STE WILLIAMS

What’s behind this 1,000-character phishing URL?

Phishing sites are common, but this week the internet found a strange strain that’s a little rarer: a phishing site with a URL almost a thousand characters long. Experts have a good theory about why a scammer would go to all that trouble.

Bleeping Computer learned of a strange phishing campaign which uses an unusually long URL. The mail purports to come from your email provider, telling you that your account has been blacklisted due to multiple login failures. The phisher tries to hook your mail login credentials by getting you to log in again, but of course, the link it provides isn’t really a link to your login provider’s page.

Phishing links generally arrive behind an innocuous piece of link text such as ‘log in’, ‘reauthorise’ or ‘validate’. A hyperlink separates that visible text from the address it actually leads to, so unless a victim hovers over the text or right-clicks it, or checks the address bar of their browser after clicking, they won’t know what site they’re really visiting.

Phishers are aware of this and diligent ones will try to lure you with a URL that looks plausible. They’ll use tricks like top-level domains (TLDs) chosen to resemble the last part of a legitimate domain, or homographs that use characters from other alphabets to mimic Latin letters. Hyphens and subdomains are also a good way of creating URLs that look like a legitimate site at first glance.

This phisher didn’t bother with any of that. The link they provided pointed at a domain that looked nothing like the recipient’s email domain. Moreover, it used a ridiculously long combination of subdirectories and page name (the folders and the actual page that follow the domain name). The total URL was almost a thousand characters long.

Naked Security checked in with Eduardo Schultze, threat intelligence team lead at Axur, which uses AI to help companies with online brand protection and digital fraud detection. He is also a representative on the Anti-Phishing Working Group, an industry group that combats phishing scammers. He said:

The interesting thing is that the phishing [site] doesn’t allow you to type your email but it instead grabs it from the “email” parameter in the URL from the person who received the phishing.

This isn’t a one-off. An analysis of the weird URL by the web site analysis service URLscan shows over 1100 phishing pages with a similar structure and files, suggesting that they could come from the same phishing kit. It also shows over 180 phishing domains hosted at the same Hong Kong-based IP address.

So, what’s going on? Schultze points out that because this phishing URL uses subdirectories, it’s possible for it to take the phishing victim into a variety of folders:

The more you click, the deeper you go into the actual phishing landing page.
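As an added illustration (this is not URLscan’s tooling, Axur’s, or the campaign’s kit), the Python script below pulls out the three structural signals the article describes: the overall URL length, the depth of the folder chain, and the victim’s address carried in a query parameter. The host name `cdn-assets.example.invalid`, the folder names and the victim address are constructed sample data, and the 500-character cut-off is the figure Ellis uses for the small minority of very long phishing URLs.

```python
"""Triage features for an overlong phishing URL.

Added example, not code from the campaign, URLscan or Axur.  The sample URL
is constructed to resemble the one described: a throwaway host, a very deep
chain of folders, and the recipient's address passed as a query parameter.
"""
import re
from urllib.parse import parse_qs, urlsplit

EMAIL_RE = re.compile(r"[^@\s/]+@[^@\s/]+\.[^@\s/]+")

# Constructed sample data: placeholder host, 84 folder segments, victim address.
_SEGMENTS = ["wp-content", "uploads", "2019", "02"] + [
    f"{name}{i:03d}" for i in range(40) for name in ("secure", "validate")
]
SAMPLE_URL = (
    "http://cdn-assets.example.invalid/"
    + "/".join(_SEGMENTS)
    + "/index.php?email=victim%40example.org&session=1"
)


def url_features(url: str) -> dict:
    """Return the structural signals a triage analyst would look at first."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    query = parse_qs(parts.query, keep_blank_values=True)
    # Query parameters whose value looks like an e-mail address: the kit
    # described above pre-fills the login form from one of these rather than
    # asking the victim to type it.
    email_params = [
        key for key, values in query.items()
        if any(EMAIL_RE.fullmatch(v) for v in values)
    ]
    return {
        "length": len(url),
        "host": parts.hostname or "",
        "path_depth": len(segments),
        "path_length": len(parts.path),
        "email_params": email_params,
    }


def triage(url: str, max_length: int = 500, max_depth: int = 12) -> list:
    """Return human-readable reasons to look closer; an empty list means no
    structural oddity was found.  These are prioritisation signals only: a
    long URL neither proves phishing nor, as the article notes, hides it."""
    f = url_features(url)
    reasons = []
    if f["length"] > max_length:
        reasons.append(f"URL is {f['length']} characters (limit {max_length})")
    if f["path_depth"] > max_depth:
        reasons.append(f"path has {f['path_depth']} segments (limit {max_depth})")
    if f["email_params"]:
        reasons.append("e-mail address passed in query parameter(s): "
                       + ", ".join(f["email_params"]))
    return reasons


if __name__ == "__main__":
    for reason in triage(SAMPLE_URL):
        print("-", reason)
```

The thresholds are deliberately loose: deep paths and long URLs are common on CDNs and in tracking links, so the output is a reason to look, not a verdict. The e-mail-in-query signal is the more specific one, because a legitimate login page rarely needs the address in the URL.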

This feeds into the theory that the phisher is hiding the location of the phishing files on the hacked server. Stefanie Ellis, portfolio marketing manager at brand protection company Clarivate Analytics and also a representative for the APWG, has seen a small proportion of phishing sites using 500 characters or more. She said:

There’s nothing in the configuration of the URL that prevents us from detecting the site so we have to think it’s related to hiding on the server, or generally making the investigation more time-consuming or frustrating for the host.

It isn’t clear whether the folder structure was generated by a script or created by hand, but no matter: a determined anti-phishing investigator will quickly work out that it’s a scam domain. Said Ellis:

It’s creative, but at the end of the day a longer URL is not going to prevent detection, blocking, or mitigation of the phishing site.

However, while this ridiculously long URL might alert desktop users to something phishy, mobile users might be oblivious, as infosecurity expert Spencer Alessi points out:

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qTbMBbfvH5w/

US man and Brit teen convict indicted over school bomb threat spree

A 20-year-old American man who allegedly used the Twitter handle @WantedByFeds has been charged with DDoSing, sending bomb threats and more along with a British teenager who is already in prison.

Timothy Dalton Vaughn, of North Carolina in the US, was indicted by a grand jury* earlier this week after American federal investigators said they found key data linking him to online aliases that had, ironically, been leaked among millions of other people’s details in a separate hack.

Vaughn is alleged to have acted as part of a loose-knit group of internet mischief-makers who called themselves the Apophis Squad. One of Vaughn’s co-defendants is 19-year-old Briton George Duke-Cohan, formerly of Garston near Watford, who was found guilty in late 2018 of sending bomb hoaxes and making DDoS attacks against various schools and colleges. Duke-Cohan, who bizarrely claimed to a forensic psychiatrist that he had a history of harming small animals, is expected to be released from prison in May 2020.

Another British resident was identified by investigators as an “unindicted co-conspirator” based in Hampshire but not charged. In the indictment that person is identified only as “PartialDuplex”, whose Twitter account refers heavily to Apophis Squad’s various activities – and stopped tweeting on 12 May 2018, weeks after Duke-Cohan was arrested for the second time on 17 April.

The two are also said to have targeted infosec journalist Brian Krebs, who has written about his experiences of identifying them, separately from the official investigation.

Vaughn and Duke-Cohan, along with “PartialDuplex”, are said to have gone on a spree of DDoSes and bomb and school-shooting threats: taking down encrypted email service Protonmail, forcing the evacuation of hundreds of schools in both America and Britain, and sending multiple threats of bombs and anthrax-filled packages to an FBI office in Omaha, Nebraska. Their tactics allegedly included spoofing email addresses to make it appear as if prominent people, including Sadiq Khan, the mayor of London, were sending the threats.

They are also said to have DDoS’d the website hoonigan.com, which looks like Top Gear but features people below retirement age actually modifying and driving cars.

The 11 charges against Duke-Cohan and Vaughn, which include the bomb threats, attacks on computers and fake school-shooting threats, could potentially see Vaughn locked up for 80 years and Duke-Cohan’s prison term extended by 65 years in the US. ®

Bootnote

* A grand jury is an odd American legal custom in which prosecutors herd 23 random people into a room and refuse to let them leave until at least half agree on whether or not criminal charges ought to be brought against some third party who is not allowed to know what’s going on or speak in his/her defence. Originally conceived in English law around a thousand years ago as a safeguard against over-powerful nobles declaring themselves judge, jury and executioner, grand juries have long since been superseded in the rest of the world.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/14/apophis_squad_indictment_timothy_dalton_vaughn_george_duke_cohan/

Learn New Malware-Fighting Tools & Techniques at Black Hat Asia

There’s no better place to brush up on the latest malware than Black Hat Asia in Singapore next month with a cornucopia of practical Trainings, Briefings, and Arsenal tool demos.

There’s no better place to sharpen your cybersecurity skills than Black Hat Asia in Singapore next month, where you’ll have access to a cornucopia of practical, hands-on Trainings, Briefings, and Arsenal tools intended to help you master even the trickiest malware.

If you’ve never been to the Black Hat Asia Arsenal before, know that it’s a hub of live tool demonstrations in an open, conversational environment where presenters are able to interact with attendees and provide a hands-on experience.

For example, stop by at 10 AM on Thursday, March 28th to check out a live demo of “Unprotect Project: Unprotect Malware for the Mass.” Malware remains effective by staying hidden or otherwise hard to study; the Unprotect Project is an open-source countermeasure that aims to classify all known malware evasion techniques, to help you analyze and understand potential threats. While the project is currently focused on Windows PE (Portable Executable) malware, the plan is to extend it to other platforms in the future.

On Friday at 10 AM, come back for the “Weapons of Office Destruction: Prevention with Machine Learning” demo, which promises a fresh perspective on the ever-present problem of preventing malware distribution via Microsoft Office documents and other common currencies of the modern workplace.

To better leverage the rules already used in traditional anti-virus solutions, the presenters of this Arsenal demo use a simple random forest-based machine learning (ML) classifier model trained on a comprehensive list of over 3,000 existing heuristic rules drawn from around 92,600 real-world benign and malicious MS Office documents (including Word, Excel and PowerPoint file formats.)

They’ll show you how the model works and explain why this approach outperforms 11 well-known commercial anti-virus scanners, achieving a true positive rate of 98.46% while maintaining a low false positive rate (0.33%). The best of the evaluated commercial AV scanners achieves a TPR of 87.5%, more than 10 percentage points below the proposed ML model you’ll see in this demo.

Complement that hands-on look at fighting Office-spawned malware by attending the 50-Minute “Office in Wonderland” Briefing, in which security researchers Peter Ceelen and Stan Hegt explore a wide range of novel techniques that abuse Microsoft Office features for offensive purposes. The pair will disclose details on new Word and Excel vulnerabilities, release attack vectors that Microsoft deems features, and demonstrate the security impact of the architectural design of the MS Office suite.

If mobile malware is more of a concern for you, make time for this year’s “When Voice Phishing Met Malicious Android App” Briefing. Presented by expert Min-Chang Jang, this 50-Minute Briefing will showcase the results of a live study of various strains of Android voice phishing malware.

These malicious mobile apps can intercept outgoing calls to trusted institutions (like banks or government agencies), creating opportunities for innocents to be scammed by imposters. In this session you’ll get a unique look at how they’re distributed and deployed, using data gathered by a crack team who broke into distribution servers (as well as a central command control server) and analyzed about 3,000 voice phishing apps. Don’t miss it!

Black Hat Asia returns to the Marina Bay Sands in Singapore March 26-29, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/learn-new-malware-fighting-tools-and-techniques-at-black-hat-asia/d/d-id/1333872?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security Spills: 9 Problems Causing the Most Stress

Security practitioners reveal what’s causing them the most frustration in their roles.

(Image: Milanmarkovic78 – stock.adobe.com)

Cybersecurity isn’t an easy gig. It’s tough even to keep track of the most stressful problems, because adversaries constantly evolve their tactics and the threat landscape keeps changing.

In fact, the rapid evolution of threats is one of many issues plaguing security pros. The onslaught of emerging threats is made more difficult by lack of resources. All the while, employees are bringing unsecured smartphones and devices into office environments.

“You can’t predict what you can’t see, and so the adoption of BYOD policies at companies, combined with an increasingly complex network environment, leave organizations susceptible to attack,” says YL Ventures principal John Brennan.

Movement to the cloud, vulnerability management, data governance, and choosing, implementing, and managing new security products compound the challenges and give security teams even more to worry about. For small organizations, where one person is responsible for securing everything on his or her own, the list of issues can be overwhelming.

Here, security pros across the industry share what’s most stressful about their jobs. What is most stressful about your job? Feel free to jump in the comments section, below, and add to the list.

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/security-spills-9-problems-causing-the-most-stress/d/d-id/1333874?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How to Create a Dream Team for the New Age of Cybersecurity

When each member of your security team is focused on one narrow slice of the pie, it’s easy for adversaries to enter through the cracks. Here are five ways to stop them.

Today, enterprises consist of complex interconnected environments made up of infrastructure devices, servers, fixed and mobile end-user devices and a variety of applications hosted on-premises and in the cloud. The problem is that traditional cybersecurity teams were not designed to handle such complexities. Cybersecurity teams were originally built around traditional IT, with a specific set of people focused on a specific set of tools and projects.

As enterprise environments have grown, this siloed approach to cybersecurity no longer works. When each member of your security team is only focused on one narrow slice of the pie, it’s far too easy for adversaries to enter through the cracks. The following are critical steps chief information security officers (CISOs) must take in order to establish a dream team for the new age of cybersecurity.

1. Take a Talent Inventory
Before making any new hires, CISOs should evaluate their current cybersecurity talent and determine the competencies and gaps of each member on the existing team. Ideally, you want people who think creatively — and can think like the adversary. Successful hackers are resourceful and inventive, and they are looking for ways around your standard security controls. If the members of your security team are only concerned with whether existing controls are working correctly, you’re going to get hacked. The attack surface is massive and growing every day, and your security team must include individuals who continuously look for vulnerabilities the adversary could exploit — no matter where they are — so these issues can be addressed.

2. Hire Top Talent or Outsource Top Talent
Hiring and retaining top talent for your cybersecurity team is crucial to successfully increasing cyber-resilience. This is not easy, especially when the cybersecurity skills shortage is only worsening. Training existing employees on security skills and arming them with new tools that leverage artificial intelligence, machine learning, and automation for a force multiplier effect is one way you can go. Alternatively, CISOs can choose to outsource parts of the security function to expert managed security service providers (MSSPs). No matter how you choose to assemble your team, it is critical that your security team understands your specific business and network context as well as your focus on improving cyber-resilience, and have the needed skills and tools to protect business-critical assets while continuously improving security posture.

3. Get Companywide Buy-in (Including Your Board)
Gone are the days when cyber-risk was manageable solely by the security team. According to Gartner, at least 95% of security failures through 2022 will be the result of human error. This could potentially stem from anyone in the company. All stakeholders in a business — including C-suite, employees, customers, partners, vendors, etc. — MUST be educated on how their actions can positively or negatively affect the security of their company, and how the success of the company lives and dies with cyber-resilience.

Security today is a business issue, not just a technology one, and everyone must do their part. CISOs need to shoulder the primary responsibility of getting everyone in the company aligned with their security objectives. CISOs must engage with their board of directors, educate them on cybersecurity challenges, and get them on board (no pun intended) with stated objectives and approaches to improving cyber-resilience. For example, after sharing a security posture transformation plan with his/her board, the CISO can follow up in three- or six-month increments and share exactly how much cyber breach risk has been reduced during the time period. CISOs should be able to quantify this with calculations and trends for items such as “risk to intellectual property,” “risk of operational disruption” and “risk to customer data.”

4. Get Proactive and Prioritize Accordingly
Many security tactics focus on reactively detecting and remediating attacks. Security teams are often completely overwhelmed trying to sift through alerts. If this is all we do, we will always be behind and will never get ahead of the adversary. Rather than being purely defensive, security teams should instead focus more efforts on predicting and proactively avoiding breaches. CISOs should set aside budget and team resources that focus exclusively on proactive efforts to improve the enterprise security posture.

That said, there are myriad potential attacks that threaten organizations through hundreds of attack vectors, making it impossible for CISOs to proactively protect all assets at all times. Therefore, CISOs must differentiate what is critical and what is less important in order to prioritize the necessary actions to protect essential business assets and information. It’s also important to institute programs that address cybersecurity posture in a strategic manner, such as two-factor authentication, password managers, impact-based mean-time-to-patch SLAs, bastion hosts, and dynamic network segmentation. 

5. Add AI to Your Team
With the number of cybersecurity threats growing every day and increased digitization of assets/processes that could be vulnerable to those threats, it is mathematically impossible for humans to monitor for threats and sift through hundreds of thousands of vulnerabilities to determine which to prioritize. Even the largest security team composed of the most skilled IT professionals can’t effectively accomplish this without the assistance of artificial intelligence. These tools, which continuously monitor all assets and proactively predict what vulnerabilities are most likely to be exploited, are becoming increasingly essential for keeping up with the constantly evolving attack methods employed by cybercriminals, as well as the ongoing digital transformation of enterprises. Humans are certainly still needed to effectively manage cybersecurity, but AI needs to be a welcome new member to the team.

Follow the above five tips, and you will have a dream team truly prepared to protect your business in this new age of cybersecurity.

Gaurav Banga is the founder and CEO of Balbix, and serves on the boards of several companies. Before Balbix, Gaurav was co-founder and CEO of Bromium and led the company from inception for over five years. Gaurav has a Ph.D. in computer science from Rice University, and a …

Article source: https://www.darkreading.com/cloud/how-to-create-a-dream-team-for-the-new-age-of-cybersecurity/a/d-id/1333849?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Oh Snapd! Gimme-root-now security bug lets miscreants sock it to your Ubuntu boxes

Canonical has issued an update for Ubuntu to address a security vulnerability that can be exploited by malware and rogue users to gain root access.

As this bug affects desktop and server editions of the Linux distro, it is an irritating flaw for folks using shared systems, such as lab or office workstations.

Chris Moberly gets credit for the discovery and reporting of the flaw in question, CVE-2019-7304, which is an elevation-of-privilege vulnerability present in Ubuntu versions prior to 19.04. Note that the flaw is not remotely exploitable: a miscreant would need to already have a foothold on the victim’s machine.

“Current versions [before 19.04] of Ubuntu Linux are vulnerable to local privilege escalation due to a bug in the snapd API. This local service installs by default on both ‘Server’ and ‘Desktop’ versions of Ubuntu and is likely included in many Ubuntu-like Linux distributions,” Moberly said in his report.

“Any local low privilege user can exploit this vulnerability to obtain immediate root access to the server.”

The vulnerability is in snapd, the daemon behind Canonical’s open-source snap system for packaging and running applications. Exploiting the flaw would allow an attacker to elevate their access from an unprivileged process to that of the root user, essentially allowing a complete takeover of the system.

Moberly found that, by abusing the way Snapd’s API handles HTTP data requests, the tool could be tricked into believing the user has a uid of 0, aka the root user. This would let an attacker use functions reserved for the superuser, and eventually take over the box. Rather than being a memory corruption bug – the code in question is written in Go, after all – this is a cockup in handling submitted text.
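To show the class of bug rather than snapd’s own code, the following Python re-creation (an added example, not taken from Moberly’s write-up or the snapd source) models a daemon that learns the caller’s identity from a credential record serialised as `key=value` fields separated by semicolons. The published dirty_sock proof of concept relies on exactly this kind of weakness: the record carries the path of the client’s socket, the client chooses that path, and a loose tokeniser picks up a `uid=0` planted inside it. The record layout `pid=<n>;uid=<n>;socket=<path>;` and the field names used here are assumptions chosen to illustrate the pattern; the version check at the end assumes `snap version` output in the usual `2.37.1` form.

```python
"""Credential-string parsing: the loose tokeniser beside a strict one.

Added example, not snapd's Go code.  The record layout
"pid=<n>;uid=<n>;socket=<path>;" is an assumption chosen to illustrate the
bug class: one field (the socket path) is chosen by the client, and a parser
that re-tokenises the whole string on ';' lets that field impersonate the
trusted uid field.
"""
import re

FIELD_RE = {"pid": re.compile(r"pid=(\d+)"), "uid": re.compile(r"uid=(\d+)")}


def format_remote_addr(pid: int, uid: int, socket_path: str) -> str:
    """Serialise peer credentials the way a naive daemon might: the kernel-
    supplied pid and uid are trustworthy, the socket path is whatever the
    client bound before connecting."""
    return f"pid={pid};uid={uid};socket={socket_path};"


def parse_uid_vulnerable(remote_addr: str) -> int:
    """Loose parser: split on ';' and accept any 'uid=' token, last one wins.
    A socket path containing ';uid=0;' therefore overrides the real uid."""
    uid = None
    for token in remote_addr.split(";"):
        if token.startswith("uid="):
            uid = int(token[len("uid="):])
    if uid is None:
        raise ValueError("no uid in credential record")
    return uid


def parse_uid_fixed(remote_addr: str) -> int:
    """Strict parser: the record has a fixed shape, so read the two trusted
    fields positionally, validate them against a tight pattern, and treat
    everything after 'socket=' as an opaque value that is never re-tokenised."""
    fields = remote_addr.split(";", 2)
    if len(fields) != 3 or not fields[2].startswith("socket="):
        raise ValueError("malformed credential record")
    pid_match = FIELD_RE["pid"].fullmatch(fields[0])
    uid_match = FIELD_RE["uid"].fullmatch(fields[1])
    if not (pid_match and uid_match):
        raise ValueError("malformed pid/uid field")
    return int(uid_match.group(1))


def is_root(remote_addr: str, parser=parse_uid_fixed) -> bool:
    """The authorisation decision a daemon would make from the parsed uid."""
    return parser(remote_addr) == 0


def snapd_version_is_fixed(version: str, fixed=(2, 37, 1)) -> bool:
    """Compare 'snap version' style strings such as '2.37.1' or '2.37.4+18.04'
    against the first fixed release named in the article."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parsed = tuple(int(x or 0) for x in m.groups())
    return parsed >= fixed


if __name__ == "__main__":
    # Constructed: an unprivileged client bound its socket at a path that
    # carries ';uid=0;' so the serialised record contains a second uid field.
    hostile = format_remote_addr(4242, 1000, "/tmp/dirty;uid=0;")
    print("loose parser sees root:", is_root(hostile, parse_uid_vulnerable))
    print("strict parser sees root:", is_root(hostile))
```

The general lesson is the one the article hints at with “handling submitted text”: once a trusted field and an attacker-chosen field share a delimiter inside one string, any parser that scans the whole string for the trusted field can be fed a forgery. The durable fix is not to smuggle the identity through a string at all but to keep the kernel-supplied credentials in a typed structure; where a serialised record is unavoidable, parse it positionally and never re-tokenise the free-form tail.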

For those so inclined, Moberly has published a proof-of-concept script called “dirty_sock” that shows how an exploit would operate in the wild.

Canonical has since addressed the flaw, so run your usual package update cycle to get the fix. The snapd tool itself is fixed by updating to version 2.37.1.

Ubuntu users who do install the update should also take a moment to make sure they have updated their versions of Flash Player. Yesterday, Adobe posted a fix for an information disclosure bug as part of its Patch Tuesday dump. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/14/snapd_priv_escalation_bug/

Cover your NASes: QNAP acknowledges mystery malware but there’s no patch yet

Taiwanese NAS maker QNAP has admitted its devices are affected by mysterious malware that alters hosts files on infected boxen following The Register‘s report.

In a security advisory published yesterday, QNAP told its customers: “A recently reported malware is known to affect QNAP NAS devices. We are currently analyzing the malware and will provide the solution as soon as possible.”

While the advisory’s severity was given as “high”, the company said that the types of affected products were “to be confirmed”. QNAP did not comment further when The Register invited it to do so.

Affected folk were urged to manually install the latest version of QNAP’s MalwareRemover product, detailed instructions for which are at the security advisory linked above. In addition, QNAP also dished out the standard advice for ensuring all apps on NASes are up to date.

This could be difficult for some people whose devices are infected by the mysterious malware. As we reported on Monday, QNAP users began complaining on the company’s forums that around 700 entries were added to their machines’ hosts file, all pointing to IP address 0.0.0.0. Those entries sinkholed all requests to common antivirus update servers.
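A quick way to check a box for the symptom described above, as an added example (not QNAP’s MalwareRemover and not derived from the malware itself): parse the hosts file, pick out names pinned to 0.0.0.0 or the loopback address other than the usual localhost aliases, and summarise them by domain. The sample hosts content is constructed, and the vendor names in it are placeholders rather than the real update servers the malware blocks.

```python
"""Spot hosts-file sinkhole entries of the kind reported on QNAP NAS boxes.

Added example, not QNAP's tooling.  SAMPLE_HOSTS is constructed: a normal
header plus 700 entries that pin placeholder update hostnames to 0.0.0.0.
"""
import sys
from collections import Counter

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

SAMPLE_HOSTS = "\n".join(
    [
        "127.0.0.1   localhost localhost.localdomain",
        "::1         localhost ip6-localhost",
        "10.0.0.5    nas.lan   # the NAS itself",
        "0.0.0.0     update.av-vendor-one.example   # constructed sinkhole entry",
        "0.0.0.0     liveupdate.av-vendor-two.example definitions.av-vendor-two.example",
    ]
    + [f"0.0.0.0 mirror{i:03d}.av-updates.example" for i in range(697)]
)


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, one per alias, ignoring blanks and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def sinkholed_entries(text: str) -> list:
    """Return (ip, hostname) pairs that resolve to a sinkhole address,
    excluding the loopback names every hosts file legitimately carries."""
    return [
        (ip, name) for ip, name in parse_hosts(text)
        if ip in SINKHOLE_IPS and name not in LOOPBACK_NAMES
    ]


def summarize(text: str, threshold: int = 20) -> dict:
    """Count sinkholed names, group them by their last two labels, and flag
    the file when the count is implausibly high for a hand-edited hosts file."""
    entries = sinkholed_entries(text)
    by_domain = Counter(".".join(name.rsplit(".", 2)[-2:]) for _, name in entries)
    return {
        "count": len(entries),
        "by_domain": dict(by_domain.most_common()),
        "suspicious": len(entries) >= threshold,
    }


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        print(summarize(fh.read()))
```

The count alone is a weak signal, since people who deliberately install ad-blocking hosts lists will trip it too; the per-domain breakdown is the useful part, because a list that consists almost entirely of security vendors’ update hosts is not something an owner installs on purpose. Run it against a copy of the file pulled off the NAS rather than on the box itself, given the forum report that packages and the Python runtime may no longer work on an infected unit.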

Forum users noticed that the company’s Derek Be Gone malware removal script had now incremented to version 1.4 since El Reg‘s first article. One in particular, who appears to believe their NAS is infected with the malware, posted that they couldn’t install or update packages on their NAS thanks to “errors telling me that the architecture is wrong”, with MalwareRemover not running either “because apparently the Python QPKG is somehow missing”. The user also noticed a “dodgy looking .sh file” had appeared on the box, as well as unfamiliar entries in the autorun.sh file.

QNAP did apologise for not responding when we asked them for comment about the malware last week, reasonably pointing out that they were on holiday for Chinese New Year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/14/qnap_mystery_malware_plot_thickens/

Top tips for Valentine’s Day – and the rest of the year! [VIDEO]

In this week’s Naked Security Live video, we’re giving you three quick and easy security tips for Valentine’s Day…

…and for every other Day (and every other day) in the year.

(Watch directly on YouTube if the video won’t play here.)

PS. Like the shirt in the video? They’re available at: https://shop.sophos.com/

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mbpiIAM2S1c/

ACLU: Here’s how FBI tried to force Facebook to wiretap its chat app. Judge: Oh no you don’t

A US federal judge has refused to unseal court paperwork that would show how the FBI tried to force Facebook to snoop on calls made through its instant-messaging app.

Judge Lawrence O’Neill this week rejected [PDF] a petition from the American Civil Liberties Union (ACLU) to make the documents public because, he argued, “the materials at issue in this case concern techniques that, if disclosed publicly, would compromise law enforcement efforts in many, if not all, future wiretap investigations.”

The judge also refused to release partially redacted versions – a move favored by Facebook if details of its systems were removed – because “sensitive investigatory information is so thoroughly intertwined with the legal and factual arguments in the record such that redaction would leave little and/or misleading substantive information.”

In August 2018, it was revealed that the Department of Justice (DoJ) had tried to force Facebook to give it access to voice-call conversations made via its Messenger app. When Facebook refused, the DoJ tried to hold the social media giant in contempt of court.

We note that while Facebook Messenger offers so-called Secret Conversations, which are chat sessions strongly end-to-end encrypted using the Signal protocol, voice calls are not, to our knowledge, end-to-end encrypted, meaning Facebook can in theory snoop on them. We assume the calls are encrypted in transit, to prevent man-in-the-middle spies from listening in, however, by not being truly end-to-end, they can be potentially intercepted by the social network.

In any case, it appears Facebook refuses to build for Uncle Sam the capability to eavesdrop on Messenger voice calls.

Soon after this legal tussle emerged, the ACLU sued the DoJ in an effort to get the relevant documents made public. Those files almost certainly include the legal arguments put forward by the US government to compel a private third-party to intercept and, if need be, decrypt private chatter.

As such, the ACLU argued, there is a clear public interest in what the US government’s arguments are. “Whether and how the government can compel internet communications platforms to modify their technology to enable surveillance against their users is a topic of vigorous public debate,” the civil rights advocacy group argued in its filing [PDF].

It argued that the First Amendment and “common law rights of access” to court docs provided the necessary legal authority.

Overwhelming

Judge O’Neill disagreed, however, deciding instead that “the compelling interest of the DOJ to preserve the secrecy of law enforcement techniques in Title III wiretap cases overwhelms that qualified right.”

This is far from the first time that law enforcement has tried to force tech companies to hand over and, if necessary, unscramble encrypted data. Most significantly, the FBI and Apple ended up in a heated dispute over access to the iPhone of a man who had shot and killed numerous people in San Bernardino, California.

The FBI told Apple to give it access to his phone’s encrypted file system, and Apple argued that to do that it would have to create software that would break its own encryption system: something it said was beyond the authority of the Feds.

In the end, just days before a judge was due to rule on the issue, the g-men backed down and claimed they had found their own technical workaround, so the issue was moot. They found nothing on the phone, but that was almost irrelevant, since the entire episode was seen as the FBI trying to create a legal precedent.

It’s not clear why the FBI felt that Facebook would be an easier target or whether it had put forward different legal arguments in an effort to get that same legal precedent – and that’s why the ACLU and others want to know what is in the documents filed against Facebook.

What we do know is that the request covered encrypted voice calls between suspected MS-13 gang members in Fresno, California, at least according to the ACLU.

While the judge’s decision may be understandable – an effort to protect investigative techniques that are used elsewhere – it has unfortunately given the FBI a clear method by which it can keep making legal arguments for access to encrypted material without being subject to public scrutiny. All the Feds have to do is include information about their techniques and specific targets alongside their legal arguments for access, and then, wham: down come the shutters.

That in itself is a dark tunnel down which the US government can create secret surveillance laws: a rerun of the system that enabled the NSA/FBI and others to engage in the kind of mass surveillance that was exposed by Edward Snowden, and which was subsequently found to be illegal once exposed to the full spotlight of the law. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/13/facebook_fbi_messenger/

US counterintelligence agent helped Iran lob cyber-bombs at America, say Uncle Sam’s lawyers

US prosecutors on Wednesday announced the indictment of a former US counterintelligence agent on charges of helping Iran conduct cyberattacks on her former colleagues.

The legal eagles also charged four Iranian nationals said to have carried out related computer crimes.

Former US Air Force intelligence agent Monica Elfriede Witt, 39, defected to Iran in 2013, according to the Justice Department. She’s charged with providing Iranian intelligence with classified information and with helping to compile background research on US intelligence agents to facilitate online attacks against them.

The four Iranians named in the indictment – Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar – have been charged with conspiracy, attempted computer intrusion and aggravated identity theft for cyber attacks against Witt’s former colleagues and other US intelligence personnel in 2014 and 2015. The four are said to have worked on behalf of the Iranian Revolutionary Guard Corps (IRGC).

Arrest warrants have been issued for Witt and her alleged co-conspirators, who remain at large.

“This case underscores the dangers to our intelligence professionals and the lengths our adversaries will go to identify them, expose them, target them, and, in a few rare cases, ultimately turn them against the nation they swore to protect,” said Assistant Attorney General for National Security John Demers in a statement.

“When our intelligence professionals are targeted or betrayed, the National Security Division will relentlessly pursue justice against the wrong-doers.”

Breaking out the sanctions stick

In conjunction with the indictments, the US Treasury Department has announced sanctions against two organizations – New Horizon Organization and Net Peygard Samavat Company – and nine affiliated individuals for supporting spying operations against US intelligence personnel. The sanctions limit the ability of the named organizations and individuals to conduct certain financial transactions.

Witt’s indictment describes her defection to Iran, her revelation of the name of a US operative conducting counterintelligence against an undisclosed target, and her efforts involving multiple fake accounts on Facebook to compile data on members of the US intelligence community for the benefit of Iranian operations.

The four Iranians named are said to have conducted spearphishing attacks to distribute malware that included keyloggers, webcam takeover code, and other surveillance applications. The links and attachments they allegedly sent were intended to hijack recipients’ devices.

Among the attempted attack techniques, according to the indictment, was the creation of an imposter Facebook account using the photo of an intelligence agent from a legitimate Facebook account. The fake account was used to establish friend connections with actual intelligence agents and induce them to click on shared links with malicious files.

Through friend requests, the fake Facebook account managed to befriend several actual US intelligence agents. But beyond that, the indictment makes no mention of whether the attackers managed to compromise any targeted systems; the charges describe attempted but not successful computer crimes.

One message cited in the indictment, sent to induce a US intelligence agent to click on a malicious link, shows no sign of sophistication, at least in its text. It includes the sort of errant English found in common junk messages and makes a request that should set off alarm bells.

“I’ll send you a file including my photos but u should deactivate your your anti virus to open it because i designed my photos with a photo album software, I hope you enjoy the photos i designed for the new year, they should be opened in your computer honey.”

If such inept wording actually works, there’s hope the Justice Department could catch its fugitive defendants by messaging them about an inheritance fortune waiting for them in the US. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/14/counterintelligence_agent_espionage/