Sovy io
January 2nd, 2018
What was it?
Sovy was the madeup name of a project I worked on during my junior year of undergrad and into my first internship with Tesla. Ben, a friend of mine who was in his second and final year of grad school, had the idea of giving people hands-on experience with phishing but in a safe and educational way.
In case you aren't familiar, phishing is a type of social engineering where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information or to deploy malicious software on the victim's computer. A common example of phishing are fake emails that look like they came from Amazon notifying you that an order you never placed has been shipped. Conveniently there's a way to dispute the charge, and if you click on it you're taken to a login page that looks near-identical to Amazon's login page. If you enter your Amazon credentials you've just revealed sensitive information to a malicious person.
Ben wanted to create a service that would send customers phishing emails to expose them and get people more comfortable spotting a phishing attempt.
Why did we build it?
Phishing, and phishing emails specifically, can be very difficult to detect. All of us that worked on Sovy were in the Information Systems program at BYU, and even some of us had fallen for phishing scams. We were aware that some companies sent phishing emails to their own employees to give them practice recognizing malicious emails. We wanted to offer the same kind of training/hands-on experirence to anyone.
What did it do?
Random Phishing Emails
The idea was simple, when you signed up for the Sovy service you would start to receive phishing emails. You might get 3 emails one week, and no emails the next. You would receive emails at random intervals and they would always be disguised as if they were from someone other than Sovy. Some of the emails were generic phishing attempts, below are a coupe of examples.
Two separate examples of generic phishing emails we created.
Other phishing emails were much more targeted. They used the names and logos of well known brands that many people would be familiar with and likely use. For these targeted phishing emails we would also recreate the login forms, so that if a user clicked on a link they'd be taken to a legitimate looking login page. This gave users even more exposure and practice. These login forms weren't actually capturing any user information, and as soon as they clicked submit or login they'd be taken to the Sovy website. Here are two examples of the more tailored phisihing attempts.
A phishing email that looks like it came from Facebook
A fake login page that a user would be redirected to if they clicked on a link in our Yahoo phishing email.
Each phishing email could track if it had been opened and if any links had been clicked. We would give you a passing grade if the email was never opened, or if the email was opened but no links were clicked within a specific period of time after it had been sent. Once the test was over and it was determined that you had passed, we would send a follow up email. The follow up would include a screenshot of the phishing email and gave a summary of the various ways you could've determined it was phishing.
If you received a phishing email from us and you did click on a link you would be redirected to the Sovy website. On our site we had explanations for how you could spot the red flags for each of our phishing emails. We also had more general educational information on phishing and miscellaneous online securty. If you failed one of our phishing tests you would receive the same email again sometime in the future to retest and guage improvement.
How did it go?
Sovy never really made it off the ground. The group of students that worked on it were all graduate students (aside from me), and when they graduated it was quickly forgotten. For ~6 months after graduation Ben and I continued making improvments, I worked on the website and our phishing emails while Ben worked on business plans/pricing/sales/etc. We did get a handful of paying customers who subscribed for a few months, but as my Tesla internship progressed I had less time to devote to Sovy and Ben started his first job out of school.
This was my first real experience writing code out of school and I learned a lot, both technically and how to work with a team scattered across the country. Even today I think Sovy was a great idea and could help a lot of people. There were so many ideas we never had the chance to implement so who knows, maybe one day I'll pick up where we left off.
