Fishing Phishers : How to Fish a Scammer [ENG]

Por Nebu73Análisis forense, OSINT

Hi H@x0rs!

The truth is, either I don’t wax this or all of a sudden you even have me in the soup. Many of you know that I have been with a friend and colleague @Carol12Gory giving a talk called «Fishing Phishers» in which we explained on the one hand how to get information about phishings and how to link the information of these fake pages with possible groups and campaigns and on the other hand how to set up a Phising distribution system that works better than the botched jobs that we get in the mail every day.

In this first article we are going to focus on the tools and techniques to distinguish a false mail from the real one and to get as much information as possible about the attacker.

How many of you don’t wake up every morning and find the Mail full of mails that…?

  • They call you ugly because they’re looking for a Chinese girlfriend?
  • They insinuate that you are impotent by offering you the blue pill? (Not the one of Morpheus)
  • Ehh! or is that you are very hot and half-worldly women want hot things with you…
  • Amazon writes to you and it turns out you haven’t ordered anything?
  • Oh my non-existent Netflix account now has problems with my card that I have never given?

These are several examples and the list would never end, but of course if you are somewhat restless minds and want to learn … why not a boring day we take our knowledge and put them to do «mischief»?

Of course … apart from because they are SPAM, how can I know that they are not LEGITIMATE emails?

WHERE DO WE START?

Well for the principle? is worth jokes apart depends on how we have configured the email account all this crap will reach us SPAM, rare is the one that sneaks into our «Inbox» but as a recommendation … put a filter that everything that is not known senders …. TO THE SPAM MAILBOX!

Okay, we already have a malicious email but … and now what? In this case you have in your mail the option to look at the headers of the mail?

EMAIL ANATOMY

  • Mail header: Contains all the useful information from a security point of view
    • Origin (From:)
    • From: "AsianMelodies.." <HGOptKNLVeIy.@patri.unaux.com>
    • Destination (Delivered to: )
    • Delivered-To: XXXXXXX@gmail.com
    • Date (Date: )
    • Date: Wed, 16 Oct 2019 18:18:25 -0400
    • Subject (Subject:)
    • Subject: nebu_73 -L0VE 0f Your Life Is Waiting F0r Y0U...
    • Recieved From  (Received: from ) =>This data is usually the most interesting because it brings all the jumps that has stuck this mail to us. In many cases is where we can detect that this is a mail that is not legitimate.
    • Received: from SN1NAM02HT110.eop-nam02.prod.protection.outlook.com (2603:10a6:207:4::17) by AM0PR06MB6179.eurprd06.prod.outlook.com with HTTPS via AM3PR07CA0059.EURPRD07.PROD.OUTLOOK.COM; Thu, 17 Oct 2019 04:18:51 +0000
Received: from SN1NAM02FT024.eop-nam02.prod.protection.outlook.com (10.152.72.54) by SN1NAM02HT110.eop-nam02.prod.protection.outlook.com (10.152.73.58) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2367.14; Thu, 17 Oct 2019 04:18:50 +0000
Authentication-Results: spf=none (sender IP is 63.32.62.171) smtp.mailfrom=vrpholds.sytes.net; hotmail.com; dkim=none (message not signed) header.d=none;hotmail.com; dmarc=none action=none header.from=;
Received-SPF: None (protection.outlook.com: vrpholds.sytes.net does not designate permitted sender hosts)
Received: from ec2-34-244-162-151.eu-west-1.compute.amazonaws.com (63.32.62.171) by SN1NAM02FT024.mail.protection.outlook.com (10.152.72.127) with Microsoft SMTP Server id 15.20.2367.14 via Frontend Transport; Thu, 17 Oct 2019 04:18:50 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:75E154C14E7D90406EA3B480663B3B2D3FC2E4891180E5D8C4FE8DC282A97CBC;UpperCasedChecksum:15E549F87C1786A363C342302B55FC22FE6E7F8DD5733179FAB336EE5FD020A5;SizeAsReceived:523;Count:10
    • Content Type (Content type)=>Sets the content type of the body of the HTML message, plain text, etc.
    • Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="UTF-8"
    • ID del Mensaje (Message ID)
    • Message-ID: <04a335c5-ce1e-4232-89f8-ede0c48ea606@SN1NAM02FT024.eop-nam02.prod.protection.outlook.com>
    • Recieved (Received by)
    • Received: by 2002:a05:6402:6cb:0:0:0:0 with SMTP id n11csp294912edy;
        Wed, 16 Oct 2019 21:21:43 -0700 (PDT)
X-Google-Smtp-Source: APXvYqy6JcJ16/6Hl/ioHHhncRd44HjPCTWwj8I9okm+EGBsMmThEc4UxtsXLCIo77zjajtVQdXQod9V7vmeulS6+w==
X-Received: by 2002:aa7:de12:: with SMTP id h18mr1652253edv.226.1571286103102;
        Wed, 16 Oct 2019 21:21:43 -0700 (PDT)
    • Send to (Reply to)
    • Reply-To: reply@vrpholds.sytes.net
  • Message Body (Message Body) => Contains the message that transports the mail
    • The «interesting things that can contain an email in this part are the links or even «buttons» (which are still a nice link) and that later in the article we will also analyze.
    • <html>
<head>

