Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Extortion Phish: Your Password is XXXX


I started seeing a pivot on the extortion phish plots that I reported on a while back. The new iteration of these exploits starts off with the simple statement that the extortionist knows your password, and it actually states that password in the first sentence of the email. The passwords I have seen have generally been ones the users actually do use at various places on the internet, and the users become very agitated and panicky when they get these emails. Thankfully, though, the majority in my environment have had training and report these to me, so I get to see them and work out who may be doing this.

I wanted to put this post out to let others know about this pivot in the attack and its use of fear-based psychology to get a knee-jerk reaction out of the marks, in hopes of getting them to cough up bitcoin. Of course, these demand a large sum, upward of three thousand dollars, which makes me wonder whether they actually have passwords or access to passwords from a dump somewhere, or whether these guys are just brazen in their attempts.

SAMPLE 1

I will directly come to the point. I know that XXXX is your pass word. More importantly, I’m aware about your secret and I’ve proof of your secret. You do not know me personally and no one employed me to look into you.

It’s just your bad luck that I found your misadventures. Actually, I installed a malware on the adult video clips (porn) and you visited this web site to have fun (you know what I mean). When you were watching videos, your browser started functioning as a Rdp (Remote desktop) with a key logger which gave me accessibility to your display and webcam. Right after that, my software collected every one of your contacts from your messenger, social networks, and email.

Next, I put in more time than I probably should have into your life and made a double display video. 1st part displays the video you were watching and second part shows the recording from your web cam (its you doing inappropriate things).

Frankly, I am willing to forget about you and let you get on with your regular life. And my goal is to offer you two options that may make it happen. Those two choices either to ignore this letter, or simply pay me $2900. Let us explore those 2 options in details.

Option 1 is to ignore this email message. Let’s see what is going to happen if you opt this path. I will definitely send out your video recording to all of your contacts including relatives, colleagues, and so forth. It won’t help you avoid the humiliation your self will feel when relatives and buddies uncover your dirty details from me.

Option 2 is to make the payment of $2900. We will call it my “privacy charges”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will erase the recording immediately. You move on with your routine life as though nothing ever occurred.

At this point you must be thinking, “I’ll just go to the cops”. Without a doubt, I’ve covered my steps to ensure that this mail can’t be traced to me also it won’t stop the evidence from destroying your daily life. I’m not looking to dig a hole in your pocket. I am just looking to get paid for the time I placed into investigating you. Let’s assume you have decided to create pretty much everything vanish entirely and pay me the confidentiality fee. You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoins” in search engine)

Required Amount: $2900
Receiving Bitcoin Address: 19aJnFC6UdNjiMRtP766hVsn7Wg4KXQHbZ
(It’s cASe sensitive, so copy and paste it)

Tell nobody what you should be utilizing the Bitcoins for or they might not give it to you. The method to obtain bitcoin can take a few days so do not wait.
I’ve a specific pixel in this e mail, and at this moment I know that you’ve read through this email. You now have 2 days to make the payment. If I do not get the BitCoins, I will send your video to all your contacts including family members, co-workers, and so on. You better come up with an excuse for friends and family before they find out. However, if I receive the payment, I will erase the video immediately. It is a non-negotiable one time offer, thus please do not ruin my personal time & yours. Your time has started.

SAMPLE 2

I will directly come to the point. I’m aware XXXXX is your password. More importantly, I do know about your secret and I have proof of your secret. You don’t know me and no one hired me to investigate you.

It is just your bad luck that I found your blunder. In fact, I actually placed a malware on the adult videos (pornographic material) and you visited this website to experience fun (you know what I mean). While you were watching video clips, your internet browser initiated operating as a Rdp (Remote control desktop) that has a keylogger which provided me accessibility to your display screen and also cam. Immediately after that, my software program obtained all your contacts from your messenger, facebook, and email.

After that I gave in much more time than I should’ve exploring into your life and generated a two screen video. First part shows the recording you had been viewing and second part shows the capture from your web camera (its you doing inappropriate things).

Frankly, I’m ready to forget about you and let you continue with your life. And I will present you two options which will accomplish this. The two option is to either ignore this letter, or perhaps pay me $3200. Let us explore above 2 options in more detail.

First Option is to ignore this e-mail. Let me tell you what is going to happen if you opt this path. I definitely will send out your video recording to your contacts including friends and family, co-workers, and so on. It doesn’t help you avoid the humiliation your household will must face when relatives and buddies find out your unpleasant videos from me.

Second Option is to make the payment of $3200. We will name it my “confidentiality tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will delete the recording immediately. You move on with your routine life as though nothing like this ever occurred.

Now you must be thinking, “I’ll just go to the cops”. Without a doubt, I have covered my steps to ensure this mail cannot be tracked returning to me and it will not stop the evidence from destroying your daily life. I am not trying to steal all your savings. I just want to be compensated for the time I placed into investigating you. Let’s hope you have decided to make all this go away and pay me the confidentiality fee. You’ll make the payment via Bitcoin (if you do not know how, type “how to buy bitcoins” in google)

Required Amount: $3200
Receiving Bitcoin Address: 1JE6Pxdb865yhxc92KfjypcaXHgdAJpdsZ
(It’s CASE sensitive, so copy and paste it carefully)

Tell no person what you should be sending the bitcoin for or they might not sell it to you. The procedure to have bitcoins will take a short time so do not delay.

I have a unique pixel within this e-mail, and now I know that you have read through this email. You have 24 hours in order to make the payment. If I don’t get the Bitcoin, I definitely will send out your video to all of your contacts including family members, co-workers, etc. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I’ll erase the video immediately. It’s a non-negotiable offer, thus kindly don’t ruin my personal time & yours. The clock is ticking.

SAMPLE 3

Let’s get straight to the point. I am aware XXXXXXX is your password. More to the point, I am aware about your secret and I have proof of it. You don’t know me and no one paid me to investigate you.

It is just your misfortune that I came across your bad deeds. Let me tell you, I setup a malware on the adult vids (pornography) and you visited this site to have fun (you know what I mean). While you were watching video clips, your web browser started operating as a Rdp (Remote desktop) with a keylogger which gave me access to your display screen and also webcam. Right after that, my software gathered your entire contacts from your messenger, social networks, and mailbox.

Next, I gave in much more hours than I should have exploring into your life and made a two view video. 1st part shows the recording you were watching and next part shows the capture of your cam (its you doing inappropriate things).

Honestly, I want to forget all information about you and allow you to get on with your regular life. And my goal is to present you two options that may accomplish this. These two choices are with the idea to ignore this letter, or perhaps pay me $2900. Let us investigate above 2 options in details.

Option 1 is to ignore this message. You should know what is going to happen if you select this path. I will definately send out your video to all of your contacts including members of your family, coworkers, and so on. It won’t help you avoid the humiliation your household will ought to feel when friends and family find out your dirty details from me.

Second Option is to make the payment of $2900. We’ll call it my “confidentiality tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will destroy the recording immediately. You keep your life that none of this ever happened.

At this point you must be thinking, “I should go to the cops”. Let me tell you, I’ve taken steps to ensure this email message can’t be tracked time for me plus it will not prevent the evidence from destroying your daily life. I am not planning to steal all your savings. I am just looking to get paid for time I put into investigating you. Let’s assume you’ve decided to create all of this disappear completely and pay me my confidentiality fee. You’ll make the payment by Bitcoins (if you do not know how, type “how to buy bitcoins” in google)

Required Amount: $2900
Bitcoin Address to Send to: 169rDGiiDxTKknBYgLPDq4sCQJjKgejkni
(It is case sensitive, so copy and paste it)

Tell no one what you should be utilising the Bitcoins for or they possibly will not sell it to you. The process to have bitcoin usually takes a short time so do not put it off.

I’ve a specific pixel in this email message, and at this moment I know that you have read through this email. You now have 24 hours in order to make the payment. If I don’t get the Bitcoin, I will send out your video to your entire contacts including members of your family, co-workers, etc. You better come up with an excuse for friends and family before they find out. Nevertheless, if I do get paid, I will erase the video immediately. It is a non-negotiable offer, so kindly don’t ruin my personal time and yours. The clock is ticking.

So, as you can see from the samples, the extortionist is hoping that you visit porn sites and that the password they provide as a bona fide is some iteration of, if not literally, your real password. If the passwords are in fact correct, it makes me wonder whether these were just good guesses on the part of the adversaries or whether they have access to a dump of some site common to all the users in question. I am currently investigating that, but suffice to say that either method would work, up to a point, to trigger the fight-or-flight response of the end user, right?

So, if the adversaries have access to a dump, I have to wonder which one it is. In the case of some of the information I got from users, I checked Have I Been Pwned and did not find anything from old dumps. So, if there is a leak somewhere, it is likely on some hacker site where these passwords are being offered up, and these guys decided to use them in this clever way. By sending these emails through open SMTP relays and expecting no response, with no links at all and no malware, these phish get through every time, bypassing the protections of filters, and by using sites like outlook.com they bypass any SPF settings one might have. It’s a smart tactic by an adversary intent on getting that bitcoin, really.
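The paragraph above mentions checking the cited passwords against Have I Been Pwned. As an added example (not the author’s code), here is the k-anonymity range lookup that service’s Pwned Passwords API uses: only the first five hex characters of the password’s SHA-1 hash leave the machine, and the response, lines of `HASH-SUFFIX:COUNT`, is matched locally, so a password quoted in one of these extortion emails can be checked without ever sending it anywhere. The range response below is constructed inline so the block runs offline; the `live_fetch` helper against the real `api.pwnedpasswords.com/range/` endpoint is included but not called.

```python
import hashlib

# Constructed stand-in for one range response (the real API returns the same
# "SUFFIX:COUNT" line format; these suffixes and counts are made up, except
# that the third line is the genuine SHA-1 suffix of the string "password").
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split into the 5-char prefix sent to the API
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} map."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the corpus (0 = not found).
    fetch_range(prefix) must return the raw text of the range response."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Constructed fetcher: only knows the range for the "password" prefix."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Network variant (not invoked in this example): GET the range by prefix."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url) as resp:  # assumes outbound HTTPS is allowed
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "z9!Qx-constructed-unique-phrase-2018"):
        print(pw, "->", breach_count(pw, offline_fetch))
```

Swapping `offline_fetch` for `live_fetch` turns this into a real check; the password itself, and even its full hash, never leaves the host.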

Where the emails fail is the amount they are asking for (nearly 3K), and this is where they tend to lose people, I think. Who’s got that kind of money as an office worker? So far the bitcoin wallets are all empty, and I suspect these guys are not going to be in the champagne room anytime soon thanks to my users, but other places may be different. Having an awareness program and interfacing with your employees is key to fighting this and other phishing schemes, and in my case it seems to be working, with users either just deleting the emails or sending them in.

I just have to wonder now what the next iteration will be. Will these guys up the ante and present more hacked info? Maybe some sample clips of these alleged movies as bona fides?

Hmmmm…

K.

UPDATE:

It seems the gambit has worked on some people. One of the bitcoin accounts has over 4 grand in it today. A second has just over 3K.

UPDATE 2:

The phish are coming from the Microsoft domain space for SMTP servers, so this is why they are not seen as spoofed. The email addresses are random names and, according to the searches I have performed, do not really exist. So, Microsoft needs to address where these are coming from and maybe seal up the SMTP relay hole they have.

Additionally, the random nature of the email addresses and the Outlook domain make it hard to track and block these with defenses that rely on heuristics like subject and sender names. This is a clever means of getting these to their targets by bypassing the controls in place, without a real remedy.
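Since sender names and subjects are random and the mail carries no links or attachments, what is left to match on is the body itself. As an added example (not the author’s code), the following scores a message body on the content indicators that all three samples in the post share, pulls out the demanded amount and the Bitcoin address, and Base58Check-validates that address so a mis-transcribed wallet is not sent to whoever is watching the wallets. The indicator regexes, the threshold of three hits and the benign comparison email are my own assumptions; `SAMPLE_1` quotes sentences from the post’s first sample.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH / P2SH) Bitcoin addresses.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def btc_checksum_ok(addr: str) -> bool:
    """Base58Check-validate a legacy address: 1 version + 20 hash160 + 4 checksum bytes."""
    if not 26 <= len(addr) <= 35 or any(c not in _B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + _B58.index(c)
    try:
        raw = n.to_bytes(25, "big")  # leading '1's decode to leading zero bytes
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


# Body-content indicators drawn from the three samples; deliberately no
# sender/subject heuristics, which random outlook.com senders defeat.
INDICATORS = {
    "claims_password":  re.compile(r"\b(is|was) your pass ?word\b", re.I),
    "malware_on_adult": re.compile(r"malware on the adult", re.I),
    "webcam_recording": re.compile(r"\bweb ?cam(era)?\b", re.I),
    "tracking_pixel":   re.compile(r"pixel (in|within) this e-? ?mail", re.I),
    "deadline":         re.compile(r"\b(\d+|two) (hours|days)\b", re.I),
    "bitcoin_demand":   re.compile(r"\bbitcoins?\b", re.I),
}
BTC_ADDR = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
AMOUNT = re.compile(r"\$\s?(\d[\d,]*)")


def analyze(body: str, threshold: int = 3) -> dict:
    """Score a message body and extract the wallet and amount it demands."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    m_addr = BTC_ADDR.search(body)
    m_amt = AMOUNT.search(body)
    addr = m_addr.group(0) if m_addr else None
    return {
        "indicators": hits,
        "score": len(hits),
        "btc_address": addr,
        "btc_checksum_ok": btc_checksum_ok(addr) if addr else False,
        "amount_usd": int(m_amt.group(1).replace(",", "")) if m_amt else None,
        # assumption: a wallet plus three or more indicators is treated as extortion
        "is_extortion": len(hits) >= threshold and addr is not None,
    }


# Sentences quoted from Sample 1 in the post.
SAMPLE_1 = """I will directly come to the point. I know that XXXX is your pass word.
Actually, I installed a malware on the adult video clips (porn) and you visited this web site to have fun.
When you were watching videos, your browser started functioning as a Rdp (Remote desktop) with a key logger which gave me accessibility to your display and webcam.
Those two choices either to ignore this letter, or simply pay me $2900.
Required Amount: $2900
Receiving Bitcoin Address: 19aJnFC6UdNjiMRtP766hVsn7Wg4KXQHbZ
(It's cASe sensitive, so copy and paste it)
I've a specific pixel in this e mail, and at this moment I know that you've read through this email. You now have 2 days to make the payment.
"""

# Constructed benign message that trips two indicators but has no wallet.
BENIGN = "Hi all, the webcam in conference room B is broken; facilities say it will be replaced in 2 days. Thanks."

if __name__ == "__main__":
    for label, body in (("sample 1", SAMPLE_1), ("benign", BENIGN)):
        print(label, analyze(body))
```

Wire `analyze` into a mail-flow hook or a SIEM parser and alert on `is_extortion`; the extracted address is also what you would feed to a block-explorer lookup to watch the wallet, as the post does in its updates.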

I fully expect another iteration of this to come along where they add some content or some other key to get the targets to react quickly to their demands and send them bitcoin.

ALSO, it seems that the passwords being cited in the extortion emails track to the LinkedIn password dump of 2016. It may in fact be a melange of dumps, but since these are being targeted at corporate email accounts, it makes sense that the adversary is cleverly using this dump.

UPDATE 3:

If my stats are right, the adversaries have now made approximately $185,499.50 in bitcoin from these phishing emails. I am checking the wallets again to ensure I have the right ones in all cases, but one of them has transactions.

Screenshot 2018-07-18_11-57-07

Written by Krypt3ia

2018/07/16 at 18:13

Posted in phish

Defeating Disinformation


This tweet came up in my feed this morning, and it got me thinking. There has been a lot of talk about how disrupting or denying the sources of disinformation could put a stop to it altogether. I, for one, have not been a proponent of strictly technical solutions to this, because they will never work fully; while you can play whack-a-mole with fake news or disinfo operations, it will always propagate among those who have the cognitive bias and dissonance. What I mean by that is that the mind virus that is fake news or disinformation is just that: those who are disposed to it will propagate it, if not create it out of whole cloth, for their own reasons, be they financial, cultural, or psychological.

It has been shown that if you give those predisposed to these narratives the truth once or twice, they do not come to the conclusion that the narratives are in fact falsehoods. In fact, the studies thus far have shown that you must repeatedly bombard those individuals with the truth (truth bombs, heh) until they actually accept it. So, unless you can force these individuals to accept “truth” via channels other than the disinformation feeds, you will have little luck in stopping the disinformation from doing its harm and being magnified by those predisposed to believe it.

So, what I am saying here is that, once again, the technology will not be able to stop the false narratives. The technologies of today, short of a truly Turing-compliant AI plugged into the internet as a whole, will not stop the disinformation, never mind the campaigns of falsehoods by the likes of an Alex Jones, because they will be passing them in email, on news sites, in site comments, in texts, in tweets, over the phone, over the air… everywhere possible. The reliance, or thought of reliance, on technologies alone to save us from this kind of warfare is patently naive. The psychology of why disinformation works, and how these things propagate WITH the technology, is where we need to focus. More so, we need to focus on the psychological aspects of how we might leverage technologies to get the truth into the right minds through repeated viewings; that is key. Alas, though, I fear that this is not what many in the technology space are considering; they are relying on algorithms instead of focusing on the animal behind the keyboard. Until we do this, I am afraid we are quite doomed to failure.

I also began to parse this tweet out a bit on the hacking versus the disinformation campaign. It is quite clear that the hacking and the dumps of information were at some level laced with disinformation, but the hack as a whole was not part of the GRU’s disinformation campaigns. While “not getting hacked” is a good start, the real problems came from other sources; in fact, when I looked at the DC Leaks material and the claims around it, I did come up with some gold: the data did not come from the Clinton Foundation but was from the DCCC and DNC only, contrary to what Guccifer 2.0 wanted people to believe.

So yeah, the hacked information surely added to the mix of disinformation out there, but it was not a main contributor to it. Overall, the problems of disinformation rely much more on the psychology of the tribes at play now, and the cognitive issues we have within them, than the hacking ever did. It turned out, at least in the Clinton campaign, that there was no real “there” there to latch onto and make her look even worse with an exposé of wrongdoings. The most we got was that they were treating Bernie poorly, but really, that was it.

Where were the Benghazi revelations?

Where were the revelations that she and others were running a pedophile ring out of a pizza parlor in DC?

Where was the absolute proof that Clinton had ordered the murders of a number of US citizens and in fact was funneling monies around to places like Panama?

Oh yeah, there were none, and this is the reason why the others out there, including the GRU and the SVR, were creating those narratives on Twitter, Reddit, and elsewhere, where those predisposed to that mental virus were living and ready to echo the message to others. When the day comes that we see a dump of information that has been tampered with in a way that can be shown forensically, then we can parse that out a bit and prove that a hacked database was the cause of disinformation, as some of the DC Leaks material tried to be. Other than that, the two roads do not meet in my book.

The technology is the amplifier but the humans behind the keyboard are the real engines here.

K.

Written by Krypt3ia

2018/07/16 at 16:58

Posted in .gov, .mil, 2016, 2018

2018 Krypt3ia Kryptos Crypto Challenge!


Ok kids, here it is. You may start now.

Why now?

Well, because it’s hard and no one has time during DEFCON.

Solve the puzzle and you’ll know what to do.

Good luck.

K.

Written by Krypt3ia

2018/06/27 at 13:24

Dear Paul! : The Curious Case of A Letter In A Cache of Files from Andrea Manafort’s Phone Dumped In The Darknet


The letter you see above was posted in a cache of pictures ostensibly from Andrea Manafort’s cell phone, which was hacked back in 2016. The pictures, which were checked for metadata to be sure, are in fact hers and contain quite a bit of visual information that I will not release here, including medical data, taxes, etc. The interesting bits, though, were alleged pictures/images of documents in Cyrillic and in English concerning a media company that was set up by Dmitry Firtash and others during Paul’s time working in Ukraine for Viktor Yanukovych. It was during this time that many assume Paul made connections like his second in command Kilimnik (GRU), all of which are becoming very important to the obstruction case against Donald J Trump, the 2016 election tampering by Russia, and Manafort’s centrality to it all.

The document above purports to be either a letter or an email, but it is impossible to tell because there are no headers and no way to determine which it is. In fact, this could be an outright fake. This is the caution I am making up front concerning this document in the dump with the rest. Not only is there no data in the page to tell what the source is, there is also no metadata at all to prove where it came from, so it could be a fabrication, but to what end and by whom, I wonder? As for the other documents in Cyrillic, they are checking out to be real, but they are also elsewhere on the net from other sources in Ukraine and can also be verified with the companies involved.


A map of companies comprising the flow of ownership and money concerning a media company set up in Ukraine

So some of this tracks as real, but the document at the top of the page is not found anywhere else that I could tell. So, is this disinfo? Was Andrea actually the one who had these files sent to her by someone? I suspect that “could” be the case, but once again it is impossible to know completely without metadata that is forensically viable enough to prove it. So, I would have to ask Andrea, or maybe someone in the media can, whether she has indeed seen these documents before and whether she was party to looking into what her father was up to at some point.

But wait… It gets more interesting…

Did you really read the document at the top of the post?

Lemme draw out some things…

Paying attention here? It’s subtle, but there seems to be some planning here and an intimation of criminal conduct with regard to the Ukrtelekom deal, don’t it? My only question now is who is JN? Anyone? Hmmm, JN? Oh well, the fact of the matter is that if this is real, there may be some ammunition that Mueller may have or want, along with those documents in Cyrillic. On the other side, this could be some Ukrainian hacker’s attempt to drive the narrative. Perhaps Andrea can enlighten us all on the provenance of those documents in the dump…

While she is at it, maybe someone should tell her also not to take pics of her insurance card and other very personal things… Ya know, cuz they may end up in the darknet…

The other documents are being translated so I will have more on them later.

Enjoy,

K.

Written by Krypt3ia

2018/06/19 at 15:42

Posted in Manafort

Who’s Ian Smirlis or Giannhs Smyrlhs and Why Were They Hosting and Domain Owner of cicada3301.org in 2015?


From Reddit /r/cicada3301:

  • On April 19, 2015, cicada3301.org went live, displaying the ASCII Cicada emblem seen in some of 3301’s tor sites and a countdown clock heading to August 17 2015, 10:33 AM, calibrated to the user’s clock. The metaheader of the countdown page reads “Willkommen” – ‘Welcome’ in German.
  • Upon reaching 0, most people report that the clock begins counting back up from 10:33 on August 17. (This is the case for this author.) It is unclear if this is intended or a default function of the basic countdown script used.
  • The index loads only for certain users – for those unable to view the index, see these screenshots. (imgur link)
  • Besides the index, there are four pages in the site’s navigation: an overview of the Gematria Primus, a description of the “technomystical” Cicadian order who hold 3301 sacred, the entire translated portion of the Liber Primus, and a description of Cicadian “broods” (which seem akin to congregations.)
  • No part of the site’s HTML or Javascript seems unusual in any significant way, though further investigation may yield some break on this front.
  • No PGP has been found anywhere on the site.

Lately I have been in a mood to look into the darker and deeper corners of the darknet, and one of the more interesting groups/puzzles/mysteries is the Cicada3301 group. While I was messing about with the Liber Primus and such, I decided to poke around cicada3301.org, which was a domain and site that popped up in 2015 and purported to be a part of the whole thing. It has been determined by Redditors that this is a fake site, not part of the official 3301; later on, in fact, 3301 said that all messages would be signed with a PGP key, and this site did not have it as far as I know. So this site is ostensibly just someone who is enamored with the whole thing or, maybe, someone affiliated. If you look at the site you can see some content that makes me wonder if they aren’t somehow a part of it. One of the things that I kinda key on is the whole “brood” discussion, but I could just be a bit crazy and not know when the term first came out in the public eye, after one of the solvers talked about how cicada3301 is alleged to work as a group, with “broods” of intelligent individuals working for the higher-ups doing… “things”…

Wayback cicada3301.org_1

Wayback Cicada3301.org_2

Anyway, having stumbled on the site because I have not been paying close attention all these years, I decided to take a look at it in Domain Tools, because the Redditors seem to lack an account on this service. What I was able to determine was that the site was originally started/owned by a guy named Ian Smirlis, or Giannhs Smyrlhs, out of Athens, Greece. Now, this is interesting, because once I started digging in on the names and the email address I started to find some odd things about our pal Ian.

Screenshot from 2018-06-15 16-21-13

Ian Smirlis is a kind of enigma on his own. Looking online for traces of the name, you only come up with a few hits, and what you get is, well, odd. For starters, one of the first hits is for a YouTube channel that he has out there. When you look at that channel you see five uploads and not much else. In fact, when you look closely, there is no bio page at all. Nothing else about this channel leads you to any further information about Ian. No favorites, no comments, no email address, nada. Now, if you look at the videos he has uploaded, the first one in the group turns out to be the most interesting of the lot, save for a weird interest in “The Elephant Man” that he has. The first video is called “SCIgen talk

The SCIgen talk is the story of three MIT students who “fooled the world of scientific journals” using a program called SCIgen, a paper generator intended to fool CFP judges and audiences. The video is really funny, and the article linked here is a good read. Clearly these MIT kids are tricksters, and it turns out that all three of them are now working in tech, with jobs that concern information security and encryption technologies. It certainly is funny to me that this Smirlis character, also in the software and engineering field, has their video as a direct upload to his pretty information-free YouTube channel.

Watch the video and see just how amused these guys were with pulling off the talks they did, with at least one audience member in attendance. However, ok, you might say, what do these guys have to do with Cicada3301 and this Smirlis guy’s alleged fake Cicada site? Well, if you look deeper at the article linked above about how these MIT guys fooled the establishment, there is mention at the bottom of the second gen of the SCIgen program, called SCIpher, that will steganographically hide messages in “innocuous scientific conference advertisements

ORLY?

Gee, aren’t there a lot of hidden messages in the whole Cicada3301 thing? Oh yeah, there are. In fact, to me this all seems to click a bit. I mean, these guys took on the scientific establishment and, well, they all have the chops to pull off a lot of what we have seen in the Cicada3301 arc, right? Also, what if a group of MIT students, not content to fool with the scientific community, decided to move on to bigger and better things by fucking with the “internet” with hidden messages and a story line to get some giggles? It does kinda sound like an MIT prank, to my mind.

…But back to Ian Smirlis…

The thing that keyed for me is that maybe this guy isn’t real, or that the name is an anagram. I spent some time on that idea, and so far he seems real enough but still kinda sketch. The other name on the domain registry definitely turns up even less on the net. Giannhs Smyrlhs has a Google+ page and not much else on the Goog. He has some followers, and I went down that rabbit hole a while and decided it was chaff.

Alrighty then Giannhs…

So, what am I left with here? Well, I find it interesting that these characters are so sketch, and that but for a fuck-up on the domain reg, the site would have remained anonymous unless you pay Domain Tools a chunk of dough for the service to look at historical WHOIS.

TAKE THAT GDPR!

The connections with the MIT guys and the whole SCIpher and SCIgen thing also kinda make me wonder. Also, the fact that there is so much mythos around the cicada in Greek history kinda makes me wonder too. See for yourselves if you feel like reading up:

Cicadas in Ancient Greece: Orkin

Cicada Mythology: Wikipedia

All of it is interesting to say the least. Whoever Smirlis is, whatever he is up to, he is pretty serious about Cicada3301 at the very least. Now with these other clues, I just wonder if he is somehow involved or has some knowledge and is tipping the hat ever so subtly to the MIT guys on this one…

Just something to make you go HMMMMMMMMMM….

K.

UPDATE: I got an email from Ian, and well, he says he has nothing to do with Cicada3301; he was only interested in it and wanted his information taken down. I have smudged out his personal info from the WHOIS image, but the post stands.

K.

UPDATE 2: So I was in the darknet looking at Hunchly’s scrape of URLs and came across the following address: http://honmnaapxzpk2rg7.onion/blogs/3301.html. On there, I see at the bottom of the page something interesting…

Screenshot from 2018-06-26 09-40-00

Whaaaaat? Some rando guy in the darknet is saying that 3301 is really a group of MIT students who wanted to play with people and ciphers…

NO. WAY.

UPDATE 3: Sooooo, it turns out the snippet I found in the darknet parallels a post on Reddit from two years ago by someone named “Dave”. The post was made on Reddit 1/7/17 and was deleted soon after (comments are here).

Screenshot from 2018-06-26 10-15-59

So what Dave is saying here in 2017 is that Cicada was 4 guys from MIT who decided to troll the internet and it got outta hand. Gee, why does that sound familiar? Oh yeah, I said as much by looking into this fake Cicada site and the links to the three MIT guys’ video that Smirlis uploaded.

Please note that I came to this independently and am now finding out more by looking at links sent to me by Switch’d on Twitter. It is also interesting that Smirlis posted the link to the video of the MIT students’ troll in 2014.

Screenshot from 2018-06-26 10-26-13

Does this mean Smirlis knows something, or was he making a guess? Does it mean that he is “Dave”?? It is amusing to see all the comments where people are like “NO WAY MAN, THIS IS ILLUMINATI LEVEL SHIT!”

But wait, now, can anyone confirm the vulnerabilities that Dave speaks of in the pages that they put up? Also, it makes TOTES sense that they would use a VM for all this, and that when it all gets out of hand they back off.

All I have to say is that this is all rather interesting, especially since we have not seen the Cicada for a while. Oh, and yeah, in traversing the players here I also came across a connection’s DeviantArt page, and her drawings look kinda like the same hand that made the grand grimoire “Liber Primus”, so there is that too.

What do you guys think? I already know the Redditors thought rather little of my last post…

Evidence kinda mounts.

HEY DAVE! SPEAK TO ME!

K.

Written by Krypt3ia

2018/06/16 at 12:38

Posted in Uncategorized

Supernotes and Poorly Cloned Darknet Sites


I was on safari in the darknet this morning and I came across the site above. The address is druglixdfcb3gda3.onion and, as you can see, it proclaims it is selling supernotes of American currency. Of course this is always of interest to me, and they are making claims about printing specs and things that sound right. However, when you look closer at the site you see that it is not quite finished. It has some lorem ipsum text in there, and it also has a lot of broken image links, so you get no sample images at all even though they are linking to them.


They even have testimonials! Yet they don’t work either. Now, what got my interest was the bottom there, where the site is claiming that you can contact them using the information below. Which, well, is all clearnet addressing and contains a physical address in Italy as well as a domain and email address in the UK! I had to look twice there to make sure I wasn’t seeing things. So I began looking more closely at the code and pulled up the information on the domain that they listed with a contact email of contact@andia.co.uk.

Once I pulled up DomainTools, I saw that the domain has been around since 2014 and has not changed hands. I did some looking on the Wayback Machine and saw that there really never has been a site, and that the names attached to the firm were a couple of guys in London, which matched the address in the domain data. I then looked up these guys and found some interesting congruences. Andia LTD has been dissolved as of 2016 and, dig this, one of these guys is a specialist in “bank fraud”.

*blink blink*


So, um, how coincidental is it that this domain of a dissolved company of a couple of thirty-somethings in the UK has one that is a specialist in banking and fraud? Hmmmmm… Well, it goes down the rabbit hole pretty quickly and I was thinking OK! I am on to something here, but then I started to look at the code some more… It turns out that if you start to Google the code and keywords on the page you get a LOT of hits elsewhere. This darknet site was using code from a free template created by this guy Anli Zaimi, who has a bunch of these templates. So, was this all just for naught? I mean, there are a lot of sites that seem really really sketch using his template, and many do not bother to redact the contact details that he put in there.

Also, since this domain is real (andia.co.uk), how does that fit in? Then there is the whole thing with the banking connection and failed businesses. I am left scratching my head a little here. I mean, who puts up a forger’s site so poorly in the darknet? OK ok ok, the darknet really is the Geoshitties of the 2000s, right? So yeah, some nitwit just flung this hapless piece of shit up there…

But…

This site has been around a while. Why? No changes? Static and just bad.


Oh well… I even did the due diligence and emailed the contact address, and it bounced, so, it ain’t there. I guess in the end it just shows you that the darknet is a garbage heap full of the strangest detritus. I did learn one thing though: this guy’s template is the go-to for scammers, it seems.

It’s just that most of them are so code-illiterate that they don’t take out the dummy data, and so leave a long trail on Google.
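The template-residue check described above, as an added example that is not part of the original post: given a mirrored copy of a page like the supernotes site, pull out the signs that the operator never finished customising a free template (lorem ipsum filler, image links whose targets are missing from the mirror, and the contact emails, domains and template credits that can be pivoted on with WHOIS, the Wayback Machine or a web search). The sample HTML, the mirror file list, the template credit comment and the regexes are all constructed for this example and are assumptions, not the real site’s code.

```python
"""Template-residue scan for a mirrored darknet page (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample page, modelled on an unfinished free template:
# leftover credit comment, lorem ipsum, one missing image, one clearnet image,
# and contact details that were never replaced.
SAMPLE_HTML = """
<!-- Template by Example Designer - http://templates.example/ -->
<html><head><title>Supernotes</title></head><body>
<h1>Premium USD Supernotes</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>
<img src="images/sample-100.jpg" alt="$100 sample">
<img src="images/sample-50.jpg" alt="$50 sample">
<img src="http://templates.example/img/logo.png" alt="logo">
<div class="testimonial">Lorem ipsum dolor sit amet.</div>
<p>Contact: <a href="mailto:contact@andia.co.uk">contact@andia.co.uk</a>
   or info@templates.example, Via Roma 1, Italy</p>
</body></html>
"""

# Files actually present in the mirror directory (constructed; in practice
# build this set with os.walk over the wget/HTTrack output).
MIRROR_FILES = {"index.html", "images/sample-100.jpg"}

LOREM_RE = re.compile(r"lorem\s+ipsum", re.I)
IMG_SRC_RE = re.compile(r"<img\b[^>]*?\bsrc=[\"']([^\"']+)[\"']", re.I)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def lorem_count(html):
    """How many blocks of placeholder filler survived."""
    return len(LOREM_RE.findall(html))


def broken_images(html, mirror_files):
    """Split <img> sources into relative links missing from the mirror and
    absolute (clearnet) links. The latter are a finding in their own right:
    a hidden service that loads assets from the clearnet leaks its template
    origin and gives visitors an off-Tor fetch to worry about."""
    missing, external = [], []
    for src in IMG_SRC_RE.findall(html):
        if urlsplit(src).scheme:
            external.append(src)
        elif src not in mirror_files:
            missing.append(src)
    return missing, external


def pivots(html):
    """Contact identifiers and template credits worth searching on."""
    emails = sorted(set(EMAIL_RE.findall(html)))
    domains = sorted({e.split("@", 1)[1].lower() for e in emails})
    credits = [c.strip() for c in COMMENT_RE.findall(html) if "template" in c.lower()]
    return {"emails": emails, "domains": domains, "credits": credits}


def scan(html, mirror_files):
    """Full residue report for one mirrored page."""
    missing, external = broken_images(html, mirror_files)
    report = {"lorem_ipsum": lorem_count(html),
              "missing_images": missing,
              "external_images": external}
    report.update(pivots(html))
    return report


if __name__ == "__main__":
    for key, value in scan(SAMPLE_HTML, MIRROR_FILES).items():
        print(f"{key}: {value}")
```

The emails and template credit are the search pivots: a credit string or an unchanged contact address that turns up on dozens of other sites is what separates a template artefact from a real operator identifier, which is exactly the trap the andia.co.uk address set here.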

K.

Written by Krypt3ia

2018/06/15 at 17:28

Posted in DARKNET, Forgery

USA Really: New IRA Troll Farm Site and Twitter Account


So this morning I saw a tweet come across the feed by RVAWonk proclaiming that the IRA was back with a new site, and the fuckery was pretty much just naked on their part. In the article she goes over the salient technical details of the site and the accounts. It also links to another nice post that does a bit more in that area, and I recommend you all read that too. However, I took a bit of a deeper dive looking at the site itself and its code, as well as doing some Maltego mapping of it and the Twitter account. My overall take on all of that is pretty much “meh” … What really intrigues me, and has been bothering me for some time now, is that everyone is busy mapping all this shit, but the fact of the matter is that mapping does not stop the cognitive dissonance that the Russians are playing on to win this game.

The Russians here are basically at a point where they aren’t even trying to hide the fact that the site is a Russian propaganda/disinformation effort, and this is the important fact we all seem to be missing in this community. This shit works, and even though most people do not have the technical ability to look deeper into the code and the domains, it is pretty plain when you look at the site itself, where they use Cyrillic and Russian in their image names and such, that it is in fact a Russian operation.
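The Cyrillic-in-the-asset-names tell mentioned above, as an added example that is not part of the original post or of anyone’s analysis of the site: scan the <img> tags of a mirrored page for Cyrillic letters in filenames or alt text. Filenames in HTML are usually percent-encoded, so a plain grep for Cyrillic misses them; each value is decoded first and its Unicode script is taken from the character name. The sample HTML is constructed for this example and is an assumption, not markup from the site.

```python
"""Flag non-Latin script in a page's image names and alt text (added example)."""
import re
import unicodedata
from urllib.parse import unquote

# Constructed sample markup: one plain asset, one percent-encoded Cyrillic
# filename, one raw Cyrillic filename, and Cyrillic alt text on a Latin filename.
SAMPLE_HTML = """
<img src="/wp-content/uploads/2018/06/flag.jpg" alt="flag">
<img src="/wp-content/uploads/2018/06/%D1%84%D0%BE%D1%82%D0%BE1.jpg" alt="photo">
<img src="/uploads/баннер.png" alt="banner">
<img src="/uploads/header.png" alt="Главная">
"""

IMG_RE = re.compile(r"<img\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"\b(src|alt)\s*=\s*[\"']([^\"']*)[\"']", re.I)


def scripts_in(text):
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) of the letters in text,
    read off the first word of each character's Unicode name."""
    found = set()
    for ch in text:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "").split(" ", 1)[0])
    return found


def flag_foreign_assets(html, script="CYRILLIC"):
    """Return (decoded_src, attribute, decoded_value) for every <img> whose
    src or alt contains letters of the given script. Percent-encoding is
    removed before the check so '%D1%84...' is seen as the Cyrillic it is."""
    hits = []
    for attrs in IMG_RE.findall(html):
        values = {k.lower(): unquote(v) for k, v in ATTR_RE.findall(attrs)}
        for attr in ("src", "alt"):
            val = values.get(attr, "")
            if script in scripts_in(val):
                hits.append((values.get("src", ""), attr, val))
    return hits


if __name__ == "__main__":
    for src, attr, val in flag_foreign_assets(SAMPLE_HTML):
        print(f"{attr}={val!r} in {src}")
```

Run over a whole mirror this is a quick first pass; a handful of Cyrillic filenames is a weak signal on its own (stock photos get reused), but a CMS upload directory full of them is the kind of plain-sight evidence the post is talking about.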

We will all likely go down the rabbit hole on how many followers they have on Twitter and who they follow. We will collate all the data and sift it and parse it all to put out reports on how they did this. My problem though is that we can investigate the shit out of this all we want, but unless we come up with strategies to deny, degrade, or destroy the content, it will reach those tribalists out there who want it and the damage of 2016 will continue on unabated. What’s even more galling here is that the Russians have basically pulled a Babe Ruth by announcing this site and putting it out there so flagrantly, with Cyrillic in it and on domains owned by a Russian domain hosting service. In reality they just gave us the bird, and we are now going to just have to sit by and watch as they inflame the Trumpists to hopefully affect the midterms with this crap.


Of course maybe Twitter will catch on here and swat this account offline? You hear me Jack? … *tap tap* this thing on?


Oh well, so there’s a new site and it seems they have also employed an SEO firm in there as well. The site has a lot of means to track posts, likes, geolocations etc. I have mirrored the whole site and am still poking through the code. The SEO firm is a new old site too, with an anonymous domain registration back in April of this year that is likely also the Russians’ doing. I am sure many in the community will keep an eye on it as we go along, so someone will eventually write about this too, with rapt verbiage, not really doing anything about the problem.


So here’s my thing: we are all spending all this time nattering on about it, but what can we do to stop such propaganda sites and Twitter accounts from spreading the mind virus? If we cannot stop them, how can we inoculate the general public against the effects of such mental plagues? These are the questions we should be asking and I just don’t hear it happening. I know that it is a rich and difficult problem dealing with the psyche and cognitive dissonance, but we really need to lay off all the technobabble and focus on real solutions. Solutions that concern the human animal, not the technology, kids. The Russians already know this and they are leveraging it. I mean, how much more blatant do they have to be? How about they just post billboards now in Cyrillic for Trump in all those Trump states?

Focus people.

K.

Written by Krypt3ia

2018/06/06 at 13:38