Want to launch a sophisticated phishing attack at your friends and colleagues? Of course you do, after all, how else are they ever going to learn how to avoid getting caught by the real thing? And now it’s even easier than ever thanks to South African firm Thinkst Applied Research, which has put together a handy little web app to automate the entire process of mailing dodgy links to co-workers.
It’s called Phish5, and it’s a deceptively simple and rather useful app. The idea is that an IT manager can generate a phishing mail to send out company-wide, and use it as a practical example of how such things work. Personally, I love the idea, because despite a decade of writing about phishing attacks and trying to educate readers about their dangers, many people only seem to learn how to avoid them after they’ve surrendered their Gmail login details or Twitter account credentials – or worse, the password to their bank account – to a phishing scammer.
For the uninitiated, phishing is the practice of luring web users to a site that appears to be genuine but is in fact harvesting any details entered into it, and it remains one of the biggest problems on the internet. More and more companies are being targeted with ‘spear phishing’ campaigns that specifically try to fool their employees into entering log-in details that can then be used to gain access to the company’s systems.
The problem is that while web browsers are getting better at identifying fraudulent sites, they can’t keep up with the number of phishing pages out there, and people aren’t getting much better at recognising dodgy links in emails: links that appear genuine but for one or two letters swapped, dropped or out of sequence, which is the traditional way of propagating a phishing attack. Worse, browsers on mobile phones often hide the URL of the site you’re visiting, leaving their users even more vulnerable to such attacks.
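As an added example (not part of this article, and not Phish5’s own code), here is the kind of check a link filter or an awareness tool could run to catch the “one or two letters out” trick the paragraph above describes. It extracts the real hostname from a URL, then flags hosts that are within a couple of edits (including two swapped letters) of a trusted domain, or that merely use a trusted name as the first label of some other domain. The trusted-domain list and the sample links are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: domains the organisation treats as genuine.
TRUSTED_DOMAINS = ["example.com", "mail.google.com", "twitter.com"]


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL.

    urlsplit() drops userinfo and ports, so "http://example.com@evil.net/"
    yields "evil.net": the text before the @ is a username, not the host.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: an insertion, a deletion, a
    substitution or a swap of two adjacent characters each cost 1, so
    "exmaple" is one edit away from "example"."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution or match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_trusted_domain).

    verdict is "trusted" (the host is a trusted domain or a subdomain of one),
    "lookalike" (the host imitates a trusted domain) or "unknown".
    """
    host = host_of(url)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted", t
    # Trusted name used as the leading label of someone else's domain,
    # e.g. twitter.com.account-check.net: the registrable domain is the tail.
    for t in trusted:
        if host.startswith(t + "."):
            return "lookalike", t
    # Typosquats: compare the host (minus a leading "www.") with each trusted domain.
    bare = host[4:] if host.startswith("www.") else host
    best = min(trusted, key=lambda t: edit_distance(bare, t))
    if 0 < edit_distance(bare, best) <= max_distance:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing mail.
    for link in ["https://www.example.com/login", "http://examp1e.com/login",
                 "https://exmaple.com/", "https://twiter.com/reset",
                 "https://twitter.com.account-check.net/verify",
                 "http://example.com@evil.net/", "https://unrelated.org/"]:
        print(f"{link:48} {classify_link(link)}")
```

A distance threshold of 2 is deliberately tight: longer thresholds start matching unrelated short domains, and a real deployment would also normalise Unicode homoglyphs and check the registrable domain against a public-suffix list rather than trusting label counts.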
Haroon Meer, founder of Thinkst and developer of Phish5, explained to htxt that the site was developed for a client whose employees were being specifically targeted by hackers. The IT department wanted a way of educating employees about the dangers of phishing, and why software defences aren’t enough – people need to be vigilant too. Now, he says, whenever an IT training session is organised, the IT department can test employee awareness before it begins.
“There are tools like Backtrack Security that IT managers can use to create fake phishing mails and sites,” Haroon explains, “But they’re complex to use and require a server to be set up and maintained. What we wanted to do was create something simple that even a small company can use, and is entirely web-based.”
And before you think it, no, you can’t use it for nefarious ends. Phish5 has two built-in protections: first, it isn’t free – it costs from $99 for five campaigns – and second, you can only use it against colleagues on your own email domains. Check it out here.