Year: 2023

Many threat actors used the technique I called a fakejobposting attack. In this attack, the threat actors post or send a fake job offer to many users in order to trick them to perform an action that could be used to compromised their system or account.

The attack usually happens over websites sites used by job seekers such as LinkedIn, Monster, indeed and many others.

Usually, the threat actors used the victims as an attack vector to compromise different organization.

This technique is used by many threat actors such as the North Korean group Lazarus, Golden Chicken and others.

If the attack succeeds, it could lead to further damage such as data leaked, reputation damage, financial lost. Therefore, such activity should be taken into account and a security measure such as security awareness and training to detect and prevent such attack.

The attack usually happens by sending a malicious link, file with the fake job offer or posting a fake job to attract the users. Once, the user interacts with it, the user system can be compromised or the user can lose his or her account. It is very crucial to know how we can differentiate the real job offer and a fake one.

In the upcoming lines, we will give some details about it.

• Detection and preventing of fakejobposting attack:

 When you receive a link or file, check the link sent to you via OSINT tools such as virus total VirusTotal - Home, Interactive Online Malware Analysis Sandbox - ANY.RUN

NB: You can take the file hash and check it via the tools mentioned above or others to detect if the file is a malware.

Example:  How to get the file hash: open PowerShell command – type - Get-fileHash “file name” – enter – get the hash of the file

2. Check if the domain is newly created domain or updated domain Whois Lookup, Domain Availability & IP Search - DomainTools, often the threat actors use the new domain to target the users.
3. Check the details about the company online, example: Google search. Some threat actors mimic known companies, in this case, check others platform if the job offer is present or the company website for job listing.
4. When the link sent to you require the login, don’t never use the password you use to connect to your company portal or other platforms for personal used such as social medias.
5. When you receive the message from a social media such as LinkedIn, check the date of creation of the sender’s profile and the picture on the profile (they are many AI tools now used to generate a fake picture, always check the picture on the profile), some threat actors used a fake profile or newly created profile.

NB: The picture on the profile can be taken from another social media that belongs to someone else, it is a good practice to use Google image search or Microsoft Bling images or Yandex imagine to check the if the image is not taken from another platform.

6. When there is an application to install for the interview such as TeamViewer,3CX, Microsoft teams and others compare the hash to the hash available from the provider or take the hash of the software and check it via online tools like we explained in the section 1.

If you are still not sure then it would be better to set up a Virtual machine to interact with the link or file to avoid any issues.

You can use any Virtual machine of your choice, make sure that after interacting with the link or file or software that you used to the snapshot mode to back to the safe state.

The phishing and scam attacks are types of social engineering attack where the threat actor tries to manipulate the user to behave in such a way that he can achieve one or more of the following objectives (compromise the host, stealing data such as PII, PHI, Financial data, confidential data etc.)

There are many types of social engineering attacks:

Phishing

Spam over Internet messaging

Spear phishing

Dumpster diving

Shoulder surfing

Smishing

Vishing

Spam

Tailgating

Whaling

Prepending

Identity theft

Invoice scams

Hoax

Typosquatting

The attack is the most and easiest technique used nowadays by the threat actors to target the victims.

If you have been browsing over the internet or you have been using an email address to send and receive messages, then you probably at least one time face with this type of attacks.

The attack can be very impactful, many organizations or individuals who are victim of this type of attacks can lose quantitatively (money) and qualitatively (reputation), so it is crucial to know how to be protected from the attack and also how to report it.

Example of quantitative loss:

• Receiving a fraudulent message saying that you won in a lottery, you need to send some money to get back your jackpot. This technic is often used by the scammers to tricks the user to pay money.
• Fake financial investment website where people invest money with no ROI (example read the article Goldman website scamming people in Guinea-Conakry and around the world. – osintafrica)

Example of qualitative loss:

• Sextortion abuse. Example: Using a social engineering attack to gain access to someone mobile phone or notebook in order to blackmail the person.

Considering that the attack is the most efficient way to target the victim, most of users who are impacted by this attack do not report it, which causes more victims.

By reporting the attack, we can protect yourself and other. They are many ways to report the attack, below we will describe and share with you the details about each.

• How to report scam using Gmail

When you receive a suspicious message, you can report from your Gmail account by doing:

• Click on the email you received
• Click on the ellipsis sign (the tree dot in the right corner)
• Select report Spam or the second ellipsis – select block user

By doing that, the IT department from Google will review and block the message if it is used for social engineering attack.

• How to report scam using Outlook

- Click on the email you received

-Click on the ellipsis sign (the tree dot in the right corner)

- Select report Junk report or block user or phishing, the email will be removed from your inbox and send to the IT department of Microsoft for further analyses.

