Spam Phishing Investigation - Maltego
Submitted by edmas8 • 13 June 2015 • 3,006 words (13 pages) • 420 views
Spam - Phishing Investigation using Maltego
CONTENTS
ABSTRACT
INTRODUCTION
OSINT
MALTEGO
USING MALTEGO
NEW TRANSFORM
ABSTRACT
“Every single scam in human history has worked for one key reason; the victim did not recognize it as a scam” – R. Paul Wilson
Today anyone can be the target of a cyber-attack; the level of exposure varies from person to person, and the victim may be an individual or an organization. The first phase of a cyber scam is information gathering: the attacker collects data about the target to find weaknesses that will ease access to its network. Information gathering is also the first phase of any security assessment, and several tools have been developed for it that rely on Open Source Intelligence (OSINT) as their collection method. Maltego is one of these tools; it helps a penetration tester gather the available information and organize it efficiently. With it, a fraudulent e-mail can be analyzed and the infrastructure and people associated with it can be mapped.
INTRODUCTION
A penetration test is an attack on a computer system carried out with the intention of finding security weaknesses and potentially gaining access to the system, its functionality and its data. Such a test requires gathering information about the target. There are basically two types of information gathering, passive and active. In passive information gathering the tester never contacts the target directly and only collects what is already available on the Internet; in active information gathering the tester interacts with the target directly (for example by querying its servers) to collect information.
Penetration tests are valuable for several reasons:
1. Determining the feasibility of a particular set of attack vectors
2. Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
3. Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
4. Assessing the magnitude of potential business and operational impacts of successful attacks
5. Testing the ability of network defenders to successfully detect and respond to the attacks
6. Providing evidence to support increased investments in security personnel and technology
OSINT
Open Source Intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. The relationship between the various forms of information gathered from the Internet can be extremely valuable.
MALTEGO
Maltego is a reconnaissance tool that can gather a large amount of data about an organization or person. It uses OSINT to collect information such as the web servers, domains, mail servers, e-mail addresses and locations the target uses.
Below are some of Maltego's features:
• Maltego is a program that can be used to determine the relationships and real world links between:
o People
o Groups of people (social networks)
o Companies
o Organizations
o Web sites
o Internet infrastructure such as:
Domains
DNS names
Netblocks
IP addresses
o Phrases
o Affiliations
o Documents and files
• These entities are linked using open source intelligence.
• Maltego is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux.
• Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate - making it possible to see hidden connections.
• Using the graphical user interface (GUI) you can see relationships easily - even if they are three or four degrees of separation away.
• Maltego is unique because it uses a powerful, flexible framework that makes customizing possible.
USING MALTEGO
For this test we will use Maltego 3 Community Edition (CE, the free edition) to track an e-mail received in an Outlook account:
Image 1 - Maltego Carbon CE 3.5.3
This research begins with the study of a fraudulent e-mail; the infrastructure and people related to it will be analyzed using Maltego:
Image 2 – Outlook account receives an e-mail from: ecarpentier.mickael@bbox.fr
This e-mail comes from the address ecarpentier.mickael@bbox.fr.
The e-mail tells the recipient that they have won a lottery. It contains a couple of links and the e-mail address of a person to be contacted. From here we want to gather information about the originating address ecarpentier.mickael@bbox.fr to understand where the message comes from.
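Before dragging entities onto the canvas it helps to list every artefact the message actually carries. The following Python script is an added example, not code from this report or from Maltego: it parses a raw e-mail and pulls out the seeds a Maltego graph starts from (sender domain, Return-Path, Reply-To, the IPs in the Received chain, and the links and contact addresses in the body), then maps them onto Maltego's built-in entity types. Only the sender address ecarpentier.mickael@bbox.fr is taken from the report; the rest of the sample message, including the relay IPs and the links, is constructed with documentation addresses and hosts. The mismatch check at the end is the caveat to keep in mind: the From: header is written by the sender and proves nothing about origin, so bbox.fr is only the first seed, not the proven source.

```python
"""Pull reconnaissance seeds out of a suspicious e-mail.

Added example (not part of the original report). It parses a raw RFC 5322
message and extracts the artefacts that Maltego entities are built from:
the From: address and its domain, Return-Path, Reply-To, the IPs in the
Received: chain, and the URLs and contact addresses in the body. Only the
sender address ecarpentier.mickael@bbox.fr comes from the report; every
other header, IP address and link below is constructed for illustration
(RFC 5737 documentation IPs, example.org / example.net hosts).
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, not the real scam mail.
RAW_SCAM_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
\tby mx.outlook.example (Postfix) with ESMTP id 4ABC123
\tfor <victim@outlook.example>; Sat, 13 Jun 2015 10:02:11 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail-relay.example.net with ESMTPA id 7XYZ789;
\tSat, 13 Jun 2015 10:01:58 +0000
From: "Mickael Carpentier" <ecarpentier.mickael@bbox.fr>
Reply-To: claims.office@lottery-claims.example.org
To: victim@outlook.example
Subject: CONGRATULATIONS - YOUR EMAIL WON
Content-Type: text/plain; charset="utf-8"

You have won the international lottery.
Claim at http://lottery-claims.example.org/claim?id=123 or
contact our agent at agent.payout@example.org within 48 hours.
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address like 'Name <u@d>'."""
    _, spec = parseaddr(str(addr))
    return spec.rpartition("@")[2].lower()


def extract_seeds(raw: str) -> dict:
    """Parse a raw message and return the artefacts worth investigating."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]

    # Each relay prepends its own Received: line, so header order runs from
    # the last hop (top) to the first hop (bottom). Collect IPs in header
    # order, then reverse so the list reads origin -> destination.
    hop_ips: list[str] = []
    for hdr in msg.get_all("Received", []):
        for ip in IPV4_RE.findall(str(hdr)):
            if ip not in hop_ips:
                hop_ips.append(ip)
    origin_ips = list(reversed(hop_ips))

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    urls = sorted(set(URL_RE.findall(text)))
    body_contacts = sorted(set(EMAIL_RE.findall(text)))

    domains = {sender_domain(a) for a in (sender, return_path, reply_to, *body_contacts) if a}
    domains |= {urlparse(u).hostname for u in urls if urlparse(u).hostname}

    return {
        "from": sender,
        "from_domain": sender_domain(sender),
        "return_path": return_path,
        "reply_to": reply_to,
        "origin_ips": origin_ips,
        "urls": urls,
        "body_contacts": body_contacts,
        "domains": sorted(domains),
        # From: is trivially forged; a Reply-To on a different domain is a
        # classic sign that replies are harvested somewhere other than the
        # apparent sender.
        "reply_to_mismatch": bool(reply_to) and sender_domain(reply_to) != sender_domain(sender),
    }


def to_entities(seeds: dict) -> list[tuple[str, str]]:
    """Map the seeds onto Maltego's built-in entity types for graph import."""
    ents = [("maltego.EmailAddress", seeds["from"])]
    ents += [("maltego.EmailAddress", a)
             for a in (seeds["return_path"], seeds["reply_to"], *seeds["body_contacts"]) if a]
    ents += [("maltego.Domain", d) for d in seeds["domains"]]
    ents += [("maltego.IPv4Address", ip) for ip in seeds["origin_ips"]]
    ents += [("maltego.URL", u) for u in seeds["urls"]]
    return ents


if __name__ == "__main__":
    result = extract_seeds(RAW_SCAM_EMAIL)
    for entity_type, value in to_entities(result):
        print(f"{entity_type:24} {value}")
    print("Reply-To on a different domain than From:", result["reply_to_mismatch"])
```

Each (type, value) pair printed by the script corresponds to one entity you would drag onto the Maltego canvas, exactly as the report does by hand for the Domain entity bbox.fr; the IPs from the Received chain and the Return-Path domain are the ones worth a transform first, because unlike the From: header they were written by the relays, not by the scammer.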
Starting the Graph
Once in Maltego, create a new graph by pressing Control + T or by clicking the (+) button in the top left, next to the application icon.
Image 3 – New Graph
After the new graph is created, you can start working on the canvas that appears and use the palette, which lists the entities available for building graphs:
Image 4 – Canvas + Palette
The user can choose between different categories in the palette:
- Devices
- Infrastructure
- Locations
- Penetration Testing
- Personal or Social Network
From the scam e-mail's sender address we obtain the domain bbox.fr.
Then, under Infrastructure, select the Domain entity and drag and drop it onto the canvas.
The new entity becomes one of the nodes of the graph:
Image 5 – Drag and Drop Domain Option
Here the user can and should edit the value of the node: double-click the text box on the node to edit it; in our case the value will be the e-mail's domain, bbox.fr:
Image 6 – Edit the Node: bbox.fr
Once the domain has been set to bbox.fr, run the first transform in Maltego. To do so:
- Right-click on the domain node and select "Run Transform"
- In the new menu choose "All Transforms"
- Multiple options are then displayed; here the user should select
...