InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…

Simulating Phishing Attacks with Gophish: A Comprehensive Guide

Phishing is one of the most common tactics cybercriminals use to steal sensitive data like login credentials, financial details, and personal information. While anti-phishing technologies are continuously improving, phishing attacks remain a significant threat due to the ongoing cat-and-mouse game between attackers and defenders. Unfortunately, human error is still a major vulnerability, with employees often being the weakest link in an organization’s security.

Source: Cloudflare

What is Gophish and How Does It Work?

Gophish is an open-source phishing framework that helps organizations test their readiness against phishing attacks. With Gophish, you can create custom phishing email templates, launch targeted campaigns, and track responses in real time. It’s a user-friendly tool written in Go that runs on Windows, Mac, and Linux, and it also ships as a Docker container for easy deployment.

What is Railway?

Railway is a modern cloud platform that simplifies the process of deploying production-ready applications. In this guide, we will use Railway to deploy Gophish quickly and with minimal configuration.

Step-by-Step Guide to Deploying Gophish Using Railway

To deploy Gophish with Railway, you first need to fork the Gophish repository and set up a new Railway project. Here’s how you can get started:

  • Fork the Gophish Repository: Log in to your GitHub account and fork the Gophish repository.
  • Create a New Railway Project: Sign up for Railway and link your GitHub account. Deploy the Gophish project directly from your forked repository. The deployment will begin right away, but a few additional steps are required to configure Gophish properly.
  • Configure Deployment Settings: Once the deployment is finished, go to Settings > Domains and click Generate Domain to expose the service publicly. Railway will assign a default xxx.up.railway.app domain.
  • Create a New Variable: In the Variables tab, add a new variable called PORT with the value 3333 (the port the admin server listens on).
  • Check the Logs for Credentials: Head to Deployments and click View Logs. Look for a log entry that contains the message:
    “Please log in with the username admin and the password XXXXXXXXX.”
  • Update config.json: Modify the config.json file in your forked Gophish repository:
      • Change listen_url from 127.0.0.1:3333 to 0.0.0.0:3333 so the admin server listens on all interfaces rather than loopback only and Railway can route traffic to it.
      • Set use_tls to false, since Railway terminates the TLS connection in front of the service.
      • Add your Railway domain to trusted_origins, for example "xxx.up.railway.app", or use your custom domain.
  • Commit Changes and Deploy: After committing your changes, Railway will automatically trigger the deployment again. If everything is set up correctly, you’ll see the Gophish Admin Login Page when you access the deployment URL.
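As an added example (not part of the original guide, Gophish or Railway), the following Python script applies the three config.json edits described above and flags the settings that most often leave the admin UI unreachable behind Railway's proxy. The sample config is constructed to mirror the shape of Gophish's default config.json, and xxx.up.railway.app is a placeholder for your own domain.

```python
"""Patch and sanity-check a Gophish config.json for Railway (added example, not Gophish's own code)."""
import copy
import json

# Constructed sample mirroring the shape of Gophish's default config.json;
# only the admin_server keys that the guide edits are relied on.
DEFAULT_CONFIG = json.loads("""{
  "admin_server": {"listen_url": "127.0.0.1:3333", "use_tls": true,
                   "cert_path": "gophish_admin.crt", "key_path": "gophish_admin.key",
                   "trusted_origins": []},
  "phish_server": {"listen_url": "0.0.0.0:80", "use_tls": false},
  "db_name": "sqlite3", "db_path": "gophish.db"
}""")

RAILWAY_PORT = "3333"  # must equal the PORT variable set in Railway's Variables tab


def patch_for_railway(config: dict, domain: str) -> dict:
    """Return a copy of config with the guide's three admin_server edits applied."""
    domain = domain.strip().lower()
    if "://" in domain or "/" in domain:
        raise ValueError("trusted_origins takes a bare host, not a URL: %r" % domain)
    patched = copy.deepcopy(config)
    admin = patched["admin_server"]
    admin["listen_url"] = "0.0.0.0:" + RAILWAY_PORT  # all interfaces, so Railway's proxy can reach it
    admin["use_tls"] = False                         # Railway's edge terminates TLS for us
    origins = admin.setdefault("trusted_origins", [])
    if domain not in origins:                        # idempotent: re-running adds no duplicate
        origins.append(domain)
    return patched


def check_config(config: dict) -> list:
    """Return human-readable findings for a config destined for Railway (empty list = OK)."""
    findings = []
    admin = config.get("admin_server", {})
    host, _, port = admin.get("listen_url", "").rpartition(":")
    if host == "127.0.0.1":
        findings.append("admin server bound to loopback only; Railway cannot route to it")
    if port != RAILWAY_PORT:
        findings.append("admin port %r does not match Railway PORT=%s" % (port, RAILWAY_PORT))
    if admin.get("use_tls") is False and not admin.get("trusted_origins"):
        findings.append("use_tls=false behind a TLS proxy with empty trusted_origins: "
                        "the CSRF origin check will reject logins from the public domain")
    return findings
```

Run check_config against the unpatched file first and then against the patched result; an empty list on the second call is what a working Railway deployment needs.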

Running Phishing Attack Simulations: A Hands-On Approach

Once your Gophish instance is deployed, log into the admin panel and update the password for security purposes. You can now configure your phishing attack simulations to mimic real-world threats by setting up the following elements:

  • Users and Groups: Create specific users or groups to target with phishing emails.
  • Email Templates: Customize phishing email templates with realistic content, attachments, and links.
  • Sending Profiles: Set up SMTP relay details to send the phishing emails.
  • Landing Pages: Build fake landing pages where users are redirected after clicking phishing links.

After configuring these elements, you can start a phishing campaign. Navigate to the Campaigns section, create a new campaign, and select the appropriate email template, landing page, sending profile, and target group. Once the campaign is launched, monitor its progress in real time through the dashboard.

Tracking Campaign Effectiveness

While it’s crucial that employees recognize phishing attempts and avoid falling victim, tracking the results of your simulations is just as important. Gophish provides instant feedback, showing which users clicked on links, entered sensitive information, and more. While it may not have all the advanced features of premium phishing simulation tools, Gophish is a great option for organizations on a budget or those just starting to explore phishing simulations.

Source: getgophish.com

Phishing simulations are a valuable tool for assessing and improving your organization’s security posture. They help raise awareness among employees and allow you to identify weak spots in your training program. With Gophish, you can easily launch phishing campaigns and track results, making it an excellent solution for both small startups and large enterprises looking to enhance their cybersecurity awareness.

Stay vigilant, stay informed, and stay secure!

Thank You for Reading!

Your interest and attention are greatly appreciated.

Responses (1)

Hi, I have a problem at the step where I create a campaign and enter the URL.
I enter the URL from 'Railway' which is 'gophish-production *******.up.railway.app'.
After sending the campaign and clicking on the template, it redirects not to the…