New Email Scam Targeting Small-Medium Sized Businesses In The Pacific Northwest

email scam alert

I decided to write a quick post on the topic as I just received one of these new scams and almost fell for it and hopefully can prevent someone else from falling for it. The scam campaign seems to be targeting small-medium sized businesses and may variate in tactics depending on the industry targeted, the email example below is real and should be used as a template for what to look out for.

The prospect, in this case, is also the attacker (a fake prospect), sends a vague email as the one below (this is an actual scam email ):


 

scammer email


It Looks ok, right? Weary of the pdf attachment I scan it for malware or trojan but nothing was detected. I was still weary, being a computer & network security expert I decided to upload it to Google drive (lol) and previewed it there. To my surprise, it actually was a banner design…


fake salf banner


At this point, I was 75% convinced that this was a legitimate prospect. I decided to reply with additional questions required to effectively do the job or at least provide an accurate quote. The next day I received a reply:


scammer reply


After receiving the reply, I took some time to further analyze the entire conversation and began to find problems in his requests such as:

1. His email address, it was a Gmail address, easy to create anonymously.
2. Why is Save A Life Foundation (SALF) making banners for HIV/AIDS?
3. The banners mention sponsors but nothing about the SALF.
4. The banner size is an odd size, not a standard size, and doesn’t mind “any good” size.

Still weary but curious, I decided to go further down the rabbit hole and give them a quote which they then replied:


scam email 3


After I received this response I was convinced it was a scam and decided to do some research.

So SALF is asking me to send banners to a Mexican Address huh? let’s check it out…



Yeah doesn’t look like the Save a Life Foundation unless they’ve downsized and are outsourcing now, it’s obviously not any organization saving lives.

The email midlandshipping@usa.com looks absolutely wrong but somewhat legitimate because of the @usa.com domain behind it, which is why attacker used it. Thinking the attacker had compromised a mail server belonging to the domain, I decided to look at the domain in search for their abuse email so I could notify them of a possible breach with their mail server. Upon my search of the usa.com site, I came upon this on the usa.com site contact page.



So now we see how he was able to get the @usa.com email, it’s completely free.

This experience was annoying because of the time wasted but was good practice. I suggest people research companies who want to send your business requests for quotes and then ask to ship outside the country. Make sure their request makes logical sense, someone asking for something in quantity should be asking for standardized items and should require a standardized transactional process, no special or shady instructions, if it feels wrong don’t do it! In my case, it saved me a few thousand dollars that would have been most likely through a chargeback from a stolen credit card the attacker used.

sihost exe Hard Error Fix, Windows 10 Derp Edition

Windows 10 sihost.exe hard error

We noticed that a lot of customer PC’s where coming in with the same problem after installing a Windows update, specifically the April update. After a few hours of troubleshooting, the only conclusion to fixing the problem was creating a USB Windows 10 installation media and reinitiating the update process from the USB media (It will reinstall windows but download everything via USB update instead of the OS). We tried everything (sfc /scannow, dism…) and this was the ONLY solution that worked. So the solution to your broken windows is simply restarting the updating process through a Windows 10 USB installation media, the process should leave all your old files intact and only fix the broken OS, specifically the Administrative/System accounts which is what caused this problem originally.

Streaming 1080p Video Through The Browser On An Odroid-C2

odroid-c2

If your trying to build a video kiosk using a RasperryPi 3 guess what, you can’t and trust me I tried. I stumbled upon the Odroid-C2 and my whole life changed…

To build a 1080p capable video kiosk simply follow the outlined steps below.

  1. Download VideoJS (Open Source Javascript HTML5 Player)
  2. HTML5 Video (.mp4)
  3. Encode your Video at 24/25 fps or at a max of 6Mbps stream, ideally 5Mpbs.

I tested multiple in-browser video players and VideoJS outperformed all. I was able to get movies like The Matrix to play very smooth at even the most GPU intensive scenes. For more information about other methods used or to view the odroid forum thread that dealt with this issue visit here.

 

Updating To OpenSSL 1.0.2g On Ubuntu Server 12.04 & 14.04 LTS To Stop CVE-2016-0800 (DROWN attack)

It was a bit difficult to find any real information on fixing the latest openSSL CVE-2016-0800 (DROWN attack) so I decided to write this quick post on how to update your Ubuntu Server 12.04/14.04 OpenSSL (or any debian-based distro with apache2) to the latest 1.0.2g build to avoid the DROWN/Heartbleed attacks. I’m not going to go into the details of how the exploit works and how it’s exploited as there are many blogs/sites that already go over this. Instead I will only focus on the fix, I have provided 2 methods, a method using cURL or wget.

