Phishing is a common and effective cybercrime tool, but even the most sophisticated threat actors make mistakes that you can leverage in your investigations.
In November 2020, Group-IB and INTERPOL revealed details about operation Falcon, which targeted members of a Nigerian cybercrime ring engaged in business email compromise (BEC) and phishing. The prolific gang, dubbed TMT, compromised at least 500,000 companies in more than 150 countries since at least 2017.
Phishing is TMT’s main attack vector. It also remains the most popular tool among both nation-state hackers and scammers, and nearly every attack involves phishing: websites, accounts, or mailouts with malicious archives or links. Over nearly 20 years, Group-IB has accumulated a lot of practical knowledge about identifying cybercriminals involved in phishing. Try the following steps to guide your next investigation.
Step 1. Analyzing Initial Data, Searching for Artifacts
Start by analyzing the phishing attack type, timeline, distribution method, malicious content, and primary indicators (email, attachment name, links, domains, etc.).
Then, examine the decoy that tricked the victim into opening the malicious email or website. Generally, the decoy is an email, malicious code, or a phishing website. Look for artifacts such as:
- Attachments such as fake payment documents
- Phishing links, which are often disguised as legitimate URLs
- Sent/received time stamps, which help build an incident timeline and sometimes determine the sender’s time zone
- Email headers (Envelope-From, Return-Path, Reply-to, Receive-From), which may allow you to extract the attacker’s real email address and domain, even from forged email details
- Additional headers (X-PHP-SCRIPT, X-ORIGINATING-SCRIPT), which are rare but very valuable artifacts that enable investigators to determine specific mail scripts, URLs, and sometimes the IP address
Phishing attacks can involve malicious code. In our investigations, we are not particularly interested in how the code works. The most important things lie on the surface:
- IP addresses and domains used to communicate with command and control servers and external resources; these will come in handy when analyzing the adversary’s infrastructure
- Developers’ contact information left in the code (e.g., nicknames, email addresses, messenger contacts)
- Text comments, notes, inactive software functions, names of variables and functions, coding style
URLs leading to phishing sites are often found in targeted mailouts. Phishing website analysis includes:
- Analyzing available WHOIS registration data and DNS records
- Noting the website’s functional features and technology stack
- Scrutinizing the webpage code
- Examining forms and authorization interfaces
- Tracking network activity when the client application interacts with the phishing Web server
Servers that host phishing content deserve special attention and analysis. We scan ports, search for open directories, carry out URL fuzzing and content discovery, examine SSL certificates, and search for subdomains.
The main goal of analyzing source objects is to find a clue that helps attribute the phishing campaign. These range from external IP addresses and new domains to advertising identifiers, nicknames, phone numbers, and emails.
Cybercriminals do not leave their real address or phone number in the phishing site’s code nor send emails from their own accounts (although it happens sometimes). However, any action leaves a trace, and the analyst’s job is to find as many traces as possible and connect the dots.
Step 2. Enriching Your Knowledge About the Attackers
Maximize your knowledge about the scope of their visibility by detecting other phishing campaigns, new and previously unknown incidents, test projects, non-hacking-related resources, and their closest social circle. In one case, an attacker’s girlfriend’s Instagram account helped identify the threat actor. (The girlfriend was not as concerned about his anonymity as he was.)
Often, even the most successful hackers have ordinary jobs and live normal lives. They try not to mix their legal and criminal activities. This is where some inconsistencies emerge that help investigators reconstruct chains of events and connect the two sides of a threat actor’s personality.
Attackers are human beings and tend to make mistakes, especially in the early stages of their criminal careers. That is why “gifts” like server misconfigurations, mistakenly specified personal contact information, and nicknames can identify a hacker’s legal side. For example, one criminal reused a nickname he’d used in his cybercrime activities on a medical forum, where he was asking for advice about an X-ray image — which included his full name.
Step 3. Connecting the Dots
At this point, if you are lucky, you have a comprehensive database of clues such as domains, nicknames, accounts on hacker forums, and phone numbers. Here, open source intelligence (OSINT) comes into play. The indicators begin to merge into a long chain leading from the original phishing attack to a specific person or a group.
Network graph analysis tools and threat intelligence and attribution systems, which store information about adversary infrastructures (e.g., IP, domains, servers, etc.), can be of tremendous help. They constantly update their databases of threat actors. While you can never fully automate your investigations, you can use these tools to help define their scope.
Step 4. Validating the Connections: the Rule of Three
The next step is to build and test hypotheses to create a chain of links from phishing activity to specific people. Even if the investigation identifies a specific person, keep looking for additional independent information that help prove their involvement. After confirming your hypotheses with at least three independent facts, you can say you successfully identified the attacker.
Step 5. Arresting the Criminals (if You Can)
Even excellent analytical and research work can be useless. How? Imagine a case in which an attacker living in one country compromises a company in another country and uses the infrastructure located in a third country. Say you even determine their physical location. If the countries don’t have extradition treaties, there is no way to arrest the criminal.
Unfortunately, without effective cross-border cooperation, it is impossible to bring hackers to justice. The case of the Nigerian TMT gang demonstrated that synergy between private companies’ technologies and law-enforcement agencies’ capabilities in the fight against cybercrime can make detection and prosecution of cybercriminals more effective.
Andrey Kolmakov heads up the hi-tech crime Investigations team at Group-IB. He is a cybersecurity expert specializing in cybercrime investigations. In his role, Andrey has participated in and led various international investigations into financially motivated adversaries. … View Full Bio