PATCHING HUMAN STUPIDITY 101 - "Analysing Phishing Email"
Synopsis"The human is the weakest link in the cybersecurity chain." If you don't know about this "gossip" yet, well, it's a fact.When we hear about phishing, our normal response is to be careful about clicking links from email content that direct us to malicious websites on the Internet, yet we tend to forget about the risks in just an hour or days. Often times, we think that our antivirus program would be able to protect us, but it's a myth, no matter how "next generation" the antivirus program makers say their products are. That's what they are good at: marketing!As an IT security practitioner, I have my duty to the community not only to provide cybersecurity awareness but also to empower every human who has devices connected to a public network.
DisclaimerI highly recommend not performing this procedure to upload sensitive/confidential files in public, especially company-related files. Contact your awesome IT security team and strictly follow your organization's policy.
MethodologyIn this first article related to phishing, I will be sharing very basic, technical steps that even an elementary school student with a basic computer background could understand and follow.
1. Analyzing the Email SenderUsually, we are only focused on the sender's name but not the sender's email address, with which "spoofing" happens most of the time. If you know the correct spelling of your company's name, then it should be easy to spot the sender's domain address to see if the address is legit or fishy.If you want to confirm the domain is not bogus, you may simply copy and paste it on a public site that checks phishing domains and malware, like the site https://www.virustotal.com.An example is firstname.lastname@example.org, from which you can copy everything after the "@" sign and paste it in the search bar under the "Search" tab on the Virus Total site to see the verdict.
2. Analyzing the URL LinkHere, there are two ways to get the link that you can copy and paste in the search bar under the "Search" tab on the Virus Total site.1st Way: Hover your mouse pointer over the link, which is typically underlined and in blue by default. Right-click then select "Copy Hyperlink" and paste it into the search bar.2nd Way: If the URL link (e.g., https://parasabayan.org) is already visible, simply follow the same step as the first.
3. Analyzing Email AttachmentsWhenever your fingers are too itchy to double-click the attachment in the email, "smile." Yes, smile so you can remember this patching that I created merely for you.What you can do here is select "Save As" for the file in your favorite folder. Rename it if you wish. Go to the Virus Total site and upload it (Choose file) under the "File" tab and wait for the analysis.What Virus Total will do is generate a file signature called "Hash" and check against their database of IOC's (indicator of compromise) from 55+ different antivirus vendors. So if the file is confidential or personal, then most likely, Virus Total will have no results on this, as it is not yet known to be malicious.
Other Resources:Aside from Virus Total, there are plenty of free online antivirus and domain scanners to combat phishing. Below are a few to mention:
- OPSWAT - https://metadefender.opswat.com
- VirSCAN - http://www.virscan.org/
- URLVoid - http://www.urlvoid.com/
- Sucuri - https://sitecheck.sucuri.net/
- IsItHacked! - http://www.isithacked.com/
What is Next?Watch out for the next series on this topic: PATCHING HUMAN STUPIDITY 102 - "PHISHING DEFENSE WITH OSINT."
About the AuthorMichael Rebultan, aka “Art,” has more than 15 years of experience as an IT professional with a background in PCI-DSS audit, Unix/Linux server administration and lockdown, R&D, VAPT, and currently DFIR in both IT and the ICS/SCADA environment. He holds a master's degree in IT with a major in ecommerce security, and a professional graduate diploma in Digital Forensics and Cyber Security as continuing education. He has been a local speaker of FOSS Asia (Singapore), Null Singapore, PEHCON (Philippines), and Linux Meetup Group (Singapore).Specialties: Computer Forensics, Network Intrusion, Data Breach, Cybercrime Investigation, Volatile Memory, and Malware Analysis.