Introduction

The article provides an in-depth analysis of a phishing attack case, focusing on real-world techniques. It details how phishing emails, disguised as legitimate communications, trick users into divulging credentials. Through investigating malicious PDF and HTML attachments, phishing kits, and SSL certificates, the article illustrates how attackers lure victims to fake login pages and steal sensitive data. Tools like VirusTotal and open-source intelligence are used to investigate the phishing infrastructure. This article is part of the TryHackMe “Snapped Phishing Line” challenge.

Scenario Overview

As a member of the IT department of SwiftSpend Financial, your task is to investigate a phishing incident reported by multiple employees.

Some of them have already submitted their credentials. You take on the role of a security analyst, tasked with analyzing the phishing emails to extract indicators of malicious activity.

Phishing Email Investigation

You begin by examining a phishing email with a PDF attachment that was received by “William McClean.”

The email looks legitimate, stating that it contains a “code for services.” However, the attachment could potentially be malicious, so you investigate it within an isolated virtual machine (VM).

Using VirusTotal, you scan the attachment and find potential threats.

Malicious PDF Analysis

The PDF resembles an Office 365 document, but it includes a suspicious call-to-action (CTA) button that redirects to a phishing page.

You avoid clicking directly on the link and instead copy the URL into a safe browser to investigate further.

The URL points to a suspicious domain, “kennaroads.buzz,” rather than a legitimate Office 365 site, indicating a phishing attempt.
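Before a URL copied out of an attachment is pasted into notes, a ticket or a chat, analysts usually defang it so it cannot be clicked by accident; the room answers below use the same hxxp[://] and [.] convention. The helpers here are an added example, not code from the room or the article author, and the defanging rules (every dot becomes [.], :// becomes [://], http becomes hxxp) are assumed from the format of those answers.

```python
import re
from urllib.parse import urlparse

# Added example: defang/refang helpers using the convention seen in the room answers.
# The rules below are an assumption about that convention, not a published standard.

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real URL (for parsing only, never for browsing)."""
    out = indicator.replace('[.]', '.').replace('(.)', '.').replace('[://]', '://')
    return re.sub(r'^hxxp', 'http', out, flags=re.IGNORECASE)


def defang(indicator: str) -> str:
    """Make a URL or hostname unclickable. Refangs first so the call is idempotent."""
    clean = refang(indicator)
    out = re.sub(r'^http', 'hxxp', clean, flags=re.IGNORECASE)
    return out.replace('://', '[://]').replace('.', '[.]')


def defang_text(text: str) -> str:
    """Defang every http(s) URL found in free text, leaving the rest untouched."""
    return URL_RE.sub(lambda m: defang(m.group(0)), text)


def indicator_host(indicator: str) -> str:
    """Extract the hostname from a (possibly defanged) URL, e.g. to pivot on the domain."""
    return urlparse(refang(indicator)).hostname or ''


if __name__ == '__main__':
    # Constructed note text; the URL is the one from the room answers.
    note = 'CTA button points to http://kennaroads.buzz/data/Update365.zip'
    print(defang_text(note))
    print(indicator_host('hxxp[://]kennaroads[.]buzz/data/Update365[.]zip'))
```

Because defang() refangs first, running it over text that is already defanged does not produce doubled brackets, which matters when several analysts append to the same case notes.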

HTML Email Investigation

Another phishing email is sent to an employee, Zoe Duncan. It contains an HTML attachment that redirects the user to a phishing page.

The analysis shows the HTML page attempts to redirect users to a fake login page to steal credentials.

Discovering the Phishing Kit

Further investigation leads to uncovering the phishing kit used by the attacker, hosted on a compromised server.

The video demonstrates how to analyze the phishing kit archive by downloading and extracting its contents to gather more threat intelligence.

Hashing and VirusTotal Scans

You generate a hash (SHA-256) for the phishing kit and submit it to VirusTotal for analysis, revealing it as a malicious file previously flagged by others.
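The hash step is easy to script so that the archive and, after extraction, every file inside it get a SHA-256 manifest that can be compared against known indicators and looked up on VirusTotal. This is an added example, not the room's or the author's code; the only indicator it carries is the archive hash from the room answers, the sample files it builds are constructed placeholders, and the VirusTotal URL pattern is the one the public web UI uses for file lookups.

```python
import hashlib
import os
import tempfile

# Added example. KIT_SHA256 is the archive hash from the room answers; the label is ours.
KIT_SHA256 = 'ba3c15267393419eb08c7b2652b8b6b39b406ef300ae8a18fee4d16b19ac9686'
KNOWN_BAD_SHA256 = {
    KIT_SHA256: 'Update365.zip phishing kit (TryHackMe Snapped Phishing Line)',
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(chunk_size), b''):
            h.update(chunk)
    return h.hexdigest()


def lookup(digest: str):
    """Return the label for a known-bad hash, or None if it is not in the list."""
    return KNOWN_BAD_SHA256.get(digest.lower())


def virustotal_url(digest: str) -> str:
    """Web UI lookup link for a file hash (no API key needed to view an existing report)."""
    return f'https://www.virustotal.com/gui/file/{digest.lower()}'


def hash_tree(root: str) -> dict:
    """SHA-256 manifest of every file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            manifest[rel] = sha256_file(full)
    return manifest


def find_known_bad(root: str) -> dict:
    """Relative paths under root whose hash matches a known-bad indicator."""
    return {rel: lookup(h) for rel, h in hash_tree(root).items() if lookup(h)}


def build_sample_tree():
    """Constructed stand-in for an extracted kit; the contents are placeholders, not the real files."""
    root = tempfile.mkdtemp(prefix='kit-sample-')
    files = {
        'Update365/index.html': b'<html>constructed placeholder, not the real kit</html>',
        'Update365/office365/login.php': b'<?php // constructed placeholder ?>',
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as f:
            f.write(data)
    return root, files


if __name__ == '__main__':
    root, _ = build_sample_tree()
    for rel, digest in sorted(hash_tree(root).items()):
        print(f'{digest}  {rel}  {lookup(digest) or ""}')
    print(virustotal_url(KIT_SHA256))
```

Point hash_tree() at the directory the archive was extracted into and keep the manifest with the case notes; it lets you prove later which files were examined and spot any file whose hash is already flagged.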

SSL Certificate and Domain Information

The video explains how to use open-source tools like ThreatBook to gather additional information, including SSL certificates and domain registration data.

Log File Examination

The attacker’s server contains logs of collected information, including IP addresses, user agents, and credentials submitted by victims.

You discover user passwords stored in these logs, revealing details about the phishing campaign’s victims.
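Working through a harvester log by hand is error-prone once it has more than a handful of entries, and it is easy to end up with victims' passwords in your own notes. The script below is an added example, not the room's or the author's code: it parses a constructed log whose layout (a separator line followed by Email, Password, IP and User-Agent fields) is an assumption about how such kits write their output, counts submissions per address to find anyone who submitted twice, and masks the captured passwords so the report can be shared with the affected users' team.

```python
import re
from collections import Counter, defaultdict

# Added example. The log below is constructed; the names, IPs, passwords and the
# field layout are made up and are not taken from the room's real log file.
SAMPLE_LOG = """\
--- Office365 ---
Email: jane.doe@swiftspend.finance
Password: Spring2020!
IP: 203.0.113.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/75.0
--- Office365 ---
Email: john.roe@swiftspend.finance
Password: hunter2
IP: 198.51.100.7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15
--- Office365 ---
Email: Jane.Doe@swiftspend.finance
Password: Spring2020!!
IP: 203.0.113.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/75.0
"""

FIELD_RE = re.compile(r'^(Email|Password|IP|User-Agent):\s*(.*)$')


def parse_log(text: str) -> list:
    """Split the log into one dict per submission; a line starting with '---' begins a new record."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith('---'):
            if current:
                records.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def mask(secret: str) -> str:
    """Keep only the first character: enough to show a value was captured, not enough to reuse it."""
    return secret[:1] + '*' * (len(secret) - 1) if secret else ''


def repeat_submitters(records: list) -> list:
    """Addresses that appear more than once, i.e. users who submitted their password twice."""
    counts = Counter(r.get('Email', '').lower() for r in records)
    return sorted(e for e, n in counts.items() if e and n > 1)


def victims_report(records: list) -> dict:
    """Per-victim summary suitable for a reset/notification list; passwords are masked."""
    by_email = defaultdict(list)
    for r in records:
        by_email[r.get('Email', '').lower()].append(r)
    report = {}
    for email, subs in by_email.items():
        report[email] = {
            'submissions': len(subs),
            'ips': sorted({s.get('IP', '') for s in subs}),
            'user_agents': sorted({s.get('User-Agent', '') for s in subs}),
            'distinct_passwords': len({s.get('Password', '') for s in subs}),
            'masked_passwords': [mask(s.get('Password', '')) for s in subs],
        }
    return report


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    print('submitted twice:', repeat_submitters(recs))
    for email, info in victims_report(recs).items():
        print(email, info)
```

Addresses are lower-cased before counting because kits record whatever the victim typed, so the same mailbox can appear with different capitalisation; distinct_passwords greater than one for a repeat submitter is worth noting, since it often means the first attempt was a typo and the second one is the real credential, which widens the reset scope.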

Room Answers | TryHackMe Snapped Phishing Line

Who is the individual who received an email attachment containing a PDF?
William McClean

What email address was used by the adversary to send the phishing emails?
Accounts.Payable@groupmarketingonline.icu

What is the redirection URL to the phishing page for the individual Zoe Duncan? (defanged format)

hxxp[://]kennaroads[.]buzz/data/Update365/office365/40e7baa2f826a57fcf04e5202526f8bd/?email=zoe[.]duncan@swiftspend[.]finance&error

What is the URL to the .zip archive of the phishing kit? (defanged format)

hxxp[://]kennaroads[.]buzz/data/Update365[.]zip

What is the SHA256 hash of the phishing kit archive?

ba3c15267393419eb08c7b2652b8b6b39b406ef300ae8a18fee4d16b19ac9686

When was the phishing kit archive first submitted? (format: YYYY-MM-DD HH:MM:SS UTC)

2020-04-08 21:55:50 UTC

When was the SSL certificate the phishing domain used to host the phishing kit archive first logged? (format: YYYY-MM-DD)

2020-06-25

What was the email address of the user who submitted their password twice?

michael.ascot@swiftspend.finance

What was the email address used by the adversary to collect compromised credentials?

m3npat@yandex.com

The adversary used other email addresses in the obtained phishing kit. What is the email address that ends in “@gmail.com”?

jamestanner2299@gmail.com

What is the hidden flag?

THM{pL4y_w1Th_tH3_URL}

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.