If you or any friend, family member, or acquaintance has ever used an email account, chances are that at some point, they've received a phishing email. And while during the early stages of the internet, such deception usually looked so fake and misaligned that you could spot it right away as an attempt to mislead you, this isn't so true anymore.
An accustomed internet user with a keen eye might spot the fakery in the above picture, mainly because of the suspicious-looking email address. But its look and feel are very similar to that of an actual, legitimate message.
This design task (worthy of a craftsman web designer) used to be a time-consuming endeavor that could take several hours to get right, but that's no longer the case with the arrival of complete frameworks that make today's "Deception as a Service" ecosystem feasible.
Today we're taking our previous article Phishing Toolkit: Top 20 Best Phishing Tools one step further, by highlighting one of the tools listed: Gophish, the open-source phishing framework.
- Red Team Phishing Exercise
- Phishing 101
- Protective measures
Red Team Phishing Exercise
For this post, what we propose is for you to take the lead in a red team exercise for your own company. We'll target fake characters, giving you an example of how you can do it to yourself—by using our own apps and infrastructure to simulate the test (just as a cyber espionage team would do).
By doing this we intend to show you today's tool-goodies, but more importantly, we also want to show you a great way to test your own company's behavior against this kind of attack.
Lastly, we'll explore how easy it is to clone any web page and corporate email template to make it look "almost real" (with an emphasis on the real part), as these techniques and frameworks have evolved to the point where you could easily pretend to be anyone or anything, and not just the usual social networks and global free email services that are usually targeted.
Phishing is one of the most common types of cybercrime that may require getting several pieces together to work, with their different flavors depending on the focus of the attack (such as so-called "whaling" when specifically targeting very high profile executives or government individuals). In comparison with other types of attacks, such as its little (but more widespread) brother the scam (like the infamous Nigerian scam), you may find phishing attacks more on the technical side.
This attack requires not only a good-looking and carefully crafted email to work, but also a functioning link that leads the deceived users to its real core, the prize-collecting webpage.
While this may be at the frontier of the phishing definition, it is somewhat unusual for people to "just find" phishing websites. Instead, they're usually cleverly conducted toward them by malicious actors who commonly host fake websites in awkward domain names and URL paths.
By creating clever ways to deceive people into entering the link within an email, victims fall into the trap and end in a hostname similar to the one in the image above.
This link will contain the necessary files to appear as the real service the victims believe they are in, working in conjunction with methods to store and forward gathered information to the attacker.
Getting the software
Gophish is available here for the three main operating systems (Windows, Linux, and MacOS). Once downloaded (and after comparing the hash checksum) to the obtained .zip file we can execute the binary to start the application.
When running, Gophish (by default) will start two listeners on TCP ports 3333 for the admin interface and 80 for phish-webpage requests.
Once the process has started, we can invoke the browser on https://127.0.0.1:333 and enter the admin interface using the admin:gophish credentials. If desired, you can create and configure your own set of certificates or place your own in case you have any for this purpose. In any event, the installation documentation may help.
Ok, we're inside! Let us tell you again that this tool, surprisingly, has the look and feel of a professional dashboard. So now let's see what we can do to achieve our deceptive goals.
Starting a phishing campaign
To start a phishing campaign there are several things you must do before hitting the actual "Create a new campaign" button. We'll need to fulfill a few requirements first.
To enumerate the steps for this red team exercise, here's a simple list, configuring an order that best suits our needs:
User and groups
While this is the path we took to create this phishing campaign, we also recommend you explore all the different Gophish features to find what suits you best.
Let's get to it!
Landing the victim for your trap
If you compare these phishing techniques to a honey fly trap, "email" would be the jar where you trap it. And what about the honey? That's the landing page.
This feature allows us to set up a web server to expose a web page, which will in turn trap all the information this user decides to put in. What web page? Well, that's up to you; in our case, we'll hit the import site button to place the link of our desired SurfaceBrowser™ login.
Once the compromised user opens the email, gets misled to this landing page, and a user-password is tried against the fake login form, our Gophish system will capture those credentials and save them for later analysis.
When the task is completed, the user may be redirected to a different web page—perhaps even the actual login page, to avoid any user suspicion.
Templating the victim's deception
Email templating is useful for maintaining different options regarding what content to send to victims' mailboxes. Once the email reaches its destination and is opened by the user, something very close to a real message can make this deceptive technique work.
To accomplish this, let's test two different attack vectors within the SurfaceBrowser™️ portal by using the code in the login page as well as the automatic emails sent by the company.
One approach as an attacker could be the registration of a new user, by accessing the sign-up page located here. While this itself won't do much, it's the email codebase we want to extract to create our own "almost-legit" phishing email.
Responding to a sign-up email (a part of almost every existing service) will most likely yield an account verification message. This is a great way to obtain the look and feel of a company's branding.
Another approach is to create an account, and after confirmation, try to reset its password. This will also provide a nice codebase for you to build on and tweak as necessary.
Getting this message also helps you mimic its style, to create a similar email that asks your victims to log in to their accounts.
To create an email template, Gophish lets you copy and paste the source code of the desired original email. As with all of the cases presented, extract the code and paste it in the email content box. Once that's done, check the "change links to point to landing page" option, so all needed links are directed to point at the malicious server hosting the landing page we've previously configured.
Now we can preview the email, polish all the details, and finish configuring the message that will bring the misled users into our trap.
