Manual Collection - Web Artifacts Flashcards

1
Q
A

The term “web artifact” is used to describe a hyperlink in an email that will redirect the recipient to a domain, an IP address, or a specific URL. These can be used to host fake login portals that steal any entered credentials or pages that host malware which is downloaded when the site is visited. Collecting these artifacts is extremely straightforward and can be done in just a few clicks. We are looking to retrieve:

The full URL (the complete web address as it is sent in the email)
The root domain (only the domain name, not including specific pages)

Below we’ll show you how to do it within an email client such as Outlook or Thunderbird, and how to do it from a text editor.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Email Client Extraction

A

In this phishing email, we can see that this section of text is hyperlinked, and the user is told to click on it. By hovering the mouse over this text we can see the URL, which definitely doesn’t belong to PayPal.

We can right-click the URL and select “Copy Hyperlink” to send the URL to our clipboard, which we can post elsewhere.

Although this method is much faster than using a text editor, there is always the risk that you could accidentally click on the malicious URL and end up visiting the page. Be careful when right-clicking and selecting Copy Hyperlink to avoid this mistake, and remember to always analyze phishing emails inside a virtual machine or on a dirty system!

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Text Editor Extraction

A

In a text editor, we can use the CTRL+F keyboard shortcut to enable the “Find” feature. There are three quick ways to find the URL(s) we want:

Search for “http” as this will identify any http or https addresses being mentioned within the email.
Search for anchor HTML tags <a> which are used to perform hyperlinking.
Search for the text from the email body that is a hyperlink, in this example, we could search for “you can cancel it”.
We’re going to use the last method.</a>

And there we have it, we can see the URL within the <a> HTML tags, and can copy it without fear of accidentally clicking on the link and being taken to a potentially malicious site.</a>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly