Allowlisting Note: Are you having issues with accessing our simulated phishing websites? Check out our website allowlisting support article.
Important Note: All links to our managed phishing websites are for one-time use, i.e., we allow users to access the simulated phishing website but then expire the link within 15-30 minutes, so future attempts to access the webpage will lead to a 404 error page. This is designed to replicate the same masquerading techniques that real-world threat actors use.
This introduction will take you through every step involved in the creation and use of phishing website templates.
- What is a phishing website template?
- Website functionality deep-dive
- Using your own phishing website
- Example phishing websites
- What Information Is Captured On CanIPhish Phishing Websites?
1. What is a phishing website template?
A phishing website template is the landing page a target goes to if they click a phishing link embedded within a phishing email. At this stage, the target has already fallen for the phishing campaign; however, using the phishing website adds an additional layer of testing to see if the target would be willing to give up sensitive information in the form of user credentials.
2. Website functionality deep-dive
Template Page Options:
- New Website: A single-page template creation popup. Designed for speed and efficiency.
- View Website (Magnifying Glass): Opens the website in a new web browser tab for viewing purposes.
- Update Template: Provides the ability to view and update the back-end configuration used to create the template (i.e. description and website URL).
- Duplicate Template: Allows for duplication of the template. Useful for editing the template while keeping the original intact.
- Delete Template: Provides the ability to delete a template.
Template Setup/Update:
- Template Name: The name given to the website template.
- Template Description: A brief description of what the website template is doing.
- Website URL: The public location of the phishing website.
3. Using your own Phishing Website
The CanIPhish platform supports the use of third-party phishing websites, should one of our hosted websites not be sufficient for your needs. In the event you do use your own website, you need to perform the following actions to ensure that CanIPhish can track which users landed on the website and which of them went on to submit sensitive information.
3.1. Add the following JavaScript/jQuery functions and scripts to the bottom of your website. Or see here for the GitHub project.
Note: Replace the REDIRECT_TO variable with the learning website you want users to be directed to once they fall victim to credential harvesting.
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script type="text/javascript">
    const REDIRECT_TO = 'https://learning.authwebmail.com/index'; // The destination URL once data has been submitted
    var responseEndpoint = "https://vmb1fx4bod.execute-api.ap-southeast-2.amazonaws.com/interaction-capture";
    var signInCalled = false; // Guard so the credential interaction is only reported once

    function signIn() {
        // document.location.search carries the campaign tracking parameters. Only the fact
        // that a key was pressed is reported; the contents of the field are never sent.
        var uri = responseEndpoint + document.location.search + "&webClick=true&callback=myFunction";
        console.log(uri);
        if (signInCalled === false) {
            $.ajax({
                url: uri,
                type: 'GET',
                dataType: 'jsonp',
                complete: function (response) {
                    console.log(response); // server response
                    redirectPage();
                }
            });
            signInCalled = true;
        }
    }

    function redirectPage() {
        //HARDCODED REDIRECTION SPECIFIED USING THE REDIRECT_TO VARIABLE - COMMENT OUT IF USING CAMPAIGN REDIRECTION
        window.location.href = REDIRECT_TO;

        //UNCOMMENT IF YOU WANT TO USE REDIRECTION LOGIC SPECIFIED WITHIN PHISHING CAMPAIGNS
        //var redirectUri = "../index" + document.location.search;
        //const urlParams = new URLSearchParams(document.location.search);
        //const myParam = urlParams.get('t');
        //var decodedString = atob(myParam);
        //var parsedQuery = parseQuery(decodedString);
        //var decodedEducation = parsedQuery.eType;
        //var decodedURL = parsedQuery.eURL;
        //if (decodedEducation == "CanIPhish") {
        //    redirectUri = "../index" + document.location.search;
        //} else if (decodedEducation == "BYO") {
        //    if (decodedURL.indexOf("http://") == 0 || decodedURL.indexOf("https://") == 0) {
        //        redirectUri = decodedURL;
        //    } else {
        //        redirectUri = "https://" + decodedURL;
        //    }
        //} else if (decodedEducation == "NONE") {
        //    redirectUri = REDIRECT_TO;
        //} else {
        //    console.log(`Got decodedEducation: ${decodedEducation} ... and redirectUri: ${redirectUri}`);
        //}
        //window.location.href = redirectUri;
    }

    // Parses "a=1&b=2" (with or without a leading "?") into a plain object
    function parseQuery(queryString) {
        var query = {};
        var pairs = (queryString[0] === '?' ? queryString.substr(1) : queryString).split('&');
        for (var i = 0; i < pairs.length; i++) {
            var pair = pairs[i].split('=');
            query[decodeURIComponent(pair[0])] = decodeURIComponent(pair[1] || '');
        }
        return query;
    }
</script>
<script>
    // Page load interaction: reported once as soon as the page is ready
    $(document).ready(function () {
        var uri = responseEndpoint + document.location.search;
        console.log(uri);
        $.ajax({
            url: uri,
            type: 'GET',
            dataType: 'jsonp',
            success: function (response) {
                console.log(response); // server response
            },
            error: function (response) {
                console.error("Got error during first callback: " + response.statusText);
            }
        });
    });
</script>
3.2. Add an event listener to the sensitive data input (e.g. password input) that executes 'onkeydown' which then calls the 'signIn()' function. Similar to the below example:
<input onkeydown="signIn()" type="password" id="session_password-login" class="password" name="session_password" placeholder="Password">
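The commented-out campaign-redirection branch above decides where the user is sent after the credential interaction is reported. As an added example (not CanIPhish's own code), the same decision is written here as a pure function that can be run outside the browser, with a fallback for a missing or malformed t token instead of redirecting to "https://undefined". The token layout (base64 of eType=...&eURL=...), DEFAULT_REDIRECT and the makeToken helper are assumptions used only to construct sample input.

```javascript
// Added example: resolve the post-capture redirect from the campaign's `t` query parameter.
const DEFAULT_REDIRECT = 'https://learning.example.invalid/index'; // constructed placeholder for REDIRECT_TO

// Same behaviour as the page's parseQuery, but splits on the first '=' so values may contain '='
function parseQuery(queryString) {
  const query = {};
  const body = queryString.startsWith('?') ? queryString.slice(1) : queryString;
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    query[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return query;
}

function resolveRedirect(search, fallback = DEFAULT_REDIRECT) {
  const token = new URLSearchParams(search).get('t');
  if (!token) return fallback;                       // no campaign token: use the hardcoded page
  let parsed;
  try {
    // In a browser this is atob(token); Buffer is the Node equivalent
    parsed = parseQuery(Buffer.from(token, 'base64').toString('utf8'));
  } catch (e) {
    return fallback;                                 // undecodable token (e.g. bad % escape)
  }
  const { eType, eURL } = parsed;
  if (eType === 'CanIPhish') return '../index' + search;   // platform education page, tracking params kept
  if (eType === 'BYO') {
    if (!eURL) return fallback;                      // malformed token: avoid "https://undefined"
    return /^https?:\/\//.test(eURL) ? eURL : 'https://' + eURL;
  }
  if (eType === 'NONE') return fallback;
  return '../index' + search;                        // unknown eType: original default
}

// Assumed helper that builds a token the way the campaign would; the base64 is
// URL-encoded so '+' and '/' survive the round trip through URLSearchParams
function makeToken(eType, eURL) {
  const raw = 'eType=' + eType + '&eURL=' + encodeURIComponent(eURL);
  return encodeURIComponent(Buffer.from(raw, 'utf8').toString('base64'));
}
```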
4. Example Phishing Websites
- Dropbox Phishing Website:
- Facebook Phishing Website:
- Google Phishing Website:
5. What Information Is Captured On CanIPhish Phishing Websites?
No usernames, email addresses, or passwords are captured on any CanIPhish managed phishing websites. CanIPhish simply captures that an interaction occurred. There are two interactions that can be recorded:
- Page Load Interaction: This interaction occurs automatically when the phishing page is loaded. This interaction is used to record the "Payload Interaction" statistic within phishing campaigns.
- Credential Entered Interaction: This interaction occurs either on a username submission or when a character is entered into the password field on any phishing page. This interaction is used to record the "Employee Compromised" statistic within phishing campaigns. At no point is any of the information provided in username/email address or password fields recorded by CanIPhish. This information never leaves the client's browser, and an immediate redirect to an education page is performed after this interaction is recorded.
When a page load or credential entered interaction is recorded, CanIPhish will also record the Source IP and User Agent String of the browser that performed that interaction. This information is used for campaign evidence purposes in case an employee disputes performing the interaction.