A new open source toolkit makes it ridiculously easy to set up phishing Web sites and lures. The software was designed to help companies test the phishing awareness of their employees, but as with most security tools, this one can be abused by miscreants to launch real-life attacks.
The Simple Phishing Toolkit includes a site scraper that can clone any Web page — such as a login page — with a single click, and ships with an easy-to-use phishing lure creator. An education package is bundled with the toolkit that allows administrators to record various metrics about how recipients respond, such as whether a link was clicked, the date and time the link was followed, and the user’s Internet address, browser and operating system. Lists of targets to receive the phishing lure can be loaded into the toolkit via a spreadsheet file.