📨PATCHING HUMAN S2PDT 101 — “Analyzing Phishing Email”

Mike Rebultan
3 min read · Jul 30, 2020

Synopsis

“The human is the weakest link in the cybersecurity chain.” If you don’t know about this “gossip” yet, well, it’s a fact. When we hear about phishing, our normal response is to be careful about clicking links in email content that direct us to malicious websites on the Internet, yet we tend to forget about the risks within an hour or a few days. Oftentimes, we think that our antivirus program will be able to protect us, but that’s a myth, no matter how “next generation” the antivirus program makers say their products are. That’s what they are good at: marketing! As an IT security practitioner, I have a duty to the community not only to provide cybersecurity awareness but also to empower every human who has devices connected to a public network.

Disclaimer

I highly recommend not performing this procedure to upload sensitive/confidential files in public, especially company-related files. Contact your awesome IT security team and strictly follow your organization’s policy.

Methodology

In this first article related to phishing, I will be sharing very basic, technical steps that even an elementary school student with a basic computer background could understand and follow.

1. Analyzing the Email Sender

Usually, we focus only on the sender’s name but not on the sender’s email address, where “spoofing” happens most of the time. If you know the correct spelling of your company’s name, then it should be easy to check the sender’s domain and see whether the address is legit or fishy.

If you want to confirm the domain is not bogus, you may simply copy and paste it into a public site that checks for phishing domains and malware, such as https://www.virustotal.com. For example, given artrebultan@parasabayan.org, copy everything after the “@” sign and paste it into the search bar under the “Search” tab on the VirusTotal site to see the verdict.

2. Analyzing the URL Link

Here, there are two ways to get the link to copy and paste into the search bar under the “Search” tab on the VirusTotal site.

1st Way: Hover your mouse pointer over the link, which is typically underlined and in blue by default. Right-click then select “Copy Hyperlink” and paste it into the search bar.

2nd Way: If the URL link (e.g., https://parasabayan.org) is already visible, simply follow the same step as the first.

3. Analyzing Email Attachments

Whenever your fingers are too itchy to double-click the attachment in the email, “smile.” Yes, smile so you can remember this patching that I created merely for you.

What you can do here is select “Save As” to save the file in your favorite folder. Rename it if you wish. Go to the VirusTotal site, upload it (Choose file) under the “File” tab, and wait for the analysis. VirusTotal will generate a file signature called a “hash” and check it against its database of IOCs (indicators of compromise) from 55+ different antivirus vendors. So if the file is confidential or personal, then most likely VirusTotal will have no results for it, as it is not yet known to be malicious.
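For readers comfortable with a little Python, the three steps above can be done in one pass over a saved `.eml` file. This is an added example, not part of the original article: the function name `triage`, the `LinkCollector` helper and the sample message (with its placeholder domains) are all constructed for illustration.

```python
import hashlib
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every name and domain in it is a placeholder.
SAMPLE_EML = (
    'From: "IT Helpdesk" <support@example-helpdesk.test>\nMIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\nContent-Type: text/html\n\n'
    '<a href="https://login.example-helpdesk.test/reset">https://example.com/reset</a>\n'
    '--b1\nContent-Type: application/octet-stream\n'
    'Content-Disposition: attachment; filename="invoice.bin"\n'
    'Content-Transfer-Encoding: base64\n\naGVsbG8=\n--b1--\n'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def triage(raw):
    """Return the sender domain, link targets and attachment hashes to look up."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]  # display name and real address, parsed apart
    out = {"sender_name": sender.display_name, "sender_domain": sender.domain.lower(),
           "links": [], "attachments": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                shown = urlsplit(text).hostname  # None when the text is not a URL
                out["links"].append({"href": href, "text": text,
                    "mismatch": bool(shown) and shown != urlsplit(href).hostname})
        elif part.get_filename():
            data = part.get_payload(decode=True)  # decoded attachment bytes
            out["attachments"].append((part.get_filename(), hashlib.sha256(data).hexdigest()))
    return out
```

Paste `sender_domain`, each `href` and each SHA-256 value into the VirusTotal search bar; searching by hash checks an attachment without uploading the file itself. A link with `mismatch` set shows one address on screen but points to another.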

Other Resources: Aside from VirusTotal, there are plenty of free online antivirus and domain scanners to combat phishing. Below are a few to mention:

What is Next?

Watch out for the next series on this topic: PATCHING HUMAN S2PDT 102 — “PHISHING DEFENSE WITH OSINT.”

💡Note: Article originally posted in Cybrary — June 09, 2018
