We covered phishing attacks, how they work, the components of a phishing email, the components of phishing infrastructure, phishing assessment tools such as Gophish and SET, and how to stay guarded and protected from phishing attacks. This video used the lab material from the TryHackMe room named Phishing, part of the red team track.
We also covered practical phishing email analysis scenarios using PhishTool and Any.run. In the first scenario we analyzed an email pretending to come from Netflix, and the other two scenarios contained malicious attachments that made calls to malicious servers and DNS names. This was part of TryHackMe Phishing Analysis Tools.
We also went over a practical email phishing analysis scenario using Thunderbird. We highlighted specific areas for analysis such as the sender email, Return-Path, sender domain, SPF records, originating IP address and the email attachment. We found the email attachment to be malicious by analyzing it with VirusTotal. Additionally, the email contained grammatical errors and was addressed to a generic recipient. That was part of TryHackMe Greenholt Phish.
Understanding and Assessing Phishing Attacks
I recently delved into the world of phishing attacks, covering their definition, various components, the infrastructure they rely on, how to assess them, and crucial protection measures.
What Phishing Attacks Are
I learned that phishing attacks are a form of social engineering 🎣. Social engineering involves using psychological methods to extract information from people by exploiting their weaknesses. While phishing relies on technology, it heavily leverages human vulnerabilities.
The psychological methods often seen in phishing emails include:
- Urgency: Creating a sense of immediate need, like claiming an account is compromised or blocked, to pressure the recipient into clicking a link to “solve” the problem.
- Greed: Luring users with promises of benefits such as rewards, coupons, discounts, or giveaways if they click a link or provide information.
In essence, a phishing attack is a social engineering attack that uses email to harvest user information or infect computers.
Types of Phishing
I explored two main types of phishing:
- Spear Phishing: This targets a specific individual, often using personalized information to make the email appear more legitimate and convincing.
- Mass Phishing: This targets a large number of people indiscriminately, hoping that a percentage will fall for the scam.
Components of a Phishing Email
I broke down the key elements of a phishing email:
- Sender Address: This is critical for credibility. For spear phishing, attackers might mimic a target’s company domain (e.g., julian@x.com for someone at x.com). Attackers often spoof the sender address to make it look legitimate.
- Email Subject: This typically employs psychological tricks like urgency or greed (e.g., “Your account has been blocked,” “Here’s a giveaway”).
- Email Content: The body of the email aligns with the subject. If the goal is to harvest information, it will include a link to a fake login page. If the goal is to infect a computer, it will contain an attachment (e.g., a fake bill) designed to install malware.
Infrastructure for Phishing Attacks
I also covered the infrastructure attackers need to set up a phishing campaign:
- Domain Name: Attackers buy domain names that look legitimate. Techniques include typo squatting (using similar-looking domains like gooogle.com instead of google.com) or buying expired domains that might have a good reputation to avoid spam filters.
- SSL Certificate: This is used to make the fake landing page appear secure with https.
- Email Hosting: To create and send emails from the purchased domain name.
- Web Hosting: To host the fake landing page.
- Analytics Platform (Optional): Used to track who opened emails, clicked links, or downloaded attachments, especially useful in red team engagements.
Phishing Assessment
I discussed how red teamers or penetration testers conduct phishing assessments to test an organization’s security awareness and culture. This involves sending simulated phishing emails to employees and monitoring their actions.
Tools commonly used for phishing assessments include:
- Social Engineering Toolkit (SEToolkit): This comes pre-installed in Kali Linux.
- GoPhish: A powerful framework that I demonstrated in the video, which helps manage all components of a phishing campaign.
How to Protect from Phishing Attacks
I emphasized that awareness is the best defense against phishing attacks. Key protection measures include:
- Verify Sender Address: Always carefully check the sender’s email address and domain name for subtle differences or typos.
- Be Cautious with Links and Attachments: Never click on links or open attachments from unrecognized senders or if the email seems suspicious.
- I also recommended “The Art of Deception” by Kevin Mitnick for further insights into the psychological factors used by attackers.
GoPhish Framework Demonstration
I walked through a practical demonstration of using the GoPhish framework for a phishing campaign:
- Sender Profile: I configured the sender’s email address and SMTP server details (e.g., no-reply@redteam.thm).
- Landing Page: I created the fake page where users would be directed, either by pasting HTML code or importing an existing site. I enabled “Capture submitted data” and “Capture passwords.”
- Email Template: I designed the content of the phishing email, including the subject and body, inserting a URL variable (e.g., {{.URL}}) for the phishing link.
