Archive for the ‘Phishing’ Category
Extortion Phishing: So, closer to the point. You surfed the internet with роrn, which I’ve placed with the virus…
A series of extortion emails have gone out this last month that caught my eye. The phish are simple straight forward attempts at extorting users by claiming they had been hacked and watched surfing porn. The phishers then demand that the user pay a certain amount of bitcoins to them and all their trouble will go away. Basically it is the equivalent of the old “Say, that’s a nice family you have there, it’d be a shame if something happened to it” routine familiar to anyone who has seen a mafia movie. I had a user get one and so I began the usual looking around to see if more came in and what the deal was with it. Once I began Googling key words and phrases I saw that this had been making the rounds since at least August 14th and that this last round had actually made some money for the extortionists.
I then began the usual OSINT on the domain that the emails came from after collecting as much info as I could from Reddit and other places where people had mentioned the extortion attempts. What I came up with is an arcology of malware and phishing that seem to tie back to one individual in Ukraine who may be the nexus of it all. Before I go down the OSINT rabbit hole though, I just want to take a moment to consider this threat and the psychology of it. One might think that if you got this email you would just laugh it off and then trash it. Some people though had guilty minds or had in fact been surfing “the porn”, as we all do mind you, (come on you all do and you know it!) so they got worried and they actually paid this guy off to make it all go away and this is interesting to me. Do those who paid really think that an extortionist, once successful at getting them to pay them will just walk away after such an easy exploit?
*shakes head*
You fools…
Anywho, it seems that even a non exploit exploit of just threatening a user’s browsing habits with “I am gonna email all your contacts with your pron habits” is can work and potentially give the attacker some pin money at least. So I tracked the emails and the IP’s that these came from to Ukraine. Specifically to a subnet of systems owned by one guy: Roman Shurbarev.
From: return@aukcion.org
Received: from nat5.aukcion.org (nat5.aukcion.org [188.225.27.25])
As you can see there are porn like sites in there…
The domain owner of not only the domain in question that was set up as a mailer for these phish but also a string of other domains that he owns connected to other malware and phish sites and activities that include, wait for it… Wait… Ransomware! Yup, this guy has it all goin on! Now, when I started poking at the system that this all came from I ran an Nmap and the shit is tight, there were no open ports and the firewall as filtering everything so I kinda doubt that this guy has been popped and being used as a relay for these. So I went on to profile all his domains and got the following malware connections:
PICK A MALWARE! ANY MALWARE!
So yeah, this guy has many bad connections but not anything directly connected to his domains themselves that I could see, at least in the sense that they were hosting the malware or being used as a C2. Now though I would like to talk about the money. These poor fools who actually paid this scammer have netted him about .28794615 Bitcoins which is about 80516.75 Rubles or $1,375.29 dollars as of yesterday when I looked. The money has been moved around a lot from the series of wallets used in this extortion scheme:
156eSKJU22jHHUEr6zznqMiDyR1L7DFFPY
1FJND3abrT4TjwijUbfYPD8jogCFeSbL
1Pku8VSnjgZePRt8yLF3QWfUYMTAjhA3io
1DGgLh6xeDmasCBHaLEQXwJ7C9gEvpYvWr
12pRJwZfZKi3RZa2eFijVCjmjCbB1YcXXXrA
15YhkTnuTprtPDRsdxiE2y8sMqiSmLPx2g
17qDi9fFG8C7a4mmTBBjsV7QmUN9QUBScZ
1H6DRf3XvHYudc7g6RvCiMbunHHKpbjhD2
1Nu2hju7Bs4vkUw2xyqi4E3ktSgx2VJEJq
13HSMufjTvzGJKoHdSQsLiJbsPcQcVMf4K <— 7 transactions
It ain’t Wannacry money but it would buy some shit in Ukraine I guess. There has been some movement of money around so I am wondering if they are trying to mixmaster or what. I did not go down that rabbit hole so if you all want to go right ahead. As for me I thought that this post should be put out there for others to see the actor, the act, and maybe as a PSA to put a stop to it. So, here are the other variations on the theme. The emails all pretty much say the same thing with some variations on “I see you have been surfing porn because I infected your machine with porn!” and ask for the money;
So there you have it. You don’t have to be anyone special, you don’t have to be 1337 to scam people with an email…
Yay internet!
