
SANS ISC Daily Network Security Podcast Details



ISC StormCast for Friday, August 28th 2015

Episode 1614 A daily summary of events from the SANS Internet Storm Center
Author: Johannes Ullrich
Created: Friday, August 28th 2015
Length: 5:58 minutes
This podcast is supported by Threatstop.
Keywords: maldoc pdf

Show Notes

Obfuscating Malicious Word Macros Inside PDFs
https://isc.sans.edu/forums/diary/PDF+maldoc1+maldoc2/20079/

Patch For BitTorrent Traffic Amplification Bug
http://engineering.bittorrent.com/2015/08/27/drdos-udp-based-protocols-and-bittorrent/

Adobe Cold Fusion Patch
https://helpx.adobe.com/security/products/coldfusion/apsb15-21.html

Iranian Attackers Phish Google 2FA Tokens
https://citizenlab.org/2015/08/iran_two_factor_phishing/

Discussion

There seems to be no conclusive proof this phishing originated from "Iranian attackers".

The article linked by SANS in turn references a report by the Israeli company Clearskysec, which in turn references a non-existent Google cache entry from Florida's College of Arts (???). See for yourselves on page 14 of http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public1.pdf (version as of today, 2015-08-28).

The other "intelligence" could have been intentionally spoofed: Iranian IP addresses (botnet?), a blog in Farsi (with an English name), free Iranian hosting service (without its access logs), domain registration details (can be set/changed to anything) and lastly the phone call in Farsi... I don't always send phishing, but when I do, I always phone in my native language disclosing my nationality and leaving a voice fingerprint.

All I ask is that you please label a guess as such.
posted by Enos,
