Phishing Lab
Lab 9: Phishing
Step 1: Acquire Some Data
• Open the Phishing_Evidence document. This is the original e-mail in its initial format as seen by a non-technical user, victim@students.sou.edu.
• 1. Does this document look suspicious to you?
• 2. If you were the recipient, would you follow the instructions in the e-mail and go to the website and provide your account details, such as your account number and PIN?
• Open the Phishing_Evidence_Long_Headers document. This is the same e-mail saved by a technical user. The technical user found the options in the e-mail application that would allow her to “view long headers” and/or “view raw source.”
Determine Sender
• The long headers option, which may be called something else in different e-mail applications, lets a user view the actual sender and the path that the e-mail took to arrive at the recipient. The raw source option lets the user view the actual text of the message, without any formatting.
• Study the Phishing_Evidence_Long_Headers document to determine if you can tell the path that the e-mail message took. Here are some hints:
• The final recipient is victim@students.sou.edu.
• The last e-mail server that received this message was students.sou.edu.
• The barracuda.sou.edu server sent this message to students.sou.edu.
• Look for a line that includes “by barracuda.sou.edu” to determine which server sent the message to barracuda. The line will tell you from whom barracuda received the message.
Server IP Address
• 3. What is the Internet Protocol (IP) address of the server that sent the e-mail message to barracuda.sou.edu?
• The e-mail message (after the header) includes a URL. Compare the URL in the original (non-technical) version of the e-mail to the one in the technical version. The technical version will show the URL twice. Look for lines that start with https:// or http://.
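The "by barracuda.sou.edu" hint above is a manual walk through the Received: chain. The following added example (not part of the lab materials) does the same walk programmatically on a constructed header block: it unfolds the continuation lines, pulls the "from ... by ..." pair and the bracketed IP out of each hop, and reports the IP that a named server recorded for the host that handed it the message, which is what Question 3 asks for. The hostnames follow the lab; the IP addresses are assumed documentation values, not the ones in the real evidence file.

```python
import re

# Constructed sample for this example: hostnames follow the lab, the IP
# addresses are RFC 5737 documentation ranges, not the real evidence values.
SAMPLE_HEADERS = """\
Received: from barracuda.sou.edu (barracuda.sou.edu [192.0.2.10])
    by students.sou.edu (Postfix) with ESMTP id 7A1B2C
    for <victim@students.sou.edu>; Tue, 13 Mar 2007 08:15:02 -0700
Received: from mail.example.net (unknown [198.51.100.23])
    by barracuda.sou.edu (Spam Firewall) with SMTP id 5D6E7F
    for <victim@students.sou.edu>; Tue, 13 Mar 2007 08:14:58 -0700
"""

_RECEIVED = re.compile(
    r"from\s+(?P<from>\S+)"            # name the sending side announced
    r"(?:\s+\((?P<comment>[^)]*)\))?"  # optional comment holding the real [ip]
    r"\s+by\s+(?P<by>\S+)",            # server that accepted this hop
    re.IGNORECASE,
)
_IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def unfold_headers(raw):
    """Join continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_chain(raw):
    """Each Received: hop as {'from', 'ip', 'by'}, topmost (last hop) first."""
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m = _RECEIVED.search(line)
        if m:
            ip = _IPV4.search(m.group("comment") or "")
            hops.append({"from": m.group("from"), "by": m.group("by"),
                         "ip": ip.group(1) if ip else None})
    return hops

def sender_ip_to(raw, server):
    """IP that `server` recorded for the host which handed it the message."""
    for hop in received_chain(raw):
        if hop["by"].lower() == server.lower():
            return hop["ip"]
    return None
```

Only the IP inside the square brackets is recorded by the receiving server itself; the name after "from" is whatever the sender announced and can be anything.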
Original vs. Technical
• 4. What is the URL in the original version of the e-mail (the non-technical view)?
• 5. What URLs do you see in the technical version of the e-mail?
Step 2: Analyze the E-Mail Header
Now it’s time to figure out the true identity of the server that sent the message to the barracuda server. In most investigations, the first step is to look up the server’s IP address at the American Registry for Internet Numbers (ARIN). Go to the following website and look up the address that you wrote down in Question 3.
• http://www.arin.net/whois/
• 6. What does ARIN tell you about this address?
• If ARIN tells you that the address is registered by a non-American registry, such as the Asia Pacific Network Information Center (APNIC) or the Réseaux IP Européens (RIPE), go to the URL for the Whois database of that registry. (The ARIN page you went to should have a link to that registry’s Whois database.)
IP Address Owner
• 7. What company owns the IP address that you looked up?
• 8. What country is that company in?
• Remember that the recipient of this message was an SOU student (victim@students.sou.edu). Assume that the victim lives near Ashland, OR and has never opened a bank account outside the Western United States.
• 9. If this student were to receive a legitimate message from Citibank, where do you think it would come from? Go to www.citibank.com and determine the location of some reasonably close Citibank offices or ATMs and jot down some possible locations:
• 10. Does it seem suspicious that victim@students.sou.edu received a message from Citibank from the location that you discovered in Question 8?
Step 3: Analyze the URL
• In the Phishing_Evidence_Long_Headers document, find the URL that looks like this:
• href="http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%69%74/%69%6E%64%65%78%2E%68%74%6D"
• The numbers that follow the percent sign are hexadecimal (Base 16) codes for alphabetic letters and numbers. They are encoded using a system called the American Standard Code for Information Interchange (ASCII). Find an ASCII table on the Internet or Slide #??? and convert the hex numbers to characters and determine what the URL really states.
• 11. What is the alphabetic representation of the URL?
• The URL includes an IP address and a port number. For example, the URL might be something like: http://66.241.68.28:80/index.htm. The 66.241.68.28 is an IP address. The 80 is a port number. Use the techniques you used in the previous section to determine who owns the IP address in the URL that you decoded in Question 11.
IP Address/Port Owner
• 12. What company or organization owns the IP address in the URL that you decoded in Question 11?
• Port 80 is usually used for web browsing. The port number in the URL in our case isn’t 80, however.
• 13. What is the port number in the URL that you decoded?
• The Internet Assigned Numbers Authority (IANA) maintains a list of port numbers and what they are used for. If you go to the http://www.iana.org/assignments/port-numbers website, you can determine the meaning of the port number you decoded.
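The hand conversion in Step 3 (hex ASCII codes back to characters, then reading off the IP address and port) can be checked with the following added example, which is not part of the lab materials. It decodes the href quoted above, splits it into host, port and path, and flags the three traits this lab treats as warning signs: percent-escaped characters in the address, a bare IP address where a bank's domain name would be expected, and a port other than the default for the scheme. The indicator names are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The obfuscated href quoted in Step 3 of the lab.
ENCODED_URL = ("http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37"
               "/%63%69%74/%69%6E%64%65%78%2E%68%74%6D")

_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_percent(url):
    """Replace each %XX escape with the character whose ASCII code is XX,
    the same conversion the lab has you do by hand from an ASCII table."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), url)

def analyze_url(url):
    """Decode the URL and flag the traits this lab treats as warning signs."""
    decoded = decode_percent(url)
    parts = urlsplit(decoded)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)        # bare IP instead of a domain name
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    port = parts.port if parts.port is not None else default_port
    return {
        "decoded": decoded,
        "host": host,
        "port": port,
        "path": parts.path,
        "indicators": {
            "percent_escapes_present": decoded != url,
            "raw_ip_instead_of_domain": host_is_ip,
            "non_default_port": port != default_port,
        },
    }

if __name__ == "__main__":
    for key, value in analyze_url(ENCODED_URL).items():
        print(f"{key}: {value}")
```

Feed the decoded host to the Whois lookup from Step 2 and the port to the IANA list to finish Questions 12 through 14.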
Conclusions
• 14. What is that port number used for?
• 15. Does that port number seem suspicious to you?
• 16. How will you deal with suspicious e-mails in the future?