
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicious or is it malicious?




What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.


Matt Scheurer is a Systems Security Engineer working in the Financial Services industry. Matt holds a CompTIA Security+ Certification and possesses a number of Microsoft Certifications including: MCP, MCPS, MCTS, MCSA, and MCITP. Matt has presented on numerous Information Security topics as a featured speaker at a number of area Information Security meetup groups. Matt also had notable speaking engagements as a presenter at DerbyCon 5.0, DerbyCon 7.0, and the 10th Annual Northern Kentucky University Cyber Security Symposium. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), and Information Systems Security Association (ISSA). Matt is a regular attendee at monthly Information Security meetings for 2600, the CiNPA affiliated Security Special Interest Group (CiNPA Security SIG), Ohio Information Security Forum (OISF), and Cincinnati Security MBA (SMBA).



  1. Phishing Forensics: Is it just suspicious or is it malicious?
     November 14, 2017. Matt Scheurer, @c3rkah. Slides:
  2. About Me
     ● Matt Scheurer, Systems Security Engineer with First Financial Bank
     ● Chair for the CiNPA Security SIG
     ● Speaker at DerbyCon 5.0, DerbyCon 7.0, and the 10th Annual NKU Cyber Security Symposium
     ● Certifications: CompTIA Security+, MCP, MCPS, MCTS, MCSA, and MCITP
  3. Yes, I have a day job. However...
     Opinions expressed are solely my own and do not express the views or opinions of my employer.
  4. Legal Disclaimer
     The material presented is made available for informational and educational purposes only. Use of these tools and techniques is at your own risk! The presenter hereby disclaims any and all liability to any party for any direct, indirect, implied, punitive, special, incidental or other consequential damages arising directly or indirectly from any use of these materials, which are provided as is, and without warranties.
  5. Let’s Begin
     ● Situation: you or a coworker receive a suspicious email, or a ticket comes in from another employee seeking guidance about a suspicious email
     ● The email looks like it could possibly be legitimate
     ● Nowadays it’s getting very hard to tell…
     ● Let’s start by looking at the message headers
  6. Viewing Email Headers - Outlook
     ● Option 1: click the expander icon to the right of the “Tags” ribbon group
  7. Viewing Email Headers - Outlook
     ● Option 2, Step 1: click the “File” menu
  8. Viewing Email Headers - Outlook
     ● Option 2, Step 2: click the “Properties” button
  9. Viewing Email Headers - Outlook
     ● The message headers appear at the bottom of the Properties window
 10. Viewing Headers Continued
     ● In Mozilla Thunderbird
       – Options > View > Headers > All
       – More > View Source
     ● In other email clients –
 11. Viewing Message Source - Outlook
     ● Right-click in the whitespace of the message body and select “View Source” if available
     ● NOTE: this option is not always present
 12. Viewing Message Source - Outlook
     ● Option 2, Step 1: click the “Actions” menu
 13. Viewing Message Source - Outlook
     ● Option 2, Step 2: expand the “Other Actions” menu
 14. Viewing Message Source - Outlook
     ● Option 2, Step 3: select “View Source”
 15. Next Steps (Demo)
     ● Inspect the email message headers for clues
     ● Inspect the email message source code for clues and traps
     ● Inspect any attachment(s) for more potential traps
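The header and source checks from the "Next Steps" slide, done in code against a raw (.eml) message. This is an added example written for this page, not code from the talk: the message is constructed (RFC 5737 addresses, .example domains, a made-up short link), and every function name in it is this example's own. It walks the Received chain to the originating IP, compares the display From with the envelope sender and Reply-To, reads the SPF/DKIM verdicts, and flags links whose visible text names a different host than the href.

```python
"""Header and body triage of a raw (.eml) message: the "Next Steps" checklist
done in code. Added example, not from the talk; RAW_MESSAGE is constructed
(RFC 5737 addresses, .example domains, made-up link) and all function names
are this example's own."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lookalike "PayPal" notice whose envelope sender
# (Return-Path) and Reply-To disagree with the display From, whose SPF check
# failed, and whose link text hides the real destination.
RAW_MESSAGE = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
\tby inbox.corp.example with ESMTP id abc123; Tue, 14 Nov 2017 09:15:02 -0500
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.7])
\tby mx.corp.example with ESMTP; Tue, 14 Nov 2017 09:15:01 -0500
Received: from attacker-pc.local (unknown [192.0.2.44])
\tby mail-relay.example.net with ESMTPA; Tue, 14 Nov 2017 09:14:58 -0500
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "PayPal Service" <service@paypal.com>
Reply-To: support@paypa1-secure.example
To: user@corp.example
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://bit.ly/2zXample">log in at https://www.paypal.com/</a>
to restore access.</p></body></html>
"""


def received_chain(msg):
    """Received headers oldest-first as (host, bracketed IP). Only the hops
    stamped by MTAs you control are trustworthy; everything below them in the
    header block was supplied by the sender and can be forged."""
    hops = []
    for h in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(h), re.S)
        hops.append((m.group(1), m.group(2)) if m else (None, None))
    return hops


def _domain(header_value):
    return email.utils.parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def sender_mismatches(msg):
    """Display From domain versus envelope sender (Return-Path) and Reply-To."""
    from_d = _domain(msg["From"])
    return [f"{name} domain {_domain(msg[name])} != From domain {from_d}"
            for name in ("Return-Path", "Reply-To")
            if _domain(msg[name]) and _domain(msg[name]) != from_d]


def auth_results(msg):
    """spf/dkim/dmarc verdicts from the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(msg):
    """Links whose visible text names a host that differs from the href's host."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _LinkCollector()
    parser.feed(body.get_content())
    out = []
    for href, text in parser.links:
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != (urlparse(href).hostname or ""):
            out.append((href, text))
    return out


def triage(raw_bytes):
    """Run every check and return one report dict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hops = received_chain(msg)
    return {"origin_ip": hops[0][1] if hops else None,
            "hops": hops,
            "mismatches": sender_mismatches(msg),
            "auth": auth_results(msg),
            "deceptive_links": deceptive_links(msg)}


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Run as a script it prints one line per finding. The hop list is only as honest as the MTAs that wrote it: the lowest Received line (the "origin") is whatever the sending host chose to put there, so treat it as a lead to check against WHOIS and the later tools, not as proof.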
 16. Tools to use
     ● URL expander
     ● Online web page scanner
     ● Attachment to image file converter
     ● Web site screenshot generator
     ● Online web site source code viewer
     ● WHOIS engines / abuse contacts
     ● File scanners for attachments
 17. URL Expander
     ● Search engine query: “URL expander”
     ● Short URL:
     ● Long URL: id150319942000/information/customer_center/customer-IDPP00C475/myaccount/settings/
 18. Online web page scanner
     ● Tests with a large number of scanners simultaneously
     ● Now owned and operated by Google
     ● Scans files as well as web site addresses for malware
 19. Attachment to image file converter
     ● Search engine query: “<native file extension> to <image file extension>”
     ● CAUTION: Do not upload potentially sensitive files to public web sites!
 20. Web site screenshot generator
     ● Search engine query: “online website screenshot generator”
 21. Web site source code viewer
     ● Search engine query: “online website source code viewer”
     ● Example output:
       <head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
       <title>PayPal Safety & Security </title>
       <link rel="shortcut icon" type="image/x-icon" href="../../lib/img/favicon.ico">
       <link rel="apple-touch-icon" href="../../lib/img/apple-touch-icon.png">
       <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1, user-scalable=yes">
       <!---------------------------- FONTS ROBOT CONDDENSED ----------------------------->
       <link href=" family=Roboto+Condensed" rel="stylesheet">
       <!------------------------------- FILES CSS STYLE --------------------------------->
       <link rel="stylesheet" href="../../lib/css/G-Z118.css">
       </style>
 22. WHOIS engines / Abuse contacts
     ● Domain WHOIS: ICANN
     ● Regional Internet Registry WHOIS (IP addresses): AFRINIC, ARIN, APNIC, LACNIC, RIPE
 23. Additional Tools and Resources
     ● DNS records: nslookup, dig, and web-based lookup sites
     ● Blacklists
 24. Beware of Gotchas
     ● Obfuscation by URL shortener
     ● Evasion code / DGA
     ● iFrames
     ● Redirects and forwards
     ● Relying too heavily on your defenses / tools...
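The gotchas above (shortened links, evasion code, iframes, redirects) in one place: an added example, not code from the talk, that reads a landing page's source statically and lists every place it can send the browser without fetching or executing anything. The page and every host in it are constructed; the function names are this example's own. It pulls meta-refresh targets, iframe sources (flagging the zero-size or hidden ones), anchor and form targets, and URL-looking string literals in inline script after joining `"a" + "b"` concatenations and decoding `\xHH` / `\uHHHH` escapes.

```python
"""Static look at a phishing landing page's source: where does it send the
visitor, and what does it hide? Added example, not from the talk. SAMPLE_PAGE
and every host in it are constructed; nothing here fetches or runs anything."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed page combining the tricks listed above: a meta refresh, a
# hidden iframe, a shortened link, and a JavaScript redirect whose URL is
# built from hex/unicode escapes so it never appears literally in the source.
SAMPLE_PAGE = r"""<html><head>
<meta http-equiv="refresh" content="0; url=https://cdn.example/step2.html">
<script>
  var d = "\x68\x74\x74\x70\x73\x3a\x2f\x2f" + "login-verify.example/\u0061uth";
  setTimeout(function () { window.location = d; }, 1500);
</script></head>
<body>
<iframe src="//tracker.example/beacon" width="0" height="0" style="display:none"></iframe>
<a href="https://short.example/a1b2">Continue</a>
</body></html>"""


def unescape_js(s):
    """Resolve \\xHH and \\uHHHH escapes the way a JS engine reads string literals."""
    return re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


class _PageScanner(HTMLParser):
    """Collect redirect and embedding points from the markup without running it."""
    def __init__(self, base):
        super().__init__()
        self.base = base
        self.meta_refresh, self.iframes, self.links, self.forms, self.scripts = [], [], [], [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append(urljoin(self.base, m.group(1)))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
                      or "display:none" in style or "visibility:hidden" in style)
            self.iframes.append((urljoin(self.base, a.get("src", "")), hidden))
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self.forms.append(urljoin(self.base, a.get("action", "")))
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append("".join(self._buf))
            self._in_script = False


def script_urls(script):
    """URL-looking string literals in inline script, after joining "a" + "b"
    concatenations and decoding escapes. Static, so it reports candidates: a
    URL assembled at runtime from variables or array indexes will not show up."""
    joined = re.sub(r'"\s*\+\s*"', "", script)
    found = []
    for lit in re.findall(r'"((?:[^"\\]|\\.)*)"', joined):
        found += re.findall(r"https?://[^\s\"'<>]+", unescape_js(lit))
    return found


def landing_candidates(page_html, base_url):
    """Every place this page can send the browser, grouped by mechanism."""
    p = _PageScanner(base_url)
    p.feed(page_html)
    return {"meta_refresh": p.meta_refresh,
            "script_urls": [u for s in p.scripts for u in script_urls(s)],
            "hidden_iframes": [u for u, hidden in p.iframes if hidden],
            "iframes": [u for u, _ in p.iframes],
            "links": p.links,
            "forms": p.forms}


if __name__ == "__main__":
    for mechanism, urls in landing_candidates(SAMPLE_PAGE, "https://phish.example/login/").items():
        print(f"{mechanism}: {urls}")
```

The result is a list of hops to chase with the URL expander and WHOIS, not the final answer: anything built at runtime (DGA output, a URL fetched from a second request, a variable the script computes) will not be in the static list, which is exactly why the last gotcha on the slide warns against trusting any one tool.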
 25. Attachment / File Scanners
     ● VirusTotal: owned and operated by Google
     ● Jotti's malware scan: another good free multi-scanner site
     ● Malwr: free sandbox analysis
     ● CAUTION: Do not upload potentially sensitive files to public web sites!
 26. Jotti Malware Scan - message
 27. VirusTotal Scan - message
 28. Jotti Malware Scan - attachment
 29. VirusTotal Scan - attachment
 30. This technique now has a name
     ● Crane Hassold, Senior Security Threat Researcher at PhishLabs, referred to this technique in a recent webinar as “Docuphish”
 31. Impact
     ● This attack technique is highly effective at defeating our best-in-class security products, best practices, and technical controls to reach inboxes across the enterprise, including:
       – Defense-in-depth
       – AV / anti-malware
       – Firewalls / secure email gateways
       – Inline URL sandboxing
 32. The End Game
     ● Determining what and/or where the final landing page actually is!
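Attachment triage that respects the caution on the file-scanner slide (do not upload sensitive files) and gets at the Docuphish pattern: a clean-looking document whose payload is a link to the landing page. This is an added example, not code from the talk. The .docx is constructed in memory, the link in it is fictitious, and the function names are this example's own. It identifies the real container type from magic bytes (the extension is attacker-chosen), computes hashes that can be searched on VirusTotal instead of uploading the file, and, for Office Open XML documents, reads the external hyperlink targets out of the relationship parts where Word actually stores them.

```python
"""Attachment triage without uploading the file anywhere. Added example, not
from the talk: the .docx built below is constructed in memory to stand in for
a Docuphish lure (a clean-looking document whose payload is a link), and the
domains in it are fictitious."""
import hashlib
import io
import xml.etree.ElementTree as ET  # use defusedxml for hostile input in production
import zipfile

# First bytes -> real container type; the file extension is attacker-chosen.
MAGIC = {
    b"PK\x03\x04": "zip (docx/xlsx/pptx, also jar/apk)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy doc/xls/ppt, may carry VBA macros)",
    b"%PDF-": "pdf",
    b"MZ": "pe (Windows executable or DLL)",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
}


def container_type(data):
    for signature, description in MAGIC.items():
        if data.startswith(signature):
            return description
    return "unknown"


def hashes(data):
    """md5/sha1/sha256: enough to search VirusTotal by hash without uploading."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def docx_external_links(data):
    """External hyperlink targets in an Office Open XML file. Word keeps them as
    <Relationship TargetMode="External"> entries in the *.rels parts, not in the
    visible text, so the label the user sees can say anything."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter():
                    if rel.get("TargetMode") == "External":
                        targets.append(rel.get("Target"))
    return targets


def build_sample_docx(link):
    """Constructed lure: the minimum package structure, one paragraph whose only
    content is a hyperlink labelled "View document"."""
    ns_r = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    parts = {
        "[Content_Types].xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '</Types>',
        "_rels/.rels":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ns_r}/officeDocument" Target="word/document.xml"/>'
            '</Relationships>',
        "word/document.xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            f'xmlns:r="{ns_r}"><w:body><w:p><w:hyperlink r:id="rId1"><w:r>'
            '<w:t>View document</w:t></w:r></w:hyperlink></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ns_r}/hyperlink" Target="{link}" TargetMode="External"/>'
            '</Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


def triage_attachment(filename, data):
    """Everything learnable without sending the file anywhere."""
    report = {"filename": filename, "size": len(data), "container": container_type(data)}
    report.update(hashes(data))
    try:
        report["external_links"] = docx_external_links(data) if data.startswith(b"PK") else []
    except zipfile.BadZipFile:  # PK header but not a readable archive: still suspicious
        report["external_links"] = []
    return report


if __name__ == "__main__":
    sample = build_sample_docx("https://secure-doc-view.example/open?id=7")
    for key, value in triage_attachment("Invoice_4471.docx", sample).items():
        print(f"{key}: {value}")
```

The external link list is the first hop toward the landing page; feed it to the URL expander and page checks above rather than opening the document. A legacy OLE2 attachment needs a different parser (the macro streams live inside the compound file, not in XML), which is the case for a proper sandbox.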
 33. Prevention
     ● The only foolproof solutions to the Docuphish problem I am aware of are:
       – 100% pure email sandboxing
       – Completely stripping out all email attachments
     ● However, the appetite to do so at most organizations is low
 34. Conclusions
     ● Block discovered bad domains and IP addresses
     ● User education and reporting will remain key until vendors catch back up to combat the growing Docuphish threat
     ● Report these incidents to the managing hosting company or service provider
     ● Utilize RBLs and threat feeds
     ● If you cannot prevent this from coming in, analyze what is going out of your network
 35. When all else fails
     ● Contact the purported message sender to verify the message’s authenticity
       – Phone call
       – In-person visit, if possible
       – Instant message
       – Email directly to the person
     ● BEWARE: if the other person’s email has been compromised, it will be difficult to tell whether it is really them replying to you!
 36. Questions
     Who ... What ... When ... Where ... Why ... How ...
 37. Thank you for attending!
     November 14, 2017. Matt Scheurer, @c3rkah. Slides: