WhatsHack: WhatsApp in Cyberspace

WhatsApp Messenger is an instant messaging subscription service. In addition to text messaging, users can send each other images, video and audio media messages, as well as location data. As of September 2014, WhatsApp is the most popular global messaging app, with 600 million users. Aside from regular users, more underground communities like to use this application. WhatsApp activity is more complicated to monitor by a third party than regular phone messages and some online services. WhatsApp has proven to be a fast, reliable and inexpensive service for sharing various kinds of information.

The cyber underground is also seeking new platforms for chatting and sharing information. Lately, we have identified an increasing number of hacker-affiliated groups using WhatsApp services. These groups offer members chat services, hacking tips, cyberattack coordination and more. Members from numerous countries, including Bangladesh, Pakistan, Indonesia and others, expose their phone numbers to connect to such groups.

Facebook hacktivist post
Facebook hacktivist post

There are several manuals describing how to access other WhatsApp accounts. One post shared two different methodologies to do just that: spoofing with the help of Mac number, and using spy software. This post received over 738,000 views over a two-week period.

WhatsApp hacking guide
WhatsApp hacking guide

In addition to spy methodology, you can find various tools, such as WhatsApp Hack Spy Tool, WhatsAppSniffer, WhatsApp Xtract, WhatsApp Conversation SPY Hack Tool and more. You can also use third party spyware. These tools can be used for Android, iPhone and BlackBerry devices. Tools provide such features as tracking all voice notes, viewing all user chat logs, updating profile pictures, sending messages to contacts, changing profile status and more, depending on the tool.

WhatsApp hacking tools
WhatsApp hacking tools

The dissemination of such tools is becoming common also on social networks, such as Facebook, Twitter and LinkedIn. A Facebook page titled “WhatsApp Hack Spy Tool” has 390 members, mostly from India, Italy, France and the U.S. This page also has a related Twitter account with more than 3,500 followers. Another Facebook page titled “WhatsApp Hack Sniffer Spy Tool” has over 13,500 members, mostly from Turkey and India. Furthermore, advertisement for the tool can also be found on LinkedIn.

LinkedIn advertisement for the tool
LinkedIn advertisement for the tool

In addition to the free tools, you can purchase more unique software, such as a tool for hacking WhatsApp, only ten copies of which were released for sale on the DarkNet for 0.0305 BTC.

The tool is sold on the DarkNet
The tool is sold on the DarkNet

The use of WhatsApp by hacktivist communities, together with the development of hacking tools and methodologies, has opened up a new platform for the cyber community. These two directions provide a fast, inexpensive and more secure way for hacktivists to interact, coordinate operations, and exchange information and mobile hacking techniques and data vulnerabilities.

How to Spot a Fake LinkedIn Profile in 60 Seconds?

LinkedIn is a terrific platform to cultivate business connections. It is also rife with fraud and deceit. Fraudsters use as a social engineering tool which allows them to connect to professionals, trying to lure them into disclosing their real contact details (work email is the best) and then use this email address to send spam, or worse, deliver malware.
Always check the profile before accepting an invitation, and do so via the LinkedIn message mechanism and not viaemail (fake invitation emails can cause much more harm than fake profiles – see our previous post).

So we have established that it is imperative to be able to identify a fake profile when someone invites you to connect on LinkedIn. But how would you do that? Follow our proprietary (just made up) CID protocol! CID stands for – Connections, Image and Details. By following it, you will be able to spot most fakes in 60 seconds or less. For more elaborate fraud attempts, it will be much longer or maybe even impossible for the non- professional to identify. We will discuss these later.

Connections – while you can fabricate any “fact” on your profile, connections cannot be faked; they have to be “real” LinkedIn users who have agreed to connect with you. So unless the fraudster is willing to create 100 other fake profiles, and connect these with the fake persona he is trying to solidify (something that takes a lot of time and effort to do, and something I hope the LinkedIn algorithm will pick up), the only way for him to have 100 connections is to connect to 100 LinkedIn users. So if you see someone with a puny number of connections, you can start to be more suspicious. So, connections number check – 5 seconds. Moving on.

low connections
Very few connections

Image – by now most people creating a LinkedIn profile realize that it is in their best interest to include a real image of themselves, and usually a professionally looking one (either taken by a professional or in professional attire). So no image or an obscure one is kind of suspicious. Also, any too good-looking images should ring an alarm bell. Since it is almost certain that the fraudster will not use his/hers own image (by that they will make the profile real to a certain extent), they will most likely search for a nice photo to post online. How can you tell if the image they have used is taken from someplace else? There are dedicated websites for reverse image searching, but since we are under serious time constraints here, why not simply right-click the image and ask Google to check the source? Very quickly it will find a compatible image and you can match the profile image to an existing stock image. Another 25 seconds gone. Say these two tests were insufficient and you are still not sure? Check the Details.

image search

Starting Google image search

image search results
Image search results

Details – people know that the more detailed their profile is, the better. Profiles lacking education or occupation details are very unreliable, along with these are any severe discrepancies: How could this guy study at Yale and serve overseas at the same time? lack of skills, recommendations and endorsements are not in favor of any real profile. Taking another 30 seconds of your precious time, you should by now be able to spot a fake profile.
Sure, someone just starting on LinkedIn might have fit our CID protocol while actually just launching his LinkedIn profile, and therefore has few connections. If you know this guy, go ahead and connect. If you do not, it is best to wait until the profile seems more robust.
It is very important to note that accepting the invitation to connect by itself (given it was delivered via a LinkedIn message mechanism or clicked on the user profile) does not create any damage, but it establishes a link between you and a fraudster, which can later be utilized as an attack vector.

Oh, and if you have 30 more seconds, why not do everyone a favor and report the fraudster? LinkedIn allows you to report suspicious profiles for review.

