Creating a Template

Once the recipients of your first phishing campaign are created, it's time to create a template, which is the actual phishing email or, more precisely, its content. To do this, go to the Email Templates menu. You can import existing email content with the Import Email button. One typical attack vector in phishing email is to get the recipient of the message to reset the password. To this end, the templates provide various functions. Gophish also provides various variables for use in the email templates and on the landing page (Table 1). Note that the software is case-sensitive for templates. In the Subject line, use the following configuration to contact all recipients from an email address pool:

Reset password for {{.Email}}

In the text field you can then start entering the message content, which you design in the HTML tab. Gophish also has a simple visual editor, which you open by clicking the Source button. To illustrate how the template works, enter the following text in HTML view:

Hello {{.FirstName}},
Your password for {{.Email}} has expired. Please request a new password here.
Kind regards,
Your Support Team

You now need to serve up a here link to the message recipient by selecting the word here , clicking the chain icon, and assigning the URL link type http:// as the protocol and the target URL for the link on the Link Info tab. Instead of a fixed URL, you again need to use a variable; this time it's {{.URL}}. This configuration ensures that you can assign individual URLs to different campaigns. Make sure that Add Tracking Image is checked to ensure user tracking.

Grabbing Passwords

The goal of a phishing email is to gain personal information. The primary aim is to steal access credentials and use them for further attacks. To do this, attackers lure their victims to websites that are often perfect replicas of the purported target sites. Therefore, you also need a portal for your phishing test. You can set this up from the Landing Pages menu.

This step is quite simple. Clicking New Page lets you generate a copy of the page whose URL you store by selecting Import Site . In this example, I simulate access to the admin area of a web-based enterprise resource planning (ERP) installation. After the import, the HTML code of the page shows up and a click on the Source button provides a preview.

To record the forms the victims submit, check the Capture Submitted Data and Capture Passwords options. This input is not encrypted and is stored in the Gophish database in plaintext. Once the victim has given you this information, you can redirect them to another page that confirms, for example, that the password update has been changed, so that the victim feels secure. You can specify the redirect URL in the Redirect to: input box. A final click on Save Page saves the target page.

Running a Campaign

Preparations are complete for a first launch of your first phishing campaign. To do this, switch to the Campaigns menu and create an initial campaign by selecting New Campaign . Most of the settings are self-explanatory: Assign a name for the campaign, select the email template, and determine the landing page. The configuration of the URL input field is where you specify the IP address of the Gophish server. It is important for the server to be available during the campaign so it can track and record the client actions.

The campaign configuration supports time control in the Launch Date input box. Next, specify the channel profile (Sending Profile ) and the target audience (Groups ) and click Launch Campaign to launch your first test (Figure 2). After starting the campaign, you will be automatically redirected to the results page where you can track email sending and opened messages in real time (Figure 3). The visualization shows the number of email messages sent and opened and the number of email messages from which the target person followed the link and submitted the input form.

Figure 2: After you launch a campaign, the copy of the phishing landing page will look very similar to the default login page.

Figure 3: The Gophish dashboard gives you real-time phishing campaign results.

In the Details section, the dashboard lists information such as the name of the target and the respective status. The status column tells you which employees fell for the phishing email. From this information, you might be able to identify patterns in successful attacks and derive consequences for adapting the infrastructure. Making employees aware of the problem once again would be prudent.

The underpinnings of the report function come courtesy of the GoReport [4] module and include export options for downstream processing. Just follow the View Results link in the dashboard at the end of the respective test configuration. In the results view, GoReport lists the details of a campaign. From the detailed view, you can export the results or the raw data to a CSV file.

The Gophish API is available for custom reports (e.g., to bundle results from multiple campaigns). The developers provide a Python API client to implement appropriate functions. To end a campaign, execute the Complete command in the results overview. The current Gophish version does not support automatic termination of campaigns.