
Good Hunting!

Ata Erdemir
4 min read · Feb 1, 2022

Greetings to everyone,

As you know, malicious actors target an organization or company by going after the human factor, which is the weakest link in cybersecurity. Sometimes they target regular employees, sometimes senior ones. Sometimes they craft regular, carefully prepared phishing emails, and sometimes amateurishly prepared emails that give themselves away, attacking with C2 servers that they hide behind a cloud service.

In this investigation I used only the tools shown below:

Today we will analyze a phishing email and try to find the attacker. Shall we start?

The story begins with an e-mail sent to a senior manager. The e-mail was sent with the subject “A Contract_Documents_Has Been Shared For Your Review”, and its contents are as follows:

Phishing e-mail

The “open document” URL is: https://carlosslimhelu56590266.lt.emlnk.com/Prod/link-tracker?notrack=1&redirectUrl=aHR0cHMlM0ElMkYlMkZmYW1pbGlhci1oaWNrb3J5LXdpbmRmbG93ZXIuZ2xpdGNoLm1lJTJG&sig=9h8YMT4iVPM9Van69nGMRwhqHirasttkCwMo3cCUpkNs&iat=1643590930&a=%7C%7C68126552%7C%7C&account=carlosslimhelu56590266%2Eactivehosted%2Ecom&email=gDfdXSQoigTtI3b4F1uI2iguYlBN%2B75lCYd38l3PIHk%3D&s=3b33ccf50abfa4a70a90c0854f265ea2&i=2A4A1A8#john.doe@example.com

After replacing the target person’s e-mail address in the link, I wondered what the landing page of the phishing mail looked like. To check that, I used urlscan.io.

Landing page of phishing e-mail.

As you can imagine, this is a snapshot. When loading completes you will see the landing page itself, which contains the credential form. In addition, you can see the “submitted url” and “effective url” here:

This link makes 8 HTTP requests, which should be checked afterwards. We can also see that this link has already been reported by someone else.

Now we can check the HTTP requests for URLs that may give us some information.

HTTP requests

While checking these requests, I noticed a script.js among them and wanted to investigate it more deeply.

You will see a bunch of code here:

JS page

On this page I wondered where the credentials are sent after they are entered, so I searched the page for “password”.

Something caught my attention during the review. Next to one of the “password” matches I found data encoded as base64. I decoded it with CyberChef and found the information below:

Decoded format.
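The two decoding steps above (the base64 `redirectUrl` parameter of the link-tracker URL, and the base64 literal found next to “password” in script.js) can be scripted so they are repeatable across a mailbox full of similar reports. This is an added example, not code from the original post; it uses the tracker URL from the post, while the script.js sample is constructed, because the real decoded values are only visible in the screenshots.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The "open document" link from the post, cut down to the parameters used here
# (the author had already replaced the recipient in the fragment).
TRACKER_URL = ("https://carlosslimhelu56590266.lt.emlnk.com/Prod/link-tracker?notrack=1"
               "&redirectUrl=aHR0cHMlM0ElMkYlMkZmYW1pbGlhci1oaWNrb3J5LXdpbmRmbG93ZXIuZ2xpdGNoLm1lJTJG#john.doe@example.com")

# Constructed stand-in for the script.js in the post: the real decoded values are
# only visible in the screenshots, so this literal decodes to a placeholder URL.
SAMPLE_JS = """var p = document.forms[0].password.value;
var dst = atob("aHR0cHM6Ly9leGFtcGxlLmNvbS9jb2xsZWN0LnBocA==");
"""

def b64_decode_lenient(token):
    """Decode base64, tolerating stripped padding; None if not valid base64."""
    try:
        return base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def resolve_tracker_redirect(url):
    """Recover the landing page hidden in a link-tracker's redirectUrl parameter."""
    parts = urlsplit(url)
    raw = parse_qs(parts.query).get("redirectUrl", [""])[0]
    data = b64_decode_lenient(raw) if raw else None
    # The decoded value is itself URL-encoded (https%3A%2F%2F...), hence unquote.
    landing = unquote(data.decode("utf-8", "replace")) if data else None
    return {"tracker_host": parts.netloc, "landing_url": landing,
            "landing_host": urlsplit(landing).netloc if landing else None,
            "recipient": parts.fragment}

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def find_decodable_strings(script):
    """Return (literal, decoded) pairs for base64 literals that decode to printable text."""
    hits = []
    for m in B64_TOKEN.finditer(script):
        data = b64_decode_lenient(m.group(0))
        try:
            text = data.decode("utf-8") if data else ""
        except UnicodeDecodeError:
            continue
        if text and text.isprintable():
            hits.append((m.group(0), text))
    return hits
```

The recovered `landing_host` is the value to pivot on in urlscan.io, and `find_decodable_strings` gives you every decodable literal in a script at once instead of searching around “password” by hand.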

asotrading is a real company, and its domain was registered in 2003.

The company website

In this case, the attacker uses a meaningless Gmail address and hides behind a real company, so that is all the research that can be done for now. To take the investigation further in an interactive way, you can engage with the relevant e-mail, opening up the topic and using your social engineering skills to steer the sender into providing you with more information.

At this point, I just wanted to show you what to look for, and where, when reviewing an average phishing email. Of course, you can go further, all the way to accessing the attacker’s server. I hope I have been able to provide some useful information and add something of value for you.

Stay Safe!

MSc. Ata Sahan Erdemir

Cyber Security Engineer
