BTLO: Phishing Analysis 2
Put your phishing analysis skills to the test by triaging and collecting information about a recent phishing campaign.
Investigative Environment
- Hypervisor: VirtualBox
- OS: REMnux (Linux Toolkit for Reverse Engineering and Malware Analysis)
- Tools: SciTE Text Editor, URL2PNG, Base64
Technical Walkthrough
1. What is the sending email address?
I searched for From: in the text editor.

2. What is the recipient email address?
Found it in the header section, right next to the sending email address.
3. What is the subject line of the email?
Also in the header section.
4. What company is the attacker trying to imitate?
From the sending email address, we can see who the attacker is trying to imitate.
5. What is the date and time the email was sent?
Also in the header section.
6. What is the URL of the main call-to-action button?
I couldn't find the URL under the CTA in the raw file, but I did see two base64-encoded blocks. I decoded the first one and it wasn't what I was looking for;
the second one was too long to decode inline.
I needed to paste it into a file before I could decode it. Once I did, the output was large and in HTML format, so I searched through it carefully and found the CTA, "Review Account". I tried the URL under it and it was the answer.

7. What is the first sentence (heading) displayed on this site?
We can just use URL2PNG to render the page and read the heading.
8. What encoding scheme is being used?
We already know the answer to that from step 6, lol.
9. What is the URL used to retrieve the company's logo in the email?
Going back to where we found the CTA URL in the decoded HTML, we can also see the logo URL. Hint: it's right after the inline CSS.
10. What is the username of the Facebook profile based on the URL?
When we decoded the second base64 block, one of the links in it was a Facebook profile URL; the username is part of that URL.
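Steps 1 to 10 above are all done by hand in a text editor: read the headers, find the base64-encoded HTML part, decode it, then pick the CTA link, the logo image and the Facebook link out of the markup. The script below is an added example (not part of the lab or this walkthrough) that does the same triage with Python's standard library only. It parses a MIME email, lets the `email` module undo the Content-Transfer-Encoding for every part, and pulls the links and image sources out of the HTML without ever fetching any of the URLs. The sample email, every address and every URL in it are constructed placeholders, not values from the lab.

```python
import base64
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML body. All domains here are placeholders (example.*),
# chosen to mirror the layout described in the walkthrough: inline CSS, a
# "Review Account" call-to-action, a logo image and a Facebook profile link.
_HTML_BODY = """<html><body style="font-family:Arial;color:#333">
<p>Dear customer, your account needs attention.</p>
<a href="http://login-verify.example.net/review?id=123">Review Account</a>
<img src="http://cdn.example.com/static/logo.png" alt="logo">
<p>Follow us: <a href="https://www.facebook.com/ExampleSupportPage">Facebook</a></p>
</body></html>"""

# Constructed raw .eml: a multipart/alternative message whose two parts are
# base64-encoded, which is exactly why the CTA URL is invisible in the raw file.
SAMPLE_EML = (
    "From: Example Support <support@example.com>\r\n"
    "To: victim@example.org\r\n"
    "Subject: Action required on your account\r\n"
    "Date: Mon, 01 Jan 2024 09:00:00 +0000\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="BOUNDARY"\r\n'
    "\r\n"
    "--BOUNDARY\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(b"Dear customer, your account needs attention.").decode()
    + "\r\n"
    "--BOUNDARY\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(_HTML_BODY.encode()).decode()
    + "\r\n"
    "--BOUNDARY--\r\n"
).encode()


def _parse(raw):
    # policy.default gives structured header objects (e.g. parsed addresses).
    return BytesParser(policy=policy.default).parsebytes(raw)


def parse_headers(raw):
    """Steps 1-5: the headers a phishing triage records first."""
    msg = _parse(raw)
    return {h: str(msg[h]) for h in ("From", "To", "Subject", "Date")}


def sender_address(raw):
    """Bare sender address, ignoring the display name the attacker chose."""
    return _parse(raw)["From"].addresses[0].addr_spec


def decoded_parts(raw):
    """Return (content_type, text) for every leaf part, with base64 or
    quoted-printable transfer encoding already undone (step 8)."""
    parts = []
    for part in _parse(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        charset = part.get_content_charset() or "utf-8"
        parts.append((part.get_content_type(), payload.decode(charset, errors="replace")))
    return parts


class _LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs and <img src> values from HTML."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_html_artifacts(raw):
    """Steps 6, 9 and 10: CTA URL, logo URL and Facebook username, taken
    from the decoded HTML part. Nothing here contacts the network."""
    html = next(text for ctype, text in decoded_parts(raw) if ctype == "text/html")
    c = _LinkCollector()
    c.feed(html)
    cta = next((h for h, t in c.links if t.lower() == "review account"), None)
    fb = next((h for h, _ in c.links
               if (urlparse(h).hostname or "").endswith("facebook.com")), None)
    fb_user = urlparse(fb).path.strip("/").split("/")[0] if fb else None
    return {"cta_url": cta, "logo_url": c.images[0] if c.images else None,
            "facebook_username": fb_user, "all_links": c.links}


if __name__ == "__main__":
    print(parse_headers(SAMPLE_EML), sender_address(SAMPLE_EML))
    print(extract_html_artifacts(SAMPLE_EML))
```

To run this against a real sample, replace `SAMPLE_EML` with `open("mail.eml", "rb").read()`. The script only decodes and parses; rendering the landing page (step 7) is left to a sandboxed tool such as URL2PNG so the analyst's own machine never touches the attacker's site.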
And done.
Success!

Thank you for reading. Stay tuned for more updates as I continue to expand my defensive capabilities!