Creating a Phishing Framework in Python

Phishing is a dangerous and effective kind of social engineering attack, in which an attacker uses human interaction to obtain or compromise information about an organization. Defending against phishing requires security awareness training in addition to good technical protections. In this series of articles, we present a phishing framework that can be used to assess the cyber awareness of an organization.

Introduction and Motivations

In the video at the end of this article, we describe how to build a custom phishing framework in Python. We start with the motivation for such a framework: in the current threat landscape, many advanced persistent threats use spear-phishing campaigns to gain a foothold in target networks, relying on the recipient clicking a malicious link or downloading and running a malicious (and more or less hidden) script. We provide an open-source framework that an organization can use to test the cyber awareness of its employees and partners by sending phishing emails that resemble emails from a legitimate company and embed a malicious link. Then we show how to record information about the people who clicked the link by setting up a command-and-control server in Python. Next, we show how to build fake versions of legitimate websites to trick users into entering their credentials; any credentials entered are written to a file at our disposal. In this way an organization can assess whether its employees and partners are able to recognize a phishing campaign. The exercise also tests the email security products in place, which should prevent, or at least detect, the campaign, for instance by showing warning messages to the user.
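As an added illustration of the click-tracking and credential-capture part of such a framework (this is example code written for this page, not the PyPhish project's own code), the following minimal server attributes each click to a recipient through a per-recipient HMAC token embedded in the link, serves a fake login form, and appends click and submission events to a JSON-lines log. The campaign secret, the log path, the recipient list and the form markup are assumptions chosen for the example. One deliberate departure from the description above: the password itself is never written to disk, only the fact that one was entered, which is all an awareness test needs in order to score the result.

```python
import hashlib
import hmac
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Assumptions (not from the article): a per-campaign secret used to derive
# tokens, a JSON-lines event log, and a constructed sample recipient list.
SECRET = b"change-me-per-campaign"
LOG_PATH = "events.jsonl"
RECIPIENTS = ["alice@example.com", "bob@example.com"]

# Minimal fake login page; the hidden field carries the token into the POST.
FORM = """<html><body><h2>Sign in</h2>
<form method="POST" action="/login">
<input type="hidden" name="t" value="{token}">
<input name="user" placeholder="Email"><input name="pw" type="password">
<button>Sign in</button></form></body></html>"""


def make_token(recipient):
    """Per-recipient token: attributes a click without putting the address in the URL."""
    return hmac.new(SECRET, recipient.lower().encode(), hashlib.sha256).hexdigest()[:16]


def build_link(base_url, recipient):
    """The link to embed in the phishing email sent to this recipient."""
    return f"{base_url}/login?t={make_token(recipient)}"


def resolve_token(token, recipients=RECIPIENTS):
    """Map a token back to a recipient; forged or unknown tokens resolve to None."""
    if not token.isascii():
        return None
    for r in recipients:
        if hmac.compare_digest(make_token(r), token):
            return r
    return None


def record(event, path=LOG_PATH):
    """Append one event as a JSON line so the log can be parsed later."""
    event = dict(event, ts=int(time.time()))
    with open(path, "a", encoding="utf-8") as f:
        f.write(json.dumps(event) + "\n")
    return event


def handle_click(token, path=LOG_PATH, recipients=RECIPIENTS):
    """Stage 1: the recipient followed the link; log it and return the fake form."""
    who = resolve_token(token, recipients)
    if who is None:
        return 404, "Not found", None
    event = record({"type": "click", "recipient": who}, path)
    return 200, FORM.format(token=token), event


def handle_submit(body, path=LOG_PATH, recipients=RECIPIENTS):
    """Stage 2: credentials posted. Store the username and whether a password
    was typed; the password value itself is discarded on purpose."""
    form = parse_qs(body)
    token = form.get("t", [""])[0]
    who = resolve_token(token, recipients)
    if who is None:
        return 404, "Not found", None
    event = record({"type": "credentials", "recipient": who,
                    "user": form.get("user", [""])[0],
                    "password_entered": bool(form.get("pw", [""])[0])}, path)
    return 200, "Signed in. Redirecting...", event


class Handler(BaseHTTPRequestHandler):
    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        url = urlparse(self.path)
        token = parse_qs(url.query).get("t", [""])[0]
        if url.path == "/login":
            code, body, _ = handle_click(token)
        else:
            code, body = 404, "Not found"
        self._send(code, body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode()
        code, reply, _ = handle_submit(body)
        self._send(code, reply)


if __name__ == "__main__":
    for r in RECIPIENTS:
        print(r, "->", build_link("http://127.0.0.1:8080", r))
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Running the script prints one link per recipient and then serves on 127.0.0.1:8080; each line of events.jsonl is one click or one submission with the recipient it belongs to. Because a token only resolves against the campaign list, scanners or curious visitors hitting the URL with a made-up token get a 404 instead of polluting the results.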

References

Phishing attacks are a kind of social engineering attack, in which an attacker uses human interaction to obtain or compromise information about an organization. In addition to the technical measures used to detect and prevent such attacks, security best practices generally recommend periodic user training to raise awareness of these attacks, which may take different forms.
As an example, CISA (Cybersecurity and Infrastructure Security Agency) released a short guide, Security Tip (ST04-014), on avoiding social engineering and phishing attacks, which you can find at this link: https://www.cisa.gov/uscert/ncas/tips/ST04-014
NIST (National Institute of Standards and Technology) also published some tips at this page: https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/phishing and there is a special publication that covers email security in depth (email is not the only vector for phishing attacks, but it is still one of the most relevant, if not the most relevant of all): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-177r1.pdf

Practically every cyber security certification covers phishing in its syllabus, be it CISSP (domain 1.13), CISA, CISM, C|EH, CompTIA Security+ and the like.

Download

This project is open source and will be updated at this page: https://github.com/Balzu/PyPhish

Video