
Show HN: Phishing as a service - naftaliharris
https://cuttlephish.com
======
chrissnell
I wrote some Perl years back to take the fight to phishers. You would provide
my script with the field names and POST URL of the HTML form within the
phishing email, along with some generic types for each form field. There were
types for firstnames, lastnames, email, addresses, usernames, passwords,
social security numbers, and credit card numbers. The script would generate
fake but real-looking values for each of these things--the credit card numbers
would even pass a checksum test--and then post to the URL. It would do this as
fast as the remote end would accept them with the aim of filling out their
database (typically a text file on some compromised server) with bullshit
data, making it hard to pick out the legit data from victims.

It worked wonderfully. I used it through proxies when I could and watched the
phishers try to block me or even attack me back.

~~~
badinker
Do you still have a copy of that script? Would love to look at it.

------
pspace
I work in security at a large Fortune 500 company. I know at first it sounds
like phishing your employees will give you good insight, but you realize
quickly that the data you get is not very useful. Here are the roadblocks I've
hit with these kinds of simulation phishing services:

1. They rely on e-mail while phishing attacks come from multiple sources like
Facebook and LinkedIn. Sadly, using those services to simulate phishing
attacks violates their ToS.

2. Simulation phishing only provides pass or fail data meaning you cannot
determine your weakest links in the organization. At best you get an "average"
snapshot.

3. The data isn't very accurate or precise because there are too many
confounding variables involved. Time of day, subject matter, type of phishing
(attachment, social engineering, etc). Normally we ran our campaigns once a
month but this wasn't enough to produce stable results.

4. Clicking doesn't mean they fell victim to the attack -- lots of people
click to investigate then report the links. Ideally, I'd like to specifically
know WHY the employee clicked the link and HOW MUCH was actually at stake.

5. It pisses people off. There is enough animosity against us security folks
that tricking your employees really hurts that relationship. People feel taken
advantage of.

6. It doesn't actually improve security in any meaningful way. I found that
it didn't actually improve people's ability to spot and report phishing
attempts. They either became paranoid to the point where they were no longer
productive in legitimate emails, or they had no improvements over time.

7. There's a growing body of knowledge that dismisses the effectiveness of
this kind of phishing training
([http://www.govinfosecurity.com/interviews/training-doesnt-mitigate-phishing-i-2148?](http://www.govinfosecurity.com/interviews/training-doesnt-mitigate-phishing-i-2148?)).

With that being said, our company has tried about a dozen of these kinds of
services and the best one so far has been one called Apozy that is rather new.
It's a different approach but the data and insight you get back is actually
very useful.

~~~
lifeisstillgood
I get these (contracting at a Fortune 500) pretty regularly (last week for
example). They are pretty easy to spot and probably have some worthwhile
training value, but I can see that teasing out any useful data might be hard -
I suspect you will need a huge corpus of templates and a lot of employees.

Sadly I thought of setting up a company like this to do just this job. But
Apozy's gamification approach seems a good idea.

------
jedberg
There are many sites like this and I love what they are doing for raising
awareness. As one of the first people to ever fight phishing (I worked at eBay
and PayPal fighting phishing before there was a word for it), I'm keenly aware
that awareness is the only way to really stop it.

That being said, I don't like these reports, because any time I get a phishing
email I immediately load it up in a protected VM to see what it does, so it
would count me as a victim. Since the page you go to isn't a real looking
login page, you can't differentiate between those who fall for it and those
who just clicked to see what it was.

You need to actually set up the fake page and see who puts in valid
credentials to get a true report.

~~~
twelvechairs
Not to dismiss your experience (perhaps you had not heard the term yet) but
the term 'phishing' has been around longer (mid 90s at least) than eBay and
PayPal have been big enough to be phishing targets.

~~~
peteretep
I was deeply involved in the fledgling anti-spam industry in the early 2000s,
by way of the anti-virus industry, and it was not a common term then.
Wikipedia gives the first recorded use as '95, and that refers to it as
"fishing", and as being AOL-specific.

~~~
marpstar
I definitely remember old AOL "progz" referring to "fishing"/"phishing".
"Phreaking" was a very popular term before that, which is where I'm guessing
the f/ph replacement came from.

------
zensavona
the FAQ page is 10/10

[https://cuttlephish.com/faq](https://cuttlephish.com/faq)

~~~
ninjakeyboard
I noticed a serious issue with the documentation. I'm not able to go any
farther until this is corrected...

The documentation's FAQ page asks:

"How much phish could a cuttlephish phish if a cuttlephish could phish phish?"

This is not accurate based on my own testing. This should actually read:

"How much phish could a cuttlephish phish if a cuttlephish could phish phish
phish?"

If you can correct this error, I would love to start using your service

~~~
Intermernet
Also:

>Are cuttlephish phish?

>No. The term "phish" is deeply offensive to cuttlephish, who are proud
cephalopods.

s/cephalopods/cefalopods

------
x0ry
Love it! My recommendation would be to offer an option for allowing the target
to be tricked through the whole process. (Even if credentials are discarded
completely.) The idea here is nothing is left to the imagination. What you
have is great, but it requires them to read and be observant, which is not the
type of person who falls for phishing emails. Clicking the link is "No-No" #1,
don't exclude "No-No" #2 from your process.

~~~
naftaliharris
Thanks and thanks for the suggestion! One thought I'd had was longer/more in
depth campaigns. It's good to know other people would be interested in that as
well.

One thing I was concerned about was that people might not trust some random
guy on the internet to properly discard those credentials.

~~~
bigiain
I think you are completely correct in your second sentence there - there's no
way I'd use this if there was any chance of my colleagues actually disclosing
real credentials to a third party.

(Suspicious me is wondering if you're evil - 'cause if evil-me was in your
position, I'd be selectively showing your "you've been phished, ha ha!"
landing page to most people, but mining LinkedIn/Rapportive/Google for key
contacts at any domains that sign up, and displaying genuinely evil
credential-collecting-login pages if I got a hit from senior sysadmins or a
CTO/CIO/CSO...)

~~~
ThrustVectoring
The phishing page could be set up to have a fake form that sends no data, and
says "you've been phished" when someone tries to submit information to it.

At that level, though, the pen-tester really ought to have control over the
phishing landing page.

------
randomflavor
You should send the emails, and charge me to view the report.

~~~
TeMPOraL
That is an excellent idea! In fact, we've just implemented the billing
service, so please go to
[http://cuttIeph1sh.com/account/billing](http://cuttIeph1sh.com/account/billing),
log in to your account and provide your payment information to continue
receiving our phishing reports!

~~~
Intermernet
Cyrillic homographs[1] are your friend here :-)

[http://сuttlерhish.com/account/billing](http://сuttlерhish.com/account/billing)

(PunyCode [2]: [http://xn--uttlhish-f8g4if.com/account/billing](http://xn--uttlhish-f8g4if.com/account/billing))

Also, it seems that Firefox (v38.0.5 Windows) doesn't convert URL interpuncts
(mid-dots) into punycode, so clicking on something like
[http://www.billing·cuttlephish.com/](http://www.billing·cuttlephish.com/)
doesn't actually rewrite the URL in the address bar. Chrome converts it to
[http://www.xn--billingcuttlephish-c4a.com/](http://www.xn--billingcuttlephish-c4a.com/).

[1]: [https://en.wikipedia.org/wiki/IDN_homograph_attack](https://en.wikipedia.org/wiki/IDN_homograph_attack)

[2]: [https://en.wikipedia.org/wiki/Punycode](https://en.wikipedia.org/wiki/Punycode)

~~~
Manishearth
Filed
[https://bugzilla.mozilla.org/show_bug.cgi?id=1178095](https://bugzilla.mozilla.org/show_bug.cgi?id=1178095),
thanks!

~~~
Intermernet
No problem.

Out of interest, do the Firefox team and the Chromium team compare notes on
decisions like this?

Purely in this one area (IDN homograph attacks), it might be an idea to look
at the Chromium Unicode vetting rules (Which characters and combos get
"punycoded") as they seem to be more conservative from a "Latin" perspective.

I'm not sure if a "blacklist" (mentioned in the bug report) is the best way of
handling this. Perhaps only direct-encoding the "exemplar characters" for the
language setting, and punycoding everything else? I'm pretty sure it would
have eliminated the mid-dot issue, but perhaps this "whitelist" is too
prohibitive.
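The two Intermernet posts above (the Cyrillic homograph and mid-dot examples, and the "exemplar character whitelist" idea) can be put together into a display-decision check. This is an added example for the thread, not Firefox or Chromium code; `EXEMPLARS_LATIN` is a constructed stand-in for a locale's exemplar set, and the script detection is a heuristic built on Unicode character names.

```python
import unicodedata

# Constructed whitelist standing in for the "exemplar characters" of a
# Latin-script language setting. Only these non-ASCII letters are shown
# directly; any other non-ASCII label is rendered in its punycode form.
EXEMPLARS_LATIN = frozenset("äöüßéèêàâçñíóú")


def script_of(ch: str) -> str:
    """Heuristic script tag from the Unicode character name,
    e.g. 'CYRILLIC SMALL LETTER ES' -> 'CYRILLIC'. ASCII letters are Latin."""
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def to_ace(host: str) -> str:
    """Punycode (xn--) form of a hostname, label by label, via the stdlib IDNA codec."""
    return host.encode("idna").decode("ascii")


def label_is_suspicious(label: str, exemplars=EXEMPLARS_LATIN) -> bool:
    """True when a label mixes scripts (Cyrillic 'с' beside Latin 'uttl') or
    uses a non-ASCII character outside the whitelist (such as a mid-dot)."""
    scripts = {script_of(c) for c in label if c.isalpha()}
    if len(scripts) > 1:
        return True
    return any(not c.isascii() and c not in exemplars for c in label)


def display_form(host: str) -> str:
    """Host as an address bar should show it: Unicode only when every label
    passes the whitelist, otherwise the xn-- form so the substitution is visible."""
    if any(label_is_suspicious(label) for label in host.split(".")):
        return to_ace(host)
    return host


if __name__ == "__main__":
    # Constructed samples: the thread's Cyrillic homograph (U+0441, U+0435,
    # U+0440) and the mid-dot (U+00B7) case that Firefox 38 left unconverted.
    for host in ("cuttlephish.com",
                 "\u0441uttl\u0435\u0440hish.com",
                 "www.billing\u00b7cuttlephish.com",
                 "m\u00fcnchen.example"):
        print(f"{host!r:40} -> {display_form(host)}")
```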

------
watmough
Neat, but doesn't seem very IT/corporate, which would surely be the intended
audience.

My company uses these guys: [http://www.knowbe4.com/](http://www.knowbe4.com/)

------
Buge
I often intentionally click links to phishing sites, and sometimes enter in
fake usernames and passwords. (I even wrote several bots to auto enter
thousands of random usernames and passwords.)

I don't like the click link = you lose idea.

~~~
ta92929
What if the phishing site also has a 0 day?

~~~
Buge
If they have a 0 day for my browser, then they likely have an enormous budget
with tons of ways of getting it to me besides phishing. I click so many links
per day via reddit, HN, and other sites that the security gained by not
clicking a phishing link is likely less than the education value of clicking
it.

I think the actual danger for me of clicking a phishing link is opening a
phishing tab, then moving on to another tab, then a while later coming back to
the phishing tab but forgetting it was phishing and entering my password. 95%
of the time I remember to check the url before entering my stuff, but everyone
makes mistakes.

------
runn1ng
Hm. I often click on obviously phishing links to see what's there. Would this
tool classify me as a victim?

~~~
amjd
Me too. I often intentionally click on phishing links to see how well the page
is done and where it's hosted.

OP should probably consider adding login pages etc (discarding the
credentials) to actually find people who would fall for it, as someone here
suggested. Many people click the links just out of curiosity.

------
jwcrux
Neat! I really like the easy pricing model.

Quick question - are you concerned about trademarks (Amazon and such) being
included as the phishing templates? Reason I ask is that I'm working on a
hosted project [1] similar to this and have considered including default
templates. I've held off for this exact reason.

Edit - another question, your screenshot in the intro page shows an email (in
the Gmail client) coming from "support@github.com". Github has spf records
setup so I would be interested to know how you manage to spoof the actual
email address itself without getting flagged as spam.

[1] [http://github.com/jordan-wright/gophish](http://github.com/jordan-wright/gophish)

~~~
naftaliharris
Thanks, and very cool project!

> Quick question - are you concerned about trademarks (Amazon and such) being
> included as the phishing templates?

I'm honestly not 100% sure, but I think in the context of a phishing site
using trademarks like that falls under fair use. But IANAL.

> Github has spf records setup so I would be interested to know how you manage
> to spoof the actual email address itself without getting flagged as spam.

I don't know much about spf records, honestly--for every site I had to try
multiple "From" and "Reply-To" addresses to get the emails past gmail's spam
filter. Some of them didn't even arrive in my spam folder (apparently they
just got killed on some intermediate hop). support@github.com definitely
works, at least for me--you should try it yourself and see how it goes.

Hope this helps!

~~~
afarrell
IANAL. I took a seminar freshman year on IP law.

The root of trademark law is preventing consumers from being confused or
deceived about brand affiliations. I believe using a trademark to refer to the
product/service symbolized by the mark is a protected case, so long as you are
clear that no endorsement exists. Looking at your language, this is abundantly
(and amusingly) clear.

You might have something to worry about with your insinuations about Dropbox
though. I'm quite sure they are strongly pro-cephalopod.

------
reagency
Consider changing pricing to $/click (pay per victim), so that companies are
paying for the value you provide (detection security holes), and the CTO can
"bet" the CEO that employees need better training/protection.

Much more upside for you.

~~~
spydum
The problem there is that the person/group conducting the test (presumably
the security team of a 500 person org) doesn't know if it will cost 500 x
PerClickRate, or 5 x PerClickRate. They don't yet know the stupidity of their
users. Variable pricing like that can be a deal breaker for a small company.

~~~
mfenniak
You could address that by creating a control on the price. "I want to run this
campaign against 500 users. But my budget is $100." The service sends out
e-mails up to the $100 cost if they all clicked through, then deducts the
actual expenses from the budget. In a few days, it sends the next batch of
e-mails targeting the rest of the budget. Continue until either the e-mails
are all sent, or the budget is expired.

~~~
spydum
I suspect explaining that pricing model is a sales risk. Flat fee or price per
contact is far more intuitive I suspect.

Even reading your explanation, I'm not clear on what it will cost me -- this
sounds more like pre-paying? How long should it wait between batches? How
effective will batching be? Rumors of phishing/testing could move quick in the
organisation making the report outcome misleading.

------
gitaarik
What if this site occasionally sends out real phishing mails? If a lot of
sites are using it, they would have interesting stats one could use to target
the right audience.

Not saying they would, but they could get hacked of course...

------
gnyman
Another service which does a similar thing that's been around some time, I
used them but the spam filter ate all my fake mail, as it should :-)
[https://phish5.com/](https://phish5.com/)

------
hrbrtglm
How do you send your emails?

If your customer is using Google Domains, Microsoft 365 or whatever else, and
the employees do not fall for your phishing attempt and report your mail as
spam, you may be heading for some trouble with delivery afterward.

~~~
naftaliharris
I'm sending the emails directly from my server with the unix "mail" utility.

Ending up in spam is actually what most concerns me about this idea, and in
fact this concern was what led me to choose the "you don't pay unless someone
clicks on a link" pricing--I was worried that some of the emails might
eventually start ending up in spam after a few customers and wanted to make
sure I wouldn't be charging people if that happened.

I'm planning to see what works once/if the phishing emails actually start
ending up in spam.

------
noobermin
In case anyone was curious, the "phishing" urls in the phishing emails
lead to this page:

[https://cuttlephish.com/cuttlephished](https://cuttlephish.com/cuttlephished)

------
ahmetmsft
I was doing exactly the same project probably 8 years ago when I was still a
high school student. I used to have a lot of websites too, but I never
launched as I thought phishing is probably illegal and unethical.

------
fokz
This is a useful service. But I imagine there will be some nontrivial issues
regarding spam filtering, server reputation, legal, etc.

How do you do email authentication? What are the headers that you put on your
email?
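Both jwcrux's question about GitHub's SPF records and this post ask how a receiving mail server decides whether a message claiming to be from a domain is authorised. The following is an added example of that receiver-side check, not code from cuttlephish, GitHub or any commenter: a minimal SPF (RFC 7208) evaluator for `ip4`, `ip6` and `all` terms run against a constructed record for a hypothetical domain. Real records also carry `include:`, `a` and `mx` terms, which need DNS and are left out here.

```python
import ipaddress

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record for a hypothetical domain (not any real domain's record).
CONSTRUCTED_RECORDS = {
    "example-corp.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}


def check_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for the connecting MTA's address against one record.

    Mechanisms are walked left to right; the first match decides, using that
    mechanism's qualifier (default '+'). No match and no 'all' term gives
    'neutral'; a missing or non-SPF record gives 'none'.
    """
    if not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            # strict=False tolerates host bits in the CIDR; an address of the
            # other IP version simply does not match the network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        # include:, a, mx, exists:, ptr need DNS lookups: treated as no match here.
    return "neutral"


def sender_is_authorised(domain: str, sender_ip: str,
                         records=CONSTRUCTED_RECORDS) -> bool:
    """The receiver's effective question: may this IP send mail for `domain`?
    Only an explicit 'pass' counts; an unrelated server sending a spoofed
    From address for a domain with a '-all' record gets 'fail'."""
    return check_spf(records.get(domain, ""), sender_ip) == "pass"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "2001:db8:1::1", "203.0.113.5"):
        print(ip, "->", check_spf(CONSTRUCTED_RECORDS["example-corp.test"], ip))
```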

------
mikeknoop
Love the brand and name (reminds me of
[https://www.youtube.com/watch?v=GDwOi7HpHtQ](https://www.youtube.com/watch?v=GDwOi7HpHtQ)).

------
it_learnses
Are you hiring?

~~~
avn2109
He just closed a series A with a $10 billion valuation, so he's hiring rock
star full stack data scientists.

~~~
gargarplex
Incidentally, I am a rock star full stack data scientist looking for work in
NYC.

------
reagency
Would a company want to give you a list of corporate email addresses?

------
talles
That's a refreshing idea for a change. Well done!

------
jmatthew3
It's a living.

