The Importance of Phishing
Over the last few years, a trend has emerged that clearly indicates social engineering, specifically phishing, is the most consistently reliable attack vector through which hackers gain access to target organizations. Given the non-technical, weak-link factor involved in responding to a well-crafted phishing attack, how can an organization best combat this particular vector? It unquestionably boils down to training the end user and security awareness!
In order to determine whether regular training is effective, organizations should be conducting internally driven phishing assessments to make sure the training content is effective and well understood by the end users. Driving the company's culture toward a security mindset can be a difficult task. Live exercises offer the best overall results in assessing your organization's phishing awareness.
To perform an effective phishing exercise, there are considerations that one must take into account. As users become more aware and transition to a security mindset, the phishing will become more complex. Therefore, testers should build and develop pretenses that will increasingly tempt users to take action on behalf of the "attacker."
When creating a pretense, it's important to understand your targets and the parent company or organization, particularly if you are working as a third-party consultant. Which team members would most likely respond to the email in the intended manner (click a link, enter credentials, run a payload), and what is the end goal for the campaign? Once these factors have been decided, the next step is to build the email and the website template.
As specific pretenses are limited only by your imagination, flexible tools are required to execute these types of assessments. The tool needs to have the capability to track data points to improve the phishing of the "attacker," as well as to provide feedback to the organization on its current status and whether its security awareness training is effective.
This brings us to King Phisher. If you're a regular reader of the War Room, you are probably familiar with King Phisher. It is an open source phishing tool developed at RSM with the goal of facilitating and executing dynamic phishing campaigns. Before jumping right into your first campaign, there are a few things you will need:
- A King Phisher Server
- The King Phisher Client
- CSV of targets
The King Phisher software and install guides can be obtained on GitHub, and it is also prepackaged in Kali Linux. Once you have completed the installation process, you will need to have a pretense in mind, or you can feel free to use a template from the King Phisher Template Repository.
Next, you will need to create a csv file with the list of marks you would like to phish. This csv file must be in the format firstname,lastname,email-address,department. The department column is optional, but it provides additional metrics for you to analyze to help focus phishing campaigns and training for the organization. Note that an xls or xlsx file will not work here. If you create your document in Excel rather than a text editor, be sure to save it as a csv. Do not include column titles, as King Phisher will not parse them appropriately.
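Because a header row or a malformed address is the usual reason a campaign's target list parses badly, a quick pre-flight check of the csv is worth running before importing it. The script below is an added example written for this article, not part of King Phisher; the sample rows are constructed, and the checks follow the format rules stated above (three or four columns, no header row, department optional).

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the King Phisher target format:
# firstname,lastname,email-address,department (department optional, no header row).
SAMPLE_TARGETS = """\
Alice,Smith,alice.smith@example.com,Finance
Bob,Jones,bob.jones@example.com,IT
Carol,White,carol.white@example.com
"""

# Constructed sample with the mistakes the article warns about: a header row
# that King Phisher would treat as a target, plus an unusable address.
BAD_TARGETS = """\
firstname,lastname,email-address,department
Dan,Brown,dan.brown@example.com,HR
Eve,Black,not-an-email,HR
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HEADER_WORDS = {"firstname", "lastname", "email", "email-address", "department"}

def check_targets(text):
    """Return (rows, problems): usable targets as dicts, and messages for
    rows King Phisher would parse wrongly or not at all."""
    rows, problems, seen = [], [], set()
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue  # skip blank lines
        fields = [f.strip() for f in fields]
        if lineno == 1 and any(f.lower() in HEADER_WORDS for f in fields):
            problems.append(f"line {lineno}: looks like a header row; remove it")
        elif len(fields) not in (3, 4):
            problems.append(f"line {lineno}: expected 3 or 4 columns, got {len(fields)}")
        elif not EMAIL_RE.match(fields[2]):
            problems.append(f"line {lineno}: '{fields[2]}' is not a valid address")
        elif fields[2].lower() in seen:
            problems.append(f"line {lineno}: duplicate address {fields[2]}")
        else:
            seen.add(fields[2].lower())
            rows.append({"first": fields[0], "last": fields[1], "email": fields[2],
                         "department": fields[3] if len(fields) == 4 else ""})
    return rows, problems

def department_counts(rows):
    """Targets per department: the extra metric the optional fourth column buys."""
    return Counter(r["department"] or "(none)" for r in rows)
```

Run `check_targets` on the file contents and fix every reported line before importing; `department_counts` shows how evenly the exercise covers the organization.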
You can also use your favorite text editor, such as Notepad, to create the csv file. To do this, open Notepad, put in the list of your targets in the format specified above, and it should look like:
Now all you need to do is launch King Phisher and set your phish up. For this I've made two simple videos to guide you through the process. This guide uses the training templates found in the King Phisher Template Repository mentioned above. These templates have been found to be very effective, so feel free to use them.