Social Media is a way of life, and a great tool for engaging with prospects and customers. However, with social media comes an inherent risk of identity theft and corporate cybercrime – phishing attacks have gone “social” as well. And now the bad guys have the best social media phishing tools!
Let’s start with one of the better-known open source phishing campaign tools, one that was included in our post about red team tools. King Phisher is written in Python, and as we mentioned, it’s a free phishing campaign tool used to simulate real world phishing attacks and to assess and promote an organization’s cybersecurity and phishing awareness.
A frequent tool of red team operations, King Phisher lets you create separate phishing campaigns with different goals, whether simple phishing awareness or more complex scenarios such as credential harvesting. Its ability to capture credentials and scale to large numbers of targets is impressive, sometimes reaching 10k targets per campaign. And because King Phisher has no web interface, it is harder to identify its server and to tell whether it is being used for social engineering; the lack of a web interface also reduces its exposure to web vulnerabilities such as XSS.
Other features include:
- Graphs of campaign results
- Embedded images in emails
- Optional 2FA
- Templates using Jinja2
- SMS alerts on campaign status
- Web page cloning
- SPF checks
- Geolocation
Infosec IQ by Infosec includes a free Phishing Risk Test that allows you to launch a simulated phishing campaign automatically and receive your organization’s phish rate in 24 hours.
You can also access Infosec IQ’s full-scale phishing simulation tool, PhishSim, to run sophisticated simulations for your entire organization. PhishSim contains a library of 1,000+ phishing templates, attachments and data entry landing pages. PhishSim templates are added weekly, allowing you to educate employees on the most topical phishing scams. Want to build your own phishing emails? PhishSim has a drag-and-drop template builder so you can build your phishing campaigns to your exact specification.
Signing up for a free Infosec IQ account gets you full access to the PhishSim template library and education tools, but you’ll need to speak with an Infosec IQ representative for the ability to launch a free PhishSim campaign.
Infosec offers a free personalized demo of the Infosec IQ simulated phishing and security awareness platform.
The first commercial product on our list, LUCY provides a hassle-free download of the free (community) version of the platform. All you need is your email address and name, and you can download LUCY as a virtual appliance or a Debian install script. The web interface is attractive (if a bit confusing), and there are lots of features to explore: LUCY is designed as a social engineering platform that goes beyond phishing. The awareness element is there as well with interactive modules and quizzes. So, why didn’t we place LUCY higher up the list? Because we are talking about free phishing simulators, and the community version of LUCY has too many limitations to be effectively used in an enterprise environment. Some important features are not available under community license, such as exporting campaign stats, performing file (attachment) attacks, and, most importantly, campaign scheduling options. With that, the free version of LUCY gives you a taste of what the paid version is capable of, but doesn’t go much farther than that.
Let’s continue with another tool that has made its way from the red team toolkit: Gophish. An open source phishing simulator written in Go, Gophish helps organizations assess their susceptibility to phishing attacks by simplifying the process of creating, launching and reviewing the results of a campaign.
Gophish helps you create email templates, landing pages, recipient lists and sending profiles (the SMTP settings used to deliver a campaign). It then lets you launch a campaign and, finally, generate and view reports on email opens, link clicks, submitted credentials and more.
This tool is very easy to use, which allows for quick execution; the idea behind Gophish is to be accessible to everyone. It’s free, and Gophish releases are distributed as compiled binaries with no dependencies.
Main features include:
- Quick installation
- REST API
- Easy-to-use interface
- Binaries provided for Windows, Mac OS X and Linux
- Real-time reports
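The reports Gophish produces are per-recipient status records. The following added example (not Gophish's own code) turns a campaign results payload into the open/click/submit funnel and the "phish rate" figure a security awareness team reports on. It assumes the status strings and the shape of the `GET /api/campaigns/{id}/results` response as I remember them from Gophish; check both against your own instance.

```python
"""Compute a phishing campaign funnel from a Gophish results payload.

Added example, not part of Gophish. Assumes the per-recipient `status` values
"Email Sent", "Email Opened", "Clicked Link", "Submitted Data", "Error" and the
boolean `reported` field; verify against your Gophish version.
"""
import json

# Constructed sample of a results payload, trimmed to the fields used here.
SAMPLE_RESULTS = json.dumps({
    "id": 1, "name": "Q1 awareness test",
    "results": [
        {"email": "a@example.com", "status": "Email Sent", "reported": False},
        {"email": "b@example.com", "status": "Email Opened", "reported": False},
        {"email": "c@example.com", "status": "Clicked Link", "reported": False},
        {"email": "d@example.com", "status": "Submitted Data", "reported": False},
        {"email": "e@example.com", "status": "Clicked Link", "reported": True},
        {"email": "f@example.com", "status": "Error", "reported": False},
    ],
})

# Funnel stages in order: a recipient at a later stage passed through the earlier ones.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

def campaign_funnel(results_json):
    """Return (cumulative counts per stage plus reported/error counts, phish rate).

    Phish rate here is the share of delivered emails whose recipient went on to
    submit data on the landing page; reported emails are counted separately so the
    team can track how many users flagged the simulation."""
    data = json.loads(results_json)
    counts = {s: 0 for s in STAGES}
    counts.update({"Email Reported": 0, "Error": 0})
    for r in data["results"]:
        status = r["status"]
        if status == "Error":
            counts["Error"] += 1
            continue
        if status in STAGES:
            for stage in STAGES[: STAGES.index(status) + 1]:
                counts[stage] += 1
        if r.get("reported"):
            counts["Email Reported"] += 1
    delivered = counts["Email Sent"]
    phish_rate = counts["Submitted Data"] / delivered if delivered else 0.0
    return counts, round(phish_rate, 3)

if __name__ == "__main__":
    counts, rate = campaign_funnel(SAMPLE_RESULTS)
    print(counts, f"phish rate = {rate:.1%}")
```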
With conventional phishing techniques, having 2FA enabled on user accounts can mitigate most attacker tactics. This is where Evilginx2 can be quite useful. A successor to Evilginx, Evilginx2 is a bit different from other tools and simulators on this phishing tool list, in the sense that it acts as a man-in-the-middle proxy.
And how can this help with phishing campaigns? Well, in common phishing scenarios you would serve templates of sign-in page lookalikes, but Evilginx2 works differently. It connects to websites that are protected with 2FA, becoming a web proxy between the phished website and the browser, intercepting every request, modifying it where needed, and then forwarding it to the real website.
Additionally, it captures session cookies that, if exported to a different browser, give full access to the user account.
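From the defender's side, the tell-tale sign of the cookie theft just described is the same session id turning up from a second browser. The following added example (not part of the original article or of Evilginx2) runs that check over a few constructed web-server log lines in a hypothetical `ts sid= ip= ua= path=` format and flags sessions used from more than one client fingerprint.

```python
"""Flag session cookies that are used from more than one client fingerprint.

Added example, not from the original article. The log format and all values
below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample log lines (hypothetical format: ts sid= ip= ua= path=).
# Session a1b2 starts in the victim's Firefox, then reappears from a different
# address and browser, which is what a replayed session cookie looks like.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z sid=a1b2 ip=203.0.113.5 ua=Firefox/121 path=/login
2024-01-10T09:00:07Z sid=a1b2 ip=203.0.113.5 ua=Firefox/121 path=/inbox
2024-01-10T09:03:40Z sid=a1b2 ip=198.51.100.9 ua=Chrome/120 path=/inbox
2024-01-10T09:03:41Z sid=a1b2 ip=198.51.100.9 ua=Chrome/120 path=/settings/mfa
2024-01-10T09:05:00Z sid=c3d4 ip=192.0.2.44 ua=Safari/17 path=/inbox
2024-01-10T09:06:00Z sid=c3d4 ip=192.0.2.44 ua=Safari/17 path=/inbox
"""

def parse_line(line):
    """Split one log line into a dict of its key=value fields plus the timestamp."""
    ts, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["ts"] = ts
    return record

def find_replayed_sessions(log_text):
    """Return {session_id: [(ip, user_agent), ...]} for every session id seen
    from more than one (ip, user_agent) fingerprint, preserving first-seen order."""
    fingerprints = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        fp = (rec["ip"], rec["ua"])
        if fp not in fingerprints[rec["sid"]]:
            fingerprints[rec["sid"]].append(fp)
    return {sid: fps for sid, fps in fingerprints.items() if len(fps) > 1}

if __name__ == "__main__":
    for sid, fps in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"ALERT: session {sid} used from {len(fps)} clients: {fps}")
```

Expect false positives from mobile users changing networks and from corporate NAT, so in practice this is a triage signal to pair with server-side session binding and the option to revoke a session, not an automatic block.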
Simple Phishing Toolkit (sptoolkit)
While this solution may lack in the GUI attractiveness department compared with some of the previous entries, there is one important feature that places it so high on our list. Simple Phishing Toolkit provides an opportunity to combine phishing tests with security awareness education, with a feature that (optionally) directs phished users to a landing page with an awareness education video. Moreover, there is a tracking feature for users who completed the training. Unfortunately, the sptoolkit project was abandoned back in 2013. A new team is trying to give it a new life, but as of now the documentation is scarce and scattered all over the internet, making realistic implementation in an enterprise environment a difficult task.
Phishing Frenzy is an open source Ruby on Rails phishing framework designed to aid penetration testers and security professionals in creating and managing email phishing campaigns. By aiding in campaign management, generating detailed campaign statistics, and credential harvesting (among many other features), Phishing Frenzy makes the phishing process run more smoothly and efficiently.