Credential harvesting is one of the most common techniques in phishing-based social engineering attacks. A sample can be viewed here. Some things to know about the site cloner in the Social-Engineer Toolkit (SET):
- It doesn't download assets, i.e. images, CSS and JavaScript files
- The page cloned needs to be reachable at all times
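The first point has a defensive consequence: a clone that still links to the original site's assets makes each visitor's browser fetch them from the real server, usually with a Referer naming the clone's host. The following is an added example (not from the original post or from SET) that scans combined-format access logs for such requests; the allowlisted hosts, the foreign host name and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts allowed to embed our assets (assumption: example.com is the real site).
OWN_HOSTS = {"example.com", "www.example.com"}
ASSET_RE = re.compile(r"\.(?:css|js|png|jpe?g|gif|svg|ico|woff2?)$", re.I)
# Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log lines (documentation address ranges, made-up hosts).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /static/login.css HTTP/1.1" 200 5120 "https://www.example.com/login" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:56:01 +0000] "GET /static/login.css HTTP/1.1" 200 5120 "http://login-portal.test/" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:56:01 +0000] "GET /static/logo.png HTTP/1.1" 200 20480 "http://login-portal.test/" "Mozilla/5.0"
203.0.113.44 - - [10/Oct/2023:14:02:17 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 9000 "http://login-portal.test/" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:05:00 +0000] "GET /static/logo.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:05:02 +0000] "GET /login HTTP/1.1" 200 3000 "http://other-site.test/page" "Mozilla/5.0"
malformed line
"""

def foreign_asset_referers(log_text, own_hosts=OWN_HOSTS):
    """Map each foreign Referer host to the assets and client IPs seen for it."""
    hits = defaultdict(lambda: {"assets": set(), "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = urlsplit(m["path"]).path  # drop the query string before matching
        host = (urlsplit(m["referer"]).hostname or "").lower()
        # An empty host means no Referer ("-"); that is not evidence either way.
        if not host or host in own_hosts or not ASSET_RE.search(path):
            continue
        hits[host]["assets"].add(path)
        hits[host]["clients"].add(m["ip"])
    return dict(hits)

if __name__ == "__main__":
    for host, seen in foreign_asset_referers(SAMPLE_LOG).items():
        print(host, sorted(seen["assets"]), len(seen["clients"]), "clients")
```

The signal disappears once a clone serves its own copies of the assets, and a referrer policy that withholds the Referer also hides it, so treat hits as leads rather than complete coverage.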
I will be testing this on Chrome, as it's the paranoid one.
What I noticed is that after setting up my default phishing page from SET, it loaded as below on Chrome:
So, looking under the hood: the source looks fine, linking to the files as required, and testing the hyperlinks loads the files, so that isn't the issue.
As seen, the page works, but it would look very phishy if the victim came and found it in that shape. Chrome is widely used, so this cannot be overlooked; it loads fine on Firefox, though. To fix this issue and increase the chances of a successful attack, first download all the assets into a folder; just open the hyperlinks.
Replace the hyperlinks with the folder name as below, then upload everything to your server.
Test the page once again on Chrome.
Hope this helps; may the force be with you.