Introduction
Intro to Emails and phishing
Email Format: local@domain
Protocols
SMTP
Simple mail transfer protocol
Port 25
The newer standard submission port is 587, used with TLS encryption.
POP3
Post office protocol 3
Application layer
Retrieves email from email server
Emails are deleted from the server after they are downloaded
IMAP
Internet Mail Access Protocol
Can read emails from any device
Emails are stored on the server
There is the option to download them manually
Anatomy
Header
Contains information about the email's transportation
Updated as the email passes through each server
Can be used to view the email's exact path
Must include who the email is from, who is receiving the email and the date it was sent.
It can include, but might not, the date the message was processed, a reply address, the subject, the message ID and the message body.
Header information can easily be changed, so it is not very reliable
Custom headers must start with X-
Email Body
Where the content written by the sender goes
Can include text, hyperlinks, images or HTML styling
Commonly encoded to reduce file size; the usual encoding is Base64
Use CyberChef to decode
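Added example (not part of the original notes): reconstruct the path from the Received: headers of a constructed raw email, list its custom X- headers and decode its Base64 body with Python's standard library. All hostnames, addresses and IPs below are made up.

```python
import re
import email
from email import policy

# Constructed raw email: three Received: hops, a custom X- header, Base64 body.
RAW_EMAIL = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.7])
 by inbox.example-corp.test; Mon, 1 Jan 2024 10:02:11 +0000
Received: from mail.sender-host.test (mail.sender-host.test [198.51.100.5])
 by mx.example-corp.test; Mon, 1 Jan 2024 10:02:09 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
 by mail.sender-host.test; Mon, 1 Jan 2024 10:02:05 +0000
From: "IT Support" <it-support@sender-host.test>
To: analyst@example-corp.test
Subject: Password expiry notice
Date: Mon, 1 Jan 2024 10:02:05 +0000
Message-ID: <constructed-0001@sender-host.test>
X-Mailer: ConstructedMailer/1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

TG9nIGluIG5vdw==
"""

def parse(raw: str):
    """Parse a raw RFC 5322 message with the modern (non-compat32) policy."""
    return email.message_from_string(raw, policy=policy.default)

def received_path(msg):
    """Hops as (from, by) pairs ordered origin -> destination. Each server
    prepends its own Received: line, so the top header is the last hop and
    reversing the list gives the route the message claims to have taken."""
    hops = []
    for value in msg.get_all("Received", []):
        frm = re.search(r"^from\s+(\S+)", value)
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append((frm.group(1) if frm else "?",
                     by.group(1).rstrip(";") if by else "?"))
    return list(reversed(hops))

def decoded_body(msg) -> str:
    """get_content() honours Content-Transfer-Encoding, so the Base64 body
    comes back as text (the same result as CyberChef's 'From Base64')."""
    return msg.get_content().strip()

def custom_headers(msg) -> list:
    """Non-standard headers, which by convention start with X-."""
    return [(k, v) for k, v in msg.items() if k.lower().startswith("x-")]
```

The Received: path is only as trustworthy as the servers that wrote it; an attacker controls every hop before the first server you own.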
What is Phishing
Phishing is the act of sending an email with malicious intent, to coerce recipients into disclosing information, downloading malicious files, or otherwise completing an action that they would not normally do, by exploiting a human using one or more social-engineering techniques.
Consequences of phishing
90% of all data breaches in 2019 were because of phishing
Average data breach cost is $3.86 million
1.5 million new phishing sites created each month
Types of Phishing
Reconnaissance
The attacker is trying to find out whether the email address is active.
They can often tell this without the recipient replying to the email.
Recon emails can contain random letters in the header (the attacker checks for error codes being sent back),
use social engineering to get the recipient to respond, or
use tracking pixels to see if the email has been viewed.
The following data can potentially be acquired and analysed using a tracking pixel.
The operating system used (gives information on the use of mobile devices).
Type of website or email used, for example on mobile or desktop.
Type of client used, for example, a browser (webmail) or mail program (email client).
Client’s screen resolution.
Date and time the email was read.
IP address (gives information on the Internet Service Provider and location).
Spam
Often harmless
Caused by being signed up to mailing lists without permission, or by consent hidden in the terms and conditions when signing up to a website
Be careful it's not malspam (malicious emails sent to a large number of recipients)
Credential harvester
A malicious URL in the email takes the victim to a webpage (often designed to look like a legitimate company's) where they are prompted to enter login information.
Imitates commonly-used websites and services (such as Outlook, Amazon, HMRC, DHL, FedEx, and many more).
Entices the recipient to enter credentials into a fake login portal.
Uses social-engineering tactics including creating a sense of urgency and using false authority.
URLs may be completely random or attempt to copy the legitimate domain name of the organisation they are masquerading as.
Often have small spelling or styling mistakes, something that is extremely rare with legitimate emails coming from big brands and organisations.
Social Engineering
Manipulating people into thinking the email is from someone they know.
Making people think there is a sense of urgency; this makes them panic and act without thinking too much about it or checking whether it is true.
Convincing the recipient to reply to an attacker’s initial email (recon emails).
Convincing the recipient to transfer money by posing as the CEO, CTO, CFO, or another employee on the executive board.
Convincing the recipient to provide the attackers with information that is confidential or private by posing as the data subject or someone in a higher position within the company.
Microsoft macro attacks
Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the default setting for macros (enable or disable macros in Office documents).
Don’t open suspicious emails or suspicious attachments.
Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
Enterprises can prevent macro malware from running executable content using ASR (Attack Surface Reduction) rules.
Tactics
Spear phishing
This is like a normal phishing attack, except that the attacker gathers information on the target before launching the attack.
Impersonation
This is pretending to be someone the victim knows to get them to trust the malicious email.
Typosquatting
This is when a name is purposely misspelled so that it still looks legitimate, for example using a capital I (i) to imitate a lowercase l (L). This can trick someone into thinking a fake domain is legitimate.
Homograph
This uses letters from different character sets that look the same but have different Unicode code points.
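Added example (not part of the original notes) covering both the typosquatting and homograph sections: classify a domain as legitimate, a typosquat (ASCII look-alikes such as I for l) or a homograph (non-ASCII letters), and show the Punycode form that actually appears in DNS. The legitimate domain list and the confusable table are constructed and not exhaustive.

```python
import unicodedata

# Constructed list of domains the organisation treats as legitimate.
LEGIT = {"example-corp.test", "paypal.test"}

# Characters attackers swap in because they render alike: ASCII look-alikes
# for typosquatting, Cyrillic letters for homographs (constructed, not exhaustive).
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l", "0": "o", "rn": "m", "vv": "w", "cl": "d",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}

def skeleton(domain: str) -> str:
    """Collapse look-alike spellings of a domain to one canonical form."""
    s = unicodedata.normalize("NFKD", domain)
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    for lookalike, canonical in CONFUSABLES.items():
        s = s.replace(lookalike, canonical)
    return s.lower()

def classify(domain: str) -> dict:
    """Report whether a domain is legitimate, a typosquat, a homograph or
    unknown, plus its Punycode (DNS) form and any non-ASCII letters it uses."""
    d = domain.lower()
    report = {
        "domain": domain,
        "punycode": d.encode("idna").decode("ascii"),
        "non_ascii": [(c, unicodedata.name(c, "?")) for c in d if ord(c) > 127],
        "verdict": "unknown",
    }
    if d in LEGIT:
        report["verdict"] = "legitimate"
        return report
    imitated = [x for x in LEGIT if skeleton(x) == skeleton(domain)]
    if imitated:
        report["imitates"] = imitated[0]
        report["verdict"] = "homograph" if report["non_ascii"] else "typosquat"
    return report
```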
Sender Spoofing
This technique makes the sending address of an email look like a legitimate address.
This is done by editing the From: address, which is not verified when an email is sent.
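Added example (not part of the original notes): because the From: address is not verified on sending, a receiver checks it against the envelope sender (Return-Path:) and the SPF, DKIM and DMARC results the receiving server records in Authentication-Results:. The headers and domains below are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed headers of a spoofed message: From: claims the company's own
# domain, but the envelope sender and the authentication results disagree.
SPOOFED_HEADERS = """\
Return-Path: <bounce@bulk-sender.test>
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=bulk-sender.test;
 dkim=none; dmarc=fail header.from=example-corp.test
From: "CEO" <ceo@example-corp.test>
To: finance@example-corp.test
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

def domain_of(addr_header: str) -> str:
    """Domain part of an address header such as From: or Return-Path:."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()

def auth_results(value: str) -> dict:
    """Pull method=result pairs (spf, dkim, dmarc) out of Authentication-Results."""
    out = {}
    for part in value.split(";"):
        token = part.strip().split(" ", 1)[0]
        if "=" in token:
            method, result = token.split("=", 1)
            if method in ("spf", "dkim", "dmarc"):
                out[method] = result
    return out

def spoof_indicators(raw: str) -> list:
    """Human-readable reasons to distrust the From: address, empty if none."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    for method, result in auth_results(msg.get("Authentication-Results", "")).items():
        if result != "pass":
            findings.append(f"{method}={result}")
    return findings
```

Only trust an Authentication-Results: header written by your own mail server; one arriving from outside can be forged like any other header.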
HTML Styling
This is when HTML code is used to style an email. This helps the email look more professional and legitimate.
<a> </a> – Anchor tags allow for items (such as text or buttons) to be hyperlinked to a web resource.
<table> </table> – Table tags can be used for spacing or tables that include text or images. These are typically used to structure an email into different sections.
<b> </b> – Bold tags can allow text to be formatted as bold.
<i> </i> – Italic tags can allow text to be formatted as italic.
<u> </u> – Underline tags can allow text to be underlined.
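Added example (not part of the original notes) covering this HTML styling section and the tracking-pixel list under Reconnaissance: walk the HTML body of a constructed phishing email and flag an anchor whose visible text names a different domain from its href, and a tiny remote image that would act as a tracking pixel. The HTML and domains are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body: table layout, a deceptive link, a tracking pixel
# and a harmless inline logo.
SAMPLE_HTML = """
<table><tr><td>
<b>Action required:</b> your mailbox is full.
<a href="http://login-example.test/auth?id=42">https://mail.example-corp.test/</a>
<a href="http://login-example.test/help">Click here</a>
<img src="http://track.example.test/p.gif?u=analyst" width="1" height="1">
<img src="cid:logo" width="120" height="40">
</td></tr></table>
"""

# Link text that reads like a URL or bare domain (scheme optional).
HOSTLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

class BodyInspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = ""     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), ""
        elif tag == "img":
            w = (a.get("width") or "").rstrip("px")
            h = (a.get("height") or "").rstrip("px")
            src = a.get("src", "")
            # 1x1 (or 0x0) image fetched from a remote server = tracking pixel
            if w in ("0", "1") and h in ("0", "1") and src.startswith(("http://", "https://")):
                self.findings.append(("tracking_pixel", src))

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = self._text.strip()
            if HOSTLIKE.match(shown):
                shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname
                real_host = urlparse(self._href).hostname
                if shown_host and real_host and shown_host != real_host:
                    self.findings.append(("link_mismatch", f"{shown_host} -> {real_host}"))
            self._href = None

def inspect_html(html: str) -> list:
    parser = BodyInspector()
    parser.feed(html)
    return parser.findings
```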
Email Attachments
Three different kinds of file could be sent: non-malicious files (used for social engineering), non-malicious files that contain malicious hyperlinks, or malicious files.
Hyperlinks
Hyperlinks can be sent in an email or attachment. They can be used for many different techniques, like taking the target to a webpage to download malware or credential harvesting.
URL-Shorteners
This is a tactic for shortening URLs to hide their true destination.
To see where a shortened URL goes, use an online service like Wannabrowser. This lets you view the site without worrying whether it is malicious.
Using Legitimate services
Attackers use legitimate services since administrators won't block popular domains like '@gmail.com'
Business Email Compromise
An attacker will gather data on relationships between businesses that transfer money to each other.
Once they have enough knowledge, they will compromise an email account and spoof emails so they can tell the other business to direct its payments to a different account (one owned by the attacker).
This is a simple attack that is very successful since it exploits the human tendency to trust.