Phishing Attack Simulation
I'm using Gophish, an open-source phishing framework designed for testing an organization's resilience to phishing attacks. It’s a flexible tool that allows you to create custom phishing templates with a full HTML editor, launch email campaigns, and track responses in near real-time.
I chose Gophish for its simplicity and robust feature set. It’s written in Go and offers binaries for multiple platforms (Windows, Mac, and Linux), making it easy to deploy. You can even set it up on cloud services like DigitalOcean, though for this project I’m deploying it through Railway for its GitHub integration.
Railway is a modern app hosting platform that makes it easy to deploy production-ready apps quickly. Railway can use a GitHub repository as the deployment source.

# Creating a Railway deployment of Gophish by forking the Gophish repository on GitHub
attractive-curiosity-gophish-playground.up.railway.app
Deployment successful; Gophish is up.
Obtained the initial admin credentials from the deployment logs
The highlighted values in config.json need to be updated
Committing the changes triggers a redeployment on Railway
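As an added example (my reconstruction, not the author's file), this is the shape of the config.json edit the deployment logs below imply: the stock Gophish config binds the admin server to 127.0.0.1:3333 with use_tls true, whereas here it listens on all interfaces without its own TLS because Railway's edge terminates HTTPS and forwards traffic to the container (an assumption about the platform), and the Railway hostname from the page is listed in trusted_origins so Gophish's CSRF origin check accepts requests arriving via the proxy. Every other key is the stock default.

```json
{
  "admin_server": {
    "listen_url": "0.0.0.0:3333",
    "use_tls": false,
    "cert_path": "gophish_admin.crt",
    "key_path": "gophish_admin.key",
    "trusted_origins": ["attractive-curiosity-gophish-playground.up.railway.app"]
  },
  "phish_server": {
    "listen_url": "0.0.0.0:80",
    "use_tls": false,
    "cert_path": "example.crt",
    "key_path": "example.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": "",
    "level": ""
  }
}
```

With this binding the admin UI is reachable from the internet behind nothing but the Gophish login, so the generated password printed in the logs should be rotated at first login and the admin hostname kept out of campaign material.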

Deployment logs showing the admin password being set (sensitive data scrubbed):

```text
time="2024-09-22T18:14:23Z" level=info msg="Please login with the username [REDACTED] and the password [REDACTED]"
time="2024-09-22T18:14:23Z" level=info msg="Starting IMAP monitor manager"
time="2024-09-22T18:14:23Z" level=info msg="Starting phishing server at http://0.0.0.0:80"
time="2024-09-22T18:14:23Z" level=info msg="Background Worker Started Successfully - Waiting for Campaigns"
time="2024-09-22T18:14:23Z" level=info msg="Starting admin server at http://0.0.0.0:3333"
time="2024-09-22T18:14:23Z" level=info msg="Starting new IMAP monitor for user [REDACTED]"
time="2024-09-22T18:14:47Z" level=info msg="[REDACTED IP] - - [22/Sep/2024:18:14:47 +0000] \"GET / HTTP/1.1\" 307 51 \"\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36\""
time="2024-09-22T18:14:47Z" level=info msg="[REDACTED IP] - - [22/Sep/2024:18:14:47 +0000] \"GET /login?next=%2F HTTP/1.1\" 200 1039 \"\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36\""
time="2024-09-22T18:14:48Z" level=info msg="[REDACTED IP] - - [22/Sep/2024:18:14:47 +0000] \"GET /css/dist/gophish.css HTTP/1.1\" 200 52514 \"https://attractive-curiosity-gophish-playground.up.railway.app/login?next=%2F\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36\""
```
Logged in with the credentials obtained from the deployment logs above
Tasks performed for phishing simulation project using Gophish:
- Configured user groups for targeted phishing email simulations, ensuring diverse role-based testing across departments.
- Created phishing email templates, including attachments such as PDFs and documents, to mimic real-world phishing attacks and test user responses.
- Set up sending profiles, specifying SMTP relay details for seamless email delivery across the simulated phishing campaigns.
- Designed custom landing pages that users are redirected to upon clicking phishing links, enabling accurate tracking of responses and user interaction.
Created a CSV file in Excel with a compilation of a Cybersecurity Consulting Team at Secure Defense Group (a group I created), listing each staff member's email address and position.
In this project, I developed a series of phishing email templates to demonstrate the techniques used in social engineering attacks. The templates include:
- Account Verification Email: Designed to mimic a notification from Workday, this email prompts users to verify their accounts.
- Password Change Notification: This template alerts users to change their passwords for enhanced security.
- Survey Invitation: Aimed at encouraging user interaction, this email leads recipients to a survey link.
The HTML was pulled from an old survey email I received, to make it look realistic enough to bait employees into clicking: honeypot theory, with a reward. Attempting the survey would send users to a landing page telling them they had been phished.

Created a simple account verification request email using HTML I wrote:

Mailtrap: a transactional email API service for developers
- Testing and Security: I utilized Mailtrap to conduct safe testing of my phishing simulations, ensuring that no real emails were sent to unsuspecting recipients. This approach reflects my commitment to ethical cybersecurity practices.
- Technical Skills Demonstration: By setting up a simulated email environment, I showcased my ability to create controlled and secure settings for effective testing.
- Purpose: I used Mailtrap to verify that the emails were correctly formatted and functioned as intended, ensuring readiness for any potential real-world deployment.
HTML for the password update landing page:

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Update Your Password</title>
  <style>
    body {
      font-family: Arial, sans-serif;
      background-color: #f4f4f4;
      display: flex;
      justify-content: center;
      align-items: center;
      height: 100vh;
      margin: 0;
    }
    .container {
      background: white;
      padding: 20px;
      border-radius: 8px;
      box-shadow: 0 0 10px rgba(0,0,0,0.1);
      width: 300px;
    }
    h2 {
      text-align: center;
    }
    input[type="password"], input[type="submit"] {
      width: calc(100% - 20px);
      padding: 10px;
      margin: 10px 0;
      border: 1px solid #ddd;
      border-radius: 5px;
    }
    input[type="submit"] {
      background-color: #4CAF50;
      color: white;
      border: none;
      cursor: pointer;
    }
    input[type="submit"]:hover {
      background-color: #45a049;
    }
  </style>
</head>
<body>
  <div class="container">
    <h2>Update Your Password</h2>
    <!-- The action URL is a placeholder. Gophish only records a "Submitted Data"
         event when the form posts back to the Gophish phishing server (an empty
         action posts to the current landing-page URL), so leave this pointing at
         Gophish rather than an external host. -->
    <form action="https://your-server-url.com/submit" method="POST">
      <label for="current-password">Current Password</label>
      <input type="password" id="current-password" name="current-password" required>
      <label for="new-password">New Password</label>
      <input type="password" id="new-password" name="new-password" required>
      <label for="confirm-password">Confirm Password</label>
      <input type="password" id="confirm-password" name="confirm-password" required>
      <input type="submit" value="Submit">
    </form>
  </div>
</body>
</html>
```
Setting up a campaign to batch-send the phishing emails to the Cybersecurity group
In this phishing simulation project, we successfully created and deployed several phishing emails designed to test the awareness and responsiveness of users to potential threats. The campaign included several templates: password update requests, account verifications, and survey invitations.
Results:
- Email Delivery: All emails were sent successfully to the targeted recipients.
- Engagement Metrics: Notably, none of the recipients opened the phishing emails. This outcome is promising, indicating a high level of awareness among users regarding potential phishing attempts.
If this simulation had been executed in a real-world environment, we would have expected to see results across several key metrics:
- Emails Opened: A measure of how many users recognized and engaged with the phishing attempt.
- Links Clicked: This would indicate whether users were lured into interacting with the malicious content.
- Data Submitted: Capturing any data entered by users on the phishing landing page would reveal susceptibility to such attacks.
- Emails Reported: Tracking how many users reported the phishing attempt would provide insights into the effectiveness of training and awareness programs.
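As an added example (not part of the project), this is how those metrics are derived from a Gophish campaign's timeline export. The event names are Gophish's own result statuses; the campaign JSON is a constructed sample, not the author's data.

```python
"""Turn a Gophish campaign export into the awareness metrics listed above."""
import json

# Gophish's result event names, in funnel order. A recipient who submitted data
# necessarily clicked, and one who clicked necessarily opened the mail even if the
# tracking image never loaded (many clients block remote images), so counts are
# cumulative, as on the Gophish dashboard. "Email Reported" sits outside the funnel.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
RANK = {name: i for i, name in enumerate(STAGES)}

# Constructed sample in the shape of the "timeline" array returned by Gophish's
# GET /api/campaigns/{id}; campaign-level events carry an empty "email".
SAMPLE_CAMPAIGN = json.dumps({
    "timeline": [
        {"email": "", "message": "Campaign Created"},
        {"email": "a@example.com", "message": "Email Sent"},
        {"email": "b@example.com", "message": "Email Sent"},
        {"email": "c@example.com", "message": "Email Sent"},
        {"email": "d@example.com", "message": "Email Sent"},
        {"email": "b@example.com", "message": "Email Opened"},
        {"email": "c@example.com", "message": "Clicked Link"},   # no open event: image blocked
        {"email": "c@example.com", "message": "Submitted Data"},
        {"email": "d@example.com", "message": "Email Reported"},
    ],
})

def summarise(campaign_json: str) -> dict:
    """Return cumulative per-stage counts, the report count, and rates vs. emails sent."""
    campaign = json.loads(campaign_json)
    furthest = {}      # recipient -> index of the deepest funnel stage reached
    reported = set()   # recipients who reported the mail
    for event in campaign["timeline"]:
        email, message = event.get("email"), event.get("message")
        if not email:
            continue
        if message == "Email Reported":
            reported.add(email)
        elif message in RANK:
            furthest[email] = max(furthest.get(email, -1), RANK[message])
    counts = {stage: sum(1 for r in furthest.values() if r >= i)
              for i, stage in enumerate(STAGES)}
    counts["Email Reported"] = len(reported)
    sent = counts["Email Sent"]
    rates = {k: round(100 * v / sent, 1) if sent else 0.0 for k, v in counts.items()}
    return {"counts": counts, "rates_pct": rates}

if __name__ == "__main__":
    summary = summarise(SAMPLE_CAMPAIGN)
    for stage, n in summary["counts"].items():
        print(f"{stage:15} {n:3d}  {summary['rates_pct'][stage]:5.1f}%")
```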
The results of this simulation suggest that user education and awareness training are effective in preventing phishing attacks. However, ongoing education and testing are crucial in maintaining vigilance against evolving threats. This project has provided valuable insights into user behavior and the effectiveness of our phishing awareness strategies!