Another important feature is the ability to add files to the email. This improves the power of the framework, by allowing the inclusion of files infected with different payloads—such as exploits that can run different kinds of attacks and install software that enables a persistent compromise of victims' computers.
Email sender impersonation
The "sending profiles" section allows you to create multiple identities, so an attacker can send email messages containing the needed information to actually capture the attention of the victims. This will bring them to the specially crafted trap that is the landing page.
Email sending is one of the trickiest parts of the process, due to current security restrictions. For it to work you'll need to do extensive research about any protections in place that guard against these types of false messages.
To name just a few:
Sender Policy Framework DNS records (SPF inside TXT records)
IP address Reverse Pointer hostname checks (commonly known as rDNS or PTR)
All of these have the ability to tell the recipient SMTP server to reject connections from servers that aren't authorized to send emails with a certain domain name.
The following image shows how to complete the form for Gophish to connect to an SMTP server and begin sending emails as the configured user.
In this case, because we're conducting a self-assessment, we can simulate a user's password being guessed by a malicious third-party and impersonate a mail server sending-capable user.
Creating a victims group
This feature allows us to create a different mailing list for multiple purposes. This is especially useful for reaching top executives (as the ones who may be targeted in a whaling campaign).
If you already have a complete outline of those you want to target, it's probably a good idea to gather as much accurate information as possible about them. With that in hand, Gophish allows you to import all contacts from a CSV file. You may find a corresponding CSV template to use so you can merely click and download it to fill all the required columns.
Ours looks like this:
First Name,Last Name,Email,Position Some,CEO,email@example.com,CEO Ms.,CIO,firstname.lastname@example.org,CIO Any,CFO,email@example.com,CFO
After CVS file creation, just click on the "Bulk import users" button to select it. Then once that's done it will show Then once that’s done it will show all the gathered information in the same window. If you need to add a particular contact by hand you can also do it by completing the text boxes and hitting "+ Add".
Looks like we're done and ready to start this long-awaited phishing campaign exercise!
Running the campaign
Now we finally have all the pieces to run the campaign. On the left side of the screen you'll find the Campaign section, which leads you to the following screen:
As you see, all the items we've covered are prerequisites to executing this Gophish campaign. At this point there are several things we want to highlight:
You can modify the launch date. In this example, we tested sending the email in the future, at a point in time that might find users more confused, such as a Monday morning. (We ended up not doing so in this case.)
You can target multiple groups with one campaign and a single one with others. This is useful when you want to create different sources of phishing, and test which will affect different groups the most (whether accounting, IT support, developers, help desk, etc.). It will truly depend on the company's particular idiosyncrasies.
You may choose different sending profiles to ship emails from different names, servers, and users; and test which of them is more effective in reaching inboxes and bypassing filters.
You can do the same for email templates, and create different payloads with different antivirus evasion techniques to send files that compromise targets by using CVEs or (if you have any) 0day exploits.
Once the campaign is ready it will ask for confirmation. Then the system will tell you that everything is set up correctly to start.
Now you can check up on how this endeavor is doing, on the dashboard.
Phishing campaign visualization
For the sake of brevity we won't delve into it deeply, but know that visualization and compromise accountability with this tool is awesome. Once the campaign is started you'll be able to visually track its effectiveness. The dashboard will provide a broad view of which countries victim traffic is coming from, campaign status, how many emails have been sent and opened, and many other useful statistics.
You'll see there are several more in-depth details available, as you browse through the different options.
This visualization is extremely useful for gaining insight to how your creation took on a life of its own.
When it comes to attacks, it's often wondered how we can protect ourselves. Is it possible to avoid them?
As we've often told our readers, there are no silver bullets, but we do have some ideas on how to make the attacker's job harder:
Implement different controls that prohibit false mail servers from sending phishing emails and impersonating your organization's domain name, such as (but not limited to):
SPF records that deny false mail servers, by using "-all" to stop emails that fail this check from passing through (avoid at all cost the use of "+all").
Enable DKIM signing and validation on your servers.
Implement SMTP filters that don't let unauthenticated users send emails using your domain name in the FROM:<[email protected]> header.
Implement anti-spam and other policies, such as greylisting.
Implement anti-virus solutions that help in analyzing possible payloads inside attachments (AV will eventually be circumvented, but it's still necessary).
Train your employees to avoid becoming victims of these attacks, to stay alert, and to report odd findings in their mailboxes, help them to be familliar with the organization’s cybersecurity culture.
Train your IT support team on how to treat these kinds of threats and findings. One phishing email could be an isolated case, but it might also reveal an advanced persistent threat conducting an attack.
Without a doubt, there are other useful techniques, tools, and products that can help protect your organization from these threats, but as a general recommendation, we think this will add an important first barrier of defense.
In conclusion and to be fair about this piece of software, we must say that Gophish is an incredibly well-crafted solution for creating phishing campaigns against desired targets.
If you haven't already, we definitely encourage you to use it for your red team exercises or at different time intervals (like a fire drill). This will help with the much-needed task of creating employee consciousness toward both personal and corporate digital security best practices.
As an employee training platform it's highly useful, as well as an offensive weapon for testing your organization's blue team countermeasures and detection tools.
Last but not least, Gophish can be used as a learning platform for observing the behavior and tools that a phishing threat could be using to gain access to your assets. Much can be learned by experimenting with different email templates, malicious payloads (such as PDFs, pictures, documents, etc.) and discovering how these could evade mitigations.
Without a doubt, it's an extremely useful addition to your security toolkit!