Testing the Waters: How to Perform Internal Phishing Campaigns

Phishing is one of the most dangerous threats to modern computing. Phishing attacks have evolved from sloppily written mass email blasts to targeted attacks designed to fool even the most cautious users. No defense is bulletproof, and most experts agree education and common sense are the best tools to combat the problem. The question is how can you safely test your users to determine their response? The answer in most cases is a phishing campaign—an ongoing attempt to test your own users on these types of risks.

In this article, I examine an open-source tool called Gophish that fits the bill for most businesses. I describe how to perform multiple phishing campaigns with Gophish and create a foundation for ongoing testing. For the example campaigns, I have selected three popular types of phishing threats: malicious links within the body of an email that redirect to unwanted sites, links to phony sites that can capture credentials and, finally, attachment-borne malware.

Before proceedng, I feel the need to insert a few disclaimers. One, do not perform this work at your business, or any business for that matter, without the express written approval from that company's management. Two, make sure to define the scope of your campaign. What types of attacks will you use? Who do you want to target? What is the time frame for your campaigns? Answer as many of these questions as thoroughly as you can. Three, don't diverge from your scope. Limit your testing only to defined areas. Follow these disclaimers, and if you do encounter any issues arising from your campaigns, always use caution and consult with the same management that signed off on them.

Installing Gophish is a snap. You can install it on Linux or Windows. I chose to use a CentOS 7 distribution for my Gophish server. To install the program, simply download and extract the install file provided on the project's site. In my case, I extracted it to the /etc folder. Use the chmod command to allow the Gophish executable to run.

To start the program, run gophish from a terminal window. This launches a script that starts the various components of the Gophish program. Once the script has completed, you are notified that an admin page is running on http://127.0.0.1:3333 (Figure 1). Open a browser on the local machine and log in with the default credentials of "admin/gophish". Upon logging in, you are presented with a minimalist interface from which you can start working (Figure 2).

Figure 1. Gophish Login Page

Figure 2. Gophish Interface

Before proceeding to the first campaign, you need to complete some preliminary work that will be re-used throughout your testing. The first item is to create a test domain and email address to use with your campaigns. It's generally a good idea to use a different email/domain combination for each campaign, but you're going to re-use this information between the campaigns to conserve space here.

As it is a known haven of phishing attacks, I have chosen to use an unused Russian domain for these purposes. This obviously will not work well if you send or receive a lot of email from Russia.

Once you have chosen your domain or domains, create a DNS zone in your environment and create a host record for "tlbank". This host will come into play during your second campaign.

I landed on the e-mail address of somzvanets@fakerussiandomain (use an actual domain) as the testing address. Make sure to mark your domain as safe and/or whitelist it on any spam-filtering software or agents you have deployed in your environment. This also includes anti-virus, as many products combine protection into one agent.

Let me add one more thing. You have the tools and the ability to get really creative and successfully deceive your users. However, I believe the goal is not to dupe users completely, but to give them clues to trigger the critical thinking centers of their brains. It is specifically those skills that you want to test and measure, as they are the most valuable in combatting phishing attacks. Leave breadcrumbs that can assist users in the threat identification process—things like misspelled words, poor grammar, strange phrasing and so on. You have to give your users a hand through the process. Otherwise, you aren't really testing your users, you're simply testing your ability to deceive them. Now, on to the first campaign.

Campaigns in Gophish are made up of several components. The first is a Sending Profile. This is the phony address from which you will send mail. You can have multiple sending profiles on your Gophish server, but you can use only one at a time per campaign. Click on the Sending Profile link and fill in the fields displayed (Figure 3). Enter your fake address in the From field and enter an internal SMTP host.

Figure 3. Sending Profile

Note, I strongly recommend using only internal resources available to you in your testing. Some paid phishing services are web- or cloud-based and may require additional network configuration. I like keeping everything inside so I absolutely know what is taking place when and on what hardware. It also will help keep your company's mail servers off internet blacklists. If your internal SMTP host requires a login, enter that as well. When your Profile information is complete, use the Send Test Mail button to confirm that your settings work. When you are comfortable with your settings, click Save Profile.

The next component to configure is a Landing Page. A landing page is where the link in your phishing message will send users if they click the link you provide. Click the Landing Page link on the left. On the new window, name the page "Blank Page". For the first campaign, let's use a simple redirect page. Click the Source button and enter the following code in the space (enter a site your users commonly use in the url= section):


<html>
<head><meta http-equiv="refresh" content="0;
 ↪url=http://somewebsite/" />
        <title></title>
</head>
<body></body>
<html>

Click Save.

