What a happy surprise to see my project on HN :)
My name is Jordan, I've been developing Gophish [0] for a few years now. The goal of the project is to let companies of all sizes perform high-quality phishing simulation regardless of their security budget.
Happy to answer any and all questions!
To me, phishing is email (or phone calls, links, websites, or other comms) that attempts to get someone to give something away that is a secret. I don't see the relationship between that and your tool yet.
[Edit / Update] Ok. After going 14 pages deep into the project, down through a user guide, it is clear what this project does. But 14 pages!? I recommend updating the readme to have, near the top, a section on selling/introducing the tool. "Gophish allows you to easily create a fake landing page that mimics your real landing page and send phishing email to get people in your organization to come to the phishing site. A UI shows stats collected on emails opened, links clicked, and data submitted to the phishing site. Set up multiple campaigns and much more. See our list of features." Add some relevant pics like the dashboard and your readme will really be helpful to folks like me.
Just out of curiosity, does the copy on the main website [0] give a better indication or does that still not make for a clear description?
I ask because, while the repo was linked in this case, the main website is where most people land.
This is meta right? You're phishing us with a meta toolkit.
Their response was lightheartedly asking me if I really just sent them an email about a phishing simulation toolkit and expected them to click the links in the email :D
The idea was that you would flood their valid data with bullshit data making it worth less to them. It was quite effective. Most skript kiddiez didn't know enough to stop me.
Recently, I did some analysis on phishing kits at a pretty large scale that sounds like it’d be of interest to you [0]
Thank you very much for a quality open source toolkit.
Don't get me wrong: I'm all for people having the tools to protect themselves, and the ability to write/publish/use whatever software you want.
So this question isn't provocation, but a real interest if there are any decisions that may make such software's use easier for white hats vs. black.
Because as a first approximation, it strikes me as plausible that being free-as-in-beer is unfortunately more useful to the perpetrators of phishing (usually small groups or individuals) than the victims (large organisations, usually with significant resources or they wouldn't be interesting). It's a really interesting dynamic actually, one where the weapon and the protection just happen to be the same.
Kali Linux is a prime example. It is a Linux distro prepackaged with some of the best hacking tools available.
While I'm sure some people use it maliciously it is in heavy use by security teams to discover vulnerabilities so they can be fixed.
I'm just thankful that as a unix person, we don't have "cmv", "ls4j", or "pyrm".
https://news.ycombinator.com/item?id=18145340
:P
I'm interested in how you plan on monetizing, enterprise support?
I view Gophish as a way to volunteer and give back to the larger security community. I love engaging with the Gophish community and seeing people use the software to measure their own exposure to phishing.
That said, there aren't any plans to monetize Gophish. It will always stay free and open-source so that anyone can use it. :)
As far as support, I try and respond to every issue as fast as possible. It's a best effort, but I managed to pass 1k closed issues recently, which I was pretty proud of! And I'm fortunate that there are so many amazing people in the Gophish community who are willing to jump into issues, help out, and bounce great ideas around.
While my experience with Gophish was one of the things that brought me to Duo, Insight is not based on Gophish at all. I had the privilege of working with the team of engineers who built Insight and they are amazingly talented. It's a really high-quality product from an incredible team.
You hit the nail on the head as to why someone may prefer Insight to Gophish. Gophish, while being easy to set up, still requires _some_ setup and hosting. With Insight, everything is managed for you. This has significant time savings and infrastructure savings.
The downside to this is flexibility, which is what Gophish offers. Insight offers a good few pre-built templates while Gophish lets you create your own. You control everything and have the ability to tailor phishing campaigns exactly how you want them. Gophish was also built from the ground up to be driven by an API, and has other features that may be useful in more red-team scenarios (such as credential capture).
The other benefit to Gophish that you mentioned is that, since you control the infrastructure, you control all of the data end-to-end.
So while they're in a similar space, they're pretty different products with different strengths and weaknesses. If you're just starting to look into running a phishing simulation, I'd lean towards giving Insight a shot since it's super quick and easy to get a campaign out the door. Once you need more flexibility and power, Gophish is an easy transition. :)
They've been growing like crazy; aggressive sales, and nearly giving it away for free. Most of their value comes from the educational content they provide though, and not the actual testing infrastructure which Gophish is focused on.