Mitigation

Analysis and Takeapart of a UPS Parcel Shipping Problem Spoof

Member for

8 months 3 weeks
Submitted by AlReaud on Tue, 02/28/2017 - 19:26

At least once a week I get attachments from a “reputable” organization saying my account (that I don't have) has been locked due to suspicious activity being detected, a bank account (that I don't have) needs verification, or there is a problem with the shipment of a parcel (I didn't order). This week I got an interesting one from "Jordan Mccabe, UPS Station Manager". Sadly the sending individual doesn't know enough about the target to realize that "UPS" and "Post Office", well, kind of mismatch. But this one got me interested in doing some reverse engineering of the suspicious attachment because of its small size, only 817 bytes.

The text of the email is as follows:
Date: 02/26/2017 01:35 AM
From: virtual-user <webmaster@lippocastano.it>
Subject: Parcel #001210497 shipment problem, please review
To: Me
Body:

Dear Customer,
Your item has arrived at the UPS Post Office at February 25, but the courier was unable to deliver parcel to you.
Postal label is enclosed to this e-mail. Please check the attachment!
Yours sincerely,
Jordan Mccabe,
UPS Station Manager.

Attachment: UPS-Parcel-ID-001210497.zip
Attachment Checksum (MD5): 3e01923b9fd179c864bf40caffb21786

Screen capture of UPS Trojan Attachment Email showing highlights.

The highlighted areas indicate areas that commonly give away the fact that it is a spoof. Usually the sender address is strange or wrong, the grammar is wrong, and the context of the message is wrong.

Unzipping the attachments creates a second zip file with a

Beware the www.support.me phone scam...

Submitted by AlReaud on Sun, 02/26/2017 - 19:48

I got a call from (212) 877-1620, which is a Verizon New York number on Friday, February 24 2017. This number had been trying to reach me almost daily since February 14. Must have been an important call if they are doing that, so I answered. The guy on the other line was from a "Microsoft Certified support provider" (Right frown) who wanted to let me know that they had detected my Windows computer putting out malware. Really? Which computer? I have four computers up and running. Oh, the one you are on now. That's pretty interesting, I told him, the computer was powered down. Oh, we have logs of it he said. He had one of those Mumbai British accents that lets the cat jump right out of the bag, if you know what I mean…

The truth of the matter is that I have ZERO computers that have Windows on them, I only run versions of Linux. wink So I started feeding him line and slowly reeling him in. I was able to troll him for about 17 minutes (You want to keep them on the line as long as possible, as it cuts down their effectiveness). We get started right away, as he tells me it's a critical problem, and it has to be fixed right away. Sure, right! Let's try to open the command prompt running Windows-Key+R. Doesn't work. No command prompt shows up. Should I be doing a capital "R"? No, just Windows-Key+R. So we go through a few permutations of the opening of the command prompt in Windows. Doesn't work.

OK, could you open Internet Explorer. How? Spend a few minutes on that. No can't do that either. How about some other browser? Sure I have Firefox. Ok, that works (because I'm looking for a website address, LOL). OK, so he sends me to http://www.support.me, which immediately redirects me

Back-Hacker Blog

Submitted by AlReaud on Sun, 11/13/2016 - 14:17

The Back-Hacking Blog came into existence around December 2011 after I started using Kali Linux. It comes from the idea of defending against hackers in a manner similar to Krav Maga. The putative system or security administrator doesn't just sit there passively receiving attacks; rather, in the background they start probing the intruder's system, looking for weaknesses and exploits and using all of the tools available. However, make sure you read that first Back-Hacking link (and this one). There are legal, ethical and logistical questions to be addressed. Sometimes it is quite effective, as related in SunTrust Spoof: Additional ways of protecting your SunTrust access. The other side of the coin is that it is not for the uninitiated. You may compromise your systems, open yourself or your organization to legal liability or criminal prosecution depending on your jurisdiction, and/or straight up waste your time. My personal position is that it is like carrying a concealed weapon, to be used only justifiably in self-defense.

SunTrust Spoof: Additional ways of protecting your SunTrust access

Submitted by AlReaud on Tue, 09/27/2011 - 19:50

Updated: 11/6/2016

This is a recent phish wherein you get the following email (allegedly) from SunTrust Bank:

Subject: Additional ways of protecting your SunTrust access
From: "Suntrust"<infor@suntrust.com>
SunTrust Online Banking Alert:

Banking with SunTrust Online is about to become even more secure!
As a valued SunTrust online customer, the security of your identity and personal account information is extremely important. We are installing Enhanced Online Security as an additional

Hacker Mitigation

Submitted by AlReaud on Tue, 09/27/2011 - 19:03

This is a series dedicated to ensuring that hackers and phishers can do no harm to your computer or your finances. Computer security basics will not be covered in this series.

We shall differentiate between two species of attacker as follows:

  • HACKER - The hacker (or cracker, depending on your school of thought) is an individual or bot that attempts to seize your machine via remote access. On operating systems that allow for a remote shell or graphical user interface with remote access, the remote login features are attacked via malware or social engineering. If successful, such attacks gain control of the hardware and operating system, allowing the creation of further bots, spam factories, etc.
  • PHISHER - The phisher is an individual or bot that attempts to steal your identity, banking information, and/or other sensitive financial/personal information via mostly social engineering based attacks. Getting a victim to click on a link going to a website that spoofs an actual one, let's say a bank's, has become very common. Such a spoof tricks you into divulging personal information to information thieves via spurious websites and forms. This is the hardest kind of attack to stop, as current Internet security applications have no control over the operation of the wetware.

In the following, examples are given 

Whois as a tool to prevent scamming on Craigs List Job Ads

Submitted by AlReaud on Tue, 06/14/2011 - 19:30

To those of us that have to look for a job, Craigs List is a good tool, but with some serious identity theft risks involved. In Fort Collins, there has been a rash of fake advertisements posted for usually high-end technician/engineering jobs: Automated Guided Vehicle Technician, R & D Technician, etc. Some of these look like to-die-for jobs. You apply, send off a resume, and then you get an email, usually from a free email service, like Hotmail, Gmail, etc.: