Kudzanai Gomera | Phishing Analysis 101

Phishing Analysis 101

Phishing is the act of attemping to obatin sensitive information from individuals by using social engineering tactics

Impersonation

Posing as legitimate organizations or individuals

Stealing sensitive information

Password, credit card numbers, sensitive files

Deliver and install malware

Via attachments, embedded files, or URLs

Exploiting humans

Preys on emoitions
Human psychology

How does phishing work?

Authority

Spoofing executives, managers & IT staff

Trust

Spoofing customers, banks, partners

Intimidation

Instill a sense of fear of consequences

Social Proof

Validate legitimacy through consensus

Urgency

"Act Now!"

Scarcity

Instill a fear of missing out

Familiarity

Establish credibility through recognition

Phishing Case Studies:

Colonial Pipeline (2021)

Phishing as ransomware delivery
Disrupted operations and $4.4 million ransomware
https:://abnormalsecurity.com/blog/colonial-pipeline-attack-phishing-email-likely-the-culprit

Levitas Capital(2020)

Whaling - spoofing a Zoom invite email
Fraudulent invoices of $8.7 million
https://www.secureworld.io/industry-new/hedge-fund-closes-after-bec-cyber-attac

Email Fundermentals:

Bob(Sender) -> Bob's Mail Server(Gmail) -> Alice's Mail Server(Yahoo) -> Alice(Recipient)

Email Heders

Email headers are lines of metadata attached to an email and contains many useful strings of information for analysts and investigators.

Email Body

The email body is the main context of an email

Email Protocols

SMTP - Used to send outgoing mail, port 25 or 465, 587
POP3 - downloads email then deletes them, port 110 or 995
IMAP - advanced email synchronization, port 143 or 993

Mail Agents

Mail Transfer Agents(MTA) - Route and transfer email messages across mail servers
Mail User Agent(MUA) - Compose, send, receive, and manage email messages eg Gmail, outlook
Mail Delivery Agent - Accepting incoming email messages from MTAs

Phishing Attack Types

information gathering:

Collecting data through reconnaissance
Verify existing accounts, craft credible phishes

redential Harvesting

Obtain login credentials from victims
Fake login pages, deceptive URLs eg Fake Microsof login page

Malware Delivery

malicious attachment or links
Drive by downloads

Spear Phishing

Targeted and customized phishing
Research specific individuals or organizations

Whaling

Targeting high-profile individuals(CEOs, executives)
Crafting highly personalized and convincing emails

Vishing, Smishing, and Quishing

Attempts to obtain information over the phone
SMS messages containing malicious URLs
QR codes that lead to phishing sites

Business Email Compromise(BEC)

Compromise legitimate email accounts
Unauthorized wire transfers, invoice scams

Spams

Unsolicited, irrelevant, and unwanted email
Not typically with malicious intent

6. Mail Gateway Analysis

Review fields like:

From
To
Return-Path
Subject Line
Message ID
Verify how many users received the email from the same domain/email ID.
Export email details for documentation.

Phishing Attack Techniques

Pretexting

Fabricated a backstrory
Manipulation under false pretense

Spoofing and impersonation

Email Address Spoofing
Domain Spoofing

URL Manipulation

URL Shortening
Subdomain Spoofing
Homograph Attacks
Typosquatting

Encoding

Obfuscate and evade detection
Base64, URL encoding, HTML encoding
Obscure Javascript

Attachment

Download and execute

Abuse of Legitimate Services

Google Drive, Dropbox, etc
Using trsuted reputations to send malware

Pharming

Two-step technique
Malware-based Pharming
DNS-based Pharming

Phishing Analysis Methodology

Initial Triage

Quickly assess and prioritize
Identify potential threats

Header and Sender Examination

Investigate MTAs, addresses, IPs, etc
Identify the true origin and check authenticity

Content Examination

Analyze email content for language, formatting, etc
Looking for social engineering red flags

Web and URL Examination

Collecting web artifacts
Utilize tools to inspect URLs and domains

Attachment Examination

Securely extract and analyze attachments
Checking file reputation and sandboxing

Contextual Examination

Consider broader context, recent or current incidents
Looking for patterns and assess scope

Defense Measures

Take reactive defense actions(if needed)
Take proative defense actions
Communicate with Users and stakeholders

Documentation and Reporting

Maintain records of finding, verdicts and actions taken throguh detailed reports
Close out alerts and tickets

Mail authentication

SPF

This doesn't verify if a sender is legitimate or not but all it does is verify whether the sender matches or is authorized by domain specified in the emails from address
nslookup -type=txt shodan.io | grep -i spf

DKIM

Method used to authenticate the origin of email messages

DMARC

Works alongside SPF and DKIM to enhance overall email authentication with additional reporting mechanism.

Example Tool

Using a phishtool Community version during email analysis and add it to your asernal to save time as well.

Reactive Phishing Defense

Containment

Determine Scope e.g by email header(sent to or email gateway)
Quarantine
Block malicious URLs and domains
Block sender artifacts

Eradication

Remove malicious emails
Content search and eDiscovery
Remove malicious files
Abuse form submissions
Credential Changes
Reimaging

Recovery

Restore systems

Communication

Notify affected users
Update stakeholders

User Education

End-user training

Proactive Phishing Defense

Email Filtering

Email security applicances
Marking external emails

URL Scanning and Blocking

Real-time URL inspection
Block recently registered domains

Attachment Filtering

File extension blocks
Attachment sandbox

Email Authentication Methods

SPF, DKIM, DMARC
Update stakeholders

User Training

Security awareness training
Phishing simulation exercises
Reporting functionality