Hey guys, it’s me Dheeraj Yadav, and in today’s blog we will learn about the techniques used for analyzing an email and verifying whether it is legitimate or not.
This blog is useful for everyone, from a normal internet user to the CISO of an M.N.C. It is designed so that there would be no way for you to get any false positives.
What is Phishing?
Phishing is a type of online scam in which hackers send fake emails pretending to be from a legitimate company or individual in order to steal sensitive information such as login credentials, financial information, or personal data. These emails often contain links to malicious websites or attachments that, when clicked or downloaded, can infect the recipient’s computer with malware.
Phishing attacks have become increasingly sophisticated over the years, and hackers are constantly finding new ways to trick people into falling for their scams. In 2019, phishing attacks resulted in more than $12 billion in losses worldwide. It is crucial for individuals and organizations to be able to identify and analyze phishing emails in order to protect themselves from these attacks.
In this blog we will only be targeting email phishing, but some of the techniques can also be applied when analyzing other kinds of phishing attacks.
To learn about other types of phishing attacks, refer to Different Types of Phishing Attacks.
How to identify phishing emails?
First, go through the traditional ways of identifying phishing emails, which are as follows:
- Look for unusual or suspicious sender names or email addresses. Hackers often use fake names or variations of real names to make the email appear legitimate. They may also use domains that are similar to, but not exactly the same as, the real company’s domain. For example, if you receive an email from a supposed colleague at your company, but the email address is slightly different from their usual address, it could be a phishing attempt.
- Check the email for spelling and grammar mistakes. Legitimate companies usually have a team of professionals who carefully proofread all of their communications. If the email contains numerous errors, it is likely to be a phishing attempt.
- Be wary of emails that contain urgent or threatening language. Phishing emails often try to scare the recipient into taking immediate action, such as clicking a link or downloading an attachment. They may use language such as “Your account will be suspended if you do not take action immediately,” or “You will be in legal trouble if you do not respond.” These types of emails should be treated with caution.
- Inspect links carefully before clicking on them. If you hover your mouse over a link, your email client should display the true destination of the link, usually in the bottom left corner of your screen. If the destination does not match the text of the link, or if it seems suspicious, do not click on it.
- Be cautious of emails that ask for personal information. Legitimate companies will not ask for sensitive information such as login credentials or financial information via email. If you receive an email asking for this type of information, it is likely to be a phishing attempt.
By being aware of these signs and using caution when opening emails and clicking links, you can protect yourself from phishing attacks. It is also a good idea to use antivirus software and to be careful about the websites you visit and the attachments you open.
Now, let me tell you the techniques I personally use, which have given me 100% successful results to date.
Verifying the Sender -
First of all, check the sender for spoofing. Look closely at the sender’s email address, try to open the domain that sent the email, and perform a whois lookup on the domain of the sender’s address. Once you are satisfied that the sender’s address is the one it should be, check it for spoofing, as it is possible that someone has sent the email with a spoofed sender. To check this, open the raw data of that particular mail or download the email in .eml format, copy the IP address mentioned in the email header named Received (or Received by), and perform a reverse IP lookup using any tool such as https://mxtoolbox.com/ReverseLookup.aspx
If the details in the results match the sender’s mail domain, it is not a spoofed mail; otherwise it is a simple spoofed email.
Also, pay close attention to the Reply-To header of that email. Sometimes it is different from the sender’s address, and that is also a sign of a phishing attack, but sometimes it is different for legitimate reasons, so think wisely.
These are some ways you can check that it is not a spoofed email.
But what if it was sent from an email ID that has been hacked?
To be safe from this, search for the sender’s email on websites like https://breachdirectory.org/ , https://haveibeenpwned.com/ , etc.
Pay attention to all the links mentioned in that email (including those hidden behind an href), and perform a whois lookup on each of them to check that they are not redirecting you to a malicious website.
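The header and link checks described above, as an added example that is not part of the original post: it parses a constructed .eml with Python’s standard email module, compares the Reply-To domain with the From domain, pulls the originating IP out of the last Received header and checks its reverse DNS against the sender’s domain (the reverse lookup is a constructed stand-in table, since the real lookup would hit mxtoolbox or DNS), and flags links whose visible URL differs from their real href.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample .eml (not a real message) showing the three signals:
# a Reply-To on another domain, an origin IP whose reverse DNS is not the
# sender's domain, and a link whose visible text differs from its href.
SAMPLE_EML = b"""Received: from mail.example.com ([203.0.113.10]) by mx.example.org
Received: from unknown ([198.51.100.7]) by mail.example.com
From: Accounts <billing@example.com>
Reply-To: support@exarnple-help.net
Subject: Urgent: your account will be suspended
Content-Type: text/html

<html><body><a href="http://198.51.100.99/login">https://example.com/login</a></body></html>
"""

# Constructed stand-in for the reverse IP lookup; in practice use
# socket.gethostbyaddr() or a lookup service instead of this table.
FAKE_RDNS = {"203.0.113.10": "mail.example.com",
             "198.51.100.7": "vps-198-51-100-7.hostingco.example"}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(header_value):
    """Domain part of a 'Name <user@domain>' header value, lower-cased."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def origin_ip(msg):
    """Each hop prepends a Received header, so the last one is the origin."""
    ips = [ip for h in msg.get_all("Received", []) for ip in RECEIVED_IP.findall(h)]
    return ips[-1] if ips else None

def mismatched_links(html):
    """(shown_text, href) pairs where the visible URL is not the real target."""
    return [(t.strip(), h) for h, t in ANCHOR.findall(html)
            if t.strip().startswith(("http", "www.")) and t.strip() != h]

def analyze(raw, rdns=FAKE_RDNS):
    """Return the list of phishing signals found in a raw .eml byte string."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = domain_of(msg["From"])
    findings = []
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != sender:
        findings.append("reply-to-domain-differs")
    host = rdns.get(origin_ip(msg), "")
    if not (host == sender or host.endswith("." + sender)):
        findings.append("origin-rdns-not-sender-domain")
    body = msg.get_body(preferencelist=("html",))
    if body and mismatched_links(body.get_content()):
        findings.append("link-text-differs-from-href")
    return findings
```

A Reply-To mismatch alone is only a hint, as the post says; treat it together with the origin and link findings.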
URL / IP Reputation check >>
⌘ https://lnkd.in/gNqxtn4d
⌘ https://urlscan.io/
⌘ https://lnkd.in/g7uWdC5q
⌘ https://www.abuseipdb.com/
File Analysis - The email may have files attached, and those can also be malicious. So, before opening any of those files directly, first scan them for viruses by uploading them to a website like virustotal.com or the following sites -
⌘ File Hash check >> https://lnkd.in/gNqxtn4d
⌘ online sandboxing >> https://any.run/
⌘ online sandboxing >> https://lnkd.in/gaRGY8kB
These are the basic techniques you must follow while analyzing any email.
Now, here comes the best tool, an all-in-one phishing analysis tool: https://www.phishtool.com/
Anything else?
Yes. To make this process easier, we are developing an all-in-one email phishing analysis tool that will perform all the above techniques automatically and also apply some intelligence. We are still implementing it.
Follow me on Twitter, as we will inform everyone there once it is launched:
https://twitter.com/dheerajydv19/
This is the end of this blog. Please let me know if I missed anything, or suggest improvements in the comments.
Thanks all for reading this write-up; follow me for more content like this in the future.
You can follow me to read my write-ups on ethical hacking and cybersecurity, a few topics on technology, and the tips and tricks I use to save time and get better results.