• D-12/77, 2nd Floor, Pillar 392, Sector-8, Rohini East Metro, Delhi 110085

  • info@cyberdefentech.com

TRY HACK ME : PHISING EMAILS IN ACTION

TRY HACK ME : PHISING EMAILS IN ACTION

Task 1: Introduction

Now that we covered the basics concerning emails in Phishing Emails 1, let’s dive right into actual phishing email samples. 

Each email sample showcased in this room will demonstrate different tactics used to make the phishing emails look legitimate. The more convincing the phishing email appears, the higher the chances the recipient will click on a malicious link, download and execute the malicious file, or even send the prince of some country a wire transfer. 

Warning: The samples throughout this room contain information from actual spam and/or phishing emails. Proceed with caution if you attempt to interact with any IP, domain, attachment, etc.

Answer the questions below

Read the above.

No answer need

Task 2: Cancel your PayPAl order

The email sample in this task will highlight the following techniques:

  • Spoofed email address
  • URL shortening services
  • HTML to impersonate a legitimate brand

Here are some quick observations about this email sample:

  1. This is an unusual email recipient address. This is not the email address associated with the Yahoo account. 
  2. This mismatch should immediately stand out. The sender’s details (service@paypal.com) don’t match the sender’s email address (gibberish@sultanbogor.com). 
  3. The subject line hints that you made a purchase or a transaction of some sort. If you don’t recall this account, then it will grab your attention. This social engineering tactic is to prompt you to interact with the email with haste. 

Now let’s look at the contents of the email body.

Email Body Text (Image 1):

The second half of the same email body text (Image 2):

The email body compliments the sender information and subject line. The email was designed as a legitimate email from PayPal. 

There aren’t any attachments associated with this email. The only interactive element in this email is the Cancel the order button/link. 

Let’s investigate that further by reviewing the raw HTML source for the email…

Email Hyperlinks:

The link uses URL shortening services. It is not a good idea to click on the link if you don’t know where the link is taking you. 

Luckily, there are online tools that we can use to let us know the destination of a shortened URL. 

Strange. This link redirects to google.com. 

Note: Tools to expand shortened URLs will be discussed in the Phishing Emails 3 room.  

Answer the questions below

Question: What phrase does the gibberish sender email start with?

Answer: noreply

Task 3: Track your package

This email sample will highlight the following techniques:

  1. Spoofed email address
  2. Pixel tracking
  3. Link manipulation

Here are some quick observations about this email sample:

  1. The email is tailored to appear that it’s sent from a mail distribution center of some sort. 
  2. The subject line adds to the pretense with a ‘tracking number.’ 
  3. The link in the email body matches the subject line. 

Note: In this email sample, Yahoo blocked the images from automatically loading. Any guesses as to why? 

Typically one can hover the cursor over a link to see where the link is pointing to, but in this sample, that technique won’t work because Yahoo disabled links in the email.  We can look at the raw source code for the email and find out. 

Email Hyperlinks:

Here we see an image file, and it’s explicitly called Tracking.png. These trackers send information back to the spammer’s server. 

There are many reasons for spammers to embed tracking pixels (very small images) into their spam emails. To read more about this concept, refer to this post on The Verge here

Now we can understand why Yahoo automatically blocked the images in this email. Many email providers do the same. 

Back to the hyperlink, the link is pointing to a shady-looking domain. The only distribution center this domain can be associated with is malware, but further analysis is the only way to confirm that definitely. 

Answer the questions below

Question: What is the root domain for each URL? Defang the URL. 

Answer: devret[.]xyz

Task 4: Select your email provider to view document

This email sample will highlight the following techniques:

  • Urgency
  • HTML to impersonate a legitimate brand
  • Link manipulation
  • Credential harvesting
  • Poor grammar and/or typos

Let’s take a closer look…

Here are some quick observations about this email sample:

  1. The email was sent on Thursday, July 15th, 2021.  
  2. A sense of urgency is introduced in this email. Notice that the link to download the fax document expires on the same day.

There is an action to perform. In this case, a button to download the fax. 

The above image shows the victim is redirected to a page created to pass as OneDrive. Notice that the URL is not anything Microsoft-related. 

There are two more links for the victim to interact with. The victim has to click either button to obtain the fax document that is set to expire. 

The victim is directed to yet another site. This one was crafted to resemble Adobe. Again, notice the URL. It doesn’t look like it’s related to Adobe.

Also, notice the page title in the tab. It’s called “Share Point Online”, which is a Microsoft product.  There are a couple of grammatical errors as well. 

The victim has options to sign in with the email provider of their choice. 

Our victim chose to log in with Outlook because, per the instructions, “To read the document, please enter with the valid email credentials that this file was sent to.“; the email was viewed in Outlook.  

In this sample, we can tell that fake credentials were entered, but even if the victim would have entered valid credentials, the error message would be the same. This scenario happens because the victim is not really authenticating to an email provider. Instead, the credentials that were entered now reside on the criminal’s server. The criminal’s objective to harvest credentials has been met. 

Lastly, notice more grammatical errors. All this work they put into this, you would think they would run a spell check. 

