Emails and Phishing Analysis (Part-1)

Phishing ?

It is type of social engineering attack, it is a serious attack vector that you, as a defender, will have to defend against.

Little Background of emails

The man who invented the concept of emails and made the @ symbol famous. THe person responsible for the contribution to the way we communicate was Ray Tomlinson. The invention of the email dates back to the 1970s for ARPANET (United states defense program, experimental computer networks that was forerunner of the Internet).

Format of email address:

EXAMPLE = try@hotmail.com

1. User Mailbox or Username (e.g try in example case is username)
2. @ (e.g works as seperator of the Username and Domain)
3. Domain (e.g in the example hotmail.com)

So, Basically the username means whom the mail is to send and domain refers to the service the user is using like gmail, yahoo or hotmail etc. Or you can consider domain as a your street number and username is the person's first name or last name.

Email Delivery:

Moving further, How to mail is delivered from one person to another. A handful of protocols are involved in sending the email. By now, you should already know that certain protocols were created to handle specific network-related tasks, such as email.

There are 3 specific protocols involved to facilitate the outgoing and incoming email messages, and they are briefly listed below:

1. SMTP (Simple Mail Transfer Protocol): It is utilized to handle the sending of emails.
2. POP3(Post Office Protocol): It is responsible of transferring email between a client and a mail server.
3. IMAP (Internet Message Access Protocol): It is responsible for transferring email between a client and a mail server.

You should have noticed that both POP3 and IMAP have similar definition. But there are differences between the two.

The differences between the two is listed below:

• POP3:
  • Emails are downloaded and stored on a single device.
  • Sent messages are stored on the single device from which the email was sent.
  • Emails can only be accessed from the single device the emails were downloaded to.
  • If you want to keep messages on the server once downloaded to the single device's app or software.
• IMAP:
  • Emails are stored on the server cand can be downloaded to multiple devices.
  • Sent messages are stored on the server.
  • Messages can be synced and accessed accross multiple devices.

Now let's talk about how email travels from the sender to the recipient.

To best illustrate this, see the below image example:

Below is the explanation of the travelling of the email:

1. ALexa composes an email to Billy (billy@johndoe.com) is her favorite email client. After she's done, she sits the send button.
2. The SMTP server needs to determine where to sen Alexa's email. It queries DNS for information associated with johndoe.com.
3. The DNS server obtians the information johndoe.com and sends that information to the SMTP server.
4. The SMTP server sends Alexa's email across the Internet to Billy's mailbox at johndoe.com.
5. In this stage, ALexa's email passes through various SMTP servers and is finally relayed to destination SMTP server.
6. Alexa's email finally reached the destination SMTP server.
7. Alexa's email is forwarded and is now sitting in the local POP3/IMAP server waiting for Billy.
8. Billy logs into his email client, which queris the local POP3/IMAP server for new emails in his mailbox.
9. Alexa's email is copied (IMAP) or downloaded (POP3) to Billy's email client.

So, In last every protocol has its unique/associated port number. So, the port numbers for the above protocols are given below:

• SMTP: 25
• SMTPS (secure): 465
• IMAP: 143
• IMAPS (secure): 993
• POP3: 110
• POP3 (secure): 995

Email Headers:

After learning the delivery of the email, we will know what makes up an email message when it arrives in an inbox.

This Understanding is necessary if you wish to analyze potentially malicious emails manually.

Basically, we need to understand that there are two parts to an email:

• Email Header: Information about the email such as the email servers that relayed the email.
• Email Body: Text and/or HTML formated text or content.

The syntax for email messages is known as the Internet Message Format (IMF).

Let's look at email headers first.

What do you look for when analyzing a potentially malicious email?

Let's start with the email header fields:

1. From - (The sender's email address)
2. Subject - (The emails subject line)
3. Date - (The date when the email was sent)
4. To - (The recipent's email address)

This is usually clearly visible in any email client. Let's look at an example of these fields in the below image:

Warning: This is example email.

Note: The numbers in the above image correspond to the email header fields bullet list above.

Another method to obtain the same email header information, and more, is by viewing the 'raw' email details.

When looking at an email header in detail, it can be intimidating at first, but it's not so bad if you know what is look for.

Note: Depending on your email client, whether a web client or a desktop app, the steps to view these email header fields will vary, but the concept is the same.

Review this Knowledge Base (KB) artcile from Media Temple on viewing the raw/full email headers in various email clients.

In the below image, we can see how to view this information within Yahoo.

Below is a snippet of the raw message for the email sample.

Note: The above image shows some, not all, of the information within an email header.

You can view the complete GMAIL HEADER, here.

Some other details of email header:

1. X-Originating-IP: The IP of the email was sent from. (This is Known as an X-Header)
2. SMTP.mailfrom/header.from: The domain the email was sent from (these headers are within Authentication-Results).
3. Reply-To: This is the email address a reply email will be sent to instead of the From email address.

