The QuantumFilament hackers, or one of their customers, post fake job, real estate and car ads to Craigslist. These advertisements have the following common characteristics:
- Target audience is in Virginia, Maryland, Pennsylvania or Washington, DC
- Contains no hyperlink and no specific reply instructions
- Registers with Hotmail or Yahoo e-mail addresses
- 16 of the 20 unique Hotmail addresses ended in four digits
- All Craigslist passwords were 10 characters in length, all lowercase, seemingly random letters
Many ads appear to be copies of ads from legitimate companies. The fake ad poster periodically logged into the associated webmail accounts to check for replies to his fake Craigslist ads. In the instances in which this could be verified, no replies were ever sent by the fake ad poster. The poster simply received whatever replies he could get, the replies often including personal information and resumes. I hypothesize whatever personal information is volunteered by responders is reviewed for information that could be sold or exploited in the dark web, such as phone numbers, e-mail addresses, postal addresses, and identity information.
|Date||Title||Notes||Craigslist registration||Craigslist password|
|2015-08-19||.NET custom Developer,SSRS Report Developerfirstname.lastname@example.org||huwreslouc|
|2015-08-20||Full-Time Product Specialist – Worcester, PA||A position at Grainger Industrial Supply, a real Fortune 500 email@example.com||wriwriamou|
|2015-08-21||Accountant / Office Adminfirstname.lastname@example.org||ueagaijeac|
|2015-08-22||Microsoft Office Specialist/Quickbooks Instructor – PT||A position at ASI Career Institute, a real email@example.com||wraiheathu|
|2015-08-24||Automotive Dealership Cashierfirstname.lastname@example.org||wriwriamou|
|2015-08-25||Dining Services Captainemail@example.com||wraiheathu|
|2015-08-25||Financial Crimes Lead||A position at Barclaycard US, a large financial firstname.lastname@example.org||sofraicrio|
|2015-08-27||Kitchen Manager||A position at Del Frisco’s Grille, a restaurant chain with 22 locations email@example.com||wriwriamou|
|2015-08-28||Client Services Specialist||A position at Survivors, Inc., in Gettysburg, PAfirstname.lastname@example.org||kianicifri|
|2015-08-28||Administrative Assistant I – Immediateemail@example.com||ueagaijeac|
|2015-08-28||Spacious 1br Apartment, New Floor, Fresh Paintfirstname.lastname@example.org||uaegurioth|
|2015-08-31||Legal Secretary-Northern Virginiaemail@example.com||ueagaijeac|
|2015-09-01||Front Desk Coordinatorfirstname.lastname@example.org||roclaithou|
|2015-09-02||CamRY SHiFtKSh 2000 toYotAemail@example.com|
|2015-09-04||Renovated Home For Rent/lease, A Quiet Communityfirstname.lastname@example.org||frephaecri|
|2015-09-04||Interior Specialist Sales Associate’s – Part Time||A position at Arhaus Furniture, a real furniture store email@example.com||lotastiowr|
|2015-09-04||NICEgPrp HoNDa ciVIC LX firstname.lastname@example.org|
|2015-09-04||woRkSzCqAc CamrY 2000 sILVEr TOYotAemail@example.com|
|2015-09-06||Automotive Sales Consultant – Auto Sales Representative||A position at Frankel, a chain of car dealerships in Marylandfirstname.lastname@example.org||slacihaica|
|2015-09-06||20oo ford ranger lOwEUaXoemail@example.com|
|2015-09-06||98 jeep grand cherokee ownErzSoITfirstname.lastname@example.org|
|2015-09-06||Administrative Support Specialist Neededemail@example.com|
|2015-09-06||Senior Meeting Plannerfirstname.lastname@example.org||roclaithou|
|2015-09-07||Safe and quiet neighborhood, comprehensive list or email@example.com||jadaprouha|
|2015-09-08||Assisted Living Administrator||A position at Asbury Methodist Community, a retirement community in Marylandfirstname.lastname@example.org||pheacaeuou|
|2015-09-11||Payroll Specialist||A position at paychex, Inc., a real email@example.com||hiolabuvod|
|2015-09-12||Dining Server||A position at Brightview Senior Living, a retirement firstname.lastname@example.org||lotastiowr|
|2015-09-12||Technician / Automotive Mechanic||A position at Mercedes Benz of Owings Mills, Marylandemail@example.com||gelouuouci|
|2015-09-13||Finance & Insurance Manager / Automotive Finance Manager||A position at MileOne, Herb Gordon Volvo Subaru, a car dealership in Marylandfirstname.lastname@example.org||pheacaeuou|
|Password||Ashley Madison rank||Paypal attempts rank|
Now let’s examine the rest of the top 20 passwords tried against Paypal accounts by the QuantumFilament hackers (or someone using their network of hacked routers).
|Password||Paypal attempts rank||Ashley Madison rank|
The results don’t correlate perfectly, but it does suggest one source for the attempted Paypal logins might be the e-mail addresses and passwords of Ashley Madison users.
The QuantumFilament network logged into Skype using stolen credentials to send instant messaging spam. The spam was written in the Cyrillic alphabet, and was most likely written in the Russian language.
|Compromised usernames with passwords||623|
|Spam messages attempted||6,340|
|Spam messages rejected due to rate limiting||240|
From the perspective of the Skype administrators, the login attempts and instant messages would appear to originate from the IP addresses of QF’s hacked routers.
