
Using OSINT to determine if an actor is malicious.

Some weeks back the CTO of Cyber SOC NG posted a notification about a website spreading the Emotet banking malware. See the tweet below:

My first thought was "okay, this seems easy enough. Use domain tools, find the contact details of the web admin and tell them they've been hacked." Upon further consideration (or rather, because my curiosity got the better of me) I decided to inspect the site first. Opening the domain in a sandbox, I was greeted with the message that winkpayment "is the most reliable and fastest way to sell and buy bitcoin" (talk about irony).

This immediately changed my perspective. I started thinking: what if these guys were not victims? What better way to spread banking malware than through people buying and using cryptocurrency? To test this hypothesis, I decided to visit some more pages to see what information I could glean. I headed over to their contact page to see if I could get an address and a phone number for further research. This is where things began to get interesting. I typed their address into Google Maps but could not get a fix on it. Only the town name came up, so I had to enter parts of the address while leaving out the rest until I was able to locate the place. The problem was that the street name on the website was wrong: instead of "olabode," they wrote "lambode." See the screenshot below.

Now several questions came to mind. As a business owner, how likely is it that you would get the name of your own street wrong? I can understand that if someone asked you for your business address you might forget the street name, but to put a wrong street name on your contact page? What kind of business does that? Since this looked like more than a passing error, I copied the address exactly as it was written on the winkpayment contact page and ran a Google search. The results showed two other websites, webcurrency and cryptocoinsmart, with the same address.

A WHOIS lookup confirmed that these domains were registered by the same person as winkpayment.

So we have three different businesses using the same address, all owned by the same person or people. There could be several explanations for this, but I think it might be a variation of the multiple-domain strategy (an SEO tactic in which you register several domains to dominate a particular keyword). As for the business location, I made a phone call to another business in the building (their number was online), but they were not cooperative, so I could not ascertain whether winkpayment, cryptocoinsmart or webcurrency have a physical presence there. Considering the blunder with the street name, I doubt they operate from that location; they probably visited it and used the address to make their contact page look more "professional."

While going down the rabbit hole of finding out whether winkpayment is a scam was very tempting, my objective was to find out whether they were intentionally spreading malware. I theorized that if they were spreading the malware themselves, it would most likely be on all three sites (why put it on just one?). And if the admin's email was not in any public data dump, then he most likely has good online security habits. There are other ways his email and site could have been compromised, but I chose these two tests because they are easy to confirm via OSINT.

Testing both webcurrency and cryptocoinsmart on VirusTotal, neither domain showed signs of infection. Pasting the admin email into Have I Been Pwned and DeHashed, I got notifications that the email has been pwned and is available in certain data dumps.
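The two pivots used above (grouping domains by WHOIS registrant and spotting near-identical postal addresses, then weighing sibling-domain infection against an admin-email breach) can be scripted so the same checks run over any set of domains. The block below is an added example written for this post, not the author's own tooling. The WHOIS records, VirusTotal-style verdicts and breach results are constructed stand-ins embedded inline; the domain names, emails and addresses in them are placeholders, and the "olabode"/"lambode"-style typo is reproduced deliberately so the fuzzy address match has something to catch.

```python
import difflib
import re
from collections import defaultdict

# Constructed WHOIS-style records (placeholders, not real lookup output).
# shop-a and shop-b share a registrant email and a near-identical street
# address that differs by a typo, mirroring the situation in the post.
WHOIS_RECORDS = {
    "shop-a.example": """Domain Name: shop-a.example
Registrant Name: J. Doe
Registrant Email: admin@mail.example
Registrant Street: 12 Olabode Street
Registrant City: Ikeja""",
    "shop-b.example": """Domain Name: shop-b.example
Registrant Email: admin@mail.example
Registrant Street: 12 Lambode Street
Registrant City: Ikeja""",
    "shop-c.example": """Domain Name: shop-c.example
Registrant Email: other@mail.example
Registrant Street: 7 Broad Street
Registrant City: Lagos""",
}

# Constructed stand-ins for a VirusTotal domain verdict and a
# Have I Been Pwned / DeHashed lookup; replace with real query results.
DOMAIN_VERDICTS = {"shop-a.example": "malicious", "shop-b.example": "clean",
                   "shop-c.example": "clean"}
BREACHED_EMAILS = {"admin@mail.example": ["BreachOne", "BreachTwo"]}


def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields


def normalize_address(addr):
    """Lower-case, drop punctuation and collapse whitespace before comparing."""
    addr = re.sub(r"[^a-z0-9 ]", " ", addr.lower())
    return " ".join(addr.split())


def group_by_registrant(records):
    """Pivot: map each registrant email to the sorted list of its domains."""
    groups = defaultdict(list)
    for domain, text in records.items():
        email = parse_whois(text).get("registrant email", "").lower()
        groups[email].append(domain)
    return {email: sorted(domains) for email, domains in groups.items()}


def similar_addresses(records, threshold=0.85):
    """Pivot: report domain pairs whose registrant addresses nearly match.

    difflib's ratio tolerates a misspelt street name, which an exact
    string match (or a map search) would miss.
    """
    addrs = {}
    for domain, text in records.items():
        f = parse_whois(text)
        addrs[domain] = normalize_address(
            f.get("registrant street", "") + " " + f.get("registrant city", ""))
    pairs = []
    domains = sorted(addrs)
    for i, a in enumerate(domains):
        for b in domains[i + 1:]:
            ratio = difflib.SequenceMatcher(None, addrs[a], addrs[b]).ratio()
            if ratio >= threshold:
                pairs.append((a, b, round(ratio, 2)))
    return pairs


def assess(suspect, records, verdicts, breached):
    """Apply the post's two heuristics to one flagged domain.

    Both signals are weak on their own (a clean sibling may simply not have
    been scanned yet; absence from breach dumps proves nothing), so the
    result is a lean, not a verdict.
    """
    email = parse_whois(records[suspect]).get("registrant email", "").lower()
    siblings = [d for d in group_by_registrant(records).get(email, []) if d != suspect]
    flagged = [d for d in siblings if verdicts.get(d) == "malicious"]
    breaches = breached.get(email, [])
    if siblings and len(flagged) == len(siblings):
        lean = "likely intentional"      # same payload on every sibling
    elif not flagged and breaches:
        lean = "likely compromised"      # only one site hit, admin creds leaked
    else:
        lean = "inconclusive"
    return {"admin_email": email, "sibling_domains": siblings,
            "siblings_flagged": flagged, "breaches": breaches, "assessment": lean}


if __name__ == "__main__":
    print(group_by_registrant(WHOIS_RECORDS))
    print(similar_addresses(WHOIS_RECORDS))
    print(assess("shop-a.example", WHOIS_RECORDS, DOMAIN_VERDICTS, BREACHED_EMAILS))
```

In real use the three constructed dictionaries would be filled from actual WHOIS output and from VirusTotal and breach-lookup results; the pivots and the assessment logic stay the same. The address threshold of 0.85 is an assumption chosen for this example and should be tuned against the records at hand.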

This last piece of information swings the pendulum towards the view that it wasn't winkpayment spreading the malware. Since the admin's email was involved in a breach, there is every possibility that a malicious actor obtained his credentials, and, like most people, he probably reused the same password across different online services.

So, to answer my central question from the available data (and I am sure there would be more if I kept digging): it is very probable that winkpayment.com was hacked and the malware planted on their site. As for the legitimacy of their business operations, that is another kettle of fish.
