Room Link
Let's clarify Spamming vs Phishing:
Spam focuses on quantity over precision. Unlike phishing, which aims to deceive specific users, spam messages are sent in bulk to flood inboxes with unwanted marketing or irrelevant content. Their goal isn't usually to steal data but to push exposure or engagement: promotions, clickbait, or even data harvesting.
Other terms include:
- Social Engineering: Rather than hacking technology, the attacker connects with someone on a personal level to lure out important data. Look for the following approaches to see if someone might be using social engineering: impersonation, a sense of urgency, a side channel (for example, "hey, we moved our helpline to this new number!"), etc.
- Typosquatting and Punycode: ΡrΡhackme.com written with Cyrillic Ρ, Cyrillic Π³, Cyrillic Ρ
- Spoofing: An email's "From" field can look legitimate while the message actually comes from a different server. Spoofing checks on the mail server should always be on. Inspect header fields such as `Authentication-Results` and `Return-Path`.
- Malicious Attachments: And there's always the classic way of just attaching the malware to the email, because someone will always click on stuff no matter what.
- Legitimate Application: Attackers can also hide behind trusted services, such as Dropbox or Google Drive, and share a PDF or document file containing fake content and malicious code.
- Fake login pages.
Task Questions:
Classify the 1st email, what's the flag?
=> Go to the target machine IP and click on the first email. Scroll down...

Is it spam or a phishing attempt? The email is asking us to make a payment from PayPal, so it is definitely phishing. Submit and find out!

From the header, we know that even though the email says paypal.com, it is actually not from paypal.com but from someone else. That is why we can tick spoofing and fake invoice. Also tick 'urgency', because 'Santa sending invoice' is supposed to be urgent!
Finally, submit to get the flag.
Classify the second email. The email has an audio attachment, and the From field says <calls@tbfc.com>, but in the 'inspect' section the 'from header' is different: gibberish.outlook.com

Hence, Spoofing, Impersonation and Malicious Attachment are the correct answers.

The 3rd email comes from a gmail address and says:
McSkidy here - I'm currently unreachable by phone. We have an ongoing incident and need the Blue Team to get remote access now to investigate. Please create a new VPN access for me immediately. Send the access to my personal email address.
=> Impersonation, sense of urgency and social networking!
The 4th email says:
TBFC HR Department (hr.tbfc@outlook.com) invited you to view the file "Annual Salary Raise Approval.pdf" on Dropbox.
"Hi there, You have a pending document to be signed regarding you recent Salary Raise Approval. You can copy and paste the URL below if you do not have a DropBox account: https://www.dropbox.com/scl/fi/xzruzfwqa4w77ozxvq00i/annual-salary-raise-approval.pdf?blablablabla Thank you, TBFC HR Department"
It comes from an external domain (Dropbox), and uses social engineering and impersonation. Don't know why malicious attachment is not the other answer.
The 5th email is a promotional campaign. Just mark it as spam.
The last email to classify contains cursive letters, meaning it is not from our domain.
Typosquatting/Punycode and Impersonation are correct. But Malicious Attachment is not a correct answer; Social Engineering is.
Onwards and upwards...

