When was the last time you received a phishing email? Did you ever fall for a scam campaign? Have your credentials already been leaked?
We continuously strive to improve software security based on a better understanding of software risks and threats, which we gain by implementing prototypes in dynamic languages. In this project, we want to shed light on different phishing schemes, their flexibility, and their likelihood of going unnoticed by victims. Traditional internet browsing sessions are non-deterministic: highly dependent on the surfers’ environment and mood, their web site visits differ completely from one session to the next and are (almost) unpredictable. Therefore, such behavior requires phishing pages that can be built on demand.
A few problems you’ll be confronted with:
On the internet, one can find countless step-by-step guides on how to turn a regular page into a phishing site [1]. In addition, many professional phishing frameworks exist [2] [3] [4]; however, they all require hand-crafted phishing site templates to perfectly suit the needs of their creators. We found no tool that can build phishing web sites on demand without any manual intervention.
In this project, we want to explore the limitations, difficulties, and likelihood of tricking people into providing their credentials to a dynamically generated phishing web site.
Your task will consist of:
[1] How to create a phishing page (in 11 steps)
[2] Gophish
[3] Ninja Phishing Framework
[4] Phishing Frenzy