NB: The same option is available on other email service such as Yahoo, Hotmail and others.

Reporting phishing abuse over social media

• Facebook

 You can always report strange emails to phish@fb.com.

• Instagram

           You can always report strange emails to phish@instagram.com.

• LinkedIn

If you receive a phishing message on LinkedIn, you can report it, by clicking on the message you received, on the right corner click on More …icon and selecting one of the below options:

- It's spam or a scam

-It's a scam, phishing, or malware

• Twitter

If you want to report a post with a link used for phishing attack, on the right corner click on More …icon and selecting report Tweet, click on next – start report – choose the option for example” myself” – next – Spammed.

You can also report social engineering abuse by reporting the domain or URL to a third-party service provider.

Examples:

• PhishTank List of potential phishing sites: PhishTank

When you receive a phishing email, you can report via the website. You can use the website also to check if the domain you received is a phishing domain.

• Report a Phishing Page (google.com)

The following page is used by Google to report phishing abuse.

• APWG | REPORT PHISHING (antiphishing.org)

The website belongs to APWG which is an anti-phishing working group, you can report the phishing email to reportphishing@apwg.org  for further analysis.

• Report a phishing page - ESET

The website belongs to ESET group to report phishing abuse.

• Where to report scams | USAGov

 The website belongs to the USA government for reporting different types of phishing abuse.

• Internet Crime Complaint Center(IC3) | File a Complaint

The website is used to report internet crime such as phishing, ransomware, corporate data breaches and others.

• gov: econsumer - Report international scams online!

The website is used to report different types of scams or fraud such as Jobs and Making Money, Travel and Vacations, Lottery, Sweepstakes, or Prize Scams, Online Shopping/Internet Services/Computer Equipment and others.

• Phishing Initiative (phishing-initiative.eu)

Phishing Initiative helps fight against phishing attacks.

When you report the address of a suspected phishing website, the emails will be analyzed it and blocked if the address is malicious one.

• Phishing takedowns, faster - phish.report

By reporting the URL or domain, they will analyze  and it takedown if it is malicious.

In conclusion, the social engineering attack is easy to perform but the impact can be very devastating. Reporting the attack will save many people. So, it is crucial to report the attack as soon as possible to lessen the impact and stop it.

A typosquatting attack is a type of attack where the threat actor mimics a legitimate domain to target the victims. In this type of attack, the threat actor looks for the target domain that he and she want to target and alter the domain. The attack is one of the most successful attacks technics used by the threat actors. The attack is very difficult to detect as most of the users will consider it as a legitimate domain. However, the attack can be detected by implementing some countermeasures.

One of the most used tool to generate a typosquattitng domain is dnstwister | The anti-phishing domain name search engine and DNS monitoring service, the tool can help you  generate domains or find the domains that can be used to mimic your domain.

Types of typosquatting:

Combosquatting

The attacker adds a word to the legitimate domain to trick the users to click on it. Example:

The legitimate domain facebook.com will be altered to helps-facebook.com.

Bitsquatting

The attacker changes one or more bits of the legitimate domain to trick the user. Example:

Facebook.com will become fasebook.com

Soundsquatting

The attacker uses the technic calls “Homophones” to trick the user. Example”

Fare.com will become faire.com

Levelsquatting

The attacker uses the legitimate domain, follow by the phishing domain. Example:

Facebook.com will become facebook.com.ghdhwhj.com

Homographing

The attacker uses the technic calls homoglyph by changing one character from the legitimate domain. For example:

Faceboo.com will become fäcebook.com (the “a” changed to ä)

You can use the homoglyph generator to alter any domain you wish (Homoglyph Attack Generator and Punycode Converter (irongeek.com))

Typosquatting detection and protection:

• Security awareness and training
• User tool like dnstwister | The anti-phishing domain name search engine and DNS monitoring service or  Recorded Future: Securing Our World With Intelligence  to find the domain mimicking your brand
• Block all domains mimicking your brands
• Performing DNS lookup to verify the domain owner

In conclusion, the typosquatting is a type of attack that alter the legitimate domain to target the users. The attack is very difficult to detect but by combining different methods and technics, the users can be protected.

 

URLSCAN is used to perform different types of web scans and to analyze different IOCs such as IP address, domains, Hashes, filenames, and others.

URLSCAN is a tool used by different security teams such as Security Analyst, Cyber Threat Intelligence, Threat Hunting, Incident response team, and others.

Below, you can download the pdf document that will show you how to use the tool.

