42spt

Version 0.70 of the open source phishing education tool "spt" (Simple Phishing Toolkit) was released this week. Notable features and improvements in this version include: Vast improvements in the editing functionality for templates and education packages. Major changes include: two different editors to choose from (the oroginal spt text editor and TinyMCE), copy templates or education to new version and then customize them. Added education completion tracking, now you can determine if your targets completed the assigned education in a campaign. Support for the Google and TinyURL URL shortener services. Now your phishing emails can have shortened URLs, making them harder to detect. Support for sending SMTP using SSL secured connections. Enhancements to the viewing of campaign information including SMTP relay used and destination URL used. Initial support for using spt in SSL/TLS secured installations, code updates to prevent insecure content warnings. All forms now generate inline errors with entered value retention, allowing easy correction of incorrect or missing items without requiring all information to be entered again. Email tracking times are now more accurate when viewing campaign information. Most items in the Quick Start module now feature links allowing you to quickly access the desired location in the spt UI. Enhancements to the browser detection script for more information on what you need vs. what you have. Many security and usability issues fixed. Additional improvements in authentication and session management security. You can track all current, past, and future planned, changes on the spt project site on the "Change Log" tab of the Download page at http://www.sptoolkit.com/download/.'>http://www.sptoolkit.com/download/. If the project sounds interesting to you, please consider taking a look at it by downloading and testing it your environment. (We opted to remove the online demo of the spt after receiving some complaints from sites that were used to highlight the incredible effectiveness and ease of use of our site scraper). We always welcome all feedback and ideas as we continue to develop the project. Please feel free to contact us via replies to this thread, or via the contact form on the project web site. http://www.sptoolkit.com/ Thanks! - The spt project

Version 0.60 of the open source phishing education tool "spt" (Simple Phishing Toolkit) was released today. Notable features and improvements in this version include: Email sending process when starting campaign completely rewritten. Sendmail no longer used for sending emails, all email functions are handled by the SwiftMailer library. Campaign statistics displayed in easy to use charts with filters powered by the High Charts library. Thirteen built-in templates, twelve allowing for quick start campaigns. A quick start template just requires targets to exist and simulates an email where all you need is a link click (e.g. drive-by malware downloaders). Eight built-in education modules, including four that do not require Internet access. More education options for your campaigns. Quick Start content helps you get educating as quickly as possible. UI look has been completely updated with color icons throughout for a modern, standardized, look and feel. Improvements made to the module upload and design process for better install and removal results. Logic to prevent duplicate target email addresses in a single target group. New Admins - Test target group created that allows immediate testing of campaigns against the spt administrators (new v 0.60 installations only). Dashboard module block layout reorganized to improve usability and get the information you need to you as quickly as possible. Twitter feed for spt in the dashboard. Entire spt codebase (not including SwiftMailer and High Charts libraries) has been "beautified" to be consistent and use the One True Brace Style (1TBS) as much as possible. Many bug fixes and tweaks to improve usability. You can track all current, past, and future planned, changes on the spt project site on the "Change Log" tab of the Download page at http://www.sptoolkit.com/download/.'>http://www.sptoolkit.com/download/. If the project sounds interesting to you, please consider taking a look at it by downloading and testing it your environment. (We opted to remove the online demo of the spt after receiving some complaints from sites that were used to highlight the incredible effectiveness and ease of use of our site scraper). We always welcome all feedback and ideas as we continue to develop the project. Please feel free to contact us via replies to this thread, or via the contact form on the project web site. http://www.sptoolkit.com/ Thanks! - The spt project

Version 0.5 of the open source phishing education tool "spt" (Simple Phishing Toolkit) was released today. Notable features and improvements in this version include: Improved installation routine, with environmental checks for the most common installation problems. Improved campaign metrics and reporting, including export to CSV functionality. The editor module is now a core spt module and is installed with the spt. Improved target management including flexible support for an unlimited amount of custom target attributes. Target template download replaced with target export (and then import via Add many function). Improved template scraping process including options to personalize emails with target first and last name, and basic HTML support in the email message body. The entire spt source code has been cleaned and consolidated to eliminate tons of errors of duplicated code. Helpful links in the sidebar now get you straight to the sptoolkit.com site for documentation and support. Usability improvements in navigation within the dashboard. You can track all current, past, and future planned, changes on the spt project site on the "Change Log" tab of the Download page at http://www.sptoolkit.com/download/.'>http://www.sptoolkit.com/download/. If the project sounds interesting to you, please consider taking a look at it by downloading and testing it your environment. (We opted to remove the online demo of the spt after receiving some complaints from sites that were used to highlight the incredible effectiveness and ease of use of our site scraper). We always welcome all feedback and ideas as we continue to develop the project. Please feel free to contact us via replies to this thread, or via the contact form on the project web site. http://www.sptoolkit.com/ Thanks! - The spt project

