Go phish your own staff: Dev builds open-source fool-testing tool
Dear Colleague, what's your password again? Send to firstname.lastname@example.org please!
Security-oriented programmer Jordan Wright has published a capable and slick open source framework to help businesses defend against phishing attacks.
The anti-phishing tool runs on 64-and-32-bit Windows, Mac, and Linux, and allows tech shops to send benign phishing emails to their staff in a bid to track which employees fall for the ruse.
Fake phishing is an effective and proven mechanism with companies like PhishMe popping up to help businesses fight the attack vector, which has claimed the likes of Target, Home Depot, RSA, and ICANN.
Virtually every attack group in existence relies on tricking staff with the emailed links and attachments. Business email compromise, a subset of phishing that tricks executives into wiring money to attackers, is estimated by the FBI to have cost US$740 million in the US alone since 2013.
Twitter is one of the largest companies to go public with its internal phishing campaign, which thanks to company-wide acceptance and mature feedback loops has dramatically reduced its exposure.
Good anti-phishing programs should be designed to be seen by staff as fun with rewards for those who evade the traps, and slick and quick educational notes to help those who do.
Phishing emails should seem increasingly legitimate as staff become adept at spotting the more obvious mock attacks.
“Gophish is a phishing framework that makes the simulation of real-world phishing attacks dead simple,” Wright says describing the platform as industry-grade phishing training available to all.”
It allows admins to track campaigns, use templates, and capture credentials inserted into the phishing emails.
The platform was written in Go and has been posted to GitHub where it's had more than 300 commits at the time of writing. It differs from some other anti-phishing platforms in part because it is hosted on premises rather than in the cloud, “There are many commercial offerings that provide phishing simulation/training [but] unfortunately, these are SaaS solutions that require you to hand over your data to someone else,” the GoFish team says.
The Simple Phishing Toolkit is another established open source phishing platform along with the more capable and advanced Social-Engineer Toolkit which includes the ability to send payloads and be well suited for penetration testers.
Wright says Gophish is different from those in its ease of use adding that he hopes to integrate it with the advanced Toolkit in the future.
For now his team promises to regularly maintain the software. ®