mardi 16 juillet 2019

The SLUB guys are back !

The SLUB guys are back !

We detected them from another watering hole, and they updated their malware. More about it here.

As a reminder, we first published about them here

jeudi 13 juin 2019

Advanced Targeted Attack Tools Found Being Used to Distribute Cryptocurrency Miners

Hey there :-)

I just contributed to a new blog post about some cybercriminals using advanced tools to spread a cryptocurrency miner.

The full blog post is here.

Cheers !

jeudi 7 mars 2019

New SLUB Backdoor Uses GitHub, Communicates via Slack

So here is a new blog post. It was a great collaborative work with several of my highly skilled colleagues :-)

It is all about a new malware we discovered recently, used in an APT, and sitting on an interesting watering hole.

vendredi 1 mars 2019

How a Hacking Group is Stealing Popular Instagram Profiles

Well here is a new blog post I published regarding cybercrime, this time mostly around Instagram.

While I have contributed to this blog post, I have to say it was mostly the awesome work of my talented colleague Jindrich. Great work mate ! :-)

mardi 30 octobre 2018

Critical Infrastructures Exposed and at Risk: Energy and Water Industries

I am very proud to be part of that research we published :

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/exposed-and-vulnerable-critical-infrastructure-the-water-energy-industries

Full paper : https://documents.trendmicro.com/assets/white_papers/wp-exposed-and-vulnerable-critical-infrastructure-the-water-energy-industries.pdf

It was amazing to work with all these colleagues :-)

vendredi 16 mars 2018

Taking Down Fraudulent Domains (Part 2)

So here's the second part of that serie on fraudulent domain monitoring and takedown.

Here.

Hope you'll enjoy :-)

lundi 5 mars 2018

InfoSec Guide: Domain Monitoring — Detecting Phishing Attacks (Part 1)

I just published this one, on domain registration monitoring:

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/infosec-guide-domain-monitoring-detecting-phishing-attacks

Next one should be published very soon :-)

Hope you'll enjoy :-)

lundi 11 décembre 2017

Untangling the Patchwork Cyberespionage Group

Hi guys,

We released a new technical paper about a known APT threat actor named "Patchwork".

The blog entry is here, while the full paper is there.

Cheers ! :-)

jeudi 21 septembre 2017

New RETADUP Variants Hit South America, Turn To Cryptocurrency Mining

Hi all,

I have written this blog post in collab with my good friends Kenney and Lenart... ;-)

Available HERE.

jeudi 20 juillet 2017

Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More

Some days ago we published this blog post. It seems that some cybercriminals are heavily using it at the moment to spy audio conversations. I guess it's pretty interesting.

mercredi 22 mars 2017

Winnti Abuses GitHub for C&C Communications

Hi folks,

I've published a new blog post today on Trend Micro's blog. This is once again about some APT campaign, this time showing some of the new modus operandi from a threat actor named Winnti.

It is available here.

mercredi 14 septembre 2016

The French cybercrime underground

Hi all :-)

I just released a new white paper about the whole french cybercrime underground, available here. The full paper is available here.

jeudi 8 septembre 2016

The French Dark Net Is Looking for Grammar Police

New blog post being released, entitled "The French Dark Net Is Looking for Grammar Police". Hope you will enjoy it ;-)

The french cybercrime underground is definitely surprising... ;-)

lundi 29 août 2016

When Hackers Hack Each Other—A Staged Affair in the French Underground?

Last week one of my new blog post got released here. I hope you will enjoy it, especially the french ones interested in cybercrime ;-)

Cheers !

mardi 12 juillet 2016

French Dark Bets: Betting On Euro 2016

Hi all,

Please be advised I have published a new blog post entitled "French Dark Bets: Betting On Euro 2016"

French people in particular might be interested... ;-)

mardi 1 septembre 2015

New Rocket Kitten research paper

Following my first research paper about the Rocket Kitten APT threat actor, I have released another one, this time as a collaboration work with one researcher from ClearSky.

The blog post is here: Rocket Kitten Spies Target Iranian Lecturer and InfoSec Researchers in New Modus

The full paper is here: The Spy Kittens Are Back : Rocket Kitten 2

mercredi 3 juin 2015

How to Spot Frauds on Professional Networks

Here is another article I wrote, this time to try to raise awareness on some professional networks risks. Link is How to Spot Frauds on Professional Networks

Also, related, is this blog post I wrote: Reconnaissance via Professional Social Networks.

mardi 31 mars 2015

Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority

Here is the link to a new blog post I wrote with friends Kenney Lu and Dark Luo from Trend Micro.