*** UPDATED 7/4/2017 ***
Because this is a popular post, I’ve gone ahead and updated it to reflect latest SSL binaries, it’s good practice to check what the latest binaries are regardless of this post.

cURL Method

  1. sudo apt-get install php5-curl (Install cURL library)
  2. sudo apt-get install make (Install compiling library Make)
  3. curl https://www.openssl.org/source/openssl-1.0.2l.tar.gz | tar xz && cd openssl-1.0.2l && sudo ./config && sudo make && sudo make install (single command that will download latest binaries, extract them, cd into the directory, compile configuration and then install the files)
  4. sudo ln -sf /usr/local/ssl/bin/openssl ‘which openssl’ (This will create a sym link to the new binaries)
  5. openssl version -v (Used to check the version of the Current OpenSSL binaries)

wget method

  1. sudo apt-get install make (Install compiling library Make)
  2. wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz (Download the latest OpenSSL 1.0.2g binaries)
  3. tar -xzvf openssl-1.0.2l.tar.gz (Extract the tar ball to the local directory)
  4. cd openssl-1.0.2l (Enter extracted OpenSSL directory)
  5. sudo ./config (Configure binaries for compiling)
  6. sudo make install (install configured binaries)
  7. sudo ln -sf /usr/local/ssl/bin/openssl `which openssl` (This will create a sym link to the new binaries)
  8. openssl version -v (Used to check the version of the Current OpenSSL binaries)

This was tested on both Ubuntu Server 12.04 & 14.04 LTS versions. Questions? Comments?

How To Change Network Location On Windows Server 2012 R2

Change Network Location Windows 2012 Server R2

This is one of those quick posts designed more as a note, I had fun trying to find the way to update the network location on my 2012 Server sandbox so I figured I would create a short post on the matter…

It can be found by following:

Server Manager>Tools>Local Security Policy>Network List Manager Policies>Network

This is of course assuming that you have a fresh install with GUI.

If you’re using PowerShell you will want to run the following command (this requires PowerShell 4)

Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private

Updating To PHP 5.4 On Ubuntu Server 12.04 LTS

If you use php web applications then your know a lot are now demanding to be updated to php 5.4 or higher. To do this in Ubuntu 12.04LTS simply do the following…

If you haven’t already used ppa then you will have to first install python software properties, make sure you’re the root user… ( sudo bash )

apt-get install python-software-properties

PHP 5.4.x run:

add-apt-repository ppa:ondrej/php5-oldstable

PHP 5.5.x run:

add-apt-repository ppa:ondrej/php5

Once you’ve added the repo simply update and upgrade current packages & distribution packages with one simple command :)

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Installing USB Wireless Card On Kali Linux VMware

So I ran into this problem, I installed a fresh copy of Kali Linux onto a VM (VMware) so I could do some pen-testing on my local network without booting into Linux but couldn’t get Kali to use my external wireless card (I needed packet injection capabilities ;))

To make this short and sweet all you have to do to use your external USB wireless card (In My Case an Alfa Card) is just install updated vmware tools (I am assuming you have already added USB Controller in your VM settings…) you can do this by using the following commands on your shell/terminal:

apt-get update
apt-get install open-vm-tools

Once installed you should see your wireless card detecting new networks. This worked on Kali Linux x64 and because its based on Ubuntu Its safe to assume it will work with Ubuntu. Good luck and good hunting ;)

Listing The Last Modified Files In Debian Or Ubuntu

You might be asking yourself why would I care to list the last modified file/s right? Well if your in the security world then you know sometimes it’s important especially in a compromised server/workstation. It’s important to check what files may have been modified to help the attacker, for example, the editing of native configurations or scripts can facilitate permanent access to a system. It’s also important when trying to identify the potential root of the problem.

 

This command will list all files that were recently modified by without any real order.

ls -t

This command will list all files that were recently modified separating all file names by line by line.

ls -1t

This command will list all files that were recently modified separating all file names by line by line and limiting the amount displayed by 10

ls -1t | tail -10

 

I am sure there are more aggressive methods but this is a simple one that works pretty solid on any Linux distribution with bash.

How To Spot A Malicious Email

Today I get an email that looks like it came from GoDaddy except for a few things that don’t look right…
Email Headers are not correct, this was obviously a shitty job as the malicious user tried to make the email look like it was coming from godaddy but was actually coming from a compromised wordpress install on Hostgator.

From: Godaddy <donotreply@m.godaddy.com>
Message-Id: <E1YXF6r-0008QX-BX@gator4163.hostgator.com>

The Email:

Dear Customer MIGUEL VALLEJO. Confirm Your Identify.

An unknown user was trying to login your GoDaddy account with an incorrect password on Sunday 15 March , 2015 1:05 GMT, and with an unknown DNS IP Location:
(China) ip=36.250.74.87, as a result of that we partially blocked your GoDaddy accounts due to major security protocols.

Kindly visit our GoDaddy account Re-Activation Center Click here :
https://accounts.godaddy.com/do.php?check=e3251075554389fe91d17a794861d47be3251075554389fe91d17a794861d47b

We are sincerely sorry for any inconvenience.
GoDaddy Customer Support.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Copyright (c) 1999-2015 GoDaddy.com, LLC. All rights reserved.

 

Except for the fact that there is no administrative contact info, phone, business address in the signature it looks somewhat legit. Now Lets look at body of the email specifically at the url and where the link points to…
http://someweirddomain.com/wp-includes/css/nvldigkoua.htm?nvldigkoua=e3251075554389fe91d17a794861d47b

So this is obviously a malicious email, a targeted one because the user had to go through some effort to put this type of attack together. Sadly this is someone trying to dupe you into coughing up your password or in my case a sad attempt at doing so.
It’s a good idea to go over some security logs after events like this as it could be a sign of someone already in your network and trying to escalate their access.
In my case it was just some noob who though he was dealing with a end user, my response… <^>-_-.