After a recent simulated phishing exercise, we received a number of questions on how the emails were sent and how my team managed to craft such realistic looking phishing emails.
Most were convinced that the team consisted of technical wizards but this is not true. The truth is, you do not need technical wizards in your team or an expensive infrastructure setup to kick-start a simulated phishing exercise.
If you are an educator, IT manager or a security awareness programme manager, I hope that at the end of this article, you would have a better understanding of the basic technical requirements for a simulated phishing exercise.
The goal of this blog post is to provide you with an understanding of how to administer a simulated phishing campaign. With this guide, you should be able to send your first simulated phishing email in the next hour or so.
Setting up the mail server
To begin, you will need a Simple Mail Transfer Protocol (SMTP) server. You can either install it locally on your Internet enabled personal computer or use a cloud service like Digital Ocean or Amazon Web Services (AWS) to do this.
For the recent simulated phishing exercise, we had set up my SMTP server on Digital Ocean. We had the server setup in the cloud because we observed that emails originating from a cloud service IP space were less likely to be caught in the spam filter. To make sure that your phishing emails get read, use a cloud service with a good reputation.
To get started on your first server on Digital Ocean, you can refer to this manual by Digital Ocean. Link: https://www.digitalocean.com/community/tutorials/how-to-create-your-first-digitalocean-droplet-virtual-server. This should take you less than 5 minutes. Assuming that you have your account and payment already set up.
Proceed to create a droplet (server instance) with Ubuntu as your operating system (OS). Also, make sure to select the New York data centre region. This is just a preference; you may choose another data centre region. We chose this because we have had the least problems with spam filters using the New York data centre region.
Figure 1 — Select Ubuntu > $5/month (cheapest option) > New York
Once the server is up and running, you will need to set up a (send-only) SMTP service to send your phishing emails. For our simulated phishing exercise, I used PostFix.
To get PostFix installed, you can refer to this manual by Digital Ocean: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-14-04. The installation is simple and straightforward. It takes about 10 minutes to get PostFix up and running.
Crafting the phishing email
A huge factor in effective phishing emails is the use of HTML. Most of the legitimate emails in your inbox are formatted in HTML. Formatting an email in HTML allows you to use fancier fonts, change the colours of the text and arrange / align text with pictures. It goes a long way in making your email look believable.
One quick and dirty way is to use the HTML codes from an existing email and modify it accordingly. We have provided a template for you here.
Figure 2 — A preview of the base template. You can add graphics to improve on it.
Here are some items that we thought were particularly useful at convincing people to believe a phishing email:
Use the title attribute for HTML links. This way, you can prevent the malicious link from revealing itself when the recipient hovers over the link. This only works if your victim reads the email using a web browser. This does not work for email clients. For example:
<A href=http://malicious-site.com title="http://example.com"> http://example.com </A>
Note: You should replace http://malicious-site.com with a site that allows you to track the number clicks and preferably on that brings the victim to a training page.
Add a Contact Number. We were told that recipients do not think that an email would be fake if it had a believable phone number in it. This is based on the misconception that a cyber-criminal would not want to communicate over the phone with their victims. I guess providing a realistic phone number can help make your phishing emails look a lot more believable.
Email Verification. Most phishing emails would not have a line that says “*** Click here to verify the authenticity of the message ***” or “Click here to unsubscribe”.
Since most people will not expect a phishing email to have such security features, you can always add lines like the ones above to make it more believable.
Sending the phishing email
Once you have the mail server up and your HTML template ready, you are ready to send the email. This is where you spoof the sender’s address.
In the terminal of your hosted phishing server, you can run the following command:
mail -a "content-type:text/html;" \ -aFrom:Tim Kang\<TimKang@example.com\> \ -aReply-To:email@example.com \ -aReturn-Path:firstname.lastname@example.org \ -s 'Dining Survey' email@example.com \ < template.html
–aFrom: allows you to specify your sender. In this example, we spoofed the identify of Tim Kang. Do note that this email address can be any email address.
–aReply-To: allows you to specify the email address that the recipient or victim will use when he or she hits reply. Instead of replying to Tim Kang, the email will be sent to firstname.lastname@example.org instead.
-aReturn-Path: allows you to specify where all the bounced mail will go to. Without specifying this, any bounced mail will go to the spoofed sender (Tim Kang). In most cases you do not want to alert the spoofed sender unnecessarily, so remember to set up a return-path to accommodate for bounced emails.
–s: specifies the subject title.
–a: specifies that you want the email to be HTML formatted.
To test whether your phishing email has been delivered successfully, send it to yourself using a different email address where the sender is your email and the receiver is your second email.
More mail command and its options are elaborated further in this article: http://www.binarytides.com/linux-mail-command-examples/.
We hope that you received the phishing email in your inbox. And if you don’t, you might want to check your spam or junk folder. Sometimes you might need to tweak your email to bypass your email spam filter.
Please use this as a means of educating your peers / colleagues / clients on the “traps” used in phishing emails and make the Internet a safer place.
Thank you, and stay safe!
Other training materials
Special thanks to my team:
Daniel Widya Suryanata
Edison Jun Hao Lim
Ika Yulianti Rosita
Thank you for being the pillars of this exciting project.