Phishing Analysis Fundamentals


Published on December 12, 2023 by Khafagy

Security Analyst

4 min READ

Introduction

This write-up covers the fundamentals of phishing analysis: email addresses, delivery mechanisms, email headers, body content, and the main types of phishing attacks.

Explore these concepts in a hands-on way with the resources available at TryHackMe - Phishing Analysis Fundamentals.

Task 2: The Email Address

In Task 2, we look at the history of email. Email was invented in the 1970s, a significant milestone in communication technology.


Answer: 1970s

Task 3: Email Delivery

To understand the various email protocols and their ports, we refer to an article. It notes that secure IMAP uses port 993 and insecure IMAP port 143; secure SMTP uses port 465 and insecure SMTP port 587; secure POP3 uses port 995 and insecure POP3 port 110.


Article Link: https://help.dreamhost.com/hc/en-us/articles/215612887-Email-client-protocols-and-port-numbers


  • Secure Transport for SMTP: Port 465
  • Insecure Transport for SMTP: Port 587

  • Secure Transport for IMAP: Port 993
  • Insecure Transport for IMAP: Port 143

  • Secure Transport for POP3: Port 995
  • Insecure Transport for POP3: Port 110

Task 4: Email Header Analysis

Before answering the Task 4 questions, read the provided article on understanding email headers (Media Temple), and also the linked article on how to view email headers.

Return-Path: The email address for return mail. This is the same as Reply-To:.


Once the email sender’s IP address is found, you can look it up at http://www.arin.net/


Q1: Return-Path
Q2: http://www.arin.net/

Task 5: Email Body

Task 5 requires careful examination of the email body.

Q1: What is the URI of the blocked image? Inspect the HTML code segment for the image URI.


Q2: The answer is found in the source code.


In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?


Q3: This can be solved with either the terminal or CyberChef.

Using the terminal:

Step 1: Copy the base64 text, open a terminal and run `nano encode.txt`, paste with Ctrl + Shift + V, then press Ctrl + X to save and exit.

Step 2: Run this command to print the file contents, base64-decode them, and redirect the output to khafagy.pdf: `cat encode.txt | base64 -d > khafagy.pdf`

Step 3: Run this command to open the PDF: `open khafagy.pdf`


Using CyberChef:

Step 1: Paste the content into CyberChef.
Step 2: Drag and drop the "From Base64" operation.
Step 3: Click the magic wand.


Step 4: The output is detected as PDF format; save it and open the file.
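The same reconstruction as an added Python example (not code from the room or this write-up), with a magic-byte check and a SHA-256 hash so the attachment is identified and recorded before anyone opens it. The PDF bytes and their base64 form are constructed here as a stand-in for the lab's email2.txt; the function names are my own.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample: a minimal PDF-like byte string, base64-wrapped the way
# a MIME attachment is. Stand-in for the lab's email2.txt, not its contents.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLE_B64 = base64.encodebytes(SAMPLE_PDF).decode()

# Magic bytes for attachment types that matter most in phishing triage.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip or modern office document",
    b"MZ": "windows executable",
    b"\xd0\xcf\x11\xe0": "legacy office document (OLE)",
}

def decode_attachment(b64_text: str) -> bytes:
    """Decode a base64 blob copied from an email; tolerates line wrapping."""
    cleaned = re.sub(r"\s+", "", b64_text)
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        # Not valid base64: wrong paste, truncated blob, or not base64 at all.
        raise ValueError(f"not valid base64: {exc}") from exc

def identify(data: bytes) -> str:
    """Classify by magic bytes, never by the extension the sender chose."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"

def triage(b64_text: str) -> dict:
    """Decode, identify and hash the attachment before it is ever opened."""
    data = decode_attachment(b64_text)
    return {
        "type": identify(data),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),  # look up in threat intel
        "data": data,
    }

if __name__ == "__main__":
    result = triage(SAMPLE_B64)
    # Same step as `base64 -d > khafagy.pdf`, done only after identification.
    with open("reconstructed.pdf", "wb") as fh:
        fh.write(result["data"])
```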


Task 6: Types of Phishing

Upon analyzing the contents of email3.eml, we discover relevant information in its headers. The following details are found:

  • Received: from 10.253.62.157 by atlas102.free.mail.gq1.yahoo.com
  • In: Sun, 11 Jul 2021 11:48:13
  • Return-Path: <support@teckbe[.]com>
  • From: =?UTF-8?B?VGhhbmsgeW91ISBIb21lIERlcG90?= <support@teckbe[.]com>
  • To: alexa@yahoo[.]com
  • Subject: =?UTF-8?B?T3JkZXIgUGxhY2VkIDogWW91ciBPcmRlciBJRCBPRDIzMjE2NTcwODkyOTEgUGxhY2VkIFN1Y2Nlc3NmdWxseQ==?=
  • Message-ID: <tkbe_204456168_28443456_28260243_2164817_269_520_5436[.]1626003191881.com[.]root@tcbe-236083[.]teckbe[.]com>
  • X-Complaints-To: <abuse@teckbe[.]com>
  • List-Unsubscribe: http[://]t[.]teckbe[.]com/p/?j3=EOowFcEwFHl6EOAyFcoUFVTVEchwFHlUFOo6MjL6EbTT

Check for any encoded text and decode it with CyberChef.

Additionally, there is a long base64-looking string in the headers. Upon decoding, we find:


Nothing!


The From header, =?UTF-8?B?VGhhbmsgeW91ISBIb21lIERlcG90?= <support@teckbe[.]com>, contains a base64-encoded part (the =?UTF-8?B?...?= syntax).

Decoding it gives the answer to Q1.


The same header also gives the answer to Q2: support@teckbe[.]com

The Subject is base64 as well (note the trailing ==): Subject: =?UTF-8?B?T3JkZXIgUGxhY2VkIDogWW91ciBPcmRlciBJRCBPRDIzMjE2NTcwODkyOTEgUGxhY2VkIFN1Y2Nlc3NmdWxseQ==?=

Decoding it gives the answer to Q3.


Q4: What is the URL link for "CLICK HERE"? (Enter the defanged URL.) Press Ctrl + F to search the body for CLICK.


Reminder: when dealing with hyperlinks and attachments, be careful not to accidentally click the hyperlink or open the attachment. After decoding, we find the answers to the following questions:


Hint: there are repeated characters that you can remove from the URL. CyberChef can help you with this, along with defanging.


Q1: Home Depot

Q2: support@teckbe[.]com

Q3: Order Placed : Your Order ID OD2321657089291 Placed Successfully

Q4: hxxp[://]t[.]teckbe[.]com/p/?j3=EOo=wFacEwFHl6EOAyFcoUFVTVEchwFHlUFOo6lVTTDcATE7oUE7AUET==
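The Task 6 header and link work as an added Python example (not code from the room or this write-up): the encoded-word headers quoted above are parsed with the standard library, and hrefs in the body are extracted and defanged in the hxxp[://]x[.]y form used in the answers. The HTML body and its link are constructed stand-ins, not email3.eml's real content; the function names are my own.

```python
import re
from email import message_from_string
from email.header import decode_header

# Constructed sample: the encoded-word headers quoted from email3.eml in the
# write-up, plus a made-up HTML body standing in for the real one.
SAMPLE_EML = """\
Return-Path: <support@teckbe[.]com>
From: =?UTF-8?B?VGhhbmsgeW91ISBIb21lIERlcG90?= <support@teckbe[.]com>
To: alexa@yahoo[.]com
Subject: =?UTF-8?B?T3JkZXIgUGxhY2VkIDogWW91ciBPcmRlciBJRCBPRDIzMjE2NTcwODkyOTEgUGxhY2VkIFN1Y2Nlc3NmdWxseQ==?=
Content-Type: text/html

<html><body><p>Your order is ready.</p>
<a href="http://t.example-lure.test/p/?j3=abc123">CLICK HERE</a></body></html>
"""

def decode_encoded_words(value: str) -> str:
    """Turn an RFC 2047 header (=?charset?B?...?= or ?Q?...?=) into plain text."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return " ".join("".join(parts).split())  # collapse stray whitespace

def defang(url: str) -> str:
    """Make a URL unclickable for a report: http -> hxxp, :// -> [://], . -> [.]"""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace("://", "[://]").replace(".", "[.]")

def extract_hrefs(html: str) -> list:
    """Pull href targets out of an HTML body (good enough for triage)."""
    return re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.IGNORECASE)

def triage_headers(raw: str) -> dict:
    """Decode the headers analysts look at first and defang every link found."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    return {
        "from": decode_encoded_words(msg["From"]),
        "subject": decode_encoded_words(msg["Subject"]),
        "return_path": msg["Return-Path"],
        "links": [defang(u) for u in extract_hrefs(body)],
    }
```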


With this, we conclude the phishing attack lab. Goodbye.