Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
Phishing attacks are a common tactic for gaining initial access to a system. If an attacker can convince their target to hand over their login credentials or install and execute malware on their machine, this provides an attacker with a foothold that can be used to expand their access and achieve their operational objectives.
The Lockphish toolkit is a bit different from many phishing toolkits because it specifically targets Android PINs and iPhone passcodes. If the attacker can convince the target to visit a malicious webpage, they’ll be presented with a screen that looks like their device’s lock screen. Entering a PIN or passcode into this screen will send the login information to the attacker.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
In this article, we’ll walk through the process of compromising a user’s mobile device credentials using Lockphish. This includes everything from initial installation through actually compromising credentials for a target device.
Installing Lockphish
The Lockphish toolkit is available for download from GitHub here. You can either visit the site and download it directly or pull a copy using Git with the following command:
git clone https://github.com/kali-linux-tutorial/lockphish.
Lockphish is written in PHP and requires it to be installed on the system to run. If you don’t already have PHP installed on your system, install it with apt-get install php. Lockphish also requires unzip to be installed (apt-get install unzip).
After the dependencies are installed, use cd to move to the directory where you have installed Lockphish. Inside this directory, set the Lockphish script to be runnable with the command sudo chmod +x lockphish.sh.
Generating a phishing page with Lockphish
After completing the installation of Lockphish, run it with ./lockphish. You should be greeted with the following screen.
For this walkthrough, we’ll use the default redirection URL of YouTube, but this can be set to any site on the web. To use the default, just press Enter, which produces the following screen.
In this screen, Lockphish sets up its phishing server and generates a unique URL to use in the phishing attack. In this case, the URL is https://d4e61b4a6341.ngrok.io. This link needs to be delivered to the target in a way that encourages them to click on it (some form of phishing message).
Compromising a target device
Assuming that the link has been delivered successfully, we can see the impact of Lockphish on the target device. The image below shows what the target will be presented with once they open the Lockphish URL.
The screen above shows a redirect page. Clicking on the link to YouTube presents a screen like the following.
The screen above is intended to look like an Android lock screen. The attacker’s intention is that the user will enter their PIN number and click enter. If so, the PIN will be provided to the attacker, as shown below.
The screen above shows the Lockphish terminal. The PIN number entered by the user (1111) is shown and saved to a text file.
The pros and cons of Lockphish
Lockphish is an extremely versatile tool for collecting a target’s device login credentials. It supports Android, iOS and Windows devices. Additionally, it is very easy for the attacker to use, setting up its own phishing servers (using ngrok) and automatically storing device credentials in a file for future use.
That said, Lockphish is far from a perfect tool for phishing login credentials. Some limitations of Lockphish are:
- Odd landing page: The landing page for the phishing email requires a click on a redirect link on an otherwise blank page
- Click then lock: The user needs to take action on a webpage and then is immediately presented with a lock screen, presumably from a device timeout
- Static background image: The lock screen background image is static, making it unlikely that it actually looks like the user’s lock screen
- No PIN checking: Lockphish does not perform any verification of the user’s PIN number (the PIN on the device from the screenshots above isn’t actually 1111)
- Full-screen warning: Browsers on Android warn that they have entered full screen mode (as shown below)
- Inconsistent browser support: While Lockphish looks reasonably realistic on Chrome, it fails to mask password input on Firefox for Android (as shown below), which may cause suspicion
While all of these are limitations of Lockphish, it does not mean that it cannot be successful in a phishing attack. As past email scams have demonstrated, people will believe almost anything that comes with a good pretext.
See Infosec IQ in action
Sources
- lockphish, GitHub
- LockPhish -- Phishing Attack on Lock Screen, KaliLinux.in
In this Series
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
