The Technology blog and podcast

Wetransfer has now joined the services that can be and has now been abused for Phishing Lures

I guess we can add wetransfer, the newest file transfer program that I was made aware of to the list of services that criminals are using to get their wares out.

https://we.tl/t-ZR52D6sDAm is a link to the last available technology podcast which was number 359 of that series. I had been meaning to record, but other things came up and of course the Security Box came up.

According to a recent article, there is a different type of link that the actors are using to get their wares out.

According to the legitiment wetransfer email, the sender matches what you’d get from wetransfer. The subject line has the email address sent you files using wetransfer.

The legitiment file transfer will explain what the file is by giving you the description of the file like you’ll see through the clickable link.

The link in this article will not be linked but it is: hxxps://wetransfer[.]com/downloads/52d55eeb42591d9ebbffe5326326858320210218183005/8b80cbbd9c1b8f7695b8de69e995ebee20210218183005/8c0cd5?utm_campaign=WT_email_tracking&utm_content=general&utm_medium=download_button&utm_source=notify_recipient_email and is a lot longer than the URL that is linked above.

The download button is on the web page of wetransfer’s legitament links, not on the llink like you see here.

The other two domains used are box.com and Google Documents just to add to insult to injury.According to box.com, they’re a collaberation tool, nd of course we know well about Google Documents which has been used for things like this for many years.

ZLoader was known for being a banking trojan, but it seems now to be picking up where other malware families got dropped.

Want to learn more? Surge in ZLoader Attacks Observed is the article. It is written by Phish Lab’s Jessica Ellis. Do read the article, it is definitely worth the read and thanks for listening and reading!

P.S. The link to podcast 359 linked here expires in one week.

Comments (0)

The Security box, podcast 33: Continuing where we left off with part 2 of the Keystroke logging topic and more

Hello folks,

Welcome to another edition of the Security Box. The RSS feed now has the program. Do you not want to deal with RSS or you can’t for any reason? Here is the 140.88mb file for you to get.

The RSS feed has the bulk of the show notes, but the show notes will be included in full including the full news notes segment which could not be included.

Here are those show notes.

---

On this podcast, we continue where we left off with our Key Logging topic, and we’ll also have news, notes, questions, comments and concerns. Hope you’ll enjoy the program as much as we have putting it together for you.

Topic: Continuing Key Stroke Logging

This may take several programs, but we must cover keystroke logging. We take from the Wikipedia page on keystroke logging so you can follow along. Different heading include, but not limited to: application, software based keyloggers, keystroke logging and writing processes, related features, hardware based keyloggers and history. There are 4 different headings for this article and a lot to read. I figured it would be a good discussion to have since it has come up in discussions of other things. I hope you enjoy the discussion as much as I am bringing it to you.

News Notes

• According to an article found through twitter from a site called WSLS, Kroger is reporting a breach dating back to December. They’re notifying people because some employee data may have been accessed, however, the grocery and pharmacy chain who is based in Ohio indicate that no physical Store was ever effected. The breached was from a third party file transfer service I’ve never heard of called FTA. Accellion, the makers of FTA, indicate their file transfer product was patched even though the version used was 20 years old and is approaching end of life support. Kroger is latest victim of third-party software data breach has the complete details.
• Scandinavian Airlines is among the victims of the Solarwinds breach, reports DN. This comes from Mikko Hyponen from F-secure translated what the tweet was saying and quoted an account on twitter who links to an article. Using Chrome and translating the page, I’m not getting a good read on it except its a potential backdoor attack. If there is an article in English, please let us know. I’m not linking to the Norwegian article since most of my readers may not understand it.
• On February 22nd, I came across an article via the Lastpass blog that may be some days old but very valuable. The free service is changing quite a bit starting in March. The author, Dan DeMichele, goes in to detail on what is changing and it is very important for people to read it. The Tech blog also has this posted on the day mentioned and it’ll be linked here in the show notes for people. Quoting a paragraph it says:
  

  We’re making changes to how Free users access LastPass across device types. LastPass offers access across two device types – computers (including all browsers running on desktops and laptops) or mobile devices (including mobile phones, smart watches, and tablets). Starting March 16th, 2021, LastPass Free will only include access on unlimited devices of one type. 

  Examples are given on each, and they allow you a $9 discount if you upgrade before March 16th. Also going away is the free technical support. While I only utalized support sparingly, once was when I got my new phone and I needed their help to disable two factor. To learn more: Changes to LastPass Free is the article, feel free to read all of the details on this.

• I’ll never think of Apple Juice as a juice that I enjoy again. While I like the drink apple juice, we’re not talking about the juice now, we’re talking about a piece of Malware that seems to have popped up again as CISA has gone ahead and issued an AA advisory and 4 MAR21’s in regards to this. Acording to 48A under targeted nations, it says:
  

  HIDDEN COBRA actors have targeted institutions with AppleJeus malware in several sectors, including energy, finance, government, industry, technology,
  and telecommunications. Since January 2020, the threat actors have targeted these sectors in the following countries: Argentina, Australia, Belgium, Brazil,
  Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland,
  Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States

  There are many versions here listed including: AppleJeus Version 1: Celas Trade Pro, AppleJeus Version 2: JMT Trading, AppleJeus Version 3: Union Crypto, AppleJeus Version 4: Kupay Wallet, AppleJeus Version 5: CoinGoTrade, AppleJeus Version 6: Dorusio, and AppleJeus Version 7: Ants2Whale. Several of these have Windows and Mac components as well as crypto currency information within the AA. The MAR’s have not been read by me, but I suspect go in to detail about the specific ones. The MARS emails were all HTML raw based but everything is linked below.

• Alert (AA21-048A) AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
• Malware Analysis Report (AR21-048B) MAR-10322463-2.v1 – AppleJeus: JMT Trading
• Malware Analysis Report (AR21-048F) MAR-10322463-6.v1 – AppleJeus: Dorusio
• Malware Analysis Report (AR21-048D) MAR-10322463-4.v1 – AppleJeus: Kupay Wallet

There may be more, check the blog for things that may be of interest, and stay safe.

---

Enjoy the show!

Comments (0)

Vulnerability summary for the week of February 15, 2021

This is the Vulnerability summary for the week of February 15th. As predicted, the FTA product was listed, and there are other items in there that may be of interest. I am not going to do a vulnerability summary report this week, because I don’t think most apply to the listenership of the box. Its going to be an interesting show, but this won’t be there. Click the link to learn more and see if something applies to you.

Comments (0)

Got Lastpass? Better read this for important free VS paid options

I don’t know how old this article is, but I was looking at my RSS feeds today and found this Lastpass blog post we’ll be linking to talking about free vs paid options.

The long of the short of the announcement, those of us who use Lastpass for free will soon lose the ability of logging in using multiple devices like phone VS computer. The free product will now be tied to the type of device, I.E. computer, laptop, phone, tablet, etc. instead of unlimited.

I’m saddened by this, because there are people who can’t afford a product like this who may utalize multiple devices. If you have ditched the computer and mainly use the phone for everything, than the phone/tablet/watch option may just work for free for you.

I’m not going to judge which product you use, and why. As discussed in many circles, it is important to use a password manager now a day because of the complexity of security and the numerous breaches that we have had to deal with within the last several years.

Want to learn more about Lastpass and their changes? Changes to LastPass Free is the article, and I hope that this finds you well.

P.S. You get about a 9 dollar discount through the blog post or your account if you act before the deadline. I did, I’ve used it for many years.

Comments (0)

Kroger is latest victim of third-party software data breach

Kroger Co. says it was among the multiple victims of a data breach involving a third-party vendor’s file-transfer service.

Source: Kroger is latest victim of third-party software data breach

I guess this shouldn’t be surprising, seeing the many companies coming outt after the massive Solar Winds breach. While this isn’t solar winds related, the grocery chain may consider itself very lucky because its stores itself is not effected as far as they can tell. Guess we’ll have to watch this one, and see what eventually happens.

Do feel free to reach out if you have comments on this one.

Comments (0)

Technical debt rising after buying in to things not really needed

I have a chance to read an article that Shaun sent me some time ago, and I think he posted the link on this blog. This was definitely a very interesting article where technology companies or even companies in general needed to buy things due to the pandemic, yet, they really don’t need it. It may have been short term.

If you want to learn more, read this article out of New Zealand: Firms’ technical debt rising after lockdown rush for digital upgrades – report and thanks for reading!

Comments (0)

The Security Box, podcast 32: Part 1 of Keystroke Loggers

Hello folks,

On this edition of the podcast, we start a discussion of keuystroke loggers. As indicated in the last podcast announcement, we do have some tracks, but they’re short and don’t take a lot of time. The program is still much shorter than the program’s broadcasting length on the mix, and we’ll see how it goes for podcast 33. We’ve got news, notes and more. I’d be interested on what people think of our “things to ponder segment” which starts the program. Thanks so much for listening!

Don’t want to deal with the RSS feed? No problem! Here is the 141.06 file for you to download.

Now, without any further ado, here are the show notes for this program, and thanks so much for listening, reading and participating!

---

Welcome to the security box, podcast 32. On this edition of the program, we’re going to talk about keystroke loggers. I found a Wikipedia article which is detailed and there could be a possibility that this goes in to multiple weeks. We’ll also have news, notes, questions, comments and even a “things to ponder” segment to boot.

Topic, Keystroke logging:

This may take several programs, but we must cover keystroke logging. We take from the Wikipedia page on keystroke logging so you can follow along. Different heading include, but not limited to: application, software based keyloggers, keystroke logging and writing processes, related features, hardware based keyloggers and history. There are 4 different headings for this article and a lot to read. I figured it would be a good discussion to have since it has come up in discussions of other things. I hope you enjoy the discussion as much as I am bringing it to you.

