Performing an Internal Controlled Phishing Campaign (Part 1 of 2)

By the end of this article series you will be able to:

+ (Part 1) Architect an internal phishing campaign
+ (Part 2) Gather metrics to present to the executive team

Phishing has reached the point of annoyance within every company. With whaling and spear phishing becoming far more targeted, and emails looking increasingly legitimate, there’s little spam filters can do to combat it.

So how well prepared are your users? The likelihood is, if you haven’t conducted a controlled assessment yourself, you won’t know. It’s very easy for someone who’s proficient in IT to quickly view an email and tell you off the bat whether it’s legitimate or not, but not all your users are IT pros… in fact, if they were, you wouldn’t have a job, so be somewhat grateful for their ignorance.

The first step in any infosec procedure is to establish your baseline. Once this is obtained you can create your metrics and retest at a later point after implementing your mitigation, which in this case would likely be end-user training.

In order to create said baseline… we have to spam the users. Admittedly this is more fun than it should be. Countless companies offer this as a paid-for service, but to just dip your foot in the water all you will need is a spare PC with a static IP and a copy of GoPhish.

To launch the GoPhish server you simply need to run the binary within the primary folder. A CMD window will appear. Leave this running.

In your browser (not IE, as there are compatibility errors) go to https://localhost:3333

User: admin
Password: gophish

The obvious first step is to change the password on the account through the settings menu (top right).

The menu options are pretty self-explanatory. We will start by designing a landing page. On the ‘landing pages’ page click new page and you’ll be greeted by a modal window with a somewhat sexy “import site” button at the top. This is gold for replicating sites quickly and easily. Using a site that the users are familiar with is known as a watering hole attack, since it’s familiar to everyone.

Once your site is cloned, or you have created one in HTML yourself, you can choose via the checkbox to store the credentials entered. I advise against this on the basis that the file is in fact accessible to every user. It is feasible that, during the audit, a user can obtain the very same list with all the passwords. If you DO NOT have this checked, you will still get detailed intelligence on who actually submitted data, just not what that data was.

Now to create the email template. This is again very straightforward and depends on how you want the initial attack to look to your users. You could use a replica of an attack you have seen against your company. IRS and HMRC scams are common, alongside random emails from the chiefs of the company. Set the email address to whatever you like. You can use the template functions, all listed here, to make the email more personal. An example email would be:

Hey {{.FirstName}},

I have this totally legit link to click right here {{.URL}}

You CAN add attachments… however support to identify who has opened them does not exist to my knowledge in current revisions of GoPhish. (I do have a workaround we can add on at a later point)

You’ll then need a user list of people to target. This can be by department or just a blanket email. You can bulk upload via CSV, or input the addresses manually.

Last but not least, you need to configure the sending profile. This is also fairly straightforward: SMTP hostname, user/pass, and custom headers if required to filter through the mail servers.

Now that we have all the components ready, we can create our campaign!

On the campaign setup page you just need to select all your configs. The only catch is you need to add the static IP of your server. This then populates in the {{.URL}} template function.

Then click launch campaign.

When running the campaign you can see a live update feed via the dashboard. Live metrics of:

Who opened the email (if a tracking image was used)
Who clicked the link
Who submitted data

We can then terminate the campaign when desired and download all metrics via CSV. In part 2 we will discuss how to process these metrics so they are easily digestible for management (pretty pictures and stats).
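To make the baseline-then-retest idea concrete, here is an added example (not from the original article or the GoPhish project) that turns two exported results files into per-stage rates and the change between them. The column names (`email`, `position`, `status`), the status strings, and the use of `position` as the department are assumptions about the export; adjust them to match your file.

```python
import csv
import io
from collections import Counter

# Funnel order. A row's status is assumed to hold only the furthest stage reached.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

# Constructed sample exports (not real data): the baseline run and a later retest.
BASELINE_CSV = """email,position,status
a.jones@example.com,Finance,Submitted Data
b.smith@example.com,Finance,Clicked Link
c.patel@example.com,Sales,Email Opened
d.lee@example.com,Sales,Submitted Data
e.kim@example.com,IT,Email Sent
"""
RETEST_CSV = """email,position,status
a.jones@example.com,Finance,Clicked Link
b.smith@example.com,Finance,Email Opened
c.patel@example.com,Sales,Email Opened
d.lee@example.com,Sales,Submitted Data
e.kim@example.com,IT,Email Sent
"""

def funnel(csv_text, group=None):
    """Fraction of recipients (optionally one department) reaching each stage."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if group is None or r["position"] == group]
    reached = Counter()
    for row in rows:
        status = row["status"].strip()
        if status in STAGES:  # anything else (e.g. a send error) reached nothing
            # Credit every earlier stage too: a click counts as an open even if
            # the tracking image was blocked and no open was recorded.
            for stage in STAGES[: STAGES.index(status) + 1]:
                reached[stage] += 1
    return {s: reached[s] / len(rows) if rows else 0.0 for s in STAGES}

def change(baseline, retest):
    """Percentage-point change per stage; negative means fewer users fell for it."""
    return {s: round((retest[s] - baseline[s]) * 100, 1) for s in STAGES}

if __name__ == "__main__":
    before, after = funnel(BASELINE_CSV), funnel(RETEST_CSV)
    for stage, points in change(before, after).items():
        print(f"{stage:15} {before[stage]:.0%} -> {after[stage]:.0%} ({points:+.1f} pts)")
```

Run both campaigns against the same user list so the rates are comparable; a different population between baseline and retest makes the change meaningless.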
