SpearPhish Your Phamily and Phriends!

I tried InfoSec Institute’s Phishing service, and here is how it played out!

Over the past couple of days, while having some discussions about social engineering at work, I stumbled across this service. The InfoSec Institute provides phishing as a service, called Phish.io, and gives you 10 free phishing attempts to mock-attack, non-maliciously, your family, friends, and co-workers with tried-and-true fake emails.

(screenshot: lowbalanceSpearPhish)

(screenshot: lowbalanceSpearPhishsent)

I went ahead and opened the email to check its authenticity :)
(screenshot: lowbalancereceived)

Since I’ve never banked at Chase, I have no real way of knowing whether this is what the legitimate email looks like. I do remember, though, being a poor network administrator in my early 20s and receiving low-balance emails from the bank I did use back then. :|

There are two links in the email, which let me, as the sender, know which one my victim/target clicked on. Note that neither link points at chase.com directly: both go through a mandrillapp.com click-tracking redirect, and the real destination (along with a per-recipient tracking ID) is carried in the base64-encoded p parameter. I’m not suggesting that you copy and paste those into a browser!
http://mandrillapp.com/track/click/30337826/www.phish.io?p=eyJzIjoiWThBMklSV3ZyM1R4aFN3aXdOdmxoekJrTXZvIiwidiI6MSwicCI6IntcInVcIjozMDMzNzgyNixcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvd3d3LnBoaXNoLmlvXFxcL3BoaXNoZWRcXFwvaW5kZXhcXFwvNWIzNmFhNTAtYzlkNi00NGRlLTg2MWYtM2E4MDk2ZTgwYjBiXCIsXCJpZFwiOlwiYTM2NjMzYjQ2MTI2NDJlNGI4NmQ3MjBiMTRhOGJmMTdcIixcInVybF9pZHNcIjpbXCJiMTBhNmNjOTc0ZDg4YWVjZDJjNDE0N2RjZmQ5ZTFiMWRiODJjNGRiXCJdfSJ9

http://mandrillapp.com/track/click/30337826/www.chase.com?p=eyJzIjoiVFl4X09KUERwaG1fbVlyT2tKSTI2QXkwa0IwIiwidiI6MSwicCI6IntcInVcIjozMDMzNzgyNixcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvd3d3LmNoYXNlLmNvbVxcXC9wcml2YWN5XCIsXCJpZFwiOlwiYTM2NjMzYjQ2MTI2NDJlNGI4NmQ3MjBiMTRhOGJmMTdcIixcInVybF9pZHNcIjpbXCI4MjUxZTlmYTMxYTA3NWEwM2I2OTQyN2MyZGVmNGViNDcxZWQwZmRiXCJdfSJ9
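As an added example (not part of the original post, and not Phish.io's or Mandrill's own tooling), here is a small Python script that decodes the two tracking links above without visiting them. It assumes only what the links themselves show: a mandrillapp.com click-tracking URL whose p parameter is URL-safe base64 (possibly unpadded) of a JSON object, whose p member is a second, string-encoded JSON object carrying the real url, a per-message id, and a list of url_ids. The links are copied verbatim from the email; nothing else is constructed.

```python
import base64
import json
from urllib.parse import urlparse

# The two tracking links quoted from the phishing email, verbatim.
STATEMENT_LINK = (
    "http://mandrillapp.com/track/click/30337826/www.phish.io?p="
    "eyJzIjoiWThBMklSV3ZyM1R4aFN3aXdOdmxoekJrTXZvIiwidiI6MSwicCI6IntcInVcIjozMDMzNzgyNixcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvd3d3LnBoaXNoLmlvXFxcL3BoaXNoZWRcXFwvaW5kZXhcXFwvNWIzNmFhNTAtYzlkNi00NGRlLTg2MWYtM2E4MDk2ZTgwYjBiXCIsXCJpZFwiOlwiYTM2NjMzYjQ2MTI2NDJlNGI4NmQ3MjBiMTRhOGJmMTdcIixcInVybF9pZHNcIjpbXCJiMTBhNmNjOTc0ZDg4YWVjZDJjNDE0N2RjZmQ5ZTFiMWRiODJjNGRiXCJdfSJ9"
)
PRIVACY_LINK = (
    "http://mandrillapp.com/track/click/30337826/www.chase.com?p="
    "eyJzIjoiVFl4X09KUERwaG1fbVlyT2tKSTI2QXkwa0IwIiwidiI6MSwicCI6IntcInVcIjozMDMzNzgyNixcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvd3d3LmNoYXNlLmNvbVxcXC9wcml2YWN5XCIsXCJpZFwiOlwiYTM2NjMzYjQ2MTI2NDJlNGI4NmQ3MjBiMTRhOGJmMTdcIixcInVybF9pZHNcIjpbXCI4MjUxZTlmYTMxYTA3NWEwM2I2OTQyN2MyZGVmNGViNDcxZWQwZmRiXCJdfSJ9"
)


def _b64url_decode(data: str) -> bytes:
    """Decode URL-safe base64, restoring any '=' padding the sender dropped."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _raw_query_param(query: str, name: str) -> str:
    """Return a query value untouched; parse_qs would turn '+' into ' '."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    raise ValueError(f"no {name}= parameter in query string")


def decode_mandrill_link(link: str) -> dict:
    """Unwrap a mandrillapp.com click-tracking link (format assumed from the samples)."""
    parts = urlparse(link)
    outer = json.loads(_b64url_decode(_raw_query_param(parts.query, "p")))
    inner = json.loads(outer["p"])  # 'p' is a JSON document stored as a string
    destination = inner["url"]
    displayed_host = parts.path.rsplit("/", 1)[-1]  # last path segment names the target
    destination_host = urlparse(destination).hostname
    return {
        "tracking_host": parts.hostname,
        "displayed_host": displayed_host,
        "destination": destination,
        "destination_host": destination_host,
        # A mismatch here would mean the link advertises one site but lands on another.
        "hosts_match": displayed_host == destination_host,
        "recipient_id": inner["id"],
        "url_ids": inner["url_ids"],
        "signature": outer["s"],
    }


def same_recipient(links) -> bool:
    """True when every link carries the same per-message id, i.e. clicking any of them identifies the same target."""
    return len({decode_mandrill_link(lnk)["recipient_id"] for lnk in links}) == 1


if __name__ == "__main__":
    for label, link in (("see your statement", STATEMENT_LINK), ("privacy", PRIVACY_LINK)):
        info = decode_mandrill_link(link)
        print(f"{label}: tracked via {info['tracking_host']}, really goes to "
              f"{info['destination']} (recipient id {info['recipient_id']})")
    print("both links identify the same recipient:",
          same_recipient([STATEMENT_LINK, PRIVACY_LINK]))
```

Decoding shows that the "see your statement" link lands on www.phish.io/phished/index/ followed by a UUID, while the second one really does go to www.chase.com/privacy; both carry the same id value, so clicking either one tells the sender exactly who opened the mail. Hovering a link and reading the host (mandrillapp.com, not chase.com) is the cheap check a recipient can do without any code.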

To check out the reporting functions, I’ve decided to click on the “see your statement” link.

I immediately got notified:

(screenshot: phishedNotify2)

And as a mock-victim, I had to sit through an interactive video.
(screenshot: gotchabitch2)

The report I got wasn’t all that spectacular, definitely not something I could build metrics off of. But it did let me know what type of email I sent and if that person fell for it or not.
(screenshot: phishedreport)

This is definitely a cool service to use, with a nice lesson to help your family and friends learn about spear phishing. Give it a try, go to http://phish.io
