Wednesday, July 3, 2019

Wow - my blog is really blowing up!

Thanks to everyone that has been following me, I'm really glad that you find my posts interesting. My post views have been skyrocketing over the past day, and I've been getting a lot of private messages with questions. I can't use my mobile phone at work, but if you need to get in touch, feel free to email my personal address d1ved33p@gmail.com and I'll get back to you ASAP.

With that out of the way, this next blog post is going to be about phishing emails, and how to properly analyse them. I hope this is helpful to some of you wanna-be security researchers out there! (I won't go super deep, you can learn the rest by yourselves!)


  • What is a phishing email?
  • How to analyse a phishing email
  • How to analyse a malicious domain
  • How to implement blocks to stop phishing campaigns

In this post, you may see URLs shown like this: "google[.]com". The square brackets stop the text from turning into a clickable hyperlink. This form of sanitisation prevents people from accidentally clicking on a malicious link!

What is a phishing email?
In this example, we'll cover a Credential Harvester phishing email attack. In this attack, an actor creates an email that claims to be from a legitimate company. Some popular imitated companies include Dropbox, Office365, Microsoft Outlook, DHL and banks, amongst others. This email, despite looking genuine, is fake, and the URL hyperlink will take you to a malicious website that is trying to steal your information. Users are asked to enter their account details, or email and password, which are then sent off to the attacker.
This is a screenshot of the email we will be looking at in this blog post. Looks pretty authentic right? Well it's not. Let's find out why!


How to analyse a phishing email
Firstly, we need to determine who the email has actually come from, and whether that's a free email account (such as @gmail, @outlook). You can usually see this at the top of the email, and hovering your mouse over the name should show you the actual email address. Another way to check is to open the email file in a text editor (such as Sublime Text) and search (CTRL + F) for "Env-Sender".

Here we can see the email has come from "service@newemail.com" - which definitely isn't an official American Express address. The x-originating-ip also tells us where the email has come from, which can be useful to identify whether an attacker has successfully spoofed (imitated) a genuine email address. This is how phishing emails can appear to come from "support@DHL.com".
We can also take the "x-originating-ip" and put it into websites like VirusTotal, IPVoid, and AbuseIPDB to see if it has been recognised as acting maliciously, and who actually owns it.

DO NOT CLICK ANY LINKS IN AN EMAIL. You need to carefully extract them, so you don't end up visiting the malicious website yourself. We can get the URL by carefully right-clicking the button (or wherever the URL hyperlink is located. It may be on some text, or an image) and choosing the "copy hyperlink" option. This can be used in the next section to analyse the destination website. You can also retrieve any URLs by opening the email file in a text editor (such as Sublime Text) and searching (CTRL + F) for "http://".

Now we have the malicious URL. It is clear that the website is NOT American Express, and is actually "suite.mapable[.]co[.]za".
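The header and link checks above can be scripted against a saved .eml file. The block below is an added example, not code from the original post: it reads a constructed sample message (not a real phishing email), pulls the envelope sender, the displayed From address, the X-Originating-IP and every http(s) link in the body, and reports the links with the "[.]" sanitisation used in this post. It assumes the conventional Return-Path header for the envelope sender (the "Env-Sender" string the post searches for is a label some mail clients add rather than a standard header), and the FREE_MAIL_DOMAINS set is a small illustrative list.

```python
"""Header and link triage for a phishing email saved as .eml (standard library only).

Added example, not code from the original post. SAMPLE_EML is a constructed
message. Return-Path is assumed to carry the envelope sender; the post's
"Env-Sender" is a mail-client label, not a standard header.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message for the demo: not a real phishing email.
SAMPLE_EML = b"""\
Return-Path: <service@newemail.com>
X-Originating-IP: [203.0.113.45]
From: "American Express" <service@newemail.com>
To: victim@example.com
Subject: Your account needs verification
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://suite.mapable.co.za/themes/SuiteR/tmp/?session=abc">verify</a> now.</p>
<img src="https://cdn.example.net/logo.png">
</body></html>
"""

# Matches http(s) URLs up to whitespace or an HTML/quote delimiter.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# A few well-known free mail providers (assumption for illustration; extend as needed).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def defang(text: str) -> str:
    """Apply the post's '[.]' sanitisation so nothing in a report is clickable."""
    return text.replace(".", "[.]")


def triage(raw: bytes) -> dict:
    """Return sender details, originating IP and defanged links from a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    # Envelope sender (what the post calls Env-Sender) versus the displayed From.
    envelope_sender = parseaddr(str(msg.get("Return-Path", "")))[1]
    display_name, header_from = parseaddr(str(msg.get("From", "")))
    sender_domain = header_from.rsplit("@", 1)[-1].lower() if "@" in header_from else ""

    # X-Originating-IP is usually wrapped in square brackets.
    originating_ip = str(msg.get("X-Originating-IP", "")).strip().strip("[]")

    # Prefer the HTML part, since that is where the button's hyperlink lives.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""

    urls, hosts = [], []
    for url in URL_RE.findall(body):
        urls.append(url)
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in hosts:
            hosts.append(host)

    return {
        "display_name": display_name,
        "header_from": header_from,
        "envelope_sender": envelope_sender,
        "sender_domain": sender_domain,
        "uses_free_mail": sender_domain in FREE_MAIL_DOMAINS,
        "originating_ip": originating_ip,
        "urls": [defang(u) for u in urls],
        "hosts": [defang(h) for h in hosts],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key:16} {value}")
```

Run it on a real sample with `triage(open("message.eml", "rb").read())`. The output only ever contains sanitised links, so it can be pasted straight into a ticket without anyone clicking through; the originating IP is what you would then paste into VirusTotal, IPVoid or AbuseIPDB.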

How to analyse a malicious domain
There are a number of searches we can do against the domain/website to check for authenticity and gather information about it. Firstly, we want to see what the webpage looks like WITHOUT going to it in our browser. This is in case the site is hosting malware, or gathering information about visitors. A great free tool for this is URL2PNG (Link). All we need to do is enter the URL we want to view and hit the button! This is great for checking what kind of credential harvester the webpage is holding, and how good/effective it looks. Here's a look at the REAL credential harvester I worked on earlier today, which spoofs American Express:

Ignore the sh*t quality, it's Blogger.

As you can see, the above screenshot from URL2PNG shows a really well made American Express credential harvester. It looks genuine, and people may fall for this. Next, we need to look at the root domain to see what this website is supposed to be hosting.


If our URL is:
suite.mapable[.]co[.]za/themes/SuiteR/tmp/?session==3DQ5LDTgMSQfaIASkrDmIj2r9lWRXijUMrwBpEU3djmIj2r9MrwBpEU3djMrwBpEU3djlWRXV3=OQfql1MrwBpEU3djWZMrwBpEU3dj

We need to take it back to:
suite.mapable[.]co[.]za
Now we'll look at this again in URL2PNG. The result of this will help us to determine whether this domain is legitimate, and has been compromised, or was created purely for malicious purposes. Putting the root domain in URL2PNG displays the following log-in portal:
From this, we're not able to determine if this site is legitimate or malicious. Let's try searching for "mapable[.]co[.]za" in URL2PNG, removing the "suite." sub-domain. This search simply shows a blank white page, meaning there is no content. This is unusual. You'd think a company would have something on their homepage, right?
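Taking a URL back to its hostname, and then stripping the sub-domain to get the registrable domain, is easy to get wrong by hand on multi-part TLDs such as "co.za". The block below is an added example, not code from the original post: it refangs a "[.]"-sanitised URL, extracts the hostname (tolerating a missing scheme, user info and a port) and reduces it to the root domain. Because the Public Suffix List is not available offline, MULTI_LABEL_SUFFIXES is a small hand-picked set that is an assumption covering the post's co.za case; use the full list in practice.

```python
"""Reduce a defanged phishing URL to its hostname and registrable (root) domain.

Added example, not code from the original post. MULTI_LABEL_SUFFIXES is an
assumption standing in for the Public Suffix List.
"""
from urllib.parse import urlsplit

# Second-level public suffixes under which the registrable domain has three labels.
MULTI_LABEL_SUFFIXES = {"co.za", "co.uk", "org.uk", "com.au", "co.jp"}


def refang(url: str) -> str:
    """Undo the '[.]' sanitisation so the URL can be parsed."""
    return url.replace("[.]", ".")


def defang(host: str) -> str:
    """Apply the post's '[.]' sanitisation for reporting."""
    return host.replace(".", "[.]")


def hostname_of(url: str) -> str:
    """Extract the lower-cased hostname, tolerating a missing scheme, userinfo and port."""
    u = refang(url.strip())
    if "://" not in u:
        u = "http://" + u  # urlsplit only recognises the netloc when a scheme is present
    return (urlsplit(u).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Strip sub-domains: 'suite.mapable.co.za' -> 'mapable.co.za'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def reduce_url(url: str) -> dict:
    """Return the hostname, root domain (both defanged) and the sub-domain prefix."""
    host = hostname_of(url)
    root = registrable_domain(host)
    sub = host[: -len(root)].rstrip(".") if host.endswith(root) and host != root else ""
    return {"hostname": defang(host), "root_domain": defang(root), "subdomain": sub}


if __name__ == "__main__":
    sample = "suite.mapable[.]co[.]za/themes/SuiteR/tmp/?session==3DQ5LDTgMSQfaIASkrDmIj2r9"
    print(reduce_url(sample))
```

The hostname is what you paste into URL2PNG first, and the root domain is the second lookup; anything left in "subdomain" is worth noting, since a compromised legitimate site and a purpose-built phishing domain often differ exactly there.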
A Google search reveals that they have other pages, such as "About" and "Contact Us":



Searching for these URLs in URL2PNG again gives us white screens, meaning there is no content to view. Very weird. There are many more analysis techniques you can use to determine the authenticity of a domain, but that starts getting a bit too technical for this post. So in this example case, I'm going to treat this domain as not operating legitimately, since the only active content we've found has been a malicious credential harvester and a log-in portal.



Another good thing to do is a WHOIS search, which gives you information about the domain and website. In the below screenshot, we're able to see when the domain was first registered, who registered it (in this case it is marked as "REDACTED" - meaning the user has paid for additional privacy settings, which can sometimes be an indicator that a malicious actor has registered a domain and wants to remain anonymous), and other useful details! The free website I'm using here is http://whois.domaintools.com/.


From this information we can tell that the website is currently hosted by Wix, the domain was registered 2171 days ago, the owner is REDACTED, and the website title is "none given", which makes sense considering we couldn't see a homepage in URL2PNG.
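Two of the WHOIS facts above, the registration date and the redacted registrant, are the ones worth turning into a repeatable check. The block below is an added example, not code from the original post: it parses a constructed WHOIS record in the common "Key: Value" layout (real registrars vary in their field names), computes the domain's age on a given date and flags a privacy-redacted registrant. The creation date in the sample is chosen so that, as of the date of this post, the domain is 2171 days old, matching the number above; the 90-day "newly registered" threshold is an assumption.

```python
"""Pull the phishing-relevant facts out of a WHOIS record: domain age and registrant privacy.

Added example, not code from the original post. SAMPLE_WHOIS is constructed
text; the young_days threshold is an assumption.
"""
from datetime import date, datetime

# Constructed WHOIS record in the common "Key: Value" layout (not a real lookup).
SAMPLE_WHOIS = """\
Domain Name: example.com
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Creation Date: 2013-07-23T00:00:00Z
Registrar: Example Registrar (constructed)
"""


def parse_whois(text: str) -> dict:
    """Parse 'Key: Value' lines into a dict; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def parse_whois_date(value: str) -> date:
    """Accept the ISO timestamp most registrars emit, or a bare date."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised WHOIS date: {value!r}")


def assess(text: str, today: date, young_days: int = 90) -> dict:
    """Summarise domain age and registrant redaction for a WHOIS record."""
    fields = parse_whois(text)
    created = parse_whois_date(fields["creation date"])
    age_days = (today - created).days
    registrant = fields.get("registrant name", "").upper()
    return {
        "domain": fields.get("domain name", ""),
        "created": created.isoformat(),
        "age_days": age_days,
        "newly_registered": age_days < young_days,
        "registrant_redacted": "REDACTED" in registrant or "PRIVACY" in registrant,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_WHOIS, date(2019, 7, 3)))
```

A domain registered days ago is a much stronger phishing signal than a redacted registrant on its own, which is why the age is computed rather than just displayed; pass `date.today()` for a live investigation.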


As I mentioned, there's a LOT more to investigating phishing emails, but I've covered the basics, and hope you guys have found this post interesting! If you want to know more about phishing, get on Google and have a search! And if you decide to analyse some phishing emails yourselves, BE CAREFUL. Do not open attachments on your computer (use a free online tool like VirusTotal, or a virtual machine to detonate any potentially malicious files) and don't click on links. Use tools like VirusTotal, URL2PNG, and WannaBrowser to do it for you!

I'll put together an example for you guys to interact with in a few days, hosted on my own web server. This way you can safely interact with a REAL credential harvester, from a previous investigation I conducted (obviously I'll make it safe). I'll also explain how the code works, so you can get a good understanding of phishing attacks! :)



Hope to see you guys again soon,

Sammie
