Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

The Case of The Curious INSCOM Cyber Warrior Site: You’ve Been Phished Without An Email Or A PDF!


INSCOM Is Hiring A Cyber Brigade? You Don’t Say!

A tweet from @treadstone71 yesterday caught my eye and I decided to take a look at the link he had put out in it. The link purports to be for INSCOM, the Army Intelligence and Security Command’s, new Cyber Brigade.

Now, I am a bastard by nature as well as paranoid, so I decided to take a look at the site before making any kind of re-tweet about it. Often today people just pass things along without really taking a good look at what they are talking about or recommending to others. In this case, I am certainly glad my better nature (paranoia) took over. The site looks slick on the surface, but as soon as you take a jaundiced eye to it you see there are certain things wrong here.

Alas, not only was there a site but also a twitter account that had just been set up as well…

So it seems that someone is making a full-sized driftnet for information on those who would like to sign up for, as well as discuss, the INSCOM Cyber Brigade. On the surface, like I said, this looks all well and good, but once you start to poke at it you get some strange answers. But for those who don’t take a closer look, WOO HOO, they too can maybe get some details about how THEY CAN BE AN ARMY OF ONE.. A Cyber Army of one, that is. With all of the hoopla that jester is trying to stir up about his being a “patriot hacker”, people on the right wing, and the stupid, have been flocking to his side and to the idea that a Cyber Brigade is needed in this country. You know, like the ones that China has?

Yes, this has been the talk for a while; in fact, it pre-dates jester’s showing up, and I suspect it has something to do with it too. A Cyber Brigade (or Brigades) out there to protect us all from calamity on the internets. Using their hi-tech skills, they will pre-pwn the Chinese, or Anonymous, and protect us all like John McClane in those horrid “Die Hard” movies. I can hear the jingoism in the air now and it hurts my ears as well as my frontal lobes.

As we spin out of control planning another war in Asia, the morons abound in just blindly supporting initiatives like the one this site purports to be.. And it scares me to think just how many people filled out their information on this site to get more information about becoming a “Cyber Warrior”.

Uh Wait.. Why Is The Site on Godaddy AND It’s Hosted in Sweden?

Once you take a good look at the site, you notice, if you bother to look, that the domain was set up in February and that it is in fact hosted by an anonymous proxy company that located the server in Sweden.

*blink blink*

That’s right kids. This site is not hosted on a .mil domain at all, nor does it seem to be controlled or created by INSCOM or the military in any way. Initial contact with the mil boys has drawn unofficial responses of “uh what?” So the reality is that this site is not what it says it is.

So what do we have so far..

  • A site looking for you to fill out information
  • A site looking for your information that is hosted in Sweden
  • A site that the INSCOM folks don’t seem to know about in initial contacts
  • Skulduggery

It seems pretty evident to me that, as Admiral Ackbar says, “It’s a TRAP!” Can you say Phishing, or at the very least “cutout”? I think you can. Time will tell once I hear back from the .mil guys, but really, do you all think the military would host their INSCOM Cyber Brigade site in Sweden? Do you further think they would want to be hosting a site taking the future “cyber brigadiers’” information there as well?

Hint.. If you said yes, you are doing it wrong… Time to get out of security.

Also, if I find out that the military did indeed set this site up in Sweden… Well.. There you go, I am moving to the bomb shelter ASAP. Some OPSEC there huh?

OPSEC and SITUATIONAL AWARENESS

So many times I have railed about OPSEC and Situational Awareness on here, but it seems some just don’t pay attention. As military, government, or INFOSEC workers should know, you have to pay attention to what you are doing and what is happening around you at all times. In the case of this site, it seems to be out there to gather intelligence about those who would like to join such an outfit. Your details could be anything from where you are coming from in the logs (site visits) to actually handing over your email address, postal address, name, skill sets, etc.. Or hell, just a CV out of you! Think about it, they don’t have to go through LinkedIn here! They just suck up the info that YOU give to them!

Easy peezy.

It would seem from the people who are already following the twitter acct that some of you may already be looking at this site askance, or you bought it hook, line and sinker. One follower in particular has CIA and other intelligence community groups written all over her profile. To me that says either she is INCREDIBLY stupid or it’s a cutout acct to further fool others into following the acct and lending credence to the site itself for those who aren’t smart enough to think critically.

Flies To Corpse Flowers

So, as this site is still up, the flies will congregate to the cyber corpse flower. I wonder how many have already put their info in there… Actually it kinda reminds me of Project Viglio (Vigilo, misspelled by the morons designing the logo). Remember that one, post-Defcon a couple of years back? Yeah, bullshit sites and calls to action by who knows who. People fall for stupid shit all the time and this is what the likes of China really want to have continue.

Yep, I said it.. China.

Oh no, there I go again.. Well, yes, China, or maybe in this case Wikileaks? Or perhaps Anonymous? This site is fairly well put together on the surface so as to fool people, but this is a common tactic out there. Put up a nice site and start harvesting data. In this case, who would benefit from such a program? Who would want this data? Personally I think China would love to have the cyber warriors of the “future” already marked to watch, no? This however is anyone’s guess at present, but I had to put it out there.

In the end, this is a cautionary tale for you all out there. Pay attention to what you are re-tweeting and signing up for.

K.

CORRECTION: The server is not in fact located in Sweden; it is instead in Scottsdale, AZ.

The server location does not change the issue at hand though. The site is a recently registered site that wants to take your information insecurely on a notoriously insecure hosting company’s servers. I am still waiting on INSCOM’s response from their publicity office on this, but all of this has the hallmarks of being hinky, and anyone in the INFOSEC world should have their ears pricked at seeing this.
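The checks the post walks through (a non-.mil host for a site claiming a .mil organisation, a domain registered only weeks ago, a registrant hidden behind a proxy service, and a sign-up form with no SSL) can be mechanised. This is an added example, not the author’s own tooling; the WHOIS record it parses is constructed with placeholder values and is not the real registration data of the site discussed.

```python
# Red flags from the post, checked against a site claiming to belong to a .mil organisation:
# non-.mil host, no TLS, fresh domain, privacy-proxy registrant. Added example; WHOIS below is constructed.
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample: common registrar key/value layout, placeholder values only,
# NOT the real registration data of the site discussed in the post.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CYBER-BRIGADE.COM
Registrar: GoDaddy.com, LLC
Creation Date: 2012-02-20T15:04:12Z
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Name Server: NS01.EXAMPLE-HOSTING.NET
"""

# Strings commonly seen in registrant fields when a privacy/proxy service masks the owner.
PRIVACY_MARKERS = ("domains by proxy", "whoisguard", "registration private", "privacy")

def parse_whois(text):
    """Collapse 'Key: value' lines into a dict (keys lower-cased, first occurrence wins)."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if m:
            rec.setdefault(m.group(1).strip().lower(), m.group(2))
    return rec

def triage(url, whois_text, today_iso, claimed_tld=".mil", max_age_days=90):
    """Return the red flags raised for the site; an empty list means nothing stood out."""
    today = date.fromisoformat(today_iso)
    rec = parse_whois(whois_text)
    parsed = urlparse(url)
    host = parsed.hostname or ""
    flags = []
    if not host.endswith(claimed_tld):
        flags.append(f"claims a {claimed_tld} organisation but is served from {host}")
    if parsed.scheme != "https":
        flags.append("sign-up form is served without TLS")
    created = rec.get("creation date")
    age = (today - date.fromisoformat(created[:10])).days if created else None
    if age is None:
        flags.append("WHOIS has no creation date")
    elif age < max_age_days:
        flags.append(f"domain registered only {age} days ago")
    owner = " ".join(rec.get(k, "") for k in ("registrant name", "registrant organization")).lower()
    if any(marker in owner for marker in PRIVACY_MARKERS):
        flags.append("registrant hidden behind a privacy proxy")
    return flags
```

Run against the constructed record with the post’s date, `triage("http://example-cyber-brigade.com/apply", SAMPLE_WHOIS, "2012-03-12")` raises all four flags; a long-registered HTTPS site on a .mil host with a named registrant raises none.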

Now, the companies listed are real, but this does not mean to me that they are involved or that they created the site. Remember that the site was registered under a proxy service, so who’s to know whose site it really is.

Time will tell, and INSCOM will respond.

K.

FOLLOW UP: So, the site is legitimate, though the source at INSCOM cannot fathom why they would be using Godaddy with an anon registry AND no SSL. As the email says, it’s sad but true. Sadder still is the reaction from Jeff Bardin about the whole thing (namely, being childish).

—–Original Message—–
From: XXXXXXXX CPT MIL USA USINSCOM
[mailto:XXXXXXXXX]
Sent: Tuesday, March 13, 2012 9:47 AM
To: XXXXXXXXXX
Subject: RE: Phishing Site for INSCOM? (UNCLASSIFIED)

Mr. XXXXXX,

Well, the site is legitimate. I just got an email verifying it is being used
to recruit new civilian talent into the INSCOM Cyber Brigade. Why they are
using that system, I have no idea. Sad, but I guess that’s the way the Army
is going. Regardless, I appreciate your attention and concern to such
matters. Thank you.

XXXXXXXXX

So let’s recap: a site, registered under an anonymous proxy account, was taking names and information in an insecure manner for jobs potentially at NSA for INSCOM. Anyone in this business should look at such a site and question it frankly, never mind just re-tweet it out. As well, the Twitter account seemed hokey just like the site, so this also makes one wonder about the site and the twitter account. Given recent events with the NATO Facebook thing, you would think the question needs to be asked.

… And as the INSCOM guy says, he isn’t sure why they are doing it the way they are, and he seems incredulous.

There you have it.

Pay attention to things and actually take the time to read what I am saying *looking at you Bardin*

K.

Written by Krypt3ia

2012/03/12 at 18:37

Posted in .gov, .mil, China, CUTOUTS, Phishing

10 Responses


  1. Someone clearly has a sense of humor, since Treadstone71 was the shadow organization that employed Jason Bourne.

    If that doesn’t trigger suspicion, I don’t know what will.

    John Nicholson

    2012/03/12 at 18:59

  2. Actually, it was an event to interview for the INSCOM Cyber Brigade, with a legitimate company who is directly tied to the contract. If you have any questions, there is an email for you to respond to….

    Ken Fuller

    2012/03/12 at 20:47

  3. Pre-Dating Robin Sage, Shawn Moyer and Nathan Hamiel did this same type of attack on LinkedIn and gained some success.

    http://www.eweek.com/c/a/Security/Securing-Social-Networks-From-Facebook-to-MySpace-to-LinkedIn/

    This was reported in a timely manner to avoid Negative Fallout. A Full Blown Authentic to the average eye would have a much worse fallout.

    My 2 Cents!

    Tom Ryan

    2012/03/12 at 21:23

  4. Might want to check your LSD at the door https://www.infosecisland.com/blogview/20682-Youve-Been-Phished-Without-An-Email-Or-A-PDF.html

    Check the comments out on this site – What does crow taste like?

    Jeff Bardin

    2012/03/12 at 23:34

  5. Jeff, you are over reacting and it reflects poorly only on you. I brought up valid concerns over a site that was anonymously registered. I corrected the info on where the server was physically located but that does not change the fact that the site looks funky. INSCOM has yet to respond formally but the initial response I got was they did not know about the site. Go take your bruised ego elsewhere.

    Krypt3ia

    2012/03/13 at 13:54

  6. Poorly executed, INSCOM. FAIL FAIL FAIL.

    Teri Centner

    2012/03/13 at 16:06

  7. Great article. If you allow me, I would like to use it as an example for my lessons on checking websites. Unfortunately a lot of my students still look at what a website looks like and not at the URL (as a starter), let alone do a WHOIS check.

    Geert

    2012/03/13 at 19:48

  8. Geert, go right ahead.

    Krypt3ia

    2012/03/13 at 20:01

  9. I am going to go with it is not a gov-run website. This site is being hosted by MBA Consulting Services, INC; this is reflected here: http://www.mbacsi.com/applicant_portal2/

    Also ATSC was awarded the primary contract for staffing, where MBA Consulting Services was subcontracted to fulfill this requirement.
    http://www.atsc.com/documents/press-releases/20110329-atsc-new-contract-award-INSCOM.cfm

    So I am going to go out on a limb here and say it is strictly a recruiting effort by the contracted companies to provide employment for this contract.

    Hence why they do not adhere to DoD policies for government websites and personal information.

    Just my 2 cents

    Coy Roberts

    2012/03/13 at 20:37

  10. Coy,
    Thanks for the comment, it has already been proved out to be in fact a legit site (see update at bottom); the email from INSCOM pretty much said it all though. They had no idea it was being run this way and that it was a “sad” way to go about it.
    Cheers,
    S

    Krypt3ia

    2012/03/14 at 12:37

