
How to Spear Phish Your Employees: Part 3, Hook, Line, and Sinker

posted Feb 7, 2014, 10:06 AM by Beau Bullock   [ updated Feb 7, 2014, 10:25 AM ]
Now that we have SPToolkit up and running as detailed in part 1, and have tested out its functionality in part 2, we will get to the really evil... um… I mean really fun part of spear phishing training: customizing your attacks! In this final installment we will create our own customized message templates, use the built-in site scraper to build a replica site that asks users to enter their login credentials, and modify the training materials to fit your organization's best practices.

The built-in templates are great but will generally get caught by phishing filters. Real-life attackers won't be using these templates to target your organization. They will be creating customized and targeted messages that make it past your spam/phishing filtering. So why would you test your organization's ability to recognize a phishing message with a stock template? I recommend trying a few different approaches on your employees. First, try spoofing a message from a popular social networking website.

One of the most notoriously clicked social networking messages I have seen is the popular LinkedIn Network invite email. Let's build one of these to send to our targets.

1. Open your SPT console and click the Templates tab on the left.
2. The easiest way to create a new template is to copy an existing one. Click the copy button next to one of the templates.
3. Find the copy you just created and click its name. This lets you rename the template. After you modify the name, click the pencil icon next to it to edit it.
4. Start by removing the copied template's data.
5. Enter the Sender’s Friendly Name, Sender’s Email Address, Reply To Address, Subject, and a Fake Link. See the screenshot below for what I entered to make it look like a LinkedIn invite. Note the use of “@fname”. This tag pulls from SPToolkit’s target database; you can use @fname and @lname in your phishing campaigns to include the first and last name of each target.
6. Next we need to work on the body of the message. To make it look similar to a real LinkedIn invite, do a Google Image search for “LinkedIn Invite” and find a few examples; you may also have one in your inbox somewhere. Begin populating the body of the message.
WARNING: For some reason, adding a single quote (‘) anywhere in the body caused my campaigns not to launch! I did not have time to look into why, but removing it allowed them to be sent fine. If you know why this is happening, please enlighten me by commenting in the comment box below. I would love to know.
7. As you can see in my example, I added some images. To add images to your phishing messages you first need to upload them to the SPToolkit server, since they will be hosted there. SCP into your SPT system.
8. Change directories to /var/www/spt/templates/ and create a new folder called “images”. Copy the images you want to use into this folder.
9. To insert an image, open the template editor, right-click empty space and click “Insert/Edit Image”.
10. In the Image URL box enter the web address of the image file. This is case sensitive! If you entered the correct location of your image file you should see it in the preview box. Click Insert.
11. You can now right-click that image and click “Insert/Edit link” to make it link to your phishing page using “@url”.
12. If you are more comfortable editing your phishing message by writing HTML, click the “Text Editor” button, then click the drop-down, select email.php, and click load.
13. After you have your LinkedIn message configured to your liking test it out by sending it to yourself. The final product should look something like the below message.
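To show what the @fname, @lname and @url tags in steps 5 and 11 do when a campaign is built for each target, here is an added example (my own code, not part of SPToolkit or this post). The tag names come from the post; the substitution rules, the HTML escaping of target values, the sample target list and the encode_apostrophes() workaround for the single-quote problem in step 6 are this example's assumptions and have not been tested against SPToolkit itself.

```python
# Added example: a minimal mail-merge renderer for the @fname / @lname / @url
# tags used in the post's LinkedIn-invite template. Not SPToolkit's own code.
import html
import re

# Only the three tags the post mentions are recognized.
TAG_RE = re.compile(r"@(fname|lname|url)\b")

# Constructed sample targets (not real people); the url is the per-target
# tracking link a campaign would normally supply for @url.
TARGETS = [
    {"fname": "Alice", "lname": "Example", "url": "https://spt.example.test/t/abc123"},
    {"fname": "Bob", "lname": "O'Neil", "url": "https://spt.example.test/t/def456"},
]

# Constructed message body in the style of the post's template.
TEMPLATE = (
    "<p>Hi @fname,</p>"
    "<p>@fname @lname, you have a new invitation. "
    '<a href="@url">View invitation</a></p>'
)


def find_tags(template: str) -> set:
    """Return the set of tag names a template uses, so a campaign can be
    checked up front for targets that are missing a field."""
    return set(TAG_RE.findall(template))


def render(template: str, target: dict) -> str:
    """Substitute @fname/@lname/@url with HTML-escaped target values.
    Escaping keeps a target's own data (quotes, angle brackets) from being
    interpreted as markup inside the message body."""
    missing = find_tags(template) - set(target)
    if missing:
        raise KeyError(f"target is missing fields for tags: {sorted(missing)}")

    def repl(match):
        return html.escape(target[match.group(1)], quote=True)

    return TAG_RE.sub(repl, template)


def render_all(template: str, targets: list) -> list:
    """Render one message per target, as a campaign would."""
    return [render(template, t) for t in targets]


def encode_apostrophes(body: str) -> str:
    """Assumed workaround for the single-quote issue the post reports: keep the
    apostrophe visible to the reader as the HTML entity &#39; instead of a
    literal ' character in the stored body. Whether the entity form survives
    SPToolkit's own pipeline is an assumption, not something the post confirms."""
    return body.replace("'", "&#39;")


if __name__ == "__main__":
    for msg in render_all(TEMPLATE, TARGETS):
        print(msg)
    print(encode_apostrophes("You're invited"))
```

The escaping matters even in a training tool: a target whose name contains `<` or a quote would otherwise break the markup of every message sent to them.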




Another effective attack that generally gets clicked by unsuspecting users is the holiday-themed or news-themed email. For example, around Christmas is a good time to send e-card type messages. I have to warn you though: under no circumstances send Valentine’s Day phishing messages. People tend to get very upset when they realize they didn’t actually have a secret admirer sending them a Valentine’s Day card.

Instead of going through the trouble of creating your own custom templates you can scrape live websites. This will enable you to set up fake login pages to see if employees could be tricked into giving up their credentials. A good place to start here is to scrape your organization’s corporate webmail frontend.

1. In the template section click the Scrape button.
2. Give your template a name and description, and input the URL of the site you want to scrape.
3. Decide how you want this campaign to be executed and input the rest of the email information. Click the green “Check” symbol.
4. Before you launch this campaign, be sure to change “Educate on link click” to “Educate on form submission” under the Education settings when setting up your campaign.
5. Now the URLs in your phishing emails will send users to a mock version of the page you scraped.

The default education packages are good but I recommend creating your own to fit your organization.

1. Click the Education tab.
2. Copy one of the existing packages by clicking the copy icon on the right.
3. Click the pencil to edit it.
4. Click the load button to load index.htm.
5. Here is where you will modify the text the user will see when they have clicked a link in a phishing message.
6. You can upload your company’s logo to the SPT server and use it in this education package, so that when your users click a phishing link they are not worried that they just let in an attacker. You want them to understand they did something wrong, but let them know this was a training exercise.
7. Add some recommendations on what users can do in the future to ensure this doesn’t happen. For example: hover over the link to make sure you know where it is taking you, never click links in emails that request personal information from you, and report any suspicious messages.
8. After you complete your customized Education package you can click the green “Check” symbol to save it.


This concludes my series on spear-phishing your employees. This how-to guide was geared towards an organization using SPToolkit as a training tool, but it could also be used by penetration testers. A possible pentesting setup could involve setting up a malicious web server using SET or Metasploit to exploit the user’s browser or Java version, then using SPToolkit to send your targeted phishing message with its link pointing at your attack server. Another item to consider is giving your SPToolkit host a strange DNS name. Something along the lines of 12mzsrv.webhost.mail.ru.organization.com would be good for testing your users’ ability to spot malicious links.
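The education package's "hover over the link" advice and the odd hostname above both come down to the same check: does the link really go where it appears to go? The following is an added example (my own code, not from the post or from SPToolkit) that runs that check over a constructed HTML email body. It collects every link, compares the visible link text against the real target host, and flags hostnames where a familiar name such as mail.ru is buried in the subdomain labels of a different registrable domain, as in the post's 12mzsrv.webhost.mail.ru.organization.com. The WATCH_NAMES list, the sample body and the two-label approximation of the registrable domain are assumptions of this example.

```python
# Added example: inspect links in an email body the way the post's education
# package tells users to. Not part of SPToolkit.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Names we expect to see only as the registrable domain itself, never buried
# in someone else's subdomains. Constructed list for the example.
WATCH_NAMES = {"linkedin.com", "mail.ru", "organization.com"}

# Constructed sample body: one genuine-looking link and one whose visible text
# says linkedin.com while the href goes to the post's strange hostname.
SAMPLE_BODY = (
    "<p>Hi Alice,</p>"
    '<p><a href="https://www.linkedin.com/in/someone">View profile</a></p>'
    '<p><a href="http://12mzsrv.webhost.mail.ru.organization.com/login">'
    "www.linkedin.com</a></p>"
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. This is a deliberate approximation;
    production code would consult the public suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_link(href: str, text: str) -> list:
    """Return a list of human-readable findings for one link (empty = clean)."""
    host = (urlparse(href).hostname or "").lower()
    reg = registrable_domain(host)
    findings = []

    # A watched name present in the hostname but not as the registrable domain
    # (e.g. mail.ru inside mail.ru.organization.com).
    for name in sorted(WATCH_NAMES):
        if name != reg and name in host:
            findings.append(f"'{name}' embedded under {reg}")

    # Visible text that looks like a URL but names a different domain.
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and registrable_domain(shown) != reg:
            findings.append(f"text shows {shown} but link goes to {host}")

    # Very deep hostnames are a common way to push the real domain out of view.
    if len(host.split(".")) >= 5:
        findings.append("unusually deep hostname")
    return findings


def scan_email(body: str) -> dict:
    """Map each href in the body to its findings."""
    parser = LinkCollector()
    parser.feed(body)
    return {href: analyse_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_BODY).items():
        print(href, "->", findings or "ok")
```

Run on the sample body, the LinkedIn link comes back clean and the organization.com link gets three findings: the embedded mail.ru, the mismatch between shown and real host, and the hostname depth. The same three checks are what a user is doing by eye when they hover over a link before clicking.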

Phishing is a massive problem for organizations around the world. Attackers send these targeted messages around the clock. Good spam filters and anti-virus will catch some of them, but some will still end up in your employees’ mailboxes. Ensuring employees are trained to spot these types of messages is critical to keeping your organization uncompromised.
