17. 03. 2023 Beatrice Dall'Omo Red Team, SEC4U

How to Set Up an Effective Phishing Campaign

In 2022, more than half of Italian companies suffered at least one email attack despite the presence of spam filters, blacklisted domains and other available solutions for blocking threats. This shows how crucial it is for companies to both test their employees’ awareness about security and invest in training.

A phishing campaign includes scam emails designed by cyber-criminals to steal sensitive information from victims such as login credentials or credit card details with social-engineering techniques like impersonating a trustworthy organization or a reputable sender. Normally, they ask victims to do something urgently which requires them to input personal data.  

At Würth Phoenix, we organize periodic phishing campaigns for our customers to test employees’ awareness in identifying phishing emails as well as the robustness of the technologies employed for email filtering. Only after a kick-off meeting with a company’s business representatives to decide targets and goals of the activity do we start setting up the phishing campaign following the steps detailed in the following paragraphs.

Information Gathering

This step consists of gathering tons of information to get to know the company, people, business line and news in order to better define a credible scenario. In this phase our OSINT and Cyber Threat Intelligence SATAYO platform is a valuable source of information. 

First, we identify the domain of the company, and then through OSINT tools like Phonebook.cz and CrossLinked we get more details about domains, subdomains, business emails and their format. Sometimes it happens that we are provided with a set of target emails, other times we have to retrieve them from OSINT analysis.

By entering a domain or subdomain in Phonebook.cz, a list of related email addresses is returned allowing you to understand the format of the business emails. 

CrossLinked is a LinkedIn enumeration tool that extracts valid employee names from an organization through search engine scraping. Given the email format, CrossLinked can generate a list of business emails following that format (passed as input). We often use Linkedin Sales Navigator to look for C-level (CEO, CTO, CFO etc..) candidates to employ as targets or as senders for the campaigns.

The next step is to determine a scenario which will arouse curiosity and spur victims to click links and / or enter sensitive data. We look for publicly available news, documents and websites related to the target company. Clearly, the scenarios created depend on the sender and on the target.

Examples of broad targeting scenarios would be a production award, signing a petition for something or updating your password.

On the other hand, narrow targeting scenarios, where the victims are the C-level executives, require more effort because precise and sometimes sensitive data is needed. Examples of topics would be an investment plan to evaluate, planned resource cuts or business changes. 

Launching the Campaign

We often employ Gophish to organize phishing campaigns. It’s a cross-platform and open-source framework that makes it easy to launch or schedule phishing campaigns offering real time monitoring of the results (emails sent, emails opened, links clicked, data submitted and email reported) and other features.

First we add a sending profile using a domain similar to the original one that we registered. Second, in the Users & Groups section we add the email addresses of the target users. After that, we create an email template that looks like the original company’s email, especially the signature and logo. Next we set up the landing page which is generally a login page where the victim enters their credentials and is then redirected to the malicious page specified in the “Redirect to” field.

Finally we create a new campaign under Campaigns , setting all the items created before. We always test the phishing email with the managers of the target company to check that the email is received. After the test, we schedule the campaign by announcing to the business representatives (non-targets of the phishing campaign) the day and time of launch. Normally we do this on Friday at around 6 PM, which is when employees are typically at home and the chances of talking to each other about it are reduced.

To conclude, spam filters and technical solutions help to filter out spam emails and avoid threats, however educating employees about the dangers of phishing emails is a critical cybersecurity issue for any organization.

These Solutions are Engineered by Humans

Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find security issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.

Beatrice Dall'Omo

Beatrice Dall'Omo

Red Team & Offensive Security Specialist | Cybersecurity Team | Würth Phoenix


Beatrice Dall'Omo

Red Team & Offensive Security Specialist | Cybersecurity Team | Würth Phoenix

Leave a Reply

Your email address will not be published. Required fields are marked *