Testing the Waters: How to Perform Internal Phishing Campaigns

Phishing is one of the most dangerous threats to modern computing. Phishing attacks have evolved from sloppily written mass email blasts to targeted attacks designed to fool even the most cautious users. No defense is bulletproof, and most experts agree education and common sense are the best tools to combat the problem. The question is how can you safely test your users to determine their response? The answer in most cases is a phishing campaign—an ongoing attempt to test your own users on these types of risks.

In this article, I examine an open-source tool called Gophish that fits the bill for most businesses. I describe how to perform multiple phishing campaigns with Gophish and create a foundation for ongoing testing. For the example campaigns, I have selected three popular types of phishing threats: malicious links within the body of an email that redirect to unwanted sites, links to phony sites that can capture credentials and, finally, attachment-borne malware.

Before proceedng, I feel the need to insert a few disclaimers. One, do not perform this work at your business, or any business for that matter, without the express written approval from that company's management. Two, make sure to define the scope of your campaign. What types of attacks will you use? Who do you want to target? What is the time frame for your campaigns? Answer as many of these questions as thoroughly as you can. Three, don't diverge from your scope. Limit your testing only to defined areas. Follow these disclaimers, and if you do encounter any issues arising from your campaigns, always use caution and consult with the same management that signed off on them.

Installing Gophish is a snap. You can install it on Linux or Windows. I chose to use a CentOS 7 distribution for my Gophish server. To install the program, simply download and extract the install file provided on the project's site. In my case, I extracted it to the /etc folder. Use the chmod command to allow the Gophish executable to run.

To start the program, run gophish from a terminal window. This launches a script that starts the various components of the Gophish program. Once the script has completed, you are notified that an admin page is running on (Figure 1). Open a browser on the local machine and log in with the default credentials of "admin/gophish". Upon logging in, you are presented with a minimalist interface from which you can start working (Figure 2).

Figure 1. Gophish Login Page

Figure 2. Gophish Interface

Before proceeding to the first campaign, you need to complete some preliminary work that will be re-used throughout your testing. The first item is to create a test domain and email address to use with your campaigns. It's generally a good idea to use a different email/domain combination for each campaign, but you're going to re-use this information between the campaigns to conserve space here.