the Pages section of your Cloudflare dashboard
  • Click "Create a project"
  • Choose "Direct Upload"
  • Either:
    - Create a ZIP file containing just your index.html
    - Or create an empty folder put your index.html inside it
  • Drag and drop your file/folder into the upload area
  • Give your project a name (this will be part of your URL)
  • Hit Deploy

Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.


Conclusion

This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.

Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.

Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
Click to expand...
good thread, doesn't cover critical components like autofill flagging and cloaking the website. dyor as always. nevertheless, good thread, didn't know about the Cloudflare thing.
 
d0ctrine said:
View attachment 159
šŸŽ£ Create Any Scampage/Phisher From Scratch (+ Your Own Telegram Bot) šŸŽ£

View attachment 160

One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageā€”victims will smell the bullshit from a mile away and wont input jack shit.

Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.


šŸ”Ž Anatomy of a Phisher šŸ”Ž

Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsā€”think of it like a digital mullet: business in the front party in the back.


Frontend (The Pretty Face):

This is what your marks actually seeā€”the login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.

Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.

The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsā€”different banks email providers whateverā€”all feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.


šŸ’… Crafting the Frontend šŸ’…

Time to get our hands dirty and build the pretty faceā€”the frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantā€”banks e-commerce you name it.


Step 1: Stealing CapitalOne Face

Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageā€”HTML CSS images the whole damn enchiladaā€”into one tidy HTML file. Its like ripping off a band-aid but for websites.

Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.

Step 3: Rename and Save

Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopā€”unless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.

Step 4: Quick n Dirty Edit (For Now)

Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.

Pop it open in your browser firstā€”does it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.


Now for a quick test setup. Head to webhook.site and grab a webhook URLā€”thisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.

Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.


Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.


āš™ļø Setting up the Backend āš™ļø

Now for the brains of the operationā€”the backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)

Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingā€”the backend and the frontend. You need to set it up before you can start cooking. So get to it.

Step 2: Set Up Your Telegram Bot

First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitā€”youll need it.

Now for your chat ID. Heres how to get it:

  • Search for your new bot in Telegram and send it a message (just "/start" works)
  • Take your bot token and plug it into this URL:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
    (Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)
  • Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
To verify everythings working:
  • Try sending a test message by visiting:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`
  • Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.

Step 3: Cloudflare Worker Time

View attachment 169

Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicā€”were not writing a novel here. Paste the following code into your Worker:

*** Hidden text: cannot be quoted. ***


Step 4: Test Your Cloudflare Worker

Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").

Once thats done test the full flow:
  • Open your scampage with Chrome
  • Fill in some fake credentials
  • Hit submit
If everything is set up correctly you should receive a Telegram message with those test credentials.

Step 5: Deploy Your Scampage


Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
  • Head to the Pages section of your Cloudflare dashboard
  • Click "Create a project"
  • Choose "Direct Upload"
  • Ou:
    - Crie um arquivo ZIP contendo apenas seu index.html
    - Ou crie uma pasta vazia coloque seu index.html dentro dele
  • Arraste e solte seu arquivo/pasta na Ć”rea de upload
  • DĆŖ um nome ao seu projeto (isso farĆ” parte do seu URL)
  • Clique em Implantar

Em segundos, a Cloudflare provisionarĆ” seu phisher em 'your-project.pages.dev', servindo-o por HTTPS para parecer legĆ­timo pra caralho. Suas vĆ­timas nĆ£o verĆ£o nenhum redirecionamento incompleto ou aviso de SSL - apenas uma pĆ”gina limpa e com aparĆŖncia profissional servida diretamente da infraestrutura da Cloudflare. E como estĆ” sendo executado na infraestrutura legĆ­tima da Cloudflare, ele passarĆ” direto pela maioria dos scanners de seguranƧa bĆ”sicos. Mas lembre-se de que esta Ć© apenas a base - hĆ” um mundo inteiro de tĆ©cnicas avanƧadas e otimizaƧƵes esperando por vocĆŖ para explorar.