It has several interesting aspects, in my mind:

  • The fact that there is an ongoing campaign against french people, using french material, which is rare enough to be worth mentioning;
  • The fact that there is a kit used to drop different payloads: Gootkit, CryptoWall, some banking trojan...;
  • The fact that it uses an innovating method to infect the victims computers.

Hope you will enjoy the read ! :-)

mercredi 18 mars 2015

Operation Woolen GoldFish

Hi all,

Here is my first research paper done for my new employer, Trend Micro.

I hope you'll enjoy it ! :-)

The blog summary I wrote about the paper is here, while the complete paper can be found here.

jeudi 30 octobre 2014

Looking for a new jersey

Well, as you probably know, I am french. Some of my friends do not agree, and say that I am not a real french, because I do not like strong cheese, I do not like eating ducks (in any way), and all wine tastes the same for me, in opposite to beer. Also, I hate european football, but loooooove american football, my favorite team being the Patriots from New England.

On the other hand, I must admit I have a little kink for american football team's jerseys. I already have one from the Patriots, yet I wanted one from the Miami Dolphins.

So here I am, googling to find a new jersey at an attractive price, in french language.

Using a simple request like "jersey miami dolphins pas cher" which means "jersey miami dolphins cheap" in Google, I get the following as first result:

jersey1.png

As you can see, the first results are from "Google Shopping" and do provide links to legitimate websites like nike.com.

Then, more interestingly, I get results from Google Image. The first image shown, on which my mouse pointer is, leads to a domain named maillot-foot-nfl-nba.com.

Following this link, I get a nice page from an online store showing me the jersey of my dreams:

jersey2.png

At this point, there are several little details which should raise suspicion for anyone:

  • At the top of the web page, there's a line "Vente de DIR_WS_SEO_KEYWORD" which looks very ugly and unprofessional. Would a real seller really keep this ugly line up there ? Probably not.
  • Look at the price !!! 69% discount on that product !!! It brings the price from 99€ (which is quite the usual price for that product) down to 30.99€.
  • Bad language. I am writing this blog post in english and showing french stuff, ok, but I can tell you that if you go to any page of the web site, you'll see loads of spelling mistakes and even sentences which do not mean anything. The "general conditions" page is a must-read for french people, it is full of language problems.

Clicking on some of the general pages of the web site is quite instructive. In the middle of the description for shipping, written in french, some spanish can be seen: "Aceptamos Visa, Mastercard, Paypal y tarjeta de crédito!" ...

There can only be one conclusion to all of this: this website is fraudulent, selling counterfeit products, and no one should buy products there.

Now if I come back to my Google research, and look at the Google image links on the right of the one I followed, the domains are:

  • www.boutiquesprofr.com
  • www.forschungsinfo.de
  • www.giacche.eu

By carefully watching these websites (except for forschungsinfo.de, which to clarify is a real site which has just hosted links to a fraudulent one, and the link has been removed), we could come to the same conclusion: counterfeit products are sold there.

Now one might think that these websites are build up by isolated fraudsters looking for easy money. The reality is a bit different, and that's why I am blogging, I wanted to bring some more insight to this kind of fraud and raise some awareness for people on Internet.

For starters, once again if you look carefully at all pages from such a website, you can find something more interesting than spelling mistakes: links to other websites.

Reading the "shipping info" from boutiquesprofr.com for example, the first line mentions that "sacmiumiu.com offre la livraison gratuite" , which means that "sacmiumiu.com offers free shipping".

Why the hell is a website called sacmiumiu.com mentioned in the shipping info of boutiquesprofr.com (which by the way means "prostorefr.com") ?

Well, the reason for that is that fraudsters do not build a single website to sell counterfeit products. They do build LOADS of different websites. You might think it takes a lot of time to do it, but it takes less than one or two hours to do. These fraudsters do use websites templates, which they just slightly modify from one site to the other. From the single sentence found on boutiquesprofr.com, we can expect it to use almost the same template as sacmiumiu.com.

sacmiumiu.com does not exist anymore, yet just by googling this name you would find interesting stuff : ads for it in guestbooks showing links to other counterfeit products websites, etc... Looking for it on archive.org, a website which shows past versions of websites, you would even find that the website has indeed been transfered by judge decision to Louis Vuitton because it was selling counterfeit products.

So, with few googling and wise use of archive.org, we already found out that our guys from "boutiquesprofr.com" were somehow connected to "sacmiumiu.com".

What else can be found ?

Let's go back to the first website I found, maillot-foot-nfl-nba.com.

