Jump to content

New Tool: Simple Phishing Toolkit


42spt

Recommended Posts

"Millions for defense, but not one cent for education!"

The spt project is a small step toward securing the mind as opposed to securing computers. Millions are spent safeguarding information systems, but under trained and susceptible minds then operate them. A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done.

spt was developed from the ground up to provide a simple and easy to use framework to identify your weakest links so that you can patch the human vulnerability.

If the project sounds interesting to you, please consider taking a look at it. Demo it (read-only mode), download it and use it yourself. We are looking for all feedback and ideas as we take the next steps on the project. Please feel free to contact us via replies to this thread, or via the contact form on our project web site.

http://www.sptoolkit.com/

Thanks!

Link to comment
Share on other sites

It's an interesting idea, are you going to develop it open source?

My main question is once you do identify the "weakest" link, what are you going to do with him? Educate him? Fire him, in a corporate world? How does one patch the human vulnerability.

Link to comment
Share on other sites

My main question is once you do identify the "weakest" link, what are you going to do with him? Educate him? Fire him, in a corporate world? How does one patch the human vulnerability.

Firing its not something an employer should do, if they want their staffs to understand and know how to handle such situation, the employer should train and expose them to real world cases, that's the only way they can succeed.

Firing them off, would be considered a discrimination.

Edited by Infiltrator
Link to comment
Share on other sites

@Morfir: The project is open source and we intend for it to always be open source. We've been inspired by many other great open source tools (BT, SET, Metasploit, etc.) and felt there was a place for something simpler and more along the lines of where we're going with the spt. As to the the follow-up after finding out who the weakest link is, education is the next natural step we see. In future releases we have plans to integrate training into the spt so you can go from identification to reporting to training in an intelligent manner.

@Infiltrator: You've said it exactly, the spt was developed to be used as that tool to expose employees in a SAFE fashion to phishing efforts to see what happens.

Thanks both for the comments.

Link to comment
Share on other sites

In future releases we have plans to integrate training into the spt so you can go from identification to reporting to training in an intelligent manner.

Sounds good, it's an interesting idea to focus on the human vuln. Usually people develop software to safeguard them from having to deal with things like phishing. I'll try it out a little bit later.

Link to comment
Share on other sites

I gave it a brief test run this morning. It's a good idea, good concept and I like how it's database driven, but I think it needs more different attack vectors.

You can email the bogus links, but those emails are probably going to end up in a spam folder to whoever they're sent to. Sorry to be so critical, but in a real life pen test I don't see many people changing their bank password or their webmail password from an email from an unknown address. If you could somehow incorporate email header spoofing into the attack (it'd be original too) then I think the success rates will rise. Or if you could add a spear-phishing attack vector.

Phishing reports are down 50% in the first half of 2011 from 2010 so I think people are finally realizing not to click links in emails.

Link to comment
Share on other sites

@bobbyb1980: We are definitely to be adding features over times. The project is still very new so it certainly many not show its full potential yet. The usage for spear phishing is certainly possible I think, just some simple modifications to the templates to "personalize" the attack for the target. Thanks for the suggestion. I'm not sure yet what the feasibility is of full header spoofing, but we know it gets done all the time by the bad guys. That might find it's way into the project at some time. Thanks for your comments.

@Mr-Protocol: We are very much aware of the SET and its uses. We are certainly not trying to replicate or replace SET, but instead we're trying to offer a simpler alternative that can be used by those who might not have the technical knowledge required to really use SET and BackTrack correctly. That's why we chose the word "simple" as the first in the title. Thanks for taking the time to read and reply.

Link to comment
Share on other sites

I don't think the usage for spear phishing is realistic with something like this. SET claims to have spear phishing but it isn't much more than an automated emailer. People use the term "spear phishing" so loosely, I don't think theres a real definition for it besides a personalized attack, and your program is based on automation and it's near impossible to automate personalization.

I also think the day is near where phishing will be protected by the browser with reverse DNS lookups, same thing for emails (hence why I said most major email providers aren't vulnerable to this attack).

Link to comment
Share on other sites

@bobbyb1980: I'm not sure at the current time that we'd add something like you've described as that gets away from the intent of the spt as a whole which is to evaluate the security of the human.

@all: We're certainly not trying to compete with any other tool out there, especially SET. We're big fans of SET and its integration within BackTrack overall. I think the "market" is certainly large enough though for more than one tool, even more so given that each will have its own unique use cases and features over time.

Phishing by itself, I'd argue, is plenty dangerous enough and not on the decline. Read into the recent Delta phishing emails that were sent out. Fall for the email (and not even that well composed as compared to what it was supposed to look like) and you're the proud recipient of shiny new rootkit that starts phoning home in less than 10 seconds. We did a fair bit of analysis on this one and it seems to be the natural progression of most of these attacks today: get the target to click that link and download malicious code for phase 2 of the attack, whatever that might be.

We do appreciate the feedback from everyone on this project. Thanks!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...