Next, you'll create your first Email Template. Templates are the email messages used in the campaign. Click the Email Templates link on the left, then click New Template at the top of the page. Give your template the name of "Malicious Link" as an identifier for this campaign. On the New Template screen, you have the option of creating your own template or importing a custom email. Here you'll use a simple message with a link to your Blank Page with the redirect code.

If you choose to use a custom email tailored after a real-world phishing message, do not directly use anything from the web. You can scrub those messages with a fine-tooth comb, but the last thing you want is to miss something that inadvertently brings malware onto your network. My advice is to transcribe any examples you want to use. Never copy and paste. Transcribing is the only sure-fire way to avoid accidentally using any malicious code in your testing. Thoroughly scan any images you want to download and use. Be cautious in using images that are not your own.

It is not necessarily a bad idea to create a template that resembles a well-known company or, let's say, financial institution, but be aware there is a chance your users may actually use services from that company/financial institution. This becomes a double-edged sword. On the one hand, users actually may have a connection/account with the company you are impersonating, which could lead them to click on something they are not sure of. On the other hand, you want your users to view every message with a critical eye, even the ones that may affect them.

You can see the text of the message I've created in Figure 4. I have set the Subject to "Delinquent Account" as it is both generic and something that may still catch users' eyes. When creating the link in the message, use Link Type = URL and set the URL to {{.URL}} (Figure 5). This sends users who click the link to a unique URL on the Landing Page you just set up, which the Gophish server uses to track data for the campaign. Click on Save Template to save and close the template.

Figure 4. Creating a Template

Figure 5. Adding the Landing Page URL

Click the Users & Groups link. Give the group a descriptive name, and add users either one at a time using the provided fields or bulk import a .csv file. Divide your users into groups as you feel necessary. You could divide them by geography or site, by job title or by internal groups. Use whatever strategy best matches your testing goals. I have simply named mine "Test Group".

With all the necessary components in place, click the Campaigns link, and fill out the fields using the items you created earlier to match Figure 6. In the URL field, enter the IP address or host name of your Gophish server. If you don't want the campaign to kick off right away, click the Schedule button. You can see the test message as delivered to the test group in Figure 7.

Figure 6. Creating a New Campaign

Figure 7. Test Message

With the campaign underway, you can view the results on either the Dashboard or Campaigns link (Figure 8). Leave your campaigns in place for as long as you feel necessary. A few days normally should suffice, as users have short memories. When you are ready, you can complete your campaign by using the Complete button. You should see a Timeline displaying when the emails were sent and (if successful) when the link was clicked. If you scroll down, you'll see the results listed by the users in your group. Any success represents legitimate opportunities for a user to be lured to a malicious site using a phishing message.

Figure 8. Viewing the Results

The next campaign is centered around a phony web site that captures credentials. Because you're re-using the same Sending Profile for each campaign, you can move on to the Landing Page. This will be a simple page with a form input for a user name/password combo. On the new Landing Page window, enter the "Capture Credentials". You are free to use my basic HTML code below and customize it to your needs, but my suggestion is to use the Import Site feature to clone a real-world site that would require a login. I personally have received phishing email messages of this sort—claiming to be from a well-known bank with which I have an account, a data provider I use or popular streaming service to which I subscribe. You may get better results by mimicking a real site than an obvious fake site like this one. To use my page, copy the code below in the source view of the Landing Page window. When you click the submit button, it'll redirect the user to whatever page you like. I have removed some of the style tags to keep the code short:


<html>
<head>
    <title>The Totally Legitimate Bank</title>
</head>
<body>
<h2><strong>$$$$$ The Totally Legitimate Bank
 ↪$$$$$</strong><br />
     <em>Your Trusted (wink, wink) Hometown Bank</em><br />
</h2>
<p>User ID:<input type="text" /></p>
<p>Password:<input type="password" /></p>
<p><input onclick="document.location.href
 ↪='http://tlbank.tresk.ru'" type="button"
 ↪value="Click to Login" /></p>
<p>&nbsp;</p>
<p><strong>Member FDIP</strong>&trade;2017</p>
</body>
</html>

You may notice the option to Capture Submitted Data under the code box. I wouldn't use this option unless management or the decision-makers explicitly agree to it in your scope. A phishing campaign can be paired with other kinds of security testing where it may be relevant to capture this data, but that's not what the goal is here.

For this new Email Template, as you may have guessed, you'll be impersonating the Totally Legitimate Bank. I have crafted the email shown in Figure 9 to entice users to visit the site. As before, use {{.URL}} for your link code in the body. When crafting phishing email that also uses a complementary site, it's important to match the branding (either real or fake). Users rarely fall for a site that doesn't match up visually or otherwise in these scenarios.

