Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

LinkedIN: The APT Phisherman’s Friend

leave a comment »

screenshot-from-2016-10-28-14-36-24

I get some interesting requests for connection on LinkedIN. Some of these are just the rando security wonk or government type, others, well, they are much more targeted and potentially adversary activity looking for an opportunity to mine your connections or you for bits. In the case of the profile above, I believe this to be a fake account created by group looking to get into my links and perhaps someday send me some file that they hope I will click on. Now you all know me, I am an infamous bastard and I vet my connections most of the time so when this one came in all the bells started going off once I took a closer look at her bonafides.

The problem with her is that I cannot verify much of anything she claims in her bio. I looked her online and nothing. I looked up her company that she works for and all I got was a real estate company out of Florida not NYC as she claims to be located in. I then went on to inquire with the secret squirrels out there on the internets whether or not she had in fact worked for RAND. The responses I got back were that she had not worked for RAND, which sure, maybe she did and they could not locate an old email acct and just didn’t know her, but, there are no other remnants in the OSINT out there showing her to be an employee there at all.

screenshot-from-2016-10-28-14-38-05

screenshot-from-2016-10-28-14-38-22

Neither could I locate her current company solidly and the company that has the name is run by some guy alone so I am not thinking that that is a solid hit. I then cross referenced in searches on Google for “Harbor Capital LLC NYC” and all I get are names that are close to this but not the same. Once again nothing comes up here that validates this person, never mind the company itself. The alarm claxon is getting louder and louder here ain’t it? So I started the cross searches and yes there are “Elisabeth M Jones'” out there but no one specifically pops up as the definitive person I am looking for here.

screenshot-from-2016-10-28-14-57-20

screenshot-from-2016-10-28-15-00-46

Then I used the image search engines to see if I could catch the photo as being re-used. This woman looks kinda familiar, like I have seen her in something on TV but I cannot place it. Coincidentally neither can Tineye nor Google. Neither of these services gave me a solid hit on this image so either this is someone who is rarely photographed, or, this is someone who’s pic has never been hoovered and catalogued by the great Google machine.

screenshot-from-2016-10-28-14-39-01

screenshot-from-2016-10-28-15-12-27

Once again, here we are at a loss to show this person really exists. Nothing in these searches can lead me to believe this is anything but a cutout account looking to gain access to my connections and I on LinkedIN. Now some of you out there will likely say “Meh so what?” Well, this is what, this type of attack with social engineering is what I use against targets and many of you out there in the pen-testing arena do too. More so though, the APT types have been using LinkedIN for a long time to gain access to people and then send them malware or links to malware. China has been very good at this for a long time. Iran was doing this a few years ago post Stuxnet, and now the DPRK is gangbusters on LinkedIN phishing.

Put another way gentle reader.. If you work for anything and anyone the APT types want to get access to then YOU are a target as well. Pay heed to the awareness programs you are given on social engineering and phishing and KNOW that LinkedIN, Twitter, Facebook, ALL the social media platforms are used as well for this. I personally have created profiles on LinkedIN to target execs using pretty women to get them to give me access. In fact, ALL of this should sound familiar to you.

Does the name Robin Sage ring a bell?

Speaking of Robin….

Here are Elisabeth’s connections…

screenshot-from-2016-10-28-14-34-29

Do you see the irony there?…

I do…

*giggle*

Anyway, I have reached out to some and told them that I have some inside skinny that this may be APT but only one of them said they were removing her. C’est la vie I guess, but I never added her. You gentle reader need to understand once again that the Robin Sage effect is still possible. Some of these connections have inside connections that I for one would not want connecting to this rando account… Unless that is their plan, to lead them along..

Hmm….

Whatever.

Keep your eyes open kids and just don’t click accept on shit mmmkay?

K.

PS.. Elisabeth if you are in fact real lemme know… Maybe I will acc…. NAH just fuckin wit ya!

PPS!!

screenshot-from-2016-10-28-15-44-46

Jayson, you are a first connection… I know you like going to China but you may want to not be the way in for these guys.

 

Written by Krypt3ia

2016/10/28 at 19:27

Posted in APT, CUTOUTS, OPSEC, Phishing

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: