Trace the Phish: Pivoting from Email to DNS to Server IP
The challenge
A user reported this phishing email. Open the sources and correlate them: the email points to a domain, the domain has a DNS record, and a leaked config mentions the same host. Find the address the phishing site actually runs on and submit that IP.
What you will learn
- Pivot across independent sources (email, WHOIS, DNS, paste) to build a picture
- Read a phishing email's headers and link for the attacker's domain
- Resolve a hostname to its A record and recognise it as the real infrastructure
- Spot a freshly registered look-alike domain as a phishing indicator
Skills tested
Prerequisites
- Basic understanding of email, domains, and DNS records
- Awareness of phishing
How it works
Investigating a phishing report is an exercise in pivoting: no single artifact tells the whole story, so you connect independent sources until they point at the same thing. You start with what the victim received and follow it outward to the attacker's infrastructure.
The email is the entry point. Its display name impersonates IT, but the real signal is the link domain, acme-verify.co - a look-alike of the legitimate brand. The WHOIS corroborates the threat: the domain was registered only days ago and hides behind privacy, both hallmarks of a throwaway phishing domain. The decisive pivot is DNS: resolving the phishing hostname secure-login.acme-verify.co gives an A record, and that IP - 203.0.113.66 - is the actual machine serving the fake login page. The leaked kit config is independent confirmation: it lists the attacker's admin panel on the same IP.
The OSINT board presents each source as a card you open and read. The intel you want is not on any one card by itself; it emerges when the email's domain, the DNS A record, and the paste all line up on one address. That address is what a defender blocks at the firewall and reports to a takedown service.
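As an added example (not part of the challenge page), the correlation described above written as a small Python script over constructed stand-ins for the four cards; the email text, WHOIS dates, DNS table and paste contents are all made up here, and only the domain, hostname and IP come from the challenge.

```python
import re
from datetime import date
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample artefacts standing in for the board's cards (not real data).
PHISH_EMAIL = """From: IT Support <it-support@acme-verify.co>
To: user@example.org
Subject: Action required: verify your account
Content-Type: text/plain

Your password expires today. Verify now:
https://secure-login.acme-verify.co/login?u=user
"""
WHOIS = {"domain": "acme-verify.co", "created": date(2024, 5, 10),
         "registrant": "REDACTED FOR PRIVACY"}          # assumed values
DNS_A = {"secure-login.acme-verify.co": "203.0.113.66"}
PASTE = "panel_url = http://203.0.113.66:8080/admin\nresults_mail = ops@example.net"
REPORT_DATE = date(2024, 5, 13)  # assumed: the day the user reported the email

def link_hosts(raw_email):
    """Hostnames of every http(s) link in the body; the link, not the From name, is the evidence."""
    body = message_from_string(raw_email).get_payload()
    return {urlparse(u).hostname for u in re.findall(r"https?://\S+", body)}

def registrable_domain(host):
    """Last two labels; sufficient for the flat TLD used here (assumption, not a PSL lookup)."""
    return ".".join(host.split(".")[-2:])

def domain_age_days(whois, report_date):
    return (report_date - whois["created"]).days

def pivot(raw_email, whois, dns_a, paste, report_date, max_age_days=30):
    """Pivot email -> domain -> A record and check the paste lands on the same IP."""
    host = next(h for h in link_hosts(raw_email)
                if registrable_domain(h) == whois["domain"])
    ip = dns_a[host]  # the A record is where the site actually runs
    paste_ips = set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", paste))
    indicators = []
    if domain_age_days(whois, report_date) <= max_age_days:
        indicators.append("newly registered domain")
    if "PRIVACY" in whois["registrant"].upper():
        indicators.append("privacy-protected registrant")
    if ip in paste_ips:
        indicators.append("kit config references same IP")
    return {"domain": whois["domain"], "host": host, "ip": ip, "indicators": indicators}

if __name__ == "__main__":
    print(pivot(PHISH_EMAIL, WHOIS, DNS_A, PASTE, REPORT_DATE))
```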
Common mistakes
- Submitting the domain instead of the IP. The question asks where the site runs - resolve the hostname to its A record.
- Trusting the From display name. 'IT Support' is spoofable; the link domain is the evidence.
- Reading one source in isolation. The answer comes from connecting the email's host, the DNS record, and the paste.
- Ignoring the registration date. A domain created days ago is a strong phishing indicator worth noting.
How to defend against it
Defensively, the recovered IP and domain feed directly into response: block them, hunt for other users who clicked, and submit a takedown. The freshly registered look-alike is the kind of indicator that newly-registered-domain detections and brand-monitoring catch early.
- Block the malicious domain and IP at the mail gateway and firewall, and hunt logs for prior contact.
- Monitor for newly registered look-alike domains of your brand.
- Report phishing infrastructure to the hosting provider and a takedown service.