These are the slides from my "Phishing Forensics - Is it just suspicious or is it malicious?" presentation at the BSides Cleveland Information Security Conference on 06/23/2018 in Cleveland, Ohio. Title: Phishing Forensics - Is it just suspicious or is it malicious? Abstract: What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.

1. BSides Cleveland - June 23, 2018
Matt Scheurer
@c3rkah
Slides:
https://www.slideshare.net/cerkah
Phishing Forensics
Is it just suspicious or is it malicious?

2. About Me
Matt Scheurer
Systems Security Engineer in the Financial Services Industry
Chair for the CiNPA Security SIG
Speaker at: DerbyCon 5.0, DerbyCon 7.0, the 10th
Annual NKU
Cyber Security Symposium, BSides Indianapolis 2018, BSides
Columbus 5.0, BSides Cincinnati 2018, the 11th
Annual Central
Ohio InfoSec Summit, Circle City Con 5.0, and BSides
Cleveland 2018
Certifications: CompTIA Security+, MCP, MCPS, MCTS,
MCSA, MCITP, and next is CCNA Cyber Ops!

3. Yes, I have a day job. However...Yes, I have a day job. However...
Opinions expressed
are solely my own and
do not express the
views or opinions of
my employer.

4. Legal DisclaimerLegal Disclaimer
The material presented is made
available for informational and
educational purposes only. Use
of these tools and techniques is
at your own risk! The presenter
hereby disclaims any and all
liability to any party for any
direct, indirect, implied, punitive,
special, incidental or other
consequential damages arising
directly or indirectly from any
use of these materials, which
are provided as is, and without
warranties.

5. Let’s BeginLet’s Begin
● Situation: You or a coworker receive a
suspicious email, or a ticket comes in from
another employee seeking guidance
concerning a suspicious email
● The email looks like it could possibly be
legitimate
● Nowadays it’s getting very hard to tell…
● Lets start by looking at the message headers

6. Viewing Email Headers - OutlookViewing Email Headers - Outlook
● Option 1
– Click on the expander
icon to the right of the
“Tags” ribbon

7. Viewing Email Headers - OutlookViewing Email Headers - Outlook
● Option 2, Step 1
– Click on the “File”
menu

8. Viewing Email Headers - OutlookViewing Email Headers - Outlook
● Option 2, Step 2
– Click on the
“Properties” button

9. Viewing Email Headers - OutlookViewing Email Headers - Outlook
● Message
Headers appear
at the bottom of
the Properties
window

10. Viewing Headers ContinuedViewing Headers Continued
● In Mozilla Thunderbird
– Options > View > Headers > All
– More > View Source
● In other email clients
– https://mxtoolbox.com/Public/Content/EmailHeaders/

11. Viewing Message Source - OutlookViewing Message Source - Outlook
● Right click in the
message body
whitespace, and
select “View Source”
if available
● NOTE: Sometimes
this functionality is
disabled by
JavaScript

12. Viewing Message Source - OutlookViewing Message Source - Outlook
● Option 2, Step 1
● Click on the “Actions”
menu

13. Viewing Message Source - OutlookViewing Message Source - Outlook
● Option 2, Step 2
● Expand the “Other
Actions” menu

14. Viewing Message Source - OutlookViewing Message Source - Outlook
● Option 2, Step 3
● Select “View Source”

15. Next Steps (Demo)Next Steps (Demo)
● Inspect the email message headers for clues
● Inspect the email message source code for
clues and traps
● Inspect any attachment(s) for more potential
traps

16. Tools to useTools to use
● URL Expander
● Online web page scanner (VirusTotal.com)
● Attachment to image file converter
● Web site Screen Shot generator
● Online web site source code viewer
● Decoders
● WHOIS engines / Abuse contacts
● File Scanners for attachments

17. URL ExpanderURL Expander
● Search Engine Query
– URL Expander
● www.checkshorturl.com
● Short URL:
https://bit.ly/2JQl0IC
● Long URL:
http://ihealthwealth.com/
wp-
content/themes/twentyse
venteen/docusign/

18. Online web page scannerOnline web page scanner
● http://www.virustotal.com/
– Tests with a large number of scanners
simultaneously
– Now owned and operated by Google
– Scans files as well as web site addresses for
malware
● https://urlquery.net/
– Scans and detects web-based malware

19. Attachment to image file converterAttachment to image file converter
● Search Engine Query
● Native Extension to
Image File Extension
● i.e., pdf2jpg.net
CAUTION:
Do not upload potentially
sensitive files to public web
sites!

