Another Phish in the Sea

The rise in scamming campaigns has become a focal issue for the InfoSec world in recent years. More and more attacks have been targeting everyone from large corporates, by using specific techniques “tailored” for the target, to simple users, by spreading it to anyone available. The platforms from which the malware is spread vary from standard email messages and social networks to more complicated SMS scams.

We will attempt to describe herein the basic steps to take to determine if a suspicious email, text message or Facebook post is actually malicious – in order to stay safe from falling victim, while still being able to keep up with the latest 9GAG spam.

Source Identity

When receiving a new email or text message, check who the sender is. If the message comes from an unknown person – a source you are not expecting contact from or a strange looking email name – do not open it! Browsing social networks like Twitter can also lead you to malicious actors that will try to lure innocents and curious people.

One such example is a reservation email scam that “accidentally” sends a room reservation email to you instead of the hotel manager. The email has an attachment, purportedly containing a list of special requirements for the guests, which turns out to be a malicious element that downloads additional executable malware.

Another Phish in the Sea_1

Content

We have all heard the joke about receiving a scam email from a Nigerian prince, where the victim is asked to provide their bank account details in order to receive a large sum of money, but reality is not so far off. Attackers use sophisticated techniques to capture your attention, be it by intimidation, exploiting the latest trending topic or informing you of a transaction.

The recent iCloud hacking leak scandal has been a hot topic on the Internet, and the phishing attacks soon followed. The tweet, which tries to grab your attention by sharing a link to the alleged nude video of Jennifer Laurence, redirects visitors to a download page for a video converter. Of course, the downloaded file turned out to be adware, not to mention the fact that it forces its victims to share the malicious site on their Facebook profiles.

Another Phish in the Sea_2

Grammar

I believe that the easiest way to observe that something about a message of any kind is wrong is bad grammar. Foreign scammers who are not fluent in target audience languages encounter a barrier that they try to bypass by using online translators or just trying their luck at translating the message on their own. A poorly written letter from a formal organization or a shifty looking website should definitely raise a red flag.

Another Phish in the Sea_3

Links

Apart from the content itself, the message might also contain links. The URL that appears in the text might seem legitimate, but it is important to get a closer look at the domain name, in addition to ‘hovering’ over the link with a mouse to see if the actual web address is compatible with the one presented to you (for other fake-link-finding techniques, see our previous post).

Let’s say you received an email from the human resources department in your company – Sounds like a legitimate item to open. But what if it contains a link to download CryptoWall ransomware? In this particular situation, it is very difficult to distinguish whether this is phishing scam, but by taking a closer look at the shared link, you can notice if it redirects you to a gaming website and forces you to download a suspicious ZIP file that contains the malware.

Another Phish in the Sea_4

Attachments

Some scammers direct you to open files attached to their message. They might appear legitimate because they are Word or ZIP files, but they end up being disguised malware. Be aware of attachments you are not expecting to receive, especially executable files like .EXE, .PIF, .JAR, .BAT and .REG.

Curiosity killed the cat, and apparently also some people’s computers. An innocent-looking email suggesting that you view someone’s new photo contains an attachment called photo.zip, which unfortunately does not contain an attractive person’s selfie, but rather a Zbot Trojan.

And just like the old Japanese saying goes “Attack a man with a phish and you’ll scam him for a day; Teach a man to phish and you keep him safe for a lifetime.”

Another Phish in the Sea_5

Hacker Idol

The cyber world is anxiously awaiting the next big event and you can feel the buzz in the air since the Anon Official Arab hacker group announced their survey of the “Best Hacker Group in the Arab World for Year 2014″. People have been asked to vote for the best hacker group according to its achievements during 2014. The survey will be available to the public for 48 hours, after which time the organizers will announce the winners.

The Survey

The Survey

The nominees for the title “Best Hacker Group” are Anonymous, AnonGhost, Gaza Hacker Team, Fallaga, Moroccan Kingdom and Moroccan Islamic Union Mail. All are very popular groups with undisguised agendas against Israel, the U.S. and other governments around the world.
We have already voted for our favorite group. Have you? :)

After the Russian Yandex and Mail.ru, Gmail Accounts are Leaked. Who will be Tomorrow’s Target?

This morning cyber security sources informed us for the third time this week about email addresses and passwords being leaked from a large mail provider. After the Russian services Yandex.ru (one million leaked emails) and Mail.ru (4.5 million leaked emails), came Gmail’s turn – around five million emails were posted on a Russian platform.