Figure 9. Impersonating the Totally Legitimate Bank

Click the Campaigns link and open a new campaign. Set the options to match Figure 10. The URL I've entered is the FQDN of the host (tlbank) created earlier. If your DNS server has records for the zone and host, a valid URL will show in the user's browser. This is important, as you don't want any savvy users familiar with your IP scheme to catch on just by looking at the URL. Click Launch Campaign when ready. When you monitor this campaign, you will see the "Event: Clicked Link", and if the user entered data into the fake site, you will see a second red dot with the "Event: Submitted Data" indicating a user submitted information in the form.

Figure 10. Creating Another New Campaign

It's possible that users could have left the fields blank and clicked on the button, and there are two ways to deal with that if you want to be sure. One, code your form to check and make sure the fields are filled in before the submit occurs or capture the credentials, which I don't recommend. When you are satisfied with the results, complete the campaign. If you have a number of the second "Event: Submitted Data" messages in your results, you should be particularly concerned about your users' unknowingly submitting their credentials to an unknown party.

The third and last campaign involves sending users a malicious attachment. This is a very popular way to install ransomware. The two most currently used applications that infect users this way are Adobe Acrobat and Microsoft Word. Unfortunately, Gophish does not currently possess all of the tools needed to test this, so you'll need to set up additional resources for this campaign.

Like the previous "Totally Legitimate" web page, you'll use the quick-and-dirty method to get what you need. There is so much more you can do with this type of test, especially with tools like Metasploit, but that is beyond the scope of this article.

Start by downloading a LAMP appliance from here. I had mine up and running in less than five minutes. Create a web page called verify.php right off the root site using the code below:


<?php
session_start();
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
$counter_name = "/var/www/counter/counter.txt";
$iplog_name = "/var/www/counter/ip.txt";

// Check if a text file exists. If not create
// one and initialize it to zero.
if (!file_exists($counter_name)) {
$f = fopen($counter_name, "w");
fwrite($f,"0");
fclose($f);
}

// Read the current value of our counter file
$f = fopen($counter_name,"r");
$counterVal = fread($f, filesize($counter_name));
fclose($f);

// Has visitor been counted in this session?
// If not, increase counter value by one and append ip.txt file
if(!isset($_SESSION['hasVisited'])){
  $_SESSION['hasVisited']="yes";
  $counterVal++;
  $f = fopen($counter_name, "w");
  fwrite($f, $counterVal);
  fclose($f);
  $file = fopen($iplog_name,"a");
  $ip=$_SERVER['REMOTE_ADDR'];
  echo fwrite($file,$ip);
  echo fwrite($file, "\n");
  fclose ($file);
  header('Location:  http://somewebsite');
}
header('Location:  http://somewebsite');

This simple page will count the users as visiting, note their IP address in a text file and then redirect them to some external site.

Now, let's create the malicious attachment. Assuming you have Microsoft Word, open the program and a blank document, and press Alt-F11 to open the VB editor. Create a new module, and use the following code where http://somewebsite is the name of your LAMP web server:


Sub AutoOpen()
myURL = http://mylampserver/verify.php
ShellExecute 0, "OPEN", myURL, "", "", 0
End Sub

Save the document as type .docm, and close out of Word.

Back on the Gophish server, create a new Email Template named "Malicious Attachment", and use the document file you created as an attachment by clicking on the Add Files button. See Figure 11 for the wording of the template.

Figure 11. Malicious Attachment Template

In this example, you are claiming that the user has an unpaid invoice. You don't need a landing page, so set it as "Blank Page" like in the first campaign. Match the rest of the settings to Figure 12 and Launch the campaign. You can use a hostname in the URL field, but since you're not using Gophish to track the campaign, you can just use the the Gophish server's IP.

Figure 12. Campaign Settings

Unlike the previous campaigns, you'll have to track your results using the text files created with the verify.php page. One note to this campaign—most current word processors possess some form of macro protection, usually a warning prompt. Users will have to bypass those or enable macros to open the attachment, which means they really wanted to open it. If you have a lot of hits showing up in the text files on the LAMP server, you may want to think about increasing the intensity of scanning inbound attachments, disabling macros if you can, and as always, educating the affected users of the possible outcomes from opening suspicious attachments.

With the testing complete, take stock of the successes that you discovered and address them with either technical or educational resources. Use these results and push for regular testing if you can do it. This shouldn't be a one-time test. You should keep your users sharp, and like with any other skill, you have to exercise regularly to stay effective. There is an old adage in computer security "The bad guys only have to be right once." Make sure your users are prepared. With turnover, promotions and responsibility changes, the last thing on many users' minds is email security. Consistent reinforcement of good security practices and regular testing to validate your training approach is crucial to avoiding catastrophe.

Load Disqus comments