وحدة 7
Active Investigation - Analyze malicious webpages
آخر تحديث في: 23 أغسطس 2024
تعديل هذه الصفحة على GitHubوحدة 7
آخر تحديث في: 23 أغسطس 2024
تعديل هذه الصفحة على GitHubPhishing emails are usually just the first step in an attack. Most try to get the targeted person to visit a web page with a specific attack objective. This skill module will teach you to look at attacker-controlled websites to understand their actions and potentially uncover further attacker-controlled infrastructure or attack vectors used in the attacks. Note that websites can be extremely complicated, with behavior ranging from simple credential-stealing impersonation pages to complex attacks against the web browser or browsing device itself.
Note that interacting with malicious websites can put the analyst themself at risk. Make sure to set up and use an isolated environment (see Subtopic 3), and to collect and safely store all web pages. Lastly, this skill intersects with and leads into the Malware Analysis learning path.
After completing this subtopic, practitioners should be able to do the following:
This will be significantly easier to practice if you know the basics of JavaScript and HTML, though those are not strictly necessary prerequisites.
It’s worth highlighting some basic differences between an email and a web page:
Because of this, we recommend only analyzing web pages in a safe environment specifically designed for opening potentially suspicious files, such as a virtual machine or a sandbox. In addition, discuss the threat model specific to the recipient of the email to ensure it is safe for them for you to conduct further analysis activity which could be visible to the attacker.
Read through two case studies which analyze phishing attacks that targeted civil society groups. Both of those attacks were partially successful:
Focusing on the HRW case study above, note some key features of analysis used in each investigation. Some of these require technical skills to complete, while others require research, critical thinking, and interpersonal skills. Some of the methods identified in the case study include:
The first step when you are ready to inspect a website linked to from a phishing message may be to safely look at the website. This entails some degree of interaction with the website. For direct handling of a potentially malicious website, you should have implemented precautions to give yourself a safe working environment, as covered in Subtopic 3. However you can also use online tools to inspect a website in a safe remote sandbox:
🧰 Tools such as UrlScan allow the performance of a scan of an URL. Note some of the key features needed to interpret the results:
🧰 Hybrid Analysis is a hosted sandbox which can load a web page within a test environment and match website behavior against various heuristics of malicious activity and checking internal indicators against known threats. Note some of the key features and the skills needed to interpret the results:
VirusTotal can also check an URL for malicious content using . Note that Hybrid Analysis includes VirusTotal lookups and considers a broader range of issues in determining its rating.
Note that a sophisticated web application could detect that a request comes from the IP ranges of these tools and serve different data or no data to the request, while delivering malicious content to other IPs.
One of the easiest ways in which we could analyze a website is by using our web browser’s built-in inspection tool, which usually breaks the website down into different sub-parts, can sometimes illustrate what code the website requests from which server, and allows us to modify the site’s code and see how this changes the layout and functionality.
As in the Human Rights Watch report linked above, using programmatic approaches to brute forcing URLs is a commonly used technique during OSINT. Several tools and approaches can be learned:
Most attacks you will encounter will use a pre-made or modified phishing kit, a collection of code and templates that allow attackers to easily build a convincing phishing website. Some phishing kits have tell-tale signs; many of them, for example, use certain mechanisms to avoid being detected and indexed by search engines. They might even refuse to load from the IP addresses of search engines or security companies.
Some phishing kits also have the ability to bypass multi-factor authentication, for example by capturing a code that a targeted person typed in and immediately using it to log on to the real web page on their behalf. This article is a great write-up on how an open source phishing kit used by security teams who test out security mechanisms can capture and use two-factor authentication data (and what could be done to prevent this). You can also check out another writeup of a phishing kit (this kit was written by cybercriminals rather than security researchers), which used some MFA bypass and fascinating techniques to frustrate detection.
Complete this room by TryHackMe: Walking An Application
Iran: State-Backed Hacking of Activists, Journalists, Politicians
FreeA good write-up and analysis of a highly sophisticated phishing campaign which targeted civil society groups. Includes extensive discussions on infrastructure and attribution.
Guccifer Rising? Months-Long Phishing Campaign on ProtonMail Targets Dozens of Russia-Focused Journalists and NGOs
FreeA write-up of an earlier phishing campaign which specifically targeted civil groups working on Russia. The attack itself included an MFA bypass.
UrlScan
Free, with additional premium featuresA tool where you input a URL and which analyzes the resulting website, looking out for malware or other suspicious behavior.
Hybrid Analysis
FreeA tool which can scan files and links for malicious content or behavior. In contrast to UrlScan, it can also open up malware samples or executable files.
Learn JavaScript
FreeIn addition to HTML, most web pages use JavaScript. Although you don’t need to be an expert, learning some JavaScript is important to understand what websites are doing.
How to use Inspect Element in Chrome, Safari, and Firefox
FreeEvery major web browser now contains an inspect element feature, which allows you to carefully study and modify the code components which make up a web page. This article provides a brief overview of that feature and shows how to activate it on major browsers.
Example analyses of malicious websites, resource 1
FreeA good guide on how to do some initial analysis and triage on a website to figure out whether it is malicious and has been labeled by others as such.
Example analyses of malicious websites, resource 2
FreeAnother good guide on how to do some initial analysis and triage on a website to figure out whether it is malicious and has been labeled by others as such.
Classification of Web Phishing Kits for early detection by platform providers
FreeAn academic paper which looks at phishing kits, what mechanisms some of them use, and how we can use tools such as machine learning to detect them.
Protecting Phishing Pages via .htaccess
FreeThere are many ways in which phishing pages can try to avoid detection. One of them is to use .htaccess, a file containing instructions for web servers, to include or exclude specific IP ranges.
StalkPhish
FreeA tool designed to automate the discovery and identification of phishing kits.
Bypassing MFA: A Forensic Look At Evilginx2 Phishing Kit
FreeThis article looks at a phishing kit which has found a way to bypass some forms of MFA and provides a basic analysis of how it does that and what mitigations we could take.
W3LL phishing kit hijacks thousands of Microsoft 365 accounts, bypasses MFA
FreeThis piece analyzes a phishing kit designed and sold by cybercriminals, which contains multiple mechanisms which frustrate analysis and also uses MFA bypass techniques.
تهانينا على انتهاء وحدة 7!
وسم المربع لتأكيد اكتمالك والمتابعة إلى الوحدة التالية.
يوسم الوحدة الحالية كمكتملة ويحفظ التقدم للمستخدم.
لقد أكملت جميع الوحدات في مسار التعلم هذا.