Analysis Summary
# Tool/Technique: GoPhish
## Overview
GoPhish is an open-source phishing simulation framework. It is used legitimately by organizations for cybersecurity awareness training to test employee resilience against phishing attempts. However, it is also exploited by threat actors for malicious phishing campaigns against unsuspecting users. It is characterized by an easy-to-use UI, HTML editor, and support for templates to create phishing campaigns.
## Technical Details
- Type: Tool / Framework
- Platform: Unknown (Framework typically deployed on servers accessible via HTTP/HTTPS, commonly Linux/Windows environments)
- Capabilities: Creation and management of phishing campaigns, template customization, easy-to-use dashboard.
- First Seen: Not specified in the text, but the software is widely known/available through its GitHub repository.
## MITRE ATT&CK Mapping
- T1566 - Phishing
  - T1566.001 - Spearphishing Attachment (potential, depending on campaign payload)
  - T1566.002 - Spearphishing Link (highly applicable, as the tool delivers phishing links)
## Functionality
### Core Capabilities
- Allows users (both legitimate and malicious) to create phishing campaigns easily.
- Utilizes customizable templates and an HTML editor for crafting deceptive content.
- Deploys phishing pages mimicking legitimate services (e.g., Microsoft, PayPal, LinkedIn).
### Advanced Features
- Default administrative interface runs on TCP port **3333**.
- The default GoPhish login page often serves as a strong identification signature unless customized by the operator.
- Operators attempt to camouflage malicious domains by using security/IT terminology (e.g., secure, admin, support) and by impersonating major brands.
## Indicators of Compromise
The source focuses on discovery methods rather than specific IoCs, to avoid listing active malicious infrastructure, but the following characteristics are noted:
- File Names: `gophish.css` (used as a key searching pivot point).
- Network Indicators (Default): Administrative interface exposure on port `3333`.
- Domain/URL Patterns: Domains often feature terms like `secure`, `safeguard`, `protected`, `login`, `auth`, `office365`, `paypal`, etc., often using alternative TLDs like `.online`, `.site`, `.io`.
## Associated Threat Actors
The article notes the tool is used by:
- Organizations for legitimate cybersecurity training.
- Unspecified "threat actors" for malicious phishing campaigns.
## Detection Methods
Detection relies heavily on passive scanning and infrastructure analysis:
- Signature-based detection: Searching for the default file identifier `gophish.css` via services like urlscan.
- Configuration checking: Identifying hosts exposing service interfaces on the default port `3333`.
- Service fingerprinting: Identifying common server technologies like **Nginx (version 1.18.0)**.
- Infrastructure correlation: Utilizing Censys to find hosts sharing HTML response patterns or identical **SSH fingerprints**, suggesting centralized provisioning (potentially by an adversary group utilizing many disposable domains).
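The detection methods above, combined into a small triage script (added example, not code from the original report or the GoPhish project). It runs over constructed scan records shaped loosely like per-host results from a passive scanning service; the hostnames, SSH fingerprints and field names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample scan records (hypothetical hosts, not real infrastructure),
# shaped loosely like per-host results from a passive scanning service.
SCAN_RECORDS = [
    {"host": "secure-login-example.online", "ports": [443, 3333], "server": "nginx/1.18.0",
     "html": '<link rel="stylesheet" href="/css/gophish.css">', "ssh_fp": "SHA256:CONSTRUCTED_FP_1"},
    {"host": "office365-auth-example.site", "ports": [80, 443, 3333], "server": "nginx/1.18.0",
     "html": "<title>Gophish - Login</title>", "ssh_fp": "SHA256:CONSTRUCTED_FP_1"},
    {"host": "corp-intranet-example.io", "ports": [22, 443], "server": "Apache/2.4.57",
     "html": "<title>Welcome</title>", "ssh_fp": "SHA256:CONSTRUCTED_FP_2"},
]

GOPHISH_CSS = re.compile(r"gophish\.css", re.IGNORECASE)        # strong indicator
DEFAULT_LOGIN_TITLE = re.compile(r"<title>\s*gophish\b", re.IGNORECASE)  # default login page
ADMIN_PORT = 3333            # default admin interface port
NGINX_VERSION = "nginx/1.18.0"  # weak on its own: a very common server build

def gophish_indicators(record):
    """Return the names of the GoPhish indicators present in one scan record."""
    html = record.get("html", "")
    hits = []
    if GOPHISH_CSS.search(html):
        hits.append("gophish.css")
    if DEFAULT_LOGIN_TITLE.search(html):
        hits.append("default-login-page")
    if ADMIN_PORT in record.get("ports", []):
        hits.append("port-3333")
    if record.get("server", "") == NGINX_VERSION:
        hits.append("nginx-1.18.0")
    return hits

def likely_gophish(record):
    """A host is a candidate on any strong indicator, or on the admin port
    combined with at least one other (weak) indicator."""
    hits = set(gophish_indicators(record))
    return bool(hits & {"gophish.css", "default-login-page"}) or (
        "port-3333" in hits and len(hits) >= 2)

def cluster_by_ssh_fingerprint(records):
    """Group candidate hosts that share an SSH host-key fingerprint; a cluster of
    two or more points to centrally provisioned (likely disposable) infrastructure."""
    groups = defaultdict(list)
    for r in records:
        if likely_gophish(r) and r.get("ssh_fp"):
            groups[r["ssh_fp"]].append(r["host"])
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}
```

The Nginx version is deliberately treated as a weak signal so that an ordinary web server is not flagged on that alone; the SSH fingerprint clustering is what turns individual hits into an infrastructure-level finding.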
## Mitigation Strategies
- Firewall rules that restrict inbound and outbound traffic to non-standard administrative ports such as 3333, in particular from external networks.
- Monitoring web traffic for common GoPhish identifiers or default login pages.
- Domain monitoring and registration protection for brand terms frequently impersonated by phishing actors.
## Related Tools/Techniques
- Web hosting infrastructure used for phishing campaigns (e.g., AWS, which was noted as the top hosting provider among the identified instances).
- Techniques involving domain name obfuscation/typosquatting to impersonate major brands.