Incident Response | Phishing Attack
The attacker crafts a fake email containing a URL and sends it to several users at your organization. The chain of events looks like this:
- The phishing email is received by the company's SMTP server
- The email passes through the spam filter
- The phish is delivered into the end user's mailbox
- The user notices the new email in the mailbox and reads it
- The user clicks the link in the malicious email
- A website opens and offers an ".exe" file (disguised with a PDF icon) for download
- The user believes the file is genuine and opens it
- The file is a dropper that downloads additional content from the Internet
- The additional content installs automatically
- The malware opens a persistent connection to a fixed IP address (command and control)
- The attacker connects to the PC through this persistent tunnel
- The attacker enumerates the network and exfiltrates data if any is reachable
IR Steps:
- If a new report comes in from the Helpdesk or from end users, create a new ticket
- Obtain the original email from the end user and attach it to the ticket. Ask for it as a saved message (.eml or .msg) rather than a forward, because forwarding rewrites the headers you need for the next steps
- Validate whether the email is a phish:
1. Check the hostname part of all links in the email on https://otx.alienvault.com or another feed such as VirusTotal or IBM X-Force Exchange
2. Check the URL: does the visible link text match the real destination, or is it masking a malicious link?
3. Does the email try to evade spam filters?
If the email is a false positive, resolve the ticket. Otherwise, continue with the instructions below.
Investigation Step 1: Get IoCs
- Full download URL(s) from the email (taken from the message source, not by clicking them)
- Hostname from each URL
- Visit http://www.kloth.net/services/nslookup.php (or run nslookup/dig yourself) and record the IPs belonging to each hostname
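The validation steps above (link hostnames to check against a feed, visible text masking a different link) and the IoC collection here need the same thing first: every URL pulled out of the message source. The script below is an added example, not code from the original post. It parses a raw email, lists the URLs in its text and HTML parts, flags HTML anchors whose visible text is a URL on a different host than the real href, returns the hostnames to feed into OTX/VirusTotal, and resolves them to IPs as the nslookup step does. The sample message, its hostnames and addresses are constructed for the example.

```python
"""Extract link IoCs from a raw phishing email and spot masked links.

Added example for the IR post; the RAW_EMAIL below is a constructed
sample, and every host and address in it is a placeholder.
"""
import email
import re
import socket
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phish: the visible link text names a plausible host,
# the real href points at a different host serving an .exe.
RAW_EMAIL = b"""From: "Accounts" <billing@example-invoices.test>
To: user@victim.test
Subject: Invoice 4471 overdue
X-Mailer: PHPMailer 5.2.4
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is attached: http://docs.example-invoices.test/invoice.pdf

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice: <a href="http://cdn.drop-files.test/dl/invoice.pdf.exe">http://docs.example-invoices.test/invoice.pdf</a></p>
</body></html>

--b1--
"""

# Stops at whitespace, quotes and angle brackets, so hrefs and bare URLs
# in text both terminate where they should.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


class _AnchorParser(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url: str) -> str:
    """Hostname part of a URL, lower-cased ('' if unparsable)."""
    return (urlparse(url).hostname or "").lower()


def extract_urls(raw: bytes) -> list[str]:
    """All URLs in the text/plain and text/html parts, in order, deduplicated."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if url not in found:
                    found.append(url)
    return found


def masked_links(raw: bytes) -> list[tuple[str, str]]:
    """(visible_text, real_href) pairs where the visible text is itself a URL
    whose host differs from the href's host: the classic masked link."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _AnchorParser()
            parser.feed(part.get_content())
            for href, text in parser.anchors:
                if href and URL_RE.fullmatch(text) and hostname(text) != hostname(href):
                    result.append((text, href))
    return result


def hostnames(raw: bytes) -> list[str]:
    """Unique hostnames to check against a threat-intel feed."""
    seen = []
    for url in extract_urls(raw):
        host = hostname(url)
        if host and host not in seen:
            seen.append(host)
    return seen


def resolve(hosts: list[str]) -> dict[str, list[str]]:
    """A records for each host (needs network; empty list if it does not resolve)."""
    out = {}
    for host in hosts:
        try:
            out[host] = sorted(set(socket.gethostbyname_ex(host)[2]))
        except socket.gaierror:
            out[host] = []
    return out


if __name__ == "__main__":
    print("URLs:", extract_urls(RAW_EMAIL))
    print("Masked links:", masked_links(RAW_EMAIL))
    print("Hostnames:", hostnames(RAW_EMAIL))
    print("Resolved:", resolve(hostnames(RAW_EMAIL)))  # placeholders will not resolve
```

Feed the hostnames, not the full URLs, to the feed lookups: the attacker rotates paths far more often than hosts. The masked-link check only catches visible text that is itself a URL; a link labelled "Click here" needs the href inspected by eye.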
Alerting Employees
If this is the fifth ticket related to the same campaign, warn the end users of the threat.
Block Emails on the SMTP Server
Because the phisher can easily change the subject line or the sender, look instead for a common pattern in the headers of the related emails. For instance, all of them might share the same X-Mailer: and X-PHP-Script: headers, which identify the sending script rather than the disposable sender address.
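Finding that shared pattern by hand across a dozen messages is tedious, so here is an added example (not code from the original post) that does it mechanically: it intersects the header name/value pairs of messages already confirmed to be the same campaign, after throwing away fields that differ per recipient or per hop, and then checks a new message against the resulting signature. The three campaign messages and the one legitimate message are constructed; every host, address and X-PHP-Script value is a placeholder.

```python
"""Derive a header signature shared by all messages of a phishing campaign.

Added example for the IR post. CAMPAIGN and LEGIT_EMAIL are constructed
samples; the hosts, addresses and the X-PHP-Script value are placeholders.
"""
import email

# Fields that change per recipient, per hop or per message and therefore
# never make a stable campaign signature.
VOLATILE = {
    "to", "cc", "from", "subject", "date", "message-id", "received",
    "return-path", "delivered-to", "x-original-to", "dkim-signature",
    "authentication-results",
}

# Three messages from one campaign: different senders and subjects,
# same sending script.
CAMPAIGN = [
    b"""From: "Payroll" <pay@one.test>
To: alice@victim.test
Subject: Salary revision
Date: Mon, 08 Jan 2024 09:00:00 +0000
Message-ID: <a1@one.test>
MIME-Version: 1.0
X-Mailer: PHPMailer 5.2.4
X-PHP-Script: www.cheap-host.test/send.php for 203.0.113.10
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit

<a href="http://cdn.drop-files.test/a">Open</a>
""",
    b"""From: "HR Team" <hr@two.test>
To: bob@victim.test
Subject: Updated leave policy
Date: Mon, 08 Jan 2024 09:02:00 +0000
Message-ID: <b2@two.test>
MIME-Version: 1.0
X-Mailer: PHPMailer 5.2.4
X-PHP-Script: www.cheap-host.test/send.php for 203.0.113.10
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit

<a href="http://cdn.drop-files.test/b">Open</a>
""",
    b"""From: "IT Support" <it@three.test>
To: carol@victim.test
Subject: Mailbox almost full
Date: Mon, 08 Jan 2024 09:04:00 +0000
Message-ID: <c3@three.test>
MIME-Version: 1.0
X-Mailer: PHPMailer 5.2.4
X-PHP-Script: www.cheap-host.test/send.php for 203.0.113.10
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit

<a href="http://cdn.drop-files.test/c">Open</a>
""",
]

# An ordinary internal message that must not match the signature.
LEGIT_EMAIL = b"""From: dave@victim.test
To: alice@victim.test
Subject: Lunch?
Date: Mon, 08 Jan 2024 09:10:00 +0000
Message-ID: <d4@victim.test>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Noon?
"""


def header_pairs(raw: bytes) -> set[tuple[str, str]]:
    """Non-volatile (name, value) pairs of a message, names lower-cased and
    folded values collapsed to single spaces."""
    msg = email.message_from_bytes(raw)  # compat32: values are plain strings
    return {
        (name.lower(), " ".join(str(value).split()))
        for name, value in msg.items()
        if name.lower() not in VOLATILE
    }


def common_headers(messages: list[bytes]) -> dict[str, str]:
    """Header pairs present in every message: the candidate filter signature."""
    sets = [header_pairs(m) for m in messages]
    shared = set.intersection(*sets) if sets else set()
    return dict(sorted(shared))


def matches(raw: bytes, signature: dict[str, str]) -> bool:
    """True if a message carries every pair of the signature."""
    pairs = header_pairs(raw)
    return all((name, value) in pairs for name, value in signature.items())


if __name__ == "__main__":
    sig = common_headers(CAMPAIGN)
    for name, value in sig.items():
        print(f"{name}: {value}")
    print("legit message matches:", matches(LEGIT_EMAIL, sig))
```

Before turning the signature into a gateway rule, drop pairs that are too generic to block on (MIME-Version: 1.0 alone would match nearly everything) and keep the ones tied to the attacker's tooling, such as X-PHP-Script and X-Mailer. Run the candidate rule against a day of legitimate mail first to measure false positives.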
Removing Emails from User Inboxes
Check the SMTP logs for whether the same email has been delivered to other users, and engage IT in removing similar emails from the affected mailboxes.
- Search for the subject line of the original phish
- Search for the sender email address of the original phish
- If you identify other recipients in the SMTP logs:
1. Export the affected recipients into a CSV file
2. Contact the system administrators and ask them to remove the phishes from the affected mailboxes
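The search-and-export step, as an added example that is not part of the original post. It scans gateway log lines for deliveries matching either the subject or the sender of the original phish, skips bounced deliveries (there is nothing to remove from those mailboxes), and writes the hits to CSV for the administrators. The log format is constructed for the example and assumed to record sender, recipient and subject on one line per delivery, which plain Postfix logging does not do by default; adjust LOG_RE to whatever your gateway actually writes. All addresses and hosts are placeholders.

```python
"""Find other recipients of a phish in SMTP gateway logs and export them.

Added example for the IR post. SMTP_LOG is a constructed sample in an
assumed one-line-per-delivery format; adapt LOG_RE to your gateway.
"""
import csv
import io
import re

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) qid=(?P<qid>\S+) from=<(?P<sender>[^>]*)> '
    r'to=<(?P<rcpt>[^>]*)> subject="(?P<subject>[^"]*)" status=(?P<status>\S+)$'
)

# Constructed log: the same phish to several users, one bounce, one message
# from the same sender with a different subject, one unrelated message.
SMTP_LOG = """\
2024-01-08T09:01:12Z mx1 qid=4F2A1 from=<pay@one.test> to=<alice@victim.test> subject="Salary revision" status=delivered
2024-01-08T09:01:13Z mx1 qid=4F2A2 from=<pay@one.test> to=<bob@victim.test> subject="Salary revision" status=delivered
2024-01-08T09:01:15Z mx1 qid=4F2A3 from=<pay@one.test> to=<carol@victim.test> subject="Salary revision" status=bounced
2024-01-08T09:02:40Z mx2 qid=7C001 from=<hr@two.test> to=<dave@victim.test> subject="Salary revision" status=delivered
2024-01-08T09:05:02Z mx2 qid=7C002 from=<pay@one.test> to=<erin@victim.test> subject="Re: your request" status=delivered
2024-01-08T09:06:11Z mx1 qid=4F2B0 from=<colleague@victim.test> to=<alice@victim.test> subject="Lunch?" status=delivered
2024-01-08T09:07:00Z mx1 qid=4F2B1 from=<pay@one.test> to=<alice@victim.test> subject="Salary revision" status=delivered
"""


def find_deliveries(log_text: str, subject: str, sender: str) -> list[dict]:
    """Delivered entries whose subject or sender matches the original phish
    (case-insensitive exact match). Lines that do not parse are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        if entry["status"] != "delivered":
            continue  # bounced/rejected: never reached a mailbox
        if (entry["subject"].lower() == subject.lower()
                or entry["sender"].lower() == sender.lower()):
            hits.append(entry)
    return hits


def affected_recipients(hits: list[dict]) -> list[str]:
    """Unique recipient addresses, sorted, for the notification list."""
    return sorted({e["rcpt"].lower() for e in hits})


def to_csv(hits: list[dict]) -> str:
    """One row per delivery, with the queue id so admins can find the message."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["ts", "host", "qid", "sender", "rcpt", "subject"],
        extrasaction="ignore", lineterminator="\n",
    )
    writer.writeheader()
    writer.writerows(hits)
    return buf.getvalue()


if __name__ == "__main__":
    hits = find_deliveries(SMTP_LOG, "Salary revision", "pay@one.test")
    print("Affected recipients:", affected_recipients(hits))
    with open("affected_recipients.csv", "w", newline="") as fh:
        fh.write(to_csv(hits))
```

Matching on sender as well as subject is what catches the fifth line: same sender, new subject. It is also why the export carries the queue id and timestamp per delivery rather than just a list of addresses; the administrators need something to locate the exact message in each mailbox.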
Blocking Download URL
This step prevents the dropper from being downloaded if a user still clicks the malicious URL in the phish.
- Pivot on the hostname (shared IP, registrant, name servers) to collect related hostnames and build a blocklist
- Block the list at the perimeter (web proxy or DNS) and in the email security gateway