SP Toolkit, a phishing kit to educate users with real attacks

SP Toolkit is an open source phishing kit designed to make user education easier. It is aimed at administrators and security managers who want to challenge their users with realistic attacks.

The kit does everything with a few clicks, from creating the phishing page to sending the counterfeit email, but note that the data entered (usernames and passwords) are not stored; only statistics are recorded, so you know whether or not each user fell for the deception.

Installation is quick: it is a PHP script, so you need a web server and a MySQL database; on Windows it can be installed locally with WampServer:

In the screenshot above you can see the control panel from which campaigns are administered.

The tool lets you imitate any website, either by uploading a template or by copying the login page directly (scraping). The following image shows how easy it is to create a campaign, personalize the e-mail and indicate which page you want to imitate, in this case Facebook:
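To make the "copy the login page" step concrete, here is an added example (not SP Toolkit's own code) of what cloning a login page for a simulation involves: the fetched HTML is re-emitted with every form pointed at the training collector, a hidden per-recipient token is injected so the result can be attributed, and relative asset URLs are made absolute so the copy still renders. The site, collector URL and sample page are constructed for the example.

```python
# Added example (not SP Toolkit code): clone a login page for a phishing
# simulation by rewriting its form to post to the training collector and
# making relative asset URLs absolute so the copy renders when served elsewhere.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin

# Attributes that reference other resources and must be made absolute.
URL_ATTRS = {"img": "src", "script": "src", "link": "href", "a": "href"}


class LoginPageCloner(HTMLParser):
    """Re-emit an HTML document with every <form> pointed at collector_url."""

    def __init__(self, base_url, collector_url, token):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.base_url = base_url
        self.collector_url = collector_url
        self.token = token
        self.out = []

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def _rewrite(self, tag, attrs):
        rewritten = []
        for name, value in attrs:
            if tag == "form" and name in ("action", "method"):
                continue  # replaced below so the form posts to the collector
            if value and name == URL_ATTRS.get(tag):
                value = urljoin(self.base_url, value)  # relative -> absolute
            rewritten.append((name, value))
        if tag == "form":
            rewritten += [("action", self.collector_url), ("method", "post")]
        return rewritten

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, self._rewrite(tag, attrs))
        if tag == "form":
            # Per-recipient token ties a later submission to one campaign target.
            self._emit_tag("input", [("type", "hidden"), ("name", "t"),
                                     ("value", self.token)], self_closing=True)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, self._rewrite(tag, attrs), self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def clone_login_page(html, base_url, collector_url, token):
    """Return the cloned page as a string."""
    cloner = LoginPageCloner(base_url, collector_url, token)
    cloner.feed(html)
    cloner.close()
    return "".join(cloner.out)


# Constructed sample: a minimal login page as it might be fetched from the
# (hypothetical) site being imitated; example.com is not a real target.
SAMPLE_LOGIN_PAGE = """<!DOCTYPE html>
<html><head><link rel="stylesheet" href="/static/login.css"></head>
<body><img src="/static/logo.png" alt="Logo &amp; name">
<form action="/session/login" method="post">
<input type="text" name="user"><input type="password" name="pass">
<button type="submit">Sign in</button></form></body></html>"""

if __name__ == "__main__":
    print(clone_login_page(SAMPLE_LOGIN_PAGE, "https://login.example.com/",
                           "https://training.example.org/collect", "a1b2c3"))
```

The hidden token is what later lets the collector say "this recipient clicked" without ever looking at the credentials typed into the form; a real clone would also need to fetch the page over HTTP and copy stylesheets and scripts, which this example leaves out.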

When the user receives the mail and opens the fake page, the activity is recorded. Remember that the idea is not to steal passwords but to assess security awareness and educate, so once users fall into the trap they are shown a warning or educational message, which can be customized.
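The behaviour described above, recording who clicked and who submitted while keeping nothing of what they typed, is the part of a simulation tool that deserves the most care. The following is an added example (not SP Toolkit's own code) of a tracker that does exactly that: recipients are identified only by a random token, submissions are reduced to a yes/no event, and a helper lets you verify that no credential ever reached the database. The campaign name, e-mail address and educational message are made up for the example.

```python
# Added example (not SP Toolkit code): record phishing-simulation outcomes per
# recipient without ever storing what the recipient typed into the fake form.
import secrets
import sqlite3
from datetime import datetime, timezone

EDUCATIONAL_MESSAGE = (
    "This was a phishing simulation run by your security team. "
    "Check the sender address and the URL before entering a password."
)


class SimulationTracker:
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript("""
            CREATE TABLE IF NOT EXISTS recipients (
                token TEXT PRIMARY KEY, campaign TEXT NOT NULL, email TEXT NOT NULL);
            CREATE TABLE IF NOT EXISTS events (
                token TEXT NOT NULL, kind TEXT NOT NULL, at TEXT NOT NULL);
        """)

    def add_recipient(self, campaign, email):
        # Random, unguessable token: the only thing the fake page knows about the target.
        token = secrets.token_urlsafe(16)
        self.db.execute("INSERT INTO recipients VALUES (?, ?, ?)", (token, campaign, email))
        self.db.commit()
        return token

    def _event(self, token, kind):
        known = self.db.execute("SELECT 1 FROM recipients WHERE token = ?", (token,)).fetchone()
        if known is None:
            return False  # unknown token (scanner, mistyped link): nothing to record
        self.db.execute("INSERT INTO events VALUES (?, ?, ?)",
                        (token, kind, datetime.now(timezone.utc).isoformat()))
        self.db.commit()
        return True

    def record_visit(self, token):
        """Recipient followed the link (GET on the fake page)."""
        return self._event(token, "visited")

    def record_submission(self, token, form):
        """Recipient submitted the fake form (POST).

        Only the fact that a submission happened is kept.  The form is inspected
        for nothing beyond whether any field was filled in; values are never
        written to the database, returned or logged.
        """
        filled = any(form.values())
        ok = self._event(token, "submitted" if filled else "submitted_empty")
        return EDUCATIONAL_MESSAGE if ok else None

    def campaign_stats(self, campaign):
        """Per-campaign counts of distinct recipients who visited / submitted."""
        stats = {"recipients": self.db.execute(
            "SELECT COUNT(*) FROM recipients WHERE campaign = ?", (campaign,)).fetchone()[0]}
        rows = self.db.execute("""
            SELECT e.kind, COUNT(DISTINCT e.token) FROM events e
            JOIN recipients r ON r.token = e.token
            WHERE r.campaign = ? GROUP BY e.kind""", (campaign,)).fetchall()
        stats.update(dict(rows))
        return stats

    def stored_text(self):
        """Every value in the database as text, to check nothing sensitive was kept."""
        values = []
        for table in ("recipients", "events"):
            for row in self.db.execute(f"SELECT * FROM {table}"):
                values.extend(str(v) for v in row)
        return values


if __name__ == "__main__":
    tracker = SimulationTracker()
    tok = tracker.add_recipient("q1-awareness", "alice@example.com")  # constructed
    tracker.record_visit(tok)
    print(tracker.record_submission(tok, {"user": "alice", "pass": "Hunter2!"}))
    print(tracker.campaign_stats("q1-awareness"))
```

Two practical caveats go with this design: the fake form must use POST, because a GET would put the credentials in the query string and therefore in the web server's access log, and the token should be random rather than derived from the e-mail address, so recipients cannot guess each other's links or appear in someone else's statistics.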

In the following video, made by the author of SP Toolkit, you can see the sending process and what happens when the fake page is opened. The example is again Facebook, but it could be done with any page, for example an intranet login:

Some may think this is not the best way to educate users, but sometimes you only learn the hard way 🙂

Many companies hire professionals to assess their security, and there is nothing better than carrying out real attacks to find the problems; of course, these are done with authorization and in a controlled manner. Generally the easiest way to compromise information is through employees: social engineering at that level is usually more effective than directly attacking computers on which several hundred dollars have been spent on protection.

On the tool's website you can find more details about how it works and a step-by-step installation tutorial.