Chapter Twelve: Craigslist ads targeting job seekers in the mid-Atlantic

The QuantumFilament hackers, or one of their customers, post fake job, real estate and car ads to Craigslist. These advertisements have the following common characteristics:

  • Target audience is in Virginia, Maryland, Pennsylvania or Washington, DC
  • Contains no hyperlink and no specific reply instructions
  • Registers with Hotmail or Yahoo e-mail addresses
  • 16 of the 20 unique Hotmail addresses ended in four digits
  • All Craigslist passwords were 10 characters in length, all lowercase, seemingly random letters

Many ads appear to be copies of ads from legitimate companies. The fake ad poster periodically logged into the associated webmail accounts to check for replies to his fake Craigslist ads. In the instances in which this could be verified, no replies were ever sent by the fake ad poster. The poster simply received whatever replies he could get, the replies often including personal information and resumes. I hypothesize whatever personal information is volunteered by responders is reviewed for information that could be sold or exploited in the dark web, such as phone numbers, e-mail addresses, postal addresses, and identity information.

Date Title Notes Craigslist registration Craigslist password

.NET custom Developer,SSRS Report Developer

2015-08-20 Full-Time Product Specialist – Worcester, PA A position at Grainger Industrial Supply, a real Fortune 500 company wriwriamou
2015-08-21 Accountant / Office Admin ueagaijeac
2015-08-21 Executive Assistant huwreslouc
2015-08-22 Microsoft Office Specialist/Quickbooks Instructor – PT A position at ASI Career Institute, a real organization wraiheathu
2015-08-24 Automotive Dealership Cashier wriwriamou
2015-08-25 Dining Services Captain wraiheathu
2015-08-25 Financial Crimes Lead A position at Barclaycard US, a large financial institution sofraicrio
2015-08-27 Kitchen Manager A position at Del Frisco’s Grille, a restaurant chain with 22 locations nationwide wriwriamou
2015-08-28 Client Services Specialist A position at Survivors, Inc., in Gettysburg, PA kianicifri
2015-08-28 Administrative Assistant I – Immediate ueagaijeac
2015-08-28 Spacious 1br Apartment, New Floor, Fresh Paint uaegurioth
2015-08-31 Legal Secretary-Northern Virginia ueagaijeac
2015-09-01 Front Desk Coordinator roclaithou
2015-09-02 CamRY SHiFtKSh 2000 toYotA
2015-09-04 Renovated Home For Rent/lease, A Quiet Community frephaecri
2015-09-04 Interior Specialist Sales Associate’s – Part Time A position at Arhaus Furniture, a real furniture store chain lotastiowr
2015-09-04 NICEgPrp HoNDa ciVIC LX 2005
2015-09-04 woRkSzCqAc CamrY 2000 sILVEr TOYotA
2015-09-06 Automotive Sales Consultant – Auto Sales Representative A position at Frankel, a chain of car dealerships in Maryland slacihaica
2015-09-06 20oo ford ranger lOwEUaXo
2015-09-06 98 jeep grand cherokee ownErzSoIT
2015-09-06 Administrative Support Specialist Needed!
2015-09-06 Senior Meeting Planner roclaithou
2015-09-07 Safe and quiet neighborhood, comprehensive list or homes jadaprouha
2015-09-08 Assisted Living Administrator A position at Asbury Methodist Community, a retirement community in Maryland pheacaeuou
2015-09-11 Payroll Specialist A position at paychex, Inc., a real company hiolabuvod
2015-09-12 Dining Server A position at Brightview Senior Living, a retirement community lotastiowr
2015-09-12 Technician / Automotive Mechanic A position at Mercedes Benz of Owings Mills, Maryland gelouuouci
2015-09-13 Finance & Insurance Manager / Automotive Finance Manager A position at MileOne, Herb Gordon Volvo Subaru, a car dealership in Maryland pheacaeuou

The following passwords were used to log into some of the webmail accounts. The characteristics of passwords can be used to profile the user behind the activity.

  • wgijzMD22
  • bmoy2Oic5e
  • audoiv19A
  • dyYkt3ca4
  • qLRgdR44lNE
  • wgertUD44
  • erE2fs7f
  • ik4gAg5u
  • vsum0uK4c
  • uckfpJT65

Chapter Eleven: Hackers using Ashley Madison passwords to hack Paypal accounts?

Update: 14.9%, or 8,643 of the 57,819 unique e-mail addresses observed logging into Paypal, were found on Ashley madison lists. It is clear that the QuantumFilament hackers have other sources of e-mails and passwords to try on Paypal, but the Ashley Madison data, with millions of e-mail addresses and passwords, is likely being used. Users who use the same password on Ashley Madison and Paypal, and have not changed their passwords, are particularly at risk.

Original post

I was reading Andrea Peterson’s article on Ashley Madison passwords, which led me to this Ars Technica article with the top 100 passwords used on the Ashley Madison website. That inspired me to look at my data for the approximately 60,282 login attempts to Paypal, the “financial service” discussed here. From the Ars Technica article, the top 20 passwords used on Ashley Madison are:

  • 123456
  • 12345
  • password
  • 123456789
  • qwerty
  • 12345678
  • abc123
  • pussy
  • 1234567
  • 696969
  • ashley
  • fuckme
  • football
  • baseball
  • fuckyou
  • 111111
  • 1234567890
  • ashleymadison
  • password1

If we marry (pun intended) the Ashley Madison data with the Paypal data, we get some interesting results.

Password Ashley Madison rank Paypal attempts rank
123456 1 1
12345 2 4
password 3 3
123456789 5 2
qwerty 6 6
12345678 7 5
abc123 8 15
pussy 9 1,473
1234567 10 10
696969 11 1,592
ashley 12 33
fuckme 13 164
football 14 11
baseball 15 38
fuckyou 16 62
111111 17 8
1234567890 18 13
ashleymadison 19 n/a
password1 20 24

Now let’s examine the rest of the top 20 passwords tried against Paypal accounts by the QuantumFilament hackers (or someone using their network of hacked routers).

Password Paypal attempts rank Ashley Madison rank
iloveyou 7 42
123123 9 27
1234 12 n/a
000000 14 30
654321 16 26
987654 17 53
princess 18 94
Exigent 19 n/a
hongkong 20 n/a

The results don’t correlate perfectly, but it does suggest one source for the attempted Paypal logins might be the e-mail addresses and passwords of Ashley Madison users.

Chapter Ten: Target Skype (updated)

The QuantumFilament network logged into Skype using stolen credentials to send instant messaging spam. The spam was written in the Cyrillic alphabet, and was most likely written in the Russian language.

Stat Count
Usernames 5,374
Compromised usernames with passwords 623
Contacts found 6,504
Spam messages attempted 6,340
Spam messages rejected due to rate limiting 240

From the perspective of the Skype administrators, the login attempts and instant messages would appear to originate from the IP addresses of QF’s hacked routers.

Here are the text of the Cyrillic alphabet instant messages:

Continue reading Chapter Ten: Target Skype (updated)

Chapter Nine: The Russian Connection (updated)

So far, this blog has established that a group of cyber operators breaks into home and office routers, and installs software on the routers. I will provide one example of what comes next.

One of the programs installed on the routers turns the routers into a proxy. A proxy is a service that can be used to disguise the original source of network traffic.

The QuantumFilament operators, or one of their customers using QuantumFilament’s network of hacked routers, tried to log into a financial service 16,991 times. The 16,991 attempted logins used 16,971 unique user IDs. The success rate was about 1.33%.

Status Count
DENIED 14,712

I have contacted the financial service offering to share my information about the hacked accounts.

The financial service has an Apple iOS mobile app, and the evidence indicates the QuantumFilament hackers or customers are using the same internal API calls as the iOS mobile app to try to log into the financial service accounts. When the hacker’s program tries to log into the financial service, it sends along information about an Apple iOS device. Most likely, the programmer who built the alternative login app copied the template of the real financial service app running on a real Apple iOS device. Here is some of the information sent by the hacker’s login app, common to all 16,991 login requests.

Information Value
Device Apple iPhone
Operating system Jailbreak iOS 9.1
Language setting ru (Russian)
Country ru (Russia)
Time zone Europe/Moscow
Wifi network ZHK_SU
iPhone name ZHK
LAN IP address
Proxy IP
Proxy port 8888

The original programmer who reverse engineered the internal API of the financial service likely copied the submission values from the legitimate Apple iOS app, and this iOS app was probably running on a jailbroken iPhone, located in Russia, in the Moscow time zone.

