
Show HN: Fake Google Oauth2 for Spear Phishin' - jwally
https://github.com/JWally/xGoogleSpearPhish
======
jwally
This is kind of a show-and-ask, but I always wondered why a fake authorization
site (google, fb, twitter, etc) isn't a security risk (ask); so I built one
(show).

This project comes with the following handy features to make your phishing
expeditions more productive:

-credential verification (through imap)

-redirects (send your victim to any web-site you choose after they log in)

-stay logged in (if the victim clicks the link after validation, they go straight to their target site)

-easy, remote data dump downloads what you've collected ([http://evil.com/dump?prison=time](http://evil.com/dump?prison=time))

I set up a dummy server @ 45.55.242.89.

If you want to play with it

-A. Be Careful. It requires GMail credentials which are not being transferred over ssl. I do (try to) sterilize your data by using public key encryption (kbpgp.js) and running imap over port 993

-B. I only store the first 5 chrs of your e-mail address, and do not store your password (I don't think). This project is running nginx, node.js, and express so I don't think anything is being logged

-C. Point your browser at 45.55.242.89?goto=[https://www.youtube.com/watch?v=dQw4w9WgXcQ](https://www.youtube.com/watch?v=dQw4w9WgXcQ)

------
goatsi
IMAP might be a poor choice to validate the credentials as I believe gmail has
it disabled by default.

