In this post we look at email and one of the most prominent attacks delivered through it, phishing. We will analyze a real email to determine whether it was a phishing attempt. Tools used: PowerShell, HashCalc, Mozilla Thunderbird, VirusTotal and AbuseIPDB.
What is Phishing
Phishing is one of the biggest threats businesses face today. According to Verizon’s 2022 report, 36% of all data breaches involved phishing, and it was estimated that by 2022 a ransomware or phishing attack would occur every 11 seconds.
First, let’s look at social engineering. Social engineering relies heavily on human interaction: it is an attempt by malicious individuals to gain information or access, or to introduce unauthorized software into an organization’s environment, by manipulating end users. It uses psychological manipulation, persuasion and exploitation of trust to deceive users into making security mistakes or giving up sensitive information. Social engineering is fast becoming one of the primary techniques attackers use to exploit a weakness in an organization; by some estimates about 98 percent of all cyberattacks involve some form of it.
Phishing
A phishing attack is a type of social engineering threat in which the attacker sends fraudulent communications while appearing to be a reputable source. It is typically performed via email or over the phone. The goal is to steal sensitive data such as financial information or login credentials, or to install malware on the target’s device.
The most common type of phishing attacks occurs via email. The malicious attacker sends an email that appears to be from a trusted and legitimate source to the target, either prompting the user to download a malicious attachment or provide sensitive information. The name “phishing” alludes to the fact that attackers are “fishing” for access to confidential information, baiting the unsuspecting user with an emotional hook and a trusted identity.
A variation on phishing is “spear phishing”, where attackers send carefully crafted messages to individuals with special privileges, such as network administrators, executives, or employees in financial roles.
An estimated 3.4 billion phishing emails are sent every day. According to Deloitte, 91% of all attacks begin with a phishing email to an unsuspecting victim. On top of that, 32% of all successful breaches involve the use of phishing techniques.
Analysis
Phishing email analysis steps should include:
- Checking the content of the email for anything uncharacteristic of the supposed sender
- Conducting email header analysis, for example checking for headers that are formatted differently from the supposed sender’s usual mail, and working out which server the message actually came from
Let us begin.
We’ll be looking at the Email Analysis challenge from LETSDEFEND, to determine if the given email is malicious.
Email Analysis Scenario
You recently received an email from someone trying to impersonate a company; your job is to analyze the email to see if it is suspicious.
To answer the questions we need to download the email and the attachment.
We have the email file BusinessEmail.zip and the attachment united_scientific_equipment.zip
We are going to use Mozilla Thunderbird as our email client to open the email
Alongside it we have the raw source of the email (the text of the .eml file). This exposes the full email headers, which record who sent the message, to whom, and which servers handled it. We will begin analyzing the email and identifying the pieces of information we can use for our analysis.
Q. What is the sending email address?
We can read the From field in Thunderbird, or the From header in the raw source, to get our answer.
A: yanting@united.com.sg
Q. What is the email address of the recipient?
For this question, we will look for the To header as shown below.
A: admin@malware-traffic-analysis.net
Q. What is the subject line of the email?
For this question, we will look for the Subject header
A: United Scientific equipment
Q. What date was the Email sent? Date format: MM/DD/YYYY
For this question, we will look for the Date header. Note that Date is set by the sender’s mail client and can be forged; the timestamps in the Received headers added by our own mail server are the authoritative record of when the message arrived.
A: 02/08/2021
Q. What is the originating IP?
For this question, we will look at the Received headers. Every mail server that handles the message prepends its own Received header, so the list reads newest-first: the top entry was added by our own server and the bottom entry is the first hop, closest to the sender. Reading from the bottom up, the first public IP address is the originating IP. Only the Received header added by our own server is trustworthy; anything below it could have been forged by the sender, so treat the originating IP as a lead rather than proof.
A: 71.19.248.52
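The header extraction carried out by hand in the questions above can be scripted. The following is an added example in Python, not part of the original post or the LetsDefend challenge: it parses a constructed .eml whose header values match the answers found above (the hostnames, message ID and body are placeholders) and walks the Received chain bottom-up, skipping private addresses, to recover the originating IP.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: a minimal .eml whose header values match the answers worked
# out above. It is not the real challenge file; hostnames, queue id, message id
# and body are placeholders.
SAMPLE_EML = """\
Received: from mail.united.com.sg ([71.19.248.52])
    by mx.malware-traffic-analysis.net with ESMTP id 4DZk2x1p;
    Mon, 8 Feb 2021 08:17:56 +0000
Received: from [192.168.1.25] (unknown [192.168.1.25])
    by mail.united.com.sg with ESMTPA;
    Mon, 8 Feb 2021 16:17:01 +0800
From: "Yan Ting" <yanting@united.com.sg>
To: admin@malware-traffic-analysis.net
Subject: United Scientific equipment
Date: Mon, 8 Feb 2021 16:17:01 +0800
Message-ID: <constructed-example@united.com.sg>
Content-Type: text/plain

Please see the attached quotation.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def originating_ip(msg):
    """Return the first public IP in the delivery chain, or None.

    Each MTA prepends its own Received header, so the list is newest-first
    (our server at the top, the sender's first hop at the bottom). We walk it
    bottom-up and skip private/loopback addresses such as the sender's LAN
    host. Only the header added by our own server is trustworthy; everything
    below it can be forged, so the result is a lead, not proof.
    """
    for hop in reversed(msg.get_all("Received", [])):
        for candidate in IPV4_RE.findall(str(hop)):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. a 999.1.1.1 lookalike inside a hostname
            if ip.is_global:
                return str(ip)
    return None


def summarize(raw_eml: str) -> dict:
    """Extract the fields the challenge questions ask for."""
    msg = message_from_string(raw_eml, policy=default)
    sent = parsedate_to_datetime(str(msg["Date"]))
    return {
        "from": parseaddr(str(msg["From"]))[1],
        "to": parseaddr(str(msg["To"]))[1],
        "subject": str(msg["Subject"]),
        "date": sent.strftime("%m/%d/%Y"),  # challenge wants MM/DD/YYYY
        "originating_ip": originating_ip(msg),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EML).items():
        print(f"{key:>15}: {value}")
```

Run it against a saved .eml by reading the file into a string and passing it to summarize(). The private 192.168.1.25 in the bottom hop is skipped, so the function returns 71.19.248.52, matching the answer above.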
Q. What country is the IP address from?
Several tools can answer this, but we will use just two: we search for the IP address in AbuseIPDB and VirusTotal, both of which report it as located in Canada. The same lookups give us the reputation of the address; if it has been reported multiple times or appears on blocklists, that is a red flag and an indicator of phishing. Keep in mind that geolocation only tells us where the sending server sits, which may be a hosting provider or VPN exit rather than the attacker’s real location.
A: Canada
Q. What is the name of the attachment when you unzip it? (with extension)
We navigate to our Files folder and locate the compressed attachment. Extracting it shows a single file with a .exe extension, so it is a Windows executable, which is already suspicious for something presented as a quotation. Do not run it; handle it only on an isolated analysis machine.
A: united scientific equipent.exe
Q. What is the sha256 hash of the File?
We open HashCalc, a small utility that computes several hashes of a file at once. Loading the extracted file into it lists the MD5, SHA-1 and SHA-256 values, among others.
We can also get the hash in PowerShell: open a PowerShell window and run the Get-FileHash cmdlet against the file. SHA256 is its default algorithm, so no -Algorithm parameter is needed.
A: 9909753BFB0AC8AB165BAB3555233D03B01A9274A92E57C022F87CCBE51CA415
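The unzip-and-hash steps above are the kind of thing worth scripting so the sample never touches disk or gets executed by accident. The following Python is an added example, not part of the original post or the challenge. It builds a constructed archive in memory (harmless bytes that merely begin with the MZ executable magic, plus a decoy PDF and a double-extension member), then lists and hashes every member and flags executable extensions, double extensions and MZ headers; the member names are placeholders.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute, or that are routinely abused as droppers.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".dll", ".js", ".jse", ".vbs", ".wsf",
            ".hta", ".lnk", ".bat", ".cmd", ".ps1", ".msi", ".iso", ".img"}
# Extensions attackers place in front of the real one ("invoice.pdf.exe").
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)

# Constructed stand-in for the challenge attachment: harmless bytes that only
# begin with the 'MZ' DOS-header magic so the executable check fires.
SAMPLE_EXE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real program"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_zip() -> bytes:
    """Build the constructed attachment archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("united scientific equipent.exe", SAMPLE_EXE_BYTES)
        zf.writestr("quotation.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("invoice.pdf.exe", SAMPLE_EXE_BYTES)
    return buf.getvalue()


def triage_zip(archive: bytes) -> list[dict]:
    """List and hash every member without writing anything to disk or running it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            flags = []
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            if ext in EXEC_EXT:
                flags.append("executable-extension")
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXT and ext in EXEC_EXT:
                flags.append("double-extension")
            if info.file_size > MAX_MEMBER_BYTES:
                flags.append("oversized-member")
                digest = None  # do not inflate it here
            else:
                data = zf.read(info)  # in-memory only
                digest = sha256_hex(data)
                if data[:2] == b"MZ":
                    flags.append("mz-header")  # PE/DOS executable whatever the name says
                    if ext not in EXEC_EXT:
                        flags.append("disguised-executable")
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": digest,
                "flags": flags,
                "verdict": "suspicious" if flags else "no static red flags",
            })
    return findings


if __name__ == "__main__":
    for member in triage_zip(build_sample_zip()):
        print(member)
```

The SHA-256 printed for each member is what you would search for in VirusTotal; searching by hash first avoids uploading a sample that may be sensitive or may tip off the attacker that it has been noticed.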
Q. Is the email attachment malicious? Yes/No
To check the attachment’s reputation we search VirusTotal for its SHA-256 hash rather than uploading the file itself. A hash uniquely identifies the file’s contents, so if anyone has submitted the same sample before, VirusTotal already has the vendor verdicts for it, and searching by hash avoids disclosing a potentially sensitive file to the service. Only if the hash is unknown would we consider uploading the file.
The result shows that the file is flagged as malicious by 59 of 70 vendors. VirusTotal also identifies the file type as a Windows executable (.exe), a format commonly abused to deliver malware.
Based on the above analysis the attachment is clearly malicious. Vendor labels identify it as a Trojan: malware that poses as a legitimate or benign application (here, a supplier’s quotation) in order to compromise the system it is run on.
A.: Yes
This is where our analysis comes to an end. In the next section, we will look at security measures to be implemented
Control Measures
- Block traffic to and from the malicious IP address at the perimeter, and block the attachment’s SHA-256 hash and sender address at the mail gateway and endpoint protection so the same sample cannot be delivered or executed elsewhere
- Implement regular cybersecurity awareness training for employees, in particular phishing awareness training, so end users recognise and report messages like this one
Tips to Identify Phishing Emails
Phishing attacks have been on the rise, and understanding how to recognize them is the first step in protecting your organization. Here are a few ways to spot scams.
- Look out for suspicious-looking email addresses, links, and domain names
- Identify threats or any sense of urgency to respond or take action
- Poor grammar and/or spelling errors
- Suspicious attachments
- Emails requesting login credentials, payment information, or sensitive data like passwords or account numbers
- Review the email headers: From, To, Subject and Return-Path. Does the From address match who the email claims to be from? If not, that is a red flag; the sender’s display name and address are easily forged. Is the To address a mass mailing, or does it specifically name you? Phishers often use mass mailings. Is the subject line urgent, alarming or too good to be true? If so, it is probably suspicious. Return-Path is where bounces go and is often faked, or points at an unrelated domain, in phishing emails; the same goes for Reply-To.
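The header checks in the list above can be turned into a simple triage script. The following Python is an added example, not part of the original post: it runs six heuristics (brand name in the display name versus the sending domain, Return-Path and Reply-To on a different domain, no named recipient, urgency wording in the subject, and a request for credentials in the body) over a constructed spoofed email and a constructed clean one. The brand-to-domain table and every domain used are made up for the example and use reserved example names.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses, parseaddr

# Illustrative lookup of brand names to the domain they really send from.
# Constructed for this example; a real deployment would load the organisation's
# own list of partners and their sending domains.
KNOWN_BRANDS = {"acme bank": "acmebank.example"}

URGENCY_WORDS = ("urgent", "immediately", "action required", "suspended",
                 "final notice", "within 24 hours", "verify your")
CREDENTIAL_RE = re.compile(
    r"\b(password|passcode|login|credentials|account number|card number)\b", re.I)

# Constructed sample exhibiting several of the red flags listed above.
SPOOFED_EML = """\
Return-Path: <bounce-7731@bulkmailer.example.net>
From: "Acme Bank Support" <support@acme-bank-secure.example.com>
Reply-To: recover@bulkmailer.example.net
To: undisclosed-recipients:;
Subject: URGENT: your account will be suspended within 24 hours
Date: Mon, 8 Feb 2021 09:00:00 +0000
Content-Type: text/plain

Please confirm your password at the link below to keep your account active.
"""

# Constructed sample that should trigger nothing.
CLEAN_EML = """\
Return-Path: <statements@acmebank.example>
From: "Acme Bank" <statements@acmebank.example>
To: Jane Doe <jane.doe@customer.example>
Subject: Your February statement is ready
Date: Mon, 8 Feb 2021 09:00:00 +0000
Content-Type: text/plain

Your statement is available in online banking as usual.
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_red_flags(raw_eml: str) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for each heuristic that fires."""
    msg = message_from_string(raw_eml, policy=default)
    flags = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)

    # 1. Display name claims a brand whose real domain is not the sending domain.
    for brand, real_dom in KNOWN_BRANDS.items():
        if brand in display_name.lower() and from_dom != real_dom \
                and not from_dom.endswith("." + real_dom):
            flags.append(("brand-mismatch",
                          f'"{display_name}" sent from {from_dom}, expected {real_dom}'))

    # 2. Return-Path (where bounces go) on a different domain than From.
    rp_dom = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    if rp_dom and rp_dom != from_dom:
        flags.append(("return-path", f"bounces go to {rp_dom}, not {from_dom}"))

    # 3. Reply-To redirects answers to a different domain.
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        flags.append(("reply-to", f"replies go to {reply_dom}, not {from_dom}"))

    # 4. Mass mailing: no named recipient.
    to_raw = str(msg.get("To", ""))
    to_addrs = [a for _, a in getaddresses([to_raw]) if a]
    if not to_addrs or "undisclosed" in to_raw.lower():
        flags.append(("mass-mailing", f"To header is {to_raw!r}"))

    # 5. Urgency or threat in the subject.
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        flags.append(("urgency", f"subject contains {hits}"))

    # 6. Body asks for credentials or payment data.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    match = CREDENTIAL_RE.search(text)
    if match:
        flags.append(("credential-request", f"body asks for {match.group(0)!r}"))

    return flags


if __name__ == "__main__":
    for rule, detail in header_red_flags(SPOOFED_EML):
        print(f"{rule:>20}: {detail}")
```

A Return-Path or Reply-To on another domain is a yellow flag rather than proof on its own, since mailing-list software and some marketing platforms legitimately do the same; the value of the script is in how many rules fire at once on a single message.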
Phishing attacks are often the entry point for cybercriminals to launch more serious security breaches. As such, individuals and employees must learn to spot a phishing email to avoid potential security incidents.