WEBVTT

00:00.310 --> 00:02.930
We're going to be going over an email investigation.

00:02.930 --> 00:09.880
And for this we're taking a look at a real spam email, or actually a scam email.

00:09.890 --> 00:11.450
So let's take a look.

00:12.020 --> 00:15.410
So this is a pretty common one I've been getting lately.

00:15.530 --> 00:17.300
Supposedly it's from Costco.

00:17.330 --> 00:19.400
It says "Reclaim your gift card."

00:19.430 --> 00:23.370
So the attack vector of this is, well, greed.

00:23.390 --> 00:29.270
So supposedly I have a gift card waiting for me from Costco.

00:29.420 --> 00:34.700
I click on it, I get my savings, I get my gift card that I never signed up for.

00:34.700 --> 00:38.450
And actually, I never gave Costco my email for this.

00:38.450 --> 00:39.950
So that's kind of interesting.

00:39.950 --> 00:40.820
I got that.

00:41.150 --> 00:42.620
But anyways.

00:43.670 --> 00:47.170
The idea is the scammers are sending these out.

00:47.180 --> 00:50.150
I click on it and it could do a number of things.

00:50.300 --> 00:53.090
It could install a virus on my computer.

00:53.100 --> 00:56.210
It could steal my user account information.

00:56.630 --> 00:59.090
It could do a remote Trojan on my computer.

00:59.090 --> 01:06.080
It could simply send me to a website where, since I go to it, they get the click count for it and

01:06.080 --> 01:07.490
potentially make money off it.

01:07.490 --> 01:10.970
But that way there's a number of attack vectors for this.

01:10.970 --> 01:14.660
So let's break this down in terms of investigating this.

01:16.940 --> 01:23.600
So again, I know this is a scam email for a couple of reasons right off the bat.

01:23.630 --> 01:26.810
One, again, I do have a Costco membership.

01:26.810 --> 01:29.150
However, they do not have my email address.

01:29.150 --> 01:33.380
So getting the email from them is highly suspect.

01:33.740 --> 01:40.100
And of course, if we're taking a look at whether it is a legitimate email or not, if we're not sure,

01:40.910 --> 01:44.880
we take a look at, well, who sent it.

01:44.910 --> 01:49.710
We also want to check where the link goes, and we can do that with a link hover: we take our mouse.

01:49.710 --> 01:53.520
If we're on a computer, we hover over the link and it'll give us a URL.

01:53.520 --> 01:56.910
So this is supposedly going to Costco.

01:56.940 --> 02:06.030
However, the actual email, or actual URL rather, is going to this holla myex.com, blah blah blah.

02:06.240 --> 02:08.490
So not Costco.com.

02:08.490 --> 02:10.560
So that's a big red flag right there.

02:12.220 --> 02:16.810
Matter of fact, if it actually takes you to multiple places.

02:16.810 --> 02:23.590
So on my phone, I have an iPhone, if you kind of hold down on the link and kind of push down,

02:23.990 --> 02:25.360
you have to be real careful about this.

02:25.360 --> 02:26.800
You could do a preview link.

02:26.800 --> 02:29.440
And on that preview link, I saw it.

02:29.660 --> 02:32.500
It wanted to take me to good news now for you.

02:32.500 --> 02:36.070
So a Russian site, again, not Costco.

02:38.350 --> 02:43.300
So other things we could do is take a look at the email header, and if you're investigating

02:43.300 --> 02:44.980
it, that's one of the first things you want to do.

02:44.980 --> 02:50.770
Take a look at the sender, hover over the link and do show original email.

02:50.770 --> 02:55.720
And let's take a look at the actual full email header in here.

02:55.720 --> 02:58.990
We could potentially find some interesting information.

02:59.170 --> 03:01.900
Again, we can find who actually sent the email.

03:01.930 --> 03:06.070
We might potentially be able to go back and find.

03:06.830 --> 03:10.340
Trace back where this email is coming from, et cetera.

03:11.540 --> 03:13.190
Not very likely.

03:13.190 --> 03:18.050
If they're using things like, say, Gmail, Yahoo!

03:18.320 --> 03:25.430
Outlook, et cetera, because those free email servers generally do a pretty good job of user privacy,

03:25.430 --> 03:28.820
which is of course great for user privacy.

03:29.270 --> 03:35.420
However, bad if we're actually doing OSINT or tracking down where the original email came from.

