At a glance.
- SEO for malicious links.
- Facebook's zero-day.
- Company associated with Dark Basin says it was doing legitimate work for private investigators.
Positioning malicious pages using SEO.
Avast has described a criminal campaign that uses search engine optimization to draw victims to malicious sites with promises of prizes. The tactic, in general, is to apply the same techniques SEO consultants advise their clients to use to push pages to the top of the rankings. Results in the major search engines have been affected: Google, Bing, Yahoo, Yandex, and Baidu.
The operators use “fixed code to create the appearance of positive Google product reviews in rich search results,” Avast says. Such rich-result snippets (star ratings, review counts) are rendered from structured data the page itself supplies, so their presence in a result is no indication that the search engine has vetted the site. Searchers who follow the link are taken through a series of pages that eventually (usually after a show of calculating results to determine a winner) tell them that they are in fact the lucky one. The goal of the scam is the collection of personal information.
The scammers also tune the language to one that fits the visitor’s IP address. The examples Avast shares are in German, French, English, or Czech, and the researchers find the grammar and usage unusually fluent and convincing.
Facebook's aid to the FBI.
Motherboard this morning reported that Facebook helped the FBI track down Buster Hernandez, a man wanted for harassing, threatening, and abusing young girls. The company did so by working with an unidentified security firm to develop a zero-day exploit for Tails, the privacy-focused, Tor-based operating system, which gave the Bureau the ability to unmask Mr. Hernandez’s IP address, a hack that eventually led to his arrest.
This is the only known case in which Facebook has provided this kind of assistance. The company reportedly judged the case too heinous to decline to help law enforcement, and also judged that the assistance posed no broader threat to users' privacy and no prospect of use against anyone other than Mr. Hernandez. The decision to develop the unmasking tool is nonetheless said to have been controversial within Facebook.
Follow-up: Dark Basin and the private eyes.
Sumit Gupta, founder of BellTroX, the Indian company Citizen Lab named in its report on hackers-for-hire, has told Reuters he did nothing wrong: all BellTroX did, he says, was help private investigators access email accounts for which BellTroX had been given the credentials. The snooping on environmental activist groups that Citizen Lab reported has drawn most of the attention, but the tasks BellTroX allegedly received from its customers also included finding out what law firms, investment firms, short sellers, and private litigants were up to. That’s a pretty wide net. It's unclear on whose behalf BellTroX (or Dark Basin) was working: so far no clients have been publicly identified.
We received a number of comments on Dark Basin. James McQuiggan, Security Awareness Advocate at KnowBe4, had these observations, with particular attention to the place URL shorteners had in the Dark Basin toolkit:
"Hackers for hire (HfH) or Hacking as a Service (HaaS) is undoubtedly what this group was doing. Utilizing a variety of expert cybersecurity criminals, this organization was launching persuasive phishing attacks. What makes it difficult is the website shorteners that are part of the attack.
"It isn't easy to spot how authentic a shortened website address is and if one should believe it. Oftentimes, with recognized shorteners, you can visit their website to verify if the address is real. It is an extra step and probably a few minutes' worth of work.
"In the grand scheme of things, it could be worth it to save an organization from a phishing attack. If an end user ends up clicking the shortener link, it's essential to verify the webpage they load. It could appear to be a spoofed website and be trying to steal one's credentials.
"An organization with a solid security culture and a robust security awareness training program can educate employees to understand the latest phishing scams, which leads them to make smarter security decisions."
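The check described in the comment above, expanding a shortened link before anyone loads the destination, can be automated so that it does not depend on a user spending those minutes. The following is an added example written for this page; it is not code from KnowBe4, Citizen Lab, or any of the firms quoted. It follows redirects one hop at a time with HEAD requests (so the final page is never fetched), caps the hop count to survive redirect loops, and reports whether the resolved host is one the organization expects. The shortener list, the `fake_fetch` transport and its redirect map are constructed for the example; `head_no_follow` is the real transport a deployment would pass in.

```python
"""Expand a shortened URL hop by hop and judge where it really lands.

Added example, not code from the page or from any organization it quotes.
`fetch(url)` is a transport that issues a single HEAD request and returns
(status, absolute Location or None) without following redirects.
"""
import http.client
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Constructed list for the example; a deployment would maintain its own.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


def head_no_follow(url, timeout=5):
    """Real transport: one HEAD request, redirects NOT followed.
    http.client never follows redirects, so the Location header is
    returned to the caller instead of being acted on."""
    p = urlparse(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    path = p.path or "/"
    if p.query:
        path += "?" + p.query
    conn.request("HEAD", path, headers={"User-Agent": "link-check"})
    resp = conn.getresponse()
    loc = resp.getheader("Location")
    conn.close()
    return resp.status, (urljoin(url, loc) if loc else None)


def expand(url, fetch, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time; return (final_url, chain).
    Raises RuntimeError after max_hops so a redirect loop cannot hang."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return url, chain
        url = location
        chain.append(url)
    raise RuntimeError("too many redirects: " + " -> ".join(chain))


def assess(url, fetch, expected_hosts):
    """Verdict for a link: hop count, whether a known shortener was in the
    chain, the final hostname, and whether that hostname is expected.
    The comparison is on the full hostname, so a lookalike such as
    login.example-corp.com.evil.test does not match example-corp.com."""
    final, chain = expand(url, fetch)
    final_host = urlparse(final).hostname or ""
    return {
        "final_url": final,
        "hops": len(chain) - 1,
        "via_shortener": any((urlparse(u).hostname or "") in KNOWN_SHORTENERS for u in chain[:-1]),
        "final_host": final_host,
        "expected": final_host in expected_hosts,
    }


# Constructed redirect map standing in for the network in this example.
_FAKE_REDIRECTS = {
    "https://bit.ly/abc123": (301, "https://t.co/xyz"),
    "https://t.co/xyz": (302, "https://login.example-corp.com.evil.test/owa"),
    "https://bit.ly/legit": (301, "https://mail.example-corp.com/owa"),
    "https://bit.ly/loop1": (302, "https://bit.ly/loop2"),
    "https://bit.ly/loop2": (302, "https://bit.ly/loop1"),
}


def fake_fetch(url):
    """Hypothetical transport that answers from the constructed map."""
    return _FAKE_REDIRECTS.get(url, (200, None))


if __name__ == "__main__":
    for link in ("https://bit.ly/abc123", "https://bit.ly/legit"):
        print(link, assess(link, fake_fetch, {"mail.example-corp.com"}))
```

Using HEAD with redirects disabled is the point: a browser or `requests.get` would follow the chain and load the phishing page, executing whatever it serves and recording the visit. A loop cap is needed because a chain that points back at itself would otherwise never terminate. To run it against live links, pass `head_no_follow` instead of `fake_fetch`.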
Colin Bastable, CEO of Lucy Security, also finds the URL shorteners interesting, and is struck by the movie-script potential:
“The University of Toronto’s Citizen Lab’s report reads like a movie script. Half the time I’m thinking that the bad guys left so many trails that it must be an exercise in misdirection. Only State actors could pull something like this together. The quality of the phishing site landing pages is excellent, and the English grammar is very good - too good, unless you were running a very professional well-financed and targeted operation. The subdomains are also well designed, especially for mobile users. The URL shorteners, the 5 and a half-hour time zone difference, and the different email addresses which tie back to BellTroX are all very interesting.”
The proprietor of BellTroX has been wanted in the US for several years, and in 2017 was designated a fugitive. Paul Bischoff, privacy advocate with Comparitech, thinks it's striking how openly the Dark Basin operators were able to advertise their services, and concludes that the market for hackers-for-hire is likely to remain robust:
“The most striking part of the Dark Basin operation is how it was able to openly advertise its services without consequence. It clearly didn't fear any legal consequences that might arise despite much of its activity being blatantly illegal. I have to wonder, even after Citizen Lab's report, if authorities will go after Dark Basin. India is home to many phishing and scam operations that go about their business in broad daylight. Even if Dark Basin is shut down, another hack-for-hire business could replace it. So perhaps the best course of action is further investigation to reveal its clients and take legal action against them.”
And Chris Hauk, consumer privacy champion with Pixel Privacy, is disturbed by the target list:
“The Dark Basin report exposes a troubling development in the world of hacking, which is 'Hack-for-Hire.' We will continue to see black hat hackers offer their services to the highest bidder in the coming years. Sadly, as we have seen in recent weeks, we may see these 'hired guns' taking aim at more socially conscious groups, such as the NAACP, Black Lives Matter, and other social organizations.”