This email sample was obtained from Any Run. If you wish to interact with the email and see the full analysis, refer to the link below.

  • Analysis: https://app.any.run/tasks/12dcbc54-be0f-4250-b6c1-94d548816e5c/#

Answer the questions below

Question: This email sample used the names of a few major companies, their products, and logos such as OneDrive and Adobe. What other company name was used in this phishing email?

Answer: Citrix

Task 5: Please update your payment details

This email sample will highlight the following techniques:

  • Spoofed email address
  • Urgency
  • HTML to impersonate a legitimate brand
  • Poor grammar and/or typos
  • Attachments

Here are some quick observations about this email sample:

  1. This email is made to appear that it’s from Netflix Billing, but the sender address is z99@musacombi.online. 
  2. Here is the element of urgency. The account was suspended, so the victim must act quickly. 
  3. There is more of this sense of urgency in the email body. 

Also, notice the different misspellings of the word Netflix. Not sure what was the purpose of that. 

Typically, you’ll see this technique when it comes to typosquatting, but that wasn’t the case here. 

Ok, here is the meat and potatoes of this email. Apparently, the victim needs to open the attachment (PDF) to update their Netflix account. 

Notice the phone number for ‘Netflix’. At first glance, that is an unusual phone number to send to a US-based victim. 

The attachment contains an embedded link titled ‘Update Payment Account’. 

We’ll look at this email attachment in closer detail in the upcoming Phishing Emails 3 room. 

Answer the questions below

Question: What should users do if they receive a suspicious email or text message claiming to be from Netflix?

Answer: forward the message to phishing@netflix.comTop of Form

 

Task 6: Your recent purchase

This email sample will highlight the following techniques:

  • Spoofed email address
  • Recipient is BCCed
  • Urgency
  • Poor grammar and/or typos
  • Attachments

Here are some quick observations about this email sample:

  1. This email is made to appear that it’s from Apple Support, but the sender’s address is gibberish@sumpremed.com. 
  2. This email wasn’t sent directly to the victim’s inbox but rather BCCed (Blind Carbon Copy). The recipient email looks like another spoofed email to appear as a legitimate Apple email address. 
  3. Here is the element of urgency. Action is required on behalf of the victim. 

There are a few noticeable typos in both the sender and recipient email addresses: donoreply and payament.

This particular email doesn’t necessarily have an email body. It’s totally blank. The email simply contains an attachment. 

This file extension you may not be familiar to you. A .DOT file is page layout template files associated with Microsoft Word. 

the above image shows what is contained within the attachment. You can see that the file contains a large image to resemble an App Store receipt. 

Notice the link contains certain keywords related to Apple: apps and ios

Answer the questions below

Question: What does BCC mean?

Answer: Blind Carbon Copy

Question: What technique was used to persuade the victim to not ignore the email and act swiftly?

Answer: Urgency

Task 7: DHL Express Courier Shipping notice

This email sample will highlight the following techniques:

  • Spoofed email address
  • HTML to impersonate a legitimate brand
  • Attachments

Here are some quick observations about this email sample:

  1. The sender’s email doesn’t match the company that is being impersonated, which in this case is DHL.
  2. The subject line gives the impression that there is a package DHL will ship for you.
  3. The HTML in the email body was designed to look like it was sent from DHL. 

Looking at the source code for the email, the link to view the email as a web page doesn’t contain an actual destination URL. 

The only element the victim can interact with in this email is the email attachment, which, in this case is an Excel document. 

The image below shows what is contained within the attachment.

The attachment runs a payload that throws an error. 

We’ll look at this email attachment in closer detail in the upcoming Phishing Emails 3 room. 

Answer the questions below

Question: What is the name of the executable that the Excel attachment attempts to run?

Answer: regasms.exe

Task 8: Conclusion

In this room, we looked at various phishing samples. 

Some of the samples shared similar techniques whereas, others introduced a new tactic for you to see and learn from. 

Understanding how to detect phishing emails takes awareness training.

Visit the resources below to acquaint yourself with other signs to look out for in phishing emails. 

Additional Resources:

  • https://www.knowbe4.com/phishing
  • https://www.itgovernance.co.uk/blog/5-ways-to-detect-a-phishing-email
  • https://cheapsslsecurity.com/blog/10-phishing-email-examples-you-need-to-see/
  • https://phishingquiz.withgoogle.com

The next room in this module: Phishing Emails 3

Top of Form

Top of Form

 

Categories: Applied AI Cyber Defentech Cyber Security Design emails Ethical Hacking Ethical hacking in delhi Ethical hacking institute in delhi Ethical hacking institute in rohini Passive reconnaissance Phishing Phishing emails Rohini Delhi rohini sec 8 Tools tryhackme Tryhackme passive reconnaissance
Related Tags:

Leave A Comment

Cyber Defentech offers comprehensive cybersecurity training and certifications, empowering professionals to safeguard digital environments against evolving cyber threats.

Contact Us

  • D-12/77, Sector-08, Near Rohini East Metro Station Gate No-02, Rohini Delhi 110085
  • info@cyberdefentech.com
  • +91 8448046612
  • +91 9310945866

News & Blog

Course

Copyright 2024 by Cyberdefentech