by naftaliharris 4009 days ago
Thanks and thanks for the suggestion! One thought I'd had was longer/more in depth campaigns. It's good to know other people would be interested in that as well.

One thing I was concerned about was that people might not trust some random guy on the internet to properly discard those credentials.


I think you are completely correct in your second sentence there - there's no way I'd use this if there was any chance of my colleagues actually disclosing real credentials to a third party.

(Suspicious me is wondering if you're evil - 'cause if evil-me was in your position, I'd be selectively showing your "you've been phished, ha ha!" landing page to most people, but mining LinkedIn/Rapportive/Google for key contacts at any domains that sign up, and displaying genuinely evil credential-collecting-login pages if I got a hit from senior sysadmins or a CTO/CIO/CSO...)

The phishing page could be set up to have a fake form that sends no data, and says "you've been phished" when someone tries to submit information to it.

At that level, though, the pen-tester really ought to have control over the phishing landing page.

Do something like Google's new authentication process - rather than asking for the username and password on a single page, ask for the username only with a "continue logging in" button. There's no need to actually ask for a password.
Throwing up a javascript alert as soon as one character is typed in the password field could allow you to see who was about to actually type something in there. Of course some people troll phishers with fake passwords, but this narrows down your false positives without you actually collecting credentials.
Totally legit concern. Seems like it would be an option that a customer might want after they've used the service for a bit and built up a level of trust. Overall, great idea.
One option that might do something to ensure trust would be to have the javascript on the page that accepts the credentials be unminified and readable.
Or provide a self-hosting option; JavaScript can be changed at any moment. Request A might look fine, but request B for the same file 5 minutes later could be malicious.
I think that'd be the best way to go. Or, half-way between hosted and self-hosted: in exchange for payment, provide a button that lets them launch a CuttlePhish instance on Heroku. (I'm not sure if this can be automated to the point that regular non-developers would understand it, though.)