Allowlisting Note: Are you having issues with accessing our simulated phishing websites? Check out our website allowlisting support article.
Important Note: All links to our managed phishing websites are for one-time use: a user is allowed to reach the simulated phishing website, but the link expires within 15-30 minutes, so later attempts to open the page return a 404 error. This replicates the masquerading techniques that real-world threat actors use.
This introduction will take you through every step involved in the creation and use of phishing website templates.
- What is a phishing website template?
- Website functionality deep-dive
- Using your own phishing website
- Example phishing websites
1. What is a phishing website template?
A phishing website template is the landing page a target reaches after clicking a phishing link embedded in a phishing email. At this stage the target has already fallen for the phishing campaign; the phishing website adds a further layer of testing by checking whether the target will also hand over sensitive information, typically their user credentials.
2. Website functionality deep-dive
Template Page Options:
- New Website: A single-page template creation popup. Designed for speed and efficiency.
- View Website (Magnifying Glass): Opens the website in a new web browser tab for viewing purposes.
- Update Template: Provides the ability to view and update the back-end configuration used to create the template (i.e. description and website url).
- Duplicate Template: Allows for duplication of the template. Useful for editing the template while keeping the original intact.
- Delete Template: Provides the ability to delete a template.
Template Setup/Update:
- Template Name: The name given to the website template
- Template Description: A brief description of what the website template is doing
- Website URL: The public location of the phishing website.
3. Using your own Phishing Website
The CanIPhish platform supports the use of third-party phishing websites should none of our hosted websites meet your needs. If you use your own website, you must complete the following steps so that CanIPhish can track which users landed on the website and which of them went on to enter their credentials.
3.1. Add the following JavaScript/jQuery functions and scripts to the bottom of your website, or see the GitHub project.
Note: Replace the value of the REDIRECT_TO variable with the learning website you want users to be sent to once they fall victim to credential harvesting. The scripts forward the query string that CanIPhish appends to the phishing link (document.location.search) to the response endpoint, so test the page by opening it from a campaign link rather than from its bare URL.
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script type="text/javascript">
    const REDIRECT_TO = 'https://learning.authwebmail.com/index'; // The destination URL once data has been submitted
    var responseEndpoint = "https://awo0vrpjg3.execute-api.ap-southeast-2.amazonaws.com/default/caniphish-phish-response";
    var signInCalled = false;

    // Called from the sensitive-data input. Reports the credential-entry event once
    // (signInCalled guards against one request per keystroke), then redirects.
    // Only the tracking parameters already in the page URL plus webClick=true are
    // sent; the value the user typed is never transmitted. The "&" assumes the page
    // was opened from a campaign link, so document.location.search is non-empty.
    function signIn() {
        var uri = responseEndpoint + document.location.search + "&webClick=true&callback=myFunction";
        console.log(uri);
        if (signInCalled === false) {
            $.ajax({
                url: uri,
                type: 'GET',
                dataType: 'jsonp',
                complete: function (response) {
                    console.log(response); // server response
                    redirectPage();
                }
            });
            signInCalled = true;
        }
    }

    function redirectPage() {
        //HARDCODED REDIRECTION SPECIFIED USING THE REDIRECT_TO VARIABLE - COMMENT OUT IF USING CAMPAIGN REDIRECTION
        window.location.href = REDIRECT_TO;

        //UNCOMMENT IF YOU WANT TO USE REDIRECTION LOGIC SPECIFIED WITHIN PHISHING CAMPAIGNS
        //var redirectUri = "../index" + document.location.search;
        //const urlParams = new URLSearchParams(document.location.search);
        //const myParam = urlParams.get('t');
        //var decodedString = atob(myParam);
        //var parsedQuery = parseQuery(decodedString);
        //var decodedEducation = parsedQuery.eType;
        //var decodedURL = parsedQuery.eURL;
        //if (decodedEducation == "CanIPhish") {
        //    redirectUri = "../index" + document.location.search;
        //} else if (decodedEducation == "BYO") {
        //    if (decodedURL.indexOf("http://") == 0 || decodedURL.indexOf("https://") == 0) {
        //        redirectUri = decodedURL;
        //    } else {
        //        redirectUri = "https://" + decodedURL;
        //    }
        //} else if (decodedEducation == "NONE") {
        //    redirectUri = REDIRECT_TO;
        //} else {
        //    console.log(`Got decodedEducation: ${decodedEducation} ... and redirectUri: ${redirectUri}`);
        //}
        //window.location.href = redirectUri;
    }

    // Splits "a=1&b=2" (optionally with a leading '?') into an object.
    // Used by the campaign-redirection logic above to read the decoded 't' parameter.
    function parseQuery(queryString) {
        var query = {};
        var pairs = (queryString[0] === '?' ? queryString.substr(1) : queryString).split('&');
        for (var i = 0; i < pairs.length; i++) {
            var pair = pairs[i].split('=');
            query[decodeURIComponent(pair[0])] = decodeURIComponent(pair[1] || '');
        }
        return query;
    }
</script>
<script>
    // On page load, report the "landed on the website" event using the tracking
    // parameters carried in the phishing link's query string.
    $(document).ready(function () {
        var uri = responseEndpoint + document.location.search;
        console.log(uri);
        $.ajax({
            url: uri,
            type: 'GET',
            dataType: 'jsonp',
            success: function (response) {
                console.log(response); // server response
            },
            error: function (xhr, status, error) {
                console.error("Got error during first callback: " + status + " " + error);
            }
        });
    });
</script>
3.2. Add an 'onkeydown' event listener to the sensitive-data input (e.g. the password field) that calls the signIn() function, similar to the example below. The event fires on the first keystroke, so the credential-entry event is recorded as soon as the user starts typing, before any form is submitted, and the typed value itself is not sent to CanIPhish.
<input onkeydown="signIn()" type="password" id="session_password-login" class="password" name="session_password" placeholder="Password">
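The campaign-redirection branch that is commented out in the snippet above decodes a base64 `t` parameter and picks the destination from its `eType` and `eURL` fields. The following is an added example, not CanIPhish's own code, that rewrites that logic as pure functions so it can be tested outside a browser and generalises it to the edge cases the original leaves to the browser (no token, undecodable token, unknown `eType`). The names resolveRedirect, buildCampaignToken and b64decode, the URL-encoding of the token in the query string, and the sample URLs are my assumptions; the `t`, `eType`, `eURL` names and the CanIPhish/BYO/NONE branches come from the page.

```javascript
// Added example (not CanIPhish's code): campaign-redirect resolution from the
// commented-out logic above, written as pure functions. Assumptions: the 't'
// token is base64("eType=<CanIPhish|BYO|NONE>&eURL=<url>") and is URL-encoded
// when placed in the query string; the function and sample names are mine.

// Base64 helpers that work in both a browser (atob/btoa) and Node (Buffer).
function b64decode(s) {
  if (typeof atob === 'function') return atob(s);
  return Buffer.from(s, 'base64').toString('latin1');
}
function b64encode(s) {
  if (typeof btoa === 'function') return btoa(s);
  return Buffer.from(s, 'latin1').toString('base64');
}

// Same job as the page's parseQuery(): "a=1&b=2" (leading '?' tolerated) to an
// object. Splits each pair at the first '=' so values containing '=' survive.
function parseQuery(queryString) {
  const query = {};
  const body = queryString[0] === '?' ? queryString.substr(1) : queryString;
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    query[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return query;
}

// Build a 't' token in the shape the redirect logic reads. Constructed here for
// the example only; the real platform generates the token server-side.
function buildCampaignToken(eType, eURL) {
  return b64encode('eType=' + eType + '&eURL=' + encodeURIComponent(eURL));
}

// Decide where the landing page sends the victim after the credential event,
// given location.search and the hard-coded REDIRECT_TO fallback.
function resolveRedirect(search, fallbackUrl) {
  const token = new URLSearchParams(search).get('t');
  if (!token) return fallbackUrl;            // no campaign token: behave like REDIRECT_TO
  let q;
  try {
    q = parseQuery(b64decode(token));        // atob throws on bad base64 in a browser
  } catch (e) {
    return fallbackUrl;
  }
  switch (q.eType) {
    case 'CanIPhish':
      return '../index' + search;            // platform training page, tracking params kept
    case 'BYO': {
      const url = q.eURL || '';
      if (/^https?:\/\//i.test(url)) return url;
      return 'https://' + url;               // bare host/path gets an https scheme, as on the page
    }
    case 'NONE':
    default:                                 // unknown eType: the page only logs; fall back here
      return fallbackUrl;
  }
}

// Usage: resolveRedirect(document.location.search, REDIRECT_TO) in place of the
// hard-coded assignment inside redirectPage().
```

Note that the BYO branch sends the user to whatever URL the token carries, so on a self-hosted landing page the `t` parameter is effectively a redirect target; keep that in mind if the page is reachable outside a campaign.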
4. Example Phishing Websites
- Dropbox Phishing Website:
- Facebook Phishing Website:
- Google Phishing Website: