Try Hack Me | Phishing Emails in Action | Write up

Abdur Rehman Rehan
7 min read · Sep 22, 2023

Learn the different indicators of phishing attempts by examining actual phishing emails.

Room link

Task 1: Introduction

In this task, we move beyond the fundamentals covered in “Phishing Emails 1” and delve into real examples of phishing emails. Each email sample presented here illustrates various tactics employed to make these phishing emails appear genuine. The more convincing a phishing email looks, the greater the likelihood that the recipient may unknowingly engage in harmful actions, such as clicking on malicious links, downloading and executing harmful files, or falling for fraudulent schemes.

A word of caution: The email samples featured in this section contain information from actual spam and phishing emails. Therefore, it is strongly advised to exercise caution and refrain from interacting with any IP addresses, domains, attachments, or other elements found within these samples.

Questions

Questions 1: Read the above.

No answer needed.

Task 2: Cancel your PayPal order

This task covers email analysis. The analysis identifies several deceptive techniques employed in the sample:

1. Spoofed email address.
2. Use of URL shortening services.
3. HTML elements mimicking a legitimate brand.

Key observations of the email sample:

- The recipient address is unusual and not associated with the Yahoo account, which raises suspicion.
- The sender’s details (service@paypal.com) don’t match the sender’s email address (gibberish@sultanbogor.com).
- The subject line implies a purchase or transaction, aiming to prompt quick interaction.

The email body:

- Mimics a legitimate PayPal email, with no attachments except for a “Cancel the order” button/link.
- The HTML source of the email is suspicious.

Email hyperlinks:

- Links use URL shorteners, which can hide their true destination.
  - Upon investigation, the link surprisingly redirects to google.com, suggesting potential phishing or scam tactics.

Questions

Question No 1: What phrase does the gibberish sender email start with?

Hint: The answer is in the first picture in the task.

Answer: noreply

Task 3: Track your package

This email analysis focuses on identifying the following deceptive techniques:

1. Spoofed email address.
2. Use of pixel tracking.
3. Link manipulation.

Key observations:

- The email is designed to appear as if it’s sent from a mail distribution center.
- The subject line reinforces the deception with a ‘tracking number.’
- The link in the email body corresponds to the subject line.

Additional notes:

- Yahoo blocked image loading, possibly to prevent pixel tracking and link inspection.
- The email contains an image file named “Tracking.png” that acts as a tracking pixel, sending data back to the sender’s server.
- Spammers use tracking pixels for various purposes, including monitoring email opens and user interactions.
- The hyperlink points to a suspicious domain, potentially associated with malware, but further analysis is needed for confirmation.

Questions

Question No 1: What is the root domain for each URL? Defang the URL.

Hint: Remember to defang the URL.

Answer: devret[.]xyz

Task 4: Select your email provider to view document

This email analysis highlights several deceptive techniques:

  1. Urgency
  2. HTML to impersonate a legitimate brand
  3. Link manipulation
  4. Credential harvesting
  5. Poor grammar and typos

Key observations of the given mail:

- The urgency is introduced by the expiration of the download link on the same day.
- The email prompts the victim to take action by clicking a button to download the fax document.
- The victim is redirected to pages resembling OneDrive and Adobe, with misleading URLs.
- Grammatical errors are present in the email content.
- The victim’s credentials, whether real or fake, would be harvested by the attacker.

In summary, this email employs urgency, impersonation of legitimate brands, link manipulation, credential harvesting, and contains grammatical errors as part of a phishing attempt to deceive recipients and steal their email credentials.

Questions

Question No 1: This email sample used the names of a few major companies, their products, and logos such as OneDrive and Adobe. What other company name was used in this phishing email?

Hint: The question asks for a company name used in the email.

Answer: Citrix

Task 5: Please update your payment details

Questions

Question No 1: What should users do if they receive a suspicious email or text message claiming to be from Netflix?

Hint: Read the article at the link provided in the question's hint.

Answer: forward the message to phishing@netflix.com

Task 6: Your recent purchase

In this task, the email analysis highlights various techniques used in a suspicious email:

1. Spoofed email address: The sender pretends to be Apple Support but uses a fake email address, gibberish@sumpremed.com.
2. Recipient is BCCed: The email is sent using Blind Carbon Copy, making it look like it was directly addressed to the victim while hiding the actual recipients.
3. Urgency: The email creates a sense of urgency, pressuring the victim to take immediate action.
4. Poor grammar and typos: Typos are present in both sender and recipient email addresses, such as “donoreply” and “payament.”
5. Attachments: The email contains an attachment with a .DOT file extension, which is a Microsoft Word page layout template file.
6. Blank email body: There is no content in the email body; it only includes an attachment.

The attachment appears to mimic an App Store receipt and includes keywords related to Apple, such as “apps” and “iOS.”
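A small triage script, added here as an illustration and not part of the room or this write-up, that checks a constructed message for the indicators walked through in Tasks 2, 3 and 6: a display name that does not match the real sender domain, a hidden recipient, a shortened link, a remote tracking image, and a risky attachment extension. The sample message, the shortener list and the extension list are my own assumptions, and URLs are defanged the way the Task 3 answer expects.

```python
from email import message_from_string, policy
import re

# Constructed sample modelled on the write-up's observations, not one of the room's real
# emails: spoofed display name, hidden recipient, shortened link, tracking pixel, .dot file.
SAMPLE = """\
From: "service@paypal.com" <gibberish@sultanbogor.com>
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://bit.ly/abc123">Cancel the order</a></p>
<img src="https://devret.xyz/Tracking.png" width="1" height="1"></body></html>
--b1
Content-Type: application/msword; name="receipt.dot"
Content-Disposition: attachment; filename="receipt.dot"

--b1--
"""
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # assumed, not exhaustive
RISKY_EXT = {".dot", ".doc", ".docm", ".xls", ".xlsm", ".exe", ".js"}

def defang(url):
    # http -> hxxp and dots in the host -> [.] so the indicator is safe to paste in a report
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path

def triage(raw, recipient):
    # Return the phishing indicators found in one raw RFC 5322 message
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    # a display name that is itself an address, but on a different domain than the real sender
    if "@" in sender.display_name and sender.display_name.rsplit("@", 1)[1] != sender.domain:
        findings.append(f"spoofed sender: shows {sender.display_name}, real domain {sender.domain}")
    if recipient.lower() not in (str(msg["To"] or "") + str(msg["Cc"] or "")).lower():
        findings.append("recipient not in To/Cc: BCC or undisclosed recipients")
    html = msg.get_body(preferencelist=("html",)).get_content()
    for url in re.findall(r'href="([^"]+)"', html):
        host = url.partition("://")[2].split("/")[0].lower()
        findings.append(("url shortener: " if host in SHORTENERS else "link: ") + defang(url))
    for src in re.findall(r'<img[^>]+src="([^"]+)"', html):
        findings.append("remote image, possible tracking pixel: " + defang(src))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXT):
            findings.append("risky attachment: " + name)
    return findings
```

Running `triage(SAMPLE, "victim@yahoo.com")` returns one line per indicator, with every URL already defanged.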

Questions

Question No 1: What does BCC mean?

Hint: Read the passage

Answer: Blind Carbon Copy

Question No 2: What technique was used to persuade the victim to not ignore the email and act swiftly?

Answer: Urgency

Task 7: DHL Express Courier Shipping notice

This email analysis focuses on the following techniques:

  1. Spoofed email address
  2. HTML impersonation of a legitimate brand
  3. Attachments: The email includes an attachment, an Excel document.

Observations:

- The subject line creates the impression that DHL has a package to ship for the recipient.
  - Examining the email’s source code reveals that the link to view it as a web page lacks an actual destination URL.
  - The recipient can only interact with the email’s attachment, which runs a payload that generates an error.

Questions

Question No 1: What is the name of the executable that the Excel attachment attempts to run?

Hint: View the last screenshot.

Answer: regasms.exe

Task 8: Conclusion

This task summarizes what was covered in the previous tasks and provides additional resources for anyone who wants to study further.

Questions

Question No 1: Read the above.

No answer needed.