Chapter Eight: Really? A fourth Serverel data center IP hacked by QF?

Its true. IP, registered to Serverel, made a couple thousand connections to and from 16:13 UTC to 21:41 UTC 25 August. Time to tell the Serverel NOC.

Update: Serverel responds:

based on information from this customer, this server is not in use and he really forgot about him. i.e. server is 100% hacked, our customer will cancel this server in few hours and we will power it off next.

Hackers thrive on accessing neglected, abandoned or forgotten computers. With the space, CPU power and bandwidth of a server, without any accountability or expense, hackers can turn forgotten servers into anything–a launching pad for more hacks, storage space for data–anything.

Chapter Seven: More trouble from the SERVEREL data centers

Today, August 25, from 1410 to 1446 UTC, an IP address registered to SERVEREL, a data center or hosting provider based in California, used the QuantumFilament proxy network to access the Tumblr blogging site. Most likely that IP address at SERVEREL,, is a third IP address at SERVEREL that has been compromised and used by the QF group. How many more IP addresses at SERVEREL have been hacked and are being abused? I could tell SERVEREL about this, but that doesn’t really solve their issue.

Update 1: Serverel has now been informed. I see activity from this Serverel IP going back to August 3. Even if QuantumFilament is kicked out of Serverel, they hhav hacked into additional data centers/hosting providers worldwide.

Update 2: Serverel writes back:

many thanks for your report. is used by our customer since June 2012 and i think this server could be compromised. This is 100% legitimate customer.

Serverel’s emphasis is that there is a live, legitimate customer using this IP, and they don’t want administrators around the Internet to block this IP, thereby blocking the real customer’s connectivity.

Update 3: More from Serverel:

looks like this server is really in use, we ask end user to escalate this issue and find what is a reason for this report.

Interlude: Finding bugs in Wireshark

There are many different areas of expertise in cyber security, each area is quite important and distinct. Some people write security policies or handle communications during an incident. Others examine a hard drive and recover lost, hidden or deleted files. Others examine a suspicious binary program and can reverse engineer that program, revealing its function, algorithms and communication protocols.

My particular expertise is the examination of the recordings of traffic traveling on or through a network. Practically all activities online (e-mail, web browsing, social media and voice-over-IP, to name just a few) involve one device communicating with another device, and this traffic can be recorded and analyzed. One of the most common open source software tools to analyze recorded network traffic is Wireshark, and its command line counterpart, TShark.

TShark is very powerful because, like Wireshark, it can parse protocols such as web and e-mail and display this information. In addition, TShark’s output can be easily saved to a file. This output can then be read and processed by additional programs or scripts.

This simplified example uses TShark to read a file called “traffic”, and instructs TShark to output information about any web, e-mail or proxy activity captured.

tshark -r traffic -T fields -e frame.number -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e socks.dst -e socks.remote_name -e socks.port -e http.request.full_uri -e ssl.handshake.extensions_server_name -e imf.from -e -e imf.subject

Wireshark and TShark are critical tools for this research, so it was frustrating when TShark routinely crashed. Wireshark understands hundreds of protocols and formats used on the Internet, but doing this is not simple, and software bugs are inevitable. Still, I was very frustrated. I could try to work around the crashes, but the situation was definitely not ideal.

Wireshark is open source software, which means any volunteer can modify and fix sourcecode. But first I had to report the bug. I examined the network traffic files that crashed Wireshark, and tried to look for commonalities. I wanted to tell the Wireshark team why I thought the program crashed. Being unsuccessful, I then constructed the smallest file I could that still crashed the program, and reported the bug to the Wireshark developers.

I was convinced the crashes were due to a bug in the interpretation of the network traffic. But instead, the bug was in something more fundamental. I had discovered a bug in the part of Wireshark that managed system memory. The bug was diagnosed and fixed on the same day, and the Wireshark team issued a security advisory for this memory management bug.

I later reported a more mundane bug that was caused by misinterpretation of Internet traffic. As a result of these fixes, I have to ensure all of my computers run Wireshark 1.12.7 or later.