Phishing Frenzy: 7 seconds from hook to sinker

DerbyCon 3.0 - All In The Family

Presented by: Brandon McCann
Date: Saturday September 28, 2013
Time: 09:00 - 09:25
Location: Stable
Track: Stable Talks

“Email phishing attacks are a prevalent threat against any organization, large or small. As professionals in the security field we need to be able to give our clients the "look" and feel of what a real "bad guy" hacker may do to attack an organization. Creating email phishing campaigns can oftentimes be a complex and time-consuming process. What if we could leverage a framework that could manage our phishing campaigns, phishing templates, and even track advanced statistics easily throughout the campaign? Feast your eyes on the new addition to the open source and infosec community. "Phishing Frenzy" The Advanced Phishing Framework. Phishing Frenzy is a database-driven web application written in Ruby on Rails that helps penetration testers manage their phishing campaigns by providing a framework that is easy to build and manage templates for future engagements. Build a phishing template in the Phishing Frenzy architecture, and you're ready to use that template for all future assessments. The framework allows for the creation and management of phishing campaigns. Some of this management includes configuring Apache to use virtual hosts so many campaigns can run on a single box, encoding email addresses within the URL so unique visitors can be tracked using advanced statistic generation. No phishing campaign is complete without a phishing scenario. That's why the Phishing Frenzy offers the ability to manage phishing scenarios through a template creation, manipulation and reuse process. Templates can be assigned to any campaign for quick, easy creation of a phishing campaign that not only looks legit, but will bait end users into your trap to gain the keys to the client's kingdom. Reporting for phishing campaigns can often become a cumbersome task, having to look through various web logs to determine users that visited the phishing website, or even downloaded a malicious executable, or determine which users entered passwords into the web form.
Phishing Frenzy manages all steps required for advanced statistic reporting. The reporting console is assisted with Google charts to plot and visualize the impact of your phishing campaign along with the results that are yielded throughout the timeline of the campaign. Email phishing is a prevalent threat against all organizations that cannot be taken lightly. Having the ability to launch effective email phishing campaigns to make an impact to our clients is key to the success of mitigating these types of risks to the organization. We must be able to create and stimulate real world threats within a given budget, and this is why pentesters can now leverage Phishing Frenzy to create, manage, and execute professional phishing attacks.

Screenshots:

https://dl.dropboxusercontent.com/u/18768757/pf-login.png

https://dl.dropboxusercontent.com/u/18768757/pf-dashboard.png

https://dl.dropboxusercontent.com/u/18768757/pf-templates.png

https://dl.dropboxusercontent.com/u/18768757/pf-options.png

https://dl.dropboxusercontent.com/u/18768757/pf-stats.png”

Brandon McCann

“Senior Security Assessor – Accuvant LABS

Brandon is a Senior Security Assessor with over seven years of experience in the Information Technology field. Brandon currently performs red team attack simulations, network penetration testing, internal vulnerability assessments, social engineering engagements, and various other technology consulting projects. Brandon is the co-founder of pentestgeek.com and previously served as a Network Administrator for a nation-wide advertising firm. Brandon has also written many publications on Disaster Recovery that have been published in a variety of scholarly journals, and discussed at various conferences. Brandon is an active part of the open source, Metasploit and infosec community.

Certifications and Training
• Degree in Accounting
• Minor in Business Computer Information Systems
• OSCP, GCFA, CCENT, MCP
• SANS Lethal Forensicator”

