PHISHING ANALYSIS: A SIMPLE GUIDE FOR BEGINNERS
It is imperative to acknowledge that phishing attacks continue to be the most prevalent method of gaining unauthorized access, and ignorance of this fact does not protect anyone from the severe consequences that may follow. In this blog we delve into the subject of phishing, focusing on how to identify malicious emails and potential phishing attempts.
</> What is Phishing?
Phishing is a malicious tactic in which an attacker tries to obtain sensitive personal information from individuals by encouraging them to click on malicious links in emails or run harmful files on their computers. Phishing attacks correspond to the “Delivery” phase of the Cyber Kill Chain, a model created to analyze cyber-attacks. In the delivery stage the attacker transmits the previously prepared harmful content to the victim's systems or people.
In this blog we focus on email phishing and how it can be detected.
</> Spoofing
Attackers can send emails that appear to come from someone else; this technique is called spoofing. It is important to know that email has authentication methods that let a receiving server check whether an incoming email really comes from where it claims. There are three main authentication protocols you need to be aware of: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). We will not go deep into these protocols here; just know that they exist and help to verify an email.
To verify the authenticity of an email, it is necessary to determine the IP address of the SMTP (Simple Mail Transfer Protocol) server that sent it. One way to obtain this information is to look up the sending domain on MxToolbox, which reports its SPF, DKIM, DMARC, and MX records. Some email providers, such as Google, run SPF, DKIM, and DMARC checks to decide whether an email is legitimate. If the SMTP IP address matches the servers the From/Reply-To domain authorizes, the email passes (PASS) these checks and is not treated as spam. Conversely, if the SMTP IP address does not match, the email fails (FAIL) these checks.
Larger institutions run their own email servers, so we can run whois on the SMTP address. Below is an illustration using the Kali Linux terminal:
# whois shows the registration details of a domain (registrar, name servers, contacts):
whois medium.com
# dig queries DNS directly. @8.8.8.8 sends the query to Google's public resolver;
# -t any asks for every record type, including the MX records that name the domain's mail servers:
dig -t any medium.com @8.8.8.8
It is important to note that an email that isn’t spoofed is not necessarily safe. Trusted entities can send harmful emails. A perfect example is the MailChimp breach, where malicious emails were sent from a trusted entity as a result of a breach of its servers.
Next, we will explain what the header of an email is, what can be done with this information, and how to access it in order to detect possible spoofing. The header is the section of the mail that contains information such as sender, recipient and date. The important fields include:
From: Indicates the name and address of the sender
To: Receiver’s details, including CC and BCC
Date: Timestamp
Subject: Topic of the email
Return-Path: aka Reply-To. If you reply to an email, the message will be sent to the address in the Return-Path field. If the Return-Path doesn’t match From, that is a good indication of spam.
DomainKey and DKIM-Signature: DKIM signatures help email providers identify and authenticate your email, like SPF records do.
Message-ID: Unique alphanumeric id for each mail
MIME-Version: Multipurpose Internet Mail Extensions is an internet encoding standard. It converts non-text content such as images, videos and other attachments into text so they can be attached to an email and sent through SMTP.
Received: Lists each mail server the email passed through before arriving in the recipient’s mailbox. The top entry is the most recent server and the bottom entry is where the email originated.
X-Spam-Status: Spam level. If a message exceeds the spam threshold, it is automatically sent to the spam folder.
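As an added example (not code from the original post), the fields listed above can be pulled out of a raw message with Python's standard email package. The message below is constructed for illustration; every host, IP address, mailbox and id in it is made up. The most useful part for spoofing detection is the Received chain: servers prepend Received lines, so the last entry is the server that first handed the message in.

```python
# Added example for this post (not code from the original article): parse the
# header fields listed above out of a raw message with Python's standard
# "email" package. The message below is constructed; every host, IP, address
# and id in it is made up for illustration.
import email
import re
from email.utils import parseaddr

# Constructed sample, in the form Gmail's "Show original" displays a message.
RAW_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456; Mon, 1 Jan 2024 10:00:01 +0000
Received: from sender-pc (unknown [203.0.113.45])
\tby relay.example.org with SMTP id ghi789; Mon, 1 Jan 2024 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject; b=ZmFrZQ==
From: "Help Desk" <it-support@example.com>
To: victim@recipient.example
Date: Mon, 1 Jan 2024 09:59:59 +0000
Subject: Urgent: verify your password
Message-ID: <20240101095959.1234@example.com>
MIME-Version: 1.0
X-Spam-Status: No, score=2.1 required=5.0
Content-Type: text/plain; charset=utf-8

Please confirm your password at the link below.
"""

# Pulls "from <host> ... [<ip>]" out of one Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def received_chain(msg):
    """Return [(host, ip), ...] for every Received header, newest first.

    Mail servers prepend Received lines, so the last tuple is the server
    that first handed the message in: the originator the article compares
    against the From address.
    """
    chain = []
    for hdr in msg.get_all("Received", []):
        match = RECEIVED_RE.search(hdr)
        if match:
            chain.append((match.group(1), match.group(2)))
    return chain


def dkim_signing_domain(msg):
    """The d= tag of the DKIM-Signature, i.e. the domain that signed the mail."""
    match = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return match.group(1).lower() if match else None


def summarize_headers(raw):
    """Extract the fields listed in the article into a plain dict."""
    msg = email.message_from_string(raw)
    chain = received_chain(msg)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    return {
        "from": from_addr.lower(),
        "from_display_name": display_name,
        "to": msg.get("To"),
        "date": msg.get("Date"),
        "subject": msg.get("Subject"),
        "return_path": parseaddr(msg.get("Return-Path", ""))[1].lower(),
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1].lower() or None,
        "dkim_domain": dkim_signing_domain(msg),
        "message_id": msg.get("Message-ID"),
        "mime_version": msg.get("MIME-Version"),
        "received_hops": len(chain),
        "origin": chain[-1] if chain else None,  # (host, ip) of the first server
        "spam_status": msg.get("X-Spam-Status"),
    }


if __name__ == "__main__":
    for key, value in summarize_headers(RAW_EMAIL).items():
        print(f"{key:18} {value}")
```

Paste the text from "Show original" into RAW_EMAIL to run it against a real message. Note that the display name ("Help Desk") and the actual address are returned separately, because mail clients often show only the name, which is exactly what a phisher counts on.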
Next, we will see how to access an email's header in Gmail.
1. Click on the three dots as shown in the picture:
2. Click on “Show original.”
3. A new tab will open like the one in the image below (check whether all three protocols show “PASS”).
From here you can verify whether an email is legitimate and whether the sender is who they claim to be. The image above shows “PASS” for all three protocols. This is just one way of checking: a PASS result does not mean the email is not a potential phishing attack. Later in this blog we will go further into detection; note that this is only one step in phishing detection.
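The PASS/FAIL verdicts that “Show original” summarises are recorded by the receiving server in an Authentication-Results header. As an added example (not from the original post), the script below reads the SPF, DKIM and DMARC results out of that header; both sample headers are constructed, and the domains and IPs in them are made up.

```python
# Added example for this post (not code from the original article): read the
# SPF / DKIM / DMARC verdicts from an Authentication-Results header. This is
# the header a receiving server such as Gmail adds, and it is what "Show
# original" summarises as PASS or FAIL. Both sample headers are constructed;
# the domains and IPs in them are made up.
import re

# Constructed: all three checks pass.
AUTH_RESULTS_OK = (
    "mx.google.com; "
    "dkim=pass header.i=@example.com header.s=sel header.b=AbCdEf12; "
    "spf=pass (google.com: domain of bounce@example.com designates "
    "198.51.100.7 as permitted sender) smtp.mailfrom=bounce@example.com; "
    "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com"
)

# Constructed: unsigned message from an IP the domain does not authorise.
AUTH_RESULTS_BAD = (
    "mx.google.com; "
    "dkim=none; "
    "spf=fail (google.com: domain of info@example.com does not designate "
    "203.0.113.45 as permitted sender) smtp.mailfrom=info@example.com; "
    "dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com"
)

# "spf=pass", "dkim=fail", "dmarc=temperror", ... (RFC 8601 method=result pairs)
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def parse_auth_results(header_value):
    """Map each method to its verdict, e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}.

    A method that does not appear at all is reported as 'none', which is also
    what a server writes when there was nothing to check (e.g. no DKIM signature).
    """
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, verdict in RESULT_RE.findall(header_value):
        results[method.lower()] = verdict.lower()
    return results


def failing_methods(results):
    """Sorted list of methods whose verdict is anything other than 'pass'."""
    return sorted(m for m, v in results.items() if v != "pass")


def all_pass(results):
    return not failing_methods(results)


def header_from_domain(header_value):
    """The From domain DMARC evaluated (header.from=...), to compare with the visible From."""
    match = re.search(r"header\.from=([^\s;]+)", header_value)
    return match.group(1).lower() if match else None


if __name__ == "__main__":
    for label, value in (("ok", AUTH_RESULTS_OK), ("bad", AUTH_RESULTS_BAD)):
        res = parse_auth_results(value)
        print(label, res, "failing:", failing_methods(res))
```

A verdict of none is kept distinct from fail on purpose: none means the check could not be performed (no signature, no SPF record), which is common for small senders and is not by itself evidence of spoofing, whereas fail means the check ran and the message did not match what the domain publishes.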
Now that we know these terms, let’s dive into email traffic analysis. We will gather certain important information from the email: sender address, SMTP IP address, base domain, and subject.
It is important to note that if harmful emails are constantly sent to the same recipients, their email addresses may have been leaked. Email addresses can be pulled with the theHarvester tool.
There are two key questions we’ll focus our phishing analysis on:
- Was the email sent from the correct SMTP server?
- Are the “From” and “Return-Path/Reply-To” fields the same?
Let’s get started:
Now, look at the image above: was the email sent from the correct SMTP server?
Looking at the image, the sender claims to be info@letsdefend.io.
Knowing this, we look in the header for the originating server (the bottom Received entry) and compare it with the “From” address.
We can see that the originator was emkei.cz at 101.99.94.116. To check whether the “From” domain matches the originator in the Received section, we use the MxToolbox tool. Now let’s look up letsdefend.io.
Looking at the image, the SMTP IP address listed for letsdefend.io does not correlate with emkei.cz at 101.99.94.116. This alone suggests the email was spoofed.
It is important to note that most emails won’t be this easy; phishing emails most often have the “From” matching the originator in Received. Let’s continue determining whether our example email is phishing by moving to the next question.
Are the “From” and “Return-Path/Reply-To” fields the same?
Here, we want to see whether the domain in the From field matches the Reply-To or Return-Path.
Looking at it, they obviously do not match. On their own, these two questions cannot prove that an email is phishing, but they give you good insight into detecting one. After this, it is important to look at the email as a whole. Suspicious signs include desperation or urgency in the text, harmful attachments, malicious URLs, and misleading content.
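The two questions above can be turned into repeatable checks. As an added example (not code from the original post), the script below takes the values an analyst reads off the header (From, Return-Path, Reply-To, and the host/IP of the bottom Received entry) and answers both questions. Which servers legitimately send for a domain comes from an MX/SPF lookup (MxToolbox or dig); this offline example takes that as a set supplied by the caller. The info@letsdefend.io and emkei.cz / 101.99.94.116 values are the post's own; the Return-Path, the benign case and the “expected sender” IP are constructed.

```python
# Added example for this post (not code from the original article): turn the
# two questions above into checks. The inputs are the values an analyst reads
# off the header (From, Return-Path, Reply-To and the host/IP in the bottom
# Received line). Which servers legitimately send for a domain comes from an
# MX/SPF lookup (MxToolbox, dig); this offline example takes that as a set
# supplied by the caller. The letsdefend.io / emkei.cz values come from the
# article; the other addresses and the "expected sender" IP are constructed.
from email.utils import parseaddr


def domain_of(addr):
    """'Name <User@Example.com>' -> 'example.com'; None if there is no address."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[1].lower() if "@" in address else None


def aligned(domain, from_domain):
    """Relaxed alignment as DMARC uses it: the same domain or a subdomain of it."""
    if not domain or not from_domain:
        return False
    return domain == from_domain or domain.endswith("." + from_domain)


def check_origin(origin_host, origin_ip, expected_senders):
    """Question 1: did the message enter the mail system from a known sender?

    expected_senders holds hostnames and/or IPs that the From domain publishes
    (MX hosts, SPF-permitted IPs).
    """
    known = {s.lower().rstrip(".") for s in expected_senders}
    return origin_ip in known or origin_host.lower().rstrip(".") in known


def check_reply_alignment(from_addr, return_path, reply_to):
    """Question 2: do Return-Path / Reply-To use the From domain?

    Returns {header_name: its_domain} for every header that does not align;
    an empty dict means they match. Absent headers are skipped.
    """
    from_domain = domain_of(from_addr)
    mismatches = {}
    for name, value in (("Return-Path", return_path), ("Reply-To", reply_to)):
        if value and not aligned(domain_of(value), from_domain):
            mismatches[name] = domain_of(value)
    return mismatches


def assess(from_addr, return_path, reply_to, origin_host, origin_ip, expected_senders):
    """Collect human-readable indicators; an empty list means both questions pass."""
    from_domain = domain_of(from_addr)
    indicators = []
    if not check_origin(origin_host, origin_ip, expected_senders):
        indicators.append(
            f"originating server {origin_host} [{origin_ip}] is not a known sender for {from_domain}"
        )
    for header, domain in check_reply_alignment(from_addr, return_path, reply_to).items():
        indicators.append(f"{header} domain {domain} does not match From domain {from_domain}")
    return indicators


# The article's example: From claims letsdefend.io, bottom Received shows emkei.cz.
ARTICLE_CASE = dict(
    from_addr="info@letsdefend.io",
    return_path="<bounce@mailer.example.net>",  # constructed; the article only says it differs
    reply_to=None,
    origin_host="emkei.cz",
    origin_ip="101.99.94.116",
    expected_senders={"198.51.100.25"},  # constructed placeholder for the real MX/SPF result
)

# Constructed benign case: origin is a published sender and bounces use a subdomain.
BENIGN_CASE = dict(
    from_addr="Billing <billing@example.com>",
    return_path="<bounce@bounce.example.com>",
    reply_to="billing@example.com",
    origin_host="mail.example.com",
    origin_ip="198.51.100.25",
    expected_senders={"mail.example.com", "198.51.100.25"},
)

if __name__ == "__main__":
    for name, case in (("article", ARTICLE_CASE), ("benign", BENIGN_CASE)):
        print(name, assess(**case) or ["no indicators"])
```

The alignment check deliberately accepts a subdomain of the From domain (bounce.example.com for example.com), because many legitimate bulk senders use a dedicated bounce subdomain; flagging those would bury the real mismatches in noise. As the post says, an empty indicator list does not clear a message; it only means these two questions did not raise anything.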
Helpful resources to check URLs and SMTP IP addresses:
VirusTotal
Talos Intelligence
AbuseIPDB
Hope this blog helps you in identifying and thwarting phishing emails.
Happy investigating! Keep Learning!
Stay connected and subscribe to this blog; in our upcoming posts we will discuss more about cybersecurity.
Thank you for taking the time to read my blog; your attention and support are greatly appreciated. It is my desire to share my ideas and thoughts with you, and I hope you find my content interesting and informative.
If you enjoyed reading my blog, I encourage you to subscribe to receive future updates. By subscribing, you’ll never miss a post and you’ll be the first to know about my latest content.
Here is my GitHub repo:
Your Repositories (github.com)
My Twitter:
rising_segun (@DurojayeOluseg5) / Twitter
My LinkedIn: