Lab) Phishing Response Challenge Solution Flashcards
This lesson will be replaced with a video in the very near future, however, we wanted to provide a walkthrough as quickly as possible, so we’re using a text lesson for now.
Question 1 - Which of the 5 emails have you identified as being malicious?
Email 1
This is arguably the longest question to answer because it requires us to investigate all of the five provided emails and apply our analysis skills to identify which two are malicious.
It is immediately clear that this email is highly suspicious:
The sender’s display name is set to ‘auto-confirm.info-amazon.co.uk’ (where the domain is info-amazon.co.uk, not amazon.co.uk), but the actual sending address is QPE77756@mun.ca - this definitely isn’t Amazon
Formatting/styling is inconsistent - emails from huge brands such as Amazon are styled well and do not mix fonts
The email is not addressed to a specific person, as legitimate emails from an account provider usually are; instead it is addressed to a generic recipient, ‘Amazon user’
The email features poor and incorrect grammar, such as ‘Your ID’ (should be ‘your account’) and ‘From Amazon Store’
It has an obvious call-to-action button enticing the user to click on the link to the ‘Help Page - Refund Form’ (legitimate emails also use calls-to-action, but a prominent button leading to a link is a staple of URL-based phishing)
We’ve found our first malicious phishing email!
Q1 contd
Email 2
If you thought this email was malicious, you may be rushing your analysis. Let’s consider a few points:
The email uses a classic advance-fee scam theme, trying to convince non-technical users that they are going to receive a portion of someone’s lottery winnings
The email is not addressed directly to the recipient, suggesting it is being mass-mailed to a large list of people
There is a URL in the body, however it is not hyperlinked. A quick Google search tells us that ‘thescottishsun[.]co[.]uk’ is a legitimate news site, and is not malicious
The email provides an email address to contact that is different from the sender
Based on this information, this email is not malicious. It should be classed as spam/scam as it is trying to convince recipients to send personal details to a Gmail address, using the story behind a legitimate news article regarding lottery winners in Scotland.
Q1 contd
Email 3
Let’s start by noting down some key parts of this email:
The sender is a Gmail address, despite the email claiming to be from the UK’s National Health Service
The image used in the email is a generic stock image and doesn’t show any NHS or UK Government branding to match the theme of the email
The email is addressed to a generic recipient ‘Sir/Madam’
The email is telling the recipient to open the attached file (call-to-action)
A sense of urgency is created to generate an emotional response using the sentence ‘If you do not act soon, we will give your slot to someone else’ - this is trying to make people act before they stop to think
The attachment is named ‘MALICIOUS ATTACHMENT REMOVED - SBT.txt’. This is extremely unlikely to be the name of the real attachment - some email gateways can strip out a malicious attachment and replace it with a placeholder file to let recipients know what happened.
As the attachment is just a text file, we can open it without fear of malicious code execution.
This informs us that the attachment was indeed malicious, and was actually an executable disguised as a PDF using the double extension ‘.pdf.exe’.
Here’s our second malicious email, giving us the answer of ‘1, 3’. Let’s look at the final two emails anyway for practice!
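The indicators we applied by hand to emails 1 and 3 (a brand-like display name over an unrelated sending address, a generic greeting, an urgency phrase, and an executable hiding behind a double extension) can be checked programmatically from the .eml file. The script below is an added example, not part of the lab; the two sample messages it parses are constructed stand-ins (the addresses are the ones quoted in this walkthrough, the subject, body and attachment name are invented), and the keyword lists and verdict rule are simple heuristics, not a vendor's detection logic.

```python
"""Automating the indicators used for emails 1 and 3 (added example, not part
of the original lab). Both messages below are constructed for the demo."""
import email
import re
from email import policy

# Constructed sample .eml: brand-like display name over an unrelated address,
# a generic greeting, an urgency phrase, and an executable disguised as a PDF.
SAMPLE_EML = """From: "auto-confirm.info-amazon.co.uk" <QPE77756@mun.ca>
To: jack.tractive@abcindustries.co.uk
Subject: Refund Form
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Amazon user, if you do not act soon we will give your slot to someone else.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed benign message for comparison (example.com is a reserved domain).
CLEAN_EML = """From: Alice Example <alice@example.com>
To: jack.tractive@abcindustries.co.uk
Subject: Lunch
Content-Type: text/plain

Hi Jack, are you free for lunch on Thursday?
"""

# Salutations that address nobody in particular ('Sir/Madam', 'Amazon user', ...).
GENERIC_GREETING = re.compile(
    r"^\s*(?:dear|hello|hi)?\s*(?:sir/madam|sir or madam|customer|valued customer|"
    r"account holder|\w+ user)\b", re.I)
# Pressure phrases that push the reader to act before thinking (heuristic list).
URGENCY = re.compile(
    r"act (?:soon|now|immediately)|within \d+ hours?|will be (?:suspended|closed|"
    r"terminated)|give your slot", re.I)
EXECUTABLE_EXT = {"exe", "scr", "bat", "cmd", "com", "js", "vbs", "hta", "msi", "ps1"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def spoofed_display_domains(msg):
    """Domains named in the From display name that differ from the real sender domain."""
    sender = msg["From"].addresses[0]
    real_domain = sender.domain.lower()
    claimed = re.findall(r"[\w-]+(?:\.[\w-]+)+", sender.display_name.lower())
    return [d for d in claimed if d != real_domain and not d.endswith("." + real_domain)]


def suspicious_attachments(msg):
    """Attachment names that are executables, including the '.pdf.exe' double-extension trick."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) >= 2 and pieces[-1] in EXECUTABLE_EXT:
            if len(pieces) >= 3 and pieces[-2] in DOCUMENT_EXT:
                findings.append((name, f"executable disguised as .{pieces[-2]}"))
            else:
                findings.append((name, "executable attachment"))
    return findings


def triage(raw):
    """Run the indicator checks over a raw .eml string and attach a simple verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    first_line = next((line for line in body.splitlines() if line.strip()), "")
    flags = {
        "spoofed_display_domains": spoofed_display_domains(msg),
        "generic_greeting": bool(GENERIC_GREETING.match(first_line)),
        "urgency": bool(URGENCY.search(body)),
        "suspicious_attachments": suspicious_attachments(msg),
    }
    # A spoofed sender or an executable attachment is damning on its own; a generic
    # greeting plus urgency also describes plain lottery spam, so they only add weight.
    if flags["spoofed_display_domains"] or flags["suspicious_attachments"]:
        flags["verdict"] = "malicious"
    elif flags["generic_greeting"] and flags["urgency"]:
        flags["verdict"] = "suspicious"
    else:
        flags["verdict"] = "spam or benign"
    return flags


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, triage(raw))
```

The double-extension check only works on the filename the gateway preserved; where the attachment was replaced with a placeholder like ‘MALICIOUS ATTACHMENT REMOVED - SBT.txt’, the original name has to be read from the placeholder’s contents, as we did above.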
Q1 contd
Email 4
Based on the sender, styling, theme, and purpose of this email, we can classify this as spam/newsletter. The email is not using a real call-to-action despite a number of hyperlinks. Further analysis of the links could be conducted using tools such as URL2PNG or a WHOIS lookup and reputation checks on the domain; however, over time you’ll learn to recognise what is suspicious and what is just spam.
Q1 contd
Email 5
As with email four, the same techniques are being used. Parts of this email do seem suspicious: the Reply-to name is set to ‘dfsdf’, and the subject line is misleading to individuals who aren’t familiar with cryptocurrencies or investing. However, this is another spam email trying to convince people to sign up and begin trading cryptocurrencies; it is not inherently malicious, although it should be avoided!
Question 2 - First Malicious Email: What is the sending address?
Opening Email One in Sublime Text and searching (CTRL+F) for ‘From’, we can find the sending email address, which is contained within the <> symbols at the end of the line (everything before this is just a friendly name that can be set to anything; only the address inside the angle brackets matters!)
Question 3 - First Malicious Email: What is the subject line?
A few lines below, or by searching for ‘Subject’ we can find the subject line.
Question 4 - First Malicious Email: Who are the recipients?
Looking at the ‘To’ header (line 42 of the file) we can see the email is being sent to jack.tractive@abcindustries.co.uk.
Question 5 - First Malicious Email: What is the Reply-to address? (If not present, write “none”)
Searching for ‘reply’ or ‘reply-to’ gives us no results, so we will enter the answer as ‘none’.
Question 6 - First Malicious Email: What is the date and time the email was sent? (Retrieve this via text editor!)
Searching for ‘Date’ in our text editor will show us the timestamp of the email.
Question 7 - First Malicious Email: What is the sending server IP?
Searching for the string ‘Sender’ we can see a number of references to the same IP address, including a Received-SPF header showing that the SPF check passed for this IP.
Question 8 - First Malicious Email: What is the reverse DNS hostname of the sending server IP? (check email headers and/or a WHOis lookup)
Searching for the sender IP 68.114.190.29 on https://whois.domaintools.com doesn’t show us a hostname, and states that the IP is owned by ‘United States Ashburn Charter Communications’. It seems that this IP is no longer assigned to an individual company, so we won’t be able to get the hostname from here. While IP ownership can change over time, the original information is preserved within the email file’s headers.
Searching for the IP in the text editor instead, the Received header for that hop records the reverse DNS hostname of the sending server:
Question 9 - First Malicious Email: What is the full URL?
The easiest way to do this is by right-clicking the URL in the email when viewed through an email client, because email files can contain a lot of http/https links, making it time-consuming to go through them to find the right one.
Based on the formatting of the URL and the theme/intent of the email, this is very likely to be a credential harvester: the ‘email’ parameter in the URL lets the fake Amazon login page auto-fill the victim’s address to make it seem more legitimate. This is speculation until we investigate further, but over time you will learn to recognise attacks from the themes and techniques used.
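Questions 2 to 9 are all answered by reading specific headers and the body of the .eml file, which is easy to script once you know where each value lives: the address inside the angle brackets of ‘From’, ‘Reply-To’ (absent here), ‘Date’, the client-ip in ‘Received-SPF’, the reverse DNS name in parentheses in the matching ‘Received’ hop, and the href (with its ‘email’ parameter) in the HTML body. The script below is an added example and not part of the lab. Its sample message is constructed: the sender, recipient and IP 68.114.190.29 are the values quoted in this walkthrough, while the Received chain, the hostname mta.example.net, the timestamps, subject and the example.com URL are invented stand-ins, so the answers it prints are illustrative rather than the lab’s.

```python
"""Header and URL extraction for questions 2 to 9 (added example, not part of
the original lab). The message below is constructed; only the sender, recipient
and sending IP are taken from the walkthrough, everything else is invented."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SAMPLE_EML = """Received: from mta.example.net (mta.example.net [68.114.190.29])
 by mx.abcindustries.co.uk with ESMTP id 4Q7x; Thu, 05 Mar 2020 11:24:07 +0000
Received-SPF: Pass (mx.abcindustries.co.uk: domain of mun.ca designates
 68.114.190.29 as permitted sender) client-ip=68.114.190.29; envelope-from=QPE77756@mun.ca;
From: "auto-confirm.info-amazon.co.uk" <QPE77756@mun.ca>
To: jack.tractive@abcindustries.co.uk
Subject: Refund Form
Date: Thu, 05 Mar 2020 11:23:58 +0000
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Amazon user,</p>
<a href="http://amazon-refund.example.com/ap/signin?email=jack.tractive%40abcindustries.co.uk&amp;ref=refund">Help Page - Refund Form</a>
</body></html>
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def load(raw):
    # policy.default gives structured header objects (addresses, datetimes).
    return email.message_from_string(raw, policy=policy.default)


def basic_fields(raw):
    """Q2-Q6: the address inside <>, subject, recipients, Reply-To (or 'none') and Date."""
    msg = load(raw)
    reply_to = msg["Reply-To"]
    return {
        "from": msg["From"].addresses[0].addr_spec,  # the display name is deliberately ignored
        "subject": str(msg["Subject"]),
        "to": [a.addr_spec for a in msg["To"].addresses],
        "reply_to": reply_to.addresses[0].addr_spec if reply_to else "none",
        "date": msg["Date"].datetime.isoformat(),
    }


def sending_server(raw):
    """Q7-Q8: sending IP from the SPF result, reverse DNS name from the Received hop that logged it."""
    msg = load(raw)
    spf = str(msg.get("Received-SPF", "")).strip()
    found = re.search(r"client-ip=(" + IPV4 + ")", spf)
    client_ip = found.group(1) if found else None
    result = {"ip": client_ip, "helo": None, "rdns": None,
              "spf": spf.split(" ", 1)[0] if spf else None}
    # Each MTA prepends its own Received header, so the last one is the earliest hop;
    # walk from there and stop at the hop whose IP matches the SPF client-ip.
    for received in reversed(msg.get_all("Received", [])):
        hop = re.match(r"from\s+(\S+)\s+\((\S+)\s+\[(" + IPV4 + r")\]\)", str(received))
        if hop and (client_ip is None or hop.group(3) == client_ip):
            result.update(ip=hop.group(3), helo=hop.group(1), rdns=hop.group(2))
            break
    return result


class LinkExtractor(HTMLParser):
    """Collects every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)


def extract_links(raw):
    """Q9: every href in the HTML body, or bare URLs in a plain-text body."""
    msg = load(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    text = body.get_content()
    if body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(text)
        return parser.links
    return re.findall(r"https?://[^\s<>\"']+", text)


def describe_url(url):
    """Break a link down and surface the pre-filled 'email' argument typical of credential harvesters."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    host = parts.hostname or ""
    return {
        "host": host,
        "path": parts.path,
        "params": params,
        "prefilled_email": params.get("email"),
        # Defang only the scheme and host so the link is safe to paste into a report.
        "defanged": url.replace("http", "hxxp", 1).replace(host, host.replace(".", "[.]"), 1),
    }


if __name__ == "__main__":
    print(basic_fields(SAMPLE_EML))
    print(sending_server(SAMPLE_EML))
    for link in extract_links(SAMPLE_EML):
        print(describe_url(link))
```

Matching the SPF client-ip against the Received chain, rather than trusting the bottom Received header alone, matters because a sender can forge Received headers below the one added by your own gateway; the hop your gateway wrote is the one you trust.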
Question 10 - Second Malicious Email: What is the sending address?
Opening the email in a text editor, we’ll use CTRL+F to search for the ‘From’ property.