
No matter how often you go online and how or why you primarily use the Internet, you’ve probably seen phishing attack attempts. They’re now so common and problematic that cybersecurity professionals regularly provide information to help people spot and avoid phishing attacks.

Phishing can be extremely damaging and have widespread consequences for victim organizations including financial losses, data theft, and severe, lasting reputational harm. For this reason, many cybersecurity teams have in-house training that tests how employees respond to phishing attacks. Cybersecurity teams use phishing training tools to send spoofed emails, create fake login pages and otherwise behave as genuine scammers would. 

Kali Linux is an open-source, Debian-based Linux platform for digital forensics and penetration tests. Using open-source tools with it allows people to run phishing simulations. The results of those efforts can illuminate vulnerabilities and indicate what leaders should do to make phishing attacks less likely. This article will demonstrate how you can conduct your own email phishing training using open-source tools on Kali Linux to improve your organization’s security posture and protect against cyberattacks and data breaches.

What Is Email Phishing?

Email phishing occurs when cybercriminals create fake emails to get recipients to provide personal details and sensitive information that malicious parties can later exploit. Phishing targets generally receive messages with at least one urgent element. They may warn that recipients must provide the requested details to avoid a missed parcel delivery, late payment or unfulfilled order. Some phishing attacks take a positive approach, urging people to provide information in exchange for supposed prizes or funds.

If the victim falls for it, they typically click on a link that redirects them to a page to provide the details. Some phishing attacks ask people to download seemingly harmless files containing malware. Then, the associated viruses can infect entire networks. Evidence also suggests it pays for cybercriminals to focus on phishing attacks. Because phishing attacks are highly successful in tricking victims into sharing sensitive credentials with attackers or downloading harmful malware, over 90% of modern cyberattacks begin with a phishing email.
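The two preceding paragraphs describe the red flags of a phishing email: urgent wording, a link whose visible text points somewhere other than its real destination, and a forged sender. The script below, an added example that is not from the article or from any tool it describes, checks a raw email for those three indicators. The sample messages, the hostnames and IP address in them, and the list of urgency phrases are all constructed for the example; the SPF/DKIM/DMARC verdicts are read from the Authentication-Results header that a receiving mail server adds.

```python
"""Heuristic phishing-indicator check for a single raw email message.

Added example (not from the article or any tool it describes). Reports three
red flags the article describes: urgency wording, links whose visible text
names a different host than the real destination, and failed sender checks
recorded by the receiving server in the Authentication-Results header.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of urgency cues; a real deployment would tune this.
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "account will be suspended",
    "missed delivery", "late payment", "verify your account", "you have won",
)

# Constructed sample: spoofed sender (spf=fail), urgent wording, and a link
# whose visible text claims one host while the href goes to a raw IP.
SUSPICIOUS = b"""From: "Dropbox Support" <support@dropbox.com>
To: employee@example.com
Subject: Action required
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=dropbox.com; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended unless you verify your account
within 24 hours.</p>
<p><a href="http://198.51.100.7/login">www.dropbox.com/login</a></p>
</body></html>
"""

# Constructed sample of a benign internal notice for comparison.
CLEAN = b"""From: "IT Helpdesk" <helpdesk@example.com>
To: employee@example.com
Subject: Maintenance window on Saturday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Email will be unavailable 02:00-03:00 on Saturday.
Details: <a href="https://intranet.example.com/notices">intranet.example.com/notices</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Hostname of a URL, or of bare text such as 'www.example.com/path'."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def analyze(raw: bytes) -> dict:
    """Return the indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    findings = {"urgency": [], "link_mismatch": [], "auth_fail": []}

    lowered = text.lower()
    findings["urgency"] = [p for p in URGENCY_PHRASES if p in lowered]

    collector = _LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        # Visible text naming a host other than the real target is the classic
        # "click here to fix your account" redirect trick.
        if "." in visible and _host(visible) and _host(visible) != _host(href):
            findings["link_mismatch"].append((visible, href))

    # The receiving server records SPF/DKIM/DMARC verdicts; anything other than
    # pass (or none, meaning not evaluated) suggests the sender was spoofed.
    for header in msg.get_all("Authentication-Results", []):
        for check in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{check}=(\w+)", header)
            if m and m.group(1).lower() not in ("pass", "none"):
                findings["auth_fail"].append(f"{check}={m.group(1)}")

    findings["score"] = sum(len(v) for v in findings.values())
    return findings


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, analyze(sample))
```

The score is simply the number of indicators found; it is meant to surface messages for a human to look at, not to replace a mail gateway's filtering.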

Email Security Best Practices to Protect Against Phishing Attacks

Whether you’re an individual user or involved with organizational cybersecurity, it’s vital to engage in email security best practices that will keep you safe while setting a good example. Here are some to strongly consider:

Following foundational steps doesn’t stop all attacks but makes them significantly less likely to happen. Plus, when people know an organization takes phishing prevention seriously, they’ll see their role in recognizing and stopping such attacks.

Why Is Security Awareness Training Critically Important?

Security awareness training (SAT) is an organization-wide effort that helps people identify and protect themselves against cyber threats at work and while using the Internet at home. It is an integral part of organizations’ cybersecurity defenses.

Consider a 2022 study that exposed participants to five categories of emails. The results found people generally had trouble recognizing modern phishing attacks. Although 50% identified the phishing email red flags of spelling and grammar mistakes, people’s responses were more varied when the phishing signs were less obvious or more ambiguous.

Organizations must implement SAT because human error is an element in most cyberattacks. The people who organize phishing attacks know how to tap into what people want and what they’re most likely to believe. In addition, many people work in high-pressure environments with numerous expectations placed on them. Those realities may mean they don’t take enough time to study emails to determine validity. However, if individuals get continual education about what constitutes a phishing attack, they’ll be more alert to suspicious characteristics and know not to engage with emails that have them.

It’s also essential that any SAT efforts center on online threats. Some people spend dozens of hours online weekly, so it’s highly likely they’ll eventually encounter Internet dangers. Security awareness training done well will equip each employee to spot and avoid threats. As a result, organizations have better protection from cyberattacks that could halt operations, make them lose money and customers, or mean the business must recover from reputational damage.

How to Conduct Your Own Email Phishing Training

Internal testing and training will help people become more aware of and avoid common email phishing strategies. Fortunately, Kali Linux gives you excellent options for open-source tools that facilitate phishing training. We’ll cover many of them below.

Running phishing training at your business allows you to create authentic examples of phishing attacks and see how employees respond to them. You can then find gaps in workers’ awareness and focus on those in upcoming training sessions.
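Finding the gaps a simulation exposes means tallying how far each recipient got (opened, clicked, submitted credentials, or reported the message) and comparing groups. The script below is an added example, not part of the article or of any tool it covers; it assumes a CSV export with one row per recipient in the columns shown, and the rows themselves are constructed sample data.

```python
"""Summarize a phishing-simulation campaign per department.

Added example (not from the article or any tool it describes). Assumes a CSV
export with one row per recipient recording the furthest stage reached:
sent, opened, clicked, submitted, or reported.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; the column layout is an assumption.
SAMPLE_CSV = """email,department,stage,minutes_to_action
a.adams@example.com,finance,submitted,4
b.baker@example.com,finance,clicked,9
c.clark@example.com,finance,reported,2
d.davis@example.com,engineering,opened,
e.evans@example.com,engineering,reported,3
f.frank@example.com,engineering,sent,
g.green@example.com,sales,submitted,1
h.hall@example.com,sales,clicked,15
"""

# Stages in order of increasing exposure; "reported" is tracked separately.
STAGE_ORDER = ["sent", "opened", "clicked", "submitted"]


def _new_bucket():
    return {"total": 0, "clicked": 0, "submitted": 0, "reported": 0}


def _add_rates(d: dict) -> dict:
    return {
        **d,
        "click_rate": d["clicked"] / d["total"],
        "submit_rate": d["submitted"] / d["total"],
        "report_rate": d["reported"] / d["total"],
    }


def summarize(csv_text: str) -> dict:
    """Return overall and per-department counts, rates, and a training priority list."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    per_dept = defaultdict(_new_bucket)
    overall = _new_bucket()

    for row in rows:
        stage = row["stage"].strip().lower()
        for d in (per_dept[row["department"]], overall):
            d["total"] += 1
            if stage == "reported":
                d["reported"] += 1
                continue
            rank = STAGE_ORDER.index(stage)
            # Stages are cumulative: anyone who submitted also clicked.
            if rank >= STAGE_ORDER.index("clicked"):
                d["clicked"] += 1
            if rank >= STAGE_ORDER.index("submitted"):
                d["submitted"] += 1

    departments = {name: _add_rates(d) for name, d in per_dept.items()}
    # Departments that gave up credentials most often come first; ties are
    # broken by click rate, then by name so the order is stable.
    priority = sorted(
        departments,
        key=lambda n: (-departments[n]["submit_rate"], -departments[n]["click_rate"], n),
    )
    return {"overall": _add_rates(overall), "departments": departments, "priority": priority}


if __name__ == "__main__":
    result = summarize(SAMPLE_CSV)
    print("overall:", result["overall"])
    for name in result["priority"]:
        print(name, result["departments"][name])
```

The report rate is as important as the click rate: a department that clicks but also reports quickly gives the security team an early warning, while one that clicks silently does not.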

Kali Linux Email Phishing Training Tools 

Kali Linux is an open-source distribution aimed at people who must run penetration tests and perform security audits. It comes with more than 600 penetration test tools. Kali Linux is also completely free and customizable to meet users’ needs. Now, let’s look at several phishing tools for Kali Linux.

PhishMailer

PhishMailer allows you to create email templates that seem to come from more than 20 well-known companies. This tool requires Python 3 and its developers tested it in Kali Linux. It has a user-friendly interface, but a potential downside is there have been no updates for a couple of years.

(Screenshot 1: PhishMailer)

Install it by cloning the repository with the git clone command: 

git clone https://www.github.com/BiZken/PhishMailer.git

The following commands download it to your desktop and take you into the tool’s directory:

cd Desktop

git clone https://www.github.com/BiZken/PhishMailer.git

cd PhishMailer/

Now that you’ve downloaded the tool, run it with the following command: 

python3 PhishMailer.py

You’ll then have the opportunity to enter several pieces of information about your phishing target.

(Screenshot 2: PhishMailer prompts)

Next, the tool will generate a link you can open in a browser. Once a phishing target enters their email and password on the fake page, you’ll get relevant details, as seen below.

(Screenshot 3: PhishMailer output)

Within two minutes of installing, I was able to create this Dropbox sample phishing message. Each of the links in this screenshot (even the “I’m not sure” link) direct to my sample phishing site.

(Screenshot 4: Dropbox sample phishing message)

BlackPhish

BlackPhish is a robust but lightweight phishing email simulator tool. However, one downside is it’s still in beta, so numerous issues may crop up during use. The developers tested it on Kali Linux 2019.4, but compatibility checks on other platforms are ongoing. BlackPhish has six email templates, along with a user-friendly interface.

(Screenshot 5: BlackPhish)

Install BlackPhish by moving to the desktop and using the following command: 

cd Desktop

git clone https://github.com/iinc0gnit0/BlackPhish

Move into the tool’s directory and continue the installation with the following commands:

cd BlackPhish

sudo bash install.sh

Finally, run BlackPhish with the command:

sudo python3 blackphish.py  

After doing that, you’ll reach the main screen. Choose the type of phishing simulation you want to make by pressing its corresponding number and the Enter key.

(Screenshot 6: BlackPhish main screen)

Progressing through the steps will give you further options to customize the content and you’ll get a preview of how the simulated message will look to users. Eventually, you’ll receive relevant information if someone falls for the phishing trick.

(Screenshot 7: waiting for victim)

Lockphish

Lockphish is different from the other tools here because it creates phishing content that mimics a smartphone’s lock screen and captures the credentials entered there. It generates phishing content for Android and iOS smartphones, as well as Windows PC operating systems. A potential downside is it does not detect Mac computers. Outside that limitation, the tool has an IP tracker and can automatically detect the kind of device a person has.

Start the installation by cloning Lockphish from its GitHub repository with the following command: 

git clone https://github.com/kali-linux-tutorial/lockphish

Then, use this command to reach the Lockphish directory:

cd lockphish  

Make the script executable before running it by using the command:

sudo chmod +x lockphish.sh 

Finally, run the tool by inputting:

./lockphish.sh

Doing this will launch the tool’s main screen, as seen below:

(Screenshot 8: Lockphish main screen)

You then need to choose a website from which Lockphish will cause a redirect. YouTube is the default selection. Press the Enter key after selecting the desired website for the redirect. That will cause ngrok to download within Kali Linux and configure the phishing servers on the localhost.

The Lockphish screen will provide you with several options to change the parameters, as shown below:

(Screenshot: waiting for target)

Next, the simulated phishing attack mimics the users’ lock screens. Once a person enters credentials, they get captured and reach the Lockphish user through an ngrok tunnel.

Once a target clicks the phishing link, you’ll get several pieces of information about them, as shown below.

(Screenshot: target opened link)

Final Thoughts on Kali Linux Open-Source Phishing Training Tools

Whether your organization has five or 500 team members, phishing testing and training are essential to minimizing cyber risk. Even if most employees know many of the characteristic signs of phishing attempts, cybercriminals frequently update their methods, which can fool many victims.

As you evaluate phishing training tools, prioritize those that allow making messages seemingly coming from various popular platforms. Then, as you consider how to make the content as realistic as possible, tweak the messaging to determine which phrases are most believable to the target audience. Realize, too, that people of certain ages and backgrounds may be more or less likely to fall for phishing attempts than others.

Before considering whether to use a tool, spend time using and becoming familiar with it. You’ll then better know if it will meet your goals and expectations. Finally, remember phishing training is not a one-and-done exercise. Making it a regular part of cybersecurity improvements and preparedness will help you gauge how people’s understanding of phishing evolves.