sábado, 26 de septiembre de 2015

Hacking Throughout Latin America

Recently I was doing some tests with the modems supplied by the ISPs in my country, specifically the model "Technicolor TC7300". This modem is provided by many companies in Colombia and throughout Latin America, and its problem is as follows:

The ISPs in Colombia always refuse to give users the password and change it themselves, supposedly for better security. However, these companies follow bad practices when choosing passwords: in some cases they use the same password for every modem across the country, in other cases the customer's identification number, and apart from that these passwords are easy to break, so the device can be attacked by brute force to obtain the password.

Just imagine a bot breaking passwords throughout Latin America, accessing the settings of every modem it compromises without permission and forwarding all ports to the victims' internal networks; after that, imagine the rest.

Passwords used by companies in Colombia are:

- CLARO:
User: admin | Pass: Uq-4GIt3M | Pass: Swe-ty65 | Pass: RdET23-10 | Pass: TmcCm-651 | Pass: Ym9zV-05n | Pass: 1234 | Pass: 12345

- UNE:
User: admin | Pass: d3c0ntr0l | Pass: Cpe04Epm | Pass: CPE# + numbers
User: gestionune | Pass: g3sti0nr3m0t4
User: admin-UN3 | Pass: CM4CC3SS

- MOVISTAR:
User: admin | Pass: 6 numbers

- ETB:
User: administrator | Pass: customer phone number
User: customer | Pass: ClienteETB + year


This PoC (Proof of Concept) requires Tor to be configured in order to run.
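To make the weakness concrete from the defender's side, here is an added audit function (not the post's PoC) that classifies an ISP-issued modem password against the patterns listed above: an ISP-wide shared default, a value copied from customer data, digits only, or a fixed prefix followed by digits. The 40-bit threshold, the helper names and the sample inputs are assumptions for illustration.

```python
import math
import re

# Brute-force search space below this many bits is treated as weak (assumed threshold).
WEAK_BITS = 40.0


def _pool_size(pw: str) -> int:
    """Rough alphabet size an attacker must cover for an unpatterned password."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 32  # printable symbols, approximate
    return pool or 1


def audit_isp_password(pw, customer_id=None, phone=None,
                       shared_defaults=frozenset(), known_prefixes=frozenset()):
    """Return weakness findings for one CPE password.

    shared_defaults: passwords the ISP reuses on every modem (supplied by the auditor).
    known_prefixes:  fixed strings the ISP prepends to digits, e.g. 'CPE#'.
    """
    reasons = []
    bits = len(pw) * math.log2(_pool_size(pw))
    if pw in shared_defaults:
        reasons.append("shared ISP-wide default: one leak exposes every modem")
        bits = 0.0  # effectively public
    if pw and pw in {customer_id, phone}:
        reasons.append("derived from customer data printed on bills and contracts")
        bits = 0.0
    if pw.isdigit():
        bits = min(bits, len(pw) * math.log2(10))  # only 10**len candidates
        reasons.append(f"digits only: {10 ** len(pw):,} candidates")
    for prefix in known_prefixes:
        if pw.startswith(prefix) and pw[len(prefix):].isdigit():
            n = len(pw) - len(prefix)
            bits = min(bits, n * math.log2(10))
            reasons.append(f"known prefix {prefix!r} + {n} digits: {10 ** n:,} candidates")
    weak = bits < WEAK_BITS
    if weak and not reasons:
        reasons.append(f"search space only {bits:.1f} bits")
    return {"weak": weak, "search_space_bits": round(bits, 1), "reasons": reasons}
```

A six-digit-only password, for instance, comes out at about 20 bits, which is why the "6 numbers" scheme above is brute-forceable even at modest request rates.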


viernes, 4 de septiembre de 2015

Threat Target: Security Researchers

Several of our researchers received these LinkedIn invitations from fake recruiter profiles; someone is mapping security researchers. I wondered who would want to target these people. A few days ago I received a fake email from fake accounts pointing to phishing sites, and I asked myself whether this could be related. I said sure: if someone is mapping security researchers' accounts, the next step is to phish them. But it is strange and needs more thorough analysis, and when I did that, deep down there is something that smells worse.


Jennifer White fake profile

Lea David fake invitation

List of fake profiles

Fake customer message

Fake customer message used for phishing

Phishing site

The WHOIS record for this phishing host was the next lead.
Well, ask Google: https://goo.gl/MV0yHr

And Google shows a list of online pharmacy and Hindu-themed sites = phishing.

And a reverse WHOIS lookup, http://goo.gl/P4Rvkx, tells me this registrant bought 17 other domains, maybe for phishing too.

Google Plus Profile

Facebook Profile

LinkedIn Profile

Phishing Site Scan Report

The next step: get in touch with GoDaddy.com's abuse address, abuse@godaddy.com, and catch this stupid guy. Good luck, idiot ;)

VirusTotal report: https://goo.gl/NnJN3E

Source article: https://labsblog.f-secure.com