03:37.160 --> 03:44.330
So another thing we're going to take a look at, again: we take a look at who sent this. Is it from Costco.com?

03:44.330 --> 03:45.910
Well, in this case, no.

03:45.920 --> 03:49.640
We see from down here it looks like it came from Costco.com.

03:49.640 --> 03:51.740
We have the sent field here.

03:52.130 --> 03:54.980
However, the real mail link is right here.

03:54.980 --> 04:04.220
This 4577355 support at Significo za. Now, .za is South Africa.

04:04.220 --> 04:04.910
Nigeria.

04:04.910 --> 04:05.390
Et cetera.

04:05.390 --> 04:06.680
Around that area.

04:07.640 --> 04:09.800
So again, obviously not Costco.

04:09.800 --> 04:11.930
It's a spoofed email address.

04:14.810 --> 04:20.270
So taking that email address, we can put it into our data breach sites, things like Have I Been Pwned.

04:20.270 --> 04:27.050
If we have our own personal data breach site like, say, the COMB data breach, combination of many breaches,

04:27.080 --> 04:33.090
or we could put in things like hash or any number of other data breaches and see if that came up.

04:33.110 --> 04:39.050
Now, chances are, with a lot of these scams, you're not going to see any leaked credentials from those

04:39.050 --> 04:41.750
because they're going to be pretty one-off systems.

04:41.750 --> 04:46.340
They're going to run this thing for a day, maybe a couple of days, and then kill it.

04:46.370 --> 04:47.510
They're not going to use it again.

04:47.510 --> 04:51.140
So there's generally not a lot of chance that you're going to see a data breach of this.

04:51.140 --> 04:52.750
But you might get lucky.

04:52.760 --> 04:58.160
Maybe someone's gotten sloppy and started reusing the email over and over, and they use it for other stuff

04:58.160 --> 05:00.950
other than trying to scam people.

05:03.170 --> 05:08.230
We could also take that email and we can put it in something like Maltego.

05:08.240 --> 05:14.930
So we put it in Maltego, we pull up the email address, put it in there, and then we run a scan.

05:15.170 --> 05:24.320
So from here, with the particular plugins I have for Maltego, it does have a Have I Been Pwned search.

05:24.860 --> 05:27.860
We can see it's the Significo.

05:28.040 --> 05:29.480
ZA. It kind of splinters off.

05:29.490 --> 05:33.770
We can see the servers and potentially be able to track down the source from there.

05:36.520 --> 05:45.140
Now taking the links that we found on that particular email, we could do domain registry lookups.

05:45.160 --> 05:48.950
Things like DomainTools, WHOIS records and whatnot.

05:48.970 --> 05:54.250
Put it in there and we can start taking a look at information of, well, it wants me to go to these

05:54.250 --> 05:54.760
websites.

05:54.760 --> 05:55.990
What are these websites?

05:55.990 --> 05:59.680
Well, putting this particular one in this good news.

05:59.680 --> 06:01.870
Now, what are you doing?

06:01.870 --> 06:03.220
A reverse search.

06:03.220 --> 06:04.810
We could see various information.

06:04.810 --> 06:09.490
We could see when it was created, March 25th, 2021.

06:09.490 --> 06:10.660
It expires in a year.

06:10.660 --> 06:13.690
So we see that it was only registered for a year.

06:13.690 --> 06:16.690
So they weren't planning on using this for very long.

06:17.490 --> 06:22.890
They probably picked a domain pretty cheap, registered for a year because that's the minimum you

06:22.890 --> 06:26.220
could do anyways and try to start scamming people that way.

06:27.070 --> 06:28.690
We can see the IP address.

06:28.690 --> 06:30.700
We could see the IP location.

06:31.580 --> 06:35.660
We could see the name servers; we could see it's going through Cloudflare.

06:35.690 --> 06:41.900
So they are spending some money here and we may potentially be able to find things like phone numbers

06:41.900 --> 06:43.940
and names and addresses, et cetera.

06:43.970 --> 06:45.350
Doing a domain search.

06:46.250 --> 06:48.380
And if we do a WHOIS search,

06:49.390 --> 06:55.960
We could actually find the abuse phone number in here and we can find the email contact in here, which

06:55.960 --> 06:57.490
probably is not going to work.

06:57.490 --> 06:59.440
But we did find a phone number in here.

06:59.710 --> 07:04.450
Now, with that phone number, we could do a reverse phone number search, things like Spy Dialer,

07:04.480 --> 07:06.190
Whitepages, et cetera.