ConclusĆ£o

Este guia mal arranha a superfĆ­cie do que Ć© possĆ­vel com a infraestrutura moderna de phishing. Sim, a configuraĆ§Ć£o inicial pode fazer seu cĆ©rebro doer - lutar com formulĆ”rios HTML, descobrir o painel do Cloudflaree depurar bots do Telegram nĆ£o Ć© exatamente um passeio no parque. Mas uma vez que vocĆŖ tenha aprendido o bĆ”sico? Essa merda se torna memĆ³ria muscular.

HĆ” todo um mundo de otimizaƧƵes esperando por vocĆŖ. Pegue alguns domĆ­nios antigos com reputaĆ§Ć£o limpa. Configure a anĆ”lise adequada para extrair exatamente os dados necessĆ”rios. Adicione JavaScript para coletar impressƵes digitais do navegador, implementar prompts 2FA/OTP falsos, capturar dados de preenchimento automĆ”tico e registrar pressionamentos de tecla. Adicione validaĆ§Ć£o para filtrar envios de lixo e detectar VMs/ferramentas de seguranƧa. Criptografe o conteĆŗdo do HTML servido e use cadeias de redirecionamento para evitar listas negras automatizadas. As possibilidades sĆ£o infinitas e Ć© isso que torna este ofĆ­cio desafiador e recompensador.

Lembre-se, porĆ©m, - uma pĆ”gina de phishing Ć© tĆ£o boa quanto seu elo mais fraco. VocĆŖ pode ter a configuraĆ§Ć£o mais elegante do mundo, mas se o seu HTML parece ter sido codificado por um macaco bĆŖbado ou se o seu domĆ­nio grita "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK", vocĆŖ estĆ” apenas perdendo seu tempo. Orgulhe-se do seu ofĆ­cio, preste atenĆ§Ć£o aos detalhes e nunca pare de aprender. Agora vĆ” lĆ” e construa algo bonito. d0ctrine fora.
Click to expand...
um
 
it's so easy to write detector for this stuf .... HAHHAA
 
d0ctrine said:
View attachment 159
šŸŽ£ Create Any Scampage/Phisher From Scratch (+ Your Own Telegram Bot) šŸŽ£

View attachment 160

One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageā€”victims will smell the bullshit from a mile away and wont input jack shit.

Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.


šŸ”Ž Anatomy of a Phisher šŸ”Ž

Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsā€”think of it like a digital mullet: business in the front party in the back.


Frontend (The Pretty Face):

This is what your marks actually seeā€”the login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.

Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.

The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsā€”different banks email providers whateverā€”all feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.


šŸ’… Crafting the Frontend šŸ’…

Time to get our hands dirty and build the pretty faceā€”the frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantā€”banks e-commerce you name it.


Step 1: Stealing CapitalOne Face

Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageā€”HTML CSS images the whole damn enchiladaā€”into one tidy HTML file. Its like ripping off a band-aid but for websites.

Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.

Step 3: Rename and Save

Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopā€”unless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.

Step 4: Quick n Dirty Edit (For Now)

Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.

Pop it open in your browser firstā€”does it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.


Now for a quick test setup. Head to webhook.site and grab a webhook URLā€”thisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.

Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.


Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.


āš™ļø Setting up the Backend āš™ļø

Now for the brains of the operationā€”the backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)

Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingā€”the backend and the frontend. You need to set it up before you can start cooking. So get to it.

Step 2: Set Up Your Telegram Bot

First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitā€”youll need it.

Now for your chat ID. Heres how to get it:

  • Search for your new bot in Telegram and send it a message (just "/start" works)
  • Take your bot token and plug it into this URL:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
    (Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)
  • Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
To verify everythings working:
  • Try sending a test message by visiting:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`
  • Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.

Step 3: Cloudflare Worker Time

View attachment 169

Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicā€”were not writing a novel here. Paste the following code into your Worker:

*** Hidden text: cannot be quoted. ***


Step 4: Test Your Cloudflare Worker

Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").

Once thats done test the full flow:
  • Open your scampage with Chrome
  • Fill in some fake credentials
  • Hit submit
If everything is set up correctly you should receive a Telegram message with those test credentials.

Step 5: Deploy Your Scampage


Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
  • Head to the Pages section of your Cloudflare dashboard
  • Click "Create a project"
  • Choose "Direct Upload"
  • Either:
    - Create a ZIP file containing just your index.html
    - Or create an empty folder put your index.html inside it
  • Drag and drop your file/folder into the upload area
  • Give your project a name (this will be part of your URL)
  • Hit Deploy

Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.


