Phish5: cloud based phishing for the good of all

Share on facebook
Share on twitter
Share on linkedin
Share on email

Want to launch a sophisticated phishing attack at your friends and colleagues? Of course you do, after all, how else are they ever going to learn how to avoid getting caught by the real thing? And now it’s even easier than ever thanks to South African firm Thinkst Applied Research, which has put together a handy little web app to automate the entire process of mailing dodgy links to co-workers.

It’s called Phish5, and it’s a rather useful and deceptively simple app to use. The idea is that an IT manager can generate a phishing mail to send out company-wide, and use it as a practical example of how such things work. Personally, I love the idea, because despite a decade of writing about phishing attacks and trying to educate readers of their dangers, many people only seem to learn how to avoid them after they’ve surrendered their Gmail login details or Twitter account credentials – or worse, the password to their bank account – to a phishing scammer.

For the uninitiated, phishing is the practice of luring web users to a site that appears to be genuine but is in fact harvesting any details that are entered in to it, remains one of the biggest problems on the internet. More and more companies are being targetted with ‘spear phishing’ campaigns that specifically try to fool their employees into entering log-in details that can be used to gain access to their systems.

The problem is that while web browsers are getting better at identifying fraudulent sites, they can’t keep up with the number of phishing pages out there, and people aren’t getting much better at recognising dodgy links in emails that appear genuine but for one or two letters changes out of sequence – the traditional way of propogating a phishing attack. Worse, browsers on mobile phones often hide the URL of the site you’re visiting, making them even more vulnerable to such attacks.

phish5Haroon Meer, founder of Thinkst and developer of Phish5, explained to htxt that the site was developed for a client whose employees were being specifically targetted by hackers. The IT department wanted a way of educating employees of the dangers of phishing, and why software defences aren’t enough – people need to be vigilant too. Now, he says, whenever an IT training session is organised, the IT department can test employee awareness before they begin.

“There are tools like Backtrack Security that IT managers can use to create fake phishing mails and sites,” Haroon explains, “But they’re complex to use and require a server to be set up and maintained. What we wanted to do was create something simple that even a small company can use, and is entirely web-based.”

And before you think it, no, you can’t use it for nefarious ends. Phish5 has an in-built protection: first of all, you can’t use it for free – it costs from $99 for five campaigns – and secondly you can only use it against colleagues on your own email domains. Check it out here.

Adam Oxford

Adam Oxford

Adam is the Editorial Director at htxt media. He has been writing about technology for almost two full decades now. In a previous life, he was the editor of PC Format and Digital Camera Shopper in the UK, before going on to work as a freelance journalist for seven years. His work has appeared in or on Stuff, The Guardian, Linux Format, TechRadar,, PC Gamer, Green Futures, The Journalist, The Ecologist and The Review. Adam moved to South Africa in 2012 and loves 3D printers, MakerFairs and tech hubs. He hates seafood. None of his friends remember this when cooking.