1. Setting up secure Environment. Follow this guide for Downloading kali linux onto usb stick. https://docs.kali.org/downloading/kali-linux-live-usb-install Setting up TOR in kali linux. Open console and type ‘sudo apt-get install tor proxychains filezilla’ **StayMobile with 3g dongle. 2. Anonymously Paying for the servers and equipment. I suggest you use BITCOIN to pay for the host so noone can trace financial history, I suggest doing this in person so there is no direct bank transfer only cash. To do this jump on localbitcoin and find someone local who will meet you. Now you need to find scampages SMTP's and RDP's which are forsale on hackforums.net and pay for them with bitcoin. 2. Find Host and Domain. Any webhost will do however I would pick a 4GB website for optional extras later, or go cheap for disposable server. When asked which OS you want, look for Ubuntu to make life simple its quick and easy to setup with no hassle. Deciding Host Name Sometimes when hosting scam pages you want a generic domain you can use to hide the domain from the user and that does not make the user suspicious. I suggest something like barclays.cloud.authenticationsystem.uk or barclays.uk-secure-cloud.co.uk and to do this we can make use of sub domains so in this case you could register something like "authenticationsystem.uk" and setup multiple scampages under one domain. www.barclays.cloud.authenticationsystem.uk www.lloyds.cloud.authenticationsystem.uk www.apple.cloud.authenticationsystem.uk www.paypal.cloud.authenticationsystem.uk you basically want to blag the "authenticationsystem.uk" bit so be creative, as long as it looks like it tech and COULD be bank related like "financial-authentication.system.tk" then you should be fine as the domain will be shortened later. 3. Setup Host When you have the login information via email login to the main shell using ssh in the console. Just open a command prompt and run 'proxychains ssh (username)@(hostip)' eg 'proxychains ssh email@example.com' this will ask you to save a key, just type yes and press enter. First you want to setup a LAMP server for hosting websites, so in the shell which you logged into type 'sudo apt-get install lamp-server^' follow the onscreen instructions and then create a new user called security via 'createuser (username) or adduser (username)' one of them works depending on the server. Now the LAMP server is operational you need to start the service. So in the console again now type ‘sudo service httpd start’ or ‘systemctl start httpd’ Now you need to install an FTP server to transfer your files across, so using the console type ‘sudo apt-get install vsftpd’ and press enter, this will install an FTP server which needs starting. So in the console again now type ‘sudo service vsftpd start’ or ‘systemctl start vsftpd’ 3. Host Pages Now that we have a host setup, we need to upload our pages to the host. There is a number of possibilities here, one is that you received the scampages via email attatchment in which case you need to either upload them to a host then use wget to pull the file directly. To do this using commandline use the commands 'wget (file url)' this will pull the file from the net. Another method is if you have downloaded the file to the laptop. If so you will need to use filezilla and connect to the ip address and port under the security account. You need to then execute the following command into a NEW kali console as we are installing it locally ‘sudo apt-get install filezilla’ to install filezilla and then run it. This should allow you now to drag and drop a file over to the host from kali. Once the file is on the server, you will need to decompress it (pain in the ass to explain) or we cheat and install midnight commander. To install MC use the following ‘sudo apt-get install mc’ and follow instructions. Now we can run ‘sudo mc’ to make sure we are running as r00t level and we can select the file, press enter and see the contents on the left screen. On the right screen look for /var /www /public_html or /srv/http. You can now copy the files into the folder. Now you should check to see if the web page works by opening ‘http://127.0.0.1/ and see if your page comes up. If you see your page, you should now configure the subdomains in the panel of your webhost, just create new domains and point them to the relvent scampage folders. You want to make sure that if someone goes to www.barclays.(domain).com they see the barclays page or equivelent. 4. Decide on Vector Now comes the difficult bit, deciding whether to target people via email or sms. SMS is recommended as we can fill with leads phone numbers or random numbers generated for o2 as a fair few will be using Iphone. 6. Find SPAM service As I recommended SMS is probably currently the most effective due to email spam filters in place, however SMS spam is mainly unprotected via smartphone applications. We can use Any BULK SMS UK provider so just google for one. I recommend using http://www.monsterbulksms.com/ as they take bitcoin. 7. Design spam content. OK The main objective of SMS spam is to send as many text messages as possible in the shortest amount of time at the RIGHT time of the day. If people are asleep it delays the results and increases chances of detection. If people are busy, they may start thinking about the message and again its increases the chance of detection. As we are working with preconfigured SCAM pages, we will need to make sure they are working and configured. We need to check the configuration to make sure the email address specified is pointing to our server so find config.php or something similar and look for an email address Replace them all with the account you want the emails sending to. You can also set other options if you want. With most scampages, you will get a letter to go with it. What I suggest is reword the email as simple as possible and attatch your link. Make it sound URGENT. 8. Sending spam Now comes the fun bit goto http://bit.ly in your webbrowser and put the url to the scampage, this will shorten the scampage to a smaller link, which can be dropped into the SMS. Now login to the bulk sms provider and edit your message. You will now need to gather phone numbers, and as I said a lot of o2 numbers use Iphone lol if they are stupid enough to buy Iphone they are stupid enough for spam. **O2 have now released mobile numbers starting 07511 and 07512. Mobile numbers start 078, 077, 079, and now 075. Thought some people might like to know they are available!** Use a phone number generator for around 10k – 100k phone numbers which can be found via google to generate number lists. And buy equivelent SMS credit. Next edit your text message, add the link and send. I would seriously think about the time your send these messages, it could depend on whether successful or not. I recommend breaktimes, and targeting people when they are tired not asleep. If they are tired then they are likely to rush though it without realising. 9. Collecting Results. Wait a few hours and then login to the collection email address. Personally I would use yahoo to have this sent to.