How a Conversation with Friends Led Me to Explore Phishing Campaigns Using GoPhish

Harsimran Singh

Recently, while catching up with a group of friends, the conversation turned to the increase in phishing emails and SMS messages we’d all been receiving. We shared stories of suspicious links, dubious emails from “banks,” and even fake messages claiming we’d won prizes. As we talked about the best practices to stay safe from such scams, a thought struck me: "How exactly are these phishing campaigns orchestrated?"

🔍 The Experiment Begins

With my curiosity piqued, I decided to dive into the world of phishing campaigns to better understand how attackers operate. I chose GoPhish, an open-source tool designed for simulating phishing attacks, and Mailhog as my email server to create a safe environment for my experiment.

💻 Setting Up the Environment

To start, GoPhish is easy to deploy on the Railway platform by following the instructions in the README file; you can find the GoPhish repository on my GitHub. I installed Mailhog on an AWS EC2 instance, a straightforward process that gave me a mail server that captures outgoing emails for inspection instead of delivering them. Here’s how I set up the environment:

  1. Installation: Using a package manager, I installed Mailhog, which served as a testing ground for sending and receiving emails within a controlled environment.

  2. Configuration: I configured Mailhog to listen on specific ports to ensure compatibility with GoPhish’s requirements.

  3. Integration: I integrated Mailhog with GoPhish by setting the SMTP details in the sending profile configuration, enabling smooth email delivery during the phishing simulation.

📧 Launching the Phishing Campaign

With the setup complete, I created phishing email templates and designed a landing page to simulate credential capture. I targeted a small group of friends who were informed in advance about the simulation to avoid any real panic. Through GoPhish’s dashboard, I monitored their interactions with the emails and landing page.

📈 Discoveries and Insights

This experiment provided fascinating insights into the mechanics of phishing campaigns and underscored the importance of cybersecurity awareness. Here are some key observations:

  1. Human Vulnerability: Even with prior knowledge, some of my friends clicked on the links, highlighting how easy it is to fall for these scams.

  2. Effective Training: Regular security awareness training can significantly reduce the risk of successful phishing attacks.

  3. Tool Efficiency: Using tools like GoPhish and Mailhog made the simulation process seamless and provided valuable analytics.

💡 Pro Tip

When setting up a phishing simulation, make sure your sending profiles are configured correctly so that emails are not rejected or silently dropped. A local mail server such as Mailhog lets you test emails safely, with nothing leaving your environment, before sending them out.
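The integration step and the tip above both come down to one question: does the SMTP host and port in the GoPhish sending profile actually reach Mailhog, and does Mailhog capture what arrives? The following added example (mine, not code from the post or from the GoPhish or Mailhog projects) builds the sending-profile body in the field layout GoPhish's `/api/smtp/` objects use, then sends a single test message through the same SMTP exchange GoPhish performs and reads the capture back. It assumes Mailhog's default SMTP port 1025 and uses a tiny in-process SMTP sink in place of Mailhog so it runs offline; the sink, the `lab.test` addresses and the profile name are constructed for the example.

```python
"""Pre-flight check for a GoPhish sending profile that points at Mailhog.

Added example; not from the post or the GoPhish/Mailhog projects.
Assumptions: Mailhog listens for SMTP on port 1025 (its default) and the
sending-profile fields follow GoPhish's /api/smtp/ objects. The _SmtpSink
class below stands in for Mailhog so the check runs offline; against a
real instance, point smtp_smoke_test at the Mailhog host and read the
capture back from Mailhog's HTTP API instead of the sink's list.
"""
import email
import smtplib
import socketserver
import threading
from email.message import EmailMessage

MAILHOG_SMTP_PORT = 1025  # Mailhog default; assumption: unchanged in your setup


def sending_profile_for_mailhog(host, from_address, smtp_port=MAILHOG_SMTP_PORT):
    """Sending-profile body for GoPhish. Mailhog needs no credentials and
    offers no TLS, so auth stays empty and certificate errors are ignored."""
    return {
        "name": "mailhog-lab",
        "interface_type": "SMTP",
        "from_address": from_address,
        "host": f"{host}:{smtp_port}",
        "username": "",
        "password": "",
        "ignore_cert_errors": True,
        "headers": [],
    }


def smtp_smoke_test(profile, to_address):
    """Send one test message the way GoPhish will (EHLO, MAIL FROM, RCPT TO,
    DATA). Returns True when the server accepted every recipient."""
    host, port = profile["host"].rsplit(":", 1)
    msg = EmailMessage()
    msg["From"] = profile["from_address"]
    msg["To"] = to_address
    msg["Subject"] = "GoPhish sending-profile smoke test"
    msg.set_content("If this shows up in Mailhog, the sending profile is wired correctly.")
    with smtplib.SMTP(host, int(port), timeout=5) as smtp:
        smtp.ehlo("gophish-lab")
        refused = smtp.send_message(msg)  # recipients the server rejected
    return refused == {}


class _SmtpSink(socketserver.StreamRequestHandler):
    """Minimal SMTP sink standing in for Mailhog: accepts every envelope and
    stores it on the server object instead of delivering it."""

    def handle(self):
        self.wfile.write(b"220 sink ready\r\n")
        envelope = {"from": "", "to": [], "data": b""}
        while True:
            line = self.rfile.readline()
            if not line:
                return
            stripped = line.strip()
            cmd = stripped.upper()
            if cmd.startswith((b"EHLO", b"HELO")):
                self.wfile.write(b"250 sink\r\n")
            elif cmd.startswith(b"MAIL FROM:"):
                envelope["from"] = stripped[10:].decode()
                self.wfile.write(b"250 OK\r\n")
            elif cmd.startswith(b"RCPT TO:"):
                envelope["to"].append(stripped[8:].decode())
                self.wfile.write(b"250 OK\r\n")
            elif cmd == b"DATA":
                self.wfile.write(b"354 End data with <CRLF>.<CRLF>\r\n")
                body = []
                while (part := self.rfile.readline()) not in (b".\r\n", b".\n", b""):
                    body.append(part)
                envelope["data"] = b"".join(body)
                self.server.captured.append(envelope)  # capture before acknowledging
                envelope = {"from": "", "to": [], "data": b""}
                self.wfile.write(b"250 OK queued\r\n")
            elif cmd == b"QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"250 OK\r\n")


def run_check(to_address="alice@lab.test"):
    """Start the sink on a free port, run the smoke test, report what was captured."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _SmtpSink)
    server.captured = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        profile = sending_profile_for_mailhog("127.0.0.1", "simulation@lab.test",
                                              smtp_port=server.server_address[1])
        delivered = smtp_smoke_test(profile, to_address)
        captured = list(server.captured)
    finally:
        server.shutdown()
        server.server_close()
    first = captured[0] if captured else {"from": None, "to": [], "data": b""}
    return {
        "delivered": delivered,
        "captured_from": first["from"],
        "captured_to": first["to"],
        "captured_subject": email.message_from_bytes(first["data"])["Subject"],
    }


if __name__ == "__main__":
    print(run_check())
```

Run it as-is to see the whole round trip succeed locally; to check a real deployment, pass the EC2 host to `sending_profile_for_mailhog` and confirm the message in Mailhog's web UI. A `False` from `smtp_smoke_test`, or a connection error, points at the port or host in the profile before any campaign goes out.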

This experience has been an eye-opener, reminding me of the constant need to stay vigilant and informed about the latest cybersecurity threats.

If you're interested in exploring the project further or want to see more of my work, feel free to check out my GitHub account: https://github.com/Harsimran5967.

#CyberSecurity #PhishingAwareness #GoPhish #Mailhog #ITSecurity #SocialEngineering #LearningJourney
