I tried InfoSec Institute’s Phishing service, and here is how it played out!
Over the past couple of days, while having some discussions regarding social engineering at work, I stumbled across this service. The InfoSec Institute provides phishing as a service, called Phish.io, and will give you 10 free phishing attempts to mock-attack, non-maliciously, your family, friends, and co-workers, with tried and true fake emails.
I went ahead and opened the email to check its authenticity :)
Since I’ve never banked at Chase, I have no true way of knowing if this is what it legitimately looks like. I do remember being a poor network administrator back in my early 20s though and having received low balance emails from a bank I did bank at, back in the day. :|
There are two links in the email, which will let me know, as the sender, what my victim/target clicked on. I’m not suggesting that you copy and paste those into a browser!
http://mandrillapp.com/track/click/30337826/www.phish.io?p=eyJzIjoiWThBMklSV3ZyM1R4aFN3aXdOdmxoekJrTXZvIiwidiI6MSwicCI6IntcInVcIjozMDMzNzgyNixcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvd3d3LnBoaXNoLmlvXFxcL3BoaXNoZWRcXFwvaW5kZXhcXFwvNWIzNmFhNTAtYzlkNi00NGRlLTg2MWYtM2E4MDk2ZTgwYjBiXCIsXCJpZFwiOlwiYTM2NjMzYjQ2MTI2NDJlNGI4NmQ3MjBiMTRhOGJmMTdcIixcInVybF9pZHNcIjpbXCJiMTBhNmNjOTc0ZDg4YWVjZDJjNDE0N2RjZmQ5ZTFiMWRiODJjNGRiXCJdfSJ9
http://mandrillapp.com/track/click/30337826/www.chase.com?p=eyJzIjoiVFl4X09KUERwaG1fbVlyT2tKSTI2QXkwa0IwIiwidiI6MSwicCI6IntcInVcIjozMDMzNzgyNixcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvd3d3LmNoYXNlLmNvbVxcXC9wcml2YWN5XCIsXCJpZFwiOlwiYTM2NjMzYjQ2MTI2NDJlNGI4NmQ3MjBiMTRhOGJmMTdcIixcInVybF9pZHNcIjpbXCI4MjUxZTlmYTMxYTA3NWEwM2I2OTQyN2MyZGVmNGViNDcxZWQwZmRiXCJdfSJ9
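The two links above can be inspected offline instead of clicked. The following is an added example, not part of the original post or of any vendor's code: it decodes the base64 `p` parameter of each link and returns the destination stored inside it. The field names `p` and `url` are simply what these two links decode to, not a documented format.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs

# The two tracking links quoted in the post above, copied verbatim.
LINKS = [
    "http://mandrillapp.com/track/click/30337826/www.phish.io?p=eyJzIjoiWThBMklSV3ZyM1R4aFN3aXdOdmxoekJrTXZvIiwidiI6MSwicCI6IntcInVcIjozMDMzNzgyNixcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvd3d3LnBoaXNoLmlvXFxcL3BoaXNoZWRcXFwvaW5kZXhcXFwvNWIzNmFhNTAtYzlkNi00NGRlLTg2MWYtM2E4MDk2ZTgwYjBiXCIsXCJpZFwiOlwiYTM2NjMzYjQ2MTI2NDJlNGI4NmQ3MjBiMTRhOGJmMTdcIixcInVybF9pZHNcIjpbXCJiMTBhNmNjOTc0ZDg4YWVjZDJjNDE0N2RjZmQ5ZTFiMWRiODJjNGRiXCJdfSJ9",
    "http://mandrillapp.com/track/click/30337826/www.chase.com?p=eyJzIjoiVFl4X09KUERwaG1fbVlyT2tKSTI2QXkwa0IwIiwidiI6MSwicCI6IntcInVcIjozMDMzNzgyNixcInZcIjoxLFwidXJsXCI6XCJodHRwOlxcXC9cXFwvd3d3LmNoYXNlLmNvbVxcXC9wcml2YWN5XCIsXCJpZFwiOlwiYTM2NjMzYjQ2MTI2NDJlNGI4NmQ3MjBiMTRhOGJmMTdcIixcInVybF9pZHNcIjpbXCI4MjUxZTlmYTMxYTA3NWEwM2I2OTQyN2MyZGVmNGViNDcxZWQwZmRiXCJdfSJ9",
]


def decode_tracking_link(link):
    """Return (tracker host, host shown in the path, embedded destination URL)."""
    parts = urlsplit(link)
    # The last path segment is the host name a reader sees in the link.
    shown_host = parts.path.rstrip("/").rsplit("/", 1)[-1]
    token = parse_qs(parts.query)["p"][0]
    token += "=" * (-len(token) % 4)  # restore base64 padding if it was stripped
    outer = json.loads(base64.urlsafe_b64decode(token))
    inner = json.loads(outer["p"])  # the inner JSON is stored as a string
    return parts.netloc, shown_host, inner["url"]


def destination_matches_shown_host(link):
    """True when the embedded destination host equals the host in the path."""
    _, shown_host, destination = decode_tracking_link(link)
    return urlsplit(destination).hostname == shown_host


if __name__ == "__main__":
    for link in LINKS:
        tracker, shown, destination = decode_tracking_link(link)
        print(f"tracker={tracker} shown={shown} destination={destination}")
```

Nothing is fetched: the destination is read straight out of the link text, so the check can run on a mail gateway or an analyst workstation without touching the tracker.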
To check out the reporting functions, I’ve decided to click on the “see your statement” link.
I immediately got notified:
And as a mock-victim, I had to sit through an interactive video.
The report I got wasn’t all that spectacular, definitely not something I could build metrics off of. But it did let me know what type of email I sent and if that person fell for it or not.
This is definitely a cool service to use, with a nice lesson to help your family and friends learn about spear phishing. Give it a try, go to http://phish.io