Phishing emails might get a whole lot deadlier with a system that helps creators make the scams more convincing and targeted.
The PhishPoll application was designed to help phishers prep more enticing bait to lure victims and to provide them insight into what targeted users did and did not click on.
But while it could be seen as a boon for criminals, PhishPoll was built to help white hat security professionals make their organisations a harder nut for phishers to crack.
It worked by condensing the expertise of the blackhat phishing world into a tool to be used by IT security professionals for internal-facing phishing campaigns.
In this way, organisations like Twitter, Google and Johnson and Johnson were determining which of their staff were most likely to click on phishing emails and risk compromising their organisations.
Those staff would be offered security awareness training and later hit with more phishing emails of increasing sophistication.
Phishing emails were a hugely popular vector for attacking large organisations because if a staff member could be conned into typing in their work login details into a malicious web page or enticed to open a booby-trapped video, then crackers could bypass scores of existing security systems designed to look for unauthorised external intrusions.
Some of the world's largest organisations have been breached using such attacks. The social engineering vector was so effective that staff at businesses like Coca Cola, Shell and Ford have willingly handed hackers at police-monitored security competitions dozens of sensitive artifacts like the types of security technologies in use, the versions of operating systems used and staff information.
White hat security researcher Luis Santana (@hacktalkblog) said criminal phishers were skilled.
"I wanted to make my phishing emails better and so I thought why not learn from the best," Santana said. "These guys do this for a living. They do it to eat."
The tool contains email templates and intelligence that Santana has accured to helps phishers to create more effective scam emails.
Administrators could tap into a list of phishing templates that ranged in sophistication and could then track via graphical heat maps what links users clicked on and where those who did not hovered their mouse pointers.
The tool tracked the IP addresses of victims, what browser and operating system they used, their hostname and assigned them an identity. The data was SHA 512 hashed.
It also supported multiple users, created emails using the Markdown language and allowed live email previews.
A large blocklist prevented Yahoo, Google and others from indexing and blacklisting the platform.
Santana was also working on a function to help deliver payload exploits within phishing emails.
In phishing, research was king. Attackers needed a convincing pretext to first entice users to open and read the dodgy emails which could be formed from intelligence such as a staffers' birthday, gleaned perhaps from a public Facebook account, or from financial data sent to coincide with a company's revenue statements.
But even a crafty email could fail if an attacker did not research what operating systems the target used: a phishing scam carrying an exploit-laced Microsoft Word document would fail if staff used Apple Macs.
The best way to form a targeted phishing email -- known as spear phshing -- was to gain a copy of the target organisation's emails by signing up to newsletters or promotions, or by requesting product information. This provided intelligence on the type of language used, images and letterheads, and some staff details.
Landing web pages to which phishing emails direct users must be clean, professional and simple. "Your phishing email could be written by Shakespeare but noone is going to follow through if your landing page looks like crap," he said.
Reputation both with email filters and with target end users could be improved by pretending to forget an attachment within an email.
By sending a phishing email to a target and then writing back with the 'forgotten' attachment -- which would be a malicious payload -- Santana had increased the number of victims who fell for the ruse from next to nothing to 80 percent.
He said phishing emails should be simple to retain user attention and should not be filled with images that were often blocked by default by mail clients.
Phishing relies on both users being conned and white hats being kept at bay.
But the same organisations like Google and Spamhaus which disrupt criminal phishers could also hinder phishing projects run by security professionals and penetration testers.
He said for infosec phishing campaigns professionals should avoid PHP mail and use SMTP instead; avoid getting indexed by search engines especially by Google; don't spoof the reply-to field, and don't hide links within tags because users where too savvy and it was blocked by some mail clients.