A very convincing Typosquatting + Social Engineering campaign is targeting Santander corporate customers in Brazil, (Mon, Mar 6th)

This is a guest diary submitted by Renato Marinho. Distracted users mistyping the first n when accessing www.santanderempresarial.com.br are subject to banking credentials theft and a very convincing phone call from a pretended Santander's attendant. The call's reason? To collect the victim's OTP token combination and proceed with previously prepared fraudulent. This is the exact …

Another example of maldoc string obfuscation, with extra bonus: UAC bypass, (Sun, Mar 5th)

I had to help out someone with this sample. It contains obfuscated strings like these: Notice the Like operator. This is a strong indication that the strings are obfuscated by adding extra characters (e.g. the string left of the Like keyword). If we remove all these extra characters, we end up with this: This PowerShell …

How your pictures may affect your website reputation, (Sat, Mar 4th)

In a previous diary[1], I explained why the automatic processing of IOCs (Indicator of Compromise) could lead to false positives. Here is a practical example found yesterday. I captured the following malicious HTML page (MD5: b55a034d8e4eb4504dfce27c3dfc4ac3)[2]. It is part of a phishing campaign and tries to lure the victim to provide his/her credentials to get …

BitTorrent or Something Else?, (Fri, Mar 3rd)

I was looking at a curious uptick in traffic to TCP port 6881. What caught my eye was that it was an immediate uptick from almost nothing and it has been sustained over a couple of weeks. Also, the number of sources has risen significantly compared to the past year. Here's what it looked like over the past …

Phishing for Big Money Wire Transfers is Still Alive and Well (or: For Want of Good Punctuation, all was Lost), (Thu, Mar 2nd)

I recently had a client get an interesting phishing message. They had received a fake message from their CEO to their Controller – a "start the conversation" email to end up with a wire transfer. Some technical warning signs in that note were: While the From field in Outlook showed the CEO's email, …

Infected Apps in Google Play Store (it's not what you think), (Thu, Mar 2nd)

Xavier pointed me towards a new issue posted on Palo Alto's Unit 42 blog – the folks at PA found apps in the Google Play store infected with hidden-iframe type malware. 132 apps (so far) are affected, with the most popular one seeing roughly 10,000 downloads. But we're not at the end of the trail …

Amazon S3 Outage, (Tue, Feb 28th)

Amazon is experiencing an outage of its S3 service (Simple Storage Service) for a few hours. According to the Amazon status dashboard[1], only the US-EAST-1 area is affected. As many other Amazon services rely on S3, this outage could have impacts on many websites and web services. [1] https://status.aws.amazon.com/ Xavier Mertens (@xme) ISC Handler – Freelance Security Consultant PGP …

My Catch Of 4 Months In The Amazon IP Address Space, (Tue, Feb 28th)

This is a guest diary submitted by Remco Verhoef. The cloud is bringing a lot of interesting opportunities, enabling you to scale your server farm up and down depending on the load. Everything is being taken care of automatically by auto scale groups. There is nothing to worry about anymore. But this brings me to the …