Testing the Waters: How to Perform Internal Phishing Campaigns

Click the Users & Groups link. Give the group a descriptive name, and add users either one at a time using the provided fields or bulk import a .csv file. Divide your users into groups as you feel necessary. You could divide them by geography or site, by job title or by internal groups. Use whatever strategy best matches your testing goals. I have simply named mine "Test Group".
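When the user list comes from an HR or directory export rather than being typed in, it is easier to generate the import files than to hand-edit them. The script below is an added example for this article, not Gophish's own code: it assumes the column header of the CSV template Gophish offers for download on the Users & Groups page ("First Name,Last Name,Email,Position"), uses a constructed user list in place of a real export, and writes one CSV per group so you can split by site, department or any other field. It also drops duplicate addresses, since a user who lands in a group twice is mailed twice and skews the numbers.

```python
"""Turn a user list into Gophish group-import CSV files, one per group.

Added example for this article; it is not Gophish's own code. It assumes
the column header of the CSV template Gophish offers for download on the
Users & Groups page ("First Name,Last Name,Email,Position") and uses a
constructed user list where a real run would read an HR or directory
export.
"""
import csv
import io
import os
from collections import defaultdict

GOPHISH_HEADER = ["First Name", "Last Name", "Email", "Position"]

# Constructed sample users (not real people); "site" and "dept" are the
# kinds of fields you might split groups on.
USERS = [
    {"first": "Alice", "last": "Adams", "email": "Alice@example.test",
     "position": "Analyst", "site": "Austin", "dept": "Finance"},
    {"first": "Bob", "last": "Baker", "email": "bob@example.test",
     "position": "Controller", "site": "Austin", "dept": "Finance"},
    {"first": "Carol", "last": "Cole", "email": "carol@example.test",
     "position": "Sysadmin", "site": "Boston", "dept": "IT"},
    {"first": "Dave", "last": "Dunn", "email": "dave@example.test",
     "position": "Account Exec", "site": "Boston", "dept": "Sales"},
    # Same person as the first entry, differing only in case: a real
    # export often contains these, and they would be mailed twice.
    {"first": "Alice", "last": "Adams", "email": "alice@example.test",
     "position": "Analyst", "site": "Austin", "dept": "Finance"},
]


def dedupe(users):
    """Drop repeated addresses (case-insensitive) so nobody is targeted
    twice in one campaign; addresses are normalised to lower case."""
    seen, out = set(), []
    for u in users:
        key = u["email"].strip().lower()
        if key in seen:
            continue
        seen.add(key)
        out.append(dict(u, email=key))
    return out


def group_users(users, key):
    """Partition users by a field such as 'site' or 'dept'."""
    groups = defaultdict(list)
    for u in users:
        groups[u[key]].append(u)
    return dict(groups)


def to_gophish_csv(users):
    """Render one group as CSV text in the import template's layout."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(GOPHISH_HEADER)
    for u in users:
        w.writerow([u["first"], u["last"], u["email"], u["position"]])
    return buf.getvalue()


def write_group_files(users, key, outdir):
    """Write group-<value>.csv for each group; returns {group: path}."""
    os.makedirs(outdir, exist_ok=True)
    paths = {}
    for name, members in group_users(dedupe(users), key).items():
        path = os.path.join(outdir, f"group-{name.lower()}.csv")
        with open(path, "w", newline="") as f:
            f.write(to_gophish_csv(members))
        paths[name] = path
    return paths


if __name__ == "__main__":
    for name, path in write_group_files(USERS, "dept", "gophish-groups").items():
        print(f"{name}: {path}")
```

Each generated file is imported as its own group on the Users & Groups page; keep the grouping field the same across campaigns so results stay comparable from one test to the next.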

With all the necessary components in place, click the Campaigns link, and fill out the fields using the items you created earlier to match Figure 6. In the URL field, enter the base URL of your Gophish phishing listener, scheme included (for example http://192.0.2.10, or the host name if you have one); this is what Gophish substitutes for {{.URL}} in the template, so it must be reachable from the users' workstations, not just from wherever you run the admin interface. If you don't want the campaign to kick off right away, click the Schedule button. You can see the test message as delivered to the test group in Figure 7.

Figure 6. Creating a New Campaign

Figure 7. Test Message

With the campaign underway, you can view the results on either the Dashboard or the Campaigns link (Figure 8). Leave your campaigns in place for as long as you feel necessary; a few days normally should suffice, as users have short memories. When you are ready, you can complete your campaign by using the Complete button. You should see a Timeline displaying when the emails were sent and (if successful) when the link was clicked. If you scroll down, you'll see the results listed by the users in your group. Any success represents a legitimate opportunity for a user to be lured to a malicious site using a phishing message.

Figure 8. Viewing the Results
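The Dashboard gives you the headline numbers, but once you run more than one campaign you will want the per-group click rate and the time between delivery and the click, which the web view does not total up for you. The script below is an added example for this article, not part of Gophish: it assumes the JSON that GET /api/campaigns/<id> on the admin server returns (a "results" list with a "status" per recipient and a "timeline" of events, with statuses such as "Email Sent", "Email Opened", "Clicked Link" and "Submitted Data"), and works on a constructed sample in that shape rather than a captured response. It also assumes the Position column was used to carry the group name when the users were imported.

```python
"""Summarise a Gophish campaign's results by status, by group and by
time-to-click.

Added example for this article; it is not Gophish's own code. It assumes
the JSON returned by GET /api/campaigns/<id> on the admin server (the
"results" list with a "status" per recipient, and the "timeline" of
events), with status strings such as "Email Sent", "Email Opened",
"Clicked Link" and "Submitted Data". The sample below is constructed by
hand in that shape, not captured from a live server.
"""
import json
import urllib.request
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of the campaign API response.
SAMPLE_CAMPAIGN = json.loads("""
{
  "id": 1, "name": "Test Group", "status": "Completed",
  "results": [
    {"email": "alice@example.test", "position": "Finance", "status": "Clicked Link"},
    {"email": "bob@example.test",   "position": "Finance", "status": "Email Sent"},
    {"email": "carol@example.test", "position": "IT",      "status": "Email Opened"},
    {"email": "dave@example.test",  "position": "Sales",   "status": "Submitted Data"},
    {"email": "erin@example.test",  "position": "Sales",   "status": "Email Sent"}
  ],
  "timeline": [
    {"email": "", "time": "2017-06-01T09:00:00Z", "message": "Campaign Created"},
    {"email": "alice@example.test", "time": "2017-06-01T09:00:05.417Z", "message": "Email Sent"},
    {"email": "dave@example.test",  "time": "2017-06-01T09:00:06Z", "message": "Email Sent"},
    {"email": "alice@example.test", "time": "2017-06-01T09:12:30Z", "message": "Clicked Link"},
    {"email": "dave@example.test",  "time": "2017-06-01T10:40:06Z", "message": "Clicked Link"},
    {"email": "dave@example.test",  "time": "2017-06-01T10:41:02Z", "message": "Submitted Data"}
  ]
}
""")

# Statuses that mean the lure worked, from least to most serious.
LURED = ("Clicked Link", "Submitted Data")


def fetch_campaign(admin_url, api_key, campaign_id):
    """Fetch one campaign from a live admin server (not used offline).
    The path and api_key query parameter follow Gophish's API docs."""
    url = f"{admin_url}/api/campaigns/{campaign_id}?api_key={api_key}"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def status_counts(campaign):
    """Number of recipients in each final status."""
    return Counter(r["status"] for r in campaign["results"])


def lured_by_group(campaign, key="position"):
    """{group: (lured, total)} so groups can be compared. Gophish keeps
    whatever was in the Position column, so it can carry the group."""
    tally = defaultdict(lambda: [0, 0])
    for r in campaign["results"]:
        g = r.get(key) or "(none)"
        tally[g][1] += 1
        if r["status"] in LURED:
            tally[g][0] += 1
    return {g: tuple(v) for g, v in tally.items()}


def _parse_ts(ts):
    """RFC 3339 timestamp as Gophish writes it; fractional seconds dropped."""
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")


def seconds_to_click(campaign):
    """Seconds from 'Email Sent' to the first 'Clicked Link', per user."""
    sent, delays = {}, {}
    for ev in campaign["timeline"]:
        who = ev.get("email")
        if ev["message"] == "Email Sent":
            sent[who] = _parse_ts(ev["time"])
        elif ev["message"] == "Clicked Link" and who in sent and who not in delays:
            delays[who] = int((_parse_ts(ev["time"]) - sent[who]).total_seconds())
    return delays


if __name__ == "__main__":
    c = SAMPLE_CAMPAIGN
    print(dict(status_counts(c)))
    for g, (lured, total) in sorted(lured_by_group(c).items()):
        print(f"{g}: {lured}/{total} lured")
    for who, secs in seconds_to_click(c).items():
        print(f"{who}: clicked after {secs} s")
```

The time-to-click figure is worth tracking: a click within minutes of delivery means the message sailed past the user's judgement, while one after a day suggests the message was fished out of a mailbox later and read less carefully, and the two call for different follow-up.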

The next campaign is centered around a phony web site that captures credentials. Because you're re-using the same Sending Profile for each campaign, you can move on to the Landing Page. This will be a simple page with form inputs for a user name/password combo. On the new Landing Page window, enter "Capture Credentials" as the name. You are free to use my basic HTML code below and customize it to your needs, but my suggestion is to use the Import Site feature to clone a real-world site that would require a login. I personally have received phishing email messages of this sort—claiming to be from a well-known bank with which I have an account, a data provider I use or a popular streaming service to which I subscribe. You may get better results by mimicking a real site than an obvious fake like this one. To use my page, copy the code below into the source view of the Landing Page window. When the user clicks the login button, the page redirects to whatever address you put in the onclick handler; nothing typed into the fields is sent anywhere. I have removed some of the style tags to keep the code short:

    <!DOCTYPE html>
    <html>
    <head><title>The Totally Legitimate Bank</title></head>
    <body>
    <h2><strong>$$$$$ The Totally Legitimate Bank $$$$$</strong><br />
        <em>Your Trusted (wink, wink) Hometown Bank</em></h2>
    <p>User ID: <input type="text" /></p>
    <p>Password: <input type="password" /></p>
    <!-- No <form> element and no name attributes: the fields are never
         submitted; the button only sends the browser to the address below. -->
    <p><input onclick="document.location.href='http://tlbank.tresk.ru'"
              type="button" value="Click to Login" /></p>
    <p><strong>Member FDIP</strong>&trade;2017</p>
    </body>
    </html>

You may notice the option to Capture Submitted Data under the code box. I wouldn't use this option unless management or the decision-makers explicitly agree to it in your scope: anything captured is a real, working credential for your own organization, and it ends up stored in the Gophish database on a server you stood up for a test. A phishing campaign can be paired with other kinds of security testing where it may be relevant to capture this data, but that's not the goal here.

For this new Email Template, as you may have guessed, you'll be impersonating the Totally Legitimate Bank. I have crafted the email shown in Figure 9 to entice users to visit the site. As before, use {{.URL}} for your link in the body, so that each click is tracked against the user who received the message. When crafting a phishing email that also uses a complementary site, it's important to match the branding (either real or fake). Users rarely fall for a site that doesn't match up visually or otherwise in these scenarios.

Figure 9. Impersonating the Totally Legitimate Bank