Things to Ponder

During last week’s program, we were still learning about the possible issue in a small town in Florida that could’ve had some serious problems with its water supply if it weren’t for a worker noticing something as simple as a mouse moving. In this things to ponder segment, I talk about what we’ve learned to date, and its quite interesting. To date, I have two sources you can read more, one an article by our good companion Brian Krebs, the other from CISA. You should read them both, and of course listen to what my thoughts are and participate.

• What’s most interesting about the Florida water system hack? That we heard about it at all. Krebs on Security
• Alert (AA21-042A) Compromise of U.S. Water Treatment Facility CISA

I hope you’ll participate in this interesting story.

News, notes and more:

This is the news, notes and other commentary from around the web. Where appropriate, links to any articles may be possible.

• I was told on February 15th about a 60 minutes piece on Solar Winds and the potential hack or lack there of where the Russians were possibly involved. On my own Internet Radio show for Sunday, I talked about one such story where a tech story like this was found on my local news site KNX some month after I saw it in publications like Cyberscoop. This doesn’t necessarily surprise me that Solar Winds was covered on 60 minutes, it is a national syndicated program and is well respected. I respect them, but this is now old news, but yet I don’t know what they really had to say about the attack so I can’t ccomment further.
• While I’ve not been blogging like I really should, we can’t skip patch Tuesday. Besides Windows, its a good idea to check for updates on other software such as Adobe Reader, and even software you use on a more frequent basis. As usually the case, Trend Micro and Krebs on Security are the two places where I get coverage on the patches. If you have not gotten your updates, you should be soon. Please reboot if necessary. For February, there were 56 vulnerabilities, according to Krebs. 9 of these are the most critical, according to the article. To date, over 1700 CVE’s have been already disclosed this year. The CVE this time is CVE-2021-1732 affects Windows 10, server 2016 and later. According to Trend Micro, 7 of the vulnerabilities were disclosed via the Zero Day initiative (zdi) program. According to the Trend Micro article, 3 out of the 9 critical issues are in networking aspects of Windows. Please read Microsoft Patch Tuesday, February 2021 Edition and February Patch Tuesday Fixes 11 Critical Bugs for complete details.
• While Emotet was dismantled as well as other gangs, we can’t let our guard down. There are other things that are out there that can take its place, or even it being used as a stepping stone to other attacks across your network. According to the article, a paragraph states:
  

  In 2020, Emotet, Trickbot, and ZLoader were the loaders of choice for actors, contributing to 78% of the overall loader volume. 

  In 2021, trickbot and z-loader are still being used according to Phishlabs. Emotet Dismantled, Trickbot, ZLoader, and BazarLoader Step In should be read for the complete details. According to the Cyberwire Daily, seems as though Emotet is still going, even though infrastructure was disrupted by arrests of people.

• While I’m behind on Trend Micro’s week in security postings as of late, I did come across some good news for a change which I always like to cover. The most recent article I’ve read in regards to arrests and seizures of infrastructure and domains deal with NetWalker’s ransomware gang. This is an article that our good friend Mr. Krebs covers. He describes what Netwalker is up to, the fact they are a ransomware as a service (raas) and how the domain or multiple domains were used. Its well worth the read, so check out the article Arrest, Seizures Tied to Netwalker Ransomware for all of the complete details.
• Speaking of arrests, I read an article back on the 10th talking about the arrest of people involved with a phishing kit. According to this article, this phishing kit had a web control panel that would give you information as well as access to phishing templates and the like. The article Arrest, Raids Tied to ‘U-Admin’ Phishing Kit should be read for all of the complete details.
• I don’t believe facebook for one minute. According to an article, Facebook, TikTok, Instagram and Twitter will target stolen accounts. How, I’m not exactly sure, but Facebook has been known to allow this type of thing. Instagram is part of their brand now, but I could see TikTok and Twitter having a stance. The article was written by mr. Krebs, and its a good article to read. The article talks about how these accounts are taken from legit users. The TTP’s include but are not limited to: Besides intimidation and harassment tactics, they use hacking, coercion, , sextortion, sim swapping and swatting. There is a forum called OG users which Brian covers in this well written article, and I urge everyone to read it. Facebook, Instagram, TikTok and Twitter Target Resellers of Hacked Accounts is the article.

---

Lots to read and comment on, let your voice be heard!

Comments (0)

The Security Box, podcast 31 February 10, 2021

It looks like I have neglected to post some show notes for some programs, so its time to catch up on this. The Security Box has been uploaded, but I’ve neglected to post the notes.

On podcast 31, we pick up where podcast 30 left off on the domain discussion. We also covered news, notes, questions, comments and more.

Do you not want to deal with the RSS feed because you can’t or don’t know how? Here is the 103.03mb file and we hoep you enjoy it.

The podcast is much shorter than the program as we started playing less music within our program to comply with my other podcast. While podcast 32 plays some tracks, they are short tracks.

Here are the show notes for podcast 31 of the podcast, and again, thanks for listening!