How to use URLSCAN

You can also find the articles related to the topic

How to use URLSCAN part1 – osintafrica

This is the part 4 and the last of (How to use URLSCAN part3 – osintafrica)

• SEARCH

URLSCAN can help to perform different types of searches to find more information about an indicator such as IP address, domain, file, hash, ASN number and others.

Click on the “Search” button.

It is very important to first read the documentation. Click on the “Help” button to read about how to perform different searches.

Let’s give some examples of queries that we can perform in the Search menu.

• Search for domain

If you want to find more information about a specific domain such as how the domain looked before and the connection between the domain with others domains or website, you can use the “domain:” query. We will give an example using microsoft.com.

Search - urlscan.io

 

 

In the image above, we can see the search result showing the domain Microsoft.com with different subdomains related to Microsoft.com and others domains or website where Microsoft.com was mentioned following with the time and the location it was scanned.

Click on each link where Microsoft.com is mentioned to see how the domain was at the time it was scanned; this technic can also help you as analyst to find out how the domain looked in the past. Many phishing websites changed the website interface after abusing many people over the internet so this technic can reveal such activity.

As you see, they are some domains or subdomains where Microsoft.com is not mentioned, we need to find out the relation between Microsoft.com and the domain.

Click on fraction.azurewebsites.net, go to HTTP transaction, search for Microsoft.com

AS you can see, Microsoft.com is used as redirect chain. This technic is often used by the threat actor to hide their activities and it can be also used to find the correlation between the domains.

 

• Search for IPs

Search - urlscan.io

As you see in the image above, we entered the IP address 23.35.192.180 and we got the domains and subdomains behind the IP address. This technic can be used to find phishing related domain behind an IP address.

• Search for Hashes

The hash can help you to make a correlation between the domains. Usually, the threats actor can use the same file but changed the domain, so this technic is good one to find such activity.

Example:

Click Microsoft.com, go to HTTP transaction, expand one http transaction request where the hash is available.

Hover the mouse on the hash and copy the hash, click on the Search menu and enter the query like you see in the picture below.

Now, we can see others websites that’s used the same hash.

• Search for Filenames

The same thing as we described in the previous section, the same filename can be used by the threat actor but with different domains name, we can use the same technic like we did to find the domain or website that used the filename. Be aware that the same file name does not mean that the file if the same, you need to compare the hash and also the file content to ensure that the files are the same.

Example:

From HTTP transaction, copy the file you wish to check

Go to search, enter the query like you see in the picture below, all the result from the search will appear.

In order to verify if the file is unique, click on the URL, go to HTTP transaction compare the hash and the file content.

Like I said before, you can perform many types of searches using the search field. As a security guy you should know what you are looking for before making the search. The best way to learn is by practicing on the daily basis.

To conclude what we have explained, URLSCAN is very amazing tool that all security guys should use to make easier their job while analyzing different information like we showed in our examples.

The tool can help you save many times as it contains many types of queries that will help you to find more information during your analysis.

If you never used it, it is the time for you to start using and if you did not know the features we explained, then we suppose that you already know so enjoy.

This is the part 3 of (How to use URLSCAN part2 – osintafrica)

Now, lets go to the “HTTP” menu

1. HTTP

In this menu, we can see all the HTTP transactions after the URL has been submitted.

The HTTP transactions consist of all the resources (HTLM, Script, AJAX, Images …) used by the website.

 

This section is very useful for the analyst.

Click on one of the options available

• In our case, we click on the button “Image” to find the image described in the section Image and all the files used by the image.

Click on the “expand” sign to see more details about each file.

We can observe the following details:

Full URL shows the requested image from Host: www.reddit.com.

We can find others information such as the server’s name used, TLS protocol version used, the Hash of the image used, the software used and others …

Click on the Show headers to find the details about the request headers and the response headers from the server side.

Click on Check archive.org that will lead you the website https://web.archive.org (You can Google search to find more information about it)

Click on each option (HTLM, Script, AJAX, Images) available to learn more about.

2. Redirect

Here, you will find all the redirect links on the website.

3. Links

The page contains all the links available on the website.

You can click on each of them or scan each of them to more details about.

4. Behaviour

The menu contains the information about the Security Headers, the Cookies, the JavaScript global variables used

5. Indicators

This menu contains all the domains, IP addresses, hashes used by the websites.

6. Similar

You will find some information about the URLS, ASN numbers, IP address, domains scanned on the website.

7. DOM

This menu is very useful as it has the whole map of the website such as the scripts used by the website, the HTML code used by the website and others …

8. Content

the Form (Google search for Form object DOM) used in DOM is available.

9. API

The API used by URLSCAN to get the information from the servers

Part4 (How to use URLSCAN part4 – osintafrica)