Conclusion

This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.

Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.

Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
Click to expand...
great stuff
 
d0ctrine said:
View attachment 159
šŸŽ£ Create Any Scampage/Phisher From Scratch (+ Your Own Telegram Bot) šŸŽ£

View attachment 160

One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageā€”victims will smell the bullshit from a mile away and wont input jack shit.

Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.


šŸ”Ž Anatomy of a Phisher šŸ”Ž

Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsā€”think of it like a digital mullet: business in the front party in the back.


Frontend (The Pretty Face):

This is what your marks actually seeā€”the login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.

Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.

The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsā€”different banks email providers whateverā€”all feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.


šŸ’… Crafting the Frontend šŸ’…

Time to get our hands dirty and build the pretty faceā€”the frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantā€”banks e-commerce you name it.


Step 1: Stealing CapitalOne Face

Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageā€”HTML CSS images the whole damn enchiladaā€”into one tidy HTML file. Its like ripping off a band-aid but for websites.

Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.

Step 3: Rename and Save

Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopā€”unless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.

Step 4: Quick n Dirty Edit (For Now)

Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.

Pop it open in your browser firstā€”does it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.


Now for a quick test setup. Head to webhook.site and grab a webhook URLā€”thisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.

Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.


Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.


āš™ļø Setting up the Backend āš™ļø

Now for the brains of the operationā€”the backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)

Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingā€”the backend and the frontend. You need to set it up before you can start cooking. So get to it.

Step 2: Set Up Your Telegram Bot

First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitā€”youll need it.

Now for your chat ID. Heres how to get it:

  • Search for your new bot in Telegram and send it a message (just "/start" works)
  • Take your bot token and plug it into this URL:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
    (Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)
  • Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
To verify everythings working:
  • Try sending a test message by visiting:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`
  • Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.

Step 3: Cloudflare Worker Time

View attachment 169

Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicā€”were not writing a novel here. Paste the following code into your Worker:

*** Hidden text: cannot be quoted. ***


Step 4: Test Your Cloudflare Worker

Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").

Once thats done test the full flow:
  • Open your scampage with Chrome
  • Fill in some fake credentials
  • Hit submit
If everything is set up correctly you should receive a Telegram message with those test credentials.

Step 5: Deploy Your Scampage


Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
  • Head to the Pages section of your Cloudflare dashboard
  • Click "Create a project"
  • Choose "Direct Upload"
  • Either:
    - Create a ZIP file containing just your index.html
    - Or create an empty folder put your index.html inside it
  • Drag and drop your file/folder into the upload area
  • Give your project a name (this will be part of your URL)
  • Hit Deploy

Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.


Conclusion

This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.

Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.

Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
Click to expand...
great
 
d0ctrine said:
View attachment 159
šŸŽ£ Create Any Scampage/Phisher From Scratch (+ Your Own Telegram Bot) šŸŽ£

View attachment 160

One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageā€”victims will smell the bullshit from a mile away and wont input jack shit.

Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.


šŸ”Ž Anatomy of a Phisher šŸ”Ž

Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsā€”think of it like a digital mullet: business in the front party in the back.


Frontend (The Pretty Face):

This is what your marks actually seeā€”the login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.

Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.

The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsā€”different banks email providers whateverā€”all feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.


šŸ’… Crafting the Frontend šŸ’…

Time to get our hands dirty and build the pretty faceā€”the frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantā€”banks e-commerce you name it.


Step 1: Stealing CapitalOne Face

Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageā€”HTML CSS images the whole damn enchiladaā€”into one tidy HTML file. Its like ripping off a band-aid but for websites.

Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.

Step 3: Rename and Save

Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopā€”unless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.

Step 4: Quick n Dirty Edit (For Now)

Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.

Pop it open in your browser firstā€”does it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.


Now for a quick test setup. Head to webhook.site and grab a webhook URLā€”thisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.

Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.


Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.


āš™ļø Setting up the Backend āš™ļø

Now for the brains of the operationā€”the backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)

Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingā€”the backend and the frontend. You need to set it up before you can start cooking. So get to it.