20. Web site screen shot generatorWeb site screen shot generator
● Search Engine Query
● online website
screenshot generator
● i.e.,
screenshotmachine.com

21. Web site source code viewerWeb site source code viewer
● Search Engine Query
● online website source
code viewer
● i.e., www.visiospark.com
<input id="email" name="email"
type="email" placeholder="email" value=""
spellcheck="false" class="">
<span
class="textfieldRequiredMsg">email</span
><span
class="textfieldInvalidFormatMsg">email</s
pan></span>
<label class="hidden-label"
for="password">password</label>
<span id="sprypassword1">
<input id="password" name="password"
type="password" placeholder="password"
class="">
<span
class="passwordRequiredMsg">Enter your
password.</span></span>

22. DecodersDecoders
● Search Engine Query
– Base64 decoder
● i.e., base64decode.org

23. WHOIS engines / Abuse contactsWHOIS engines / Abuse contacts
● Domain WHOIS
– ICANN (https://whois.icann.org/en/)
● Regional Internet Registries, WHOIS
– AFRINIC
– ARIN
– APNIC
– LACNIC
– RIPE

24. Additional Tools and ResourcesAdditional Tools and Resources
● DNS Records
● NSLOOKUP
● DIG
● Web sites (domaintools.com, network-tools.com, etc.)
● MXtoolbox.com (Blacklists)
● SpamCop.net

25. Beware of Gotcha’sBeware of Gotcha’s
● Obfuscation by URL Shortener
● Evasion Code / DGA
● iFrames
● Redirects and Forwards
● Encoded content
● Relying too heavily on your defenses / tools...

26. Attachment / File ScannersAttachment / File Scanners
● VirusTotal - https://www.virustotal.com/
– Owned and operated by Google
● Jotti's malware scan - https://virusscan.jotti.org/
– Another good free multi-scanner site
● Hybrid Analysis / Malwr
– Free sandbox analysis
● https://www.hybrid-analysis.com/
● https://malwr.com/
CAUTION: Do not upload potentially sensitive files to
public web sites!

27. Jotti Malware Scan - messageJotti Malware Scan - message

28. VirusTotal Scan - messageVirusTotal Scan - message

29. Jotti Malware Scan - attachmentJotti Malware Scan - attachment

30. VirusTotal Scan - attachmentVirusTotal Scan - attachment

31. Actual Landing PageActual Landing Page

32. DocuPhish?DocuPhish?
● Crane Hassold, Senior Security Threat
Researcher at PhishLabs referred to this
technique in a 2017 Webinar as “DocuPhish”

33. ImpactImpact
● This attack technique is highly effective at
defeating our best-in-class security products,
best practices, and technical controls to reach
Inboxes across the enterprise
– Including
● Defense-In-Depth
● AV / Anti-Malware
● Firewalls / Secure email gateways
● Inline URL Sandboxing

34. The End GameThe End Game
● Determining what and/or where the final landing
page actually is!

35. Attendee Provided SuggestionsAttendee Provided Suggestions
● For Next-Level / Advanced Malware Analysis
– https://any.run/
– https://cuckoosandbox.org/
– https://remnux.org/
– SIFT Workstation
● https://digital-forensics.sans.org/community/downloads
● Can be combined with REMnux or vice versa

36. PreventionPrevention
● The only foolproof solutions to the DocuPhish
problem I am aware of are
– 100% pure email sandboxing
– Completely stripping out all email attachments
– Not allowing external email
● However, the appetite to do so at most
organizations is low

37. ConclusionsConclusions
● Block discovered bad domains and IP addresses
● User education and reporting will remain key until
vendors catch back up to to combat the growing
DocuPhish threat
● Report these incidents to the managing hosting
company or service provider
● Utilize RBL’s and Threat Feeds
● In lieu of being able to prevent this from coming in,
analyze what is going out of your network

38. When all else fails!When all else fails!
● Contact the purported message sender to find out
about the message’s authenticity
– Phone call
– In person visit, if possible
– Instant message
– Email directly to the person
● BEWARE: If the other person’s email has been
compromised, it will be difficult to tell if it is really
them replying back to you!

39. QuestionsQuestions
Who ...
What ...
When ...
Where ...
Why ...
How ...

40. BSides Cleveland - June 23, 2018
Matt Scheurer
@c3rkah
Slides:
https://www.slideshare.net/cerkah
Thank you for attending!