代写program、Java/Python程序代做
Table of Contents
2. Lab 2 2
2.1 The purposes and differences of the three selected tools. 2
2.1.1 Purpose of Selected Tools 2
2.1.2 Differences Between the Tools 2
2.2 Investigation Findings and Steps 2
2.2.1. Step 1: Extracting IP Address from Email Header 2
2.2.2 Step 2: Analyzing the Embedded URL 3
2.2.3 Step 3: Checking the URL Reputation on VirusTotal 3
2. Lab 2
2.1 The purposes and differences of the three selected tools.
2.1.1 Purpose of Selected Tools
1.IPVoid: IPVoid checks an IP’s reputation by scanning multiple DNS-based blacklists to determine if it has been flagged for malicious activities like spam or malware. This helps verify if an email sender’s IP is suspicious.
2.CheckPhish: analyzes URLs for phishing activities, detecting threats by scanning links. Since phishing emails often include fraudulent links, checking the URL helps identify fake websites used for credential harvesting.
3.VirusTotal: is a popular online service for scanning files, IPs, and domains for threats. It combines various security databases for thorough assessments. Since cybersecurity vendors report phishing domains, so verifying a URL or IP with VirusTotal adds extra verification.
2.1.2 Differences Between the Tools
IPVoid mainly focuses on the reputation of IP addresses and whether they are blacklisted, while CheckPhish focuses on the security of URLs, detecting whether they point to phishing sites. VirusTotal is more comprehensive, providing malicious detection for domain names, files, and IP addresses, covering a larger database of security vendors.
2.2 Investigation Findings and Steps
2.2.1. Step 1: Extracting IP Address from Email Header
Using Visual Studio Code (VSCode) to inspect the email’s raw headers, the sender’s IP address was identified as 46.167.245.207. This IP was analyzed using IPVoid, revealing the following details:
Feature Result
Geolocation Czech Republic
ISP FinalTek.com
Blacklist Status 0/93 (Not blacklisted)
Findings: Although the IP was not blacklisted, it originates from FinalTek.com, a Czech hosting provider, which is unrelated to the University of Glasgow. A genuine university security team would not operate from an external Czech server, making the email's origin highly questionable.
2.2.2 Step 2: Analyzing the Embedded URL
The email contained a hyperlink claiming to be a University of Glasgow security update: www.gla.ac.uk/security.info. However, further analysis using CheckPhish revealed that the link redirected to an unrelated domain: digitalkingdomsecurity.com, hosted by Trellian Pty. Limited (Australia).
Feature Result
Redirected URL digitalkingdomsecurity.com
IP Address 103.224.182.242
Hosting Provider Trellian Pty. Limited (AU)
Screenshot Parked domain with fake links
Findings: The destination webpage was a generic parked page with placeholder security-related links, a common characteristic of phishing attempts. Trellian Pty. Limited is known for hosting parked domains, often used in phishing scams. The URL impersonates the University of Glasgow but redirects to an unrelated domain.
2.2.3 Step 3: Checking the URL Reputation on VirusTotal
To further validate the legitimacy of digitalkingdomsecurity.com, it was submitted to VirusTotal.
Findings: No security vendors flagged the domain as malicious (0/96 detections). However, no detection does not mean it is safe. Many phishing domains go undetected until large-scale attacks occur. The domain history suggests it is an inactive parked domain, which may have been used for phishing previously.
2.2.4 Conclusion: Is This Email a Phishing Attempt?
The email exhibits clear phishing signs. The sender’s IP is not from the University of Glasgow but from a Czech ISP with an anonymous relay. The URL looks like a Glasgow link but redirects to a parked domain. Although security tools did not mark the domain as malicious, the misleading sender, anonymous relay, and deceptive link structure suggest phishing.