Posts

Leveraging Legitimate Services for Malware and Phishing

Legitimate third-party Platform-as-a-Service (PaaS) providers are increasingly being leveraged by threat actors for phishing and malware deployment. PaaS providers such as cloud instances, marketing platforms, content delivery networks (CDN), and dynamic DNS servers have been weaponised for a range of malicious activities. One of the key benefits for attackers is that these services can be used to evade detection systems: because they are trusted and see heavy legitimate usage, they are far less likely to be pre-emptively blocked. Many of these malware and phishing campaigns also combine several platforms at once, which makes the activity particularly difficult for human analysts and automated systems to identify as malicious. The research in this blog details how cybercriminals leverage these systems as credential harvesting pages, payload hosting sites, redirector links, C&C servers, "dead drop resolvers", and for data exfiltration.

Analysis of the latest PayPal phishing attacks

As far as brands that get impersonated a lot, PayPal has got to be in the Top 5 or Top 3 globally. Between August and October, I personally received 19 PayPal credential phishing page links and my crud email provider (not Gmail or Outlook) didn't block them, so they've been landing in my inbox. So I took a look at them, natch. I examined various phishing attempts that appear to be sent in a similar manner to my personal email, which, for the record, has only appeared in one small breach in 2017, according to Have I Been Pwned. One phishing kit stood out and forced my hand into blogging about it. It consisted of 11 parts, including the phishing email itself and the initial landing page, followed by several pages to harvest credit card and billing information and bank account details, and finally the bit that I'd not personally seen before (but I doubt is that new): it asked me to "Upload your identity". The amount of personal data this phishing kit is harvest

Ransomware Decryption Intelligence

Ransomware continues to be the most profitable method of monetising unauthorised access to compromised networks. It is the biggest threat to private and public sector organisations, large and small. In the last three years, we have seen hundreds of hospitals hit by ransomware, as well as other critical infrastructure sector organisations, such as Colonial Pipeline or JBS Foods. Slowing the ransomware epidemic requires a multi-pronged approach. This includes arrests, action against illicit cryptocurrency transactions, sanctions, and, the topic of this blog, decryption. By reverse engineering the encryption implementation used by a ransomware variant, researchers can exploit a cryptographic flaw to decrypt the files it has encrypted. This makes it possible to recover files without paying a ransom for the decryption keys. When the ransomware group eventually realises, or learns via public reports, that their ransomware is fundamentally flawed, they often either abandon it, fix the flaw

OSINT blog: Reunion in Scotland

The Beer Farmers recently issued a geo-location OSINT challenge with a mystery prize for the first person to find them. Under time pressure, I put my OSINT skills to the test to see how difficult it would be to find them. Some Saturday fun. Where are @SeanWrightSec and @AppSecBloke in this photo? First to get it right wins something. @netsecfocus knows what it's like to win a prize from us. #HereForYou pic.twitter.com/L5HiKGAF8X — The Beer Farmers (@TheBeerFarmers) September 11, 2021 I examined the image closely, looking for any clues. The first thing I think everyone would have immediately noticed was the large Greek-style columns behind Mike and Sean. These would come in handy later when roaming the streets on Google Maps. The second thing I noticed was a backwards JD Sports logo (a high-street clothing brand in the UK). I therefore realised the image had been flipped horizontally, so I flipped it back. The task was then to locate which JD Sports this was going to be. Judgin

How Do You Run A Cybercrime Gang?

Cybercrime has many forms, the most common of which is theft and fraud. Aspiring cybercriminals may begin with off-the-shelf malware or phishing kits and run amateur, but profitable, campaigns. Banking Trojans were the next step up: they intercept and manipulate connections during online banking sessions for exploitation and wire fraud. Several infamous groups that graduated from these campaigns went on to form organised crime syndicates and launch 'big game hunting' ransomware campaigns. Ransomware, in particular, has caused mass disruption on a national level and huge financial losses. This blog will explore three top-tier cybercrime syndicates which are tracked by the private cybersecurity industry as EvilCorp, WizardSpider, and FIN7. These threat actors are financially motivated cybercriminals whose campaigns have become a scourge to organisations and society at large, so much so that they are closely tracked by intelligence agencies and international law enforcement. Fi

Summer of Scammers: PancakeSwap cryptocurrency thieves

Cryptocurrency is experiencing a huge boom. With this explosion in popularity, and people getting rich quick, come the cybercriminals looking to exploit this new technology. Unfortunately, while there may be a large amount of money to be made from cryptocurrency, there are very few controls or regulations preventing scams. Unlike users of centralised financial services, such as banks, cryptocurrency users are only as protected as their own personal operational security (OPSEC). While there are long guides on OPSEC for cryptocurrency users, many new users are lacking here and do not use a strong password or two-factor authentication (2FA). This makes them sitting ducks for cybercriminals. This blog will detail how users of a relatively new platform, PancakeSwap, are being heavily targeted. In their own words, "PancakeSwap is the leading decentralized exchange on Binance Smart Chain, with the highest trading volumes in the market". Despite its comical name, PancakeSwap is no j