spt v0.70 -Ghost Fish- Simple Fish Toolkit released
spt is a simple concept with powerful possibilities. It is what its name implies: a simple phishing toolkit.
The basic idea we (the spt project) had was this: wouldn't it be cool if there were a simple, effective, easy-to-use and free (most importantly!) tool that information security professionals could use to evaluate and train what we all know is the weakest link in any security-minded organization: the people? Since the founders of the spt project are themselves information security professionals by day (and possibly either LOL cats or zombies by night), they have faced the frustration of dealing with people within their own organizations who claimed to know better, but 9 times out of 10 fell for the most absurdly obvious phishing emails ever seen. A malware outbreak here, a stolen password and loss of critical organizational data there, and the costs of dealing with the results of phishing can get to be astronomical pretty darn quickly!
Enter spt. spt was made from scratch, like a baby (or maybe a zombie), with the goal of giving over-worked and under-staffed information security professionals a simple tool (more like a framework, as we hope to add more features over time) that can be used to identify and train those weakest links. spt is a fully self-contained phishing email toolkit that can be installed, configured and phishing in less than 15 minutes. Its design is modular and open-ended, allowing for future expansion and additional features via easy-to-snap-in modules that are simply uploaded in the administration dashboard. Why not try out spt today and see who your weakest link is?
The spt is composed of three basic parts, detailed here.
- Web site front-end, or the net as we like to call it. This is the phishing site that those foolish enough to fall for your phishing emails will find themselves at. Will your front-end be a realistic-looking webmail login page? Maybe it will be a site that promises the respondent a free iPad2 for just completing a short survey. What the front-end looks like is totally up to you. Just select one of the already available templates created for use with spt or make your own. You can make your own custom template easily enough, and the only limit on what that template can be is your imagination (well, and maybe your coding skills). When the target clicks through on the link in the phishing email and winds up at the site, they'll be given the opportunity to submit the form on the page. The form might be requesting their webmail credentials, or maybe it's their email address for the win on that delicious iPad2. Regardless, spt never collects any actual data entered: only a record of which fields were submitted.
- Web site back-end. Oddly enough, we didn't come up with a fun name for this one other than the administration dashboard. But hey, dashboards are cool, so we're going to stick with that. The dashboard runs on a custom-developed CMS that started its life under the name of JCMS a long time ago in a galaxy far away. The sptCMS, as we like to call it now, was built from the ground up to be quick, lightweight and standards-compliant (well, most of the time at least!). From the dashboard you'll do all those administrative tasks like uploading templates, creating or uploading lists of targets, and creating campaigns where you mix a template with some targets and get your phishing on. The dashboard runs on PHP.
- Database back-end, or the database as we like to call it. Snazzy, yes? Every good web application needs that obligatory database somewhere, so we felt compelled to include that feature with spt. After all, spt is good and it definitely appears to be a web application, though the zombies aren't so sure about that. Anyhow, the database does what databases typically do so well, and that is to store all of your data. The database needs to be MySQL.
New in this release:
- Vast improvements in the editing functionality for templates and education packages. Major changes include two different editors to choose from (the original spt text editor and TinyMCE), and the ability to copy templates or education packages to a new version and then customize them.
- Added education completion tracking: now you can determine whether your targets completed the assigned education in a campaign.
- Support for the G0ogle and TinyURL URL shortener services. Now your phishing emails can have shortened URLs, making them harder to detect.
- Support for sending SMTP using SSL secured connections.
- Enhancements to the viewing of campaign information, including the SMTP relay used and the destination URL used.
- Initial support for using spt in SSL/TLS-secured installations, with code updates to prevent insecure content warnings.
- All forms now generate inline errors with entered value retention, allowing easy correction of incorrect or missing items without requiring all information to be entered again.
- Email tracking times are now more accurate when viewing campaign information.
- Most items in the Quick Start module now feature links allowing you to quickly access the desired location in the spt User Interface.
- Enhancements to the browser detection script for more information on what you need vs. what you have.
- Many security and usability issues fixed.
- Additional improvements in authentication and session management security.
Note for rippers: Do not try to get the logo & text. I included many little traps :)