Showing posts with label FBI Most Wanted.

Profiling FBI's Most Wanted Iran-based Cybercriminals - Mohammad Sadegh Ahmadzadegan - An OSINT Analysis

January 28, 2022

In this post I've decided to expose and offer personally identifiable information on the Iran-based cybercriminal known as Mohammad Sadegh Ahmadzadegan, with the aim of assisting U.S. law enforcement in tracking down and prosecuting the cybercriminals behind these campaigns.

Sample personally identifiable information on Mohammad Sadegh Ahmadzadegan includes:

Name: Mohammad Sadegh Ahmadzadegan

Handle: Nitrojen26

Email: nitr0jen26@asia[.]com; Nitrojen26@yahoo[.]com; me@sadahm[.]net

Web Site: hxxp://sadahm[.]com

Social Media Accounts: https://twitter[.]com/nitrojen26

Sample personally identifiable photos of Mohammad Sadegh Ahmadzadegan include:


Stay tuned!


Profiling FBI's Most Wanted Cybercriminal Mujtaba Raza from Forwarderz and SecondEye Solution - An OSINT Analysis

January 28, 2022

In this post I've decided to offer an in-depth, practical and relevant OSINT analysis of FBI's Most Wanted Cybercriminal Mujtaba Raza of Forwarderz and SecondEye Solution, a Pakistan-based rogue and fraudulent online enterprise selling fake documents and IDs, with the aim of assisting U.S. law enforcement in tracking down and prosecuting the cybercriminals behind these campaigns.

Sample email addresses known to have been used by Forwarderz and SecondEye Solution:

shy4angels@gmail[.]com
shahzadsmb@gmail[.]com
khizarh11@yahoo[.]com
khizarhayat[.]jaffri@yahoo[.]com
muhammadkhizar[.]hayatjaffri@yahoo[.]com
mygreentree59@yahoo[.]com
khizar14hayat@gmail[.]com
muhammadkhizarhayatjaffri@yahoo[.]com
threatcc@gmail[.]com
mujtaba@forwarderz[.]com
syedaliraza940@gmail[.]com
raza[.]zaidi92@yahoo[.]com
kool_boy92@hotmail[.]com
s[.]alirz92@gmail[.]com
alimohsin228@gmail[.]com
mohsinrazaamiri@gmail[.]com
alimohsin228@yahoo[.]com
amestypezx@yahoo[.]com
mohsin@forwarderz[.]com
great_guy1102002@yahoo[.]com
support@secondeyesolution[.]com
info@forwarderz[.]com
forwarderz@yahoo[.]com
forwarderzlive@google[.]com
forwarderzlive@hotmail[.]com
support@secondeyehost[.]com

Sample Web sites known to have been used by Forwarderz and SecondEye Solution:

hxxp://secondeyesolution[.]su
hxxp://secondeyesolution[.]ch
hxxp://secondeyesolution[.]ru
hxxp://secondeyesolution[.]com
hxxp://forwarderz[.]com
hxxp://secondeyehost[.]com

Sample screenshots of various Forwarderz and SecondEye Solution domains include:

Stay tuned!

Exposing FBI's Most Wanted Cybercriminals - Iran's Mabna Hackers - An OSINT Analysis

March 03, 2021
Dear blog readers,

I've decided to share some of the actionable intelligence I have at my disposal on the FBI's Most Wanted Iran-based Mabna Hackers, which I originally outlined in the second release of "A Qualitative and Technical Collection OSINT-Enriched Analysis of the Iranian Hacking Scene Through the Prism of the Infamous Ashiyane Digital Security Team". There you can also obtain a copy of the first release, "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran", to catch up on what Iran-based hackers and hacking groups have been up to through the present day; the research report is one of the most comprehensive and in-depth publicly accessible reports on Iran's hacking scene.

Sample screenshots of Mabna Institute including the associated Web sites where the information is offered:

Sample phishing URLs known to have been involved in the campaign:

ezvpn.mskcc.saea.ga

library.asu.saea.ga

library.lehigh.saea.ga

moodle.ucl.ac.saea.ga

saea.ga

unex.learn.saea.ga

unomaha.on.saea.ga

www.uvic.saea.ga

catalog.lib.usm.edu.seae.tk

elearning.uky.edu.seae.tk

www.aladin.wrlc.org.seae.tk

alexandria.rice.ulibr.ga

cmich.ulibr.ga

columbia.ulibr.ga

edu.edu.libt.cf

ezproxy-authcate.lib.monash.ulibr.ga

login.revproxy.brown.edu.edu.libt.cf

ezproxy-authcate.monash.lib.ulibr.ga

ezproxy-f.deakin.au.ulibr.ga

lib.dundee.ac.uk.ulibr.ga

cas.usherbrooke.ca.cavc.tk

catalog.lib.ksu.edu.cavc.tk

isa.epfl.ch.cavc.tk

login.vcu.edu.cavc.tk

www.med.unc.edu.cavc.tk

cas.iu.edu.cavc.tk

ltuvpn.latrobe.edu.au.reactivation.in

passport.pitt.edu.reactivation.in

edu.login.revproxy.brown.edu.libt.cf

shibboleth.nyu.edu.reactivation.in

login.revproxy.brown.edu.login.revproxy.brown.edu.libt.cf

weblogin.pennkey.upenn.edu.reactivation.in

webmail.reactivation.in

www.ezlibproxy1.ntu.edu.sg.reactivation.in

www.ezpa.library.ualberta.ca.reactivation.in

www.lib.just.edu.jo.reactivation.in

www.passport.pitt.edu.reactivation.in

www.shibboleth.nyu.edu.reactivation.in

www.weblogin.pennkey.upenn.edu.reactivation.in

ezlibproxy1.ntu.edu.sg.reactivation.in

login.revproxy.brown.edu.libt.cf

weblogin.umich.edu.lib2.ml

catalog.sju.edu.mncr.tk

ezpa.library.ualberta.ca.reactivation.in

lib.just.edu.jo.reactivation.in

login.ezproxy.lib.purdue.edu.reactivation.in

login.libproxy.temple.shibboleth2.uchicago.ulibr.cf

shib.ncsu.shibboleth2.uchicago.ulibr.cf

shibboleth2.uchicago.shibboleth2.uchicago.ulibr.cf

singlesignon.gwu.shibboleth2.uchicago.ulibr.cf

webauth.ox.ac.uk.shibboleth2.uchicago.ulibr.cf

edu.libt.cf

login.libproxy.temple.ulibr.cf

shib.ncsu.ulibr.cf

singlesignon.gwu.ulibr.cf

webauth.ox.ac.uk.ulibr.cf

library.cornell.ulibr.ga

login.ezproxy.gsu.ulibr.ga

shibboleth2.uchicago.ulibr.cf

login.library.nyu.ulibr.ga

mail.ulibr.ga

webcat.lib.unc.ulibr.ga

www.ulibr.ga

www.alexandria.rice.ulibr.ga

www.cmich.ulibr.ga

www.columbia.ulibr.ga

www.ezproxy-authcate.lib.monash.ulibr.ga

www.ezproxy-authcate.monash.lib.ulibr.ga

www.ezproxy-f.deakin.au.ulibr.ga

www.lib.dundee.ac.uk.ulibr.ga

www.library.cornell.ulibr.ga

www.login.ezproxy.gsu.ulibr.ga

www.login.library.nyu.ulibr.ga

auth.berkeley.edu.libna.ml

sso.lib.uts.edu.au.libna.ml

bb.uvm.edu.cvre.tk

cline.lib.nau.edu.cvre.tk

illiad.lib.binghamton.edu.cvre.tk

libcat.smu.edu.cvre.tk

login.brandeis.edu.cvre.tk

msim.cvre.tk

libcat.library.qut.nsae.ml

www.webcat.lib.unc.ulibr.ga
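
The hostnames above share one construction: the real institution's login hostname (login.revproxy.brown.edu, webauth.ox.ac.uk, shibboleth.nyu.edu) is prepended as subdomain labels to an attacker-registered domain under a free TLD (.ga, .tk, .cf, .ml, .gq), so a victim skimming the address bar sees the familiar name first while the registrable domain, the only part that actually decides who answers, is the attacker's. The following Python is an added example, not code from the original post or from any of the material it cites: it normalises a hostname, derives the registrable domain with a minimal stand-in for the Public Suffix List, and reports which protected institutional domain, if any, is embedded as whole labels in the prefix. PROTECTED_DOMAINS, TWO_LABEL_SUFFIXES, SUSPICIOUS_TOKENS and SAMPLE_HOSTS are constructed for illustration; a production version would use the full Public Suffix List and the organisation's own domain inventory.

```python
import re

# Constructed allowlist of institutional registrable domains that the
# campaign imitated. In production this would be the organisation's own
# domains plus its federation partners (assumption: illustrative set only).
PROTECTED_DOMAINS = {
    "brown.edu", "nyu.edu", "upenn.edu", "pitt.edu", "uchicago.edu",
    "ox.ac.uk", "ncsu.edu", "gwu.edu", "purdue.edu", "umich.edu",
    "berkeley.edu", "ntu.edu.sg", "ualberta.ca", "latrobe.edu.au",
}

# Minimal stand-in for the Public Suffix List: suffixes that occupy two
# labels, so the registrable domain is three labels long. Real code should
# use the full list (e.g. the publicsuffix2 package); this is an assumption.
TWO_LABEL_SUFFIXES = {"ac.uk", "edu.au", "edu.sg", "edu.jo", "com.au"}

# Labels the phishing hostnames borrow from real SSO and library front ends.
SUSPICIOUS_TOKENS = {
    "edu", "ac", "lib", "library", "libproxy", "ezproxy", "shib", "shibboleth",
    "shibboleth2", "login", "weblogin", "webauth", "cas", "sso", "vpn",
    "ezvpn", "passport", "mail", "webmail", "proxy", "revproxy", "moodle",
}


def normalize(host: str) -> str:
    """Lower-case, strip a scheme, a path and a trailing dot."""
    host = host.strip().lower()
    host = re.sub(r"^[a-z]+://", "", host)
    host = host.split("/", 1)[0]
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """eTLD+1 of the host, using the small suffix table above."""
    labels = normalize(host).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonation_target(host: str):
    """Protected domain embedded in the host's prefix, or None.

    The prefix is everything left of the registrable domain. A protected
    domain counts only if it appears as a run of whole labels there, so
    "uchicago" alone does not match "uchicago.edu".
    """
    host = normalize(host)
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return None                      # really belongs to the institution
    prefix = host[: -len(reg)].rstrip(".")
    if not prefix:
        return None
    labels = prefix.split(".")
    hits = []
    for start in range(len(labels)):
        for end in range(start + 1, len(labels) + 1):
            if ".".join(labels[start:end]) in PROTECTED_DOMAINS:
                hits.append((start, ".".join(labels[start:end])))
    if not hits:
        return None
    hits.sort()
    return hits[0][1]                    # the name a victim reads first


def classify(host: str):
    """Return (verdict, registrable_domain, impersonated_domain_or_None)."""
    host = normalize(host)
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return ("legitimate", reg, None)
    target = impersonation_target(host)
    if target:
        return ("impersonation", reg, target)
    prefix = host[: -len(reg)].rstrip(".")
    if any(label in SUSPICIOUS_TOKENS for label in prefix.split(".") if prefix):
        return ("suspicious", reg, None)
    return ("unclassified", reg, None)


def campaign_domains(hosts):
    """Distinct attacker-controlled registrable domains among the hosts."""
    return sorted({registrable_domain(h) for h in hosts
                   if classify(h)[0] != "legitimate"})


# Constructed sample drawn from the hostnames listed above, plus one real
# institutional host for contrast (assumption: the last entry is legitimate).
SAMPLE_HOSTS = [
    "login.revproxy.brown.edu.libt.cf",
    "webauth.ox.ac.uk.shibboleth2.uchicago.ulibr.cf",
    "moodle.ucl.ac.saea.ga",
    "shib.ncsu.ulibr.cf/",
    "mail.ulibr.ga",
    "saea.ga",
    "webauth.ox.ac.uk",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, "->", classify(h))
    print("campaign domains:", campaign_domains(SAMPLE_HOSTS))
```

Running the block prints one verdict per sample host and the distinct attacker-controlled registrable domains; the latter is the list to feed into DNS RPZ or proxy blocking, while the full hostnames are what to search for in web-proxy and identity-provider logs to find users who may have submitted credentials.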

Sample domains known to have been involved in the campaign:

mlibo.ml

blibo.ga

azll.cf

azlll.cf

lzll.cf

jlll.cf

elll.cf

lllib.cf

tsll.cf

ulll.tk

tlll.cf

libt.ga

libk.ga

libf.ga

libe.ga

liba.gq

libver.ml

ntll.tk

ills.cf

vtll.cf

clll.tk

stll.tk

llii.xyz

lill.pro

eduv.icu

univ.red

unir.cf

unir.gq

unisv.xyz

unir.ml

unin.icu

unie.ml

unip.gq

unie.ga

unip.cf

nimc.ga

nimc.ml

savantaz.cf

unie.gq

unip.ga

unip.ml

unir.ga

untc.me

jhbn.me

unts.me

uncr.me

lib-service.com

unvc.me

untf.me

nimc.cf

anvc.me

ebookfafa.com

nicn.gq

untc.ir

librarylog.in

llli.nl

lllf.nl

libg.tk

ttil.nl

llil.nl

lliv.nl

llit.site

flil.cf

e-library.me

cill.ml

fill.cf

libm.ga

eill.cf

llib.cf

eill.ga

nuec.cf

illl.cf

cnen.cf

aill.nl

eill.nl

mlib.cf

ulll.cf

nlll.cf

clll.nl

llii.cf

etll.cf

1edu.in

aill.cf

atna.cf

atti.cf

aztt.tk

cave.gq

ccli.cf

cnma.cf

cntt.cf

crll.tk

csll.cf

ctll.tk

cvnc.ga

cvve.cf

czll.tk

cztt.tk

euca.cf

euce.in

ezll.tk

ezplog.in

ezproxy.tk

eztt.tk

flll.cf

iell.tk

iull.tk

izll.tk

lett.cf

lib1.bid

lib1.pw

libb.ga

libe.ml

libg.cf

libg.ga

libg.gq

libloan.xyz

libnicinfo.xyz

libraryme.ir

libt.ml

libu.gq

lill.gq

llbt.tk

llib.ga

llic.cf

llic.tk

llil.cf

llit.cf

lliv.tk

llse.cf

ncll.tk

ncnc.cf

nctt.tk

necr.ga

nika.ga

nsae.ml

nuec.ml

rill.cf

rnva.cf

rtll.tk

sctt.cf

shibboleth.link

sitl.tk

slli.cf

till.cf

titt.cf

uill.cf

uitt.tk

ulibe.ml

ulibr.ga

umlib.ml

umll.tk

uni-lb.com

unll.tk

utll.tk

vsre.cf

web2lib.info

xill.tk

zedviros.ir

zill.cf 

Sample IPs known to have been involved in the campaign:

103.241.3.91

104.152.168.23

107.180.57.7

107.180.58.47

138.201.17.56

144.217.120.73

144.76.189.80

162.218.237.3

167.114.103.215

173.254.239.2

176.31.33.115

178.33.115.10

184.95.37.90

185.105.185.22

185.28.21.83

185.55.227.104

185.86.180.250

188.40.34.186

193.70.117.250

195.154.102.75

198.252.106.149

198.91.81.5

199.204.187.164

31.220.20.111

66.70.197.208

78.46.77.105

79.175.181.11

82.102.15.215

87.98.249.207

88.99.139.8

88.99.160.209

88.99.40.240

88.99.69.4

93.174.95.64

94.76.204.201

136.243.145.233

136.243.198.45

141.8.224.221

148.251.116.93

148.251.12.172

162.218.237.31

167.114.13.164

172.246.144.34

173.254.239.217

6.31.33.115

176.31.33.116

176.9.188.235

85.28.21.83

185.28.21.95

192.169.82.134

198.27.68.142

198.91.81.51

45.35.33.126

46.4.91.26

5.135.123.163

5.196.194.234

51.254.198.131

51.254.21.142

79.175.181.118

88.99.128.229

88.99.139.88

88.99.69.49

3.174.95.64

Stay tuned!


Exposing Iran's Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis

January 16, 2019
Remember my recently published "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran" report? It details and discusses in depth the most prolific Iran-based, government-sponsored and government-tolerated hacking groups, including the following:

- Ashiyane Digital Security Team
- Iranhack Security Team
- Iranian Datacoders Security Team
- Iran Security Team a.k.a SEPANTA Team/Iran Cyber Army 2012/2013
- IDH Security Team
- Bastan Security Team
- NOPO Digital Security Team
- Shekaf Security Team
- Mafia Hacking Team
- Iran Black Hats Team
- Delta Hacking Security Team
- Digital Boys Underground Team
- IrIst Security Team

I recently came across the FBI's Most Wanted Cybercriminals list and decided to elaborate by providing actionable threat intelligence on some of the most wanted Iranian cybercriminals, with the aim of helping law enforcement, informing the security industry, and ensuring that the cybercriminals behind these campaigns can be properly tracked down and prosecuted.

I can be reached at dancho.danchev@hush.com

In this OSINT analysis I'll provide actionable intelligence, including personally identifiable information, on some of FBI's Most Wanted Iranian cybercriminals, including Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Mohammad Sadegh Ahmadzadegan, Omid Ghaffarinia, Sina Keissar and Nader Saedi, as well as the infamous ITSec Team and the Mersad Co. company.


Personally Identifiable Information regarding Sun Army Team Members including ITSec Team and the Mersad Co. company:

Sun Army Team Members:
Nitrojen26, Mehdy007, MagicCoder, tHe.Mo3tafA, Plus, BodyGuard

Sample Network Infrastructure Reconnaissance:
hxxp://sun-army.org - 185.53.179.10 - Email: Sun.Army@asia.com; Lord.private@ymail.com

Name: Omid Ghaffarinia
Handle: Plus
Email: omid.ghaffarinia@gmail.com; plus.ashiyane@gmail.com; omid.ghaffarinia@alum.sharif.edu
Phone: 091 2444 9002
Web Site: http://alum.sharif.ir/~omid.ghaffarinia/; http://omidplus.persiangig.com/
Social Media Accounts: https://plus.google.com/109226633947780718251

Personal Photos of Omid Ghaffarinia a.k.a Plus:

Sample Personal Photos from a Train Trip:

Handle: MagicCoder
Email: MagicC0d3r@gmail.com
Web Site: http://magiccoder.ir

Handle: Mehdy007
Email: mehdy007@hotmail.fr
Web Site: http://mehdy007.persiangig.com

Sample Sun Army Cover Art Photos:

ITSec Team a.k.a Amn pardazesh kharazmi a.k.a Pooya Digital Security Group Members:
Pejvak, M3hr@n.S, Am!rkh@n, Doosib, H4mid@Tm3l, R3dm0ve, Provider, ahmadbady

Sample Team Member Personally Identifiable Information:
Name: Amin Shokohi
Handle: Pejvak
Email: pejv4k@yahoo.com
Web Site: http://pejv4k.persiangig.com; http://pejv4k.110mb.com

Handle: Mehr@n.S
Email: M3hran.S@gmail.com

Sample Network Infrastructure Reconnaissance:
http://itsecteam.com/

Social Network Graph of Sun Army Team Members including ITSec Team Members and the Mersad Co. company:


Name: Mohammad Sadegh Ahmadzadegan
Handle: Nitrojen26
Email: nitr0jen26@asia.com; Nitrojen26@yahoo.com; me@sadahm.net
Web Site: hxxp://sadahm.com
Social Media Accounts: https://twitter.com/nitrojen26

Sample Personal Photos of Mohammad Sadegh Ahmadzadegan a.k.a Nitrojen26:

Sample Mersad Co. Company Logo:

Sample Network Infrastructure reconnaissance:
hxxp://mersad.co/ - 188.40.112.196
hxxp://mersadco.ir

Mohammad's life has been strongly tied to programming. After graduating in Computer Engineering, he studied IT (E-Commerce) for his Master's to learn more about the relationship between business and technology. You can find some large-scale software projects managed by him, such as Iran's SOC, SDIDS, the Jolfa Vulnerability DB, etc. He is now a university lecturer, the CEO of Mersad Co. and one of TKJ Co.'s consultants. Mohammad is here to help you manage a good development team and guide you to better use of technology to achieve your business goals.

Personal Photos of Mersad Co.CEO Mohammad Hamidi Esfahani:

Personally Identifiable Information regarding Mersad Co. Company CEO Mohammad Hamidi Esfahani:

Name: Mohammad Hamidi Esfahani
Email: m.hamidi.es@gmail.com
Phone: 0913-304-7591
Web Sites: http://www.mohammadhamidi.ir/
Social Media Accounts: https://www.facebook.com/mohammad.hamidi; https://twitter.com/haj_mamed; https://github.com/mohammadhamidi; https://medium.com/@haj_mamed; https://plus.google.com/+mohammadhamidiEsfahani

Sample Mersad Co. Personal Company Photos:

Stay tuned!