GoPhish: A Journey into Phishing Simulation
GoPhish is an open-source phishing framework that empowers users to launch real-world phishing simulations. It’s designed to help organizations teach their employees how to recognize and avoid phishing attacks. Here’s an account of how I set up GoPhish, launched a campaign against my teammates (for fun!), and ultimately contributed to an assignment at the Georgia Institute of Technology.
What is GoPhish?
GoPhish is an open-source phishing toolkit aimed at making industry-grade phishing training available to everyone. Phishing is one of the most common and dangerous cyber threats faced by organizations. It involves tricking users into giving away sensitive information, such as login credentials, through seemingly legitimate emails or websites. GoPhish allows you to simulate these attacks to help users learn to recognize the warning signs.
Motivation Behind GoPhish
As a cybersecurity student, I’ve received numerous simulated phishing attempts disguised as emails from our institute. The aim is to make us wary of such attacks in real-world scenarios. Even if you never enter credentials, a single click on a phishing link confirms to the sender that your address is live, that you read the mail and that you click, and it hands over your IP address and browser details (GoPhish records exactly this per recipient through the unique ID embedded in each link). The aim of GoPhish is to prepare users for such scenarios through realistic phishing simulations.
Setting Up GoPhish
To get GoPhish up and running, you can download the software from its GitHub repository. Here’s how I set it up:
1. Download and Unzip: Download the GoPhish release and unzip it.
2. Make Executable: Run chmod +x gophish to make it executable (no sudo is needed for this step).
3. Run GoPhish: Execute it with sudo ./gophish. Root is only required because the default config.json binds the phishing listener to port 80; if you move that listener to an unprivileged port, or grant the binary the CAP_NET_BIND_SERVICE capability, it can run as a normal user.
4. Access Dashboard: After running GoPhish, the terminal will display a message with your first-time login credentials. Access the dashboard by visiting https://127.0.0.1:3333.
Once inside, GoPhish’s interface is straightforward. To launch a campaign, you’ll need to configure several elements:
• Users & Groups: Add the target users (your “phishing victims”).
• Email Templates: Craft a phishing email.
• Landing Pages: This is the fake login page where targets are lured to enter credentials.
• Sending Profiles: GoPhish needs an SMTP server to send emails. I used Gmail’s SMTP server (smtp.gmail.com:587), which required me to set up a Google App Password; Gmail will not accept the regular account password over SMTP, and App Passwords in turn require 2-Step Verification on the account.
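The four objects above can also be created through GoPhish’s REST API instead of the dashboard, which is how you would script repeatable campaigns. The following is an added example written for this post, not code from GoPhish itself; it assumes the admin server from the setup steps, an API key copied from the dashboard’s Settings page, and a constructed phishing URL (PHISH_URL) where the phish listener is reachable. The check_template helper catches the most common mistake: an email template without {{.URL}} sends no per-recipient link, so nothing can be tracked.

```python
"""Provision a GoPhish campaign through its REST API using only the standard library.

Added example. Assumptions not taken from the post: ADMIN_URL is the admin
server started above, API_KEY is pasted from Settings > API Key, and PHISH_URL
is a placeholder for the address targets are sent to (GoPhish appends ?rid=<id>).
"""
import json
import ssl
import urllib.request

ADMIN_URL = "https://127.0.0.1:3333"     # admin dashboard from the setup steps
PHISH_URL = "http://phish.example.com"   # constructed placeholder, not a real campaign host
API_KEY = "REPLACE_WITH_API_KEY"         # assumption: reader fills this in from the dashboard

# Template tags GoPhish substitutes per recipient; without them nothing is attributable.
REQUIRED_TAGS = ("{{.URL}}", "{{.Tracker}}")


def check_template(html):
    """Return the required GoPhish tags that are missing from an email template.

    {{.URL}} becomes the unique landing-page link; {{.Tracker}} becomes the
    open-tracking image. A template lacking either silently loses that signal.
    """
    return [tag for tag in REQUIRED_TAGS if tag not in html]


def group_payload(name, targets):
    """targets: iterable of (first_name, last_name, email, position) tuples."""
    return {"name": name,
            "targets": [{"first_name": f, "last_name": l, "email": e, "position": p}
                        for f, l, e, p in targets]}


def template_payload(name, subject, html):
    missing = check_template(html)
    if missing:
        raise ValueError("template lacks %s" % ", ".join(missing))
    return {"name": name, "subject": subject, "text": "", "html": html}


def page_payload(name, html, redirect_url):
    # capture_passwords stores submitted passwords in plaintext in the GoPhish DB;
    # leave it False unless the rules of engagement explicitly require it.
    return {"name": name, "html": html, "capture_credentials": True,
            "capture_passwords": False, "redirect_url": redirect_url}


def smtp_payload(name, from_address, username, app_password):
    # Gmail relay as used in the post: STARTTLS on 587 with an App Password.
    return {"name": name, "interface_type": "SMTP", "host": "smtp.gmail.com:587",
            "from_address": from_address, "username": username,
            "password": app_password, "ignore_cert_errors": False}


def campaign_payload(name, template, page, smtp, groups, launch_date):
    """Campaigns reference the other objects by name; launch_date is RFC 3339."""
    return {"name": name, "url": PHISH_URL, "template": {"name": template},
            "page": {"name": page}, "smtp": {"name": smtp},
            "groups": [{"name": g} for g in groups], "launch_date": launch_date}


def api_post(path, payload, base=ADMIN_URL, api_key=API_KEY, verify_tls=False):
    """POST JSON to the admin API. The admin server uses a self-signed cert by default,
    so verification is off for a local install; keep it on for anything remote."""
    req = urllib.request.Request(base + path, data=json.dumps(payload).encode(),
                                 headers={"Authorization": "Bearer " + api_key,
                                          "Content-Type": "application/json"},
                                 method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def provision_campaign():
    """Create group, template, page and sending profile, then the campaign tying them together."""
    email_html = ('<p>Hi {{.FirstName}},</p><p>Please review the updated schedule '
                  '<a href="{{.URL}}">here</a>.</p>{{.Tracker}}')
    api_post("/api/groups/", group_payload("Teammates",
             [("Ann", "Lee", "ann@example.com", "Student")]))          # constructed target
    api_post("/api/templates/", template_payload("Schedule update", "Updated schedule", email_html))
    api_post("/api/pages/", page_payload("Login clone", "<html>...</html>", "https://example.com/"))
    api_post("/api/smtp/", smtp_payload("Gmail", "Team <team@gmail.com>",
                                        "team@gmail.com", "xxxx xxxx xxxx xxxx"))
    return api_post("/api/campaigns/", campaign_payload("Teammates run", "Schedule update",
                                                        "Login clone", "Gmail", ["Teammates"],
                                                        "2024-01-01T09:00:00Z"))


if __name__ == "__main__":
    print(json.dumps(provision_campaign(), indent=2))
```

Run it once the admin server is up and the key is filled in; the returned campaign object carries the numeric id you can later pass to /api/campaigns/{id}/results to pull click and submission events.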
My First Campaign: Phishing My Teammates
With the basic setup in place, I launched a playful phishing campaign on my teammates. Using GoPhish’s user-friendly interface, I created a simple yet realistic phishing email and landing page. The Gmail SMTP server handled the email delivery. Though this campaign was lighthearted, it helped us understand how these attacks are executed.
Advanced Phishing Campaign for Our Assignment
Our final assignment involved phishing our TA at Georgia Tech. To make this more sophisticated, we worked with a colleague from Cisco to understand Georgia Tech’s mail stack, which included Cisco’s IronPort gateway enforcing SPF, DKIM, and DMARC. These mechanisms authenticate the sending domain, not the content: a message that forges a gatech.edu From: address fails the DMARC alignment check and is quarantined or rejected, while a message sent from a domain the sender actually controls, with valid SPF and DKIM records for that domain, passes the checks and reaches the inbox. Understanding which checks the gateway applies, and why a forged institute address would not survive them, is what kept our phishing emails from being flagged.
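To make the alignment point concrete, here is an added example (not from the post, and not GoPhish code) that evaluates SPF, DKIM and DMARC the way a receiving gateway does, over constructed DNS records. The DMARC records for gatech.edu and attacker-vps.example are stand-ins invented for the example; the real records are not consulted, and organizational-domain handling is simplified to the last two labels rather than the Public Suffix List.

```python
"""Evaluate SPF/DKIM/DMARC alignment as a receiving mail gateway does.

Added example with constructed DNS records (assumptions, not real data).
Results are the DMARC verdict plus the disposition the domain owner requested.
"""

CONSTRUCTED_DNS = {
    # Hypothetical records: a strict institute policy and a permissive attacker domain.
    "_dmarc.gatech.edu": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-rua@gatech.edu",
    "_dmarc.attacker-vps.example": "v=DMARC1; p=none",
}


def parse_tag_value(record):
    """'v=DMARC1; p=reject; adkim=r' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 'r'}"""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def org_domain(domain):
    """Simplified organizational domain: last two labels (real gateways use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain, header_from_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    a, b = identifier_domain.lower(), header_from_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(header_from_domain, mail_from_domain, spf_result,
                   dkim_d, dkim_result, dns=CONSTRUCTED_DNS):
    """DMARC passes if SPF or DKIM passes *and* its identifier aligns with the From: domain.

    spf_result / dkim_result are the raw authentication outcomes ('pass', 'fail', 'none');
    mail_from_domain is the envelope sender (SPF identifier); dkim_d is the d= tag of the
    validated signature, or None when there is no signature.
    """
    record = dns.get("_dmarc." + header_from_domain.lower())
    if record is None:
        return {"dmarc": "none", "disposition": "none"}   # no policy published
    tags = parse_tag_value(record)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, header_from_domain,
                                              tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_d is not None and
               aligned(dkim_d, header_from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    return {"dmarc": "fail", "disposition": tags.get("p", "none")}


def spoofed_institute_sender():
    """Forged From: someone@gatech.edu relayed through an attacker host whose own
    SPF and DKIM pass. Neither identifier aligns with gatech.edu, so p=reject applies."""
    return evaluate_dmarc("gatech.edu", "attacker-vps.example", "pass",
                          "attacker-vps.example", "pass")


def lookalike_sender():
    """From: someone@attacker-vps.example with that domain's own valid SPF/DKIM:
    authentication passes, which is why realistic campaigns send from a domain they control."""
    return evaluate_dmarc("attacker-vps.example", "attacker-vps.example", "pass",
                          "attacker-vps.example", "pass")


if __name__ == "__main__":
    print("spoofed institute address:", spoofed_institute_sender())
    print("lookalike domain:         ", lookalike_sender())
```

The takeaway for defenders is the mirror image: SPF and DKIM alone prove nothing about the visible From: address, and only a DMARC policy of quarantine or reject on the institute domain turns a forged header into a blocked message.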
We cloned a legitimate academic event page from Georgia Tech by saving it from the browser (Ctrl+S) and added a few elements to the cloned page:
• _headers.js: Sets response headers that tell search-engine crawlers not to index the page.
• _worker.js: Serves a 404 on repeated requests, so crawlers and scanners that re-fetch the page cannot find it.
• Encrypted HTML: The real page is stored as an encrypted blob and reconstructed in the victim’s browser by a small decoding script, so scanners that fetch the page (mail-gateway URL sandboxes, browser safe-browsing classifiers) see only an opaque payload rather than the login form.
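Seen from the defender’s side, an encrypted landing page has a distinctive shape: almost no static text, one large opaque string, and a script that decodes it and writes it into the document. The following added example (not from the post, and not how any particular safe-browsing product works) scores fetched HTML on those three hypothetical heuristics and runs them over two constructed pages, a plain event page and the same page wrapped in a base64-decode-and-write stub.

```python
"""Heuristic detector for decode-and-write phishing pages. Added example; the
heuristics and thresholds are assumptions chosen for illustration, and both
sample pages below are constructed, not captured from a real campaign."""
import base64
import re

# Calls that reconstruct a hidden page client-side.
DECODER_PATTERNS = [r"\batob\s*\(", r"\bunescape\s*\(", r"\bdocument\.write\s*\(",
                    r"\beval\s*\(", r"\.decrypt\s*\(", r"String\.fromCharCode"]
# A long run of base64 alphabet characters: the opaque payload.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")
SCRIPT_RE = re.compile(r"<script.*?</script>", re.S | re.I)

BENIGN_PAGE = """<html><head><title>Spring Research Symposium</title></head>
<body><h1>Spring Research Symposium</h1>
<p>Register below to reserve a seat for the keynote and poster sessions.</p>
<form action="/register" method="post"><input name="email"><button>Register</button></form>
</body></html>"""

# The same page hidden behind a decoder stub (constructed on the fly).
_blob = base64.b64encode((BENIGN_PAGE * 3).encode()).decode()
ENCODED_PAGE = ('<html><body><script>var p="%s";'
                'document.write(atob(p));</script></body></html>' % _blob)


def score_page(html):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    blob_bytes = sum(len(b) for b in BLOB_RE.findall(html))
    ratio = blob_bytes / max(len(html), 1)
    if ratio > 0.5:                       # most of the document is one opaque string
        findings.append("opaque_payload_ratio=%.2f" % ratio)
    for pattern in DECODER_PATTERNS:      # client-side decode/write machinery present
        if re.search(pattern, html):
            findings.append("decoder:" + pattern)
    static = re.sub(r"<[^>]+>", " ", SCRIPT_RE.sub("", html))
    if len(static.split()) < 8:           # no meaningful content without running JS
        findings.append("no_static_content")
    return findings


def is_suspicious(html):
    """Two or more independent findings: a decoder alone is common in legitimate sites."""
    return len(score_page(html)) >= 2


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("encoded", ENCODED_PAGE)):
        print(name, is_suspicious(page), score_page(page))
```

A URL sandbox that only fetches and pattern-matches the HTML will miss the cloned login form entirely; the practical mitigation is to render the page in a headless browser and inspect the DOM after scripts have run, at which point the form and its POST target are visible again.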
We sent out phishing emails with links to our cloned page, and the results were fascinating. This campaign involved advanced techniques for avoiding detection, allowing us to see how phishing campaigns could evolve in the real world.
Conclusion
Through GoPhish, we learned how to simulate phishing attacks, configure SMTP profiles, and clone legitimate pages to make the phishing attempt convincing. While this was all done in a controlled, educational environment, it highlighted the importance of being vigilant in the face of increasingly sophisticated cyber threats.
This experience gave me an appreciation for the complexity of phishing attacks and a better understanding of how organizations can defend against them.