2014/10/13

Phishing with www.SafeLogin.co

As a security consultant and penetration tester, one of the various activities I had to perform was a phishing exercise.
“Phishing is misrepresentation where the criminal uses social engineering to appear as a trusted identity. They leverage the trust to gain valuable information; usually details of accounts, or enough information to open accounts, obtain loans, or buy goods through e-commerce sites. Up to 5% of users seem to be lured into these attacks, so it can be quite profitable for scammers, many of whom send millions of scam e-mails a day.” — as quoted from OWASP
A few days ago, a colleague pointed me to www.webscript.io and to a simple phishing site he created on it. I took a look and was very impressed by the simplicity of it and how easy it was to set up the phishing site. For a complete writeup on his “Phishing with WebScript.io” experience, check out his site: http://averagesecurityguy.info

This got me thinking: while webscript.io is an amazing site, it is overkill for a simple phishing site. I thought I could create a simple site (just a few back-end scripts, Apache, etc…) that could act as a “Proof of Concept” phishing site generator.

…and thus was born: http://www.safelogin.co

www.SafeLogin.co is a bare-bones website which allows a visitor to set up a phishing site of their very own (only for sites they are legally allowed to, as per the Terms of Use). All they need to provide is a target URL (the site to be cloned) and a unique phishing site name (.safelogin.co). All sites are kept alive for 7 days, at which time all data is erased.

www.SafeLogin.co does not (at this time) provide capabilities for sending the phishing emails; that must be handled by the user.

Please take a look and if you experience any issues or have any suggestions, please feel free to let me know.
