Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC: SANS Daily Network Security Podcast (Stormcast) for Friday, August 28th 2015 SANS Daily Network Security Podcast (Stormcast) for Friday, August 28th 2015


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

ISC StormCast for Friday, August 28th 2015

SANS Daily Network Security Podcast (Stormcast) for Friday, August 28th 2015
00:00

My Next Class

Intrusion Detection In-DepthOnline | US PacificNov 16th - Nov 21st 2020
Intrusion Detection In-DepthOnline | Central European TimeNov 30th - Dec 5th 2020

… more classes

Obfuscating Malicious Word Macros Inside PDFs
https://isc.sans.edu/forums/diary/PDF+maldoc1+maldoc2/20079/

Patch For BitTorrent Traffic Amplification Bug
http://engineering.bittorrent.com/2015/08/27/drdos-udp-based-protocols-and-bittorrent/

Adobe Cold Fusion Patch
https://helpx.adobe.com/security/products/coldfusion/apsb15-21.html

Iranian Attackers Phish Google 2FA Tokens
https://citizenlab.org/2015/08/iran_two_factor_phishing/ Get a free ISC sticker (login required):
https://isc.sans.edu/sticker.html
Spotify spotify logo

Discussion

There seems to be no conclusive proof this phishing originated from "Iranian attackers".

The article linked by SANS, in turn references a report by the Israeli company Clearskysec, which in turn references a non-existent Google cache entry from Florida's College of Arts (???). See for yourselves at page 14 of http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public1.pdf (version as of today 2015-08-28).

The other "intelligence" could have been intentionally spoofed: Iranian IP addresses (botnet?), a blog in Farsi (with an English name), free Iranian hosting service (without its access logs), domain registration details (can be set/changed to anything) and lastly the phone call in Farsi... I don't always send phishing, but when I do, I always phone in my native language disclosing my nationality and leaving a voice fingerprint.

All I ask is that you please label a guess as such.
Posted by Enos on Fri Aug 28 2015, 05:28

New Discussions closed for all Podcasts older than two(2) weeks
Please send your comments to our Contact Form

Intrusion Detection In-DepthOnline | US PacificNov 16th - Nov 21st 2020
Intrusion Detection In-DepthOnline | Central European TimeNov 30th - Dec 5th 2020
Defending Web Applications Security EssentialsOnline | US EasternDec 14th - Dec 19th 2020