Phishing Lab - PowerPoint PPT Presentation

About This Presentation
Title: Phishing Lab
Description: Phishing Lab - Southern Oregon University
Slides: 12
Provided by: souEdu
Learn more at: http://webpages.sou.edu

Transcript and Presenter's Notes

Title: Phishing Lab


1
Phishing Lab
2
Lab 9: Phishing
  • Step 1: Acquire Some Data
  • Open the Phishing_Evidence document. This is the
    original e-mail in its initial format as seen by
    a non-technical user, victim_at_students.sou.edu.
  • 1. Does this document look suspicious to you?
  • 2. If you were the recipient, would you follow
    the instructions in the e-mail and go to the
    website and provide your account details, such as
    your account number and PIN?
  • Open the Phishing_Evidence_Long_Headers document.
    This is the same e-mail saved by a technical
    user. The technical user found the options in the
    e-mail application that would allow her to view
    long headers and/or view raw source.

3
Determine Sender
  • The long headers option, which may be called
    something else in different e-mail applications,
    lets a user view the actual sender and the path
    that the e-mail took to arrive at the recipient.
    The raw source option lets the user view the
    actual text of the message, without any
    formatting.
  • Study the Phishing_Evidence_Long_Headers
    document to determine if you can tell the path
    that the e-mail message took. Here are some
    hints:
  • The final recipient is victim_at_students.sou.edu.
  • The last e-mail server that received this message
    was students.sou.edu.
  • The barracuda.sou.edu server sent this message to
    students.sou.edu.
  • Look for a line that includes "by
    barracuda.sou.edu" to determine which server sent
    the message to barracuda. The line will tell you
    from whom barracuda received the message.
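The header walk described on this slide, worked through in code. This is an added example, not part of the SOU lab materials: the raw header block is constructed for the example (the two SOU relay names come from the lab; every other hostname, the message ids, the dates and the IP addresses, which are taken from the RFC 5737 documentation ranges, are made up). It unfolds the header lines, reads the Received: chain from the top down, and reports which server handed the message to barracuda.sou.edu and from what IP address.

```python
import re

# Constructed sample header block. Only barracuda.sou.edu and students.sou.edu
# come from the lab; all other names, ids, dates and addresses are invented
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts).
SAMPLE_HEADERS = """\
Received: from barracuda.sou.edu (barracuda.sou.edu [198.51.100.10])
    by students.sou.edu (Postfix) with ESMTP id 4F2A1C9
    for <victim@students.sou.edu>; Tue, 14 Mar 2006 09:12:44 -0800
Received: from mail.example.net (HELO citibank-secure.example.net) ([203.0.113.45])
    by barracuda.sou.edu with ESMTP id abc123; Tue, 14 Mar 2006 09:12:40 -0800
Received: from localhost (localhost [127.0.0.1])
    by mail.example.net (Postfix) with SMTP id 77ABD; Tue, 14 Mar 2006 09:12:39 -0800
From: "Citibank" <security@citibank.example>
To: victim@students.sou.edu
Subject: Urgent: verify your account
"""


def unfold_headers(raw):
    """Join folded continuation lines (those starting with whitespace) back onto
    the header line they belong to, so each header is one string."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Return the Received: headers in the order they appear (most recent hop
    first) as dicts with the 'from' host, the 'by' host and the bracketed IP."""
    hops = []
    for line in unfold_headers(raw):
        name, _, value = line.partition(":")
        if name.strip().lower() != "received":
            continue
        frm = re.search(r"\bfrom\s+(\S+)", value)
        by = re.search(r"\bby\s+(\S+)", value)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
        hops.append({
            "from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "ip": ip.group(1) if ip else None,
        })
    return hops


def sender_to(hops, relay):
    """Find the hop written by `relay` and return (claimed host, IP) of the
    server that handed the message over. Only the lines written by servers you
    trust (here the two SOU relays) are reliable; anything further down the
    chain was written by the sender and can be forged."""
    for hop in hops:
        if hop["by"] and hop["by"].lower() == relay.lower():
            return hop["from"], hop["ip"]
    return None, None


if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADERS)
    for hop in hops:
        print(f"{hop['by']} received the message from {hop['from']} [{hop['ip']}]")
    host, ip = sender_to(hops, "barracuda.sou.edu")
    print(f"Handed to barracuda.sou.edu by {host} at {ip}")
```

The IP in the bracketed part of the trusted relay's Received: line is the one to carry into the WHOIS lookup in Step 2; the HELO name next to it is whatever the sending server chose to announce, which is why the sample shows a bank-like HELO name on a host that is nothing of the sort.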

4
Server IP Address
  • 3. What is the Internet Protocol (IP) address of
    the server that sent the e-mail message to
    barracuda.sou.edu?
  • The e-mail message (after the header) includes a
    URL. Compare the URL in the original
    (non-technical) version of the e-mail to the one
    in the technical version. The technical version
    will show the URL twice. Look for lines that
    start with https:// or http://.

5
Original vs. Technical
  • 4. What is the URL in the original version of the
    e-mail (the non-technical view)?
  • 5. What URLs do you see in the technical version
    of the e-mail?

6
Step 2: Analyze the E-Mail Header
  • Now it's time to figure out the true identity
    of the server that sent the message to the
    barracuda server. In most investigations, the
    first step is to look up the server's IP address
    at the American Registry for Internet Numbers
    (ARIN). Go to the following website and look up
    the address that you wrote down in Question 3.
  • http://www.arin.net/whois/
  • 6. What does ARIN tell you about this address?
  • If ARIN tells you that the address is registered
    by a non-American registry, such as the Asia
    Pacific Network Information Center (APNIC) or the
    Réseaux IP Européens (RIPE), go to the URL for the
    Whois database of that registry. (The ARIN page
    you went to should have a link to that registry's
    Whois database.)

7
IP Address Owner
  • 7. What company owns the IP address that you
    looked up?
  • 8. What country is that company in?
  • Remember that the recipient of this message was
    an SOU student (victim_at_students.sou.edu). Assume
    that the victim lives near Ashland, OR and has
    never opened a bank account outside the Western
    United States.

8
  • 9. If this student were to receive a legitimate
    message from Citibank, where do you think it
    would come from? Go to www.citibank.com and
    determine the location of some reasonably close
    Citibank offices or ATMs and jot down some
    possible locations.
  • 10. Does it seem suspicious that
    victim_at_students.sou.edu received a message from
    Citibank from the location that you discovered in
    Question 8?

9
Step 3: Analyze the URL
  • In the Phishing_Evidence_Long_Headers document,
    find the URL that looks like this:
  • href="http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%69%74/%69%6E%64%65%78%2E%68%74%6D"
  • The numbers that follow each percent sign are
    hexadecimal (Base 16) codes for alphabetic
    letters and numbers. They are encoded using a
    system called the American Standard Code for
    Information Interchange (ASCII). Find an ASCII
    table on the Internet or Slide ??? and convert
    the hex numbers to characters to determine what
    the URL really says.
  • 11. What is the alphabetic representation of the
    URL?
  • The URL includes an IP address and a port number.
    For example, the URL might be something like
    http://66.241.68.28:80/index.htm. The
    66.241.68.28 is an IP address. The 80 is a port
    number. Use the techniques you used in the
    previous section to determine who owns the IP
    address in the URL that you decoded in Question
    11.

10
IP Address/Port Owner
  • 12. What company or organization owns the IP
    address in the URL that you decoded in Question
    11?
  • Port 80 is usually used for web browsing. The
    port number in the URL in our case isn't 80,
    however.
  • 13. What is the port number in the URL that you
    decoded?
  • The Internet Assigned Numbers Authority (IANA)
    maintains a list of port numbers and what they
    are used for. If you go to the
    http://www.iana.org/assignments/port-numbers
    website, you can determine the meaning of the
    port number you decoded.
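The decoding asked for in Step 3 and the port check on this slide, together in code. This is an added example and not part of the SOU lab: it does not decode the lab's evidence URL (that is Question 11). Instead the first sample is the slide's own illustration, http://66.241.68.28:80/index.htm, percent-encoded the same way the phishing link is; the second sample is constructed with a documentation address (RFC 5737) and a made-up non-web port. The decoder replaces each %XX with the character whose ASCII code is XX, then the URL is split into host and port and checked for the two signs the lab asks about: a bare IP address instead of a hostname, and a port other than the usual web ports.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed samples. The first is the slide's example URL, hex-encoded the way
# the lab's phishing link is; the second is invented (203.0.113.7 is from the
# RFC 5737 documentation range, port 8087 is an arbitrary non-web port).
ENCODED_EXAMPLES = [
    "http://%36%36%2E%32%34%31%2E%36%38%2E%32%38:%38%30/%69%6E%64%65%78%2E%68%74%6D",
    "http://%32%30%33%2E%30%2E%31%31%33%2E%37:%38%30%38%37/%6C%6F%67%69%6E/%69%6E%64%65%78%2E%68%74%6D",
]


def decode_percent_hex(url):
    """Replace every %XX (two hex digits) with the ASCII character whose code is
    XX. Anything that is not a valid %XX pair is copied through unchanged."""
    out = []
    i = 0
    while i < len(url):
        pair = url[i + 1:i + 3]
        if url[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
            out.append(chr(int(pair, 16)))
            i += 3
        else:
            out.append(url[i])
            i += 1
    return "".join(out)


def analyze_url(url):
    """Decode the URL, pull out host and port, and list the signs the lab
    points to: hex-encoding that hides the destination, a raw IP address as
    the host, and a port that is not 80 or 443."""
    decoded = decode_percent_hex(url)
    parts = urlsplit(decoded)
    host = parts.hostname or ""
    port = parts.port
    if port is None:  # no explicit port: the browser uses the scheme's default
        port = 443 if parts.scheme == "https" else 80
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False

    findings = []
    if decoded != url:
        findings.append("host and path were hex-encoded to disguise the destination")
    if host_is_ip:
        findings.append(f"destination is a bare IP address ({host}), not a bank's hostname")
    if port not in (80, 443):
        findings.append(f"non-standard web port {port}; look it up in the IANA port list")
    return {
        "decoded": decoded,
        "host": host,
        "port": port,
        "host_is_ip": host_is_ip,
        "findings": findings,
    }


if __name__ == "__main__":
    for encoded in ENCODED_EXAMPLES:
        result = analyze_url(encoded)
        print(f"{encoded}\n  -> {result['decoded']}")
        print(f"  host={result['host']} port={result['port']}")
        for finding in result["findings"]:
            print(f"  ! {finding}")
```

With the host and port separated, the host goes into the same ARIN/APNIC/RIPE lookup used in Step 2 (Question 12) and the port into the IANA list (Questions 13 and 14). The decoder is written out by hand because that is the exercise; urllib.parse.unquote does the same job in one call.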

11
Conclusions
  • 14. What is that port number used for?
  • 15. Does that port number seem suspicious to you?
  • 16. How will you deal with suspicious e-mails in
    the future?