K.
KONNI: Malware Campaign Inside Pyongyang
So the release of the KONNI report by Cisco piqued my interest and so I thought I would look into the data presented and see if there was anything else to be seen. In looking at the malware (samples below) and the C2 involved over the last three years a few things come up about this campaign.
- The malware evolution is interesting as it started off kinda low-tek and then expanded in scope and in complexity of code by the writers
- The C2’s mostly seem to be clear of data showing who may own them and or who started the domains and this is rather professional in my opinion.
- One of the re-directed C2’s can be tied back to an alleged Chinese alias that owns numerous sites and allegedly is in Canada (a.yesadsrv.com) which comes back to yesupinc@yahoo.com as the address used in the domain information
- The C2’s also cluster in areas where other phishing exploits reside so as to maybe couch them in a constellation of disinformation
- The documents being used as part of the phish campaign seem to be aimed at English speaking embassy staff with alternate RU campaigns that might be running in parallel (as noted by doc file in sample Talos found in Cyrillic)
- All the documents look as though they would be common files passed around the embassy set and thus would not be something that would tip off the targets as to their being phish
- HOWEVER, the documents that are being aimed at these users show that they are low hanging fruit and not savvy to phishing threats because all of these have .scr or other types of file names attached and as such a savvy user would not click on them
- The campaign has been detected and the malware samples found in open source sites going back to 2015 (see links below) and the 2017 iteration was shown to be in a hybrid-analysis clone run in native Korean language on april 19th 2017.
- MOST of the infrastructure has been pulled but some of it is still up even today and you can pull down the SYM64.exe but attempts got a 0 byte file
Conclusions:
What all of my digging around has shown me is that this campaign is directed more at DPRK’s embassy set and thus hopefully at the hermit nations traffic in those embassies that may have gotten the phish. The use of English language is of interest to me but I suppose that the assumption is that these documents coming from the UN and other affiliates would be in English and not in Korean. There was one document that was purportedly from China but it also was not in Chinese so there is that too, I would have liked to have seen it translated to Chinese for good measure.
When I looked at the metadata for the document about blowing up NYC with a hydrogen bomb I found that it only had the name “John” and the date of creation and editing were transposed. I did not do a deep dive into the metadata but maybe later I will. For now though, the document is alleged to have come from an American and concerned “propaganda” so perhaps the email that the document was attached to was an alert for the embassy staff on recent events and timed for added click-ability. This would make a lot of sense to me and I suspect would have more than a few clicks occur to see what it had to say even with .scr in the filename.
I have since been wondering just how much data the hermit kingdom really shares with the embassies that they have around the world. I personally think they would not be of much intelligence use in many respects because Kim does not trust anyone and certainly not anyone not within his immediate reach to disappear. So what kinds of information might the malware get getting from these windows machines within such places? I also have to wonder if any of these documents/malware made their way to Kim and others within the Pyongyang confines and thus maybe onto grey license systems in DPRK itself. I then have to wonder as well what rules may be on their firewalls to let any telemetry get out to the internet proper, as I understand it only a core group have internet access outside the confines of the country.
All of these questions beg another question….
Do we know for sure these were aimed at DPRK embassies/personnel?
Now go with me for a minute here… This kind of information would also be of interest to other groups and countries right? Do we have any telemetry from Talos or elsewhere that the systems infected were in fact in DPRK sites? Do we have email addresses within the phish? I have not seen this information in any of the samples yet so I cannot say for sure that they were the target. If Talos has more maybe they should ya know, tell us all? I for one would be interested to see more on the targeting here because to me, this is all kinda sketch unless you can prove they were the ones opening the stuff.
