2019-05-16 00:00:00
I was recently asked to conduct phishing tests against our own Airwalk employees to assess our susceptibility to attack. We didn’t want to spend money engaging a third party testing company because, as a technology company, we thought we could probably do it ourselves.
In my previous story, Phishing Philosophy, I discussed the things one should consider before spamming colleagues with phoney emails, along with what form those messages should take.
Here I will discuss the practical implementation of the system I used to perform the test. This story will be more technically-focused than the last.
I will describe all the technical steps I took in case you wish to do something similar to test your company’s defences. I would emphasise here, please ensure you have the authority from the correct people in your organisation before emulating anything I describe here. While I’m happy to respond to any questions, don’t blame me if you get fired 🙂
Having previously answered all the questions of how I should form a phishing test email, I needed to choose a tool with which to create and send it. After some reading around I discovered Gophish, a piece of open-source software released under the MIT License which handles the creation of email templates and landing pages, recipient lists, the actual email sending and campaign management. It feels a lot like an email marketing tool. Armed with this and a friendly SMTP relay I’d be on my way.
As is now natural, I decided to deploy Gophish to an EC2 instance in AWS.
I chose to use an AWS region that was far away from us here in London for two reasons. Firstly, to lower the chances of technical colleagues noticing my instance and suspecting a test was coming. Secondly, to add another little clue to the vigilant that this was going to be an unusual email should they choose to look at the headers. Therefore, I chose São Paulo.