Exposing FBI's Most Wanted Iran's Mabna Hackers - An OSINT Analysis

Dear blog readers,

In this post I've decided to share actionable intelligence on the online infrastructure of FBI's Most Wanted Iran's Mabna Hackers for the purpose of assisting everyone in their cyber attack and cyber threat actor attribution campaigns.

mlibo[.]ml

blibo[.]ga

azll[.]cf

azlll[.]cf

lzll[.]cf

jlll[.]cf

elll[.]cf

lllib[.]cf

tsll[.]cf

ulll[.]tk

tlll[.]cf

libt[.]ga

libk[.]ga

libf[.]ga

libe[.]ga

liba[.]gq

libver[.]ml

ntll[.]tk

ills[.]cf

vtll[.]cf

clll[.]tk

stll[.]tk

llii[.]xyz

lill[.]pro

eduv[.]icu

univ[.]red

unir[.]cf

unir[.]gq

unisv[.]xyz

unir[.]ml

unin[.]icu

unie[.]ml

unip[.]gq

unie[.]ga

unip[.]cf

nimc[.]ga

nimc[.]ml

savantaz[.]cf

unie[.]gq

unip[.]ga

unip[.]ml

unir[.]ga

untc[.]me

jhbn[.]me

unts[.]me

uncr[.]me

lib-service[.]com

unvc[.]me

untf[.]me

nimc[.]cf

anvc[.]me

ebookfafa[.]com

nicn[.]gq

untc[.]ir

librarylog[.]in

llli[.]nl

lllf[.]nl

libg[.]tk

ttil[.]nl

llil[.]nl

lliv[.]nl

llit[.]site

flil[.]cf

e-library[.]me

cill[.]ml

fill[.]cf

libm[.]ga

eill[.]cf

llib[.]cf

eill[.]ga

nuec[.]cf

illl[.]cf

cnen[.]cf

aill[.]nl

eill[.]nl

mlib[.]cf

ulll[.]cf

nlll[.]cf

clll[.]nl

llii[.]cf

etll[.]cf

1edu[.]in

aill[.]cf

atna[.]cf

atti[.]cf

aztt[.]tk

cave[.]gq

ccli[.]cf

cnma[.]cf

cntt[.]cf

crll[.]tk

csll[.]cf

ctll[.]tk

cvnc[.]ga

cvve[.]cf

czll[.]tk

cztt[.]tk

euca[.]cf

euce[.]in

ezll[.]tk

ezplog[.]in

ezproxy[.]tk

eztt[.]tk

flll[.]cf

iell[.]tk

iull[.]tk

izll[.]tk

lett[.]cf

lib1[.]bid

lib1[.]pw

libb[.]ga

libe[.]ml

libg[.]cf

libg[.]ga

libg[.]gq

libloan[.]xyz

libnicinfo[.]xyz

libraryme[.]ir

libt[.]ml

libu[.]gq

lill[.]gq

llbt[.]tk

llib[.]ga

llic[.]cf

llic[.]tk

llil[.]cf

llit[.]cf

lliv[.]tk

llse[.]cf

ncll[.]tk

ncnc[.]cf

nctt[.]tk

necr[.]ga

nika[.]ga

nsae[.]ml

nuec[.]ml

rill[.]cf

rnva[.]cf

rtll[.]tk

sctt[.]cf

shibboleth[.]link

sitl[.]tk

slli[.]cf

till[.]cf

titt[.]cf

uill[.]cf

uitt[.]tk

ulibe[.]ml

ulibr[.]ga

umlib[.]ml

umll[.]tk

uni-lb[.]com

unll[.]tk

utll[.]tk

vsre[.]cf

web2lib[.]info

xill[.]tk

zedviros[.]ir

zill[.]cf

Sample URL structure for the rogue and fraudulent online phishing infrastructure for the campaign:

ezvpn[.]mskcc[.]saea[.]ga

library[.]asu[.]saea[.]ga

library[.]lehigh[.]saea[.]ga

moodle[.]ucl[.]ac[.]saea[.]ga

saea[.]ga

unex[.]learn[.]saea[.]ga

unomaha[.]on[.]saea[.]ga

www[.]uvic[.]saea[.]ga

catalog[.]lib[.]usm[.]edu[.]seae[.]tk

elearning[.]uky[.]edu[.]seae[.]tk

www[.]aladin[.]wrlc[.]org[.]seae[.]tk

alexandria[.]rice[.]ulibr[.]ga

cmich[.]ulibr[.]ga

columbia[.]ulibr[.]ga

edu[.]edu[.]libt[.]cf

ezproxy-authcate[.]lib[.]monash[.]ulibr[.]ga

login[.]revproxy[.]brown[.]edu[.]edu[.]libt[.]cf

ezproxy-authcate[.]monash[.]lib[.]ulibr[.]ga

ezproxy-f[.]deakin[.]au[.]ulibr[.]ga

lib[.]dundee[.]ac[.]uk[.]ulibr[.]ga

cas[.]usherbrooke[.]ca[.]cavc[.]tk

catalog[.]lib[.]ksu[.]edu[.]cavc[.]tk

isa[.]epfl[.]ch[.]cavc[.]tk

login[.]vcu[.]edu[.]cavc[.]tk

www[.]med[.]unc[.]edu[.]cavc[.]tk

cas[.]iu[.]edu[.]cavc[.]tk

ltuvpn[.]latrobe[.]edu[.]au[.]reactivation[.]in

passport[.]pitt[.]edu[.]reactivation[.]in

edu[.]login[.]revproxy[.]brown[.]edu[.]libt[.]cf

shibboleth[.]nyu[.]edu[.]reactivation[.]in

login[.]revproxy[.]brown[.]edu[.]login[.]revproxy[.]brown[.]edu[.]libt[.]cf

weblogin[.]pennkey[.]upenn[.]edu[.]reactivation[.]in

webmail[.]reactivation[.]in

www[.]ezlibproxy1[.]ntu[.]edu[.]sg[.]reactivation[.]in

www[.]ezpa[.]library[.]ualberta[.]ca[.]reactivation[.]in

www[.]lib[.]just[.]edu[.]jo[.]reactivation[.]in

www[.]passport[.]pitt[.]edu[.]reactivation[.]in

http://shib[.]ncsu[.]ulibr[.]cf/idp/profile/SAML2/POST/SSO

www[.]shibboleth[.]nyu[.]edu[.]reactivation[.]in

www[.]weblogin[.]pennkey[.]upenn[.]edu[.]reactivation[.]in

ezlibproxy1[.]ntu[.]edu[.]sg[.]reactivation[.]in

login[.]revproxy[.]brown[.]edu[.]libt[.]cf

weblogin[.]umich[.]edu[.]lib2[.]ml

catalog[.]sju[.]edu[.]mncr[.]tk

ezpa[.]library[.]ualberta[.]ca[.]reactivation[.]in

lib[.]just[.]edu[.]jo[.]reactivation[.]in

login[.]ezproxy[.]lib[.]purdue[.]edu[.]reactivation[.]in

login[.]libproxy[.]temple[.]shibboleth2[.]uchicago[.]ulibr[.]cf

shib[.]ncsu[.]shibboleth2[.]uchicago[.]ulibr[.]cf

shibboleth2[.]uchicago[.]shibboleth2[.]uchicago[.]ulibr[.]cf

singlesignon[.]gwu[.]shibboleth2[.]uchicago[.]ulibr[.]cf

webauth[.]ox[.]ac[.]uk[.]shibboleth2[.]uchicago[.]ulibr[.]cf

edu[.]libt[.]cf

login[.]libproxy[.]temple[.]ulibr[.]cf

shib[.]ncsu[.]ulibr[.]cf

singlesignon[.]gwu[.]ulibr[.]cf

webauth[.]ox[.]ac[.]uk[.]ulibr[.]cf

library[.]cornell[.]ulibr[.]ga

login[.]ezproxy[.]gsu[.]ulibr[.]ga

shibboleth2[.]uchicago[.]ulibr[.]cf

login[.]library[.]nyu[.]ulibr[.]ga

mail[.]ulibr[.]ga

webcat[.]lib[.]unc[.]ulibr[.]ga

www[.]ulibr[.]ga

www[.]alexandria[.]rice[.]ulibr[.]ga

www[.]cmich[.]ulibr[.]ga

www[.]columbia[.]ulibr[.]ga

www[.]ezproxy-authcate[.]lib[.]monash[.]ulibr[.]ga

www[.]ezproxy-authcate[.]monash[.]lib[.]ulibr[.]ga

www[.]ezproxy-f[.]deakin[.]au[.]ulibr[.]ga

www[.]lib[.]dundee[.]ac[.]uk[.]ulibr[.]ga

www[.]library[.]cornell[.]ulibr[.]ga

www[.]login[.]ezproxy[.]gsu[.]ulibr[.]ga

www[.]login[.]library[.]nyu[.]ulibr[.]ga

auth[.]berkeley[.]edu[.]libna[.]ml

sso[.]lib[.]uts[.]edu[.]au[.]libna[.]ml

bb[.]uvm[.]edu[.]cvre[.]tk

cline[.]lib[.]nau[.]edu[.]cvre[.]tk

illiad[.]lib[.]binghamton[.]edu[.]cvre[.]tk

libcat[.]smu[.]edu[.]cvre[.]tk

login[.]brandeis[.]edu[.]cvre[.]tk

msim[.]cvre[.]tk

libcat[.]library[.]qut[.]nsae[.]ml

www[.]webcat[.]lib[.]unc[.]ulibr[.]ga

Stay tuned!

