Nettitude are sent many suspected phishing emails for investigation. This week we received one that is a great example of how to analyse phishing emails in a bit more depth.

When attempting to block a phishing email campaign, it is usually necessary to look beyond just the domain that the email comes from.  In this post, we’ll take a quick look at an example where we do just that.

The phishing email we received was very generic and had the potential to target anyone in the UK. With a slight modification, the same message could target anyone in any country.

As is often the case with phishing emails, this one contained a link that took the target user to an external website, rather than containing an attachment.

In what follows, we are recommending 4 steps to analyse a SPAM email in order to gather the maximum number of Indicators of Compromise (IoC’s). These IoC’s will then be used to block all future SPAM emails from the same campaign. 

Step 1: Extracting the attack link

The first step was to extract the link as shown below.  Note, it would not be prudent to visit the URL on a production machine. A right click on the email body will give the option “View Source”.  We do not advise hovering over the link as they could be malicious event linked to such actions.

So far, we have one domain name to be blocked: abentertainment.lk. The top level domain .lk is to help Sri Lankan organizations and individuals to create their unique identity on the web.

A quick WHOIS look up did not reveal anything significant at this stage, but we performed more in-depth research later on.

Step 2: Visiting the malicious website

We visited the malicious link using an isolated environment and behind a proxy. We didn’t want the attacker to know about us and raising the alert that one of the emails is being analysed. We changed the email addressed in the link to a random one.

hxxp://royalmail.com.abentertainment.lk/track.php?email=Donal.Trump@usoffice.com

The malicious website was then visited and we noticed that the email address that we used was populated in the field on the malicious page as shown below. We also noticed that we were redirected to another domain name, sahabatqq.tk. This will be our second domain to block.

Step 3: Analysing the malicious website

Looking at the source code behind the malicious page, we quickly noticed that the form was submitted to another domain; masafirestaurant.com.

So far, we have three domains in our blacklist: abentertainment.lk, sahabatqq.tk and masafirestaurant.com.

Step 4: Advanced domain registry analysis

We went on to look at the WHOIS records of all the domains. When we came across the last domain, pertaining to be a restaurant, we thought a restaurant website was compromised to serve malicious content. We looked at the restaurant website and all the pages were exactly the same with one item on the menu.

After performing a WHOIS analysis on masafirestaurant.com we were glad to have an email address used to register the domain. We then performed a reverse WHOIS analysis on the email address. We then found 18 other domains registered by the same email.

Out of curiosity, we visited the treasurekart.com domain as shown below and all items were free - what a wonderful world! Some of the websites listed above return “under construction” or were otherwise barren.

Impact: Blocking the phishing campaign

In order to minimise the impact on the phishing campaigns used by this malicious group, all the domains above need to be blocked. Further analysis can be done of each individual domain. We were satisfied that blocking these domains would significantly reduce or stop the impact of this campaign and it didn’t take long to run through the analysis.

Speak with one of our experts today! Get in touch...