# Ethical Hacking Course: GDT2Y3 - Final Project

# Analysis and Insights from a Controlled Phishing Simulation and Email Traceback Investigation

## Student Information

* Student Name: Mohamad Hadaia
* Date Due: 21/03/2024
* Last Edited: 21/03/2024
* Project Authored By: Mohamad Hadaia - h21mohad@du.se

## Project Goal

The primary aim of this project was to simulate a realistic phishing attack in order to assess how vulnerable individuals within an organizational setting are to such threats and to evaluate the effectiveness of current cybersecurity awareness measures. By creating a phishing campaign that mimics a legitimate Microsoft 365 login page, we sought to understand user behavior in response to deceptive emails, including the likelihood of users entering sensitive information on a fraudulent page. Additionally, the project aimed to use Email Tracking Pro to trace the origins of phishing emails, assess the integrity of email headers, and improve overall email security by identifying potential points of failure and deception in email communication. Through this combined approach, the project intended to provide actionable insights for improving cybersecurity protocols and training programs, ultimately reducing the risk of successful phishing attacks within the organization.

## Project Summary

The project tested organizational cybersecurity awareness by launching a controlled phishing simulation using the GoPhish framework. By mimicking a Microsoft 365 login page, we evaluated employee reactions to phishing emails and their likelihood of entering credentials on a fake login page. Additionally, we used Email Tracking Pro to trace the simulated phishing emails' origins and assess email header integrity. This integrated approach provided insight into the organization's vulnerability to phishing, with the aim of strengthening future cybersecurity training and protocols.

## Project Demonstration Video

The video provides a step-by-step guide to setting up a phishing simulation with GoPhish and tracking email origins using Email Tracking Pro. It covers creating a fake login page, sending phishing emails, and analyzing them for security insights, offering a practical overview of how to strengthen organizational cybersecurity measures.

https://www.youtube.com/watch?v=JOHg7k-0s6Q

## Necessary Equipment

* Linux-Based Computer: For running GoPhish.
* GoPhish Framework: For phishing simulation setup and execution.
* Email Tracking Pro: For email origin tracing and header analysis.
* Internet Connection: To manage the campaign and send emails.

## Background and Theory

Phishing attacks are a prevalent method used by cybercriminals to deceive individuals into revealing sensitive information, such as login credentials or financial data, by masquerading as a trustworthy entity in digital communication. These attacks often use email as the primary vector, directing victims to fraudulent websites that mimic legitimate ones in order to capture personal information.

The theory behind phishing simulations, like the one conducted here with GoPhish, is rooted in behavioral psychology and cybersecurity education. By exposing individuals to simulated phishing scenarios in a controlled environment, organizations can teach their employees the hallmarks of phishing attempts and thereby improve their ability to identify and avoid real threats. This proactive approach rests on the principle that practical, experiential learning is one of the most effective ways to raise cybersecurity awareness and foster a culture of vigilance among team members.

Email tracking and analysis tools, such as Email Tracking Pro, complement phishing simulations by providing insight into the technical side of phishing campaigns. These tools allow investigators to trace the origin of an email, examine the authenticity of its headers, and detect attempts at manipulation. Understanding these technical elements is crucial for IT security professionals to defend against sophisticated phishing attacks and to develop strategies for mitigating their impact on organizations.

## Pre-lab Reading

Before engaging in the phishing simulation and email tracing lab activities, it is essential to familiarize yourself with the key concepts and tools used throughout the project. This pre-lab reading provides the foundational understanding needed for a successful and informative lab experience.

### Understanding Phishing Attacks

* Definition and Types of Phishing: Learn about the various forms of phishing, including spear-phishing, whaling, and vishing, to understand the scope of the threat.
* Mechanics of a Phishing Email: Study the common characteristics of phishing emails, such as urgent language, sender impersonation, and deceptive links.

### GoPhish Framework

* Introduction to GoPhish: Explore what GoPhish is, its purpose, and how it is used to create and manage phishing simulations.
* Setup and Configuration: Review the basics of setting up the GoPhish framework on a Linux system, including installation steps and initial configuration.

### Email Tracking and Analysis

* Email Headers and Their Importance: Gain an understanding of what email headers are, how they work, and what information they contain.
* Using Email Tracking Pro: Learn about the features of Email Tracking Pro, focusing on tracing email origins, analyzing headers, and detecting header manipulation.

### Cybersecurity Awareness

* Best Practices for Email Security: Familiarize yourself with strategies for identifying and avoiding phishing attempts, such as scrutinizing email content and verifying sender authenticity.
* Legal and Ethical Considerations: Understand the legal and ethical dimensions of conducting phishing simulations and handling sensitive information.

This pre-lab reading not only prepares participants for the technical aspects of the lab but also emphasizes the importance of cybersecurity awareness and the ethical considerations involved in simulating phishing attacks.

## Lab Scenario

### Step 1: Downloading and Setting Up Ubuntu 22.04 LTS

**Objective:**

* Prepare the environment for the phishing simulation.

**Actions:**

* Download the Ubuntu 22.04 LTS image from Ubuntu's official website.
* Create a virtual machine (VM) using virtualization software such as VMware or VirtualBox and install Ubuntu 22.04 LTS. Follow the setup guidelines on the Ubuntu website for accurate configuration.

### Step 2: Setting Up the GoPhish Framework

**Objective:**

* Install and configure GoPhish on Ubuntu for simulating phishing attacks.

**Actions:**

* Visit the GoPhish GitHub page and download the version compatible with your OS.

  https://github.com/gophish/gophish

  ```bash
  # Change into the extracted release directory (the path used in this lab)
  cd /home/kali/Downloads/gophish-v0.12.1-linux-64bit/
  # Make the binary executable, then start GoPhish
  chmod +x gophish
  ./gophish
  ```

  ![image](https://hackmd.io/_uploads/SJTZ5UqC6.png)
  ![image](https://hackmd.io/_uploads/r1hfcL5CT.png)

* Extract the downloaded zip file.

  ![image](https://hackmd.io/_uploads/rkrBcI9Rp.png)

* Navigate to the extracted GoPhish directory and run the executable to start GoPhish. Note down the admin URL and default credentials displayed in the terminal (admin is the default username).

  ![image](https://hackmd.io/_uploads/r1wwqUqAp.png)
  ![image](https://hackmd.io/_uploads/r1kU2IqC6.png)
  ![image](https://hackmd.io/_uploads/B1rd2850a.png)

### Step 3: Configuring GoPhish

**Objective:**

* Prepare GoPhish for launching a phishing campaign.

**Actions:**

* In the GoPhish web interface, set up a new sending profile with your email details: name, SMTP from, host, username, and password. Test the setup by sending a test email.

  ![image](https://hackmd.io/_uploads/Skqn2U5Ap.png)

* For the landing page, choose an HTML template from GoPhish Templates on GitHub.

  https://github.com/FreeZeroDays/GoPhish-Templates

  ![image](https://hackmd.io/_uploads/SJIR3U9Cp.png)

* Similarly, select an email template from the same GitHub repository for your phishing email.

  https://github.com/FreeZeroDays/GoPhish-Templates

  ![image](https://hackmd.io/_uploads/BkrVTU5R6.png)

* Create a recipient group with the target details for your campaign.

  ![image](https://hackmd.io/_uploads/ByABpLcRp.png)

### Step 4: Launching the Phishing Campaign

**Objective:**

* Execute the phishing campaign and collect data.

**Actions:**

* With the sending profile, email template, landing page, and group configured, create a new campaign in GoPhish and launch it.

  ![image](https://hackmd.io/_uploads/BJ7OaIq0T.png)
  ![image](https://hackmd.io/_uploads/H11cTLcRp.png)
  ![image](https://hackmd.io/_uploads/SJH36L9AT.png)

* When the phishing email is received, clicking the link in the email takes the user to the fake landing page, where they can enter login information.

  ![image](https://hackmd.io/_uploads/SJr0a8qAa.png)

* Monitor the campaign in GoPhish to collect the data entered by the recipients.

  ![image](https://hackmd.io/_uploads/HyBURL9Ca.png)

### Step 5: Analyzing the Phishing Email

**Objective:**

* Examine the phishing email's authenticity and trace its origin.

**Actions:**

* In your email client, inspect the received phishing email for signs of being a scam by checking its SPF, DKIM, and DMARC results. If these are missing or fail, proceed to the next step.

  ![image](https://hackmd.io/_uploads/HJI5R8qAT.png)

* Copy the email header for further analysis.

  ![image](https://hackmd.io/_uploads/rJ7sR8qR6.png)

### Step 6: Using Email Tracking Pro for Investigation

**Objective:**

* Trace the origin of the phishing email and analyze its header.

**Actions:**

* Download and install Email Tracking Pro from its official site or a trusted source.

  https://emailtrackerpro.en.softonic.com/?ex=RAMP-1768.00

* Run Email Tracking Pro as an administrator and paste the copied email header into the software.

  ![image](https://hackmd.io/_uploads/BJTW1DcRT.png)
  ![image](https://hackmd.io/_uploads/r1bGJv90T.png)

  **The interface looks like this:**

  ![image](https://hackmd.io/_uploads/HJO71PqAT.png)

  **Paste your email header here and then click the trace button.**

  ![image](https://hackmd.io/_uploads/SJEvyv9Cp.png)

* Analyze the header to trace the email's origin, assess its authenticity, and detect any signs of manipulation.

  ![image](https://hackmd.io/_uploads/S1kylv5RT.png)

**Email Details:**

* Sender and Recipient: hadayamhmd@gmail.com
* Date and Time: March 21, 2024, at 21:23 (Eastern Time)
* Subject: "your email access"
* Location: America
* Misdirected: No
* Abuse Reporting: Provides an option to generate an email abuse report automatically.

**Sender IP and System Analysis:**

* From IP: 209.85.233.108, indicating the origin of the email.
* Mail Server: Running ESMTP, identified with a specific server ID and capable of sending email via port 25.
* Web Services: Neither an HTTP nor an HTTPS server is running on this system, indicating those ports are closed. There is also no FTP server running, so no file transfer service is active.

![image](https://hackmd.io/_uploads/SybaxwqCp.png)

**Tracing**

![image](https://hackmd.io/_uploads/SyINbwqCa.png)

**First Hop:**

* Address: 192.168.0.1
* Name: (Private)
* Location: Not specified, indicating a local network router or gateway.

**Second Hop:**

* Address: 83.233.116.193
* Name: 83-233-116-193.cust.bredband2.com
* Location: Sweden, suggesting the packet traverses an ISP's network infrastructure in Sweden.

**Final Hop:**

* Address: 209.85.233.108
* Name: lr-in-f108.1e100.net
* Location: America, indicating the packet reaches a server located in America, likely part of a larger network infrastructure.

## Result

This email is spam and appears to target hadayamhmd@gmail.com.

### Generic Subject Line:

* The subject "your email access" is vague and is the kind of subject used in phishing attempts to alarm recipients into taking immediate action, such as clicking a link or providing login credentials.

### Use of a Private Address in the Hop Sequence:

* The journey starts from a private IP address, which is typical for emails sent from a local network. This alone does not indicate a scam but is part of understanding the email's path.

### Intermediate and Final IP Addresses:

* The path includes an intermediate hop in Sweden and ends at an IP address identified as belonging to a network in America. International hops are not inherently suspicious, since internet packets often traverse global paths. However, the context of the email's content and the relationship between sender and recipient can make this noteworthy.
* The final IP address, 209.85.233.108, resolves to lr-in-f108.1e100.net, a domain owned by Google. This could lend some legitimacy if the email was sent through a Google service such as Gmail. However, scammers can also spoof email headers to make emails appear to come from reputable services.

### Content and Call to Action:

* The email provides a link for automatically generating an abuse report, which could be legitimate or a tactic to gain trust. Scammers often include such links to add a veneer of authenticity to their emails.

### Unknown Sender IP:

* The fact that the sender's IP address is not clearly identified as belonging to a known, reputable entity adds a layer of uncertainty. In legitimate email communications, especially from corporate entities, the sender's IP usually corresponds to known corporate or service provider addresses.

## Lab feedback

a) Was this a relevant and appropriate lab, and what about its length?

This lab is relevant for learning about phishing and email tracing, with an appropriate length for foundational skills.

b) What corrections and/or improvements do you suggest for this lab?

Enhancements could include simplifying instructions, adding phishing prevention tips, and making the content more interactive for better engagement.

## References

* https://mailtrack.email/blog/free-email-trackers
* https://mysignature.io/blog/email-trackers-your-ultimate-guide/
* https://github.com/topics/email-tracker
* https://github.com/gophish/gophish
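The header checks performed in Steps 5 and 6 (SPF/DKIM/DMARC outcomes, the Received: hop chain, and the private-to-public hop sequence) can also be reproduced without Email Tracking Pro. The following Python script is an added example; it is not part of the original report and is not code from Email Tracking Pro or GoPhish. It uses only the standard library. The two raw messages are constructed samples: the hop addresses and hostnames mirror the trace reported above, while the receiving hosts under example.test, the example.net sender domain and the message ids are assumptions. Beyond the report's trace, it also checks that each hop's receiving host matches the next hop's sending host, which is how an injected (forged) Received: line is usually exposed.

```python
import ipaddress
import re
from email.parser import Parser

# Constructed sample modelled on the Step 6 trace (192.168.0.1 -> 83.233.116.193 -> 209.85.233.108).
# Hosts under example.test, the example.net sender domain and the ids are assumptions.
RAW_SUSPICIOUS = """\
Received: from lr-in-f108.1e100.net (lr-in-f108.1e100.net [209.85.233.108])
        by mx.example.test with ESMTPS id abc123
        for <hadayamhmd@gmail.com>; Thu, 21 Mar 2024 21:23:10 -0400
Received: from 83-233-116-193.cust.bredband2.com (83-233-116-193.cust.bredband2.com [83.233.116.193])
        by lr-in-f108.1e100.net with ESMTPSA id xyz789
        for <hadayamhmd@gmail.com>; Thu, 21 Mar 2024 21:23:09 -0400
Received: from laptop.lan (unknown [192.168.0.1])
        by 83-233-116-193.cust.bredband2.com with ESMTP
        for <hadayamhmd@gmail.com>; Thu, 21 Mar 2024 21:23:08 -0400
Authentication-Results: mx.example.test;
        spf=fail smtp.mailfrom=example.net;
        dkim=none;
        dmarc=fail header.from=example.net
From: "IT Support" <support@example.net>
To: hadayamhmd@gmail.com
Subject: your email access

Your account will be locked unless you sign in now.
"""

# Constructed sample of a message whose authentication checks all pass (assumed values).
RAW_PASSING = """\
Received: from lr-in-f108.1e100.net (lr-in-f108.1e100.net [209.85.233.108])
        by mx.example.test with ESMTPS id def456
        for <recipient@example.test>; Thu, 21 Mar 2024 21:30:00 -0400
Authentication-Results: mx.example.test;
        spf=pass smtp.mailfrom=gmail.com;
        dkim=pass header.d=gmail.com;
        dmarc=pass header.from=gmail.com
From: hadayamhmd@gmail.com

See attached.
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", re.IGNORECASE)

def _is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False

def parse_received_hops(raw):
    """Return the Received: hops in delivery order (oldest first).
    Each MTA prepends its own Received: line, so the header order is reversed."""
    msg = Parser().parsestr(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = " ".join(value.split())  # unfold continuation lines
        from_m, by_m, ip_m = FROM_RE.match(text), BY_RE.search(text), IP_RE.search(text)
        ip = ip_m.group(1) if ip_m else None
        hops.append({"from": from_m.group(1).lower() if from_m else None,
                     "by": by_m.group(1).lower() if by_m else None,
                     "ip": ip, "private": _is_private(ip) if ip else False})
    return hops

def chain_breaks(hops):
    """Hops whose 'by' host is not the next hop's 'from' host: a sign of a forged line."""
    return [(i, h["by"], hops[i + 1]["from"])
            for i, h in enumerate(hops[:-1]) if h["by"] != hops[i + 1]["from"]]

def parse_auth_results(raw):
    """Extract spf/dkim/dmarc outcomes from Authentication-Results: headers."""
    msg = Parser().parsestr(raw)
    results = {}
    for value in msg.get_all("Authentication-Results") or []:
        for mech, outcome in AUTH_RE.findall(" ".join(value.split())):
            results.setdefault(mech.lower(), outcome.lower())  # keep the outermost verdict
    return results

def assess(raw):
    """Findings drive the verdict; notes are context only (a private first hop is normal)."""
    hops, auth = parse_received_hops(raw), parse_auth_results(raw)
    findings = [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
                if auth.get(m) != "pass"]
    findings += [f"Received chain breaks at hop {i}: by {by!r} but next hop is from {nxt!r}"
                 for i, by, nxt in chain_breaks(hops)]
    if not hops:
        findings.append("no Received headers")
    notes = []
    if hops and hops[0]["private"]:
        notes.append(f"first hop {hops[0]['ip']} is a private address (local network, not attributable alone)")
    return {"hops": hops, "auth": auth, "findings": findings, "notes": notes,
            "verdict": "suspicious" if findings else "no header-level findings"}

if __name__ == "__main__":
    for label, raw in (("suspicious", RAW_SUSPICIOUS), ("passing", RAW_PASSING)):
        report = assess(raw)
        print(label, "->", report["verdict"], report["findings"], report["notes"])
```

Run it on the raw header copied in Step 5 by passing that text to `assess()`. Note that the script trusts the Authentication-Results: header written by your own receiving server; an attacker can include a fake Authentication-Results: line of their own, so only the outermost one (added by the last hop) is kept.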