Continue reading →

Profiling Russia's U.S Election Interference 2016 - An OSINT Analysis

Note: This OSINT analysis has been originally published at my current employer's Web site - https://whoisxmlapi.com where I'm currently acting as a DNS Threat Researcher since January, 2021. 

We’ve decided to take a closer look at the U.S Elecetion 2016 interference provoked by several spear phishing and malicious campaigns courtesy of Russia for the purpose of offering and providing actionable threat intelligence including possible attribution clues for some of the known participants in this campaign potentially assisting fellow researchers and Law Enforcement on its way to track down and prosecute the cybercriminals behind these campaigns.

In this analysis we’ll take a closer look at the Internet connected infrastructure behind the U.S Election 2016 campaign in terms of malicious activity and offer practical and relevant including actionable threat intelligence on their whereabouts.

Sample malicious and fraudulent C&C domains known to have participated in the U.S Elections 2016 campaign:

linuxkrnl[.]net

accounts-qooqle[.]com

account-gooogle[.]com

accoounts-google[.]com

account-yahoo[.]com

accounts-googlc[.]com

accoutns-google[.]com

addmereger[.]com

akamainet[.]net

akamaivirusscan[.]com

apple-icloud-services[.]com

apple-notification[.]com

arabianbusinessreport[.]com

azamtelecom[.]com

babylonn[.]com

baengmail[.]com

boobleg[.]com

chinainternetservices[.]com

com-hdkurknfkjdnkrnngujdknhgfr[.]com

combin-banska-stiavnica[.]com

cvk-leaks[.]com

fb-security[.]com

g00qle[.]com

global-exchange[.]net

googlesetting[.]com

hlbnk[.]com

homesecuritysystems-sale[.]com

icloud-localisation[.]com

imperialc0nsult[.]com

informationen24[.]com

interglobalswiss[.]com

intra-asiarisk[.]com

invest-sro[.]com

iphone-onlineshopping[.]net

kur4[.]com

lastdmp[.]com

localisation-apple-icloud[.]com

localisation-apple-support[.]com

localisation-mail[.]com

login-163[.]com

login-kundenservice[.]com

magic-exchange[.]com

mail-apple-icloud[.]com

mailpho[.]com

malprosoft[.]com

medicalalertgroup[.]com

megafileuploader[.]com

mfadaily[.]com

mfapress[.]com

militaryexponews[.]com

msoftonline[.]com

myaccountgoogle[.]com

myaccountsgoogle[.]com

mydomainlookup[.]net

mypmpcert[.]com

net-a-porter-coupon[.]com

newiphone-online[.]net

newiphone-supply[.]net

newreviewgames[.]com

nobel-labs[.]net

nvidiaupdate[.]com

obamacarerx[.]net

onlinecsportal[.]com

pass-google[.]com

password-google[.]com

paydaytoday-uk[.]com

pb-forum[.]com

planetaryprogeneration[.]com

regionoline[.]com

security-notifications[.]com

service-facebook[.]com

servicesupdates[.]com

set121[.]com

set132[.]com

set133[.]com

sicherheitsteam-pp[.]com

sicherheitsteam-pp[.]net

skypeupdate[.]com

smp-cz[.]com

soft-storage[.]com

solutionmanualtestbank[.]com

ssl-icloud[.]com

team-google[.]com

techlicenses[.]com

techlicenses[.]net

ua-freedom[.]com

updates-verify[.]com

us-mg7mail-transferservice[.]com

us-westmail-undeliversystem[.]com

us6-yahoo[.]com

vatlcan[.]com

wordpressjointventure[.]com

ya-support[.]com

yandex-site[.]com

yepost[.]com

Related malicious and fraudulent emails known to have participated in the U[.]S Elections 2016 campaign:

julienobruno@hotmail[.]com

jenna[.]stehr@mail[.]com

s[.]simonis@mail[.]com

domreg@247livesupport[.]biz

kumarhpt@yahoo[.]com

aksnes[.]thomas@yahoo[.]com

yingw90@yahoo[.]com

andre_roy@mail[.]com

myprimaryreger@gmail[.]com

okorsukov@yahoo[.]com

tzubtfpx5@mail[.]ru

annaablony@mail[.]com

jamesyip823@gmail[.]com

tmazaker@gmail[.]com

emmer[.]brown@mail[.]com

qupton@mail[.]com

adel[.]rice@mail[.]com

trainerkart2@gmail[.]com

cowrob@mail[.]com

direct2playstore@gmail[.]com

cffaccll@mail[.]com

drgtradingllc@gmail[.]com

jack2020@outlook[.]com

pdkt00@Safe-mail[.]net

david_thompson62@aol[.]com

distardrupp@gmail[.]com

perplencorp@gmail[.]com

spammer11@superrito[.]com

jilberaner@yahoo[.]de

snowyowl@jpnsec[.]com

asainchuk@gmail[.]com

OKEKECHIDIC@GMAIL[.]COM

abelinmarcel@outlook[.]fr

idesk[.]corp[.]apple[.]com@gmail[.]com

mutantcode@outlook[.]fr

pier@pipimerah[.]com

vrickson@mail[.]com

prabhakar_malreddy@yahoo[.]com

Sample related email known to have participated in the U[.]S Elections 2016 campaign:

jack2020@outlook[.]com

Sample Maltego Graph of a sample malicious and fraudulent domain registrant known to have participated in the U.S Election 2016 campaign:

Sample related domains known to have participated in the U.S Elections 2016 campaign:

support-forum[.]org

oceaninformation[.]org

vodafoneupdate[.]org

succourtion[.]org

eascd[.]org

northropgruman[.]org

apple-iphone-services[.]com

localisation-security-icloud[.]com

applesecurity-supporticloud[.]com

icloud-iphone-services[.]com

icloud-id-localisation[.]com

apple-localisation-id[.]com

identification-icloud-id[.]com

cloud-id-localisation[.]com

support-security-icloud[.]com

identification-apple-id[.]com

localisation-apple-security[.]com

security-icloud-localisation[.]com

dabocom[.]com

quick-exchange[.]com

hygani[.]com

hztx88[.]com

sddqgs[.]net

qufu001[.]com

lutushiqi[.]com

gsctgs[.]com

tazehong[.]com

hthgj[.]com

kvistberga[.]com

bjytj[.]net

cqhuicang[.]com

softbank-tech[.]com

osce-press[.]org

maxidea[.]tw

sdti[.]tw

gmailcom[.]tw

zex[.]tw

gain-paris-notaire[.]fr

loto-fdj[.]fr

client-amzon[.]fr

idse-orange[.]fr

rgraduzkfghgd[.]com

jmhgjqtmhanoncp[.]com

stwdchstclovuzk[.]com

puxqtyrwzuzybgzehc[.]com

maatil[.]com[.]ng

surestbookings[.]com

asatuyouth[.]org[.]ng

hanna[.]ng

hostlink[.]com[.]ng

sirbenlimited[.]com

dce[.]edu[.]ng

eventsms[.]com[.]ng

krsbczmxwdsjwtizmx[.]com

alizirwzyjazurof[.]com

zslipanehule[.]com

cxotonspmjkxw[.]com

wpifmhyjkxyt[.]com

ngvsngpwdidmn[.]com

imperialvillas[.]com[.]ng

lipyhgpofsnifste[.]com

flexceeweb[.]com

fgfcpkdcnebgduls[.]com

shinjiru[.]us

supportchannel[.]net

couponofferte[.]com

psepaperindustrial[.]com

lakws[.]com

perplencorp[.]com

lbchemtrade[.]com

viaggibelli[.]com

liontitco[.]com

svendiamo[.]com

orogenicgroup[.]com

giudeviaggio[.]com

greenskill[.]net

siteseditor[.]net

e-mail-supports[.]com

biplen[.]com

infradesajohor[.]com

dealhot[.]net

suanmin[.]com

on9on9[.]com

accoutns-google[.]com

puroniq[.]com

sinqa[.]com

sadihadi[.]com

mrangkang[.]com

terumbu[.]com

phygitail[.]com

veraniq[.]com

potxr[.]com

icraw[.]com

thearoid[.]com

teempo[.]com

parblue[.]com

mydomainlookup[.]net

adrianvonziegler[.]net

zetindustries[.]com

researchs[.]com[.]ng

joymoontech[.]com

researchmaterials[.]com[.]ng

james823[.]com

oneibeauty[.]net

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Stay tuned!

Continue reading →

Massive "Facebook Appeal" Themed Phishing Campaign Uses Google's Firebase Spotted in the Wild - An OSINT Analysis

I just came across to a currently active phishing campaign that's using Google's Firebase as a hosting infrastructure for the purpose of enticing users into falling victim into a rogue and fake "Facebook Appeal" themed phishing campaign.

You can check out my initial analysis at my official Dark Web Onion here as my initial post got censored by Google as it violates its Terms of Service.

Sample malicious and rogue phishing domains known to have been involved in the campaign:

hxxp://publicaccount-facebook-46956.web.app

hxxp://publicappeal-348239237392.web.app

hxxp://publicappeal-9344858302239.web.app

hxxp://publicappeal-facebook.web.app

hxxp://publicappeal-form-fb-copyright102872.web.app

hxxp://publicappeal-form-fb-copyright104352.web.app

hxxp://publicappeal-form-fb-copyright119275.web.app

hxxp://publicappeal-form-fb-copyright126776.web.app

hxxp://publicappeal-form-fb-copyright171651.web.app

hxxp://publicappeal-form-fb-copyright18251.web.app

hxxp://publicappeal-form-fb-copyright18258.web.app

hxxp://publicappeal-form-fb-copyright18274.web.app

hxxp://publicappeal-form-fb-copyright18275.web.app

hxxp://publicappeal-form-fb-copyright182755.web.app

hxxp://publicappeal-form-fb-copyright18721.web.app

hxxp://publicappeal-form-fb-copyright187265.web.app

hxxp://publicappeal-form-fb-copyright187285.web.app

hxxp://publicappeal-form-fb-copyright18762.web.app

hxxp://publicappeal-form-fb-copyright19285.web.app

hxxp://publicappeal-form-fb-copyright19827.web.app

hxxp://publicappeal-form-fb-copyright981725.web.app

hxxp://publicappeal-form-page-unpublish1897.web.app

hxxp://publicappeal-from-fb-copyright12352.web.app

hxxp://publicappeal-from-fb-copyright12857.web.app

hxxp://publicappeal-page-unpublish-1827589.web.app

hxxp://publicappeal-page-unpublish1107276.web.app

hxxp://publicappeal-page-unpublish118172861.web.app

hxxp://publicappeal-page-unpublish18275.web.app

hxxp://publicappeal-page-unpublish182758.web.app

hxxp://publicappeal-page-unpublish1827586.web.app

hxxp://publicappeal-page-unpublish1827588.web.app

hxxp://publicappeal-page-unpublish182759.web.app

hxxp://publicappeal-page-unpublish18278652.web.app

hxxp://publicappeal-page-unpublish1827890.web.app

hxxp://publicappeal-page-unpublish187-36ac4.web.app

hxxp://publicappeal-page-unpublish187265.web.app

hxxp://publicappeal-page-unpublish18769.web.app

hxxp://publicappeal-page-unpublish1906392.web.app

hxxp://publicbusiness-appeal-form-129862.web.app

hxxp://publicbusiness-appeal-form125921.web.app

hxxp://publicfacebookappeal110631.web.app

hxxp://publicfb-appeal-form-29997.web.app

hxxp://publicfb-appeal-form-70f46.web.app

hxxp://publicfb-appeal-form-791bd.web.app

hxxp://publicfb-appeal-form-8276f.web.app

hxxp://publichouse-h3.web.app

hxxp://publicpage-appeal-unpublish1253631.web.app

hxxp://publicproject-8595314475285305009.web.app

hxxp://publicrestriction-appeal-business128.web.app

hxxp://publicreview2024545897534.web.app

Stay tuned!

Continue reading →

Massive Phishing Campaign Domain Farm Spotted in the Wild Uses Google's Firebase Thousands of Users Affected - An OSINT Analysis

I've just stumbled across a pretty decent and massive phishing domains farm that using Google's for the purpose of hosting and distributing the rogue and malicious content.

In this post I'll provide actionable intelligence on the infrastructure behind it including to discuss in-depth the TTPs (Tactics Techniques and Procedures) of the cybercriminals behind it.

Sample rogue and malicious URL known to have participated in the campaign:

hxxp://js-82wha8sw738.web.app/sc/css.css

Sample malicious and rogue responding IPs known to have participated in the campaign:

199.36.158.100

151.101.1.195

151.101.65.195

Sample screenshots of the rogue and malicious phishing domains known to have been involved in the campaign:

Sample rogue and malicious phishing domain portfolio known to have participated in the campaign:

