Secure SSH connectivty

Security
  • Hi all,

    I’m curious to understand how you all connect to your servers - hopefully, it’s at the very least using SSH and at the better end of the spectrum, using a key and passphrase combination. For those who are curious to understand why we need a key and passphrase, it’s because without it, your SSH session is still subject to brute force. In addition, you should NEVER allow root to login directly - either at the console physically (if you have a physical server within your reach), or via SSH session.

    In this case, you should be using a normal account to gain access via SSH, then elevating your session using

    su - or su root

    Permitting login as root directly is simply asking for trouble, and will effectively negate your security completely by allowing a complete stranger to bruteforce and then assume control of your server. You should also use a firewall to permit access to SSH via specified and approved IP addresses.

    This is security101 and an industry standard.

    Now it’s confession time on your part… 😄

    The other part of the bargain would be which SSH client you should use. There’s the go-to PUTTY for Windows, or even the command line (which has been greatly simplified in Windows 10/11). However, one I recently started using which is 100% free and extremely powerful is Bitvise

    https://www.bitvise.com/

    Seriously, if you haven’t already got this application in your toolkit, then it’s time to add it.

  • phenomlabundefined phenomlab marked this topic as a regular topic on
  • And, if you want to confess that you’re not using SSH keys, then this is a great guide to change all that, and to take the necessary steps in securing your server…

    https://linuxhint.com/generate-ssh-key-ubuntu/

  • @phenomlab

    Change SSH port is good too

    I use Tabby on Windows, very very good product

    https://tabby.sh

    I search a tutorial for use SSH keys with virtualmin but Ithink it’s not obliged to desactivate root login if you have sh key no ?

    I use crowdsec for bruteforce ssh attack (and other)

    https://www.crowdsec.net

  • @DownPW thanks for the update 👍

  • @DownPW said in Secure SSH connectivty:

    Change SSH port is good too

    Yes, agreed, but easily revealed by a port scanner, and more obfuscation than actual security. Changing the default 22 is of course good security practice but won’t stop a determined attacker.

    @DownPW said in Secure SSH connectivty:

    I use Tabby on Windows, very very good product

    Not tried this, but will definitely take a look

    @DownPW said in Secure SSH connectivty:

    I search a tutorial for use SSH keys with virtualmin but I think it’s not obliged to desactivate root login if you have sh key no ?

    Again, this is more about your attitude to security. It’s a good point, but my preference is to not permit direct root access at all.

    @DownPW said in Secure SSH connectivty:

    I use crowdsec for bruteforce ssh attack (and other)

    Yes, I’m looking at this also.

  • @phenomlab said in Secure SSH connectivty:

    I use Tabby on Windows, very very good product

    Seems this product is ALPHA ?
    f64b1ad2-281b-45d6-8c65-f4200d8f4cd5-image.png

  • @phenomlab

    yep but I use it since several month and I haven’t see any bugs or crash
    In any case, I only use him anymore 🙂

    Tabby offers tabs and a panel system, but also themes, plugins and color palettes to allow you to push the experience to the limit. It can support different shells in the same window, offers completion, has an encrypted container for your passwords, SSH keys and other secrets, and can handle different connection profiles.

    Each tab is persistent (you can restore them if you close one by mistake) and has a notification system, which will let you know if, for example, a process is finished while you are tapping in another tab.

    It’s really a great terminal that will easily replace cmd.exe for Windowsians or your usual terminal. And it can even work in a portable version for those who like to carry their tools on a USB key.

    –> To test it, you can download it, but there is also a web version. Handy for getting an idea.

    https://app.tabby.sh

  • mventuresundefined mventures referenced this topic on

  • 12 Votes
    8 Posts
    87 Views

    @crazycells good question. Gmail being provided by Google is going to be one of the more secure by default out of the box, although you have to bear in mind that you can have the best security in the world, but that is easily diluted by user decision.

    Obviously, it makes sense to secure all cloud based services with at least 2fa protection, or better still, biometric if available, but email still remains vastly unprotected (unless enforced in the sense of 2fa, which I know Sendgrid do) because of user choice (in the sense that users will always go for the path of least resistance when it comes to security to make their lives easier). The ultimate side effect of taking this route is being vulnerable to credentials theft via phishing attacks and social engineering.

    The same principle would easily apply to Proton Mail, who also (from memory) do not enforce 2fa. Based on this fact, neither product is more secure than the other without one form of additional authentication at least being imposed.

    In terms of direct attack on the servers holding mail accounts themselves, this is a far less common type of attack these days as tricking the user is so much simpler than brute forcing a server where you are very likely to be detected by perimeter security (IDS / IPS etc).

  • 4 Votes
    4 Posts
    73 Views

    @phenomlab said in TikTok fined £12.7m for misusing children’s data:

    Just another reason not to use TikTok. Zero privacy, Zero respect for privacy, and Zero controls in place.

    https://news.sky.com/story/tiktok-fined-12-7m-for-data-protection-breaches-12849702

    The quote from this article says it all

    TikTok should have known better. TikTok should have done better

    They should have, but didn’t. Clearly the same distinct lack of core values as Facebook. Profit first, privacy… well, maybe.

    Wow, that’s crazy! so glad I stayed away from it, rotten to the core.

  • 1 Votes
    1 Posts
    148 Views

    1622031373927-headers-min.webp

    It surprises me (well, actually, dismays me in most cases) that new websites appear online all the time who have clearly spent an inordinate amount of time on cosmetics / appearance, and decent hosting, yet failed to address the elephant in the room when it comes to actually securing the site itself. Almost all the time, when I perform a quick security audit using something simple like the below

    https://securityheaders.io

    I often see something like this

    Not a pretty sight. Not only does this expose your site to unprecedented risk, but also looks bad when others decide to perform a simple (and very public) check. Worse still is the sheer number of so called “security experts” who claim to solve all of your security issues with their “silver bullet” solution (sarcasm intended), yet have neglected to get their own house in order. So that can you do to resolve this issue ? It’s actually much easier than it seems. Dependant on the web server you are running, you can include these headers.

    Apache <IfModule mod_headers.c> Header set X-Frame-Options "SAMEORIGIN" header set X-XSS-Protection "1; mode=block" Header set X-Download-Options "noopen" Header set X-Content-Type-Options "nosniff" Header set Content-Security-Policy "upgrade-insecure-requests" Header set Referrer-Policy 'no-referrer' add Header set Feature-Policy "geolocation 'self' https://yourdomain.com" Header set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" Header set X-Powered-By "Whatever text you want to appear here" Header set Access-Control-Allow-Origin "https://yourdomain.com" Header set X-Permitted-Cross-Domain-Policies "none" Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" </IfModule> NGINX add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block"; add_header X-Download-Options "noopen" always; add_header X-Content-Type-Options "nosniff" always; add_header Content-Security-Policy "upgrade-insecure-requests" always; add_header Referrer-Policy 'no-referrer' always; add_header Feature-Policy "geolocation 'self' https://yourdomain.com" always; add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=();"; add_header X-Powered-By "Whatever text you want to appear here" always; add_header Access-Control-Allow-Origin "https://yourdomain.com" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;

    Note, that https://yourdomain.com should be changed to reflect your actual domain. This is just a placeholder to demonstrate how the headers need to be structured.

    Restart Apache or NGINX, and then perform the test again.


    That’s better !

    More detail around these headers can be found here

    https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache

  • 0 Votes
    1 Posts
    140 Views

    1622032930658-hacked_listen-min.webp

    I’ve been a veteran of the infosec industry for several years, and during that time, I’ve been exposed to a wide range of technology and situations alike. Over this period, I’ve amassed a wealth of experience around information security, physical security, and systems. 18 years of that experience has been gained within the financial sector - the remaining spread across manufacturing, retail, and several other areas. I’ve always classed myself as a jack of all trades, and a master of none. The real reason for this is that I wanted to gain as much exposure to the world of technology without effectively “shoehorning” myself - pigeon holing my career and restricting my overall scope.

    I learned how to both hack and protect 8086 / Z80 systems back in 1984, and was using “POKE” well before Facebook coined the phrase and made it trendy (one of the actual commands I still remember to this day that rendered the CTRL, SHIFT, ESC break sequence useless was

    POKE &bdee, &c9

    I spent my youth dissecting systems and software alike, understanding how they worked, and more importantly, how easily they could be bypassed or modified.

    Was I a hacker in my youth ? If you understand the true meaning of the word, then yes - I most definitely was.

    If you think a hacker is a criminal, then absolutely not. I took my various skills I obtained over the years, honed them, and made them into a walking information source - a living, breathing technology encyclopedia that could be queried simply by asking a question (but not vulnerable to SQL injection).

    Over the years, I took an interest in all forms of technology, and was deeply immersed in the “virus era” of the 2000’s. I already understood how viruses worked (after dissecting hundreds of them in a home lab), and the level of damage that could be inflicted by one paved the way for a natural progression to early and somewhat infantile malware. In its earliest form, this malware was easily spotted and removed. Today’s campaigns see code that will self delete itself post successful execution, leaving little to no trace of its activity on a system. Once the APT (Advanced Persistent Threat) acronym became mainstream, the world and its brother realised they had a significant problem in their hands, and needed to respond accordingly. I’d realised early on that one of the best defences against the ever advancing malware was containment. If you “stem the flow”, you reduce the overall impact - essentially, restricting the malicious activity to a small subset rather than your entire estate.

    I began collaborating with various stakeholders in the organisations I worked for over the years, carefully explaining how modern threats worked, the level of damage they could inflict initially from an information and financial perspective, extending to reputation damage and a variety of others as campaigns increased in their complexity). I recall one incident during a tenure within the manufacturing industry where I provided a proof of concept. At the time, I was working as a pro bono consultant for a small company, and I don’t think they took me too seriously.

    Using an existing and shockingly vulnerable Windows 2003 server (it was still using the original settings in terms of configuration - they had no patching regime, meaning all systems were effectively vanilla) I exhibited how simple it would be to gain access first to this server, then steal the hash - effortlessly using that token to gain full access to other systems without even knowing the password (pass the hash). A very primitive exercise by today’s standards, but effective nonetheless. I explained every step of what I was doing along the way, and then explained how to mitigate this simple exploit - I even provided a step by step guide on how to reproduce the vulnerability, how to remediate it, and even provided my recommendations for the necessary steps to enhance security across their estate. Their response was, frankly, shocking. Not only did they attempt to refute my findings, but at the same time, dismissed it as trivial - effectively brushing it under the carpet so to speak. This wasn’t a high profile entity, but the firm in question was AIM listed, and by definition, were duty bound - they had a responsibility to shareholders and stakeholders to resolve this issue. Instead, they remained silent.

    Being Pro Bono meant that my role was an advisory one, and I wasn’t charging for my work. The firm had asked me to perform a security posture review, yet somehow, didn’t like the result when it was presented to them. I informed them that they were more than welcome to obtain another opinion, and should process my findings as they saw fit. I later found out through a mutual contact that my findings had been dismissed as "“unrealistic”, and another consultant had certified their infrastructure as “safe”. I almost choked on my coffee, but wrote this off as a bad experience. 2 months later, I got a call from the same mutual contact telling me that my findings were indeed correct. He had been contacted by the same firm asking him to provide consultancy for what on the face of it, looked like a compromised network.

    Then came the next line which I’ll never forget.

    “I don’t suppose you’d be interested in……”

    I politely refused, saying I was busy on another project. I actually wasn’t, but refused out of principle. And so, without further ado, here’s my synopsis

    “…if you choose not to listen to the advice a security expert gives you, then you are leaving yourself and your organisation unnecessarily vulnerable. Ignorance is not bliss when it comes to security…”

    Think about what you’ve read for a moment, and be honest with me - say so if you think this statement is harsh given the previous content.

    The point I am trying to make here is that despite sustained effort, valiant attempts to raise awareness, and constantly telling people they have gaping holes in systems for them to ignore the advice (and the fix I’ve handed to them on a plate) is extremely frustrating. Those in the InfoSec community are duty bound to responsibly disclose, inform, educate, raise awareness, and help protect, but that doesn’t extend to wiping people’s noses and telling them it wasn’t their fault that they failed to follow simple advice that probably could have prevented their inevitable breach. My response here is that if you bury your head in the sand, you won’t see the guy running up behind you intent on kicking you up the ass.

    Security situations can easily be avoided if people are prepared to actually listen and heed advice. I’m willing to help anyone, but they in return have to be equally willing to listen, understand, and react.

  • 0 Votes
    1 Posts
    142 Views

    1631812756399-catfish-min.webp
    Anyone who uses dating agencies or even social media itself should be aware of the risk that a “catfish” poses. However, despite all of the media attention, catfish are constantly successful in their campaigns, and it seems as though everyday there is yet another victim. But why is this persistent campaign so successful ? In order to understand how a catfish scam operates, we first need to look at who they target, and why. Trust is gained as quickly as possible as the risk of being caught out very early in the process is much too high. Catfish campaigns tend to target individuals – particularly those considered vulnerable. But how do they know that these individuals are vulnerable and a healthy target in the first place ? More on that later. For now, let’s look at how a catfish will apply their skills on unsuspecting victims. By far the most common type of attack is via online dating, and seeing as there appears to be plenty of choice in terms of platforms and users adopting their services, the fruit on the tree is plentiful, and replenished at an alarming rate.

    How does a catfish select a target ?

    The more experienced catfish will have multiple targets and campaigns running concurrently. Adopting this approach as a “beginner” is actually unwise, as there is too much detail to remember in order to pull off an effective deception without raising suspicion. Can you imagine grooming a target then getting their name wrong, or other key information they may have unwittingly provided ? No. For this exact reason, the novice catfish will target one individual at a time. Whilst this doesn’t sound very enterprising, the experienced catfish, however, will operate multiple campaigns simultaneously. This produces a significantly higher yield, but it also means that the risk of exposure is greater. Based on this, each campaign is carefully tracked and “scripted” - in fact, each campaign has a written story - pretext if you will, that is simply copied and pasted in communications. This provides the assurance that the particular “story” being used does not stray off course, or arouse suspicion unintentionally. Based on official evidence, the origin of where most catfish campaigns originate from is Nigeria. In fact, it’s big business - well over USD 2bn in fact.

    Here’s a video courtesy of ABC that describes some of the techniques I have mentioned above - including the “scripted” mechanism.

    The catfish selects their target based on a number of factors – with social skills being top the list. A personality of a wet blanket is seldom effective, so the catfish must create an online persona (usually a Facebook profile) that is credible, and can be reinforced and intertwined with real life events. Such an example of this is a soldier serving in Afghanistan (there are many others, although this is an active campaign which is known to succeed). It would appear that the military lifestyle, the uniform, and the exciting stories are enough to entice a lonely individual looking for friendship and romance. A vital component of the scam is that the occupation of a soldier allows multiple periods where contact can be minimal for various “military” reasons that the catfish informs their target they cannot divulge for official secrecy reasons.

    This actually provides the perfect cover in order for the scam to progress. Time is required in order to plan the next stages of the campaign if it is to succeed. Another important element to remember is that the catfish needs to be mindful of time zones – you cannot be based in Nigeria and use the same timezone when you are supposedly stationed in Afghanistan, for example. The catfish would have collected enough intelligence about their target to remain one step ahead at all times. This typically involves research, with most of the required information sadly provided by social media. This includes dates and places of birth, interests, hobbies, and a myriad of other useful data that all adds up to the success of the campaign. The catfish uses this information to form trust with the target, and, coupled with the online persona created previously, the wheels are firmly attached. The con is on, so to speak. Using the data collected earlier, the catfish makes use of a variety of techniques in order to gain confidence and trust, with the social element being of utmost importance. Another key point for the catfish is the ability to engage in discussion, be articulate, and most of all, come across as being intelligent. Spelling is important, as is the ability to use grammar and punctuation correctly.

    Those of us who are “grammar snobs” can easily spot a deception in the form of a social media message or email owing to the notoriously poor grammar – usually always the result of English not being the primary language in use. Bearing in mind that most initial contact is via instant messaging, online chat, and email, it is important for the catfish to avoid suspicion and early detection - and in essence, remain “under the radar” at all times.

    How much effort is involved ?

    The amount of effort a catfish will put in generally depends on multiple factors. The sole aim of the perpetrator is financial, and any seasoned criminal will be looking to gain trust quickly, and will always have a story prepared. The point here is that the target needs to be a willing participant – nobody is holding a gun to their head, and they must be convinced of the integrity of their new online beau in order to part with money of their own volition. The previously constructed story needs to be consistent, and plausible if the campaign is to succeed. Once the target is engaged, the catfish is then in a position to effectively “groom” the individual, and uses the response and personality of the target to gauge when the next part of the plan should be executed. This in itself can be a fine art depending on the target. If they are intelligent, it may take a considerable amount of time and effort to reel them in. Before the catfish makes this investment, they have to be sure it will be worth it. But how ? Again, social media to the rescue. You’d be hard pressed to believe this, but money and the associated social lifestyle it provides and promotes is a key focal point of social networking, and by definition, “engineering”.

    If the target regularly posts about dining out, drinking, holidays, etc., then this is a clear indicator that they are worth perusing and exploiting, as they clearly have money to spend. Once the catfish has been able to convince the target of their sincerity, the deception then proceeds to the next level. Using the tried and tested “soldier based in another country, shortly completing his tour of duty, and leaving the army” scam, this provides an ideal mechanism to extort money from the target after they have been convinced that the individual they have been talking to wants to start a business, and needs capital etc in order to get started. Another well-known and successful ruse is to claim that they have a sick child (or children) that need urgent hospital care, and they don’t have the money to finance this. Another additional means of topping up the “fund” is the additional ruse that the soldier is not a citizen in the target country, and wants to be with his “new partner”. The by now besotted target agrees to pay for air fare, visa costs, and other associated permits in order to make their dream romance a reality – without realising that they are parting with a significant sum that carries absolutely no guarantee that it will be delivered. In fact, this could not be further from the truth. In a cruel twist, the catfish instructs their target to pay the funds into an account setup and accessible by the criminals involved, where it is collected without delay - often by a “mule” (more on this later).

    The target is completely unaware this has taken place, and only realises what has happened after their romance never materialises, the person they trusted never arrives, and a gaping hole has appeared in their finances as a result. They are now left with the inevitable emotional and financial damage this scam creates, and they must somehow come to terms with the impact – and the associated consequences. The ultimate twist of fate is that the victim transferred their money of their own free will – it wasn’t stolen from them, and, believe it or not, no crime has been committed based on this fact (it sounds crazy, and it is absolutely fraud - but that’s the law). You will also find yourself hard pressed to convince any bank that you have not acted negligently.

    Reducing the risk

    So how can you reduce the risk ? Whilst the below list should start with “…never talk to strangers…”, its not that simple. The below points are guidelines, but should be used along with your own judgement. - Never engage in discussions of a financial or personal nature with people you do not know. The internet is a dangerous place, and the anonymity it provides only makes this worse.

    If you join a dating agency, ensure that all requests for contact are fully screened by the agency themselves before being sent on to you. Most agencies now insist on home visits to new clients in order to combat this growing trend. Never agree to setup a new bank account, or transfer cash – this is a smoking gun, and should be avoided at all costs. Never allow the discussions to continue “off platform” – in other words, always use the dating agency’s systems so that any conversations are captured and recorded. This means no texts, no personal messaging systems, and strictly no contact over social media If someone sends you a friend request on Facebook, ask yourself basic questions, such as “do I actually know this person ?” and “why are they contacting me ?”. If you don’t know them, don’t accept. Try to avoid being tempted by emotional flattery. Whilst we all like praise and the feelgood factor it brings, don’t be reeled in by a catfish. This is one of the core weapons in their arsenal, and they will deploy it whenever necessary Remember – relationships have their foundations firmly rooted in trust. This has to be earned and established over the course of time – it’s not something that appears overnight.
  • 0 Votes
    1 Posts
    133 Views

    cropped-vault2-min.jpg.webp
    Over the years, I’ve been exposed to a variety of industries - one of these is aerospace engineering and manufacturing. During my time in this industry, I picked up a wealth of experience around processing, manufacturing, treatments, inspection, and various others. Sheet metal work within the aircraft industry is fine-limit. We’re not talking about millimeters here - we’re talking about thousands of an inch, or “thou” to be more precise. Sounds Imperial, right ? Correct. This has been a standard for years, and hasn’t really changed. The same applies to sheet metal thickness, typically measured using SWG (sheet / wire gauge). For example, 16 SWG is actually 1.6mm thick or thereabouts and the only way you’d get a true reading is with either a Vernier or a Micrometer. For those now totally baffled, one mm is around 40 thou or 25.4 micrometers (μm). Can you imagine having to work to such a minute limit where the work you’ve submitted is 2 thou out of tolerance, and as a result, fails first off inspection ?

    Welcome to precision engineering. It’s not all tech and fine-limit though. In every industry, you have to start somewhere. And typically, in engineering, you’d start as an apprentice in the store room learning the trade and associated materials.

    Anyone familiar with engineering will know exactly what I mean when I use terms such as Gasparini, Amada, CNC, Bridgeport, guillotine, and Donkey Saw. Whilst the Donkey Saw sounds like animal cruelty, it’s actually an automated mechanical saw who’s job it is to cut tough material (such as S99 bar, which is hardened stainless steel) simulating the back and forth action manually performed with a hacksaw. Typically, a barrel of coolant liquid was connected to the saw and periodically deposited liquid into the blade to prevent it from overheating and snapping. Where am I going with all this ?

    Well, through my tenure in engineering, I started at the bottom as “the boy” - the one you’d send to the stores to get a plastic hammer, a long weight (wait), a bubble for a spirit level, sky hooks, and just about any other imaginary or pointless tool you could think of. It was part of the initiation ceremony - and the learning process.

    One other extremely dull task was to cut “blanks’’ in the store room from 8’ X 4’ sheets of CRS (cold rolled steel) or L166 (1.6mm aerospace grade aluminium, poly coated on both sides). These would then be used to make parts according to the drawing and spec you had, or could be for tooling purposes. My particular “job” (if you could call it that) in this case was to press the footswitch to activate the guillotine blade after the sheet was placed into the guide. The problem is that after about 50 or so blanks, you only hear the trigger word requiring you to “react”. In this case, that particular word was “right”. This meant that the old guy I was working with had placed the sheet, and was ready for me to kick the switch to activate the guillotine. All very high tech and vitally important - not.

    And so, here it is. Jim walks into the store room where we’re cutting blanks, and asks George if he’d like coffee. After 10 minutes, Jim returns with a tray of drinks and shouts “George, coffee!”. George, fiddling with the guillotine guide responds with “right”…. See if you can guess the rest…

    George went as white as a sheet and almost fainted as the guillotine blade narrowly missed his fingers. It took more than one coffee laden with sugar to put the colour back into his cheeks and restore his ailing blood sugar level.

    The good news is that George finally retired with all his fingers intact, and I eventually progressed through the shop floor and learned a trade.

    The purpose of this post ? In an ever changing and evolving security environment, have your wits about you at all times. It’s not only your organisation’s information security, but clients who have entrusted you as a custodian of their information to keep it safe and prevent unauthorised access. Information Security is a 101 rule to be adhered to at all times - regardless of how experienced you think you are. Complacency is at the heart of most mistakes. By taking a more pragmatic approach, that risk is greatly reduced.

  • 0 Votes
    1 Posts
    134 Views

    When you look at your servers or surrounding networks, what exactly do you see ? A work of art, perhaps ? Sadly, this is anything but the picture painted for most networks when you begin to look under the hood. What I’m alluding to here is that beauty isn’t skin deep - in the sense that neat cabling resembling art from the Sistine Chapel, tidy racks, and huge comms rooms full of flashing lights looks appealing from the eye candy perspective and probably will impress clients, but in several cases, this is the ultimate wolf in sheep’s clothing. Sounds harsh ? Of course it does, but with good intentions and reasoning. There’s not a single person responsible for servers and networks on this planet who will willingly admit that whilst his or her network looks like a masterpiece to the untrained eye, it’s a complete disaster in terms of security underneath.

    In reality, it’s quite the opposite. Organisations often purchase bleeding edge infrastructure as a means of leveraging the clear technical advantages, enhanced security, and competitive edge it provides. However, under the impressive start of the art ambience and air conditioning often lies an unwanted beast. This mostly invisible beast lives on low-hanging fruit, will be tempted to help itself at any given opportunity, and is always hungry. For those becoming slightly bewildered at this point, there really isn’t an invisible beast lurking around your network that eats fruit. But, with a poorly secured infrastructure, there might as well be. The beast being referenced here is an uninvited intruder in your network. A bad actor, threat actor, bad guy, criminal…. call it what you want (just don’t use the word hacker) can find their way inside your network by leveraging the one thing that I’ve seen time and time again in literally every organisation I ever worked for throughout my career - the default username and password. I really can’t stress the importance of changing this on new (and existing) network equipment enough, and it doesn’t stop at this either.

    Changing the default username and password is about 10% of the puzzle when it comes to security and basic protection principles. Even the most complex credentials can be bypassed completely by a vulnerability (or in some cases, a backdoor) in ageing firmware on switches, firewalls, routers, storage arrays, and a wealth of others - including printers (which incidentally make an ideal watering hole thanks to the defaults of FTP, HTTP, SNMP, and Telnet, most (if not all of) are usually always on. As cheaper printers do not have screens like their more expensive copier counterparts (the estate is reduced to make the device smaller and cheaper), any potential criminal can hide here and not be detected - often for months at a time - arguably, they could live in a copier without you being aware also. A classic example of an unknown exploit into a system was the Juniper firewall backdoor that permitted full admin access using a specific password - regardless of the one set by the owner. Whilst the Juniper exploit didn’t exactly involve a default username and password as such (although this particular exploit was hard-coded into the firmware, meaning that any “user” with the right coded password and SSH access remotely would achieve full control over the device), it did leverage the specific vulnerability in the fact that poorly configured devices could have SSH configured as accessible to 0.0.0.0/0 (essentially, the entire planet) rather than a trusted set of IP addresses - typically from an approved management network.

    We all need to get out of the mindset of taking something out of a box, plugging it into our network, and then doing nothing else - such as changing the default username and password (ideally disabling it completely and replacing it with a unique ID) or turning off access protocols that we do not want or need. The real issue here is that today’s technology standards make it simple for literally anyone to purchase something and set it up within a few minutes without considering that a simple port scan of a subnet can reveal a wealth of information to an attacker - several of these tools are equipped with a default username and password dictionary that is leveraged against the device in question if it responds to a request. Changing the default configuration instead of leaving it to chance can dramatically reduce the attack landscape in your network. Failure to do so changes “plug and play” to “ripe for picking”, and its those devices that perform seemingly “minor” functions in your network that are the easiest to exploit - and leverage in order to gain access to neighbouring ancillary services. Whilst not an immediate gateway into another device, the compromised system can easily give an attacker a good overview of what else is on the same subnet, for example.

    So how did we arrive at the low hanging fruit paradigm ?

    It’s simple enough if you consider the way that fruit can weigh down the branch to the point where it is low enough to be picked easily. A poorly secured network contains many vulnerabilities that can be leveraged and exploited very easily without the need for much effort on the part of an attacker. It’s almost like a horse grazing in a field next to an orchard where the apples hang over the fence. It’s easily picked, often overlooked, and gone in seconds. When this term is used in information security, a common parallel is the path of least resistance. For example, a pickpocket can acquire your wallet without you even being aware, and this requires a high degree of skill in order to evade detection yet still achieve the primary objective. On the other hand, someone strolling down the street with an expensive camera hanging over their shoulder is a classic example of the low hanging fruit synopsis in the sense that this theft is based on an opportunity that wouldn’t require much effort - yet with a high yield. Here’s an example of how that very scenario could well play out.

    Now, as much as we’d all like to handle cyber crime in this way, we can’t. It’s illegal 🙂

    What isn’t illegal is prevention. 80% of security is based on best practice. Admittedly, there is a fair argument as to what exactly is classed as “best” these days, although it’s a relatively well known fact that patching the Windows operating system for example is one of the best ways to stamp out a vulnerability - but only for that system that it is designed to protect against. Windows is just the tip of the iceberg when it comes to vulnerabilities - it’s not just operating systems that suffer, but applications, too. You could take a Windows based IIS server, harden it in terms of permitted protocols and services, plus install all of the available patches - yet have an outdated version of WordPress running (see here for some tips on how to reduce that threat), or often even worse, outdated plugins that allow remote code execution. The low hanging fruit problem becomes even more obvious when you consider breaches such as the well-publicised Mossack Fonseca (“Panama Papers”). What became clear after an investigation is that the attackers in this case leveraged vulnerabilities in the firm’s WordPress and Joomla public facing installations - this in fact led to them being able to exploit an equally vulnerable mail server by brute-forcing it.

    So what should you do ? The answer is simple. It’s harvest time.

    If there is no low-hanging fruit to pick, life becomes that much more difficult for any attacker looking for a quick “win”. Unless determined, it’s unlikely that your average attacker is going to spend a significant amount of time on a target (unless it’s Fort Knox - then you’ve have to question the sophistication) then walk away empty handed with nothing to show for the effort. To this end, below are my top recommendations. They are not new, non-exhaustive, and certainly not rocket science - yet they are surprisingly missing from the “security 101” perspective in several organisations.

    Change the default username and password on ALL infrastructure. It doesn’t matter if it’s not publicly accessible - this is irrelevant when you consider the level of threats that have their origins from the inside. If you do have to keep the default username (in other words, it can’t be disabled), set the lowest possible access permissions, and configure a strong password. Close all windows - in this case, lock down protocols and ports that are not essential - and if you really do need them open, ensure that they are restricted Deploy MFA (or at least 2FA) to all public facing systems and those that contain sensitive or personally identifiable information Deploy adequate monitoring and logging techniques, using a sane level of retention. Without any way of forensic examination, any bad actor can be in and out of your network well before you even realise a breach may have taken place. The only real difference is that without decent logging, you have no way of confirming or even worse, quantifying your suspicion. This can spell disaster in regulated industries. Don’t shoot yourself in the foot. Ensure all Windows servers and PC’s are up to date with the latest patches. The same applies to Linux and MAC systems - despite the hype, they are vulnerable to an extent (but not in the same way as Windows), although attacks are notoriously more difficult to deploy and would need to be in the form of a rootkit to work properly Do not let routers, firewalls, switches, etc “slip” in terms of firmware updates. Keep yourself and your team regularly informed and updated around the latest vulnerabilities, assess their impact, and most importantly, plan an update review. Not upgrading firmware on critical infrastructure can have a dramatic effect on your overall security. Lock down USB ports, CD/DVD drives, and do not permit access to file sharing, social media, or web based email. This has been an industry standard for years, but you’d be surprised at just how many organisations still have these open and yet, do not consider this a risk. Reduce the attack vector by segmenting your network using VLANS. For example, the sales VLAN does not need to (and shouldn’t need to) connect directly to accounting etc. In this case, a ransomware or malware outbreak in sales would not traverse to other VLANS, therefore, restricting the spread. A flat network is simple to manage, but a level playing field for an attacker to compromise if all the assets are in the same space. Don’t use an account with admin rights to perform your daily duties. There’s no prizes for guessing the level of potential damage this can cause if your account is compromised, or you land up with malware on your PC Educate and phish your users on a continual basis. They are the gateway directly into your network, and bypassing them is surprisingly easy. You only have to look at the success of phishing campaigns to realise that they are (and always will be) the weakest link in your network. Devise a consistent security and risk review framework. Conducting periodic security reviews is always a good move, and you’d be surprised at just what is lurking around on your network without your knowledge. There needn’t be a huge budget for this. There are a number of open source projects and platforms that make this process simple in terms of identification, but you’ll still need to complete the “grunt” work in terms of remediation. I am currently authoring a framework that will be open source, and will share this with the community once it is completed. Conduct regular governance and due diligence on vendors - particularly those that handle information considered sensitive (think GDPR). If their network is breached, any information they hold around your network and associated users is also at risk. Identify weak or potential risk areas within your network. Engage with business leaders and management to raise awareness around best practice, and information security. Perform breach simulation, and engage senior management in this exercise. As they are the fundamental core of the business function, they also need to understand the risk, and more importantly, the decisions and communication that is inevitable post breach.

    There is no silver bullet when it comes to protecting your network, information, and reputation. However, the list above will form the basis of a solid framework.

    Let’s not be complacent - let’s be compliant.

  • 1 Votes
    1 Posts
    259 Views

    What would happen if a cyber criminal attempted to scam a security professional ? Well, some time ago, this happened to me. Like everyone, I certainly receive my fair share of junk email, scams, and pretty much everything else that the internet these days tends to throw at you. For the most part, each one of these “attacks” is ignored. However, one caught my eye after only the first paragraph. Not only was the format used absurd, but the supposedly “formal tone” was nothing short of a complete joke. Unfortunately, there really is no “TL;DR” synopsis for this particular event.

    Scrolling to the bottom of the article is of course up to you, but you’ll not only miss out on key information - you’ll also miss out on my sarcasm 🤣

    Admittedly, this “scam” sounds far fetched. But, believe it or not, this particular campaign has a high success rate (and, all content in this article actually happened). If this were not the case, would a potential criminal go to such lengths to impersonate and engage ? No. They rely on that one human trait known as trust. Trust which in this case is readily exploited. I promise that this article will be worth your while reading. Ready ? Buckle up. its going to be an interesting ride. During the journey, I’ll highlight the warning signs and provide an explanation into each. Let’s start.

    Day 1

    Out of the blue, I was contacted via email by someone calling themselves “Andrew Walter” - purportedly an employee at Bank of America. The first immediate sign that something is not quite all it seems here is that the email address used is in fact from the contact form on this site. What’s significant about that ? Well, there are a variety of techniques used by cyber criminals to gain access to legitimate email addresses. One known and widely used technique is the scraping of email addresses from websites and social media - in fact, the most notable is LinkedIn.

    Despite its age and somewhat basic approach, it still works very well. Why didn’t I secure it ? Simple. The contact form on this site also doubles as a honeypot. You’d be surprised what lands in here - as this “campaign” did. For the record, Phenomlab does not retain any information from this contact form. The initial text in the email might have been relatively convincing if it hadn’t contained a ”glow in the dark” grammatical error within the first line. What I’m alluding to here is that the email may as well have arrived complete with sirens and flashing lights. Here’s a snapshot

    Dear Mark Cutting. “I added you to my professional network in order to share a confidential proposal with you please contact me on my private email: andrewwalter411@gmail.com for briefing on proposal since i can not send attachment via linkedin”.

    Actually, you didn’t. I received no such request. Let’s have a look at the initial baiting technique. Who writes an email using the full name of a person without addressing them in the business (or even personal for that fact) sense ? In addition, why would you wrap what you want to say in quotes ? Finally, “I can not send attachment via LinkedIn” - actually, I received two from trusted sources in the same platform a day earlier. This email was so cringe worthy, I thought it rude to not reply ?

    Andrew, Can I ask what this is in relation to please ? Thanks

    That’s the hook that a scammer needs. After this, the response is a lot more detailed as the criminal plays out the story. I’m going to highlight the areas of interest here as I go, and have attached the full text in order to keep this article sane.

    I will start by saying thanks for your response…How is your family doing? I hope okay.

    Good start. Make it look like you know me personally and commence with the pleasantries - even though you in fact know nothing about me, and, in reality, couldn’t care less.

    My proposal is very important to me so please I want you to take the content of this mail very serious. All I want is an honest business transaction between us.

    This is anything but honest

    Day 2

    First of all, I will start by introducing myself. My name is Andrew Walter, I am currently working with Bank of America. I have been working here for 17 years now, and I have a good working record with my bank.

    That’s strange. According to the array of fake Andrew Walter (Bank of America) LinkedIn profiles, you’ve been there for 12 years. Did you step into a time machine and not tell anyone ? Perhaps you banged your head and lost 5 years in the process. What’s more than likely is that like most bad liars, you’ve lost track of what you told one person as oppose to the next. At least you tried to enforce a bit of trust with your statement around “I have a good working record with my bank”.
    1614967980-136791-linkedinpng.webp1614967988-257399-linkedin2png.webp

    I am also the personal accountant to Engineer (Lex Cutting ), a foreign contractor who has an investment account with my bank with a huge sum of money in it.

    Note the misplaced bracket here, and also note, that there is no “Lex Cutting” in my family tree. Am I a grammar snob ? No, but I expect a “business transaction” (if you can call it that) to at least not contain basic grammatical errors.

    My late client was a chemical consultant contractor with Royal Dutch Shell until his death in a fatal car accident while at France on sabbatical with his entire family. The accident unfortunately took the lives of the family members comprising of himself, his wife and two kids in the summer of 2007 may their soul rest in perfect peace.

    He banked with us here at Bank of America and had a very huge sum of money in his account which has still yet not been claimed by anybody as there was no living will in place when he died.

    “May their soul rest in perfect peace” and “A very huge sum of money” - instant alarm bells owing to the poor grammar. If you’re working under the pretence of being an educated individual employed by a tier 1 bank, you’re not doing a very good job.

    The amount of money involved here is about $15,812,664 (Fifteen Million, Eight Hundred and Twelve Thousand six hundred and sixty four US Dollars.) in account with indefinite interest.

    Holy s***, I’ve won the lottery !! Contain yourself man, and remember, its a fake ! Ok, composure resumed.

    Since the death of my client; my bank and I have made several inquiries to his embassy to locate any of his extended family members or relatives but this has proven unsuccessful. I came to know about you in my search for a person who shares the same last name as my late client.

    Yes - I and thousands of others no doubt. How lucky I’ve been selected for this “unique opportunity”.

    employed the services of LinkedIn search solely for this purpose as I feel it would not have been the last wishes of my late client for his whole life work to be transferred to a government (Es cheat) he had always complained of their unfavorable public monetary policies, taxes and so on while he was alive.

    Ok, so let me get this straight. You’ve trawled LinkedIn looking for “beneficiaries” when there are other far more orthodox and reliable channels to obtain this information. I can smell the sweat and toil of poorly conducted fraud here. Oh, and by the way, “Es cheat” is actually one word (ESCHEAT).

    My bank has issued me several notices to provide the next of kin or the account risk been es cheat within the next 10 official working days. The last notice for claim came to my desk last week. I am contacting you to assist me in repatriating the funds left behind before they are declared un-serviced by my bank. I am seeking your consent to present you as the next of kin of my late client since you share and bear the same last name.

    As such, the proceeds of the account can be paid to you as soon as you contact my bank and apply for the funds to be released to you as the next of kin. If we can be of one accord, I see no reason why we would not succeed. We both have to act swiftly on this matter in other to beat the deadline es cheat date.Please get back to me immediately for us to proceed.

    Wait a minute. If I’m the sole beneficiary, why do you want half ? Sounds like easy money to me. And the usage of “one accord” is somewhat “odd”.

    I am after the success of this transaction with your full co-operation. All I require is your honesty and full co-operation to enable us see this cool deal go through.

    I bet you are. “Cool deal” ? I thought I was taking to a professional here, not a school kid. Seems like our man has let his guard down for a split second and now his “Inna Gangsta” is shining through.

    I guarantee you that this will be executed under a legitimate arrangement that will protect you and me from breaching USA laws. I want to also inform you that I am a very religious person and I cannot tell a lie because of my strong believes; I would expect the same from you.

    Oh please, do me a favour. Pull the other one - its got bells on.

    I will attach a copy of my international passport in my next mail for authenticity so we have equal ground to trust each other. If you are interested in my proposal I will send you more information directing you on further procedure on how we can claim the money in the account successfully. If this proposal is alright by you then kindly get back to me.

    “Alright by you” - there’s that superb [sic] usage of business language again. This guy is awesome.

    The content of this mail should be treated with utmost confidentiality and a quick response from you will be highly appreciated. However, if you are not interested in this proposal, please accept my apologies for sending you the message and kindly delete message, I promised that you will never hear from me. I anticipate your co-operation.

    Of course. You wouldn’t want local law enforcement or the ”feds” knocking at your door now, would you ?

    Day 3

    This by now is so hilarious that I just had to respond.

    Hi. This sounds great. What would the next steps be ? Eagerly awaiting your response.

    And, without delay, here’s the response

    Dear Mark Cutting. I thank you for responding to my mail, I want to stress again that this transaction is very legitimate and there is no risk involved as I am the personal accountant to Late Engineer (Lex Cutting ) anything I say concerning this will be followed by the bank Executives.

    I bet. Actually, I’m struggling to follow your appallingly bad grammar here, but I expect you have your “very legitimate” reasons.

    However, before we can proceed further, I want you to assure me that you will be honest during the transaction and as soon as the funds is transferred to you we can meet in person and share money peacefully. You should understand that this transaction can be successful if we work together and as soon as I give you all legal procedure you will receive the funds from my bank, so I really need your assurance before we shall proceed.

    Wait - you want me to be honest ? Who’s scamming who here ?? What a complete scumbag.

    As I read your email I am very convinced with you and serious about this arrangement process as such, I would want you to take this serious too. My personal instinct directed me to contact you and I hope it was not a wrong thing to do.I shall direct you on the process of the claim; we shall start by sending a formal application to this effect. I will send you the text for the claims and transfer application to this effect. Thereafter, the bank will request of you the relevant back up documents to your claim and application according to the demand of our probate law for transfer of funds.

    Once you have provided the Bank with their demands, they would now be under legal obligation to transfer the funds to bank account provided by you. As part of the procedure of the claims, the documents that will be required from you will have to be acquired through legal procedures as the application of claim will be complimented with a legal award we shall have to seek from our law Court here. Be assured that the procedures to be adopted in effecting the transfer in your favor will be official and legal which will protect us from any breach of the law, We have the next 10 official working days.

    Right. Sounds fairly “straightforward”.

    Note: High confidentiality is required at all times. Do not tell anyone about this because, it might be unsafe for both of us. It would be safer for us to communicate by email for now as we have the trust. I hope you see reason with my decision on us talking by mail for now. As soon as the money has been transferred to your account, I will look for a country of our choice where we can see in person and subsequently share the funds in the ratio as discussed earlier.

    I can assure you it won’t be unsafe for me, but it probably is for you -“…now we have the trust”. Note, that the scammer gains confidence here, and starts making some fairly basic mistakes.

    Above all, I personally count on God to facilitate our plan and understanding, to produce not just success but also peaceful sharing of the funds at the end of the day and a wealthy family business relationship between us. I also pray for establishment of cordial relationship between us, God being our helper.

    I agree - you’re definitely going to need all the help you can get here. You’re not getting anything from me, so divine intervention is probably the only thing you have left.

    As soon as I hear from you and receive your assurance, I will send you the Text of Application for you to contact my bank for the release of the funds in the account of (Lex Nicholl) to your account as his next of kin.

    Hold it right there ! Who is Lex** “Nicholl”** ? Major alarm bells here. Looks like this guy has his wires crossed or didn’t get good morning injection of caffeine. This is a glaring oversight and I’m guessing all those lovingly created campaigns have a similar fault.

    would advice that you follow all the steps and procedures which I will give you so that we can get to the end of this transaction quickly. I need you to send a copy of your international passport to me and I will send mine as soon as I receive your reply indicating understanding from both of us.

    Of course. You need my passport. How undeniably stupid of me to think that you could complete this “transaction” without stealing the holy grail of personally identifiable documents in the process and using it like the gift that keeps giving for your other criminal campaigns (I sincerely hope they are better than this one).

    Day 4

    Time to turn up the heat a bit

    Hi. Can you send me the claims transfer forms for review ? Thanks

    This guy is like a dog on heat and he’s well and truly bitten this

    Dear Mark Cutting. I hope you and your family are well am so sorry for my late response as i read your email I was convinced, and I want you to understand that I need proper confirmation as I states below to be more in assurance of doing this transaction with you. The documents that will be required from us will have to be acquired through legal procedures as I explained, the application of claim will be complimented with a legal back up confirming this as a legitimate transaction, I have the account details with all access codes and will give it to you once it is required by the bank, also with me here all approvals will be provided and the transfer released to you.

    We are going to keep our communication on email for now to ensure that we are under absolute security due to high level call interception here in United States I would like you to see it with me that security is very necessary we have to be on email or text messages until the transaction is completed and I will visit you to implement our sharing.

    Yes, I agree that security is “very necessary” and also appreciate you do not want roughing up by “the feds” anytime soon. Let’s keep the communication on email so I don’t start to question who you are ? A quick side note here - if you want a secure channel, email is completely the opposite unless its been encrypted - which this hasn’t, and could be subject to eavesdropping. And, as a way of putting my mind at rest, here’s a lovely fake passport for your viewing pleasure. To the untrained eye, this could look convincing, but it a fake. One of the key identifiers here are the “wavy lines” over the picture. This is in fact a security watermark, and is unique for each passport issued. The lines will never repeat each other - if you look carefully at the below, the lines do in fact repeat.
    1614968131-783791-passport-fakepng.webp
    Below is an actual fake passport that was used in a scam a number of years ago. You’ll notice that this one is slightly less complex as it has the watermark missing, but is still fake, nonetheless.
    1614968502-542440-fake-passport-examplejpg.webp

    The transfer in your favor will be official and legal which will protect us from any breach of the law. Whatever the cost of his transaction will be, is going to be on both of us which I believe that you will not let me handle all the process alone.

    Of course not. You wouldn’t want to have to share any of the spoils, would you ? And just like any other “business transaction” you don’t want to be spending any of your money unnecessarily. Interesting that he’s actually used the US English “favor” rather than the UK English of “favour”. Pity he’s not been so diligent elsewhere. I know…let’s try and spend mine.

    I will give you the text application letter of the transfer request for our ledger department and also details on the way forward with the transaction once you have agreed with the following

    Are you ready to maintain the high level of confidentiality required for the successful conclusion of this transaction?

    Are you promising me that your account can be able to carry a transaction of such magnitude without any problem

    Are you willing to accept 50% for your participation without any problems in collecting my share from you?

    “Yes, yes, yes !” Let’s do this thing, and I’ll also throw in a portable radio to make the deal even more “appealing”.

    I will need your help in directing me and investing part of my share in your country the investment will be under your control until I am able to take over or it can be a joint venture depending on your decision. as soon as i receive a copy of your passport or id document and i as well have attached a copy of my passport for you to see whom you are working with.

    Please reply as soon as possible if you in understanding with me so that we can proceed with the bank with text application.

    Day 5

    Now this is getting interesting. What this really means is that once I have your bank details, I won’t be making a deposit - only a withdrawal (from my account, of course). Time to contact the Bank of America - this guy is an absolute riot (anagram of idiot) and yes, I can’t spell either, or count.

    Dear Sirs, I write with reference to what I believe to be a 419 Nigerian scam, sent to my email address. I am a security expert by trade, and wish to report this to yourselves. I believe the “sender” is impersonating one of your employees. I have also enclosed a scanned PDF file of the “passport”, which I also believe to be fake. I’m currently entertaining this individual as a way of reeling him in so I can report him to the necessary authorities.

    Clearly, I have no intention of supplying any sensitive information, including my passport. Whilst I expect that you receive many emails of this nature, I would like confirmation that the enclosed photo in the passport is not in fact a Bank of America employee

    Sadly, absolutely no response from Bank of America. I expect that they receive thousands of emails like this on a regular basis. Oh well, onward and upward. Let’s not keep our friend waiting.

    Hi Mark , Thank you for your email, and understanding, we do not have much time to complete this transaction to avoid reaching the es-cheat date.i will start the preparation of the application text which will be submitted to the bank as official application to cover the estate by the family member of Late Mr. Lex Cutting.

    I will send it to you for review by tomorrow. As a side note, there’s that misplaced capital letter

    Well now, that’s more like it ! Now we’re best friends forever, we can lower our guard a bit and revert to informal language (well, formal in the sense that our author is suffering from capital letter displacement). Perhaps we caused a bit of suspicion in our last messages and want to be a bit more convincing ? I’m game if you are buddy. Let’s make this a bit more interesting.

    Hi Andrew, Thanks for the email. I’ve just moved house, and things are in a bit of a mess, so I cannot place my passport for a few days until I’ve finished unpacking - hopefully, this doesn’t cause you any problems. I can answer “yes” to all the questions below.

    In the meantime, to speed up the process, is there any way we can proceed whilst I attempt to find my passport ?

    Thanks

    Well, look at me ! I know exactly where my passport is and I haven’t moved house - we need a bit of time here to do some further digging, so I’m throwing him off the scent for a few days whilst I perform some background investigation and analysis. I let this go on for 6 days before responding - note, that previously, “Andrew” had warned me we only had 10 days to nail this “cool deal”.

    We’ve since passed that landmark, but interestingly, he’s not that worried it seems. Admittedly, at this point I thought of sending a copy of Jason Bourne’s passport which are readily available for download via a quick Google - http://www.indyprops.com/pp-bournepass.htm. However, despite my assumption that this person I’m dealing with is stupid, I don’t think there’s many people on this planet who haven’t heard of Jason Bourne or seen at least one movie from the franchise.

    Based on this simple conclusion, its not a wise move in my view as it means ending the story here (unless this guy has been living under a rock)…. and there’s so much more to tell yet ! Therefore, we’ll need to take another route. Let’s increase the stakes. Note that by this point, we’re up to day 5, and we only had 10 days to complete this “cool deal”.

    Its now day 11 after I’ve kept him waiting for 6 days intentionally.

    Day 11

    Hi Andrew, Sorry for the delay. I finally found my passport, and have scanned a copy. However, I’ve read that email isn’t secure, so I can either FedEx a copy to you (I’ll need an address of course), or I can provide a secure link for you to download a password protected zip file. I’ll email you the password for that under separate cover. Would this be ok ? Keen to get things moving. Thanks

    I can almost hear the cogs in motion as my best friend formulates a response. A spanner in the works and probably not on his “canned response” sheet. This guy now needs to up his game to stay in the running.

    Hi mark. I hope you and your family are well? thank you so much for your mail please scan and send the copy of your international passport to this email (andrewwalter166@gmail.com) will can communicate much better even while i’m right in my work place i can reply over there anytime. as soon i receive your reply we will be proceeding with the text of application.

    I will be waiting to hear from you.

    Yes, I bet you will. This is the response I expected (note the “new” email address highlighted in yellow above - why change this now ? Keep reading) - if I then dropped out afterwards, this guy would still have a copy of my genuine passport, and could (and undoubtedly would) use this to commit other types of fraudulent activity.

    Essentially, its all about the money, so if the primary campaign fails, there is a good chance the second one will succeed, which is why the passport is requested so early to avoid over investment in terms of time.

    Hi Andrew, I really don’t want to send my passport by email. Can you give me an address of where it can be sent (postal) or let me know if you’d be ok downloading the copy needed from a link I will provide ? Thanks

    “Hang him on a hook and let me play with him”
    1614968549-147228-hhoahjpg.webp
    I’m so bad. Let’s see how much he wants this. Pushing for the postal address risks blowing the (supposedly carefully planned) cover and exposing him. He can’t exactly give me an address in Africa now, can he ? I’ve already preempted this and laid the foundations for a honeypot trap. I need to explain myself a bit here for those reading this and scratching their heads with images of Winnie the Pooh and a honey jar, so bear with me.

    A honeypot is a computer system or landing page that is set up to act as a decoy to lure fraudsters and cyber criminals - its essential function is to detect, deflect or study attempts to gain unauthorized access to information systems that are not for public use. At the heart of this honeypot is a system that is capable of obtaining a wealth of information about the accessing user in terms of IP address, geographic location, and a whole variety of data that would allow the recipient to piece together a trail of breadcrumbs. Any seasoned cyber criminal knows about the existence of such technology (its not exactly new) and would typically use a TOR browser to connect to any links provided by the victim in order to avoid detection.

    The TOR network is a complex array of secured computer systems acting as “nodes” that traverse the internet using a variety of encryption mechanisms and connection masking, allowing the user to hide behind a number of random proxies that make it look as though he or she is accessing from a completely different geographical location. The TOR network was originally intended for use by the US navy, but found its way out and became the favourite watering hole for many a cyber criminal - and today, known as either the deep web, or worse, the dark web. Ok, that’s enough history and boring technical terms. Let’s get back on track. Essentially, I’ve created a hidden honeypot on this site and the only two people who have this link are myself, and our scammer friend. The page cannot be indexed or crawled by Google either. Time to up the stakes

    Hi Andrew, Any update to this please ? Thanks

    Day 12

    No response. Perhaps I’ve pushed this a little too far. Let’s see

    Hi Andrew, I’m concerned that I haven’t heard from you and don’t want to miss out on this amazing opportunity. Can you let me know what we need to do next please ? Thanks

    I honestly thought that he wouldn’t reply, but he did.

    Dear Mark Cutting. Hope all is fine with you and the family? i am writing to know if you are still interested with this transaction i need a copy of your international passport in other to know whom i’m working with for more verification as soon you send it down here

    Now, when I went to school, the UK was across from America and not down - hence the term “across the pond”. Did I miss something here ? A figure of speech perhaps, but more likely a slip of the tongue. Looking at a map “down here” would indicate south, surely ?

    we will be proceeding with the text of application to contact my bank for funds relic please update me as soon as possible.

    And here we have another schoolboy error. This guy thinks he can relax now he’s done his chore. Not only is the text clearly copied and pasted (with the formatting intact so he first line doesn’t match the rest in terms of font size), but much worse is the fact that he’s now using a different email address altogether and hasn’t even made any attempts to hide this. Clearly, he’s got a lot going on, and there are undoubtedly hundreds of “Andrew Walter” doppelgangers lurking in the shadows like something out of Michael Jackson’s “Thriller”.

    To understand this complete failure, let’s take a closer look - perhaps he’s got some sort of “Salesforce(esque)” campaign on the go where willing participants are directed to another email address for easy reference (milking)! The email address we started with was “andrewwalter411@gmail.com” which in itself isn’t very convincing. Now we’ve suddenly switched to “andrewwalter166@gmail.com” and also lazy again with our grammar as “Andrew Walter” is now “andrew walter”.
    1614968634-496024-emails.webp
    I suppose I could send him a Starbucks voucher so he can get a strong coffee and wake up, but, this is his gig, so I’ll let him play his hand.

    Hi Andrew, As I previously mentioned, I won’t send my passport via email because I was told it wasn’t secure. Instead, I’ll provide a link to a secure website where it can be downloaded as a zip file. I’ll also provide the password for the zip file so you can extract it. I’ll get this over to you today. Thanks

    Now we’re “upping the ante” a bit. Not only do we respond to the original email, but also to the new one with the same message above. I’m relatively sure at this point that our friend isn’t exactly an experienced fraudster, and probably won’t even notice his own mistake. Wait for a bit……. then send the link. Note that the link itself has been redacted for obvious reasons and is not the original.

    Dear Andrew, I’ve scanned a copy of my passport to PDF and placed it in a password protected ZIP file. It can be downloaded using the link below. https://[redacted]/KCXXu4MN8G6FZqFt4Mb7hQfRZXmHA3Fn/securedownload/ Let me know as soon as you’ve downloaded the ZIP file, and I’ll send you the password in a separate email. Thanks

    I wasn’t really expecting this guy to bite if I’m being honest, but never say die - he’s just fallen straight into the honeypot (or should I say, “boiling pot”)

    Hi, the link is infected i can not open it my system refused to run the link. send it via pdf which i can view before download or jpg.

    Actually “Andrew”, the link **isn’t **infected. I understand your frustration though, as its very annoying having your time wasted by a moronic idiot who seems to lack the ability to string even basic sentences together…… Alright - that’s enough of that. The thing is “Andrew”, you didn’t follow my instructions. Not that this really matters at the moment anyway as I have got what I came for. The string on the carrot has just been made shorter. I know at this point, you can almost taste it, but I’m not finished with you just yet.

    Hi Andrew, The link works fine on my PC. its a password protected ZIP file created by 7Zip. If you use this to extract, you’ll need to enter the password to extract the PDF which I’ll send you under separate cover. Regds

    He’s in for a bit of a surprise when he gets around to opening that Zip file. There’s a PDF there all right, but it’s certainly not my passport. In fact, “Andrew” has had three attempts at downloading that file
    1614968689-559410-file-downloadpng.webp
    According to the honeypot, it would appear that he’s operating out of Randburg (Johannesburg, South Africa) - a very well known fraud hotspot.
    1614968849-529265-locationpng.webp
    The GEO information is provided courtesy of https://db-ip.com/41.113.125.214

    If those coordinates are accurate, then the local law enforcement aren’t too far away. Have a look below
    1614968903-340115-policepng.webp
    In fact, about 12 miles away (dependant on exact location of course, which the local ISP can provide when requested by law enforcement agencies)
    1614969237-763652-directions1.webp

    Day 13

    The next steps here are quite obvious. Pass it onto the local authorities to investigate, with a copy of all material received thus far

    Dear Sirs, I write with reference to an incident where a scammer in your location has trawled LinkedIn and obtained my address with a view to commit coercion and fraudulent activity. The IP address that this fraud attempt has originated from is https://db-ip.com/41.113.125.214. I have a complete record of all activity, plus a copy of what I believe to be a stolen passport.

    I am a security professional by trade, and wish to report this as criminal activity. I have a complete evidence chain of emails relating to this particular event - the incumbent has requested a copy of my passport (which for obvious reasons I will not be providing), and no doubt will also attempt to acquire my bank details. This person is posing as “Andrew Walter” from Bank of America - there are several fake profiles on LinkedIn relating to this individual. I am also aware that local law enforcement can request the physically connected location for this address - you should find its about 12 miles away from your location.

    I have obtained this fraudster’s IP address via a honeypot on my website, which I purposely setup to extract this information. I would appreciate your cooperation in this individual’s apprehension, as it would appear that the same person is responsible for a number of similar campaigns designed to extract funds from others. I am based in the UK, but can be free to discuss as you deem fit. I have enclosed copies of all emails received so far, plus an example of the LinkedIn profiles which I believe are fake. Mark Cutting

    And the below read receipt shows that this email has been read (well, opened, at least)

    Your message was read on 16 May 2018 10:32:48 AM UTC. Final-recipient: RFC822; T0023694@saps.gov.za Disposition: automatic-action/MDN-sent-automatically; displayed X-MSExch-Correlation-Key: c1tMJuEijE6r4WJRtMhQlw== X-Display-Name: GPS:Randburg SC Admin

    its at this point where things become much clearer. This guy really hasn’t done his homework. He’s been conversing with me outside of US time zones (well, Johannesburg is only currently 1 hour ahead of the UK after all) which can only mean he either has severe insomnia, or isn’t actually based in the USA. I wonder which one it could be ? Perhaps he should see a doctor and get some pills for that…. 🙂 I’ve since sent “Andrew” another email, but unfortunately, he hasn’t replied. I guess he’s “busy” with his next victim.

    Hi Andrew,

    I’m a bit concerned I’ve not heard from you, and with the deadline approaching, I really do not want to miss out. Can you let me know if you were able to open the zip file with 7zip as I previously mentioned ?

    When you try to extract it, you’ll need a password which I’ll provide to you once you confirm you’re able to open.

    Please keep me updated.

    Thanks

    The ironic thing here is that “Andrew” in fact already has the password for that zip file I sent him ! If he’s the hotshot he makes out to be, then I’m sure he’ll work it out. In the meantime, I’m guessing you all want to know what that zip file contained ? Well, I did say it was a PDF, but its not my passport. Here you go.
    1614969001-333126-pdf1png.webp

    Conclusion

    Sadly, there’s been no response to the email I sent to SAPS (South African Police Services). Oh well. They have all the evidence they need, although in fact, no actual “fraud” has been committed. That effectively means that “scoping out” a potential victim and attempting to reel them in isn’t actually an offence. Although identity impersonation certainly is and I’d be surprised if they were not interested in this.

    So there you have it - a walk-through of what to look for in these types of scam. Here’s the highlights

    No official institution like the Bank of America is going to allow its employees to conduct business over a GMAIL account. In all honesty, faking the bankofamerica.com domain would have been much more convincing, and wouldn’t have taken much effort either. After a quick iteration of the real name, I found the below If an email supposedly comes from the US, then why are all emails being sent outside of their working hours ? Any transaction of this sort would never be conducted over email anyway - for this amount (if this were indeed real), it would have to be completed face-to-face in the presence of bank officials, lawyers, compliance, and a whole raft of others. No institution is going to request a copy of any identifiable details (passport, bank accounts, etc.) over email. Poor grammar is an immediate warning sign. You need at least a decent grade in English if you are going to pretend to be someone you’re not Bad spelling is another. There are so many errors here and it makes any campaign stand up and shout “hey, I’m fake !”

    Hope you enjoyed this somewhat absurd journey.

    Keep safe out there, folks.