(Video) Phishing Response Walkthrough Flashcards
Video Transcript
In this video, we’ll be walking through an entire phishing investigation. The email we’ll be analysing is a TV Licensing-themed message that tries to entice the recipient to click on a link.
First we need to record a brief description of the email. This should typically be one or two sentences about the styling and intent. We are going to mention the email is impersonating TV Licensing, and is well styled.
Next, it’s time to retrieve artifacts. We’ll open the email using Sublime Text 2 and start collecting email-based artifacts. First we grab the sending address under the “from” property.
Below that is the subject line, the date the email was sent, and the recipient, and we can search for the sender IP address, which is 40.92.4.54 in this scenario. We need the reverse DNS result for this IP, so let’s use the WHOIS search by DomainTools to retrieve the hostname. We can see it’s owned by Microsoft and is an Outlook server, which makes sense as the sending address is an @hotmail address.
We need the URL from the email, so we’ll carefully right-click the link (without clicking it) and select Copy Hyperlink.
Now we start the analysis stage. Let’s put the domain into VirusTotal to see its reputation. Looks like it’s been flagged for malicious and phishing activity. Next we’ll put the URL into URL2PNG to see what the page looks like. It seems the site is no longer active. Let’s double-check in wannabrowser. Again, we’re told the site is no longer available.
Performing a WHOIS search for the domain shows us that it was created 42 days ago. This is very suspicious – domains that are used for malicious activity and have a low domain age are typically registered purely for malicious intent, as opposed to being legitimate domains that have been compromised.
We need to note down the results from our VirusTotal, URL2PNG, wannabrowser, and WHOIS searches.
Next we need to decide on defensive measures. As the domain has been flagged on VirusTotal for malicious and phishing activity, has been linked in malicious emails sent to an employee, and has a very young domain age, there doesn’t appear to be any negative impact to the business if we block the domain.
Next are the email defensive measures. As the sender is using a Hotmail address, the best response would be to block this address on the email gateway, preventing it from delivering more malicious emails.
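The artifact-retrieval and domain-age steps above can be automated against a raw .eml file. This is an added example, not code from the video; the message, relay hostname, link domain (reserved .example TLD) and WHOIS creation date are all constructed, only the relay IP is the one from the walkthrough, and the 90-day "young domain" cutoff is an assumed threshold the video never states.

```python
import re
from datetime import datetime, timezone
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish); relay IP reused from the walkthrough.
RAW_EMAIL = b"""Received: from relay.outbound.example.net (relay.outbound.example.net [40.92.4.54])
 by mx.corp.example; Tue, 04 Feb 2020 10:15:22 +0000
From: "TV Licensing" <tvl-refunds@hotmail.com>
To: employee@corp.example
Subject: Your TV Licence refund is ready
Date: Tue, 04 Feb 2020 10:15:20 +0000
Content-Type: text/html; charset="utf-8"

<html><body><p>Claim your refund:</p>
<a href="http://tvl-refund-portal.example/claim?id=123">Claim now</a></body></html>
"""
WHOIS_CREATED = datetime(2019, 12, 24, tzinfo=timezone.utc)  # constructed WHOIS creation date

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def collect_artifacts(raw: bytes) -> dict:
    """Pull the artifacts the walkthrough records by hand (sender, recipient, subject,
    date, sender IP, links) from a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # The topmost Received header is the hop our own gateway logged, so its
    # bracketed IP is the connecting sender, not something the attacker can forge.
    received = msg.get_all("Received", [])
    ip_match = IP_RE.search(received[0]) if received else None
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    urls = HREF_RE.findall(html)  # link targets are copied, never visited
    return {
        "sender": msg["From"].addresses[0].addr_spec,
        "recipient": msg["To"].addresses[0].addr_spec,
        "subject": str(msg["Subject"]),
        "date": msg["Date"].datetime,
        "sender_ip": ip_match.group(1) if ip_match else None,
        "urls": urls,
        "domains": sorted({urlparse(u).hostname for u in urls}),
    }


def domain_age_days(created: datetime, seen: datetime) -> int:
    """Domain age at the time the email was seen, from the WHOIS creation date."""
    return (seen - created).days


def is_young_domain(created: datetime, seen: datetime, max_age_days: int = 90) -> bool:
    """Assumed cutoff: the walkthrough calls 42 days very young but names no threshold."""
    return domain_age_days(created, seen) < max_age_days
```

The domains list feeds the web-proxy block and the sender address the mail-gateway block described in the defensive-measures steps.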
And there we have it! It’s time to put your skills to the test. In the next activity you will be required to identify malicious emails mixed with legitimate emails, and analyse them to collect artifacts and determine appropriate defensive measures.