There are many different options available for executing phishing exercises in an organization. For the purposes of this post we will look at King Phisher since it is open source. The purpose of King Phisher is to enable organizations to execute phishing exercises that closely mimic those of attackers.
King Phisher provides a robust platform for test execution. It will allow for multiple phishing campaigns to run simultaneously and will additionally allow for the multiple campaigns to be configured to meet the specific goals of the organization. This also allows for the tests to more closely target different departments within the organization. For instance, if there is a software development group the phishing email may be crafted specifically to trick a developer.
The configurability also allows for the emails to be crafted with features such as embedding images or calendar invites to further create a more realistic looking email. Further, it provides the functionality to clone a webpage to provide a legitimate looking site when the malicious link is clicked in the email. Creating these clones can allow for the tester to harvest credentials and demonstrate the danger of successful phishing campaigns by an attacker. It can also connect to the Browser Exploitation Framework to launch a browser-based exploit.
The architecture of King Phisher is a server client architecture. The server is the component of the software that executes the phishing emails. The server does not allow access via a web interface. The client software provides the user interface for all of the test configuration. The client software also allows for the security engineer to configure the reports to present to leadership. King Phisher can provide reports that break the results down by department, timeline of individuals clicking the link, and password complexity.
There are many different tools available for conducting phishing tests. Some companies provide the service of conducting phishing tests, while others provide commercial products that can be hosted on premise. This post reviewed one of the options, specifically an option that is suitable for a small business or an organization that has limited financial resources. Also, this could allow for a security department to demonstrate the value of using a phish testing framework. More can be learned about King Phisher by visiting https://github.com/securestate/king-phisher