Introduction and Motivations
In the video at the end of this article, we will talk about building a custom Phishing Framework in Python.
We will start by describing the motivations for such a phishing framework: in the current cyber threat landscape, many advanced persistent threats employ spear-phishing campaigns to penetrate target networks, relying on the recipient clicking a malicious link or downloading and running malicious scripts (hidden to varying extents).
We will provide an open source framework that a target organization can use to test the cyber awareness of its employees and partners, sending phishing emails that resemble emails coming from a legitimate company and embedding a malicious link in them.
Then, we will see how we can store information about people who clicked on the link by setting up a Command and Control center in Python.
We will then show how to build fake versions of the legitimate websites to trick users into providing their credentials. If they enter credentials, these are written to a file that remains at our disposal.
This way, an organization will be able to assess whether its employees and partners are aware of phishing campaigns and able to recognize them.
Furthermore, this will also test email security products, which should be able to prevent, or at least detect, such a phishing campaign by showing warning messages to the user.
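To make the detection side of this last point concrete, the following is an added example (it is not part of the article's framework or the PyPhish project) showing two checks that email security products and awareness tooling commonly apply to an incoming message: a link whose visible text names one domain while its href points to another, and a Reply-To header whose domain differs from the From domain. The sample email, its addresses and the `.example` / `.net` domains are constructed for the example; the domain-reduction helper is a deliberately naive "last two labels" rule rather than a Public Suffix List lookup.

```python
import email
import email.policy
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Naive reduction to the last two labels (assumption: good enough for this
    # example; production code would consult the Public Suffix List instead).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    # Accept both full URLs and bare domains such as "www.example-corp.com".
    s = url_or_text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", s, re.I):
        s = "http://" + s
    try:
        return urlparse(s).hostname or ""
    except ValueError:
        return ""


# Anchor text that itself looks like a URL or domain, e.g. "https://www.example-corp.com/reset".
DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$", re.I)


def find_mismatched_links(html):
    """Return anchors whose displayed domain differs from the domain the href really points to."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not DOMAIN_LIKE.match(text):
            continue  # plain words like "our help page" carry no domain claim to compare
        shown = registrable_domain(host_of(text))
        actual = registrable_domain(host_of(href))
        if shown and actual and shown != actual:
            findings.append({"shown": text, "href": href,
                             "shown_domain": shown, "actual_domain": actual})
    return findings


def reply_to_mismatch(msg):
    """Return the From/Reply-To domain pair when they differ, else None."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if not from_addr or not reply_addr:
        return None
    from_dom = registrable_domain(from_addr.rpartition("@")[2])
    reply_dom = registrable_domain(reply_addr.rpartition("@")[2])
    return None if from_dom == reply_dom else {"from_domain": from_dom, "reply_to_domain": reply_dom}


def analyze_message(raw):
    """Run both checks over a raw RFC 5322 message and report the indicators found."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"link_mismatches": find_mismatched_links(html),
            "reply_to_mismatch": reply_to_mismatch(msg)}


# Constructed sample message: the visible link claims example-corp.com, the href
# goes elsewhere, and replies would be routed to a different domain than the sender's.
SAMPLE_EMAIL = """\
From: IT Support <support@example-corp.com>
Reply-To: helpdesk@example-corp.attacker-mail.example
To: employee@example-corp.com
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it at
<a href="http://login.example-corp.example.net/reset">https://www.example-corp.com/reset</a></p>
<p>Questions? Visit <a href="https://www.example-corp.com/help">our help page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE_EMAIL).items():
        print(key, "->", value)
```

Run stand-alone, the script reports one mismatched link (shown `example-corp.com`, actual `example.net`) and the From/Reply-To mismatch; the second anchor is skipped because its text makes no domain claim. Both indicators are exactly the kind of signal a mail gateway can surface as a warning banner, which is why an awareness campaign built with a framework like this one doubles as a test of the organization's email security stack.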
References
Phishing attacks are a kind of social engineering attack, in which an attacker uses human interaction to obtain or compromise information about an organization.
In addition to the technical measures used to detect and prevent such attacks, security best practices generally recommend periodic user training to raise awareness of these kinds of attacks, which may take different forms.
As an example, CISA (Cybersecurity and Infrastructure Security Agency) released a short guide, Security Tip (ST04-014), on avoiding social engineering and phishing attacks, which you can find at this link: https://www.cisa.gov/uscert/ncas/tips/ST04-014
In addition, NIST (National Institute of Standards and Technology) published some tips at this page: https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/phishing and there is also a special publication that covers email security in depth (although email is not the only vector for phishing attacks, it is still one of the most relevant, if not the most relevant of all): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-177r1.pdf
Naturally, every cyber security certification references phishing in its syllabus, whether it is CISSP (domain 1.13), CISA, CISM, C|EH, CompTIA Security+ or the like.
Download
This project is open source and will be updated at this page: https://github.com/Balzu/PyPhish