Say Talos, did you get into that C2 infrastructure and pull some data down on systems compromised?
Come on, you can tell uncle Krypt3ia!
SAMPLES:
Ask for them and we will work out a transfer method
LINKS:
LinkedIN: The APT Phisherman’s Friend
I get some interesting requests for connection on LinkedIN. Some of these are just the rando security wonk or government type, others, well, they are much more targeted and potentially adversary activity looking for an opportunity to mine your connections or you for bits. In the case of the profile above, I believe this to be a fake account created by group looking to get into my links and perhaps someday send me some file that they hope I will click on. Now you all know me, I am an infamous bastard and I vet my connections most of the time so when this one came in all the bells started going off once I took a closer look at her bonafides.
The problem with her is that I cannot verify much of anything she claims in her bio. I looked her online and nothing. I looked up her company that she works for and all I got was a real estate company out of Florida not NYC as she claims to be located in. I then went on to inquire with the secret squirrels out there on the internets whether or not she had in fact worked for RAND. The responses I got back were that she had not worked for RAND, which sure, maybe she did and they could not locate an old email acct and just didn’t know her, but, there are no other remnants in the OSINT out there showing her to be an employee there at all.
Neither could I locate her current company solidly and the company that has the name is run by some guy alone so I am not thinking that that is a solid hit. I then cross referenced in searches on Google for “Harbor Capital LLC NYC” and all I get are names that are close to this but not the same. Once again nothing comes up here that validates this person, never mind the company itself. The alarm claxon is getting louder and louder here ain’t it? So I started the cross searches and yes there are “Elisabeth M Jones'” out there but no one specifically pops up as the definitive person I am looking for here.
Then I used the image search engines to see if I could catch the photo as being re-used. This woman looks kinda familiar, like I have seen her in something on TV but I cannot place it. Coincidentally neither can Tineye nor Google. Neither of these services gave me a solid hit on this image so either this is someone who is rarely photographed, or, this is someone who’s pic has never been hoovered and catalogued by the great Google machine.
Once again, here we are at a loss to show this person really exists. Nothing in these searches can lead me to believe this is anything but a cutout account looking to gain access to my connections and I on LinkedIN. Now some of you out there will likely say “Meh so what?” Well, this is what, this type of attack with social engineering is what I use against targets and many of you out there in the pen-testing arena do too. More so though, the APT types have been using LinkedIN for a long time to gain access to people and then send them malware or links to malware. China has been very good at this for a long time. Iran was doing this a few years ago post Stuxnet, and now the DPRK is gangbusters on LinkedIN phishing.
Put another way gentle reader.. If you work for anything and anyone the APT types want to get access to then YOU are a target as well. Pay heed to the awareness programs you are given on social engineering and phishing and KNOW that LinkedIN, Twitter, Facebook, ALL the social media platforms are used as well for this. I personally have created profiles on LinkedIN to target execs using pretty women to get them to give me access. In fact, ALL of this should sound familiar to you.
Does the name Robin Sage ring a bell?
Speaking of Robin….
Here are Elisabeth’s connections…
Do you see the irony there?…
I do…
*giggle*
Anyway, I have reached out to some and told them that I have some inside skinny that this may be APT but only one of them said they were removing her. C’est la vie I guess, but I never added her. You gentle reader need to understand once again that the Robin Sage effect is still possible. Some of these connections have inside connections that I for one would not want connecting to this rando account… Unless that is their plan, to lead them along..
Hmm….
Whatever.
Keep your eyes open kids and just don’t click accept on shit mmmkay?
K.
PS.. Elisabeth if you are in fact real lemme know… Maybe I will acc…. NAH just fuckin wit ya!
PPS!!
Jayson, you are a first connection… I know you like going to China but you may want to not be the way in for these guys.
So APT Is China *snicker* Now What?
zl’s egt amsk sbfmt kze kwcyfocggp ktlhiu!
Avanced? Persistent? Threat?
As RSA comes to a close and the corridors of the hall stop ringing with the acronym APT bleated out by a megaphone from the Mandiant booth I find myself once again looking at the problem as opposed to the hype. Let me simplify this for you all a little bit here to start though. APT is not necessarily “advanced” as the Mandiant finally lets you all out there not in the secret squirrel club know. In fact the APT’s are often just outsmarting the average end user on a daily basis and you and I both know it does not take a mental genius to do that right? Seriously there is nothing overly advanced nowadays in sending phishing emails and doing recon to assess your targets. Sure there is some coding going on once inside that is novel but really, any good hacker will tell you that they can code some shit up to keep persistence or maybe just buy it on the black market if needed. This is not rocket science here.
On the persistence thing yes, yes they are. They are persistent not only in trying to keep their toehold but also in that they bombard companies with emails in order to have a signal to noise attack. This is nifty but really it’s not a new technique. So ok persistence means they keep trying but it is often our own failings that ALLOW their persistence. Everything from the #click_sheep who keep clicking on every god damned email they get that asking if they want a bigger penis to companies lack of controls over patching and other standard procedures that they should be carrying out on their infrastructure. So when really looking for someone to blame look in the mirror folks. Hey maybe you will look in the mirror and see that you are Chinese huh?
Finally the “threat” part well I think I just covered that huh? YOU are the real threat in this vector. The adversary is just leveraging that fact to obtain their goals. The threat is not Chinese, Russian, Israeli, or French. It’s us. We are the threat and this was the case even before computers and espionage came together. How do you think a lot of the information was stolen back in the day from governments and companies? That’s right kids! It was by people being paid off or being leveraged in some way by spies and spy agencies. Now though, we really don’t have to leverage people as much with compensation or threats. Instead we just leverage their human natures and boy oh boy does it work ever so well!
Our sloth, greed, and general cluelessness are our own undoing.
Is WHO Hacked You That Important?
So Mandiant puts out a report on our Chinese hackers and everyone is a twitter over the “revelations” As someone who has personally dealt with this type of activity in my work life I was pretty apathetic about the report and it’s being published outside of the “sekret squirrel” world. Sure, they probably set us all back some and certainly have set the stage for a great amount of douchery to come but really, what good comes from this report and the data it dropped? Hurriedly I have seen many glom onto the hashes and the techniques that the Comment Crew was using in order to fortify their environments since the drop. Of course this may be to no avail as soon I am sure the CC will be changing their ways but hey, it gives us all something to do huh?
Meanwhile people are nodding their heads and saying “BAD CHINA” while the government pops out 140 page draft resolutions on how to deal with China and their hacking of our IP. I for one see this as just a lot of smoke and mirrors that may in the end have no greater effect other than political gain but hey who am I right? Let’s let it roll as everyone gets their panties in a bind over China. Others though have piped in and said that maybe it’s not only China but all too often these voices are not enough to cut through the cacophony of stupid to make it to the reasoned ear. Guess what kids it’s not just China and it never has been and this is the problem of fixating on one target. You tend to lose the other and then they come up behind you and shoot you in the back of the head.
The upshot here? Who hacked you is NOT as important as WHY you got hacked and HOW you got hacked. The old WHO WHAT WHY WHEN & HOW are important equally and we unfortunately have collectively latched onto the WHO and this will be our downfall. At least Mandiant is looking at the how but I am not hearing much about how to remediate the problems that cause the problem to start with. Instead as we see with the government response they are going to the WHO and saying “cut it out” and anyone who thinks that that is going to make them stop is really biting too tightly on the crack pipe. So back to the point which should be plainly clear. We are the target and we are the problem. It is important to understand the who but you cannot leave out the WHAT, WHERE, WHEN, and WHY. If you do then you will never win the battle.
Know Thy Enemy.. Know Thyself…
It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.
