Has the Budweiser Twitter Account Been Hacked?

I was researching fake news related to the NFL-Anthem controversy today and decided to check in on tweets related to NFL sponsors. Most had taken a middle-of-the-road position in a conflict that is not allowing a middle-of-the-road position.

When I checked to see how Budweiser was responding to numerous attacks, this is what I found.

[image: bud twit]

Notice that the account is verified. So what’s the deal?

I checked an associated site, @BudweiserUSA, and the latest tweet was this.

[image: bud lyft]

However, the @Budweiser link goes to the account shown above. Although not yet reported in the news, at least not that I could find, either their main account has been taken over or it is being set up to send out fake news. Just read the comments on this tweet to get an idea of what pressure Budweiser is coming under from irate NFL fans.

Their associated site, @Anheuser-Busch, is operating but is under a similar attack. Their last tweet

[image: anheuser diversity]

produced a tirade of angry responses. Here is an example of one of the nicer ones.


Well, you get the picture. I could not get the Budweiser page to completely load, which could be a sign that they are experiencing heavy traffic.

I sent Budweiser a message but was told the reply would come in a week or more.

In the meantime, don’t trust any news you hear from Budweiser, especially negative news. This all may just blow over but, for now, all news emanating from sites related to NFL sponsors should be treated with caution.

A complete post on this situation will appear in the near future.



The LinkedIn Job Scam

If I wanted to hack into a particular corporate network, I would begin by visiting LinkedIn. LinkedIn is like a menu for hackers. I simply type in the name of the company network I want to break into, and I will find a list of people who work for it. In other words, I’ll have information about an endpoint: a possible doorway into the network.

Let me give you an example. Suppose I want to get into the IBM network. (I chose this completely at random.) First, I would find a list of IBM employees on LinkedIn. Next, I’d have to vet this group. I don’t want to attack someone in security. I want to find someone who has a better chance at not being so knowledgeable about cybersecurity. Sure, I may be wrong, but I have to play percentages here. Using these parameters, I found an IBM marketer (who I will not name here). She gave me a lot of information about herself including the places she used to work and people who worked with her and endorsed her.

Through a Google search, I learned that IBM has an online employee information finder and, from her LinkedIn information, I knew enough about her to use it.

[image: ibm search]

Since LinkedIn had told me the geographical location where she worked, I typed in the information and received an email address and a phone number.

[image: ibm results]

A reverse phone number search confirmed that this was a personal phone, which means I could use the phone number to reset her password on some social media sites that use two-factor authentication (2FA). However, that was not what I wanted to do. (See this post to see how this is done.)

My priority was to find as many contacts as I could. Of course, I could use those people who worked with her and endorsed her on LinkedIn, but Google helped me find her Twitter account and a list of followers. I also found her address, interests, and her political affiliations and donations. I found her Instagram account and her blogs. In short, I now had enough information to design a good spearphishing email. I could make it look like it came from one of her friends or co-workers. Since Instagram and Twitter showed me where she was and what she was recently doing, I could refer to this information in the email to make it seem even more valid. I could then attach a link to some ‘photos’ or an attachment of some photos or documents. Of course, this would get her to install malware on her computer and, hopefully, get me into the IBM network.

My biggest problem would be for IBM to allow my email onto its network through her IBM email address. This would not be a problem if I could install malware directly on her phone, since it is apparently connected to the IBM network. There are numerous ways to install malware on any phone that I already know the number for, but they are too many to outline here. Those interested can check out this article.

The LinkedIn Job Scam

If you’ve ever been down and out and looking for a job, you’ll grasp at any straw that comes along. If someone gives you a job offer that looks even close to legitimate, you’ll do whatever it takes to get it. Well, if I were a hacker, I could take advantage of this state of mind. Imagine if I could get a list of people who want jobs. Imagine what I could make them do to get a job. I could ask for personal details. I could lead them to websites to fill out forms. I could get all kinds of personal information because these are desperate people and desperate people will readily give up security concerns for subsistence.

But does LinkedIn have a database of people who are actively seeking employment? Yes, but it’s not easy to find. First of all, the job seeker has to make it clear that they are actively seeking work. To do this, they have to go to the main ‘Jobs’ page. Near the top of the page is an option to “Update career interests”. Doing this will lead you to the “Career interests” page, where you will see the following.

[image: linkedin recruiters]

When you slide the button to ‘On’, recruiters will see that you are open to receiving job offers. LinkedIn arranges it so that your current employer and those connected to it do not see that you are openly seeking new employment.

The catch is that, for recruiters to see people openly seeking employment, they have to use the paid service called LinkedIn Recruiter. However, the cost is not prohibitive (and it is occasionally offered as a free trial), and nothing would stop a dedicated hacker, especially one with the backing of a nation-state, from setting up a fake account as a recruiter and paying the small fee to obtain a list of good hacking targets. Others have claimed that hackers will use other job-seeking websites to find names and then cross-reference them on LinkedIn as preliminary preparation for a LinkedIn-based attack.

The latest job scam uses fake recruiter profiles that look exactly like the profiles of real recruiters. The reason they may look exactly like real profiles is that they have copied the profiles of actual recruiters. In other words, checking the profiles of the people who send you job offers won’t help. They will even use corporate logos and other information to make their profiles look legitimate. In any event, the fake recruiter will tell you that you should send them a resume or visit a site where you can fill in a form. The form will ask you for a lot of personal information, which may even include your social security number. Some will ask that you send them a training or application fee. (To learn more about fake recruiter profiles, read my post, How Many of Your LinkedIn Contacts are Fake and What Do They Want From You?)

So if fake recruiters are so difficult to spot, what can you do? The Better Business Bureau suggests you ask for a phone interview or, at least, a chance to talk with them via phone. Most fake recruiters will avoid all phone contact and will make repeated excuses as to why this cannot happen. Phoning them would put you in control and they may not be able to answer any more technical questions you may ask. If you have connections in common, (and this is likely) check with these connections to see what they know about the recruiter. Don’t pay any money up front, even if the job seems legitimate. This includes any affirmation that you will be reimbursed later.

Don’t discount the motive of revenge lurking behind such offers. One victim reported that he quit his well-paid job because he was offered a better job through LinkedIn. He later found out that a former colleague was behind the scam. That said, most scammers are just out to get your personal information; doing so can allow them to monetize that information or use it to infiltrate a corporate network, as I outlined at the beginning of this article.

Common sense often fails when that perfect job offer comes along. However, if your instincts tell you something just doesn’t sound right, be skeptical. Check out the company. Check any links. Do an image search on Google to see if the person’s profile picture is used in other locations. And finally, don’t give up any personal information without a fight.






Watch Out For the Dangerous UPS/FedEx Delivery Scam

Scams targeting the delivery chain have been around for as long as people have ordered merchandise on the internet. They vary mainly in the part of the chain they target and the severity of their goals. Some scams, sent by spammers, simply trick you into visiting a client’s website in the hope that you’ll buy their product. Others, sent by more malicious actors, will financially wipe you off the map. The goal of the current round of delivery-focused malware is to do the latter.

This particular malware (or malspam, as some call it) is called Hancitor. It’s been around for a while but continually updates its tactics. Its current tactics must be working, because there has been a spike in infected computers this year, especially in the last few weeks. Hancitor is bad. If released on your computer, it will steal all of your passwords and banking information. If released on a corporate network, it will take whatever it wants.

But all malware has to start somewhere, and most malware follows the same well-trodden path. It all begins with a phishing trip. At this stage, it doesn’t appear the malware is targeting specific individuals, but that could change depending on who controls it. The attack appears to start with randomly sent spam messages that are made to look legitimate. The current version pretends to be a message from UPS, but FedEx has been targeted in the recent past. It begins with an email message from “UPS Quantum View” <ups@piercerx.com> or from “FedEx” <tracking@afedex.com>. Both addresses link to fringe, poorly protected sites which have been compromised, but they are only two examples among hundreds controlled by the spammers. UPS does have a tracking service called Quantum View, which lends the lure credibility. The subject line for the UPS phishing email is “Delivery stopped for shipment #142384”; the shipment numbers are randomized. For the FedEx scam, the subject will be “FedEx Tracking 715715163815 Notification”, again with the numbers randomized. The template for both scams is copied from the carriers’ actual templates.

Here are the templates as analyzed by the Malware-Traffic-Analysis.net website.

[image: ups email]

Clicking ‘here’ as directed will take the victim to the site shown in the graphic. Attached to that site is a document, the name of which is encoded as a base64 string. Notice the odd phrasing and ungrammatical construction of the message, which indicates a foreign origin.

But why put the document name in base64 code? This serves two purposes. Base64 encoding sometimes goes undetected by spam filters. Remember that the key goal of all attackers and spammers is to bypass the spam filters and get the malicious email into the victim’s inbox. Getting into the inbox is not as necessary as many think, however, because many people will check their spam folder from time to time and may be attracted by a good subject line. In any event, legitimate marketers try to do much the same thing and there are websites dedicated to getting the marketer’s message into a potential client’s inbox.

If the victim clicks on the link, they will be taken to a compromised website and then offered the ‘opportunity’ to download a document. The base64 code will be decoded once the victim clicks on the link and will produce a document name which includes the email username of the victim.

You can encode information in base64 on a number of online sites. For example, I encoded the fake email address joesmith@yahoo.com into am9lc21pdGhAeWFob28uY29t. With a little manipulation, I could have the malicious website produce a document that said, “UPS Delivery joesmith”. That code would be


If you don’t believe me, copy the code and check it out here. The point is that I can hide the document name until I need it to produce the browser-based message that says something like, “Do you want to open or save UPS Delivery joesmith.doc from (website name)?” Of course, in the original scam, the “UPS Delivery” segment would be hard coded.
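As an added example (my own code, not from the original post or from the Malware-Traffic-Analysis.net write-up), this Python script does the decoding from the defender's side: given a link pulled from a suspect email, it finds any path segment or query value that is a base64-encoded e-mail address, reports which recipient the lure was built for, and states the download name to expect in the browser prompt. The host in the sample link is a placeholder.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, parse_qsl

# Shape of an e-mail address; deliberately simple, this is a triage heuristic.
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
# Characters allowed in a (possibly URL-safe) base64 token of usable length.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")


def decode_b64_text(token):
    """Decode a base64 token to text; return None if it is not valid base64/UTF-8."""
    if not B64_TOKEN_RE.match(token):
        return None
    # Tolerate the URL-safe alphabet and stripped padding, both common in lure links.
    normalized = token.replace("-", "+").replace("_", "/").rstrip("=")
    if len(normalized) % 4 == 1:
        return None  # no base64 string has this length
    normalized += "=" * (-len(normalized) % 4)
    try:
        return base64.b64decode(normalized, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_encoded_recipients(url):
    """Return [(where, email)] for every URL component that is a base64-encoded e-mail.

    Checks each path segment and each query value, which is where a lure link
    carries the per-victim token used to build the download name.
    """
    parsed = urlparse(url)
    candidates = [("path", seg) for seg in parsed.path.split("/") if seg]
    candidates += [(f"query:{k}", v) for k, v in parse_qsl(parsed.query, keep_blank_values=True)]
    hits = []
    for where, token in candidates:
        text = decode_b64_text(token)
        if text and EMAIL_RE.match(text):
            hits.append((where, text))
    return hits


def expected_lure_name(email, prefix="UPS Delivery", ext=".doc"):
    """Name the download prompt would show for this recipient, per the scheme described above."""
    return f"{prefix} {email.split('@', 1)[0]}{ext}"


def triage(url):
    """Summarise a URL: which recipient it was built for and the filename to expect."""
    return [(where, email, expected_lure_name(email)) for where, email in find_encoded_recipients(url)]


if __name__ == "__main__":
    # Constructed sample link in the style of the lure; the host is a placeholder.
    sample = "http://compromised-site.invalid/wp-content/?dl=am9lc21pdGhAeWFob28uY29t"
    for where, email, name in triage(sample):
        print(f"{where}: built for {email}; expect the prompt to offer '{name}'")
```

Running it on a batch of reported links tells you which mailboxes the campaign was aimed at, which is the list to check for a downloaded document.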

[image: ups download1]

FYI, the FedEx message will look like this.

[image: fedex email]

In both cases, accepting the download will present you with an option screen that looks something like this, in the hope that you will be frightened into enabling macros.

[image: ups office]

FireEye found a more creative API that looks like the one below, but in all cases, you will have to enable macros before the malware continues on its mission.

[image: firefox enable macro]

Enabling macros in Word will install Zloader, which will connect via the internet to a command and control center and retrieve Zbot malware. Zbot is related to the notorious ZeuS banking trojan. The malware will install itself into the browser as a man-in-the-middle and ‘watch’ for visits to any banking sites. It will also create fake certificates to make fake sites look legitimate. The malware is not limited to stealing banking information but can be used for all manner of spying and information theft.

How to Avoid Becoming a Victim

There is probably a good reason why your spam filter put an email into the spam folder. Be careful about clicking on any link in such emails, and hover the cursor over the link to see the site that it is connected to.

When presented with a document to download, check the website that it is being downloaded from. Notice that it is given in the download option message seen previously.

[image: ups download]

If a UPS document is linked to a site that seems to have no connection with UPS, such as the impacthealthnow.org example shown above, do not waste your time downloading it. If, however, you have gone so far as to download a Word document, do not follow the prompt to enable macros or editing.

If you end up with Hancitor malware on your computer, it is very difficult to remove. Some suggestions are given here and here but be aware that this malware has the ability to regenerate itself even after an apparent removal.

Zbot/ZeuS malware is considered by many experts to be the most dangerous malware on the internet. Attackers are refining it all the time and using it more and more to spearphish victims with emails that appear to come from valid sources. Take all precautions or some day you may find that you have been financially destroyed or have lost important corporate information. I will update any new attack vectors when I discover them.

Update 9-21-17: New Hancitor Tactic

According to Malware-Traffic-Analysis.net, Hancitor has recently been found phishing with an email disguised as a request for an invoice. It’s not clear if the sender mentioned in the ‘From’ field is known to the victim.

Four security firms have identified the connected site as malicious.




The New Generation, Gen Z: “We don’t want to end up like Millennials”

Gen Z (a.k.a. iGen) refers to those individuals born around 1995. It’s the generation composed mostly of today’s teenagers. They were born with the internet firmly in place and with smartphone use becoming mainstream. They have no substantive recollection of 9/11, unlike Millennials (ages 21 to 37).

Although Millennials welcome the arrival of the tech-dependent Gen Zs and see them, more or less, as an extension of their own generation, there are clear differences developing between the two groups. The Millennials sparked the widespread use of social media, while Gen Zs take it for granted. Social media is far more important to them than it is for any other generation, and many Gen Zs believe that their happiness and self-esteem depend on it.

[image: genz self worth]

2016 The Center for Generational Kinetics

Gen Zs also differ on their choice of social media. You may be surprised to see which platform is their favorite, since few other generations have even heard of it (65% of Boomers).

[image: genz social media]

For those who don’t know, Vine is a site that allows members to share short, looped videos. Although only 13% think that Facebook is an appropriate social media platform for their generation, they do feel that it serves a purpose (57%). Sadly, 34% of Gen Z-ers have never heard of LinkedIn, but this could change as they reach employment age.

The Smartphone Generation

Gen Z is the first generation to live with a smartphone as an integral part of their body. The idea of living without a smartphone is unthinkable. There is even a psychological condition which occurs if this happens. It’s called phone separation anxiety. This is, perhaps, why Gen Zs believe it is appropriate for 13-year-olds to have a smartphone, while Millennials believe this is too young, with the majority of them feeling 18 is a more appropriate age. I doubted this statistic because I’ve noticed my Gen Z son and his friends seem more liberal than this. In fact, another report found that the mean age for receiving a first smartphone is 10.3. I expect this age will continue to lower.

[image: genz kids]

Keep in mind that these stats come from a 2016 study, and that opinions linked to technology are changing more quickly with each generation. Exponential changes in technology surround the Gen Zs, which lead them to accept ideas that older generations find unacceptable. For example, Gen Zs think it is acceptable to use a smartphone during religious services, during a job interview, and even during their own wedding ceremonies. Older generations would probably find these behaviors shocking, hence, future generational clashes are inevitable.

Although child-unfriendly content abounds on the internet, parental monitoring of their children’s smartphone use has declined. Only 25% monitor their use with special apps. Only 15% monitor their children’s whereabouts through GPS. The technology gap is separating parents from their children and it is not uncommon for children to be more tech-savvy than their parents. This is why, even when parents install parental control apps on their children’s smartphones, most teenagers know how to work around them.

The Troubling Influence of Social Media

As mentioned above, for the Gen Zs, social media largely determines their sense of self-worth. By the age of 12, most Gen Zs have social media accounts, and interactions on these accounts largely influence the way they see themselves. Keep in mind that social media includes online gaming, which has a strong social interaction component. The graphic below shows the influence social media has on Gen Z as compared to older generations.

[image: genz old young social media]

This dependence on unknown others for self-affirmation has created a whole new set of concerns for the Gen Zs. According to Childline, a support service for children and teens, the main concern of the Gen Zs is low self-esteem and unhappiness. The chart below shows how Gen Z’s concerns have changed from those of the Millennials when they were younger.

[image: genz jobs]

Notice that the main concerns for Millennials were concrete, even physical, while those of the Gen Zs tend to be more psychological. This shift can largely be attributed to the influence of social media. More so than any other generation, this could be the generation of psychological problems. At this time, however, it is impossible to say how these concerns will play out as this generation ages. One thing is certain, though; social media will come under increasing scrutiny.

A Return to More Traditional Values

Several studies have shown a tendency for Gen Zs to be more like Boomers than Millennials in their values, but it’s not an across-the-board agreement. This values shift has been traced to the alarm the Gen Zs feel when viewing the dilemmas faced by Millennials, especially when it comes to employment and education. As one Gen Z-er commented in the CGK study, “We don’t want to end up like Millennials.”

The Millennials, having been raised by relatively well-off Boomers, assumed life would be relatively easy and were not prepared to encounter adversity. Gen Zs, on the other hand, were raised mainly by a generation that saw the economy plunge and who, subsequently, developed the mindset that they were living on the edge of economic uncertainty. Thus, Gen Zs show a tendency to be more cautious or realistic. Seventy-seven percent of Gen Zs feel they will have to work harder than Millennials to be successful.

Gen Zs tend to be more independent and individualistic than previous generations. Where Millennials believed that it was safe to share any personal information online, Gen Zs tend to be more careful and selective about what they share. They have seen the problems Millennials and older generations have encountered by giving up too much personal information without proper concern for security.

Gen Zs also see the financial abyss that many Millennials faced in attempting to recover from the debt they acquired by paying for education. The idea of living at home with their parents is not something Gen Zs would like. Recent surveys show that about 40% of Millennials live either with their parents or other relatives. According to a Federal Reserve study, the underemployment rate for recent college graduates is around 44%. One in ten young college graduates is neither employed nor pursuing more education. They are part of the growing number of the educated idle. This all makes Gen Zs wonder if paying so much for an education is worth the investment.

There is also the shadow cast by technology’s impermanence. What is today’s must-have tech is tomorrow’s old school. Why choose to be educated for a career when that career may become obsolete? Why spend oneself into debt to prepare for an unknowable future? Notice in the chart below from the Federal Reserve report that the once highly-sought-after business management degree left over 60% of graduates underemployed. Note also that the more practical degrees offered the best chance for post graduate success.

[image: genz underemployment]

Only 32% of current college-age Gen Zs believe they are being properly prepared for future careers. This mindset may lead Gen Zs to pursue alternative forms of education.


Gen Zs face a future that is more unpredictable than it has ever been. This uncertainty forces them to live in the present more than any other generation. They believe in hard work, they’re pragmatic and realize the value of face-to-face communication, but within limits. Seventy-one percent of Generation Z said they believe the phrase “if you want it done right, then do it yourself.” And 69% would rather work in a private rather than a shared work space.

However, there is a disclaimer behind all of these statistics. That is, how will these attitudes change when they enter universities and companies? What do teenagers really know of the workings of the ‘real world’? Like most teenagers, the Gen Zs are optimistic and believe in the American Dream (78%). Their independent attitudes and their belief in on-demand technology may make them difficult employees, especially in terms of cyber security. They may be more willing to challenge educational norms and opinions professors try to thrust upon them because they have probably been doing this on social networks. Nonetheless, predicting how they will fit into mainstream life is as difficult as predicting the future of technology.


The Banking Trojan that Uses the 711 Million Exposed Email Addresses: Why You Should Be Concerned


If you haven’t yet checked to see if your email address was compromised in the recent password exposure, go and do it now. You can type in your email address here. This will give you the dumps that your email was found in. Keep in mind that even the site’s owner, Troy Hunt, was surprised to see that his own email was listed.

I told some friends that I had found their email addresses listed in the latest leak. Most were thankful, but some thought that if their password was not exposed, they were safe. After all, what could a hacker do with only an email address? The answer is: Many evil things. These email addresses serve as a starting point for well-designed spamming attacks that attempt to deliver the Ursnif banking Trojan (aka Gozi, Dreambot) and have the potential to be used in ransomware attacks.

[image: ursnif severe]

Of course, all such attacks begin with an email that has to look legitimate enough to get itself opened. Ideally, the attackers would like the email to avoid the spam filter and get into the victim’s inbox. I’ll detail some of these techniques in a future post. For now, it’s just necessary to note that Ursnif is pretty standard in its delivery approach except for a few variations. In its mass email spamming campaign, the senders need to know which addresses are most susceptible to an attack. They will first send out a test email to check out the victim. These test emails include a single-pixel beacon within the email. If the email is opened by the intended victim, this invisible pixel informs the attacker. The beacon also sends back other useful information, such as IP address, network and device information, and what operating system the victim is using. This is important in that Ursnif targets Windows systems. The beacon activates if the potential victim has images enabled in their emails. Spam filters sometimes find these beacons and remove the associated images from an email or send the email to the spam folder. It should be noted that legitimate email marketers also use beacons to help their clients track the success of their marketing campaigns.
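An added example, my own code and not from the post or from Forcepoint: a small Python parser that flags the beacon described above, that is, remote images in an HTML email body that are one pixel or hidden, and lists the hosts they would contact if images were enabled. The message body and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class BeaconFinder(HTMLParser):
    """Collect <img> tags that are invisible to the reader but fetch a remote URL."""

    def __init__(self):
        super().__init__()
        self.beacons = []

    @staticmethod
    def _dimension(value):
        """Parse '1', '1px' or ' 0 ' into an int; None when missing or not numeric."""
        if value is None:
            return None
        digits = value.strip().lower()
        if digits.endswith("px"):
            digits = digits[:-2]
        return int(digits) if digits.isdigit() else None

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        src = (a.get("src") or "").strip()
        if urlparse(src).scheme.lower() not in ("http", "https"):
            return  # inline cid:/data: images cannot report back to a server
        width, height = self._dimension(a.get("width")), self._dimension(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.beacons.append(src)


def find_beacons(html):
    """Return the remote URLs of tracking-pixel style images in an HTML e-mail body."""
    finder = BeaconFinder()
    finder.feed(html)
    finder.close()
    return finder.beacons


def beacon_hosts(html):
    """Hosts that would be contacted on open; compare these against the sender's domain."""
    return sorted({urlparse(url).hostname for url in find_beacons(html)})


# Constructed sample body: a logo embedded inline, a visible banner, and two beacons.
SAMPLE_EMAIL = """\
<html><body>
<p>Hello, please find attached your invoice.</p>
<img src="cid:logo" width="120" height="40">
<img src="http://tracker.example.invalid/open?id=constructed-token" width="1" height="1">
<img src="https://static.example.invalid/banner.png" width="600" height="80">
<img src="https://tracker2.example.invalid/p.gif" style="display: none;">
</body></html>
"""

if __name__ == "__main__":
    for url in find_beacons(SAMPLE_EMAIL):
        print("beacon:", url)
    print("hosts contacted on open:", beacon_hosts(SAMPLE_EMAIL))
```

Legitimate marketing mail trips the same check, so the useful signal is a beacon host that has nothing to do with the claimed sender.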

If the test email reveals a potential victim, the attacker will target them more precisely in a subsequent email. They may, for example, have learned which company the victim works for and construct an email that may seem to come from someone within their company. The subject line may be about a payment, invoice, or contain a known person’s name, as in the example below given by Forcepoint.

[image: ursnif email]

Notice that the email contains the password for opening an attached Word document. This may make the victim (and spam filter) less suspicious. The victim may decide to download the document and take a look at it. As is usually the case, the attacker tries to get the user to enable macros in Word. They do this in a somewhat creative way by using the interface shown below.

[image: ursnif doc open]

If the victim clicks on any of the documents shown, the attack will begin. There will be no need to wait for the victim to enable macros. That’s because these files are not what they seem to be. They are all the same VBS script designed to look like Word documents.

Once triggered, the script is designed to connect to the internet and download the main malware package. The malware will store itself in a %Temp% folder. It will begin the attack by checking to see if the device is running a sandbox. To this end, the malware also analyzes mouse movements. A mouse that doesn’t move more likely indicates a sandbox. Another technique for avoiding sandbox detection is for the malware to check what processes are running. If it finds a sandbox-related process, it will not deploy.

If the system checks out as safe for the malware to operate, it will set up an autorun key in the registry, which will guarantee its persistence at every startup. The original downloaded file will then be deleted and the malware will try to hide within a legitimate process such as explorer.exe or svchost.exe.

Once installed, the malware will then establish an internet connection with its command and control (C&C) server. It is now ready to gather important banking, credit card, or other information. It does that by using the following:

A keylogger, to record users’ keystrokes

Video and screen capturing, to follow what the user is doing when they visit their banking site in case the victim uses a mouse to login (they can watch them enter their credentials)

An information stealer, to obtain browser passwords, browser history, email, and other important data

Man-in-the-browser and Web injects, to help them gather other personal and financial information

Tor client, to use a more hidden way to connect to the C&C (this could also be useful in some ransomware attacks)

VNC client, to remotely administer a device

True, many spamming attacks are stopped by either good spam filters or wary users. However, with 711 million email addresses at their disposal, the attacker only needs a small percentage to work to launch a successful campaign. In addition, the malware is continuously evolving with attack vectors changing all the time. The examples shown are a few of many. Its increasing sophistication in using more targeted emails (spearphishing) makes this trojan more likely to succeed than others in its class. So does it matter that an attacker only has your email address? You be the judge.


Massive 711 Million Emails and Passwords Dumped and You Are Probably on the List…I was

A malware researcher going by the Twitter handle Benkow moʞuƎq has uncovered a huge stash of emails and passwords stored on an open server in The Netherlands. The stolen credentials were apparently harvested by a spambot known as Onliner. This spambot has been used to deliver banking malware which has compromised over 100,000 accounts.

Troy Hunt, who runs the Have I Been Pwned (HIBP) website, has called this the “largest single set of data I’ve ever loaded into HIBP.” Over 711 million credentials are listed with only 27% being repeats from previous dumps. That’s probably the most sobering fact to extract from this data. His report gives more details of this dump.


Just assume that your email is on the list. Sadly, when I checked my own emails, I found they were listed. The good news is that I had changed my login credentials since the information was taken.

This is just a brief post to alert anyone who may be affected as soon as possible. I suggest visiting the Have I Been Pwned site to see if you are listed. If you are, you will be given a list of the breaches you were caught up in. If you have not changed your password since the time of that breach, do so at once.

For those interested in seeing the damage that the banking trojan associated with these emails can do, see this post.


How Free Security Tools and Online Scanners Are Used by Hackers

Endpoint detection and response (EDR) tools are becoming more common on those networks which allow access to a wide variety of endpoints such as smartphones and tablets. Basically, these tools continuously monitor behavior on these devices to see if anything unusual is going on. The information collected through this monitoring is sent to a central database where it is analyzed. If something is found amiss, a report is sent to the network administrators so that they can look into the device or devices causing concern.

On the surface, the idea sounds pretty good. The problem is in the implementation. Any update being performed on a device, for example, could be assessed as possible malicious activity. There could be other reasons why an endpoint could be flagged for closer analysis, but the point here is that the central database can quickly become overrun with data from all these endpoints. The system may reach a point at which it takes so long to analyze the data that damage to the network is done in the interim. And that’s just the beginning of the problem.

It appears that, because of this pressure, some EDR companies may be using online file scanning sites to help them analyze unknown files. All antivirus firms maintain whitelists (good files/sites) and blacklists (bad files/sites). Each company will have different opinions on which files or sites are good and bad. Combining all these lists on one site, as VirusTotal does, means normal users and EDR services can more easily identify bad files.

Probably few companies would worry about their EDR services using these file scanning sites. Sure, the services may inform the companies that they can opt out of this additional connection, but why would they? Why would they opt out of an additional service that could potentially add another level of security to their network? The reason they might consider opting out is that these file scanning sites come with risks. These risks include the exposing of sensitive corporate data to potential hackers.

Security information firm, DirectDefense, has recently found that the EDR firm, Carbon Black, has accidentally been leaking corporate information through its use of VirusTotal. In its investigations, DirectDefense was able to uncover

“Cloud keys (AWS, Azure, Google Compute) – which could provide you with access to all cloud resources

App store keys (Google Play Store, Apple App Store) – letting you upload rogue applications that will be updated in place

Internal usernames, passwords, and network intelligence

Communications infrastructure (Slack, HipChat, SharePoint, Box, Dropbox, etc.)

Single sign-on/two factor keys

Customer data

Proprietary internal applications (custom algorithms, trade secrets)”.

Yeah, that sounds pretty serious. Not only that, but the company also believes that many other EDR firms probably use VirusTotal, which means that a lot of potential information on numerous high profile companies may have been accidentally leaked to whoever may have wanted to have a look at it.
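A defender-side check that follows from the DirectDefense findings, added here as an example (it is not Carbon Black's, DirectDefense's or VirusTotal's code): before a file leaves the network for an online scanner, look it up by hash only, and allow a full upload only if a secret scan of the contents finds nothing. The credential patterns are the publicly documented formats for AWS access key IDs, Slack tokens and PEM private keys, plus a crude password-assignment heuristic; the sample files are constructed.

```python
"""Pre-submission check before handing a file to a third-party scanner.

Added example for this post; not the code of any EDR vendor or scanning site.
Policy: query external scanners by hash first (a hash reveals nothing about
the contents); only consider uploading bytes that pass a secret scan.
"""
import hashlib
import re

# Publicly documented credential formats. These patterns are deliberately
# narrow; a real deployment would use a fuller secret-scanning ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "slack_token": re.compile(rb"xox[abpr]-[0-9A-Za-z-]{10,}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)password\s*[=:]\s*\S+"),  # heuristic
}


def sha256_hex(data: bytes) -> str:
    """Digest used for a lookup-only query to an external scanner."""
    return hashlib.sha256(data).hexdigest()


def find_secrets(data: bytes):
    """Return the names of the secret patterns that match anywhere in the file."""
    return sorted(name for name, pattern in SECRET_PATTERNS.items() if pattern.search(data))


def submission_decision(data: bytes) -> dict:
    """Decide how a file may be sent to an external scanner.

    'hash_only'  -> query by hash, never upload the bytes.
    'upload_ok'  -> no known secret pattern found; an upload may be considered.
    """
    hits = find_secrets(data)
    return {
        "sha256": sha256_hex(data),
        "secrets_found": hits,
        "mode": "hash_only" if hits else "upload_ok",
    }


# Constructed sample files. The AWS key is a made-up string in the documented
# format, not a real credential.
SAMPLE_CONFIG = b"db_host=10.0.0.5\npassword = s3cretExample\naws_key=AKIAEXAMPLEEXAMPLE01\n"
SAMPLE_BINARY = bytes(range(256)) * 4

if __name__ == "__main__":
    for label, blob in (("config", SAMPLE_CONFIG), ("binary", SAMPLE_BINARY)):
        print(label, submission_decision(blob))
```

Note that the decision is deliberately one-sided: a clean secret scan only means no known pattern was matched, so the "upload_ok" result should still be subject to whatever data-classification rules the organisation already applies to outbound files.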

In past posts, I have warned about how good online security tool sites can be used by hackers. In a recent post, I showed how a good security service, Malware Hunter, could be used to remotely take over a computer.

VirusTotal is routinely used by hackers to see if their malware or infected website can be detected. If it is, they can continue using VirusTotal and tweaking their attack until it escapes detection.

Have I Been Pwned (HIBP) is another good website often used by people to see if they have been victimized by a hack. HIBP uses a site called Dump Monitor (@dumpmon) to see what new hacks have occurred. Since many email/password dumps occur on Pastebin, HIBP goes there when Dump Monitor makes the dump public. HIBP then adds the information in the dump to its database.

Here’s the problem. I went to one of these recent dumps, retrieved an email and tested it on HIBP. Sure enough, I received the following information. (I removed the username in the email address.)


I now knew that the email was valid. The dump also gave me the password to this email. In other words, I, at least theoretically, could get into this person’s email account. It’s possible that the user had changed their password, but, nonetheless, I had direct access to a number of emails. I could, therefore, use HIBP as a step in a hacking campaign and validate all emails in a dump before I hacked into the accounts. If I were a hacker and was able to get into someone’s email account, I could do all sorts of damage, not the least of which would be to search for any credit card information.

Thousands of recent dumps are made available on another very useful site maintained by security firm HTTPCS. Here, you can watch cyber attacks as they occur and get a list of various types of attacks collected from a number of sites. Among these attacks are lists of recent email/password dumps. There are also lists of software vulnerabilities that are posted on a variety of somewhat obscure sites. Some of these vulnerabilities have been patched and some not. In any event, not all of the recent patches could have been applied by every organization or business that uses the software. Hackers interested in using these vulnerabilities will still have time to do so. Here is an example of a recent announcement, posted on Seclists.org, of vulnerabilities found in Google Chrome.

“Several vulnerabilities have been discovered in the chromium web browser.

CVE-2017-5087 Ned Williamson discovered a way to escape the sandbox.

CVE-2017-5088 Xiling Gong discovered an out-of-bounds read issue in the v8 javascript library.

CVE-2017-5089 Michal Bentkowski discovered a spoofing issue.

CVE-2017-5091 Ned Williamson discovered a use-after-free issue in IndexedDB.”
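To show what it takes to keep up with a feed like this, here is an added example (mine, not Seclists' or HTTPCS' tooling) that turns the advisory text quoted above into structured records, labels each entry's bug class from its description, and lists which CVEs an organization has not yet confirmed as patched. The set of "already patched" CVEs is a constructed placeholder.

```python
"""Turn an advisory text into structured records and list what is still open.

Added example for this post, not Seclists' or Debian's tooling. The advisory
text is the Chromium notice quoted in the post; the set of CVEs marked as
already patched is a constructed placeholder.
"""
import re

ADVISORY_TEXT = """Several vulnerabilities have been discovered in the chromium web browser.
CVE-2017-5087 Ned Williamson discovered a way to escape the sandbox.
CVE-2017-5088 Xiling Gong discovered an out-of-bounds read issue in the v8 javascript library.
CVE-2017-5089 Michal Bentkowski discovered a spoofing issue.
CVE-2017-5091 Ned Williamson discovered a use-after-free issue in IndexedDB."""

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,7}")

# Keyword -> bug-class mapping for a first-pass triage; order matters.
BUG_CLASSES = [
    ("escape the sandbox", "sandbox escape"),
    ("use-after-free", "memory corruption"),
    ("out-of-bounds", "memory corruption"),
    ("spoofing", "UI spoofing"),
]
SEVERITY_ORDER = {"sandbox escape": 0, "memory corruption": 1, "UI spoofing": 2, "unclassified": 3}


def classify(description):
    """Label a description with the first matching bug class."""
    lowered = description.lower()
    for keyword, label in BUG_CLASSES:
        if keyword in lowered:
            return label
    return "unclassified"


def parse_advisory(text):
    """Pair each CVE id with the description that follows it.

    Splitting on the id rather than on line breaks copes with extracts where
    an id has been pushed onto the end of the previous line.
    """
    ids = CVE_ID.findall(text)
    chunks = CVE_ID.split(text)[1:]  # text after each id, up to the next id
    records = []
    for cve, chunk in zip(ids, chunks):
        description = " ".join(chunk.split())  # collapse newlines and spacing
        records.append({"cve": cve, "description": description,
                        "bug_class": classify(description)})
    return records


def outstanding(records, patched_ids):
    """Return the records not yet confirmed patched, most serious first."""
    still_open = [r for r in records if r["cve"] not in patched_ids]
    return sorted(still_open, key=lambda r: (SEVERITY_ORDER[r["bug_class"]], r["cve"]))


# Constructed placeholder: CVEs this organization has already confirmed as patched.
ALREADY_PATCHED = {"CVE-2017-5089"}

if __name__ == "__main__":
    for record in outstanding(parse_advisory(ADVISORY_TEXT), ALREADY_PATCHED):
        print(record["cve"], record["bug_class"], "-", record["description"])
```

The keyword table is only a triage aid; the point is that an advisory like this needs to be matched against an inventory of what is actually deployed and patched, because, as the post notes, the window between publication and patch rollout is exactly what attackers count on.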

Recently, hackers have begun repackaging free software security tools to include malware. This makes the malware in such tools difficult for networks to detect as dangerous. The tools are legitimate, so they may only be detected as questionable rather than dangerous. But they are dangerous. They have been modified to function as information stealing devices. It’s the old wolf in sheep’s clothing angle. Worse yet, they are being used to attack government agencies. The brand of malware used in this attack has been termed Netrepser by Bitdefender. The malware included in these tools is used to infiltrate a network and do whatever the command and control center wants it to do. It appears that the command and control centers are in Russia.
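The practical defence against a repackaged tool is to check the download against a checksum the publisher distributes separately from the download itself. The following is an added example, not Bitdefender's analysis code and not tied to any specific tool; the checksum list and the two "downloaded" files are constructed in memory so it runs offline.

```python
"""Verify a downloaded tool against the publisher's checksum list before running it.

Added example for this post; not Bitdefender's code and not tied to a real
tool. The checksum list and the downloaded files are constructed in memory.
In practice the list must come from a separate, trusted channel (and ideally
be signed), otherwise a repackaged copy can simply ship its own matching hash.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksum_list(text: str) -> dict:
    """Parse the common sha256sum output format: '<hex digest>  <filename>' per line."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        table[name.strip()] = digest.lower()
    return table


def verify_download(name: str, data: bytes, checksums: dict) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for a downloaded file."""
    expected = checksums.get(name)
    if expected is None:
        return "unlisted"  # the publisher never vouched for a file by this name
    return "ok" if sha256_hex(data) == expected else "mismatch"


# Constructed sample: the genuine tool and a copy with extra content appended,
# which is all it takes for the digest to stop matching.
GENUINE_TOOL = b"#!/bin/sh\necho scanning\n"
REPACKAGED_TOOL = GENUINE_TOOL + b"# extra content added by a third party\n"

# Constructed checksum list in the format a vendor might publish.
PUBLISHED_CHECKSUMS = f"""# sha256 checksums for release 1.0 (constructed example)
{sha256_hex(GENUINE_TOOL)}  scanner.sh
"""

if __name__ == "__main__":
    table = parse_checksum_list(PUBLISHED_CHECKSUMS)
    print("genuine:   ", verify_download("scanner.sh", GENUINE_TOOL, table))
    print("repackaged:", verify_download("scanner.sh", REPACKAGED_TOOL, table))
```

A file that comes back "unlisted" deserves the same treatment as "mismatch": a tool the publisher did not list is not one the publisher is standing behind, which is precisely the situation a repackaged download creates.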

And it gets worse. Earlier this year it was found that attackers were using a zero-day exploit to turn antivirus software into an attack vector. It exploits the trust placed in antivirus software: if you can’t trust your antivirus, what can you trust? The attack has been appropriately named DoubleAgent, as it uses your antivirus to mask its malicious activities.

There are numerous security sites and free software available to help you keep your device or network safe. Most of the time, they will give you the help you need, but keep in mind that there are always risks involved. You may be either installing malware on your device or giving away information for free, information that may come back to haunt you. Even free services come with a price.

Note: Endpoints do not need to be monitored if protected by hardware separation architecture such as that produced by WorkPlay Technologies.
