Introduction
I’m excited to announce that the gophish “alpha” release is almost complete! I’m just cleaning up a few bugs, touching some things up, etc. In the meantime, I wanted to write a quick post to show off some really slick features that I was able to add earlier than planned.
Creating pixel-perfect email templates and landing pages are crucial to delivering the best possible phishing training. Gophish has always had the ability to create these, but it was quite frankly a pain to use as you needed the raw HTML or text for both the email and site content. In this post, let’s take a look at how we can now import sites and emails directly into gophish.
Importing Sites
Attackers often create phishing kits containing exact copies of web site content in an attempt to fool users into entering credentials. To have training that keeps up with this pace, we need the ability to mimic this behavior and clone a site effectively.
Let’s take a look at how easy it is to import a site using gophish:
This works by grabbing the HTML content of the site and adding a <base>
tag so that relative resources (like CSS, JS, etc.) are loaded from the site itself.
You could use this functionality to clone things such as your own webmail login, company webpage, or other services that the users may be prone to entering sensitive information into. Of course, once you import a site, you’re free to edit it to add template variables, change links, etc. through the gophish editor.
Importing Email
The emails you use in your training are the bait to your phish. Having believable emails is the key to good training, since this will show users first-hand how legit phishing emails can look.
What better way to get some believable looking email templates than to use real emails? Now you can import an email in gophish via a simple copy/paste from your email client.
Here’s an example showing how we can import an email from Gmail:
This functionality is provided by the Go email library I initially created specifically for gophish. The import function takes care of most of the decoding for you, but if you have any issues please let me know by filing an issue!
Conclusion
I’m really excited to release gophish in the upcoming month or so and bring enterprise-grade phishing training to anyone who wants it. Until then, keep checking out the pre-alpha and let me know if you have any questions or comments!
Jordan (@jw_sec)