---

Welcome to the security box, podcast 31. On this podcast, we’re going to continue the discussion of domains with several different things that we couldn’t get to from last week. Also, we’ll have news, notes, questions, comments and more. I hope you enjoy the program as much as we have putting it together for you.

Domain discussion:

Part of running a domain today is security certificates. These certs are called SSL certificates or what is now known as TLS. We have to remember that SSL and TLS are pretty much interchangable, keep that in mind.

When I first started reading Phishlabs, they were indicating that Phishing sites were not much into security as the ultimate goal was to get their wares out, not necessarily wanting to be secure. Thats when we learned through newsletters that looking for the padlock or https was the sign we’re secure. This is not the case anymore. This is because several years ago, a company called Lets Encrypt came up with an automated way of issuing the domain validated certificates that would be used for this purpose. The 200,000 web sites for August and September were unique sites according to the article. It also states that SSL encryption for phishing sites overtook SSL deployment for general websites. We also have a 10 percent increase in BEC attacks that originate from free Webmail accounts such as Hotmail, Outlook, MSN, mail.ru and possibly others.

According to the web site for Lets Encrypt, it says:

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

According to the article, 80 percent of Phishing sites now have some form of SSL certificate installed up from the 74 percent I last saw. We’ve been covering this trend on the tech podcast, I remember when it indicated it was in the 50 percential. This is higher than most general websites, says the article. According to it, a survey from Q-source, 66.8 percent of web sites use SSL.

“Not surprisingly, most SSL certificates used by phishers were Domain-Validated (DV), which is the weakest form of certificate validation.” said LaCour. There are three types of SSL certificates, and DV certificates can be issued quickly, through an easy verification process. Of more than fifty-three thousand SSL certificates observed by PhishLabs, 91.3 percent were Domain-Validated.

Generally, PhishLabs found that cybercriminals are using free certificates. In Q3, 40 percent of all SSL certificates used by phishers were issued by the same free certificate authority, Let’s Encrypt.

According to the article, registrars are part to blame for the increase in phishing as there is limited action. Phishing has gone up sharply since March of 2020, and my article talking about one such phishing attack got something done. I sent the blog post linked here over to Mr. Krebs, and also called my provider I use. I called them up after doing some lookup and I mainly inquired as to whether they can help. As of Friday, February 6th, 2021: the domain emailhostsecurity.com is now suspended, and I don’t know when this officially occurred. The blog post linked here has the email that was sent to me, and I believe I talked about this on either the Security box or the main tech podcast.

According to the article, it says:

An average of 500 brands were targeted by phishing each month over the course of Q3, with SaaS remaining the most frequently attacked industry, targeted 31.4 percent of the time.

Under the Business Email Compromise section of the article it says:

The report also found 16.3 percent of BEC attacks involved domains registered by the phishers, with most originating from five registrars: Namecheap, Public Domain Registry, Google, Tucows, and NameSilo.

50 countries and 64 million dollars of potential stolen funds later, criminals have been identified in one year alone.

For the full details of the report and any links read: APWG Q3 Report: Four Out of Five Criminals Prefer HTTPS and let’s discuss.

---

Cybercriminals register hundreds of thousands of look-alike domains every year to impersonate reputable organizations and make a profit. These domains are used for a variety of attacks including phishing emails, fraudulent websites, web traffic diversion, and malware delivery.

Look-alike domains are intentionally misleading to give customers the false impression that they’re interacting with trusted brands, leading to significant reputation damage, financial losses, and data compromise for established enterprises. The process of creating an attack is inexpensive, and if threat actors move quickly to evade detection, they can make a large return on their time and money.

Millions of internet users are targeted with look-alike domains each year. The article has a graph that shows only a sampling of at least 50,000 threats that Phishlabs has observed.

The most common use of a look-alike domain is to set up a Website with Monetized Links. This approach is not necessarily malicious, yet it accomplishes multiple objectives:

The article goes on and says:

The registrant parks a domain and capitalizes on visiting traffic by adding monetized links. The link topics are typically related to the impersonated brand’s keywords, increasing the probability that visitors will click through to the destination website.

They let a domain “age” before using it. Most scammers typically use new domains quickly, yet some will maintain them for weeks or months. Recently registered domains garner low reputation scores and are a telltale sign of malicious activity, making them targets for security teams.

I believe that is why my incident was handled, as when I looked it up, it was only 4 days old!

There is much, much more in this article that we could spend a long time quoting and discussing it. I now invite you to read: The Anatomy of a Look-alike Domain Attack for all of the complete details. If something sticks out at you, please discuss it.

We aren’t going to cover this one, but another article in this series is Look-alike Domain Mitigation: Breaking Down the Steps if you wish to take a look at it. Its a long process, and I think it needs more work.

