A new open source toolkit makes it ridiculously simple to set up phishing Web sites and lures. The software was designed to help companies test the phishing awareness of their employees, but as with most security tools, this one could be abused by miscreants to launch malicious attacks.
The Simple Phishing Toolkit includes a site scraper that can clone any Web page — such as a corporate Intranet or Webmail login page — with a single click, and ships with an easy-to-use phishing lure creator.
An education package is bundled with the toolkit that allows administrators to record various metrics about how recipients respond, such as whether a link was clicked, the date and time the link was followed, and the user’s Internet address, browser and operating system. Lists of targets to receive the phishing lure can be loaded into the toolkit via a spreadsheet file.
The makers of the software, two longtime system administrators who asked to be identified only by their first names so as not to jeopardize their day jobs, say they created it to help companies educate employees about the dangers of phishing scams.
“The whole concept with this project started out with the discussion of, ‘Hey, wouldn’t it be great if we could phish ourselves in a safe manner,’” said Will, one of the toolkit’s co-developers. “It seems like in every organization there is always a short list of people we know are phishable, who keep falling for the same thing every six to eight weeks, and some of this stuff is pretty lame.”
First released in October 2011, the Simple Phishing Toolkit is already in its fourth revision. The latest version includes an education module with the options to ‘educate on link click’ (to warn users about the dangers of drive-by malware downloads), upon form submission (credential harvesting), or not at all.
Partly to deflect criticism about the tool’s potential for abuse by miscreants, the toolkit doesn’t include the capability to capture data that recipients enter into forms in the phishing pages, although its creators say this feature will be offered in a future version as an optional add-on.
While more comprehensive open source phishing toolkits (e.g., the Social-Engineer Toolkit for BackTrack/Metasploit) have been in existence for some time, Will and project co-developer Derek said they wanted a more lightweight approach.
“We wanted a stand-alone project that doesn’t cost money and doesn’t take a lot of devotion to learning,” Derek said.
The toolkit lives up to its name: It’s extremely simple to install and to use. Using a copy of WampServer — a free software bundle that includes Apache, PHP and MySQL — I was able to install the toolkit and create a Gmail phishing campaign in less than five minutes.
It seems that not long ago, the idea of organizations phishing their own employees was controversial. These days, there are a number of organizations that offer this awareness training as a service. If you’d rather design and execute the training in-house, the Simple Phishing Toolkit (SPT) looks like a great option.