I tried to gather all the related Web Cache vulnerability techniques into one blog post.
My latest blog post
A cybercrook who has been setting up websites that mimic the self-destructing message service privnote.com accidentally exposed the breadth of their operations recently when they threatened to sue a software company. The disclosure revealed a profitable network of phishing sites that behave and look like the real Privnote, except that any messages containing cryptocurrency addresses will be automatically altered to include a different payment address controlled by the scammers.
The real Privnote, at privnote.com.
Launched in 2008, privnote.com employs technology that encrypts each message so that even Privnote itself cannot read its contents. And it doesn’t send or receive messages. Creating a message merely generates a link. When that link is clicked or visited, the service warns that the message will be gone forever after it is read.
Privnote’s ease-of-use and popularity among cryptocurrency enthusiasts have made it a perennial target of phishers, who erect Privnote clones that function more or less as advertised but also quietly inject their own cryptocurrency payment addresses when a note is created that contains crypto wallets.
Last month, a new user on GitHub named fory66399 lodged a complaint on the “issues” page for MetaMask, a software cryptocurrency wallet used to interact with the Ethereum blockchain. Fory66399 insisted that their website — privnote[.]co — was being wrongly flagged by MetaMask’s “eth-phishing-detect” list as malicious.
“We filed a lawsuit with a lawyer for dishonestly adding a site to the block list, damaging reputation, as well as ignoring the moderation department and ignoring answers!” fory66399 threatened. “Provide evidence or I will demand compensation!”
MetaMask’s lead product manager Taylor Monahan replied by posting several screenshots of privnote[.]co showing the site did indeed swap out any cryptocurrency addresses.
After being told where they could send a copy of their lawsuit, Fory66399 appeared to become flustered, and proceeded to mention a number of other interesting domain names:
You sent me screenshots from some other site! It’s red!!!!
The tornote.io website has a different color altogether
The privatenote,io website also has a different color! What’s wrong?????
A search at DomainTools.com for privatenote[.]io shows it has been registered to two names over as many years, including Andrey Sokol from Moscow and Alexandr Ermakov from Kiev. There is no indication these are the real names of the phishers, but the names are useful in pointing to other sites targeting Privnote since 2020.
DomainTools says other domains registered to Alexandr Ermakov include pirvnota[.]com, privatemessage[.]net, privatenote[.]io, and tornote[.]io.
A screenshot of the phishing domain privatemessage dot net.
The registration records for pirvnota[.]com at one point were updated from Andrey Sokol to “BPW” as the registrant organization, and “Tambov district” in the registrant state/province field. Searching DomainTools for domains that include both of these terms reveals pirwnote[.]com.
Other Privnote phishing domains that also phoned home to the same Internet address as pirwnote[.]com include privnode[.]com, privnate[.]com, and prevnóte[.]com. Pirwnote[.]com is currently selling security cameras made by the Chinese manufacturer Hikvision, via an Internet address based in Hong Kong.
It appears someone has gone to great lengths to make tornote[.]io seem like a legitimate website. For example, this account at Medium has authored more than a dozen blog posts in the past year singing the praises of Tornote as a secure, self-destructing messaging service. However, testing shows tornote[.]io will also replace any cryptocurrency addresses in messages with their own payment address.
These malicious note sites attract visitors by gaming search engine results to make the phishing domains appear prominently in search results for “privnote.” A search in Google for “privnote” currently returns tornote[.]io as the fifth result. Like other phishing sites tied to this network, Tornote will use the same cryptocurrency addresses for roughly 5 days, and then rotate in new payment addresses.
Tornote changed the cryptocurrency address entered into a test note to this address controlled by the phishers.
Throughout 2023, Tornote was hosted with the Russian provider DDoS-Guard, at the Internet address 186.2.163[.]216. A review of the passive DNS records tied to this address shows that apart from subdomains dedicated to tornote[.]io, the main other domain at this address was hkleaks[.]ml.