Report profile
Report profile

Simply click the “Block or Report” option, fill the short form and there you go.

Report the profile for review by LinkedIn
Report the profile for review by LinkedIn

P.S.

the profile displayed in this article is an actual fake profile who tried to connect to one of our analysts. Busted!

The “Total Sting” – 419 Scam Evolved

Have you ever received a suspicious looking email, urging you to send money or provide your banking account details to someone you don’t know? Sure you have.

This is one of the Internet’s most common scams, and it has many names – “Phishing”, “advanced fee fraud”, “Nigerian sting” or 419 Scam (this name refers to the article of the Nigerian Criminal Code dealing with fraud).

The logic is simple – send numerous phishing emails, and you can expect that at least some people will be gullible enough to provide you with money or banking details. When you send millions of emails even a meagre return percentage is enough to generate hefty sums. But there’s a catch – most people are by now aware of this and are reluctant to reply or even open emails which do not appear to have been sent from a known acquaintance or organization. So 419 scammers have to evolve in order to survive. One way of doing so is utilizing social networks, and especially LinkedIn, since people tend to see it as a professional network and trust information and requests to connect which originate there.

Enter the “Total Sting”.

Image
An open position as Senior Project Manager at Total Oil as published on LinkedIn

The story is simple yet entails great sophistication and creativity. As a LinkedIn member you one day notice a lucrative job opening – Total oil, one of the leading oil and gas companies are looking to opening new offices at your country and are recruiting a senior project manager.

You submit your application via LinkedIn and a few days later you receive a formal looking email from Gérard Lamarche at Total HR Dept. (even the email address looks legit: apply@totalconsult.int.tf). Out of curiosity you check who this gentlemen is and find that he is a director at Total (http://total.com/en/media/news/press-releases/20120116-appointment-gerard-lamarche-director-total-sareplacing-thierry-rudder).

Image
The Invitation Letter (allegedly) received from Total Oil

Now comes the fun part. The email includes three attachments. Since you know that this is a reply email to a submission you’ve sent you don’t hesitate to open these PDF files. There’s a very attractive job description document, an officially looking invitation for an interview in London and another letter describing the technicalities of the interview. You are cordially invited to come to London and interview for the lucrative job at Total Recruitment offices, Human Resources department, TOTAL UK Limited, 40 Clarendon Road, Watford, Hertfordshire WD17 1TQ.

Out of curiosity you Google the address and find that this is indeed the official address of Total in the UK. There’s only one catch – you need to make the travel arrangements through a specific agency (but don’t worry, you will be reimbursed upon arrival). The contact person’s name is Dr. Kenneth Cole (hmmm) and the travel agency name is Belair travel and tours (located at Air Malta House, 314-316 Upper Richmond Rd, London SW1). Now things are looking a little more suspicious.

Image
A letter requesting to arrange travel through a designated travel agency

You decide to look more carefully into this. You phone the number but there is no answer. You check the website of the company, located in east Kensington, London, and find that they are using completely different phone numbers. ( http://www.belleair.co.uk/contactbelleair).

You search a little more on the web and immediate see that this is indeed a scam. (http://www.419baiter.com/_scam_emails/01-08/419_emails_total-oil-company-job-scam.html).

So you were just one of many lured into a simple phishing scam? Not quite.

This is an evolution of the classic 419, and this is why: the perpetrators of this specific scam have done almost everything possible to overcome the identifiable pitfalls of Phishing emails.

This scam is reactive, it is targeted at specific audience, it is officially looking and does not ask directly for money or details in advanced. Someone had to create a fake company profile on LinkedIn, post an authentically looking position, receive and read emails, fabricate authentically looking documents (complete with logo and an actual executive name), enter the job seeker name into the documents title and send it all back. And since this is a reply to an email/job submission the recipient is much more likely to open and perhaps respond. The logical evolution to this scam is that the scammers will create a false website (which will appear completely real) and let you submit your details there, making this fraud almost perfect.

I would like to Thank Itay and Tanya who shared this with me and assisted me in describing this in detail.

P.S. we checked and the PDF files were not weaponized (i.e. carrying Malware). had they been, this would have been a Spear-phishing campaign and a darn good one too.

P.s. 2. if you ever notice this type of scam please notify the good people of LinkedIn at phishing@linkedin.com (we have).

How to Avoid Phishing Scams Using LinkedIn Invitations?

Image

Hi! As a well-connected individual (with well over a thousand connections on LinkedIn) who receives invitations to connect on a daily basis, I wasn’t surprised to learn that Websense Security Labs researchers found that the most successful headline for a phishing campaign is “Invitation to connect on LinkedIn”.

(http://community.websense.com/blogs/websense-insights/archive/2013/12/10/new-phishing-research-5-most-dangerous-email-subjects-top-10-hosting-countries.aspx)

The reason for this being so popular (which it must be according to its success rates) is because unlike emails received from banks and credit card companies, social media messages (and especially LinkedIn, which is a respectable network of professionals) are not perceived as as source-threatening content.

So you receive a legitimate looking LinkedIn invitation email, something like the email below:

Image

All the obvious signs (funky looking email address, funky name, broken English) are absent. Until today, one would simply click the “View Profile” link or “Accept” button. Now we know that these are potentially phishing messages and we need to take better precautions. So what can we do to identify if this is a legitimate request? Simply hover with the mouse over the “View Profile” link or “Accept” button to see the actual link address. If the link is different to http://www.linkedin.com, then you should not click it.

Image

Another method for identifying if this is indeed a scam is to open your LinkedIn account from your browser (or phone app) and check your Inbox for invitations. If the same message does not appear there it must surely be a scam. Once you have established this is SPAM, you can mark this as SPAM in your outlook.