Phish response IPs – determining if a phish has been viewed on another device or forwarded

In some cases you will see different IP addresses recorded for the same user. This can happen:

  • Where a user views their email on different devices or networks – e.g.
    1. On their primary work device (desktop / laptop) and

    2. On a secondary mobile device that may be using a different / mobile network (and therefore be assigned a different IP address)

  • Where a user views the phish / email and then forwards that email to a different user

So how do we determine which of the two scenarios above is the more likely?

The answer is to look at the reporting IP addresses in the same way as in the earlier analysis: look each one up, note the ISP (and whether it is a fixed-line, mobile or hosting provider), the country it is registered in, and how far apart the reported times are.

Note: This task becomes more complex where users connect through a VPN in order to access the Internet / your systems, because every click then appears to come from the VPN's egress address rather than from the user's own network. Please let us know if this is the case.


Example 1 – User has likely viewed the phishing email on their own local device and then also on a mobile device

Looking at the two IP addresses above for the user [email protected], we can see that the first one is Eircom (an Irish ISP) and the second is Three (an Irish cell phone / mobile internet service provider).

We also note that the reported times are very close together (within a minute / minutes of each other).

[Screenshot: IP lookup result] Eircom – Irish Telco / ISP


[Screenshot: IP lookup result] Three – Irish cell phone service provider / mobile ISP

So while this is not conclusive, it is reasonable to assume (given the closeness in time of the reported clicks and that both IPs belong to Irish ISPs) that this is the same user, first on their primary device and then on their mobile phone or another device.

There will be exceptions to this general rule, so further analysis may be required on a case-by-case basis.


Example 2 – User has viewed the phishing email on their local device but then forwarded it to another user

In the above example for the user [email protected], we again see two IP addresses.

When we look up the Eircom IP we again see that this is an Irish based ISP, as shown below. We also know that this user works in Donegal (Ireland), so this is likely their home ISP / broadband provider. We look it up to confirm using Iplocation.net as below:


[Screenshot: Iplocation.net lookup of the Eircom IP, showing Ireland]

 

We then look up the second IP address reported: 68.235.38.164. This one seems unusual, as we do not recognise the ISP (Tzulo Inc).

We find that this IP is based in the USA (Illinois):

 

[Screenshot: Iplocation.net lookup of 68.235.38.164, showing Tzulo Inc, Illinois, USA]

This tells us that the user has most likely forwarded the email to someone in the US: the second click comes from a different country and a network we do not recognise, and it was recorded 30 minutes after the Irish click, which is not consistent with the same user simply picking up a second device. One caveat: if the second IP belongs to a hosting / datacentre provider rather than a consumer or mobile ISP, also consider that an automated link scanner may have followed the link (see the false positives article below), and confirm with the recipient before treating it as a forward.
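The two worked examples above apply the same test: look each IP up, compare country and provider type, and compare the time gap. The script below is an added example (not SafeTitan code) that automates that decision over a small set of click records. Everything in it is constructed for illustration: the user names, click times and the IP-to-network table are made up, the Eircom / Three / VPN prefixes are RFC 5737 documentation ranges rather than real allocations, and the only value taken from this article is 68.235.38.164 (Tzulo Inc, Illinois, USA). The "kind" column (fixed, mobile, vpn, hosting) is an assumption you would confirm with a WHOIS or Iplocation.net lookup; in production you would replace the table with a real lookup. It also handles the two cases the article flags as harder: a click via a VPN egress address is returned as inconclusive, and a forward to a hosting-provider IP carries a reminder to rule out an automated link scanner.

```python
"""Classify phishing-simulation clicks recorded from more than one IP for a user.

Added example, not SafeTitan's code. All records and prefixes below are
constructed; only 68.235.38.164 / Tzulo Inc / US comes from the article.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Network:
    prefix: ipaddress.IPv4Network
    isp: str
    country: str
    kind: str  # "fixed", "mobile", "vpn" or "hosting" (assumed classification)


@dataclass(frozen=True)
class Click:
    user: str
    ip: str
    time: datetime


# Offline stand-in for the Iplocation.net lookup used in the article (constructed;
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges).
NETWORKS: List[Network] = [
    Network(ipaddress.ip_network("203.0.113.0/24"), "Eircom", "IE", "fixed"),
    Network(ipaddress.ip_network("198.51.100.0/24"), "Three", "IE", "mobile"),
    Network(ipaddress.ip_network("192.0.2.0/24"), "Corporate VPN egress", "IE", "vpn"),
    Network(ipaddress.ip_network("68.235.38.164/32"), "Tzulo Inc", "US", "hosting"),
]

# Two clicks from the same country within this window are treated as one person
# switching devices (the article's "within a minute / minutes" rule of thumb).
MULTI_DEVICE_WINDOW = timedelta(minutes=10)


def lookup(ip: str) -> Optional[Network]:
    """Return the Network record containing ip, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net in NETWORKS:
        if addr in net.prefix:
            return net
    return None


def classify(first: Click, second: Click) -> Tuple[str, str]:
    """Decide between 'same user on another device' and 'forwarded' for two clicks.

    Returns (verdict, explanation). Verdicts: same_user_multiple_devices,
    likely_forwarded, inconclusive_vpn, inconclusive, unknown_network.
    """
    a, b = lookup(first.ip), lookup(second.ip)
    delta = second.time - first.time
    gap = int(delta.total_seconds() // 60)
    if a is None or b is None:
        missing = first.ip if a is None else second.ip
        return "unknown_network", f"no record for {missing}; look it up manually"
    if "vpn" in (a.kind, b.kind):
        # A VPN egress address hides the user's real network and location.
        return "inconclusive_vpn", "click came via a VPN egress address; check with the VPN team"
    if a.country != b.country:
        detail = f"{a.isp} ({a.country}) then {b.isp} ({b.country}) {gap} min later"
        if b.kind == "hosting":
            # Hosting / datacentre ranges also host automated link scanners,
            # a known source of false positives; confirm with the recipient.
            detail += "; second IP is a hosting provider, so also rule out a link scanner"
        return "likely_forwarded", detail
    if delta <= MULTI_DEVICE_WINDOW:
        return ("same_user_multiple_devices",
                f"{a.isp} ({a.kind}) then {b.isp} ({b.kind}) {gap} min later, same country")
    return "inconclusive", f"same country, {a.kind} then {b.kind}, {gap} min apart; review case by case"


def analyse(clicks: List[Click]) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Group clicks per user, sort by time and classify each consecutive pair of IPs."""
    by_user: Dict[str, List[Click]] = {}
    for c in clicks:
        by_user.setdefault(c.user, []).append(c)
    results: Dict[str, List[Tuple[str, str, str, str]]] = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda c: c.time)
        results[user] = [(a.ip, b.ip) + classify(a, b) for a, b in zip(recs, recs[1:])]
    return results


# Constructed click records mirroring the two worked examples plus a VPN case.
CLICKS = [
    Click("user1@example.com", "203.0.113.45", datetime(2023, 5, 1, 9, 0, 10)),
    Click("user1@example.com", "198.51.100.77", datetime(2023, 5, 1, 9, 1, 30)),
    Click("user2@example.com", "203.0.113.200", datetime(2023, 5, 1, 10, 15, 0)),
    Click("user2@example.com", "68.235.38.164", datetime(2023, 5, 1, 10, 45, 0)),
    Click("user3@example.com", "192.0.2.5", datetime(2023, 5, 1, 11, 0, 0)),
    Click("user3@example.com", "203.0.113.9", datetime(2023, 5, 1, 11, 2, 0)),
]

if __name__ == "__main__":
    for user, pairs in analyse(CLICKS).items():
        for ip1, ip2, verdict, detail in pairs:
            print(f"{user}: {ip1} -> {ip2}: {verdict} ({detail})")
```

Run as-is, user1 is reported as the same person on a second device (Eircom then Three, about a minute apart, both Irish), user2 as a likely forward (Eircom then Tzulo Inc in the US, 30 minutes later, with the scanner reminder), and user3 as inconclusive because the first click arrived through the VPN egress range. The ten-minute window is a tunable assumption, not a rule from the article; widen or narrow it to match what you see in your own campaigns.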

If you have any questions on any of the above, the support team at SafeTitan will be on hand to help you at all times if required.

We are here to help you. Please do not hesitate to reach out to us should you need any further assistance.

Suggested additional reading: Analysing Phish Responses - Recognising false positives and how to correct