# Phishing 101

###### tags: `social engineering` `cybersecurity` `phishing`

## Where it all began

Ray Tomlinson invented the concept of email and made the @ symbol famous. The invention of email dates back to the 1970s, for ARPANET.

### What's in an email address?

1. User mailbox / Username
2. @ symbol
3. Domain

Taking deedee@dexterslab.com as an example:

* deedee - user mailbox
* @ - @ symbol
* dexterslab.com - domain

## Email Delivery

There are 3 specific protocols involved in sending emails:

* SMTP (Simple Mail Transfer Protocol) - handles the sending of emails
* POP3 (Post Office Protocol) - responsible for transferring emails between client and mail server
* IMAP (Internet Message Access Protocol) - responsible for transferring emails between client and mail server

Let's send an email from deedee@dexterslab.com to number4@kidsnextdoor.com. This is what the process would look like:

1. Deedee composes an email to number4@kidsnextdoor.com in her favorite email client (like Outlook / Gmail) and hits send.
2. The SMTP server needs to determine where to send Deedee's email. It queries DNS for information related to kidsnextdoor.com.
3. The DNS server obtains information for kidsnextdoor.com and sends it to the SMTP server.
4. The SMTP server sends Deedee's email across the internet to number4's mailbox.
5. Deedee's email passes through various SMTP servers until it is relayed to number4's SMTP server.
6. After Deedee's email reaches the destination SMTP server, it is forwarded to the POP3/IMAP server waiting for number4.
7. Number4 logs into his email client, which queries the server for new emails in his mailbox.
8. Deedee's email is copied (IMAP) or downloaded (POP3) to Number4's email client.
While POP3 and IMAP serve the same purpose, some of their differences are outlined below:

| POP3 | IMAP |
| -------------- | :---------------|
| Emails are downloaded and stored on a single device | Emails are stored on the server and can be downloaded to multiple devices |
| Sent messages are stored on the single device from which the email was sent | Sent messages are stored on the server |
| Emails can only be accessed from the single device the emails were downloaded to | Messages can be synced and accessed across multiple devices |
| If you want to keep the messages on the server, enable the "Keep email on server" setting; otherwise all messages are deleted from the server once downloaded to the single device | Emails are kept on the server by default |

More differences can be found [here](https://help.dreamhost.com/hc/en-us/articles/215612887-Email-client-protocols-and-port-numbers).

## Email Headers

There are two parts to an email:

1. the email header (information about the email, such as the email servers that relayed it)
2. the email body (text and / or HTML formatted)

The syntax for emails is known as Internet Message Format (IMF).

When analyzing a potentially malicious email, we look at the following fields first:

1. **From** - the sender's email address
2. **Subject** - the email's subject line
3. **Date** - the date the email was sent
4. **To** - the recipient's email address

You can view the raw email details to obtain email header information.
More about that [here](https://mediatemple.net/community/products/grid/204644060/how-do-i-view-email-headers-for-a-message).

Other fields of interest:

* **X-Originating-IP** - The IP address the email was sent from (a.k.a. an **X-header**)
* **smtp.mailfrom / header.from** - The domain the email was sent from (these appear within the Authentication-Results header)
* **Reply-To** - Email address a reply will be sent to instead of the From email address

This article [here](https://mediatemple.net/community/products/all/204643950/understanding-an-email-header) has more information.

### Deep dive into headers

**It is important to note that when reading an email header, every line can be forged, so only trust the Received: lines that are created by your service or computer.**

#### From:
Displays who the message is from; however, this can easily be forged and is the least reliable field in analysis.

#### Subject:
What the sender placed as the topic of the email content.

#### Date:
Shows the date and time the email message was composed.

#### To:
Shows to whom the message was addressed, but may not contain the recipient's address.

#### Return-Path:
Email address for return mail. Same as Reply-To.

#### Envelope-To:
Shows that this email was delivered to the mailbox of a subscriber whose email address is user@example.com.

#### Delivery-Date:
Shows the date and time at which your email was received by your mail transfer service or email client.

#### Received:
* The most important part of the email header, and the most reliable as well.
* They form a list of all the servers / computers through which the message traveled in order to reach its destination.
* Received lines are best read **from bottom to top**:
  * i.e. the first Received line is your own system or mail server
  * the last Received line is where the mail originated.
* Each mail system has its own style of "Received:" line.
* A "Received:" line typically identifies the machine that received the email and the machine from which the mail was received.
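The bottom-to-top reading of Received: lines, the X-Originating-IP shortcut and the From / Reply-To comparison described above, as an added example (not code from the original page). The raw message is constructed for the example; the hostnames and IPs in it are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real phish). Received: lines are newest-first: the top
# one was added by the recipient's own server, the bottom one by the first relay.
RAW_EMAIL = """\
Received: from mx.kidsnextdoor.com (mx.kidsnextdoor.com [203.0.113.10])
 by mail.kidsnextdoor.com with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5])
 by mx.kidsnextdoor.com with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from dexterslab.com (unknown [192.0.2.77])
 by relay.example.net with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: "Dexter's Lab Billing" <deedee@dexterslab.com>
Reply-To: billing@dexterslab-invoices.example

Your invoice is suspended. Click now.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(msg):
    """(claimed 'from' host, IP recorded by the receiver) per hop, oldest first.
    Only the bracketed IP was written by the receiving server; trust that part."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        host = re.match(r"from\s+(\S+)", value)
        ip = IP_RE.search(value)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops

def origin_ip(msg):
    """Prefer X-Originating-IP; otherwise the IP of the oldest Received: hop."""
    xoip = msg.get("X-Originating-IP")
    chain = received_chain(msg)
    return xoip.strip("[] ") if xoip else (chain[0][1] if chain else None)

def reply_to_mismatch(msg):
    """True when replies would go to a different domain than the visible From."""
    from_dom, reply_dom = (parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
                           for h in ("From", "Reply-To"))
    return bool(reply_dom) and reply_dom != from_dom

def triage(raw):
    """Summarise the header facts the section above says to look at first."""
    msg = message_from_string(raw)
    return {"origin_ip": origin_ip(msg), "hops": received_chain(msg),
            "reply_to_mismatch": reply_to_mismatch(msg)}
```

`triage(RAW_EMAIL)` reports the oldest hop's IP (192.0.2.77) as the origin and flags that replies would leave the dexterslab.com domain.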
#### DKIM-Signature & DomainKey-Signature
Signatures for domain keys.

#### Message-ID
A unique string assigned by the mail system when the message is first created. Can be easily forged.

#### MIME-Version
Multipurpose Internet Mail Extensions is an internet standard that extends the format of email.

#### Content-Type
Tells you the format of the email message, e.g. HTML / plaintext.

#### X-Spam-Status
Displays a spam score created by your service or mail client.

#### X-Spam-Level
Displays a spam score, usually created by your service or mail client.

#### Message Body
The actual content of the email itself, written by the sender.

## Tracking Sender

The easiest way to find the original sender is to look at the **X-Originating-IP header**. This header tells you the IP address of the computer that sent the email. If this header cannot be found, you will have to sift through the **Received:** headers to find the sender's IP address. Once found, look it up on [arin.net](https://www.arin.net/).

## Types of phishing

Phishing is a form of social engineering where emails are sent to a target (or targets) purporting to be from a trusted entity, to lure individuals into providing sensitive information.

* smishing - via SMS
* vishing - via voice
* phishing - via email
* spearphishing - targeted at a specific individual
* whaling - targeted at a specific high-value target, e.g. the C-suite
* spam - unsolicited mail sent to bulk recipients

The modus operandi is usually the same when it comes to the purpose of the email:
* The sender's display name / email address will masquerade as a trusted identity (email spoofing).
* The email subject line and / or body (text) is written with **a sense of urgency** or uses certain keywords such as **invoice**, **suspended**, etc.
* The email body (HTML) is designed to match a trusted entity, e.g. Amazon.
* The email body (HTML) is poorly formatted or written (contrary to the previous point).
* The email body uses generic content, such as "Dear Sir / Madam".
* Hyperlinks often use URL shortening services to hide their true origin.
* A malicious attachment poses as a legitimate document.

In analysis, hyperlinks and IP addresses should be **defanged**.

### Defanging URLs

When sending the contents of an artifact within an email notification, any web and IP addresses are automatically “defanged” to prevent the user from inadvertently clicking a malicious link. The following occurs when URLs are defanged:

* “http” is replaced with “hxxp”
* “ftp” is replaced with “fxp”
* Brackets are added to domain names; for example, www.example.com is replaced with www[.]example[.]com
* Brackets are added to the IP address; for example, 8.8.8.8 is replaced with 8[.]8[.]8[.]8

## Business Email Compromise

Business Email Compromise is when an adversary gains control of an **internal employee's account** and then uses the compromised email account to **convince other internal employees** to **perform unauthorized or fraudulent actions**.
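The four defanging rules from the section above, implemented as an added example (not code from the original page), together with the reverse operation and a helper that pulls URLs and IPs out of a message body before sharing it. The sample body and the hostnames in it are constructed for the example.

```python
import re

# Constructed sample body (not a real phish) carrying the kinds of indicators the
# section above says to defang before sharing: an http URL, an ftp URL, a bare IP.
SAMPLE_BODY = (
    "Your account is suspended. Verify at http://login.dexterslab.com/verify?id=7 "
    "or download the invoice from ftp://files.example.net/inv.pdf. "
    "If that fails, connect to 8.8.8.8 directly."
)

URL_RE = re.compile(r"\b(?:https?|ftp)://\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def defang(indicator):
    """Apply the page's rules: http -> hxxp, ftp -> fxp, dots in hosts/IPs -> [.]."""
    out = re.sub(r"^http", "hxxp", indicator)  # https becomes hxxps the same way
    out = re.sub(r"^ftp", "fxp", out)
    # Bracket only the host part of a URL; the path keeps its dots.
    scheme, sep, rest = out.partition("://")
    if sep:
        host, slash, path = rest.partition("/")
        return scheme + sep + host.replace(".", "[.]") + slash + path
    return out.replace(".", "[.]")  # bare domain or IP address

def refang(indicator):
    """Inverse of defang, for when the analyst needs the live value back."""
    live = indicator.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", re.sub(r"^fxp", "ftp", live))

def extract_and_defang(text):
    """Find URLs and IPv4 addresses in free text and return them defanged, in order."""
    urls = [u.rstrip(".,;:)") for u in URL_RE.findall(text)]  # drop sentence punctuation
    return [defang(i) for i in urls + IPV4_RE.findall(text)]
```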