Friday, September 22, 2017
Tag: WHOIS


Two Tickets as Bait

Over the previous weekend, social networks were hit with a wave of posts that falsely claimed that major airlines were giving away tickets for free. Users from all over the world became involved in this: they published posts that mentioned Emirates, Air France, Aeroflot, S7 Airline, Eva Air, Turkish Airlines, Air Asia, Air India, and other companies.
PayPal, CloudFlare, Shaw, and Whois “are involved” in attacks, Twitch claims.
He registered domains years ago, leaving personal data exposed—like lots of people.
This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab participated in the forensic analysis, discovering the use of PowerShell scripts within the Windows registry.

Additionally, it was discovered that the NETSH utility was used for tunnelling traffic from the victim’s host to the attacker’s C2.
Maltego, the tool best known for deep data mining and link analysis, has helped law enforcement, intelligence agencies and others in security-related work since it was released in 2008.

To benefit from using Maltego, come to SAS 2017 for intensive Digital Intelligence Gathering training from the experts who created the tool from scratch: there won’t be any questions that they can’t answer.
I received the following “domain abuse notice” for one of my inactive registered domains last week: Those of us who have dealt with falsely blacklisted domains in the past have seen notices like this before.
It’s usually from an antispam vendor or service letting you know that your domain has been used in a spam attack—and they’re going to put you on one or more mailing blacklists until you resolve the problem. I hate spam blacklists.

Although well intentioned, they tend to be reports on false positives rather than domains used to send spam. Lately, antispam services and products have become quite good, and it’s a rarity for me to get these types of reports, false or not. Plus, I bought this particular name a few months ago, and it has remained completely inactive in that time. Still, I wasn’t sure whether this was a malicious email or an overly aggressive sales tactic.

To add to my confusion, I had received junk mail last week in the name of the same inactive domain.

Although I didn’t expect unsolicited junk mail, my name and personal home address can be found through any domain lookup service. Many companies and services look for newly registered domains and start sending spam or junk mail from there. Most domain registrars allow anyone to register pseudo-anonymously for that reason, though they usually charge an additional fee. I have to say, at least for a few seconds, I mostly believed the claims when I first read the email.

The domain name, domaincop.net, sounds legit enough.

The complaint is familiar.
Initially I wondered how the spammer started using my domain name to send spam—and why this particular service didn’t pick up on the fact that my domain lacked a mail exchange DNS record. I even briefly contemplated letting the domain stay blacklisted—I wasn’t using it, and I could always start unblacklisting it if I changed my mind.

But I decided that taking care of it now would make my life easier than letting whatever damage it caused stay and spread over time.

Blacklisting, if legitimate, can be a real pain to clean up. I needed to find out whether the service and the email were real or a scam.
I first looked at the country code of the telephone number provided in the email that supposedly led to domaincop.net.

A quick internet search revealed that the country code did not exist.

That’s a big ding against a potentially legitimate service and almost certainly, by itself, disqualifies the email.

But who knows? Perhaps the “139” was a telephone area code instead of a country code.
I kept exploring. Next, I placed my cursor over the two links listed in the email.
I love that most desktop browsers (though not all mobile browsers) will show the real link underlying the reported text before you commit to clicking on it.

As you can see below, the link reported back to www.domaincop.net, but it ended in “kerouac-judgments.” The name of a famous Beat poet and novelist did not bode well. Randomly picking words from an English dictionary is a common tactic used by phishers and spammers to bypass antiphishing and antispamming software and services. More than likely, those two randomly chosen English words were unique for my copy of the spam email and would help identify that my email address was valid if I clicked on it, which would lead to more spam and phishing emails. Next, I typed domaincop.net into a Whois query.
It returned the following information: The Whois return is full of red flags, including the “clientHold” status and the fact that the domain was created on the same day as the email was sent to me.

The clientHold status is not common on legitimate domains and essentially means enough people have complained that this domain was put on ice.

That’s enough evidence to officially call this email bogus. I did more internet searches on the domaincop.net email and came up with plenty of people who got similar messages.

After doing some research, I reached the same conclusion.

The malicious domain was put up and taken down in a few hours—gotta love the internet. Check out these related reports.

The latter link contains dozens of useful links for doing your own investigations. As an additional precaution, I called my domain registrar to inform them of the ongoing spam campaign.

They already knew what I was talking about and were on top of it.

Lessons learned

What did I learn? Maybe the additional privacy services during domain registration are worthwhile. Also, I’m glad my first personal experience with this sort of domain phishing was so easy to detect.
If the phisher had created a more authentic-looking email with fewer red flags, I might have fallen for it—although had I clicked on the link, it would have likely tried to get me to download malicious files, which I never would have done. You should always do a little investigating before blindly clicking on any email that claims to be helping you. I’m glad I did.
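As an added illustration (not code from the original post), a small WHOIS triage routine that checks for the two signals called out above: a clientHold status and a creation date on or near the day the notice arrived. The record it parses is a constructed sample, not domaincop.net's actual WHOIS output.

```python
"""Flag WHOIS red flags on a domain named in a 'domain abuse notice'.

Constructed example: the sample record below is made up and uses a
reserved .test name; it is not the real WHOIS output of any domain.
"""
import re
from datetime import date, datetime

# Constructed sample in the common "Key: Value" WHOIS layout.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-NOTICE.TEST
Registry Domain ID: D0000000-TEST
Creation Date: 2016-10-03T14:22:17Z
Updated Date: 2016-10-03T14:22:17Z
Registry Expiry Date: 2017-10-03T14:22:17Z
Domain Status: clientHold https://icann.org/epp#clientHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-NOTICE.TEST
"""


def parse_whois(text):
    """Return a dict mapping lower-cased field names to lists of values.

    A field may repeat (Domain Status usually does), so every value is kept.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        fields.setdefault(key, []).append(value)
    return fields


def creation_date(fields):
    """Parse the first Creation Date value; registries vary in date format."""
    for raw in fields.get("creation date", []):
        for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y"):
            try:
                return datetime.strptime(raw, fmt).date()
            except ValueError:
                continue
    return None


def epp_statuses(fields):
    """EPP status codes with the trailing ICANN explanation URL stripped."""
    return {v.split()[0].lower() for v in fields.get("domain status", []) if v}


def triage(text, received_on, young_days=30):
    """Return a list of red-flag descriptions for a WHOIS record.

    received_on is the date the notice arrived; an empty list means
    neither of the signals discussed above was present.
    """
    fields = parse_whois(text)
    flags = []

    # clientHold means the registrar has pulled the domain out of DNS,
    # typically after abuse complaints; rare on a legitimate service.
    if "clienthold" in epp_statuses(fields):
        flags.append("status clientHold")

    created = creation_date(fields)
    if created is None:
        flags.append("no parseable creation date")
    else:
        age = (received_on - created).days
        if age < 0:
            flags.append("creation date is after the notice date")
        elif age == 0:
            flags.append("domain created the same day the notice arrived")
        elif age <= young_days:
            flags.append(f"domain only {age} days old")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_WHOIS, date(2016, 10, 3)):
        print("RED FLAG:", flag)
```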
95 per cent of the 650,000 messages not relevant

Analysis

Since igniting a political firestorm and triggering major changes in US presidential voting intentions by revealing some emails passing through Hillary Clinton's private email server had been found in an unrelated criminal investigation, the FBI has gone to ground. The US criminal investigation bureau has repeatedly refused to answer basic media questions about simple and long-established computer forensic procedures. But the math, based on detailed information previously released by the FBI, points to the conclusion that the agency will have known by Monday morning exactly how many emails found in a laptop computer seized a month ago from disgraced former New York Congressman Anthony Weiner had come from, gone to, or been copied on from the Clinton server, and how many, if any, could contain possibly classified information not already checked. The agency appears to have pushed a completely misleading number out to US media outlets, suggesting that 650,000 emails had to be checked. Comey told Congress: "The FBI cannot yet assess whether or not this material may be significant.
I cannot predict how long it will take to complete this additional work." But the FBI did not point out that of the 650,000 emails mentioned to the US media, 95 per cent could not possibly be relevant. Comey's letter to Congressional leaders, which started the whole debacle, explained that the agency could not officially look at or report on the emails without obtaining a specific new warrant.

The letter implicitly acknowledged that the agency already had copies of all the mails on its computer systems (which would normally automatically have been indexed by forensic software), bringing the Clinton connection to light. To find out how many emails on the laptop were relevant would have taken "seconds", according to e-discovery software industry experts.

To then find out how many of those – if any – the FBI had not seen in its previous investigation would, at most, have taken "minutes." Standard methods are to take and match cryptographic hashes of email files (which proves the email files identical, if the hashes match), or to match metadata and then textual content. The FBI's previous, year-long investigation into the private Clinton server finished in July, when director James B Comey reported that: "We cannot find a case that would support bringing criminal charges." As only 110 of 30,490 official emails previously examined by the FBI were found to contain classified government information, the number of previously unseen mails that had strayed onto Weiner's laptop is likely to range from zero to a few tens.

How the mess began

The laptop at the heart of the election controversy was seized on October 3 from former Congressman Weiner after a then-15-year-old girl from North Carolina had complained of sexting.

The alleged victim, now 16, has now complained vociferously that Comey had irresponsibly forced her identity into the open, exposed her to continual and continuing media harassment, and caused the abuse to continue. "You have assisted him in further victimizing me on every news outlet.
I can only assume that you saw an opportunity for political propaganda," she said. Standard forensic procedure for e-discovery in civil and criminal investigations is to make a certifiable digital copy of all media immediately after getting access, and immediately to analyse and index the contents, including buried metadata and email attachments. The software utilised in these investigations is used to handling and sifting big data, scaling up to tens of millions of files.

The global e-discovery market in software systems and services is now worth an estimated $1bn, with many companies offering sophisticated email analysis add-on systems to spot, map, network and visualise chaining, duplicates, and to provide searchable indexes. The FBI have long been leaders in this business.

As revealed by Edward Snowden, the FBI has been operating the PRISM and other systems for over ten years from its Digital Intercept Technology Unit (DITU) at its sprawling Quantico, Virginia base.

The unit annually "ingests" and analyses billions of emails intercepted from US optical fibre cables or passed on by telecommunications operators.

The critical part of the system's front end, obviously, is to spot email addresses associated with intelligence targets. But when it came to the debate, the agency's computer teams had apparently regressed to the digital stone age. The New York Times reported: "The FBI needed custom software to allow them to read Mr Weiner's emails without viewing hers.

But building that program took two weeks." Industry experts used to massive email searches in large civil cases have been scathing about the idea that the FBI's job is difficult with modern tools. Linda Sharp of ZL Technologies said: "In the scheme of e-discovery, 60,000 documents is nothing. We're used to seeing documents in the tens of millions of documents, terabytes of data." Even if you read every email, "we're not talking about a lot. 60,000 is nothing." Journalists have also become users of high-end e-discovery software to handle document dumps in recent high profile reports, such as the Panama Papers and Offshoreleaks investigations (Duncan worked as the data manager for the Offshoreleaks project of the International Consortium of Investigative Journalists).
In the Offshoreleaks investigation in 2013, two million emails were analysed and catalogued, and made available to international journalism teams on a secure server.

To find all emails from a domain takes seconds, once the gruntwork of indexing is complete – which had previously been done for Weiner's computer, to look for sexting evidence. Standard WHOIS registry records show that the clintonemail.com domain was registered on 13 January 2009.
She turned down the opportunity to use a standard state.gov address, and corresponded throughout her term of office as hdr22@clintonemail.com. In 2009, Clinton appointed Huma Abedin as deputy chief of staff at the State Department.
In 2010, Abedin married Weiner.

They separated this past August.

Abedin then became vice chairwoman of Hillary Clinton's 2016 Presidential campaign.

Apart from communicating with Clinton on her email, Abedin and another aide also had personal accounts on the Clinton server. The implication of the FBI's October findings is that Abedin communicated with her husband from the clintonemail domain, or copied him some of her boss's email, or even that he lifted and copied them in a domestic setting. Whichever happened, or all of them, finding those emails on Weiner's laptop will have been forensically trivial, as all will contain the unique string "clintonemail." Google it and you get it, in seconds. Republicans have form for making fundamental forensic errors in reporting on email data in the Clinton investigation.
In 2015, it was claimed that she had a second "secret" address on the server.
In fact, it was a new address she used after being Secretary of State.

Phoney numbers

Asked by The Reg if they agreed that as their own investigation into Clinton reported that there were 62,320 emails handled on the clintonemail.com domain during her term in office as Secretary of State, and that they had already checked 30,490 of those handed over by her lawyers as being official, 90 per cent must be irrelevant – an FBI spokesman refused comment. The Reg asked how long it had taken them to filter the emails to select only Clinton mails, and how many had actually been found. "No comment." Do the math.

The FBI have already seen nearly half of the emails handled by the server.

The balance of emails deemed private by Clinton's lawyers is 32,740.

Even if, implausibly, the entire contents of the Clinton server had been copied to Abedin, and then on to Weiner, it is obvious that 95 per cent of the Weiner emails could not be relevant.

Commonly, two such troves contain many sets of multiple copies of the same emails, made automatically by backup and other processes. Oregon Senator Ron Wyden, a longstanding critic of FBI and NSA electronic mass surveillance, told The Reg that the FBI's "continuing leadership failures" underscore the "need for independent oversight" on surveillance, and reflected a "pattern of poor judgment" by the FBI's director. The US media have been full of hyperbole about how no effort has been spared by the FBI in its efforts to break the butterfly on their wheel.

They would "spare no resources," are working "round the clock" on "16-hour shifts," developing "new software" for the taxing task. In an internal FBI message reported by NBC, Comey is said to have told agents that it would "be misleading to the American people were we not to supplement the record.

At the same time, however, given that we don't know the significance of this newly discovered collection of emails, I don't want to create a misleading impression", he added.
Indeed. ®
New Internet Data Sets, Monitoring, and Project Features Yield Greater Context Into Attackers’ Infrastructure

SAN FRANCISCO and LONDON, UK – November 1, 2016 – RiskIQ, the leader in external threat management, today announced major enhancements coming to RiskIQ PassiveTotal, its world-class threat investigation platform.

The enhancements will enable security teams to better address the massive increase in web, social, and mobile cyber threats. New features will simplify and accelerate incident investigation processes, provide external context to security alerts, and reveal threat infrastructure so organizations can accurately understand, triage, and mitigate incidents. Using RiskIQ PassiveTotal, security teams have access to the largest number of internet data sets in a single platform, allowing them to work faster and more intelligently.
In a recent survey of over 400 PassiveTotal customers, 100% of respondents said they save at least 1-3 hours a week researching threats. "PassiveTotal gives our security research team access to the most critical data sets necessary to investigate and connect threat infrastructure, all without leaving the platform," said Irena Damsky, senior director of security research at ThreatSTOP. "The intuitive new project capability and real-time alerts on infrastructure and threat elements that we're investigating make it easier for our team to continuously monitor and detect new and advanced threats." RiskIQ is recognized as a leader and received the highest score for the current offering category in The Forrester Wave™: Digital Risk Monitoring, Q3 2016. RiskIQ views threat infrastructure analysis as a core tenet of a complete DRM program.

The report put the C-suite on notice that they must address threats beyond the firewall as part of a complete security program, or “remain susceptible to a wide variety of brand, cyber, and physical risk events.” Organizations must be able to analyze and correlate the most thorough data sets available across web, social, and mobile in order to reduce their digital risk; a task made easy by PassiveTotal. With the latest release, PassiveTotal continues to strengthen RiskIQ’s platform, which uniquely combines publicly available and proprietary data sets with predictive analytics to automate the investigation processes and keep pace with the shifting threat landscape. Rather than attempt to assemble, learn, and use a myriad of tools, PassiveTotal offers an end to end platform.
Security analysts can readily pivot between extensive data sets to intelligently surface seemingly unrelated threat infrastructure to get ahead of attackers and prevent their next moves.

As a result, security staff can reduce the time to understand new threats, speed up investigations, and more effectively remediate incidents. “Organizations are moving business-critical resources from behind the protection of firewalls to the internet to enhance customer engagement and gain operational efficiency.

This exposes the company and its customers to organized threat actors and advanced persistent threats beyond conventional layered defenses,” said Arian Evans, VP of product strategy at RiskIQ. “The good news for defenders is that we can show them the muddy footprints in cyberspace to help proactively address new threats and block impending attacks before they happen.”

Key enhancements in PassiveTotal allow analysts and security teams to:

- Predict threats forming on the internet: New monitoring capability in PassiveTotal provides analysts and threat investigators with proactive notification of changes on infrastructure they’re watching or interested in, as well as the ability to set notifications on new data sets such as SSL certificate details, current and historical WHOIS registrant information, and more.
- Investigate infrastructure used to launch attacks: Automatically aggregate and correlate data from passive DNS, email, SSL certificates, host pairs, web trackers, WHOIS, and comprehensive web crawling, to provide context about security events that would otherwise take an analyst days or hours of manual analysis. With the newly designed user interface, users can narrow investigations and only highlight infrastructure changes and resolutions to a specific timeframe.
- Defend internet-exposed assets from attackers: Enable cyber defense project management by grouping similar infrastructure and investigation elements into sharable projects, making it easier to collaborate with other analysts and researchers. Organize responders to uncover and proactively block hidden facets of attacker infrastructure and set monitors to be made aware of new or changed infrastructure elements that may target a brand for reputation hijacking, phishing, or other malicious activity.

The new release of PassiveTotal is currently in beta and will be generally available in the coming weeks.

For more information about PassiveTotal and to sign up for free, visit www.riskiq.com/whats-new-passivetotal.

About RiskIQ

RiskIQ is a cybersecurity company that helps organizations discover and protect their external-facing known, unknown, and third-party web, mobile, and social assets.

The company’s External Threat Management platform combines a worldwide proxy and sensor network with synthetic clients that emulate users to monitor, detect, and take actions against threats. RiskIQ is used by thousands of companies including many of the Fortune 500 and leading financial institutions to protect their digital assets, users, and customers from external security threats.

The company is headquartered in San Francisco, California, and backed by growth equity firms Summit Partners and Battery Ventures. To learn more about RiskIQ, visit www.riskiq.com.
Pair abused typo blind spot to game certificate authority

Two European security researchers exploited Comodo's crappy backend systems to obtain a HTTPS certificate for a domain they do not own. That cert could be used to impersonate the website, allowing passwords and other sensitive information to be swiped from victims in man-in-the-middle attacks. The infosec bods, Florian Heinz and Martin Kluge, found that the CA uses optical character recognition (OCR) software to process requests for certificates.

This image-recognition system is designed to ensure server-side certs are only sent to the registered owner of that domain. Comodo uses OCR to parse screen grabs of records from domain-name registries or registrars when verifying the ownership of a website.

Thanks to shortfalls in the OCR system used, Comodo can fail to distinguish an authentic domain name from one with similar characters (such as the number "1" instead of the letter "l") and end up giving valid certificates to owners of the fake domain. Comodo says that upon hearing from the researchers, it suspended the use of the OCR software and will be reviewing certificates it issued using the optical recognition tools between July 27 and September 28 of this year. The issue, it seems, is due to privacy protections in place on the .eu and .be domains.
In order to prevent the scraping of contact details, some registries and registrars do not allow automated WHOIS lookups to pull email addresses.
Instead, that data is displayed as text in an image that can be easily read by a person but not pulled by a bot. Comodo, meanwhile, normally relies on the automated WHOIS lookup to verify its applications. When a person requests a certificate via email, the CA gets the contact information from the WHOIS lookup and sends a verification message to that address, at which point the applicant would click a link to verify they own that domain and obtain their certificate. When the owner's address can't be read automatically for .be and .eu domains, Comodo instead uses the OCR to match the characters, and here is where the researchers found their weak point. By registering a domain name similar to that of their target (an Austrian service provider), they were able to send Comodo's application system a request for a certificate for the targeted domain.

Failing to spot the one character difference (the letter "l" and number "1"), the system errantly sent a verification email to the researchers' domain believing it to be the one listed in the WHOIS report. According to Comodo's incident report, the researchers contacted it directly on September 23 and upon verifying the issue, the OCR system was disabled.
So far, no other incidents of fake certificate registrations have been found. ®
Megaupload.org used to be where you'd go to access the vast amount of films hosted by Kim Dotcom's Megaupload service.

But once Dotcom was hit with US criminal charges, that site and many others were grabbed by the FBI, and visiting them produced nothing but a government seizure banner. No longer.

Today, a visit to Megaupload.org (NSFW) brings up what can only be described as softcore porn.

Text ads for "casual sex," "adult affair dating," "adult cam chat," and "live sex cams" are surrounded by pictures of women in their underwear. So how did this happen? In all likelihood, this is the same thing that happened last year, when similarly scammy-looking ads took over the main Megaupload.com page.

The FBI used a domain called cirfu.net as a "name server" to re-direct traffic from sites it had seized.

Then the Bureau apparently forgot to renew that domain, allowing someone else to purchase it. Today, the WHOIS data shows Megaupload.org to have name servers at NS5.CIRFU.NET and NS6.CIRFU.NET, so it's possible that those domains expired, only to be bought up by someone who thought they could make a few bucks off whatever paltry traffic still heads to Megaupload.org these days. How long Megaupload.org has been filled with sex ads isn't clear.

The change was first noted by TorrentFreak, which reported it earlier today. Other sites linked to Megaupload are also hosting ads, albeit less provocative ones. Megaworld.mobi shows text ads related to the Philippines. Megaclick.org hosts a similarly designed page, with ads related to horses and ponies. As for Kim Dotcom himself, the proceedings over his extradition from New Zealand have dragged on for years.
In December, a New Zealand judge ruled that the former Internet mogul must be sent to face trial in the US. Dotcom is appealing that ruling. The FBI's press office didn't immediately respond to a request for comment about apparent hijacking of Megaupload.org. We'll update this post with a response once we get one.
Empowers customers to fight back by detecting malicious activity as it appears on the Internet

San Francisco – July 28, 2016 – RiskIQ, the leader in external threat management, today announced general availability for its Security Intelligence Services, a ground-breaking new product that uses the Internet itself as a detection system to automatically defend a network from cyber attacks.

Attackers use automation and can launch sophisticated attacks at very low cost by rotating and reusing undetected infrastructure. RiskIQ has provided defenders with access to Internet datasets, advanced analytics and machine learning to stay one step ahead. With Security Intelligence Services, RiskIQ now detects unknown threats at the source and tracks how attacks change and spread—in real-time. “The security team’s visibility is mostly based on what they see on the corporate network but once they detect a threat locally, the attacker has already moved —this fact limits defenders’ efficacy—they are always playing catch up,” said Arian Evans, VP of Product Strategy at RiskIQ. “Using the Internet as a replacement for the corporate network, we provide real-time information on the attacker as soon as their attack goes live or moves.” With thousands of customers and processing petabytes of Internet datasets daily, RiskIQ is a pioneer in expanding the reach of the security program to prevent attacks.

The comprehensive service includes:

- Passive DNS (PDNS) data, a system of record that stores DNS resolution for a given domain or IP address, provides security analysts with insight into how a particular domain name or IP address changes over time. RiskIQ’s implementation of PDNS enables programmatic links between related domains/IP addresses and, when researching an event, can provide context to an attack or additional malicious domains/IP addresses. PDNS helps identify the indicator of compromise through correlation of historical resolution lookups, time-based analysis, and fully qualified domain name lookups.
- WHOIS data, an internet database of ownership information about a domain, IP address or subnet, can give an organization insight into those behind an attack campaign. WHOIS data helps determine the maliciousness of a given domain or IP address based on ownership records. Using domain registration information, an organization can unmask an attacker’s infrastructure by linking a suspicious domain to other domains registered using the same or similar information.
- RiskIQ Attack Analytics, a proprietary RiskIQ dataset, is based on malicious observations inside of real-time Internet datasets.

As attacks evolve and propagate outside of your network, RiskIQ behavioral analytics identifies cyber threats and provides customers with filtered lists of known bad hosts, domains, IPs and URLs.

These feeds allow any enterprise security organization to leverage RiskIQ’s vast Internet datasets and expertise to proactively defend their environment’s networks or endpoints from threats. Newly Observed Domains, the first of our attack analytics feeds, is a proprietary enriched RiskIQ dataset containing newly resolving domains.

Threat actors often programmatically use different domains for their attack campaigns, therefore newly active domains can serve as a guide to whether a domain is legitimate or not. RiskIQ’s continually updated Newly Observed Domains provides customers with near real-time intelligence of domains seen for the first time. Organizations can proactively defend against new domains that could be hosting phishing sites, distributing or operating malware or posing other cyber threats by blocking newly observed domains for a specified time period based on policy and risk tolerance. "To solve this incredibly difficult problem, RiskIQ has assembled the only complete source of real-time Internet datasets combined with the machine learning and analytics capable of generating truly predictive results," continued Arian Evans, VP of Product Strategy at RiskIQ. “Security Intelligence Services is a major innovation for threat detection—finding threats first using the Internet as a sensor and then using automation to inform the corporate network to block, thereby freeing up resources and increasing the cost to attackers to launch further attacks—in this current state of rapidly morphing threats." Customers can access RiskIQ Security Intelligence Services through a sandbox to test data structures and explore information via a user-friendly interactive application programming interface (API) and documentation.

Data from RiskIQ Security Intelligence Services can then be easily integrated with commonly used security platforms to investigate and protect against threats such as:

- Advanced persistent threats (APT)/Malware hosting and distribution
- Phishing, spear phishing and whaling
- Domain name abuse/Copycat domains
- Email abuse
- Watering holes
- Malvertising

For pricing inquiries, please contact sales at RiskIQ.
Security Intelligence Services is available on the RiskIQ website at http://www.riskiq.com/products/security-intelligence-services

About RiskIQ

RiskIQ is a cybersecurity company that helps organizations discover and protect their external facing known, unknown and third-party web, mobile and social digital assets.

The company’s External Threat Management platform combines a worldwide proxy and sensor network with synthetic clients that emulate users to monitor, detect and take actions against threats. RiskIQ is being used by thousands of companies including F500s and leading financial institutions to protect their web assets and users from external security threats.
It is headquartered in San Francisco and backed by growth equity firms Summit Partners and Battery Ventures. To learn more about RiskIQ, visit www.riskiq.com.