- User Groups (Targets): I defined the list of recipients, adding them manually or importing from a CSV.
- Campaigns: I launched the phishing campaign by selecting the configured email template, landing page, redirection URL, sending profile, and target group.
- Analytics (Dashboard): I showed how to monitor the campaign’s progress, including emails sent, opened, links clicked, and data submitted, and how to view captured credentials.
Examples of Identifying Phishing Emails
I went through several examples from a TryHackMe challenge to illustrate how to spot phishing attempts:
- Example 1 (Google): An email from support@google.com with a link whose text appeared legitimate (myaccount.google.com), but the actual link (visible on hover) pointed to myaccount.gooogle-support.com. This was a phishing email because of the typo-squatted domain.
- Example 2 (Banking Group): An email from accounts@thebankinggroup.thm with a “Finance report” link pointing to bankinggroup.shared-hosting.thm. This was a phishing email because of the suspicious link domain and a subtle misspelling in the sender’s domain (thebanknggroup.thm).
- Example 3 (TryHackMe): An email from no-reply@tryhackme-support.thm with a link pointing to the legitimate tryhackme.com. This was considered safe in the context of the challenge.
- Example 4 (Acme IT Support): An email from accounts@acmeitsupport.thm with a PDF attachment. Since the sender was unknown and attachments can contain malware, I treated it as phishing, advising against trusting PDF attachments from untrusted or unexpected sources.
Finally, I showed how the GoPhish dashboard displays analytics, allowing me to view captured usernames and passwords from users who fell for the simulated attack.
Room Answers | TryHackMe Phishing
What type of phishing campaign do red teams get involved in?
What should be changed on an HTML anchor tag to disguise a link?
What protocol has TXT records that can improve email deliverability?
What tool can automate a phishing campaign and include analytics?
What is the term used to describe registering a similar domain name with a spelling error?
Room Answers | TryHackMe Phishing Analysis Fundamentals
What port is classified as Secure Transport for IMAP?
What port is classified as Secure Transport for POP3?
What email header is the same as “Reply-to”?
Once you find the email sender’s IP address, where can you retrieve more information about the IP?
In the above screenshots, what is the name of the PDF attachment?
In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?
What trusted entity is this email masquerading as?
What is the sender’s email?
What is the subject line?
What is the URL link for – CLICK HERE? (Enter the defanged URL)
Room Answers | TryHackMe Phishing Analysis Tools
What is the official site name of the bank that capitai-one.com tried to resemble?
What brand was this email tailored to impersonate?
What is the From email address?
From what you can gather, what do you think will be a domain of interest? Defang the domain.
What is the shortened URL? Defang the URL.
What is the name of the PDF file?
What is the SHA 256 hash for the PDF file?
What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP_ADDR,IP_ADDR)
What Windows process was flagged as Potentially Bad Traffic?
What is the name of the Excel file?
What is the SHA 256 hash for the file?
What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)
What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)
What vulnerability does this malicious attachment attempt to exploit?
Room Answers | TryHackMe Phishing Emails in Action
Room Answers | TryHackMe Phishing Prevention
Referencing the dmarcian SPF syntax table, what prefix character can be added to the “all” mechanism to ensure a “softfail” result?
Correct Answer: ~
What is the meaning of the -all tag?
What Wireshark filter can you use to narrow down the packet output using SMTP status codes?
Correct Answer: smtp.response.code
Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)
Correct Answer: <domain> service ready
One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)
Correct Answer: 156,553
Based on the packet from the previous question, what was the message regarding the mailbox?
Correct Answer: mailbox name not allowed
What is the status code that will typically precede a SMTP DATA command?
Correct Answer: 354
What port is the SMTP traffic using?
Correct Answer: 25
How many packets are specifically SMTP?
Correct Answer: 512
What is the source IP address for all the SMTP traffic?
Correct Answer: 10.12.19.101
What is the filename of the third file attachment?
Correct Answer: attachment.scr
How about the last file attachment?
Correct Answer: .zip
Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?
Correct Answer: Zebrocy
Room Answers | TryHackMe Phishing Prevention
Who is the email from?
What is his email address?
What is the Originating IP?
Who is the owner of the Originating IP? (Do not include the “.” in your answer.)
What is the SPF record for the Return-Path domain?
What is the DMARC record for the Return-Path domain?
What is the name of the attachment?
What is the SHA256 hash of the file attachment?
What is the attachment’s file size? (Don’t forget to add “KB” to your answer, NUM KB)
What is the actual file extension of the attachment?