GoPhish Campaigns

In a previous post, I wrote about GoPhish.  Since then, I've been working quite a bit with GoPhish and there are some tricks to an effective campaign that I'd like to share.  First, I'd like to point out that this is not a game where you try to win, but it's also not something you want to approach like a fake Nigerian prince.  You want to fall somewhere in the middle.  With respect to the actual campaigns, rather than come at the company all at once, I want to break the company into groups.  In this campaign, we're targeting the sales group.

Our email template:

<html>
<head>
    <title></title>
    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet" />
</head>
<body>
<p>Hello {{.FirstName}},</p><br></br>

<p>We are trying to check stock / get a quote on the following item below.  We submitted a request through the contact form on your web site last week but we haven't heard back from anyone.</p><br></br>

<p>QTY 25</p><br></br>
<p><a href="{{.URL}}">LINK TO 404 PAGE ON TARGET WEB SITE</a></p><br></br>

<p>Thanks for your help...</p><br></br>

<p>FAKE PERSON</p>
<p>FAKE COMPANY, INC.</p>
<p>GOOGLE VOICE NUMBER</p>
<p>LIVE DOMAIN YOU CONTROL</p>

{{.Tracker}}</body>
</html>

The {{.URL}} placeholder will bring the target back to our phishing server, but we need to fill the placeholder link text with the company's actual 404 page.

Our landing page:

<html><head><meta http-equiv="Refresh" content="0; url=COMPANY 404 URL"/></head><body></body></html>

When the target hits our landing page, we are immediately bouncing them off of our server to their 404 page.  This way we can track the link but not make the target suspicious.  Now you might be asking why I'm bouncing them to a 404 page and not a part page.  First, I might not know much about the company and maybe I don't know anything about their products.  Pointing them to an incorrect link will not give me up if I don't know what I'm talking about.  And, it could get us a follow-up email which makes the campaign even more effective.
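Seen from the receiving side, the template above has one checkable trait: the visible link text names the company's own site while the href points at a different server. The following Python check is an added example, not part of the original post or of GoPhish; the names `LinkCollector`, `host_of` and `mismatched_links` are hypothetical, the sample body is constructed, and it assumes the link text is written out as a URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercase hostname if value looks like a URL, else None."""
    value = value.strip()
    if value.lower().startswith("www."):
        value = "http://" + value    # bare "www.host/path" link text
    if "://" not in value:
        return None                  # ordinary words, relative links, mailto:
    try:
        return (urlparse(value).hostname or "").lower() or None
    except ValueError:               # malformed authority in untrusted input
        return None

def mismatched_links(html_body):
    """Anchors whose visible text names one host while href goes to another."""
    parser = LinkCollector()
    parser.feed(html_body)
    pairs = ((host_of(text), host_of(href)) for href, text in parser.links)
    return [{"shown": s, "actual": a} for s, a in pairs if s and a and s != a]

# Constructed sample body; example.com / example.net are placeholder hosts.
SAMPLE = ('<p><a href="http://quotes.example.net/?id=abc123">https://www.example.com/'
          'parts/12345</a></p><p><a href="https://www.example.com/contact">Contact</a></p>')
print(mismatched_links(SAMPLE))
```

A mismatch is a triage signal rather than proof, since legitimate mailers with click tracking also rewrite hrefs.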

With this specific campaign, I have a reputable domain and I also have a mailbox set up to retrieve inbound emails.  This specific campaign is a VERY effective campaign and I just went 100% on clicked links.  I also received one inbound email apologizing for the lack of response on their web form and a follow-up on the product since the link was broken.  ;)

Back to my previous comment about winning -- I have a campaign where I cloned the quarantine digest message.  I discovered the client was using a third-party spam filtering service, I got a copy of the quarantine digest message, and I set up the campaign.  I decided against this approach because:

1.  I KNOW I will succeed.
2.  The users will lose faith in the quarantine digest. 

Will an attacker show mercy?  No.  But I'm going to use it as an example rather than using it in a campaign.  In other words -- "This is what I COULD do."  And then explain how they could recognize it from their normal digest.