News, Notes and more

• Looks like there are a couple of items I heard about in February 3rds episode of the Cyberwire. Looks like Solar Wind first has more problems with their software that they have fixed, but the most important thing in this episode is that the initial breach of 2020 actually could’ve started as early as December 2019 when it has been reported that Solar Winds had one of their Microsoft 365 accounts compromised. We’re continuing to hear more, and you can search this out if you wish to learn more.
• Looks like Facebook has changed their mind about collecting Metadata for now, according to the same episode of The Cyberwire. I’m not sure I fully buy that, but if they’re going to use meta data, let them have at it I say. Besides that, it looks like Facebook is going ape because apple will be putting a feature in to IOS that will allow us to tell apps to identify us by our tracking ID. Mr. Zuckerberg says that it is apple dominating the ecosystem and if I could read between the lines during the interview of that episode, he’s not too happy as it hurts their bottom line. The person interviewed indicated that it is about time, and it has been in the works for awhile, even though Facebook and others may say that it is because of January 6, 2021’s event that sparked this.
• Security Now, podcast 804 has a ton of stuff that might be of interest to listen to. The very first segment talks about security certificate authorities and the latest one Camafirma, being knocked off the list by Google Chrome starting with release 90 which will be released in April 2021. According to Security Now, there are multiple issues which the company said they’d fix between 2017 and 2020, yet, they were never fixed. Please listen to the Security Now program numbered 804 for complete details on some of what was wrong. Through the years, the technology podcast as well as Security Now have mentioned and talked about other authorities misbehaving. Even Symantech, the makers of Norton, sign certs and failed at times. Its ok to make a mistake, but being a security certificate signer is a privlage, not a right.
• A company I’m not familiar called Nox, who makes some sort of player, may have been compromised with updates that were malicious in nature only making it out to a subset of its customers. The company says there is nothing wrong, according to Security Now, so people who use this player better do their due dilligance and make sure their device from this company is not infected.
• Sans News Bites is reporting that school districts can get some help with their cybersecurity. The blurb from the newsletter says: “IBM has announced a $3 million grant program to help US school districts protect their systems from ransomware. IBM will award $500,000 in-kind grants
  to six school districts, which will be chosen through an application process. The applications opened on February 4 and close on March 1, 2021. Teams from
  IBM’s Service Corps Program will “help [the selected schools] proactively prepare for and respond to cyberattacks.”” Lets see what happens! Sans News bites links to multiple articles, see the link to the newsletter on the blog.
• According to The Cyberwire Daily, Feb 4, 2021: Zoombomnbing is being done by high school and college students who are board and want to “piss off the teacher.” It may not have started that way, but the Cyberwire says that most of the problems now are with the kids.

Comments (0)

Blind Bargains report that the ID mate is being discontinued

Hello folks,

Its never great to share a little bit of sad news, and I’ve complated on buying this device but with mhy phone, it isn’t necessarily necessary because there are bar code readers as part of apps like Seeing AI and maybe others.

The post I’m linking to is 3 days old, and I look from time to time to see if any news of interest could be passed along to my readers. Joe does a great job with deceminating the information in their post.

The item The I.D. Mate Is Being Discontinued shoould be read from Blind Bargain’s Joe Steinkamp for complete details.

I know that people may not have the necessary means to get a device whether smart or this device. I’m happy that they were able to offer a payment plan for the product, but they aren’t offering that anymore due to the announcement linked here.

I hope that this information is of value to people, and thanks for reading.

---

P.S. A telephone number for the company is at the bottom of the post linked within.

Comments (0)

Apple updating the subscription sheet in iOS 14.5 with clearer pricing and trial information – 9to5Mac

This isn’t very long, but this might be good for those who are confused. I’ve signed up for a couple of subscriptions and it seemed clear, but I’d like to see what its like when 14.5 comes out. IOS 14.5 was covered in this past week’s Tech Talk and Music program and the article they referenced came from Cnet which is pretty good. This comes from 9 to 5 mac, and while it isn’t long, it looks interesting.

Last week we shared a concept that explored ways Apple could improve the subscription sheet in iOS to help customers better understand what they’re signing up for. The issues with the subscription sheet have been a hot topic lately amongst the community. But tonight the developer behind Launch Center Pro, David Barnard has pointed out […]

Source: Apple updating the subscription sheet in iOS 14.5 with clearer pricing and trial information – 9to5Mac

Comments (0)

This week in security news, news ending Feb 12th, 2021

Hi all, I know i’m behind on news from Trend Micro, but there are some items that might be of interest to us.

Instead of doing a complete rundown like I normally do, I’m just going to link to This Week in Security News – Feb. 12, 2021 and let you decide what you want to read and you let me know what you want covered.

Comments (0)

Parler Is Back Online With New Plan That Doesn’t Rely On ‘Big Tech’ – The Police Tribune

This is going to get interesting. I saw this yesterday on twitter, and found it interesting. Guess we’ll see what happens with it now.