To clarify, in the email in the sample above, the Sender is newsletters@ant.anki-tech.com, but if a recipient replies to the email, the response will go to reply@ant.anki-tech.com, which is the Reply-To, and NOT to newsletters@ant.anki-tech.com.

Below is the additional resource from Media Template on how to analyze email headers: Media Template

Email Body

Email body is the part of email which contains the text (plain or HTML formatted) the sender wants you to view.

This is example of a text-only email.

And below is an example of the HTML formatted email.

The above email contains an image (which was blocked by the email client) and embeded hyperlinks.

To view an email's HTML code is the same approach shown below, but it may vary depending on the webmail client.

In the below example, the screenshot is from ProtonMail.

A snippet of the HTML code is shown below.

In this specifc email web client, Proton-mail, the option to switch back to HTML is called "View rendered HTML".

Again, it will be different for the other webmail clients.

Lastly, wmails may contain attachments. The same premise applies; you can view an email's attachment from an email's HTML format or by viewing the source code.

Let's look at afew examples below.

The following example in a HTML formatted email from "Netflix" with an attachment. The web client is Yahoo!.

1. The email body has an image.
2. The email attachment is a PDF document.

Now let's view this attachment within the source code.

From the above example, we can see the headers assiated with this attachment:

• Content-Type is application/pdf.
• Content-Disposition specifies it's an attachment.
• Content-Transfer-Encoding tells us it's base64 encoded.

With the base64 encoded data, you can decode it and save it to your machine.

Warning: When interacting with attachments, proceed with caution and make sure you don't double-click an email's attachment by accident.

Note: Headers specific to 'content' can be found in various locations within an email message source code, and they're not only associated with attachments. For example, Content-Type can be text/html, and Content-Transfer-Encoding can have other values, such as 8bit.

1. In the above screenshots, what is the URI of the blocked image?
2. In the above screenshots, what is the name of the PDF attachment?
3. View the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?

Types of Phishing

Now, we will discuss different types of Phishing attacks. Different types of Phishing attacks:

• Spam: Unsolicited junk emails sent out in bulk to a large number of recipients. The more malicious variant of Spam is known as MalSpam.
• Phishing: Emails sent to target(s) purposing to be from a trusted entity ti lure individuals into providing sensitive information.
• Spear Phishing: It takes phishing a step further by targeting a specific individual(s) or organization seeking sensitive information.
• Whaling: It is similar to spear phishing, but it's targeted specifically to C-Level high-position individuals (CEO, CFO, etc.), and the objective is the same.
• Smishing: It takes phishing to mobile devices by targeting mobile users with specially crafted text messages.
• Vishing: It is similar to smishing, but instead of using text messages for the social engineering attack, the attacks are based on voice calls.

When it comes to phishing, the modus operandi is usually the same depending on the objective of the email.

For example, the objective can be to harvest credentials, and another is to gain access to the computer.

Below are typical characteristics phishing emails have in common:

• The sender email name/address will masquerade as a trusted entity email spoofing.
• The email subject line and/or body (text) is written with a sense of urgency or uses certain keywords such as Invoice, Suspended, etc.
• The email body (HTML) is designed to match a trusting entity (such as Amazon)
• The email body (HTML) is poorly formatted or written (contrary from the previous point)
• The email body uses generic content, such as Dear Sir/Madam.
• Hyperlinks (oftentimes uses URL shortening services to hide its true origin)
• A malicious attachment posing as a legitimate document

Reminder: When dealing with hyperlinks and attachments, you need to be careful not to accidentally click on the hyperlink or the attachment.

Hyperlinks and IP addresses should be 'defanged'. Defanging is a way of making the URL/domain or email address unclickable to avoid accidental clicks, which may result in a serious security breach. It replaces special characters, like "@" in the email or "." in the URL, with different characters. For example, a highly suspicious domain, http://www.suspiciousdomain.com, will be changed to hxxp[://]www[.]suspiciousdomain[.]com before forwarding it to the SOC team for detection.

• Try to find following questions, by observing any mail:
  • What trusted entity is this email masquerading as?
  • What is the sender's email?
  • What is the subject line?
  • What is the URL link for - CLICK HERE? (Enter the defanged URL)

Conclusion:

In conclusion few things to explain:

BEC (Business Email Compromise):

• A BEC is when an adversary gains control of an internal emplouee's account nad then uses the compromised email account to convince other intenal empolyees to perform unauthorized or fraudulent actions.

After reading this, you should know following interview questions:

• What makes up an email address?
• How an email travels from sender to recipient.
• How to view source code of an email header.
• How to view the source code of an email body.
• Understand the pertinent information we should obtain from an email we'r analyzing.
• Some common techniques attackers use in spam and phishing email campaigns.

Reference:

• Tryhackme