We covered phishing attacks: how they work, the components of a phishing email, the components of phishing infrastructure, phishing assessment tools such as GoPhish and SET, and how to stay guarded against phishing attacks. This video used the lab material from the TryHackMe room named Phishing, part of the Red Team track.
We also covered practical phishing email analysis scenarios using PhishTool and Any.run. In the first scenario we analyzed an email pretending to come from Netflix; the other two scenarios contained malicious attachments that made calls to malicious servers and DNS names. This was part of TryHackMe Phishing Analysis Tools.
We also went over a practical email phishing analysis scenario using Thunderbird. We highlighted specific areas for analysis such as the sender email, Return-Path, sender domain, SPF records, originating IP address and the email attachment. We found the email attachment to be malicious by analyzing it with VirusTotal. Additionally, the email contained grammatical errors and was addressed to a generic recipient. That was part of TryHackMe Greenholt Phish.
Phishing is a form of social engineering delivered through email to trick someone into either revealing personal information, credentials or even executing malicious code on their computer. These emails will usually appear to come from a trusted source, whether that’s a person or a business. They include content that tries to tempt or trick people into downloading software, opening attachments, or following links to a bogus website.
We have three things to work with regarding phishing emails: the sender’s email address, the subject and the content.
Different types of malicious emails can be classified as one of the following:
- Spam – unsolicited junk emails sent out in bulk to a large number of recipients. The more malicious variant of Spam is known as MalSpam.
- Phishing – emails sent to a target(s) purporting to be from a trusted entity to lure individuals into providing sensitive information.
- Spear phishing – takes phishing a step further by targeting a specific individual(s) or organization seeking sensitive information.
- Whaling – similar to spear phishing, but targeted specifically at C-level, high-position individuals (CEO, CFO, etc.); the objective is the same.
- Smishing – takes phishing to mobile devices by targeting mobile users with specially crafted text messages.
- Vishing – is similar to smishing, but instead of using text messages for the social engineering attack, the attacks are based on voice calls.
When it comes to phishing, the modus operandi varies with the objective of the email. For example, one objective can be to harvest credentials; another is to gain access to the victim's computer.
Below are typical characteristics phishing emails have in common:
- The sender's name/address masquerades as a trusted entity (email spoofing)
- The subject line and/or body text is written with a sense of urgency, or uses keywords such as Invoice, Suspended, etc.
- The email body (HTML) is designed to mimic a trusted entity (such as Amazon)
- The email body (HTML) is poorly formatted or written (contrary to the previous point)
- The email body uses generic content, such as Dear Sir/Madam
- Hyperlinks (often routed through URL shortening services to hide the true destination)
- A malicious attachment posing as a legitimate document
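The indicators in the list above can be checked mechanically from the raw message, which is how the PhishTool and Thunderbird walkthroughs on this page look at an email (From vs Reply-To/Return-Path domains, the originating IP in the bottom-most Received header, urgency words, a generic greeting, shortened links, and an attachment whose real type differs from its declared extension). The script below is an added example written for this page, not code from the TryHackMe rooms or from any tool named here. The message, every domain, address and IP in it, and the "attachment" (a 60-byte stub beginning with the PE "MZ" header, not real malware) are constructed; the keyword, shortener and magic-byte lists are my own choices.

```python
"""Heuristic triage of a raw RFC 822 message for the phishing indicators above.

Added example, not from the TryHackMe rooms or any tool named on the page.
All sample data is constructed and fictitious.
"""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "suspended", "invoice", "verify", "immediately", "overdue")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
GENERIC_GREETINGS = ("dear sir/madam", "dear customer", "dear user", "dear valued")
# Magic bytes -> the file type they really indicate, whatever the declared extension.
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0": "ole"}

# Constructed message: display name says PayPal but the domain does not, Reply-To and
# Return-Path differ from From, the link hides behind a shortener, and the "PDF"
# attachment is a 60-byte stub carrying a Windows PE (MZ) header.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer-notify.example>
Received: from mailer-notify.example (mailer-notify.example [203.0.113.45])
\tby mx.victim.example with ESMTP id abc123; Mon, 01 Jan 2024 10:00:00 +0000
From: "PayPal Support" <support@paypa1-secure.example>
Reply-To: collect@totally-different.example
To: customer@victim.example
Subject: URGENT: Your account has been suspended - invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>Dear Sir/Madam,<br>
Please <a href="https://bit.ly/3abcDEF">verify your account</a> within 24 hours.
</body></html>
--XYZ
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""


def _domain(header_value):
    """Domain of the first address in a header, lowercased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def originating_ip(msg):
    """IP in the bottom-most Received header: the hop closest to the real sender."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1])
    return m.group(1) if m else None


def sniff_type(data):
    """Identify a file by its leading magic bytes instead of trusting its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom = _domain(msg.get("From"))
    for header in ("Reply-To", "Return-Path"):
        dom = _domain(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{header.lower()} domain {dom} differs from From domain {from_dom}")

    subject = (msg.get("Subject") or "").lower()
    findings += [f"urgency keyword in subject: {w}" for w in URGENCY_WORDS if w in subject]

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(g in text.lower() for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    for url in re.findall(r'href=["\']([^"\']+)', text, flags=re.I):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"link via URL shortener: {host} ({url})")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):          # text/* attachments come back decoded
            data = data.encode()
        declared = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = sniff_type(data)
        if actual not in ("unknown", declared):
            findings.append(f"attachment {name} declared .{declared} but content is {actual}")
        attachments.append({"name": name, "sha256": hashlib.sha256(data).hexdigest(),
                            "declared": declared, "actual": actual})

    return {"from_domain": from_dom, "originating_ip": originating_ip(msg),
            "findings": findings, "attachments": attachments}
```

The SHA256 it prints is what you would paste into VirusTotal; the magic-byte check is the offline answer to "what is the actual file extension", and the Received-header walk gives the originating IP to look up in a WHOIS or IP-reputation service. None of this proves an email is malicious; it ranks what to look at first.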
GoPhish is a web-based framework that makes setting up phishing campaigns more straightforward. It lets you store the SMTP server settings used to send emails, includes a web-based tool for creating email templates with a simple WYSIWYG (What You See Is What You Get) editor, lets you schedule when emails are sent, and has an analytics dashboard that shows how many emails have been sent, opened or clicked.
SET (Social Engineering Toolkit) – trustedsec.com
The Social Engineering Toolkit contains a multitude of tools, but some of the important ones for phishing are the ability to create spear-phishing attacks and deploy fake versions of common websites to trick victims into entering their credentials.
Droppers are software that phishing victims are tricked into downloading and running on their system. The dropper may advertise itself as something useful or legitimate, such as a codec to view a certain video or software to open a specific file.
Droppers are not usually malicious in themselves, so they tend to pass antivirus checks. Once run, the intended malware is either unpacked or downloaded from a server and installed on the victim's computer. That malware usually connects back to the attacker's infrastructure; the attacker can then take control of the victim's computer and use it to explore and exploit the local network.
Choosing the right phishing domain to launch your attack from is essential to gaining a psychological edge over your target. A red team engagement can use some of the methods below for choosing a domain name.
Although not essential, buying a domain name with some history may earn better scoring from spam filters, which tend to distrust brand-new domain names compared to ones with a history.
Typosquatting is when a registered domain looks very similar to the target domain you’re trying to impersonate. Here are some of the common methods:
- Misspelling: goggle.com vs google.com
- Additional period: go.ogle.com vs google.com
- Switching numbers for letters: g00gle.com vs google.com
- Phrasing: googles.com vs google.com
- Additional word: googleresults.com vs google.com
These changes might look unrealistic, but at a glance, the human brain tends to fill in the blanks and see what it wants to see, i.e. the correct domain name.
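The five techniques above are mechanical, so both sides can automate them: a red team generates candidate domains to register, and a defender scores newly observed domains against the brands it protects. The script below is an added example written for this page, not TryHackMe material or the code of any existing typosquat tool. It generalizes the page's single-edit examples to every one-character edit, every period position and every combination of digit look-alikes; the extra words, the letter-to-digit map and the 0.8 similarity threshold are my own choices, and google.com is used only because it is the page's example.

```python
"""Generate typosquat candidates with the five techniques above, and score an
observed domain against a protected one.

Added example, not TryHackMe material or any existing tool's code.
"""
import itertools
import string
from difflib import SequenceMatcher

LETTER_TO_DIGIT = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
DIGIT_TO_LETTER = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"}
EXTRA_WORDS = ("results", "login", "secure", "support", "mail")   # assumed list


def split_domain(domain):
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def misspellings(name):
    """Single-character edits: omit, double, transpose or substitute one letter."""
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                                  # gogle
        out.add(name[:i] + name[i] + name[i:])                            # gooogle
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])      # googel
        for c in string.ascii_lowercase:
            out.add(name[:i] + c + name[i + 1:])                          # goggle
    out.discard(name)
    return out


def additional_period(name):
    return {name[:i] + "." + name[i:] for i in range(1, len(name))}      # go.ogle


def digits_for_letters(name, max_swaps=3):
    """Replace any combination of up to max_swaps look-alike letters with digits."""
    spots = [i for i, ch in enumerate(name) if ch in LETTER_TO_DIGIT]
    out = set()
    for r in range(1, min(len(spots), max_swaps) + 1):
        for combo in itertools.combinations(spots, r):
            chars = list(name)
            for i in combo:
                chars[i] = LETTER_TO_DIGIT[chars[i]]
            out.add("".join(chars))                                       # g00gle
    return out


def phrasing(name):
    return {name + "s"}                                                   # googles


def additional_word(name):
    return {name + w for w in EXTRA_WORDS} | {w + name for w in EXTRA_WORDS}  # googleresults


def typosquats(domain):
    """Candidate domains grouped by technique, each keeping the target's TLD."""
    name, tld = split_domain(domain)
    generators = {"misspelling": misspellings, "additional_period": additional_period,
                  "digits_for_letters": digits_for_letters, "phrasing": phrasing,
                  "additional_word": additional_word}
    return {kind: sorted(f"{c}.{tld}" for c in gen(name)) for kind, gen in generators.items()}


def normalise(name):
    """Undo the visual tricks: drop inserted periods and map digits back to letters."""
    return "".join(DIGIT_TO_LETTER.get(c, c) for c in name.replace(".", ""))


def looks_like(candidate, target, threshold=0.8):
    """Defender-side check: a domain that is not the target but reads like it."""
    if candidate.lower() == target.lower():
        return False
    cand, _ = split_domain(candidate)
    real, _ = split_domain(target)
    norm = normalise(cand)
    return real in norm or SequenceMatcher(None, norm, real).ratio() >= threshold
```

Feed looks_like() the domains from certificate-transparency logs or newly registered domain feeds to catch lookalikes of your own brand early; the same list, used offensively, is a candidate set to check for availability before an engagement. Expect false positives from legitimate domains that merely contain the brand name.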
Room Answers | TryHackMe Phishing
What type of phishing campaign do red teams get involved in?
What should be changed on an HTML anchor tag to disguise a link?
What protocol has TXT records that can improve email deliverability?
What tool can automate a phishing campaign and include analytics?
What is the term used to describe registering a similar domain name with a spelling error?
Room Answers | TryHackMe Phishing Analysis Fundamentals
What port is classified as Secure Transport for IMAP?
What port is classified as Secure Transport for POP3?
What email header is the same as “Reply-to”?
Once you find the email sender’s IP address, where can you retrieve more information about the IP?
In the above screenshots, what is the name of the PDF attachment?
In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?
What trusted entity is this email masquerading as?
What is the sender’s email?
What is the subject line?
What is the URL link for – CLICK HERE? (Enter the defanged URL)
Room Answers | TryHackMe Phishing Analysis Tools
What is the official site name of the bank that capitai-one.com tried to resemble?
What brand was this email tailored to impersonate?
What is the From email address?
From what you can gather, what do you think will be a domain of interest? Defang the domain.
What is the shortened URL? Defang the URL.
What is the name of the PDF file?
What is the SHA 256 hash for the PDF file?
What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP_ADDR,IP_ADDR)
What Windows process was flagged as Potentially Bad Traffic?
What is the name of the Excel file?
What is the SHA 256 hash for the file?
What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)
What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)
What vulnerability does this malicious attachment attempt to exploit?
Room Answers | TryHackMe Phishing Emails in Action
Room Answers | TryHackMe Phishing Prevention
Referencing the dmarcian SPF syntax table, what prefix character can be added to the “all” mechanism to ensure a “softfail” result?
What is the meaning of the -all tag?
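The two questions above come down to how a receiving server evaluates an SPF TXT record: mechanisms are tried left to right, and the qualifier on the final "all" (a "-" for fail, a "~" for softfail) decides what happens to a sender that matched nothing else. The evaluator below is an added example written for this page, not code from TryHackMe, dmarcian or any SPF library. DNS is replaced by the constructed FAKE_DNS_TXT table so it runs offline; the domains and addresses in it are fictitious, and only the ip4, ip6, include and all mechanisms are implemented (others return permerror rather than being silently skipped).

```python
"""Minimal SPF (RFC 7208) evaluator showing what the qualifier on "all" does.

Added example, not TryHackMe, dmarcian or library code. DNS lookups are replaced
by a constructed in-memory table; domains and IPs are fictitious.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records standing in for DNS answers.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # RFC 7208: no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_host(ip, domain, lookup=FAKE_DNS_TXT.get, depth=0):
    """SPF result for ip sending as domain: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                            # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup(domain.lower())
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]       # -all -> fail, ~all -> softfail
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # Only a "pass" from the included record counts as a match;
            # its own fail/softfail does not propagate.
            if check_host(ip, arg, lookup, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"                # a, mx, ptr, exists, redirect not implemented
    return "neutral"                          # no "all" term and nothing matched
```

The difference matters operationally: most receivers reject or quarantine on "fail" but only add a score on "softfail", so a domain published with "~all" is easier to spoof than one with "-all". Note the include rule: a softfail inside an included record does not make the outer evaluation softfail; the outer record's own "all" still decides.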
What Wireshark filter can you use to narrow down the packet output using SMTP status codes?
Correct Answer: smtp.response.code
Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)
Correct Answer: <domain> service ready
One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)
Correct Answer: 156,553
Based on the packet from the previous question, what was the message regarding the mailbox?
Correct Answer: mailbox name not allowed
What is the status code that will typically precede a SMTP DATA command?
Correct Answer: 354
What port is the SMTP traffic using?
Correct Answer: 25
How many packets are specifically SMTP?
Correct Answer: 512
What is the source IP address for all the SMTP traffic?
Correct Answer: 10.12.19.101
What is the filename of the third file attachment?
Correct Answer: attachment.scr
How about the last file attachment?
Correct Answer: .zip
Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?
Correct Answer: Zebrocy
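The SMTP questions above are answered by reading the conversation between client and server: each server reply carries a three-digit code, 354 is the reply to DATA that tells the client to send the message body, 5xx after RCPT TO is a permanent rejection (here annotated with a spamhaus.org URL), and attachment names appear in Content-Disposition headers inside the DATA section. The parser below is an added example written for this page, not TryHackMe material or output from the room's pcap. The transcript is constructed in the shape Wireshark's Follow TCP Stream shows; every host, address, IP, queue id and filename in it is fictitious, and the line numbers it reports are transcript lines, not Wireshark packet numbers.

```python
"""Extract status codes, the DATA prompt, 5xx rejections and attachment names
from a captured SMTP conversation.

Added example, not TryHackMe material; the transcript is constructed.
"""
import re

SAMPLE_STREAM = """\
S: 220 mail.example.net ESMTP service ready
C: EHLO sender.example.org
S: 250-mail.example.net Hello
S: 250 SIZE 20480000
C: MAIL FROM:<bob@sender.example.org>
S: 250 2.1.0 Ok
C: RCPT TO:<alice@example.net>
S: 553 5.3.0 Rejected, see https://www.spamhaus.org/query/ip/203.0.113.9 - mailbox name not allowed
C: RSET
S: 250 2.0.0 Ok
C: RCPT TO:<carol@example.net>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: bob@sender.example.org
C: Subject: Invoice
C: Content-Type: multipart/mixed; boundary="b1"
C:
C: --b1
C: Content-Disposition: attachment; filename="invoice.pdf"
C:
C: --b1
C: Content-Disposition: attachment; filename="attachment.scr"
C:
C: --b1--
C: .
S: 250 2.0.0 Ok: queued as 4F3A2
C: QUIT
S: 221 2.0.0 Bye
"""


def parse_stream(text):
    """Return (line_no, side, payload) triples; side is 'S' (server) or 'C' (client)."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if line[:2] in ("S:", "C:"):
            events.append((n, line[0], line[3:]))
    return events


def status_messages(events):
    """First message text seen for each server reply code, e.g. {220: '... service ready'}."""
    out = {}
    for _, side, payload in events:
        m = re.match(r"(\d{3})[ -](.*)", payload) if side == "S" else None
        if m:
            out.setdefault(int(m.group(1)), m.group(2))
    return out


def rejected_recipients(events):
    """(line_no, code, message) for every RCPT TO answered with a 5xx permanent failure."""
    out, pending = [], False
    for n, side, payload in events:
        if side == "C" and payload.upper().startswith("RCPT TO:"):
            pending = True
        elif side == "S" and pending:
            m = re.match(r"(5\d{2}) (.*)", payload)
            if m:
                out.append((n, int(m.group(1)), m.group(2)))
            pending = False
    return out


def data_prompt(events):
    """The reply code the server sends to DATA; a compliant server answers 354."""
    expecting = False
    for _, side, payload in events:
        if side == "C" and payload.upper() == "DATA":
            expecting = True
        elif side == "S" and expecting:
            return int(payload[:3])
    return None


def attachment_names(events):
    """Filenames declared in Content-Disposition headers between DATA and the lone '.'."""
    names, in_data = [], False
    for _, side, payload in events:
        if side == "C" and payload.upper() == "DATA":
            in_data = True
        elif in_data and side == "C":
            if payload == ".":
                in_data = False
            else:
                names += re.findall(r'filename="([^"]+)"', payload, flags=re.I)
    return names
```

In Wireshark the same facts come from the smtp.response.code filter the page names, plus the IMF dissection of the DATA section for attachment names; a .scr attachment (a Windows screensaver, which is an executable) arriving this way is the kind of thing to pull out and hash before anything else.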
Room Answers | TryHackMe Greenholt Phish
Who is the email from?
What is his email address?
What is the Originating IP?
Who is the owner of the Originating IP? (Do not include the “.” in your answer.)
What is the SPF record for the Return-Path domain?
What is the DMARC record for the Return-Path domain?
What is the name of the attachment?
What is the SHA256 hash of the file attachment?
What is the attachment's file size? (Don't forget to add "KB" to your answer, NUM KB)
What is the actual file extension of the attachment?