Keep Calm and Stop the Attack: Today… Phishing Campaign

Sebastian J Arratta
4 min read · May 8, 2021

Phishing campaigns are the order of the day. In this short article we will look, from a not very technical standpoint, at the steps needed to stop a campaign and analyze its impact.

We cannot control an attack if we do not maintain control.

And to keep control of the situation we must know what to do. We can divide the tasks into 3 stages:

A. Stop incoming emails.
B. Analyze the impact of the campaign.
C. Report tasks performed.

Stop incoming emails.

The main thing in stopping a phishing campaign is knowing its origin. With that data we can block access, and with that alone we have already taken a big step.

If the mail arrives from a single address, it is very easy to block: we add that address to our spam list and that’s it.

Now, it can happen that the campaign is carried out from random origins, that is, dozens or hundreds of emails arrive from different domains. In that case we must look for a pattern, because campaigns always have a pattern: either the “Subject”, some phrase within the body of the email (“You have been chosen” or “To unlock your account, enter here”), or the redirection of the link that comes in the body of the message.

This data is obtained through manual analysis or by using an online sandbox.
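As an added example (not part of the original article, and not any particular mail gateway's rule syntax), the script below turns the three kinds of pattern just described into one quarantine rule and applies it to a handful of constructed messages that arrive from different sender domains. The indicator values and sample messages are all made up for the illustration; in practice they come from the messages you analyzed manually or in a sandbox.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed sample messages: different sender domains, same campaign pattern.
SAMPLE_MAILS: List[Dict[str, str]] = [
    {"from": "promo@example-a.test", "subject": "You have been chosen!",
     "body": "Congratulations, to unlock your account, enter here: http://login-verify.example/x"},
    {"from": "alerts@example-b.test", "subject": "Account notice",
     "body": "To unlock your account, enter here http://login-verify.example/y?u=42"},
    {"from": "news@example-c.test", "subject": "Weekly report",
     "body": "Attached is the weekly report. Regards."},
    {"from": "it@example-d.test", "subject": "Password expiry",
     "body": "Your password expires soon, renew at https://intranet.example/pw"},
]

# Campaign indicators (constructed): a subject pattern, a body phrase and the
# host the link in the body redirects to. Sender address is deliberately absent,
# because the campaign does not have a single origin.
CAMPAIGN_RULE = {
    "subject_regex": re.compile(r"you have been chosen", re.IGNORECASE),
    "body_phrases": ["to unlock your account, enter here"],
    "link_hosts": {"login-verify.example"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_link_hosts(body: str) -> Set[str]:
    """Collect the lower-cased hostnames of every URL found in the body text."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def match_campaign(mail: Dict[str, str], rule: Dict) -> List[str]:
    """Return the names of the indicators the message matches (empty list = clean)."""
    hits = []
    if rule["subject_regex"].search(mail["subject"]):
        hits.append("subject")
    body_lc = mail["body"].lower()
    if any(phrase in body_lc for phrase in rule["body_phrases"]):
        hits.append("body_phrase")
    if extract_link_hosts(mail["body"]) & rule["link_hosts"]:
        hits.append("link_host")
    return hits


def quarantine(mails: List[Dict[str, str]], rule: Dict) -> Tuple[List[Dict], List[Dict]]:
    """Split messages into (quarantined, delivered) by campaign pattern, regardless of sender."""
    quarantined, delivered = [], []
    for mail in mails:
        (quarantined if match_campaign(mail, rule) else delivered).append(mail)
    return quarantined, delivered


if __name__ == "__main__":
    held, passed = quarantine(SAMPLE_MAILS, CAMPAIGN_RULE)
    for mail in held:
        print("QUARANTINE", mail["from"], match_campaign(mail, CAMPAIGN_RULE))
    for mail in passed:
        print("DELIVER   ", mail["from"])
```

Matching on several independent indicators at once matters because the attacker can rotate the subject or the sender far more easily than the phishing page the link leads to; the link host is usually the most stable indicator, while a lone subject rule is the quickest to go stale.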

Let’s build our flow of tasks:

Stage 1: We stop incoming emails

Analyze the impact of the campaign.

Once the entry of new emails is under control, we will focus on calculating the impact the campaign had. For this we are going to collect some data: the number of emails that entered, the number of emails that were filtered and stopped, the period of time in which the campaign was active (from the entry of the first email to the last), and whether the emails reached the directors or owners of the company, among others.

With all this data collected, we already have a good idea of the impact of the campaign.

Now we need the most important information: Who clicked on the link in the email.

This data is obtained by reviewing the users’ browsing activity. If you are lucky enough to have tools such as a proxy or a SIEM, the task will be simpler; if not, it will be necessary to search by hand.

A great tool to remotely review the browsing history of computers connected to the network is BrowsingHistoryView.
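The two questions of this stage, how big the campaign was and who clicked the link, can both be answered from logs you already keep. The script below is an added example, not code from the article, and works on constructed mail-gateway and proxy log lines in a made-up format; the field layout, the executive mailbox list and the phishing host are assumptions for the illustration, so adapt the parsers to whatever your gateway and proxy actually write.

```python
from datetime import datetime
from typing import Dict, List, Set

# Constructed mail-gateway records, one per campaign message (timestamp, recipient, action).
GATEWAY_LOG = """\
2021-05-03T08:02:11 rcpt=anna@corp.test action=delivered
2021-05-03T08:05:40 rcpt=bob@corp.test action=delivered
2021-05-03T08:09:02 rcpt=ceo@corp.test action=delivered
2021-05-03T09:30:55 rcpt=carla@corp.test action=blocked
2021-05-04T07:12:19 rcpt=dave@corp.test action=blocked
"""

# Constructed proxy log lines: timestamp user method host path.
PROXY_LOG = """\
2021-05-03T08:10:30 anna GET intranet.example /home
2021-05-03T08:12:05 bob GET login-verify.example /x
2021-05-03T08:15:44 ceo GET news.example /today
2021-05-03T08:20:01 bob POST login-verify.example /submit
2021-05-03T11:41:17 anna GET login-verify.example /y
"""

EXECUTIVES = {"ceo@corp.test"}            # assumed list of director/owner mailboxes
PHISH_HOSTS = {"login-verify.example"}    # host the campaign link redirected to (constructed)


def parse_gateway(log: str) -> List[Dict]:
    """Parse the constructed gateway format into records with a datetime, recipient and action."""
    records = []
    for line in log.splitlines():
        ts, rcpt, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "rcpt": rcpt.split("=", 1)[1],
            "action": action.split("=", 1)[1],
        })
    return records


def campaign_impact(log: str, executives: Set[str]) -> Dict:
    """Summarize the campaign: volume, how much was stopped, active window, executives reached."""
    recs = parse_gateway(log)
    delivered = [r for r in recs if r["action"] == "delivered"]
    blocked = [r for r in recs if r["action"] == "blocked"]
    first = min(r["ts"] for r in recs)
    last = max(r["ts"] for r in recs)
    return {
        "total": len(recs),
        "delivered": len(delivered),
        "blocked": len(blocked),
        "first_seen": first.isoformat(),
        "last_seen": last.isoformat(),
        "duration_hours": round((last - first).total_seconds() / 3600, 2),
        # Only delivered mail counts: a blocked message never reached the mailbox.
        "executives_reached": sorted(r["rcpt"] for r in delivered if r["rcpt"] in executives),
    }


def users_who_clicked(proxy_log: str, phish_hosts: Set[str]) -> Dict[str, List[tuple]]:
    """Map each user that reached a phishing host to the requests they made there."""
    clicked: Dict[str, List[tuple]] = {}
    for line in proxy_log.splitlines():
        ts, user, method, host, path = line.split()
        if host.lower() in phish_hosts:
            clicked.setdefault(user, []).append((ts, method, path))
    return clicked


if __name__ == "__main__":
    print(campaign_impact(GATEWAY_LOG, EXECUTIVES))
    for user, requests in users_who_clicked(PROXY_LOG, PHISH_HOSTS).items():
        print(user, "-> compromised:", requests)
```

The per-user request list is worth keeping rather than just a yes/no flag: a GET followed by a POST to the phishing host is a strong sign the user actually submitted the form, which changes how urgently the password reset and the antivirus scan of the next stage need to happen.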

All users who have accessed the phishing site should be considered compromised.

It does not matter whether the site tries to collect credit card data, the user’s home banking credentials or the corporate email account credentials.

As prevention we will carry out the following tasks:

  1. Force the user to change their network password.
  2. Start a scan with the antivirus installed on the PC the user used.

And if we have the resources …

  3. Add that PC to a monitoring group that allows you to analyze its behavior over the next few days.

Let’s add these steps to our flow:

Stage 2: Analyze the Impact of the Campaign


Sebastian J Arratta

I like to share the knowledge that I acquired during my years of work. Linux philosophy and video games. I’m from the old school. My family is first.