0000.firebaseapp.com

02a8.web.app

11spielmacherbeta.firebaseapp.com

131023.firebaseapp.com

144110.firebaseapp.com

1493735036650.firebaseapp.com

164200.firebaseapp.com

177010.firebaseapp.com

177610.firebaseapp.com

17cc7.firebaseapp.com

212820.firebaseapp.com

abmay-d9b3b.web.app

abmay2-4abdf.web.app

adamlouie-c87d1.firebaseapp.com

adda-fenase.web.app

admininstatiles-5e702.firebaseapp.com

ads-restricted-id.web.app

aglae-f0665.firebaseapp.com

ahwma-de0bf.web.app

airbnb-70aba.firebaseapp.com

ajarwebsite-7d033.firebaseapp.com

all-scanner-cdf80.web.app

amao-dc021.web.app

ambitowebapp-2e394.firebaseapp.com

analytics-6a184.firebaseapp.com

angular2-hn.firebaseapp.com

angular7firestore-155e4.firebaseapp.com

aniapp-7ddc2.firebaseapp.com

anna-prone.web.app

api-project-723816548444.firebaseapp.com

appeal-form-fb-copyright102872.web.app

appeal-form-fb-copyright18258.web.app

appeal-form-fb-copyright187265.web.app

appeal-page-unpublish-1827589.web.app

appeal-page-unpublish1107276.web.app

appeal-page-unpublish118172861.web.app

appeal-page-unpublish18275.web.app

appeal-page-unpublish182758.web.app

appeal-page-unpublish1827586.web.app

appeal-page-unpublish182759.web.app

appeal-page-unpublish18278652.web.app

appeal-page-unpublish1827890.web.app

appeal-page-unpublish187-36ac4.web.app

appeal-page-unpublish18769.web.app

appemailhostingcha2.web.app

appy-760b5.firebaseapp.com

ararestaurant1.firebaseapp.com

arco-website-f9750.firebaseapp.com

aruba-postmaster-info.web.app

asmorx-1f6a2.web.app

asna-mod.web.app

ass-mote.web.app

asse-mofe.web.app

assets-0l61.firebaseapp.com

atarashii-atsui.web.app

au-ma-di.web.app

aude-mofe.web.app

audiscover-owawebapplications.web.app

auri-mo-da.web.app

auth-task1-m.web.app

auth20-outlook.web.app

authdemo-177a0.firebaseapp.com

authenticationuchu23.web.app

baffe-level.web.app

bandspace-console.web.app

baren-od.web.app

battle-22f22.firebaseapp.com

benali-acbe6.web.app

bestofjs-api-v1.firebaseapp.com

bi-1020101000x0.web.app

bigbt-aten.web.app

bingbrossvocalintel.web.app

bitbaink.web.app

bithunnb.web.app

bjqrasuoup.web.app

blockchain-assets-protection.web.app

blockchain-recovery-dda4d.web.app

bmazy2-0.web.app

bnp-verifi.web.app

boma-ren.firebaseapp.com

booking-hotesses-d7920.firebaseapp.com

bred-authentification-97-7.web.app

buten-dare.web.app

bzbikeruko.web.app

ca-regionale-department-a.web.app

cabs-ole.web.app

cadeau-par-plaisir.web.app

cale-mothe.web.app

camoam-d97a4.web.app

case-ofa.web.app

case100091254778.web.app

caseforpage100089481844.web.app

caseforpages100049151.web.app

caseforpages108412.web.app

caseforpages1885777.web.app

caseforpages1888888.web.app

caseforpages55222.web.app

caseforpages777422.web.app

caseforpages88174714.web.app

caten-opa.web.app

cau-quate.web.app

cen-kenase.web.app

cenle-one.web.app

centre-telephoneproinfo.web.app

chargement-service.web.app

chat-b2982.firebaseapp.com

chat-finpolo.firebaseapp.com

checkmailsawo5.web.app

checkmessagerievocalewebtel.web.app

checksweetmail6.web.app

cinhatena.web.app

cloud-space-auth-service.web.app

clouddoc-authorize.firebaseapp.com

club-note-vocale.web.app

code-mesme.web.app

cogne-menta.web.app

cojet-mole.web.app

cokade-made.firebaseapp.com

colimat-done.web.app

colo-mate.web.app

comasse-unade.web.app

come-measa.web.app

companyemailresync1.web.app

con-firma.firebaseapp.com

cones-dore.web.app

conh-ma.web.app

cop-ado.web.app

cope-ilna.web.app

cora-gas-me.web.app

cphost-7edd4.web.app

crawer-sur.web.app

credit-et-assurance07.web.app

cres-mate.web.app

crime-aune.web.app

crive-cible.web.app

csen-ted.web.app

d-validate.web.app

d3iioor0753gvdbfewypqb64.web.app

daisma-e7e6c.web.app

darrin-pendleton-j5286.web.app

dc4u-6e803.firebaseapp.com

decdo-chat2.firebaseapp.com

demachatendi36.web.app

demoitau-d3428.web.app

denabere-2c382.web.app

digital-book-9f870.firebaseapp.com

dmacenda.web.app

docsharex-authorize.firebaseapp.com

docuproject39-277-383-files.firebaseapp.com

dope-ufen.web.app

downloadfreeebookspdf-6e806.firebaseapp.com

downloadpdfreader-d7702.firebaseapp.com

drafty-43c88.firebaseapp.com

driveintuksouteast-falcaopla.web.app

dropdocument-c3829.web.app

dskdirect-5ba26.web.app

dw-website-fbc19.firebaseapp.com

eagle10.firebaseapp.com

ebookwngfgewarwle.web.app

edret-tropm.web.app

efetgreds.web.app

eins-done.web.app

eleven-bot-399b7.web.app

elimu-c1a38.firebaseapp.com

email-mweb-co-za-zimbra-1.firebaseapp.com

email-update-verify.web.app

email-verificationservices365.web.app

empacte-do.web.app

ems-obe.web.app

emsi-lobo.firebaseapp.com

end-losup.web.app

erfders-f6013.web.app

esote-mode.web.app

exness-mobile.web.app

explore-wetriansfering-web.web.app

exposedacne.web.app

f0ldgonn.firebaseapp.com

facebook-appeal1749902610052.web.app

facebook-appelcase32q1.web.app

facebookappeal-case10351001.web.app

facebookappealcase1884888444.web.app

facebookappealcase7174747444.web.app

facebookcase187444441.web.app

facebookcase188444.web.app

fares-one.web.app

fb-appeal-form-70f46.web.app

fb-appeal-form-791bd.web.app

fb-restricted-d12c2.web.app

fbappealform13111.web.app

fbforpages1848151.web.app

fbmail-case199418414.web.app

fbmail-pages100049194.web.app

fbpages-case10004915.web.app

fema-tode.web.app

fetfetaa-81119.web.app

fines-gining.web.app

firtserverunithpp.web.app

flape-man.web.app

flape-odade.web.app

fmvfhagpab.web.app

focus-online-news.web.app

fodes-mota.web.app

font-makeupe.web.app

foresta-mod.firebaseapp.com

foten-moda.web.app

francesbbv.web.app

freeebookspdf-9ab41.firebaseapp.com

freejobsnews-f8cb8.firebaseapp.com

freis-mode.web.app

gadjabadjala1.web.app

gare-train3.web.app

gene-marso.web.app

genie-alba.firebaseapp.com

girly-wallpaper-5b75f.web.app

godadyxs.web.app

gomas-12c01.web.app

gospel-living.web.app

goswapp-bsc.web.app

gotan-one.web.app

gotcha-67060.firebaseapp.com

grace-bijoux-14910.firebaseapp.com

green656dfbb5f31b1fe48c2391a6.web.app

gridsend-98f14.web.app

groupe-ca-authenticati-caisse.web.app

groupe-sa-accueil-autnenti.web.app

gweb-gc-gather-production.firebaseapp.com

gweb-miyagi.firebaseapp.com

hagenpau.web.app

histoire-clik.web.app

hiworksservicecenter.web.app

hon-macona.web.app

hounbvc-c7661.web.app

hsfkrkqogo.web.app

httpsaudiscover-owawebapplications.web.app

httpsdocument-download-902123.web.app

httpsfyregym-wetransfer.web.app

httpsjojo-wiza124.web.app

httpsjoovkuebea.web.app

httpsminxtex.firebaseapp.com

httpsprice-per-unit.firebaseapp.com

httpsprotectmimemimefrem.web.app

httpsworldvision-419f2.firebaseapp.com

hunin-one.web.app

hyle-fb82f.web.app

info-telephone-vocale.web.app

international-web-fb75a.web.app

isfane-osade.web.app

iydd-1b2d8.web.app

jams-jamz1234.web.app

jecta-f45df.firebaseapp.com

jentame-add.web.app

jes-mo-sad.web.app

jex-ulto.web.app

kaunte-mone.web.app

kebote-moda.web.app

kes-mole.web.app

kodrefse-nsf.web.app

l09162020-fixmailhelpdesk.web.app

laefhfdhkdsdv.web.app

lamaf-50e45.web.app

les-more.web.app

lg-roudcubeblack-access.web.app

lgeyfuusmg.web.app

licloud.web.app

licos-date.web.app

line-9ca1c.web.app

link-bb76d.web.app

lisen-ocun.web.app

live-support-82d11.firebaseapp.com

login-442v3f.web.app

loginfo-tkconf.web.app

lohsam-86765.web.app

lommsrecu3.firebaseapp.com

lono-jena.web.app

lote-masme.web.app

louams-62870.web.app

lthouse.web.app

m-cabanqueenligne-particuliers.web.app

m-orangebankenligne-id.web.app

m1technology.firebaseapp.com

maedz-5fdff.web.app

mail-8583e.web.app

mail-account-verify-f4723.web.app

mail-lcloud-com-account.web.app

mail-ovhcloud.web.app

mansan-4ca1c.web.app

may1110genstanbk.web.app

mbqbfhfmgr.web.app

memo-vocale-52636.web.app

mentipdf.web.app

mercadolibre-research.web.app

mms-sms-alert.firebaseapp.com

mo-aska-da.web.app

mobialmysyf.web.app

mobizzmperb.web.app

moce-add.web.app

moce-aude.web.app

molases-b652e.web.app

mon-tome.web.app

msgmessage-7f854.firebaseapp.com

mswordg.web.app

mta-round-cube.web.app

mxflexsub.web.app

my-bithumb.web.app

my-winbamk.web.app

mylogin-config.web.app

