Fake Offers For Mobile Airtime Haunts Indian Users

Co-Author: Avdhoot Patil

Symantec is familiar with phishing sites which promote fake offers for mobile airtime. In December, 2011, the phishing sites which utilized these fake offers as bait have returned. The phishing sites were hosted with free web hosting.

When end users enter the phishing site, they receive a pop up message stating they can obtain a free recharge of Rs. 100:

Upon closing the pop up message, users would arrive at a phishing page which spoofs the Facebook login page. The contents of the page would be altered to make it look as though the social networking site was giving away free mobile airtime. A list of 12 popular mobile phone services from India would be displayed with their brand logos. Once the page completes loading, the theme songs for each of these mobile services play, one after the other.

This phishing page gives a long (fake) offer description. In the description, users are required to enter their login credentials to receive the free airtime offer. The description further states with pride that the site is the first ever to provide this offer and reminds it is always free for users. In reality, if users enter their credentials the phishing page will redirect to a legitimate web retailer selling online purchases of mobile airtime. The strategy behind bothering to redirect to such a site is to mislead users into believing that a valid login has taken place and avoid suspicion. If users do fall victim to these phishing sites, phishers will have successfully stolen their information for identity theft purposes.

Users should be careful. In the fake login below (in blue and purple text) you can see the claims of free airtime:

The URLs on the phishing page also contained text in them to further lead users to believe this social networking website has a relationship with online mobile airtime recharging. The examples:

hxxp://www.******.******.com/Facebook-rc/facebook2011.html  [Domain name removed]
hxxp://free-r3charg3.******.cc/facebook2011.html  [Domain name removed]
hxxp://free-rechargess.******.cc/recharge/1/3.php  [Domain name removed]

Here are a few best practices for Facebook users to combat these threats:

  • Use unique logins and passwords for each of the websites you use.
  • Check to see that you're logging in from a legitimate Facebook page with the facebook.com domain.
  • Be cautious of any message, post or link you find on Facebook that looks suspicious or requires an additional login.
  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • Become a fan of the Facebook Security Page for more updates on new threats as well as helpful information on how to protect yourself online.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.

Jolt in WikiLeaks Case: Feds Found Manning-Assange Chat Logs on Laptop

A government digital forensic expert examing the computer of accused WikiLeaks source Bradley Manning retrieved communications between Manning and an online chat user identified on Manning’s computer as “Julian Assange,” the name of the founder of the secret-spilling site that published hundreds of thousands of U.S. diplomatic cables.

Investigators also found an Icelandic phone number for Assange, and a chat with a hacker located in the U.S., in which Manning says he’s responsible for the leaking of the “Collateral Murder” Apache helicopter video released by WikiLeaks in spring 2010.

Until Monday’s revelation, there have been no reports that the government had evidence linking Manning and Assange, other than chat logs provided to the FBI by hacker Adrian Lamo last year. Assange is being investigated by a federal grand jury, but has not been charged with any crime, since publishing classified information is not generally considered a crime in the U.S. But if prosecutors could show that Assange directed Manning in leaking government documents that he then published, this could complicate Assange’s defense that WikiLeaks is simply a journalistic endeavor.

The news of the chat logs between Manning and Assange came on the fourth day of Manning’s pre-trial hearing being held to determine whether he’ll face court martial on 22 charges of violating military law for allegedly abusing his position as an intelligence analyst in Iraq in order to feed a treasure trove of classified and sensitive documents to WikiLeaks.

Mark Johnson, a digital forensics contractor for ManTech International who works for the Army’s Computer Crime Investigative Unit, examined an image of Manning’s personal MacBook Pro and said he found 14 to 15 pages of chats in unallocated space on the hard drive that were discussions of unspecified government info between Manning and a person believed to be Assange, which specifically made a reference to re-sending info.

While the chat logs were encrypted, Johnson said that he was able to retrieve the MacBook’s login password from the hard drive and found that the same password “TWink1492!!” was also used as the encryption key.

Assange’s name was attached to a chat handle “[email protected]” listed in Manning’s buddy list in the Adium chat program on his computer. That Jabber address uses the same domain name allegedly mentioned by Manning in the chat logs that ex-hacker Adrian Lamo gave to the FBI and to Wired.com last year. In that earlier chat log, Manning was making reference to a domain that Assange was known to use.

In Manning’s buddy list there was also a second handle, “[email protected],” which had two aliases associated with it: Julian Assange and Nathaniel Frank. CCC.de in the domain refers to the Chaos Computer Club, a hacker club in Germany that operates the Jabber server.

When asked about the two aliases, Johnson said it was odd for a user to assign two names to one account, implying that some subterfuge might have been at play.

The chat logs mention a request to re-send some unspecified data, showing that the parties had talked before, Johnson said, as well as discussion about using SFTP for uploading data securely to an FTP server.

Johnson testified that he also found SSH logs on Manning’s computer that showed an SFTP connection from a Verizon IP address, that resolved to Manning’s aunt’s house in the U.S., to an IP address associated with a Swedish ISP called PRQ that is known to have links to WikiLeaks.

In a separate chat with Eric Schmiedl, who appears to be a photographer, lock picker and member of the hacker scene who lives in the U.S., Manning confesses that he leaked the Apache attack video, which documented the deaths of two Reuters employees.

Manning: Are you familiar with WikiLeaks?
Schmiedl: Yeah, I am
Manning: I was the source of the 12 Jul 07 video from the Apache Weapons Team which killed two journalists and injured two kids

Johnson testified that he found two attempts to delete data on Manning’s laptop. Sometime in January 2010, the computer’s OS was re-installed, deleting information prior to that time. Then, on or around Jan. 31, someone attempted to erase the drive by doing what’s called a “zerofill” — a process of overwriting data with zeroes. Whoever initiated the process chose an option for overwriting the data 35 times — a high-security option that results in thorough deletion — but that operation was canceled. Later, the operation was initiated again, but the person chose the option to overwrite the information only once — a much less secure and less thorough option.

All the data that Johnson was able to retrieve from un-allocated space came after that overwrite, he said.

Johnson says he also examined an external hard drive found in Manning’s bunk room in Iraq that contained a text file called wl-press.txt that was created on Nov. 30, 2009, right around the time that Manning told Lamo that he first made contact with WikiLeaks.

The file included the line: “You can currently contact our investigations editor directly in Iceland at 354.862.3481 : 24 hour service : ask for Julian Assange.”

During re-direct with Johnson, government attorney Joe Morrow referred Johnson to one of the charges against Manning that relates to the “United States Forces -Iraq Microsoft Outlook / SharePoint Exchange Server global address list belonging to the United States government,” which Manning allegedly stole between May 11-27, 2010.

Morrow asked Johnson if he’d found any evidence related to the global address list (GAL) and he replied that investigators found a text file in unallocated space that contained a task instruction to obtain the global address list for U.S. forces in Iraq. He also found thousands of Exchange-formatted email addresses on the computer. Asked if there was any evidence that the GAL had been released, Johnson replied, “I did not discover that, no.”


Johnson didn’t mention any date in relation to the GAL evidence he found on Manning’s computer, but on May 7, 2010, WikiLeaks had tweeted a request for people to send it .mil email addresses.

“We would like a list of as many .mil email addresses as possible. Please contact [email protected] or submit,” the Tweet read.

Also testifying today, was Special Agent David Shaver, who revealed that he examined an SD card found at Manning’s aunt’s house, where Manning had lived for a while, and found an encrypted zip file on it that contained three files he was able to open, and references to two files that had been deleted and were no longer accessible. The two deleted files were named “Nathan2_events.tar.br2″ and “Nathan2_event.”

Of the three files he was able to open, one file “Irq_events.csv” was created on Jan. 5, 2010 and contained more than 400,000 action reports from Iraq, pulled from the Combined Information Data Network Exchange, or CIDNE. The other file, “Afg_events.csv,” was created on Jan. 8, 2010 and contained about 91,000 action reports from Afghanistan. The third file, a readme.txt file, appeared to be a message to someone, likely WikiLeaks.

