Month: January 2023

Goldman website scamming people in Guinea-Conakry and around the world.

On November 28, 2022, I was contacted by someone (from Guinea-Conakry) who had invested a lot of money in a financial investment website. After some time, the balance had grown to thousands of US dollars and the person decided to withdraw the money into his account, unfortunately without success. The service provider said that they would take 30% of the money raised. The person accepted the condition, but the service provider then said that the person first needed to send the 30% before he could get access to the rest of the money. The person contacted me and explained the situation. As an OSINT lover, I decided to take on the responsibility.

I asked the person to share the details so I could start the investigation.

I got the following details:

Website name: Goldmaneur{.}com

"The person also shared the names and pictures of some people from Telegram who talked to him about the website (for privacy reasons, we won't share this information)"

After collecting all the details, I started my investigation.

Investigation:

Goldmaneur{.}com

First of all, I checked the domain via Google search:

goldmaneur.com Reviews | check if site is scam or legit| Scamadviser

From scamadviser.com, I got the following information:

The score is quite low.

People's comments about the website.

The comments are quite interesting: almost the same details that I got from the person who contacted me.

(The website owners are taking money from people and forcing them to pay 30% in order to get back the money raised.)

At this point the investigation started to become more interesting; the comments from other third parties were very helpful.

I found another comment on LinkedIn:

I clicked on the link and found the message below:

Again, another person saying the same thing. At this point I was about 80% sure that the website is a fake investment.

But I wanted to dig deeper to find other connections to the website. I checked VirusTotal, RiskIQ and SecurityTrails, but I did not find more information. Then I had an idea: Censys. I checked it and found some interesting details:

https://search.censys.io/certificates?q=goldmaneur.com

I found more domains using the same certificates.

I clicked on one domain and found the following domains related to it.

https://www.entrust.com/blog/2019/03/what-is-a-san-and-how-is-it-used/
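The certificate pivot described above (from one domain to the certificates that list it, then to the other names in each certificate's SAN field) can be repeated hop by hop once the search results are exported. The Python below is an added example, not the author's tooling; the records, the `fp` and `san` field names and the `.example` domains are constructed for illustration.

```python
from collections import deque

# Constructed sample records: each stands for one certificate from a
# certificate search, reduced to a fingerprint label and its SAN DNS names.
# All names use the reserved .example TLD and are not from the investigation.
CERTS = [
    {"fp": "cert-A", "san": ["invest-eur.example", "*.invest-eur.example",
                             "invest-usd.example"]},
    {"fp": "cert-B", "san": ["invest-usd.example", "Invest-Global.example."]},
    {"fp": "cert-C", "san": ["invest-global.example", "app.invest-global.example"]},
    {"fp": "cert-D", "san": ["unrelated-shop.example", "cdn.unrelated-shop.example"]},
]

def normalize(name):
    """Lower-case a SAN entry, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def pivot(seed, certs, max_hops=3):
    """Breadth-first pivot: domain -> certificates listing it -> their other SANs.

    Returns {domain: (hops, fingerprint of the certificate that first linked it)}.
    """
    by_name = {}
    for cert in certs:
        for san in cert["san"]:
            by_name.setdefault(normalize(san), []).append(cert)
    seed = normalize(seed)
    found = {seed: (0, None)}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        hops = found[current][0]
        if hops == max_hops:          # do not expand past the hop limit
            continue
        for cert in by_name.get(current, []):
            for san in cert["san"]:
                name = normalize(san)
                if name not in found:
                    found[name] = (hops + 1, cert["fp"])
                    queue.append(name)
    return found

if __name__ == "__main__":
    hits = pivot("invest-eur.example", CERTS)
    for domain, (hops, fp) in sorted(hits.items(), key=lambda kv: kv[1][0]):
        print(f"{hops} hop(s)  {domain:28} via {fp}")
```

A shared SAN entry is a lead rather than proof of common ownership, since CDN-issued certificates can bundle unrelated customers; each hit still needs corroboration, as the investigation does with reviews, Whois data and the shared logo.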

I started to check the domains above to see if I could find more information. The following information was found:

Goldmanusd{.}com 

Comment from Twitter

Another indicator found.

I checked the domain via Whois lookup and found the following details:

The domain was created 140 days ago and uses Cloudflare to hide the real IP address and to target more people around the world, which could be a sign of a worldwide scam.

goldman-global{.}com

RiskIQ: RiskIQ | Digital Risk | Cyber Threat Intelligence | Incident Response | RiskIQ

Some subdomains related to the domain

I decided to check URLSCAN to see what the website goldmaneur{.}com looks like and to investigate the website further:

goldmaneur.com - urlscan.io

 

One important thing I found was that the website is using a fake logo of Goldman (a leading global financial institution) to trick people into trusting the website.

Another important piece of information I found on the website was the online logo.

I clicked on it and found the online chat, but at the time of writing the chat is not working.

I went on Telegram to check if I could find some information about the owner. I found the following picture, with no specific details such as a number, email address, picture or others.

I also found the download version of the application:

https://goldmaneur{.}com/download/

I checked on URLSCAN whether other domains are using the same website. I found the following details:

First I connected to goldmaneur[.]com, then clicked on the hash to find all the websites that use the same image.

goldmaneur{.}com - urlscan.io

 

I found:

Search - urlscan.io

We can see Goldmanusd{.}com, which means that this website uses the same logo. This is more evidence that they operate together.

NB: One important thing to mention here is that the website does not have any specific information, such as information about the project, the creation of the website, the owner, the contact and others, which is very strange. A normal financial website should have more details, and the contact should be available for people who wish to get in touch.

We stop our investigation here: with all the information collected, we can assume that the website is used by scammers and operates around the world.

Before using any similar website, always check the information about it as we did. Many scammers use the same techniques to trick people. When you face such an issue, report it to the police as fast as possible to stop the scam and help other people avoid getting scammed.

BYOD and organizations in Africa

BYOD stands for Bring Your Own Device. BYOD has become very popular in organizations around the world, and also in Africa.

BYOD allows workers to bring their own equipment, such as computers, mobile phones and tablets, to connect to their organization's infrastructure and work with it. This brings enormous advantages to organizations, but without oversight it could also have more consequences than advantages.

BYOD is often used in the following places: schools, public or government organizations, and companies.

For lack of means, African states have no choice but to adopt BYOD rather than other alternatives.

Imagine that each African state decided to buy equipment for its workers: it would cost each state an enormous fortune, which is why BYOD is the preferred option.

According to information gathered from certain sources, most African countries today use BYOD in government organizations and also in companies, without oversight.

The lack of oversight is the major problem with BYOD, and the resulting problems are sometimes irreparable.

The lack of oversight of BYOD leads to data leaks, bearing in mind that data nowadays has become like a raw material: it allows organizations, companies and states to collect and produce political, military, economic, educational, medical and other information.

There is no need to be afraid. BYOD is not a disaster if the conditions are put in place to implement it and to maintain it, right through to the disposal of equipment and the departure of a worker.

Advantages of using BYOD in an organization.

  • The organization saves money
  • According to certain sources, BYOD can improve employees' work and also employee morale
  • Increased worker productivity.

Consequences of using BYOD in an organization.

  • Violation of company policy
  • Data leaks
  • Lack of equipment management
  • Increase in vulnerabilities and threats
  • Increase in shadow IT
  • Increase in cyber attacks

We could list many more advantages and consequences, but let us stop here: time is money.

Having listed the consequences, I can see that you have decided to change everything in your organization. But no, there are always solutions for implementing BYOD properly.

Solutions for using BYOD in an organization.

  • Put a BYOD management policy in place
  • Put a means of equipment management in place (asset management)
  • Put a risk management team in place

NB: There are also other alternatives, such as CYOD or COPE.

CYOD (Choose Your Own Device)

Here, the employer or the company provides a list of equipment that employees can buy. This allows the employer to better manage the equipment in the company.

COPE (Corporate Owned, Personally Enabled)

Here, the employer buys equipment for the workers. The workers can use the equipment for work but also for their personal purposes.

NB: Each employee should be made to sign a document confirming their agreement, and a monitoring policy should be put in place for a good implementation of BYOD, CYOD or COPE.

In conclusion, BYOD is a good alternative in Africa and around the world. A good implementation of BYOD, with a good management and oversight policy in place, can help a company manage its equipment better. Adopting BYOD in organizations in Africa (ministries, directorates and others) without being aware of the consequences and risks is the cause of most data leaks. The advantages and the consequences must therefore both be taken into account in order to better protect data.

The fake video that made CR7 score his first goal for Al Nasr

 

A fake video is going viral on different social media, showing CR7 celebrating a goal with his colleagues at the time he was playing at Juventus.

Most people watching the video believe that the goal is CR7's first goal for his new team Al Nasr.

The video shows the yellow kit of Juventus, which is quite similar to the kit of Al Nasr.

https://www.youtube.com/shorts/3sxHjXvzI8g

The demonstration here is for training purposes. We will show you how you can find various information from a video or an image.

We first analyzed the video by watching it a couple of times and checking the comments on it. We found people commenting about the 3 players (Chiellini, Sandro, Chiesa) celebrating the goal with CR7. We realized that people think that the team is Al Nasr, the new team of CR7 (Cristiano Ronaldo).

To check whether the team is the new team of CR7, we started our investigation.

We typed into Google search: "team Cr7 with chiesa, Chiellini and Sandro"

We did not find any useful information regarding the picture. But we found one piece of information which was very important for us: from the picture above, you can see that Giorgio Chiellini is playing for Los Angeles, and Federico Chiesa and Alex Sandro are both playing for Juventus at the time of writing.

With this information, our investigation became more important.

We took a screenshot of the video and put it into Google search; we did not find any information.

We took the same picture and put it into Microsoft Bing image search; we found the following information:

Our finding:

We clicked on the link; we got the following result:

Italian League Results and Standings - Ronaldo Wretched 4 Minutes, Mourinho Laughs, Juventus Kelelep, Roma Pepet Inter - Page 5 - Bolasport.com

Other information we found was that the 4 players played for Juventus from 2018 to 2021.

https://ca.sports.yahoo.com/news/cristiano-ronaldo-included-22-member-074946593.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAACHZqdA3NGL5QmpqSThY18UQ8XiFtnzUtaSPn9EQxOZDk060wNyR8Sv9hPMfWIYFzmmf83lkEtOh8tIB9bFQM-P2fKYZHVXN6L3fyAeoIizTsUn54vfRC3J7q2xUV85pSneL8RMdffJ-LDbtE7aXiQe3099F3xBP8G6wOcz17hf- 

Based on our findings, we come to the conclusion that the video is a fake one and the team was Juventus.

In conclusion, the techniques we showed here will help you detect different fake news over the internet. Fake news is becoming more and more frequent and can sometimes create panic over the internet. Whenever you see news that grabs people's attention, take your time to use the same techniques as we did to verify its relevance and accuracy.