Introduction
The article provides an in-depth analysis of a phishing attack case, focusing on real-world techniques. It details how phishing emails, disguised as legitimate communications, trick users into divulging credentials. Through investigating malicious PDF and HTML attachments, phishing kits, and SSL certificates, the article illustrates how attackers lure victims to fake login pages and steal sensitive data. Tools like VirusTotal and open-source intelligence are used to investigate the phishing infrastructure. This article is part of the TryHackMe “Snapped Phishing Line” challenge.
Scenario Overview
As a member of the IT department of SwiftSpend Financial, your task is to investigate a phishing incident reported by multiple employees.
Some have already had their credentials compromised. You take on the role of a security analyst, tasked with analyzing the phishing emails to extract indicators of malicious activity.
Phishing Email Investigation
You begin by examining a phishing email with an attached PDF from a sender, “William McClean.”
The email looks legitimate, stating that it contains a “code for services.” However, the attachment could potentially be malicious, so you investigate it within an isolated virtual machine (VM).
Using VirusTotal, you scan the attachment and find potential threats.
Malicious PDF Analysis
The PDF resembles an Office 365 document, but it includes a suspicious call-to-action (CTA) button that redirects to a phishing page.
You avoid clicking directly on the link and instead copy the URL into a safe browser to investigate further.
The URL points to a suspicious domain, kennaroads[.]buzz, rather than a legitimate Office 365 site, indicating a phishing attempt.
HTML Email Investigation
Another phishing email is sent to an employee, Zoe Duncan. It contains an HTML attachment that redirects the user to a phishing page.
The analysis shows the HTML page attempts to redirect users to a fake login page to steal credentials.
Discovering the Phishing Kit
Further investigation uncovers the phishing kit used by the attacker, hosted on a compromised server.
The video demonstrates how to analyze the phishing kit archive by downloading and extracting its contents to gather more threat intelligence.
Hashing and VirusTotal Scans
You generate a hash (SHA-256) for the phishing kit and submit it to VirusTotal for analysis, revealing it as a malicious file previously flagged by others.
SSL Certificate and Domain Information
The video explains how to use open-source tools like ThreatBook to gather additional information, including SSL certificates and domain registration data.
Log File Examination
The attacker’s server contains logs of collected information, including IP addresses, user agents, and credentials submitted by victims.
You discover user passwords stored in these logs, revealing details about the phishing campaign’s victims.
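As an added illustration of this triage step (not code from the article, the video or the TryHackMe room), the script below parses a harvested-credentials log in a constructed layout, lists the accounts that need a forced reset, flags anyone who submitted a password more than once, and defangs indicators in the write-up's hxxp[://]x[.]y style for the report.

```python
"""Triage a phishing kit's harvested-credentials log (added example;
the log layout is constructed and not taken from the room's kit)."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of what a credential-harvesting kit might write per submission.
SAMPLE_LOG = """\
-- Office365 Login --
Email: alice.example@swiftspend.finance
Password: Winter2020!
IP: 203.0.113.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
-- Office365 Login --
Email: bob.example@swiftspend.finance
Password: Hunter22
IP: 198.51.100.7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)
-- Office365 Login --
Email: alice.example@swiftspend.finance
Password: Winter2020!!
IP: 203.0.113.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
"""

ENTRY_RE = re.compile(
    r"Email:\s*(?P<email>\S+)\s*\nPassword:\s*(?P<password>.*)\n"
    r"IP:\s*(?P<ip>\S+)\s*\nUser-Agent:\s*(?P<ua>.*)"
)

def parse_entries(log: str) -> List[Dict[str, str]]:
    """Return one dict per credential submission found in the kit's log."""
    return [m.groupdict() for m in ENTRY_RE.finditer(log)]

def repeat_submitters(entries: List[Dict[str, str]]) -> List[str]:
    """Victims who submitted a password more than once (each needs a reset regardless)."""
    counts = Counter(e["email"].lower() for e in entries)
    return sorted(addr for addr, n in counts.items() if n > 1)

def reset_list(entries: List[Dict[str, str]]) -> List[str]:
    """Unique victim accounts to force-reset and sign out of active sessions."""
    return sorted({e["email"].lower() for e in entries})

def defang(ioc: str) -> str:
    """Defang a URL, domain or IP so it is safe to paste into a report."""
    return ioc.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")
```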
Room Answers | TryHackMe Snapped Phishing Line
Who is the individual who received an email attachment containing a PDF?
William McClean
What email address was used by the adversary to send the phishing emails?
Accounts.Payable@groupmarketingonline.icu
What is the redirection URL to the phishing page for the individual Zoe Duncan? (defanged format)
hxxp[://]kennaroads[.]buzz/data/Update365/office365/40e7baa2f826a57fcf04e5202526f8bd/?email=zoe[.]duncan@swiftspend[.]finance&error
What is the URL to the .zip archive of the phishing kit? (defanged format)
hxxp[://]kennaroads[.]buzz/data/Update365[.]zip
What is the SHA256 hash of the phishing kit archive?
ba3c15267393419eb08c7b2652b8b6b39b406ef300ae8a18fee4d16b19ac9686
When was the phishing kit archive first submitted? (format: YYYY-MM-DD HH:MM:SS UTC)
2020-04-08 21:55:50 UTC
When was the SSL certificate the phishing domain used to host the phishing kit archive first logged? (format: YYYY-MM-DD)
2020-06-25
What was the email address of the user who submitted their password twice?
michael.ascot@swiftspend.finance
What was the email address used by the adversary to collect compromised credentials?
m3npat@yandex.com
The adversary used other email addresses in the obtained phishing kit. What is the email address that ends in “@gmail.com”?
jamestanner2299@gmail.com
What is the hidden flag?
THM{pL4y_w1Th_tH3_URL}