How can we write better incident reports? Here's the video of my talk from the RSA Conference. The audience rated it highly, so you might find it informative:
It seems this activity has been going on since 3 May
https://freecycle.helpscoutdocs.com/article/327-spam-email
First issue with this incident response: zero communication with their user base. I had to go digging just to find this support portal wiki page.
Second issue: this is not spam but likely phishing. Use the correct terms, folks.
#freecycle #spammers #scammers #malicious #suspectfiles #malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponce #IR #spam #infosec #infomantionSecurity #virustotal #ABUSE
Well #freecycle is still dealing with the incident.
Two more "user verification" email waves in the last 24 hours. One at 6:30 PT and one at 0500 PT.
It does not seem like the #freecycle folks are handling this well, though all messages are removed as they were previously.
🤔 what vulnerability is being exploited?
It looks like freecycle.org is dealing with a security incident
Multiple responses to postings, all from what appear to be automated accounts with gibberish usernames made of punctuation, capital letters, and numbers. The activity started last night around midnight PT and continues, the most recent being 40 minutes ago.
The messages have been deleted with the message:
system notifier
There are no messages in this thread.
With this issue coming after the recent data breach, I have to wonder what problems #freecycle is dealing with.
Attachment details:
Archive unpacked: Ojo de Agua L7e4Q9T8n7H5F02948682763671061.zip (application/zip, 875.00 B)
#MD5: 6631371d736d640a36c6ab4d6c63dea6
#SHA1: 8fd44aa1bff3821d3a433e36749ea72f43a94dd9
#SHA256: 7fc51469303642006715af40b5b8b545e249e8a2a7ff1b6604565db27de0ca0d
#SHA512: e658bd018c278481c1ea5bf32d4dee533bd6448dca8ad7094807fa7c6f569203a5d2c13b2e38a323c72a35fc221139eb7432451d91a924b47973807856ecba37
https://www.filescan.io/uploads/662fd7af75339da04fa6bb92
Expanded to Name: Ojo de Agua L7e4Q9T8n7H5F02948682763671061.html
File Magic: text/html
SHA-256: 1ea974fab990da9ca61a9c56afdcbecbe8486e0cd2cc5045fea9ab71d8347ee7
https://www.filescan.io/uploads/662fd7af75339da04fa6bb92/reports/cd4142ec-180b-4461-b82a-9c65ac07a4dd/overview looks to be a spoofed #Google page, in German. No detections!
#spammers #scammers #malicious #suspectfiles #malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponce #IR #spam #infosec #infomantionSecurity #virustotal #ABUSE #emailabuse
#filescan #virustotal
2/3
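The unpack-and-hash step applied to the attachment above, as an added example (not code from the original posts): it records the same four digests for the archive and each member, sniffs each member's type, and flags HTML delivered inside a ZIP. The sample ZIP is constructed in memory so it runs offline.

```python
"""Attachment triage helper (added example, not from the original posts).
Hash the archive, list what it unpacks to, sniff each member's type, and
flag an HTML file delivered inside a ZIP (the spoofed-login-page pattern)."""
import hashlib
import io
import zipfile

HASH_ALGOS = ("md5", "sha1", "sha256", "sha512")
MAX_MEMBER = 5 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)

def hash_bytes(data: bytes) -> dict:
    """The four digests the thread records for each sample."""
    return {a: hashlib.new(a, data).hexdigest() for a in HASH_ALGOS}

def sniff_magic(data: bytes) -> str:
    """Minimal file-type sniff: zip, html, plain text, or other."""
    if data[:4] == b"PK\x03\x04":
        return "application/zip"
    head = data.lstrip()[:64].lower()
    if head.startswith((b"<!doctype html", b"<html", b"<script", b"<meta")):
        return "text/html"
    try:
        data.decode("ascii")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"

def triage_archive(blob: bytes) -> dict:
    """Hash the archive and each member; mark archive-wrapped HTML as suspicious."""
    report = {"archive": hash_bytes(blob), "members": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER:
                report["members"].append({"name": info.filename, "skipped": True})
                report["suspicious"] = True
                continue
            data = zf.read(info)
            magic = sniff_magic(data)
            report["members"].append({"name": info.filename, "magic": magic, **hash_bytes(data)})
            if magic == "text/html":  # HTML inside a ZIP is the lure pattern seen above
                report["suspicious"] = True
    return report

# Constructed sample: a ZIP holding a tiny HTML login form (stand-in for the lure).
SAMPLE_HTML = b"<!DOCTYPE html><html><body><form>Anmelden</form></body></html>"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("sample.html", SAMPLE_HTML)
SAMPLE_ZIP = _buf.getvalue()
```

Call `triage_archive(SAMPLE_ZIP)` (or pass the bytes of a real attachment) to get the report dict; the digests it returns are what you would then look up on filescan or VirusTotal.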
Today’s #malware sample is in #Spanish, leveraging an #ezmlm mailing list on the back end at facturanuevagenerada [DOT] com, which does not have an associated website – just a placeholder.
#email #SRC 62.149.155.137 assigned to #aruba.it, a hosting provider over in the #EU.
Of interest:
#User-Agent: #Roundcube Webmail/1.6.0
#IP is not listed as an #openProxy
1/3
New sample relating to the activity described - file attachment:
Name: Daily Check status order---###Geek Squad###2024APR##.txt
File Magic: text/plain
SHA-256: 330a0f5609c1922888772bc72bc4ececf5e6fca236a68e6783129706af0bdc06
Uploaded to:
https://www.filescan.io/uploads/662c1bcb14ba3ce8289b35fe/reports/3083959a-01fa-4b25-82b0-5de7c9ba2c09/overview
https://www.virustotal.com/gui/file/330a0f5609c1922888772bc72bc4ececf5e6fca236a68e6783129706af0bdc06/
With today's number (833) 944-1376
message source: 209.85.220.41:
Routing details for 209.85.220.41
Cached whois for 209.85.220.41 : [email protected]
#spammers #scammers #malicious #suspectfiles
#malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponce #IR
#spam #infosec #infomantionSecurity #virustotal #ABUSE #emailabuse #paypal #paypuke #geeksquad #filescan #vt #virustotal
Most recent email #SRC:
Tracking message source: 209.85.220.65:
Routing details for 209.85.220.65
Cached whois for 209.85.220.65 : network-abuse@google.com
File #attachment:
Name: You can view and pay your invoice online at #### TXN ID - 35BY54NY6U.txt
FileMagicDescription: #ASCII text, with CRLF line terminators
Size: 820.00 B
#MD5: 3623bff3a27884ccad53958452b3b386
#SHA-1: 1d7f7cbea8d82de0ae5beab1272401213e39a8e1
#SHA-256: f5c231e6710d06d91bda4fe4509900b085a4e8d344df609fe63f2d9c440be24a
2/2