Phishing Analysis — Blue Team Labs Online
- This lab covers phishing analysis.
- What is phishing? It is a type of cyber attack in which attackers deceive individuals into divulging sensitive information, such as usernames, passwords and financial details, by posing as a trustworthy entity.
To work through the lab, download the attached file and extract it with the provided password.
Scenario — A user has received a phishing email and forwarded it to the SOC. Can you investigate the email and attachment to collect useful artifacts?
Tools used include:
- Text Editor
- Mozilla Thunderbird
- URL2PNG
- WHOIS
Q. Who is the primary recipient of this email?
Q. What is the subject of this email?
A. Undeliverable: Website contact form submission
Q. What is the date and time the email was sent?
A. 18 March 2021 04:14
Q. What is the Originating IP?
- Open the attachment in a text editor and inspect the message headers.
A. 103.9.171.10
Q. Perform reverse DNS on this IP address, what is the resolved host?
- Use whois.domaintools.com to perform a reverse DNS lookup on the IP address 103.9.171.10.
A. c5s2-1e-syd.hosting-services.net.au
Q. What is the name of the attached file?
A. website contact form submission.eml
Q. What is the URL found inside the attachment?
- Open the attachment in Mozilla Thunderbird.
A. https://35000usdperwwekpodf.blogspot.sg?p=9swghttps://35000usdperwwekpodf.blogspot.co.il?o=0hnd
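The header and attachment steps above can be scripted with Python's standard `email` module; the following is an added example, not part of the original writeup, and the sample message, hosts, addresses and IP in it are constructed placeholders rather than the lab's data.

```python
import email
import re
from email import policy

# Constructed sample (not from the lab): a bounce carrying the original mail as a
# message/rfc822 attachment; every address, host and IP here is a placeholder.
SAMPLE_EML = b"""\
Received: from mail.hosting.invalid (mail.hosting.invalid [203.0.113.45]) by mx.example.invalid
From: postmaster@hosting.invalid
To: victim@example.invalid
Subject: Undeliverable: Website contact form submission
Date: Thu, 18 Mar 2021 04:14:00 +0000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822
Content-Disposition: attachment; filename="website contact form submission.eml"

Subject: Website contact form submission
Content-Type: text/html

<a href="https://lure.invalid/?p=abc">open</a>
--b1--
"""
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def originating_ip(msg):
    # Prefer X-Originating-IP; otherwise the earliest Received hop, which is listed
    # last because each relay prepends its own header.
    hops = [msg.get("X-Originating-IP", "")] + list(reversed(msg.get_all("Received") or []))
    hits = [m.group(0) for hdr in hops for m in [IP_RE.search(hdr)] if m]
    return hits[0] if hits else None

def extract_urls(msg):
    # Pull http(s) URLs out of every text/* part (the lab's URL lives in the attached mail's body).
    return [u for part in msg.walk() if part.get_content_maintype() == "text"
            for u in URL_RE.findall(part.get_content())]

def triage(raw):
    # Headers of the forwarded mail plus the artifacts of each attached .eml.
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"to": str(msg["To"]), "subject": str(msg["Subject"]), "date": str(msg["Date"]),
              "originating_ip": originating_ip(msg), "attachments": []}
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)  # the attached message as a parsed object
            report["attachments"].append({"filename": part.get_filename(), "urls": extract_urls(inner)})
    return report
```

Running `triage` on the real forwarded .eml gives the recipient, subject, date, originating IP, attachment name and embedded URLs in one pass; the URLs are extracted as strings only, never fetched.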
Q. What service is this webpage hosted on?
A. blogspot
Q. Using URL2PNG, what is the heading text on this page? (Doesn’t matter if the page has been taken down!)
- Go to https://www.url2png.com/ and paste the URL found in the attachment.
A. Blog has been removed