Phishing Analysis- Blue Team Lab Walkthrough

Cyber SaKHs
Mar 18, 2024


In this article, we’ll be looking at the Phishing Analysis scenario from Blue Team Labs Online that I was able to solve. Below is the challenge solution.

Phishing is a form of cyber attack where an attacker tries to trick individuals into revealing sensitive information, such as usernames, passwords, credit card details, or social security numbers. The attackers usually pose as a trustworthy entity, such as a well-known company, a financial institution, or a government agency, to gain the victim’s trust.

Phishing Analysis Scenario

A user has received a phishing email and forwarded it to the SOC. Can you investigate the email and attachment to collect useful artifacts?

Analysis Tools

We are going to use Thunderbird as our email client and to retrieve the email artifacts we will be using a text editor called Sublime Text.

1. Text Editor (Sublime Text)

2. Mozilla Thunderbird

3. URL2PNG

4. WHOIS

To answer the questions we need to download the phishing email archive and enter the password to access the files. It is highly recommended to open the files in a virtual machine or a dedicated "dirty" machine, because they might be malicious and you don't want to run them on your host PC.

1. Who is the primary recipient of this email? (1 point)

Opening the email, the recipient is shown in the "To" field, as seen below.

Answer: kinnar1975@yahoo.co.uk.

2. What is the subject of this email? (1 point)

For this question, we will search for the “Subject” field as shown below.

Answer: Undeliverable: Website contact form submission

3. What is the date and time the email was sent? (1 point)

For this question, we’ll look for the “Date” field as shown below.

Answer: 18 March 2021 04:14

4. What is the Originating IP? (1 point)

For this question, we'll search the raw headers for "X-Sender-IP" (or simply "IP") as shown below.

Answer: 103.9.171.10

5. Perform reverse DNS on this IP address, what is the resolved host? (whois.domaintools.com) (1 point)

For this question, we need to perform a WHOIS lookup to get the hostname. Searching for the sender 103.9.171.10 on https://whois.domaintools.com we are able to get the hostname as shown below.

Answer: c5s2-1e-syd.hosting-services.net.au

6. What is the name of the attached file?

Looking at the Thunderbird client we can see the attachment name shown at the bottom.

Answer: Website contact form submission.eml

7. What is the URL found inside the attachment? (1 point)

There are two ways to get the answer to this question: we can use our Thunderbird email client, or we can open the attachment in the Sublime Text editor.

Opening the email with the Thunderbird email client we can see the URL at the bottom.

Answer (two URLs are present in the attachment):

https://35000usdperwwekpodf.blogspot.sg?p=9swg

https://35000usdperwwekpodf.blogspot.co.il?o=0hnd
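The artifacts collected in questions 1 to 7 (recipient, subject, date, originating IP, attachment name and the URLs inside the attached .eml) can be pulled from the raw message with the Python standard library instead of searching the text by hand. The following is an added example, not part of the original walkthrough or the challenge files: it builds a constructed stand-in for the NDR (addresses under .invalid, a TEST-NET IP) and parses it; the X-Sender-IP header is provider-specific, so the code falls back to the earliest Received hop when it is absent.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample() -> bytes:
    """Constructed NDR carrying a forwarded .eml (test data, not the challenge file)."""
    inner = EmailMessage()
    inner["From"] = "noreply@lure.invalid"
    inner["To"] = "contact@victim.invalid"
    inner["Subject"] = "Website contact form submission"
    inner.set_content("See https://lure.invalid/?p=9swg or https://lure.invalid/?o=0hnd")
    outer = EmailMessage()
    outer["From"] = "postmaster@victim.invalid"
    outer["To"] = "user@victim.invalid"
    outer["Subject"] = "Undeliverable: Website contact form submission"
    outer["Date"] = "Thu, 18 Mar 2021 04:14:00 +0000"
    outer["Received"] = "from mail.lure.invalid ([192.0.2.10]) by mx.victim.invalid; Thu, 18 Mar 2021 04:14:01 +0000"
    outer["X-Sender-IP"] = "192.0.2.10"
    outer.set_content("Delivery has failed to these recipients or groups.")
    outer.add_attachment(inner, filename="Website contact form submission.eml")
    return outer.as_bytes()


def extract_artifacts(raw: bytes) -> dict:
    """Collect the header and attachment artifacts the walkthrough looks for."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender_ip = msg.get("X-Sender-IP")
    if sender_ip is None:
        # Received headers are prepended per hop, so the last one is the earliest (originating) hop
        hops = [m.group(1) for h in msg.get_all("Received", []) for m in [IP_RE.search(str(h))] if m]
        sender_ip = hops[-1] if hops else None
    artifacts = {
        "recipient": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "date": msg["Date"].datetime.strftime("%d %B %Y %H:%M"),
        "originating_ip": str(sender_ip) if sender_ip else None,
        "attachments": [],
        "urls": [],
    }
    for part in msg.iter_attachments():
        artifacts["attachments"].append(part.get_filename())
        # A forwarded message is itself RFC 822: parse it and scan its text body for links
        if part.get_content_type() == "message/rfc822":
            body = part.get_content().get_body(preferencelist=("plain", "html"))
            if body is not None:
                artifacts["urls"].extend(URL_RE.findall(body.get_content()))
    return artifacts


if __name__ == "__main__":
    for key, value in extract_artifacts(build_sample()).items():
        print(f"{key}: {value}")
```

Run it against the real challenge file by replacing build_sample() with the bytes read from the saved .eml; URLs found this way should be submitted to a screenshot service such as URL2PNG rather than opened directly.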

8. What service is this webpage hosted on? (1 point)

For this question, we can get the answer by looking at the URL artifact for this email.

Answer: blogspot

9. Using URL2PNG, what is the heading text on this page? (Doesn’t matter if the page has been taken down!) (1 point)

URL2PNG is a URL visualization tool that lets you view a website snapshot without visiting it. For this question, we need to copy the URL above and paste it to https://www.url2png.com/.

Answer: Blog has been removed

To analyze the above Phishing Analysis practical challenge please go to Blue Team Labs and register for free.

All the best!
