Your email address has been leaked and you receive an email from Paypal in German. Try to analyze the suspicious email.

Another LetsDefend challenge, this time focusing on Phishing emails!

I’ve looked at phishing emails a lot at work. I’ve heard and read about SOC Burnout and… I’ll be honest, I’ve never really felt it. Part of what excites me in a SOC role is piecing together the story of an attack. The investigation side of SOC work scratches an itch for me. Maybe it comes from all the mystery novels I read as a kid, but putting together all the pieces of an attack and defining a clear story makes me happy.

Phishing emails are the easiest ‘stories’ to put together, though. More often than not you’re immediately told who sent the email. Analyzing a link (if it’s still active) will show you the what, usually a credential-stealing site (and I guess the how as well). If a user has reported the email after having credentials stolen, then you have more of an investigation on your hands, but I’m getting a bit off topic.

Let’s get onto the challenge at hand! We’re given the email in a .zip folder to analyze. After we start the lab we can connect and analyze it a bit.


Question one

What is the return path of the email?


The Return-Path of an email is an important field to make note of. The From: field is what is shown to end users in their email client, and to most users it is all they ever care about. The Return-Path is the envelope sender used by SMTP during delivery (the MAIL FROM address, recorded by the receiving server) and isn’t usually shown to the end user. The two addresses can differ for legitimate reasons, for example if a company uses Mailchimp or some other third-party mailer. In phishing emails the Return-Path can tell you which infrastructure really sent the message and where bounces would be sent to. It is also the address that SPF checks, so an SPF pass on the Return-Path domain says nothing about the domain shown in From:.

To answer this question we can open the paypal.eml file using Notepad++ and search for return-path.

I did this in my last post for LetsDefend, so here’s the full paypal.eml file. We’ll get to each part of the email as it’s needed.

Delivered-To: krystyalia@gmail.com
Received: by 2002:a59:ce05:0:b0:2d3:3de5:67a9 with SMTP id l5csp1310935vqx;
        Mon, 15 Aug 2022 07:35:02 -0700 (PDT)
X-Google-Smtp-Source: AA6agR5km6ywOzoBtEq9clYbBp8qJUgwZjl3vP31rmyn3ReGCZe7C1UBuWHBbIZLS4vvQF7qIUqB
X-Received: by 2002:a92:c543:0:b0:2e4:c514:4ad8 with SMTP id a3-20020a92c543000000b002e4c5144ad8mr5344852ilj.301.1660574102289;
        Mon, 15 Aug 2022 07:35:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1660574102; cv=none;
        d=google.com; s=arc-20160816;
        b=v0vRI/Pfq0mG8+kEolqxZIG0U7TAEObvlwr8ILnGJSKrCr+0gwGjNTLTuLDOKuQSYL
         +0KATfrRyeS+S4J4EaV+9n/ctMKNKFGu4213iyMaCSuzaF7XBEwFe0scYp4r6QbeFKjp
         DVgAnm8CQubLm9+DOk1jlnLmoqfDRIUB+tC3QS8VWVOOtNo1jF7lPhJTV5WoSW3uHDhL
         cNHj70daaMitn5LQwqY3u3h/XhQR9f0pLWGPqeaM/8OSAyaU8aIlxpNMVL7EiltQgsew
         6o7lgKjzOkn+g+5jEWGPRjWFjwJTmudTN4yTHOQhB5hFRGbrvv0m0FNN/lR9HuqpeKH3
         7f8g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=feedback-id:message-id:to:subject:envelope-to:list-unsubscribe:from
         :date;
        bh=RBOWoaMMpae2XSW5fIY8AMWesjkkUGv9NVPbU5akMiw=;
        b=qEx4Dby+KeEbwFfEkyTOLalZdP2Bi/1x++tzApl5zqJPEO+/yhr49+kFUAOLs6YejZ
         5GVU8PA4yOTHHBDuLmYr6tGRNNdbohZIT7G6rz+hV1uU8bNmoUTzVXoTzWUSZKUappHH
         WnfmvEJzQvlPvdPPgwA2/5a4HKxeCLX+Pa/YJ0wUfeXrDwHBDiHmG2hpG2h2n07BkWYk
         CVhDnFFhQ8tDO6dS371kOBeYBcseystA3+1SoBs6M6qZbEPPXzNXkyFqN6NuoeCmNn3d
         moGUHjeXaGD3W1kY+qjvUywVULouHPSK0F578CTgg1/DSdm7UGYnJyMYlyrbA9EBXa5H
         Mm1Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of bounce@rjttznyzjjzydnillquh.designclub.uk.com designates 134.195.196.43 as permitted sender) smtp.mailfrom=bounce@rjttznyzjjzydnillquh.designclub.uk.com
Return-Path: <bounce@rjttznyzjjzydnillquh.designclub.uk.com>
Received: from foresthillrestaurant.com (capchrist.org. [134.195.196.43])
        by mx.google.com with ESMTP id v19-20020a056638251300b00343383b93c1si6702219jat.13.2022.08.15.07.35.01
        for <krystyalia@gmail.com>;
        Mon, 15 Aug 2022 07:35:02 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce@rjttznyzjjzydnillquh.designclub.uk.com designates 134.195.196.43 as permitted sender) client-ip=134.195.196.43;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounce@rjttznyzjjzydnillquh.designclub.uk.com designates 134.195.196.43 as permitted sender) smtp.mailfrom=bounce@rjttznyzjjzydnillquh.designclub.uk.com
Received: from efianalytics.com (efianalytics.com. 216.244.76.116)
Date: Mon, 15 Aug 2022 10:35:01 -0400 (EDT)
From:  "?P.A.Y.P.A.L?"  <IHKH0MFEWW@kodehexa.net>
X-EMMAIL: Marrybenh@kodehexa.net
List-Unsubscribe: <mailto:<6kb5309jhvfamn7t0kt-iyct34ecfud7rfs3owh5d355dzxhy5.ljdg2j.quk3tu.9@unsub-sj.mktomail.com>
Envelope-To: <krystyalia@gmail.com>
Subject:  ?? ?????? ?????????? ?????? ??????????????????, ?????? ?????????? ?????????? ??????????????????????_______________0759338487
To: <[an18]@itlgopk.uk>
Message-Id: <-@vevida.net>
X-MarketoID: vKD-Gha-mqeegooa:0:jJKk4V:9:oB3EVd:besLKX8VE
Feedback-ID: 1.us-east-1.psHyoMfnH8hkuQnF72JGzzQK1By9IkayShm7uIk1GIc=:AmazonSES
X-PVIQ: mkto-RdMCgBVWW-NB6yqY-hZCeCx-FdLezk
Content-Type: multipart/report; boundary="000000000000SGCNuB7Qm6umj710elBSQB"; report-type=delivery-status

--000000000000SGCNuB7Qm6umj710elBSQB
Content-Type: multipart/related; boundary="000000000000B0MNRUNyYR84HR9a"

--000000000000B0MNRUNyYR84HR9a
Content-Type: multipart/alternative; boundary="000000000000B0MNRUNyYR84HR9b"

--000000000000B0MNRUNyYR84HR9b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Top Stories of the Day: Mon, 15 Aug 2022 10:35:01 -0400 (EDT)

384382299382446281
-----
ggtwfouyfnynwgqololxakgwudhtkvnhogafpjgctzkzazptiapkkouipkgecsgsspfqmxxptgurwoffnswmljbnzyectoehitafxvbvrlnymiftcboectjvqwjahugddiojegjxtrjnkqqljyoklsyzljbomvqzxdraozqwudeyrbksoxamufytlwviddnaxxkupiauolcpiq

If you believe this has been sent to you in error, please safely unsubscrib=
e

--000000000000B0MNRUNyYR84HR9b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit+




<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>&#87;&#97;&#108;&#109;&#97;&#114;&#116;&#65;&#109;&#97;&#122;&#111;&#46;&#99;&#111;&#109; </title>
</head>
<body>

			<div style="font-family:Calibri,Helvetica,Arial,sans-serif">
				<table width="564" cellspacing="0" cellpadding="0" border="0" align="center">
					<tr>
						<td bgcolor="#FFFFFF">
						<table width="600" cellspacing="0" cellpadding="8" border="0">
							<tr>
								<td bgcolor="#FFFFFF" >
									<b><font color="#27377C"><font size="7">Paypal </font></font><font color="#24A0D5" size="7">.</font></b><font size="7" color="#27377C">&#99;&#111;&#109;</font></td>
							</tr>
						</table>
						</td>
					</tr>
					<tr>
						<td valign="top" height="21" bgcolor="#FFFFFF">
								&nbsp;</td>
					</tr>
					<tr>
						<td valign="top" height="137" bgcolor="#FFFFFF">
								<font size="4" face="Calibri, Helvetica, Arial, sans-serif;" color="#737373">
								<strong><em>
								<span style="font-size:22px" >
								Hallo !</span></em></strong><br>
								<br>Sie sind Kunde Nr. 12819202501 von AU Paypal Rewards und wir warten seit dem 09.08.2022 auf Ihre Besttigung. Diese Lieferung ist fr Sie. Um die Lieferung zu aktivieren,<a href="https://storage.googleapis.com/hqyoqzatqthj/aemmfcylvxeo.html#QORHNZC44FT4.QORHNZC44FT4?dYCTywccxr3jcxxrmcdcKBdmc5D6qfcJVcbbb4M">
							bitte besttigen.</a>.</font></td>
					</tr>
					<tr>
						<td valign="top" height="164" bgcolor="#FFFFFF">
						<table width="600" cellspacing="0" cellpadding="12" border="0">
							<tr>
								<td width="552" valign="top" bgcolor="#FFFFFF">
								<table width="389" cellspacing="0" cellpadding="6" border="0">
									<tr>
										<td colspan="2" bgcolor="#FFFFFF">
										<font size="4" face="Calibri, Helvetica, Arial, sans-serif;">
									Ihre Kontoinformationen
</strong></font></td>
									</tr>
									<tr>
										<td width="36%" bgcolor="#ffffff">
										<strong><style>9yjf8g7o9ty7n5ym5x5xqm5hurb8mop8</style>
										<font face="Calibri, Helvetica, Arial, sans-serif;" size="4" color="#084B76">
										Kunde</font></strong><font size="4" face="Calibri, Helvetica, Arial, sans-serif;" color="#084B76"><strong>:</strong></font></td>
										<td width="64%" bgcolor="#ffffff">
										<font size="4">Krystyalia</font></td>
									</tr>
									<tr>
										<td bgcolor="#FFFFFF">
										<font size="4" face="Calibri, Helvetica, Arial, sans-serif;" color="#084B76">
										<strong>&#69;&#109;&#97;&#105;&#108;:</strong></font></td>
										<td bgcolor="#FFFFFF">
										<font size="4">Krystyalia@gmail.com</font></td>
									</tr>
									<tr>
										<td bgcolor="#FFFFFF">
										<strong>
										<font face="Calibri, Helvetica, Arial, sans-serif;" size="4" color="#084B76">
										Belohnen</font></strong><font size="4" face="Calibri, Helvetica, Arial, sans-serif;" color="#084B76"><strong>:</strong></font></td>
										<td bgcolor="#FFFFFF">
										<i><font size="4"><a href="https://storage.googleapis.com/hqyoqzatqthj/aemmfcylvxeo.html#QORHNZC44FT4.QORHNZC44FT4?dYCTywccxr3jcxxrmcdcKBdmc5D6qfcJVcbbb4M">PayPal-Guthabenkarte 1000   </a></font></i></td>
									</tr>
									</table>
								</td>
							</tr>
						</table>
						</td>
					</tr>
				</table>
			</div>

<div style="font-family:Calibri,Helvetica,Arial,sans-serif">
	<table width="600" cellspacing="0" cellpadding="0" border="0" align="center">
		<tr>
			<td valign="top" bgcolor="#FFFFFF">
			<table width="600" cellspacing="0" cellpadding="12" border="0">
				<tr>
					<td width="290" valign="top" align="center">
					<table width="85%" cellpadding="16" border="0">
						<tr>
							<td style="border-radius:6px" bgcolor="#27377C" align="center">
							<strong>
							<a href="https://storage.googleapis.com/hqyoqzatqthj/aemmfcylvxeo.html#QORHNZC44FT4.QORHNZC44FT4?dYCTywccxr3jcxxrmcdcKBdmc5D6qfcJVcbbb4M">
							<font face="Verdana, Geneva, sans-serif" size="4" color="#FFFFFF">
							Setzen Sie die Lieferung fort</font></a></strong></td>
						</tr>
					</table>
					</td>
				</tr>
			</table>
			</td>
		</tr>
		<tr>
			<td valign="top">
			<table width="600" cellspacing="0" cellpadding="18" border="0">
				<tr>
					<td bgcolor="#FFFFFF">
					<hr>&nbsp;</td>
				</tr>
			</table>
			</td>
		</tr>
	</table>
</div>
     <center> <p style="text-align:center;font-family: 'Open Sans','Arial','Helvetica',sans-serif;font-size:13px;"><br><br> 

<a href="https://storage.googleapis.com/hqyoqzatqthj/aemmfcylvxeo.html#QORHNZC44FT4.QORHNZC44FT4?dYCTywdcxr3jcxxrmcdcKBdmc5D6qfcJVcbbb4M"> Abmelden </a><br><br>
</center>

     <center> <p style="text-align:center;font-family: 'Open Sans','Arial','Helvetica',sans-serif;font-size:13px;"><br><br> 
 <br>The advertiser does not manage your subscription.<br>
If you perfer not to receive further communication please unsubscribe<a href="https://storage.googleapis.com/hqyoqzatqthj/aemmfcylvxeo.html#QORHNZC44FT4.QORHNZC44FT4?dYCTywfcxr3jcxxrmcdcKBdmc5D6qfcJVcbbb4M"> here</a><br>Or write to: 34 N Franklin Ave Ste 687#2043, Pinedale, WY, 82941 <br>
</center>
 </body>
</html><table width="100%" cellpadding="0" cellspacing="0" border="0" style="">
  
--000000000000B0MNRUNyYR84HR9b--
--000000000000B0MNRUNyYR84HR9a--
--000000000000SGCNuB7Qm6umj710elBSQB--

Make sure you use Ctrl + F to search: a .eml file can be pretty busy, so you’ll spend much more time going line by line than you would just searching for the header. The Return-Path here is bounce@rjttznyzjjzydnillquh.designclub.uk.com, which is nothing like the kodehexa.net address in the From: header. That’s our first answer!


Question two

What is the domain name of the url in this mail?


We need to scroll down past all the header information (like the Return-Path) and find the actual body of the email to get this answer. Thankfully that’s pretty easy! Scroll down (or Ctrl + F) to the <body> tag. Emails are constructed with HTML, so if you’ve ever done web development you should be pretty familiar with this.

We can see the following in the body of the email:

<tr>
    <td valign="top" height="137" bgcolor="#FFFFFF">
            <font size="4" face="Calibri, Helvetica, Arial, sans-serif;" color="#737373">
            <strong><em>
            <span style="font-size:22px" >
            Hallo !</span></em></strong><br>
            <br>Sie sind Kunde Nr. 12819202501 von AU Paypal Rewards und wir warten seit dem 09.08.2022 auf Ihre Besttigung. Diese Lieferung ist fr Sie. Um die Lieferung zu aktivieren,<a href="https://storage.googleapis.com/hqyoqzatqthj/aemmfcylvxeo.html#QORHNZC44FT4.QORHNZC44FT4?dYCTywccxr3jcxxrmcdcKBdmc5D6qfcJVcbbb4M">
        bitte besttigen.</a>.</font></td>
</tr>

The text of this email is in German, and after translating it here’s what we see:

Hello! You are customer number 12819202501 of AU PayPal Rewards and we have been waiting for your confirmation since August 9, 2022. This delivery is for you. To activate the delivery, <a href="https://storage.googleapis.com/hqyoqzatqthj/aemmfcylvxeo.html#QORHNZC44FT4.QORHNZC44FT4?dYCTywccxr3jcxxrmcdcKBdmc5D6qfcJVcbbb4M">please confirm.</a>

A pretty standard phishing email!

For the answer, we can just grab the domain (and subdomain!) of the link: storage.googleapis.com. Every link in the body, including the “Abmelden” (unsubscribe) links at the bottom, points at the same page in that bucket.
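The two header checks above (Return-Path against From for question one, and the link hosts in the body for question two) are easy to script with Python’s standard library. The example below is added here and is not part of the original write-up or the LetsDefend lab; the embedded .eml is a constructed, trimmed copy of the challenge headers and two of its body links, and the function names are my own.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: the challenge's sender headers plus two of its body links,
# trimmed to the fields this script reads (the real .eml carries many more).
SAMPLE_EML = """\
Return-Path: <bounce@rjttznyzjjzydnillquh.designclub.uk.com>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounce@rjttznyzjjzydnillquh.designclub.uk.com designates 134.195.196.43 as permitted sender) smtp.mailfrom=bounce@rjttznyzjjzydnillquh.designclub.uk.com
From: "?P.A.Y.P.A.L?" <IHKH0MFEWW@kodehexa.net>
To: <krystyalia@gmail.com>
Content-Type: text/html; charset="UTF-8"

<html><body>Um die Lieferung zu aktivieren,<a href="https://storage.googleapis.com/hqyoqzatqthj/aemmfcylvxeo.html#QORHNZC44FT4.QORHNZC44FT4?dYCTywccxr3jcxxrmcdcKBdmc5D6qfcJVcbbb4M">bitte best&auml;tigen.</a>
<a href="https://storage.googleapis.com/hqyoqzatqthj/aemmfcylvxeo.html#QORHNZC44FT4.QORHNZC44FT4?dYCTywdcxr3jcxxrmcdcKBdmc5D6qfcJVcbbb4M"> Abmelden </a></body></html>
"""

def sender_fields(raw: str) -> dict:
    """Envelope sender (Return-Path) beside the displayed From address.
    A domain mismatch alone is not proof of phishing (bulk mailers do it too),
    but note that the SPF pass only vouches for the Return-Path domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    ret_path = msg["Return-Path"].strip("<> ")
    from_addr = msg["From"].addresses[0].addr_spec
    spf = re.search(r"spf=(\w+)", msg["Authentication-Results"] or "")
    rp_dom, from_dom = ret_path.rsplit("@", 1)[-1], from_addr.rsplit("@", 1)[-1]
    return {
        "return_path": ret_path,
        "from": from_addr,
        "spf": spf.group(1) if spf else None,
        "domain_mismatch": rp_dom != from_dom,
        # SPF is only meaningful for the From domain when the two line up
        "spf_covers_from_domain": spf is not None and rp_dom == from_dom,
    }

def body_urls(raw: str) -> list:
    """Every href in the HTML part, de-duplicated but kept in document order."""
    msg = email.message_from_string(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",)).get_content()
    return list(dict.fromkeys(re.findall(r'href="([^"]+)"', html)))

def url_hosts(urls) -> list:
    """Distinct hosts behind the links. Here it is storage.googleapis.com, a
    Google-owned host, so the domain's reputation says nothing about safety."""
    return sorted({urlparse(u).hostname for u in urls})
```

Run it against the real paypal.eml by reading the file into `sender_fields` and `body_urls`; the same checks work on any message Gmail has stamped with Authentication-Results.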


Question three

Is the domain mentioned in the previous question suspicious?


This is a pretty easy question to answer. We know that this is a suspicious, phishy email; however, the domain belongs to Google (storage.googleapis.com is Google Cloud Storage, and the landing page is simply a file the attacker uploaded to a bucket).
Unfortunately, malicious actors like to use legitimate websites to host malware, scripts, and whatever else they want to run on your device. Just because a process reaches out to Reddit, for example, doesn’t mean that it’s safe. Using public services as a C2 channel can be a neat way to bypass firewalls and proxies that only block unknown domains, which is why domain reputation alone is a weak signal and the full URL (bucket name and path) is what you should block and hunt on. So yes, the domain is suspicious, even if it’s owned by Google.


Question four

What is the body SHA-256 of the domain?


If we enter the URL into VirusTotal, open the Details tab and scroll down, we’ll see the Body SHA-256 field. This is the ‘SHA-256 hash of the body of the HTTP response sent back by the server upon asking for the URL being studied.’ Neat!


Question five

Is this email a phishing email?


Another easy-to-answer question. From the information we’ve gathered thus far (a Return-Path domain unrelated to the From: address, a spoofed PayPal display name, and every link pointing at an attacker-controlled page hosted on Google storage) we can confidently call this email phishing!


Conclusion

Another neat little challenge from LetsDefend. I mentioned this in the introduction of the challenge, but putting together the story of an attack, even if it’s just a phishing email, is always fun to me. I’m still fairly new in my infosec career and the more I think about it, the more I’m thinking about going down the Threat Hunting career path. It’s not as big and flashy as a pentester, but it’s still something that excites me. Maybe in a few years I’ll start posting actual threat research on here rather than CTF writeups, so stay tuned and find out!