Phishing Analysis with Voyant Tools


Recently I came across a tool called Voyant Tools.

Voyant Tools is a web-based text analysis platform designed to assist researchers in exploring, analyzing, and visualizing digital texts. Developed by Stéfan Sinclair and Geoffrey Rockwell, this suite of tools allows users to investigate patterns, frequencies, and relationships within textual data, making it an invaluable resource for various disciplines such as digital humanities, linguistics, and data-driven journalism.

Although Voyant Tools is not specifically designed for analyzing malicious email files (.eml), it can still provide valuable insights into the structure, content, and patterns present in such files. Researchers can benefit from the following features:

It is important to note that while Voyant Tools can provide valuable insights into the textual features of malicious emails, it does not offer specific functionality for analyzing email headers, attachments, or embedded links. As such, researchers should complement their use of Voyant Tools with additional cybersecurity tools and techniques to conduct a comprehensive analysis of potentially harmful emails.

Now let’s talk about phishing:

Phishing scams are fraudulent activities wherein cybercriminals masquerade as legitimate entities to deceive individuals into revealing sensitive information, such as usernames, passwords, financial details, and personal information. These scams typically rely on communication channels such as email, social media, and text messages to lure victims into clicking malicious links, downloading harmful attachments, or providing confidential data.

The most commonly used themes in phishing scams include:

Phishing scams are a serious threat. Below are some of the latest statistics emphasizing their danger:

Learn more about the latest phishing trends in 2023 here.

As phishing scams continue to evolve and target a wide range of industries and individuals, it is crucial to raise awareness and implement robust security measures to protect against these threats. Today we will use Voyant Tools to analyze some of the common and pressing themes in the realm of phishing emails.

One can gain deeper insight into phishing emails without becoming a victim by using tools and services like CaniPhish. It is primarily used for user training in enterprise networks, but standalone end users can benefit from it as well.

Utilizing Voyant Tools for analyzing Phishing

Methodology:

This is not rigorous research work, but I will still outline the overall methodology used in this article.

I found a dataset of common phishing email samples used in real-world malware campaigns and submitted by users, administrators, and so on. These .eml files contain all the details of the phishing emails as received on their endpoints, including the security headers and the email contents.

Voyant Tools can decode Base64-encoded email contents on its own. It also does not evaluate the security headers and the like in the .eml files; it automatically focuses on analyzing the main content of the email itself. This saves us the time of cleaning complex data such as the “original message” of an email, since here we are interested only in text analysis of malicious emails. For safety, the real malicious links and sensitive information in these sample emails have been replaced with the benign phishing@pot.

Remember to anonymize the files hiding information that could identify the address of your Honey Pot. All sensitive information should be replaced with phishing@pot. Sometimes the email address is contained within the content, either in the body of the message or in malicious URL arguments. Be sure to check these fields. If the content is encoded in base64, decode it, change the necessary values, re-encode it in base64 (respecting the indentation).

Above is a transcript from Phishing Pot’s GitHub repo.

Data set used - Phishing Pot
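
The anonymization steps quoted above can be scripted. The following is an added example, not code from Phishing Pot or from the original article; the address trap@honeypot.example, the sample message and the function names are constructed for illustration, and handling the %40 URL-encoded form goes slightly beyond the quoted instructions.

```python
import base64
import re
from email import message_from_string

PLACEHOLDER = "phishing@pot"          # replacement value named in the instructions
HONEYPOT = "trap@honeypot.example"    # constructed address, for illustration only

BODY = ("Dear trap@honeypot.example, your wallet is locked. Verify within 24 hours: "
        "http://login.example/verify?email=trap@honeypot.example"
        "&next=%2Fu%3Ftrap%40honeypot.example\n")
# Constructed sample message: one header and a base64 body that both leak the address.
SAMPLE = ("From: Support <support@sender.example>\n"
          "To: trap@honeypot.example\n"
          "Subject: Action required\n"
          "MIME-Version: 1.0\n"
          'Content-Type: text/plain; charset="utf-8"\n'
          "Content-Transfer-Encoding: base64\n\n"
          + base64.encodebytes(BODY.encode()).decode())


def scrub(text: str, address: str) -> str:
    """Replace the address, ignoring case, in plain and %40 URL-encoded form."""
    pairs = ((address, PLACEHOLDER),
             (address.replace("@", "%40"), PLACEHOLDER.replace("@", "%40")))
    for needle, replacement in pairs:
        text = re.sub(re.escape(needle), replacement, text, flags=re.IGNORECASE)
    return text


def anonymize_eml(raw: str, address: str) -> str:
    """Return the message with the address removed from headers, bodies and base64 parts."""
    msg = message_from_string(raw)
    for part in msg.walk():
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if part.is_multipart() or cte != "base64" or part.get_content_maintype() != "text":
            continue
        lines = part.get_payload().splitlines()
        # Re-wrap at the sample's own line width (76 when it cannot be inferred).
        width = len(lines[0]) if len(lines) > 1 and lines[0] else 76
        charset = part.get_content_charset() or "utf-8"
        text = base64.b64decode("".join(lines)).decode(charset, errors="replace")
        data = scrub(text, address).encode(charset, errors="replace")
        encoded = base64.b64encode(data).decode("ascii")
        part.set_payload("\n".join(encoded[i:i + width]
                                   for i in range(0, len(encoded), width)) + "\n")
    # Headers and unencoded bodies are plain text in the serialised message.
    return scrub(msg.as_string(), address)
```

Only text parts are rewritten here; attachments and other binary parts still need a manual check before a sample is shared.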

Psychology behind Phishing:

Phishing emails exploit various psychological principles to manipulate victims into divulging sensitive information or performing actions that compromise their security. Some of the key psychological targets employed by cybercriminals include:

By understanding and recognizing these psychological targets, individuals can become more vigilant and better equipped to identify and avoid falling victim to phishing scams.

Using Voyant Tools we will attempt to identify and understand some of the most common themes in the realm of Phishing. I have chosen 11 random malicious .eml files for analysis.
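
To see roughly what this kind of body-only term counting involves, here is an added example (not Voyant Tools' code and not part of the original article) that decodes the body of one .eml, ignores the headers, and counts cue words per theme. The sample message, the stop-word list and the cue-word lists are constructed assumptions.

```python
import base64
import re
from collections import Counter
from email import message_from_string

# Constructed cue words for themes named in this article; an assumption, not a vetted lexicon.
THEMES = {
    "urgency": {"urgent", "expire", "expires", "terminated", "last", "immediately", "today"},
    "authority": {"security", "verify", "verification", "account", "bank", "subscription"},
    "reward": {"claim", "reward", "exclusive", "offer", "bitcoin", "free"},
}
STOPWORDS = {"the", "a", "an", "to", "your", "you", "is", "of", "and", "for",
             "will", "be", "it", "in", "or", "on", "this"}

BODY = ("Your subscription will be terminated today. This is the last day to "
        "claim your exclusive reward. Claim it today.\n")
# Constructed sample: the Subject header holds cue words that must NOT be counted.
SAMPLE = ("From: Support <support@sender.example>\n"
          "To: phishing@pot\n"
          "Subject: Security alert from your bank\n"
          "MIME-Version: 1.0\n"
          'Content-Type: text/plain; charset="utf-8"\n'
          "Content-Transfer-Encoding: base64\n\n"
          + base64.encodebytes(BODY.encode()).decode())


def body_text(raw: str) -> str:
    """Decode every text part (base64 or quoted-printable) and drop the headers."""
    chunks = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        data = part.get_payload(decode=True) or b""
        text = data.decode(part.get_content_charset() or "utf-8", errors="replace")
        if part.get_content_subtype() == "html":
            text = re.sub(r"<[^>]+>", " ", text)  # crude tag strip, enough for counting
        chunks.append(text)
    return "\n".join(chunks)


def term_counts(raw: str) -> Counter:
    """Word frequencies of the decoded body, without stop words."""
    words = re.findall(r"[a-z]{2,}", body_text(raw).lower())
    return Counter(w for w in words if w not in STOPWORDS)


def theme_hits(raw: str) -> dict:
    """Number of cue-word occurrences per theme in the decoded body."""
    counts = term_counts(raw)
    return {theme: sum(counts[w] for w in cues) for theme, cues in THEMES.items()}
```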

Last day to claim your exclusive offer / reward type phishing scams.

Phishing emails like these create a sense of curiosity and intrigue the victim into trying their schemes: attempting to log into the said wallets, clicking their malicious links, opening the malicious attachments, and so on.

Bitcoin- and cryptocurrency-themed phishing scams often offer some Bitcoins, not much, just 75… enticing, isn’t it?!

McAfee subscription may be terminated, extend it… This creates a sense of urgency and authority, as we will see in some other phishing emails here.

No attachment was found with this malicious email, but usually they carry either a malicious link or an attachment. The theme is simple: an innocent-looking initiation from a bank, a legit banking fraud.

Moving ahead with modern themes, we have NFTs (OpenSea) scam.

This one has a malicious link in its email body, which is already flagged as malicious by other security vendors. The theme is based on “money withdrawal”, or on some amount of money they claim is residing in your wallet or account.

An enticing social-proof-themed phishing email, revolving around food, diet planning and exclusivity to join their program or subscription.

Classic security email phishing scam - Facebook: someone tried to log into your account.

Charming Russian girls

KYC wallet verification scam. These variations of phishing emails often leverage a sense of urgency and authority.

I hope end users gain deeper insight into the body and contents of typical phishing emails used in real-world malware campaigns. Using Voyant Tools, one can tweak and play around with the analysis above. Being aware and cautious puts us in a safer zone. The built-in spam filters available in most mailboxes are effective, but attackers evolve over time and often bypass them. So identifying what’s in your mailbox and telling malicious emails apart from benign ones will keep you safe.

© 2023 Siddhartha Shree Kaushik