Skip navigation

New Open-Source Phishing Tools: IsThisLegit and Phinn

Phishing affects every organization. The ability for attackers to easily send thousands of emails, many of which have significant success rates, makes phishing a common and effective attack method and a headache for administrators.

Duo is in the business of helping organizations solve some of the biggest challenges in security. This is why we're excited to announce two new open-source tools designed to help administrators prevent, manage, and respond to phishing attacks against their organization: IsThisLegit and Phinn.

IsThisLegit

We've written about building successful user awareness training programs in the past. At a high level, they can be divided into three parts: measuring, training, and reporting.

First, you want to measure your organization's exposure to phishing by sending simulated phishing emails. This also teaches users how to spot real phishing attempts when they inevitably land in their inbox. Duo Insight lets you test your organization's exposure to phishing for free.

The other side of building a user awareness training program is to enable users to easily report suspicious emails to their security team, as well as giving the security team the tools needed to investigate and manage these reports. This is where IsThisLegit shines.

IsThisLegit Logo

IsThisLegit is really two tools in one. To make it easy for users to report suspicious emails, IsThisLegit provides a Chrome extension that adds a "Report Phishing" button to Gmail. When a user clicks the button, the email is automatically submitted to the configured web application dashboard. This first release of IsThisLegit targets organizations using GSuite, but our goal is to provide clients for most major mail providers as soon as possible.

IsThisLegit Report Phishing

The analyst dashboard is a web application powered by Google App Engine. The dashboard lets analysts view, analyze, and respond to phishing reports. It's packed with features, including the ability to:

  • Create rules to automatically match and process reports
  • Easily create custom actions that can be used to integrate with other systems
  • Respond to users using templated responses
  • Integrate with other systems using webhook support
  • Much more!

IsThisLegit Dashboard

You can get up and running with IsThisLegit here.

Phinn

Phinn When it comes to detecting phishing, there are currently two similarly-flawed approaches that are available to aid the user in making the determination of whether a site asking for credentials is actually what it claims to be. The first, Google Safe Browsing, is a blacklist-based approach for known phishing sites which alerts the user when they first navigate to a page. The other, now-defunct and often ignored, Web of Trust extension presented an indication of accumulated “Trust Juice.”

The premise of Phinn is a simple one: If it looks like a Google login page, it should be hosted on a Google domain. Phinn takes a fundamentally different approach by enabling corporate administrators to generate and train a custom Chrome extension that can then be pushed out to the rest of their organization. The Chrome extension analyzes rendered page content for visual similarity to configured identity providers and login pages through the use of a machine learning algorithm called a convolutional neural network.

When a page with a login form is rendered in the browser, the Phinn extension captures a screenshot and passes it through the uniquely trained neural network and, within milliseconds, determines if there is a strong indication of given stylistic branding. Checks are then done against the serving domain to proactively alert the user if a phishing attack is suspected.

Phinn in Action

Utilizing convolutional neural networks for this has several benefits. As it works on raw image data obfuscation and minimization typically seen in phishing pages plays no role in the detection accuracy. But most importantly, it forces the attacker to deviate from the styling and branding that the user is used to, making the page appear more suspicious while lowering the burden on the users to be proactive.

Conclusion

We're excited for the potential these tools have when supported by the open-source community. While this is just the initial release, we hope that administrators find these tools useful in mitigating phishing for their organizations.

Jordan Wright

Senior R&D Engineer

@jw_sec

Jordan Wright is a Senior R&D Engineer at Duo Security as a part of the Duo Labs team. He has experience on both the offensive and defensive side of infosec. He enjoys contributing to open-source software and performing security research.

Mikhail Davidov

Principal Security Researcher

@duo_labs

From launching high altitude balloons into near-space to developing automated crash dump analysis tools for DARPA, Mikhail has been making and breaking things for the majority of his life. Acting as a Principal Security Researcher at Duo Labs Mikhail brings a wealth of reverse engineering and security consulting experience to bear looking at interesting attack surfaces in new and emerging technologies while blowing a few things up along the way.