According to publications about the Gmail leak, the data was published on a Russian forum that focuses on bitcoin issues – Bitcoin Security. The forum member who uploaded the database is nicknamed tvskit, and he was the first one to publish the data online in all three of the cases.

A short search on the above nickname on social networks revealed a 34-year old man by the name of Ivan Bragin, from the Perm administrative center in Russia. His VK and Twitter pages contain plenty of information regarding crypto-currencies, in addition to a tweet about the Gmail leak linked to the BTC forum. From his posts, it seems that he did not directly connect himself to the leaks, nor did he take credit for stealing the data. Moreover, the story he tells is about running into these email lists on the web, then deleting the passwords and publishing them ‘for the greater good’. It is a strange coincidence that all three lists were found by the same person.

Based on the fact that tvskit‘s real identity was so easy to find (no attempts to hide it from his side), combined with the fact that initially the account list was published without the passwords (“just in order for people to check if their address was on the list”), makes us doubt that he stole the data.

According to several cyber security sources that analyzed the database, some of the compromised mail accounts were either automatically registered or were not active in the past. Nevertheless, some users of the above providers did confirm the authenticity of the logins and passwords.

Yandex and Mail.ru denied any kind of breach of their databases, so the leading hypothesis of the accounts origin is that all three lists were collected over a long period of time, from different sources, maybe along with other, less “attractive” data, that was later sorted by email providers and published online. In addition, we should also consider that at least some of the addresses are fictitious or not valid. At this moment, it is difficult to specify the exact number of addresses with a valid password.

Relying on the information above, we believe that all three lists were obtained by the same person (not necessarily tvskit), who managed to get hold of some valid logins and passwords and then mixed them with non-valid or automatically created addresses to intensify the scale of the leak.

A forum thread Bitcoin Security forum, which cointians the leaked Gmail database on

A forum thread from Bitcoin Security forum, which cointains the leaked Gmail database

Ivan Bragin's Twit linked to the forum post about Gmail leak

Ivan Bragin’s tweet linked to the forum post about the Gmail leak

The Rebirth of #OpIsraelReborn

#OpIsraelReborn 2014

Since 2001, the date 9/11 has held symbolic meaning for all terror groups and Islamist hacktivists. Every year, come September, many countries raise their alert status, fearing that a terror attack might be executed on this date to amplify its resonance and attach more significance to it. Ergo, it came of little surprise that this date was chosen in 2013 for the #OpUSA campaign that mainly targeted the websites of different American governmental and financial institutions. To further leverage the momentum, a second campaign, #OpIsraelReborn, was launched by AnonGhost concurrently with #OpUSA. However, the 2013 #OpIsraelReborn campaign failed to produce the desired results, and perhaps for this reason, this year the group has decided to have another go at it.

1111

On August 21, 2014, AnonGhost tweeted “Next operation is #OpIsrael Reborn. On 11 September, be ready Israel – you will taste something sweet as usual”. While we do not expect them to hand out vanilla-flavored ice-cream to random Israelis on the street, we also do not believe this campaign poses an exceptionally grim threat. Nevertheless, the AnonGhost group, together with many other hackers, are undoubtedly highly motivated to launch cyberattacks against Israeli targets, especially after the recent Protective Edge campaign, and they should therefore be afforded appropriate attention.

Based on last year’s experience, we expect that the main attack vectors will include DDoS attacks, defacements and SQL injections, and the prime victims of these attacks will be the websites of small businesses that maintain a low level of security.

9/11 is drawing closer and we will soon find out what cake AnonGhost has baked for us this time.        

2222

Our New SenseCy.com is Here!

We are happy to announce the launch of the new version of our portal!

After many sleepless hours and minor hiccups along the way, we have launched our new website this past week. Let’s have a quick tour and introduce the new changes:

Firstly, we shifted our approach to accommodate our customers’ needs. Instead of focusing on our sources, we now focus on five main sectors. This enables you to choose the sector of your interest and get information from all available sources (whether if it’s OSINT, Hacktivism or Deep-Web).

1st

Our feed representation has also changed. It’s much more intuitive and user friendly. We’ve expanded the search capabilities which enables you to conduct various correlations and to locate the proper information that you require.