Step 2: Set Up Your Telegram Bot

First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitā€”youll need it.

Now for your chat ID. Heres how to get it:

  • Search for your new bot in Telegram and send it a message (just "/start" works)
  • Take your bot token and plug it into this URL:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
    (Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)
  • Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
To verify everythings working:
  • Try sending a test message by visiting:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`
  • Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.

Step 3: Cloudflare Worker Time

View attachment 169

Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicā€”were not writing a novel here. Paste the following code into your Worker:

*** Hidden text: cannot be quoted. ***


Step 4: Test Your Cloudflare Worker

Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").

Once thats done test the full flow:
  • Open your scampage with Chrome
  • Fill in some fake credentials
  • Hit submit
If everything is set up correctly you should receive a Telegram message with those test credentials.

Step 5: Deploy Your Scampage


Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
  • Head to the Pages section of your Cloudflare dashboard
  • Click "Create a project"
  • Choose "Direct Upload"
  • Either:
    - Create a ZIP file containing just your index.html
    - Or create an empty folder put your index.html inside it
  • Drag and drop your file/folder into the upload area
  • Give your project a name (this will be part of your URL)
  • Hit Deploy

Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.


Conclusion

This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.

Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.

Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
Click to expand...
 
d0ctrine said:
View attachment 159
šŸŽ£ Create Any Scampage/Phisher From Scratch (+ Your Own Telegram Bot) šŸŽ£

View attachment 160

One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageā€”victims will smell the bullshit from a mile away and wont input jack shit.

Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.


šŸ”Ž Anatomy of a Phisher šŸ”Ž

Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsā€”think of it like a digital mullet: business in the front party in the back.


Frontend (The Pretty Face):

This is what your marks actually seeā€”the login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.

Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.

The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsā€”different banks email providers whateverā€”all feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.


šŸ’… Crafting the Frontend šŸ’…

Time to get our hands dirty and build the pretty faceā€”the frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantā€”banks e-commerce you name it.


Step 1: Stealing CapitalOne Face

Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageā€”HTML CSS images the whole damn enchiladaā€”into one tidy HTML file. Its like ripping off a band-aid but for websites.

Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.

Step 3: Rename and Save

Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopā€”unless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.

Step 4: Quick n Dirty Edit (For Now)

Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.

Pop it open in your browser firstā€”does it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.


Now for a quick test setup. Head to webhook.site and grab a webhook URLā€”thisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.

Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.


Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.


āš™ļø Setting up the Backend āš™ļø

Now for the brains of the operationā€”the backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)

Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingā€”the backend and the frontend. You need to set it up before you can start cooking. So get to it.

Step 2: Set Up Your Telegram Bot

First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitā€”youll need it.

Now for your chat ID. Heres how to get it:

  • Search for your new bot in Telegram and send it a message (just "/start" works)
  • Take your bot token and plug it into this URL:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
    (Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)
  • Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
To verify everythings working:
  • Try sending a test message by visiting:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`
  • Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.

Step 3: Cloudflare Worker Time

View attachment 169

Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicā€”were not writing a novel here. Paste the following code into your Worker:

*** Hidden text: cannot be quoted. ***


Step 4: Test Your Cloudflare Worker

Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").

Once thats done test the full flow:
  • Open your scampage with Chrome
  • Fill in some fake credentials
  • Hit submit
If everything is set up correctly you should receive a Telegram message with those test credentials.

Step 5: Deploy Your Scampage


Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
  • Head to the Pages section of your Cloudflare dashboard
  • Click "Create a project"
  • Choose "Direct Upload"
  • Either:
    - Create a ZIP file containing just your index.html
    - Or create an empty folder put your index.html inside it
  • Drag and drop your file/folder into the upload area
  • Give your project a name (this will be part of your URL)
  • Hit Deploy

Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.


Conclusion

This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.

Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.

Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
Click to expand...
thanks
 
d0ctrine said:
View attachment 159
šŸŽ£ Create Any Scampage/Phisher From Scratch (+ Your Own Telegram Bot) šŸŽ£

View attachment 160

One thing thats genuinely baffling is seeing how many newbies in this game actually buy scampages from randoms on Telegram. Thats just dumb. Its a waste of money plain and simple. Plus its not a long-term strategy. Websites update their designs faster than a crackhead changes moods making your purchased scampage obsolete after a couple of months. Suddenly youre holding cyberspace garbageā€”victims will smell the bullshit from a mile away and wont input jack shit.

