As Cyber Threat students, we've done enough case studies to take one major thing from them. It doesn't matter if you have the best security money can buy; all it takes is one employee clicking on the wrong link. One click, that's all it takes for all the security built around a network to be for show. This made us think about how we can prevent or reduce these types of attacks from wreaking havoc. On average, 46,000 phishing sites are created daily. These affect society every day, and not just in our homes but, even worse, at work. People lose their jobs or have credentials compromised, only to have to jump through hoops to fix the damage caused. This is a plague on society, and instead of being reactive in terms of defense, we've decided to take an offensive approach.
What it does
Social Engineering, Phishing attacks, Spear Phishing, and Executive Whaling are launched every day with one goal: to compromise their intended targets. Whether the aim is to install malware or harvest credentials, all that stands between the attack and its success is a simple click of a link. Clean Phishing will use the malicious actor's wants against them. It is able to target the same cloned website being used in these types of campaigns and push massive amounts of credentials to it. Clean Phishing uses a Python script to generate and push one thousand random user logins/passwords, using a JSON file database we created. Doing so makes it very challenging for the attacker to know which of the information gathered is credible and which is what we have fed them. The user has control of which site the code will run against; this is to prevent it from being used against innocent targets.
How we built it
We built Clean Phishing mostly with Python. We have a JSON file with a list of 1,000 first names. The program randomly generates an email account based on the first names and adds random digits to the end of the first name. Then it randomly picks a common email domain (e.g. @gmail.com). After that, it also generates a random password which consists of symbols, letters, and numbers. It also randomly generates user agents, session data keys, IP addresses, geo-location, and the original URL from which the information was sent. Then, all of the information is sent to the website, filling in data fields where the host of the campaign will be able to see all of the details that were sent. This program also creates a text document where the person who launched the program will be able to see all credentials that were sent to the corresponding phishing campaign. This text document will be used as a permanent record and can be used for further exploitation down the line. The text document is also saved as a CSV file so that it can be called upon by a machine learning program that we tried to incorporate. This program helps look at the data in a more simplified form, rather than a bunch of variables thrown together.
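The generation and record-keeping steps described above, as an added example that is not the project's own code. It covers only building the decoy logins and the CSV record; the five-name list and the example.* domains are constructed stand-ins for the project's 1,000-name JSON file and its domain list, and all function names are hypothetical.

```python
import csv
import io
import secrets
import string

# Constructed sample; the project loads 1,000 first names from a JSON file.
FIRST_NAMES = ["alex", "maria", "james", "priya", "chen"]
# gmail.com is the page's example; the example.* domains are placeholders.
DOMAINS = ["gmail.com", "example.com", "example.org"]
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def make_email(names=FIRST_NAMES, domains=DOMAINS):
    """First name + 1-4 random digits + a randomly picked domain."""
    name = secrets.choice(names)
    n_digits = secrets.randbelow(4) + 1
    digits = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    return f"{name}{digits}@{secrets.choice(domains)}"

def make_password(length=12):
    """Random password guaranteed to hold a letter, a digit and a symbol."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw

def generate_decoys(count):
    """Return `count` (email, password) pairs with no repeated email."""
    seen, decoys = set(), []
    while len(decoys) < count:
        email = make_email()
        if email in seen:  # a repeated login would be an obvious tell
            continue
        seen.add(email)
        decoys.append((email, make_password()))
    return decoys

def write_record(decoys, fh):
    """Write the CSV record of every decoy generated in this run."""
    writer = csv.writer(fh)
    writer.writerow(["email", "password"])
    writer.writerows(decoys)

if __name__ == "__main__":
    buf = io.StringIO()
    write_record(generate_decoys(1000), buf)
    print(buf.getvalue().splitlines()[:3])
```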
Challenges we ran into
This approach rides a thin line between being a tool used for good and one that, if used on the wrong target, would make the user no better than the attacker (also known as the hacking back approach). With this in mind, we wanted our code to never cross over, and this made it extremely difficult. We also had to make the data being generated believable to the attacker so as not to set off any alarms.
Accomplishments that we're proud of
How far we got with the project and all the new things we learned along the way is what we are most proud of.
What we learned
The biggest thing we took away from our experience here at Codestellation was truly understanding every single layer of both Social Engineering and Phishing attacks. Basic knowledge wasn't enough; we dove deeper than ever before, even looking to cyber laws to ensure our project never crossed the line into being malicious. More challenging was learning to use the Google API on the fly, to be able to incorporate it into our idea.
What's next for Clean Phishing
We want to embed our program into endpoint security so that it can be used at a corporate level. We also want more AI functionality.