Tech Echo (科技回声)
A tech news platform built on Next.js, carrying global tech news and discussion (a Hacker News mirror).
© 2025 Tech Echo (科技回声). All rights reserved.

Show HN: Phishing as a service

155 points, by naftaliharris, almost 10 years ago

22 comments

chrissnell, almost 10 years ago
I wrote some Perl years back to take the fight to phishers. You would provide my script with the field names and POST URL of the HTML form within the phishing email, along with some generic types for each form field. There were types for first names, last names, email, addresses, usernames, passwords, social security numbers, and credit card numbers. The script would generate fake but real-looking values for each of these things (the credit card numbers would even pass a checksum test) and then post to the URL. It would do this as fast as the remote end would accept them, with the aim of filling out their database (typically a text file on some compromised server) with bullshit data, making it hard to pick out the legit data from victims.

It worked wonderfully. I used it through proxies when I could and watched the phishers try to block me or even attack me back.
pspace, almost 10 years ago
I work in security at a large Fortune 500 company. I know at first it sounds like phishing your employees will give you good insight, but you realize quickly that the data you get is not very useful. Here are the roadblocks I've hit with these kinds of simulation phishing services:

1. They rely on e-mail while phishing attacks come from multiple sources like Facebook and LinkedIn. Sadly, using those services to simulate phishing attacks violates their ToS.

2. Simulation phishing only provides pass or fail data, meaning you cannot determine your weakest links in the organization. At best you get an "average" snapshot.

3. The data isn't very accurate or precise because there are too many confounding variables involved: time of day, subject matter, type of phishing (attachment, social engineering, etc.). Normally we ran our campaigns once a month but this wasn't enough to produce stable results.

4. Clicking doesn't mean they fell victim to the attack -- lots of people click to investigate, then report the links. Ideally, I'd like to specifically know WHY the employee clicked the link and HOW MUCH was actually at stake.

5. It pisses people off. There is enough animosity against us security folks that tricking your employees really hurts that relationship. People feel taken advantage of.

6. It doesn't actually improve security in any meaningful way. I found that it didn't actually improve people's ability to spot and report phishing attempts. They either became paranoid to the point where they were no longer productive in legitimate emails, or they had no improvements over time.

7. There's a growing body of knowledge that dismisses the effectiveness of this kind of phishing training (http://www.govinfosecurity.com/interviews/training-doesnt-mitigate-phishing-i-2148?).

With that being said, our company has tried about a dozen of these kinds of services and the best one so far has been one called Apozy that is rather new. It's a different approach, but the data and insight you get back is actually very useful.
jedberg, almost 10 years ago
There are many sites like this and I love what they are doing for raising awareness. As one of the first people to ever fight phishing (I worked at eBay and PayPal fighting phishing before there was a word for it), I'm keenly aware that awareness is the only way to really stop it.

That being said, I don't like these reports, because any time I get a phishing email I immediately load it up in a protected VM to see what it does, so it would count me as a victim. Since the page you go to isn't a real-looking login page, you can't differentiate between those who fall for it and those who just clicked to see what it was.

You need to actually set up the fake page and see who puts in valid credentials to get a true report.
zensavona, almost 10 years ago
The FAQ page is 10/10: https://cuttlephish.com/faq
x0ry, almost 10 years ago
Love it! My recommendation would be to offer an option for allowing the target to be tricked through the whole process (even if credentials are discarded completely). The idea here is that nothing is left to the imagination. What you have is great, but it requires them to read and be observant, which is not the type of person who falls for phishing emails. Clicking the link is "No-No" #1; don't exclude "No-No" #2 from your process.
randomflavor, almost 10 years ago
You should send the emails, and charge me to view the report.
watmough, almost 10 years ago
Neat, but doesn't seem very IT/corporate, which would surely be the intended audience.

My company uses these guys: http://www.knowbe4.com/
Buge, almost 10 years ago
I often intentionally click links to phishing sites, and sometimes enter fake usernames and passwords. (I even wrote several bots to auto-enter thousands of random usernames and passwords.)

I don't like the "click link = you lose" idea.
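chrissnell's Perl script above and Buge's bots describe the same countermeasure: flood the phishing kit's form handler with plausible junk so the genuine victim entries are hard to pick out. The following is an added example, not code from either commenter or from Cuttlephish; the name lists, the field-type names, the form field names and the target URL are constructed placeholders. It generates card numbers that pass the Luhn checksum (the "checksum test" chrissnell mentions), builds one record per form field, and hands the URL-encoded body to a sender callback, so running it as written makes no network requests.

```python
import random
import string
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample vocabulary; a real run would use much larger name lists.
FIRST_NAMES = ["Alice", "Brian", "Carla", "Deshawn", "Elena", "Farid", "Grace", "Hiro"]
LAST_NAMES = ["Okafor", "Lindqvist", "Martinez", "Chen", "Novak", "Patel", "Rossi", "Walsh"]
STREETS = ["Oak St", "Maple Ave", "Harbor Rd", "Pine Ct", "Ridge Blvd"]
MAIL_DOMAINS = ["example.com", "example.net", "example.org"]
# Leading digits of the major card schemes; the remaining digits are random.
CARD_PREFIXES = {"visa": "4", "mastercard": "5", "amex": "37"}


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn test."""
    total = 0
    # Walk right to left; the digit next to the (future) check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn check, as a phishing kit's card validator would apply it."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def fake_card(rng: random.Random, scheme: str) -> str:
    prefix = CARD_PREFIXES[scheme]
    length = 15 if scheme == "amex" else 16
    body = prefix + "".join(rng.choice(string.digits) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


def fake_ssn(rng: random.Random) -> str:
    # Skip area numbers that are never issued (000, 666, 900-999) so the value looks plausible.
    area = rng.choice([a for a in range(1, 900) if a != 666])
    return f"{area:03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}"


def fake_record(field_types: Dict[str, str], rng: random.Random) -> Dict[str, str]:
    """Build one form submission; field_types maps form field name -> generic type."""
    first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
    alphabet = string.ascii_letters + string.digits
    values = {
        "firstname": first,
        "lastname": last,
        "email": f"{first.lower()}.{last.lower()}{rng.randint(1, 99)}@{rng.choice(MAIL_DOMAINS)}",
        "username": f"{first[0].lower()}{last.lower()}{rng.randint(10, 999)}",
        "password": "".join(rng.choice(alphabet) for _ in range(rng.randint(8, 14))),
        "address": f"{rng.randint(10, 9999)} {rng.choice(STREETS)}",
        "ssn": fake_ssn(rng),
        "creditcard": fake_card(rng, rng.choice(sorted(CARD_PREFIXES))),
    }
    unknown = set(field_types.values()) - set(values)
    if unknown:
        raise ValueError(f"unknown field types: {sorted(unknown)}")
    return {field: values[ftype] for field, ftype in field_types.items()}


Sender = Callable[[str, bytes], None]


def http_sender(url: str, body: bytes) -> None:
    """Real delivery: a form POST that looks like a browser submission. Not called by default."""
    req = Request(url, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0",
    })
    with urlopen(req, timeout=10) as resp:
        resp.read()


def flood(post_url: str, field_types: Dict[str, str], count: int,
          sender: Sender, seed: Optional[int] = None) -> List[Dict[str, str]]:
    """Generate `count` records, hand each URL-encoded body to `sender`, return what was sent."""
    rng = random.Random(seed)
    sent = []
    for _ in range(count):
        record = fake_record(field_types, rng)
        sender(post_url, urlencode(record).encode())
        sent.append(record)
    return sent


if __name__ == "__main__":
    # Field names as copied from the phishing page's <form>; the URL is a constructed placeholder.
    form = {"fname": "firstname", "lname": "lastname", "user": "username",
            "pass": "password", "cc": "creditcard", "ssn": "ssn"}
    captured: List[bytes] = []
    for rec in flood("http://phish.invalid/login.php", form, 3, lambda u, b: captured.append(b), seed=1):
        print(rec)
```

Swapping the dry-run lambda for `http_sender` (through a proxy, as chrissnell did) is what actually posts. The point of the Luhn step is that a kit which validates card numbers before writing them would otherwise discard the noise and keep only the real entries.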
runn1ng, almost 10 years ago
Hm. I often click on obviously phishing links to see what's there. Would this tool classify me as a victim?
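jedberg, Buge and runn1ng raise the same measurement problem, and pspace's point 4 is the same complaint: a click is not a compromise, and a simulation that records only clicks counts investigators and sandbox users as victims. The following is an added example, not Cuttlephish's code, that turns a constructed event log from a simulation's mail, link and landing-page handlers into a per-recipient outcome. It assumes the landing page records a `submitted` event carrying a `valid=0/1` verification result (for instance from a test bind against the directory) and never the password itself; the log format, user names and timestamps are all made up for the example.

```python
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Tuple

# Constructed campaign log: timestamp, recipient, event, detail.
SAMPLE_LOG = """\
ts,user,event,detail
2015-06-29T09:01:02Z,alice,delivered,
2015-06-29T09:05:10Z,alice,clicked,
2015-06-29T09:05:40Z,alice,submitted,valid=1
2015-06-29T09:01:02Z,bob,delivered,
2015-06-29T09:03:00Z,bob,clicked,
2015-06-29T09:03:30Z,bob,reported,
2015-06-29T09:01:02Z,carol,delivered,
2015-06-29T09:07:00Z,carol,reported,
2015-06-29T09:01:02Z,dave,delivered,
2015-06-29T09:10:00Z,dave,clicked,
2015-06-29T09:11:00Z,dave,submitted,valid=0
2015-06-29T09:12:00Z,dave,submitted,valid=0
2015-06-29T09:01:02Z,erin,delivered,
2015-06-29T09:01:02Z,frank,delivered,
2015-06-29T09:20:00Z,frank,clicked,
"""

Event = Tuple[str, str, str]  # (timestamp, event, detail)


def parse_log(text: str) -> Dict[str, List[Event]]:
    """Group events per recipient, ordered by timestamp (ISO 8601 sorts lexically)."""
    per_user: Dict[str, List[Event]] = defaultdict(list)
    for row in csv.DictReader(StringIO(text)):
        per_user[row["user"]].append((row["ts"], row["event"], row["detail"]))
    for events in per_user.values():
        events.sort()
    return dict(per_user)


def classify(events: List[Event]) -> str:
    """Map one recipient's event sequence to an outcome.

    A valid credential submission is a compromise even if the user reported the
    mail as well (the credential is out, but the alarm was raised); a report
    after only a click is an investigator, not a victim; junk credentials alone
    are a probe, which is what Buge's bots would look like.
    """
    kinds = [e for _, e, _ in events]
    valid_submit = any(e == "submitted" and d == "valid=1" for _, e, d in events)
    if valid_submit:
        return "compromised_and_reported" if "reported" in kinds else "compromised"
    if "submitted" in kinds:
        return "probed"
    if "reported" in kinds:
        return "investigated" if "clicked" in kinds else "reported"
    if "clicked" in kinds:
        return "clicked_only"    # ambiguous: sandbox, curiosity, or a near miss
    return "no_action"


def outcomes(text: str) -> Dict[str, str]:
    return {user: classify(ev) for user, ev in parse_log(text).items()}


def campaign_metrics(text: str) -> Dict[str, float]:
    """The two numbers that should never be conflated: click rate and compromise rate."""
    per_user = parse_log(text)
    result = outcomes(text)
    delivered = [u for u, ev in per_user.items() if any(e == "delivered" for _, e, _ in ev)]
    n = len(delivered) or 1
    clicked = sum(1 for u in delivered if any(e == "clicked" for _, e, _ in per_user[u]))
    compromised = sum(1 for u in delivered if result[u].startswith("compromised"))
    reporters = ("reported", "investigated", "compromised_and_reported")
    reported = sum(1 for u in delivered if result[u] in reporters)
    return {
        "delivered": len(delivered),
        "click_rate": round(clicked / n, 3),
        "compromise_rate": round(compromised / n, 3),
        "report_rate": round(reported / n, 3),
    }


if __name__ == "__main__":
    for user, outcome in sorted(outcomes(SAMPLE_LOG).items()):
        print(f"{user:8s} {outcome}")
    print(campaign_metrics(SAMPLE_LOG))
```

On the sample log the click rate is 0.667 while the compromise rate is 0.167: four of six recipients clicked, but only alice handed over a working credential, and bob's click followed by a report is the investigator case jedberg and runn1ng describe.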
jwcrux, almost 10 years ago
Neat! I really like the easy pricing model.

Quick question: are you concerned about trademarks (Amazon and such) being included as the phishing templates? Reason I ask is that I'm working on a hosted project [1] similar to this and have considered including default templates. I've held off for this exact reason.

Edit: another question. Your screenshot on the intro page shows an email (in the Gmail client) coming from "support@github.com". GitHub has SPF records set up, so I would be interested to know how you manage to spoof the actual email address itself without getting flagged as spam.

[1] http://github.com/jordan-wright/gophish
reagency, almost 10 years ago
Consider changing pricing to $/click (pay per victim), so that companies are paying for the value you provide (detecting security holes), and the CTO can "bet" the CEO that employees need better training/protection.

Much more upside for you.
gitaarik, almost 10 years ago
What if this site occasionally sends out real phishing mails? If a lot of sites are using it, they would have interesting stats one could use to target the right audience.

Not saying they would, but they could get hacked, of course...
gnyman, almost 10 years ago
Another service which does a similar thing and has been around some time. I used them, but the spam filter ate all my fake mail, as it should :-) https://phish5.com/
hrbrtglm, almost 10 years ago
How do you send your emails?

If your customer is using Google Domains, Microsoft 365 or whatever else, and the employees do not fall for your phishing attempt and report your mail as spam, you may be heading for some trouble with delivery afterward.
noobermin, almost 10 years ago
In case anyone was curious, the "phishing" URLs in the phishing emails lead to this page: https://cuttlephish.com/cuttlephished
ahmetmsft, almost 10 years ago
I was doing exactly the same project probably 8 years ago when I was still a high school student. I used to have a lot of websites too, but I never launched, as I thought phishing is probably illegal and unethical.
fokz, almost 10 years ago
This is a useful service. But I imagine there will be some nontrivial issues regarding spam filtering, server reputation, legal, etc.

How do you do email authentication? What are the headers that you put on your email?
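jwcrux asks how a simulation can show support@github.com as the sender when GitHub publishes SPF, and fokz asks what authentication the service uses. The following added example (not the service's code; the domains, IPs and records form a constructed in-memory zone rather than live DNS) evaluates a simplified SPF record for a sending IP and then applies the DMARC identifier-alignment check that ties the visible From: header to the SPF-checked envelope domain. Only the ip4/ip6, include and all mechanisms are modelled; a, mx, ptr and exists need real DNS and are reported as permerror.

```python
import ipaddress
from typing import Dict

# Constructed zone: what the receiving MTA would get back from DNS TXT lookups.
ZONE: Dict[str, str] = {
    "example-corp.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.test -all",
    "_spf.mailvendor.test": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
    "phish-sim.test": "v=spf1 ip4:192.0.2.25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, zone: Dict[str, str], depth: int = 0) -> str:
    """Simplified RFC 7208 evaluation of `domain`'s SPF record for `sender_ip`.

    Returns pass / fail / softfail / neutral / none / permerror. The domain
    checked is the envelope MAIL FROM (RFC5321.MailFrom), not the From: header.
    """
    if depth > 10:
        return "permerror"               # include loop or excessive recursion
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:
            continue                     # modifiers (redirect=, exp=) not modelled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # An address of the other IP version never matches the network.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            inner = check_spf(arg, sender_ip, zone, depth + 1)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"
        elif mech == "all":
            matched = True
        else:
            return "permerror"           # a, mx, ptr, exists need DNS and are out of scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched and no explicit all


def org_domain(domain: str) -> str:
    """Crude organisational domain (last two labels); real DMARC uses the public suffix list."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def dmarc_spf_alignment(header_from: str, mail_from: str, sender_ip: str,
                        zone: Dict[str, str], strict: bool = False) -> Dict[str, object]:
    """SPF result for the envelope domain plus the DMARC alignment test against From:."""
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    env_domain = mail_from.rsplit("@", 1)[-1].lower()
    spf = check_spf(env_domain, sender_ip, zone)
    if strict:
        aligned = hdr_domain == env_domain
    else:
        aligned = org_domain(hdr_domain) == org_domain(env_domain)
    return {"spf": spf, "aligned": aligned, "dmarc_spf_pass": spf == "pass" and aligned}


if __name__ == "__main__":
    # 1. Genuine mail from the corp's own relay: SPF pass, aligned.
    print(dmarc_spf_alignment("support@example-corp.test", "bounce@example-corp.test", "203.0.113.7", ZONE))
    # 2. Spoofed envelope and header from an unrelated host: SPF fail on the -all record.
    print(dmarc_spf_alignment("support@example-corp.test", "bounce@example-corp.test", "192.0.2.25", ZONE))
    # 3. The usual simulation trick: the envelope sender is the sim's own domain, so SPF
    #    passes, but it does not align with the spoofed From:, so DMARC SPF alignment fails.
    print(dmarc_spf_alignment("support@example-corp.test", "bounce@phish-sim.test", "192.0.2.25", ZONE))
```

Case 3 is the answer to jwcrux's puzzle: SPF is evaluated against the envelope MAIL FROM, which the sender controls, so a message can pass SPF while still displaying any From: address. Whether the receiver then accepts it depends on the From: domain's DMARC policy, which is exactly the alignment check the last function performs.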
mikeknoop, almost 10 years ago
Love the brand and name (reminds me of https://www.youtube.com/watch?v=GDwOi7HpHtQ).
it_learnses, almost 10 years ago
Are you hiring?
reagency, almost 10 years ago
Would a company want to give you a list of corporate email addresses?
talles, almost 10 years ago
That's a refreshing idea for a change. Well done!
jmatthew3, almost 10 years ago
It's a living.