Version 0.4 of the open source phishing education tool "spt" (Simple Phishing Toolkit) was recently released. Notable features and improvements in this version include: Education packages introduced. You can now educate your targets are a part of a campaign. You have the option to educate on link click (drive-by malware downloads), on form submission (credential harvesting) or not at all. A default education package is included, but you can easily author and upload your own custom education for usage. (We have plans for some additional education content and possibilities.) Response analytics have been added to the campaign details output. This includes details about the date and time a link was followed, the IP address the target used, browser name and version and operating system type. Basic geo-location information available. Click the target's IP on the campaign details output and open a new browser tab that shows the geo-location for that IP. (We have plans for a more full featured geo-location module in the future). Editor module improvements and enhancements. The editor now allows for editing of education packages as well from the spt dashboard, no FTP uploads required for edits to templates or education packages. You can track all past, and future planned, changes on the spt project site on the "Change Log" tab of the Download page at http://www.sptoolkit.com/download/.'>http://www.sptoolkit.com/download/. If the project sounds interesting to you, please consider taking a look at it by downloading and testing it your environment. (We opted to remove the online demo of the spt after receiving some complaints from sites that were used to highlight the incredible effectiveness and ease of use of our site scraper). We are welcome all feedback and ideas as we continue to develop the project. Please feel free to contact us via replies to this thread, or via the contact form on the project web site. http://www.sptoolkit.com/ Thanks! - The spt project

Version 0.3 of the open source phishing education tool "spt" (Simple Phishing Toolkit) was recently released. Notable features and improvements in this version include: - improvements to the site scraper introduced in version 0.1 (now you can build your email template while scraping a site) - a new editor module allowing you to edit your phishing templates on-line with no offline edit & FTP required - groundwork laid for more reporting and analytics on campaign effectiveness Please see the full change log on the spt project website at http://www.sptoolkit.com/project/change-log/.'>http://www.sptoolkit.com/project/change-log/. If the project sounds interesting to you, please consider taking a look at it. Demo it in read-only mode, download it and use it yourself. We are welcome all feedback and ideas as we continue to develop the project. Please feel free to contact us via replies to this thread, or via the contact form on the project web site. http://www.sptoolkit.com/ Thanks! - The spt project

@bobbyb1980: I'm not sure at the current time that we'd add something like you've described as that gets away from the intent of the spt as a whole which is to evaluate the security of the human. @all: We're certainly not trying to compete with any other tool out there, especially SET. We're big fans of SET and its integration within BackTrack overall. I think the "market" is certainly large enough though for more than one tool, even more so given that each will have its own unique use cases and features over time. Phishing by itself, I'd argue, is plenty dangerous enough and not on the decline. Read into the recent Delta phishing emails that were sent out. Fall for the email (and not even that well composed as compared to what it was supposed to look like) and you're the proud recipient of shiny new rootkit that starts phoning home in less than 10 seconds. We did a fair bit of analysis on this one and it seems to be the natural progression of most of these attacks today: get the target to click that link and download malicious code for phase 2 of the attack, whatever that might be. We do appreciate the feedback from everyone on this project. Thanks!

Version 0.1 of the spt (Simple Phishing Toolkit) was recently released. Notable features and improvements in this version include a site scraper that easily turns most websites into a phishing template in just a few seconds time and a new tool-tips system that provides content sensitive in-line help. Please see the full change log on the spt project website at http://www.sptoolkit.com/project/change-log/.'>http://www.sptoolkit.com/project/change-log/. If the project sounds interesting to you, please consider taking a look at it. Demo it in read-only mode, download it and use it yourself. We are looking for all feedback and ideas as we continue to develop the project. Please feel free to contact us via replies to this thread, or via the contact form on the project web site. http://www.sptoolkit.com/ Thanks! - The spt project

@bobbyb1980: We are definitely to be adding features over times. The project is still very new so it certainly many not show its full potential yet. The usage for spear phishing is certainly possible I think, just some simple modifications to the templates to "personalize" the attack for the target. Thanks for the suggestion. I'm not sure yet what the feasibility is of full header spoofing, but we know it gets done all the time by the bad guys. That might find it's way into the project at some time. Thanks for your comments. @Mr-Protocol: We are very much aware of the SET and its uses. We are certainly not trying to replicate or replace SET, but instead we're trying to offer a simpler alternative that can be used by those who might not have the technical knowledge required to really use SET and BackTrack correctly. That's why we chose the word "simple" as the first in the title. Thanks for taking the time to read and reply.

@Morfir: The project is open source and we intend for it to always be open source. We've been inspired by many other great open source tools (BT, SET, Metasploit, etc.) and felt there was a place for something simpler and more along the lines of where we're going with the spt. As to the the follow-up after finding out who the weakest link is, education is the next natural step we see. In future releases we have plans to integrate training into the spt so you can go from identification to reporting to training in an intelligent manner. @Infiltrator: You've said it exactly, the spt was developed to be used as that tool to expose employees in a SAFE fashion to phishing efforts to see what happens. Thanks both for the comments.

"Millions for defense, but not one cent for education!" The spt project is a small step toward securing the mind as opposed to securing computers. Millions are spent safeguarding information systems, but under trained and susceptible minds then operate them. A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done. spt was developed from the ground up to provide a simple and easy to use framework to identify your weakest links so that you can patch the human vulnerability. If the project sounds interesting to you, please consider taking a look at it. Demo it (read-only mode), download it and use it yourself. We are looking for all feedback and ideas as we take the next steps on the project. Please feel free to contact us via replies to this thread, or via the contact form on our project web site. http://www.sptoolkit.com/ Thanks!