56 Followers
128 Following
165 Posts

Former SAP Architect, Service Manager, and, by accident, working in IT Security since 2016.

Way before that, developer in C/C++ and then Visual Basic (what a jump).

I am part of the unknown club of people having 20+ internet domains "because I have a project in mind" that, somehow, I keep renewing every year. Because you never know...

And, of course, views expressed are just mine.

Web: https://safete.ch/
Other Mastodon: https://mastodon.social/@dehaller
Twittodon: https://twittodon.com/confirm.php?t=dehaller&[email protected]
After 18 years using a Flickr account, time to close it. So long Flickr, it has been a nice ride.
Tired of the way some apps work and behave. This time it is Sogou input keyboard. It downloads from a weird IP based in Myanmar, not using standard ports.

Phishing related to Post Finance (Swiss bank), pretty well done:

You receive an email like this one below. You check the sender and see it is coming from another domain (1st warning):

no-replay@lfm[.]ch
Notice also it is “no-replay” and it should be “no-reply” to simulate an automated mailbox. So we have now two warnings.

You check the footer of the email:

“Don't like these emails? Unsubscribe or Manage Email Subscriptions
Powered By FluentCRM”
Since when would a CRM send this type of email? There you have your third warning.

You notice the big gap between email content and footer (see image), and you find some gibberish text that is in white foreground and background. Check next image. And there you have your fourth warning.

Next: the link. It points to (this is a URLScan result, safe to click)

https://urlscan.io/result/d003eb47-1414-4842-83f6-cb7b69890bc5/

And you see it redirects you to:
https://oustrup-landbrug[.]dk/pf/

URLScan doesn't go to a second redirection, so if I check with a sandbox, you will see it takes you to:

https://salonfigaro[.]dk/ch/PF/Login.php
Which is a perfect copy of the Post Finance login page.

If you put fake data, it takes you to this page:
https://salonfigaro[.]dk/ch/PF/Account/Waiting.php and keeps showing the last image. And, of course, you will never get past it.

To summarise, plenty of warnings that can help you detect phishing. What is really interesting is the fact that threat actors don't just send you a phishing email hoping it does not get filtered, they really work hard to:
- detect an email domain not having SPF properly configured
- use a CRM to send emails
- hack their way into two web servers
- redirect 2 times to defeat link analysis services

So, nicely tried, and no luck with me. But I wonder how many people might have fallen for it...

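The warning signs listed in the post above (sender domain that is not the bank's, a misspelt automated mailbox name, a CRM/mass-mailing footer, white-on-white filler text, and links to unrelated hosts) can be turned into simple triage heuristics. The following is an added example, not code from the post's author; the sample message is constructed to mimic the lure as described, and the expected brand domain (postfinance.ch) is an assumption.

```python
"""Heuristic triage of a bank-themed phishing email.

Added example; the message below is a constructed imitation of the lure
described in the post, not the real mail.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

EXPECTED_BRAND_DOMAIN = "postfinance.ch"   # assumption: the brand the mail impersonates
AUTOMATED_LOCALPARTS = {"no-reply", "noreply", "do-not-reply", "donotreply"}
MASS_MAIL_FOOTERS = ("unsubscribe", "manage email subscriptions", "powered by fluentcrm")

# Constructed sample: wrong sender domain, "no-replay" typo, CRM footer,
# white-on-white filler text, and a link to an unrelated host.
SAMPLE_EMAIL = """From: PostFinance <no-replay@lfm.ch>
To: victim@example.com
Subject: Your account requires verification
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, please confirm your e-finance access:</p>
<p><a href="https://oustrup-landbrug.dk/pf/">Login to PostFinance</a></p>
<p style="color:#ffffff;background-color:#ffffff">lorem ipsum dolor filler text</p>
<p style="font-size:10px">Don't like these emails? Unsubscribe or Manage Email Subscriptions<br>
Powered By FluentCRM</p>
</body></html>
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alikes such as no-replay vs no-reply."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def same_org(host, domain=EXPECTED_BRAND_DOMAIN):
    """True only for the brand domain itself or a real subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def sender_address(msg):
    m = re.search(r"<([^>]+)>", msg.get("From", ""))
    return (m.group(1) if m else msg.get("From", "")).strip().lower()


def hidden_text_blocks(html):
    """Return inner text of elements whose inline style gives text and background the same colour."""
    found = []
    pattern = r'<[a-z]+[^>]*style="([^"]*)"[^>]*>(.*?)</[a-z]+>'
    for style, inner in re.findall(pattern, html, re.I | re.S):
        props = {}
        for prop in style.split(";"):
            if ":" in prop:
                k, v = prop.split(":", 1)
                props[k.strip().lower()] = v.strip().lower()
        fg, bg = props.get("color"), props.get("background-color")
        if fg and bg and fg == bg:
            found.append(inner.strip())
    return found


def analyse(raw):
    """Run the heuristics over a raw RFC 822 message and return a list of warnings."""
    msg = message_from_string(raw)
    warnings = []

    local, _, domain = sender_address(msg).partition("@")
    if not same_org(domain):
        warnings.append(f"sender domain {domain} is not {EXPECTED_BRAND_DOMAIN}")
    if local not in AUTOMATED_LOCALPARTS and any(
        edit_distance(local, a) == 1 for a in AUTOMATED_LOCALPARTS
    ):
        warnings.append(f"local part '{local}' looks like a misspelt automated mailbox")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    if any(f in body.lower() for f in MASS_MAIL_FOOTERS):
        warnings.append("mass-mailing/CRM footer on a supposedly transactional message")

    hidden = hidden_text_blocks(body)
    if hidden:
        warnings.append(f"{len(hidden)} hidden text block(s) (foreground == background)")

    for href in re.findall(r'href="([^"]+)"', body, re.I):
        host = urlparse(href).hostname or ""
        if not same_org(host):
            warnings.append(f"link points to unrelated host {host}")
    return warnings


if __name__ == "__main__":
    for w in analyse(SAMPLE_EMAIL):
        print("WARNING:", w)
```

These checks only cover what is visible in the message itself; the redirect chain the post describes (two hops before the cloned login page) has to be followed with a sandbox or scanner, as the post does, since a static look at the first link would stop at the first hop.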

This is more for my own documentation, but I thought it could be useful to share with all of you.

If you happen to detect some strange http (no s) connection to strange FQDNs or IP Addresses, check if the service initiating the connection is BITS (Background Intelligent Transfer Service). I've been detecting these since we deployed a new EDR, and it is driving me crazy.

If you see an alert like the screenshot attached, you might think Notepad++ in that machine is not the legitimate one. So, you check the MD5 and find out it is actually a legit one. What’s going on? Some DLL injection? Nope, it is actually TVM (Threat and Vulnerability Management) from MS that allows you to create a notification for the user should he/she be using a non-updated version and suggests updating to the most current one, and also blocking the execution, which explains this alert. Notice the “TvmWarn” in the virus definition.
So, false alert. 😨
Good morning! After almost two weeks with the Moonlander keyboard, and who knows how many layout changes, I am getting there. I was close to giving up because I mainly struggle with the special character keys, I don’t recall where they are. But I feel a little improvement.

Interesting reading: report from the NTC https://ntc.swiss
A security analysis report from the Tiktok app.

I guess you can replace Tiktok by Facebook, Twitter, Instagram, and WhatsApp (to name a few) and it will also be correct.

https://www.ntc.swiss/hubfs/NTC-security-analysis-tiktok-v1.0-en.pdf

NTC | Nationales Testinstitut für Cybersicherheit (National Test Institute for Cybersecurity)

The National Test Institute for Cybersecurity NTC tests networked or cyber-physical components, applications and services for their cybersecurity.

Interesting, now in Microsoft Sentinel you can get incidents raised when a password is being reused between different services.

After 21 different layouts for the Moonlander keyboard, I think I have found the one in which I don't get lost looking for the special keys and/or symbols.

I also believe in using a non-US configuration because I need to be able to write in English, French, and Spanish, using accents of all sorts (not as complex as Romanian or Polish, to name the ones I've seen written quite a few times).

Now time to train with it.

#Moonlander