Bangaly Koita

Bangaly Koita is a SOC Analyst and cyber security researcher. Passionate about cyber security, he spends most of his time writing articles and making videos online to share his knowledge and experience with the wider IT community, and with the cyber security community in particular. Feel free to contact him.

How to use URLSCAN

URLSCAN is used to perform different types of web scans and also to analyze different IOCs such as IP addresses, domains, hashes, filenames and others.

URLSCAN is used by different security teams such as security analysts, cyber threat intelligence, threat hunting, incident response teams and others.

The tool comes in two versions (a community version and a paid version).

We will talk about the community version, which is available for free.

To open the web application, type the domain (urlscan.io) in your browser; once connected, you will see the following screen.

In our case, we need two menus (Home and Search).

  • HOME

Once we click on this menu, we can see the scans queried by users from different locations.

By default, the tool uses the public scan mode: if you keep the default mode and scan anything, the scan will be visible to everyone.

So we advise you to click on the option and use the private mode if you do not want other people to see the query you entered; this option can also help avoid alerting the threat actor about your findings.

URLSCAN can anonymize your identity.

Examples:

  • If you want to hide your location, you can click on “country selection” or auto (be aware that country selection for the private mode works only on the commercial plans).
  • You can change the “User Agent”. For example, if the website you want to scan is meant for mobile phones, you can choose one of the Android User Agents.

You can also customize your own User Agent.

  • The “HTTP referer” option can be used to customize the HTTP Referer header before scanning.

Now, let's scan a randomly chosen URL in private mode and analyze its behavior.

After submitting the URL, we can see the IP address 151.101.129.140 of the submitted URL, followed by the submitted URL and the effective URL information.

On the right side, we can see 5 menus.

The “Lookup” menu will direct you to different tools such as VirusTotal, crt.sh, RiskIQ and others. These tools can help you find more details about the submitted domain (click on each of them to learn more).

The “Go To” option will take you to the submitted domain's webpage (be careful before you click on it: if the domain is malicious, you might be compromised).

The “Rescan” option is used to rescan the submitted URL.

The “Add Verdict” and “Report” options are used to add comments about the submitted domain and contain details about the scan report.

The next part is described in part 2 (How to use URLSCAN part 2 – osintafrica).


The importance of the SDLC in application development

Knowing how to code is different from knowing how to protect code. Application-level flaws are today one of the major problems that cyber security experts face, and this is due to the lack of integration of security from the very beginning of coding. Most developers do not take security into account through lack of knowledge and lack of follow-up. The shortcomings that good practices must remedy include: no integration of security from the design phase through development, maintenance and disposal of an application; no certification and accreditation to validate the application; no periodic evaluation; no protection of the application's source code; and others.

It must also be understood that there will always be flaws in an application, whatever precautions are taken. That is why integrating security is so essential.

Flaws are sought out and exploited by hackers to gain access to the application for reasons such as: stealing confidential information, demanding a ransom, or crashing the application.

To learn more about the attacks carried out by hackers, you can consult the website: OWASP Top 10:2021.

Indeed, there are guides or good practices and methods that we can follow to make our application more secure.

Guides or good practices:

Every piece of software developed must take a minimum set of requirements into account. Guides or good practices must always be followed to make sure that the software met certain criteria during development.

Examples:

  • Input validation
  • Putting in place the means for identification, authentication, accounting and audit
  • Error handling
  • Code review to discover flaws
  • Code validation and verification

Software development life cycle:

The SDLC (Software development life cycle) is the methodology used to design, develop, secure, implement, test and maintain an application.

The SDLC is essential in application development. It makes it possible to track and order the development of an application and to integrate security into each phase.

The SDLC allows teams (programmers, project managers, analysts and others involved in developing the application) to collaborate better from the initiation phase to the disposal of the application. The SDLC is made up of the following phases:

SDLC phases

  • Initiation and planning
  • Definition of functional requirements
  • Design
  • Development
  • Implementation
  • Certification and accreditation
  • Operation and maintenance
  • Disposal

SDLC models:

As already said, the SDLC is a methodology used to better design an application. The SDLC is therefore based on models; using a model is very important in software development because it lets us adapt to the client's requirements.

In software development every project is specific, so the most appropriate model must be referred to, or used as a basis, in order to reach the objective.

Examples of SDLC models include:

  • Waterfall
  • Spiral
  • Rapid application development
  • Cleanroom
  • Prototype
  • Agile

Importance of the SDLC

  • Planning and managing an application
  • Better securing an application
  • Testing and evaluating an application
  • Reducing the risks and vulnerabilities in a piece of software

SSDF (Secure Software Development Framework)

Unfortunately, security is not addressed in some SDLC models. The SSDF must therefore be added to and integrated into every SDLC implementation.

The SSDF is a set of software development practices for better securing an application. It is published by NIST and draws on practices established by organizations such as BSA, OWASP and SAFECode: Secure Software Development Framework | CSRC (nist.gov).

The SSDF helps reduce the number of vulnerabilities, the impact of their exploitation, and more.

In conclusion, the SDLC is essential in software development. An application or piece of software developed without following the SDLC is like building a house without a plan. Good design, good development and integrated security are essential for any piece of software.


Goldman website scamming people in Guinea-Conakry and around the world.

On November 28, 2022, I was contacted by someone from Guinea-Conakry who had invested a lot of money in a financial investment website. Over time, the balance grew to thousands of US dollars; when the person decided to withdraw the money to his account, he had no success. The service provider said that they would take 30% of the money raised; the person accepted the condition, but the service provider then said that the person first needed to send the 30% before he could access the rest of the money. The person contacted me and explained the situation. As an OSINT enthusiast, I decided to take up the case.

I asked the person to share the details so I could start the investigation.

I got the following details:

Website name: Goldmaneur{.}com

"The person also shared the names and pictures of some people from Telegram who talked to him about the website (for privacy reasons, we won't share this information)."

After collecting all the details, I started my investigation.

Investigation:

Goldmaneur{.}com

First of all, I started by checking the domain via Google search:

goldmaneur.com Reviews | check if site is scam or legit| Scamadviser

From scamadviser.com, I got the following information:

The score is quite low.

People's comments about the website.

The comments are quite interesting, almost the same details that I got from the person who contacted me.

(The website owners are taking money from people and forcing them to pay 30% in order to get back the money raised.)

At this point, the investigation started to become more interesting; the comments from other third parties were very helpful.

I found another comment on LinkedIn:

I clicked on the link and found the message below:

Again, another person saying the same thing. From this point I was about 80% sure that the website is a fake investment.

But I wanted to dig deeper to find other connections with the website. I checked VirusTotal, RiskIQ and SecurityTrails but did not find more information. Then I had an idea: Censys. I checked it and found some interesting details:

https://search.censys.io/certificates?q=goldmaneur.com

I found more domains using the same certificate.

I clicked on one domain and found the following domains related to it (listed as Subject Alternative Names of the certificate; see the link below):

https://www.entrust.com/blog/2019/03/what-is-a-san-and-how-is-it-used/

I started checking the domains above to see if I could find more information; the following information was found:

Goldmanusd{.}com

Comment from Twitter

Another indicator found.

I checked the domain via a Whois lookup and found the following details:

The domain was created 140 days ago and uses Cloudflare to hide the real IP address and to reach more people around the world, which could be a sign of a worldwide scam.

goldman-global{.}com

RiskIQ | Digital Risk | Cyber Threat Intelligence | Incident Response | RiskIQ

Some subdomains related to the domain:

I decided to check URLSCAN to see what the website goldmaneur{.}com looks like and to investigate it further:

goldmaneur.com - urlscan.io

One important thing I found was that the website is using a fake logo of Goldman (a leading global financial institution) to trick people into trusting the website.

Another important piece of information I found on the website was the online chat logo.

I clicked on it and found an online chat, but at the time of writing the chat is not working.

I went on Telegram to check if I could find some information about the owner; I found the following picture with no specific details such as phone number, email address, picture and others.

I also found the download version of the application:

https://goldmaneur{.}com/download/

I checked whether other domains use the same website assets via URLSCAN and found the following details:

First I opened goldmaneur{.}com on urlscan and clicked on the hash of the logo image to find all the websites that use the same image.

goldmaneur{.}com - urlscan.io

I found:

Search - urlscan.io

We can see Goldmanusd{.}com, which means that this website uses the same logo: another piece of evidence that they operate together.

NB: One important thing to mention here is that the website does not have any specific information such as information about the project, the creation of the website, the owner, the contact and others, which is very strange. A legitimate financial website should have more details, and contact information should be available for people who wish to get in touch.

We stop our investigation here: with all the information collected, we can assume that the website is used by scammers who operate around the world.

Before using any similar website, always check the information about it as we did. Many scammers use the same techniques to trick people. When you face such an issue, report it to the police as fast as possible to stop the scam and help other people avoid being scammed.


BYOD and organizations in Africa

BYOD stands for Bring Your Own Device; BYOD has become very popular in organizations around the world, and also in Africa.

BYOD allows workers to bring their own equipment, such as computers, mobile phones and tablets, to connect to their organization's infrastructure and work with it. This brings enormous advantages to organizations, but without oversight it could also have more consequences than advantages.

BYOD is often used in the following places: schools, public or government organizations, and companies.

For lack of means, African states have no choice but to adopt BYOD rather than other alternatives.

Imagine that every African state decided to buy equipment for its workers: it would cost each state an enormous fortune, which makes BYOD the most desirable option.

According to information gathered from certain sources, most African countries today use BYOD in government organizations and also in companies, without oversight.

Lack of oversight is the major problem with BYOD, and the problems are sometimes irreparable.

Lack of oversight of BYOD leads to data leaks, bearing in mind that data today has become like a raw material: it allows organizations, companies and states to collect and produce political, military, economic, educational, medical and other information.

There is no need to be afraid: BYOD is not a fatality if the conditions are put in place to implement it and maintain it, right up to the disposal of the equipment and the departure of a worker.

Advantages of using BYOD in an organization.

  • The organization saves money
  • According to certain sources, BYOD can improve employees' work and also their morale
  • Increased worker productivity.

Consequences of using BYOD in an organization.

  • Violation of company policy
  • Data leaks
  • Lack of equipment management
  • Increase in vulnerabilities and threats
  • Increase in shadow IT
  • Increase in cyber attacks

We could cite many more advantages and consequences, but let's limit ourselves: time is money.

After listing the consequences, I can see that you have decided to change everything in your organization. But no, there are always solutions to implement BYOD properly.

Solutions for using BYOD in an organization.

  • Put in place a BYOD management policy
  • Put in place a means of managing equipment (asset management)
  • Put in place a risk management team

NB: There are also other alternatives such as CYOD or COPE.

CYOD (Choose Your Own Device)

Here, the employer or the company provides a list of devices that employees can buy. This allows the employer to better manage the devices in the company.

COPE (Corporate Owned, Personally Enabled)

Here, the employer buys the devices for the workers. The workers can use the devices for work but also for personal purposes.

NB: Each employee should sign a document confirming their agreement, and a monitoring policy should be put in place, for a good implementation of BYOD, CYOD or COPE.

In conclusion, BYOD is a good alternative in Africa and around the world. A good implementation of BYOD, with a good management and oversight policy in place, can help a company better manage its equipment. Adopting BYOD without being aware of the consequences and risks in organizations (ministries, directorates and others) in Africa is the cause of most data leaks. The advantages and consequences must therefore be taken into account in order to better protect data.


The fake video that made CR7 score his first goal for Al Nasr

A fake video is going viral on different social media platforms showing CR7 celebrating a goal with his teammates at the time he was playing for Juventus.

Most people watching the video believe that the goal is CR7's first goal for his new team, Al Nasr.

The video shows the yellow kit of Juventus, which is quite similar to the kit of Al Nasr.

https://www.youtube.com/shorts/3sxHjXvzI8g

The demonstration here is for training purposes. We will show you how you can find various information from a video or an image.

We first analyzed the video by watching it a couple of times and checking the comments on it. We found people commenting about the 3 players (Chiellini, Sandro, Chiesa) celebrating the goal with CR7. We realized that people think that the team is Al Nasr, the new team of CR7 (Cristiano Ronaldo).

To verify whether the team is really CR7's new team, we started our investigation.

We typed into Google search "team Cr7 with chiesa, Chiellini and Sandro".

We did not find any useful information regarding the picture. But we found one piece of information that was very important for us: from the picture above, you can see that Giorgio Chiellini is playing for Los Angeles and Federico Chiesa and Alex Sandro are both playing for Juventus at the time of writing.

With the information found, our investigation moved forward.

We took a screenshot of the video and put it in Google search; we did not find any information.

We took the same picture and put it in Microsoft Bing image search; we found the following information:

Our finding:

We clicked on the link; we got the following result:

Italian League Results and Standings - Ronaldo Wretched 4 Minutes, Mourinho Laughs, Juventus Kelelep, Roma Pepet Inter - Page 5 - Bolasport.com

Other information we found was that the 4 players played for Juventus from 2018 to 2021.

https://ca.sports.yahoo.com/news/cristiano-ronaldo-included-22-member-074946593.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAACHZqdA3NGL5QmpqSThY18UQ8XiFtnzUtaSPn9EQxOZDk060wNyR8Sv9hPMfWIYFzmmf83lkEtOh8tIB9bFQM-P2fKYZHVXN6L3fyAeoIizTsUn54vfRC3J7q2xUV85pSneL8RMdffJ-LDbtE7aXiQe3099F3xBP8G6wOcz17hf-

Based on our findings, we came to the conclusion that the video is fake and the team was Juventus.

In conclusion, the techniques we showed here will help you detect different fake news over the internet. Fake news is becoming more and more common and can sometimes create panic over the internet. Whenever you see news that catches people's attention, take your time to use the same techniques as we did to verify its relevance and accuracy.


Why do we need a Cyber Threat Intelligence?

Imagine a new zero-day vulnerability under active exploitation that can impact your organization, with no CVE score yet, and your scanner cannot detect it.

Imagine having many devices exposed on the internet with different vulnerabilities not detected by your vulnerability scanner.

Imagine that your employees use the same password on social media and in your organization. What if the social media site was breached? Your password might be on the dark web or on another data-leak sharing forum. Your organization might be compromised if you are not aware of the breach.

Imagine that a competitor company was compromised, and you might be next.

Imagine that your company's confidential information was leaked on the dark web, and you need to find the confidential data.

Imagine that your employees are posting pictures containing confidential information about your company on social media such as Twitter, Facebook and LinkedIn, and you are not aware of it.

Imagine that threat actors made a copy of your website, and your employees are connecting to it without knowing.

Imagine that your employees receive a lot of phishing emails daily and are responding to them.

There are thousands more reasons we could mention, but let's stop here.

As a security expert, when you think about all the scenarios cited, you might look for a way to detect these threats and protect your organization against them.

Cyber Threat Intelligence, or CTI, was created to provide solutions to such scenarios.

Before talking about Cyber Threat Intelligence, we should talk about the “intelligence cycle”.

Intelligence Cycle

The intelligence cycle is the set of steps that we use to conduct intelligence.

The intelligence cycle is divided into different phases:

Direction or Planning – This is the first phase and is very important.

In this phase, you set your goals and procedures, and prioritize based on the asset evaluation result.

Collection – This is where you gather data to meet the goals set in the previous phase. You will need different tools to achieve this. For example: using open or private sources to find all the devices that belong to your organization on the internet.

Analysis or Processing – After collecting the data, you must process and analyze everything you have collected. You need a specific tool for that, and you will also need to interpret the data at this point. Note that if the collection, processing or analysis of the data fails, the results will not be accurate. For example: collecting and analyzing a bunch of data from the dark web by entering your company's keyword in order to find the data relevant to your company. If the tool did not collect the data correctly and the analysis did not meet the requirements from the planning phase, the result would not be relevant.

Production – Once the analysis and processing are done, the next step is to prepare the report with the details, followed by some recommendations. For example: the cyber threat intelligence report about the data collected, processed and analyzed from the dark web; the vulnerability assessment report; the report about the threat actors that can target your organization.

Dissemination – When your report is ready, the next step is to deliver it to the management level or the C-level, based on the decision taken in the planning phase.

Some companies might report to different teams. For example: the vulnerability assessment report could be sent to the vulnerability management team in order to verify whether the vulnerability scanner engine missed the findings. This might also help determine the efficiency of the tool.

The report about leaked data could be sent to the CISO, who takes a decision based on the recommendations in the report.

Feedback – The last part, where the report is verified by the management level or C-level, such as the CISO. If the report does not meet the company's requirements, it might be criticized so that it can be improved. For example: when you send a technical report to the CISO about data breached on the dark web, the CISO might not understand all the terms, as the CISO may not be a technical person. It is always better to know where the report will be sent and how to meet the company's requirements before delivering it.

Cyber threat intelligence

Cyber threat detection is the process of detecting and analyzing the different threats that can impact the organization.

Cyber threat detection without the intelligence cycle is very difficult: as the data grows ever larger on the internal network and the internet, we need a proper approach to find the relevant data. That is one of the reasons the two were merged to bring about the idea of cyber threat intelligence.

Cyber Threat Intelligence is the combination of threat detection tools and the intelligence cycle to detect and analyze the threats, vulnerabilities and risks that can impact an organization.

As you read at the beginning of this article, Cyber Threat Intelligence starts from such scenarios. The scenarios help you find the different threats, vulnerabilities and risks that can impact your organization.

With the explanations provided above, we may give a general definition of Cyber Threat Intelligence: it is the process of planning, collecting, processing, analyzing, producing, disseminating and providing feedback about the different threats, vulnerabilities and risks that can impact your organization, using different tools (open or private sources).

The threats, vulnerabilities and risks could be anywhere your infrastructure and data reside. It is very important to identify and prioritize your assets and data. You need a proper data evaluation and asset evaluation in place to achieve this goal.

Cyber Threat Intelligence Report

As we already mentioned, we need to report the Cyber Threat Intelligence result obtained during the “Production” phase. When creating a report, it should be based on frameworks such as the Diamond Model and the Cyber Kill Chain (search online to find more about these topics). The frameworks help you standardize the report and make it much easier to understand.

Cyber Threat Intelligence tools

As discussed earlier, Cyber Threat Intelligence consists of collecting and analyzing data to find the relevant information. Let's name some tools used by Cyber Threat Intelligence teams.

One of the biggest repositories of Cyber Threat Intelligence tools is the OSINT Framework; the website contains different tools used by Cyber Threat Intelligence teams. We can also cite other tools such as:

In conclusion, based on all the details explained, Cyber Threat Intelligence is very important for any organization to protect its own environment. It helps you be more proactive in protecting your organization against different cyber-attacks. If you have not implemented a CTI team, it is time for you to start.


Why should we use a fake email?

The most common attack vectors used by threat actors to compromise a target system are phishing and spam. A phishing attack consists of sending a malicious email to a target; once the target receives the message and clicks on it (opens a link or attachment), the threat actors can then compromise the system. There are many websites that require you to register before using them; some of these websites could be owned by threat actors, or could send you annoying advertisements all the time. To avoid this issue, the appropriate solution is to use a “fake email”.

A fake email, or email generator, is a service that creates a temporary email address used to receive messages. The fake email helps you protect your real email address from spam, phishing and third-party advertisements, and helps you avoid detection during an investigation: for example, instead of using your company email to test a suspicious website, you can use a fake email.

There are many fake email services freely available on the internet.

Temp Mail - Disposable Temporary Email (temp-mail.org)

Temp Mail is a free service used to receive mail for a certain amount of time. You can use the service to register on a website and get the notification or activation code in the fake mailbox. The service helps protect your work email and your private email from being disclosed on a suspicious website or from receiving advertisements that you do not want.

In the pictures below, we describe the features available on Temp Mail.

Once you connect to the website, you will see the interface with the email address generated for you.

Click on the copy button to copy the generated email, submit it to the website where you wish to register, and shortly afterwards you will receive the mail confirming your registration.

When you receive the activation code, you can activate the account and log in to the website.

Be aware that the email is meant for temporary use.

The second option is Fakemail.

FakeMail | Temp Mail Addresses

Once you connect to the website, you will see the generated email address, the time it remains available, and a randomly generated password for you to use on the website you want to sign up to.

Fakemail can be used for a maximum of 2 weeks, so if there is a website you wish to log in to again, this is the option to use.

The last option we will talk about is email-fake.com.

Fake Email - Disposable Temporary Email (email-fake.com)

If you want to keep the email for a long period of time, this option is the best. You need to choose the email you want to use, and the uptime period will be set.

Click on the green arrow and you will see the uptime for each email you choose.

Constraints related to email generators or fake emails:

Email generators have some limits. Some websites such as Twitter, Facebook and Instagram blacklist such email addresses, so using a fake email to register will not be possible. To avoid that problem, you can use a private domain and bind it to the fake email service.

A private domain is a domain that you have already acquired, or that you own after buying it.

To bind a domain to a fake email service, once you own the domain, you need to add a DNS mail exchange (MX) record to it and connect the domain to your Temp Mail account.

For more details, visit: Private domains. How to get your own Temporary Email (2021) (temp-mail.org)

As described, using a fake email is a good practice that people should be aware of and use when needed. Protecting data is becoming much more difficult, so the best way to stay safe is to be protected. Be aware that some fake email services could be owned by threat actors, so before using one make sure it is a safe one.


Google Chrome Zero-day vulnerability exploited in the wild.

On November 22, 2022, Google's Threat Analysis Group reported the new zero-day vulnerability CVE-2022-4135.

The vulnerability is rated High. CVE-2022-4135: heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had already compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

The vulnerability is being exploited in the wild.

Google has released the update (version 107.0.5304.121 for Mac and Linux, and version 107.0.5304.121/.122 for Windows).

How to update your Chrome:

  • Open the Chrome browser
  • Go to your settings (right side of the browser) and click on the Settings option
  • Go to “About Chrome”
  • The browser will start the update automatically

As soon as you read this article, make sure that you update your browser.
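As an added example (not part of the original post), the following Python helper checks an installed Chrome build against the fixed versions quoted above. It assumes the `Google Chrome <version>` banner format printed by `google-chrome --version`; the sample banner is constructed.

```python
"""Check an installed Chrome build against the CVE-2022-4135 fixed versions (added example)."""
import re
from typing import Tuple

# First fixed builds named in the advisory; Windows also shipped 107.0.5304.122, which is newer.
FIXED_VERSIONS = {
    "linux": "107.0.5304.121",
    "mac": "107.0.5304.121",
    "windows": "107.0.5304.121",
}

# Assumed banner format of `google-chrome --version` / `chrome.exe --version`.
_BANNER = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '107.0.5304.99' into (107, 0, 5304, 99).

    Comparing versions as plain strings is a classic mistake: '107.0.5304.99' sorts
    after '107.0.5304.121' lexicographically, yet build 99 is the older one.
    Integer tuples compare field by field and get it right.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_from_banner(banner: str) -> str:
    """Extract the version from text like 'Google Chrome 107.0.5304.110'."""
    match = _BANNER.search(banner)
    if not match:
        raise ValueError(f"no version found in {banner!r}")
    return match.group(1)


def is_patched(installed: str, platform: str) -> bool:
    """True when the installed build is at least the first fixed build for the platform."""
    fixed = FIXED_VERSIONS[platform.lower()]
    return parse_version(installed) >= parse_version(fixed)


if __name__ == "__main__":
    # Constructed banner, as `google-chrome --version` would print it on a Linux host.
    sample_banner = "Google Chrome 107.0.5304.110 "
    current = version_from_banner(sample_banner)
    print(f"{current}: {'patched' if is_patched(current, 'linux') else 'UPDATE NOW'}")
```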


WHATSAPP brand targeted by threat actors

On November 24, 2022, the security researcher from OSINTAFRICA detected many phishing attacks mimicking the WhatsApp brand.

WhatsApp is a freeware platform used to send and receive text and voice messages, make voice and video calls, and share images, documents, user locations and other content. The application is owned by the American company Meta Platforms.

The application is used by more than 2 billion users around the globe.

The threat actor behind the campaign is unknown. The domains identified were created a few days ago.

The threat actors are using different locations such as the US, Singapore and Hong Kong to avoid detection and to target users from those locations as well.

Apart from using different locations, the threat actors also use the Cloudflare CDN to hide their location and the services they use to target users.

From the details we collected and analyzed, we can assume that the intention of the threat actors is to steal users' credentials and to trick users into installing malicious software that looks like WhatsApp.

Let's explain the findings in detail:

In the screenshot below, we can see that the page is quite similar to WhatsApp, and it has been classified as malicious by Google Safe Browsing. The IP address 2606:4700:3037::ac43:d2ab is located in the US and belongs to CLOUDFLARENET, US.

We can also observe some text written in Chinese, which could indicate that the threat actors might be targeting users from China.

gotas.evoluir.sbs - urlscan.io

VirusTotal detects it as a phishing website:

VirusTotal - URL - c424a393c09b3c1007258c95aef074d555395af61bda0e02fa68a4abc8ba773b

Another example is whatssap7[.]com

We can see that the IP address is located in the US and belongs to TERAEXCH, US.

https://urlscan.io/result/b7490a37-9c92-4020-8cde-abedee990831/

We decided to check SecurityTrails to find more information related to the domain.

We found the following information.

SecurityTrails found two domains. The second one, download.whatssap7[.]com, is a malicious domain hosting download versions of the application for Android, Windows and MacBook.

https://securitytrails.com/list/apex_domain/whatssap7.com

Below is the urlscan result for download.whatssap7[.]com, which serves the malicious WhatsApp package:

https://urlscan.io/result/ae426881-2e77-412f-a27a-8ec5b956dfa2/

Unfortunately, we could not download the file.

Our last example is the domain whatqsapp[.]com

https://urlscan.io/result/4f6be6c4-be69-4e24-9618-08605b541c95/

Another domain located in the US.

From RiskIQ, we found many subdomains mimicking WhatsApp using the IP address 172.247.175.66.

It is not the first time WhatsApp has been targeted. Many users complained in the past about losing their credentials, and phishing is the technique most used to achieve this goal.

This issue is quite interesting as WhatsApp is used by many users; some measures should be taken to prevent users from connecting to the malicious websites.

To reduce this situation, 3 main pieces of advice need to be followed.

Advice:

  • Use only whatsapp.com for downloading the application and logging in
  • Use 2FA to protect your account
  • Take down all the domains (this should be done by the WhatsApp corporate team)
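As an added example (not code from the OSINTAFRICA post), the following Python script shows one way a defender can triage a list of defanged indicators like the ones collected in this post: it refangs the `[.]` notation, extracts the registrable label, and flags labels within a small edit distance (optimal string alignment, which also counts adjacent swaps) of the brand name. The sample indicators are taken from this post; note that `gotas.evoluir.sbs` mimics WhatsApp by page content only, so name similarity cannot catch it.

```python
"""Flag domains whose registrable label looks like a brand name (added example, not OSINTAFRICA code)."""
import re
from typing import Iterable, List, Tuple

# Defanged indicators replace "." with "[.]", "[[.]]", "{.}" or "(.)"; undo that before parsing.
_DEFANG = re.compile(r"\[\[\.\]\]|\[\.\]|\{\.\}|\(\.\)")
# Host prefixes that carry no brand information (the post lists both "www[.]" and "ww[.]" forms).
_STRIP_PREFIXES = ("www.", "ww.")

# Constructed sample: indicators from this post plus the legitimate domain and one unrelated host.
SAMPLE_INDICATORS = [
    "whatssap7[.]com",
    "download.whatssap7[.]com",
    "whatssapp8[[.]]com",
    "www[.]whatscaapp[.]com",
    "whatsaaapp[.]com",
    "whatqsapp[.]com",
    "ww[.]whatsaypp[.]com",
    "whaotapp[.]com",
    "gotas.evoluir.sbs",   # mimics WhatsApp by page content, not by name
    "whatsapp.com",        # the real domain, must not be flagged
]


def refang(indicator: str) -> str:
    """Return the plain, lower-cased hostname behind a defanged indicator."""
    return _DEFANG.sub(".", indicator.strip().lower())


def registrable_label(hostname: str) -> str:
    """Label directly left of the TLD, e.g. 'download.whatssap7.com' -> 'whatssap7'.

    Assumes a single-label TLD such as .com or .sbs; a production tool would
    consult the Public Suffix List so that names like 'example.co.uk' work too.
    """
    for prefix in _STRIP_PREFIXES:
        if hostname.startswith(prefix):
            hostname = hostname[len(prefix):]
    labels = hostname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and swaps of two adjacent characters each cost 1 (so 'whtasapp' scores 1)."""
    prev2: List[int] = []
    prev1 = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev1 = prev1, cur
    return prev1[len(b)]


def flag_lookalikes(indicators: Iterable[str], brand: str = "whatsapp",
                    max_distance: int = 2,
                    allowlist: Tuple[str, ...] = ("whatsapp",)) -> List[Tuple[str, str, int]]:
    """Return (indicator, label, distance) for each indicator whose label is within
    max_distance edits of the brand, skipping allow-listed (legitimate) labels."""
    hits = []
    for indicator in indicators:
        label = registrable_label(refang(indicator))
        core = label.rstrip("0123456789")  # 'whatssap7' -> 'whatssap'
        if core in allowlist:
            continue
        distance = osa_distance(core, brand)
        if distance <= max_distance:
            hits.append((indicator, label, distance))
    return sorted(hits, key=lambda hit: (hit[2], hit[0]))


if __name__ == "__main__":
    for indicator, label, distance in flag_lookalikes(SAMPLE_INDICATORS):
        print(f"{distance}  {label:<12} {indicator}")
```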

Domains mimicking WhatsApp