Sun Tzu: Art of War
It’s a trite thing to some out there *looking at you Jericho* to quote Sun Tzu in any cyber context but in my case here it is absolutely correct to quote. The problem I am finding in much of the approaches to trying to defeat or lessen the APT problem focuses less on knowing the self (aka your network and your people) and more on blinky light solutions to stop them dead in their tracks as the vendor propaganda states. Some even go as far as to proclaim that security awareness is pointless which I called bullshit on before rather vociferously in the past. I find it to be one of the more reprehensible statements made up until yesterday’s revelations that a panel gave at RSA saying that “We are soon going to live in a post crypto world” and that crypto is pointless because the APT keeps avoiding it. This is one of the most idiotic statements I have heard in a while and it just makes me think people misunderstand APT even more than before. Everyone thinks they are unstoppable and that is not right. These attacks can be mitigated but it will take real work to do do not some blinky verndor solutions.
The point here is this; We need to carry out due diligence and we need to be vigilant in our security apparatus. We need to engage the end users and teach them about malware and phishing and keep teaching them over and over and over again. Wrote learning is the ONLY way that this will get into their collective heads. Sure, we can also use technologies to attempt to arrest the spear phishing attacks but if you have a 3 star general who is a #click_sheep well, you are pretty much fucked if you are not really paying attention to the network SIEM and other mitigations in place and even then, with creativity those too can be outwitted. These APT types use common traffic to hide within and that is the problem. The pivot is the key here, they are using your network to their advantage just like a Judo expert. Will you be able to stop them all? No. Will you be able to considerably cut the attack success down with holistic methods? I believe you can and I have seen it in action. Others have said much the same thing and I hope more people start paying attention.
I agree that knowing who is attacking is important but it is only important as long as you take the time to be introspective about what they are seeking from you and how they are getting it out of you. What flaws in your infrastructure and culture are they exploiting that is allowing them to rob you blind and how can you remedy them to stop them. These are the key questions that seem to be missing from so many vendor offers like Crowdstrike and others out there today offering offensive defense or active defense. Sure, if your org is working properly and you have security enlightened end users go for the disinformation honeypot things and other means of defense. However, if your people are a bunch of #click_sheeple then what is the point? You will be PWND and it will be all be moaning and wailing “woe is me” in the end …Trust me.
Oh, and a last word here on the #click_sheep thing. Why am I harping on it? Look at the reports again. 99.999 percent of the attacks are being performed via phishing and spear phishing STILL! We have known about this type of attack how long? Come on people! There’s a reason it is done this way. It’s because people are not being trained properly as well as their systems are not being patched up! I know what you are thinking “but there’s 0day!” Yes yes there is but that is only a small percentage of the attack surface at present.
CLICK CLICK PWN.
Behavior Modification Is Needed
Now that I have ranted a while let me just re-iterate the facts. We are to blame for the APT successes. The term was coined back in 2006 and though it’s been in the secret squirrel world it was a known quantity. In fact I would say that it was not only the APT but generally crackers who were using these techniques for the most part and the APT just went along with it and refined it. This is not new and now that it is all out in the open we need to really pay attention here and look at the problem from the macroverse level and not just the myopic microverse that we in the industry tend to have. This isn’t just a technical problem it’s a sociological and psychological problem that we have to work on. Many say that there is no defense to social engineering attack but I do not ascribe to that. With the proper security education and awareness training anyone can defeat SE attacks. It just takes training like that which Dave Aitel thinks is pointless.
9/11 pointed out to the intelligence community that an over-reliance on technology failed to detect and stop the 19 hijackers from AQ. This failure was remedied by adding record numbers of assets post 9/11 to carry out HUMINT (Human Intelligence) and what we learned most of all that technology in itself is useless against human nature and a healthy dose of avoiding tech. It was tradecraft that allowed the plot to succeed even when their phone conversations were being tapped. I make this analogy because once again we are facing the same problem within the INFOSEC community as well as the government and military’s. The adversary is relying on human nature and we are relying on technologies created by humans. It’s a bad mix really and it needs to be re-evaluated to include more introspection on the people creating, maintaining, and using the technologies today. So far I am not seeing too much of this ethos being bandied about in the community and I think it is at our own peril.
I feel like it should be a catch phrase akin to the GHW Bush era’s “It’s the economy stupid” In my case though its more along the lines of “It’s not just the technology stupid” We have been myopic and we need to cut that out. The next shiny whizbang appliance is not going to stop that 3 star #click_sheep from opening the email addressed to him with the misspellings about how he has a package from UPS and needs to install this .EXE file to get it.
Derp.
K.
The Case of The Curious INSCOM Cyber Warrior Site: You’ve Been Phished Without An Email Or A PDF!
INSCOM Is Hiring A Cyber Brigade? You Don’t Say!
A tweet from @treadstone71 yesterday caught my eye and I decided to take a look at the link therein he had put out. The link, purports to be for INSCOM the Army Intelligence and Security Command’s new Cyber Brigade.
Now, I am a bastard by nature as well as a paranoid so I decided to take a look at the site before making any kinds of re-tweets about it. Often today people just pass things along without really taking a good look at what they are talking about or recommending to others. In this case, I am certainly glad my better nature (paranoia) took over. The site looks slick on the surface but as soon as you take a jaundiced eye to it, you see there are certain things wrong here.
Alas though, not only was there a site but also a twitter account just set up as well…
So it seems that someone is making a full sized driftnet for information on those who would like to sign up as well as discuss the INSCOM Cyber Brigade. On the surface like I said, this looks all well and good, but once you start to poke at it though, you get some strange answers. But, for those who don’t take a closer look WOO HOO they too can maybe get some details about how THEY CAN BE AN ARMY OF ONE.. A Cyber Army of one that is. With all of the hoopla that jester is trying to stir up about his being a “patriot hacker” people in the right wing and the stupid, have been flocking to his side and to the idea that a Cyber Brigade is needed in this country. You know, like the ones that China has?
Yes, this has been the talk for a while, in fact, it pre-dates jester’s showing up and I suspect as well has something to do with it too. A Cyber Brigade or (Brigades) out there to protect us all from calamity on the internets. Using their hi-tech skills, they will pre-pwn the Chinese, or Anonymous and protect us all like John McClane in those horrid “Die Hard” movies. I can hear the jingoism in the air now and it hurts my ears as well as my frontal lobes.
As we spin out of control planning another war in Asia, the morons abound in just blindly supporting initiatives like this one purports to be.. And it scares me to think just how many people filled out their information on this site to get more information about becoming a “Cyber Warrior”
Uh Wait.. Why Is The Site on Godaddy AND It’s Hosted in Sweeden?
Once you take a good look at the site though, you notice, if you bother to look, that the domain was set up in February and that it is in fact hosted by an anonymous proxy company who located the server in Sweeden.
*blink blink*
That’s right kids. This site is not hosted at all on .mil domains nor seems to be at all controlled or created by INSCOM or the military. Initial contact with the mil boys has unofficial responses of “uh what?” So the reality is that this site is not what it says it is.
So what do we have so far..
- A site looking for you to fill out information
- A site looking for your information that is hosted in Sweeden
- A site that the INSCOM folks don’t seem to know about in initial contacts
- Skulduggery
It seems pretty evident to me that as Admiral Ackbar says “It’s a TRAP!” Can you say Phishing or at the very least “cutout” I think you can. Time will tell once I hear back from the .mil guys but really, do you all think the military would host their INSCOM Cyber Brigade site in Sweeden? Do you further think they would want to be hosting a site taking the future “cyber brigadiers” information there as well?
Hint.. If you said yes, you are doing it wrong… Time to get out of security.
Also, if I find out that indeed the military did set this site up in Sweeden… Well.. There you go, I am moving to the bomb shelter ASAP. Some OPSEC there huh?