Thats why this guide exists. Im going to show you how to create your own phishers and scampages. Its not rocket science and its way more practical than throwing your cash at some retarded seller. So pay attention and lets get this done.


šŸ”Ž Anatomy of a Phisher šŸ”Ž

Before we dive deep into creating your own phisher you need to understand what makes these things work. A phisher is essentially split into two critical componentsā€”think of it like a digital mullet: business in the front party in the back.


Frontend (The Pretty Face):

This is what your marks actually seeā€”the login page input fields logos and all that eye candy. Its a carbon copy of the legitimate site youre targeting right down to the favicon. The frontend needs to be pixel-perfect because humans are surprisingly good at spotting when somethings off even if they cant explain why. One misaligned button or wrong font and your conversion rate (the number of people who actually input their info) goes to shit.

Backend (The Money Maker):
This is where the magic happens. Instead of storing data in a database were going to use a Cloudflare Worker to capture form submissions and fire them off directly to your Telegram using a bot. Every time someone submits their creds youll get an instant alert on Telegram. Its simple and cost-effective and keeps you in the loop in real time.

The beauty of understanding these two components is that you can mix and match them like building blocks. Once you master creating both parts you can adapt to any target site fast. Hell you can even run multiple frontendsā€”different banks email providers whateverā€”all feeding into a single backend. Its efficient as fuck and lets you scale your operation without rebuilding everything from scratch. And thats exactly what were going to learn.


šŸ’… Crafting the Frontend šŸ’…

Time to get our hands dirty and build the pretty faceā€”the frontend. For this demo were gonna clone CapitalOne. Why CapitalOne? Because banks are mostly what you will be using these phishers for and the CapitalOne login page is a perfect place to start practicing your skills. Dont worry once you nail this you can rip off any site you wantā€”banks e-commerce you name it.


Step 1: Stealing CapitalOne Face

Remember we aint coding this shit from scratch like some script kiddie. Were digital bandits not web developers. Go snag that Chrome extension called "SingleFile". This little gem lets you yoink an entire webpageā€”HTML CSS images the whole damn enchiladaā€”into one tidy HTML file. Its like ripping off a band-aid but for websites.

Step 2: Snag the Login Page
Head over to CapitalOne secure shopping page: Capital One Sign In: Log in to access your account(s). Yeah thats the one. Click that SingleFile extension icon in your browser. Boom. Just like that you downloaded the whole damn page.

Step 3: Rename and Save

Rename that freshly ripped off file to `index.html`. Its the first page they look for when you open a website. Save it somewhere you can actually find it later like your desktopā€”unless your desktop is already a digital wasteland of porn and malware in which case good luck finding shit.

Step 4: Quick n Dirty Edit (For Now)

Crack open that `index.html` file in a text editor like VS Code Sublime Text or Notepad++. We need to make sure this frontend actually works before getting fancy with the backend.

Pop it open in your browser firstā€”does it look like the real CapitalOne login page? If not you fucked up the SingleFile step. Go back and try again until it looks legit.


Now for a quick test setup. Head to webhook.site and grab a webhook URLā€”thisll be our temporary data catcher. Find the `<form>` tag in your HTML and change its `action` attribute to your webhook URL. This makes form submissions go to webhook.site instead of CapitalOne's servers.

Next find the username and password input fields (theyll be `<input>` tags). Add `name="username"` to the username field and `name="password"` to the password field. These tells the browser to pass the data. Different sites use different names so youll need to adjust this for each target. But they all use more often than not a single form element.


Thats it for testing. Open your page enter some fake login details and hit submit. If the data shows up on webhook.site your frontend is working. If not double-check your edits and try again. Once its working youre ready to set up a real backend.


āš™ļø Setting up the Backend āš™ļø

Now for the brains of the operationā€”the backend. Instead of using a database were using Cloudflare Workers to instantly forward captured credentials to your Telegram account via a bo script. This is not only cost-effective but also gives you immediate alerts whenever someone submits their info.
Step 1: Cloudflare Account (Duh)

Get your ass over to Cloudflare and create a free account. This aint optional. Were using Cloudflare for everythingā€”the backend and the frontend. You need to set it up before you can start cooking. So get to it.

