Phishy: A Phishing Simulation for Social Engineering Awareness

3 min read · Feb 28, 2025

Phishing attacks remain one of the most effective and dangerous social engineering tactics used by cybercriminals. To better understand these threats and raise awareness, I developed Phishy — a phishing simulation project that demonstrates how attackers craft deceptive websites to manipulate users into revealing sensitive information. The full source code and details are available on my GitHub repository: Phishy.

Project Journey: From Idea to Execution

Inspiration

This project was inspired by an Instagram reel that showcased how phishing can be leveraged to trick users into scanning QR codes and unknowingly granting camera access. Recognizing the potential risks associated with such attacks, I wanted to explore the mechanics behind phishing to better understand and mitigate these threats.

Development Process

With limited coding experience but a foundational understanding of phishing, I leveraged ChatGPT to generate a script that would trigger camera access upon visiting the phishing webpage. Through multiple iterations, I refined the code to create a fully functional yet minimalistic phishing website.

The next challenge was automating the process of receiving captured images. To achieve this, I used BotFather to create a custom Telegram bot and the UserInfo bot to obtain the necessary channel ID. By integrating these elements into the script, I successfully developed an end-to-end phishing simulation that could send retrieved images directly to my Telegram channel.

Understanding the Risks

This project serves as a basic proof-of-concept (PoC) demonstrating how easy it is to craft a deceptive website. However, in real-world attacks, adversaries can construct highly sophisticated phishing pages that closely resemble legitimate websites, making them even harder to detect.

Privacy Note: I have chosen not to include a publicly available Proof-of-Concept (PoC) demonstration to prevent potential misuse.

Disclaimer: This project is strictly for educational purposes and cybersecurity awareness. Misuse for illegal activities is strictly prohibited, and I do not take responsibility for any malicious use of this information.

Features of Phishy

  • Realistic UI: Designed to resemble a legitimate e-commerce platform to enhance credibility.
  • Credential Harvesting: Captures and logs user-submitted credentials (for educational purposes only).
  • URL Masking Techniques: Demonstrates methods used by attackers to disguise phishing links.
  • JavaScript-Based Logging: Simulates tracking user interactions for better phishing analysis.
  • Security Awareness Training: Can be used in controlled environments to educate individuals on phishing tactics.

Ethical Considerations & Responsible Disclosure

The goal of Phishy is to educate users on the dangers of phishing and enhance their ability to identify and mitigate such threats. Understanding how attackers operate enables cybersecurity professionals to develop stronger defenses against these tactics.

Reminder: Engaging in unauthorized phishing activities is illegal and unethical. This project is strictly for security awareness and research purposes.

Additional Resources

There are many well-established phishing frameworks, such as CamPhish and ZPhisher, that offer more advanced features. Exploring these tools can further enhance your understanding of phishing techniques.

Conclusion

Phishing remains one of the most prevalent cybersecurity threats, and awareness is key to prevention. By simulating phishing techniques in a controlled environment, Phishy bridges the gap between theoretical knowledge and real-world attack scenarios.

For more details, visit the full source code on GitHub: Phishy. Check out the sample code there to understand the concepts behind phishing attacks and their implications.

Connect with Me

Have suggestions or feedback? Feel free to reach out. Stay safe, stay informed, and happy ethical hacking! 🚀