07:06.490 --> 07:10.270
There's a lot of different phone number reverse searches we could do.

07:11.010 --> 07:15.260
Now, putting the phone number in, it identified it as a landline.

07:15.270 --> 07:16.650
Now, what can we do with that?

07:16.650 --> 07:18.690
Well, we can do a name lookup.

07:18.690 --> 07:20.880
We could do it with Spy Dialer.

07:20.880 --> 07:25.680
We could hear the voicemail, we could use a burner phone number, we could use a Voice over IP phone

07:25.680 --> 07:28.260
number and call that number, see if it is a landline.

07:28.260 --> 07:31.200
If anyone picks up, who do they identify as?

07:31.230 --> 07:32.760
Et cetera.

07:32.790 --> 07:34.060
Is it a cell phone?

07:34.080 --> 07:38.220
Most likely it's going to be a Voice over IP number that's going to be highly disposable.

07:38.220 --> 07:39.970
But again, we might get lucky.

07:39.970 --> 07:42.450
We might be able to get more information from it that way.

07:43.950 --> 07:48.720
We can also do, of course, our Google searches, DuckDuckGo searches, whatever

07:48.720 --> 07:51.300
your search engine of choice is.

07:51.330 --> 07:55.950
Now taking some of the other sites that were popping up on here.

07:56.250 --> 07:58.470
We could see various information here.

07:58.470 --> 08:05.340
And on the Russian site that came up, we could do a Russian business search.

08:05.340 --> 08:11.110
And I also found it down in here when I went on to AlienVault while doing a Google search.

08:11.110 --> 08:16.180
And we could see things like group known as VIP one delivers a link through phishing emails.

08:16.180 --> 08:22.060
Links lead to a series of redirects, works best with Opera, different ad fraud campaigns running through

08:22.060 --> 08:25.960
this, and again, we can find more information about it.

08:25.960 --> 08:26.680
So now we know.

08:26.680 --> 08:31.720
Hey, this is from a group known as VIP one and this is what they do.

08:31.720 --> 08:34.510
And this was identified on this date.

08:34.510 --> 08:37.300
And again, we can get more information from that.

08:39.170 --> 08:45.380
So, wrapping up, these email addresses and URLs typically don't last very long.

08:45.410 --> 08:47.630
They might last for a couple of days at best.

08:47.660 --> 08:52.880
Typically, if I get one of these and I decide to start doing investigation the next day, those links

08:52.880 --> 08:53.900
are dead.

08:54.920 --> 08:56.740
Emails tend to change very quickly.

08:56.750 --> 08:59.810
Again, these are designed to be highly disposable and cheap.

09:00.380 --> 09:06.830
A lot of times people will use either free services or they'll again get a domain for a year, probably

09:06.830 --> 09:11.330
pick it up real cheap and start generating a bunch of emails and start doing these attacks.

09:11.720 --> 09:18.590
That particular email address that I showed you, I got three more of those emails, exact same type

09:18.590 --> 09:19.160
of emails.

09:19.160 --> 09:23.240
However, the address changed slightly, even though the domain was still the same.

09:23.240 --> 09:27.980
So that shows me that, okay, they're generating a lot of different emails from that same domain,

09:27.980 --> 09:30.260
probably trying to get the most out of their money.

09:31.010 --> 09:36.470
Now, the domain registrations, if any, are likely to be purchased cheaply and disposable; again, it

09:36.470 --> 09:39.060
can make it a little bit harder to track because of this.

09:39.060 --> 09:45.360
So if we want to keep going after these people and trying to find more about them, we could try things

09:45.360 --> 09:51.150
like social engineering, maybe drop a canary token, send an email to them and go, Oh, well, you

09:51.150 --> 09:52.620
know, I had problems with the link.

09:52.620 --> 09:53.100
Et cetera.

09:53.100 --> 09:53.550
Et cetera.

09:53.550 --> 09:54.930
And try to draw them out.

09:55.350 --> 10:00.540
Or even if you find the phone number attached on the domain, you might get lucky again.

10:00.540 --> 10:06.630
Get a hold of a live person, use some social engineering techniques to draw out more information

10:06.630 --> 10:07.500
about them.

10:07.770 --> 10:15.180
So this was about email investigations and identifying phishing emails and doing investigations on them.

10:15.210 --> 10:16.290
Thank you for watching.

10:16.290 --> 10:17.250
I'll see you next video.