In August 2019, a slew of websites and social media channels dubbed “HKLEAKS” began doxing the identities and personal information of pro-democracy activists in Hong Kong. According to a report (PDF) from Citizen Lab, hkleaks[.]ml was the second domain that appeared as the perpetrators began to expand the list of those doxed.
HKleaks, as indexed by The Wayback Machine.
DomainTools shows there are more than 1,000 other domains whose registration records include the organization name “BPW” and “Tambov District” as the location. Virtually all of those domains were registered through one of two registrars — Hong Kong-based Nicenic and Singapore-based WebCC — and almost all appear to be phishing or pill-spam related.
Among those is rustraitor[.]info, a website erected after Russia invaded Ukraine in early 2022 that doxed Russians perceived to have helped the Ukrainian cause.
An archive.org copy of Rustraitor.
In keeping with the overall theme, these phishing domains appear focused on stealing usernames and passwords to some of the cybercrime underground’s busiest shops, including Brian’s Club. What do all the phished sites have in common? They all accept payment via virtual currencies.
It appears MetaMask’s Monahan made the correct decision in forcing these phishers to tip their hand: Among the websites at that DDoS-Guard address are multiple MetaMask phishing domains, including metarrnask[.]com, meternask[.]com, and rnetamask[.]com.
How profitable are these private note phishing sites? Reviewing the four malicious cryptocurrency payment addresses that the attackers swapped into notes passed through privnote[.]co (as pictured in Monahan’s screenshot above) shows that between March 15 and March 19, 2024, those addresses raked in and transferred out nearly $18,000 in cryptocurrencies. And that’s just one of their phishing websites.
Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “The Manipulaters,” a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.
In May 2015, KrebsOnSecurity published a brief writeup about the brazen Manipulaters team, noting that they openly operated hundreds of web sites selling tools designed to trick people into giving up usernames and passwords, or deploying malicious software on their PCs.
Manipulaters advertisement for “Office 365 Private Page with Antibot” phishing kit sold on the domain heartsender,com. “Antibot” refers to functionality that attempts to evade automated detection techniques, keeping a phish deployed as long as possible. Image: DomainTools.
The core brand of The Manipulaters has long been a shared cybercriminal identity named “Saim Raza,” who for the past decade has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” “FudCo,” etc. The term “FUD” in those names stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.
A September 2021 story here checked in on The Manipulaters, and found that Saim Raza and company were prospering under their FudCo brands, which they secretly managed from a front company called We Code Solutions.
That piece worked backwards from all of the known Saim Raza email addresses to identify Facebook profiles for multiple We Code Solutions employees, many of whom could be seen celebrating company anniversaries gathered around a giant cake with the words “FudCo” painted in icing.
Since that story ran, KrebsOnSecurity has heard from this Saim Raza identity on two occasions. The first was in the weeks following the Sept. 2021 piece, when one of Saim Raza’s known email addresses — bluebtcus@gmail.com — pleaded to have the story taken down.
“Hello, we already leave that fud etc before year,” the Saim Raza identity wrote. “Why you post us? Why you destroy our lifes? We never harm anyone. Please remove it.”
Not wishing to be manipulated by a phishing gang, KrebsOnSecurity ignored those entreaties. But on Jan. 14, 2024, KrebsOnSecurity heard from the same bluebtcus@gmail.com address, apropos of nothing.
“Please remove this article,” Saim Raza wrote, linking to the 2021 profile. “Please already my police register case on me. I already leave everything.”
Asked to elaborate on the police investigation, Saim Raza said they were freshly released from jail.
“I was there many days,” the reply explained. “Now back after bail. Now I want to start my new work.”
Exactly what that “new work” might entail, Saim Raza wouldn’t say. But a new report from researchers at DomainTools.com finds that several computers associated with The Manipulaters have been massively hacked by malicious data- and password-snarfing malware for quite some time.
DomainTools says the malware infections on Manipulaters PCs exposed “vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy.”
