Instagram Account Recovery

Is Instagram’s account recovery workflow disappearing on some accounts and devices? We’ve had reports from readers and friends who’ve had hacked Instagrams with no success in using Instagram’s published docs to recover the account once the attacker’s email and phone number have changed.

Here’s a copy of the official Instagram post: I think my Instagram has been hacked.

(Update 12/6 – After testing for weeks over 40 times we can see the option on an Android but at the same time not on his iPhone following the same process. Another user reports the option appeared on an iPhone. We put in the attacker’s email, then see ‘Need more help?‘ but it has to be from a phone that’s logged in before and not a new device.)

The email doesn’t say ‘Revert Change‘ anymore as indicated in the Doc above:

‘I can’t access this email’ or ‘phone number’ is no longer in the UI no matter how long you wait or how many times you resend the codes:

Clicking ‘Secure your account here‘ brings you to a login page or the Help Center. No workflow triggers an account recovery of any kind, whether from a mobile or web browser:

Password reset emails offer no option to declare you’ve lost access to the email or phone number on the account:

(It usually says ‘Need more help?‘ but that option is missing on some devices)

Instagram mentions its new selfie function to recover accounts, but how? There’s no UI in any apps to trigger the Account Recovery options that lead to this outcome.

How does one recover once a hacker has changed the phone number and email address on the account?

Card Fraud – Express Store 2401

*** Update 9/12/22 *** – Thousands of people are visiting this blog regularly due to card fraud of their own via Express Store 2401. I have not been able to gather any more information from the companies involved, but I continue to dig deeper into how they’re stealing these cards and other parts of the operation. It’s ridiculous that it’s been going on this long and that Wells Fargo isn’t concerned with somebody stealing a card that’s never been used.

Wells Fargo texted me the other night about its fraud system. The issue was an attempted charge from EXPRESS 2401 in Columbus, Ohio. After a bit of Google research, I found that the world is no stranger to fraud coming from this location.

I’ve never once used this card with any other merchant or website. It was activated in June of 2021 and then locked in a cabinet. It also seems that if something were purchased on Express.com, it would show up as CORP, not a particular store location.

Here is the response from Express:

As a part of the investigation, I’ve set out to answer a few questions about this particular scenario:

  1. How could the attackers steal a card that’s never been used before?
  2. Did attackers hijack the Express merchant account for this location?
  3. Why does fraud persist at store #2401 despite reporting to the banks and Express for over 8 months?

The story will be updated as more information is obtained about this issue at Express Stores.

 

Ben Damman aka TypeSend

In our opinion, Ben Damman (CEO of Aliens From The Future, Inc.) is not a reliable person. He took $8,041.67 from us to work on a project in September 2020, where he has yet to make any progress. By that, I mean he failed to show up for most meetings, made endless excuses, did near-zero code commits, took on new business, and did the same thing to other people on UpWork in the interim.

Ben manually logged ~66 hours, including a twelve-hour day, and reportedly worked a weekend where he never committed any code aside from a bare-bones Elixir framework. He would send reassurances like “I’m going to commit a release soon,” “There’s going to be a big unveiling…” and “I don’t have any problem paying you back. The check is on the way“. Despite his reassurances when he was communicating, he’s never delivered on anything he’s promised, at any time, in any way.

Ben publicly brags about working at the White House

Ben publicly brags about working at Apple

Ben publicly brags about being an expert developer.

He just wouldn’t do anything he said he would do, even though he was capable of it…

The cancellations and last-minute changes with meetings became the only time we’d ever have a chance to communicate:

Ben’s “beast mode” approach didn’t work out for me because he never sent those screenshots, links, or instructions.

Here’s an example where Ben used the January invasion with a simultaneous stomach bug to deflect an email asking how he was doing, given he hadn’t created anything or been communicating at that point ninety-one days after the project began:

(After replying within an hour, providing various times we could have a call, there was no further communication…)

Ben told me he wanted a bonus because he was “low on money” (unemployed) during this time. I generously gave him $1k out of my pocket as a bonus for the proposal win he had come up with to help with this personal project. At that point, all he’d done was create a 1.5-page document that might’ve taken an hour for him to prepare; and he did that only after canceling the meeting to unveil it…

Here’s a review from another client he took money from only eight days after I canceled his contract from Oct 14, 2020 – Jan 19, 2021:

Ben’s original excuse was a death in the family (Uncle) back in December timeframe. If that caused him to be unable to work on our project, why would he take on another one a week after being fired from this one? He also displayed the same behaviors, taking the money and never getting any work done.

That happened to be 13k between our two organizations.

Imagine looking at a freelancer’s Instagram while they travel, eat out at excellent restaurants, and move to a beautiful new place, all while not communicating with you and living off of your hard-earned money for doing absolutely nothing in return and then watching them do it to another business right after you buy into a waterfall of pitiful excuses!

Ben legitimately hurt our future endeavors with his inaction, holding the project back for months and wasting valuable time getting to the market. Ben was initially hired to troubleshoot an existing environment, which he could not do, and instead convinced us to build an entirely new one using his preferred frameworks.

If it weren’t for this picture of President Obama and references to the White House, Apple, Google, and other trustworthy organizations in his social media, I would not have hired him to help me build out this concept. It’s sad, but I bought into this precarious ‘My jobs are my identity’ delusion, somehow thinking it would guarantee the reliability, but it produced nothing.

Ben should pay back the money he owes because he did not perform meaningful work when the project was engaged. Ben’s approach was to do harm first (Nocere primo) by separating us from our limited capital, wasting our time, and moving out of town to never be seen or heard from again.

Meanwhile, he’s familiar with issues of the financial kind, so I’m still determining if I’ll ever get my funds back. Much like these creditors below, who had to use courts to force Ben to pay his bills, we’ll probably have to go this route at some point:

(Per WhitePages.com)

$4,306 to Express Personal Services
$9,802 to Asset Acceptance, LLC
$3,600 to GB, LLC
$1,640 to Capital One Bank
~$20k in legal judgments.

Ben’s never attempted to pay back $1 despite being given options to return a significantly reduced amount with open terms, i.e., Ben wouldn’t finalize a very generous agreement to pay even half back, with open terms on how much he pays at a time and the schedule of payments.

Thanks for your time, and good luck in your endeavors.

Google Spamdexing Attack

Found an interesting Google Results injection against sites running Solr search. Attackers created links in an unknown place with search parameters being passed to the websites. Google crawled these source pages, following the links and accepting them as content. It’s not all that sophisticated, but remember, it’s results that matter in this game.

Many more are on my Twitter from notifying the organizations of this clever little hack against Google’s results.

911: Google Webmaster Removal Tool

In an example URL from Berkeley.edu, notice how they’re passing a parameter to ?s= that the site writes into the search results page. Somehow they’ve added this link to Attacker Page 1, which was then crawled by Google; the unescaped parameter creates a reflected XSS (cross-site scripting) condition on the destination page, and Google picks the search term up as content.

The result is that Google is picking up keywords from those pages in its results effectively promoting them:

Definitely don’t try this at home! ‘Snorting Viagra‘ hosted on Umassmed.edu.

Check out all of the other organizations that have the search hack:

https://www.google.com/search?q=%22Search+Results+for+%22+Viagra%22 (Pages 1-7)

https://www.google.com/search?q=%22Order+without+prescription%22 (“Order without Prescription“)

You can take any of the domains found in the broad results and cross-check with a more specific search, for example, site:berkeley.edu “viagra”

Here’s a gallery of different University sites showing thousands of results with the pill advertisements. Hit escape if the gallery runs off the top of your screen:

Pages that show whatever you put into the ?s= Solr search parameter. If the search parameter is replayed into the page, it creates the appearance of content. The attackers must’ve linked these from other locations to get them on Google:
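To make the mechanism concrete, here is an added example (my own code, not from any of the sites named in this post). It models a search results page that writes the ?s= term straight into the HTML, the hardened version beside it, and a small access-log scan that flags the spam pattern on the web server side. The hostnames, log lines and the `SAMPLE_LOG` format (common combined log) are constructed for the example; the only assumption about the real sites is the one the post makes, that the search term is reflected into the page unescaped.

```python
"""Added example: why a reflected ?s= term becomes crawlable 'content', the two
defensive controls that stop it, and a log check for the abuse pattern.
Hypothetical renderer and constructed data; not code from the affected sites."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the kind of link a spam page would carry (not a real URL)
SPAM_HIT = "https://example.edu/?s=Buy+Viagra+Order+without+prescription"


def render_vulnerable(url: str) -> str:
    """Mirrors the pattern in the post: whatever arrives in ?s= is written
    straight into the page, so the term becomes page text and, if it carries
    markup, a reflected XSS."""
    q = parse_qs(urlsplit(url).query).get("s", [""])[0]
    return f"<title>Search Results for {q}</title><h1>Search Results for {q}</h1>"


def render_hardened(url: str) -> str:
    """Same page with two controls: HTML-escape the reflected term, and tell
    crawlers not to index or follow search result pages at all."""
    q = parse_qs(urlsplit(url).query).get("s", [""])[0]
    safe = html.escape(q, quote=True)
    return ('<meta name="robots" content="noindex, nofollow">'
            f"<title>Search Results for {safe}</title><h1>Search Results for {safe}</h1>")


# Detection side: spot search requests that look like the pharma spam and arrive
# either from an off-site referer (the attacker page) or from a crawler.
PHARMA_TERMS = re.compile(r"\b(viagra|cialis|without\s+prescription)\b", re.I)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed log lines in combined format (not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2021:10:00:00 +0000] "GET /?s=Buy+Viagra+Order+without+prescription HTTP/1.1" 200 5120 "http://attacker-page.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2021:10:01:00 +0000] "GET /?s=Snorting+Viagra HTTP/1.1" 200 5100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '192.0.2.7 - - [10/Jan/2021:10:02:00 +0000] "GET /?s=admissions+deadline HTTP/1.1" 200 5000 "https://example.edu/" "Mozilla/5.0"',
]


def suspicious_search_hits(log_lines, own_host="example.edu"):
    """Return (path, referer, user_agent) for search requests whose term looks
    like pharma spam and that come from an off-site referer or a crawler UA."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        term = parse_qs(urlsplit(m["path"]).query).get("s", [""])[0]
        if not PHARMA_TERMS.search(term):
            continue
        ref_host = urlsplit(m["referer"]).hostname or ""
        offsite = bool(ref_host) and not ref_host.endswith(own_host)
        crawler = "bot" in m["ua"].lower()
        if offsite or crawler:
            hits.append((m["path"], m["referer"], m["ua"]))
    return hits


if __name__ == "__main__":
    print(render_vulnerable(SPAM_HIT))
    print(render_hardened(SPAM_HIT))
    for hit in suspicious_search_hits(SAMPLE_LOG):
        print("suspicious:", hit)
```

The `noindex, nofollow` meta tag is the control that addresses the spamdexing specifically: even with escaping, a search page that echoes the query is still indexable text, so the crawler should be told to ignore result pages altogether (a robots.txt disallow on the search path does the same job). The log scan is what you would run to find out whether your own site is already being used this way before the Google results show it.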

In a similar scam where the attackers actually inject a real page into the site, these organizations were impacted. Some were the University of Massachusetts Medical Center, Hastings Library, and The City of Dry Rock, where the pages have been injected since at least December of 2020:

Destinations of these links being advertised are some of the following sites like ‘WebMD(dot)shop,’ which is brazen:

All of these domains above are landing pages that eventually lead to anonymrxonline[.]com

Phone: 888-524-7141 [ANI: VIGAR]

This phone # has over 5k Google results and shows signs of being in use for pill dealing for over six years. It was formerly advertised by

[email protected]
Skype Gina24Rx [BDay: 9/16]
Location: Costa Rica.

Uses another phrase, ‘MyPharmaCash’, from this affiliate program: https://www.facebook.com/MyPharmaCash and Twitter https://twitter.com/24rxshop; activity ceased in early to mid-May of 2015.

Skype resets are af*****@mypharmacash.com and gi*****@gmail.com or phone number (***) ***-**61

The registrant of mypharmacash.com before it went private in 2016 was Mariano Bolanos in San Jose, Costa Rica. This is the same location as ‘Gina24Rx‘ this time using an email [email protected].

The owner Marianos Bolanos has numerous domains for pill-related items. His activity has died down since 2016. Many of the domains are active, though I have not investigated all of them.

Domain Cnaacr.com belongs to the National Chamber of Agriculture and Agroindustry in Costa Rica. In the footer, it’s signed ‘Web development by Bernetz’ (WayBack)

Domain Bernetz.com belongs to the company Bernetz IT Services that’s also registered to Marcos Bolanos:

https://twitter.com/bernetzit?lang=en

Still putting some pieces together on this one…

Organizations I’ve notified today about being listed on Google under these kinds of reflected (XSS) and direct injection attacks:

American Association of State Highway
Alabama Theatre
Arizona Department of Health Services
Berkeley Materials Science & Engineering
BainBridge Island Museum of Art
California Digital Library
Children’s Community Day School
City of Dry Ridge, Kentucky
City of Tullahoma, Tennessee
Columbus Tech
Columbia University
Dickerson Park Zoo
Eastern New Mexico University
Ewing Marion Kauffman Foundation
FPrime Capital
Generation Citizen
Gulf of Mexico Fishery Management Council
Hudson River Museum
Monroe County History Center
Museum of Durham History
Miami Music Project
Multiple YMCAs
Methodist University
Palm Harbor Fire Rescue
Pathways 2 Life
Philly Expo Center
QuickLogic Software
SAE Institute
Schoharie County NY
Iowa State University
Irish American Heritage Center
Illinois State University
SoftLab
The City University of New York
The Port of Philadelphia
Toledo Zoo
University of Southern California
University of California San Diego
University of Minnesota
University of Mary Washington
Unmanned Systems Labs @ Texas A&M
Virginia Commonwealth University
Washington International Trade Association
Wisconsin Small Business Development Center
We Fest – Country Music Festival
WinterThur Museum
Wheaton Arts
Working Men’s Institute (Indiana)

Impacted Orgs: Google Webmaster Removal Tool

Phish Gallery & Blog Update

Update

Why has the blog been so dry? Well, it’s complicated. There are always people who don’t want to see you expressing yourself in a public way. These invisible haters will try to make connections between your personal activities, i.e., Blogging and work-related things, in any way they desperately can. I win those battles; it’s just tiring to explain to the suits how free speech works. Support the ACLU and EFF. 

Visit my Twitter Feed to see screenshots of various threats that come my way from readers, and my own mailboxes being flooded with threats. Many of them turn into future news articles in the days or weeks to come, so you get a head start. Otherwise, I tend to post the news I’ve been personally reading throughout the day. Maybe you’ll find something interesting. Thanks for reading. I’ll be back as soon as I finish realigning my career goals and getting myself in a good place to write again.

Phishing Gallery

It’s been a CRAZY year for breaches, ransomware, and other cyber terrorism. Truly a daily occurrence all over the world. Below is a collection of phishing screenshots I’ve collected this year from various honeypots and other sources. We’ve worked with many organizations over the years to take down infrastructure related to these attacks. The trend I’ve seen across security products is that they block effectively, but it takes days. Secondly, the sites and email sources tend to go largely unreported. If you want to make a difference: protect future victims by sending the abuse emails. It may take you hours, but otherwise it takes days or even weeks as everyone shields themselves without bringing the sites down. Many providers I reach out to will respond quickly to eliminate the artifacts.

Useful Links:

www.joesandbox.com

www.any.run

www.sentinelone.com

www.dnsfilter.io

Websites:

(Click the right > key to move through the screenshots. I need to fix the jumping around with different sizes)

Emails + Attachments:

AlphaRacks Offline

We reported a massive phishing operation taking place back in July of 2018 at Alpharacks. The spam, child porn, malware, and phishing never stopped for a moment since writing about Alpharacks back in 2018. The [email protected] team never responded to any direct emails between Quadranet and myself. The blog is under development but at this time Alpharacks is still offline as of 5/26/19. Here is the most recent Statement from Alpharacks

See our article: Phishing – A Master Anglers Toolbox

Recent updates:

DeepSentinel

DeepSentinel is a new home surveillance system that leverages cameras, AI, and around-the-clock monitoring to prevent break-ins, auto theft, and other domestic crimes.

DeepSentinel cameras are equipped with speakers allowing two-way communication. The speakers output 104 dB, which is reportedly the loudest on the market. Each kit comes with 3 cameras, 1 hub, and mounting equipment. Cameras are battery operated and reportedly last up to 2 months without recharging.

If a crime is detected, the Surveillance Center will engage local law enforcement. DeepSentinel aims to identify a threat in under 10 seconds and contact the police within 20 seconds.

System Review

*** Update 11/2020 – Things have been smooth with DeepSentinel. A few brief outages were about an hour of time due to the larger Google Cloud Disruptions. The performance of the system has increased over time with much less false positive activity. Alerting is still nearly real-time allowing me to catch people out front very quickly. App has improved visually and in terms of features greatly since I bought the system. Support is great they’ve sent me a new hub, batteries, and cameras anytime I have issues with barely any hassle. Although I spent a bit of time below poking holes at the system most of them have long since been resolved. It’s truly a wonder to stop constantly thinking about people in my yard especially when I leave the house.

The vendor has recently released a new power-over-ethernet system that uses an Nvidia card and dome cameras. Stay tuned for updates on that system as I get my hands on one. Click here to get 20% off your DeepSentinel purchase/subscription.

—-Original Blog—-

Testing is in progress as are discussions with the vendor. This is a rough write-up of the final testing that I am doing with this system at home. Please note despite any critical reviews of certain features I am certain of two things: 1. I am here to hang on because fully managed is what I need. 2. Apps, Features, Bugs, and Products can change with enough feedback. This is by no means a recommendation not to buy the system. I love it! My job (as always) is to show you how marketing meets the delivery. Also, highlight anything that needs development or may annoy a potential customer. I have been using it for approximately 1-month gathering this information.

Positive:

1. Wake up time is fast. Agents consistently verify events in a short amount of time. Tests were successful in bringing an agent to the live camera. Many other cameras I have tested seem to catch the movement 1-5 seconds after it starts. This unit always records the movement that is taking place reliably. Another feature I like is that the clips can be 1.5-2min long if necessary. Other devices have predefined lengths that cut off the activity prematurely.

2. Battery life is good/acceptable for cameras with 1-2 bars and heavy traffic in front of them. My cameras have been up for 1 month. Batteries are 61% (Front), 57% (Back Door), 27% (Driveway). The extra battery is a nice touch. It took me a while to realize you can rip the top off of the hub to charge it.

3. The app is evolving with new features. Alerts have become more specific, and the privacy mode is much more flexible. Having an initial max of 3 hours was a mistake. 24hr is great, a schedule would be even better. One downside to privacy mode is it stops recording locally altogether. It would be nice to choose whether to keep storing footage locally on the box. The idea (in my mind) was to stop escalating it to the SOC.

Issues:

1. Picture Quality – Overall picture quality of snippets and recordings is low. The vendor stated this is to expedite uploading to the Operations Center. I find the quality locally on my end remains poor. It would be hard to identify a license plate or letters on a van for example. I don’t doubt that the camera is capable of more but I can see that it’s throttled down for the reason specified and perhaps others like preserving battery life, storage space, or other resources. My thought is that this might record full quality and then commit a lesser quality image to the Operations Center. There is a balance of evidentiary interest with these minor details in addition to the live response.

2. Opened a ticket with the Support Team to investigate an unexpected outage of my system in the first 14 days. I didn’t make any changes other than rebooting the system a few times. On my first escalation, the rep explained it away as one of those situations where a device crashes. I recommended avoiding that kind of rationalization in this instance. It’s much wiser to use support as a point to collect those technical details. I want to know if my box is going to crash every 14 days. Reboots don’t address root causes. The vendor has been responsive and contacted me about this multiple times. No crashes since that time.

3. The camera appears to inspect 100% of all movement. Dogs, a spider, people walking by 100 times in 5 minutes. I have not personally witnessed any kind of AI. Every time there is movement it’s verified by an agent. I’m trying to make the connection between AI Assisted and a fully managed service that manually checks 100% of all notifications. This is not evident in my usage of the product. I am waiting for the vendor to explain where the technology comes into play. I need somebody to draw me that line… We all know of the 100s of vendors who sell AI but the execution seems to be largely reliant on humans. Maybe it’s in the roadmap? Learning mode?

^^ Turkey Burglar or Burger? I can’t decide. My Actual Intelligence determined this is a bird, not a threat.  We focus on what matters most  “Coupled with Artificial-Intelligence, we distinguish between a potential intruder and a car, dog (^turkey?) or other non-threats.“. I’m sure it’s in a hyper-excited type of ‘learning’ mode but I’m just saying… I don’t know or understand a lot about “How” it’s going to learn, and when to expect that to kick in. I don’t doubt it’s coming but I seek more information on what’s next for my system. For now, I don’t mind if they keep an eye on my turkeys.

4. Delayed alerts, false alarms with cameras going online/offline. Apps seem to be evolving with its notification styles on Android. I have seen alerts that there was activity at my Front Door but then the clip is for the Back Door. Other times it alerts but the clip is from a past time. Not clear if this is known but the app seems to be producing lots of alerts that apply to events which already happened. Or there’s no video waiting when I open the application to see that alert’s contents. It might be something that’s going on with my phone. It’s not annoying enough to cause any issues. I do have ComCrap internet service…

5. Adjusting the area of coverage in some cases took away from areas within that border. I am still experimenting but it seemed like the ideal way to keep it was expanding the coverage completely. I tried to reduce it in some areas to avoid a road with cars passing by in the distance. It has recently stopped firing on those cars so the AI may have learned this pattern. Previously I had dozens of recordings showing cars far in the distance moving laterally to my yard. (Vendor responded and made adjustments on 5/24)

6. Many situations where I select a camera and after 0-60 seconds it’s still loading. At this moment I have rebooted my phone + the hub several times and still can not load my cameras in a live view. It displays a message that it’s having trouble reaching cameras. I can’t do it at all no matter how many times I try with app version 345. The camera also hangs when it has a live alert and I click into it when an event is taking place. (Vendor replaced a defective camera on 5/28)

7. Wireless between the cameras and hub is just OK. It’s not terrible but it’s also not spectacular. There are no antennas on the hub and it’s a 2.4GHZ connection. I spoke with the company about this and they quickly sent me a few repeaters. Mind you my Wireless box has 4 antennas and 75% strength in the positions of the cameras. It’s not up to me though I have to use the Wireless built-in to the system unable to leverage my own. (Vendor provided WiFi extender on 5/29)

Visit DeepSentinel

Bomb Threat E-mails

A developing story where a wave of e-mails around the United States has caused mass hysteria and evacuations. I’ve obtained two domains from a trusted source who manages hundreds of clients. Below I provide an example of the e-mail, and move on to start investigating the domains. As always I’m asking for others to independently look into these domains. I will be updating the blog as I obtain information about this issue.

Data for the domains came from various sources but is relatively self-evident, as the headers will match the From: address in this instance. I have a list of domains below with corresponding IP addresses that all point to the same provider’s network. In some cases, the key seems to be what the domain was doing before it moved over to the new Russian host. One observation is that most of them were pointing to GoDaddy just prior to changing over to REG.RU. I couldn’t find many that had a front page or legitimate use. See below for a deep dive on 11 different domains/IPs sending these messages.

Example:

“Subject: Do not waste your time

Hello. My man hid an explosive device (Hexogen) in the building where your business is conducted. My mercenary assembled the explosive device according to my guide. It has small dimensions and it is covered up very carefully, it is impossible to damage the building structure by my bomb, but in the case of its detonation there will be many victims.

My recruited person keeps the area under the control. If any unusual behavior or cop is noticed he will power the bomb.

I can call off my man if you make a transfer. 20.000 dollars is the cost for your life and business. Pay it to me in BTC and I warrant that I will withdraw my man and the device won’t detonate. But do not try to cheat- my guarantee will become valid only after 3 confirmations in blockchain network.

My payment details (Bitcoin address): (REMOVED)

You must solve problems with the transaction by the end of the workday, if you are late with the money the device will detonate.

Nothing personal this is just a business, if you don’t transfer me the bitcoins and a bomb explodes, next time other companies will send me more money, because this is not a one-time action.

For my safety, I will no longer log into this email. I check my address every forty min and if I receive the payment I will order my person to get away.

If the explosive device detonates and the authorities see this letter:

We are not terrorists and dont assume any liability for explosions in other places.”

Deeper Investigation

I’ve accumulated a total of 11 Domains/IPs that were actively sending as a part of this campaign. They all have working SPF records and are hosted in netblocks starting with 194.58.x.x in ORG-nrRL1-RIPE, with the host out of Russia called REG.RU. I’m not saying Russia is behind it, as that would be a very simple solution, and at this point we can’t attribute anything. I opened a ticket w/ the host Thu 12/13/2018 5:38 PM PST as the services were still up and running with no takedown requests, not surprisingly. They responded Fri 12/14/2018 4:31 AM PST that ‘Service is blocked’. Despite all of the media coverage and expert analysis, not one person contacted the source of the e-mails to prevent further activity. In fact, as you’ll see below, this is the same host/subnet used in the most recent sextortion emails.

Note: The e-mail below is a Sextortion threat from back in late Oct of this year using the domain albionstudios_com. That domain still resolves to the ISP the threats came from. This strongly implicates the same individuals in having recently run sextortion spam jobs from the same source network.

Here is an example header from the bomb threats:

Network Map (2 of the 11 below)

VirusTotal Graph

Godaddy IPs that some of these domains had before the A records changed over to REG.RU based on passive DNS from DomainTools + VirusTotal records:

50.63.202.48
184.168.221.57
184.168.221.9
103.1.175.1
50.63.202.62
50.63.202.82
91.195.240.82
50.63.202.46

Domain #1: yinnyang.com (194.58.103.231) (Previously: 50.63.202.46)

SPF record checks out for both hosts during the campaign:

Search shows that the IP for this domain was changed today after being stuck on another address for several years:

Current IP:

Current IP address search on VirusTotal shows a number of other domains associated with the IP

Looking at the previous IP address right before it switched:


The previous IP this domain was pointing to has a steady stream of communicating files on VirusTotal; the count on this address is off the charts. It’s obviously a Command & Control point for malware communication. Probably a throwaway at GoDaddy that’s still being used. The key here is checking the other domains (many of which have no legitimate front page) for these kinds of connections, as the large majority suddenly made the DNS switch today for this campaign.

Malware Families associated with previous IP of the domain


Domain #2: armiracles.com (194.58.61.73)

Domain #3 – Tiedeman.com (194.58.58.207) (Previously 95.170.70.225)

Domain #4 – wedgeze.com (194.58.58.54)

Domain #5 – weimd.com (194.58.58.23)

Domain #6 – whathappensatdeath.com (194.58.61.134)

Domain #7 – vinight.com (194.58.58.82) (Previously: 184.168.221.9)

Domain #8 – theweightlossarea.com (194.58.58.125)

Domain #9 – worldfused.com (194.58.61.67) (Previous: 50.63.202.62)

Domain #10 – tvlgbt.com (194.58.58.123)

Domain #11 – truockhichet.com (194.58.58.106)
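The two checks this write-up rests on, that the sending IP passes each domain’s SPF record and that the sending IPs all sit in the same netblock, can be reproduced offline. The following is an added example of my own, not tooling used for the post. The SPF records in `FAKE_SPF` and the `example-sender-*.test` names are constructed stand-ins for whatever the real TXT records said (the post only states that they “check out”); the domain/IP pairs in `CAMPAIGN_SENDERS` are the ones listed above. The SPF evaluator handles only `ip4:`/`ip6:` mechanisms and the `all` qualifier; `include:`, `a`, `mx`, `redirect=` and live DNS lookups are deliberately out of scope.

```python
"""Added example: minimal offline SPF evaluation plus netblock grouping for
the sender list above. Constructed SPF records; not code from the post."""
import ipaddress
from collections import defaultdict

# Constructed: hypothetical TXT records as a resolver would return them.
FAKE_SPF = {
    "example-sender-1.test": "v=spf1 ip4:194.58.58.0/24 ip4:194.58.61.0/24 -all",
    "example-sender-2.test": "v=spf1 ip4:194.58.103.231 ~all",
    "example-sender-3.test": "v=spf1 -all",
}

QUAL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_mechanisms(record):
    """Parse the ip4:/ip6: mechanisms and the 'all' qualifier of a v=spf1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, all_qual = [], None
    for term in terms[1:]:
        qual = "+"                      # default qualifier is '+' (pass)
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            all_qual = qual
        elif term.lower().startswith(("ip4:", "ip6:")):
            cidr = term.split(":", 1)[1]
            nets.append((qual, ipaddress.ip_network(cidr, strict=False)))
    return nets, all_qual


def spf_check(domain, sender_ip, resolver=FAKE_SPF):
    """Return the SPF result for sender_ip against the domain's record.
    `resolver` maps domain -> TXT record so the check runs without DNS."""
    record = resolver.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    nets, all_qual = spf_mechanisms(record)
    for qual, net in nets:
        if ip in net:                   # first matching mechanism wins
            return QUAL_RESULT[qual]
    return QUAL_RESULT.get(all_qual, "neutral")


# Domain/IP pairs as listed in the post, plus one of the previous GoDaddy
# A records for contrast.
CAMPAIGN_SENDERS = [
    ("yinnyang.com", "194.58.103.231"),
    ("armiracles.com", "194.58.61.73"),
    ("tiedeman.com", "194.58.58.207"),
    ("wedgeze.com", "194.58.58.54"),
    ("weimd.com", "194.58.58.23"),
    ("whathappensatdeath.com", "194.58.61.134"),
    ("vinight.com", "194.58.58.82"),
    ("theweightlossarea.com", "194.58.58.125"),
    ("worldfused.com", "194.58.61.67"),
    ("tvlgbt.com", "194.58.58.123"),
    ("truockhichet.com", "194.58.58.106"),
    ("yinnyang.com (previous A record)", "50.63.202.46"),
]


def group_by_netblock(senders, prefix=16):
    """Group (domain, ip) pairs by /prefix netblock so a shared host range
    such as 194.58.x.x stands out immediately."""
    groups = defaultdict(list)
    for domain, ip in senders:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].append(domain)
    return dict(groups)


if __name__ == "__main__":
    print(spf_check("example-sender-1.test", "194.58.58.207"))
    for block, domains in group_by_netblock(CAMPAIGN_SENDERS).items():
        print(block, len(domains), domains)
```

A passing SPF result says only that the mailbox provider will not reject the message on that basis; here it is evidence that the operators set the records up deliberately, which is what makes the shared netblock worth an abuse report to the host rather than to each domain.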

Adware Empire – IronSource and InstallCore

A recent Adware campaign using malicious Bing ads led me to a Chrome download that eventually deployed Adware to the user’s computer. The IPs and types of Adware connected back to IronSource Ltd., Babylon Software Ltd., and InstallCore – all Israeli companies that have connections to Adware. See here, and here.

(Note: This was reported heavily in the media by ZDNet, On MSFT, Inquirer, and Alphr in recent days. My discovery of the malicious ads was independent of any other source. My list of 3,500 IronSource Hostnames is exclusive, as is all of the IP research behind the Adware.)

At this time, there appears to be a publisher that’s steering users to a network of sites that deliver a payload of Adware. Please note that I have made only tangential connections between said publisher and the aforementioned companies. Various IP addresses and analysis of the Adware point to IronSource as the controlling entity of the servers that the Adware is communicating with after it’s delivered. That’s not to say that IronSource is necessarily aware that a publisher (pay-per-install) is redirecting visitors to sites that impersonate Google Chrome.

The process began by searching Bing.com for “Download Chrome.” The ad at the top of the returned page below looks like a legitimate Chrome advertisement and has an “Ad” marker clearly visible, but it’s poisoned because it leads to a false Google Chrome domain.

Notice how the ad below says “Chrome is a fast,secure” browser. No, I didn’t make a typo – there is a missing space before the word “secure”!

The fake chrome website googleonline2018.com is presented to the user when they click the ad above.

Clicking ‘Download Chrome‘ leads the user to a URL:

files.drivedowns.com/direct/?cod=24620&name=GoogleChrome
🍪
302 Redirect
Which leads to another URL with the payload:
www.tasetofeni.com/y94jg5t/ChromeSetup.exe
SHA1:a61c027efb9c0ea3448ef584302c987af508a07d8347c20e8f373d847034ba7c

^^ File above on VirusTotal (1/70) is only detected by BitDefender. Here’s the JoeSandBox Malware Analysis. Malware type delivered is DealAgent, which is considered as Adware.
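The redirect chain above is the kind of thing worth recording hop by hop, because the intermediate host (the one serving the 302) is the publisher’s infrastructure and disappears from view if a client follows redirects automatically. The following is an added example, my own code rather than anything from the post: it walks a chain without auto-following, records every hop, and hashes what the final hop delivers. The `fetch` callable is injectable, so the offline demo runs against a constructed chain (`ad-landing.example`, `payload-host.example` and the `FAKE_PAYLOAD` bytes are placeholders, not the real hosts or file); the default fetcher uses urllib against a live URL and should only be pointed at a sample from inside a sandbox.

```python
"""Added example: trace a 30x redirect chain one hop at a time and hash the
final payload. Injectable fetch so it runs offline; constructed chain."""
import hashlib
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib return 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _urllib_fetch(url):
    """Live fetcher: return (status, Location header or None, body bytes).
    Not used by the offline demo below."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=15) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as e:       # 3xx arrives here because of NoRedirect
        return e.code, e.headers.get("Location"), e.read()


def trace_redirects(url, fetch=_urllib_fetch, max_hops=10):
    """Walk the chain. Returns (hops, final_body); hops is a list of
    (url, status, location). Stops on the first non-redirect response."""
    hops = []
    for _ in range(max_hops):
        status, location, body = fetch(url)
        hops.append((url, status, location))
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)      # Location may be relative
            continue
        return hops, body
    raise RuntimeError(f"more than {max_hops} hops; possible redirect loop")


def digests(data):
    """SHA-1 and SHA-256 of the delivered bytes, for VirusTotal/sandbox lookup."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hosts_in_chain(hops):
    return [urlsplit(u).hostname for u, _, _ in hops]


def analyse(url, fetch=_urllib_fetch):
    """One record per chain: every host touched, hop count, whether the final
    body starts with a PE 'MZ' header, and its hashes."""
    hops, body = trace_redirects(url, fetch)
    return {"hosts": hosts_in_chain(hops), "hops": len(hops),
            "pe_header": body[:2] == b"MZ", **digests(body)}


# Constructed offline chain with the same shape as the one in the post:
# landing page with a referrer-style parameter -> 302 -> executable.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed bytes, not a real installer"
FAKE_CHAIN = {
    "http://ad-landing.example/direct/?cod=1&name=GoogleChrome":
        (302, "http://payload-host.example/x/ChromeSetup.exe", b""),
    "http://payload-host.example/x/ChromeSetup.exe":
        (200, None, FAKE_PAYLOAD),
}


def fake_fetch(url):
    """Offline stand-in for _urllib_fetch backed by FAKE_CHAIN."""
    return FAKE_CHAIN[url]


if __name__ == "__main__":
    print(analyse("http://ad-landing.example/direct/?cod=1&name=GoogleChrome", fake_fetch))
```

Hashing both SHA-1 and SHA-256 avoids the mix-up that is easy to make when reading a report: a 40-hex-character digest is SHA-1, a 64-character one is SHA-256, and a sandbox or VirusTotal lookup needs the right one.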

We discovered a number of different Adware families being delivered from the hosts this file communicated with including Amonetize, BitVote Miner, Babylon Toolbar, InstallCore, Strictor, DealPly, InstallMiez (MacOS), OpenCandy, Optimizer Pro, SProtector, Crepreote, Advanced Mac Cleaner, Vittalia, OpinionSpy, Spynion, and Adware going by many other names across all of the IPs involved. There was also a prevalence of macOS unwanted programs and Adware communicating to these hosts, similar to a Command & Control infrastructure in malware. (JoeSandBox Malware Analysis)

A video below shows the full sequence of events:

We’ve compiled a video of the event and screenshots to walk through the process of encountering the Adware. In our video, the antivirus Bitdefender blocks the attack; it was the only one of the 70 engines on VirusTotal that detected it. See the JoeSandBox full analysis.

Deeper Investigation

***Update #1. Check out this list of 3,500 IronSource hostnames still active!

***Update #2. Related IP address in a block owned by IronSource: 199.58.87.151. It contains interesting files that appear to be payloads for the Adware applications. Curiously, a few are named KAVcompatibilityCheck.cis and Symantec_Norton_IronSourcev5.cis. Here’s a zip of the files I downloaded from the URLs in VirusTotal. Can you analyze these?

Below, I will investigate three domains. One belongs to the publisher, and the other two appear to funnel traffic using a referrer ID to a payload domain with round-robin DNS. Several of the IPs it resolves to belong to IronSource, based on WHOIS Records. Others are unidentified, but given the identical file structure and activity, I’d say there’s a great chance they’re all connected. As you scroll down, you’ll find a piece of evidence. I encourage you to continue researching them and connecting the dots. Let me know what you find…

Domain #1: googleonline2018.com

The landing page googleonline2018.com is a 116-day-old domain, registered by [email protected] and hosted at IP address 149.28.73.46, which reportedly belongs to Vultr Holdings, LLC.

Example of the site googleonline2018.com:

A number of other domains are registered to this user with the word “Chrome” or “Google” in them.

Two other domains stand out, as does atracksys.com (the first domain name on the list above): they don’t fit the profile of the fake Chrome sites. They are inccweb.com and necisoft.com, listed below and registered 3 to 4 years ago.

Information on the registrant:

Blog at 163.com with no logins since 2007: http://richard86811.blog.163.com/

Pastebin link https://pastebin.com/sai42Sdw has “456223”, “richard86811”, “868118918”, and “[email protected]”. These are held in a DB dump (of some kind) that reveals another email associated with the Gmail used to register these domains. The number 86 is the country code for China, and 86-811-8918 could potentially be a partial phone number.

Names associated with domains: Jiaqiang Li (Jiangmen & Guangdong, China) and Chen Weilong (Guangdong, China).

Domain #2: drivedowns.com

This domain is the initial redirector after you click Download Chrome. It’s a 20-day-old domain currently being protected by Cloudflare. It’s not uncommon to see malicious sites behind Cloudflare. I’ve made dozens of attempts to report abuse to this vendor, only to be rebuffed and told that “Our service is a pass-thru and we do not control the content of our customers.”

The VirusTotal results show not only that this domain is rated as malware by Fortinet, PREBYTES, and Scumware.org, but that others on the same IP appear to be backdoor PHP files and other malicious-looking, randomly named domains. These details are unrelated to this campaign, but they go to show that Cloudflare can both protect the good guys and obfuscate the real location of the bad guys.

Domain #3: tasetofeni.com

This domain is 101 days old and has been using rotating Amazon IPs since at least 10/08/2018, based on passive DNS. This is not surprising, as we see plenty of hacked and/or fraudulent AWS accounts where attackers control domains with no legitimate front page.

Other files with different packing show varying levels of detection by AV engines.

Malware ChromeSetup.exe is detected as InstallCore or a basic dropper/trojan.

The JoeSandBox analysis of these files and the domain goes into depth:

Domain #4: reholessbegise.com (dev, img, remote)

The dropped ChromeSetup.exe file communicates with a couple of subdomains on reholessbegise.com, a 35-day-old domain using AWS DNS. There is a connection between this domain and IPs owned by IronSource at LeaseWeb. Also, many of the IPs it resolves to host the Babylon Toolbar, a piece of software made by Babylon Software Ltd. in Israel.

img.reholessbegise.com is the domain from which ChromeSetup.exe pulls many of its images, and there’s no shortage of IPs behind it.

We resolved them with Whatsmydns globally to find a round-robin of addresses:

IPs: [199.58.87.155 (Active), 199.58.87.110 (Old), 199.58.87.151 (Old)] (IronSource Israel via LeaseWeb)

Note how IronSource’s IP range has plenty of misleading or downright fake file names. These aren’t files that are ‘communicating’ but ones that have been pulled down from these hosts.

Check out this list of 3,500 IronSource domains; most are still active!

Note that ‘InstallCore.com’ is hosted on this IronSource-owned IP. Below is a forum discussion between two hackers about doing Adware installs for them, which links the companies together. InstallCore is an IronSource service.

LeaseWeb identifies the customer in WHOIS records:


dev.reholessbegise.com is another domain that ChromeSetup.exe talks to often, as confirmed in the sandbox analysis.

Note that each IP has a VirusTotal link to see its activity:

IP: [54.201.95.158, 35.167.192.77] (Amazon AWS)

IP: [185.59.222.146] (CDN77.com/Netherlands)

IP: [46.166.187.59, 85.159.237.103] (NForce Entertainment B.V.)

IP: [95.211.184.67] (LeaseWeb)

IPs: [146.185.27.45, 146.185.27.53, 209.95.37.242] (Midphase)

IP: [192.96.201.161] (CommPeak.com via LeaseWeb)

The ChromeSetup.exe file talks heavily to these hosts and grabs not only images but suspicious files. See the JoeSandBox analysis for all communications.

Oct 26, 2018 6129 OUT HEAD /ofr/Solululadul/osutils.cis HTTP/1.1
Accept: */*
Host: remote.reholessbegise.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

(SHA256: 168656b0a807e5fa2c016d637c0c02d83753919ac5a8f493895e9dddce1a916c)
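The indicators listed in this write-up (the redirect and payload domains, the round-robin IPs, and the two SHA256 hashes) are the kind of thing a defender wants to sweep proxy logs for. The script below is an added example and not part of the original investigation: it collects those indicators, matches a host against them (exact domain, any subdomain, or bare IP), scans proxy log lines, and checks a file hash against the known payload hashes. The log lines are constructed here in a simple squid-style layout (timestamp, client, status, method, URL) purely to show the matching; they are not captured traffic.

```python
"""IoC sweep for the fake-Chrome adware chain described above.

Added example, not from the original write-up. Indicators are the ones named
on the page; the sample log lines below are constructed, not real traffic.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Domains from the write-up (subdomains such as img./dev./remote. match too).
IOC_DOMAINS = {
    "googleonline2018.com",
    "drivedowns.com",
    "tasetofeni.com",
    "reholessbegise.com",
}
# IPs listed in the write-up (hosting, round-robin image hosts, AWS, CDN77, LeaseWeb...).
IOC_IPS = {
    "149.28.73.46", "199.58.87.155", "199.58.87.110", "199.58.87.151",
    "54.201.95.158", "35.167.192.77", "185.59.222.146", "46.166.187.59",
    "85.159.237.103", "95.211.184.67", "146.185.27.45", "146.185.27.53",
    "209.95.37.242", "192.96.201.161",
}
# SHA256 hashes from the write-up: ChromeSetup.exe and osutils.cis.
IOC_SHA256 = {
    "a61c027efb9c0ea3448ef584302c987af508a07d8347c20e8f373d847034ba7c",
    "168656b0a807e5fa2c016d637c0c02d83753919ac5a8f493895e9dddce1a916c",
}

# Constructed squid-style layout: <ts> <client> <status> <method> <url>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


@dataclass
class Hit:
    line_no: int
    indicator: str
    kind: str  # "domain" or "ip"


def host_matches(host: str) -> Optional[str]:
    """Return the indicator a host matches: a listed IP, or a listed domain/parent domain."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host if host in IOC_IPS else None
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    labels = host.split(".")
    # Walk from the full name up to the registrable domain: img.x.com -> x.com
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line whose request host matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = urlparse(url if "://" in url else "http://" + url).hostname
        if not host:
            continue
        ioc = host_matches(host)
        if ioc:
            hits.append(Hit(n, ioc, "ip" if ioc in IOC_IPS else "domain"))
    return hits


def file_is_known_payload(data: bytes) -> bool:
    """True when the SHA256 of the file contents is one of the listed payload hashes."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


# Constructed sample: one client walks the chain from the Bing ad to the payload.
SAMPLE_LOG = [
    "1540569600.101 10.0.0.12 TCP_MISS/200 GET http://www.bing.com/search?q=download+chrome",
    "1540569605.440 10.0.0.12 TCP_MISS/200 GET http://googleonline2018.com/",
    "1540569612.002 10.0.0.12 TCP_MISS/302 GET http://files.drivedowns.com/direct/?cod=24620&name=GoogleChrome",
    "1540569612.850 10.0.0.12 TCP_MISS/200 GET http://www.tasetofeni.com/y94jg5t/ChromeSetup.exe",
    "1540569640.300 10.0.0.12 TCP_MISS/200 HEAD http://remote.reholessbegise.com/ofr/Solululadul/osutils.cis",
    "1540569641.000 10.0.0.12 TCP_MISS/200 GET http://199.58.87.155/some/image.png",
    "1540569700.000 10.0.0.33 TCP_MISS/200 GET https://www.google.com/chrome/",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.indicator}")
```

The domain match walks up the label hierarchy so that img., dev. and remote.reholessbegise.com all resolve to the listed parent domain without enumerating every subdomain; the IP set is kept separate because a host written as an IP literal must match exactly, not by suffix.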

Still working on this investigation… Have any tips? Drop me a line via my contact form.

Net Neutrality – The Spirit Lives On

What if one day your Netflix suddenly stopped streaming and displayed an error message telling you to call your Internet Service Provider for assistance? You place the call, and the provider advises that you’re not currently subscribed to the third-party streaming plan required to access this type of content. Come to find out, the provider is now charging a fee for access to streaming content outside of its network. You’ll have to purchase a package to access Netflix or be forced to use the provider’s own video streaming service, which comes at an additional cost. Net Neutrality rules are protections created in the spirit of a “need to ensure the openness of the Internet, preserving users’ free and nondiscriminatory access to content, applications or services available on the Internet” (Bello & Jung, 2015).

The scenario with Netflix is but a glimpse into the world painted by those who oppose removing the protections. If a provider makes users pay for specific services like gaming, video streaming, or a remote connection to the office, it’s considered offering a “tiered service,” which differs from the unlimited subscription model of internet service today. Research suggests that repealing Net Neutrality regulations can be bad for consumers, both because it harms innovation and competition between providers and because it allows consumer internet traffic to be analyzed, manipulated to block content, and throttled to decrease transmission speeds. The potential impacts on the consumer are interruptions to streaming, lower-quality video, an inability to access certain types of services without additional subscription fees, and other scenarios we’ve yet to imagine. Conversely, under the rules ISPs may not be able to experiment with business models or innovate with new services in the market.

At the heart of the Net Neutrality debate is the concern that providers will be able to analyze, manipulate, throttle, or even block access to specific content on the internet. The term open internet comes to mind when thinking about the origins of the internet – an entity born free and not intended to be commercial in origin. The internet has evolved from a platform that was facilitating communication between universities, to the birth of e-commerce websites – and now services like cloud, the blockchain, or online distance learning leverage it to deliver content to every edge of the earth. It’s become a utility for all kinds of devices as well, for example, cars, refrigerators, water bottles, luggage, and even a surfboard. The possibilities are somewhat endless when you view things through the lens of the Open Internet versus the Restricted Internet. Consumers are increasingly adopting lifestyles that revolve around these services, which necessitates a discussion about the legal rights of ISPs to control information.

It’s entirely possible that ISPs will make changes that serve “self-serving, and profit-maximizing goals when enhancing or degrading content carriage” (Frieden, 2018). Imagine that the service you have doesn’t come with the ‘package’ required for internet access to these types of applications. What about employees who telecommute using a VPN connection to the office? Would ISPs be able to charge a premium for this kind of access, knowing that it’s for a commercial purpose? The short answer is yes; they’re able to categorize and sell products in any way they’d like. It’s believed that “The Internet’s openness should be understood as a guiding principle that transcends each of the layers/tiers and extends throughout the digital ecosystem, and that each of the stakeholders of this ecosystem is essential to its development” (CIGI, 2015). Keeping the spirit of the internet as an open place by integrating protections for consumers is essential to the discussion and to actions by the FCC. Its proponents want to see these core values preserved and more transparency in how providers manage network traffic.

You might be asking yourself, is all of this for nothing? What is the real threat here, and are ISPs planning, or doing, this kind of thing today? After all, if they have never done this before, then Net Neutrality could potentially be a solution in search of a problem. Is there any history of, or even potential for, abuse by these providers? The answer is yes. One violation of Net Neutrality occurred when an organization called Public Knowledge complained to the FCC that Comcast, the number two internet provider, was throttling BitTorrent traffic. Comcast was working with a vendor, Sandvine, a company that sells ‘Active Network Intelligence,’ a service which gives ISPs better visibility into exactly what kind of traffic is on the network. In a statement, the company explained that “Sandvine determined that the use of several Peer-to-Peer protocols was regularly generating disproportionate burdens on the network, primarily on the upstream portion of the network, causing congestion that was affecting other users on the network” (Comcast, 2008). Based on this research, Comcast had reportedly achieved wide-scale deployment of a blocking platform in 2007, until the FCC ruled that “The selective blocking of file-sharing traffic interfered with users’ rights to access the internet and to use applications of their choice.” Although Comcast had a plausible explanation, it still violated the Net Neutrality rules because it interfered with the normal transmission of information. Comcast positioned itself to analyze and interrupt certain types of legitimate communications without any transparency to its users. Notification of these practices had not been sent to its subscribers, effectively restricting any users of the BitTorrent file-sharing method, which was at one time used by NASA to accelerate the distribution of satellite data. BitTorrent is not a completely illegitimate protocol, and even if it were, the issue remains that customers were unaware of these activities. Based on this violation, it is entirely possible that ISPs could begin blocking traffic without the transparency provided by these regulations.

A key argument in favor of repealing the Net Neutrality rules is that they negatively impact innovation and competition between providers. The FCC commissioner stated that “…the regulations made things worse by limiting investment in high-speed networks and slowing broadband deployment. Under Title II, broadband network investment dropped more than 5.6% — the first time a decline has happened outside of a recession,” and went on to say that “Removing these outdated and unnecessary regulations will create a strong incentive for companies to pour resources into building better online infrastructure across the country and bringing faster, better, and cheaper Internet access to more Americans.” (FCC, 2018).

The stated intention of the government is that repealing these rules will aid expansion into rural and hard-to-service areas, as well as raise average speeds throughout the US. It also wanted to allow ISPs to experiment with different business models, such as giving priority to medical applications or self-driving cars. ISPs may experiment with security, home automation, and services like artificial intelligence that can help improve the quality of your experience in a meaningful way. There are limitless possibilities for how companies could innovate these products. Mainly, the concern is that small players in the market and start-ups wouldn’t be able to create unique services to compete with larger companies. In fact, the FCC found that “Title II regulations are bad for competition. They disproportionately burden the small Internet service providers and new entrants that are best positioned to introduce more competition into the broadband marketplace” (FCC, 2017), and also that “Restoring Internet freedom will lead to greater investment in building and expanding broadband networks in rural and low-income areas as well as additional competition—leading to better, faster, cheaper Internet access for all Americans, including those on the wrong side of the digital divide.” Based on these statements, it would appear that repealing the rules could promote innovation among ISPs.

The Net Neutrality rules came under attack in January 2017, when President Donald Trump appointed Ajit Pai, an FCC commissioner who had previously voted against Title II reclassification of the internet, as the new head of the FCC. Net Neutrality was finally repealed on June 11th of 2018 and is no longer in effect after nearly 20 years of internet services having been classified under the protection of telecommunication laws.

As of June 20th, 2018, thirty-six states have proposed or passed a resolution, bill, or executive order to preserve Net Neutrality since the new rules were adopted. Six states, Hawaii, Montana, New Jersey, New York, Rhode Island, and Vermont, have addressed this change by issuing Executive Orders requiring companies wishing to contract with the State to confirm that they will meet the 2017 net neutrality requirements. Thirty states have proposed legislation reinstating the net neutrality rules or requiring state contractors to abide by them. Ten additional states initiated Resolutions supporting Net Neutrality principles (NRRI, 2018).

Today, there is a clause under which internet service providers, or ISPs, have to disclose the circumstances under which they block or slow traffic, and to disclose if and when they offer paid-priority services. The FCC has preserved the ‘transparency’ rules that addressed many people’s concern about the power ISPs could potentially hold over these communications. This development mitigates the risk that providers would continue to engage in activities such as blocking or throttling connections, as Comcast did with BitTorrent, without telling their customers. The current ruling is a win for consumers, who are only seeking a basic set of guidelines or principles to regulate the behavior of providers. It doesn’t have to be called Net Neutrality, but it does have to increase transparency while still allowing ISPs to grow and innovate in the markets in which they operate. We can’t let it be used in an anti-competitive, fraudulent, or discriminatory way to harm consumers by diminishing the right to equal internet access for all who seek it.

California net neutrality bill easily passes Assembly

Internet groups urge U.S. court to reinstate ‘net neutrality’ rules

Net Neutrality Repeal Enables Abuse By Carriers, Groups Tell Court

Ajit Pai killed net neutrality but still wants you to love the FCC

(Note: I’m actively updating this small paper I wrote for a class on Net Neutrality for a novice audience)

References:

Bello, P., & Jung, J. (2015). Net Neutrality: Reflections on the Current Debate. Global Commission on Internet Governance.

CIGI. (2015). Net Neutrality: Reflections on the Current Debate https://www.cigionline.org/sites/default/files/no13_web.pdf

Comcast Corporation. (2008, September). Comcast Corporation Description of Current Network Management Practices. Retrieved from http://downloads.comcast.net/docs/Attachment_A_Current_Practices.pdf

FCC. (2018, May 22). FCC Releases Restoring Internet Freedom Order. Retrieved from https://www.fcc.gov/document/fcc-releases-restoring-internet-freedom-order

FCC. (2017). Myth Vs. Fact. Retrieved from https://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db1128/DOC-347961A1.pdf

Frieden, R. (2018). Freedom to Discriminate: Assessing the Lawfulness and Utility of Biased Broadband Networks. Vanderbilt Journal of Entertainment & Technology Law, 20(3), 655-708.

NRRI. (2018). Net Neutrality State Actions Tracker. Retrieved from http://nrri.org/net-neutrality-tracker/

Skype – Why can’t it all be so simple

Skype now has four versions of its software – purely for your confusion and inconvenience. Most recently, Microsoft was on its way to canceling Skype v7.0, with a deadline of Sept 1st, until an uproar from internet users not-so-quietly rolled that back. The new version of Skype that Microsoft is pushing now is called v8.0. Users have raised issues about its design and overall feel. One ‘idea’ on the Skype Voice site reads “Make Skype 8 look EXACTLY like Skype 7 Classic.” In its own forum, Microsoft stated that “Based on customer feedback, we are extending support for Skype 7 (Skype Classic) for some time. Our customers can continue to use Skype Classic until then.”

The Skype Release Notes page is not being updated frequently by Microsoft. We’re seeing new versions, and 1 to 2 weeks later there are still no details on what’s changed.

The Skype FAQ and Known Issues page has limited information on the actual issues we’ve seen with the software. It would be nice to have a closed loop, with the Release Notes showing when things are fixed.

Here’s a quick rundown on versions of Skype:

Skype for Business – Used for SMB/Enterprises, typically via Office365, but can be hosted privately on Rackspace, etc.

Skype for Windows 10 v11 – Windows 10 app that runs off of the Microsoft Store. This version is part of a program called Universal Windows Platform, or UWP, which means it works identically across Windows 10 platforms like PC, tablet, phone, and holographic devices. At this time, it’s not clear if it is missing any features when compared to the new Skype Desktop, but it does seem to be a very basic touch-type app in Windows.

Skype Classic v7.0 – An apparent all-time favorite of Windows users, and they don’t want it to go away. It’s the same old Skype and seems to be working perfectly. I’ve run into errors installing it on Windows 10 at times, which were probably due to a major Windows update for which MS still hadn’t shipped its fixes.

Skype for Desktop v8.0 – Newest version of Skype that brings Free HD Video, @mentions, group calls with 24 users, and will soon have privacy features like off-the-record audio chats. The biggest value-add here is in those features, which are combined with a modern interface and, of course, the promise of future development.

There’s also: Skype for Web, Skype Meetings, Skype for Mac, Skype For Linux, Skype for Android, and Skype for iOS, if you feel like you don’t have enough Skype in your life.

Issues:

I’ll make a list of known issues and fixes as I test the software. Please see below for some of the common deployment and usage-type problems I’ve found in Skype, especially on the new v8.0.

  • Skype v8.0 – attempts to launch SkypeSetup.exe from the user profile when the user has no admin permissions. The user can NOT open Skype – even when they hit No, the program keeps trying to run this downloaded file. This happens every time Skype releases an update, and it will effectively lock the user out until admin credentials are provided.

Adding these lines to the hosts file seemed to help block this version of Skype from trying to auto-upgrade:

127.0.0.1 get.skype.com
127.0.0.1 livegeteastus.cloudapp.net
127.0.0.1 liveget.trafficmanager.net

Delete or block the SkypeSetup file:

del "%APPDATA%\Microsoft\Skype For Desktop\SkypeSetup.exe" /f
  • Skype v8.0 – does not remove Skype Classic from a machine when you push it out. In my testing, I was able to remove Skype v7 first and then push Skype v8. It migrated my profile to the new version. If I pushed Skype v8 on top of v7, it would launch both on start-up. Simply removing v7 didn’t fix it – I had to push v8 again after the removal. Here’s my recommendation:
wmic /node:'LOCALHOST' /interactive:off product where "name LIKE 'Skype% 7.%'" call uninstall

Skype-8.27.0.85.exe /silent
  • Skype for Business – Installs with the Business version of Office365 and will NOT let you remove it from the computer. Go ahead, try it… use a customized install XML and it won’t honor the request to keep Lync off the machine. Even if it does remove Lync, the app will automatically reinstall during an online repair of Office.

Remove from start-up:

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Lync /f
  • Skype For Business – A second issue with Skype For Business is connecting to regular Skype users. Microsoft requires them to associate with a Live.com email before this can happen. You can’t find them, and they can’t find you, until that has been done. In my testing, I could not add my personal Skype account to a test instance of Skype for Business without the Microsoft email association.
  • Skype v11 for Windows 10 – This version of Skype can cause confusion and issues with compatibility when it comes to the new features offered by Skype Desktop v8.

Remove it using PowerShell:

Set-ExecutionPolicy -Scope LocalMachine Restricted
Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage

Panda Antivirus Adaptive Defense 360

We recently tested Panda Antivirus Adaptive Defense as a continuation of a previous review of NGAV products. Does Panda live up to its claims? Is it the future of Antivirus? It has its ups and downs, but overall I think the issues we experienced can be fixed. It’s headed in the right direction, and overall the interface is designed well for a modern protection platform.

Panda’s current version is 7.x and the product is Adaptive Defense 360. From the marketing on the website, you get the feeling that it’s not your average ‘Panda’ but next-generation, sexy, and ready to eradicate even the most virulent samples.

During the test, I exchanged 178 emails with the vendor over a period of fewer than 90 days. I’ve learned a great deal through direct experience of its stability and effectiveness. It’s been my experience that you’d better test the heck out of these products. Not only with detection but the basic administration features as well. There can be bugs lurking that may not impact you on the security side but potentially impair your ability to control and manage endpoints. I went ahead and dug in using my basic Dell models and hoped for the best. Keep in mind that the things I don’t ‘like’ are bugs that can be resolved – not necessarily fatal issues. Here’s my evaluation…

*** Update 8/13 – Panda is aware of this blog and actively working to fix any of the issues I found. They’ve allocated folks from Product Management, Engineering and other teams to help improve response.

A few things to note:

1. My blog recommends products on occasion but has nothing for sale
2. Bugs like to come out when I’m around, so be careful if I sign up for a demo
3. I don’t drink the kool-aid, so I look forward to lifting the marketing curtain

Machines Tested:

Dell Latitude E6440, E5470, E5480
Dell XPS 8390 (Desktop)
Dell Inspiron (7000 Series)
Windows 7 and Windows 10

Things we liked: 

  • Support is light speed and much more responsive than BitDefender. We received prompt responses and consistent service from all of the techs. They responded appropriately to our concerns. Many times it was just a matter of reproducing the issues and gathering the right data. Panda can trigger a ‘PSINFO’ tool to gather support data without you having to send any technical information to support. In comparison, I’ve waited days and days for BitDefender support to reply, and even when they do it’s not with any urgency. If you call, there is typically no way to speak to anyone live at BitDefender until they call you back. Panda is easy to get on the phone and often called me when I was available before the afternoon.
  • Panda recently implemented anti-tampering. I’ve been advocating for this across a number of products. In Barkly, I could simply stop any of the AV processes, execute malcode and start them again. Panda protected its services even in the services.msc snap-in.
  • EDR function traced the source of execution back to a file on many virus samples we tested. We’d get an alert within 0-15 minutes that showed which process executed a particular piece of code and where it connected to. Very useful and is focused on the context of that execution. Liked this better than the fancy tree in other EDR products. It’s better to be able to alert on this in an e-mail format without needing to access the console.
  • Deployment tools were adequate in that there were no major issues with installing, uninstalling or deploying the files. Minimal interruption or notices to the machine when pushing it down with a script. Removal from the console happens in under 15 minutes on most machines.
  • Panda’s support is phenomenal despite us having many bugs with it on our particular platform that was available to test. They responded quickly and with haste. During our support they offered access to an early release version of Panda AD360 8.x as a way to get past known issues on v7.

Issues we worked with support on:

  • Crashing/Bluescreens – Panda caused many bug checks on my machines with the driver NNSPRV.SYS, and by many I mean over a dozen on multiple machines. A common factor for some was that they were running a slightly older version of the Intel PROSet wireless drivers, but I cannot fully confirm that’s the cause. The crashes continued until we were put on an early release of version 8.0 that seemed to alleviate them; at the time, though, this was not a general release. Every dump had references to Panda drivers in it when the crashes occurred, and they happened often.

  • Performance Issues/Hangups – Machine slowdowns on several boxes that include severe delays opening applications. This happened several more times in the last few months with the most recent being on my own machine while I was using it. I captured video of this and called in to offer an impacted machine to Panda. They were unavailable to gather any data and did not recommend any steps to take on the machine at that time. I had to remove the product and could not wait until ‘tomorrow’ to find out what I needed to do. That issue is still not identified or resolved. The burden was on me to prove that this is an issue even though I’ve captured live video of it happening multiple times. Panda was using 10,000 handles on PSANHOST.EXE when the issue occurs. Chrome tabs were completely hung up and simple applications like Notepad.exe took more than a minute to open. The issue was immediately resolved by removing the AV – which by the way was so hung up it took about 30 minutes. After the removal, we could immediately surf the web, and open up applications.
  • Service instability – Panda services were crashing randomly on versions 7.x-8.x. We detected this in the monitoring of its services, and the issue impacts the latest version. Support requested that we manually gather data using a dump tool so they could assess the issue. The main service controlling Panda crashes and logs ‘The Panda Endpoint Administration Agent service terminated unexpectedly’ on these machines. There is no fix or explanation for this issue, and it’s separate from the ones shown above. We don’t know why the service keeps crashing or what to do next. Even if we did, we believe that this ‘broken agent’ issue leads to decreased security for those endpoints when they aren’t able to update or communicate properly. A lot of time is being spent manually reinstalling agents to fix this issue.
  • Upgrade Issues – Panda also failed to upgrade from v7 to v8 automatically on around 25% of the computers creating a situation where it was ‘broken’ and not functional. There was, of course, a fix or method for support to help us but it was manual, involved remoting into each machine and again the upgrade just didn’t work without any explanation. Many of the computers have rebooted numerous times and get repeatedly prompted to ‘Upgrade Panda’ when they’ve accepted that menu over and over. Meanwhile, the agents did not have full protection because the install was technically broken between versions.

 (Panda Support)

  • Dropper Detection / Kill Chain Issues – None of the files I opened with malicious Word macros were detected until the actual payload ran. Panda did not detect many files on-access, but only once they ran, further down the attack chain. It will stop the PowerShell command from running, but only at the point of execution. That’s a little too close for comfort, especially when many other tools see the evil in the macros and the malware code embedded in the document. Out of the dozen or so files I got live from the internet, none of the droppers triggered an alert until they tried something fishy. Panda was quick about adding them as a generic type of alert when I sent in samples. There is no automated system or method to submit samples to Panda without manually opening an e-mail ticket. Panda’s ‘EDR’ type execution report fails to correlate the malicious .doc I opened and only ‘sees’ the PowerShell. But what ran the command? What were the parameters?

(Panda Support)

  • False Positives – We found that Panda would trigger on innocuous Windows 10 processes like those that update the Windows Store applications. In some cases it labeled them as ‘potentially malicious’ and in lock mode, it halted execution while it could determine if they were true positive malicious. This wasn’t the only ‘system’ type file and we encountered many more with Nvidia and a driver from Intel.
  • Web Filtering / Phishing – Many of the Malware and Phishing URLs I attempted to visit wasn’t classified by the software. During my investigation of the ‘Master Angler’ story this month I had Panda running and it never blocked any of the URLs. I submitted a URL to Panda with my blog and they added that single address but no others that were obviously running off that same IP. After reporting many of these URLs to Panda I realized that the phishing protection was outsourced to Cyren and not using its own threat intelligence.
  • Buggy Alerting – Malware alerts were configured for the web and alerted directly from the IP via SMTP to my e-mail server, which was kind of strange. Not only that, but there were still variables in the e-mail that were unresolved, like {ExtendedUrlMalwareinfo}. The other issue was that I’d get tons of duplicates with the same information, maybe 5-10 e-mails in a blast from a single machine visiting a site. It says ‘Virus deleted’ but I couldn’t find anything malicious on some of these sites.

  • Console Outages – The web console had issues on several occasions with server-side errors that prevented me from logging in. At this exact moment I keep logging in but it tells me that for security reasons my session has timed out.

  • Cookie Alarm – Panda sent alerts for cookies detected on machines and I couldn’t turn it off. There was no way to whitelist or otherwise exclude this extra noise.

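The kill-chain complaint above (the EDR report shows the PowerShell but not the document that launched it) is exactly what a process-ancestry correlation answers. The following is an added example, not Panda’s code or anything from the original post: it walks Sysmon-style process-creation events, and for every script host it finds, reports the full parent chain, the document the Office parent had open, and the command-line parameters. The events, PIDs, paths and the `BASE64_PLACEHOLDER` token are constructed sample data.

```python
import ntpath

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# None of this is real telemetry; the encoded-command token is a placeholder.
EVENTS = [
    {"pid": 4100, "ppid": 812, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5200, "ppid": 4100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"pid": 5316, "ppid": 5200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc BASE64_PLACEHOLDER"},
    # A benign PowerShell launched from the shell, not from an Office document.
    {"pid": 6000, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Office applications that commonly open macro-bearing documents, and the
# script hosts a macro typically hands off to.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


def basename(image):
    """Lower-cased file name of a Windows image path (ntpath works on any OS)."""
    return ntpath.basename(image).lower()


def ancestry(pid, by_pid):
    """Return the process chain root-first, stopping at unknown or cyclic PIDs."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(event)
        pid = event["ppid"]
    return list(reversed(chain))


def find_office_spawned_script_hosts(events):
    """Alert on script hosts that have an Office application anywhere above them."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if basename(event["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(event["pid"], by_pid)
        office_parents = [a for a in chain[:-1] if basename(a["image"]) in OFFICE_APPS]
        if office_parents:
            alerts.append({
                "pid": event["pid"],
                "chain": " -> ".join(basename(a["image"]) for a in chain),
                # The closest Office ancestor's command line names the document.
                "document": office_parents[-1]["cmdline"],
                "parameters": event["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_office_spawned_script_hosts(EVENTS):
        print(f"[ALERT] pid={alert['pid']} chain={alert['chain']}")
        print(f"        document:   {alert['document']}")
        print(f"        parameters: {alert['parameters']}")
```

The benign backup script under `explorer.exe` produces no alert; only the PowerShell whose ancestry passes through `WINWORD.EXE` does, and the alert carries the document path and the full parameters that the review says Panda’s report omits. On a real estate the PID map would be built from a streaming event source and PID reuse handled by including process start time in the key.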
Bad Bots – Headless Chrome

There’s never a shortage of bad bots and unidentifiable applications that crawl websites. Are they scraping the content? Updating it for some unnamed organization’s news site? Storing an archive of it? It’s not clear, as they typically won’t identify themselves with a legitimate robot-type user agent.

One group of firewall logs recently caught my eye for a few reasons. The first reason was that, similar to my issue with OVH Hosting in a previous blog, there were numerous clients connecting simultaneously with the same user agent. At any given time, 3 to 5 of these hosts would be crawling information, like tags and posts, off of the site. Viewing the visitors live, I saw that a high percentage of the IPs below were all using the same user agent.

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/64.0.3282.119 Safari/537.36

Here’s a copy of the firewall log where I set up a rule to do an extended browser validation using JavaScript:

Does anybody know the purpose and source of these connections? Did you end up here by searching for one of the IPs? All of the subnets below belong to Amazon Technologies and could possibly be connected behind the scenes on Amazon Web Services.

I’ve tested a solution called Kasada that I’d recommend for blocking these kinds of probes on a medium-large scale network. Otherwise, the tool ‘Cerber’ is useful for defending platforms like WordPress.
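As an added example (not code from the original post, and not how Kasada or Cerber work internally), here is a small Python pass over web-server access logs that surfaces the two signals described above: user agents that announce themselves as HeadlessChrome, and a single user-agent string shared by several distinct client addresses at the same time. The log lines are constructed, and `WATCHED_RANGES` is an assumed placeholder that an operator would populate from the hosting provider’s published address ranges (AWS publishes ip-ranges.json); it is not an authoritative list of Amazon networks.

```python
import ipaddress
import re
from collections import defaultdict

# Combined log format as written by Apache/nginx. Adjust the pattern if your
# firewall or CDN logs a different layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The marker seen in the post: the UA product token says it is headless.
HEADLESS_RE = re.compile(r"HeadlessChrome/\d")

# Assumption: address blocks the operator chooses to watch. These are
# constructed to cover the sample addresses, not a real provider range list.
WATCHED_RANGES = [ipaddress.ip_network(n) for n in
                  ("34.208.0.0/12", "52.8.0.0/13", "54.184.0.0/13")]

HEADLESS_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) HeadlessChrome/64.0.3282.119 Safari/537.36")
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36")

# Constructed sample log: four crawlers sharing one headless UA, one real
# visitor, and one unparseable line to exercise the error path.
SAMPLE_LOG = [
    f'34.208.40.36 - - [12/Jul/2018:10:00:01 +0000] "GET /tag/phishing/ HTTP/1.1" 200 5120 "-" "{HEADLESS_UA}"',
    f'34.219.11.198 - - [12/Jul/2018:10:00:02 +0000] "GET /2018/07/ HTTP/1.1" 200 8800 "-" "{HEADLESS_UA}"',
    f'52.10.12.227 - - [12/Jul/2018:10:00:02 +0000] "GET /tag/malware/ HTTP/1.1" 200 4100 "-" "{HEADLESS_UA}"',
    f'54.184.19.153 - - [12/Jul/2018:10:00:03 +0000] "GET /feed/ HTTP/1.1" 200 2200 "-" "{HEADLESS_UA}"',
    f'203.0.113.7 - - [12/Jul/2018:10:00:05 +0000] "GET / HTTP/1.1" 200 12000 "https://example.net/" "{DESKTOP_UA}"',
    "garbage line that does not parse",
]


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def in_watched_range(ip):
    """True if the address falls inside any of the watched network blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_RANGES)


def analyze(lines, shared_threshold=3):
    """Group client IPs by user agent and report headless and shared-UA signals."""
    ips_by_ua = defaultdict(set)
    for line in lines:
        record = parse_line(line)
        if record:
            ips_by_ua[record["ua"]].add(record["ip"])
    headless_ips = sorted(ip for ua, ips in ips_by_ua.items()
                          if HEADLESS_RE.search(ua) for ip in ips)
    shared_uas = [ua for ua, ips in ips_by_ua.items() if len(ips) >= shared_threshold]
    return {
        "ua_ip_counts": {ua: len(ips) for ua, ips in ips_by_ua.items()},
        "headless_ips": headless_ips,
        "shared_uas": shared_uas,
        "watched_range_hits": {ip: in_watched_range(ip) for ip in headless_ips},
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ua in result["shared_uas"]:
        print(f"UA shared by {result['ua_ip_counts'][ua]} distinct IPs: {ua}")
    for ip in result["headless_ips"]:
        print(f"headless client {ip} in watched range: {result['watched_range_hits'][ip]}")
```

The threshold of three distinct addresses per user-agent string mirrors the 3 to 5 simultaneous crawlers observed above and is the knob to tune on a busier site; the headless check is a plain substring test because this particular bot did not bother to hide its product token, which is the easy case. Bots that spoof a desktop UA are only caught by the shared-UA clustering or by the JavaScript browser validation mentioned earlier.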

100+ IP Addresses recorded in the month of July:

18.236.120.18
18.236.243.214
18.237.41.164
18.237.61.143
18.237.123.0
34.208.40.36
34.208.92.220
34.208.141.124
34.208.235.48
34.209.44.200
34.209.114.64
34.209.227.101
34.210.78.254
34.210.100.217
34.210.221.104
34.211.25.220
34.211.190.187
34.211.227.196
34.212.71.188
34.212.116.241
34.212.131.138
34.214.150.53
34.215.152.137
34.216.26.43
34.217.14.63
34.217.50.13
34.217.107.188
34.218.250.187
34.219.11.198
34.219.39.87
34.219.92.251
34.219.141.108
34.219.193.58
34.219.225.182
34.220.16.137
34.220.59.162
34.220.80.254
34.220.103.78
34.220.148.196
34.220.188.241
34.220.199.88
34.220.224.29
34.221.7.4
34.221.22.134
34.221.32.36
34.221.58.141
34.221.77.132
34.221.142.89
34.221.164.175
34.221.241.244
34.221.242.167
35.160.27.133
35.160.98.44
35.161.21.171
35.162.116.37
35.164.15.117
35.164.69.206
35.164.100.206
35.165.242.232
35.166.95.89
35.166.178.125
35.172.212.99
52.10.12.227
52.12.129.255
52.13.68.33
52.13.80.33
52.25.232.118
52.27.65.70
52.34.53.176
52.35.81.218
52.35.124.32
52.36.59.177
52.38.5.86
52.38.39.61
52.40.23.116
52.40.76.8
52.41.164.108
52.89.45.141
54.68.182.6
54.70.12.254
54.70.144.155
54.148.14.116
54.149.73.177
54.184.19.153
54.185.147.189
54.186.70.168
54.187.36.97
54.187.196.207
54.190.184.2
54.191.111.154
54.191.111.220
54.191.197.179
54.200.246.200
54.201.191.42
54.201.229.227
54.202.84.215
54.202.248.143
54.212.211.34
54.213.15.127
54.213.61.104
54.213.242.152
54.218.1.204
54.218.84.30
54.218.112.201
54.244.15.175
54.244.37.100
54.245.26.75
54.245.183.44
91.213.143.248
167.99.167.226

Phishing – A Master Anglers Toolbox

We recently came across a researcher’s gold mine of phishing sites. It all started with a PDF file received via e-mail, named Post-Label. The file itself is harmless, but it links to the USPS scam shown below in the screenshots.

USPS-Phishing
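The Post-Label lure is a common shape: a PDF with no active content whose only job is a clickable link to the phishing page. The triage below is an added example, not from the original post and not a replacement for purpose-built tools such as pdfid or peepdf. It pulls `/URI` link targets out of the raw PDF object syntax and flags the dictionary keys that carry active content (`/JavaScript`, `/JS`, `/Launch`, `/OpenAction`, `/AA`, `/EmbeddedFile`), so an analyst can see where a document points without opening it. Both PDFs are constructed samples with made-up `.example` URLs; the scan looks only at uncompressed object text, so objects inside FlateDecode streams would first need inflating.

```python
import re

# Constructed sample 1: a harmless-looking PDF whose single link annotation
# points at a made-up tracking-label URL (the Post-Label pattern).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://usps-post-label.example/track?id=1234) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: no links, but a document-open action running JavaScript.
SAMPLE_PDF_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R
   /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI followed by a PDF literal string; the group tolerates escaped parens.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# Dictionary keys that mean the document can do more than display text.
ACTIVE_CONTENT = {
    b"/JavaScript": "javascript",
    b"/JS": "javascript",
    b"/Launch": "launch",
    b"/OpenAction": "open-action",
    b"/AA": "additional-actions",
    b"/EmbeddedFile": "embedded-file",
}


def extract_uris(pdf_bytes):
    """Return every /URI target found in uncompressed object syntax."""
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        raw = match.group(1)
        # Undo the literal-string escapes that matter for a URL.
        text = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(text.decode("latin-1"))
    return uris


def active_content_flags(pdf_bytes):
    """Sorted list of active-content categories whose keys appear in the file."""
    found = set()
    for key, name in ACTIVE_CONTENT.items():
        # \b stops /JS from matching inside a longer name such as /JSX.
        if re.search(re.escape(key) + rb"\b", pdf_bytes):
            found.add(name)
    return sorted(found)


def triage(pdf_bytes):
    """Summarise a PDF as clean, links-out, or active-content."""
    uris = extract_uris(pdf_bytes)
    flags = active_content_flags(pdf_bytes)
    external = [u for u in uris if not u.lower().startswith("mailto:")]
    if flags:
        verdict = "active-content"
    elif external:
        verdict = "links-out"
    else:
        verdict = "clean"
    return {"uris": uris, "active_content": flags, "verdict": verdict}


if __name__ == "__main__":
    for label, data in (("post-label", SAMPLE_PDF), ("js-sample", SAMPLE_PDF_JS)):
        print(label, triage(data))
```

The first sample comes back as `links-out` with the lure URL listed, which is the Post-Label case: nothing to detonate, just a destination to check against URLScan, PhishTank or the provider’s abuse desk. The second comes back as `active-content` and belongs in a sandbox rather than a viewer.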

Further analysis of this IP found that it belongs to QuadraNet, a colocation provider that is only involved in hosting physical servers for its clients. The service is being provided to AlphaRacks, a VPS provider that rents out computing space to its clients. QuadraNet is no stranger to malware and C&C, being #8 of the top 10 worst spam ISPs.

(***Update*** ) [The feds shut Alpharacks down and two employees from QuadraNet were fired for running a business under aliases to rent space from the ISP and deflect attempts to block its communication at the Abuse team]

VirusTotal has a ton of sites being hosted off this box, and an almost unbelievable number of phishing pages and malware. We found more than 60 different brands being phished off this one IP address. The activity goes back to March 2018. It’s a phenomenon I call ‘hiding in plain sight,’ and that’s because vendors have been detecting the issue for many months, but no one has taken the initiative to file an abuse report.

We filed an abuse report and QuadraNet is now aware of the issue. They’ve committed to cutting off access from this IP if the client does not respond within a period of time and clean up the phishing sites. We’ve included numerous updates below on the progress of the cleanup, just before the screenshots we have collected over a period of months.

https://www.virustotal.com/#/ip-address/162.220.11.2

https://www.virustotal.com/#/ip-address/167.160.188.2 (Added 10/2018. New IP owned by Alpharacks)

URLScan provides regular screenshots of the activity hosted on various domains at this IP address. I’ve seen hundreds and potentially thousands of domains pointing to this location over the last several months.

https://urlscan.io/ip/162.220.11.2

https://urlscan.io/ip/167.160.188.2

https://www.abuseipdb.com/check/162.220.11.2

https://checkphish.ai reports 1,945 phishing URLs have been observed off of this address.

Brands being phished include CIBC Bank, DHL, GoDaddy, Microsoft Live, Office 365, OneDrive, Outlook Web Access, PayPal, USPS, and 50+ others, all on a single IP. This is a master angler at work, folks!

We’ve seen phishing attempts against the companies below. This is not a confirmation that they were compromised, only that someone there scanned a URL with an e-mail address inside it, so we presume the owner received it via an inbound phishing e-mail. Keep in mind this list only represents a small portion of the recipients and just a couple of days’ worth of URLs being scanned on VirusTotal:

Australia and New Zealand Bank
Aditya Birla Group
Conrad Hotels
Ericsson
Fox Broadcasting
Huawei
KPMG
Owens Corning
PotashCorp
QBE Insurance Group
Reebok
Regus
Seagate
State of Minnesota
Tetra Pak
Toyota
The Linde Group
VF Corporation
Volvo

NOTE: Some of this research is incomplete and should be investigated further by other researchers. I tend to post these kinds of ‘live’ hacks quickly, to get the word out and let folks experiment a bit before the hackers are shut down. The first thing I did was notify the hosting provider, so the clock is ticking. Or maybe it’s not, depending on how well they handle abuse complaints.

E-mail possibly associated with activity: [email protected] 

Dozens of the sites have login pages for the Pony Botnet:


Updates:

11/19 – New IP address observed, 167.160.188.2, owned by Alpharacks, which has an equivalent amount of scam websites up and running.

10/16 – We will allow the provider Quadranet to continue working with its client to remediate the issue.

9/17 – Activity continues and no response from ‘[email protected]‘ or Quadranet.

8/21 – Quadranet has reportedly taken action against AlphaRacks by null-routing its IP again due to the abuse. The IP was responding again a short time later.

8/14 – IP still has dozens of phishing sites, malware binaries and botnet communication files hosted on it. I’ve been e-mailing this information to the upstream provider, which is QuadraNet. The co-location customer this IP belongs to either doesn’t have the time to keep an eye on this, or doesn’t know how to stop these phishermen. It’s also possible the server is compromised or that the operator AlphaRacks is complicit in the activity. I found that the blocks used to be owned by Crissic Solutions (Skylar MacMinn, Germany), who both worked at Quadranet and occupied the same IP space. An unknown entity was selling AlphaRacks on a web forum about 4 years ago at post#1 post#2.

8/7 – IP continues to host phishing activity. We have reported additional sites to QuadraNet, who will presumably notify the colocation client again. Keep in mind we noticed this activity start trending upward in March of 2018. Obviously, they’ve been outsmarting both of these parties for a good deal of time, nearly half of 2018.

7/23 – QuadraNet has notified me that they are going to “null-route the IP address and reach out to our customer, they may not have been aware of the number of domains involved.” after they had repeatedly asked the customer to disable these services. The IP went down and was back up within a few hours. We confirmed it still had 5+ phishing sites live on it and reported that back to QuadraNet. We suspect the client is Alpharacks Hosting and that up to 1,200 domains may be on this server, most of them malicious.

Screenshots below:

I’ve reported this to QuadraNet and PhishTank. Google Chrome warned against visiting many of these sites hosted on this IP.