At the top left part of the website, a logo from the company "NEW ERA" is visible. Let's be a bit clever and use it to find other websites which contain the exact same logo. To do that, we can save the logo from maillot-foot-nfl-nba.com and then submit it to a Google Image search. By doing that, Google will show us all referenced websites which contain the same picture :

jersey4.png

Note: what you do not see in the screenshot is the fact that Google Image offers results showing images which are "close" to the image you submit. We need to focus on the exact same image, to avoid false positives. Moreover, if the fraudsters took the image from a legitimate website and did not modify it, we will get false positives we need to remove from the analysis.

Once again, the results are quite interesting: we easily fall on several fake products sellers.

This provides us a very easy method to group fake websites.

Ok, what do we know now ? We know that there are hundreds of websites selling fake products, using more or less the same templates and techniques.

How about having a look at the people who register these domain names ?

Let's have a look at the Whois information for our favorite website, maillot-foot-nfl-nba.com.

Registrant Name: mingsheng zheng
Registrant Organization: zhengxiansheng
Registrant Street: haikoulu10
Registrant City: haikou
Registrant State/Province: hainan
Registrant Postal Code: 570100
Registrant Country: CN
Registrant Phone: +86.13800000000
Registrant Phone Ext: 
Registrant Fax: +86.13800000000
Registrant Fax Ext: 
Registrant Email: registrar@mail.zgsj.com
Admin Name: mingsheng zheng
Admin Organization: 
Admin Street: haikoulu10
Admin City: haikou
Admin State/Province: hainan
Admin Postal Code: 570100
Admin Country: CN
Admin Phone: +86.13800000000
Admin Phone Ext: 
Admin Fax: +86.13800000000
Admin Fax Ext: 
Admin Email: capsshopnet@gmail.com

Once again, this really does not look like Whois information a legitimate merchant would use: the phone numbers seems to be fake, and the e-mail address is on gmail.com, yet this is very interesting for us in terms of investigation.

So, by doing some reverse whois researches, we can find 23 domains, additionally to maillot-foot-nfl-nba.com, which have been registered by capsshopnet@gmail.com :

jersey5.png

Oh my, our friend "capsshopnet" has counterfeit stuff in french, spanish, and german, what a great linguist, this might explain all the spelling mistakes on these websites ;-)

What about the hosting ? Well, maillot-foot-nfl-nba.com is currently hosted on 223.26.62.200, which belongs to:

inetnum:        223.26.62.0 - 223.26.62.255
netname:        SUN-HK
descr:          Sun Network - DataCenter Service
                TRANS ASIA CENTER, KWAI CHUNG
country:        HK
admin-c:        DA179-AP

Let's look at some Passive DNS information. Which other domains have lead to this precise IP address currently or in the past ?

The results are other counterfeit products websites (except for kkk345.com which is about pornographic stuff)

kkk345.com
www.kkk345.com
www.gorras-obey.com
gorrasbaratas.com
www.gorrasbaratas.com
maillot-pascher.com
www.maillot-pascher.com
zapatos-baratas.com
www.zapatos-baratas.com
www.maillot-foot-nfl-nba.com
www.kkk3.org

Now let me please represent all this data in a structured form (click to enlarge):

Complex web of counterfeit products domains

I will end this blog post here. I just wanted people to be a bit aware that the underground of counterfeit products is huge, and that few minutes of investigation can lead to the discovery of a complex web of Internet websites run by fraudsters.

One might wonder about the number of people involved in that kind of fraud. There are probably several people to register the websites, several people to build the content (and we can be pretty sure some other people are selling the web pages templates), to handle the orders, to manufacture the products (probably hundreds/thousands of people here), etc.

I stopped my investigation at this point, because it was done on a rainy night at home. A lot is uncovered here: I did not look for every domain whois, I did not look for all the hosting data and IP ranges, I did not really search for any real person attribution.

By digging more on all these data, we could probably find much more fake products websites and persons involved, but once again, my goal here was just to raise awareness on a kind of fraud and describe it a bit.

So what have we learned here ?

  • There are people probably working fulltime on registering websites, building websites (and people making/selling templates), having them indexed on Google and other places (black SEO), to sell counterfeit products coming mostly from China (that's what you discover when you order something), all of this in several different languages.
  • Dozens of websites are handled by the same people
  • These people do sell every kind of products you can think of: fake jerseys, fake tshirts, fake caps, fake shoes, fake handbags, fake sunglasses ... (you can guess it looking at the domain names from the previous image)
  • The fraud is obvious when you take the time to really analyze the content a bit. You should NEVER BUY A PRODUCT WHICH LOOKS AMAZINGLY CHEAP, or from a website with loads of spelling mistakes.

Thank you for your reading, this was some kind of fun post blog I've done in a hurry last night. See you soon ! :-)

- page 1 de 4