Testing the Waters: How to Perform Internal Phishing Campaigns

As it is a known haven of phishing attacks, I have chosen to use an unused Russian domain for these purposes. This obviously will not work well if you send or receive a lot of email from Russia.

Once you have chosen your domain or domains, create a DNS zone in your environment and create a host record for "tlbank". This host will come into play during your second campaign.

I landed on the e-mail address of somzvanets@fakerussiandomain (use an actual domain) as the testing address. Make sure to mark your domain as safe and/or whitelist it on any spam-filtering software or agents you have deployed in your environment. This also includes anti-virus, as many products combine protection into one agent.

Let me add one more thing. You have the tools and the ability to get really creative and successfully deceive your users. However, I believe the goal is not to dupe users completely, but to give them clues to trigger the critical thinking centers of their brains. It is specifically those skills that you want to test and measure, as they are the most valuable in combatting phishing attacks. Leave breadcrumbs that can assist users in the threat identification process—things like misspelled words, poor grammar, strange phrasing and so on. You have to give your users a hand through the process. Otherwise, you aren't really testing your users, you're simply testing your ability to deceive them. Now, on to the first campaign.

Campaigns in Gophish are made up of several components. The first is a Sending Profile. This is the phony address from which you will send mail. You can have multiple sending profiles on your Gophish server, but you can use only one at a time per campaign. Click on the Sending Profile link and fill in the fields displayed (Figure 3). Enter your fake address in the From field and enter an internal SMTP host.

Figure 3. Sending Profile

Note: I strongly recommend using only internal resources available to you in your testing. Some paid phishing services are web- or cloud-based and may require additional network configuration. I like keeping everything inside so I know exactly what is taking place, when, and on what hardware. It also will help keep your company's mail servers off internet blacklists. If your internal SMTP host requires a login, enter that as well. When your Profile information is complete, use the Send Test Mail button to confirm that your settings work. When you are comfortable with your settings, click Save Profile.

The next component to configure is a Landing Page. A landing page is where users are sent when they click the link in your phishing message. Click the Landing Page link on the left. On the new window, name the page "Blank Page". For the first campaign, let's use a simple redirect page. Click the Source button and enter the following code in the space (enter a site your users commonly use in the url= section):

<html><head><meta http-equiv="refresh" content="0; url=http://somewebsite/" /></head><body></body></html>

Click Save.

Next, you'll create your first Email Template. Templates are the email messages used in the campaign. Click the Email Templates link on the left, then click New Template at the top of the page. Give your template the name of "Malicious Link" as an identifier for this campaign. On the New Template screen, you have the option of creating your own template or importing a custom email. Here you'll use a simple message with a link to your Blank Page with the redirect code.

If you choose to use a custom email tailored after a real-world phishing message, do not directly use anything from the web. You can scrub those messages with a fine-tooth comb, but the last thing you want is to miss something that inadvertently brings malware onto your network. My advice is to transcribe any examples you want to use. Never copy and paste. Transcribing is the only sure-fire way to avoid accidentally using any malicious code in your testing. Thoroughly scan any images you want to download and use. Be cautious in using images that are not your own.

It is not necessarily a bad idea to create a template that resembles a well-known company or, let's say, financial institution, but be aware there is a chance your users may actually use services from that company/financial institution. This becomes a double-edged sword. On the one hand, users actually may have a connection/account with the company you are impersonating, which could lead them to click on something they are not sure of. On the other hand, you want your users to view every message with a critical eye, even the ones that may affect them.

You can see the text of the message I've created in Figure 4. I have set the Subject to "Delinquent Account" as it is both generic and something that may still catch users' eyes. When creating the link in the message, use Link Type = URL and set the URL to {{.URL}} (Figure 5). This sends users who click the link to a unique URL on the Landing Page you just set up, which the Gophish server uses to track data for the campaign. Click on Save Template to save and close the template.

Figure 4. Creating a Template

Figure 5. Adding the Landing Page URL
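To make the mechanics behind the Blank Page redirect and the {{.URL}} placeholder concrete, here is a small added example (written for this article, not Gophish's own code). It renders a stand-in for the "Malicious Link" template with a per-recipient link, then serves the redirect page and counts which recipient id clicked it. The host tlbank.fakerussiandomain comes from the setup above; the rid query parameter is the name Gophish uses for its recipient id, while the id values, recipient names and template text are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"net/http"
	"net/url"
	"sync"
	"text/template"
)

// Recipient holds the fields an email template can reference. FirstName and
// URL mirror variables Gophish documents for its templates; the struct itself
// is constructed for this example.
type Recipient struct {
	FirstName string
	Email     string
	URL       string
}

// Constructed stand-in for the article's "Malicious Link" template. The
// misspellings are the deliberate breadcrumbs the article recommends leaving.
const emailTemplate = `Subject: Delinquent Account

Dear {{.FirstName}},

Your acount is delinquent. Please login immediatly to review it: {{.URL}}

TLBank Customer Servise`

// BuildTrackingURL turns the landing-page address into a per-recipient link by
// adding the recipient id as the rid query parameter (the parameter name
// Gophish uses); the id values themselves are constructed here.
func BuildTrackingURL(landingBase, rid string) (string, error) {
	u, err := url.Parse(landingBase)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("rid", rid)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// RenderEmail fills the template for one recipient, which is what the send
// step does with {{.URL}} once the tracking link for that recipient is known.
func RenderEmail(r Recipient) (string, error) {
	t, err := template.New("mail").Parse(emailTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ClickLog counts landing-page hits per recipient id.
type ClickLog struct {
	mu     sync.Mutex
	clicks map[string]int
}

func NewClickLog() *ClickLog {
	return &ClickLog{clicks: make(map[string]int)}
}

// Count returns how many times the given rid reached the landing page.
func (c *ClickLog) Count(rid string) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.clicks[rid]
}

// LandingHandler records the rid from the query string and serves the
// "Blank Page" redirect from the article, pointing at redirectTo.
func (c *ClickLog) LandingHandler(redirectTo string) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		if rid := req.URL.Query().Get("rid"); rid != "" {
			c.mu.Lock()
			c.clicks[rid]++
			c.mu.Unlock()
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprintf(w, `<html><head><meta http-equiv="refresh" content="0; url=%s" /></head><body></body></html>`,
			html.EscapeString(redirectTo))
	}
}

func main() {
	link, err := BuildTrackingURL("http://tlbank.fakerussiandomain/", "r1a2b3")
	if err != nil {
		panic(err)
	}
	body, err := RenderEmail(Recipient{FirstName: "Alice", Email: "alice@example.internal", URL: link})
	if err != nil {
		panic(err)
	}
	fmt.Println(body)
	// Serve the landing page locally; each click on the link above is counted under its rid.
	clicks := NewClickLog()
	http.ListenAndServe("127.0.0.1:8080", clicks.LandingHandler("http://somewebsite/"))
}
```

Because the redirect is a meta refresh rather than an HTTP 3xx, the landing server gets a normal request it can log before the browser moves on; that is the moment at which the per-recipient rid is tied to a click.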