nale-ping.web.app

name-ocina.web.app

ne01u59l.firebaseapp.com

nera-mode.web.app

netw0rksolutions.web.app

newlink-c8a8f.web.app

njnapcdvzc.web.app

nopin-dod.web.app

nozed-uname.firebaseapp.com

ntzmttpmnttoepnlant.web.app

o-orangebank18-id.web.app

oaism-72827.web.app

ocaque-domen.firebaseapp.com

ocuso-aken.web.app

office-webmail-login-f0e3c.web.app

officeindex-file.web.app

officemailsharing-20cd3.web.app

offices-voicemail.web.app

oftenas-oweb.web.app

ojin-madij.web.app

olet-mado.web.app

omawo-14b8c.web.app

on-me-ro.firebaseapp.com

onee-a0488.web.app

oneone-19cd8.web.app

onga-moce.web.app

onlinepdfkwpmmkl.web.app

onsa-mode.web.app

orange-my-app.web.app

orangesmsprovocale.web.app

oras-moria.web.app

oroma-42f59.web.app

osale-mape.web.app

osaute-moca.web.app

others1-f7ce9.web.app

outline-auth-d7f99.web.app

outlookloffice365user09ngxsmd.web.app

outlookloffice365userp86aese6.web.app

outlooks-userserver.web.app

owa-signon-officeaccount.web.app

owablu84349439434.web.app

owserv220020.web.app

padma-3fbb8.web.app

page-appeal-unpublish1253631.web.app

pagebusiness-copyrightcase1256.web.app

pay-sera.web.app

phuongpndev.web.app

pokajca.web.app

poltunefrdonecodesms.web.app

popuyecash7.web.app

portail-messagerieorangesms.web.app

postmailservr-panel-centr.web.app

project2021c-42b13.firebaseapp.com

pry-ecommerce.web.app

put-media-lan.web.app

r-web-2a3a9.web.app

rbc-mainline.web.app

rbc-verifylogin5.web.app

rbclogin-line.web.app

readingwtagzdm.web.app

recording-c12f5.web.app

renard-trouillard.web.app

restore70174-coinbase-us.web.app

rjabldfrbg.web.app

romas-512bf.web.app

rooted-4da8a.web.app

rouncubemail.web.app

royalbill-a3y4.web.app

rufe-sun.web.app

saal-kejriwal.web.app

samda-3c88f.web.app

sarba-one.web.app

scorchvc.web.app

scorchvc.web.app0

serve-8e8dc.web.app

server-authentication-332e1.web.app

servercpanel-afa12.web.app

service-vocalesmsprotelfixe.web.app

sharebox-onedrive-file-f692f.web.app

side-esone.web.app

sim-ote.web.app

skype-online04171.web.app

slackchatv1.firebaseapp.com

snaptik.web.app

soci-molen.web.app

sode-mape.web.app

soden-olma.web.app

sofe-inchena.web.app

sofe-tane.web.app

solen-conda.web.app

somas-b88a0.web.app

sone-masa.web.app

sonta-maline.web.app

sore-modabe.web.app

soure-made.web.app

sparkassbank-de.web.app

srey-deocs.web.app

sroxma-ab2cc.web.app

sudo-mone.web.app

sugen-oda.web.app

sun-maupe.web.app

sunge-ode.firebaseapp.com

suone-bena.web.app

swiftshare-content-auth.web.app

tittot-a8505.web.app

tm-etiquetado.web.app

tome-done.web.app

totem1.web.app

totem2.web.app

tousou-posoto3.web.app

trdsmccdb7386cbf3ba0b0b8d.web.app

truein-264db.web.app

ugen-orabe.web.app

uiinlcuo37oed.web.app

un-foreste.web.app

unt-morelle.web.app

update-45190ca.web.app

user-45190ca21.web.app

userca-58ce4.web.app

usmin-moda.web.app

validate-clientrbc.web.app

vandameman4.web.app

verberuyer7.web.app

verif-loginrbc.web.app

verify-48181.web.app

verify-user-rbc.web.app

verifywell-85477.web.app

vkmqnvyfwd1111.web.app

vmta-mod.web.app

vocaleproidorange.web.app

votre-boitevocale-fixe.firebaseapp.com

wdfyxklmba.web.app

web-bf4.web.app

web-e1f6d.web.app

web874830-98375-90232.web.app

webmail-a2846.web.app

webmail-control-9efc7.web.app

wecluihfrf-76tygh.web.app

wedpfoaliculate-resmazm.web.app

westernfoodmaincourse.web.app

wetranslatetransfers-coxsola.firebaseapp.com

wetrnafers.web.app

whatsapp-clone-teamwork.firebaseapp.com

win-more-0x.web.app

winx-fbac0.web.app

wix-engage-visitors-prod-0.firebaseapp.com

wix-engage-visitors-prod-10.firebaseapp.com

wix-engage-visitors-prod-20.firebaseapp.com

wo0923536-902453-908563.web.app

wraxdne.web.app

www.firebaseapp.com

www.web.app

x0x0x10010-0100.web.app

x48652.web.app

xamua-7cb66.web.app

xcio-00000auth.web.app

xm01-18c1f.web.app

xn--87487387348739-16aa.web.app

xtpma4ep.firebaseapp.com

zoho-active.web.app

zoho-adminserv.web.app

zoho-mailservices.web.app

zoho-online.web.app

zoho-validationserv.web.app

zxtst-44902.firebaseapp.com

Stay tuned!

Continue reading →

Dancho Danchev's Blog - Mobile Android-Based Google Play Application Available!

Dear blog readers,

This is Dancho and I wanted to let everyone know that I've released a mobile Android-device compatible Google Play application for my personal blog where I intend to reach out to more readers and acquire a new type of audience. Grab a copy today!

Stay tuned!

Continue reading →

Exposing FBI's Most Wanted Cybercriminals - Iran's Mabna Hackers - An OSINT Analysis

Dear blog readers,

I've decided to share some of the actionable intelligence that I have at my disposal regarding the FBI's Most Wanted Iran-based Mabna Hackers which I originally outlined in my second release of the "A Qualitative and Technical Collection OSINT-Enriched Analysis of the Iranian Hacking Scene Through the Prism of the Infamous Ashiyane Digital Security Team" where you can also obtain a copy of the first release entitled "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran" in terms of catching up in terms of what Iran-based hackers and hacking groups are up to up to present day with the research report basically representing one of the most comprehensive and in-depth publicly accessible report on Iran's hacking scene.

Sample screenshots of Mabna Institute including the associated Web sites where the information is offered:

Sample phishing URLs known to have been involved in the campaign:

ezvpn.mskcc.saea.ga    

library.asu.saea.ga    

library.lehigh.saea.ga    

moodle.ucl.ac.saea.ga    

saea.ga    

unex.learn.saea.ga    

unomaha.on.saea.ga    

www.uvic.saea.ga

catalog.lib.usm.edu.seae.tk

elearning.uky.edu.seae.tk

www.aladin.wrlc.org.seae.tk

alexandria.rice.ulibr.ga

cmich.ulibr.ga

columbia.ulibr.ga

edu.edu.libt.cf

ezproxy-authcate.lib.monash.ulibr.ga

login.revproxy.brown.edu.edu.libt.cf

ezproxy-authcate.monash.lib.ulibr.ga

ezproxy-f.deakin.au.ulibr.ga

lib.dundee.ac.uk.ulibr.ga

cas.usherbrooke.ca.cavc.tk

catalog.lib.ksu.edu.cavc.tk

isa.epfl.ch.cavc.tk

login.vcu.edu.cavc.tk

www.med.unc.edu.cavc.tk

cas.iu.edu.cavc.tk

ltuvpn.latrobe.edu.au.reactivation.in

passport.pitt.edu.reactivation.in

edu.login.revproxy.brown.edu.libt.cf

shibboleth.nyu.edu.reactivation.in

login.revproxy.brown.edu.login.revproxy.brown.edu.libt.cf

weblogin.pennkey.upenn.edu.reactivation.in

webmail.reactivation.in

www.ezlibproxy1.ntu.edu.sg.reactivation.in

www.ezpa.library.ualberta.ca.reactivation.in

www.lib.just.edu.jo.reactivation.in

www.passport.pitt.edu.reactivation.in

shib.ncsu.ulibr.cf/

www.shibboleth.nyu.edu.reactivation.in

www.weblogin.pennkey.upenn.edu.reactivation.in

ezlibproxy1.ntu.edu.sg.reactivation.in

login.revproxy.brown.edu.libt.cf

weblogin.umich.edu.lib2.ml

catalog.sju.edu.mncr.tk

ezpa.library.ualberta.ca.reactivation.in

lib.just.edu.jo.reactivation.in

login.ezproxy.lib.purdue.edu.reactivation.in

login.libproxy.temple.shibboleth2.uchicago.ulibr.cf

shib.ncsu.shibboleth2.uchicago.ulibr.cf

shibboleth2.uchicago.shibboleth2.uchicago.ulibr.cf

singlesignon.gwu.shibboleth2.uchicago.ulibr.cf

webauth.ox.ac.uk.shibboleth2.uchicago.ulibr.cf

edu.libt.cf

login.libproxy.temple.ulibr.cf

shib.ncsu.ulibr.cf

singlesignon.gwu.ulibr.cf

webauth.ox.ac.uk.ulibr.cf

library.cornell.ulibr.ga

login.ezproxy.gsu.ulibr.ga

shibboleth2.uchicago.ulibr.cf

login.library.nyu.ulibr.ga

mail.ulibr.ga

webcat.lib.unc.ulibr.ga

www.ulibr.ga

www.alexandria.rice.ulibr.ga

www.cmich.ulibr.ga

www.columbia.ulibr.ga

www.ezproxy-authcate.lib.monash.ulibr.ga

www.ezproxy-authcate.monash.lib.ulibr.ga

www.ezproxy-f.deakin.au.ulibr.ga

www.lib.dundee.ac.uk.ulibr.ga

www.library.cornell.ulibr.ga

www.login.ezproxy.gsu.ulibr.ga

www.login.library.nyu.ulibr.ga

auth.berkeley.edu.libna.ml

sso.lib.uts.edu.au.libna.ml

bb.uvm.edu.cvre.tk

cline.lib.nau.edu.cvre.tk

illiad.lib.binghamton.edu.cvre.tk

libcat.smu.edu.cvre.tk

login.brandeis.edu.cvre.tk

msim.cvre.tk

libcat.library.qut.nsae.ml

www.webcat.lib.unc.ulibr.ga

Sample domains known to have been involved in the campaign:

mlibo.ml

blibo.ga

azll.cf

azlll.cf

lzll.cf

jlll.cf

elll.cf

lllib.cf

tsll.cf

ulll.tk

tlll.cf

libt.ga

libk.ga

libf.ga

libe.ga

liba.gq

libver.ml

ntll.tk

ills.cf

vtll.cf

clll.tk

stll.tk

llii.xyz

lill.pro

eduv.icu

univ.red

unir.cf

unir.gq

unisv.xyz

unir.ml

unin.icu

unie.ml

unip.gq

unie.ga

unip.cf

nimc.ga

nimc.ml

savantaz.cf

unie.gq

unip.ga

unip.ml

unir.ga

untc.me

jhbn.me

unts.me

uncr.me

lib-service.com

unvc.me

untf.me

nimc.cf

anvc.me

ebookfafa.com

nicn.gq

untc.ir

librarylog.in

llli.nl

lllf.nl

libg.tk

ttil.nl

llil.nl

lliv.nl

llit.site

flil.cf

e-library.me

cill.ml

fill.cf

libm.ga

eill.cf

llib.cf

eill.ga

nuec.cf

illl.cf

cnen.cf

aill.nl

eill.nl

mlib.cf

ulll.cf

nlll.cf

clll.nl

llii.cf

etll.cf

1edu.in

aill.cf

atna.cf

atti.cf

aztt.tk

cave.gq

ccli.cf

cnma.cf

cntt.cf

crll.tk

csll.cf

ctll.tk

cvnc.ga

cvve.cf

czll.tk

cztt.tk

euca.cf

euce.in

ezll.tk

ezplog.in

ezproxy.tk

eztt.tk

flll.cf

iell.tk

iull.tk

izll.tk

lett.cf

lib1.bid

lib1.pw

libb.ga

libe.ml

libg.cf

libg.ga

libg.gq

libloan.xyz

libnicinfo.xyz

libraryme.ir

libt.ml

libu.gq

lill.gq

llbt.tk

llib.ga

llic.cf

llic.tk

llil.cf

llit.cf

lliv.tk

llse.cf

ncll.tk

ncnc.cf

nctt.tk

necr.ga

nika.ga

nsae.ml

nuec.ml

rill.cf

rnva.cf

rtll.tk

sctt.cf

shibboleth.link

sitl.tk

slli.cf

till.cf

titt.cf

uill.cf

uitt.tk

ulibe.ml

ulibr.ga

umlib.ml

umll.tk

uni-lb.com

unll.tk

utll.tk

vsre.cf

web2lib.info

xill.tk

zedviros.ir

zill.cf 

Sample IPs known to have been involved in the campaign:

103.241.3.91

104.152.168.23

107.180.57.7

107.180.58.47

138.201.17.56

144.217.120.73

144.76.189.80

162.218.237.3

167.114.103.215

173.254.239.2

176.31.33.115

178.33.115.10

184.95.37.90

185.105.185.22

185.28.21.83

185.55.227.104

185.86.180.250

188.40.34.186

193.70.117.250

195.154.102.75

198.252.106.149

198.91.81.5

199.204.187.164

31.220.20.111

66.70.197.208

78.46.77.105

79.175.181.11

82.102.15.215

87.98.249.207

88.99.139.8

88.99.160.209

88.99.40.240

88.99.69.4

93.174.95.64

94.76.204.201

136.243.145.233

136.243.198.45

141.8.224.221

148.251.116.93

148.251.12.172

162.218.237.31

167.114.13.164

172.246.144.34

173.254.239.217

6.31.33.115

176.31.33.116

176.9.188.235

85.28.21.83

185.28.21.95

192.169.82.134

198.27.68.142

198.91.81.51

45.35.33.126

46.4.91.26

5.135.123.163

5.196.194.234

51.254.198.131

51.254.21.142

79.175.181.118

88.99.128.229

88.99.139.88

88.99.69.49

3.174.95.64

Stay tuned!

Continue reading →

Dancho Danchev's Blog - Open Call for Blog Contributors and Guest Bloggers

UPDATE: Do you know which is one of the World's most popular Security blogs and who's running it? 

Guess what - you've been reading it all along. Ever since I started this blog in December, 2005 for the purpose of impressing my girlfriend and greatly inspired by a successful venture with Astalavista Security Group circa 2003-2006 I've received over 5M page views courtesy of a loyal base of users to whom I owe a great debt of gratitude for keeping track of my research and following my comments - in real-time. The time has come to expand and eventually launch a new set of products and services including a possible Advertising Inventory - therefore I've decided to launch an Open Call for Blog Contributors including Guest Bloggers. Interested in writing at this blog? Feel free to approach me - dancho.danchev@hush.com

Dancho Danchev's Blog - Major Security Web Property Statistics:

Dear blog readers, friends, partners, colleagues, Security Industry friends and partners including U.S Intelligence Community and U.S and International Law Enforcement friends and partners - it's been a decade since I originally decided to launch this blog positioning it as a top Security and Threat Intelligence including Cybercrime Research Major Web Property attracting thousands of high-profile and loyal users throughout the decade to whom I owe a great deal of personal thanks and admiration for following me and supporting my research and personal opinion throughout the years including the active spreading of high-quality and never-published before OSINT analysis cybercrime and threat intelligence gathering type of technical analysis.

In the spirit of offering high-quality research and malicious and fraudulent campaign analysis including the expansion of my personal blog to include a diverse set of new areas including a possible Advertising Inventory to offer to selected and invite-only vendors and organizations - I've decided to make an Open Call for Blog Contributors and Guest Bloggers with the idea to keep the spirit of my 2008-2013 series of analysis where I was busy dominating the news with new attack vectors and attacks techniques including the profiling and tracking down of new malware and cybercrime groups.

Interested in writing at this blog? Do you have a lot to say in the area of cybercrime research and Threat Intelligence including Privacy Anonymity and malicious software including botnets? Keep reading.

Who's Welcome to Approach me?

• Academic Institutions looking for ways to properly promote their research and content by offering a selected individuals who'd be responsible for offering an in-depth never published before perspective on the Institution's cybercrime and malicious software research perspective
• Threat Intelligence Vendors looking for ways to approach a new set of loyal user base and to promote their research products and services by appointing a selected individual who would be interested in communicating Key Vendor findings on a daily basis
• Independent Freelancers looking to reach out to a loyal user base and receive the necessary expose in terms of having their article read by thousands of loyal and selected users on a daily basis
• Friends and Colleagues with whom I've worked in the past or with who I continue to work nowadays who might be interested in making a valuable contributing to this high-quality Web property publication

Interested in writing at this blog? Do you want to make a valuable contribution? Feel free to approach me dancho.danchev@hush.com and I'll get back to you with proper access as soon as possible.

Continue reading →

Historical OSINT - Georgian Justice Department and Georgia Ministry of Defense Compromised Serving Malware Courtesy of the Kneber Botnet

It's 2010 and I've recently came across to a compromised Georgian Government Ministry of Defense and Ministry of Justice official Web site spreading potentially participating in a wide-spread phishing and malware-serving campaign enticing users into interacting with the rogue U.S Intelligence and U.S Law Enforcement themed emails for the purpose of spreading and dropping malicious software on the targeted host's PC.

Sample malicious URL known to have participated in the campaign abusing common Web Site redirection application vulnerability flaw:

hxxp://www.mod.gov.ge/2007/video/movie.php?l=G&v=%20%3E%20a%20href%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3EDownload%20%3C%2Fa%3E%20script%3Ewindow.OPEN%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3C%2Fscript%3E%20#05184916461921807121

Related malicious URLs known to have participated in the campaign:

hxxp://officialweightlosshelp.org/wp-admin/report.zip

Spread URL found within the config:

hxxp://www.adventure-center.net/upload/x.txt - 195.70.48.67

Related compromised malicious URLs known to have participated in the campaign:

hxxp://new.justice.gov.ge/files/Headers/in.txt

hxxp://new.justice.gov.ge/files/Headers/fresh.txt

hxxp://new.justice.gov.ge/files/Headers/rollers1.php

Related MD5s known to have participated in the campaign:

MD5: d0c0a2e6b30f451f69df9e2514ba36f2

MD5: 974a4a516260a4fafb36234897469013

MD5: ecb7304f838efb8e30a21189458b8544

MD5: 81b3bff487fc9a02e10288114fc2b5be

MD5: 234523904033f8dc692c743cbcf5cf2b

MD5: e2fffaffc1064d24e7ea6bab90fd86fc

MD5: 5941c9b5bd567c5baaecc415e453b5c8

MD5: 0ff325365f1d8395322d1ef0525f3b1f

MD5: 4437617b7095ed412f3c663d4b878c30

MD5: eb66a3e11690069b28c38cea926b61d2

MD5: 2b7e4b7c5faf45ebe48df580b63c376b

Known to have participated in the campaign are also the following two domains part of the Hilary Kneber botnet:
hxxp://dnicenter.com - Email: abuseemaildhcp@gmail.com
hxxp://dhsorg.org - Email: hilarykneber@yahoo.com