OPSEC and SITUATIONAL AWARENESS
So many times I have railed about OPSEC and Situational Awareness on here but it seems some just don’t pay attention. As military, government, or INFOSEC workers should know, you have to pay attention to what you are doing and what is happening around you at all times. In the case of this site, it seems to be out there to gather intelligence about those out there who would like to join such an outfit. Your details could be something like where you are coming from in logs (site visits) to actually getting your email address, address, name, skill sets, etc.. Or hell just a CV out of you! Think about it, they don’t have to go through LinkedIn here! They just suck up the info that YOU give to them!
Easy peezy.
It would seem from the people who are already following the twitter acct, that some of you may already be looking at this site askance or you bought it hook line and sinker. One follower in particular has CIA and other intelligence community groups written all over her profile. To me that says either she is INCREDIBLY stupid or, it’s a cutout acct to further fool others into following the acct and lending credence to the site itself to those who aren’t smart enough to think critically.
Flies To Corpse Flowers
So, as this site is still up the flies will congregate to the cyber corpse flower. I wonder how many have already put their info in there… Actually it kinda reminds of of Project Viglio (Vigilo misspelled by the morons designing the logo) Remember that one post Defcon a couple years back? Yeah, bullshit sites and calls to action by who knows. People fall for stupid shit all the time and this is what the likes of China really want to have continue.
Yep, I said it.. China.
Oh no, there I go again.. Well, yes, China or maybe in this case Wikileaks? Or perhaps Anonymous? this site is fairly well put together on the surface so as to fool people but this is a common tactic out there. Put up a nice site and start harvesting data. In this case who would benefit from such a program? Who would want this data? Personally I think China would love to have the cyber warriors of the “future” already marked to watch no? This however is anyone’s guess at present but I had to put it out there.
In the end, this is a cautionary tale for you all out there. Pay attention to what you are re-tweeting and signing up for.
K.
CORRECTION: The server is not in fact located in Sweeden, it is instead in Scottsdale AZ
The server location does not change the issue at hand though. The site is a recent site that wants to take your information insecurely on a notoriously insecure hosting company’s servers. I am still waiting on INSCOM’s response from their publicity office on this but all of this has the hallmarks of being hinky and anyone in the INFOSEC world should have their ears pricked at seeing this.
Now, the companies listed are real, but this does not mean to me that they are involved nor had created the site. Remember, that the site was registered under a proxy service to who’s to know who’s site it really is.
Time will tell, and INSCOM will respond.
K.
FOLLOW UP: So, the site is legitimate though the source at INSCOM cannot fathom why they would be using Godaddy with an anon registry AND no SSL. As the email says, it’s sad but true. Sadder still, the reaction from Jeff Bardin about the whole thing (namely being childish)
—–Original Message—–
From: XXXXXXXX CPT MIL USA USINSCOM
[mailto:XXXXXXXXX]
Sent: Tuesday, March 13, 2012 9:47 AM
To: XXXXXXXXXX
Subject: RE: Phishing Site for INSCOM? (UNCLASSIFIED)
Mr. XXXXXX,
Well, the site is legitimate. I just got an email verifying it is being used
to recruit new civilian talent into the INSCOM Cyber Brigade. Why they are
using that system, I have no idea. Sad, but I guess that’s the way the Army
is going. Regardless, I appreciate your attention and concern to such
matters. Thank you.
XXXXXXXXX
So let’s recap, a site, registered under an anonymous proxy account was taking names and information in an insecure manner for jobs potentially at NSA for INSCOM. Anyone in this business should look at such a site and question it frankly, nevermind just re-tweet it out. As well, the Twitter account as well seemed hokey just like the site so this also makes one wonder about the site and the twitter account. Given recent events with the NATO Facebook thing, you would think that the question needs to be begged.
… And as the INSCOM guys says he isn’t sure why they are doing it the way they are and seems incredulous.
There you have it.
Pay attention to things and actually take the time to read what I am saying *looking at you Bardin*
K.
Krypt3ia 