Step 2: Set Up Your Telegram Bot

First create your Telegram bot by messaging @BotFather on Telegram. Type `/newbot` and follow his prompts to name your bot. BotFather will spit out an API token that looks like this: `63xxxxxx71:AAFoxxxxn0hwA-2TVSxxxNf4c`. Save this shitā€”youll need it.

Now for your chat ID. Heres how to get it:

  • Search for your new bot in Telegram and send it a message (just "/start" works)
  • Take your bot token and plug it into this URL:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/getUpdates`
    (Replace {YOUR_BOT_TOKEN} with the actual token keeping "bot" in front)
  • Open that URL in your browser. Youll see a JSON response with your chat details. Look for `"chat": {"id": 21xxxxx38}` - that number is your chat ID.
To verify everythings working:
  • Try sending a test message by visiting:
    `https://api.telegram.org/bot{YOUR_BOT_TOKEN}/sendMessage?chat_id={YOUR_CHAT_ID}&text=working`
  • Check if you see the message "test123" pop up in your bot chat youre golden. If not double-check your token and chat ID.

Step 3: Cloudflare Worker Time

View attachment 169

Now go to "Workers" in your Cloudflare dashboard and create a new Worker. Cloudflare provides an online code editor. Don't panicā€”were not writing a novel here. Paste the following code into your Worker:

*** Hidden text: cannot be quoted. ***


Step 4: Test Your Cloudflare Worker

Now its time to test your new backend. First go back to your scampages HTML form and replace the webhook.site URL with your Cloudflare Worker URL (it should look something like "your-worker.your-subdomain.workers.dev").

Once thats done test the full flow:
  • Open your scampage with Chrome
  • Fill in some fake credentials
  • Hit submit
If everything is set up correctly you should receive a Telegram message with those test credentials.

Step 5: Deploy Your Scampage


Now for the final piece - getting your phisher live on Cloudflare Pages. This gives you a slick professional-looking domain and worldwide CDN distribution.
  • Head to the Pages section of your Cloudflare dashboard
  • Click "Create a project"
  • Choose "Direct Upload"
  • Either:
    - Create a ZIP file containing just your index.html
    - Or create an empty folder put your index.html inside it
  • Drag and drop your file/folder into the upload area
  • Give your project a name (this will be part of your URL)
  • Hit Deploy

Within seconds Cloudflare will provision your phisher at `your-project.pages.dev` serving it over HTTPS to look legit as fuck. Your victims won't see any sketchy redirects or SSL warnings - just a clean professional-looking page served directly from Cloudflare's infrastructure. And since it's running on legitimate Cloudflare infrastructure it'll slip right past most basic security scanners. But remember this is just the foundation - there's a whole world of advanced techniques and optimizations waiting for you to explore.


Conclusion

This guide barely scratches the surface of whats possible with modern phishing infrastructure. Yeah the initial setup might make your brain hurt - wrestling with HTML forms figuring out Cloudflares dashboard and debugging Telegram bots isnt exactly a walk in the park. But once youve got the basics down? This shit becomes muscle memory.

Theres a whole world of optimizations waiting for you. Grab some aged domains with clean reputations. Set up proper parsing to extract exactly the data you need. Add JavaScript to collect browser fingerprints implement fake 2FA/OTP prompts capture autofill data and record keystrokes. Add validation to filter out garbage submissions and detect VMs/security tools. Encrypt the content of the HTML served and use redirect chains so as to prevent automated blacklisting. The possibilities are endless and thats what makes this craft both challenging and rewarding.

Remember though - a phishing page is only as good as its weakest link. You can have the slickest setup in the world but if your HTML looks like it was coded by a drunk monkey or if your domain screams "TOTALLY-LEGIT-BANK-SECURE-LOGIN.TK" youre just wasting your time. Take pride in your craft pay attention to the details and never stop learning. Now get out there and build something beautiful. d0ctrine out.
Click to expand...
legend
 
You must log in or register to reply here.
Back
Top Bottom