“Curiously, the large subset of identified Manipulaters customers appear to be compromised by the same stealer malware,” DomainTools wrote. “All observed customer malware infections began after the initial compromise of Manipulaters PCs, which raises a number of questions regarding the origin of those infections.”
A number of questions, indeed. The core Manipulaters product these days is a spam delivery service called HeartSender, whose homepage openly advertises phishing kits targeting users of various Internet companies, including Microsoft 365, Yahoo, AOL, Intuit, iCloud and ID.me, to name a few.
A screenshot of the homepage of HeartSender 4 displays an IP address tied to fudtoolshop@gmail.com. Image: DomainTools.
HeartSender customers can interact with the subscription service via the website, but the product appears to be far more effective and user-friendly if one downloads HeartSender as a Windows executable program. Whether that HeartSender program was somehow compromised and used to infect the service’s customers is unknown.
However, DomainTools also found that the hosted version of the HeartSender service leaks an extraordinary amount of user information that probably is not intended to be publicly accessible. Apparently, the HeartSender web interface has several webpages that are accessible to unauthenticated users, exposing customer credentials along with support requests to HeartSender developers.
“Ironically, the Manipulaters may create more short-term risk to their own customers than law enforcement,” DomainTools wrote. “The data table ‘User Feedbacks’ (sic) exposes what appear to be customer authentication tokens, user identifiers, and even a customer support request that exposes root-level SMTP credentials—all visible by an unauthenticated user on a Manipulaters-controlled domain. Given the risk for abuse, this domain will not be published.”
This is hardly the first time The Manipulaters have shot themselves in the foot. In 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s past and current business operations. That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that focuses on connecting cybercriminals to their real-life identities.
Currently, The Manipulaters seem focused on building out and supporting HeartSender, which specializes in spam and email-to-SMS spamming services.
“The Manipulaters’ newfound interest in email-to-SMS spam could be in response to the massive increase in smishing activity impersonating the USPS,” DomainTools wrote. “Proofs posted on HeartSender’s Telegram channel contain numerous references to postal service impersonation, including proving delivery of USPS-themed phishing lures and the sale of a USPS phishing kit.”
Reached via email, the Saim Raza identity declined to respond to questions about the DomainTools findings.
“First [of] all we never work on virus or compromised computer etc,” Raza replied. “If you want to write like that fake go ahead. Second I leave country already. If someone bind anything with exe file and spread on internet its not my fault.”
Asked why they left Pakistan, Saim Raza said the authorities there just wanted to shake them down.
“After your article our police put FIR on my [identity],” Saim Raza explained. “FIR” in this case stands for “First Information Report,” which is the initial complaint in the criminal justice system of Pakistan.
“They only get money from me nothing else,” Saim Raza continued. “Now some officers ask for money again again. Brother, there is no good law in Pakistan just they need money.”
Saim Raza has a history of being slippery with the truth, so who knows whether The Manipulaters and/or its leaders have in fact fled Pakistan (it may be more of an extended vacation abroad). With any luck, these guys will soon venture into a more Western-friendly, “good law” nation and receive a warm welcome by the local authorities.
Overview
If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company.
We would also like to encourage you to post internship positions as well. Many of our readers are currently in school or are just finishing their education.
Please reserve top level comments for those posting open positions.
Rules & Guidelines
Include the company name in the post. If you want to be topsykret, go recruit elsewhere. Include the geographic location of the position along with the availability of relocation assistance or remote work.
You can see an example of acceptable posts by perusing past hiring threads.
Feedback
Feedback and suggestions are welcome, but please don't hijack this thread (use moderator mail instead).
Blockchain technology has experienced remarkable adoption in recent years, driven by its use across a broad spectrum of institutions, governments, retail investors, and users. However, this surge in… Read more on Cisco Blogs
Last chapter of my Windows kernel development series, with user-mode and kernel-mode memory patching, an AMSI bypass driver and more