Analysing a Phishing C&C server

I recently uncovered a phishing command and control (C&C) Simple Mail Transfer Protocol (SMTP) server hosted on the same page that the kit was deployed on. Surprise surprise, they were targeting PayPal.

The Leaf PHP Mailer: The phishing page has all the features you would largely expect to see in a phishing C&C. The main feature the attackers require is a way to send out hundreds, if not thousands, of fake emails masquerading as a service such as PayPal to a long list of target email addresses. Other features the Leaf PHP Mailer offers include adding HTML code to the phishing email.

Blacklist checker: The blacklist checker enables the phisher to check whether their host is blocked by spam lists and to keep a record of how likely their phishing emails are to land in inboxes. Once an IP address appears on too many lists, the operator can move to a new host and start the process again.

The CAPTCHA: Nowadays, a large number of credential harvesting phishing pages leve…

OSINT Challenge: Key West

One way to improve your OSINT skills is to practice. Practice makes perfect as they say. #OSINT challenge. Find the exact coordinates of this webcam in Key West, Florida.

RT for reach— Jake Creps (@jakecreps) September 10, 2020

Thanks @JakeCreps, I'll take it from here. Let's start by visiting the stream, the initial piece of intelligence provided:
I immediately noticed the "CIDBW0008" and it looks like a possible address or unique identifier to me.
A quick search of "CIDBW0008" brought me to:
Clicking on one of these links brought me to a Facebook page that also shares this live video feed, giving us a new location "Galleon Marina":
I then searched up "Galleon Marina":
This location lines up with the location given in the title of the initial YouTube stream. I then searched 'Front Street' from the title:
By scanning around on Google Street Maps, I was able to find the two buildings present in the stream:
We have a confi…

Intelligence & Analysis report: Attacks leveraging the Cloud

“The cloud is not a physical entity, but instead is a vast network of remote servers around the globe which are linked together and meant to operate as a single ecosystem. These servers are designed to either store and manage data, run applications or deliver content or a service such as streaming videos, web email, office productivity software or social media.” - Microsoft Azure

Cloud services are increasingly being leveraged by cybercriminals and advanced persistent threat groups in attack campaigns. These cloud services include consumer accounts for OneDrive, Google Drive, Dropbox, compromised SharePoint and G Suite accounts, as well as the Discord CDN. They are used to host malicious files, phishing pages, redirector links and other parts of attack campaigns. These services are often used for legitimate business operations and are regarded as safe by default by most detection systems. Any threat actor can use these services for free or could compromise existing user accounts.

The most common…

Fantastic APTs and Where to Find Them

Sophisticated computer security breaches in some of the most heavily defended networks around the world have been orchestrated by so-called Advanced Persistent Threat (APT) groups. Many of these APTs operate on behalf of a nation state's intelligence agency or military. They can even be private sector hacking groups, hired for specific operations. An APT group specialises in gaining access, maintaining it, and executing post-exploitation activities while remaining undiscovered. There are also many types of APT attack campaigns. These can include, but are not limited to, intelligence gathering operations, intellectual property theft, sabotage and data destruction, and exploitation for financial gain.

Intelligence gathering, cyber-espionage

One such APT that exemplifies this type of behaviour is known as the Naikon APT group. In May 2020, Check Point disclosed new evidence of an ongoing cyber-espionage campaign against several national government entities in the Asia Pacific (APAC) region.…

Analysis of a recent Magecart campaign

On 13 March, SanSec disclosed a new Magecart domain used to host malicious JavaScript (.js) files that collect credit card information from ecommerce site checkout pages. The site (jquerycdn[.]at) that hosted the scripts was present on at least 299 different victim stores. The most commonly attacked platform is the Magento 1 ecommerce platform. Notably, support for Magento 1 ended on 30 June 2020, meaning that it will no longer receive security updates.

How does the web skimmer work?

“Web skimmers are loaded on the checkout page of a typical store. It lives in the browser of an unsuspecting online customer. Whenever he or she enters her payment information, the private data is siphoned off to an offshore server. Usually, this data is then sold on the dark web within 2-10 weeks.” - SanSec.

In this blog, I analysed the JavaScript skimmers connected to jquerycdn[.]at in an ongoing campaign:


My first year in Cyber Threat Intelligence

As of 1 August, I have been working in the cyber threat intelligence industry for one whole year. It has been a steep, but rewarding, learning curve that gives as much back as you put into it.
In 2016, I started university doing a cybersecurity-specific course, as I had known it was what I wanted to do since I was about 15 years old. I graduated in 2019 with a 2:1 in BSc (Hons) Computer and Information Security. Within three weeks of finishing my course, I was offered a job in July and started in August. It could not have been better.
It was not until the end of my course that I began to learn about threat intelligence and emerging threats in an interesting module that educated us about 0day vulnerabilities and the darknet. Initially, I wanted to be a penetration tester (like most students on my course), but I was only just about able to make it through the labs on Kali and Metasploit through hard work and frustration. This put me off and made me look elsewhere into other areas of security w…