King Phisher: DIY Phishing Security

King Phisher: DIY Phishing Security
Paul Wilson & Nick Haws, Dixon Public Schools #170

Phishing Defined
Phishing is a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM or other communication channels.
Spear phishing is an attack designed for a specific person or group.
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.

Are School Districts Really a Target?
- In January 2017, an Illinois district was spear-phished, resulting in the disclosure of 400 Social Security Numbers. The district provided affected employees with SSN monitoring tools. The emails were determined to have originated in Russia.
- On May 3rd, a Google-based phish led to many educators and administrators in the state disclosing their Google passwords.
Morton School District

Phishing Defense
1) Educating employees: ensure that employees are aware of the possibility of phishing and the dangers of downloads.
2) Restricting access: keep access to sensitive files locked down to only the employees who need it.
3) Backups: maintain (and TEST) healthy backups.
4) Good security: strong passwords, up-to-date security software, and physical protection.

Why DIY?
Consulting firms can charge $12 per user or more annually for their services. We were able to use an old server, free software, and about a week of one person's time. Setup time could be as little as a day if you already have the web domain, knowledge of SMTP, and basic web design skills.

What is King Phisher?
King Phisher is an open-source, free phishing campaign toolkit. It was part of our larger effort to educate our employees and breed a sense of skepticism when they are asked for sensitive information.
- King Phisher is a tool for testing and promoting user awareness by simulating real-world phishing attacks.
- Comprehensive tool with templates provided.
- Features an easy-to-use yet flexible architecture allowing full control over both emails and server content.
- Good documentation and interface.
- Can be used to run campaigns ranging from simple awareness training to more complicated scenarios in which user-aware content is served for harvesting credentials.

Minimum Requirements
A minimum of 2048 MB of RAM and a CPU with at least 2 cores running at 1.5 GHz is sufficient. The hard disk should have enough space to accommodate the database and the web server, if they are on the same box. We used the Hyper-V default of 140 GB, although it could run on far less. The client can be run on Linux or Windows; Linux provides more available options. Server and client can be hosted on the same box, but this is not required.

Server Setup
- Installing King Phisher is as easy as downloading the appropriate installer from GitHub onto your server.
- King Phisher uses the packaged web server that comes standard with Python, making a separately configured web server unnecessary.
- We used a Hyper-V Linux server running Ubuntu 17.04.
- Utilized a domain we had previously purchased for a web server.
- Updated DNS records and the firewall to get the server online (GoDaddy and Cisco ASA in our environment).
- The King Phisher client (if separate) connects over SSH to the server for communication.
- The server needs to be configured with a database, which is used to store campaign information. PostgreSQL is used in the install and is recommended.
- Note that the domain had not been used previously, so there should have been no recognition on the part of the staff.

SMTP
- In order for the King Phisher server to send emails, it needs to be configured with an SMTP server. This is often either an open relay that the client can connect to, or another SMTP server that can forward messages, which typically requires the user to authenticate.
- Updated our email server to allow the email to flow (added a connector to our Microsoft 365 Exchange configuration).
- The SMTP server that the King Phisher client connects to can be a different system than the King Phisher server. The two systems and connections are managed independently of each other; while the SMTP server can be installed on the same system as the King Phisher server, it is not necessary to do so.

Campaign Setup
1) Select and modify an email template
2) Set up the web landing page
3) Import email rosters
4) Set the timeline for the campaign
5) Launch the campaign

Email Templates

Web Landing Page
Fully customizable. On Linux you can also clone an existing website with only a few clicks.

Our Own Touch
Jinja allows for easy HTML handling.

Setup Web Landing Page

3…2…1…Go!
No one can get to the harvest page accidentally.

Catch of the Day
Only grabs the information you set it to take.

You can customize your dashboard; this is the format we chose. The data is fully exportable.

Spring 2017 Phishing Campaign Results
- Generic Help Desk memo sent to all staff
- Campaign run over 4 days in May
- 273 staff opened the email
- 53 staff members clicked on the link in the email
- 43 staff members entered their credentials
- 11.1% of staff fully compromised their accounts
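The funnel on the results slide, worked through as an added example that is not King Phisher's own code or export format: the script parses a constructed per-recipient export (column layout is an assumption), normalises the common case of a click recorded without an open (the mail client blocked the tracking image), and reconciles the headline numbers. The slide gives no total roster size; the code infers one from the 11.1% figure (43 submissions at 11.1% implies about 387 recipients), and that inference is labelled as an assumption in the code.

```python
"""Turn an exported campaign results table into a funnel report.

Added example for this presentation, not King Phisher's own code: the
column layout of the export is an assumption, and the sample rows are
constructed, not real campaign data.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

STAGES = ("opened", "clicked", "submitted")

# Constructed export: one row per recipient, 0/1 per funnel stage.
# Row h shows a click recorded without an open, which happens when the
# mail client blocked the tracking image but the link was still followed.
SAMPLE_EXPORT = """\
email,opened,clicked,submitted
a.teacher@example.org,1,1,1
b.teacher@example.org,1,1,0
c.teacher@example.org,1,0,0
d.teacher@example.org,0,0,0
e.teacher@example.org,1,1,1
f.teacher@example.org,0,0,0
g.teacher@example.org,1,0,0
h.teacher@example.org,0,1,1
"""


@dataclass(frozen=True)
class Funnel:
    sent: int
    opened: int
    clicked: int
    submitted: int

    def rate(self, stage: str, of: str = "sent") -> float:
        """Percentage of `of` that reached `stage`, rounded to one decimal."""
        denominator = getattr(self, of)
        return round(100.0 * getattr(self, stage) / denominator, 1) if denominator else 0.0


def parse_export(text: str) -> Funnel:
    """Count recipients per stage; a later stage implies every earlier one."""
    counts = dict.fromkeys(STAGES, 0)
    sent = 0
    for row in csv.DictReader(io.StringIO(text)):
        sent += 1
        reached = False
        for stage in reversed(STAGES):
            reached = reached or row[stage].strip() == "1"
            counts[stage] += int(reached)
    return Funnel(sent, counts["opened"], counts["clicked"], counts["submitted"])


def recipients_implied(submitted: int, percent_of_staff: float) -> int:
    """Roster size consistent with `submitted` being `percent_of_staff`% of it."""
    return round(submitted * 100.0 / percent_of_staff)


def slide_funnel() -> Funnel:
    """The Spring 2017 numbers from the slide. The roster size is inferred
    from the 11.1% figure; that is an assumption, the slide gives no total."""
    submitted = 43
    return Funnel(sent=recipients_implied(submitted, 11.1), opened=273, clicked=53, submitted=submitted)


def report(f: Funnel) -> list[str]:
    """Per-stage conversion lines, the view a follow-up email needs."""
    return [
        f"sent {f.sent}, opened {f.opened} ({f.rate('opened')}% of sent)",
        f"clicked {f.clicked} ({f.rate('clicked', 'opened')}% of openers)",
        f"submitted {f.submitted} ({f.rate('submitted', 'clicked')}% of clickers, "
        f"{f.rate('submitted')}% of all staff)",
    ]


if __name__ == "__main__":
    for line in report(parse_export(SAMPLE_EXPORT)) + report(slide_funnel()):
        print(line)
```

The per-stage rates are the ones worth quoting in the follow-up: the slide's own numbers give roughly 81% of clickers going on to enter credentials, which is the conversion that training should be aimed at, whereas the 11.1% headline hides that most of the loss happened after the click.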

Follow-up
- The phishing email itself generated a good amount of conversation among staff.
- A follow-up email provided full disclosure about the campaign to all staff.
- Individual staff results from the campaign are kept confidential.
- Follow-up information emails are focused on:
  - Explaining what phishing is
  - Explaining that although we have security systems in place, staff need to be vigilant
  - Reinforcing the idea that all staff need to be skeptical of emails with links and of emails asking for user data to be entered
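The data-minimisation side of "only grabs the information you set it to take" (Catch of the Day) and "individual staff results are kept confidential" (above), as an added example that is not King Phisher's own code: a form-submission recorder that never stores the password a staff member typed, only the fact that one was entered, and keys each person's results under an HMAC so the dashboard export can circulate without names. The field names, the roster and the report key are constructed for the example.

```python
"""Record a simulated-phishing form submission while storing only what
the campaign was configured to take.

Added example, not King Phisher's own code. Field names, the roster and
the report key below are constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

CAPTURE_FIELDS = ("username",)          # stored verbatim for the report
SENSITIVE_FIELDS = ("password", "pin")  # only their presence is recorded
# Per-campaign key (constructed); rotate it once the follow-up email has gone out.
REPORT_KEY = b"constructed-campaign-key-spring-2017"


@dataclass
class Submission:
    recipient_ref: str                         # pseudonymous dashboard id
    captured: dict[str, str] = field(default_factory=dict)
    credentials_entered: bool = False


def pseudonymise(email: str, key: bytes = REPORT_KEY) -> str:
    """Keyed hash: stable within a campaign, but an exported dashboard
    row cannot be turned back into an address without the key."""
    canonical = email.strip().lower().encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def record_submission(email: str, form: dict[str, str]) -> Submission:
    """Keep configured fields, drop sensitive values, note that one was given."""
    sub = Submission(recipient_ref=pseudonymise(email))
    for name in CAPTURE_FIELDS:
        # A sensitive field is never stored, even if someone lists it
        # under CAPTURE_FIELDS by mistake.
        if name in form and name not in SENSITIVE_FIELDS:
            sub.captured[name] = form[name]
    # The password value itself goes no further than this expression.
    sub.credentials_entered = any(form.get(name, "") != "" for name in SENSITIVE_FIELDS)
    return sub


def resolve(recipient_ref: str, roster: list[str], key: bytes = REPORT_KEY) -> str | None:
    """Map a dashboard id back to a person for individual follow-up. This
    needs the roster and the key, so the exported dashboard alone cannot."""
    for email in roster:
        if hmac.compare_digest(pseudonymise(email, key), recipient_ref):
            return email
    return None


if __name__ == "__main__":
    roster = ["jane.doe@example.org", "sam.lee@example.org"]  # constructed
    sub = record_submission("Jane.Doe@example.org", {"username": "jdoe", "password": "hunter2"})
    print(sub)                                  # no password value anywhere in it
    print(resolve(sub.recipient_ref, roster))   # jane.doe@example.org
```

Keeping the key outside the exported data is what makes the "confidential individual results" promise hold: the dashboard can be shown to administrators as pseudonymous rows, and only the person running the campaign, holding the key and the roster, can resolve a row for one-to-one coaching.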

Questions?