Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Analysis’ Category

Phone Hacks Or Intercepts: Bezos’, Pecker, Sanchez, MBS, A Pragmatic Approach


This whole thing about the Bezos’ dickpics is running amok in the media with panel after breathless panel dribbling on ad nauseam. Wanking on over whether or not a nation state secret service intercepted those texts and photos or if AMI (The National Enquirer) hacked them with the help of sleazy private investigators and/or the brother of the mistress has me apoplectic every time it’s thrust in my face on the news. I finally decided to put this post together with some sense making to counter all the stupid out there. Of course the funniest thing about all of this though is that I have yet to see any of the hacking talking heads that usually show up like Dave Kennedy being dragged out to assess how easy or hard it would be to just hack a phone or an account. Who knew they would not be clamoring to get more news cycle attention to pimp their services, huh? Anyway, let’s do a little dive into what Bezos likely has as a phone, how easy they are to hack, and how likely it is that a bad actor like MBS and his secret services, a paid group, or just the brother of the mistress with a grudge were the culprits, shall we?

What phone does Bezos likely have and how hack-able is it?

According to the babbling of the news media, claims have been made that Bezos has security and as such his phone is likely harder to hack. Well, let’s put that to the test and see. I did some looking and as of 2017 he was still using a Fire Phone, his own product, which runs on Android. A little more Googling and you can see that it had seven vulns that included DoS and overflow attacks in 2018.

FireOS is based on Android 4.2 Jelly Bean and that had a host of vulnerabilities as well. So unless Bezos was using some super secret hardened version of Jelly Bean or FireOS, then it is likely that even with whatever iterations he might have today, it is still quite hack-able in all reality. So with that information one has to wonder at all this reporting that it HAD TO BE a nation state or that this was some exotic attack on a hard target.

Sorry, no.

INCONCEIVABLE!

Meanwhile, if indeed Bezos had another phone, he was spotted before with ANOTHER model of phone (Samsung) which also uses Android as its base operating system. If you are in the hacking or security community, then you know that Android is a hot mess security wise because Google could really give a fuck, so there you have it. Unless Bezos decided to get a Blackphone (which still had issues) I am gonna say it would not be hard to hack him with a phish with a bad .apk file and own him.

Sorry media, go home, you’re drunk again.

The facts are that unless Bezos got his hands on an NSA encrypted and hardened phone like the one that Obama had (which was Blackberry) then it is likely trivial to attack his phone and own him. That’s the fact and everyone should take that into account when listening or watching these talking heads on TV. Of course, this is not to say that it wasn’t MBS or minions he hired or AMI that did this because these are TRIVIAL hacks and one could pay easily for someone to do it. It would not take the NSA or that level of nation state access intercepts to get the data Pecker has.

What are the odds that a bad password(s) and an automatic backup to the cloud are responsible here?

Right, so what about bad passwords? I mean hell, Manny’s password to all his secret bad dealings was “bond007” right? So is Bezos using a good password vault with 16 character passwords and rotating them often? Well, I cannot say, but what I can say is this: “security is hard and OPSEC is even harder for regular people.” This means that it is entirely possible that Bezos’ passwords could have been weak and he may not have changed them as regularly as might be needed for someone who is a higher risk target, right? I am sure he has minions and possibly a security detail, but, think about this, would you want your security detail to have the password to your dickpic mistress phone?

This also brings up another question… Did he have a mistress phone? Something separate from his regular phone and hidden so the wife would not see? You have to ask yourselves this question as well when thinking about this whole “affair” right? Let’s say Bezos bought a burn phone and used that instead of his primary phone to send his dickpics and stupid stupid texts mooning to his side piece. It’s not something you would really want to have lying about for the wife to find, and nothing that could be directly tied to you in some ways; I mean sure, he sent photos of himself, not just his junk, so yeah, not the greatest OPSEC there either. But would such a phone have less security because it was not hardened by the security detail?

Hmmmm….

Either way, passwords and access to Google (since I think he is still using Android) is problematic and unless he had all the 2FA turned on and alerting, he could have easily been pwned due to his own stupidity with passwords and access security.

What are the chances that physical access to the mistress’s phone is to blame?

Ahh this mistress… Well all of the things above could apply to her as well. It could have also been physical access to the phone by others. Let’s face it, Sanchez could have been using her dog’s name as a password to all her accounts for all we know. She is the weakest of weak points as far as I am concerned in the security picture in this story. A running theme in the story seems to be that the mistress’s brother is tied into the Trump camp and its acolytes, so there is a chance that he accessed her phone either physically or perhaps he had a password to gather the details and leaked them to AMI.

Think about that though….

You would have to be one cold bastard as a family member to hack into the sister’s phone and dump pics that seem to include some nudity on her part as well to AMI right? I mean that is some serious pathology there. Keep that in mind further down this post ok? *turns over standing presentation board with pics and yarn connections* So yeah, it could be the brother, or it could be anyone who had proximity to the phone and a desire to carry out this attack on her and Bezos.

I am unaware of what phone the mistress is using but I am willing to bet that she is not as security conscious as Bezos might be. It could even be that both Bezos and she had burn phones that were insecure, who knows right? Suffice to say that the mistress and her electronics hygiene may have in fact been the vector of the leak and everyone has to take that into account even if you are thinking that this was carried out by nation state actors like MBS or Russia. It would be a soft target campaign with phishing, physical access, and stupidity that would win the day and would not take that much effort really.

Was it a nation state intercepting Bezos and just handed this over to Pecker and AMI?

Speaking of nation state actors here’s the deal…

It’s quite possible. It would likely be trivial to attack the weak link (mistress) and gather all the intel. In fact, let’s suppose the nation state actors did do this, it would not only be dick pics that AMI might have. It is possible that they also have audio and video captures of phone calls and the like as well. How do we know that Bezos and the mistress didn’t make any videos together as well? Or perhaps little videos for one another?

Ponder that one too.

The fact of the matter is that nation states, hired hackers, or sleazy PIs could all have done this and all could have passed on even more dirt to use against Bezos and his mistress, and it all sits somewhere in a safe on an external hard drive right? All I am saying is that there may be more to come in the future if at some other time AMI and/or others decide to go nuclear on Bezos. I will sit back and watch the fires burn and sip my whiskey when it all comes down. At the end of the day it cannot be said that it wasn’t a nation state that did this and there are hints and allegations that AMI might have that avenue of interest with MBS and Saudi to have made this happen.

My biggest problem though with that is that it was so fucking hamfisted in its being carried out that it makes me wonder if it wasn’t just AMI doing what they have been doing since they started their yellow journalism agitprop fuckery. I would hope that a nation state would be smoother than: “It would be a shame if something happened to that marriage you have there,” but hey, we are in the Trump era of thuggery and clown cars full of Russians, right? So yeah, entirely possible it was MBS in the conservatory with AMI and a phone hack. Time will tell though, but let’s not make this into a James Bond epic huh?

What are the chances that this was a honey-trap?

Ok, breaking out the murder conspiracy board here for the fun of it…

What if, just what if, this was a honeytrap? What if the mistress is like the brother and a Trump supporter? What if this was all a trap to get Bezos to back off, by AMI and others using this woman wittingly or unwittingly? I mean, it is possible isn’t it? I am not saying it is likely but I am just gonna put that out there for you all. If I were looking to damage an adversary (perceived) like Bezos I might just hire hookers and get the goods on him in a hotel that’s been wired; of course it would have to be a situation where Bezos doesn’t have a TSCM team sweeping rooms before he stays in them and such, but yeah, that would be one way. Another might be to leverage someone in the orbit or put someone in the orbit who he can be enticed by and get the goods on him that way…

Ya know… like what we are seeing play out here right? This is exactly the sleazy way that espionage is carried out on the nation state level (blackmail) as it is on the AMI level of play. So this is not an impossibility. Is it likely in this case? Well, what do we know about Sanchez anyway? I guess a deeper look into her and her brother might be in order and is likely being done by the likes of the FBI right about now.

Giggity.

But yeah, with all the hyperventilation going on in the media, this is a possibility and I cannot just wipe this away as not a thing.

Time will tell.

Forensics or GTFO!

Finally, I would like to once again yell at the media FORENSICS OR GET THE FUCK OUT! I would like to see some evidence that points to nation state hacking or intercepts of Bezos’ and the mistress’s accounts or phones. Will we ever see this data? Well, who the hell knows really but it won’t stop me from yelling this out every time the media breathlessly makes claims that exotic espionage has been carried out on alleged hard targets who use Android phones!

STAAAAAAHHHHP

I eagerly await some evidence in this case but I don’t really expect any. I will keep an eye on it all but at the end of the day I just wanted to put this out there. It is not super secret nation state shit level stuff going on here. It may in fact be leveraged by MBS and his people but it is not something along the lines of them using SS7 on Bezos and his mistress right?

Right?

Oh right, need forensics for that…

Derp.

K.

Written by Krypt3ia

2019/02/10 at 14:53

The Widening Gyre: Putin’s Asset Sets Multinational Norms On Fire and Begets Global Negative Actions


We are beginning to reap the whirlwind in the news cycle from the election of Trump and his breaking of norms that this country and the world have come to rely on. This is exactly what Putin wanted: a country in the midst of a political and social rift that takes our eye off the global ball and allows for negative actions to be carried out without sanction. We have seen Trump set the constitution on fire, along with the judicial body of the United States and the economic norms, and generally break up the balance of power in the world. This has allowed Putin to have greater freedom to act and in turn now others feel empowered. China, North Korea, Syria, and most recently Saudi Arabia have taken actions that would, in normal times, possibly not have been acted on were the nations not at odds, generally due to America’s abdication of its role.

Let’s cover some of the things going on…

RUSSIA:

Putin is still working the levers of power and in so doing he is still making moves on Ukraine all the while leveraging the problems in Syria as well. His actions are twofold: first, to annex Ukraine altogether if he can. If he can’t, then he will continue to fight with disinformation and active measures campaigns until he has more control over the area even if he cannot all out annex them back into Russia proper. Meanwhile, in Syria, Putin is leveraging Erdogan and the battle there with da’esh to gain a foothold in the region and have a friendly dictator he can someday use as a proxy against others in the world.

Meanwhile, Putin keeps having his enemies killed off in interesting ways. The list has been topped off as of yesterday with an oligarch who ran afoul of him being found in a park choked to death by a dog leash.

…. A dog leash….

Now that is a metaphor huh? Putin will continue on liquidating his problems with impunity because the norms have all been broken because of Trump. The U.N., NATO, all of the normative bodies have been rebuffed by Trump and weakened. All that is lacking now is an assassination of a Putin enemy on American soil for his win to be complete. Putin pulled a master stroke in helping Trump win. Even so, don’t believe for a second that Putin isn’t also waiting to not only use Trump more, but, if Trump begins to fail him, to continue to perform flyovers in our air space like he has been with the BEAR FOXTROTS over Alaska and likely become more aggressive. I have yet to hear anything about SSN activity but be assured they are there… Waiting.

CHINA:

China has upped its espionage game since Trump started his little trade war with them. Recent events have shown a rise in hacking and phishing campaigns that had slowed down since the Xi and Obama agreement. That’s over now though, and with the trade war heating things up and rankling China’s core ideal of being an economic superpower, we are going to see not only more hacking and phishing with a side of theft of IP but also now classical espionage tradecraft to carry out the same goals. All of this will only escalate against the US as we move forward, and Trump’s economic disaster plan will likely set more things on fire.

MEANWHILE…. China feels empowered too because of all the fractiousness in the world’s governing bodies and has made the ex INTERPOL chief disappear while in China. Gee, China is now feeling like they can just disappear the head of an international investigative body.

Nice.

As all of this is going on we also have, coincidentally, the arrest of an MSS asset in Belgium for economic espionage against the US aerospace community. Hmmmm gee, what a coincidence that this happens as the INTERPOL chief is disappeared. As you can see, and perhaps make the connections yourselves, it may be that the MSS is reacting to the impending arrest and/or extradition of their asset by grabbing another as a warning?

Hmmm….

Yes, expect more to come out of China with the worsening of the trade wars as well as the eroding of the world’s norms on illegality.

Thanks Putin and Trump!

Oh yeah, and I forgot to mention the whole South China sea thing too…

 

SAUDI ARABIA:

Next up, Saudi Arabia seems to have lured a Washington Post reporter to Saudi only to kill and perhaps dismember him in an embassy there. Saudi has never before been as bold and I directly point toward the breaking of all the norms and groups for this action too. It’s been pretty blatant and I suspect there will be no sanction over this. I mean, look, it’s Saudi right? OPEC, oil? Not to mention that Trump was basically setting himself up to be their stooge since the beginning. Nope, nothing will come of this and now the Saudis have killed a Saudi journalist working for an American news org.

I also want to mention the whole glossy magazine that was put out by Trump’s friend David Pecker back last summer. What was this all about? Well, it seems that that was a PR move to make the house of Saud more accessible to the US consumer. Put another way, the new crown prince wanted to look progressive and hip and with the help of Pecker they tried real hard. It’s just that the mark was missed with this publication. In fact it only made an already wary populace start asking questions as to why this happened and what kind of conspiracy was afoot. Expect more to come out of this Saudi reporter’s death and it will likely not be pretty. If they get away with this, and I think they will, then expect Saudi to pull some more stunts in the future as the crown prince gets more bold.

TRUMP REPUBLICANS:

Finally, the TRUMP party, I really don’t consider them Republicans anymore, will continue to push the limits of the nation’s norms and laws until they are just removed from power. The events around the recent SCOTUS nomination and confirmation of Kavanaugh are a clear example of how the Trump party is abusing their control over the house and senate to get whatever they want over what the governed wants. The Kavanaugh thing is just the most naked misuse of their power to date though, and I am sure more will be coming once Trump replaces Sessions with a minion under his control. This will set the trifecta into play: DOJ under his control, SCOTUS under his control, and Mueller with a new target painted on his back.

I fully expect that when this happens the Russia investigation will be liquidated and the Trump party will lock arms and say that this is not a constitutional crisis. Of course then the DOJ will agree and SCOTUS will concur. It will all disappear at least legally right? This is Trump’s greatest desire and it seems more and more likely that this can happen because of the Kavanaugh ascension. An alternate timeline to this would be that Trump allows the investigation to finish but then has Kavanaugh in his pocket to be the deciding vote on whether or not a sitting president can be indicted.

Either way, it seems that if Trump can replace Sessions with a partisan minion, we are all doomed.

Even more worrying are the upcoming midterm elections. If the Trump party continues to be in control, expect to look fondly at the times of outrage over Trump’s mild bad actions, because he will feel empowered to do even more bad things if he has total control.

Once again, thanks Putin.

We are at a tipping point here and not just with regard to climate change kids.

K.

Written by Krypt3ia

2018/10/11 at 13:38

ASSESSMENT: Threat Intelligence and Credit Card Fraud


[Image: rescator_maltego, the Maltego map referred to at the end of this post]

TARGET:

With the escape of card data and personal data from Target over the holiday season we have seen an uptick in stories about the underworld of carding. Of course Target is just one large company that has been hit with such attacks, albeit this time the hit scored over 70 million cards and their attendant PII data. As the fallout continues to get reported on the attack itself, Brian Krebs has been reporting on those behind the scenes offering up the “dumps” for the criminally inclined to buy cards and data in order to create new lines of credit or spend the ones that have been stolen. As time has worn on though, and as Target starts to release details of just how inadequate the security on their systems was that allowed this attack to happen from external access to their intranet, one thing has become clear: credit crime is not abating and the banks and credit companies are either powerless or don’t care to find ways to stop the hacks and dumps from happening in the first place. Target specifically in this instance has done a terrible job of responding to the incident with clients and the street, and now that details are coming out about their internal security issues, they no doubt will be hiring PR firms by the dozen to spin a tale that this was impossible to have stopped.

CARDERS:

In reality the carders live a fairly open existence on the internet in PHP bulletin boards much like the jihadis do. Their OPSEC is lacking, as Krebs can attest, and in some cases they really don’t care because they live or work in countries where the laws are not as robust and they don’t really fear prosecution. After having been on their sites and looked at caches as well as live data I can say that the OSINT that Krebs culls is not that hard to perform and that more people should be doing the same thing in order to interdict possible attacks in the future. I would assume that there are personnel tasked to do this from say Treasury or USSS, but the fact that all of this came as such a surprise and that Krebs broke the story before anyone else says a lot about the lack of eyeballs on these forums. These guys are living large and often are not that old to begin with. We aren’t talking about old KGB guys now lurking the net and stealing credit card data to support their plans of world domination. What we are talking about are kids who play Xbox and have a revenue stream that is oftentimes pretty robust, allowing them to do pretty much whatever they want. Of course I suspect that there are ties to Mafiosi of the Russian variety (in this case) as well as in other quarters because hey, this is just another piece of the action right? What still amazes though is the naked operations that these guys carry out day to day that don’t even require much else than an ICQ connection and an email address that can be thrown away.

RESCATOR:

[Screenshot from 2014-01-20 15:54:08]

In the case of Rescator though, we have a kind of a “Senatus” as they like to call him on the sites, who seems to have been at this for some time and has amassed an infrastructure to allow for the sale of not only stolen credit card data but also flooding services and other offerings. In the case of the latest Target affair, Senatus Rescator is most definitely at the forefront of the whole thing. He and others like Flavius are in charge of about 10 or so sites that are transitory at times, all bulletin boards pretty much explicitly for the trade of credit card data. Now, as to whether or not Rescator was the main operator behind this hack on Target and others is a question that I cannot answer at the present time. I will say though that the conglomerate including those like Flavius and Rescator may in fact form the cabal that ordered up the hack and exfiltration, or perhaps just benefited from the dumps that came to them from the hackers. I lean, though, towards the idea that Rescator and Flavius and others were likely the ones who put this all together, purchased the malware, and got the hired hands to pull it off if not doing some of the work themselves. That Krebs and others have actually tracked Rescator to a single name and have his personal details shows the lack of OPSEC there, and one hopes that sometime in the near future he will get a knock at the door from Interpol and the USSS/FBI, but that remains to be seen.

LAMPEDUZA, RESCATOR, OCTAVIAN:

[Screenshot from 2014-01-20 15:47:49]

[Screenshot from 2014-01-20 15:55:40]

[Screenshot from 2014-01-18 10:13:33]

[Screenshot from 2014-01-18 12:38:42]

[Screenshot from 2014-01-18 15:38:25]

Domain ID:GMOREGISTRY-DO27434
Domain Name:RESCATOR.SO
Created On:2013-10-01T07:27:57.0Z
Last Updated On:2013-10-08T06:45:26.0Z
Expiration Date:2015-10-01T23:59:59.0Z
Status:clientTransferProhibited
Status:clientUpdateProhibited
Status:clientDeleteProhibited
Status:serverTransferProhibited
Registrant ID:WN18968955T
Registrant Name:Private Registration
Registrant Organization:rescator.so
Registrant Street1:Rm.804, Sino Centre, Nathan Road,
Registrant City:Kln Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:582-592
Registrant Country:HK
Registrant Phone:+852.23840332
Registrant FAX:+0.0
Registrant Email:rescator.so@domainsproxy.name
Admin ID:WN18968956T
Admin Name:Private Registration
Admin Organization:rescator.so
Admin Street1:Rm.804, Sino Centre, Nathan Road,
Admin City:Kln Hong Kong
Admin State/Province:Hong Kong
Admin Postal Code:582-592
Admin Country:HK
Admin Phone:+852.23840332
Admin FAX:+0.0
Admin Email:rescator.so@domainsproxy.name
Tech ID:WN18968957T
Tech Name:Private Registration
Tech Organization:rescator.so
Tech Street1:Rm.804, Sino Centre, Nathan Road,
Tech City:Kln Hong Kong
Tech State/Province:Hong Kong
Tech Postal Code:582-592
Tech Country:HK
Tech Phone:+852.23840332
Tech FAX:+0.0
Tech Email:rescator.so@domainsproxy.name
Billing ID:WN18968958T
Billing Name:Private Registration
Billing Organization:rescator.so
Billing Street1:Rm.804, Sino Centre, Nathan Road,
Billing City:Kln Hong Kong
Billing State/Province:Hong Kong
Billing Postal Code:582-592
Billing Country:HK
Billing Phone:+852.23840332
Billing FAX:+0.0
Billing Email:rescator.so@domainsproxy.name
Sponsoring Registrar ID:webnic
Sponsoring Registrar Organization:Web Commerce Communications Limited
Sponsoring Registrar Street1:Lot 2-2, Technology Park Malaysia, Bukit Jalil,
Sponsoring Registrar City:Kuala Lumpur
Sponsoring Registrar State/Province:Wilayah Persekutuan
Sponsoring Registrar Postal Code:5700
Sponsoring Registrar Country:MY
Sponsoring Registrar Phone:+60.60389966788
Name Server:GREG.NS.CLOUDFLARE.COM
Name Server:ROSE.NS.CLOUDFLARE.COM
DNSSEC:Unsigned

Domain Information
Query: rescator.cm
Status: Active
Created: 01 Jan 2014 15:52 WAT
Modified: 10 Jan 2014 09:54 WAT
Expires: 01 Jan 2015 15:52 WAT
Name Servers:
pns4.cloudns.net
pns5.cloudns.net

Registrar Information
Registrar Name: Web Commerce Communications WebCC

Registrant:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Admin Contact:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Technical Contact:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Billing Contact:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Domain ID:GMOREGISTRY-DO27425
Domain Name:LAMPEDUZA.SO
Created On:2013-10-01T00:58:44.0Z
Last Updated On:2014-01-16T14:55:50.0Z
Expiration Date:2015-10-01T23:59:59.0Z
Status:clientTransferProhibited
Status:clientUpdateProhibited
Status:clientDeleteProhibited
Status:serverTransferProhibited
Registrant ID:WN18967443T
Registrant Name:Private Registration
Registrant Organization:lampeduza.so
Registrant Street1:Rm.804, Sino Centre, Nathan Road,
Registrant City:Kln Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:582-592
Registrant Country:HK
Registrant Phone:+852.23840332
Registrant FAX:+0.0
Registrant Email:lampeduza.so@domainsproxy.net
Admin ID:WN18967444T
Admin Name:Private Registration
Admin Organization:lampeduza.so
Admin Street1:Rm.804, Sino Centre, Nathan Road,
Admin City:Kln Hong Kong
Admin State/Province:Hong Kong
Admin Postal Code:582-592
Admin Country:HK
Admin Phone:+852.23840332
Admin FAX:+0.0
Admin Email:lampeduza.so@domainsproxy.net
Tech ID:WN18967445T
Tech Name:Private Registration
Tech Organization:lampeduza.so
Tech Street1:Rm.804, Sino Centre, Nathan Road,
Tech City:Kln Hong Kong
Tech State/Province:Hong Kong
Tech Postal Code:582-592
Tech Country:HK
Tech Phone:+852.23840332
Tech FAX:+0.0
Tech Email:lampeduza.so@domainsproxy.net
Billing ID:WN18967446T
Billing Name:Private Registration
Billing Organization:lampeduza.so
Billing Street1:Rm.804, Sino Centre, Nathan Road,
Billing City:Kln Hong Kong
Billing State/Province:Hong Kong
Billing Postal Code:582-592
Billing Country:HK
Billing Phone:+852.23840332
Billing FAX:+0.0
Billing Email:lampeduza.so@domainsproxy.net
Sponsoring Registrar ID:webnic
Sponsoring Registrar Organization:Web Commerce Communications Limited
Sponsoring Registrar Street1:Lot 2-2, Technology Park Malaysia, Bukit Jalil,
Sponsoring Registrar City:Kuala Lumpur
Sponsoring Registrar State/Province:Wilayah Persekutuan
Sponsoring Registrar Postal Code:5700
Sponsoring Registrar Country:MY
Sponsoring Registrar Phone:+60.60389966788
Name Server:PNS4.CLOUDNS.NET
Name Server:PNS9.CLOUDNS.NET
Name Server:PNS7.CLOUDNS.NET
Name Server:PNS5.CLOUDNS.NET
Name Server:PNS8.CLOUDNS.NET
DNSSEC:Unsigned

Domain Name: LAMPEDUZA.NET
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.CLOUDNS.NET
Name Server: NS2.CLOUDNS.NET
Name Server: NS3.CLOUDNS.NET
Status: clientTransferProhibited
Updated Date: 03-oct-2013
Creation Date: 31-may-2011
Expiration Date: 31-may-2022

>>> Last update of whois database: Mon, 20 Jan 2014 20:30:53 UTC <<<

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: LAMPEDUZA.NET
Registry Domain ID:
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internetbs.net
Updated Date:
Creation Date: 2011-05-31T11:47:48Z
Registrar Registration Expiration Date: 2022-05-31T11:47:48Z
Registrar: Internet.bs Corp.
Registrar IANA ID: 814
Registrar Abuse Contact Email: abuse@internet.bs
Registrar Abuse Contact Phone:
Reseller:
Domain Status:
Registry Registrant ID:
Registrant Name: Jeremiah Heisenberg
Registrant Organization: Offshore Hosting Solutions Ltd.
Registrant Street: Oliaji TradeCenter 1st floor
Registrant City: Victoria
Registrant State/Province:
Registrant Postal Code: 3341
Registrant Country: SC
Registrant Phone: +248.2482032827
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains@offshore-hosting-service.com
Registry Admin ID:
Admin Name: Jeremiah Haselberg
Admin Organization: Offshore Hosting Solutions Ltd.
Admin Street: Oliaji TradeCenter 1st floor
Admin City: Victoria
Admin State/Province:
Admin Postal Code: 3341
Admin Country: SC
Admin Phone: +248.32724
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains@offshore-hosting-service.com
Registry Tech ID:
Tech Name: Jeremiah Haselberg
Tech Organization: Offshore Hosting Solutions Ltd.
Tech Street: Oliaji TradeCenter 1st floor
Tech City: Victoria
Tech State/Province:
Tech Postal Code: 3341
Tech Country: SC
Tech Phone: +248.32724
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domains@offshore-hosting-service.com
Name Server: ns1.cloudns.net
Name Server: ns2.cloudns.net
Name Server: ns3.cloudns.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-01-20T11:49:26Z <<<

domain:        OCTAVIAN.SU
nserver:       jack.ns.cloudflare.com.
nserver:       leah.ns.cloudflare.com.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        fpolev@mail.ru
registrar:     RUCENTER-REG-FID
created:       2013.01.13
paid-till:     2015.01.13
free-date:     2015.02.15
source:        TCI

Last updated on 2014.01.21 00:31:35 MSK

~$ whois rescator.la
Domain ID:CNIC-DO1009346
Domain Name:RESCATOR.LA
Created On:2013-02-21T01:24:13.0Z
Last Updated On:2013-12-27T12:53:29.0Z
Expiration Date:2014-02-21T23:59:59.0Z
Status:SERVER UPDATE PROHIBITED
Status:SERVER HOLD
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:CLIENT DELETE PROHIBITED
Status:SERVER TRANSFER PROHIBITED
Registrant ID:WN18395382T
Registrant Name:Private Registration
Registrant Organization:rescator.la
Registrant Street1:Rm.804, Sino Centre, Nathan Road
Registrant City:Kln Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:582-592
Registrant Country:HK
Registrant Phone:+852.23840332
Registrant FAX:+0.0
Registrant Email:rescator.la@domainsproxy.net
Admin ID:WN18395383T
Admin Name:Private Registration
Admin Organization:rescator.la
Admin Street1:Rm.804, Sino Centre, Nathan Road
Admin City:Kln Hong Kong
Admin State/Province:Hong Kong
Admin Postal Code:582-592
Admin Country:HK
Admin Phone:+852.23840332
Admin FAX:+0.0
Admin Email:rescator.la@domainsproxy.net
Tech ID:WN18395384T
Tech Name:Private Registration
Tech Organization:rescator.la
Tech Street1:Rm.804, Sino Centre, Nathan Road
Tech City:Kln Hong Kong
Tech State/Province:Hong Kong
Tech Postal Code:582-592
Tech Country:HK
Tech Phone:+852.23840332
Tech FAX:+0.0
Tech Email:rescator.la@domainsproxy.net
Billing ID:WN18395385T
Billing Name:Private Registration
Billing Organization:rescator.la
Billing Street1:Rm.804, Sino Centre, Nathan Road
Billing City:Kln Hong Kong
Billing State/Province:Hong Kong
Billing Postal Code:582-592
Billing Country:HK
Billing Phone:+852.23840332
Billing FAX:+0.0
Billing Email:rescator.la@domainsproxy.net
Sponsoring Registrar ID:H129924
Sponsoring Registrar IANA ID:460
Sponsoring Registrar Organization:Web Commerce Communications Ltd
Sponsoring Registrar Street1:Lot 2-2, Incubator 1, Technology Park Malaysia
Sponsoring Registrar Street2:Technology Park Malaysia
Sponsoring Registrar Street3:Bukit Jalil
Sponsoring Registrar City:Kuala Lumpur
Sponsoring Registrar State/Province:Wilayah Persekutuan
Sponsoring Registrar Postal Code:57000
Sponsoring Registrar Country:MY
Sponsoring Registrar Phone:+603 8996 6788
Sponsoring Registrar FAX:+603 8996 8788
Sponsoring Registrar Website:http://www.webnic.cc
Name Server:JACK.NS.CLOUDFLARE.COM
Name Server:LEAH.NS.CLOUDFLARE.COM
DNSSEC:Unsigned

The sites that Rescator and friends have set up are an arcology on the internet for underground (almost) carding forums. As the Maltego map at the top of the page shows, they can all be connected together either by registration data or by links to one another to and from their domains. One interesting bit is the fact that a couple of the sites were registered out of the Seychelles by “Jeremiah Haselberg”, who has a checkered past with sites ranging from online poker for bitcoins to outright scams, including takedown notices from the MPAA. It seems that perhaps the nearest thing to a real financial entity that can be found in the intelligence gathering I did today was this company (likely a shell company), which could be a means to an end in laundering funds and cleaning them. As to whether Rescator and the others are a part in this or are just the mules (so to speak) is the question I still have, and it will take more looking to see. In the end, though, this constellation of sites and their spidering out to many, many others both on and off of the darkweb is the primary means for volume trafficking in stolen credit data and PII as well as bank accounts and access to financial institutions. In other words, a real and credible threat.

THREAT INTELLIGENCE AND ANALYSIS:

I have been looking into these sites and the players for a little while now and I have to say that, with the lack of OPSEC, I would think they would be easy targets for takedown. What has been bothering me since I started this odyssey is that companies like Target, as well as the banks out there, lack any true intelligence gathering apparatus to actually monitor these sites and get insight into what is happening. OK, I know this may sound a little out there to some, and that I am asking for companies and banks specifically to have a working intelligence apparatus, but really, isn’t that the only real way to have a fighting chance here? Had the banks or some firms out there been doing what Krebs has been doing, perhaps this attack would have been at least prepared for a little bit, if not stopped, due to intelligence gathering from these fairly open sites. My analysis, which stemmed from about a day’s worth of looking, backstops Krebs’ data and even goes further, and really, I did not put all that much time into it. Imagine what could be done with proper analysis and a heads up on such POS malware as was plainly for sale and talked about in these forums?

It will be some time until the Target kerfuffle’s dust has settled, but I would like to advocate more HUMINT and OSINT, like Krebs has been doing, by analysts either selling this as a service or perhaps in in-house operations that at the very least can spend some time Googling or using Maltego to determine just what is happening out there in these not nearly opaque bulletin boards. As I write this, though, I am wondering whether the simplest answer here is that the banks just don’t care, because in the end the costs will circle back to the clients in the form of fees. This reasoning serves the cognitive dissonance within the financial sector that says it’s not their fault, it’s not your fault, but hell, there is nothing we can do about it. I should think that more proactive approaches to anti-fraud methodologies might be better, but who knows what they are thinking. Overall this kind of crime will continue, both big and small, because the companies make it easy for the criminals to hack them (bad passwords and processes etc.) and the lackadaisical laissez-faire attitude on the part of the credit corporations and banks persists. The real loser, though, will be the client who has to deal with bad credit through identity theft, loss of funds that may or may not be guaranteed, and generally being the product for sale by these miscreants.
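The pivot described above (connecting domains through shared registration data and name servers, the way the Maltego map does) and the in-house OSINT the previous paragraph argues for can be scripted without Maltego. The block below is an added example written for this post, not the author’s tooling: it parses the two WHOIS dialects quoted on this page (the `Key:Value` registrar style and the RIPN `key:        value` style), extracts pivot attributes, and scores links between domains. Registrant e-mails, phones and names count as strong pivots; name servers at shared DNS providers such as Cloudflare or ClouDNS count as weak ones, because thousands of unrelated customers share them (the provider list is my assumption, not something the post states). The rescator.la and octavian.su values come from the records quoted above; the two `placeholder-*.example` records are constructed stand-ins for the Seychelles-registered sites whose names are not in the quoted output, and the privacy-proxy names (“Private Registration”, “Private Person”) are filtered so they do not create false links.

```python
"""Cluster domains by shared WHOIS pivots. Added example, not the post's own code."""
from collections import defaultdict
from itertools import combinations

# Constructed sample input. rescator.la / octavian.su values are from the post's
# quoted WHOIS output; the *.example records are placeholders that reuse the
# Seychelles registrant contact quoted in the post.
SAMPLE_RECORDS = [
    "Domain Name:RESCATOR.LA\n"
    "Registrant Email:rescator.la@domainsproxy.net\n"
    "Registrant Phone:+852.23840332\n"
    "Admin Name:Private Registration\n"
    "Name Server:JACK.NS.CLOUDFLARE.COM\n"
    "Name Server:LEAH.NS.CLOUDFLARE.COM\n",
    "domain:        OCTAVIAN.SU\n"
    "nserver:       jack.ns.cloudflare.com.\n"
    "nserver:       leah.ns.cloudflare.com.\n"
    "person:        Private Person\n"
    "e-mail:        fpolev@mail.ru\n",
    "Domain Name: PLACEHOLDER-SHOP.EXAMPLE\n"
    "Admin Name: Jeremiah Haselberg\n"
    "Admin Email: domains@offshore-hosting-service.com\n"
    "Admin Phone: +248.32724\n"
    "Name Server: ns1.cloudns.net\n"
    "Name Server: ns2.cloudns.net\n",
    "Domain Name: PLACEHOLDER-FORUM.EXAMPLE\n"
    "Registrant Email: domains@offshore-hosting-service.com\n"
    "Name Server: ns1.cloudns.net\n",
]

# Map the many WHOIS field spellings onto a handful of pivot fields.
KEY_ALIASES = {
    "domain": "domain", "domain name": "domain",
    "nserver": "ns", "name server": "ns",
    "e-mail": "email", "registrant email": "email", "admin email": "email",
    "tech email": "email", "billing email": "email",
    "registrant phone": "phone", "admin phone": "phone", "tech phone": "phone",
    "registrant name": "name", "admin name": "name", "tech name": "name",
    "person": "name",
}
# Privacy-proxy boilerplate that would link every proxied domain to every other.
NOISE_VALUES = {"private registration", "private person"}
# Assumed list of shared DNS providers whose name servers are weak evidence.
SHARED_NS_SUFFIXES = ("cloudflare.com", "cloudns.net")


def parse_whois(text):
    """Parse one WHOIS record into {'domain': str, 'ns'/'email'/'phone'/'name': set}."""
    rec = {"domain": None, "ns": set(), "email": set(), "phone": set(), "name": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        field = KEY_ALIASES.get(key.strip().lower())
        value = value.strip().lower()
        if not sep or not field or not value or value in NOISE_VALUES:
            continue
        if field == "domain":
            rec["domain"] = value
        elif field == "ns":
            rec["ns"].add(value.rstrip("."))   # RIPN output has a trailing dot
        else:
            rec[field].add(value)
    return rec


def pivot_weight(field, value):
    """Strong pivots: contact data. Weak pivots: name servers at shared providers."""
    if field in ("email", "phone"):
        return 3
    if field == "name":
        return 2
    return 1 if value.endswith(SHARED_NS_SUFFIXES) else 2


def link_domains(records, min_score=2):
    """Return {(domain_a, domain_b): {'score': int, 'pivots': [...]}} for linked pairs."""
    index = defaultdict(set)                      # (field, value) -> domains
    for rec in records:
        for field in ("email", "phone", "name", "ns"):
            for value in rec[field]:
                index[(field, value)].add(rec["domain"])
    edges = defaultdict(lambda: {"score": 0, "pivots": []})
    for (field, value), domains in index.items():
        if len(domains) < 2:
            continue
        for a, b in combinations(sorted(domains), 2):
            edges[(a, b)]["score"] += pivot_weight(field, value)
            edges[(a, b)]["pivots"].append(f"{field}={value}")
    return {pair: e for pair, e in edges.items() if e["score"] >= min_score}


def clusters(edges, domains):
    """Group domains into connected components over the accepted edges (union-find)."""
    parent = {d: d for d in domains}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in domains:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


if __name__ == "__main__":
    recs = [parse_whois(t) for t in SAMPLE_RECORDS]
    links = link_domains(recs)
    for (a, b), e in sorted(links.items()):
        print(f"{a} <-> {b}: score={e['score']} via {', '.join(e['pivots'])}")
    print(clusters(links, [r["domain"] for r in recs]))
```

Run as written it produces two clusters: the two placeholder domains are tied together by a shared registrant e-mail plus a name server (score 4), while rescator.la and octavian.su only reach the threshold through two shared Cloudflare name servers (score 2), which is exactly the kind of weak link an analyst should confirm with another pivot before drawing it on the map. Raising `min_score` to 3 drops that pair.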

K.

Written by Krypt3ia

2014/01/20 at 21:53