Phishing Campaign with Gophish – Practice.

1. Introduction.

Implementing and launching a phishing awareness campaign is essential in today’s world where phishing attacks have become increasingly sophisticated and frequent. Gophish is an open-source tool that allows organizations to simulate phishing attacks in a controlled and safe manner to educate employees on how to identify and handle phishing attempts. The following points describe how to do this using Gophish.

2. Setting up the Phishing Campaign with Gophish.

To implement a phishing awareness campaign with Gophish, the following steps have been taken.

  • Environment Setup: We installed Gophish on our attacker machine following the installation instructions provided by Gophish on its GitHub repository.
  • Phishing Email Setup: We created a convincing, realistic email template tailored to the target. The campaign carried out was a “spear phishing” exercise, that is, phishing deliberately aimed at a specific target, in this case the executive positions of the company JAYMON SECURITY S.L. To this end, we personalized the content of the email, including the subject, the sender, and the body of the message, to fit the goal of the awareness campaign.
  • Phishing Site Setup: We created a fake webpage imitating the admin access panel of the JAYMOSECURITY.COM website. Once the access credentials are entered, they will be captured by Gophish.
  • Target and Groups Setup: The targets of the awareness campaign are defined, which can be employees of the company or organization. We create target groups and assign the email templates and phishing sites to each group.
  • Sending Phishing Emails: Once the campaign is created, Gophish takes care of sending the phishing emails to the selected target groups. As we will see, Gophish also records and tracks the recipients’ interactions, such as email opens, link clicks, and the submission of information through the phishing sites. This allows the auditor to obtain statistics and metrics to assess the effectiveness of the awareness campaign.

It is important to highlight that after the awareness campaign, the results obtained should be used to educate and raise awareness among participants about the risks and best practices to avoid phishing. The campaign will also serve to provide useful information on how to detect and avoid phishing attacks and reinforce the importance of information security.
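
As an added example (not part of the original article or of Gophish itself), the Python below turns a campaign's timeline events into the statistics described above and lists who needs follow-up training. The sample timeline is constructed, the event names are assumed to match Gophish's timeline messages, and the `details` field that holds submitted data is never read, so captured credentials stay out of the report.

```python
import json
from collections import defaultdict

# Timeline event names as Gophish labels them (assumed here), in funnel order.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data", "Email Reported"]

# Constructed sample shaped like a campaign export; all addresses are placeholders.
SAMPLE = json.loads("""{"name": "awareness-demo", "timeline": [
  {"email": "", "message": "Campaign Created"},
  {"email": "ceo@example.test", "message": "Email Sent"},
  {"email": "cfo@example.test", "message": "Email Sent"},
  {"email": "cto@example.test", "message": "Email Sent"},
  {"email": "coo@example.test", "message": "Email Sent"},
  {"email": "ceo@example.test", "message": "Email Opened"},
  {"email": "ceo@example.test", "message": "Clicked Link"},
  {"email": "CEO@example.test", "message": "Clicked Link"},
  {"email": "ceo@example.test", "message": "Submitted Data", "details": "{...}"},
  {"email": "cfo@example.test", "message": "Clicked Link"},
  {"email": "cfo@example.test", "message": "Email Reported"},
  {"email": "cto@example.test", "message": "Email Opened"}
]}""")

def funnel(campaign):
    """Map each stage to the set of recipients who reached it (each counted once)."""
    reached = defaultdict(set)
    for ev in campaign.get("timeline", []):
        email, msg = ev.get("email"), ev.get("message")
        if email and msg in STAGES:          # the "details" payload is never read
            reached[msg].add(email.lower())
    # Example's choice: submit implies click implies open (image blocking hides opens).
    reached["Clicked Link"] |= reached["Submitted Data"]
    reached["Email Opened"] |= reached["Clicked Link"]
    return reached

def rates(campaign):
    """Return {stage: (recipients, percent of emails sent)}."""
    reached = funnel(campaign)
    sent = len(reached["Email Sent"])
    return {s: (len(reached[s]), round(100 * len(reached[s]) / sent, 1) if sent else 0.0)
            for s in STAGES}

def needs_followup(campaign):
    """Recipients who submitted data and never reported the email."""
    r = funnel(campaign)
    return sorted(r["Submitted Data"] - r["Email Reported"])

if __name__ == "__main__":
    for stage, (n, pct) in rates(SAMPLE).items():
        print(f"{stage:15} {n:2}  {pct:5.1f}%")
```
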

It should be noted that when carrying out a phishing awareness campaign, we must take into account that its implementation will require the consent and informed participation of the employees or targets involved. In addition, compliance with privacy and data protection laws and regulations applicable in your jurisdiction must be ensured.

Having clarified the above points, we proceed to the practical exercise.

a) Email account setup.

Next, we configure the email account from which we will send the phishing email. In this case, we simulate having obtained access to a support account of the target company (Jaymon Security), and it is from this account that the phishing email will be sent.

b) Phishing web page setup.

Next, we proceed to configure the phishing webpage to which the victim will be directed after clicking on the trap link. For this, we have used the “import site” option that allows us to pass the URL of the original website, in this case, the admin access panel to WordPress of

At this point, we have to manually configure the URL to which the victim must be directed to land on the trap webpage. For this, we go to the Docker container where Gophish is running and point to the port where the web server is exposed, in this case 8083, which is forwarded to the internal port 80 where the web server hosting the trap webpage runs.

c) Phishing email configuration.

Thus, we set the trap email to include the URL where the victim will be directed when clicking on the trap link. In this case, we will do it manually, which entails a bit more work than a simple email import. We will also look at this second option later on.

d) Setting up the victim group and launching the Phishing Campaign.

Next, we create the group with the emails of the victims of the phishing campaign.

Once we have everything set up as described above, we proceed to create the campaign as follows:

After clicking the “Launch Campaign” button, Gophish sends out the emails to the victims established in the campaign group.

In the previous image, we see the ID “vEyQpze” assigned to the campaign. This value is important because it is where Gophish will present the trap webpage. Therefore, we must edit the trap link as follows:

e) Landing of the Phishing email.

As we see in the following image, the phishing email has successfully reached its victim, in this case, the CEO of the company with the email [email protected].

Upon viewing the email, the victim sees the following:

When the victim clicks on the “administration panel” link, they are redirected to the trap webpage. The URL http://localhost:8083/?rid=vEyQpze can be observed.

After clicking the link, we see how Gophish keeps us informed.

f) Credential theft through Phishing.

Next, the victim enters their access credentials.

After clicking the “Log In” button, the redirection is carried out as had been set up in Gophish.

If we go to the Gophish control panel, we can see that we have obtained the victim’s access credentials.
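
For the defending side, the landing-page visit in e) and the credential submission in f) leave a recognizable trace in web proxy logs. The following added example (not from the original article) scans constructed log lines for the `rid` parameter and separates the authorized exercise host from unknown hosts; the log format, user names, the `example` hosts and the seven-character `rid` shape (taken from the value shown on this page) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

RID_RE = re.compile(r"[A-Za-z0-9]{7}")   # assumed shape, matching "vEyQpze" above
AUTHORIZED_HOSTS = {"localhost:8083"}    # host used by the authorized exercise

# Constructed proxy log: timestamp, user, method, URL, status.
LOG = """\
2024-01-10T09:05:11Z ceo GET http://localhost:8083/?rid=vEyQpze 200
2024-01-10T09:05:40Z ceo POST http://localhost:8083/?rid=vEyQpze 302
2024-01-10T09:07:02Z cfo GET http://intranet.example.test/wiki?page=rid 200
2024-01-10T09:09:30Z cto GET http://login.example.invalid/?rid=Ab3dE9x 200
2024-01-10T09:09:55Z cto POST http://login.example.invalid/?rid=Ab3dE9x 302
2024-01-10T09:12:00Z coo GET http://shop.example.test/?rid=12 200
"""

def classify(log_text, authorized=AUTHORIZED_HOSTS):
    """Return (user, action, host, rid, scope) for each request carrying a rid."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed lines
        _ts, user, method, url, _status = parts
        u = urlsplit(url)
        rid = parse_qs(u.query).get("rid", [""])[0]
        if not RID_RE.fullmatch(rid):
            continue                      # no rid, or not the tracked shape
        action = "submitted" if method == "POST" else "visited"
        host = u.netloc.lower()
        scope = "authorized-simulation" if host in authorized else "investigate"
        findings.append((user, action, host, rid, scope))
    return findings

def to_investigate(log_text):
    """Users who posted data to a rid-tagged page outside the authorized hosts."""
    return sorted({f[0] for f in classify(log_text)
                   if f[1] == "submitted" and f[4] == "investigate"})

if __name__ == "__main__":
    for finding in classify(LOG):
        print(*finding)
```
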

At this point, we can consider the exercise completed. However, the following point explains the email import function in Gophish, as I believe it is pertinent to understand the previously described complexity of setting up a custom and manual email.

3. Importing a Phishing email in Gophish.

For this proof of concept, we take a typical advertising email. We download it and obtain a file with the “eml” extension, as shown below.

As we can see below, in the “eml” file we have all the headers of the exported message.

a) Importing the email.

At this point, it is as simple as copying all the content of the previous message and pasting it into the text field provided by the Gophish “import email” option.

Automatically, Gophish will replace the URLs in the message with the URL where it will provide the trap webpage. In this case, no manual action is necessary on our part to figure out the appropriate URL, unlike in the case of creating a manual email.

b) Email verification.

As we can see below, after launching the campaign, the email properly reaches the victim.

When the victim clicks on the “View offers” button, they will be redirected to the trap webpage.

c) Credential capture verification.

Once again, we can observe how Gophish has appropriately captured the victim’s access credentials.

4. Conclusions.

As can be seen, Gophish constitutes a powerful tool for conducting various phishing awareness campaigns for companies.

If you require a training or awareness plan in Cybersecurity, you can contact us through our contact form.

