Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)

While monitoring closed platforms that propagate an Islamic State agenda, we detected an initial interest in hacking lessons, focusing on spam and phishing methods. Many discussions in the technical sections of closed platforms affiliated with the Islamic State deal with the implementation of Continue reading “Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)”

Another Phish in the Sea

The rise in scamming campaigns has become a focal issue for the InfoSec world in recent years. More and more attacks have been targeting everyone from large corporates, by using specific techniques “tailored” for the target, to simple users, by spreading it to anyone available. The platforms from which the malware is spread vary from standard email messages and social networks to more complicated SMS scams.

We will attempt to describe herein the basic steps to take to determine if a suspicious email, text message or Facebook post is actually malicious – in order to stay safe from falling victim, while still being able to keep up with the latest 9GAG spam.

Source Identity

When receiving a new email or text message, check who the sender is. If the message comes from an unknown person – a source you are not expecting contact from or a strange looking email name – do not open it! Browsing social networks like Twitter can also lead you to malicious actors that will try to lure innocents and curious people.

One such example is a reservation email scam that “accidentally” sends a room reservation email to you instead of the hotel manager. The email has an attachment, purportedly containing a list of special requirements for the guests, which turns out to be a malicious element that downloads additional executable malware.

Another Phish in the Sea_1

Content

We have all heard the joke about receiving a scam email from a Nigerian prince, where the victim is asked to provide their bank account details in order to receive a large sum of money, but reality is not so far off. Attackers use sophisticated techniques to capture your attention, be it by intimidation, exploiting the latest trending topic or informing you of a transaction.

The recent iCloud hacking leak scandal has been a hot topic on the Internet, and the phishing attacks soon followed. The tweet, which tries to grab your attention by sharing a link to the alleged nude video of Jennifer Laurence, redirects visitors to a download page for a video converter. Of course, the downloaded file turned out to be adware, not to mention the fact that it forces its victims to share the malicious site on their Facebook profiles.

Another Phish in the Sea_2

Grammar

I believe that the easiest way to observe that something about a message of any kind is wrong is bad grammar. Foreign scammers who are not fluent in target audience languages encounter a barrier that they try to bypass by using online translators or just trying their luck at translating the message on their own. A poorly written letter from a formal organization or a shifty looking website should definitely raise a red flag.

Another Phish in the Sea_3

Links

Apart from the content itself, the message might also contain links. The URL that appears in the text might seem legitimate, but it is important to get a closer look at the domain name, in addition to ‘hovering’ over the link with a mouse to see if the actual web address is compatible with the one presented to you (for other fake-link-finding techniques, see our previous post).

Let’s say you received an email from the human resources department in your company – Sounds like a legitimate item to open. But what if it contains a link to download CryptoWall ransomware? In this particular situation, it is very difficult to distinguish whether this is phishing scam, but by taking a closer look at the shared link, you can notice if it redirects you to a gaming website and forces you to download a suspicious ZIP file that contains the malware.

Another Phish in the Sea_4

Attachments

Some scammers direct you to open files attached to their message. They might appear legitimate because they are Word or ZIP files, but they end up being disguised malware. Be aware of attachments you are not expecting to receive, especially executable files like .EXE, .PIF, .JAR, .BAT and .REG.

Curiosity killed the cat, and apparently also some people’s computers. An innocent-looking email suggesting that you view someone’s new photo contains an attachment called photo.zip, which unfortunately does not contain an attractive person’s selfie, but rather a Zbot Trojan.

And just like the old Japanese saying goes “Attack a man with a phish and you’ll scam him for a day; Teach a man to phish and you keep him safe for a lifetime.”

Another Phish in the Sea_5

How to Spot a Fake LinkedIn Profile in 60 Seconds?

LinkedIn is a terrific platform to cultivate business connections. It is also rife with fraud and deceit. Fraudsters use as a social engineering tool which allows them to connect to professionals, trying to lure them into disclosing their real contact details (work email is the best) and then use this email address to send spam, or worse, deliver malware.
Always check the profile before accepting an invitation, and do so via the LinkedIn message mechanism and not viaemail (fake invitation emails can cause much more harm than fake profiles – see our previous post).

So we have established that it is imperative to be able to identify a fake profile when someone invites you to connect on LinkedIn. But how would you do that? Follow our proprietary (just made up) CID protocol! CID stands for – Connections, Image and Details. By following it, you will be able to spot most fakes in 60 seconds or less. For more elaborate fraud attempts, it will be much longer or maybe even impossible for the non- professional to identify. We will discuss these later.

Connections – while you can fabricate any “fact” on your profile, connections cannot be faked; they have to be “real” LinkedIn users who have agreed to connect with you. So unless the fraudster is willing to create 100 other fake profiles, and connect these with the fake persona he is trying to solidify (something that takes a lot of time and effort to do, and something I hope the LinkedIn algorithm will pick up), the only way for him to have 100 connections is to connect to 100 LinkedIn users. So if you see someone with a puny number of connections, you can start to be more suspicious. So, connections number check – 5 seconds. Moving on.

low connections
Very few connections

Image – by now most people creating a LinkedIn profile realize that it is in their best interest to include a real image of themselves, and usually a professionally looking one (either taken by a professional or in professional attire). So no image or an obscure one is kind of suspicious. Also, any too good-looking images should ring an alarm bell. Since it is almost certain that the fraudster will not use his/hers own image (by that they will make the profile real to a certain extent), they will most likely search for a nice photo to post online. How can you tell if the image they have used is taken from someplace else? There are dedicated websites for reverse image searching, but since we are under serious time constraints here, why not simply right-click the image and ask Google to check the source? Very quickly it will find a compatible image and you can match the profile image to an existing stock image. Another 25 seconds gone. Say these two tests were insufficient and you are still not sure? Check the Details.

image search

Starting Google image search

image search results
Image search results

Details – people know that the more detailed their profile is, the better. Profiles lacking education or occupation details are very unreliable, along with these are any severe discrepancies: How could this guy study at Yale and serve overseas at the same time? lack of skills, recommendations and endorsements are not in favor of any real profile. Taking another 30 seconds of your precious time, you should by now be able to spot a fake profile.
Sure, someone just starting on LinkedIn might have fit our CID protocol while actually just launching his LinkedIn profile, and therefore has few connections. If you know this guy, go ahead and connect. If you do not, it is best to wait until the profile seems more robust.
It is very important to note that accepting the invitation to connect by itself (given it was delivered via a LinkedIn message mechanism or clicked on the user profile) does not create any damage, but it establishes a link between you and a fraudster, which can later be utilized as an attack vector.

Oh, and if you have 30 more seconds, why not do everyone a favor and report the fraudster? LinkedIn allows you to report suspicious profiles for review.

Report profile
Report profile

Simply click the “Block or Report” option, fill the short form and there you go.

Report the profile for review by LinkedIn
Report the profile for review by LinkedIn

P.S.

the profile displayed in this article is an actual fake profile who tried to connect to one of our analysts. Busted!