How can I reset your Email password? An MITM-based Social Engineering (Phishing) attack!

This article of mine was first published on iViZ Security Blog!
Here is the actual article

Hacking an email account is probably something that intrigues all of us. Phishing is an example of a social engineering technique used to take advantage of human ignorance; it allows unscrupulous people to exploit weaknesses in web security technology. Here we will discuss an advanced way to perform an automated phishing attack.

Attack Strategy:
As cyber awareness increases day by day, the number of failed phishing attempts is also increasing. Most Internet users go through a few checks before entering critical information such as a user name and password into a web form. This approach is a kind of indirect phishing attack. Instead of asking the victim directly for a user name and password, the attacker presents the victim with the same challenges that Google or any other email service provider presents when someone tries to reset the password of an email account. When the victim solves those challenges, we take the victim's answers, submit them to the actual server and reset the password in an automated manner. These challenges can be security questions or an SMS-based password reset.

Attack Strategy at a Glance:

Here our main intention is to abuse the normal password reset functionality of various email service providers in a smarter, automated manner. We will use Selenium and its Python WebDriver API to automate the entire process. Selenium is a software testing framework for web applications; it can automate a browser locally or remotely. We will write a custom Selenium web server in Python and a dynamic fake survey form in PHP. The fake survey form will communicate with the Selenium web server through its custom API in the back end (using PHP cURL or something similar).


Step 1: Start the custom Selenium Server

First we start our custom Selenium web server and host the fake survey form with any hosting provider that supports PHP and PHP cURL. Then we send the link to the fake survey form to the victim.

Once started, the custom Selenium web server continuously monitors the victim's activity. When the victim visits the fake survey form, the form informs the Selenium web server through PHP cURL that the victim has opened the page.

Step 2: Send the custom form to the target

Create a fake registration form for anything you like that asks the user for an email address: a new free coupon for restaurants, a free download, etc. When the victim enters his/her email address, our custom web server automatically tries to recover the password of the address received from the fake survey form using the Selenium WebDriver API. As Selenium is quite fast, this takes at most 5 to 6 seconds.

Step 3: Automatically initiate the recovery password reset process

Almost all well-known web mail providers (e.g. Google, Yahoo, etc.) use anti-automation techniques (CAPTCHAs) at these critical steps. Those CAPTCHAs are not easy even for a human being to solve, so trying to crack them with available OCR engines is a waste of time; human effort is a must to break them. How? We have a trick for that too.

Step 4: Send back the captcha/secret question/any challenge to the user to break

After detecting an anti-automation check on the page, our Selenium web server extracts the CAPTCHA from the password recovery form and asks the victim to solve that same CAPTCHA. When the victim solves it, the server takes the answer and submits the actual CAPTCHA form. BINGO!

Once the CAPTCHA is passed, the server faces the first security question (if one is available). It extracts the first security question from the actual password recovery form and adds it to the survey form alongside other fake questions, to make the survey form look a bit more realistic.

Step 5: Send the user response to Gmail and reset the password

When the victim answers that question, the server instantly takes the answer and submits it to the actual password recovery form. We expect that the victim will answer the security questions correctly.

After that it faces the second security question, which it treats in the same manner. Once it gets through this stage, it automatically changes the account password to one of our choosing.

Abusing SMS/Email-based Password Recovery using the same technique:

SMS/Email-based password recovery can also be abused using the same technique. If we consider Gmail: when our custom Selenium web server detects that there is no security question option in the password recovery form of the target email account, it goes for the SMS-based recovery option. Google's web application generally discloses the last two digits of the registered phone number and sends the SMS to that phone. Our custom Selenium web server does the same: it extracts the last two digits from the recovery form and sends them to the victim. The phishing form is designed in such a way that it says something like this:

“Hey, you have to go through a verification process to download this software package. Please enter your mobile number. We will send a verification code through Google to that number.”

Luckily for the attacker, Google's SMS carrying the password recovery code is very poorly worded. It just sends an SMS like

“Your Google Verification Code is :123456”.

Within a second of the victim entering the mobile number, our Selenium web server submits it and the victim receives the password reset code from Google. Since that SMS gives no indication that this is a very critical code rather than an ordinary verification code, it is very natural for an ordinary Internet user to trust the application and share the password reset code.

In the next step the form asks for the received code, and after getting the code our Selenium server does the rest, i.e. changes the password.
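From the defender's side, as an added example that is not code from the original post, here is a Python sketch of a reset-code flow that closes the two gaps the post identifies: the SMS states that it is a password reset and must not be shared, and the account's recovery address is notified out of band the moment a reset starts. The in-memory store, the notification sink and the TTL/attempt limits are assumptions.

```python
import hmac
import secrets
import time

# Added example (not the author's code). Hypothetical in-memory store and
# notification sink stand in for a real backend; TTL and attempt budget are assumptions.
CODE_TTL_SECONDS = 300   # assumption: reset codes live five minutes
MAX_ATTEMPTS = 3         # assumption: a code is void after three wrong tries

pending_resets = {}      # account -> {"code", "issued", "attempts"}
notifications = []       # constructed sink: (recipient, message) pairs


def start_reset(account: str, phone_last2: str, recovery_email: str, now=None) -> str:
    """Issue a reset code, return the SMS text, and alert the owner out of band."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    pending_resets[account] = {"code": code, "issued": now, "attempts": 0}
    # The message names its purpose, so a relayed code is recognisable as a reset code.
    sms = (f"Someone requested a PASSWORD RESET for {account}. Reset code: {code}. "
           f"If you did not request this, ignore it and never share this code "
           f"with any website or person.")
    # Independent signal to the recovery address, outside the SMS channel.
    notifications.append((recovery_email,
                          f"Password reset started for {account} via phone ending {phone_last2}"))
    return sms


def verify_reset(account: str, submitted: str, now=None) -> bool:
    """Accept the code only if it is live, unexpired, single-use and within the attempt budget."""
    now = time.time() if now is None else now
    rec = pending_resets.get(account)
    if rec is None:
        return False
    if now - rec["issued"] > CODE_TTL_SECONDS or rec["attempts"] >= MAX_ATTEMPTS:
        del pending_resets[account]   # expired or exhausted: a fresh reset is required
        return False
    rec["attempts"] += 1
    if not hmac.compare_digest(rec["code"], submitted):
        return False
    del pending_resets[account]       # single use
    return True
```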

Video Demo:


Since password recovery sections are very critical, service providers maintain very strict session state in these areas. Getting through these sections automatically by sending raw HTTP requests from a scripting language is very hard: if something goes wrong, the session is destroyed entirely, so the chance of the attack failing is very high. In the case of Gmail, the application is highly dynamic, so parsing JavaScript from the HTTP response to obtain the required values is very difficult.

A Very Basic Custom Selenium Web Server Code Used in this Demo:


  1. Hi Debasish,
    can you please share the sample PHP survey form code you used here?
