This post provides a detailed step-by-step breakdown of analyzing a real-world phishing campaign named #.Foxwhoops. It demonstrates how a SOC (Security Operations Center) engineer investigates and mitigates the threat posed by phishing emails targeting airline customers. We used the AnyRun online malware analysis sandbox to perform the analysis.

Analysis

Scenario Overview:

  • Users reported suspicious emails claiming to be from Delta Airlines, offering discounts on tickets and products in exchange for completing a survey.
  • The true intent of the campaign was to steal users’ credit card information.

Phishing Email Breakdown:

  • The email appeared legitimate, with a survey button that promised rewards (e.g., discounts, free products).
  • Upon clicking the button, users were redirected to a fake airline website that resembled an official airline page.

The Attack Flow:

  • Step 1: Users complete a survey on the fake page.
  • Step 2: A reward is offered (e.g., a product at $0 cost), prompting users to provide credit card details for “shipping fees.”
  • Step 3: Attackers harvest the credit card details.

Dynamic Behavior:

  • The phishing URL exhibited conditional behavior:
    • For regular users: It redirected to the phishing site.
    • For bots or crawlers (e.g., Googlebot): It redirected to a harmless Fox News RSS feed.
  • This mechanism allowed the phishing campaign to avoid detection by automated systems.

Technical Analysis:

  • Investigated the phishing email, URLs, and scripts.
  • Extracted Indicators of Compromise (IOCs):
    • URLs: The fake survey and redirection links.
    • IP Addresses: Associated with the phishing domains.
  • Scripts embedded in the phishing URL used user-agent checks and cookie validation to control redirection behavior.
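The conditional redirect described above (crawlers to a harmless RSS feed, real browsers to the lure, gated on a cookie) is a cloaking pattern a SOC analyst can test for by requesting the same URL as several different clients and comparing where each lands. The following is an added example, not code from the original post or from the AnyRun sandbox: it injects a fetch function so it runs offline against a constructed stand-in for the redirector, and all URLs, user-agent strings and the cookie name are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlsplit

# Constructed placeholder URLs (the campaign's real indicators are not reproduced here).
SUSPECT_URL = "https://redirector.example.invalid/go?id=123"
LURE_URL = "https://survey.example.invalid/delta"
DECOY_URL = "https://feeds.example.invalid/foxnews.rss"

# One ordinary browser and two crawler-like clients, so redirect behaviour can be compared.
USER_AGENTS: Dict[str, str] = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "curl": "curl/8.4.0",
}


@dataclass
class FetchResult:
    status: int
    final_url: str  # URL reached after following redirects


# Signature of the fetch function the probe uses: (url, user_agent, cookies) -> FetchResult
Fetcher = Callable[[str, str, Dict[str, str]], FetchResult]


def simulated_fetch(url: str, user_agent: str, cookies: Dict[str, str]) -> FetchResult:
    """Constructed stand-in for the attacker's redirector, modelled on the behaviour
    the post describes: crawlers are sent to the harmless RSS decoy, and a browser
    only reaches the lure once a tracking cookie (assumed name 'visited') is present."""
    ua = user_agent.lower()
    if "bot" in ua or "crawler" in ua or ua.startswith("curl"):
        return FetchResult(302, DECOY_URL)
    if cookies.get("visited") != "1":
        return FetchResult(302, DECOY_URL)
    return FetchResult(302, LURE_URL)


def probe(fetch: Fetcher, url: str) -> Dict[str, str]:
    """Request the URL under every user-agent, with and without the tracking
    cookie, and record the host each combination finally lands on."""
    landed: Dict[str, str] = {}
    cookie_states = (("no-cookie", {}), ("cookie", {"visited": "1"}))
    for ua_name, ua in USER_AGENTS.items():
        for state_name, cookies in cookie_states:
            result = fetch(url, ua, cookies)
            landed[f"{ua_name}/{state_name}"] = urlsplit(result.final_url).netloc.lower()
    return landed


def is_cloaked(landed: Dict[str, str]) -> bool:
    """A legitimate redirector sends every client to the same place; more than one
    distinct destination host means the URL serves different content depending
    on who is asking, which is the signature of the evasion described in the post."""
    return len(set(landed.values())) > 1


if __name__ == "__main__":
    report = probe(simulated_fetch, SUSPECT_URL)
    for client, host in report.items():
        print(f"{client:22s} -> {host}")
    print("cloaking detected:", is_cloaked(report))
```

To use this against a live sample, replace `simulated_fetch` with a function that performs the request from an isolated analysis host (for instance with `requests.get(url, headers={"User-Agent": ua}, cookies=cookies, allow_redirects=True)` and returns `response.url`). Probing both cookie states matters because a single request from a fresh client will often only ever see the decoy.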

Mitigation Steps:

  • Collect and block IOCs:
    • Use firewalls or security tools to block phishing URLs and associated IPs.
  • Write detection rules:
    • Prevent users in the organization from accessing these malicious resources.
  • Educate end users:
    • Train them to recognize phishing attempts.
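The first two mitigation steps (collecting IOCs, blocking them, and writing a detection rule over what users in the organization access) can be tied together in a small script. The following is an added example, not part of the original post: it reduces IOC URLs and IP ranges to the hostnames and networks that blocking tools match on, exports them as a blocklist, and flags proxy log lines that touch them. The IOC values, the log format and the sample log lines are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

from urllib.parse import urlsplit

# Constructed placeholder IOCs; the campaign's real URLs and IPs are not on this page.
IOC_URLS = [
    "https://redirector.example.invalid/go?id=123",
    "https://survey.example.invalid/delta",
]
IOC_IPS = ["203.0.113.10", "198.51.100.0/24"]


def build_blocklist(urls: Iterable[str], ips: Iterable[str]) -> Tuple[Set[str], list]:
    """Reduce raw IOC URLs to hostnames and raw IPs/CIDRs to networks, the two
    forms that proxies and firewalls actually match on."""
    domains = {(urlsplit(u).hostname or "").lower() for u in urls}
    domains.discard("")
    networks = [ipaddress.ip_network(i, strict=False) for i in ips]
    return domains, networks


def blocklist_lines(domains: Set[str], networks: list) -> List[str]:
    """Plain-text export, one indicator per line, for loading into a blocking tool."""
    return sorted(f"domain {d}" for d in domains) + sorted(f"ip {n}" for n in networks)


def host_matches(host: str, domains: Set[str]) -> bool:
    """Exact match or subdomain match; the leading dot prevents
    'notsurvey.example.invalid' from matching 'survey.example.invalid'."""
    return host in domains or any(host.endswith("." + d) for d in domains)


# Constructed proxy log layout: timestamp, client IP, method, URL, destination IP, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines: two hits on an IOC domain, one on an IOC network, one benign,
# and one malformed line to show the parser skipping garbage.
SAMPLE_LOG = """\
2024-01-15T09:12:01Z 10.0.0.21 GET https://survey.example.invalid/delta/start 192.0.2.44 302
2024-01-15T09:12:03Z 10.0.0.21 POST http://198.51.100.7/claim 198.51.100.7 200
2024-01-15T09:13:10Z 10.0.0.35 GET https://www.delta.com/ 192.0.2.5 200
this line is deliberately malformed and must be skipped
2024-01-15T09:14:00Z 10.0.0.35 GET https://cdn.survey.example.invalid/a.js 192.0.2.46 200
"""


def match_log(lines: Iterable[str], domains: Set[str], networks: list) -> List[Dict[str, str]]:
    """Flag every parsable log line whose URL host or destination IP is an IOC,
    recording which kind of indicator fired so an analyst can triage quickly."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        reasons = []
        if host_matches(host, domains):
            reasons.append("domain")
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            dst = None
        if dst is not None and any(dst in n for n in networks):
            reasons.append("ip")
        if reasons:
            hits.append({"src": m["src"], "url": m["url"], "reason": ",".join(reasons)})
    return hits


def scan_sample() -> List[Dict[str, str]]:
    """Run the detection over the constructed sample log."""
    domains, networks = build_blocklist(IOC_URLS, IOC_IPS)
    return match_log(SAMPLE_LOG.splitlines(), domains, networks)


if __name__ == "__main__":
    domains, networks = build_blocklist(IOC_URLS, IOC_IPS)
    print("\n".join(blocklist_lines(domains, networks)))
    for hit in scan_sample():
        print(f"ALERT {hit['src']} -> {hit['url']} ({hit['reason']})")
```

Matching on the hostname rather than the full URL is deliberate: phishing kits rotate paths and query strings freely, while the domain and hosting network change far less often, so a domain-and-network rule stays useful longer than an exact-URL one.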

Design of the Phishing Page and Survey

  1. Mimicking a Trusted Brand:
    • The phishing email claimed to be from Delta Airlines, leveraging the reputation of a trusted airline brand.
    • The visual design of the phishing page closely resembled legitimate airline websites, including logos, fonts, and layout styles to establish credibility.
  2. Promises of Rewards:
    • The email and landing page promised enticing rewards, such as discounts on tickets, cash offers, or free products.
    • For example, users were offered products like a wireless doorbell or portable vacuum for “free” (priced at $0) after completing a survey.
  3. Use of Surveys to Engage Users:
    • The survey was short and simple, creating a low barrier for participation. Users felt it was a legitimate interaction.
    • Completing the survey created the illusion of earning a reward, increasing their commitment and likelihood of proceeding further.

Techniques Employed in The Attack

Dynamic Redirects: Attackers used JavaScript to detect bots and avoid detection by cybersecurity tools.

Fake Rewards: The lure of “free products” cleverly exploited human psychology to encourage users to act impulsively.

Detailed Investigation: The use of tools like network inspectors, hex viewers, and threat intelligence platforms helped unravel the attack.

Social Engineering Tactics

  1. Urgency and Exclusivity:
    • The survey offered “exclusive rewards” for a “limited time,” pressuring users to act quickly.
    • Messages like “Congratulations!” or “Select your exclusive offer!” gave users the impression that they were chosen or special.
  2. Trust-Building through Familiarity:
    • The site appeared to belong to a well-known airline, creating a sense of familiarity.
    • The branding, language, and structure mimicked official channels to lower suspicion.

Phishing Steps Taken by The Attacker

  1. Email Content:
    • Users were encouraged to click a button labeled “Continue” or something similar to begin the process.
    • This action led them to a phishing site disguised as an official airline page.
  2. Landing Page:
    • The landing page greeted users with a personalized tone: “Dear American Airlines Traveler.”
    • It highlighted attractive offers (up to $100 value) and framed the survey as a way to improve services or earn rewards.
  3. Survey Interaction:
    • The survey consisted of harmless, generic questions to maintain legitimacy (e.g., How often do you travel? What’s your favorite airline?).
    • After completion, users were presented with “exclusive rewards” that seemed legitimate.
  4. Reward Page:
    • The rewards included products labeled as “free” with no upfront payment required.
    • Clicking “Claim Reward” redirected users to a form requesting sensitive information, including credit card details.

Windows Privilege Escalation

Windows Token Impersonation

  • Impersonation is the key to escalating privileges in Windows systems.
  • Checked user privileges:
    • Found impersonation privilege and delegation privilege, enabling token impersonation.
  • Used Metasploit’s Incognito module:
    • Listed available tokens.
    • Impersonated the administrator token to gain full system access.

Manual Method

  • As an alternative, downloaded a tool to manually list and impersonate tokens, which could be done without Metasploit.

How Airline Users Were Tricked in the FoxWhoops Phishing Campaign

  1. Familiarity and Credibility:
    • By using a trusted airline’s branding and a professional-looking design, users were less likely to suspect foul play.
    • The survey and free product offer reinforced trustworthiness, as surveys are common customer engagement tools.
  2. Progressive Commitment:
    • Users began with a harmless action (filling out a survey), which gradually escalated to providing sensitive information.
    • Once users invested time in the survey, they were more likely to complete the process to “claim” their reward.
  3. Lack of Immediate Red Flags:
    • The phishing site didn’t display obvious errors, such as broken links or spelling mistakes, which often indicate scams.
    • The URLs seemed normal at a glance, hiding malicious intent until users clicked further.
  4. Deceptive Redirect Mechanism:
    • For users or crawlers suspected of investigating, the phishing URL redirected them to a legitimate-looking Fox News RSS feed instead of the phishing page, concealing the scam.

Security Key Takeaways

Be cautious of free offers: If something seems too good to be true (e.g., free products or money), it likely is.

Recognize urgency and exclusivity as red flags: Offers that pressure immediate action often aim to bypass rational thinking.

Verify the source: Always double-check URLs and email senders to ensure they come from official channels.

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
