Phishing Analysis

Uploaded by Malek Benkirane

Contents
What is Phishing? (page 2)
4 Common Ways Attackers Do Phishing (page 2)
How Phishing Works: Key Steps (page 3)
Phishing Case Studies (page 4)
Email Fundamentals (page 5)
Phishing Attack Types (page 7)
Anatomy of URL (page 8)
Email URL Analysis Tools (page 8)
Reactive Phishing Defense (page 8)
Proactive Phishing Defense (page 9)
What is Phishing?
Phishing is a type of online scam where attackers try to trick people into giving away sensitive
information like passwords, credit card numbers, or personal details. They do this by pretending
to be a trusted person or company, often using fake emails, websites, or messages that look
real.

4 Common Ways Attackers Do Phishing

1. Email Phishing
• Attackers send fake emails that look like they come from legitimate companies (e.g.,
banks, social media, or online stores).
• The email often contains a link to a fake website where the victim is asked to enter
personal information.
• The message might create urgency like "Your account is compromised" to make the
victim act quickly.

2. Spear Phishing
• More targeted and personalized than regular phishing.
• The attacker researches their victim (like a specific person or company) and crafts a
convincing message just for them.
• The message might appear to come from a known colleague, boss, or trusted
partner.

3. Smishing (SMS Phishing)


• Attackers use text messages to deliver phishing content.
• The message might contain a link to a fake website or ask the victim to call a fake
customer service number.
• It often involves messages like "You've won a prize!" or "There's an issue with your
bank account."

4. Vishing (Voice Phishing)


• Attackers use phone calls to try and trick victims into revealing personal information.
• They might pretend to be from a bank, government agency, or tech support, claiming
there is an urgent problem that needs resolving.
• The attacker may ask for sensitive information like account numbers or social
security numbers over the phone.
How Phishing Works: Key Steps

1. Planning the Attack


• The attacker decides on a target (individuals, groups, or organizations).
• They gather information about the target to make the phishing attempt more
convincing.

2. Crafting the Bait


• The attacker creates a fake email, website, message, or phone call.
• The bait is designed to look legitimate, often mimicking trusted entities like banks,
government agencies, or popular websites.

3. Luring the Victim


• The attacker sends the phishing email, text message, or makes a call to the target.
• The message usually creates a sense of urgency or fear (e.g., "Your account is at
risk!").
• The victim is prompted to click a link, download a file, or provide sensitive
information.

4. Redirecting to Fake Website


• If the victim clicks the link, they are taken to a fake website that looks almost
identical to a legitimate one.
• The website may ask for personal information, such as login credentials, credit card
details, or social security numbers.

5. Collecting Victim's Information


• Once the victim enters their details on the fake site or over the phone, the attacker
collects this information.
• The attacker can now use this data for financial gain, identity theft, or further attacks.

6. Exploiting the Information


• The attacker uses the stolen information to access accounts, steal money, or sell the
information to other cybercriminals.
• The victim may be unaware of the attack until it’s too late (e.g., their bank account is
drained).

7. Covering Tracks
• After collecting the data, the attacker may take steps to hide their activities, such as
deleting fake websites or masking their identity to avoid detection.
Phishing Case Studies

1. Colonial Pipeline (2021)

• Ransomware delivered via a phishing attack
• Disrupted operations and a $4.4 million ransom
• https://abnormalsecurity.com/blog/colonialpipelineattackphishingemaillikelytheculprit

2. Levitas Capital (2020)

• Whaling – spoofing a Zoom invite email
• Fraudulent invoice of ~$8.7 million
• https://www.secureworld.io/industrynews/hedgefundclosesafterbeccyberattac

3. Ubiquiti Networks (2015)

• CEO Fraud (Business Email Compromise)
• $46.7 million
• https://krebsonsecurity.com/2015/08/techfirmubiquitisuffers46mcyberheist/

4. Ukraine’s Power Grid (2015)

• Spear phishing by the APT group Sandworm
• Power outages for ~230,000 people
• https://en.wikipedia.org/wiki/2015_Ukraine_power_grid_hack
Email Fundamentals

1. Email Address

2. Email Header
• From: Sender's email address.
• To: Recipient's email address.
• Cc (Carbon Copy): Other recipients who receive a copy of the email.
• Bcc (Blind Carbon Copy): Recipients who receive a copy of the email without others
knowing.
• Subject: Topic or purpose of the email.
• Date: Time when the email was sent.
• Message ID: Unique identifier for the email.
• Reply To: Address where replies should be sent (can be different from the "From"
address).
• Return Path: Address to which email delivery failures are sent.
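Triage of the header fields listed above, as an added example that is not part of the original notes: it parses a constructed raw message with Python's standard email library, compares the Reply-To and Return-Path domains against the From domain, and reads the Authentication-Results header (assumed here to have been added by the receiving mail server) for SPF, DKIM and DMARC verdicts. All addresses, domains and verdicts are constructed sample values.

```python
"""Header triage for a suspected phishing email (added example, not part of the
original notes). Parses a constructed raw message with the standard library and
flags Reply-To / Return-Path domains that differ from From, plus SPF, DKIM and
DMARC verdicts that are not 'pass'. All addresses and domains are constructed."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: the display name claims a bank, Reply-To and Return-Path
# point elsewhere, and the receiving MTA recorded SPF and DMARC failures.
RAW = b"""From: "Example Bank Support" <support@examplebank.test>
To: victim@corp.test
Reply-To: helpdesk@examp1ebank-secure.test
Return-Path: <bounce@bulk-mailer.test>
Subject: Your account is compromised - verify now
Message-ID: <20240101.1234@bulk-mailer.test>
Authentication-Results: mx.corp.test; spf=fail smtp.mailfrom=bulk-mailer.test; dkim=none; dmarc=fail header.from=examplebank.test

Click https://examplebank.test.login-verify.test/ to keep access.
"""

def domain(addr):
    """Lowercase domain part of an address header value, or '' if absent."""
    _, email_addr = parseaddr(str(addr or ""))
    return email_addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Map spf/dkim/dmarc to their verdicts from Authentication-Results."""
    verdicts = {}
    # The first ';'-separated field is the authserv-id; the rest are method=result.
    for field in str(msg.get("Authentication-Results") or "").split(";")[1:]:
        method, _, rest = field.strip().partition("=")
        if method in ("spf", "dkim", "dmarc") and rest:
            verdicts[method] = rest.split()[0].lower()
    return verdicts

def triage(raw):
    """Return human-readable findings for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = domain(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        if msg[hdr] and domain(msg[hdr]) != from_dom:
            findings.append(f"{hdr} domain {domain(msg[hdr])} differs from From domain {from_dom}")
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{method} result is {verdict}")
    return findings
```

Running `triage(RAW)` on the sample yields five findings: two domain mismatches and three failed or missing authentication results.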
3. Email Body
• Text Body: The main content of the email can be plain text or HTML.
• Attachments: Files, images, or documents attached to the email.
• Signature: Optional closing text, often with contact details, name, and title.

4. Email Protocols
a. SMTP (Simple Mail Transfer Protocol):
• Used for sending emails from a client to a server or between servers.
• Operates on ports 25, 465, or 587.
• Handles outgoing email traffic.

b. POP (Post Office Protocol):


• Used to retrieve emails from the server to the client.
• Downloads emails from the server to a device.
• Works on port 110 (unencrypted) or 995 (encrypted).
• Once downloaded, emails are typically deleted from the server.

c. IMAP (Internet Message Access Protocol):


• Allows users to view emails while keeping them on the server.
• Synchronizes email across multiple devices.

5. Mail Agents
a. MTA (Mail Transfer Agent):
• Software responsible for sending and receiving emails between servers (e.g.,
Sendmail, Postfix).
• Routes emails to their destination.

b. MUA (Mail User Agent):


• Email client software used by end users to send, receive, and read emails (e.g.,
Outlook, Thunderbird).
• Interacts with the user and displays emails.

c. MDA (Mail Delivery Agent):


• Responsible for the final delivery of an email to a user's inbox (e.g., Procmail).
• Works in conjunction with the MTA.

d. MSA (Mail Submission Agent):


• Accepts outgoing emails from the MUA and forwards them to the MTA.
• Authenticates and forwards the email to the next stage in the delivery process.

e. MRA (Mail Retrieval Agent):


• Retrieves email from a remote server using POP or IMAP for the MUA.
• Handles email fetching from servers to clients.
Phishing Attack Types
1. Pretexting:
• Attackers create a fabricated scenario or lie (the "pretext") to steal sensitive
information.
• Often involves pretending to be someone trustworthy, such as a coworker or an
authority figure.

2. Spoofing and Impersonation:
• Attackers forge email addresses, caller IDs, or website URLs to appear as legitimate
sources.
• They impersonate trusted entities (banks, IT support, etc.) to trick the victim.

3. URL Manipulation:
• Attackers create misleading or lookalike URLs to deceive users into visiting malicious
websites.
• Tactics include slight changes in domain names, using subdomains, or hidden URLs in
clickable text.

4. Encoding:
• Attackers obscure malicious content using encoding techniques like Base64 to bypass
security filters.
• Encoded malicious payloads (scripts, malware) are often embedded in emails or web
pages.

5. Attachments:
• Malicious files are sent as email attachments, often disguised as legitimate
documents (e.g., invoices, reports).
• When opened, these files execute malware or steal information.

6. Abuse of Legitimate Services:
• Attackers use trusted services (e.g., Dropbox, Google Drive) to host and deliver
phishing content.
• Victims are more likely to trust links and files hosted on well-known platforms.

7. Pharming:
• Attackers redirect users to fraudulent websites by tampering with DNS settings or
hosts files.
• Even when the correct URL is entered, users are sent to fake, malicious sites.
Anatomy of URL

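The URL Manipulation and Encoding tactics from the attack types above, applied to the components of a URL, as an added example that is not part of the original notes: it splits each link with Python's urllib, flags a trusted brand placed in a subdomain or in the userinfo part instead of the real domain, a digit-for-letter lookalike domain, and a Base64-encoded redirect target hidden in a query parameter. The trusted-domain set and all sample URLs are constructed.

```python
"""URL triage for links pulled from a suspected phishing email (added example,
not part of the original notes). Splits each URL into its components and flags
the URL Manipulation and Encoding tactics listed above: a trusted brand placed
in a subdomain or in the userinfo part instead of the real domain, a lookalike
domain with digits swapped for letters, and a Base64-encoded redirect target
hidden in a query parameter. The trusted-domain set and sample URLs are constructed."""
import base64
from urllib.parse import parse_qs, urlsplit

TRUSTED = {"examplebank.test"}                 # constructed: domains actually trusted
LOOKALIKE = str.maketrans("013457", "oleast")  # digits commonly swapped for letters
# Constructed sample of a Base64 redirect target as it would appear in a query string.
ENCODED = base64.urlsafe_b64encode(b"https://attacker.test/login").decode()

def decode_b64_url(value):
    """Return the decoded URL if value is Base64 for an http(s) URL, else None."""
    std = value.translate(str.maketrans("-_", "+/"))
    try:
        decoded = base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not Base64 at all
        return None
    text = decoded.decode("ascii", errors="ignore")
    return text if text.startswith(("http://", "https://")) else None

def triage_url(url):
    """Return findings for one URL; an empty list means nothing suspicious found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in TRUSTED:
        return []
    findings = []
    if parts.username:  # https://brand@attacker/ shows the brand first in the bar
        findings.append(f"userinfo '{parts.username}' precedes the real host {host}")
    plain = host.translate(LOOKALIKE)
    for brand in TRUSTED:
        if brand in host or brand.split(".")[0] in host:
            findings.append(f"brand '{brand}' appears inside untrusted host {host}")
        elif plain == brand or plain.endswith("." + brand):
            findings.append(f"host {host} is a digit-substitution lookalike of {brand}")
    for key, values in parse_qs(parts.query).items():
        for value in values:
            target = decode_b64_url(value)
            if target:
                findings.append(f"parameter '{key}' hides Base64-encoded URL {target}")
    return findings
```

Calling `triage_url` on `"https://examplebank.test.login-verify.test/"`, `"https://examplebank.test@attacker.test/login"`, `"https://examp1ebank.test/reset"` and `"https://files.share.test/open?next=" + ENCODED` produces one finding each, while the genuine `"https://examplebank.test/"` produces none.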
Email URL Analysis Tools


• https://gchq.github.io/CyberChef/
• https://github.com/MalwareCube/Email-IOC-Extractor
• https://phishtank.org/
• https://www.url2png.com/
• https://urlscan.io/
• https://www.virustotal.com/gui/home/upload
• https://www.urlvoid.com/
• https://www.wannabrowser.net/
• https://unshorten.it/
• https://urlhaus.abuse.ch/
• https://transparencyreport.google.com/safe-browsing/search
• https://www.joesandbox.com/

Reactive Phishing Defense


Containment
• Determine scope
• Quarantine
• Block sender artifacts
• Block web artifacts
• Block file artifacts

Eradication
• Remove malicious emails
• Content search and eDiscovery
• Remove malicious files
• Abuse form submissions
• Credential changes
• Reimaging

Recovery
• Restore systems

Communication
• Notify affected users
• Update stakeholders
Proactive Phishing Defense
Email Filtering
• Email security appliances
• Marking external emails

URL Scanning and Blocking
• Real-time URL inspection
• Block recently registered domains

Attachment Filtering
• File extension blocks
• Attachment sandboxing

Email Authentication Methods
• SPF
• DKIM
• DMARC

User Training
• Security awareness training
• Phishing simulation exercises
• Reporting functionality
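The email authentication methods listed above only stop spoofing when the published records are strict, so as an added example that is not part of the original notes, here are constructed SPF and DMARC TXT records in a weak and a corrected form, with checks that flag the weak settings (soft or missing `all`, too many DNS lookups, `p=none`, no reporting address). The records are constructed strings; a real DNS TXT lookup is assumed to supply them and is not performed here.

```python
"""Checks on the SPF and DMARC TXT records a domain publishes (added example, not
part of the original notes). Records are constructed strings; in practice they come
from a DNS TXT lookup, not performed here. The checks flag settings that leave spoofing unenforced."""

WEAK_SPF = "v=spf1 mx include:_spf.mailprovider.test ~all"      # constructed
STRONG_SPF = "v=spf1 mx include:_spf.mailprovider.test -all"    # constructed
WEAK_DMARC = "v=DMARC1; p=none"                                   # constructed
STRONG_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@examplebank.test; "
                "adkim=s; aspf=s")                                # constructed

def assess_spf(record):
    """Return findings for an SPF TXT record string (RFC 7208 rules)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:  # a mechanism with no qualifier defaults to '+' (pass)
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every sender")
        elif qualifier in "~?":
            findings.append(f"'{qualifier}all' is softfail/neutral: spoofed mail may still be delivered")
    lookups = sum(t.lstrip("+-~?").lower().split(":")[0].split("=")[0]
                  in ("include", "a", "mx", "ptr", "exists", "redirect") for t in terms[1:])
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings

def assess_dmarc(record):
    """Return findings for a DMARC TXT record string (RFC 7489 tags)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, never blocked")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings
```

`assess_spf(WEAK_SPF)` and `assess_dmarc(WEAK_DMARC)` each return findings, while the STRONG records return empty lists.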

https://www.linkedin.com/in/adnan-musa-b62879319/