Wednesday, May 16, 2007

Corporate Espionage Through Botnets

Following my previous post on OSINT Through Botnets, here's a company that's categorizing Fortune 500 companies whose networks are heavily polluted with malware-infected hosts:

"Support Intelligence (SI), a network security company in San Francisco, has been running what it called "30 Days of Bots," featuring corporate networks infected with spam-churning bots. It began analyzing data in February, monitoring 10,000 domains that plow data into a trap much like a fishnet, except the intelligence in the data is designed to determine what information to keep by looking for spam. In total, SI analyzed traffic from more than 100 sources, including the aforementioned spam traps."

Considering the possibility of gathering open source intelligence through infected military and government PCs alone, it is logical to conclude that a specific company can likewise be targeted on the basis of the already infected hosts on its network. Think about it. For the time being, a botnet's master doesn't really care whether it's a military or a Fortune 500 network that's infected, as long as spam, phishing and malware go out of these hosts. But passive corporate espionage, in the form of intercepting the traffic going out of a specific company's network, shouldn't be excluded as an opportunity.

Visual Script Obfuscation

We often talk about, and deobfuscate, scripts that aim to hide their real and often malicious intentions. But what if malicious attackers have become so efficient at obfuscation that they decide to show some JAPH style, visually obfuscating the scripts to make them harder to analyze, as you can see here?

The Jihadist Security Encyclopedia

A month ago, the Media Jihad Battalion started distributing a 118-page encyclopedia covering everything from secure communications to keywords not to search for, as they'll raise an early warning system alarm. The front cover is very much in the style of Blade, but the PSYOPS motive is highly influential. Here's a translated table of contents and the original version attached.

Sampling Jihadists' IPs

A great idea, as a matter of fact:

"The following is based on an analysis of 4,593 IP addresses (1,452 unique IP addresses). The IPs were acquired from 19 of the more prominent of the Salafist/Jihadist forums, including both Arabic and non-Arabic forums, from 01 January through 30 April of this year."

When taking the per-country stats into consideration, do not exclude the logical possibility of IP cloaking while browsing these forums, nor the tiny number of intelligence and lone-gunman info warriors gathering OSINT data. In another, much more in-depth analysis on mapping the online jihad, the authors point out the emerging internationalization of jihad as well:

"The near exclusive use of the Arabic language in these significant jihadi websites likely accounts for the concentration of activity in the Middle East and North Africa. But with a reach to more than 40 countries, the virtual community within these ten influential sites assumes a global significance. The international jihadi movement's use of the internet to fuel the exchange of ideological expansion and its corresponding influx of support will increase the vulnerability of many countries to the appeal of extremism."

At least these organizations don't rely on setting up fake jihadist communities to come up with the sample data, but know exactly where to look.