Phishing Analysis

Question 1

What are common attack vectors for phishing?

Answer 1

phone call, text message, email

Question 2

What is the easiest way to find the original sender of an email?

Answer 2

by looking for the X-Originating-IP header

Question 3

What exactly is the IP address found in the X-Originating-IP header?

Answer 3

IP address of the client machine, not IP address ofthe forwarding SMTP server

remember that the header can be easily spoofed

Question 4

How can you read all the elements of the email even though some parts of it were blocked/removed by an email security apppliance?

Answer 4

by inspecting the HTML code of the email

Question 5

What is malspam?

Answer 5

malicious form of spam

Question 6

What is whaling?

Answer 6

similar to spear phishing, but it’s targeted specifically to C-Level high-position individuals (CEO, CFO, etc.), and the objective is the same

Question 7

What is smishing?

Answer 7

phishing to mobile devices by targeting mobile users with specially crafted text messages

Question 8

What is vishing?

Answer 8

similar to smishing, but instead of using text messages for the social engineering attack, the attacks are based on voice calls

Question 9

What are typical characteristics phishing emails have in common?

Answer 9

• The sender email name/address will masquerade as a trusted entity (email spoofing)
• The email subject line and/or body (text) is written with a sense of urgency or uses certain keywords such as Invoice, Suspended, etc.
• The email body (HTML) is designed to match a trusting entity (such as Amazon)
• The email body (HTML) is poorly formatted or written (contrary from the previous point)
• The email body uses generic content, such as Dear Sir/Madam.
• Hyperlinks (oftentimes uses URL shortening services to hide its true origin)
• A malicious attachment posing as a legitimate document

Question 10

What is defanging?

Answer 10

• way of making the URL/domain or email address unclickable to avoid accidental clicks, which may result in a serious security breach
• replacing special characters, like “@” in the email or “.” in the URL, with different characters
  <br></br>
  hxxp[://]www[.]suspiciousdomain[.]com

Question 11

What is BEC (Business Email Compromise)?

Answer 11

when an adversary gains control of an internal employee’s account and then uses the compromised email account to convince other internal employees to perform unauthorized or fraudulent actions

Question 12

What are web beacons?

Answer 12

tracking pixels

Question 13

What is the purpose of web beacons used by phishers?

Answer 13

• Confirmation of Active Email Accounts
  
  • when a recipient opens an email containing a tracking pixel, the pixel requests to load an image from a server controlled by the phisher
  • confirms to the phisher that the email address is active and that the email has been opened
• Gathering Information
  
  • provide information such as the time and date the email was opened, how many times it was opened, the IP address of the recipient, the type of device used, and even the email client or browser
• Campaign Effectiveness
  
  • assess the effectiveness of their email campaigns
• Targeted Attacks
  
  • enable phishers to conduct more targeted and sophisticated attacks, such as spear-phishing
• Avoiding Spam Filters
  
  • tracking pixels are typically small and unobtrusive (often just a 1x1 pixel image), they can be inserted into emails without raising immediate suspicion or being easily detected by spam filters

Question 14

What are the 3 common tools that are used to analyze email headers?

Answer 14

• https://toolbox.googleapps.com
• https://mha.azurewebsites.net
• https://mailheader.org

Question 15

What information should an analyst collect from an email header?

Answer 15

• sender email address
• sender IP address
• reverse lookup of the sender IP address
• email subject line
• recipient email address (this information might be in the CC/BCC field)
• reply-to email address (if any)
• date/time

Question 16

What are the artifacts that an analyst needs to collect from the email body?

Answer 16

• any URL links (if an URL shortener service was used, then we’ll need to obtain the real URL link)
• the name of the attachment
• the hash value of the attachment (hash type MD5 or SHA256, preferably the latter)