Phishing Analysis Flashcards
What are common attack vectors for phishing?
phone call, text message, email
What is the easiest way to find the original sender of an email?
by looking for the X-Originating-IP header
What exactly is the IP address found in the X-Originating-IP header?
IP address of the client machine, not the IP address of the forwarding SMTP server
remember that the header can be easily spoofed
How can you read all the elements of the email even though some parts of it were blocked/removed by an email security appliance?
by inspecting the HTML code of the email
What is malspam?
malicious form of spam
What is whaling?
similar to spear phishing, but it’s targeted specifically to C-Level high-position individuals (CEO, CFO, etc.), and the objective is the same
What is smishing?
phishing to mobile devices by targeting mobile users with specially crafted text messages
What is vishing?
similar to smishing, but instead of using text messages for the social engineering attack, the attacks are based on voice calls
What are typical characteristics phishing emails have in common?
- The sender email name/address will masquerade as a trusted entity (email spoofing)
- The email subject line and/or body (text) is written with a sense of urgency or uses certain keywords such as Invoice, Suspended, etc.
- The email body (HTML) is designed to match a trusting entity (such as Amazon)
- The email body (HTML) is poorly formatted or written (contrary to the previous point)
- The email body uses generic content, such as Dear Sir/Madam.
- Hyperlinks (oftentimes use URL shortening services to hide their true origin)
- A malicious attachment posing as a legitimate document
What is defanging?
- way of making the URL/domain or email address unclickable to avoid accidental clicks, which may result in a serious security breach
- replacing special characters, like “@” in the email or “.” in the URL, with different characters
- example: hxxp[://]www[.]suspiciousdomain[.]com
What is BEC (Business Email Compromise)?
when an adversary gains control of an internal employee’s account and then uses the compromised email account to convince other internal employees to perform unauthorized or fraudulent actions
What are web beacons?
tracking pixels
What is the purpose of web beacons used by phishers?
- Confirmation of Active Email Accounts: when a recipient opens an email containing a tracking pixel, the pixel requests an image from a server controlled by the phisher, which confirms to the phisher that the email address is active and that the email has been opened
- Gathering Information: provides information such as the time and date the email was opened, how many times it was opened, the IP address of the recipient, the type of device used, and even the email client or browser
- Campaign Effectiveness: lets phishers assess the effectiveness of their email campaigns
- Targeted Attacks: enables phishers to conduct more targeted and sophisticated attacks, such as spear phishing
- Avoiding Spam Filters: tracking pixels are typically small and unobtrusive (often just a 1x1 pixel image), so they can be inserted into emails without raising immediate suspicion or being easily detected by spam filters
What are the 3 common tools that are used to analyze email headers?
https://toolbox.googleapps.com
https://mha.azurewebsites.net
https://mailheader.org
What information should an analyst collect from an email header?
- sender email address
- sender IP address
- reverse lookup of the sender IP address
- email subject line
- recipient email address (this information might be in the CC/BCC field)
- reply-to email address (if any)
- date/time