Items of historical significance of two wars Iraq and Afghanistan Significant Activity, Sigacts, between 00001 January 2004 and 2359 31 Dec 2009 extracts from CSV documents from Department of Defense and CDNE database. These items have already been sanitized of any source identity information.

You might need to sit on this information for 90 to 180 days to best send and distribute such a large amount of data to a large audience and protect the source.

This is one of the most significant documents of our time removing the fog of war and revealing the true nature of 21st century asymmetric warfare.

Have a good day.

Shaver said he was able to open those encrypted files using the same password he extracted from the MacBook.

“You got kind of lucky?” asked the prosecutor.

“Yes, sir,” Shaver replied.

In the summer and fall of 2010 WikiLeaks, and several media partners in the U.S. and Europe, published what WikiLeaks referred to as the Iraq War Diary – a cache of more than 400,000 so-called Sigact reports from the Iraq War – as well as the Afghan War Diary, a trove of some 91,000 Sigacts from the Afghan War.

UPDATE 7:55pm EST: To add information about evidence related to the GAL.

UPDATE 10:57pm EST: To add information about two files that had been deleted from the SD memory card, and to include names and dates of the files that were accessible on the card.

Photo Credit: Julian Assange photo by Lily Mihalik/Wired

MySQLPasswordAuditor – Free MySQL Audit/Password Recovery & Cracking Tool

MysqlPasswordAuditor is the FREE Mysql password recovery and auditing software. Mysql is one of the popular and powerful database software used by most of the web based and server side applications. If you have ever lost or forgotten your Mysql database password then MysqlPasswordAuditor can help in recovering it easily. It can also help you [...]

Read the full post at darknet.org.uk


Android Trojan Spreads Message of Revolution

Hacktisivm, or as one blogger put it “Revolution 2.0”, is something I would describe as an activist agenda where there may be no visible monetary gain by the instigator. Instead the overall goal is to send a message or get a point across. Even though, on occasion, the message may be something many will sympathize with, this doesn’t mean it’s a victimless crime. In many cases, the cost of getting an agenda across may involve using resources (even people without consent).  An example of this emerged over the past weekend. For many across the Arab world, December 18, 2010, marked the birth of what is now come to be commonly known as “The Arab Spring”. Among the many online tools that are being used to coordinate, inform, and get the word out about protests, Symantec has discovered a Trojan mass-mailer/downloader embedded in an Android App.

The Trojan was embedded into a pirated, popular Islamic compass app. Based on our research, the malicious version was only distributed through forums focusing on Middle Eastern issues. The official version of the app, available on the Android Market, is not affected and, as the screenshot indicates, this pirated app contains expanded permissions beyond what is requested from the official one.

After the installation of the app, the code goes to work on device start up, silently working in the background as a service called “alArabiyyah”. It randomly picks one link from a list of eighteen and then sends out an SMS message to every contact in the address book of the compromised device, sending them a link to a forum site. Each forum site has identical content and appears to be a tribute to Mohamed Bouaziz.

Examining the web content, we haven’t ruled out the possibility that the posts on these forums were the result of a SQL injection attack, hence the identical content, but we haven’t been able to confirm this due to the number of people sympathizing with the cause and reposting content from other sites.

There is an added functionality in the code: if the compromised device reports back the country ISO as BH, which is the country code for the Kingdom of Bahrain, an attempt is made to download a PDF file to the SD Card of the device. The PDF file was examined and does not contain any malicious code or exploits. The report itself is a fact-finding inquiry by the Bahrain Independent Commission of Inquiry on allegations of human rights violations.

There has been a lot of discussion regarding the impact of the Internet, social media, and even the availability of cheap cell phones on the uprisings in the Middle East. In a way, this threat is a testament to the rise of Hacktisivm 2.0.

For those using Norton Mobile Security, Symantec detects this threat as Android.Arspam.