Security teams constantly worry about phishing scams. Of all the social engineering attacks, phishing is the most significant and effective.
Despite thorough guidance to help employees avoid falling victim to phishing schemes and technologies that help prevent many scams from ever reaching employees' inboxes, phishing attacks continue to plague enterprises. Employees are tricked into revealing sensitive information they would not typically expose, including login credentials and company data. These attacks -- usually delivered by email or on fake websites -- are particularly potent because they often appear to originate from a trusted source, such as a coworker, financial institution or other business entity.
It's important to understand phishing weaknesses before throwing another security awareness training at employees -- that's where Gophish comes in. This free and open source framework enables security teams to test how employees respond to potential phishing messages. It relies on a web-based UI for simplicity and clarity, making it compatible with Linux, macOS and Windows.
The tool was designed to help organizations identify training opportunities and strengthen their overall security postures. Its main uses are social engineering education and demonstration, cybersecurity awareness training and penetration testing. Gophish is often part of a larger pen testing initiative because it can validate employee responses, including those that might serve as an entry point.
Let's go over how to use Gophish to train users to avoid actual phishing attacks.
How to install Gophish
The tool has two installation options: Use the precompiled binary or compile the application yourself. For most use cases, rely on the precompiled binary. Note that the application has not been updated in a few years, but it should remain fully functional on modern systems.
When learning how to use Gophish, you might need to add sudo to the following commands on Linux systems, depending on your login credentials. macOS might have similar restrictions that require privilege elevation.
Install Gophish by running the following command to pull the latest version from GitHub:
go install github.com/gophish/gophish@latest
If you prefer the wget utility, type this command instead:
The /opt/gophish directory now contains the application's supporting files and the gophish executable. Change to this directory using the cd /opt/gophish command.
Run the following two commands to set the permissions on the config.json file and the gophish executable:
chmod 0640 config.json
chmod +x gophish
Finally, run the application from the /opt/gophish directory:
./gophish
You can add the directory to your $PATH variable if desired.
Gophish also supports the use of a Docker image file. Running Gophish in a container is a great way to get started.
Because Gophish is written in the Go programming language, it's portable among Linux, macOS and Windows systems. Check the online documentation for details on compiling Gophish. The short version is that you must install the Go programming language and a GCC compiler before downloading the source code.
How to configure Gophish
Modify the config.json file to customize Gophish settings or define specific requirements. You can also configure an OpenSSL certificate to establish HTTPS connections to the Gophish admin site. The primary setting is the listen_url field, which should point to your target IP address.
Gophish uses SQLite, which should be sufficient for most environments. Larger organizations might need to use MySQL instead.
Run Gophish manually by executing the ./gophish command. You can also create a Linux service file to launch the application automatically.
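As an added example (not from this article or the Gophish project), the following Python script audits a config.json before you start the service, flagging an admin listener bound to every interface or running without TLS. The key names follow the stock config.json layout (admin_server, phish_server, db_name); the two embedded configs and the address 192.0.2.10 are constructed placeholders.

```python
import json

# Constructed config.json samples in the stock Gophish layout (not copied from the project).
# WEAK_CONFIG mirrors a default-style setup; HARDENED_CONFIG pins the listeners to one IP
# (192.0.2.10 is a documentation placeholder) and enables TLS with a certificate pair.
WEAK_CONFIG = json.loads("""{
  "admin_server": {"listen_url": "0.0.0.0:3333", "use_tls": false,
                   "cert_path": "", "key_path": ""},
  "phish_server": {"listen_url": "0.0.0.0:80", "use_tls": false,
                   "cert_path": "example.crt", "key_path": "example.key"},
  "db_name": "sqlite3", "db_path": "gophish.db"
}""")

HARDENED_CONFIG = json.loads("""{
  "admin_server": {"listen_url": "192.0.2.10:3333", "use_tls": true,
                   "cert_path": "gophish_admin.crt", "key_path": "gophish_admin.key"},
  "phish_server": {"listen_url": "192.0.2.10:443", "use_tls": true,
                   "cert_path": "example.crt", "key_path": "example.key"},
  "db_name": "sqlite3", "db_path": "gophish.db"
}""")

# Bind addresses that expose a listener on every interface of the host.
WILDCARDS = {"", "0.0.0.0", "::", "[::]"}


def audit_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the config passes the checks."""
    findings = []
    for section in ("admin_server", "phish_server"):
        srv = cfg.get(section, {})
        host, _, port = srv.get("listen_url", "").rpartition(":")
        if host in WILDCARDS:
            findings.append(f"{section}.listen_url binds all interfaces; pin it to one IP")
        if not port.isdigit():
            findings.append(f"{section}.listen_url has no port")
        if srv.get("use_tls"):
            # TLS is on, so both halves of the certificate pair must be present.
            for key in ("cert_path", "key_path"):
                if not srv.get(key):
                    findings.append(f"{section}.{key} is empty although use_tls is true")
        elif section == "admin_server":
            findings.append("admin_server.use_tls is false; admin logins cross the wire in cleartext")
    if cfg.get("db_name") not in ("sqlite3", "mysql"):
        findings.append(f"db_name {cfg.get('db_name')!r} is not sqlite3 or mysql")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["OK"])
```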
How to launch a Gophish campaign
Initiating a mock phishing scheme using Gophish is straightforward. Log into the interface using a browser, set up groups to target, create the phishing email and landing page and then schedule your campaign. Here are the specific steps:
Run the gophish executable to launch the application.
Log into the http://localhost:3333 admin site using the default credentials. The username is admin and the password is gophish.
Change your login credentials immediately. Some Gophish versions require this step and others trust you to do it yourself.
Configure an SMTP sending profile, enabling Gophish to send email.
Configure target groups using the Users & Groups interface. These users will receive Gophish phishing email messages. You can enter individual addresses for testing or import a CSV file if you're targeting many users.
Select the Email Templates interface to craft phishing messages. These messages must contain a URL for users to click. The URL leads them to a landing page.
Select the Landing Pages interface to create a sample webpage related to the link you included in the message. The landing page simulates an actual login prompt or other interface where users might expose sensitive information.
Select the Campaigns interface, then choose +New Campaign. Create a campaign name, choose the sending profile, target group, email template and landing page. Select scheduling information to complete the process.
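Before importing a target CSV in the Users &amp; Groups step above, it is worth confirming that every address belongs to your own organization and that the file is well formed, so a simulation never reaches outside parties. The following Python check is an added example, not part of the article or of Gophish; the column layout (First Name, Last Name, Email, Position) is assumed to match the import format, and the rows and domains are constructed.

```python
import csv
import io

# Constructed target list in the assumed Gophish import layout; every row is made up.
SAMPLE_CSV = """First Name,Last Name,Email,Position
Ann,Example,ann.example@corp.example,Accounts Payable
Bo,Example,bo.example@corp.example,Help Desk
Cy,Outside,cy@partner.example,Vendor
Ann,Example,Ann.Example@corp.example,Accounts Payable
Ed,Broken,not-an-address,Finance
"""

REQUIRED_COLUMNS = ["First Name", "Last Name", "Email", "Position"]


def check_targets(csv_text: str, allowed_domains: set[str]) -> dict:
    """Split target rows into accepted and rejected lists.

    Rejects addresses outside allowed_domains (keeps the campaign in scope),
    malformed addresses and case-insensitive duplicates.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"CSV is missing columns: {missing}")
    accepted, rejected, seen = [], [], set()
    for row in reader:
        email = row["Email"].strip().lower()
        if email.count("@") != 1 or email.startswith("@") or email.endswith("@"):
            rejected.append((email, "not an email address"))
            continue
        domain = email.rsplit("@", 1)[1]
        if domain not in allowed_domains:
            rejected.append((email, f"domain {domain} is outside the allowed set"))
        elif email in seen:
            rejected.append((email, "duplicate"))
        else:
            seen.add(email)
            accepted.append(email)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    result = check_targets(SAMPLE_CSV, {"corp.example"})
    print("accepted:", result["accepted"])
    for email, reason in result["rejected"]:
        print("rejected:", email, "-", reason)
```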
A Gophish dashboard enables real-time monitoring using displays that reflect how users interact with the email and landing page.
Consider using multiple campaigns to target various users with different kinds of phishing attempts. Use the schedule to spread the messages out, helping to make them seem legitimate.
If you encounter any issues with the process, check the Gophish User Guide. It has plenty of resources for initiating and troubleshooting campaigns.
Advanced use cases
Gophish offers several advanced management options, including the following:
Teaching users how to recognize -- or at least question -- suspicious email is a critical component in avoiding phishing attacks.
Using Gophish to log interactions enables security teams to generate reports, present their findings and customize their organization's phishing training approach based on their employees' phishing challenges.
Gophish is a simple but effective way to mitigate phishing attacks.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.