Nettitude Blog

4 Steps to take to analyse a phishing email

Posted by Jules Pagna Disso on Jul 24, 2017 2:28:05 PM

Nettitude are sent many suspected phishing emails for investigation. This week we received one that is a great example of how to analyse phishing emails in a bit more depth.

When attempting to block a phishing email campaign, it is usually necessary to look beyond just the domain that the email comes from.  In this post, we’ll take a quick look at an example where we do just that.

The phishing email we received was very generic and had the potential to target anyone in the UK. With a slight modification, the same message could target anyone in any country.

As is often the case with phishing emails, this one contained a link that took the target user to an external website, rather than containing an attachment.

[Image: Phishing Email.png]

In what follows, we recommend 4 steps to analyse a SPAM email in order to gather the maximum number of Indicators of Compromise (IoCs). These IoCs will then be used to block all future SPAM emails from the same campaign.

Step 1: Extracting the attack link

The first step was to extract the link as shown below. Note that it would not be prudent to visit the URL on a production machine. A right click on the email body will give the option “View Source”. We do not advise hovering over the link, as malicious events could be linked to such actions.

[Image: Extracting Attack link.png]

So far, we have one domain name to be blocked: abentertainment.lk. The top level domain .lk is the country-code TLD for Sri Lanka, intended to help Sri Lankan organisations and individuals create their unique identity on the web.

A quick WHOIS lookup did not reveal anything significant at this stage, but we performed more in-depth research later on.
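The extraction in Step 1 can be scripted so that it works from the raw message source rather than a rendered view, which avoids touching the link at all. The following Python script is an added example and is not part of the post or of any Nettitude tooling. It parses a constructed sample message (the sender, subject and body wording are invented; the link is the one quoted in the post), pulls every URL out of the text and HTML parts with the standard library, defangs each one, derives the domain to block, and flags hostnames that carry a watched brand name (here a constructed watch-list containing royalmail.com) in front of an unrelated registrable domain, which is exactly the trick royalmail.com.abentertainment.lk relies on. The registrable-domain logic is a simple heuristic; a production tool should use the Public Suffix List.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message for this example. The link is the one quoted in the
# post; the sender, subject, recipient and body wording are invented.
SAMPLE_EML = """\
From: "Royal Mail" <noreply@example.invalid>
To: recipient@example.com
Subject: Your parcel could not be delivered
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We could not deliver your parcel. Please confirm your address:</p>
<a href="http://royalmail.com.abentertainment.lk/track.php?email=recipient@example.com">Track parcel</a>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Brands this mailbox expects to see. A hostname that contains one of these as a
# label sequence but sits under a different registrable domain is a lookalike.
WATCHED_BRANDS = ("royalmail.com",)  # constructed watch-list


class LinkCollector(HTMLParser):
    """Collects href/src attribute values from an HTML body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def extract_urls(raw_message):
    """Parse a raw RFC 5322 message and return every URL found in its text parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "text/plain"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(body)
            found.extend(collector.urls)
        found.extend(URL_RE.findall(body))  # also catches bare URLs in text
    seen = set()
    return [u for u in found if not (u in seen or seen.add(u))]


def registrable_domain(hostname):
    """Heuristic registrable domain: last two labels, or three for co.uk-style
    registries. A production tool should use the Public Suffix List instead."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "com", "org", "net", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(hostname):
    """Return the watched brand a hostname imitates (e.g. royalmail.com inside
    royalmail.com.abentertainment.lk), or None."""
    host = hostname.lower()
    for brand in WATCHED_BRANDS:
        if f".{brand}." in f".{host}." and registrable_domain(host) != brand:
            return brand
    return None


def defang(url):
    """Render a URL so it cannot be clicked by accident: hxxp://host[.]tld/path."""
    parts = urlsplit(url)
    prefix_len = len(parts.scheme) + 3 + len(parts.netloc)  # scheme + "://" + host
    scheme = parts.scheme.replace("http", "hxxp")
    return f"{scheme}://{parts.netloc.replace('.', '[.]')}{url[prefix_len:]}"


def analyse(raw_message):
    """Step 1 of the post: each link, the domain to block and any brand it imitates."""
    report = []
    for url in extract_urls(raw_message):
        host = urlsplit(url).hostname or ""
        report.append({
            "url": defang(url),
            "host": host,
            "block_domain": registrable_domain(host),
            "impersonates": impersonated_brand(host),
        })
    return report


if __name__ == "__main__":
    for entry in analyse(SAMPLE_EML):
        print(entry)
```

Run against the sample, the report contains a single entry whose block_domain is abentertainment.lk and whose impersonates field is royalmail.com; the defanged URL is what should go into a ticket or IoC feed, never the live link.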

Step 2: Visiting the malicious website

We visited the malicious link using an isolated environment and behind a proxy. We didn’t want the attacker to know about us and raise the alert that one of the emails was being analysed. We changed the email address in the link to a random one.

hxxp://royalmail.com.abentertainment.lk/track.php?email=Donal.Trump@usoffice.com

The malicious website was then visited and we noticed that the email address that we used was populated in the field on the malicious page as shown below. We also noticed that we were redirected to another domain name, sahabatqq.tk. This will be our second domain to block.

[Image: Domain to block.png]

Step 3: Analysing the malicious website

Looking at the source code behind the malicious page, we quickly noticed that the form was submitted to yet another domain: masafirestaurant.com.

[Image: malicious website.png]

So far, we have three domains in our blacklist: abentertainment.lk, sahabatqq.tk and masafirestaurant.com.
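Steps 2 and 3 both come down to following the chain of hops from the link and noting every domain it touches: the landing host, the host it redirects to, and the host the form posts to. The script below is an added example, not code from the post, that performs that bookkeeping over captured responses instead of a live browser. The two captures are constructed: the post reports only the domains involved, so the paths, the use of an HTTP 302 for the redirect and the form's HTML are assumptions. It also recognises the other common redirect mechanisms a phishing kit may use (meta refresh and a script assigning location), since those are easy to miss when only the HTTP headers are inspected.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed captures of the two hops described in the post. Only the domains
# come from the post; the paths, the 302 mechanism and the HTML are assumptions.
CAPTURED_HOPS = [
    {
        "url": "http://royalmail.com.abentertainment.lk/track.php?email=Donal.Trump@usoffice.com",
        "status": 302,
        "headers": {"Location": "http://sahabatqq.tk/royalmail/index.php?email=Donal.Trump@usoffice.com"},
        "body": "",
    },
    {
        "url": "http://sahabatqq.tk/royalmail/index.php?email=Donal.Trump@usoffice.com",
        "status": 200,
        "headers": {"Content-Type": "text/html"},
        "body": """<html><body>
<form method="post" action="http://masafirestaurant.com/verify.php">
  <input type="email" name="email" value="Donal.Trump@usoffice.com">
  <input type="submit" value="Track">
</form>
</body></html>""",
    },
]

META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
SCRIPT_LOCATION_RE = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")


def registrable_domain(hostname):
    """Heuristic registrable domain (use the Public Suffix List in production)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "com", "org", "net", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class PageScanner(HTMLParser):
    """Finds form targets and client-side redirects in one HTML document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.form_actions = []
        self.meta_refresh = []
        self.script_redirects = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(urljoin(self.base_url, a["action"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content") or "")
            if m:
                self.meta_refresh.append(urljoin(self.base_url, m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data verbatim.
        if self._in_script:
            for m in SCRIPT_LOCATION_RE.finditer(data):
                self.script_redirects.append(urljoin(self.base_url, m.group(1)))


def analyse_hops(hops):
    """Walk captured hops; return (ordered unique domains to block, findings)."""
    domains, findings = [], []

    def note(kind, url):
        domain = registrable_domain(urlsplit(url).hostname or "")
        findings.append((kind, url, domain))
        if domain and domain not in domains:
            domains.append(domain)

    for hop in hops:
        note("visited", hop["url"])
        location = hop["headers"].get("Location")
        if 300 <= hop["status"] < 400 and location:
            note("http-redirect", urljoin(hop["url"], location))
        if hop["body"]:
            scanner = PageScanner(hop["url"])
            scanner.feed(hop["body"])
            for u in scanner.meta_refresh:
                note("meta-refresh", u)
            for u in scanner.script_redirects:
                note("script-redirect", u)
            for u in scanner.form_actions:
                note("form-action", u)
    return domains, findings


if __name__ == "__main__":
    block, found = analyse_hops(CAPTURED_HOPS)
    for kind, url, domain in found:
        print(f"{kind:15} {domain:25} {url}")
    print("block:", block)
```

Over the constructed captures the result is the same three-entry blacklist the post arrives at, in the order they were encountered: abentertainment.lk, sahabatqq.tk, masafirestaurant.com. Relative form actions and redirect targets are resolved against the page that served them, so a kit that posts to a relative path on the redirect host is attributed to that host rather than dropped.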

Step 4: Advanced domain registry analysis

We went on to look at the WHOIS records of all the domains. When we came across the last domain, purporting to be a restaurant, we thought a restaurant website had been compromised to serve malicious content. We looked at the restaurant website and all the pages were exactly the same, with one item on the menu.

After performing a WHOIS analysis on masafirestaurant.com we were glad to find an email address used to register the domain. We then performed a reverse WHOIS analysis on the email address and found 18 other domains registered by the same email.

1. addressstudio.com
2. alfifaglobal.com
3. annsmagickitchen.com
4. cobame.com
5. credenztech.com
6. fidelixme.com
7. leelapower.com
8. masafirestaurant.com
9. peacocktravels.co.in
10. powertechnologies.co.in
11. qbstore.in
12. sambhumemorial.org
13. simcologistics.in
14. sreepathiconstruction.com
15. taxpointglobal.com
16. totalcareenergy.com
17. treasurekart.com
18. urviconcepts.com

Out of curiosity, we visited the treasurekart.com domain as shown below and all items were free - what a wonderful world! Some of the websites listed above return “under construction” or were otherwise barren.

[Image: free shopping basket.png]

Impact: Blocking the phishing campaign

In order to minimise the impact of the phishing campaigns used by this malicious group, all the domains above need to be blocked. Further analysis can be done on each individual domain. We were satisfied that blocking these domains would significantly reduce or stop the impact of this campaign, and it didn’t take long to run through the analysis.
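Turning the gathered domains into an actual block is where a small detail matters: the phishing host was royalmail.com.abentertainment.lk, a subdomain, so a block on abentertainment.lk must also cover everything beneath it. The script below is an added example, not part of the post, that normalises the post's domain list (the three domains from Steps 1 to 3 plus the reverse-WHOIS list, with one deliberate duplicate in mixed case to show de-duplication), rejects anything that is not a syntactically valid domain name, and emits a DNS Response Policy Zone (RPZ) in which each domain and its wildcard are answered NXDOMAIN (the "CNAME ." rule). The SOA and NS names are placeholders; is_blocked is the check an analyst would run to confirm the resulting policy catches the observed hostnames.

```python
import re

# The domains gathered in the post: the three seen during the analysis plus the
# reverse-WHOIS pivot list. "MasafiRestaurant.com" is a deliberate mixed-case
# duplicate added here to show the normalisation step.
CAMPAIGN_DOMAINS = [
    "abentertainment.lk", "sahabatqq.tk", "masafirestaurant.com",
    "addressstudio.com", "alfifaglobal.com", "annsmagickitchen.com",
    "cobame.com", "credenztech.com", "fidelixme.com", "leelapower.com",
    "MasafiRestaurant.com", "peacocktravels.co.in", "powertechnologies.co.in",
    "qbstore.in", "sambhumemorial.org", "simcologistics.in",
    "sreepathiconstruction.com", "taxpointglobal.com", "totalcareenergy.com",
    "treasurekart.com", "urviconcepts.com",
]

# Hostname syntax: labels of 1-63 chars, no leading/trailing hyphen, 253 max.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def normalise(domains):
    """Lower-case, strip trailing dots, validate and de-duplicate (order kept)."""
    out = []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if not DOMAIN_RE.match(d):
            raise ValueError(f"not a valid domain name: {d!r}")
        if d not in out:
            out.append(d)
    return out


def is_blocked(hostname, domains):
    """True if hostname is one of the blocked domains or lies beneath one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in normalise(domains))


def rpz_zone(domains, serial=1):
    """Render an RPZ zone: each domain and its wildcard return NXDOMAIN.

    The SOA/NS owner names are placeholders; substitute the resolver's own."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    for d in normalise(domains):
        lines.append(f"{d} CNAME .")       # the apex itself
        lines.append(f"*.{d} CNAME .")     # every subdomain, e.g. royalmail.com.<d>
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rpz_zone(CAMPAIGN_DOMAINS))
    for host in ("royalmail.com.abentertainment.lk", "abentertainment.lk.example.com"):
        print(host, "->", "blocked" if is_blocked(host, CAMPAIGN_DOMAINS) else "allowed")
```

The second check in the usage block is the caveat: a name such as abentertainment.lk.example.com is not covered, because the blocked domain appears as a prefix rather than a suffix. That is correct behaviour (it is a different registrable domain) but it is worth remembering when the campaign, as here, builds its hostnames by stacking brand names in front of the registered domain.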