Henderson, NV – Free speech social media app Parler announced Monday that it was back up and running using a new web hosting service. Parler said in a press release on Feb. 15 that the app had been rebuilt “on sustainable, independent technology and not reliant on so-called ‘Big Tech’ for its operations,” KSNV reported. […]

Source: Parler Is Back Online With New Plan That Doesn’t Rely On ‘Big Tech’ – The Police Tribune

Hopefully this Los Angeles company, whoever they are, won’t have any trouble, but we’ll have to see.

Comments (0)

Vulnerability summary for February 8, 2021

Hi folks,

Here is the vulnerability summary for February 8th which was delivered. I will be mentioning a few of these items, but the link will take you to a page where you can read more. This has got to be time to update products like Adobe Reader and Google Android to name two. Happy hunting!

Comments (0)

Be on the lookout, forms now leading to trust web sites for fake web sites

I know it has been awhile since the blog has been touched. I really need to get back in to blogging, and news notes will prove it.

This time, I want to highlight yet another email I got through my contact form over on the main network’s web site, jaredrimer.net.

This contact form is quite interesting as it leads to trust web sites, one of which caught my attention. Reading the email on my phone, I clicked on the second link from within this form because I was curious. The first link I checked out via the computer on my main connection, and the profile was removed. It leads to this page: Action We Take which has a heading on fake reviews.

You may also want to check out this wikipedia page on Country code top-level domain to learn more. Here is the form.

---

Below is the result of your feedback form. It was submitted by () on Monday, February 15, 2021 at 17:01:54

Name: Mattie
phone: 445 1406
contact_method: both E-mail and phone
bug: no
additional_bug_info: The best fake id maker in the market for over 15 years

read our reviews and testimonials
https://www.trustpilot.com/review/idgod.ch
https://scamadviser.com/check-website/idgod.ch
https://www.sitejabber.com/online-business-review?url=idgod.ch

comment_or_question: The best fake id maker in the market for over 15 years

read our reviews and testimonials
https://www.trustpilot.com/review/idgod.ch
https://scamadviser.com/check-website/idgod.ch
https://www.sitejabber.com/online-business-review?url=idgod.ch

---

HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
REMOTE_ADDR: 172.94.125.11

---

According to the IP lookup at abuse IP database it is belonging to purevpn with the company of Secure Internet LLC. It is a Data Center/Web Hosting/Transit . The country is Germany. I’m the first reporter of the IP. As I said, I looked at the first two links and the site in question for fake ID’s is just outright wrong. I would’ve never done this anyhow, but this is just another tactic for people to get you to go over to their site.

Site Jabber looks to only allow people to review, and I went to the site carefully to see what it was about. ID God looks like it has a lot of info about what you should do so they can do their job. So far, from the scam advisor, I’d recomend people to read that since thats all we’ve got.

This is only going to get more interesting.

Comments (0)

The Security box, podcast 31: More Domain discussion, news, notes and more

Hello folks, welcome to the show notes of the Security Box. Yes, its been a couple of days, however, its better late than never I’d say. Other stuff got delayed like the playlists for my shows for my independent stuff, so it isn’t too bad.

The RSS feed has had the program up since the podcast was done, and now its time to provide the link to the podcast as well as the extensive show notes.

You’ll notice that we only have two tracks now, and the lunch time set I play if I don’t have anything else was not broadcasted. This makes the podcast less than two hours instead of the 2 and a half hours the internet radio program took. I hope that this makes the podcast better to listen to.

Don’t want to mess with RSS? Here is the 162.57mb file for you to download. Thanks so much for listening!

---

Welcome to the security box, podcast 31. On this podcast, we’re going to continue the discussion of domains with several different things that we couldn’t get to from last week. Also, we’ll have news, notes, questions, comments and more. I hope you enjoy the program as much as we have putting it together for you.

Domain discussion:

Part of running a domain today is security certificates. These certs are called SSL certificates or what is now known as TLS. We have to remember that SSL and TLS are pretty much interchangable, keep that in mind.

When I first started reading Phishlabs, they were indicating that Phishing sites were not much into security as the ultimate goal was to get their wares out, not necessarily wanting to be secure. Thats when we learned through newsletters that looking for the padlock or https was the sign we’re secure. This is not the case anymore. This is because several years ago, a company called Lets Encrypt came up with an automated way of issuing the domain validated certificates that would be used for this purpose. The 200,000 web sites for August and September were unique sites according to the article. It also states that SSL encryption for phishing sites overtook SSL deployment for general websites. We also have a 10 percent increase in BEC attacks that originate from free Webmail accounts such as Hotmail, Outlook, MSN, mail.ru and possibly others.

According to the web site for Lets Encrypt, it says:

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

According to the article, 80 percent of Phishing sites now have some form of SSL certificate installed up from the 74 percent I last saw. We’ve been covering this trend on the tech podcast, I remember when it indicated it was in the 50 percential. This is higher than most general websites, says the article. According to it, a survey from Q-source, 66.8 percent of web sites use SSL.

“Not surprisingly, most SSL certificates used by phishers were Domain-Validated (DV), which is the weakest form of certificate validation.” said LaCour. There are three types of SSL certificates, and DV certificates can be issued quickly, through an easy verification process. Of more than fifty-three thousand SSL certificates observed by PhishLabs, 91.3 percent were Domain-Validated.

