How Hackers steal credentials by phishing attack?

Phishing Attack with Shellphish

Written by Darshit Varotaria

I'm a Web Application Pentester, Security Researcher and Bug Hunter.

May 12, 2020

In this blog we will see that how hacker can steal data using phishing attack. Phishing attacks are one of the oldest attacks, but still in trends because of various new methodologies. The only aim of phishing attack is to steal victims sensitive data falling them into the traps. This can be through a fake form, clone of the login page or a phone call.

The phishing attack takes place due to human errors, so the only way to get rid of it is to make people aware about it. But, new trends and methodologies develop by hackers makes this very difficult because not everyone will have an idea about the current phishing attack trend.

New phishing attacks enters the market, when there is any popular event or official announcement from Government, Banking Sectors or National/Global disasters. Recently, we have seen phishing scams by UPI address which was used to donate funds for fighting against COVID-19. The hackers took benefit of it and created a new UPI address with a small change in it which was difficult for people to get noticed.

How Hackers steal credentials by phishing attack?

Note: The demonstration is for Educational purpose only. We are not responsible for any kind of criminal activity perform by user after reading this blog.

For demonstrations we will be using a tool called “ShellPhish” available on Github. The tool can generate phishing page and sharable link. Follow the simple steps given below to get started with the tool.

01. The first this we need to do is to clone the tool from Github.

$ git clone

Shellphish phishing attack tool
Screenshot of my device

02. Next, go to shellphish folder.

$ cd shellphish

03. Simply, Execute the file “”

$ bash

Phishing attack with shellphish
Screenshot of my device

04. Choose the Social Media login page you want to use.

05. Share link with victim.

Netflix Phishing Page
Screenshot of my device

Once, the victim enters the credentials and click on Sign In, the data will be sent to the hacker.

Screenshot of my device

Hope you will get the idea, that how realistic it can be. Follow cyber hygiene and stay safe online.

You May Also Like…

1 Comment

  1. vamsi

    thanks for posting like this information. still we requiredd such type of information.


Submit a Comment

Your email address will not be published. Required fields are marked *