I’ve been following training offered by a company called TCM Security whilst preparing for a job as a Security Operations Centre (SOC) analyst.
Their website can be found here, and the specific course I’ve been following from their Academy can be found here. The course is the Security Operations (SOC) 101.
I’ve not completed the entire course yet. But I wanted to go over what I’ve learned so far, regarding email phishing analysis, as I found this fascinating.
When someone receives an email, it can often be difficult for them to tell whether it is genuine. So people with little knowledge of cyber threats may unwittingly click on links or attachments in those emails, or even reply to them.
This can lead them to divulge information that threat actors can use to steal their data (or money, for example), or to compromise a corporate system and then move further into the network.
Whilst going through the learning path provided by TCM Security, I looked at the sample emails they provided and followed along with their analysis.
I then decided to take some examples from my own email inboxes to analyse further, sending these to my virtual Ubuntu machine to ensure I was working with them in a safe and isolated/segmented environment.
I gathered multiple emails from my inbox to analyse, and which I’m certain are phishing attempts. But I won’t include an assessment of each email here for the sake of brevity.
Email Header and Sender Analysis
The first email I looked at claims to be from Fedex Shipping.

In this example, whilst the email claims to be from Fedex Shipping, the email address of “newsletter[.]etwua[@]jodeweb[.]com” bears no relation to Fedex.
Reviewing the .eml file in Sublime Text also shows a Return-Path address of “BXUCZRHTNP[@]exist[.]jodeweb[.]com”, which again bears no relation to Fedex.
Additionally, reading the Received headers from bottom to top (each relay prepends its own header, so the bottom one is the first hop), the originating sender IP address is 78[.]142[.]61[.]148.
Checking this IP address in DomainTools reveals that it belongs to a company based in Bulgaria, with the reverse DNS lookup (resolve host) and the ASN both pointing to a company called BGO Cloud.

BGO Cloud is a web hosting service operating from Bulgaria. And as far as I’m aware, Fedex are unaffiliated with them.
At this point, I’m more than confident that the email I received is a phishing attempt. But I wanted to look into things a bit further.
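The header checks above can also be done programmatically rather than by eye in a text editor. The following is an added example I wrote for this post; it is not code from TCM Security's course. It parses a constructed .eml that reuses only the sender address, Return-Path and originating IP quoted above; the relay hostnames, dates, Message-ID and the brand-to-domain mapping (BRAND_DOMAINS) are assumptions. It walks the Received headers bottom to top to find the originating hop, pulls out the header fields a report would list, and records every sender field whose domain is not a Fedex domain.

```python
"""Header and sender analysis of a suspicious .eml file.

Added example; this is not code from the original post or from TCM Security's
course. The message below is constructed for the example and reuses only the
sender address, Return-Path and originating IP quoted in the post; the relay
hostnames, dates and Message-ID are made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample .eml (RFC 5322 text, long headers folded with a tab).
SAMPLE_EML = """\
Return-Path: <BXUCZRHTNP@exist.jodeweb.com>
Received: from mx.example-corp.invalid (mx.example-corp.invalid [192.0.2.10])
\tby inbox.example-corp.invalid with ESMTP id abc123;
\tMon, 3 Jun 2024 10:15:02 +0000
Received: from exist.jodeweb.com (exist.jodeweb.com [78.142.61.148])
\tby mx.example-corp.invalid with ESMTP id def456;
\tMon, 3 Jun 2024 10:15:01 +0000
From: "Fedex Shipping" <newsletter.etwua@jodeweb.com>
Reply-To: BXUCZRHTNP@exist.jodeweb.com
To: user@example-corp.invalid
Subject: Confirm your shipping details
Date: Mon, 3 Jun 2024 10:14:55 +0000
Message-ID: <constructed-example-id@exist.jodeweb.com>
Content-Type: text/plain; charset=utf-8

Please confirm your delivery address.
"""

# Domains a brand legitimately sends from, keyed by the name an analyst
# expects to see in the display name. Assumed, illustrative mapping only.
BRAND_DOMAINS = {"fedex": {"fedex.com"}}

# "from <host> (... [<ipv4>])" as written by most MTAs in Received headers.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def received_chain(msg):
    """(host, ip) for every Received header, originating hop first.

    Each relay prepends its own Received header, so the last Received
    header in the file is the first hop: read them bottom to top."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(hdr)
        if m:
            hops.append((m.group(1).lower(), m.group(2)))
    return hops


def in_domains(domain, allowed):
    """True if domain is one of allowed or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def analyse_headers(raw, brand_domains=BRAND_DOMAINS):
    """Collect the report fields from the headers and list sender mismatches."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    hops = received_chain(msg)
    report = {
        "date": msg.get("Date", ""),
        "subject": msg.get("Subject", ""),
        "to": msg.get("To", ""),
        "from": from_addr,
        "display_name": display_name,
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "message_id": msg.get("Message-ID", ""),
        "sender_host": hops[0][0] if hops else "",
        "sender_ip": hops[0][1] if hops else "",
        "findings": [],
    }
    # Which brand does the display name claim to be? Then check that every
    # sender-side field actually belongs to that brand's domains.
    claimed = next((b for b in brand_domains if b in display_name.lower()), None)
    if claimed:
        for field in ("from", "reply_to", "return_path", "sender_host"):
            domain = report[field].rpartition("@")[2].lower()
            if domain and not in_domains(domain, brand_domains[claimed]):
                report["findings"].append(f"{field}: {domain} is not a {claimed} domain")
    return report


if __name__ == "__main__":
    for key, value in analyse_headers(SAMPLE_EML).items():
        print(f"{key:13} {value}")
```

Run against the sample, the originating hop comes out as exist.jodeweb.com at 78.142.61.148 and all four sender fields (From, Reply-To, Return-Path and the first-hop host) are reported as non-Fedex domains. The IP itself still needs the DomainTools/ASN lookup described above; that part is deliberately left out so the script runs offline.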
Email Content Analysis
In the body of the email there are three separate sections which, when hovered over, change the mouse cursor to show that they can be clicked. I’ve marked these in red below.

In this case, the phisher has made each of these sections clickable, which makes it more likely that someone will click on one of them, even by accident.
We can also see the URLs these link to when hovering over the boxes, but to make them easier to read I switched the view settings to plain text, which shows the URLs as follows:

When checking these URLs in VirusTotal, the first URL is flagged as phishing.
The second one isn’t flagged, but the third one is flagged as suspicious. I’ve not included screenshots of the second two here though.
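Hovering over each box or switching to the plain-text view is the manual way of pairing the visible text with the real link target. The following is an added example I wrote for this post (not code from the course or the original email) that does the same thing for an HTML body: it lists every anchor with its visible text and href, and flags a link that uses a URL shortener, points at a domain outside the impersonated brand, or shows one address in its text while linking to another. The HTML body, the placeholder domains (track-parcel.example.net, the bit.ly path) and the brand-domain set passed in are all constructed for the example and are not the URLs from the email above.

```python
"""Extract and triage the links in an HTML email body.

Added example; this is not code from the original post or from the course.
The HTML body and every URL in it are constructed for this example: the
link targets are placeholder domains, not the URLs from the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed body with three clickable sections: a logo image, a button,
# and a link whose visible text shows a different address than its target.
SAMPLE_HTML = """
<html><body>
<a href="https://track-parcel.example.net/confirm?id=123"><img src="cid:logo" alt="logo"></a>
<p>Your parcel is on hold. Please confirm your shipping details.</p>
<p><a href="https://bit.ly/constructed-example">Confirm shipping details</a></p>
<p>Or visit <a href="http://track-parcel.example.net/track">https://www.fedex.com/track</a></p>
</body></html>
"""

# Widely used URL shortening services (hides the true destination).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for each <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def in_domains(host, allowed):
    """True if host is one of allowed or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage_links(html, brand_domains):
    """Return each link with the indicators it trips: the plain-text view
    of the email with the analyst's checks applied to every target."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        flags = []
        if host in SHORTENERS:
            flags.append("url-shortener")
        if not in_domains(host, brand_domains):
            flags.append("off-brand-domain")
        shown = DOMAIN_RE.search(text)
        if shown and shown.group(1).lower() != host:
            flags.append("text-href-mismatch")
        results.append({"href": href, "text": text, "host": host, "flags": flags})
    return results


if __name__ == "__main__":
    for link in triage_links(SAMPLE_HTML, {"fedex.com"}):
        label = link["text"] or "<image link>"
        print(f"{label!r:32} -> {link['href']}  {link['flags']}")
```

On the constructed body all three links are flagged as off-brand, the button additionally as a shortener, and the third link as a text/href mismatch because it displays a fedex.com address while pointing at the placeholder domain. Reputation checks such as the VirusTotal lookups above are still a separate, online step on each extracted href.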

The Details tab for the first URL shows another URL and an IP address, as follows:

So it’s clear to me that the original URL redirects elsewhere. And when checking this second URL, there is even more evidence that it is phishing/malicious, as follows:

The IP address of 66.55.92.203 also points to a Resolve Host of mwbutler.com as follows:

When Googling who this might be linked to, information I’ve found suggests this web address is for an electrical company in the USA. Again, this doesn’t appear to be linked to Fedex.
Finally, going into the details tab for this newly revealed phishing/malicious URL, another IP address is provided as follows:

And when checking this IP address, this then returns the following result:

This IP address links to a company based in Serbia. And if I wasn’t already suspicious, this additional evidence supports the conclusion that the URLs are malicious, as none of them have any affiliation with Fedex.
Conclusion
In conclusion, if I were completing this analysis as part of my job as a SOC analyst and was asked to report my findings, my report would include the date, subject, to/from, reply-to, return-path, sender IP, resolve host, message ID, URLs, and any attachments together with their file hashes, along with my findings on those hashes from tools such as VirusTotal.
Additionally, the description of my findings on this email would be as follows:
Description
This email is claiming to be from “Fedex Shipping” and is asking the recipient to confirm shipping details for a package.
Although claiming to be from Fedex, the “from” address clearly indicates a mailbox originating from an unrelated domain.
Additionally, the “Return-Path” and the Received headers indicate that this email originated from a mail server that isn’t affiliated with Fedex, and the sender utilised a Bulgaria-based cloud and web hosting service, unrelated to Fedex.
After performing a URL reputation check using VirusTotal, the URL within the first clickable section of the email was also flagged as likely phishing.
Additionally, the first URL redirects to another URL, which was then further confirmed as being phishing and malicious.
Whilst no sandbox analysis was carried out, it was found that the multiple URL redirects and IP address checks eventually led to a Serbian telecommunications and IT provider, offering voice, data, and SMS services, with no affiliation to Fedex.
Verdict
Due to the original sender being unaffiliated with Fedex, the email is a clear impersonation and spoofing attempt.
Additionally, after analysing the URLs, these were flagged on VirusTotal as malicious.
Defence actions
To prevent the malicious sender from sending any other emails to the organisation, we’ve blocked the email addresses of X, Y, and Z on the email gateway.
Additionally, to ensure users cannot access the malicious URLs or domains, we’ve also blocked the X, Y, and Z URLs on the EDR and web proxy.
Additional note
Finally, below are typical characteristics phishing emails have in common:
- The sender email name/address masquerades as a trusted entity (email spoofing)
- The email subject line and/or body text is written with a sense of urgency or uses certain keywords such as Invoice, Suspended, etc.
- The email body (HTML) is designed to match a trusted entity (such as Amazon)
- The email body (HTML) is poorly formatted or written (contrary to the previous point)
- The email body uses generic content, such as Dear Sir/Madam
- Hyperlinks (these often use URL shortening services to hide their true destination)
- A malicious attachment posing as a legitimate document
Source: tryhackme.com