Related malicious download location URLs known to have participated in the campaign:
hxxp://www.zeropaid.com/bbs/includes/CYBERCAFE.zip
hxxp://rapidshare.com/files/318309046/CYBERCAFE.zip.html
hxxp://www.sendspace.com/file/fmbt01
hxxp://hkcaregroup.com/modlogan/MILSOFT.zip
hxxp://rapidshare.com/files/320369638/MILSOFT.zip.html
hxxp://fcpra.org/downloads/MILSOFT.zip
hxxp://fcpra.org/downloads/winupdate.zip
hxxp://www.sendspace.com/file/tj373l
hxxp://mv.net.md/update/update.zip - 195.22.225.5
hxxp://www.sendspace.com/file/7jmxtq
hxxp://mv.net.md/dsb/DSB.zip
hxxp://www.sendspace.com/file/rdxgzd
hxxp://timingsolution.com/Doc/BULLETIN.zip
hxxp://www.sendspace.com/file/goz3yd
hxxp://dnicenter.com/docs/report.zip
hxxp://dhsorg.org/docs/instructions.zip - 222.122.60.186; 222.122.60.1
hxxp://www.sendspace.com/file/h96uh1
hxxp://depositfiles.com/files/xj1wvamc4
hxxp://tiesiog.puikiai.lt/report.zip
hxxp://somashop.lv/report.zip
hxxp://www.christianrantsen.dk/report.zip
hxxp://enigmazones.eu/report.zip
hxxp://www.christianrantsen.dk/report.zip
hxxp://enigmazones.eu/report.zip

hxxp://gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN.zip
hxxp://quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN.zip - 66.147.242.169

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://dhsinfo.info - 218.240.28.34
hxxp://greylogic.info - 218.240.28.34; 218.240.28.4
hxxp://intelfusion.info - 218.240.28.34

hxxp://greylogic.org - 222.122.60.1

Related malicious MD5s known to have participated in the campaign:
MD5: 8b3a3c4386e4d59c6665762f53e6ec8e
MD5: 5fb94eef8bd57fe8e20ccc56e33570c5
MD5: 28c4648f05f46a3ec37d664cee0d84a8

Once executed a sample malware phones back to the following C&C server IPs:
hxxp://from-us-with-love.info - 91.216.141.171
hxxp://from-us-with-love.info/imglov/zmpt4d/n16v18.bin
hxxp://vittles.mobi - 174.132.255.10

hxxp://nicupdate.com - 85.31.97.194

Related malicious and fraudulent IPs known to have participated in the Hilary Kneber botnet campaign:
hxxp://58.218.199.239
hxxp://59.53.91.102
hxxp://60.12.117.147
hxxp://61.235.117.71
hxxp://61.235.117.86
hxxp://61.4.82.216
hxxp://193.104.110.88
hxxp://95.169.186.103
hxxp://222.122.60.186
hxxp://217.23.10.19
hxxp://85.17.144.78
hxxp://200.106.149.171
hxxp://200.63.44.192
hxxp://200.63.46.134
hxxp://91.206.231.189
hxxp://124.109.3.135
hxxp://61.61.20.134
hxxp://91.206.201.14
hxxp://91.206.201.222
hxxp://91.206.201.8
hxxp://216.104.40.218
hxxp://69.197.128.203

Related malicious and fraudulent domains known to have participated in the Hilary Kneber botnet campaign:
hxxp://123.30d5546ce2d9ab37.d99q.cn
hxxp://d99q.cn
hxxp://524ay.cn
hxxp://adcounters.net
hxxp://adobe-config-s3.net
hxxp://mywarworld.cn
hxxp://aqaqaqaq.com
hxxp://avchecker123.com
hxxp://bizelitt.com
hxxp://biznessnews.cn
hxxp://bizuklux.cn
hxxp://fcrazy.com
hxxp://fcrazy.eu
hxxp://boolred.in
hxxp://brans.pl
hxxp://britishsupport.net
hxxp://bulkbin.cn
hxxp://chaujoi.cn
hxxp://checkvirus.net
hxxp://chinaoilfactory.cn
hxxp://chris25project.cn
hxxp://client158.faster-hosting.com
hxxp://cwbnewsonline.cn
hxxp://cxzczxccc.com.cn
hxxp://dasfkjsdsfg.biz
hxxp://dia2.cn
hxxp://digitalinspiration.e37z.cn
hxxp://dolbanov.net
hxxp://dolcegabbana.djbormand.cn
hxxp://djbormand.cn
hxxp://download.sttcounter.cn - 61.61.20.134; 211.95.78.98
hxxp://sttcounter.cn
hxxp://dred3.cn
hxxp://dsfad.in
hxxp://e37z.cn
hxxp://e58z.cn
hxxp://electrofunny.cn
hxxp://electromusicnow.cn
hxxp://elsemon.cn
hxxp://fcrazy.info
hxxp://filemarket.net
hxxp://flo5.cn
hxxp://footballcappers.biz
hxxp://fobsl.cn
hxxp://forum.d99q.cn
hxxp://gamno6.cn
hxxp://gidrasil.cn
hxxp://gifts2010.net
hxxp://ginmap.cn
hxxp://giopnon.cn
hxxp://gksdh.cn
hxxp://glousc.com
hxxp://gnfdt.cn
hxxp://gold-smerch.cn
hxxp://goldenmac.cn
hxxp://google.maniyakat.cn
hxxp://maniyakat.cn
hxxp://greenpl.com
hxxp://grizzli-counter.com
hxxp://grobin1.cn
hxxp://inpanel.cn
hxxp://itmasterz.org
hxxp://iuylqb.cn
hxxp://kaizerr.org
hxxp://keepmeupdated.cn
hxxp://khalej.cn
hxxp://kimosimotuma.cn
hxxp://klaikius.com
hxxp://klitar.cn
hxxp://kolordat482.com
hxxp://kotopes.cn
hxxp://liagand.cn
hxxp://love2coffee.cn
hxxp://majorsoftwareupdate.info
hxxp://marcusmed.com
hxxp://mcount.net
hxxp://mega-counter.com
hxxp://monstersoftware.info
hxxp://morsayniketamere.cn
hxxp://mydailymail.cn
hxxp://mynewworldorder.cn
hxxp://newsdownloads.cn
hxxp://nit99.biz
hxxp://nm.fcrazy.com
hxxp://nmalodbp.com
hxxp://not99.biz
hxxp://online-counter.cn
hxxp://pedersii.net
hxxp://piramidsoftware.info
hxxp://popupserf.cn
hxxp://qaqaqaqa.com
hxxp://qaqaqaqa.net
hxxp://qbxq16.com
hxxp://redlinecompany.ravelotti.cn
hxxp://ravelotti.cn
hxxp://relevant-information.cn

Related Hilary Kneber botnet posts:
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Dissecting the Exploits/Scareware Serving Twitter Spam Campaign
Koobface Botnet Starts Serving Client-Side Exploits

Continue reading →

Historical OSINT - Zeus and Client-Side Exploit Serving Facebook Phishing Campaign Spotted in the Wild

In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercrimianals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, thousands, of, newly, affected, users, globally, potentially, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, botnet's, population, largely, relying, on, the, utilization, of, affiliate-based, type, of, fraudulent, revenue, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, impersonating, Facebook, for, the, purpose, of, serving, client-side, exploits, to, socially, engineered, users, further, compromising, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, hosts, largely, relying, on, the, use, of, affiliate-based, type, of, fraudulent, revenue, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, behind, it.

