How To Do Analysis of a Phishing E-mail

Ata Erdemir
Feb 24, 2020

We have all received emails from senders we didn’t know. Sometimes they are about an invoice, sometimes about a notification we supposedly missed in our Outlook account. Some of us have surely clicked on one and had their personal information stolen. ( Come on, we can all make mistakes :) ) The important thing is that we don’t fall for the same phishing line afterwards, so we need to be aware of these kinds of social engineering tricks. In this article, I will show you how to tell whether a mail is phishing or not, so that you can do your own analysis at home.

As you can see, this looks like a normal Outlook login page. So far everything seems normal, but if you check the URL bar you will see something like “ https://www[.]your-job.info/vrfy/?__ASL_=notreal@nocorp[.]com “. Let’s assume you received this link in your Outlook mail. For phishing forensics there are some basic websites, such as:

· Urlscan.io

· Talosintelligence.com

· Virustotal.com

Mostly I use urlscan.io, because it lets you see whether there is a landing page or not. urlscan also gives you a lot of information about the URL; for example, you can see the redirect chain once the scan has completed. I will explain all of this with images.

Note: The links are generally not as short as this one. Often the real target is wrapped in a redirector, and we need to take the part after “url=(http……..)” and before “&data”. In other words, the piece between “url=” and “&data” is the specific part we need.

URLSCAN.IO

As you can see, many users are searching for suspicious links here. Now I will paste our “phishing” link into the “URL to scan” box.

However, there are some important points here. First, we need to consider privacy. Links of this type can contain user credentials (in our example, the e-mail address in the query string), so we need to make some changes to the link before submitting it to a public scanner. This can be as simple as replacing the e-mail address itself with a placeholder (example@example.com).

Now we are ready to scan.
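As an added example (not code from the article), the following Python helper does the two preparation steps described above: it pulls the target out of the “url=” … “&data” wrapper and replaces the e-mail address in the query string with a placeholder before the link is submitted to a public scanner, and also produces a defanged copy for the write-up. The wrapper domain and the tracking value in the sample link are constructed for the demo.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample (not from the article): a redirector link that carries the
# real landing page in "url=" and a tracking blob in "data=".
WRAPPED_LINK = (
    "https://safelinks.example.net/?url="
    "https%3A%2F%2Fwww.your-job.info%2Fvrfy%2F%3F__ASL_%3Dnotreal%40nocorp.com"
    "&data=04%7C01%7Cabc123"
)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_wrapped_url(link):
    """Return the value of the url= parameter, i.e. the piece between
    'url=' and '&data', already percent-decoded. None if there is none."""
    values = parse_qs(urlsplit(link).query).get("url")
    return values[0] if values else None


def redact_emails(url, placeholder="example@example.com"):
    """Replace every e-mail address found in the query string, so the victim's
    identity is not leaked when the link is submitted to a public scanner."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    cleaned = {k: [EMAIL_RE.sub(placeholder, v) for v in vs] for k, vs in query.items()}
    return urlunsplit(parts._replace(query=urlencode(cleaned, doseq=True)))


def defang(url):
    """Make the URL non-clickable for reports: hxxps:// and [.] in the host only."""
    parts = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(parts.scheme, parts.scheme)
    return urlunsplit(parts._replace(scheme=scheme, netloc=parts.netloc.replace(".", "[.]")))


def prepare_for_scan(link):
    """Full pipeline: unwrap, redact, and produce a defanged copy for the write-up."""
    target = extract_wrapped_url(link) or link  # not every link is wrapped
    safe = redact_emails(target)
    return {"target": target, "submit": safe, "report": defang(safe)}


if __name__ == "__main__":
    for key, value in prepare_for_scan(WRAPPED_LINK).items():
        print(f"{key:7s} {value}")
```

The "submit" value is what goes into the scanner; the "report" value is the defanged form you paste into notes or tickets.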

This is the first page you see once the scan is done. There are several sections along the top: Summary, HTTP, Behaviour, IoCs, Similar, DOM, Content and API. As security analysts we mostly use the Summary, HTTP and DOM pages, but of course it depends on what you want to achieve.

Summary

This section gives general information about the web site, such as contacted IP addresses with their countries, domains, HTTP transactions, IPv6 information, location, the domain itself, TLS certificate validity, etc. Another feature is that it shows whether the site has been tagged as malicious or not; in the image you can see that this one is tagged as a malicious website. You can also see how many times it has been searched on urlscan.

HTTP

Here we can see the HTTP methods, such as GET, and possibly POST as well. You can see the status, resource path, size of the data, type and IP location. In this case we have some jpg and svg files, but in a different example you could also see .js files. You can click “show response” to view the response body for each of them, too.

Behaviour

Here we can see some objects together with urlscan’s category, tag and phishing-against fields. There is also a JavaScript Global Variables section for identifying possible client-side frameworks and code.

IoCs

As described in the image, this section lists the indicators around the attack, such as IPs, hashes, domains, etc.

Similar

It contains URLs with a similar structure and tells you when each one was submitted, its size, the number of HTTP connections, flags and location.

DOM

The Document Object Model shows us the structure of the web site. Here we can investigate the URL more deeply; generally we are looking for JavaScript code.

Content

Here we can see the POST methods for this case. If you scroll down, you will also be able to see the text content.

API

In this case there is not much to say; it is what the name says.

Talos Intelligence

This is where you insert the URL.

Virus Total

You can upload a file, insert a URL, or search for hashes, IP addresses or domains.

As you can see, this checks various sources about the URL itself. Every source has its own verdict tag for the URL.

Online Curl

This is really useful if a proxy or firewall blocks you, because you can make the request from this website instead. For our example the output looks like this:

There are some important points here. Some phishing campaigns target specific geographies, which means that if you are not in the right location for the campaign, you will probably be redirected to some unrelated page, such as Wikipedia.

Conclusion

This was a really basic walkthrough. Nowadays phishing attacks are getting smarter and harder to detect. Attackers are always developing creative social engineering tricks and new technical methods, so we need to follow new phishing campaigns frequently. There are a lot of sources on the internet: thousands of blogs and news websites dedicated to cyber security, and you can follow some of them. For tracking still-ongoing campaigns I can recommend “phishtank.com”. Keep yourself updated, and don’t take the bait.
