Announcing Offensive Warfare 2.0 - Official Hacking and Security Community Launch

March 22, 2019
Dear blog readers, I wanted to let everyone know that I've recently launched a public hacking and cyber security community repository offering a Security Directory, Downloads, Podcasts and Security Videos directories, a large number of hacking and security resources, a hacking and security discussion area, and community-based services and products - to keep the spirit of the Scene and the Security Industry the way we know it.

How to obtain access
- consider approaching me at dancho.danchev@hush.com to request an invite

How you can contribute
- feel free to approach your colleagues, friends and social network to spread the word about the portal and the community
- consider registering, making an introduction and starting to contribute content
- approach me directly at dancho.danchev@hush.com with your questions and any feature and content suggestions

Looking forward to receiving your response, including any additional questions, comments or suggestions you might have about the project.

Stay tuned!

Historical OSINT - "I Know Who DDoS-ed Georgia and Bobbear.co.uk Last Summer"

February 07, 2019
Appreciate my rhetoric. In this post I'll provide actionable intelligence on a key DDoS-for-hire service that was primarily used in the Russia vs Georgia cyber attacks circa 2009, including the DDoS attack against Bobbear.co.uk.

Related actionable intelligence on the campaign:
hxxp://setx.in - Email: info@antiddos.eu - setx.mail@gmail.com
hxxp://httpdoc.info
hxxp://fakamaza.info - Email: team@russia-vs-georgia.org (from the WHOIS record)

Related malicious URLs known to have participated in the campaign:
hxxp://cxim.inattack.ru/www7/www/auth.php
hxxp://cxim.inattack.ru/www3/www/
hxxp://h278666y.net/main/load.exe
hxxp://h278666y.net/www/auth.php
hxxp://i.clusteron.ru/bstatus.php
hxxp://svdrom.cn
hxxp://203.117.111.52/www7/www/getcfg.php

Related malicious MD5s known to have participated in the campaign:
MD5: 34413180d372a9e66d0d59baf0244b8f
MD5: 42e4bbd47d322ec563c86c636c3f10b9
MD5: ed36b42fac65236a868e707ee540c015
MD5: c9fa1c95ab4ec1c1d46abe5445fb41e4

Related malicious stat.php URLs known to have participated in the campaign:
hxxp://cxim.inattack.ru/www2/www/stat.php
hxxp://cxim.inattack.ru/www3/www/stat.php
hxxp://cxim.inattack.ru/www4/www/stat.php
hxxp://cxim.inattack.ru/www5/www/stat.php
hxxp://cxim.inattack.ru/www6/www/stat.php
hxxp://finito.fi.funpic.org/black/stat.php
hxxp://logartos.org/forum/stat.php - 195.24.78.242
hxxp://weberror.cn/be1/stat.php
hxxp://prosto.pizdos.net/_lol/stat.php
hxxp://h278666y.net/www/stat.php - 72.233.60.254
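Lists like the one above are defanged (hxxp://) and mix URLs, bare IPs, registrant e-mails and hashes on the same lines, so before they can be fed to a blocklist or matched against logs they need to be parsed and refanged. The following is an added example of such a parser; it is not part of the original post or the author's tooling. The sample text is constructed from a handful of the indicators listed above, and the regexes, function names and the `hits` matcher are my own.

```python
"""Extract, refang and match indicators from a defanged IOC list.

Added example, not code from the original post. The sample text is a
constructed slice of the indicators listed in the post above.
"""
import json
import re
from collections import defaultdict

# Constructed sample input: a few defanged lines taken from the post above.
SAMPLE_IOC_TEXT = """\
hxxp://setx.in - Email: info@antiddos.eu - setx.mail@gmail.com
hxxp://cxim.inattack.ru/www7/www/auth.php
hxxp://h278666y.net/main/load.exe
MD5: 34413180d372a9e66d0d59baf0244b8f
MD5: 42e4bbd47d322ec563c86c636c3f10b9
hxxp://203.117.111.52/www7/www/getcfg.php
hxxp://logartos.org/forum/stat.php - 195.24.78.242
hxxp://h278666y.net/www/stat.php - 72.233.60.254
"""

URL_RE = re.compile(r"\bhxxps?://[^\s\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn hxxp:// back into http:// and [.] into . so the URL can be looked up."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def host_of(url: str) -> str:
    """Host part of a (possibly defanged) URL, without scheme, port or path."""
    rest = refang(url).split("://", 1)[1]
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def extract_iocs(text: str) -> dict:
    """Return sorted, de-duplicated indicators grouped by type.

    URL hosts that are IPv4 literals are reported under 'ips', not 'domains';
    loose IPs on a line (e.g. 'stat.php - 195.24.78.242') are picked up too.
    """
    found = defaultdict(set)
    for line in text.splitlines():
        for raw in URL_RE.findall(line):
            raw = raw.rstrip(".,;")          # trailing punctuation is not part of the URL
            found["urls"].add(refang(raw))
            host = host_of(raw)
            if IPV4_RE.fullmatch(host):
                found["ips"].add(host)
            else:
                found["domains"].add(host)
        for email in EMAIL_RE.findall(line):
            found["emails"].add(email.lower())
        for ip in IPV4_RE.findall(line):
            found["ips"].add(ip)
        for digest in MD5_RE.findall(line):
            found["md5s"].add(digest.lower())
    return {kind: sorted(values) for kind, values in found.items()}


def hits(iocs: dict, observed) -> list:
    """Match observed (kind, value) pairs, e.g. from proxy or AV logs, against the sets."""
    wanted = {kind: set(values) for kind, values in iocs.items()}
    return [(kind, value) for kind, value in observed
            if value.lower() in wanted.get(kind, set())]


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_IOC_TEXT)
    print(json.dumps(iocs, indent=2))
    # Constructed observations: one known-bad host, one unknown hash.
    print(hits(iocs, [("domains", "H278666Y.NET"), ("md5s", "deadbeef" * 4)]))
```

Keep in mind that these indicators date from 2008-2010; hosts and IPs have long since been reassigned, so a hit on a domain or IP from this list today is a prompt for investigation, not proof of compromise, whereas a hash match still identifies the same file.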

Historical OSINT - Sub7 Crew Releases New Version on 11th Anniversary of The RAT

February 07, 2019
It's 2010 and I've recently come across the following announcement on Sub7's main forum (Sub7 being the most ubiquitous trojan horse, also known as a Remote Access Tool, circa the 90's) about the upcoming release of a new version.

"People can buy unique FUD servers in the shop and custom clients can also be written to help you admin PC's remotely with your own features. These are selling well so be sure to grab your own custom version while we are offering them at this price. Please be advised there is currently a waiting list for this."

Sample detection rate:
borlndmm.dll - Result: 0/42 (0%)
EditServer.exe - Result: 10/42 (23.81%)
Server.exe - Result: 18/41 (43.91%)
SubSeven.exe - Result: 16/41 (39.03%)

Should The Scene, the way we know it, re-appear? It appears that every now and then a new cybercrime-friendly tool tries to materialize, taking us back to what used to be The Scene circa the 90's.

Historical OSINT - Profiling a Portfolio of Fake Visa Application Scam Domains

February 07, 2019
It's been a while since I last posted a quality update profiling a currently circulating malicious and fraudulent spam campaign and highlighting the activities of the cybercriminals behind it.

In this post I'll profile a currently circulating Fake Visa Application campaign enticing users into submitting their personal details for the purpose of obtaining a fake visa.

Related emails known to have participated in the campaign:
vizagold2010@mail.ru
qwerty_ok@bigmir.net
vizacom10@bigmir.net
Abrakadabra011@yandex.ua
alexboy40@meta.ua
vizacom09@bigmir.net
bestagancy@rambler.ru
vizagold2010@gmail.com
vizacom01@ua.fm
Vizacom01@gmail.com
Vizacom01@ukr.net
Vizacom01@qip.ru
visas_com@ukr.net
Visas.com2010@gmail.com
infinite-visas@rambler.ru
unforeseen2010@hotmail.com
shengen_visas@ukr.net
shengenvisas@gmail.com
shengenvisas@rambler.ru
shengenvisas@bigmir.net

Stay tuned for an updated set of fraudulent Fake Visa Application domains, to be published soon.

Historical OSINT - A Peek Inside The Georgia Government's Web Site Compromise Malware Serving Campaign - 2010

February 07, 2019
Remember the massive Russia vs Georgia cyber attack circa 2009? It seems the time has come for me to dig a little deeper and provide actionable intelligence on one of the actors that appear to have participated in the campaign, including a sample pro-Georgian type of cyber militia that apparently attempted to "risk-forward" the responsibility for waging cyberwar to third parties, including Russian and anti-Georgian supporters.

How come? In this post I'll provide actionable intelligence on what appears to be a currently active Brazilian supporter of the cyber attacks that took place circa 2009, with the idea to discuss in-depth the tools and the motivation of the cybercriminals behind the campaign.

Sample malicious URL known to have participated in the campaign:
hxxp://geocities.ws/thezart/

It's 2010 and I'm coming across a malicious and fraudulent file repository that can best be described as belonging to a key actor who managed to participate in, perhaps even orchestrate, the Russia vs Georgia cyber attacks circa 2009. Who is this individual? How did he manage to contribute to the attacks? Did he rely on active outsourcing, or was he hired to perform the orchestrated DDoS-for-hire attacks that took place back then? Keep reading.

It appears that a Brazilian user known as The Zart managed to participate in the Russia vs Georgia cyber attacks circa 2009 relying on a variety of tools and techniques, namely:

- DNS Amplification Attacks
- Web Site Defacement Tools
- Targeted Spreading of Vulnerable Legitimate Web Sites
- Automated Web-Site Exploitation - Long Tail of The Malicious Web

which basically resulted in a self-mobilized militia that actually participated in and launched the Russia vs Georgia cyber attacks circa 2009.

Related posts:
The Russia vs Georgia Cyber Attack
Who's Behind the Georgia Cyber Attacks?
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

Historical OSINT - Profiling a Rogue and Malicious Domain Portfolio of OEM-Pirated Software

February 07, 2019
In a cybercrime ecosystem dominated by fraudulent and malicious releases, cybercriminals continue relying on affiliate-based revenue-sharing schemes for the purpose of serving fraudulent and potentially malicious software, including OEM-themed pirated software, to millions of unsuspecting users globally.

In this post I'll profile a currently active fraudulent and malicious domain portfolio serving OEM-themed pirated software.

Related domains known to have participated in the campaign:
hxxp://store-software-7.com - Email: altsrv@gmail.com
hxxp://oem-store-software-7.com - Email: altsrv@gmail.com
hxxp://store-digital-software-7.com - Email: altsrv@gmail.com
hxxp://oem-digital-software-7.com - Email: altsrv@gmail.com
hxxp://shop-digital-software-7.com - Email: altsrv@gmail.com
hxxp://buy-shop-software-7.com - Email: altsrv@gmail.com
hxxp://buyshop-software-7.com - Email: altsrv@gmail.com
hxxp://store-buy-software-7.com - Email: altsrv@gmail.com
hxxp://digital-shopsoftware-7.com - Email: altsrv@gmail.com
hxxp://buy-shopsoftware-7.com - Email: altsrv@gmail.com
hxxp://digitalbuysoftware-7.com - Email: altsrv@gmail.com
hxxp://software-digital-store-7.com - Email: altsrv@gmail.com
hxxp://buy-shop-digital-7.com - Email: altsrv@gmail.com
hxxp://buyshop-digital-7.com - Email: altsrv@gmail.com
hxxp://buy-soft-digital-7.com - Email: altsrv@gmail.com
hxxp://soft-buy-digital-7.com - Email: altsrv@gmail.com
hxxp://softbuy-digital-7.com - Email: altsrv@gmail.com
hxxp://softwaredigital-7.com - Email: altsrv@gmail.com
hxxp://buy-softdigital-7.com - Email: altsrv@gmail.com
hxxp://softbuydigital-7.com - Email: altsrv@gmail.com
hxxp://storesoftware-oem-7.com - Email: altsrv@gmail.com
hxxp://digitalsoftware-oem-7.com - Email: altsrv@gmail.com
hxxp://store-oem-7.com - Email: altsrv@gmail.com
hxxp://soft-buy-oem-7.com - Email: altsrv@gmail.com
hxxp://digital-storeoem-7.com - Email: altsrv@gmail.com
hxxp://digitaloem-7.com - Email: altsrv@gmail.com
hxxp://digital-buyoem-7.com - Email: altsrv@gmail.com
hxxp://digitalbuy-shop-7.com - Email: altsrv@gmail.com
hxxp://buyoem-soft-7.com - Email: altsrv@gmail.com
hxxp://digital-buy-soft-7.com - Email: altsrv@gmail.com
hxxp://digitalbuy-soft-7.com - Email: altsrv@gmail.com
hxxp://digital-buysoft-7.com - Email: altsrv@gmail.com
hxxp://digitalbuysoft-7.com - Email: altsrv@gmail.com
hxxp://shopsoftware-buy-7.com - Email: altsrv@gmail.com
hxxp://software-store-buy-7.com - Email: altsrv@gmail.com
hxxp://digitalshop-buy-7.com - Email: altsrv@gmail.com
hxxp://digital-soft-buy-7.com - Email: altsrv@gmail.com
hxxp://digitalsoft-buy-7.com - Email: altsrv@gmail.com
hxxp://software-digitalbuy-7.com - Email: altsrv@gmail.com
hxxp://oem-digitalbuy-7.com - Email: altsrv@gmail.com
hxxp://softdigitalbuy-7.com - Email: altsrv@gmail.com
hxxp://digital-softbuy-7.com - Email: altsrv@gmail.com
hxxp://digitalsoftbuy-7.com - Email: altsrv@gmail.com
hxxp://digitaltributary.com - Email: altsrv@gmail.com
hxxp://oemstore-software-7.ru - Email: mikepanin1990@gmail.com
hxxp://digital-buy-software-7.ru - Email: mikepanin1990@gmail.com
hxxp://shop-buy-software-7.ru - Email: mikepanin1990@gmail.com
hxxp://buydigitalsoftware-7.ru - Email: mikepanin1990@gmail.com
hxxp://digital-buysoftware-7.ru - Email: mikepanin1990@gmail.com
hxxp://buysoftware-store-7.ru - Email: mikepanin1990@gmail.com
hxxp://software-buy-store-7.ru - Email: mikepanin1990@gmail.com
hxxp://buysoftwarestore-7.ru - Email: mikepanin1990@gmail.com
hxxp://oem-digitalstore-7.ru - Email: mikepanin1990@gmail.com
hxxp://software-oemstore-7.ru - Email: mikepanin1990@gmail.com
hxxp://store-digital-7.ru - Email: mikepanin1990@gmail.com
hxxp://storeoem-digital-7.ru - Email: mikepanin1990@gmail.com
hxxp://oembuy-digital-7.ru - Email: mikepanin1990@gmail.com
hxxp://shop-softwaredigital-7.ru - Email: mikepanin1990@gmail.com
hxxp://softwarebuydigital-7.ru - Email: mikepanin1990@gmail.com
hxxp://store-software-oem-7.ru - Email: mikepanin1990@gmail.com
hxxp://buy-software-oem-7.ru - Email: mikepanin1990@gmail.com
hxxp://software-digital-oem-7.ru - Email: mikepanin1990@gmail.com
hxxp://storedigital-oem-7.ru - Email: mikepanin1990@gmail.com
hxxp://softwareoem-7.ru - Email: mikepanin1990@gmail.com
hxxp://digitalsoftwareoem-7.ru - Email: mikepanin1990@gmail.com
hxxp://softwarestoreoem-7.ru - Email: mikepanin1990@gmail.com
hxxp://buysoftwareshop-7.ru - Email: mikepanin1990@gmail.com
hxxp://software-digitalshop-7.ru - Email: mikepanin1990@gmail.com

With software piracy continuing to increase and proliferate, it shouldn't be surprising that rogue and fraudulent affiliate-based networks will continue to make an impact globally, potentially exposing millions of users to a variety of risks, including malicious software.

Stay tuned for an updated set of fraudulent and malicious piracy-themed domains, to be published soon.

Historical OSINT - Profiling a Typosquatted Facebook and Twitter Impersonating Fraudulent and Malicious Domains Portfolio

February 07, 2019
With cybercriminals continuing to populate the cybercrime ecosystem with hundreds of malicious releases, including a variety of typosquatted domains, it shouldn't be surprising that hundreds of thousands of users continue falling victim to fraudulent malware- and exploit-serving schemes.

In this post I'll profile a currently active fraudulent and malicious typosquatted domain portfolio impersonating Facebook and Twitter for the purpose of enticing users into interacting with the rogue domains.

Related domains known to have participated in the campaign:
hxxp://sm-url.info
hxxp://sm-urls.info
hxxp://smurls.info
hxxp://smirl.info
hxxp://smalladdr.info
hxxp://sm-irl.info
hxxp://tnylnk.info
hxxp://tnysite.info
hxxp://smalink.info
hxxp://profilelink.info
hxxp://muypix.info
hxxp://profilehoster.info
hxxp://quiklynk.info
hxxp://tnyur.info
hxxp://skurls.info
hxxp://smrls.info
hxxp://smulrs.info
hxxp://snurls.info
hxxp://link-out.info
hxxp://make-small.info
hxxp://make-tiny.info
hxxp://makesmall.info
hxxp://maketiny.info
hxxp://maketny.info
hxxp://mehprofile.info
hxxp://muhprofile.info
hxxp://quickprofile.info
hxxp://quiklink.info
hxxp://quikprofile.info
hxxp://small-url.info
hxxp://smalllink.info
hxxp://tinyout.info
hxxp://go-out.info
hxxp://out-link.info
hxxp://tny-url.info
hxxp://posta-link.info
hxxp://tiny-out.info
hxxp://private-pics.info
hxxp://private-pix.info
hxxp://coool-pics.info
hxxp://sxypics.info
hxxp://sxypix.info
hxxp://my-link-out.info
hxxp://my-lynk.info
hxxp://go-to-my-pix.info
hxxp://my-profile-lnk.info
hxxp://smaller-link.info
hxxp://smaller-urls.info
hxxp://pics-url.info
hxxp://pix-url.info
hxxp://quick-pix.info
hxxp://quick-profile.info
hxxp://pics-links.info
hxxp://pix-links.info
hxxp://check-my-pics.info
hxxp://check-my-profile.info
hxxp://check-my-link.info
hxxp://click-links.info
hxxp://my-photo-profile.info
hxxp://photo-profile.info
hxxp://my-video-profile.info
hxxp://video-profile.info
hxxp://hotvideoprofile.info
hxxp://my-videos-profile.info
hxxp://myphotoprofile.info
hxxp://mypictureprofile.info
hxxp://mysexyphotos.info
hxxp://mysexypix.info
hxxp://mysexyvideos.info
hxxp://mysexyvids.info
hxxp://mysxyphotos.info
hxxp://mysxypics.info
hxxp://mysxypictures.info
hxxp://mysxyprofile.info
hxxp://mysxyvideos.info
hxxp://mysxyvids.info
hxxp://myvideoprofile.info
hxxp://myvideosprofile.info
hxxp://profile-link.info
hxxp://sxyprofiles.info
hxxp://myhotphotos.info
hxxp://myhotpictures.info
hxxp://myhotprofile.info
hxxp://myhotvideos.info
hxxp://myhotvids.info
hxxp://my-photos-r-cool.info
hxxp://my-profile-page.info
hxxp://my-cool-profile.info
hxxp://my-photo-spot.info
hxxp://my-profile-spot.info
hxxp://my-video-spot.info
hxxp://myphotopages.info
hxxp://myprofilepages.info
hxxp://photo-pages.info
hxxp://profile-pages.info
hxxp://videoz-profile.info
hxxp://myphoto-gallery.info
hxxp://myphoto-spot.info
hxxp://myvideo-spot.info
hxxp://myvideospot.info
hxxp://show-my-pictures.info
hxxp://show-my-videos.info
hxxp://show-my-vids.info
hxxp://show-off-pics.info
hxxp://show-off-vids.info
hxxp://show-your-photos.info
hxxp://check-my-page.info
hxxp://show-my-picx.info
hxxp://show-my-vidds.info
hxxp://my-profile-site.info
hxxp://profile-sites.info
hxxp://profile-space.info
hxxp://view-my-profile.info
hxxp://view-profile.info
hxxp://profile-link2.info
hxxp://profile-link3.info
hxxp://profile-link4.info
hxxp://profile-link5.info
hxxp://profile-link6.info
hxxp://profile-link7.info
hxxp://profile-link8.info
hxxp://twitpic-1.info
hxxp://twitpic-2.info
hxxp://twitpic-3.info
hxxp://twitpic-4.info
hxxp://my-pictures-domain.info
hxxp://photo-profile-sites.info
hxxp://picture-profile-site.info
hxxp://picture-profile-sites.info
hxxp://picture-profiles.info
hxxp://video-profile-site.info
hxxp://video-profile-sites.info
hxxp://myprofile-site.info
hxxp://photo-gallery-sites.info
hxxp://photogallery-site.info
hxxp://photogallery-sites.info
hxxp://theprofileiste.info
hxxp://photo-galleries-1.info
hxxp://photo-galleries-10.info
hxxp://photo-galleries-2.info
hxxp://photo-galleries-3.info
hxxp://photo-galleries-4.info
hxxp://photo-galleries-5.info
hxxp://photo-galleries-6.info
hxxp://photo-galleries-7.info
hxxp://photo-galleries-8.info
hxxp://photo-galleries-9.info
hxxp://unrated-profiles-1.info
hxxp://unrated-profiles-10.info
hxxp://unrated-profiles-2.info
hxxp://unrated-profiles-3.info
hxxp://unrated-profiles-4.info
hxxp://unrated-profiles-5.info
hxxp://unrated-profiles-6.info
hxxp://unrated-profiles-7.info
hxxp://unrated-profiles-8.info
hxxp://unrated-profiles-9.info
hxxp://unrated-profile-1.info
hxxp://unrated-profile-10.info
hxxp://unrated-profile-2.info
hxxp://unrated-profile-3.info
hxxp://unrated-profile-4.info
hxxp://unrated-profile-5.info
hxxp://unrated-profile-6.info
hxxp://unrated-profile-7.info
hxxp://unrated-profile-8.info
hxxp://unrated-profile-9.info
hxxp://r-rated-photos-1.info
hxxp://r-rated-photos-10.info
hxxp://r-rated-photos-2.info
hxxp://r-rated-photos-3.info
hxxp://r-rated-photos-4.info
hxxp://r-rated-photos-5.info
hxxp://r-rated-photos-7.info
hxxp://r-rated-photos-8.info
hxxp://r-rated-photos-9.info
hxxp://r-rated-profile-1.info
hxxp://r-rated-profile-10.info
hxxp://r-rated-profile-2.info
hxxp://r-rated-profile-3.info
hxxp://r-rated-profile-4.info
hxxp://r-rated-profile-5.info
hxxp://r-rated-profile-6.info
hxxp://r-rated-profile-7.info
hxxp://r-rated-profile-8.info
hxxp://r-rated-profile-9.info
hxxp://unrated-gallery-1.info
hxxp://unrated-gallery-10.info
hxxp://unrated-gallery-2.info
hxxp://unrated-gallery-3.info
hxxp://unrated-gallery-4.info
hxxp://unrated-gallery-5.info
hxxp://unrated-gallery-6.info
hxxp://unrated-gallery-7.info
hxxp://unrated-gallery-8.info
hxxp://unrated-gallery-9.info
hxxp://profile-unrated-1.info
hxxp://profile-unrated-10.info
hxxp://profile-unrated-2.info
hxxp://profile-unrated-3.info
hxxp://profile-unrated-4.info
hxxp://profile-unrated-5.info
hxxp://profile-unrated-6.info
hxxp://profile-unrated-7.info
hxxp://profile-unrated-8.info
hxxp://profile-unrated-9.info
hxxp://iprosa.com
hxxp://sm-urls.com
hxxp://snkirl.com
hxxp://tnulk.com
hxxp://smulx.com
hxxp://tnysnorl.com
hxxp://supalnk.com
hxxp://tnyweb.com
hxxp://smlnk.com
hxxp://profilehoster.com
hxxp://make-small.com
hxxp://my-link-out.com
hxxp://url-out.com
hxxp://profile-out.com
hxxp://tiny-out.com
hxxp://posta-link.com
hxxp://coool-pics.com
hxxp://twitpics-1.com
hxxp://twitpics-4.com
hxxp://twitpics-2.com
hxxp://twitpics-3.com
hxxp://profile-video-gallery.com
hxxp://fb-photo-gallery.com
hxxp://fb-gallery.com
hxxp://profile-photo-gallery.com
hxxp://profilegallerysite.com
hxxp://profilepicturesite.com
hxxp://my-profile-gallery.com
hxxp://profile-gallery.com
hxxp://profile-galleries.com
hxxp://her-profile-pictures.com
hxxp://her-picture-sites.com
hxxp://her-photo-site.com
hxxp://gallery-link.com
hxxp://her-photo-sites.com
hxxp://her-profile-photos.com
hxxp://her-profile-out.com
hxxp://her-profiles.com
hxxp://her-picture-site.com
hxxp://photosites-now.com
hxxp://photos-for-fb.com
hxxp://photosforfb.com
hxxp://photo-galleries-onilne.com
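Both this portfolio and the OEM pirated-software portfolio above are clearly generated from templates: permutations of a small vocabulary (buy/shop/store/digital/software/oem/soft plus a trailing "7") registered under one of two e-mails, and numbered series such as profile-unrated-1 through -10 or twitpic-1 through -4. The following is an added example, not part of either original post, of how to cluster such a list into naming families so that a registrar abuse report or a blocklist can cover the whole family rather than the individual names seen so far. The sample portfolio is a constructed subset of the domains and registrant e-mails listed in the two posts; the token vocabulary used to split run-together labels is an assumption drawn from the lists, and the function names are mine.

```python
"""Cluster a domain portfolio into naming families.

Added example, not code from the original posts. Groups domains by
(a) registrant e-mail, (b) numeric template (digit runs replaced by '#')
and (c) the multiset of word tokens, so permutations such as
buy-shop-software-7 / shop-buy-software-7 / buyshop-software-7 collapse
into one family.
"""
import re
from collections import defaultdict

# Constructed sample: a few entries from each of the two portfolios above.
# Registrant e-mails are the ones listed in the OEM post; None = not listed.
SAMPLE_PORTFOLIO = [
    ("buy-shop-software-7.com", "altsrv@gmail.com"),
    ("buyshop-software-7.com", "altsrv@gmail.com"),
    ("shop-buy-software-7.ru", "mikepanin1990@gmail.com"),
    ("software-buy-store-7.ru", "mikepanin1990@gmail.com"),
    ("buysoftwarestore-7.ru", "mikepanin1990@gmail.com"),
    ("profile-unrated-1.info", None),
    ("profile-unrated-10.info", None),
    ("unrated-profile-3.info", None),
    ("twitpic-1.info", None),
    ("fb-photo-gallery.com", None),
]

# Assumed vocabulary for splitting run-together labels such as 'buysoftwarestore'.
# Longer words come first so 'software' is not consumed as 'soft' + 'ware'.
VOCAB = ["software", "digital", "unrated", "twitpic", "gallery", "profile",
         "store", "photo", "shop", "soft", "buy", "oem", "fb"]


def registrable_label(domain: str) -> str:
    """Strip the TLD; one label is enough for the .com/.ru/.info names here."""
    return domain.lower().rsplit(".", 1)[0]


def numeric_template(label: str) -> str:
    """profile-unrated-10 -> profile-unrated-#"""
    return re.sub(r"\d+", "#", label)


def tokenize(label: str) -> tuple:
    """Split a label into vocabulary tokens; unknown fragments are kept whole.

    Returns a sorted tuple so permutations of the same words compare equal.
    """
    tokens = []
    for part in numeric_template(label).split("-"):
        while part:
            for word in VOCAB:
                if part.startswith(word):
                    tokens.append(word)
                    part = part[len(word):]
                    break
            else:
                tokens.append(part)   # '#' or a fragment outside the vocabulary
                part = ""
    return tuple(sorted(tokens))


def cluster(portfolio):
    """Return three groupings: by registrant, by numeric template, by token set."""
    by_registrant = defaultdict(list)
    by_template = defaultdict(list)
    by_tokens = defaultdict(list)
    for domain, email in portfolio:
        label = registrable_label(domain)
        by_registrant[email or "unknown"].append(domain)
        by_template[numeric_template(label)].append(domain)
        by_tokens[tokenize(label)].append(domain)
    return by_registrant, by_template, by_tokens


def families(by_tokens, min_size: int = 2) -> list:
    """Token families with at least min_size members, largest first."""
    return sorted(((key, members) for key, members in by_tokens.items()
                   if len(members) >= min_size),
                  key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    by_registrant, by_template, by_tokens = cluster(SAMPLE_PORTFOLIO)
    for email, names in by_registrant.items():
        print(f"{email}: {len(names)} domains")
    for key, members in families(by_tokens):
        print("+".join(key), "->", members)
```

The token families are what you want to watch: once buy/shop/software/7 is known to be one actor's template, new registrations with the same token multiset are a strong lead even before anything is hosted on them. The registrant grouping only works while the registrar exposes an e-mail in WHOIS, which was still common when these lists were compiled and is rare today.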

Stay tuned for an updated set of typosquatted malicious and fraudulent domains impersonating popular brands, to be published soon.

Historical OSINT - Able Express Courier Service Re-Shipping Mule Recruitment Scam Spotted in the Wild

February 07, 2019
I've recently intercepted a currently circulating malicious and fraudulent spam campaign impersonating "Able Express Courier Service" as part of a re-shipping mule recruitment scam potentially targeting tens of thousands of unsuspecting users globally.

Sample malicious URL known to have participated in the campaign:
hxxp://ablecs.biz - 104.31.82.184 - Email: phyllisjhurst@grr.la

Sample Mailing Address:
PO Box 34459
Bartlett, TN 38184-0459
United States
+1 (888) 597-5808

The service positions itself as follows: "Able Express Courier Service has been providing forwarding services for more than three years now. Our staff consists of experienced professionals who regularly get certified and verified for competency. Over the years, Test Compant inc has delivered packages to a variety of places and gained many major business partners all around the world."

Sample Screenshots of the Malicious and Fraudulent Service:

Stay tuned for an additional set of details regarding re-shipping money mule recruitment scams, to be published soon.

Historical OSINT - Global Postal Express Re-Shipping Mule Recruitment Scam Spotted in the Wild

February 07, 2019
Continuing the series of posts detailing the activities of currently circulating malicious and fraudulent spam campaigns targeting potential money mule recruits, I've recently come across Global Postal Express, which describes itself as follows:

"We Provide best in service global logistics through our people by building lasting relationships with the commitment to prioritize our customer needs to generate financial results. Be the leader in the development of integrated logistics strategies by offering the highest levels of quality, reliability and exceptional customer service while strategically growing nationally and internationally."

Sample malicious URL known to have participated in the campaign:
hxxp://globalpostalexpress.net - Email: globalpostalexpressinc@gmail.com

Sample Mailing Address:
2549 Harris Ave, Sacramento, CA 95838, U.S.A
+1 (719) 838 2416

Sample Screenshots of the Service in Action:

Sample Screenshots of the Related Malicious Domains Known to Have Participated in the Campaign:

Related malicious URLs known to have participated in the campaign:
hxxp://www.marannata.com
hxxp://wellburton.com
hxxp://stecoexpress.com
hxxp://mag-trading.com

Stay tuned for an additional set of details regarding re-shipping money mule recruitment domain portfolios, to be published soon.

Historical OSINT - Re-Shipping Money Mule Recruitment "Your Shipping Panel LLC" Scam Domain Portfolio Spotted in the Wild

February 07, 2019
The time has come to profile a recently intercepted and currently active re-shipping money mule recruitment campaign successfully enticing users into interacting with the rogue and bogus content, thereby risk-forwarding the fraudulent transaction to the unsuspecting user.

Sample malicious URL:
hxxp://yourshippingpanel.com

Sample Mailing Address:
One World Trade Center, New York, NY, 10007, USA
+1 (606) 879-0046

Sample Company Description:
"Your Shipping Panel LLC" positions itself as follows: "Founded in 1995, is a package delivery company with services to Eastern Europe as well as to all the countries of the former Soviet Union. Over the years, Your Shipping Panel LLC has grown into an industry leader by focusing on the goal of connecting customers in the United States with their families, friends and businesses in Eastern Europe. This also includes e-commerce between those countries. Today, Your Shipping Panel LLC has become a dominant force in package delivery with services to Ukraine, Russia, Belarus, Moldova, Uzbekistan, Kazakhstan, Kyrgyzstan, Georgia, Azerbaijan and Armenia. Our specialized transportation and logistics services to those countries lead the way as the most recognized brand in North America."

Sample Screenshots of The Related Web Sites Known to Have Been Involved in the Campaign:

Related domains known to have participated in the campaign:
hxxp://meestshipping.com
hxxp://www.bellwordcourier.site
hxxp://unitedmorganexpresslogistics.com
hxxp://fastexmega-delivery.com
hxxp://supremelight-globaldelivery.com
hxxp://mngcargocourier.com
hxxp://fastex-uk.com
hxxp://bequem-gh.com
hxxp://diamonddeliverys.com
hxxp://leadasialogistic.com
hxxp://diplomatcourierservices.com
hxxp://solacec.com

Stay tuned for an additional portfolio of re-shipping money mule recruitment scam domains, to be published soon.

The Current and Future Cyber Threat Landscape - 2019 - A Prediction and Current Trends Analysis

February 06, 2019

- old school hacktivism - the rise and the decline of the Web site defacement hacktivism market segment can largely be attributed to a variety of pro-hacking groups internationally that will inevitably continue to cause havoc and affect the infrastructure of major and boutique Web sites on a global scale

- URL shortening services
- compromised legitimate Web site
- opt-in activism
- ransomware
- monetization
- malicious economies of scale
- cyber warfare
- information warfare

Astalavista Security Group - Official Campaign Announcement

February 03, 2019
Dear blog readers, I wanted to let you know that I've recently launched a crowd-funding campaign on Indiegogo - "Astalavista Security 2.0 - A Hacker in Every Home" - with the idea to raise the necessary funds for the upcoming launch of the World's Largest and Most Popular Information Security Portal.

UPDATE: I wanted to let everyone know that I've just posted the following updates regarding the upcoming launch of the portal. How can you help? Consider spreading the word further and possibly making a modest donation to keep the campaign going.

Stay tuned for an additional set of campaign details to be published soon, including in-depth information regarding the history of the Portal and the Scene the way we know it throughout the 90's.

Remember Astalavista Security Group - The Underground? It used to be my primary working place throughout the 90's, and I wanted to say thanks to everyone who expressed interest in the resurrection of the portal, including feedback and personal donations.

Users interested in contributing modest funds can always approach me at dancho.danchev@hush.com, or via the following Live Skype Conversation Link, for the purpose of managing and operating the campaign and the upcoming launch of the portal.

Looking forward to receiving your feedback, suggestions and general questions.

Stay tuned!

Undermining Underground Black Markets - An Analysis

January 31, 2019
Sometimes, too much rationalism is precisely the worst possible mode of thinking next to apathy, and, as usually happens, great and socially oriented visions never materialize due to their poor execution or wrongly perceived critical success factors.

A recently proposed model to disrupt the computer underground's black markets by impersonating the traders and undermining their reputations, making them look like "leechers" and "rippers", is laudable but futile, at least in respect to the proposed undermining approaches against these communities:

The concepts discussed are like fighting child pornography by pretending to be a child pornographer who, when supposedly exchanging child porn, sends back 70+ video footage - definitely outrageous.

How do you get inside an online child porn exchange ring? Theoretically, by demonstrating how sick you are, by proving you have a collection, and by "contributing" to the growth of the scene in order to prove you're

If you just think over the idea of disrupting the communication channels by which illegally obtained data gets transferred online, you'll end up with the realistic answer that all such attempts are futile; that's the nature of the Web, to stimulate communication and interaction in new channels that get discovered on a monthly basis.

Moreover, the way cyber jihadists are already embracing the Dark Web and hiding behind "crawlers are not welcome here" authentication-based sites, underground markets for such goods have

The tactics mentioned

Here's another interesting description of the people's information warfare concept:

"I don't see in this a big tragedy," said a respondent who used the name Lightwatch. "Western countries played not the smallest role in the fall of the Soviet Union. But the Russians have a very amusing feature - they are able to get up from their knees, under any conditions or under any circumstances. As for the West? 'You are getting what you deserve.'"

The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compromise - An Open Letter to the U.S Intelligence Community

January 24, 2019
I recently came across the most recently published DoD Cyberspace Strategy 2018, which greatly reminded me of a variety of resources I recently took a look at while catching up with some of the latest cyber warfare trends and scenarios. Do you want to be a cyber warrior? Do you want to "hunt down the bad guys"? Watch out - Uncle Sam is there to spank the very bottom of your digital irrelevance. How come?

It appears that the U.S. is re-claiming dominance over the "communication channel" using a variety of real-life oriented cyber threats, including referencing and citing security researchers and NGOs (non-governmental organizations) as potential threats. Takes you back, doesn't it? If it's going to be massive it better be good.


It's been several years since I last posted a quality update, following my disappearance and possible kidnapping attempt circa 2010. What really took place during that period? The rise of ransomware? The rise of tech support scams? Yet another botnet currently spreading in the wild? A market-driven buzzword generation? Take that - ransomware is there to take care; hundreds of thousands of supposedly relevant IOCs (Indicators of Compromise) and TTPs (tactics, techniques and procedures) discussed to the bottom of your PR-relevant online presence. The rise of the Threat Hunter career opportunity, basically empowering you with the almighty skills to "track down" and "shut down" the bad guys? You wish - Uncle Sam is always there to take care.

Let's discuss the Threat Intelligence market segment and offer an in-depth look at its inner workings, including its place in today's modern Intelligence Community, which is now realizing the consequences of what was once a proprietary network known as the Internet having become today's modern cyber warfare operational battlefield.


Many of my blog readers are familiar with my work throughout the years; what you might not be aware of is that throughout the 90's I pioneered the position of Technical Collector, processing hundreds of malicious and user-friendly Trojan Horses, also known as Remote Backdoors and later described as Remote Access Tools, during my hacker-enthusiast years as an independent contractor and novice hacker working with the market-leading LockDownCorp anti-trojan software. This led to what would later be better described as the foundations of the Threat Intelligence market's qualitative Technical Collection, including the very basics of CYBERINT.

Let's now discuss in-depth the current state of the Threat Intelligence market segment in the context of today's modern U.S. Intelligence Community.

  • Indicators of Compromise - the very basics of formulating a new buzz-word for what was once a proprietary term coined by the Intelligence Community to populate and disseminate actionable nation-state Cyberspace data to a variety of defensive and offensive Cyber Warfare Units. It can be best described as a New Age of responsive and proactive OSINT-type acquisition methodologies: a new way to acquire leaked data and potential data-and-resource exposure in a variety of automated ways. The very basics of the Threat Intelligence market segment, in the context of potential Indicators of Compromise leaks, can be best tackled by offering central repositories with "government-free" access, including a nation-state Early Warning System for potential Cyberspace threat data and a variety of Indicators of Compromise, to prevent wide-spread data and information leaks and further protect the U.S Government from current and emerging threats.
  • Corporate Sector Data Mining Should Be Considered - what was once best known as "conducting cyber espionage through botnets", including "cyber espionage through data mining of malware-infected corporate networks", can be best described as today's proposed central Incident Response-based repository, empowering the U.S Intelligence Community with the necessary data and expertise to stay ahead of and act upon current and emerging cyber threats.
  • Private Sector Cooperation and the "You Wish" mentality - the general assumption that the private sector will continue to cooperate and empower the U.S Intelligence Community with the necessary data, information and knowledge should be considered the wrong approach to further protecting the U.S national infrastructure and proactively responding to current and emerging cyber threats. What can best be done to further protect the U.S Government from current and emerging threats is a modern central repository of Cyber Threat Data with "government-free" access.
  • Slicing the Threat into Pieces Should Be Ignored - the process of slicing the threat "into pieces" is today's modern world of PR agencies and Threat Intelligence market segment intermediaries, including the active labeling of a particular group of interest or individual as a separate entity, leading to overall confusion when it comes to actually providing actionable Threat Intelligence to the U.S Intelligence Community that could ultimately better protect the U.S National Infrastructure. With the mainstream media continuing to raise the buzz around popular terms and newly coined cyber threat actor groups, in the face of the rise of the "advanced persistent threat" media-buzz generating initiative, it should be clearly noted that labeling a specific cyber threat actor in the public domain is an irrelevant exercise in the broad context of providing the U.S Intelligence Community with the necessary data, information and knowledge to stay ahead of current and emerging cyber threats.
  • Tactics, Techniques and Procedures Should Be Ignored as a Buzz-Word - the very basics of coining a term to describe what is really a general cyber threat methodology, known as qualitative assessment, should be considered a possible flag-raising operation and a possible source of confusion in the broader context of discussing and reacting to current and emerging cyber threats.
  • The Rise of the "Threat Hunter" Cyber Security Career Position Is Already Causing Headaches - the rise of the "Threat Hunter" career position can be best described as a complete failure to understand the basics that drive today's modern Cyber Warfare Team, including possible defensive and offensive Cyber Warfare Units and Cyber Operations Groups. With everyone "interested" in becoming a Cyber Warrior, including a possible "Threat Hunter", it should be noted that the over-supply of private-sector companies stealing revenue from Uncle Sam for the purpose of enriching and disseminating actionable Threat Intelligence keeps increasing, resulting in the overall demise of what was once proprietary technology and know-how in the hands of a few who truly grasped the market and its potential, successfully serving the needs of the U.S government for years to come.
  • The Rise of Secondary Markets for IOCs Should Provide "Government-free" Access - the general over-supply of market-segment-driven repositories of actionable Threat Intelligence data can be attributed to a variety of factors, including the rise of the Threat Intelligence market segment itself, and should be considered a reason for the U.S Intelligence Community to clearly seek a technical and potentially market-relevant way to populate a Cyber Threats database using public and proprietary sources, with clear "government-free" access in mind.

Current Proposals to the U.S Intelligence Community in Terms of Threat Intelligence and Nation-State Actors:

  • Clustered Activity - taking into consideration the fact that on the majority of occasions quality Threat Intelligence-type data is publicly obtainable using a variety of public and potentially proprietary sources, it should be considered feasible for the U.S Intelligence Community to build, manage and operate a proactive Cyber Threats anticipation platform, including a possible Early Warning-based, OSINT-capable system able to anticipate and act upon current and emerging threats with cluster-based data mining and information processing capabilities serving the needs of the U.S Intelligence Community.
  • Government-free Access - the very notion that an India-based company will successfully manage, launch and operate a Threat Intelligence business should be largely ignored for the sake of figuring out a way to obtain access to that company's Threat Intelligence data, information and knowledge, citing potential National Security issues. What should be considered in terms of obtaining access to a company's database, citing potential National Security issues, is the so-called notion of a "government-free" access-based private sector partnership.
  • Talent Acquisition Roles - in today's modern Talent Acquisition Wars it should be clearly noted that a select set of key individuals can greatly contribute to the overall demise of cybercrime internationally, taking into consideration the overall demise of the "Wisdom of the Crowds" market-segment-driven concept. What should be considered when hiring top-notch Cyber Warfare and Information Warfare personnel shouldn't necessarily be years and decades of experience but the overall disruptive degree of the individual in terms of "making a change" and "making an impact", compared to a certification-driven crowd of individuals.
  • Central Repository - what the modern U.S Intelligence Community can do to better protect the nation's Infrastructure should be something along the lines of a central, private-sector-driven repository of Threat Intelligence-type data, including the notion of "government-free" access to a public or proprietary company's information and data assets.

Exposing Iran's Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis

January 16, 2019
Remember my most recently published "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran - Report"? The report details and discusses in depth the most prolific Iran-based government-sponsored and government-tolerated hacking groups, including the following:

- Ashiyane Digital Security Team
- Iranhack Security Team
- Iranian Datacoders Security Team
- Iran Security Team a.k.a SEPANTA Team/Iran Cyber Army 2012/2013
- IDH Security Team
- Bastan Security Team
- NOPO Digital Security Team
- Shekaf Security Team
- Mafia Hacking Team
- Iran Black Hats Team
- Delta Hacking Security Team
- Digital Boys Underground Team
- IrIst Security Team

I recently came across the FBI's Most Wanted Cybercriminals List and decided to elaborate by providing actionable Threat Intelligence on some of the most wanted Iranian cybercriminals, with the idea of helping law enforcement, informing the security industry and ensuring that the cybercriminals behind these campaigns can be properly tracked down and prosecuted.

I can be reached at dancho.danchev@hush.com

In this OSINT analysis I'll provide actionable intelligence, including personally identifiable information, on some of the FBI's Most Wanted Iranian cybercriminals, including Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Mohammad Sadegh Ahmadzadegan, Omid Ghaffarinia, Sina Keissar and Nader Saedi, as well as the infamous ITSec Team and the Mersad Co. company.

Personally Identifiable Information regarding Sun Army Team Members including ITSec Team and the Mersad Co. company:

Sun Army Team Members:
Nitrojen26, Mehdy007, MagicCoder, tHe.Mo3tafA, Plus, BodyGuard

Sample Network Infrastructure Reconnaissance:
hxxp://sun-army.org - 185.53.179.10 - Email: Sun.Army@asia.com; Lord.private@ymail.com

Name: Omid Ghaffarinia
Handle: Plus
Email: omid.ghaffarinia@gmail.com; plus.ashiyane@gmail.com; omid.ghaffarinia@alum.sharif.edu
Phone: 091 2444 9002
Web Site: http://alum.sharif.ir/~omid.ghaffarinia/; http://omidplus.persiangig.com/
Social Media Accounts: https://plus.google.com/109226633947780718251

Personal Photos of Omid Ghaffarinia a.k.a Plus:

Sample Personal Photos from a Train Trip:

Handle: MagicCoder
Email: MagicC0d3r@gmail.com
Web Site: http://magiccoder.ir

Handle: Mehdy007
Email: mehdy007@hotmail.fr
Web Site: http://mehdy007.persiangig.com

Sample Sun Army Cover Art Photos:

ITSec Team a.k.a Amn pardazesh kharazmi a.k.a Pooya Digital Security Group Members:
Pejvak, M3hr@n.S, Am!rkh@n, Doosib, H4mid@Tm3l, R3dm0ve, Provider, ahmadbady

Sample Team Member Personally Identifiable Information:
Name: Amin Shokohi
Handle: Pejvak
Email: pejv4k@yahoo.com
Web Site: http://pejv4k.persiangig.com; http://pejv4k.110mb.com

Handle: Mehr@n.S
Email: M3hran.S@gmail.com

Sample Network Infrastructure Reconnaissance:
http://itsecteam.com/

Social Network Graph of Sun Army Team Members including ITSec Team Members and the Mersad Co. company:

Name: Mohammad Sadegh Ahmadzadegan
Handle: Nitrojen26
Email: nitr0jen26@asia.com; Nitrojen26@yahoo.com; me@sadahm.net
Web Site: hxxp://sadahm.com
Social Media Accounts: https://twitter.com/nitrojen26

Sample Personal Photos of Mohammad Sadegh Ahmadzadegan a.k.a Nitrojen26:

Sample Mersad Co. Company Logo:

Sample Network Infrastructure Reconnaissance:
hxxp://mersad.co/ - 188.40.112.196
hxxp://mersadco.ir

Mohammad's life has been strongly tied to programming. After graduating in Computer Engineering, he studied IT (E-Commerce) for his Master's to learn more about the relationship between business and technology. You can find some large-scale software projects managed by him, like Iran's SOC, SDIDS, Jolfa Vulnerability DB, etc. Now he is a university lecturer and also CEO of Mersad Co. and one of TKJ Co.'s consultants. Mohammad is here to help you manage a good development team and guide you to make better use of technology to achieve your business goals.

Personal Photos of Mersad Co. CEO Mohammad Hamidi Esfahani:

Personally Identifiable Information regarding Mersad Co. Company CEO Mohammad Hamidi Esfahani:

Name: Mohammad Hamidi Esfahani
Email: m.hamidi.es@gmail.com
Phone: 0913-304-7591
Web Sites: http://www.mohammadhamidi.ir/
Social Media Accounts: https://www.facebook.com/mohammad.hamidi; https://twitter.com/haj_mamed; https://github.com/mohammadhamidi; https://medium.com/@haj_mamed; https://plus.google.com/+mohammadhamidiEsfahani

Sample Mersad Co. Personal Company Photos:

Stay tuned!