Generally, PhishLabs found that cybercriminals are using free certificates. In Q3, 40 percent of all SSL certificates used by phishers were issued by the same free certificate authority, Let’s Encrypt.

According to the article, registrars are part to blame for the increase in phishing as there is limited action. Phishing has gone up sharply since March of 2020, and my article talking about one such phishing attack got something done. I sent the blog post linked here over to Mr. Krebs, and also called my provider I use. I called them up after doing some lookup and I mainly inquired as to whether they can help. As of Friday, February 6th, 2021: the domain emailhostsecurity.com is now suspended, and I don’t know when this officially occurred. The blog post linked here has the email that was sent to me, and I believe I talked about this on either the Security box or the main tech podcast.

According to the article, it says:

An average of 500 brands were targeted by phishing each month over the course of Q3, with SaaS remaining the most frequently attacked industry, targeted 31.4 percent of the time.

Under the Business Email Compromise section of the article it says:

The report also found 16.3 percent of BEC attacks involved domains registered by the phishers, with most originating from five registrars: Namecheap, Public Domain Registry, Google, Tucows, and NameSilo.

50 countries and 64 million dollars of potential stolen funds later, criminals have been identified in one year alone.

For the full details of the report and any links read: APWG Q3 Report: Four Out of Five Criminals Prefer HTTPS and let’s discuss.

---

Cybercriminals register hundreds of thousands of look-alike domains every year to impersonate reputable organizations and make a profit. These domains are used for a variety of attacks including phishing emails, fraudulent websites, web traffic diversion, and malware delivery.

Look-alike domains are intentionally misleading to give customers the false impression that they’re interacting with trusted brands, leading to significant reputation damage, financial losses, and data compromise for established enterprises. The process of creating an attack is inexpensive, and if threat actors move quickly to evade detection, they can make a large return on their time and money.

Millions of internet users are targeted with look-alike domains each year. The article has a graph that shows only a sampling of at least 50,000 threats that Phishlabs has observed.

The most common use of a look-alike domain is to set up a Website with Monetized Links. This approach is not necessarily malicious, yet it accomplishes multiple objectives:

The article goes on and says:

The registrant parks a domain and capitalizes on visiting traffic by adding monetized links. The link topics are typically related to the impersonated brand’s keywords, increasing the probability that visitors will click through to the destination website.

They let a domain “age” before using it. Most scammers typically use new domains quickly, yet some will maintain them for weeks or months. Recently registered domains garner low reputation scores and are a telltale sign of malicious activity, making them targets for security teams.

I believe that is why my incident was handled, as when I looked it up, it was only 4 days old!

There is much, much more in this article that we could spend a long time quoting and discussing it. I now invite you to read: The Anatomy of a Look-alike Domain Attack for all of the complete details. If something sticks out at you, please discuss it.

We aren’t going to cover this one, but another article in this series is Look-alike Domain Mitigation: Breaking Down the Steps if you wish to take a look at it. Its a long process, and I think it needs more work.

News, Notes and more

• Looks like there are a couple of items I heard about in February 3rds episode of the Cyberwire. Looks like Solar Wind first has more problems with their software that they have fixed, but the most important thing in this episode is that the initial breach of 2020 actually could’ve started as early as December 2019 when it has been reported that Solar Winds had one of their Microsoft 365 accounts compromised. We’re continuing to hear more, and you can search this out if you wish to learn more.
• Looks like Facebook has changed their mind about collecting Metadata for now, according to the same episode of The Cyberwire. I’m not sure I fully buy that, but if they’re going to use meta data, let them have at it I say. Besides that, it looks like Facebook is going ape because apple will be putting a feature in to IOS that will allow us to tell apps to identify us by our tracking ID. Mr. Zuckerberg says that it is apple dominating the ecosystem and if I could read between the lines during the interview of that episode, he’s not too happy as it hurts their bottom line. The person interviewed indicated that it is about time, and it has been in the works for awhile, even though Facebook and others may say that it is because of January 6, 2021’s event that sparked this.
• Security Now, podcast 804 has a ton of stuff that might be of interest to listen to. The very first segment talks about security certificate authorities and the latest one Camafirma, being knocked off the list by Google Chrome starting with release 90 which will be released in April 2021. According to Security Now, there are multiple issues which the company said they’d fix between 2017 and 2020, yet, they were never fixed. Please listen to the Security Now program numbered 804 for complete details on some of what was wrong. Through the years, the technology podcast as well as Security Now have mentioned and talked about other authorities misbehaving. Even Symantech, the makers of Norton, sign certs and failed at times. Its ok to make a mistake, but being a security certificate signer is a privlage, not a right.
• A company I’m not familiar called Nox, who makes some sort of player, may have been compromised with updates that were malicious in nature only making it out to a subset of its customers. The company says there is nothing wrong, according to Security Now, so people who use this player better do their due dilligance and make sure their device from this company is not infected.
• Sans News Bites is reporting that school districts can get some help with their cybersecurity. The blurb from the newsletter says: “IBM has announced a $3 million grant program to help US school districts protect their systems from ransomware. IBM will award $500,000 in-kind grants
  to six school districts, which will be chosen through an application process. The applications opened on February 4 and close on March 1, 2021. Teams from
  IBM’s Service Corps Program will “help [the selected schools] proactively prepare for and respond to cyberattacks.”” Lets see what happens! Sans News bites links to multiple articles, see the link to the newsletter on the blog.
• According to The Cyberwire Daily, Feb 4, 2021: Zoombomnbing is being done by high school and college students who are board and want to “piss off the teacher.” It may not have started that way, but the Cyberwire says that most of the problems now are with the kids.

