Phishing Notes
Phishing is an attack that aims to steal data from a user, usually by getting the user to click a link sent to them by email or to download a malicious file onto their computer.
In the cyber kill chain, a phishing attack happens in the delivery phase. This phase is the step in which the attacker transmits the harmful content to the victim's system or user.
In conclusion, phishing mostly aims to get the user to click on the link they are given in order to gain initial access. In other words, phishing is an attack that exploits the human factor and human weakness.
The attacker intends to trick the target into giving up personal information in order to initiate or gain access to something valuable or secret.
An attacker can send email on behalf of another person, since email does not require an authentication mechanism to identify the real user. This technique is known as spoofing: the user/target believes that the incoming email comes from a legitimate or reliable person.
Since spoofing is in use, several protocols have been created to counter it. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and DMARC are used to prevent email spoofing by checking whether the sender address is fake or real. However, these protocols are not mandatory, since in some cases they cause problems.
In manual analysis, the SMTP details of the email addresses need to be studied first.
The SPF, DKIM, DMARC and MX records of a domain can be looked up with third-party software such as MxToolBox.
This software shows whether the email comes from a legitimate source or not.
Besides that, since most companies have their own email server, the SMTP address can be examined to see whether it belongs to the company or not by looking at the WHOIS record of the SMTP IP address.
Even if the sender email is not spoofed, it can still be harmful if the legitimate user has been hacked or compromised and the attacker uses their email account.
The header is the section of an email that contains information such as sender, recipient and date. It also contains Return-Path, Reply-To and Received. Some example email header fields:
Return-Path is a hidden email header that indicates where and how a bounced email will be processed. It is also referred to as the bounce address or reverse path.
Return-Path works by directing where a bounced message should go when it cannot be delivered.
Reply-To is where the user's reply to the message is sent. It is used when the reply address is different from the sender's address, e.g. Sender: address@add.com, Reply-To: reply@add.com.
1. Received is the important part. It forms a list of all the servers/computers through which the message travelled in order to reach the user. The first Received indicates the user's mail server and the last Received is where the mail comes from. A header has many Received entries: the first Received refers to the top one and the last Received is at the bottom.
2. The From field indicates the name and email address of the sender.
DomainKey and DKIM-Signature are email signatures that help email services identify and authenticate email; they are like the SPF signature.
MIME-Version indicates the internet standard of encoding. MIME converts attachments into text so that they can be sent through SMTP.
1. Open the suspected email.
2. Find "download message" or "save as (.eml)" at the top right.
3. Open the file with the .eml extension in any notepad application.
For the Outlook email platform:
Go to File > Info > Properties > Internet Header (for Outlook).
It will show the Internet Header.
In this case, I used a LetsDefend exercise to show how to analyse an email header.
1. Cross-check the sender against the Received-from field.
From the information, we know that the sender is from letsdefend[.]io.
To conclude, the sender and Received-from must have the same address. To check, we can use MxToolBox.
2. From our search, we know that letsdefend[.]io uses Google addresses as its email server. Going back to our finding in step 1, it shows a different IP address.
3. This email is being spoofed.
4. Next, we can also check the Return-Path/Reply-To against From.
To conclude, this email is spoofed, and the attacker is trying to steal personal data from the user.
This step is used to manually identify whether a link, URL or attachment is harmful to the user or legitimate. For this case, I use a sandbox environment, which is anyrun.
From the email, download the attachment file and add a new task. Drag the downloaded file into the file section. Run it as a public task.
Open VirusTotal to scan the MD5 hash.
Always look for the MD5 or SHA-256 hash for reference.
From the above research we know that the file attachment is infected with trojan malware.
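As an added example, not from the original notes or from LetsDefend, the Python below performs the manual steps above on a saved .eml file: it reads the Received chain top to bottom, cross-checks the From domain against Return-Path, Reply-To and the origin hop, and then decodes each MIME attachment and computes the MD5 and SHA-256 hashes you would look up on VirusTotal, without ever opening the file. The sample message is constructed (placeholder hosts, addresses, ids and a tiny attachment whose body is the base64 of `hello`); the MxToolBox, WHOIS and sandbox lookups from the notes are not reproduced here.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real capture): every host, address and id
# is a placeholder; the attachment body is the base64 of b"hello".
SAMPLE_EML = """\
Return-Path: <bounce@bulk-relay.test>
Received: from mx.bulk-relay.test (mx.bulk-relay.test [192.0.2.10])
 by mail.recipient-org.test with ESMTP id AB12CD
 for <victim@recipient-org.test>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
 by mx.bulk-relay.test with SMTP id EF34GH;
 Mon, 01 Jan 2024 09:59:00 +0000
From: "Accounts Team" <accounts@example.com>
Reply-To: <collect@free-mailbox.test>
To: <victim@recipient-org.test>
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# "from <host> (<info>) by <host>" clause of a Received header
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)


def parse_eml(raw):
    """Parse .eml text into an EmailMessage (headers unfolded, MIME parts available)."""
    return email.message_from_string(raw, policy=policy.default)


def domain_of(header_value):
    """Lower-cased domain of an address header value, '' if the header is absent."""
    if header_value is None:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def under_domain(host, domain):
    """True when host is domain itself or a subdomain of it."""
    host = host.lower().strip("[]")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def received_hops(msg):
    """Received headers top to bottom: hops[0] was added by our own mail server,
    hops[-1] by the first server that accepted the message (the origin)."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(str(raw).split())  # unfold and squeeze whitespace
        m = RECEIVED_RE.search(text)
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2) or "", "by": m.group(3)})
    return hops


def header_findings(msg):
    """Cross-checks from the notes: From vs Return-Path, From vs Reply-To,
    and From vs the host named in the origin (bottom) Received header."""
    from_d = domain_of(msg["From"])
    findings = []
    rp = domain_of(msg["Return-Path"])
    if rp and rp != from_d:
        findings.append(f"Return-Path domain {rp} differs from From domain {from_d}")
    rt = domain_of(msg["Reply-To"])
    if rt and rt != from_d:
        findings.append(f"Reply-To domain {rt} differs from From domain {from_d}")
    hops = received_hops(msg)
    if hops:
        origin = hops[-1]
        named = [origin["from"]] + origin["from_info"].split()
        if not any(under_domain(h, from_d) for h in named):
            findings.append(f"origin hop {origin['from']} ({origin['from_info']}) is not under {from_d}")
    return findings


def hash_bytes(data):
    """MD5 and SHA-256 hex digests, the values to look up on VirusTotal."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def attachment_hashes(msg):
    """Decode each MIME attachment (base64 -> bytes) and hash it without opening it."""
    return [{"filename": part.get_filename(), **hash_bytes(part.get_payload(decode=True) or b"")}
            for part in msg.iter_attachments()]


if __name__ == "__main__":
    msg = parse_eml(SAMPLE_EML)
    for hop in received_hops(msg):
        print("hop:", hop)
    for finding in header_findings(msg):
        print("finding:", finding)
    for att in attachment_hashes(msg):
        print("attachment:", att)
```

On the sample, all three cross-checks fire: Return-Path and Reply-To point at domains other than the From domain, and the bottom Received hop was accepted from an unnamed host rather than from a server under the From domain, which is the same pattern the notes reach by comparing the Received IP with the domain's MX provider. The hashes are computed from the decoded bytes, so the attachment itself is never executed or opened.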
Next step: malware analysis. I don't cover it in this topic, since the topic is just to search for and detect phishing email specifically.
Don't click any suspicious link or URL, and don't download unknown file attachments.
Do not reply to the email. Contact the sending institution or person directly to confirm it.
Do not enter any personal information or sensitive data at an unknown URL you were given.
Report suspicious email to the IT department.
Delete the message.
If you have already replied, opened the attachment or entered any sensitive information, let the IT department know about it. Change your password and credentials immediately.