2nd

We’ve also introduced our all new bundles. Get substantial discounts and our unique reports when purchasing one of our cyber intelligence feed bundles.

3rd

What’s next? We are now working hard on our next release which will add more features and improvements.

So definitely stay tuned and stay connected!

Ukraine Accuses Russia of Invasion – Ukrainian Hackers Set to Retaliate

Earlier today (August 28, 2014) Ukrainian President Petro Poroshenko said that Russia has sent troops to eastern Ukraine. Ukrainian hacker groups are quickly aiming to retaliate – Anonymous Ukraine plans to attack a number of Russian bank websites and the official websites of the Russian President . The first target was sberbank.ru, and the attack was planned to take place on August 28 at 16:00.

Anonymous Ukraine is threatening to carry out DDoS attacks

Anonymous Ukraine is threatening to carry out DDoS attacks

Other websites on the list include:

Threats to wage cyber attacks on sberbank.ru

Threats to wage cyber attacks on sberbank.ru

How to Spot a Fake LinkedIn Profile in 60 Seconds?

LinkedIn is a terrific platform to cultivate business connections. It is also rife with fraud and deceit. Fraudsters use as a social engineering tool which allows them to connect to professionals, trying to lure them into disclosing their real contact details (work email is the best) and then use this email address to send spam, or worse, deliver malware.
Always check the profile before accepting an invitation, and do so via the LinkedIn message mechanism and not viaemail (fake invitation emails can cause much more harm than fake profiles – see our previous post).

So we have established that it is imperative to be able to identify a fake profile when someone invites you to connect on LinkedIn. But how would you do that? Follow our proprietary (just made up) CID protocol! CID stands for – Connections, Image and Details. By following it, you will be able to spot most fakes in 60 seconds or less. For more elaborate fraud attempts, it will be much longer or maybe even impossible for the non- professional to identify. We will discuss these later.

Connections - while you can fabricate any “fact” on your profile, connections cannot be faked; they have to be “real” LinkedIn users who have agreed to connect with you. So unless the fraudster is willing to create 100 other fake profiles, and connect these with the fake persona he is trying to solidify (something that takes a lot of time and effort to do, and something I hope the LinkedIn algorithm will pick up), the only way for him to have 100 connections is to connect to 100 LinkedIn users. So if you see someone with a puny number of connections, you can start to be more suspicious. So, connections number check – 5 seconds. Moving on.

low connections

Very few connections

Image - by now most people creating a LinkedIn profile realize that it is in their best interest to include a real image of themselves, and usually a professionally looking one (either taken by a professional or in professional attire). So no image or an obscure one is kind of suspicious. Also, any too good-looking images should ring an alarm bell. Since it is almost certain that the fraudster will not use his/hers own image (by that they will make the profile real to a certain extent), they will most likely search for a nice photo to post online. How can you tell if the image they have used is taken from someplace else? There are dedicated websites for reverse image searching, but since we are under serious time constraints here, why not simply right-click the image and ask Google to check the source? Very quickly it will find a compatible image and you can match the profile image to an existing stock image. Another 25 seconds gone. Say these two tests were insufficient and you are still not sure? Check the Details.

image search

Starting Google image search

image search results

Image search results

Details - people know that the more detailed their profile is, the better. Profiles lacking education or occupation details are very unreliable, along with these are any severe discrepancies: How could this guy study at Yale and serve overseas at the same time? lack of skills, recommendations and endorsements are not in favor of any real profile. Taking another 30 seconds of your precious time, you should by now be able to spot a fake profile.
Sure, someone just starting on LinkedIn might have fit our CID protocol while actually just launching his LinkedIn profile, and therefore has few connections. If you know this guy, go ahead and connect. If you do not, it is best to wait until the profile seems more robust.
It is very important to note that accepting the invitation to connect by itself (given it was delivered via a LinkedIn message mechanism or clicked on the user profile) does not create any damage, but it establishes a link between you and a fraudster, which can later be utilized as an attack vector.

Oh, and if you have 30 more seconds, why not do everyone a favor and report the fraudster? LinkedIn allows you to report suspicious profiles for review.

Report profile

Report profile

Simply click the “Block or Report” option, fill the short form and there you go.

Report the profile for review by LinkedIn

Report the profile for review by LinkedIn

P.S.

the profile displayed in this article is an actual fake profile who tried to connect to one of our analysts. Busted!