BDIR Podcast Episode-001

Join us for Episode-001, our guest will be:

  • Martin Brough - Manager of the Security Solutions Engineering team in the email phishing industry

Topic of the day will be:

"Credential Stealing emails what can YOU do"

Show Notes:

  • Introductions
  • Introduce our Guest
    • Martin Brough
      • Twitters - @HackerNinja
      • Blog -


  1. The Register: Perv raided college girls' online accounts for nude snaps – by cracking their security questions.  Personal info obtained to pull off 1,400 password resets. Now he's behind bars.

Powell's interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice.

Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday.

"During that time frame, those Reset Utility accesses resulted in approximately 18,600 attempted password changes in connection with approximately 2,054 unique [Pace] email accounts, and approximately 1,378 successful password changes in connection with approximately 1,035 unique [Pace] email accounts," explained FBI special agent Christopher Merriman in the complaint.

2. The Hacker News: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

The article states that “As CrossRAT is written in Java, it requires Java to be installed"  Not entirely true, as the dropper can check for java, if none is present, can download JRE and run locally or can install “jportable launcher”.

Also, it is interesting that the article calls it undetectable in the title, but then tells you how to detect it by looking for a runkey.

3. Windows 10 Creator update breaks purposefully set security tweaks

Win 10 fail Tweet.jpg

4. TrickBot

  • Artifacts

    • Delivered by a Word Doc with Macros

      • So cscript and PowerShell to grab the dropper

      • PS gets the dropper and also launches one of the batch files to load

    • Stores files in %appdata%, so Appdata Roaming\localservice

    • Some oddly named binary

    • Client_ID file

    • Group_tag file

    • A directory named Modules

    • You can see a couple batch files in %temp% and the binary before it is copied

    • Persistence is a Task called “services update”

    • Named Pipes connection for PowerShell

    • The IP it uses was a US based hosting service



  • MalPedia - reports and info on malware families and their actors and yara signatures


Topic of the DAY

Credential Stealing emails what can YOU do….

What to look for if you DON’T have a lab or also in your lab

  • Screen Shots – Good indicator a credential stealing site with an authentication page

  • Domain age - How old is the website in days or years.  Is it new? DGA (Domain Generating Algorithms)

  • Blacklists – Is the domain in any blacklists, if so, why is the SMTP gateway not catching it

  • Category – Has the site been categorized (BLOG/Malware/etc.)

  • Reputation – Is this a Bad, Neutral or Good site

  • Country – Where is this URL from

  • Alexa Rating - How known is it

Evaluating it in a Lab

  • LOG-MD Babbeeeee

Steps to take when you get a Phishing email

1.  Of course.. You get an alert of some kind or are notified

2. Get a copy of the email - You can’t evaluate it if you don’t have an actual copy, your help desk copy might not have the context correct

3.  Evaluate the URL

  • In a lab, click all the way through, login too (fake creds)
  • Or with one of the URL eval sites

4.  Block the URL - Ya need a Web Proxy of course

  • Or the IP in the firewall

5.  Monitor the IPs in log management from your firewall logs

  • Who else went there
  • You will have a HUGE gap for offsite/roaming people

6.  Consider Fast and Mass disabling of accounts

7.  Recall the message from your mail servers

  • Keep people from opening it

8.  Monitor any Internet facing non-2-Factor email logins

  • Unless you reset all your users that received the phish

9.  Monitor any Internet facing non-2-Factor VPN logins

  • Unless you reset all your users that received the phish

10.  Monitor any Internet facing non-2-Factor Cloud Storage logins

11.  Monitor any Internet facing non-2-Factor Virtual Desktop logins

12.  Monitor for password resets to make sure you got everybody

13.  Contact the sender to say you have been owned

  • Assuming you know it actually came from them.. SMTP logs

14.  Create a Report

  • What happened, how did it come in
  • What improvements can be made to avoid it
  • Improvements to monitoring or hunting

15.  Update your Email Investigation process

  • You will improve each time
  • Someone will need to do this when YOU are not at work or sleeping