chrismaddalena/Goreport

Ideas for improvements

Closed this issue · 4 comments

Hi Chris,

First of all I'd like to thank you for your work on this script; you've got some nice work done here :)
I have a few questions and maybe some ideas to enhance the coherence of gophish statistics.

To give some context, we've launched a few phishing campaigns in my company.
The top management were only interested in the click rate (mail opened / link clicked).

I think it would be interesting to have that statistic in the "high level results", I see two points which need some attention:

  • to this day you count the total of mails opened even if the same user has opened the mail several times. As an example: I had a campaign running with around 1k targets and I got 2k "opened" events

  • I guess it's the same thing with the "clicked link" event

What's your opinion on this subject?

Regards,
Robin

Hi Robin,

Thanks for the feedback and the question. I am aware of this and have kicked around some different ideas a few times. First, I'll try to add the version of this stat you're looking for into the results produced by GoReport. It's the difference between counting the number of events and counting the number of recipients with one of those events. That shouldn't be difficult and I'm currently working on a very big update. I can probably squeeze it into that update, which I hope to have done this week or next.

That said, and assuming asking my opinion on this subject means you want my take on how these statistics can be used, I'll say phishing statistics are complicated. What your management wants is typical. How many people clicked? Can we get that number lower?

However, seeing both versions of the stat can reveal interesting trends. I've tried to infuse GoReport with checks for some of the events I like to look for when I review phishing results, but you'll always need to do a manual review to catch some of the most interesting events.

For example, what does it mean if one recipient clicked three times and has four different IP addresses tied to them? The details might show multiple user-agents that, when combined with the IP address info, reveal this person viewed the email on their phone using an LTE connection, clicked on their phone on the company's BYOD WiFi, clicked again on their work laptop, and then again later that evening at home. If you're seeing a lot of that sort of behavior (maybe not so extreme) that might change how you view the company's security awareness and training needs. It paints a very different, and more complete, picture than showing that person clicked at least once.

You can also catch emails that were forwarded to other people. I have seen emails travel through two or more people, each one clicking the link, even when those recipients weren't on my target list or didn't click their own emails. You'll see unusual activity sometimes and then you may have to ask the person what they did to understand how you ended up with 5 clicks from 3 IP addresses.

However, a lot of this depends on how much time you can really spend on this project and what the end game is for you and your team.

On the subject of the "opened" events, those are tough figures to use. It's really just showing you how many people are willing to let an email load remote content. It's a good indicator your emails have reached inboxes while the campaign is new and active, but after that it's a much less useful figure.

I'll split up the stats to show the total events and the total number of targets with at least one opened/clicked/submitted event. My advice is take a look at both versions. If you notice a big difference, that might mean you have some people clicking/submitting more than once.

I have updated GoReport to offer both "Total X Events" and "Individuals Who X," where X is Opened/Clicked/Submitted.

In other words, there will now be two stats available in all report formats: the total number of times each event occurred and how many individuals are attached to at least one of those events.

Updated code will be pushed very soon. I need to do some final testing but then it'll be ready to go. Maybe not tomorrow because I have to do some traveling, but this weekend anyway.
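The "Total X Events" versus "Individuals Who X" distinction, plus the per-recipient detail (several clicks, several IPs and user-agents) that the manual review above looks for, as an added Python example. This is not GoReport's own code; the event records are constructed here in the shape of a Gophish campaign timeline, and the field names `email`, `message`, `ip` and `user_agent` are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample timeline, one row per Gophish event (made-up addresses
# and documentation-range IPs, not data from the thread). Field names are an
# assumption made for this example.
EVENTS = [
    {"email": "alice@example.com", "message": "Email Opened",   "ip": "203.0.113.10", "user_agent": "iPhone"},
    {"email": "alice@example.com", "message": "Email Opened",   "ip": "203.0.113.10", "user_agent": "iPhone"},
    {"email": "alice@example.com", "message": "Clicked Link",   "ip": "203.0.113.10", "user_agent": "iPhone"},
    {"email": "alice@example.com", "message": "Clicked Link",   "ip": "198.51.100.7", "user_agent": "Windows laptop"},
    {"email": "alice@example.com", "message": "Clicked Link",   "ip": "192.0.2.44",   "user_agent": "Windows laptop"},
    {"email": "bob@example.com",   "message": "Email Opened",   "ip": "198.51.100.8", "user_agent": "Outlook"},
    {"email": "carol@example.com", "message": "Clicked Link",   "ip": "198.51.100.9", "user_agent": "Chrome"},
    {"email": "carol@example.com", "message": "Submitted Data", "ip": "198.51.100.9", "user_agent": "Chrome"},
]

TRACKED = ("Email Opened", "Clicked Link", "Submitted Data")


def total_events(events):
    """'Total X Events': every occurrence counts, repeats by the same person included."""
    return {m: sum(1 for e in events if e["message"] == m) for m in TRACKED}


def individuals_who(events):
    """'Individuals Who X': each recipient is counted once per event type."""
    return {m: len({e["email"] for e in events if e["message"] == m}) for m in TRACKED}


def repeat_actors(events, message="Clicked Link"):
    """Recipients with more than one event of the given type, together with the
    distinct IPs and user-agents seen, which is what a manual review wants to
    inspect when totals and individual counts diverge."""
    per = defaultdict(lambda: {"count": 0, "ips": set(), "agents": set()})
    for e in events:
        if e["message"] != message:
            continue
        rec = per[e["email"]]
        rec["count"] += 1
        rec["ips"].add(e["ip"])
        rec["agents"].add(e["user_agent"])
    return {
        email: {"count": r["count"], "ips": sorted(r["ips"]), "agents": sorted(r["agents"])}
        for email, r in per.items()
        if r["count"] > 1
    }


if __name__ == "__main__":
    for label, stats in (("Total events", total_events(EVENTS)),
                         ("Individuals", individuals_who(EVENTS))):
        print(label, stats)
    for email, detail in repeat_actors(EVENTS).items():
        print(f"{email}: {detail['count']} clicks from {len(detail['ips'])} IPs, agents {detail['agents']}")
```

On the constructed sample, four "Clicked Link" events come from only two individuals, and the gap is explained entirely by one recipient clicking from three IPs on two devices, which is the case Chris describes rather than a sign that the campaign reached more people.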

Hey Chris, thanks for your answer,

I agree with your point of view; I hadn't thought of the fact that these global statistics could be interpreted in this way.
Actually, it depends a lot on your company's functional organisation; for example, we don't have any BYOD policy yet, etc., and we didn't use all of Gophish's abilities yet :)

I got another point to ask you about: what do you think about the idea of merging multiple campaigns?
I had this idea because as we deploy phishing campaigns with a target list of about 3k users, we need to separate them into multiple groups but with the same senders and templates. I guess I'm not the only one doing this!

Anyway, I'm looking forward to your next update.
Thanks a lot,

Robin

Exactly. Interpreting the statistics gets complicated. It really does depend on the organization and the goal(s) of the exercises.

The new statistics tracking will be in the update I will be pushing this weekend. That update includes combining campaigns :)

You will soon be able to do something like this:

Goreport.py --id 50-59,61 --format CSV --combine
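How an `--id 50-59,61 --combine` selection can be expanded and the selected campaigns' timelines merged before the per-individual counts are taken, as an added Python example that is not GoReport's own implementation. The campaign data is constructed inline, the `email`/`message` field names are an assumption, and a campaign ID that does not exist is treated as an error so that a typo in the ID list is noticed rather than silently dropped.

```python
# Constructed per-campaign timelines, keyed by Gophish campaign ID (made-up
# data for this example; three split groups sent the same template).
CAMPAIGNS = {
    50: [{"email": "ann@example.com", "message": "Email Opened"},
         {"email": "ann@example.com", "message": "Clicked Link"},
         {"email": "ben@example.com", "message": "Clicked Link"}],
    51: [{"email": "cai@example.com", "message": "Clicked Link"},
         {"email": "cai@example.com", "message": "Clicked Link"}],
    61: [{"email": "dee@example.com", "message": "Email Opened"},
         {"email": "ann@example.com", "message": "Clicked Link"}],  # ann also in group 50
}


def parse_id_spec(spec):
    """Expand an ID list such as '50-59,61' into sorted unique campaign IDs."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range: {part!r}")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return sorted(ids)


def combine_campaigns(campaign_events, ids):
    """Concatenate the timelines of the selected campaigns.

    Every requested ID must be present so a mistyped ID is reported
    instead of quietly producing a smaller combined report."""
    missing = [cid for cid in ids if cid not in campaign_events]
    if missing:
        raise KeyError(f"campaign(s) not found: {missing}")
    merged = []
    for cid in ids:
        merged.extend(campaign_events[cid])
    return merged


def combined_stats(campaign_events, spec, message):
    """Total events and distinct individuals for one event type across the
    campaigns selected by spec; a person present in two groups counts once."""
    events = combine_campaigns(campaign_events, parse_id_spec(spec))
    hits = [e for e in events if e["message"] == message]
    return {"total_events": len(hits), "individuals": len({e["email"] for e in hits})}


if __name__ == "__main__":
    print(parse_id_spec("50-59,61"))
    print(combined_stats(CAMPAIGNS, "50,51,61", "Clicked Link"))
```

With the three constructed campaigns combined, five click events collapse to three individuals: one recipient appears in two groups and another clicked twice, so the combined "Individuals Who Clicked" figure is the one to quote for a 3k-user exercise that had to be split into groups.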