8.1.Phishing Analysis

Download Report

Transcript 8.1.Phishing Analysis

Phishing Analysis
Ojectives
•
•
•
•
•
•
Phishing
Internet Protocol (IP) addresses
Domain Name System (DNS) names
Analyse “From” addresses
Analyse URL’s
Trace the e-mail
Phishing
• E-mail utilizing social engineering
• Induces the recipient to reveal desired
personal information
•
•
•
•
Bank account
SSN
Address
Etc.
• Sometimes entices the recipient to go to a
malicious web site
IP Addressing
• Each interface on a network is assigned a 32-bit IP address
• The address has a prefix and suffix
●
Network and host ID
Finding Your IP Address
• Examples
– 3.5.1.193
– 140.211.91.175
– 192.168.0.1
• Finding your own address
– Open a Command window
– Type ipconfig/all on Windows
Opening a
Command
Prompt
Your IP Address
The Easy
Way
Who Owns an IP Address
• Managed by the Internet Assigned Numbers
Authority (IANA)
• Users are assigned IP addresses by Internet
Service Providers (ISPs)
• ISPs obtain allocations of IP addresses from
their appropriate Regional Internet Registry
(RIR)
Regional Internet Registries (RIR)
• APNIC (Asia Pacific Network Information Centre)
• AfriNIC (African Network Information Center)
• ARIN (American Registry for Internet Numbers) –
North America
• LACNIC (Regional Latin-American and Caribbean
IP Address Registry) – Latin America and parts of the
Caribbean
• RIPE NCC (Réseaux IP Européens) – Europe, parts
of the Middle East and Asia
Researching IP Addresses
ARIN
At Your
Finger Tips
Address Geographic Location
URL’s
Uniform Resource Locater
• The name of a web site
• http://www.geobytes.com/IpLocator.htm
• First name – Top Level Domain
.com
.edu
.gov
.mil
.biz
.net
.org
.etc
Family Tree
• http://www.geobytes.com/IpLocator.htm
• Second name is the organization’s name
• Third name www is particular web server of
Geobytes
• After the / is the directory and document to
be displayed
• IpLocator.htm
• Default is index.html
Domain Name System
• Associates URL Names to IP addresses
• Examples
– ww.sou.edu = 140.211.107.34
• The Domain Name System (DNS) is a set of
servers that together know all the names
used on the Internet
• More about this later…
Email Schemes/Scams
•
•
•
•
•
Advertisers
Spammers
Scammers
Phishers
Spear Phishers
E-mail Structure
•
•
•
•
•
•
To:
From:
C:
BC:
Subject
Body
Basic Email Header
Email Header Info
• Header info can be faked
– From
– Reply to
– Return-path
– Subject
– Date
• Don't believe it!
Long Headers
NOT EASY
• Different for each e-mail client
• Sometimes impossible
• www.aeicomputertech.com/forensics_mail_header_info.php
• http://www.abika.com/Reports/Samples/emailheaderguide.htm
• For campus Groupwise
• Open e-mail
• Click on “Message Source”
AOL
1. Open AOL
2. Open the e-mail that you wish to check by
double-clicking it
3. Under the To: line, there should be a “Sent from
the Internet (Details)” line
4. Single left click the word “Details” to open an
Internet Information window
5. This should display the full e-mail header
information
Gmail
1.
2.
3.
4.
5.
Log into the Gmail account
Open the e-mail message in question
To the right of the sender’s e-mail message will be a
“show details” hyperlink and to the right of that is a
“Reply” button (I.e., Reply is the default option at least
of 10/15/2007). To the right of the word “Reply” is a
pipe mark (I.e. |) and a down arrow. Single left-click the
down arrow to display a small window of options.
Single left-click the word “show option”
The e-mail headers, in their entirety, will now be
displayed in a new window
Hotmail
1. Log into your Hotmail account single left-click
the “View Source” option.
2. Single, right-click the e-mail you wish to inspect
3. Single, ;eft-click the “View Source” option
4. The e-mail will now be displayed in its native
HTML-based format with the e-mail header
information at the very top.
MS Outlook
•
•
•
•
•
•
•
•
Open Microsoft Outlook
Open the e-mail that you wish to check the mail header information by double-clicking
it
Looking at the Office 2007 horizontal "ribbon" menu, move your cusor to the "Options"
square
Underneath the three icons for Categorize, Followup, & Mark as Unread, there is the
word "Options" and to the right of it is a small three-sided square with a diagonal arrow
in it
Hovering over this miniature icon produces a popup with the wording "Message
Options"
Single, left-click the miniature icon
A "Message Options" window will display
The selected e-mail header information will be at the bottom of the window to the left of
"Internet headers:"
Yahoo!
•
•
•
•
Login to the Yahoo! e-mail account in question
Single, left-click the "Options" hyperlink text from the top menu
Single, left-click the "General Preferences" hyperlink text
Scroll down to the Messages section of the page and place a dot in the
second radio button option that reads "Show all headers on incoming
messages"
• Scroll down to the bottom of the page and single, left-click the "Save"
button
• Navigate to and open the e-mail message in question
• The full e-mail header information will now be displaye
Reading Long Header Info
• Check path by looking at “received” list
• Read it upside down (originator is at the
bottom of the list)
• Uses the passive voice, so can be confusing
Actual e-mail
Long Header Example
Real
Spam
Long Headers
Real
Owner
of
IP
Address
Real
Spam
Look for Real Link
Checking
whois
For
URL
Another Example
Just have to
reply to the e-mail
But where do you go?
Not where you think.
Where you think you are going.
Another look at the e-mail
ARIN Whois Result
Go to Afrinic
Check out
Afrinic
Phishing Again
Probably should
not reply to Nigeria
and give them your
bank account number
Summary
• IANA assigns IP addresses
• Regional Registries assign addresses for
regions
• Start with ARIN when researching
– ARIN will tell you where to go for nonAmerican addresses
• Turn on long headers in email
• Don't fall for silly stuff in the body of the
email