Watch Out For the Dangerous UPS/FedEx Delivery Scam  

Scams targeting the delivery chain have been around for as long as people have ordered merchandise on the internet. They vary mainly in the part of the chain they target and the severity of their goals. Some scams, sent by spammers, simply trick you into visiting a client’s website in the hope that you’ll buy their product. Others, sent by more malicious actors, will financially wipe you off the map. The goal of the current round of delivery-focused malware is to do the latter.

This particular malware (or malspam, as some call it) is called Hancitor. It has been around for a while but continually updates its tactics. Its current tactics must be working, because there has been a spike in infected computers this year, especially in the last few weeks. Hancitor is bad. If released on your computer, it will steal all of your passwords and banking information. If released on a corporate network, it will take whatever it wants.

But all malware has to start somewhere, and most malware follows the same, well-trodden path. It all begins with a phishing trip. At this stage, it doesn’t appear the malware is targeting specific individuals, but that could change depending on who controls it. The attack appears to start with randomly sent spam messages that are made to look legitimate. The current version pretends to be a message from UPS, but FedEx has been impersonated in the recent past. It begins with an email message from “UPS Quantum View” <ups@piercerx.com> or from “FedEx” <tracking@afedex.com>. Both addresses link to fringe, poorly protected sites which have been compromised, but they are only two examples among hundreds that are controlled by the spammers. UPS does have a real tracking service called Quantum View. The subject line for the UPS phishing email is “Delivery stopped for shipment #142384”. The delivery numbers are randomized. For the FedEx scam, the subject will be “FedEx Tracking 715715163815 Notification”, again with the numbers randomized. The template for both scams is copied from actual templates.

Here are the templates as analyzed by the Malware-Traffic-Analysis.net website.

ups email

Clicking ‘here’ as directed will take the victim to the site shown in the graphic. Attached to that site is a document whose name is encoded as a base64 string. Notice the odd phrasing and ungrammatical construction of the message, which suggests a foreign origin.

But why put the document name in base64? This serves two purposes. Base64 encoding sometimes goes undetected by spam filters. Remember that the key goal of all attackers and spammers is to bypass the spam filters and get the malicious email into the victim’s inbox. Getting into the inbox is not as necessary as many think, however, because many people check their spam folder from time to time and may be attracted by a good subject line. In any event, legitimate marketers try to do much the same thing, and there are websites dedicated to getting the marketer’s message into a potential client’s inbox.

If the victim clicks on the link, they will be taken to a compromised website and then offered the ‘opportunity’ to download a document. The base64 string is decoded once the victim clicks on the link, and it produces a document name which includes the email username of the victim.

You can encode information in base64 on a number of online sites. For example, I encoded the fake email address joesmith@yahoo.com into am9lc21pdGhAeWFob28uY29t. With a little manipulation, I could have the malicious website produce a document that said, “UPS Delivery joesmith”. That code would be

VVBTIERlbGl2ZXJ5IGpvZXNtaXRo

If you don’t believe me, copy the code and check it out here. The point is that I can hide the document name until I need it to produce the browser-based message that says something like, “Do you want to open or save UPS Delivery joesmith.doc from (website name)?” Of course, in the original scam, the “UPS Delivery” segment would be hard coded.
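The decoding described above can be turned around and used defensively: before anyone clicks, a mail gateway or an analyst can decode any base64-looking values in a lure link and check whether they embed the recipient's own mailbox name, which is the tell-tale sign of a personalised lure. The following script is an added example, not code from the original post; the link host and the query parameter name `d` are constructed assumptions, while the two base64 strings are the ones derived in the text.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# A query value is treated as a base64 candidate only if it uses the base64
# alphabet and is at least 8 characters; shorter values match too many plain words.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_b64_token(token: str):
    """Decode one base64 token to text; return None if it is not valid base64 text."""
    padded = token + "=" * (-len(token) % 4)  # tolerate padding stripped from the URL
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_lure_url(url: str) -> dict:
    """Return {query_key: decoded_text} for every query value that decodes as base64 text."""
    findings = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        # unquote (not unquote_plus): '+' is part of the base64 alphabet, not a space
        value = unquote(value)
        if B64_TOKEN.match(value):
            decoded = decode_b64_token(value)
            if decoded is not None:
                findings[key] = decoded
    return findings


def targets_recipient(decoded: str, recipient_email: str) -> bool:
    """True if the decoded text embeds the recipient's address or mailbox name (a personalised lure)."""
    local_part = recipient_email.split("@", 1)[0].lower()
    text = decoded.lower()
    return recipient_email.lower() in text or (len(local_part) >= 4 and local_part in text)


# Constructed sample link: the host and the parameter name "d" are hypothetical;
# the payload is the base64 string the post derives for "UPS Delivery joesmith".
SAMPLE_LURE = "http://compromised-site.example/ups/?d=VVBTIERlbGl2ZXJ5IGpvZXNtaXRo&ref=142384"

if __name__ == "__main__":
    hidden = decode_lure_url(SAMPLE_LURE)
    print(hidden)  # {'d': 'UPS Delivery joesmith'}
    for key, text in hidden.items():
        print(f"{key}: {text!r} personalised={targets_recipient(text, 'joesmith@yahoo.com')}")
```

A link whose decoded parameter contains the recipient's mailbox name is worth quarantining even when the landing site is not yet on any blocklist, because that personalisation is what the text describes the scam relying on.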

ups download1

FYI, the FedEx message will look like this.

fedex email

In both cases, accepting the download will present you with an option screen which will look something like this. The hope is that you will be frightened into enabling macros.

ups office

FireEye found a more creative API that looks like the one below, but in all cases, you will have to enable macros before the malware continues on its mission.

firefox enable macro

Enabling macros in Word will install Zloader, which will connect via the internet to a command and control center and retrieve Zbot malware. Zbot is related to the notorious ZeuS banking trojan. The malware will install itself into the browser as a man-in-the-middle and ‘watch’ for visits to any banking sites. It will also create fake certificates to make fake sites look legitimate. The malware is not limited to stealing banking information but can be used for all manner of spying and information theft.

How to Avoid Becoming a Victim

There is probably a good reason why your spam filter put an email into the spam folder. Be careful about clicking on any link in such emails, and hover the cursor over the link to see the site that it is connected to.

When presented with a document to download, check the website that it is being downloaded from. Notice that it is given in the download option message seen previously.

ups download

If a UPS document is linked to a site that seems to have no connection with UPS, such as the impacthealthnow.org example shown above, do not waste your time downloading it. If, however, you have gone so far as to download a Word document, do not use the suggestion to enable macros or editing.

If you end up with Hancitor malware on your computer, it is very difficult to remove. Some suggestions are given here and here but be aware that this malware has the ability to regenerate itself even after an apparent removal.

Zbot/ZeuS malware is considered by many experts to be the most dangerous malware on the internet. Attackers are refining it all the time and using it more and more to spearphish victims with emails that appear to come from valid sources. Take all precautions or some day you may find that you have been financially destroyed or have lost important corporate information. I will update any new attack vectors when I discover them.

Update 9-21-17 New Hancitor Tactic

According to Malware-Traffic Analysis, Hancitor has recently been found phishing with an email disguised as a request for an invoice. It’s not clear if the sender mentioned in the ‘From’ field is known to the victim.

Four security firms have identified the connected site as malicious.


The New Generation, Gen Z: “We don’t want to end up like Millennials”

Gen Z (a.k.a. iGen) refers to those individuals born around 1995. It’s the generation composed mostly of today’s teenagers. They were born with the internet firmly in place and with smartphone use becoming mainstream. They have no substantive recollection of 9/11, unlike Millennials (ages 21 to 37).

Although Millennials welcome the arrival of the tech-dependent Gen Zs and see them, more or less, as an extension of their own generation, there are clear differences developing between the two groups. The Millennials sparked the widespread use of social media, while Gen Zs take it for granted. Social media is far more important to them than it is for any other generation, and many Gen Zs believe that their happiness and self-esteem depend on it.

genz self worth

2016 The Center for Generational Kinetics

Gen Zs also differ on their choice of social media. You may be surprised to see which platform is their favorite, since few other generations have even heard of it (65% of boomers).

genz social media

For those who don’t know, Vine is a site that allows members to share short, looped videos. Although only 13% think that Facebook is an appropriate social media platform for their generation, they do feel that it serves a purpose (57%). Sadly, 34% of Gen Z-ers have never heard of LinkedIn, but this could change as they reach employment age.

The Smartphone Generation

Gen Z is the first generation to live with a smartphone as an integral part of their body. The idea of living without a smartphone is unthinkable. There is even a psychological condition which occurs if this happens. It’s called, phone separation anxiety. This is, perhaps, why Gen Zs believe it is appropriate for 13-year-olds to have a smartphone, while Millennials believe this is too young, with the majority of them feeling 18 is a more appropriate age. I doubted this statistic because I’ve noticed my Gen Z son and his friends seem more liberal than this. In fact, another report found that the mean age for receiving a first smartphone is 10.3. I expect this age will continue to lower.

genz kids

Keep in mind that these stats come from a 2016 study, and that opinions linked to technology are changing more quickly with each generation. Exponential changes in technology surround the Gen Zs, which lead them to accept ideas that older generations find unacceptable. For example, Gen Zs think it is acceptable to use a smartphone during religious services, during a job interview, and even during their own wedding ceremonies. Older generations would probably find these behaviors shocking, hence, future generational clashes are inevitable.

Although child-unfriendly content abounds on the internet, parental monitoring of their children’s smartphone use has declined. Only 25% monitor their use with special apps. Only 15% monitor their children’s whereabouts through GPS. The technology gap is separating parents from their children and it is not uncommon for children to be more tech-savvy than their parents. This is why, even when parents install parental control apps on their children’s smartphones, most teenagers know how to work around them.

The Troubling Influence of Social Media

As mentioned above, for the Gen Zs, social media largely determines their sense of self-worth. By the age of 12, most Gen Zs have social media accounts, and interactions on these accounts largely influence the way they see themselves. Keep in mind that social media includes online gaming, which has a strong social interaction component. The graphic below shows the influence social media has on Gen Z as compared to older generations.

genz old young social media

This dependence on unknown others for self-affirmation has created a whole new set of concerns for the Gen Zs. According to Childline, a support service for children and teens, the main concern of the Gen Zs is low self-esteem and unhappiness. The chart below shows how Gen Z’s concerns have changed from those of the Millennials when they were younger.

genz jobs

Notice that the main concerns for Millennials were concrete, even physical, while those of the Gen Zs tend to be more psychological. This shift can largely be attributed to the influence of social media. More so than any other generation, this could be the generation of psychological problems. At this time, however, it is impossible to say how these concerns will play out as this generation ages. One thing is certain, though; social media will come under increasing scrutiny.

A Return to More Traditional Values

Several studies have shown a tendency for Gen Zs to be more like Boomers than Millennials in their values, but it’s not an across-the-board agreement. This values shift has been traced to the alarm the Gen Zs feel when viewing the dilemmas faced by Millennials, especially when it comes to employment and education. As one Gen Z-er commented in the CGK study, “We don’t want to end up like Millennials.”

The Millennials, having been raised by relatively well-off Boomers, assumed life would be relatively easy and were not prepared to encounter adversity. Gen Zs, on the other hand, were raised mainly by a generation that saw the economy plunge and who, subsequently, developed the mindset that they were living on the edge of economic uncertainty. Thus, Gen Zs show a tendency to be more cautious or realistic. Seventy-seven percent of Gen Zs feel they will have to work harder than Millennials to be successful.

Gen Zs tend to be more independent and individualistic than previous generations. Where Millennials believed that it was safe to share any personal information online, Gen Zs tend to be more careful and selective about what they share. They have seen the problems Millennials and older generations have encountered by giving up too much personal information without proper concern for security.

Gen Zs also see the financial abyss that many Millennials faced in attempting to recover the debt they acquired by paying for education. The idea of living at home with their parents is not something Gen Zs would like. Recent surveys show that about 40% of Millennials live either with their parents or other relatives. According to a Federal Reserve study, the underemployment rate for recent college graduates is around 44%. One in ten young college graduates are neither employed nor pursuing more education. They are part of the growing number of the educated idle. This all makes Gen Zs wonder if paying so much for an education is worth the investment.

There is also the shadow cast by technology’s impermanence. What is today’s must-have tech is tomorrow’s old school. Why choose to be educated for a career when that career may become obsolete? Why spend oneself into debt to prepare for an unknowable future? Notice in the chart below from the Federal Reserve report that the once highly-sought-after business management degree left over 60% of graduates underemployed. Note also that the more practical degrees offered the best chance for post graduate success.

genz underemployment

Only 32% of current college-age Gen Zs believe they are being properly prepared for future careers. This mindset may lead Gen Zs to pursue alternative forms of education.

Conclusions

Gen Zs face a future that is more unpredictable than it has ever been. This uncertainty forces them to live in the present more than any other generation. They believe in hard work, they’re pragmatic, and they realize the value of face-to-face communication, but within limits. Seventy-one percent of Generation Z said they believe the phrase “if you want it done right, then do it yourself.” And 69% would rather work in a private rather than a shared work space.

However, there is a disclaimer behind all of these statistics. That is, how will these attitudes change when they enter universities and companies? What do teenagers really know of the workings of the ‘real world’? Like most teenagers, the Gen Zs are optimistic and believe in the American Dream (78%). Their independent attitudes and their belief in on-demand technology may make them difficult employees, especially in terms of cyber security. They may be more willing to challenge educational norms and opinions professors try to thrust upon them because they have probably been doing this on social networks. Nonetheless, predicting how they will fit into mainstream life is as difficult as predicting the future of technology.


The Banking Trojan that Uses the 711 Million Exposed Email Addresses: Why You Should Be Concerned


If you haven’t yet checked to see if your email address was compromised in the recent password exposure, go and do it now. You can type in your email address here. This will give you the dumps that your email was found in. Keep in mind that even the site’s owner, Troy Hunt, was surprised to see that his own email was listed.

I told some friends that I had found their email addresses listed in the latest leak. Most were thankful, but some thought that if their password was not exposed, they were safe. After all, what could a hacker do with only an email address? The answer is: Many evil things. These email addresses serve as a starting point for well-designed spamming attacks that attempt to deliver the Ursnif banking Trojan (aka Gozi, Dreambot) and have the potential to be used in ransomware attacks.

ursnif severe

Of course, all such attacks begin with an email that has to look legitimate enough to get itself opened. Ideally, the attackers would like the email to avoid the spam filter and get into the victim’s inbox. I’ll detail some of these techniques in a future post. For now, it’s just necessary to note that Ursnif is pretty standard in its delivery approach except for a few variations. In its mass email spamming campaign, the senders need to know which addresses are most susceptible to an attack. They will first send out a test email to check out the victim. These test emails include a single-pixel beacon within the email. If the email is opened by the intended victim, this invisible pixel informs the attacker. The beacon also sends back other useful information, such as IP address, network and device information, and what operating system the victim is using. This matters because Ursnif targets Windows systems. The beacon only fires if the potential victim has images enabled in their email client. Spam filters sometimes find these beacons and remove the associated images from an email or send the email to the spam folder. It should be noted that legitimate email marketers also use beacons to help their clients track the success of their marketing campaigns.
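A mail filter can find the kind of beacon described above by looking for remote images that are sized to be invisible or hidden by style; an image that cannot be seen has no purpose other than to report that the message was rendered. The parser below is an added example, not part of the original post or of any product, and the HTML message it scans is constructed, with a placeholder in place of the per-recipient tracking id.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(size: str) -> bool:
    """True for a width/height of 0 or 1 (with or without a 'px' suffix)."""
    return size.strip().lower().rstrip("px") in ("0", "1")


def find_tracking_pixels(html: str) -> list:
    """Return one record per remote image that is hidden or 1x1, i.e. a likely open beacon."""
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for img in collector.images:
        src = img.get("src", "")
        host = urlsplit(src).netloc
        if not host:
            continue  # cid:/data:/relative images cannot call out, so they cannot beacon
        style = img.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        tiny = _tiny(img.get("width", "")) and _tiny(img.get("height", ""))
        if hidden or tiny:
            hits.append({"host": host, "src": src, "reason": "hidden" if hidden else "1x1"})
    return hits


# Constructed sample message: a visible logo, a hidden beacon carrying a recipient id,
# and a bare 1x1 image. The hosts and the id are placeholders, not real indicators.
SAMPLE_EMAIL = """<html><body>
<p>Please review the attached invoice.</p>
<img src="https://cdn.vendor.example/logo.png" width="120" height="40" alt="logo">
<img src="http://track.example/open?id=RECIPIENT-ID-PLACEHOLDER" width="1" height="1" style="display:none">
<img src="https://stats.example/p.gif" width="1px" height="1px">
<img src="cid:image001.png@local" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL):
        print(f"beacon -> {hit['host']} ({hit['reason']}): {hit['src']}")
```

Whether the filter then strips the images or quarantines the message is a policy choice; the point the text makes is that a client that does not load remote images never triggers the beacon, so the attacker learns nothing about that mailbox.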

If the test email reveals a potential victim, the attacker will target them more precisely in a subsequent email. They may, for example, have learned which company the victim works for and construct an email that may seem to come from someone within their company. The subject line may be about a payment, invoice, or contain a known person’s name, as in the example below given by Forcepoint.

ursnif email

Notice that the email contains the password for opening an attached Word document. This may make the victim (and spam filter) less suspicious. The victim may decide to download the document and take a look at it. As is usually the case, the attacker tries to get the user to enable macros in Word. They do this in a somewhat creative way by using the interface shown below.

ursnif doc open

If the victim clicks on any of the documents shown, the attack will begin. There will be no need to wait for the victim to enable macros. That’s because these files are not what they seem to be. They are all the same VBS script designed to look like Word documents.

Once triggered, the script is designed to connect to the internet and download the main malware package. The malware will store itself in a %Temp% folder. It will begin the attack by checking to see if the device is running a sandbox. To this end, the malware also analyzes mouse movements. A mouse that doesn’t move is more likely using a sandbox. Another technique for avoiding sandbox detection is for the malware to check what processes are running. If it finds a sandbox-related process, it will not deploy.

If the system checks out as safe for the malware to operate, it will set up an autorun key in the registry, which guarantees its persistence at every startup. The original downloaded file will then be deleted, and the malware will try to hide within a legitimate process such as explorer.exe or svchost.exe.
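The persistence step just described leaves a signature a defender can look for: a new Run or RunOnce value whose data points at a download or temp directory rather than an installed program. The checker below is an added example, not the post's own material; it runs over a constructed, hypothetical registry-write log format (not any real EDR's output) and flags exactly that combination.

```python
import re

# Constructed log format (hypothetical): one registry write per line with the
# writing process, the key, the value name and the data stored, all in quoted fields.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) REG_SET pid=(?P<pid>\d+) image="(?P<image>[^"]*)" '
    r'key="(?P<key>[^"]*)" value="(?P<value>[^"]*)" data="(?P<data>[^"]*)"$'
)

# Autostart locations the post's description refers to (user and machine hives alike).
AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Directories a freshly downloaded dropper usually runs from; installed software
# rarely registers a permanent autorun that points here.
SUSPICIOUS_DIRS = (
    r"\appdata\local\temp\\",
    r"\windows\temp\\",
    r"\appdata\roaming\\",
    r"\users\public\\",
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it is not a REG_SET record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_autorun_key(key: str) -> bool:
    return any(key.lower().endswith(suffix) for suffix in AUTORUN_KEYS)


def points_to_suspicious_dir(path: str) -> bool:
    # the tuple entries end in a doubled backslash so they match a literal path separator
    lowered = path.lower().replace("/", "\\")
    return any(d.rstrip("\\") + "\\" in lowered for d in SUSPICIOUS_DIRS)


def flag_autorun_persistence(lines) -> list:
    """Return the Run/RunOnce writes whose target lives in a temp or profile-data directory."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_autorun_key(ev["key"]):
            continue
        if points_to_suspicious_dir(ev["data"]):
            alerts.append({"ts": ev["ts"], "pid": ev["pid"], "value": ev["value"], "data": ev["data"]})
    return alerts


# Constructed sample log: a dropper registering itself from %Temp%, a vendor installer
# registering a tray app from Program Files, and an unrelated settings write.
SAMPLE_LOG = r'''
2017-09-01 10:22:13 REG_SET pid=4120 image="C:\Users\joe\AppData\Local\Temp\inv_88213.exe" key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value="WinUpdate" data="C:\Users\joe\AppData\Local\Temp\inv_88213.exe"
2017-09-01 10:25:40 REG_SET pid=2210 image="C:\Program Files\Vendor\setup.exe" key="HKLM\Software\Microsoft\Windows\CurrentVersion\Run" value="VendorTray" data="C:\Program Files\Vendor\tray.exe"
2017-09-01 10:26:02 REG_SET pid=4120 image="C:\Windows\explorer.exe" key="HKCU\Software\Example\Settings" value="Theme" data="dark"
'''.strip().splitlines()

if __name__ == "__main__":
    for alert in flag_autorun_persistence(SAMPLE_LOG):
        print(f"{alert['ts']} pid={alert['pid']} autorun '{alert['value']}' -> {alert['data']}")
```

Because the text says the original file is deleted after the key is written, the registry write is often the most durable artifact left on disk, which is why it is worth alerting on at write time rather than waiting for a later scan of the Run keys.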

Once installed, the malware will then establish an internet connection with its command and control (C&C) server. It is now ready to gather important banking, credit card, or other information. It does that by using the following.

A keylogger, to record users’ keystrokes

Video and screen capturing, to follow what the user is doing when they visit their banking site in case the victim uses a mouse to login (they can watch them enter their credentials)

An information stealer, to obtain browser passwords, browser history, email, and other important data,

Man-in-the-browser and Web injects, to help them gather other personal and financial information

Tor client, to use a more hidden way to connect to the C&C (this could also be useful in some ransomware attacks)

VNC client, to remotely administer a device

True, many spamming attacks are stopped by either good spam filters or wary users. However, with 711 million email addresses at their disposal, the attacker only needs a small percentage to work to launch a successful campaign. In addition, the malware is continuously evolving with attack vectors changing all the time. The examples shown are a few of many. Its increasing sophistication in using more targeted emails (spearphishing) makes this trojan more likely to succeed than others in its class. So does it matter that an attacker only has your email address? You be the judge.


Massive 711 Million Emails and Passwords Dumped and You Are Probably on the List…I was

A malware researcher going by the Twitter handle Benkow moʞuƎq has uncovered a huge stash of emails and passwords stored on an open server in the Netherlands. The stolen credentials were apparently harvested by a spambot known as Onliner. This spambot has been used to deliver banking malware which has compromised over 100,000 accounts.

Troy Hunt, who runs the Have I Been Pwned (HIBP) website, has called this the “largest single set of data I’ve ever loaded into HIBP.” Over 711 million credentials are listed, with only 27% being repeats from previous dumps. That’s probably the most sobering fact to extract from this data. His report gives more details of this dump.

711

Just assume that your email is on the list. Sadly, when I checked my own emails, I found they were listed. The good news is that I had changed my login credentials since the information was taken.

This is just a brief post to alert anyone who may be affected as soon as possible. I suggest visiting the Have I Been Pwned site to see if you are listed. If you are, you will be given a list of the breaches you were caught up in. If you have not changed your password since the time of that breach, do so at once.

For those interested in seeing the damage that the banking trojan associated with these emails can do, see this post.


How Free Security Tools and Online Scanners Are Used by Hackers

Endpoint detection and response (EDR) tools are becoming more common on those networks which allow access to a wide variety of endpoints such as smartphones and tablets. Basically, these tools continuously monitor behavior on these devices to see if anything unusual is going on. The information collected through this monitoring is sent to a central database where it is analyzed. If something is found amiss, a report is sent to the network administrators so that they can look into the device or devices causing concern.

On the surface, the idea sounds pretty good. The problem is in the implementation. Any update being performed on a device, for example, could be assessed as possible malicious activity. There could be other reasons why an endpoint could be flagged for closer analysis, but the point here is that the central database can quickly become overrun with data from all these endpoints. The system may reach a point at which it takes so long to analyze the data that damage to the network is done in the interim. And that’s just the beginning of the problem.

It appears that, because of this pressure, some EDR companies may be using online file scanning sites to help them analyze unknown files. All antivirus firms maintain whitelists (good files/sites) and blacklists (bad files/sites). Each company will have different opinions on which files or sites are good and bad. Combining all these lists on one site, as is done on VirusTotal, means normal users and EDR services can more easily identify bad files.

Probably few companies would worry about their EDR services using these file scanning sites. Sure, the services may inform the companies that they can opt out of this additional connection, but why would they? Why would they opt out of an additional service that could potentially add another level of security to their network? The reason they might consider opting out is that these file scanning sites come with risks. These risks include exposing sensitive corporate data to potential hackers: a file uploaded to a multi-scanner is shared with its partners and subscribers, not just checked.

Security information firm, DirectDefense, has recently found that the EDR firm, Carbon Black, has accidentally been leaking corporate information through its use of VirusTotal. In its investigations, DirectDefense was able to uncover

“Cloud keys (AWS, Azure, Google Compute) – which could provide you with access to all cloud resources

App store keys (Google Play Store, Apple App Store) – letting you upload rogue applications that will be updated in place

Internal usernames, passwords, and network intelligence

Communications infrastructure (Slack, HipChat, SharePoint, Box, Dropbox, etc.)

Single sign-on/two factor keys

Customer data

Proprietary internal applications (custom algorithms, trade secrets)”.

Yeah, that sounds pretty serious. Not only that, but the company also believes that many other EDR firms probably use VirusTotal, which means that a lot of potential information on numerous high profile companies may have been accidentally leaked to whomever may have wanted to have a look at it.

In past posts, I have warned about how good, online-security tool sites can be used by hackers. In a recent post, I showed how a good security service, Malware Hunter, could be used to remotely take over a computer.

VirusTotal is routinely used by hackers to see if their malware or infected website can be detected. If it is, they can continue using VirusTotal and tweaking their attack until it escapes detection.

Have I Been Pwned (HIBP) is another good website often used by people to see if they have been victimized by a hack. HIBP uses a service called Dump Monitor (@dumpmon) to see what new hacks have occurred. Since many email/password dumps occur on Pastebin, HIBP goes there when Dump Monitor makes the dump public. HIBP then adds the information in the dump to its database.

Here’s the problem. I went to one of these recent dumps, retrieved an email and tested it on HIBP. Sure enough, I received the following information. (I removed the username in the email address.)

pwned

I now knew that the email was valid. The dump also gave me the password to this email. In other words, I, at least theoretically, could get into this person’s email account. It’s possible that the user had changed their password, but, nonetheless, I had direct access to a number of emails. I could, therefore, use HIBP as a step in a hacking campaign and validate all emails in a dump before I hacked into the accounts. If I were a hacker and was able to get into someone’s email account, I could do all sorts of damage, not the least of which would be to search for any credit card information.

Thousands of recent dumps are made available on another very useful site maintained by security firm, HTTPCS. Here, you can watch cyber attacks as they occur and get a list of various types of attacks collected from a number of sites. Among these attacks are lists of recent email/password dumps. There are also lists of software vulnerabilities that are posted on a variety of somewhat obscure sites. Some of these vulnerabilities have been patched and some not. In any event, not all of the recent patches could have been applied by every organization or business that uses the software. Hackers, interested in using these vulnerabilities, will still have time to do so. Here is an example of a recent announcement of vulnerabilities found in Google Chrome announced on Seclists.org.

“Several vulnerabilities have been discovered in the chromium web browser. CVE-2017-5087

Ned Williamson discovered a way to escape the sandbox. CVE-2017-5088

Xiling Gong discovered an out-of-bounds read issue in the v8 javascript library. CVE-2017-5089

Michal Bentkowski discovered a spoofing issue. CVE-2017-5091

Ned Williamson discovered a use-after-free issue in IndexedDB.”

Recently, hackers have begun repackaging free software security tools to include malware. This makes the malware in such tools difficult for networks to detect as dangerous. The tools are legitimate, so they may only be detected as questionable and not dangerous. But they are dangerous. They have been modified to function as information stealing devices. It’s the old wolf in sheep’s clothing angle. Worse yet, they are being used to attack government agencies. The brand of malware used in this attack has been termed Netrepser by Bitdefender. The malware included in these tools is used to infiltrate a network and do whatever the command and control center wants it to do. It appears that the command and control centers are in Russia.

And it gets worse. Earlier this year it was found that attackers were using a zero-day exploit to turn antivirus software into an attack vector. It relies on the fact that if you can’t trust your antivirus software, what can you trust? The attack has been appropriately named, DoubleAgent, as it uses your antivirus to mask its malicious activities.

There are numerous security sites and free software available to help you keep your device or network safe. Most of the time, they will give you the help you need, but keep in mind that there are always risks involved. You may be either installing malware on your device or giving away free information; information that may come back to haunt you. Even free services come with a price.

____________________________________________________________________________________________

Note: Endpoints do not need to be monitored if protected by hardware separation architecture such as that produced by WorkPlay Technologies


The Awan Family Scam:  A Triumph of Political Correctness Over Cybersecurity

After being subjected to numerous, damaging cyber attacks, you would think the Democrats would have learned their lesson and become more cybersecurity aware. Unfortunately, this does not seem to be the case. As the scam perpetrated by the Awan family on House Democrats unfolds, it becomes apparent that it succeeded because of poor cybersecurity practices underpinned by a misguided sense of political correctness. In fact, all evidence points to a complete lack of concern about cybersecurity among the Democrats affected by the scam. Not even the most basic precautions were taken.

Before looking into the matter further, it is necessary to look at what is known about this scam.

The Facts

2004 – Imran Awan, who came to the US from Pakistan as a teenager, starts working as an information technology director on Capitol Hill. He begins working for Florida Democratic Representative Robert Wexler.

2005 – At Wexler’s recommendation, Debbie Wasserman Schultz hires Imran.

2005 – Imran’s brothers (Abid and Jamal), his wife (Hina Alvi), and Abid’s wife (Natalia Sova), begin working in IT for House Democrats. Each of their salaries averages $160,000 a year.

November, 2009 to September, 2010 – Despite his apparent full time job performing IT duties for House Democrats, Abid opens and runs a car dealership (Cars International) in Falls Church, VA.

cars international

2012 – After amassing debts of over $1 million from his failed car dealership, Abid files for bankruptcy.

2012 – Family friend, Rao Abbas, begins working in IT for House Democrats.

2013 – High school friend, Haseeb Rana, hired to work in IT for House Democrats but quits after 3 months complaining that he was doing all the work.

December, 2016 – Imran’s wife signs home loan documents from an IP address associated with the US House of Representatives.

January, 2017 – Imran (posing as his wife) takes out a home loan but, instead of using the money to buy the home, Imran sends this and other money, totaling $283,000, to two people in Pakistan. It was probably this transaction that tipped off authorities.

February, 2017 – News of the investigation into the Awan family is made public. They are accused of stealing equipment from the offices of 20 House members and improperly using the IT network.

March, 2017 – Hina Alvi tries to make a quick escape to Pakistan. She suddenly takes their three children from school and goes to Dulles Airport with $12,400 in cash. She is questioned but allowed to proceed.

July 24, 2017 – Imran is arrested at Dulles Airport.

July 25, 2017 – Imran is fired by Debbie Wasserman Schultz.

The Scam

Basically, Imran found a weakness in the House employment system, which allows members to share employees without any one member paying these employees a full-time salary. Each member would pay separately, and the amount paid by each would be small enough to raise no red flags. Besides, few, if any, House members would take the time to investigate how many other House members were also paying these part-time employees. More importantly, it is unlikely that they cared. Imran must also have found weaknesses in the vetting system, as he somehow managed to get his entire family and some friends high-paying jobs without raising any suspicions. You would think that Imran’s brother’s criminal record and his apparent need for cash would have disqualified him from working in such a high-profile job, but they did not.

Imran’s wife was certainly a ghost employee who never showed up at work but managed to get over $160,000 a year for her lack of effort. Except for the two friends and, at times, Imran himself, none of the family did much, if any, work. Few of the 80 House members they worked for ever saw these IT workers. Nonetheless, together, they were able to amass $4-5 million in taxpayer money.

Motivation

The pure lack of interest in cybersecurity by Democratic House members made them low-hanging fruit for these scammers. It was simply a network waiting to be exploited. Add the family’s need for money into the equation and some sort of scam was bound to develop. Money seemed to be the family’s main motivation. The fact that Imran was arrested for stealing equipment underlines how important money was to the family. According to a police report, they were keeping their mother hostage so that they could keep her from inheriting money and property from her dying husband. They planned on getting it instead. Did they have a plan to monetize the information they found on the computers of the 80 representatives they worked for? That remains to be seen, but, given their all-pervading lust for money, it would surprise no one.

Some have suggested that they may have had political motivations and connections to radical Islamists. Those making this suggestion point to dealings the brothers had with Dr. Ali al-Attar, a doctor who had to flee the U.S. before being arrested for medical fraud and who is said to have ties to radical Islamist groups. Abid apparently borrowed $100,000 from him to start his car dealership and never paid him back. Such a political connection is possible but, based on the available evidence, it is, at this time, weak.

What could they have done?

If this group had really wanted to do damage, they could have done quite a bit. As IT administrators, they would have had access not only to individual devices but to the servers and all the information they held. It’s not clear that they thought this far ahead. They seem more like the type of criminals who look for easy money, such as that gained from selling stolen equipment or taking money designated for equipment and using it for themselves. That said, here is a list of what they could have done to make money, or to do harm, if they had wanted to.

They could…

Steal sensitive data, such as passwords, login credentials, banking information, credit card data, and personal information about supporters and contributors, and either use this information themselves or sell it.

Download sensitive information from devices to a USB for future use or send this sensitive information to cloud storage.

Install malware to remotely hack the computer/network whenever they wanted to.

Install keyloggers to gather information.

Leak information for political or monetary reasons.

Blackmail House members or others for money.

Set up a ransomware attack for financial gain.

What evidence do we have?

In an exclusive interview, Wasserman Schultz told South Florida’s Sun Sentinel newspaper last week that she was told that the case against Awan and his family involved “procurement violations and data transfer violations.” She said data had been sent “outside the secure network, which I think amounted to use of apps that the House didn’t find compliant with our security requirements.” She mentioned that Imran was using Dropbox, which, apparently, was one of the forbidden apps. She expressed her belief that other IT workers did the same thing but were not being investigated.

These remarks from Wasserman Schultz about Imran setting up a Dropbox account are far from reassuring. To me, they show that she is simply technologically naïve. Why would Imran install Dropbox at all? Maybe because this would be a good way to transfer documents from Wasserman Schultz’s computer to the cloud without leaving any suspicious storage files on her computer. Maybe he worried about leaving log traces of a USB download, of the kind shown in the image below.

[Image: USB activity as shown in NirSoft’s USBLogView utility]

It would be easy for a good administrator to track any Dropbox use, but Imran may simply have been taking advantage of Wasserman Schultz’s and others’ lack of technological knowledge. We know nothing about the extent of Imran’s own cybersecurity knowledge. It could have been very basic. Maybe he believed, as some do, that cloud storage is safer. It would certainly keep the House members he worked for from accessing any files stored there. The fact remains that, if he had installed Dropbox on other members’ computers, it would look decidedly suspicious. He could then give anyone he wanted access to these stored documents, or access them himself whenever and wherever he needed them. I’d be interested in seeing what investigators find in his Dropbox account, assuming these files were not deleted before he was arrested.
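As an added illustration of what “tracking Dropbox use” looks like in practice (this is example code written for this post, not anything from the original article or from the House IT environment), here is the kind of check an administrator could run over outbound proxy logs to spot uploads to an unapproved cloud-storage service. The log format, the list of Dropbox domain suffixes, the sample log lines and the alerting threshold are all assumptions constructed for the example. Note that it counts bytes even when the service rejected the request, because the data has already left the network by then.

```python
"""
Flag uploads to unsanctioned cloud-storage hosts in outbound proxy logs.

Added example, not code from the original post. The log format, the domain
suffixes, the sample lines and the threshold are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed: domain suffixes of a cloud-storage service the organisation has
# not approved. Edit to match your own policy.
UNSANCTIONED_SUFFIXES = ("dropbox.com", "dropboxusercontent.com", "dropboxapi.com")

# HTTP methods that carry a request body (i.e. data leaving the network).
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Assumed alerting threshold: total request bytes per user in the log window.
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # 5 MiB


@dataclass
class ProxyRecord:
    timestamp: str
    user: str
    client_ip: str
    method: str
    host: str
    request_bytes: int
    status: int


def parse_line(line: str) -> Optional[ProxyRecord]:
    """Parse one constructed log line; return None for malformed input.

    Assumed format: "<timestamp> <user> <client_ip> <METHOD> <host> <request_bytes> <status>"
    """
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, user, ip, method, host, req_bytes, status = parts
    try:
        return ProxyRecord(ts, user, ip, method.upper(), host.lower(),
                           int(req_bytes), int(status))
    except ValueError:
        return None


def matches_suffix(host: str, suffixes: Iterable[str]) -> bool:
    """True if host is one of the suffix domains or a subdomain of one.

    Compares on label boundaries so "notdropbox.com" is not a false positive.
    """
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_unsanctioned_uploads(lines: Iterable[str]) -> Dict[str, int]:
    """Return {user: total_request_bytes} for uploads to unsanctioned hosts.

    Requests the service rejected (4xx/5xx) are still counted: the bytes
    already crossed the network boundary before the server answered.
    """
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.method not in UPLOAD_METHODS:
            continue
        if not matches_suffix(rec.host, UNSANCTIONED_SUFFIXES):
            continue
        totals[rec.user] += rec.request_bytes
    return dict(totals)


def users_over_threshold(lines: Iterable[str],
                         threshold: int = UPLOAD_BYTES_THRESHOLD) -> List[str]:
    """Users whose unsanctioned upload volume meets or exceeds the threshold."""
    totals = find_unsanctioned_uploads(lines)
    return sorted(u for u, b in totals.items() if b >= threshold)


# Constructed sample log lines for illustration only (not real traffic).
SAMPLE_LOG = [
    "2017-02-01T09:12:03 jdoe 10.1.2.3 GET www.house.gov 0 200",
    "2017-02-01T09:15:44 itadmin 10.1.2.50 POST content.dropboxapi.com 4200000 200",
    "2017-02-01T09:16:10 itadmin 10.1.2.50 POST content.dropboxapi.com 3900000 200",
    "2017-02-01T09:20:31 jdoe 10.1.2.3 POST notdropbox.com 900000 200",
    "2017-02-01T09:22:07 itadmin 10.1.2.50 PUT dl.dropboxusercontent.com 100 403",
    "2017-02-01T09:25:55 asmith 10.1.2.9 POST files.sharepoint.example.gov 7000000 200",
    "malformed line here",
]

if __name__ == "__main__":
    for user, total in find_unsanctioned_uploads(SAMPLE_LOG).items():
        print(f"{user}: {total} bytes uploaded to unsanctioned cloud storage")
    print("users over threshold:", users_over_threshold(SAMPLE_LOG))
```

In the constructed sample, only the IT account trips the rule: the two large Dropbox API uploads plus the rejected PUT add up to well over the 5 MiB threshold, while the large upload to the (assumed) approved SharePoint host and the lookalike “notdropbox.com” host are ignored. The same suffix-matching and per-user aggregation would apply to DNS or firewall logs; proxy logs are used here only because they expose the method and request size.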

Evidence of Cybersecurity Naiveté

Nearly every media outlet reporting on this story remarks on how unconcerned Imran’s employers were about his being investigated. Wasserman Schultz didn’t even fire him until after he was arrested. “I believe that I did the right thing, and I would do it again”, she said during the Sentinel interview. She claims she had not seen enough evidence to fire Imran. “I had grave concerns about his due process rights being violated.” “I was presented with no evidence of anything that they were being investigated for. And so that, in me, gave me great concern that his due process rights were being violated. That there were racial and ethnic profiling concerns that I had.”

This last point should not be taken lightly. Democrats, by a wide majority, believe in promoting diversity and being politically correct. This view may have allowed the Awan family to bypass normal hiring standards. It may also have allowed them to continue in jobs that they were all under-performing in. The fear, as expressed by Wasserman Schultz, that firing them may look to others as undermining diversity or supporting ethnic profiling may have made some representatives look the other way. The Awans had forced them into an uncomfortable ethical corner.

And then, there’s apathy. According to the Daily Caller, one IT technician who works with the Democratic House members noted, “there’s no question about it: If I was accused of a tenth of what these guys are accused of, they’d take me out in handcuffs that same day, and I’d never work again.” But what baffled other IT workers most was that “members of Congress have displayed an inexplicable and intense loyalty towards the suspects.” “Members were fiercely protective of the business, despite objectively shoddy work and requests for computer help routinely ignored for weeks.” One contractor who works for the House complained that “there’s networkers meetings once a week and I never saw them ever come to them. We have an email group; I never saw them contribute or reply.”

One IT worker told a story of an angry staffer who complained about Imran taking so long to fix his computer: “‘I’m not going to pay my invoices until you fix my computer,’ and Imran went to the member, and they fired [the staffer who complained] that day. Imran has that power.” Pat Sowers, who has worked on IT with House members for years, admitted that “I love the Hill but to see this clear lack of concern over what appears to be a major breach bothers me.”

This lack of interest by affected House members has led some to suggest that the Awans may have been blackmailing them. Sowers noted, “I don’t know what they have, but they have something on someone. It’s been months at this point with no arrests. Something is rotten in Denmark.” This angle cannot be ignored, but it is only speculation at this point.

In the end, it seems the Awans took advantage of technologically naïve House members and used the members’ own support for diversity against them. Details are lacking in this case but, hopefully, they will emerge when the case goes to trial on August 21.