Sample, URL, exploitation, chain:
hxxp://auth.facebook.com.megavids.org/id735rp/LoginFacebook.php
    - hxxp://wqdfr.salefale.com/index.php - 62.193.127.197
        - hxxp://spain.salefale.com/index.php

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://salefale.com - 112.137.165.114
    - hxxp://countrtds.ru - 91.201.196.102 - Email: thru@freenetbox.ru
       
Sample, detection, rate, for, the, malicious, executable:
MD5: e96c8d23e3b64d79e5e134a9633d6077
MD5: 19d9cc4d9d512e60f61746ef4c741f09

Once, executed, a, sample, malware, phones back to:
hxxp://makotoro.com

Related, malicious, C&C, server, IPs, known, to, have, participated, in, the, campaign:
hxxp://91.201.196.99
hxxp://91.201.196.77
hxxp://91.201.196.101
hxxp://91.201.196.35
hxxp://91.201.196.75
hxxp://91.201.196.76
hxxp://91.201.196.38
hxxp://91.201.196.34
hxxp://91.201.196.37

Related, malicious, C&C, server, IPs (212.175.173.88), known, to, have, participated, in, the, campaign:
hxxp://downloads.fileserversa.org
hxxp://downloads.fileserversc.org
hxxp://downloads.fileserversd.org
hxxp://downloads.portodrive.org
hxxp://downloads.fileserversj.org
hxxp://downloads.fileserversk.org
hxxp://downloads.fileserversm.org
hxxp://downloads.fileserversn.org
hxxp://downloads.fileserverso.org
hxxp://downloads.fileserversq.org
hxxp://downloads.fileserversr.org
hxxp://auth.facebook.com.megavids.org
hxxp://auth.facebook.com.fileserversl.com
hxxp://auth.facebook.com.legomay.com
hxxp://auth.facebook.com.crymyway.com
hxxp://auth.facebook.com.portodrive.net
hxxp://auth.facebook.com.modavedis.net
hxxp://auth.facebook.com.migpix.net
hxxp://auth.facebook.com.legomay.net
hxxp://auth.facebook.com.crymyway.net
hxxp://downloads.megavids.org
hxxp://downloads.regzavids.org
hxxp://downloads.vedivids.org
hxxp://downloads.restpictures.org
hxxp://downloads.modavedis.org
hxxp://downloads.fileserverst.org
hxxp://downloads.fileserversu.org
hxxp://downloads.regzapix.org
hxxp://downloads.reggiepix.org
hxxp://downloads.migpix.org
hxxp://downloads.restopix.org
hxxp://downloads.legomay.org
hxxp://downloads.vediway.org
hxxp://downloads.compoway.org
hxxp://downloads.restway.org
hxxp://downloads.crymyway.org
hxxp://downloads.fileserversa.com
hxxp://downloads.fileserversb.com
hxxp://downloads.fileserversc.com
hxxp://downloads.fileserversd.com
hxxp://downloads.fileserverse.com
hxxp://downloads.fileserversf.com
hxxp://downloads.fileserversg.com
hxxp://downloads.fileserversh.com
hxxp://downloads.fileserversi.com
hxxp://downloads.fileserversj.com
hxxp://downloads.fileserversk.com
hxxp://downloads.fileserversl.com
hxxp://downloads.fileserversm.com
hxxp://downloads.fileserversn.com
hxxp://downloads.fileserverso.com
hxxp://downloads.fileserversp.com
hxxp://downloads.fileserversq.com
hxxp://downloads.fileserversr.com
hxxp://downloads.regzavids.com
hxxp://downloads.vedivids.com
hxxp://downloads.restpictures.com
hxxp://downloads.modavedis.com
hxxp://downloads.fileserverss.com
hxxp://downloads.fileserverst.com
hxxp://downloads.fileserversu.com
hxxp://downloads.regzapix.com
hxxp://downloads.reggiepix.com
hxxp://downloads.migpix.com
hxxp://downloads.legomay.com
hxxp://downloads.vediway.com
hxxp://downloads.compoway.com
hxxp://downloads.crymyway.com
hxxp://downloads.fileserversa.net
hxxp://downloads.fileserversb.net
hxxp://downloads.fileserversc.net
hxxp://downloads.fileserversd.net
hxxp://downloads.fileserverse.net
hxxp://downloads.portodrive.net
hxxp://downloads.fileserversf.net
hxxp://downloads.fileserversg.net
hxxp://downloads.fileserversh.net
hxxp://downloads.fileserversi.net
hxxp://downloads.fileserversj.net
hxxp://downloads.fileserversk.net
hxxp://downloads.fileserversl.net
hxxp://downloads.fileserversm.net
hxxp://downloads.fileserversn.net
hxxp://downloads.fileserverso.net
hxxp://downloads.fileserversp.net
hxxp://downloads.fileserversq.net
hxxp://downloads.fileserversr.net
hxxp://downloads.regzavids.net
hxxp://downloads.vedivids.net
hxxp://downloads.tastyfiles.net
hxxp://downloads.restpictures.net
hxxp://downloads.modavedis.net
hxxp://downloads.fileserverss.net
hxxp://downloads.fileserverst.net
hxxp://downloads.fileserversu.net
hxxp://downloads.regzapix.net
hxxp://downloads.reggiepix.net
hxxp://downloads.migpix.net
hxxp://downloads.legomay.net
hxxp://downloads.vediway.net
hxxp://downloads.compoway.net
hxxp://downloads.restway.net
hxxp://downloads.crymyway.net

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Fighting Internet's email junk through licensing

Just came across this story at Slashdot, interesting approach :



"China has introduced regulations that make it illegal to run an email server without a licence. The new rules, which came into force two weeks ago, mean that most companies running their own email servers in China are now breaking the law. The new email licensing clause is just a small part of a new anti-spam law formulated by China's Ministry of Information Industry (MII)."



While the commitment is a remarkable event given China's booming Internet population -- among the main reasons Google had to somehow enter China's search market and take market share from Baidu.com -- you don't need a mail server to disseminate spam and phishing attacks like it used to be in the old days. You need botnets, namely, going through CME's List, you would see how the majority of today's malware is loaded with build-in SMTP engine, even offline/in-transit/web email harvesting modules.



You can often find China on the top of every recently released spam/phishing/botnet trends summary, which doesn't mean Chinese Internet users are insecure -- just unaware. What you can do is educate the masses to secure the entire population, and stimulate the growth of the local security market that everyone is so desperately trying to tap into.


Moreover, I doubt you can regulate the type of Internet users still trying to freely access information, again with the wrong attitude in respect to security :



"..prohibiting use of email to discuss certain vaguely defined subjects related to 'network security' and ' information security', and also reiterate that emails which contain content contrary to existing laws must not be copied or forwarded. Wide-ranging laws of this nature have been used against political and religous dissenters in the past."



It's like legally justifying the country's censorship practices through introducing the law, whereas I feel "network security" and "information security" attacks outside the homeland get favored, compared to internal ones, don't you?



Forbidden fruits turn into dangerous desires on the majority of occasions, and you just can't control that, what's left to censor it.



Technorati tags:
Security, Malware, Spam, Phishing, China Continue reading →

Heading in the opposite direction

Just one day before April 1st 2006 I came across this article :



"German retail banker Postbank will begin using electronic signatures on e-mails to its customers to help protect them from phishing attacks."



Catching up with the phishers seems to be a very worrisome future strategy. Electronic Signatures by themselves are rarely checked by anyone, and many more attack vectors are making the idea of this totally irrelevant. Moreover, a great research "Why phishing works" was recently released and it basically outlines basic facts such as how end users doesn't pay attention to security checks, if there's a definition of such given the attack vectors phishers have started using recently. In some of my previous posts "Security threats to consider when doing E-Banking", and "Anti Phishing toolbars - can you trust them?" I mentioned many other problems related to this bigger than it seems problem, what you should also keep an eye on is the good old ATM scam I hope you are aware of.



Postbank is often targeted by phishers, still, the best protection is the level of security awareness stated in here :



"Phishing attacks have led 80% of Germans to distrust banking related e-mails, according to TNS Infratest." Moreover, "Postbank's electronic signature service isn't possible with web-based e-mail services provided by local Internet service providers such as GMX GmbH and Freenet.de AG, according to Ebert. One exception is Web.de"



Thankfully, but that's when you are going in exactly the opposite direction than your customers are, while trying to estalibish reputable bank2customer relationship over email. Listen your customers first, and follow the trends, and do not try to use the most popular dissemination vector as a future communication one.



Something else in respect to recent phishing statistics is the key summary points of the recently released, AntiPhishingGroup's Report for January, 2006 report :



• Number of unique phishing reports received in January: 17,877
• Number of unique phishing sites received in January: 9715
• Number of brands hijacked by phishing campaigns in January: 101
• Number of brands comprising the top 80% of phishing campaigns in January: 6
• Country hosting the most phishing websites in January: United States
• Contain some form of target name in URL: 45 %
• No hostname just IP address: 30 %
• Percentage of sites not using port 80: 8 %
• Average time online for site: 5.0 days
• Longest time online for site: 31 days



I feel there's a lot more to expect than trying to re-establish the communication over a broken channel, as far as E-banking is concerned.



More resources you might be interested in taking a look at are :
Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks
Netcraft: More than 450 Phishing Attacks Used SSL in 2005
SSL's Credibility as Phishing Defense Is Tested
Rootkit Pharming
The future of Phishing
Something is Phishy here...
Phishing Site Using Valid SSL Certificates
Thoughts on Using SSL/TLS Certificates as the Solution to Phishing



Technotati tags:
Security, Phishing, Scam, Banking Continue reading →