Marketplace Update #1 – An Australian logs-based Fraud Store

Readers! It's been almost a year, so apologies for not being proactive. I will now try to publish at least once a week.

Recently, I came across a marketplace, or store, called A1 FRAUDSTORE offering multiple kinds of compromised/stolen data relating to Australian individuals.

  • Drivers Licence/Medicare/Passport Scans – Used heavily for identity takeover
  • Bank Logins – self explanatory
  • Debit / Credit Card + Fullz – slang for a data set that usually contains an individual's name, Social Security number (USA), birth date, account numbers, phone, address, email etc.
  • Fresh Bank Drops
  • Physical Debit
  • Homemade Methods & Guides
  • Various Login Details (Email/Facebook/etc) – Did not find a section for these
  • Australia Post Lockers
  • NatWest phishing kit by Kr3pto

Identities

The stolen identities are used to create accounts for loan applications and generic scams, but mostly to act as drop accounts. Drop accounts are where fraudsters send proceeds of crime, usually collected via malware or phishing. One of the best-known uses of such drop accounts is by money mules working with Business Email Compromise actors.

Bank logs

These are banking credentials that allow an initial login; however, depending on post-authentication controls, actors may or may not be able to transfer funds out. Once logged in, actors can get their hands on significant personal information that can be further used for fraud. At times, if a card is connected, they can perform online transactions without the user's knowledge.

In the screenshot, the actor has advertised 86400.com.au, Westpac and NAB accounts, although he mentions in the details that only Commonwealth logs are available, which the drop-down confirms.

Full package bank drops

According to the actor, these are custom packs that include account access, the associated card, the identities used, the associated SIM card and an email address. In the advertised screenshot the actor shows cards from

  • CUA bank
  • ANZ bank
  • NAB
  • Westpac
  • ING
  • 86400

This readily available account information is then used to receive fraudulent funds.

Australia Post lockers

Lockers are used to receive unsolicited and illegal parcels; in many cases individuals use them to get drugs.

NatWest Phishing Kit by kr3pto

kr3pto is an alias of a threat actor known to create multiple phishing kits; more can be read at https://www.wmcglobal.com/blog/threat-actor-update-kr3pto

Store information

Link > meows://aaa111.company.site

; <<>> DiG 9.10.6 <<>> https://aaa111.company.site
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2136
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;https://aaa111.company.site.	IN	A

;; ANSWER SECTION:
https://aaa111.company.site. 59	IN	A	3.223.246.100
https://aaa111.company.site. 59	IN	A	3.225.248.13

;; Query time: 11 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Feb 27 15:43:16 AEDT 2021
;; MSG SIZE  rcvd: 88

Whois suggests the range is assigned to Amazon, on ASN AS14618 (AMAZON-AES).

Final Words

Selling such data over marketplaces and messengers is very common; however, a dedicated store suggests increasing demand and success in getting hold of compromised data. The return on investment is easily calculated, as certain information can be used multiple times and one single success can provide thousands of dollars.

It is advisable for banks that, once these drop accounts are identified, they are shared with agencies that can relay the information to other financial institutions. It is also recommended to have proper KYC checks right when an account application is being filled in, whether online, in branch or via postal application. A check against a known blacklist to reduce the number of such drop accounts is recommended. Another option is to enable multi-factor authentication right on the login page, meaning a phished username and password alone will be of no use. One might debate the feasibility and usability, but that is the bank's call; however, I do believe that if an actual survey were done, account holders might pick security over convenience. A new change will always see some friction, but if it is towards improvement the positives will eventually be seen.

Banks can use the above screenshots or monitor the store to identify victims, and should also be able to pivot on how the actor got the data (mostly via phishing, possibly malware), as well as login times and usage, which can then be acted upon.

Evoltin POS Malware – Kill Chain Mind Map

Readers!!!

It's been quite a while since I updated my blog, as I have been spending some quality time off work with family.

Recently, I was honoured to attend the SANS FOR578 Cyber Threat Intelligence course taught by Robert M. Lee, and it was excellent. I will be writing a separate blog post reviewing the course later.

Being in a customer service environment, I have realised how important data visualisations are. When presenting findings to C-level executives, having tables, charts and graphics in the report makes it easier to grasp the analyst's (or whoever wrote the report's) point of view. We can visualise our findings about organisational risks, threats, incidents and many other departmental attributes in different ways.

For me, the best visualisation is mind maps, and I have used them to represent processes, procedures, incidents etc. I also use mind maps when performing investigations during IR, forensics and/or threat hunting. They help me track investigation steps and my findings. If the incident continues into the next business day, the mind map helps me start where I left off, and also helps me trace back my steps rather than looking at Excel sheets, other textual representations or a case management system.

During the course, there was a strong emphasis on making sure investigation or intelligence-gathering information is represented in a manner that all levels of audience can understand. This is when I thought to create a mind map of a malware sample, its behaviour and how it can be represented across Kill Chain phases.

[Screenshot: evoltin-pos-aka-nitloveposb]

The above screenshot shows the Kill Chain phases for the Evoltin POS malware, the indicators identified during analysis and how they are associated with the different Kill Chain phases. Rather than presenting them in table or chart format, I believe the mind map view is much easier to grasp and better presented.

I will be creating more mind maps and uploading them to my GitHub account. I normally upload IOCs to AlienVault OTX, Blueliv, GitHub and ThreatConnect, but now I will also create a similar Kill Chain mind map for every investigation I do.

Happy Mind Mapping!!!!!

Ho Ho Ho – Here comes the spam/phish

Merry Christmas and Happy New Year to all !

I thought to start the new year with a blog post about spam purporting to come from Australian giants: Woolworths, JB Hi-Fi, Flight Centre, Bunnings etc.

Although we are on holiday, attackers are not. Holiday time is in fact a very good time to target organisations, as most staff are enjoying meals at home with their families while companies run on skeleton resources. Let's analyse the emails. Following are the screenshots:

[Screenshot: mails]

The above screenshot shows the Australian vendors.

  1. Myer – Win a Myer voucher. Sender: account@zepeem.com
  2. URLs in the mail:

[Screenshot: myers]

Conclusion: suspicious, and the sites seem to be phishing sites.

  1. Bunnings – Bunnings Gift Card – Bunnings0256986@relaisnautische.eu
  2. Subject of the email: %$email – likely an automated email generator where they forgot to change the subject to something that looks real
  3. Mailed-by: shriek.relaisnautische.eu
  4. Links on the flyer are not clickable. The only clickable link is to unsubscribe, which goes to http://pss.relaisnautische.eu/, which is not active.

Conclusion – suspicious, and seems to be a phishing site.

  1. Woolwhorths? – Isn't it Woolworths? – Woolwhorth8965742@ondernemingtoon.eu
  2. Subject: SCRATCH & WIN – this time they got it right
  3. Mailed-by: zoroastrian.ondernemingtoon.eu
  4. Links are identified as phishing by Google.
  5. Phishing link :

Conclusion – Phishing website.

Senders: should be blocked on email filters

  1. Woolwhorth8965742@ondernemingtoon.eu
  2. Bunnings0256986@relaisnautische.eu
  3. account@zepeem.com
  4. Woolwhorths8965742@monstereigenschap.eu
  5. Woolwhorths8965742@netwerkenfonds.eu
  6. JB2519867@realiteitgoed.eu
  7. Woolwhorths0256989@bewustextreem.eu

Other links/IP addresses: SIEM rules should be updated to catch any communications to these URLs. The URLs can also be blocked on web filters.

  1. http://bell-news.de/ga/unsubscribe/2-1624154-36-5605-11384-5923d1a4644b2b2-c9bb0e8af2/?utf8=%E2%9C%93&confirmed=1 – 213.136.91.181
  2. http://balqjdvwrs.realiteitgoed.eu/ – 216.109.172.160
  3. http://ww41.uvqqsagwla.monstereigenschap.eu/ – 141.8.225.60
  4. http://ww41.uvqqsagwla.netwerkenfonds.eu/ – 141.8.225.60
  5. http://play.mobistos.com/lpx/MayoS93HF2?aff=ck-lll&reqid=731155943&oid=7230&s1=209491|83 – 82.94.216.105
  6. http://balqjdvwrsi.znhpslrnpk.bewustextreem.eu/track?e=02bj5CbpFWbnBkcv1WdohGdpdHZyVmbP&m=18764400&l=0. 63.250.4.10
  7. http://uvqqsagwla.bewustextreem.eu/ –  63.250.4.10
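One way to turn the sender domains and URL/IP indicators above into a SIEM-style check, as an added example that is not part of the original post: domains are matched by suffix so subdomains of the listed zones also hit, and the "client dst_ip url" log lines are constructed for the demonstration, not captured traffic.

```python
"""Match proxy-style log lines against the indicators listed in the post.
Added example, not from the original post; the log lines are constructed."""
from urllib.parse import urlsplit

# Indicators taken from the sender and URL lists in the post. Domains are
# compared by suffix so ww41.uvqqsagwla.monstereigenschap.eu also matches.
BLOCKED_DOMAINS = {
    "ondernemingtoon.eu", "relaisnautische.eu", "zepeem.com",
    "monstereigenschap.eu", "netwerkenfonds.eu", "realiteitgoed.eu",
    "bewustextreem.eu", "bell-news.de", "mobistos.com",
}
BLOCKED_IPS = {
    "213.136.91.181", "216.109.172.160", "141.8.225.60",
    "82.94.216.105", "63.250.4.10",
}

# Constructed sample lines: "client dst_ip url". Line 3 is a look-alike
# that merely starts with a blocked domain and must NOT match.
SAMPLE_LOG = """\
10.0.0.12 141.8.225.60 http://ww41.uvqqsagwla.monstereigenschap.eu/
10.0.0.15 93.184.216.34 http://www.example.com/news
10.0.0.21 8.8.4.4 http://zepeem.com.evil-lookalike.test/login
10.0.0.33 63.250.4.10 http://cdn.other.test/logo.png
10.0.0.40 198.51.100.7 https://shop.relaisnautische.eu/gift
"""

def domain_blocked(host):
    """True when host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def scan_log(text):
    """Return (line_no, reason) for every line that hits an indicator.
    The destination IP is checked first, then the URL host."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        _client, dst_ip, url = parts
        host = urlsplit(url).hostname or ""
        if dst_ip in BLOCKED_IPS:
            hits.append((n, "ip:" + dst_ip))
        elif domain_blocked(host):
            hits.append((n, "domain:" + host))
    return hits

if __name__ == "__main__":
    for line_no, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```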

Final words:

  1. Similar links were used in the other emails. Based on the HTTP objects extracted from all of them, I can only see PNG files. No executable or JavaScript was noted.
  2. All emails have one sender country in common: Germany.
  3. Unsubscribing goes to PO Box 1960 #22445 Wilmington, DE 19899
  4. The phishing attempt seems generic, concentrating on just getting private information from users, especially email addresses.
  5. No attempts at malware dropping were identified from the links.

Organisations should be on the lookout for any use of their brand name to deceive users into providing personal information. As users trust these organisations, it is the organisation's responsibility to have proper brand monitoring in place, or outsourced, so that phishing campaigns using their names can be identified and controlled.

Security awareness for all users is also important, to make sure they do not click on links in unsolicited emails.

Happy 2016!!!!

Westpac spam email – You have new notification

Malicious or spam emails are frequent, and are one of the best ways to get a system/host infected.

Recently I received an email from one of the Big 4 banks of Australia, Westpac.

The very first thing: I am not a customer, so it was definitely a phishing scam.

Actual Email

[Screenshots: email headers, westpac email]

The actual email is a bit unprofessional. The URL ends with "Bankingx". The email comes from west-pac@bbodyregistry.com.
Looking at the email headers, the originating IP address is 41.57.96.54. The headers also show the email came via IP 197.232.31.99. The geolocation of both IP addresses is Kenya.
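The header triage described above, as an added example that is not from the original post: walk the Received chain to recover the originating hop and flag a From display name that claims a bank brand while the address domain is something else. The raw headers are constructed around the values the post reports, and the legitimate domain in BRAND_DOMAINS is an assumption of the example.

```python
"""Extract the hop chain from e-mail headers and flag display-name /
domain mismatches. Added example; headers below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers using the values the post reports. Received lines
# are newest-first, as a mail client shows them.
RAW_HEADERS = """\
Received: from mail.example-mx.test ([197.232.31.99])
        by mx.recipient.test with ESMTP; Thu, 01 Oct 2015 10:00:00 +1000
Received: from [41.57.96.54] (unknown [41.57.96.54])
        by mail.example-mx.test with SMTP; Thu, 01 Oct 2015 09:59:00 +1000
From: Westpac <west-pac@bbodyregistry.com>
Subject: You have new notification

"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Assumed legitimate domain per brand; extend for the brands you protect.
BRAND_DOMAINS = {"westpac": "westpac.com.au"}

def received_ips(raw):
    """IPs seen in Received headers, ordered from the originating hop
    onward (oldest Received line first), duplicates removed."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(hdr):
            if ip not in hops:
                hops.append(ip)
    return hops

def brand_mismatch(raw):
    """Return (brand, actual_domain) when the From display name names a
    known brand but the address domain is not that brand's domain."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and domain != legit:
            return brand, domain
    return None

if __name__ == "__main__":
    print("hops:", received_ips(RAW_HEADERS))
    print("mismatch:", brand_mismatch(RAW_HEADERS))
```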

VirusTotal results: https://www.virustotal.com/en/ip-address/41.57.96.54/information/
The IP address does have a few malicious URLs detected previously.

Clicking on the URL in the email redirects to http://antoniahallcommunications.com/referrer/. The site is identified as a phishing attack by Google Chrome.

[Screenshot: chrome phishing]

So I disabled the phishing and malware protection in the browser settings and accessed the site again. No signatures were triggered on Security Onion Snort. I received the following response:

[Screenshot: tcp stream]

The site resolves to 198.46.82.80 – ehub36.webhostinghub.com – a free web hosting provider.

The site actually belongs to Antonia Hall, a publicist.

Below are the IOCs:

197.232.31.99
41.57.96.54
bbodyregistry.com

Conclusion:

I did not find anything malicious beyond this being an unsuccessful attempt to get a user to click on a link. Also, the URL is not accessible anymore.

An email from UN – attachment ATM_CARD_1.doc – IRREVOCABLE PAYMENT ORDER VIA ATM CARD

I received an email from "UN@" – no email domain on the sender, which is why my email identified it as spam.

[Screenshot: email from UN]

The attachment was a doc file, ATM_CARD_1.doc. I checked various websites (malwr.com, VirusTotal, Shodan) but found no information about the DOC file.

MD5: 2134a6afb12a5a2bcdd77b09e43a8e29 – not reported.

I uploaded the file to VirusTotal but did not find any hits: https://www.virustotal.com/en/file/058767db41be4365c137dfd2ed857e86211c724a3037c561f7a9d0f994e6c829/analysis/1443706261/

ExifTool output

ExifTool Version Number : 8.60
File Name : ATM_CARD__1_.doc
Directory : .
File Size : 86 kB
File Modification Date/Time : 2015:10:01 13:01:39+00:00
File Permissions : rw-r-----
File Type : DOC
MIME Type : application/msword
Author : FullNameHere
Template : Normal
Last Modified By : SONY
Revision Number : 2
Software : Microsoft Office Word
Total Edit Time : 2.0 minutes
Last Printed : 2010:11:24 17:52:00
Create Date : 2015:09:28 02:38:00
Modify Date : 2015:09:28 02:38:00
Pages : 1
Words : 436
Characters : 2491
Security : None
Company : OrgHome
Lines : 20
Paragraphs : 5
Char Count With Spaces : 2922
App Version : 12.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts :
Heading Pairs : Title, 1
Code Page : Windows Latin 1 (Western European)
Hyperlinks : http://www.yahoo.com/_ylt=AkJ_84uMIDD6A0cgsAd.wbubvZx4;_ylu=X3oDMTNoamk4OG9oBGEDMTAwODE3IFNFRyBzaGluZSBpZGVudGl0eSB0aGVmdCB0BGNwb3MDMwRnA2lkLTM2MjMyBGludGwDdXMEcGtndgM4BHBvcwMxBHNlYwN0ZC1mZWF0BHNsawNpbWFnZQRzbHBvcwNGBHRlc3QDNzAx/SIG=13ip2d9rl/EXP=1282263418/**http%3A/shine.yahoo.com/event/financiallyfit/13-things-an-identity-thief-wont-tell-you-2299277/, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF
Comp Obj User Type Len : 39
Comp Obj User Type : Microsoft Office Word 97-2003 Document

"Last Modified By" seems interesting as it says SONY. The attachment has no links for a user to click. However, it requests personal information and informs the recipient of a payment of 250K pounds.

Email within the doc: nationwbk@hotmail.com – a personal email for the UN 🙂
The email also had a number, 0044-7010057597. Based on research the number is in London, obviously, but there is no information about a business. Likely a personal number.
http://www.searchyellowdirectory.com/reverse-phone/447010057597/

No malware found – just a social engineering attempt.

Spam targets the most vulnerable entity in the cyber world – HUMANS.