1. Training users in the basics of information security. Fight against phishing

Today, a network administrator or information security engineer spends a lot of time and effort protecting the perimeter of the enterprise network from various threats and mastering new systems for prevention and event monitoring, yet even this does not guarantee complete security. Attackers actively use social engineering, and it can have serious consequences.

How often have you caught yourself thinking: "It would be nice to check the staff's information security literacy"? Unfortunately, the thought runs into a wall of obstacles in the form of too many tasks or the limited hours of the working day. We plan to tell you about modern products and technologies for automating personnel training that do not require long preparation for a pilot or deployment, but first things first.

Theoretical foundation

Today, more than 80% of malicious files are distributed by email (data from Check Point experts' reports over the past year, obtained with the Intelligence Reports service).

Figure: Malicious File Attack Vector Report (Russia) - Check Point

This suggests that the content of email messages is a channel exploitable enough for attackers to rely on. Looking at the most popular malicious file formats in attachments (EXE, RTF, DOC), it is worth noting that they usually contain elements for automatic code execution (scripts, macros).

Figure: Annual Report on File Formats in Malicious Messages Received - Check Point

How to deal with this attack vector? Mail is checked with security tools:

  • Antivirus: signature-based threat detection.

  • Emulation: a sandbox in which attachments are opened in an isolated environment.

  • Content Awareness: extraction of active elements from documents. The user receives a cleaned document (usually in PDF format).

  • AntiSpam: checking the reputation of the recipient's / sender's domain.

And, in theory, this is enough, but the company has another equally valuable asset: the corporate and personal data of its employees. In recent years, the following type of Internet fraud has been growing in popularity:

Phishing (from "fishing") is a type of Internet fraud whose purpose is to obtain user identification data: passwords, credit card numbers, bank account details and other sensitive information.


Attackers keep refining phishing attacks, redirecting DNS requests for popular sites and deploying entire campaigns that rely on social engineering in the emails they send.

Thus, to protect corporate email from phishing, two approaches are recommended, and using them together gives the best results:

  1. Technical protection tools. As mentioned earlier, various technologies are used to check mail and forward only legitimate messages.

  2. Theoretical training of personnel. This consists of comprehensive testing of the staff to identify potential victims; they are then retrained, and statistics are recorded continuously.

Don't trust and verify

Today we will talk about the second approach to preventing phishing attacks, namely automated training of personnel in order to raise the overall level of security of corporate and personal data. Why can it be so dangerous?

Social engineering (in the context of information security) is the psychological manipulation of people in order to make them perform certain actions or disclose confidential information.

Figure: Diagram of a typical phishing attack deployment scenario

Let's take a look at an entertaining flowchart that briefly depicts how a phishing campaign is carried out. It has several stages:

  1. Collection of primary data.

    In the 21st century it is difficult to find a person who is not registered on some social network or thematic forum. Naturally, many of us leave detailed information about ourselves: current place of work, groups for colleagues, phone, email, etc. Add personalized information about the person's interests, and you have the data to build a phishing template. Even if no people with such information could be found, there is always the company website, where all the information of interest can be found (mail domain, contacts, connections).

  2. Campaign launch.

    Once the groundwork is done, you can launch your own targeted phishing campaign using free or paid tools. During the mailing, statistics accumulate: delivered mail, opened mail, link clicks, entered credentials, etc.

Products on the market

Phishing can be used both by cybercriminals and by a company's own information security staff in order to continuously audit employees' behavior. What does the market offer in free and commercial solutions for an automated employee training system?

  1. GoPhish is an open source project that allows you to deploy a phishing campaign in order to check the IT literacy of your employees. Among its advantages I would include ease of deployment and minimal system requirements. Its disadvantages are the lack of ready-made mailing templates and the lack of tests and training materials for staff.

  2. KnowBe4 is a platform with a large number of products available for personnel testing.

  3. Phishman is an automated system for testing and training employees. It comes in versions supporting from 10 to more than 1000 employees. Training courses include theory and practical tasks, and training needs can be identified from the statistics obtained after a phishing campaign. The solution is commercial, with a trial available.

  4. Antiphishing is an automated system for security training and control. This commercial product offers periodic mock attacks, employee training, etc. As a demo, a campaign is offered that includes deploying templates and conducting three training attacks.

The solutions above are only a part of the products available on the automated personnel training market. Of course, each has its own advantages and disadvantages. Today we will get to know GoPhish, simulate a phishing attack and explore the available options.

GoPhish


So, it's time for practice. GoPhish was not chosen by chance: it is a user-friendly tool with the following features:

  1. Simplified installation and launch.

  2. REST API support, which allows you to build requests from the documentation and use automated scripts.

  3. Convenient graphical user interface.

  4. Cross-platform.

The development team has prepared an excellent guide on deploying and configuring GoPhish. In fact, you only need to go to the repository, download the ZIP archive for your OS and run the binary inside it, after which the tool is installed.

IMPORTANT NOTE!

As a result, you should see information about the deployed portal in the terminal, as well as the login credentials (relevant starting from version 0.10.1). Don't forget to save the password!

msg="Please login with the username admin and the password <PASSWORD>"

Understanding the GoPhish setup

After installation, a configuration file (config.json) is created in the application directory. Its parameters (key, default value, description):

  • admin_server.listen_url (default 127.0.0.1:3333): IP address and port of the GoPhish admin server.

  • admin_server.use_tls (default false): whether TLS is used for connections to the GoPhish admin server.

  • admin_server.cert_path (default example.crt): path to the SSL certificate for the GoPhish admin portal.

  • admin_server.key_path (default example.key): path to the private SSL key.

  • phish_server.listen_url (default 0.0.0.0:80): IP address and port on which the phishing pages are hosted (on the GoPhish server itself, port 80 by default).

-> Go to the management portal; in our case: https://127.0.0.1:3333

-> You will be prompted to change the password (for example, the long generated one to a simpler one, or vice versa).

Creating a sender profile

Go to the "Sending Profiles" tab and enter the details of the user on whose behalf our mailing will be sent:

Where:

  • Name: sender name.

  • From: sender's email address.

  • Host: IP address of the mail server from which the mailing will be sent.

  • Username: login of the mail server user account.

  • Password: password of the mail server user account.

You can also send a test message to make sure delivery works. Save the settings with the "Save profile" button.

Create a destination group

Next, form a group of recipients for our mailing. Go to "Users & Groups" → "New Group". There are two ways to add recipients: manually or by importing a CSV file.

The second method requires the following fields to be present:

  • First Name

  • Last Name

  • Email

  • Position

As an example:

First Name,Last Name,Position,Email
Richard,Bourne,CEO,[email protected]
Boyd,Jenius,Systems Administrator,[email protected]
Haiti,Moreo,Sales & Marketing,[email protected]

Create a phishing email template

After we have defined the imaginary attacker and the potential victims, we need to create a message template. To do this, go to "Email Templates" → "New Template".

Forming a template takes both a technical and a creative approach: you should imitate a message from a service that is familiar to the victim users or provokes a certain reaction from them. The available fields:

  • Name: template name.

  • Subject: subject of the email.

  • Text/HTML: field for entering text or HTML code.

GoPhish supports importing emails, but we will create our own. To do this, we simulate a scenario: a company user receives an email proposing that he change the password for his corporate mail. Then we analyze his reaction and look at our "catch".

We will use built-in variables in the template. More details can be found in the guide mentioned above, in the Template Reference chapter.

First, let's load the following text:

{{.FirstName}},

The password for {{.Email}} has expired. Please reset your password here.

Thanks,
IT Team

Accordingly, the user's name (from the group created earlier under "New Group") and his email address will be substituted automatically.

Next, we should add a link to our phishing resource. To do this, select the word "here" in the text and choose the "Link" option on the toolbar.

As the URL, we specify the built-in variable {{.URL}}, which we will fill in later. It will be embedded in the body of the phishing email automatically.

Don't forget to enable the "Add Tracking Image" option before saving the template. This adds a 1x1 pixel image that records when the user opens the email.
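As an added example (not part of the article or of GoPhish itself), here is how the variables above turn one template into a personalised message per recipient, with a per-recipient rid carried in both the link and the tracking image; TARGETS_CSV is constructed, and the {{.Tracker}} variable and the rid/track URL layout are assumptions about how GoPhish builds them.

```python
import csv
import io
import re

# The article's template with the "here" link and the tracking image added. Assumption:
# "Add Tracking Image" appends {{.Tracker}}, which GoPhish expands to a hidden <img>.
TEMPLATE = """{{.FirstName}},

The password for {{.Email}} has expired. Please reset your password <a href="{{.URL}}">here</a>.

Thanks,
IT Team
{{.Tracker}}"""

# Constructed recipients in the CSV layout from the "Create a destination group" step.
TARGETS_CSV = """First Name,Last Name,Position,Email
Richard,Bourne,CEO,richard.bourne@example.com
Boyd,Jenius,Systems Administrator,boyd.jenius@example.com
"""

VARIABLE = re.compile(r"\{\{\.(\w+)\}\}")

def context(target, base_url, rid):
    """Values for one recipient. The rid query parameter is what ties each open, click
    and submission back to that person (assumption: GoPhish's URL layout)."""
    tracking_url = f"{base_url}/track?rid={rid}"
    return {"FirstName": target["First Name"], "LastName": target["Last Name"],
            "Position": target["Position"], "Email": target["Email"],
            "URL": f"{base_url}?rid={rid}", "TrackingURL": tracking_url,
            "Tracker": f"<img alt='' style='display: none' src='{tracking_url}'/>"}

def render(template, ctx):
    """Substitute {{.Name}} placeholders; an unknown name fails instead of being mailed
    out as literal text."""
    def replace(m):
        if m.group(1) not in ctx:
            raise KeyError(f"unknown template variable {m.group(0)}")
        return ctx[m.group(1)]
    return VARIABLE.sub(replace, template)

def render_all(csv_text, template, base_url, rids):
    """One personalised message per CSV row; rids are the per-recipient identifiers."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if len(rids) != len(rows):
        raise ValueError("one rid per recipient is required")
    return [render(template, context(t, base_url, r)) for t, r in zip(rows, rids)]
```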

So, not much is left, but first let's summarize the steps required after logging in to the GoPhish portal:

  1. Create a sender profile;

  2. Create a distribution group where to specify users;

  3. Create a phishing email template.

Agreed, the setup did not take much time, and we are almost ready to launch our campaign. It remains to add a phishing page.

Creating a Phishing Page

Go to the "Landing Pages" tab.

You will be prompted to name the object. It is possible to import a source site; in our example I tried to specify the web portal of a working mail server, and it was imported as HTML code (albeit not completely). The following options for capturing user input are of interest:

  • Capture Submitted Data: if the specified page contains input forms, all submitted data will be recorded.

  • Capture Passwords: capture entered passwords. The data is written to the GoPhish database without encryption, as is.

Additionally, we can use the "Redirect to" option, which redirects the user to the specified page after the credentials are entered. Recall that our scenario prompts the user to change the password for corporate mail: for this he is shown a fake page of the mail authorization portal, after which the user can be sent to any available company resource.

Do not forget to save the completed page and go to the "New Campaign" section.

Launching a GoPhish phishing campaign

We have provided all the required information. In the "New Campaign" tab, create a new campaign.

Campaign launch

Where:

  • Name: campaign name.

  • Email Template: message template.

  • Landing Page: phishing page.

  • URL: IP address of your GoPhish server (it must be reachable over the network from the victim's host).

  • Launch Date: campaign start date.

  • Send Email By: campaign end date (the mailing is spread evenly up to it).

  • Sending Profile: sender profile.

  • Groups: recipient group for the mailing.

After the launch, we can look at the statistics at any time: messages sent, messages opened, link clicks, data submitted, reports to spam.
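As an added example (not from the article or the GoPhish project), the same steps scripted against the GoPhish REST API mentioned earlier: building the recipient group from the CSV layout above and turning campaign results into the per-stage statistics described here. It assumes the API-key Bearer header and the /api/groups/ and /api/campaigns/<id>/results endpoints from the GoPhish API documentation; ADMIN_URL and API_KEY are placeholders, and SAMPLE_RESULTS is constructed.

```python
import csv
import io
import json
import urllib.request
from collections import Counter

ADMIN_URL = "https://127.0.0.1:3333"  # the admin portal from the article
API_KEY = "<API_KEY>"                 # placeholder: API key from the portal's account settings
REQUIRED = {"First Name", "Last Name", "Email", "Position"}
# Recipient statuses in the order GoPhish reports them; each implies the earlier ones.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

def group_payload(name, csv_text):
    """Recipient CSV (columns as in the article) -> JSON body for POST /api/groups/."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:  # refuse a file that GoPhish would import incompletely
        raise ValueError(f"CSV is missing required columns: {sorted(missing)}")
    targets = [{"first_name": r["First Name"], "last_name": r["Last Name"],
                "email": r["Email"], "position": r["Position"]} for r in reader]
    return {"name": name, "targets": targets}

def api(method, path, body=None):
    """Authenticated call to the GoPhish REST API (API key sent as a Bearer token)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ADMIN_URL + path, data=data, method=method, headers={
        "Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def summarize(results):
    """Per-stage counts from GET /api/campaigns/<id>/results (the portal's statistics)."""
    stats = Counter({s: 0 for s in STAGES})
    for r in results["results"]:
        if r["status"] in STAGES:
            for s in STAGES[: STAGES.index(r["status"]) + 1]:
                stats[s] += 1
        else:  # "Scheduled", "Error", "Email Reported": counted under their own key
            stats[r["status"]] += 1
    return dict(stats)

def needs_training(results):
    """Recipients who entered credentials on the landing page: the ones to retrain."""
    return sorted(r["email"] for r in results["results"] if r["status"] == "Submitted Data")
# Constructed sample of the results endpoint's response for a three-recipient campaign.
SAMPLE_RESULTS = {"id": 1, "status": "In progress", "results": [
    {"email": "richard.bourne@example.com", "status": "Submitted Data"},
    {"email": "boyd.jenius@example.com", "status": "Email Opened"},
    {"email": "haiti.moreo@example.com", "status": "Email Sent"}]}
```

A campaign would be created with api("POST", "/api/groups/", group_payload(...)) followed by the template, page and campaign calls, and needs_training() gives the list for the retraining step of the second approach.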

The statistics show that 1 message was sent; let's check the mail from the recipient's side:

Indeed, the victim received the phishing email asking them to follow the link to change their corporate account password. We perform the requested actions and are sent to the landing page; what about the statistics?

As a result, our user followed the phishing link, where he could potentially leave his account credentials.

Author's note: the data entry step was not recorded because a test layout was used, but the option exists. Also, the content is not encrypted and is stored in the GoPhish database; please keep this in mind.

Instead of a conclusion

Today we touched on the topical issue of conducting automated training for employees in order to protect them from phishing attacks and raise their IT literacy. As an affordable solution, GoPhish was deployed, and it performed well in terms of time from deployment to result. With this affordable tool you can test your employees and generate reports on their behavior. If you are interested in this product, we offer help with deploying it and auditing your employees ([email protected]).

However, we are not going to stop at a review of one solution and plan to continue the series, where we will talk about enterprise solutions for automating the training process and monitoring employee security. Stay with us and stay vigilant!

Source: habr.com
