Testing the Waters: How to Perform Internal Phishing Campaigns

Click the Campaigns link and open a new campaign. Set the options to match Figure 10. The URL I've entered is the FQDN of the host (tlbank) created earlier. If your DNS server has records for the zone and host, a valid URL will show in the user's browser. This is important, as you don't want any savvy users familiar with your IP scheme to catch on just by looking at the URL. Click Launch Campaign when ready. When you monitor this campaign, you will see the "Event: Clicked Link", and if the user entered data into the fake site, you will see a second red dot with the "Event: Submitted Data" indicating a user submitted information in the form.

Figure 10. Creating Another New Campaign

It's possible that users could have left the fields blank and clicked on the button, and there are two ways to deal with that if you want to be sure. One, code your form to check and make sure the fields are filled in before the submit occurs or capture the credentials, which I don't recommend. When you are satisfied with the results, complete the campaign. If you have a number of the second "Event: Submitted Data" messages in your results, you should be particularly concerned about your users' unknowingly submitting their credentials to an unknown party.

The third and last campaign involves sending users a malicious attachment. This is a very popular way to install ransomware. The two most currently used applications that infect users this way are Adobe Acrobat and Microsoft Word. Unfortunately, Gophish does not currently possess all of the tools needed to test this, so you'll need to set up additional resources for this campaign.

Like the previous "Totally Legitimate" web page, you'll use the quick-and-dirty method to get what you need. There is so much more you can do with this type of test, especially with tools like Metasploit, but that is beyond the scope of this article.

Start by downloading a LAMP appliance from here. I had mine up and running in less than five minutes. Create a web page called verify.php right off the root site using the code below:

$counter_name = "/var/www/counter/counter.txt";
$iplog_name = "/var/www/counter/ip.txt";

// Check if a text file exists. If not create
// one and initialize it to zero.
if (!file_exists($counter_name)) {
$f = fopen($counter_name, "w");

// Read the current value of our counter file
$f = fopen($counter_name,"r");
$counterVal = fread($f, filesize($counter_name));

// Has visitor been counted in this session?
// If not, increase counter value by one and append ip.txt file
  $f = fopen($counter_name, "w");
  fwrite($f, $counterVal);
  $file = fopen($iplog_name,"a");
  echo fwrite($file,$ip);
  echo fwrite($file, "\n");
  fclose ($file);
  header('Location:  http://somewebsite');
header('Location:  http://somewebsite');

This simple page will count the users as visiting, note their IP address in a text file and then redirect them to some external site.

Now, let's create the malicious attachment. Assuming you have Microsoft Word, open the program and a blank document, and press Alt-F11 to open the VB editor. Create a new module, and use the following code where http://somewebsite is the name of your LAMP web server:

Sub AutoOpen()
myURL = http://mylampserver/verify.php
ShellExecute 0, "OPEN", myURL, "", "", 0
End Sub

Save the document as type .docm, and close out of Word.

Back on the Gophish server, create a new Email Template named "Malicious Attachment", and use the document file you created as an attachment by clicking on the Add Files button. See Figure 11 for the wording of the template.

Figure 11. Malicious Attachment Template

In this example, you are claiming that the user has an unpaid invoice. You don't need a landing page, so set it as "Blank Page" like in the first campaign. Match the rest of the settings to Figure 12 and Launch the campaign. You can use a hostname in the URL field, but since you're not using Gophish to track the campaign, you can just use the the Gophish server's IP.

Figure 12. Campaign Settings

Unlike the previous campaigns, you'll have to track your results using the text files created with the verify.php page. One note to this campaign—most current word processors possess some form of macro protection, usually a warning prompt. Users will have to bypass those or enable macros to open the attachment, which means they really wanted to open it. If you have a lot of hits showing up in the text files on the LAMP server, you may want to think about increasing the intensity of scanning inbound attachments, disabling macros if you can, and as always, educating the affected users of the possible outcomes from opening suspicious attachments.

With the testing complete, take stock of the successes that you discovered and address them with either technical or educational resources. Use these results and push for regular testing if you can do it. This shouldn't be a one-time test. You should keep your users sharp, and like with any other skill, you have to exercise regularly to stay effective. There is an old adage in computer security "The bad guys only have to be right once." Make sure your users are prepared. With turnover, promotions and responsibility changes, the last thing on many users' minds is email security. Consistent reinforcement of good security practices and regular testing to validate your training approach is crucial to avoiding catastrophe.