Here are the text of the Cyrillic alphabet instant messages:
So far, this blog has established that a group of cyber operators breaks into home and office routers, and installs software on the routers. I will provide one example of what comes next.
One of the programs installed on the routers turns the routers into a proxy. A proxy is a service that can be used to disguise the original source of network traffic.
The QuantumFilament operators, or one of their customers using QuantumFilament’s network of hacked routers, tried to log into a financial service 16,991 times. The 16,991 attempted logins used 16,971 unique user IDs. The success rate was about 1.33%.
I have contacted the financial service offering to share my information about the hacked accounts.
The financial service has an Apple iOS mobile app, and the evidence indicates the QuantumFilament hackers or customers are using the same internal API calls as the iOS mobile app to try to log into the financial service accounts. When the hacker’s program tries to log into the financial service, it sends along information about an Apple iOS device. Most likely, the programmer who built the alternative login app copied the template of the real financial service app running on a real Apple iOS device. Here is some of the information sent by the hacker’s login app, common to all 16,991 login requests.
|Operating system||Jailbreak iOS 9.1|
|Language setting||ru (Russian)|
|LAN IP address||192.168.0.102|
The original programmer who reverse engineered the internal API of the financial service likely copied the submission values from the legitimate Apple iOS app, and this iOS app was probably running on a jailbroken iPhone, located in Russia, in the Moscow time zone.
Its true. IP 126.96.36.199, registered to Serverel, made a couple thousand connections to login.live.com and http://www.outlook.com from 16:13 UTC to 21:41 UTC 25 August. Time to tell the Serverel NOC.
Update: Serverel responds:
based on information from this customer, this server is not in use and he really forgot about him. i.e. server is 100% hacked, our customer will cancel this server in few hours and we will power it off next.
Hackers thrive on accessing neglected, abandoned or forgotten computers. With the space, CPU power and bandwidth of a server, without any accountability or expense, hackers can turn forgotten servers into anything–a launching pad for more hacks, storage space for data–anything.
Today, August 25, from 1410 to 1446 UTC, an IP address registered to SERVEREL, a data center or hosting provider based in California, used the QuantumFilament proxy network to access the Tumblr blogging site. Most likely that IP address at SERVEREL, 188.8.131.52, is a third IP address at SERVEREL that has been compromised and used by the QF group. How many more IP addresses at SERVEREL have been hacked and are being abused? I could tell SERVEREL about this, but that doesn’t really solve their issue.
Update 1: Serverel has now been informed. I see activity from this Serverel IP going back to August 3. Even if QuantumFilament is kicked out of Serverel, they hhav hacked into additional data centers/hosting providers worldwide.
Update 2: Serverel writes back:
many thanks for your report. 184.108.40.206 is used by our customer since June 2012 and i think this server could be compromised. This is 100% legitimate customer.
Serverel’s emphasis is that there is a live, legitimate customer using this IP, and they don’t want administrators around the Internet to block this IP, thereby blocking the real customer’s connectivity.
Update 3: More from Serverel:
looks like this server is really in use, we ask end user to escalate this issue and find what is a reason for this report.
There are many different areas of expertise in cyber security, each area is quite important and distinct. Some people write security policies or handle communications during an incident. Others examine a hard drive and recover lost, hidden or deleted files. Others examine a suspicious binary program and can reverse engineer that program, revealing its function, algorithms and communication protocols.
My particular expertise is the examination of the recordings of traffic traveling on or through a network. Practically all activities online (e-mail, web browsing, social media and voice-over-IP, to name just a few) involve one device communicating with another device, and this traffic can be recorded and analyzed. One of the most common open source software tools to analyze recorded network traffic is Wireshark, and its command line counterpart, TShark.
TShark is very powerful because, like Wireshark, it can parse protocols such as web and e-mail and display this information. In addition, TShark’s output can be easily saved to a file. This output can then be read and processed by additional programs or scripts.
This simplified example uses TShark to read a file called “traffic”, and instructs TShark to output information about any web, e-mail or proxy activity captured.
tshark -r traffic -T fields -e frame.number -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e socks.dst -e socks.remote_name -e socks.port -e http.request.full_uri -e ssl.handshake.extensions_server_name -e imf.from -e imf.to -e imf.subject
Wireshark and TShark are critical tools for this research, so it was frustrating when TShark routinely crashed. Wireshark understands hundreds of protocols and formats used on the Internet, but doing this is not simple, and software bugs are inevitable. Still, I was very frustrated. I could try to work around the crashes, but the situation was definitely not ideal.
Wireshark is open source software, which means any volunteer can modify and fix sourcecode. But first I had to report the bug. I examined the network traffic files that crashed Wireshark, and tried to look for commonalities. I wanted to tell the Wireshark team why I thought the program crashed. Being unsuccessful, I then constructed the smallest file I could that still crashed the program, and reported the bug to the Wireshark developers.
I was convinced the crashes were due to a bug in the interpretation of the network traffic. But instead, the bug was in something more fundamental. I had discovered a bug in the part of Wireshark that managed system memory. The bug was diagnosed and fixed on the same day, and the Wireshark team issued a security advisory for this memory management bug.
I later reported a more mundane bug that was caused by misinterpretation of Internet traffic. As a result of these fixes, I have to ensure all of my computers run Wireshark 1.12.7 or later.