</head>
<body>
<center>
<a href="http://ⓢⓣⓐⓣⓤⓐⓢ.ⓒⓛⓤⓑ/r.php?t=c&amp;d=39850&amp;l=3377&amp;c=80775"><b>&gt;&gt;Your Soulmate Is Here!&lt;&lt;</b></a><br><br>
<a href="http://ⓢⓣⓐⓣⓤⓐⓢ.ⓒⓛⓤⓑ/r.php?t=c&amp;d=39850&amp;l=3377&amp;c=80775"><img src="https://pbs.twimg.com/media/EG1fCQWWwAExV7Y?format=jpg&amp;name=small" alt="Click on show blocked content to see images"></a>
<br>
<a href="http://ⓢⓣⓐⓣⓤⓐⓢ.ⓒⓛⓤⓑ/r.php?t=u&amp;d=39850&amp;l=3377&amp;c=80775"><img src="https://pbs.twimg.com/media/EG1fFHjW4AEWD2J?format=jpg&amp;name=small"></a>
<br>
<p>
<br>
<a href="http://ⓢⓣⓐⓣⓤⓐⓢ.ⓒⓛⓤⓑ/opt.php?d=39850&amp;l=3377&amp;c=80775&amp;em=ad45af0b26d2bf9521ac9e716d7a2d94"><img src="https://storage.googleapis.com/mynewsbucket/optout.PNG"></a>
</center>
</body>
</html>
  •  

THE SENDER

The first thing we will analyze will be the language, since many phishings are so sloppy that they use automatic translators and what pretends to be Spanish or English ends up being a rare thing more similar to Swahili than what they intended:

The sender is important because … in some cases is so brazen that you send the mail … SPONGE BOB SQUARE PENTS?

THE LINKS

Before clicking anything… BE QUIET DO NOT CLICK!, you must look at the content of the links because the hyperlinks they bring can look like one thing and be another:

If we right click on the button «GO TO APPLE ID ACCOUNT» and choose the option «Copy link address» we’ll see that apple nothing, but this is the link that takes us to

 http://52.211.157.137/KqSGxvW

I don’t know about you but I don’t play the game by opening a link of these in my team so I throw miles with a tool that I already mentioned in my previous post and it’s none other than ANY.RUN .

  1. We create a machine with the link we got
  2. Let’s see what happens in the machine. What do I observe?
    1. New processes
    2. Changes in the registry
    3. Connections and requests you make (From here you can get new IPs ;P)
    4. Countries of origin
    5. Is there any download

In the case that we see that the web is innocuous and that it only looks for the theft of credentials it is interesting to open Burp and put it to see how it works underneath.

ANALIZING HIDDEN CONTENT

To analyze the headers we will use a couple of tools that are simple to use and that are available ONLINE :

  • MR. TOOLBOX
      • To see the content of the mail we are analyzing click HERE. Besides, the interesting thing about this tool is that it already has a Blacklist of servers and domains more or less updated, so you mark the reliability of the sender.
  • GOOGLE TOOLBOX 
  • AZURE TOOLBOX
  • KITTERMAN => SPF Analyzer Measures server reliability

NEXT STEP

Now we have data, don’t we?

Domains, Ips…

What do we do with them? The first thing is to organize them because if we don’t organize them at the end it’s a gibberish without ton ni son and the second thing is to go looking for information about them

  • Go to  Shodan and see what information it has
  • Review   Alienvault OTX  information
  • Search for information you have in CISCO TALOS
  • Tools like PENTEST TOOLS allow us to launch an nmap from the web, something limited but something is something
  • If it’s lucky there’s something on WhoIs?
  • In case the page is down (which can be normal) there are always tools like WAYBACK MACHINE to which we can turn to see what it was like and what it had

There are times when with such nonsense … we end up finding some panel of a C & C that is already sad but as well I say, there are bad … and bad bunglers and the latter abound in the network.

The vast majority of times are servers that have been compromised in some way by a bad configuration and have open RDP services for example that are vulnerable to attacks such as  Bluekeep.

We leave here the part corresponding to the ppt that we use in our workshop both Black Knife and HoneyCon.

This is all for the first part of the workshop we offered in both events. See you in the next part!

Nebu_73

«Zuretzat Ilargia Lapurtuko nuke Gauero» – Ken Zazpi