Posts

Showing posts from April, 2021

Mo Money, Mo Magecart

Online shopping sites are prime targets for cybercriminals. Large sites can process vast quantities of personal information and payment data, making them a high-value reward if successfully hijacked. On 29 April, Malwarebytes Threat Intelligence shared a JavaScript web skimmer their team discovered on a compromised French Canadian online shoe store. The skimmer was injected into the online store's checkout page and used to siphon off payment data and billing info. Data entered into the site was exfiltrated to a domain in Russia. I pivoted off this domain and looked at what was hosted on the same IP with a similar naming convention. This led to uncovering multiple other domains used for web skimming. I mapped the domains on VirusTotal graph here: I then chucked these domains into URLscan and uncovered at least five other sites that have been compromised in these attacks: Some additional pivoting uncovered a skimmer masquerading as a Bing Analytics domain that was injected

OSINT blog: You Sunk My Battleship

Another pandemic Friday night in, another OSINT challenge to find a mate using GEOINT. In our Discord server we have a channel called 'opsec fail club' where, occasionally, someone will challenge others to geolocate them exactly. It's a fun thing to do when bored and good to practise and refine your OSINT skills. Starting point: Using the above image I was able to find where @BigLDP was located exactly. I began with checking for battleships in the US that were museums. I came across USS Intrepid - one of the most visited in the world: The ship @BigLDP was on was not USS Intrepid, however, but does still look like an Essex-class aircraft carrier. So I was on the right track. After going through the list of post-war rebuilds I found one that was a museum - USS Lexington aka CV-16 or "The Blue Ghost". I was able to find the directions and satellite images of USS Lexington and all I needed to do now was confirm @BigLDP's exact location. And in a few steps, it

Dead Drop Resolvers - Espionage Inspired C&C Communication

A “dead drop” is a well-known espionage tactic of passing items or information between two parties using secret locations. The two parties never meet and any sign of communication is concealed. This tactic is commonly used by intelligence officers to interact with their assets in the field, avoiding suspicious meetings and the risk of either party being caught talking to the other. For decades, intelligence agencies have used dead drops. Two infamous double agents from the CIA and FBI - Aldrich Ames and Robert Hanssen respectively - both used dead drops to supply information to their handlers from the Soviet Union. Cyber adversaries have also come to adapt this technique into their espionage campaigns. However, instead of a human source, state-backed computer network operations (CNOs) have leveraged legitimate services for covert communications or so-called “dead drop resolvers”. In October 2019, ESET Research disclosed a report on Operation Ghost Dukes which detailed the activities of an APT group kn