Comments (0)

Here are a couple of items from this week’s latest Sans News bites

As part of this week’s Sans News Bites, I’ve read two of the recent articles that caught my attention both from Cyberscoop.

---

The first article that caught my attention was the Florida case with the treatment of their water. The good news is that the potential hack did not cause much damage as it was reversed quickly, yet, the hack was through an application used to monitor things

An unidentified hacker on Feb. 5 broke into the computer system of a water treatment plant for a town outside of Tampa, Florida, and temporarily changed
the plant’s sodium hydroxide setting to a potentially dangerous level, local authorities said Monday.

The attacker changed the level of sodium hydroxide in the water treatment plant in the town of Oldsmar from about 100 parts per million to 11,100 parts
per million, said Bob Gualtieri, the sheriff of Pinellas County, Florida. Treatment plants use sodium hydroxide to make it drinkable, but it can be unsafe
for people in large quantities.

The breach did not cause any harm to public health, but it is a stark reminder of the risks that come with increasingly digitized critical infrastructure.

According to the article, the FBI and the Secret Service are involved in the investigation, which makes this quite interesting.

The article continues:

The attacker broke into the Oldsmar Water Treatment Facility’s computer system twice on Feb. 5, according to Gualtieri, taking advantage of remote access
software that operators use for maintenance. Not long after the intruder changed the sodium hydroxide level, a plant operator noticed and reversed the
change, according to authorities.

This is the best news out of it, someone noticing and fixing the problem and tht’s what you want.

It would have taken 24 to 36 hours before the altered water solution entered the water supply and there were redundancies in place to prevent that, according
to Gualtieri and Oldsmar Mayor Eric Seidel.

I wonder what those procedures were?

The chilling news:

Engineers at industrial plants often used remote software to monitor plant performance, a practice that has long opened up potential avenues for hackers.
The incident at Oldsmar, a town of some 15,000 people, is bound to bring such security arrangements under fresh scrutiny.

The good news is that this was contained quickly but what will happen next?

According to the article, Hackers breached a facility in Israel last year, and its linked in Cyberscoop’s article. Its not normal, but I wonder if it will become the new normal for hackers once they learn about this?

• Hacker breached Florida water facility to alter sodium hydroxide level, police say

---

The next article may be of interest if you use a bard code scanner. According to the article that was mentioned as part of Sans News Bites this bar code scanner was very well liked until it was hit with code that did unwanting things to the device.

According to the first paragraph of the article, it says:

An app with more than 10 million downloads from the Google Play Store recently took a hard turn to the dark side, according to antivirus company Malwarebytes.

Google removed the application in December after it was apparently opening the browser to serve up advertisments. When Google removes it from the play store like this, the article indicates that the application is still on your phone. It may be time for this application to be removed from your phone. Since I’m not an Android user, I am unable to help you further. Check with someone who may know more and let’s learn together.

“It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect,” Collier writes.

Approximately 10 million users are effected, so get help if you can.

• Barcode scanner in Google Play Store became malware after years of popularity, researchers say

Thanks for reading, and make it a great day!

Comments (0)

Sans news bites for february 9, 2021

I was perusing the news bites for today and it is well good. This link should take you there to read it and pick something that interests you. You might be effected with something, so instead of me putting up what I think you should have, take the newsletter and read what interests you.

Comments (0)

Vulnerability summary for the week of Feb 1-8, 2021

This is the link to the vulnerability summary for Feb 8, 2021. Lots of routers listed in the high vulnerability section, better figure out how you can get updated. My ISP said they push out updates, but i wonder.

Comments (0)

AR21-039A: MAR-10318845-1.v1 – SUNBURST

I saw this after i posted the other, but taking a look at this, this might not be new for most who have heard and read my prior coverage. If you are new and you’re coming across the blog, search for Solar Winds and you’ll come across tons of stuff if I did it all correctly.

Here is the link to the web page for you all to read about what we know already.

Comments (0)

Sans at risk

Sans at risk whose archive can be found here is a valuable resource to what is possibly known. February 4ths issue is covered in highlights for the next Security Box program. Enjoy!

Comments (0)

Older Posts »

go to sections menu

---