5 Steps for Investigating Phishing Attacks

Phishing is a common and effective cybercrime tool, but even the most sophisticated threat actors make mistakes that you can leverage in your investigations.

In November 2020, Group-IB and INTERPOL revealed details about Operation Falcon, which targeted members of a Nigerian cybercrime ring engaged in business email compromise (BEC) and phishing. The prolific gang, dubbed TMT, had compromised at least 500,000 companies in more than 150 countries since at least 2017.


Phishing is TMT's main attack vector. It also remains the most popular tool among both nation-state hackers and scammers, and nearly every attack involves phishing: websites, accounts, or mailouts with malicious archives or links. Over nearly 20 years, Group-IB has accumulated a lot of practical knowledge about identifying cybercriminals involved in phishing. Try the following steps to guide your next investigation.


Step 1. Analyzing Initial Data, Searching for Artifacts

Start by analyzing the phishing attack type, timeline, distribution method, malicious content, and primary indicators (email, attachment name, links, domains, etc.).


Then, examine the decoy that tricked the victim into opening the malicious email or website. Generally, the decoy is an email, malicious code, or a phishing website. Look for artifacts such as:


Attachments such as fake payment documents
Phishing links, which are often disguised as legitimate URLs
Sent/received time stamps, which help build an incident timeline and sometimes determine the sender's time zone
Email headers (Envelope-From, Return-Path, Reply-To, Receive-From), which may allow you to extract the attacker's real email address and domain even when the visible sender details are forged
Additional headers (X-PHP-SCRIPT, X-ORIGINATING-SCRIPT), which are rare but very valuable artifacts that enable investigators to determine specific mail scripts, URLs, and sometimes the IP address
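As an added example (not Group-IB's code or tooling), the following script pulls the artifacts listed above out of a single phishing email using only Python's standard library: the From/Return-Path/Reply-To addresses and their domains, the relay IPs from the Received chain (with the earliest hop flagged as the best candidate for the originating host), the sender's UTC offset from the Date header, attachment filenames, and the X-PHP-Script / X-Originating-Script headers where present. The message it parses is a constructed sample; all addresses, hostnames, IPs and header values in it are made up, and the header names X-PHP-Script and X-Originating-Script are taken from the article's list rather than from any specific mail server.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real phishing email): a lookalike display name,
# Return-Path and Reply-To pointing at a different domain than From, two relay
# hops, a client Date header in a different time zone than the receiving MX,
# a "payment document" attachment, and the rare PHP mailer script headers.
SAMPLE_EMAIL = """\
Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.45])
\tby mx.victim-corp.test with ESMTP id abc123
\tfor <cfo@victim-corp.test>; Tue, 03 Nov 2020 09:14:02 +0100
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.example-relay.test with ESMTPA
X-PHP-Script: webmail.example-relay.test/inc/send.php for 198.51.100.23
X-Originating-Script: 1001:mailer.php
Return-Path: <bounce@example-relay.test>
Reply-To: accounts-dept@example-relay.test
From: "Acme Finance" <finance@acme-corp.test>
To: cfo@victim-corp.test
Date: Tue, 03 Nov 2020 15:13:40 +0700
Subject: Payment confirmation INV-4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached payment document.
--b1
Content-Type: application/octet-stream; name="Payment_Confirmation_4471.pdf"
Content-Disposition: attachment; filename="Payment_Confirmation_4471.pdf"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SCRIPT_HEADERS = ("X-PHP-Script", "X-Originating-Script")  # names as listed in the article


def _domain(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_artifacts(raw: str) -> dict:
    """Parse one raw RFC 5322 message and collect the investigation artifacts."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # Each MTA prepends its own Received header, so the first one in the
    # message is the last hop and the last one is the earliest known hop.
    received = msg.get_all("Received", [])
    hop_ips = list(dict.fromkeys(ip for hdr in received for ip in IP_RE.findall(hdr)))
    earliest_ips = IP_RE.findall(received[-1]) if received else []
    origin_ip = earliest_ips[0] if earliest_ips else None

    # The Date header is written by the sender's client, so its UTC offset
    # hints at the sender's time zone; normalise to UTC for the timeline.
    sent = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    sent_offset = sent.strftime("%z") if sent and sent.tzinfo else None
    sent_utc = sent.astimezone(timezone.utc).isoformat() if sent and sent.tzinfo else None

    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    mail_scripts = {h: msg[h] for h in SCRIPT_HEADERS if msg.get(h)}

    # Sender-identity mismatches: the headers that drive routing/replies
    # point somewhere other than the domain shown to the victim.
    findings = []
    from_dom = _domain(from_addr)
    for label, addr in (("Return-Path", return_path), ("Reply-To", reply_to)):
        dom = _domain(addr)
        if dom and from_dom and dom != from_dom:
            findings.append(f"{label} domain '{dom}' differs from From domain '{from_dom}'")

    return {
        "from_address": from_addr,
        "from_domain": from_dom,
        "return_path": return_path,
        "reply_to": reply_to,
        "hop_ips": hop_ips,
        "origin_ip": origin_ip,
        "sent_utc_offset": sent_offset,
        "sent_time_utc": sent_utc,
        "attachments": attachments,
        "mail_scripts": mail_scripts,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in extract_artifacts(SAMPLE_EMAIL).items():
        print(f"{key:16} {value}")
```

For the sample, the Return-Path and Reply-To both resolve to example-relay.test while the displayed sender is acme-corp.test, the earliest Received hop yields 198.51.100.23 (the same address the X-PHP-Script header names), and the Date header's +0700 offset disagrees with the +0100 stamp applied by the receiving MX. Run it against an exported .eml from a real case to get the same fields for the timeline and pivot list.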

Phishing attacks can involve malicious code. In our investigations, we are not particul ..
