
Phish Detection Agency

Difficulty:
Direct link: https://hhc23-phishdetect-dot-holidayhack2023.ue.r.appspot.com/

Objective

Request

Fitzy Shortstack on Film Noir Island needs help battling dastardly phishers. Help sort the good from the bad!

Fitzy Shortstack

Just my luck, I thought...
A cybersecurity incident right in the middle of this stakeout.
Seems we have a flood of unusual emails coming in through ChatNPT.
Got a nagging suspicion it isn't catching all the fishy ones.
You're our phishing specialist right? Could use your expertise in looking through the output of ChatNPT.
Not suggesting a full-blown forensic analysis, just mark the ones screaming digital fraud.
We're looking at all this raw data, but sometimes, it takes a keen human eye to separate the chaff, doesn't it?
I need to get more powdered sugar for my donuts, so do ping me when you have something concrete on this.

Hints

DMARC, DKIM, and SPF, oh my!

From: Fitzy Shortstack

Discover the essentials of email security with DMARC, DKIM, and SPF at Cloudflare's Guide.

Solution

Our assignment is to classify emails as "Safe" or "Phishing" based on formal criteria: the SPF, DKIM and DMARC records.

Intro text

Attention, Digital Defenders! You've entered the realm of the Phishing Detection Agency, where advanced AI meets human insight. It's been reported that AI has started hallucinating, and it's up to you to discern the reality behind these emails.

Key: In the shadow-laden corridors of our menu, the Phishing link casts a crimson hue, a siren's call warning that the number of deceitful emails is amiss. Should our digital sleuthing align perfectly with the cunning of these tricksters, watch as it transforms, glowing an emerald green in triumphant success.

Collaboration with ChatNPT: In our ongoing battle against phishing, we've enlisted ChatNPT to preliminarily flag potential phishing attempts. These flagged emails are stored in the Phishing Folder. However, AI isn't foolproof! It's up to you, the astute investigator, to dive into these emails and confirm their legitimacy. Cross-reference with our DNS records, apply your knowledge of SPF, DKIM, and DMARC, and ensure that only true phishing threats remain in the Phishing Folder. Your keen eye for detail is crucial in outsmarting these digital tricksters!

Your mission: Navigate through our virtual vault of emails, employ your knowledge of SPF, DKIM, and DMARC, and identify those deceptive, phishing attempts.

We see a few headers for each email message, such as “From,” “Reply-to,” “Date,” “Subject,” “Return-Path,” “Received,” “DKIM-Signature,” and “DMARC.”

We consider an email to be a phishing attempt if one or more of the following criteria are met:

  • The address in the “From” header is different from the address in the “Return-Path” header.
  • The DKIM-Signature is invalid or missing, but the “From” address claims to be from the “@geeseislands.com” domain.
  • The “From” address is from “@geeseislands.com,” but the “Received” header indicates that the email was not received from “mail.geeseislands.com.”

After applying these criteria, we are left with 10 confirmed phishing emails:

Sender                            Subject
--------------------------------  ------------------------------------------
xavier.jones@geeseislands.com     Urgent IT Security Update
victor.davis@geeseislands.com     Invitation to Research Grant Meeting
ursula.morris@geeseislands.com    Legal Team Expansion Strategy
steven.gray@geeseislands.com      Procurement Process Improvements
rachel.brown@geeseislands.com     Customer Feedback Analysis Meeting
quincy.adams@geeseislands.com     Networking Event Success Strategies
oliver.thomas@geeseislands.com    New Research Project Kickoff
nancy@geeseislands.com            Public Relations Strategy Meet
michael.roberts@geeseislands.com  Compliance Training Schedule Announcement
laura.green@geeseislands.com      Security Protocol Briefing

The challenge automatically announces our win the instant we have correctly classified the last email:

Success

Congratulations, Ace Detective! You've successfully navigated the treacherous waters of deception and emerged victorious. Your sharp wits and keen eye for detail have cracked the case wide open, proving that even the most cunning phishing attempts are no match for your discerning mind.

In a world where shadows often obscure the truth, you shone a bright light on duplicity. Your unwavering commitment to truth and justice in the digital realm has kept our virtual streets safe. Thanks to your efforts, the Phishing Detection Agency stands strong, a bulwark against the tide of digital deceit.

Remember, the battle against phishing is ongoing, but with sleuths like you on the case, the internet remains a safer place. You're not just a hero; you're a guardian of the digital frontier. So here's to you, the quintessential cyber sleuth, a beacon of hope in these pixelated alleyways of misinformation.

Your achievement is not just a personal victory; it's a triumph for all of us in the agency.

Images

phishing emails

Answer

After solving the challenge, the completed objective is listed under "Achievements" on the player's badge.

AI-improved answer text

I asked Bing Chat to rephrase my original answer using this prompt:

Could you rephrase the following text to make it more easy to understand it?

We are shown a select assortment of headers for each email message:

  • From
  • Reply-to
  • Date
  • Subject
  • Return-Path
  • Received
  • DKIM-Signature
  • DMARC

We classify an email as a phishing attempt when one or more of these criteria apply:

  • The address in the "From" header differs from the address in the "Return-Path" header.
  • The DKIM-Signature reads as invalid or missing, but the "From" address claims to come from the @geeseislands.com domain.
  • The "From" address is from @geeseislands.com, but the "Received" header indicates that the email was not received from mail.geeseislands.com.
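The three criteria just listed (the same ones stated in the Solution section above) are mechanical enough to script. The following is an added example, not part of the original writeup or the challenge, that parses a block of raw headers with Python's standard library and reports which criteria an email trips. It assumes the trusted domain and relay named on the page (geeseislands.com and mail.geeseislands.com), treats a DKIM signature as "invalid" when its d= tag does not name the From domain (an assumption; a real verifier would fetch the selector's public key from DNS and check the signature), and reads the sending host from the first "from" token of the Received header. The sample headers at the bottom are constructed for the demonstration.

```python
"""Header-based phishing triage for the three criteria in the writeup (added example)."""
import email.utils
from email.parser import HeaderParser

TRUSTED_DOMAIN = "geeseislands.com"       # domain the phishing emails claim to be from
TRUSTED_MX = "mail.geeseislands.com"      # relay a genuine message should arrive from


def _addr(value):
    """Return the lower-cased address part of a header such as 'Name <a@b>'."""
    return email.utils.parseaddr(value or "")[1].lower()


def _domain(addr):
    """Domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def _dkim_domain(sig):
    """Extract the d= tag of a DKIM-Signature header (None if header or tag is absent)."""
    if not sig:
        return None
    for tag in sig.split(";"):
        key, _, val = tag.strip().partition("=")
        if key.strip().lower() == "d":
            return val.strip().lower()
    return None


def _received_from(received):
    """Host named after 'from' in a Received header, or '' if none is present."""
    if not received:
        return ""
    tokens = received.split()
    for i, tok in enumerate(tokens):
        if tok.lower() == "from" and i + 1 < len(tokens):
            return tokens[i + 1].strip("()[];,").lower()
    return ""


def classify(raw_headers):
    """Return the list of criteria the email trips; an empty list means 'Safe'."""
    msg = HeaderParser().parsestr(raw_headers)
    sender = _addr(msg.get("From"))
    return_path = _addr(msg.get("Return-Path"))
    reasons = []

    # Criterion 1: From and Return-Path disagree.
    if sender != return_path:
        reasons.append("from/return-path mismatch")

    if _domain(sender) == TRUSTED_DOMAIN:
        # Criterion 2: trusted From domain, but DKIM signature missing or not for that domain.
        # Assumption: "invalid" is modelled as a d= tag that does not match the From domain.
        if _dkim_domain(msg.get("DKIM-Signature")) != TRUSTED_DOMAIN:
            reasons.append("dkim missing/invalid for trusted domain")
        # Criterion 3: trusted From domain, but first hop is not the trusted relay.
        if _received_from(msg.get("Received")) != TRUSTED_MX:
            reasons.append("received from unexpected host")
    return reasons


# Constructed sample headers (not taken from the challenge).
SAFE = """\
From: alice@geeseislands.com
Return-Path: <alice@geeseislands.com>
Received: from mail.geeseislands.com (mail.geeseislands.com [203.0.113.10]) by mx.example.net
DKIM-Signature: v=1; a=rsa-sha256; d=geeseislands.com; s=sel1; h=from:subject; b=AAAA
Subject: Team lunch
"""

SPOOFED = """\
From: bob@geeseislands.com
Return-Path: <bob@geeseislands.com>
Received: from mail.evil.example (mail.evil.example [198.51.100.5]) by mx.example.net
DKIM-Signature: v=1; a=rsa-sha256; d=geeseislands.com.example; s=sel1; h=from; b=BBBB
Subject: Urgent IT Security Update
"""

if __name__ == "__main__":
    for name, headers in (("safe", SAFE), ("spoofed", SPOOFED)):
        verdict = classify(headers)
        print(name, "->", "Phishing" if verdict else "Safe", verdict)
```

Running the module prints a verdict per sample; `classify` returns the triggered criteria so the output can be fed into whatever triage list or ticket a reviewer works from, and an empty list is the "Safe" case.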

After applying these, 10 true phishing emails remain:

Response

Fitzy Shortstack

You've cracked the case! Once again, you've proven yourself to be an invaluable asset in our fight against these digital foes.