Spam Phishing Investigation - Maltego
edmas8, 13 June 2015
3,006 words (13 pages), 454 views
Spam - Phishing Investigation using Maltego
CONTENTS
ABSTRACT
INTRODUCTION
OSINT
MALTEGO
USING MALTEGO
NEW TRANSFORM
ABSTRACT
“Every single scam in human history has worked for one key reason; the victim did not recognize it as a scam” – R. Paul Wilson
Today anyone can be exposed to a cyber-attack; the level of vulnerability varies from individual to individual, and it can affect a person as much as an organization. The first phase of a cyber scam focuses on data collection, to determine how vulnerable the target is and to make access to its network easier. This is also the first phase of any security assessment, and several tools have been developed for this data-collection step; they use Open Source Intelligence (OSINT) as their collection method. Maltego is one of these tools: it works as a penetration-testing tool that helps gather all the available information and organize it efficiently. With this tool a fraudulent e-mail can be analyzed, and all the information about the infrastructure and the people associated with the e-mail can be obtained.
INTRODUCTION
A penetration test is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to the system, its functionality and its data. For this kind of test it is necessary to gather information about the target; there are basically two types of information gathering: active and passive. In passive information gathering the attacker does not contact the target directly and tries to gather the information that is already available on the Internet; in active information gathering the attacker contacts the target directly to gather information.
Penetration tests are valuable for several reasons:
1. Determining the feasibility of a particular set of attack vectors
2. Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
3. Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
4. Assessing the magnitude of potential business and operational impacts of successful attacks
5. Testing the ability of network defenders to successfully detect and respond to the attacks
6. Providing evidence to support increased investments in security personnel and technology
OSINT
Open Source Intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. The relationship between the various forms of information gathered from the Internet can be extremely valuable.
MALTEGO
Maltego is a penetration-testing tool that is able to collect a huge amount of data about any organization or person. The software uses OSINT to gather information such as which web servers, domains, kinds of e-mail servers, e-mail addresses and locations the target is using.
Below are some of Maltego's features:
• Maltego is a program that can be used to determine the relationships and real-world links between:
o People
o Groups of people (social networks)
o Companies
o Organizations
o Web sites
o Internet infrastructure such as:
   - Domains
   - DNS names
   - Netblocks
   - IP addresses
o Phrases
o Affiliations
o Documents and files
• These entities are linked using open source intelligence.
• Maltego is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux.
• Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate - making it possible to see hidden connections.
• Using the graphical user interface (GUI) you can see relationships easily - even if they are three or four degrees of separation away.
• Maltego is unique because it uses a powerful, flexible framework that makes customizing possible.
USING MALTEGO
For this test we will use Maltego 3 Free Edition CE (Community Edition) to track an e-mail received in an Outlook account:
Image 1 - Maltego Carbon CE 3.5.3
For the purpose of this research we begin with the study of a fraudulent e-mail; the infrastructure and the people related to it will be analyzed using Maltego:
Image 2 – The Outlook account receives an e-mail from: ecarpentier.mickael@bbox.fr
This e-mail comes from the address: ecarpentier.mickael@bbox.fr
The e-mail claims that the user has won some lottery. It contains a couple of links and the e-mail address of a person to be contacted. From here we want to gather information about the originating e-mail address, ecarpentier.mickael@bbox.fr, to understand where it comes from.
Starting the Graph
Once in Maltego, to create a new graph press Control + T or click the (+) button at the top left, next to the application icon.
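Before any transform is run, the analyst pulls the starting points out of the message itself: the sender's domain, the contact address the scammer wants replies sent to, the links, and the relay that handed the mail in. The following Python snippet is an added example, not part of the original report or of Maltego; the message it parses is constructed to match the scam described above (only the sender address ecarpentier.mickael@bbox.fr comes from the text; the Reply-To address, the relay, the URLs and the victim address are made-up placeholders on reserved example domains). It also flags a Reply-To domain that differs from the From domain, a common sign that the sender address was chosen for appearance only.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lottery scam e-mail described in the text.
# Only the From address comes from the report; all other values are placeholders.
SAMPLE_EML = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.outlook.example (Postfix) with ESMTP id ABC123
    for <victim@example.org>; Mon, 01 Jun 2015 10:00:00 +0000
From: "Lottery Office" <ecarpentier.mickael@bbox.fr>
Reply-To: claims-agent@example.net
To: victim@example.org
Subject: You have won the International Lottery
Content-Type: text/plain; charset="utf-8"

Congratulations! You have won 1,000,000 EUR in our online lottery.
Claim your prize at http://lottery-claims.example.com/claim?id=4711
or read the rules at https://rules.example.com/terms
Contact the claims agent: claims-agent@example.net
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
RECEIVED_FROM_RE = re.compile(r"from\s+(\S+)")


def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rpartition("@")[2].lower()


def analyze_email(raw):
    """Extract the investigation starting points from a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    _, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))

    # The plain-text body is where the links and the contact address live.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = sorted(set(URL_RE.findall(body)))
    contacts = sorted(set(EMAIL_RE.findall(body)) - {sender})

    # Each Received header names the host that handed the message to the next hop;
    # the first one listed is the hop closest to the recipient.
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_FROM_RE.match(str(header))
        if m:
            hops.append(m.group(1))

    return {
        "sender": sender,
        "sender_domain": domain_of(sender),
        "reply_to": reply_to,
        # A Reply-To on another domain means answers never reach the displayed sender.
        "reply_to_mismatch": bool(reply_to) and domain_of(reply_to) != domain_of(sender),
        "urls": urls,
        "link_domains": sorted({urlparse(u).hostname for u in urls}),
        "contacts": contacts,
        "received_from": hops,
    }


if __name__ == "__main__":
    for key, value in analyze_email(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The `sender_domain` value (bbox.fr here) is what gets typed into the first Domain node in the steps below; `link_domains` and `contacts` are further seeds for the same kind of graph, and `received_from` gives the relay host to check against the domain's mail infrastructure.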
Image 3 – New Graph
After the user creates the new graph, work can start on the canvas that appears, using the palette, which displays the entities available for building different graphs:
Image 4 – Canvas + Palette
The user can choose between different options in the palette:
- Devices
- Infrastructure
- Locations
- Penetration Testing
- Personal or Social Network
From the scam e-mail the user obtains the domain bbox.fr.
The user then selects the Domain option under Infrastructure and drags and drops it onto the canvas.
The new entity becomes one of the nodes of the new graph:
Image 5 – Drag and Drop Domain Option
Here the user can and should edit the value of the node; to do so, double-click the text box on the node to edit its value. In our case the value will be the e-mail's domain, bbox.fr:
Image 6 – Edit the Node: bbox.fr
Once the user has set the domain to bbox.fr, the first transform can be run in Maltego; for this the user has to:
- Right-click the domain node and select “Run Transform”
- In the new menu choose “All Transforms”
- Multiple options are then displayed; here the user should select “To Email Address [From whois Info]”; this option lets the user obtain the IP number related to the domain and resolve that IP number into the different e-mail addresses linked with it
Image 7 – Run Transform
Image 8 – Select: To Email Address
Image 9 – Sites related
- After the user obtains the e-mail addresses related to the domain, another transform can be created
- Using the same domain, bbox.fr, the user will now search for the DNS names related to the original e-mail
- The user right-clicks the domain node and chooses the option “Run Transform”
- In the menu the user chooses “All Transforms”
Image 10 – Run Transform
- Then, from the multiple options displayed, select “DomainToDNSNameSchema”
Image 11 – Select: DomainToDNSNameSchema
- This option retrieves the DNS name schema related to the selected domain, bbox.fr
- The user then obtains the following graph:
Image 12 – Domain to DNS Name Schema
- From here the user can select any of the web sites to be analyzed, creating another transform.
- In this case, for the new web site, we will trace the IP address
- The user right-clicks the node of the chosen web site: secure.bbox.fr
- Select “Run Transform”
- In the menu the user should choose the option “All Transforms”
- Multiple options are then displayed; here the user should select “To IP Address [DNS]”
Image 13 – Select the Node: secure.bbox.fr
- This option lets the user obtain the IP address linked with the web site and the domain
- Now the user can analyze the IP address to determine the geographic location of this web site
- For this the user should right-click the web site node and select the option “Run Transform”
- In the new menu choose “All Transforms”
- Multiple options are then displayed; here the user should select “To Location Country”
- With this option the user obtains the country of origin and information about the IP address, using the MaxMind free city database. MaxMind GeoIP intelligence is used for content personalization, ad targeting, traffic analysis and digital rights management; with this information a user can prevent online fraud, cut chargebacks, and reduce manual review that can take a long time to a matter of seconds
Image 14 – To Location Country
- It will validate the netblock to which the IP address belongs
- Now the user should right-click the web site node and select “Run Transform”
- In the new menu choose “All Transforms”
- Multiple options are then displayed; here the user should select “To
...
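The chain of transforms above (domain to whois e-mail addresses, domain to DNS names, DNS name to IP address, IP address to country and netblock) is Maltego's basic model: every transform takes one entity and returns new entities that are linked to it on the graph. The Python below is an added example that reproduces that model offline; it is not Maltego's own code or Paterva's transform framework, and the whois text, DNS names, A records and netblock table are constructed stand-ins for the live sources (whois, DNS and the MaxMind database) that the real transforms query. Only the names bbox.fr and secure.bbox.fr come from the report; every address, e-mail and country code is a placeholder. The netblock lookup goes a step beyond the text by choosing the most specific (longest-prefix) block when several contain the address, which is how a GeoIP or registry lookup behaves.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# --- Constructed lookup tables standing in for whois, DNS and GeoIP ---
# Illustrative values only; the domain and host names come from the report,
# nothing else is real data.
WHOIS_TEXT = {
    "bbox.fr": (
        "domain: bbox.fr\n"
        "registrar: Example Registrar\n"
        "admin-c e-mail: hostmaster@example-registrar.fr\n"
        "tech-c e-mail: noc@example-registrar.fr\n"
    ),
}
DNS_NAMES = {"bbox.fr": ["www.bbox.fr", "secure.bbox.fr", "mail.bbox.fr"]}
A_RECORDS = {"secure.bbox.fr": "198.51.100.23", "www.bbox.fr": "198.51.100.10"}
# (CIDR, country code). The /24 is more specific than the /16 and must win.
NETBLOCKS = [("198.51.0.0/16", "US"), ("198.51.100.0/24", "FR"), ("203.0.113.0/24", "US")]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass(frozen=True)
class Entity:
    kind: str    # Domain, EmailAddress, DNSName, IPv4Address, Netblock, Location
    value: str


@dataclass
class Graph:
    """Nodes are entities; each edge records which transform produced the target."""
    nodes: set = field(default_factory=set)
    edges: list = field(default_factory=list)

    def run_transform(self, source, transform):
        results = transform(source)
        for entity in results:
            self.nodes.add(entity)
            self.edges.append((source, transform.__name__, entity))
        return results


# --- Transforms: one entity in, a list of linked entities out ---
def to_email_address_whois(domain):
    text = WHOIS_TEXT.get(domain.value, "")
    return [Entity("EmailAddress", m) for m in sorted(set(EMAIL_RE.findall(text)))]


def domain_to_dns_name(domain):
    return [Entity("DNSName", name) for name in DNS_NAMES.get(domain.value, [])]


def to_ip_address_dns(dns_name):
    ip = A_RECORDS.get(dns_name.value)
    return [Entity("IPv4Address", ip)] if ip else []


def best_netblock(ip_text):
    """Return (network, country) of the most specific netblock containing ip_text."""
    addr = ipaddress.ip_address(ip_text)
    matches = [(ipaddress.ip_network(cidr), cc) for cidr, cc in NETBLOCKS
               if addr in ipaddress.ip_network(cidr)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def to_netblock(ip):
    hit = best_netblock(ip.value)
    return [Entity("Netblock", str(hit[0]))] if hit else []


def to_location_country(ip):
    hit = best_netblock(ip.value)
    return [Entity("Location", hit[1])] if hit else []


def investigate(domain_name):
    """Run the report's transform chain starting from a Domain entity."""
    graph = Graph()
    root = Entity("Domain", domain_name)
    graph.nodes.add(root)
    graph.run_transform(root, to_email_address_whois)
    for host in graph.run_transform(root, domain_to_dns_name):
        for ip in graph.run_transform(host, to_ip_address_dns):
            graph.run_transform(ip, to_netblock)
            graph.run_transform(ip, to_location_country)
    return graph


if __name__ == "__main__":
    for src, name, dst in investigate("bbox.fr").edges:
        print(f"{src.kind}:{src.value} --[{name}]--> {dst.kind}:{dst.value}")
```

Reading the edge list is the textual equivalent of the graph the screenshots show: each line is one arrow on the canvas, and a node with no outgoing edges (mail.bbox.fr here, which has no A record in the constructed table) is a dead end for that transform, exactly as an empty result is in Maltego.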