Saturday, February 15, 2014

ICUTV



Russia, China + others attack America + her Allies relentlessly and continuously...

Phishing, spoofing, identity theft (impersonation), espionage, terrorism, radicalization, industrial sabotage, financial theft, ransomware, malware, denial of service attacks, bullying, blackmail, revenge porn, sextortion, extortion, hate crimes, child pornography, child grooming, pedophilia, stalking, human trafficking, copyright infringement, piracy, theft of intellectual property, social engineering, information warfare (propaganda), cyber-warfare... jeeezze, I know, right....

*Cyber-enabled attacks are exacting an enormous toll on American businesses, government agencies, and families. Computer intrusions, cyber-crime schemes, and the covert misuse of digital infrastructure have bankrupted firms, destroyed billions of dollars in investments, and helped influence operations designed to undermine fundamental American institutions.

*https://www.justice.gov/cyberreport (downloads a PDF file)

Communication, commerce, and government are just a few aspects of our daily lives that have been forever changed, and in many ways made more convenient, by computers, but these same advancements also afforded new tools for the technologically savvy criminal. Such crimes as terrorism, espionage, financial fraud, and identity theft have long existed in the physical (analog) realm but are now also perpetrated in the cyber domain. One such clever subterfuge is steganography, the practice of concealing a PDF file, text message, image, or video within another file, message, image, or video. That particular method of obscuration is exemplified by a technique the 9/11 terrorists used to coordinate autonomous international communications.

As more nation-state sponsors of terrorism and advanced persistent threats effectively exploit this new frontier, their abuse of the internet and technology adds layers of complexity that cannot be effectively overcome through the efforts of any single agency or intelligence alliance.

[Image: highlighted world map of the Five Eyes agreement]

We live in a super-advanced era in which we possess virtually limitless access to an instantaneous abundance of knowledge and art. However, this exhaustive trove of information comes with a vicious caveat: a dark side. Certain players have the capability to comport themselves behind a mask of anonymity (proxy servers, VPNs, hacking); this quasi-autonomy enables sophisticated criminals to ostensibly (seemingly) operate with impunity. I regularly use a VPN (virtual private network) on principle. Both VPNs and anonymisers allow a user to appear as if they were connecting to the internet from another location. Irrespective of that, any activity (data) that is flagged as legally actionable, or of some valid, serious intelligence concern, may subject any ISP to a subpoena requiring logs that pertain to identifying and authenticating internet traffic in an investigation; this is why a VPN is not completely inviolable. Privately co-keyed* end-to-end encryption is necessary for entirely secret communications. (*encryption keys)

Thought crimes (an idiotic, fascistic proposition) are the primary evidentiary transgressions sought after by autocratic, totalitarian, despotic governments, where all beliefs and non-beliefs are their ultimate objective. Anonymity and privacy cannot be illegal! Data mining is a foregone conclusion, and personal info is tracked, sold and monetized. One semi-solution to this 'targeted marketing' dilemma is to opt out of providing your IP (Internet Protocol) address, a numerical computer identifier. Until the marketeers enlisting your data sets of demographic tracks (the commercialized history of your web browsing) devise a way to reimburse you, it's only fair to exert ownership over what is rightfully yours. Similarly, you have the right to be registered on a do-not-call list, and thereby you may also choose to opt out and effectively reduce annoyances like spam and potentially dangerous email traps. In China, and soon all of Russia, it will be unlawful to exercise any fully determinative control over your internet privacy and the solemn right to seclude and exclude oneself from spying and eavesdropping.

These privacy and personal safety measures are largely forbidden and regarded with suspicion in non-democratic countries and police states. Observation by surveillance cameras is increasing exponentially as facial recognition algorithms become almost ubiquitous (virtually everywhere). Images and sounds are instantly sifted, time-stamped, categorized and integrated with law enforcement and numerous intelligence agencies from public-facing cameras and sensors: ATMs, markets, malls, buses, traffic cameras, fuel stops, airports, phones, smart cars, Skype, web cams, public buildings, and any concurrent CCTV.

A.I. (artificial intelligence) paired with biometric technologies records time, location (triangulation), voice prints, ambient audio, retinal scans, and body temperature (thermographic cameras), perceives duress from expressions, and recognizes and assigns identity from mannerisms, posture, gait, cadence, and demeanor. It can also predict behavioral outcomes based upon previously detected (observed) activities; OOB requests.

Democracies must ensure that their citizens have consistent access to the internet all of the time, and that their privacy is assured, guaranteed, and respected, so they may express themselves freely, safely, and without suspicion, fear of reprisal, retaliation, or some ridiculous scheme of social grading by an impersonal, unaccountable informant minion of a fascist state. Nothing could be more un-American.

All personal beliefs and rights are sovereign, constitutionally protected freedoms (speech); therefore, by logical extension, they also pertain to lawful, electronically conveyed communications. Americans possess the right to securely, safely, and privately control whatever entities they may deem necessary to receive lawful authenticating information for personal and private transactional purposes, in perpetuity.

In the USA, citizens are presumed innocent until proven guilty. Government integrity and culpability for personal and private civil liberties are the very basis for universal human rights. United States citizens uphold freedoms with the foremost importance and significance. Independence, a free press and free thought are inexorable core principles of a vital, constantly renewing democracy. Many Americans fail to understand that complete constitutional liberties are full rights within one's properties and dwelling, and that in itself is being called into question in this young, evolving 21st century.

These are a few reasons all people everywhere should be thoroughly knowledgeable of methods for reporting and recognizing vulnerabilities and contributing to the mutual protection of families, neighbors, businesses, government and worldwide civic and civil institutions.

E-mailing (electronic mail) is the most prominent function that exposes us to exploitation on the net. Generally the average user cannot resist the attraction of some 'come-on' that promises something 'too good to be true' and appeals to a subject of their interest. Tailored, individuated targeting is the primary art and craft spammers and identity thieves employ to exploit the naïveté (limited awareness) of a neophyte or the gullibility of the unsuspicious. This form of masquerading utilizes and takes advantage of a mutual language, circumstance, personal interest, underage innocence, race or nationality.

Crime utilizing familiarity and exploiting commonality (traits, customs, native language) most often targets undocumented citizens, who are at an enormous disadvantage in resorting to the force of law to report abuse and protect themselves and others from harm. This is particularly true of immigrant communities, as they have less confidence in and familiarity with our laws and systems, and they may be more accepting of such practices depending on norms in their country of origin. Undocumented citizens are especially susceptible and vulnerable to this manner of exploitation because of language limitations that complicate a non-native speaker's ability to clearly determine intent. Trickery and guile are rife on the web, and we must learn to recognize them. These links (addresses) are provided so we may educate and inform one another regarding methods to detect abuse and, if necessary, anonymously report it.

Spoofing refers to emails or web sites that use convincing presentations showing familiar trademarks and trade names unique to the respective institutions they attempt to imitate. They are commonly used to trick users into revealing passwords or other compromising personal information. These deceptive practices include acts of forgery. This is the typical ploy of an ID thief seeking an identity to use while impersonating someone. In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage. Some hackers also use individuated penetrations to store portions of aggregated data on many separate computers; this compartmentalization conceals and collates the scattered code synchronizing DDoS attacks arranged through daisy-chained machines: the use of a large number of infected devices that leave web-facing devices and applications slow or unresponsive.

How spear phishing works: firstly, criminals need some inside information on their targets to convince them the e-mails are legitimate. They often obtain it by hacking into an organization's computer network, or sometimes by combing through other websites, blogs, and social networking sites. Subsequently they send imitative e-mails offering all sorts of urgent and legitimate-sounding explanations as to why they need your personal data. Finally, the victims are asked to click on a link inside the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.

Spear phishing can also trick you into downloading malicious code or malware after you click on a link embedded in the e-mail or website. Malware can also hijack your computer, and hijacked computers can be organized into enormous networks called botnets that can be used for DDoS and other coordinated swarming attack vectors.

Spoofing is a beguiling variant of deceit regarded as artifice (deceptive artistry), employed by the con artist to incorporate seemingly authentic-appearing documents that compel you to believe they are from legitimate sources. This scamming is also a tactic in phishing emails designed for the acquisition of personal information to be used in an attempted usurpation (appropriation) of one's identity via fraud, misrepresentation, coercion and extortion.
  
Phishing by sexual predators is technically psy-ops (psychological operations): a designed procedural access point to compromise unwitting participants. Generally predators are working schemes on gaming sites, dating sites, Craigslist, social networking, pornography sites, Facebook, Twitter, Internet Relay Chat (IRC), etc. Other such predators actually have discussions in online criminal forums. These and many other venues, too numerous to cite, are considered "mines" for (personalized) data that criminals use to manipulate victims. They are targetable resources for child grooming, a method employed to gradually coerce minors by acquiring compromising information such as: 1) personal comments, 2) contact numbers, 3) personal photographs, 4) videos, 5) hang-outs, 6) school schedules, 7) friends, 8) what parents and siblings do, 9) church attendance, 10) where they are, 11) vacation times, 12) jobs, 13) timelines they keep... et cetera. Anybody asking this sort of question is not a friend. Aside from being a potential sexual predator, they could be a modern thief casing and scouting (phishing) a burglary site or plotting some other home invasion scenario.

Phishing criminals, or imposters, are extremely adept at how they ply their digitized craft, a modern form of counterfeiting. Although an email may have convincing brands and logos, proper language usage, and a seemingly valid email address, that does not mean it's legitimate. Be skeptical when it comes to your email messages: if it looks even remotely suspicious, don't open it, put it in the trash, and then empty the trash. Emptying the trash folder, this subsequent (secondary) trashing procedure, permanently removes copies from your email server. If these actions fail to remove all email, then consult your preference settings, or consult technical support from your ISP (Internet Service Provider).

Often these imitative schemes apply a variety of tactics to gain people's trust and confidence. By registering website domain names that are difficult to distinguish from the companies they are attempting to imitate, a crafty, decoying artistry (fraud) is undertaken...
*Sometimes, the malicious domain created to host a data-snarfing script mimics the host domain by referencing a doppelganger (double) Web site name. For example, check out the source code for the e-commerce site bargainjunkie-dot-com and you’ll notice at the bottom that it pulls a malicious script from the domain “bargalnjunkie-dot-com,” where the “i” in “bargain” is sneakily replaced with a lowercase “L”.  *KrebsOnSecurity©

Some of those emails arrive with malware attachments that could possibly replicate images of a victim's desktop or transmit keylog information, a hacker trick for nabbing passcodes. These sorts of spycraft usually require the victim to load and activate some script or some extenuating burrowing software program, or possibly lead them to a site or link that compels them to download a program ultimately constructed to assume control over BIOS settings.

As digital tools that gather cellphone data for tracking children, friends, and lost phones have multiplied in recent years, so also have the options for people who abuse the technology to track others without consent. These technical and legal ambiguities have created an environment in which tools and apps are marketed for both legal and illegal uses, without apparent repercussion. Exercise caution and use apps that feature two-step authentication.

To report spam and phishing, simply resend the email with the header copied onto the top of your report. In an e-mail, the body (content text) is always preceded by an unseen header that identifies particular routing information of the message, including the sender, recipient, date and subject. All email programs contain similar and different features, but the headers are universal and remain the same, irrespective of operating system.

In many cases, sending the email with the header attached to the systems administrator (sysop) can minimize some of these spooks. This is not the case in every instance; if the 'abuse@(address)' message bounces back or returns to sender, search your site of interest for more specific addresses.

Report a phishing email via Gmail:
1. Go to Gmail.
2. Open the message.
3. Next to Reply, click the Down arrow.
4. Click Report phishing.

How to Protect Against the Major Source of Cyberattacks: Email Threats
Actionable Intelligence Counters Ever-Evolving Attacker Tactics

Impersonation attacks such as business email compromise (BEC) and CEO fraud are a serious—and effective—threat. Yet, for many organizations, email remains a blind spot in their overall security strategy, because they mistakenly view email security lapses as an inconvenience rather than a serious threat. Even though 91% of cyber incidents stem from email, spending on email security remains only a fraction of a company's overall security spend, indicating a sizable gap between the perceived and actual risk to organizations.

The losses are significant. According to CSO's 2018 Global State of Information Security Survey, organizations suffered a loss of intellectual property as well as financial losses, and in 22% of the compromises, ransomware was implanted on systems.

Although phishing awareness training reduces risk, trusting that people will change their behavior goes only so far in securing business email. Unless organizations can protect the integrity of their email, they can't defend against these increasingly prevalent threats. To have an advantage over threat actors, stop threats and secure customer environments, email security solutions must be built on the most up-to-date and reliable threat intelligence.

To both detect and block malicious emails as they emerge, a multipronged strategy that includes FireEye Email Security is a smart option. This enables organizations to benefit from threat intelligence gained through covert engagement with hackers, to track the main threat actors in nation-states, and to observe attacker behavior patterns. Access to advanced threat intelligence enables the platform to quickly recognize and respond to high-priority threats and to continually evolve as new tactics emerge.
Email's Evolving Threat Landscape
Increasingly, spear-phishing and impersonation email attacks are becoming more sophisticated, making them difficult to detect. When emails evade detection, they land in a user's inbox. "Many companies are still under the misconception that spam is the greatest email risk. What they don't realize is that breaches most often start with an email," says Ken Bagnall, vice president of email security at FireEye.

The very high return on investment that attackers see with CEO fraud, where attackers impersonate executives to fool finance or human resources staff into making wire transfers or releasing confidential information, has spawned a new wave of threats. Says Bagnall, "The threats that have proven so successful are continuing to evolve into more-widespread, distributed attacks." FireEye's Email Threat Report for January–June 2018 affirmed that email is every organization's biggest vulnerability. Trending of late have been malicious but malware-less attacks.
Spear-Phishing, Impersonation, and Malware-less Attacks
What were once highly targeted attacks of CEO fraud have evolved into more-pervasive types of impersonation attacks. Using confidential information obtained through spear-phishing campaigns, cybercriminals leverage impersonation attacks to trick a user into a fraudulent act that seems innocent, like paying a bogus invoice, rather than delivering malware. These malware-less attacks work well, because the message appears to have been sent from a trusted source.

The tactic is growing more common as well as more personalized. In fact, it's become so commonly used that 90% of the emails blocked by FireEye were malware-less attacks that evaded anti-spam security solutions. To make the emails appear more legitimate, attackers are wrapping their phishing emails into impersonation packages to get a higher rate of success.

Attackers have also expanded the use of domain fraud for spear-phishing, using typosquatting—spelling a trusted domain name with an additional character, such as FiireEye.com, to trick the user's eye. Threat actors also employ homoglyphs to manipulate the domain name, changing a letter to a number or using a different letter or alphabet, as in FlreEye.com.
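The look-alike domains described above (FiireEye.com, FlreEye.com) and the bargalnjunkie domain quoted earlier from KrebsOnSecurity can be caught mechanically. The following is an added example, not FireEye's or KrebsOnSecurity's code: it folds confusable characters onto the letter a reader would see, then compares a sender or link domain with a trusted list; the trusted domains and the sample inputs are constructed for illustration.

```python
"""Flag domains that impersonate a trusted domain by typosquatting or homoglyphs.

Added example (not FireEye's or KrebsOnSecurity's code). The trusted-domain
list and the sample domains below are constructed for illustration.
"""
from __future__ import annotations

import unicodedata

# Two-character sequences that read as a single letter; folded first.
MULTI_CHAR = {"rn": "m", "vv": "w"}

# Single characters folded onto the letter a reader perceives. Both the trusted
# domain and the candidate go through the same folding, so "l", "1" and "i"
# become identical and "bargalnjunkie" collides with "bargainjunkie".
SINGLE_CHAR = {
    "l": "i", "1": "i", "|": "i", "!": "i",
    "0": "o", "3": "e", "5": "s", "8": "b", "9": "g",
    # Cyrillic letters that look like Latin ones (IDN homograph domains)
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def skeleton(domain: str) -> str:
    """Return the 'what the eye sees' form of a domain."""
    d = unicodedata.normalize("NFKC", domain.strip().rstrip(".").lower())
    for seq, letter in MULTI_CHAR.items():
        d = d.replace(seq, letter)
    return "".join(SINGLE_CHAR.get(ch, ch) for ch in d)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 catches FiireEye.com vs fireeye.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, trusted: list[str], max_edits: int = 1) -> tuple[str, str | None]:
    """Classify a domain relative to a trusted list.

    Returns ("trusted", t) for t or any subdomain of it, ("homoglyph", t) when
    the folded forms match, ("typosquat", t) when within max_edits of t,
    otherwise ("unknown", None).
    """
    d = domain.strip().rstrip(".").lower()
    trusted = [t.lower() for t in trusted]
    for t in trusted:
        if d == t or d.endswith("." + t):
            return ("trusted", t)
    labels = d.split(".")
    for t in trusted:
        # Compare only the registrable tail: "login.flreeye.com" -> "flreeye.com"
        tail = ".".join(labels[-(t.count(".") + 1):])
        if skeleton(tail) == skeleton(t):
            return ("homoglyph", t)
        if levenshtein(tail, t) <= max_edits:
            return ("typosquat", t)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample: two trusted brands and six observed domains.
    TRUSTED = ["fireeye.com", "bargainjunkie.com"]
    for seen in ["mail.fireeye.com", "FiireEye.com", "FlreEye.com",
                 "bargalnjunkie.com", "fireey\u0435.com", "example.org"]:
        verdict, match = classify(seen, TRUSTED)
        print(f"{seen:22} -> {verdict:10} {match or ''}")
```

Run it over the sender domain of each inbound message and over every link host in the body; anything other than "trusted" or "unknown" deserves a quarantine or a warning banner.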
Threats in Mobile
The proliferation of mobile technology has led to increased risks with email security. "Seventy percent of emails are answered on a mobile device, which shows how attackers have evolved their techniques to align with how we use technology," Bagnall says. Instead of showing the sender's full email address, email clients show only a display name. Criminals are leveraging the inherent trust users have, knowing that when users see a boss's or colleague's name, they trust the source.
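The routing information carried in an email's hidden header (sender, recipient, Received chain), described earlier on this page, is exactly what a mobile client hides behind a display name. The following is an added example, not FireEye's code: it parses a raw message with Python's standard email module and reports when a display name belongs to a known executive but the address does not, when Reply-To steers replies to another domain, or when a message claiming an internal sender entered through an outside host. The internal domain, the executive directory and the three sample messages are constructed.

```python
"""Check raw email headers for display-name deception and mismatched routing.

Added example (not FireEye's code). The internal domain, the executive
directory and the sample messages below are constructed for illustration.
"""
from __future__ import annotations

import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                     # assumed: our own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: display name -> real address

# Constructed sample 1: free-mail account wearing the CEO's display name.
FREEMAIL_IMPERSONATION = b"""Received: from mail-out.free-mailer.example (mail-out.free-mailer.example [203.0.113.7])
    by mx.example.com with ESMTP id abc123
    for <bob@example.com>; Mon, 05 Feb 2018 09:12:03 +0000
From: "Jane Doe" <jane.doe.ceo@free-mailer.example>
Reply-To: <payments@other-mailer.example>
To: bob@example.com
Subject: Quick request
Date: Mon, 05 Feb 2018 09:11:50 +0000

Are you at your desk? I need a favour.
"""

# Constructed sample 2: genuine internal message, relayed by an internal host.
LEGITIMATE = b"""Received: from corp-mail.example.com (corp-mail.example.com [192.0.2.10])
    by mx.example.com with ESMTP id def456
    for <bob@example.com>; Mon, 05 Feb 2018 10:00:00 +0000
From: "Jane Doe" <jane.doe@example.com>
To: bob@example.com
Subject: Board agenda
Date: Mon, 05 Feb 2018 09:59:40 +0000

Agenda for Thursday is attached.
"""

# Constructed sample 3: spoofed internal From address, delivered from outside.
SPOOFED_SENDER = b"""Received: from mail-out.free-mailer.example (mail-out.free-mailer.example [203.0.113.7])
    by mx.example.com with ESMTP id ghi789
    for <bob@example.com>; Mon, 05 Feb 2018 11:30:00 +0000
From: "Jane Doe" <jane.doe@example.com>
Reply-To: <jane.doe.ceo@free-mailer.example>
To: bob@example.com
Subject: Quick request
Date: Mon, 05 Feb 2018 11:29:10 +0000

Please reply to this message, I am travelling.
"""


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def findings(raw: bytes) -> list[str]:
    """Return reasons the message looks deceptive; an empty list means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    out: list[str] = []

    # 1. Display name belongs to an executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        out.append(f"display name {name!r} belongs to {expected} but address is {addr}")

    # 2. Replies are steered to a domain other than the visible sender's.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_domain:
        out.append(f"Reply-To {reply} is on a different domain than From {addr}")

    # 3. Claimed internal sender, but the earliest Received hop is an outside host.
    #    Each relay prepends its Received header, so the last one is nearest the origin.
    received = msg.get_all("Received") or []
    if from_domain == INTERNAL_DOMAIN and received:
        m = re.search(r"\bfrom\s+([\w.-]+)", str(received[-1]), re.IGNORECASE)
        origin = m.group(1).lower() if m else ""
        if not (origin == INTERNAL_DOMAIN or origin.endswith("." + INTERNAL_DOMAIN)):
            out.append(f"From claims {INTERNAL_DOMAIN} but first hop was {origin or 'unknown'}")
    return out


if __name__ == "__main__":
    for label, sample in [("freemail", FREEMAIL_IMPERSONATION),
                          ("legitimate", LEGITIMATE), ("spoofed", SPOOFED_SENDER)]:
        print(label, findings(sample) or ["clean"])
```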

Ransomware and Malware
To evade detection, attackers continuously modify their tactics, which is why spikes in phishing attacks occur at different times of year. For example, last April saw an uptick in the number of W-2 fraud attacks, where fraudsters gained employee information in order to file fake tax returns. Although the threat of clicking on a malicious attachment is still a tactic used in email attacks, only 10% of blocked email attacks contained some sort of virus, ransomware, worm, or Trojan horse.
Email Security Is More Than Basic AV/AS
As threats have evolved, so too have the solutions that protect against them. Antivirus and anti-spam tools remain critical in email security, but consolidating these capabilities with an advanced threat protection solution has advantages.

"Companies need to combine the knowledge of the general anti-spam part of the service along with the impersonation and advanced threat information. They have to feed the information to each other to protect against these types of blended attacks," Bagnall says.

A consolidated email security platform also plays into the overall security strategy of the organization by delivering the important information from these email attacks to the security platform. This gives the SOC team a picture of what attacks are coming in and whether any are getting through. "It provides analysts with information about emails they can use to see if the same URLs discovered in malicious email traffic are posing a threat elsewhere in the organization," Bagnall says.

Choosing the Best Email Security Platform
Because an organization can be compromised even if only a single fraudulent email gets through, malicious emails need to be blocked before they get to the user. FireEye Email Security leverages frontline expertise that protects against zero-day and unknown threats. Continuously evolving as new tactics emerge, the platform seamlessly integrates into other solutions and protects the broader environment.

With the flexibility to deliver a full secure email gateway or an additional layer that defends against advanced threats, FireEye Email Security is flexible and adaptable. Contact us to learn which email security products are right for you.
For more information, go to www.fireeye.com/email
Sponsored Content. IDG Communications, Inc.
Fighting Cyberattacks: Be as Relentless and Innovative as the Enemy
Constant Evolution Key to FireEye's Success
Cybercrime has become one of the most lucrative industries in the world. Recently the White House estimated that cybercrime cost the U.S. economy between $57 billion and $109 billion in 2016 alone.[1] With the majority of these crimes originating from email, cybercriminals have created a business of designing email attacks that trick users into giving away corporate credentials, finances, and assets.

As with any other business, cybercriminals are constantly innovating and evolving their tactics in hopes of increasing their rate of success and ROI. This has created an environment where it is hard for even the most educated employees to keep up with the threats they face every day in their inbox.

It's not only employees who are having issues identifying these threats, however. Traditional email security solutions rely on a new attack variant to be seen and a signature to be created before they are able to block it. To bypass these services, cybercriminals have begun crafting malware-less threats such as impersonation attacks and delayed phishing attacks. Impersonation attacks such as CEO fraud often contain no malware or URLs, so there is nothing to create a signature for. This enables cybercriminals to send out the same attack to multiple targets with little chance of detection.

Powered by threat intelligence shared across the FireEye ecosystem, FireEye Email Security does not rely solely on signatures. Instead Email Security employs a combination of behavior-based tools, filters, and algorithms that work together to identify difficult-to-detect threats such as W-2 fraud and other malware-less threats.

Unlike impersonation attacks, phishing attacks often do contain URLs, giving the attacker a small window of opportunity for success before the URL is identified as malicious and is blocked. To increase the length of concealment for these URLs, cybercriminals are now delaying the launch of the linked malicious site until after the attack reaches an employee's inbox. This tactic works because the email security solution doesn't perceive the linked site as being dangerous until the malicious aspect is launched.

Email Security with Advanced URL Defense is able to defend against these delayed attacks by supplying customers with time-of-click protection via consistent monitoring. URLs are extensively analyzed not only before they are sent through, but also consistently as they wait in the inbox, enabling Email Security to identify a malicious link no matter how long the attack has been sitting in an employee's inbox.

[1] https://www.whitehouse.gov/articles/cea-report-cost-malicious-cyber-activity-u-s-economy/
The best way for organizations to protect themselves and their assets from such threats is to employ a security company that is as dedicated to stopping these attacks as cybercriminals are in sending them. Much like the attacks it stops, FireEye Email Security is consistently evolving. Utilizing a combination of frontline experience, industry-leading threat intelligence, and award-winning innovative tools, Email Security is able to defend against known as well as unknown attack tactics and techniques that other solutions miss.
That is why Lagardère Travel subsidiary Lagardère Travel Retail Italy contacted FireEye when it began facing a significant amount of spear-phishing and other malicious attacks hidden within its average of 350,000 to 365,000 messages per day.

"We wanted to add an extra layer of security to ensure that we weren't vulnerable to expensive and potentially crippling advanced attacks from spear-phishing, malicious URLs, ransomware, or zero-day exploits," said Alberto Signor, vice president of information and communication technologies at Lagardère.

After a one-month proof of value that showed that the solution was effective and easy to manage, the team confirmed that Email Security – Cloud Edition was able to drastically reduce the levels of spear-phishing emails that reached employees. FireEye detected encrypted threats at both the file and text level for added security, and because Email Security – Cloud Edition was deployed in active blocking mode, it was successful at keeping significant threats out of the environment entirely. The FireEye solution also quarantined a daily average of 50 malware attempts, instances that previously had gone unchecked past the existing email security product.
"Email Security – Cloud Edition helps us protect our business by providing an intelligent solution that monitors and contains the threats, spam, potential viruses, and malware instances we were experiencing," said Signor.

With its email now secured by Email Security – Cloud Edition, the IT team was able to contain the email-borne threats that too often impacted employees using standard Microsoft Office 365 tools. Having this kind of threat prevention enables the company's 1,500 employees to work securely and with the confidence that their email messages no longer had any potential to inflict damage.

FireEye offers both Email Security – Cloud Edition and Email Security – Server Edition to fit any organization's email security needs.
About FireEye
FireEye is the intelligence-led security company. Working as a seamless, scalable extension of customer security operations, FireEye offers a single platform that blends innovative security technologies, nation-state grade threat intelligence and world-renowned Mandiant® consulting. With this approach, FireEye eliminates the complexity and burden of cyber security for organizations struggling to prepare for, prevent and respond to cyber attacks.
FireEye, Inc.
601 McCarthy Blvd. Milpitas, CA 95035 408.321.6300/877.FIREEYE (347.3393) info@FireEye.com

© 2018 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.
Protecting Against Account Takeover Based Email Attacks
Executive Summary
The onslaught of targeted email attacks such as Business Email Compromise, spear phishing, and ransomware continue uninterrupted, costing organizations of all types and sizes billions of real dollars lost1. Cybercriminals know that employees are the weak link in an organization and need only to convince these targets that
they are someone who should be trusted to achieve success. In terms of methods used to deceive employees, email spoo ng and display name deception have been the “go-to” techniques. However,

Security leaders charged with reducing this risk need to factor in yet another form of email-based identity deception tactic. According to recent Agari research, there has been a 126% increase of targeted email attacks that exploits Account Takeovers (ATO).
Prior to 2017, concerns over ATO-based email attacks were virtually non-existent. However, in early 2017, the Google Docs ATO Worm Attack2 brought a spotlight to the problem when it struck over a million users in only a few hours. Most recently, a new Osterman Survey3 found that 44% of organizations were victims of targeted email attacks launched via a compromised account in the past 12 months.
As these attacks continue to rise, organizations should be evaluating whether their existing email security controls can analyze, detect, and block ATO-based email attacks. This report discusses a typical ATO-based email attack flow, why they are effective, and why organizations should be placing a high priority on stopping these attacks in 2018 and beyond. Finally, the paper will introduce the latest Agari Enterprise Protect release and explain how its core Agari Identity Intelligence™ technology has been enhanced to stop ATO-based email attacks.
WHAT DOES A TYPICAL ATO-BASED EMAIL ATTACK LOOK LIKE?
Callout: 126% (percentage increase in number of attacks)
An Account Takeover (ATO)-based email attack is the process of gaining unauthorized access to a trusted email account, and using this compromise to launch subsequent email attacks for financial gain or to execute a data breach. Since ATO-based attacks originate from email accounts of trusted senders, traditional security controls cannot detect such attacks. Moreover, given the pre-existing trust relationships, launching a targeted attack such as a Business Email Compromise from such an account increases the likelihood that the attack will succeed. Account Takeover-based email attacks rely on leveraging a compromised account or endpoint as a launchpad for a targeted email attack such as Business Email Compromise. To achieve this goal, cybercriminals follow the process below:
1 | www.agari.com
Step 1: Gain Account Access
The attacker attempts to gain access to a user account by launching a spear phishing or malware-based email attack. Alternatively, with the proliferation of data breaches, he may simply purchase email account credentials from the dark web at a reasonable price.

Step 2: Establish Account Control
The attacker establishes persistent control of the account without alerting the victim or any security personnel. For example, the attacker may implement the following:
1. Create audit rules to delete his own malicious email activity.
2. Set up forwarders to silently monitor user communication.
3. Augment password change processes to maintain password control.
The longer the attacker controls the account, the more information can be gathered, and the higher the degree of mission success.

Step 3: Conduct Internal Reconnaissance
The attacker conducts internal reconnaissance to determine how the compromised account can be exploited. For example, the attacker may use a set of manual or automated scripts to determine the following:
  • Does the compromised account or user credentials give direct access to monetizable data, either locally or on other systems?
  • Can the victim’s contacts be exploited to achieve the final mission of financial fraud or data exfiltration?
  • Can the victim’s contacts be exploited to compromise other high value accounts?
Additionally, the attacker may lie dormant, observing email communication between the original account owner and their contacts with plans to eventually hijack the conversation.

Step 4: ATO-based Attack
If the attacker determines that assets can be retrieved directly from the account, he will immediately move to Step 5. Otherwise, the attacker will launch a targeted email attack against the contact list of the controlled account. The type of targeted email attack will depend on the previous reconnaissance and could consist of a Business Email Compromise to extract funds or a spear phishing campaign to gain a deeper foothold into the organization.

Step 5: Complete Mission
Depending on the targeted email attack, the attacker will move to exfiltrate the sensitive information or funds, or repeat the ATO process if user account credentials were requested.
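The persistence tactics in Step 2 (silent forwarders and rules that delete the attacker's own traffic) leave artifacts in the victim's mailbox configuration, and reviewing mailbox rules is one of the cheapest checks a security team can run. The following is an added example, not code from the Agari paper or its product: it scans a list of mailbox rules for those indicators. The rule records are constructed, and their field names are an assumed, simplified schema rather than any mail platform's real API or audit-log format; the internal domain and keyword list are assumptions as well.

```python
"""Flag mailbox rules that match the ATO persistence tactics in Step 2:
external forwarders and rules that delete or hide mail.

Added example, not part of the Agari paper. The rule records are
constructed and the field names are an assumed simplified schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed internal domain(s); forwarding anywhere else counts as external.
ORG_DOMAINS = {"zyx-inc.example"}

# Subjects an intruder tends to filter so the account owner never sees
# replies to fraudulent mail or security notices about the account (assumed list).
SUSPICIOUS_KEYWORDS = {"password", "invoice", "wire", "payment",
                       "fraud", "suspicious", "sign-in", "hacked"}


@dataclass
class MailboxRule:
    user: str                                   # mailbox owner
    name: str                                   # rule name shown in the mail client
    forward_to: List[str] = field(default_factory=list)
    delete: bool = False                        # rule deletes matching mail
    move_to: str = ""                           # destination folder, "" if none
    match_keywords: List[str] = field(default_factory=list)  # subject/body filter


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def assess_rule(rule: MailboxRule) -> List[str]:
    """Return the ATO indicators a single rule trips (empty list if none)."""
    findings: List[str] = []

    # Step 2 indicator: a forwarder that copies mail outside the organization.
    external = sorted(a for a in rule.forward_to if is_external(a))
    if external:
        findings.append("external forward to " + ", ".join(external))

    # Step 2 indicator: deleting or hiding mail that matches sensitive keywords.
    hits = sorted({k.lower() for k in rule.match_keywords} & SUSPICIOUS_KEYWORDS)
    if hits and (rule.delete or rule.move_to):
        action = "deletes" if rule.delete else f"hides in '{rule.move_to}'"
        findings.append(f"{action} mail matching {hits}")

    # A delete rule with no filter removes every incoming message.
    if rule.delete and not rule.match_keywords:
        findings.append("unconditional delete of all incoming mail")

    return findings


def scan_rules(rules: List[MailboxRule]) -> Dict[str, List[str]]:
    """Map '<user>/<rule name>' to its indicators; clean rules are omitted."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = assess_rule(rule)
        if findings:
            report[f"{rule.user}/{rule.name}"] = findings
    return report


# Constructed sample: two benign rules and two that match the Step 2 tactics.
SAMPLE_RULES = [
    MailboxRule("todd@zyx-inc.example", "Vendors to folder",
                move_to="Vendors", match_keywords=["statement"]),
    MailboxRule("todd@zyx-inc.example", "Copy to assistant",
                forward_to=["assistant@zyx-inc.example"]),
    MailboxRule("todd@zyx-inc.example", "Backup",
                forward_to=["t0dd.k@webmail.example"]),
    MailboxRule("todd@zyx-inc.example", "cleanup",
                delete=True, match_keywords=["Invoice", "wire", "password"]),
]

if __name__ == "__main__":
    for key, why in scan_rules(SAMPLE_RULES).items():
        print(key, "->", "; ".join(why))
```

In practice the rule list would be pulled from the mail platform's administrative API or audit log and the scan run on a schedule, with any hit routed to the incident queue alongside the account's recent sign-in activity.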
WHY ARE ATO-BASED EMAIL ATTACKS SO EFFECTIVE?
Based on internal research, Agari has seen a 126% increase month-over-month in early 2018 alone. The data was observed from Agari Enterprise Protect, an advanced email threat solution that filters email traffic after it has been scanned by a Secure Email Gateway (SEG). As part of the analysis, Agari analyzed over 1400 messages considered untrusted over a two month period.
The reasons come down to 2 distinct adversary advantages:
1. Legitimate or established email accounts do not need to leverage impersonation techniques such as domain spoofing or display name deception to bypass email security controls.
2. Previously established trust relationships between the original user and their contact make targeting and convincing the contact to give up sensitive data or release funds a significantly easier task.
However, not all ATO-based email attacks are the same, and the effectiveness will depend on the type of compromised account used in the attack. According to the same research, Agari determined that there are 4 account types used in ATO-based attacks.
  • Stranger - attacks using any legitimate email account of individuals unknown to the recipient (strangers) to boost reputation and leverage trusted infrastructure.
  • Employee webmail - attacks using personal webmail accounts (e.g. Gmail, Yahoo, Hotmail) of employees known to the recipient to exploit trust.
  • Trusted third parties - attacks using supply chain vendor accounts of individuals known to the recipient to launch spear phishing campaigns.
  • Insider business accounts - attacks that use employee corporate accounts of individuals known to the recipient to execute BEC or invoice scams.
Additionally, based on customer feedback, attacks launched from a known employee webmail or insider business account had the highest chance of success. The good news is that the large majority of today’s attacks are still only using stranger email to launch attacks.
Note: No insider business account-based attacks were observed during the observation timeframe.
As attackers become more adept at identifying and compromising specific employees to target their own organizations, the effectiveness of ATO-based email attacks and the real dollars lost associated with these attacks will be sure to rise.
HOW CAN I PROTECT MY ORGANIZATION AGAINST THESE ATTACKS?
ATO-based email attack protection should be added to the email security layer and integrate machine learning models to detect attacks originating from all 4 compromised account types.
Consider the following example:
Fig 2. Describes an example ATO-based email attack.
At first glance, the email does not look malicious. In fact, the email originates from an account of a real user, the recipient is a known contact, the subject matter in the communication is relevant, and the communication between Todd and Steve is expected. There is no way Steve could know that this email is from a cybercriminal using Todd’s compromised account. Additionally, traditional security controls predicated on first detecting an occurrence of bad behavior cannot detect such attacks: after all, this email originates from the legitimate user account of a trusted sender.
To detect this attack, consider a next generation solution that integrates machine learning models to analyze three key elements of an email communication: Identity, Behavior, and Trust. Imagine a solution that can integrate the following:
1. Identity Mapping: This process would help determine a perceived identity of the sender. In the simplest view, the process could use the following identity markers to map the message to a previously-established identity or organization.
Fig 3. Identity markers mapped to the likelihood of each identity class (Finance Executive, Todd Koslowsky, ZYX Employee). Based on the mapping, the perceived identity is derived as Todd Koslowsky, CFO of ZYX Inc.
2. Behavioral Analytics: Given the perceived identity, the message could then be evaluated for anomalies relative to the expected sender behavior. Feature classes associated with the behavior could include but not be limited to the following:
  • Tracking the consistency, timing, and volume of messages sent by this identity
  • Tracking all email addresses and 3rd party services associated with this identity
  • Tracking how long this identity has been in existence and sending email
  • Tracking the types of email artifacts or subject matter commonly sent
Referring back to the example, a simple analysis of one factor would be to determine whether the timeframe in which the email was sent is typical of the user’s normal behavior. Note that the email was sent at 3:00 AM; Todd Koslowsky never sends email at that time, which could be an ATO indicator.
3. Trust Modeling: Finally, to further ensure accuracy as the identity of the sender is confirmed and behaviors relative to that identity tracked, the next phase would be to determine whether the communication from the sender is expected by the recipient. This modeling is a critical component in determining whether the recipient would actually open and take the requested action within the message. Sources of this modeling could include:
  • Previous email traffic seen between identities
  • Frequencies of interactions and responsiveness
  • Historical organization-specific communications
    Below is an example of the mapping between Todd’s communication relative to Steve and all other organizations.
Figure: mapping of Todd’s communication with Steve and with other organizations, including AGARIDATA.ATLASSIAN.NET, GOOGLE.COM, SYMANTEC.COM, EBAY.COM, ORACLE-MAIL.COM, PAGERDUTY.COM, ZOOM.US, HOTMAIL.COM, SALESFORCE.COM, MICROSOFT.COM, DOCUSIGN.NET, and GMAIL.COM.
Adding the dimension of Trust, the analysis could be further expanded. For example, based on historical communication, Todd and Steve’s communication is expected, but the significant delays in Todd’s responses are not. That Todd sent the email at 3:00 AM, when the last communication was at 2:00 PM the previous day, could indicate that an attacker is attempting to hijack the conversation.
Taking these inputs from each dimension, a final score could determine whether the attack is indeed an ATO and allow organizations to enforce policies to block this attack before it makes it into the end-user’s inbox.
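To make the three dimensions concrete, here is an added example (not Agari’s code or model) that scores the Todd-to-Steve message from the scenario above: identity mapping resolves the sender to a known identity, behavioral analytics checks whether the 3:00 AM send time and the recipient are normal for that identity, and trust modeling compares the reply delay against the pair’s history. The send history, the reply-delay history, the identity record, the risk curves, the weights and the blocking threshold are all constructed or assumed for illustration; a real system would learn them from traffic.

```python
"""Score an inbound message on identity, behavior and trust.

Added example, not Agari's code. The history, the "Todd" identity record,
the thresholds and the weights are constructed or assumed.
"""
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Set, Tuple

# Assumed identity record built from previously observed mail.
KNOWN_IDENTITY = {
    "name": "Todd Koslowsky",
    "addresses": {"todd.koslowsky@zyx-inc.example"},
}

# Constructed send history for that identity: (sent_at, recipient).
HISTORY: List[Tuple[datetime, str]] = [
    (datetime(2018, 3, d, h), "steve@zyx-inc.example")
    for d, h in [(5, 9), (6, 14), (7, 10), (8, 16), (12, 11), (13, 15), (14, 9), (15, 13)]
] + [
    (datetime(2018, 3, d, h), "cfo-team@zyx-inc.example")
    for d, h in [(5, 17), (9, 8), (12, 18)]
]

# Constructed: hours Todd normally takes to answer a message from Steve.
REPLY_DELAYS_HOURS: List[float] = [0.5, 1.0, 2.0, 0.75, 3.0, 1.5]

# Assumed weights for the final score and the decision threshold.
WEIGHTS = {"identity": 0.30, "behavior": 0.35, "trust": 0.35}
BLOCK_AT = 0.5


def map_identity(from_addr: str, display_name: str) -> Tuple[str, float]:
    """Identity mapping: resolve the sender to a known identity.

    Returns (identity label, identity risk 0..1). Mail from one of the
    identity's own addresses maps cleanly (risk 0); a matching display name
    on a foreign address is the display-name deception case (risk 1);
    anything else is an unknown sender (risk 0.5, assumed).
    """
    if from_addr.lower() in KNOWN_IDENTITY["addresses"]:
        return KNOWN_IDENTITY["name"], 0.0
    if display_name.strip().lower() == KNOWN_IDENTITY["name"].lower():
        return KNOWN_IDENTITY["name"] + " (display name only)", 1.0
    return "unknown", 0.5


def behavior_risk(sent_at: datetime, recipient: str) -> float:
    """Behavioral analytics: is the send time and recipient normal for this identity?"""
    hours_seen: Set[int] = {ts.hour for ts, _ in HISTORY}
    # Time-of-day check: any historical send within +/- 1 hour of this one?
    near = {(sent_at.hour + d) % 24 for d in (-1, 0, 1)}
    time_risk = 0.0 if hours_seen & near else 1.0
    # Recipient check: has this identity ever mailed the recipient before?
    recipients_seen = {r.lower() for _, r in HISTORY}
    recipient_risk = 0.0 if recipient.lower() in recipients_seen else 1.0
    return 0.7 * time_risk + 0.3 * recipient_risk  # assumed weighting


def trust_risk(sent_at: datetime, last_inbound_at: datetime) -> float:
    """Trust modeling: is the reply delay in this thread normal for the pair?

    Risk rises linearly once the delay exceeds twice the historical median
    and saturates at ten times the median (assumed curve).
    """
    typical = median(REPLY_DELAYS_HOURS)
    delay_h = (sent_at - last_inbound_at) / timedelta(hours=1)
    return min(1.0, max(0.0, (delay_h / typical - 2.0) / 8.0))


def score_message(from_addr: str, display_name: str, recipient: str,
                  sent_at: datetime, last_inbound_at: datetime) -> Dict:
    """Combine the three dimensions into a final score and a verdict."""
    identity, id_risk = map_identity(from_addr, display_name)
    parts = {
        "identity": id_risk,
        "behavior": behavior_risk(sent_at, recipient),
        "trust": trust_risk(sent_at, last_inbound_at),
    }
    final = sum(WEIGHTS[k] * v for k, v in parts.items())
    return {"identity": identity, "components": parts, "score": final,
            "verdict": "block" if final >= BLOCK_AT else "deliver"}


# The paper's scenario: mail from Todd's real account at 3:00 AM answering a
# message Steve sent at 2:00 PM the previous day (dates constructed).
ATO_MESSAGE = dict(from_addr="todd.koslowsky@zyx-inc.example",
                   display_name="Todd Koslowsky", recipient="steve@zyx-inc.example",
                   sent_at=datetime(2018, 3, 20, 3, 0),
                   last_inbound_at=datetime(2018, 3, 19, 14, 0))

# A normal exchange for contrast: a 10:00 AM reply one hour after Steve wrote.
NORMAL_MESSAGE = dict(ATO_MESSAGE, sent_at=datetime(2018, 3, 20, 10, 0),
                      last_inbound_at=datetime(2018, 3, 20, 9, 0))

if __name__ == "__main__":
    for label, msg in (("ATO scenario", ATO_MESSAGE), ("normal", NORMAL_MESSAGE)):
        print(label, score_message(**msg))
```

Note the design point the scenario illustrates: the identity dimension contributes nothing here because the mail really does come from Todd’s account, so the verdict has to be carried by the behavior and trust dimensions. A system that stops at sender authentication would deliver this message.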
A NEW APPROACH: AGARI ENTERPRISE PROTECT
Agari Enterprise Protect leverages Agari Identity Intelligence™, an advanced artificial intelligence and machine learning system that ingests data telemetry from more than two trillion emails per year to model email senders’ and recipients’ identity characteristics, behavioral norms, and personal, organizational, and industry-level relationships.
Agari has integrated updates to its core Agari Identity Intelligence machine learning algorithms to model ATO-based behavior. When a message is received it is subjected to the following phases of analysis and scoring:
1. Identity Mapping – Determines the perceived identity of the sender, mapping the sender to a previously-established sender/organization or a broader classification.
2. Behavioral Analytics – Given the derived identity, the message is evaluated for anomalies relative to the expected sender behavior, such as whether the sender has ever interacted with the recipient, whether the content or structure of the message sent by the sender is expected, or whether the frequency and timing of the message are normal. Any anomalies are treated as suspicious.
3. Trust Modeling – Finally, the final phase determines if communication from the sender is expected by the recipient. The closer the relationship, the less tolerance for anomalous behavior because of the greater impact of the attack. Ultimately the system models interaction - how often the sender/recipient interact and whether the responsiveness and timing of responses between the two are normal.
4. Identity Intelligence Scoring – The final Identity Intelligence Score of a message is a combination of the features and indicators of the 3 phases that determines whether the attack is indeed originating from an Account Takeover-based compromised account.
To support this modeling, Agari has leveraged the elasticity enabled by its cloud-native architecture to drive over 300 million daily model updates, allowing the system to maintain a real-time understanding of this type of email behavioral pattern.
Agari Enterprise Protect is the first to model the four types of account takeover behavior: stranger email, employee webmail, trusted third party, and insider business accounts.
How Agari Enterprise Works
Agari Enterprise Protect deploys as a lightweight sensor either on-premises or in the cloud to integrate with the existing Secure Email Gateway (SEG). Working as the last line of defense, Agari EP receives all messages considered clean by the SEG and analyzes the messages for the existence of ATO threat signals. Upon confirmation that the message is a malicious ATO email, security operations teams can configure policies to immediately block or quarantine the message. Finally, email forensic information can also be extracted via email alerts or API for further incident investigations, including assisting in recovering or taking down the compromised account.


CONCLUSION
The right strategy to protect against Account Takeover-based email attacks is at the email gateway and existing security solutions should be evaluated to meet the following:
  1. Ability to enforce policies to prevent targeted and scattershot phishing attempts intending to steal credentials or compromise the endpoint.
  2. Ability to enforce policies to prevent targeted email attacks launched via a compromised user account, e.g., spear phishing, BEC, or ransomware.
  3. Provide email forensic intelligence that exposes the compromised email account details to help security teams return these accounts to their rightful owners.
Given the effectiveness of Account Takeover-based email attacks and the lack of protections, attackers will be highly motivated to increase their attack rate in the coming year. Organizations must place a higher priority on re-evaluating whether their existing controls can protect against this attack category, or risk becoming the next victim.
  1. Internet Crimes Report 2016: https://pdf.ic3.gov/2016_IC3Report.pdf
  2. Agari BEC Attack Report: https://www.agari.com/resources/whitepapers/bec-report/
  3. Google Docs Attack: https://www.agari.com/google-docs-account-take-over-worm/
  4. Osterman Research Report - Protecting Against Phishing, Ransomware, & BEC Attacks: https://www.agari.com/resources/whitepapers/email-threat-trends/

Thieves and Geeks: Russian and Chinese Hacking Communities
By Winnona DeSombre and Dan Byrnes
Recorded Future
CTA-2018-1010
CYBER THREAT ANALYSIS
Scope Note: Recorded Future’s Insikt Group analyzed advertisements, posts, and interactions within hacking and criminal forums to explore the capabilities, cultures, and organization of Chinese and Russian hacking communities. Sources include the Recorded Future product, as well as Russian and Chinese personas created by Recorded Future to interact with actors on these forums.
This report will be of greatest interest to organizations seeking to understand the criminal underground to better monitor industry- and company-specific threats, as well as to those investigating the Russian or Chinese criminal undergrounds.
Executive Summary
When researchers primarily focus on items being sold on dark web markets, many gloss over the various types of communities that reside within the forums themselves, either focusing solely on Russian hacking collectives or not talking about forum members at all. This can cause readers to assume that the “hacker community” is an amorphous collective of individuals transcending borders and cultures. Quite the opposite — each country’s hackers are unique, with their own codes of conduct, forums, motives, and payment methods. Recorded Future has actively analyzed underground markets and forums tailored to Russian and Chinese audiences over the past year and has discovered a number of differences in content hosted on forums, as well as differences in forum organization and conduct.
Key Judgments
  • Both Russian and Chinese forums host a wide variety of international content. While it is uncommon for Russian forums to advertise data dumps from Russian companies, data dumps and malware originating from Chinese companies are usually only found on Chinese forums.
  • Chinese speakers are active on Chinese, English, and Russian forums, while few to no Russian or English speakers use Chinese forums.
  • Although current Chinese posts on non-Chinese forums are tailored to Chinese buyers, Recorded Future assesses with low confidence that Chinese buyers are beginning to bring services, data, and malware once unique to Chinese forums to a more international audience.
               www.recordedfuture.com | CTA-2018-1010 | 
                           CYBER THREAT ANALYSIS
  • Russian forums will likely continue to provide content to a wide set of buyers on the internet in order to generate as much revenue as possible.
  • Russian forums are more tailored to business transactions, while Chinese forums instead focus on building the Chinese hacking community. Both communities sell goods and services for regional users, although this is far more prevalent on Chinese forums.
  • Hacktivism originating from China as a result of politically sensitive international events has continued even after the dissolution of the original patriotic hacking groups and is likely to continue in the future.
Analysis
Russian Forums — Thief Spirit
Chinese and Russian hacker groups, while emerging from similarly authoritarian countries, have very different origin stories and operate in different ways. Russian-speaking cybercriminals hold one thing above all else: money. Although sophisticated cybercrime is a trademark of the former Soviet Bloc, the financially-motivated cyber underground has much of its roots in the United States.
In 2000, the underground forum Counterfeit Library emerged as one of the first carding and fraud forums for English speakers.[1] Russian speakers, upon discovering Counterfeit Library, wanted their own version, and responded with the “Odessa Summit.” This summit brought together a group of around 20 of the most premier Ukrainian fraudsters, who later became the founders of the Russian-language “Carders Alliance,” or simply CarderPlanet.[2] CarderPlanet implemented a hierarchy of moderators and vetted all vendors before allowing them to sell any dumps, CVVs, fulls,[3] SSNs, eBay accounts, magnetic stripe encoders, or skimmers — all the staple products of the carder community.
Following the lead set by CarderPlanet, the English-speaking world responded with ShadowCrew, another carding forum catered to Western fraudsters with the professionalism and structure of the Russian-speaking underground.[4] Later, in 2005, the opening of CardersMarket allowed Western and Eastern fraudsters to conduct business with each other in the same forum.[5]
[1] Poulsen, K. Kingpin. Broadway Books. 2011.
[2] Ibid.
[3] Personally identifiable information used for financial fraud.
The homepage of the original fraud and carding forum, Counterfeit Library.
During these early years in the formation of the cybercriminal underground, much of the activity surrounding credit card fraud, phishing, spamming, and the like was conducted by Americans. This is evidenced by the number of big busts and takedowns, such as Operation Firewall, Operation Shrouded Horizon, and the DarkMarket takedown, which dismantled many of the serious Western carder communities.
In Eastern Europe, technology use spread more slowly, and it took more time for internet connectivity and the personal computer to become ubiquitous in the republics and federations of the former USSR. The well-educated and underpaid citizens of these countries turned to crime against the West because they had the technical skills and needed the money. This is evidenced in the explosion of the types of scams, fraud, and malware launched by Russians in the early 2000s. For example, “Webmaster” forums such as Crutop and Master-X emerged with a focus on driving traffic to countless niche porn sites. Rogue pharmaceutical affiliate programs (or “partnerkas”) such as GlavMed and Rx-Promotion paid affiliates to spam out ads for erectile dysfunction medications and antidepressants. Pyotr Levashov, also known as Severa, operated rogue antivirus partnerkas, referral programs that deceived victims into buying useless software claiming to clean up infected computers, in addition to spreading the infamous Waledac and Kelihos botnets. The JabberZeuS Crew, the Business Club, and other crime rings collectively pocketed over $200 million from U.S. and U.K. financial institutions using Evgeniy Bogachev’s ZeuS banking trojan before law enforcement could put a stop to it. These are only a small fraction of the cyber underground’s economic success stories, and there is little indication of it slowing down.
[4] Poulsen, K. Kingpin. Broadway Books. 2011.
[5] Ibid.
Current Landscape
Russian forums leave very little room for socializing or camaraderie. These sites are places of business, not bastions for community. Respect and trust are built on successful financial transactions, and the reliable, consistent forum members rise to the top of their trade, while those with lesser consistency are given poor ratings. Members with poor ratings or bad reviews often end up on the forum’s blacklist and can be sentenced to a role as a “kidala” or “ripper,” meaning an individual who rips off others. There are no apprentices in this corner of the dark web, and few Russian forum members are willing to teach anyone anything without clear financial benefit.
Despite being focused on business, successful members offer useful tools and good customer service. Carders who deal in bulk and provide good customer service, such as refunding declined credit cards in a timely manner, are preferred and rewarded with loyal buyers for as long as the supply lasts. Sellers of trojans and spam services give out holiday discounts, and bulletproof hosters pay referral bonuses to any existing customers who send them new business. These actors operate with the financial wit of the major corporations they themselves so often target.
Kidala is a website dedicated entirely to tracking the rippers of the criminal underground — 15,839 and counting.
There have been multiple instances of Russian hackers engaged in patriotic, vigilante activity, such as the cyberattacks against Estonia, Georgia, and others deemed personae non gratae by the Russian Federation. According to a study by Arbor Networks titled “Politically Motivated Distributed Denial of Service Attacks,” the pro-Kremlin youth group Nashi was allegedly involved in a DDoS attack against Estonia after a Soviet monument was removed.[6] There was also a DDoS bash script made publicly available on the Russian blogging site LiveJournal whose function was to ping flood a list of Estonian IPs, allowing the less technical actors to get into the fight. The study also found that during the brief Russo-Georgian war, a DDoS attack was launched in sync with Russian tanks from various BlackEnergy-based botnets. One source claims that the spammer, Peter Levashov (Severa), sent out spam messages slandering the Kremlin and Mikhail Prokhorov, and recruited hackers to the “Civil Anti-Terror” community, which targeted Islamist and Chechen-separatist websites.[7] Other, more verifiable accounts of Kremlin-backed hackers include Karim Baratov and Alexsey Belan, who were recruited by the FSB to orchestrate the Yahoo breach beginning in 2014.
[6] Nazario, Jose. Politically Motivated Denial of Service Attacks. 2008.
[7] Shnygina, Anna. “‘It’s our time to serve the Motherland’ How Russia’s war in Georgia sparked Moscow’s modern-day recruitment of criminal hackers.” 2018.
Chinese Forums — Geek Spirit
Unlike Russia’s underground hacking community, many of China’s first hackers rallied around patriotism.[8] Much of this sentiment originated from China’s national determination to never relive its “century of humiliation” from the late 1800s and early 1900s, during which it was coerced by other great powers into unequal treaties, concessions, and a forced opium trade.
China’s first hacker groups emerged in the late 1990s, triggered by anti-Chinese riots in Indonesia. Chinese netizens expressed outrage at the international community for treating their fellow citizens with contempt and set up discussion boards, social media groups, and bulletin board systems to plan defacements against Indonesian government websites. Many of these boards evolved into the first Chinese hacking groups: the Green Army, China Eagle Union, and Hongke (or Honker) Union. These groups all contributed to early internet defacements, DDoS attacks, and credential thefts targeting the U.S. and other Chinese adversaries. One such attack was in May of 2001, when the Hongke Union famously DDoSed the White House site and targeted websites of U.S. businesses in retaliation for the collision between a U.S. spy plane and a Chinese fighter jet off of Hainan Island that occurred a month earlier.
[8] Henderson, Scott J. The Dark Visitor. 2007.
Defacement of a U.S. website by Hongke (or Honker) Union group.
While all three of these original groups have either shut themselves down, splintered, or faded away, this initial wave of cyber patriotism enabled a robust government-hacker relationship in China. Individuals have been recruited into government positions from Chinese technical forums, and many famous old-school hackers now run large cybersecurity and technology firms in China’s flourishing cybersecurity market while maintaining excellent business relationships with the Chinese government. Numerous Chinese cybercriminals have also admitted to contracting their services to national intelligence agencies and military organizations like the Ministry of State Security or the People’s Liberation Army.
Although many have also been turned into security news forums, patriotic hacking sites do still exist. Historically, Chinese hacktivist activity tends to increase noticeably whenever geopolitically sensitive events occur in the East Asian region. Chinese hacktivist groups have reemerged to deface sites in countries involved in disputes with China over islands in the South and East China Seas. In 2012, 300 Japanese organizations were listed as targets for defacement on the message board of a Hongke Union-affiliated web page (eight years after the Hongke Union’s leaders had officially called for the group’s disbandment) to proclaim Chinese sovereignty over the Diaoyu Islands, a subject of intense diplomatic dispute between China and Japan during that time.
A new hacktivist group, 1937CN, initially compromised websites in Vietnam in May 2014 after Vietnamese outrage over a Chinese oil rig deployed in Vietnamese territorial waters. After primarily defacing websites in the Philippines in late 2015, 1937CN famously compromised the check-in systems at multiple major Vietnamese airports in July 2016, exposing the personal data of approximately 411,000 passengers in the process. This was allegedly a patriotic response to Vietnam’s relocation of missile launchers to disputed islands in the South China Sea.
It is difficult to determine how independently these hackers are acting. Malware found during the 1937CN’s Vietnamese airport compromise has been linked to wider, possibly state-sponsored cyberespionage campaigns against Vietnamese organizations. However, the group also seems to contain elements of hacktivism. 1937CN has a Zone-H web defacement account, various social media accounts linked to their website, and even a promotional video consisting of multiple hooded individuals wearing Guy Fawkes masks, uploaded to a popular video-sharing site in July 2017.[9] Additionally, the Chinese government took down 1937CN’s website in March 2017, which it has done in the past to websites of other Chinese hacker groups that too aggressively pursue perceived slights to China’s reputation.
Current Landscape
Chinese forum members feel an overwhelming sense of community online. The term “geek spirit” (极客精神) is used to denote forum culture and refers to groups of technical individuals who hope to create a more ideal society. Many of these forums require members to engage with a post, either through a comment or personal message, before being able to purchase or trade malware. Daily interaction on a forum can also be a prerequisite for maintaining forum membership or a way to generate in-forum currency — money specifically held inside the forum used to buy products and added to by outside sources such as Bitcoin and Alipay.
[9] While also known as the symbol of international hacking collective Anonymous, the Guy Fawkes mask was popularized by the 2005 film V for Vendetta, widely thought to be banned in China until 2012.
This required social interaction with other forum members builds community; comments within forums range from slang praising the tools written by advertisers, to messages thanking the seller outright. In addition, Chinese hackers advertise applications for apprenticeship programs on similar forums, where a more experienced hacker will teach an apprentice for a fee, dividing work among members based on skill level. Potential hackers will also ask for tutelage to get more involved in the community. This willingness to teach and social engagement is in stark contrast to the norms on Russian language forums that we detailed above.
Forum post requiring a “回复,” or reply, before a user can gain access to software that copies digital signatures.
Encouraging replies on a forum thanking a user for sharing a custom tool.
Organization of Russian Underground Forums
The social dynamics within the Russian criminal forums are fairly compartmentalized and professional. This is exemplified by the fact that Russian fraudsters and Russian hackers largely operate on different forums. Fraud and carding forums are focused on the sale of stolen financial information, while hacking forums have more of a focus on malware, exploits, and other technical tools. Among general hacking forums, three main tiers of forums have evolved: open, semi-private, and closed. Open forums are largely available to all users, requiring only a functional email account for registration. Semi-private communities have some threshold for entry, such as a $50 registration fee or proof of membership on other boards. The administrators of more prestigious “closed” forums require those applying for membership to prove the authenticity of the illicit services they offer and/or require current forum members to vouch for them. Other forums like Exploit require users to have a certain number of posts to see more sensitive content.
Historically, these forums have been accessible on the clearnet, but many have adopted Tor mirrors as both a backup and a separate means of access for those without virtual private networks (VPNs). The forum administrators for Verified moved to Tor entirely in 2018 due to difficulties staying online on the clearnet, cycling through multiple top-level domains and hosts. Other criminal resources, like the carding shop Joker’s Stash, have adopted blockchain DNS, utilizing a decentralized approach to their carding operation and resilience against traditional takedown efforts.
Banner ads posted in English and Russian from the forum Korovka.
Russian fraudsters and hackers do not rely on the traditional banking system to facilitate payments. Some of the original digital currency systems, like the now defunct E-gold, ePassporte, and Liberty Reserve, required little more than a valid email address to transfer stolen money into usable bank accounts and debit cards. For well over a decade, WebMoney was the go-to method of payment on the Russian forums, but Recorded Future has observed a substantial decline in its use since the rise of cryptocurrency. Presently, Bitcoin, Monero, and other cryptocurrencies have been widely adopted on the Russian underground forums, and a cottage industry of cashout services has cropped up to exchange those coins into dollars or rubles. Money laundering operations like Fethard and ChronoPay are also used on top of cryptocurrencies, as these operations utilize an ever-changing network of banks and front companies to cover the final destination of currency used in illicit transactions.
Russian cyber outlaws must abide by an unwritten law if they wish to remain in front of their computer screens rather than in front of a judge at the Moscow City Court: do not target citizens of the Commonwealth of Independent States (CIS). While Eastern Bloc cybercriminals have been known to test their malware on the domestic population before turning their cyber weapons toward Western targets, offenders who do more than just testing are quickly arrested. Dmitry “Paunch” Fedotov used his Blackhole exploit kit to spread multiple forms of malware internationally, but was only arrested when he started spreading malware for the Carberp gangs, who made their living targeting Russian citizens. Pavel Vrublevsky, owner of the Russian payment processing service ChronoPay, provided money laundering and logistical services for illegal pharmaceutical sales and rogue antivirus without Russian government intervention, but he was arrested after ordering a DDoS attack on the rival Russian payment processor Assist. Recorded Future has seen, and still sees, many Russian hackers who specifically state that their malware is not to be used against Russians or members of the CIS.
Organization of Chinese Underground Forums
Chinese hacker groups are organized in notably different ways from their Russian counterparts, partially due to China’s strict censorship regime. The Golden Shield Project, or what would later become known as the “Great Firewall of China,” has been run by China’s Ministry of Public Security since 2000. The project was initially conceptualized to promote the adoption of advanced technology to strengthen central police control, responsiveness, and crime-fighting capacity. However, much of the project evolved over time to focus on content filtering for Chinese individuals through IP blocking, IP address misdirection, and data filtering as internet adoption spread quickly throughout China.
The Great Firewall blocks websites, apps, social media, emails, messages, VPNs, and other internet content determined by the Chinese state to be inappropriate or offensive. For Chinese hackers, this often makes searching for foreign hacking content or illegal content for sale difficult. Additionally, the Great Firewall has multiple methods to identify outgoing Tor connections and shut down use of the Tor network, where many underground forums and marketplaces reside. One of the only consistent ways to “跳墙” (literally “jump the wall,” that is, get past the Great Firewall) is for Chinese citizens to use a VPN.
However, as of 2017, China’s Ministry of Industry and Information Technology (MIIT) requires VPN providers in China to be licensed by Chinese officials, and has subsequently shut down many VPNs it claimed were “unauthorized.” This further stunts the ability of Chinese hackers to anonymously search the web or find international hacking sources. Because jumping the Great Firewall is so difficult, far fewer Chinese forums or marketplaces are hosted on Tor than their Russian or English counterparts; instead, Chinese hackers have developed their own communities based loosely on their original domestic patriotic hacking groups, and have set up a wide variety of lower-level hacking forums easily available on the Chinese internet.
In addition to these online communities, many hackers heavily utilize invite-only chat groups or forums within Chinese social media apps QQ, Baidu, and WeChat. However, native Chinese chat groups and forums are also heavily censored and occasionally shut down by the Chinese government. The government has shut down multiple hacking and fraud sites in the past for various legal reasons. Some QQ groups still advertised on dark web sites are no longer accessible, and searches for Tieba bars that housed known hacker activity also show up as banned. Furthermore, because the Chinese government has historically driven hacking activity through both formal and informal channels, many Chinese forum members are fully aware of the consequences of acting outside that informal agreement and usually stay away from targeting systems within their homeland.
Onion site showcasing a QQ group that no longer exists.
Many Chinese entry-level forums also do not use Bitcoin due to China’s de facto ban of cryptocurrencies. China banned domestic initial coin offerings (ICOs) in September 2017, is actively blocking foreign cryptocurrency exchanges from domestic access, and has prevented Chinese financial institutions from conducting any Bitcoin transactions since 2013. To address the difficulty of obtaining Bitcoin in China, Chinese forums accept payments such as Alipay or Chinese bank transfers. Members can also generate forum currency by interacting with posts.
Admin post on Chinese forum stating that the forum accepts payments through Alipay, WeChat, QQ, online banking, and PayPal. A forum member has the option to share this post on multiple Chinese social media outlets.
Chinese forums are also usually not as compartmentalized as their Russian counterparts, and are more community focused than business focused. Fraudsters and exploit writers will often use the same forums (albeit advertising their wares in different channels within the forum), and Chinese marketplaces dedicated to specific items like drugs or pornography will also contain a “hacker” section. Additionally, many underground forums for erotic content will also advertise “cracked web cameras,” cameras in bathrooms or bedrooms that have been broken into by amateur hackers. Member accounts on many forums have also been somewhat gamified: Chinese accounts are sometimes associated with levels, numbers correlated with how often an account logs onto a forum, the number of sales posts from an account, and whether the account has ever violated any forum rules. In this way Chinese forums encourage users to interact and share more online. This is similar to Russian forums, which require a user to surpass a set number of forum posts in order to view certain content. However, while both Russian and Chinese forums offer VIP-only channels and content as rewards for consistent forum interaction, Chinese forums also offer in-forum currency, as mentioned above.
Menu of drug website with a section for “hackers” next to sections for mushrooms and LSD.
In general, Chinese forums and marketplaces are organized similarly to the three tiers (open, semi-private, and closed) of Russian forums. As with Russian forums, the quality and complexity of the products sold on the more open forums are usually not as good as products on their closed counterparts. This is usually due to the difference in vendor sophistication and reliability. Forums in both languages also contain an administrator-verified “blacklist” section, where individuals can post proof that a vendor has provided a faulty or deliberately false product or service. This usually provides a good enough deterrent against unreliable vendors. The forums with higher barriers to entry usually result in more experienced vendor membership simply by having a vetting process. While most vetting processes are explicit — paying a forum admin, proving access to other forums, or having an existing forum member sponsor the new member — some Chinese forums also have implicit vetting processes. For example, many Chinese hacker QQ group and WeChat group numbers are advertised on semi-private forums, meaning that one must have been pre-vetted by a different forum prior to gaining access to the group itself.
Another implicit vetting process a Chinese forum can employ is to simply host the forum on Tor. Many Chinese forums hosted on Tor only require an email for registration, but all Chinese users must be able to jump the Chinese firewall and understand how to find the forum in order to register. This likely contributes to why most users of these forums are more technical than users on the Chinese clearnet.
Content in Russian Underground Forums and Marketplaces
Malware
Malware on Russian forums has rapidly evolved, but forum tradecraft has largely stayed the same. Ransomware, loaders, trojans, exploit kits, installs, spam bots, web traffic, forged documents, money mules, bank accounts, and credit cards are all still present and accounted for; they just look a bit different. For example, rogue antivirus evolved into scareware, scareware into lockers, lockers back into scareware, and finally scareware into ransomware. Each type has its own flavor, but all render a victim’s computer useless until the hackers are paid to go away. The exploit kits Blackhole, Phoenix, and Nuclear have all come and gone, their place taken today by Rig, Magnitude, and GrandSoft. One of the few significant differences in tradecraft today is that malware is more likely to be dropped by weaponized Word macros than by the once-dominant exploit kits.
ZeuS persists to this day across Russian malware forums as a trojan blueprint, despite its takedown in 2014. The leak of its source code was used to build a plethora of banking trojans like SpyEye, Dridex, and Carberp, and its lineage still survives to this day as Tinba and others. While banking trojans are certainly still in play, groups like FIN7 cut out the middleman and target banks directly. Although their top three members are in jail, Recorded Future believes the remaining members of Combi Security have potentially learned enough from their former managers to pose a threat to financial institutions in days to come.
Because the release of source code can increase the number of vendors selling the same or derivative malware, as happened with ZeuS’s descendants, malware source code is carefully guarded by its authors. Malicious programs on the underground, like banking trojans and loaders, are sold in the form of “builds,” which are similar to individual software licenses. For example, Smokebot, sold by the actor SmokeLdr, costs $400 per license, with the option to purchase additional modules, such as a form-grabber for $300 and a cryptominer for $100. There are even terms of agreement stating that each build (license) is for one individual only and is not to be resold. Rebuilds of Smokebot, or modifications of the configuration file, are an additional $10 each, and are necessary if the customer needs to add a new command-and-control server after a takedown or blacklisting. Only SmokeLdr can update the program’s configuration, as the actor is the only one with the source code. All of these facets, full control of the source code, the additional modules, and the eventual need for rebuilds, allow for maximum monetization of Smokebot and are common practice throughout the Russian underground.
Partnerkas, or affiliate programs, are also employed by malware authors to maximize their revenue from a single piece of software. This method is used by ransomware strains like Cerber, operated by the threat actor crbr, who distributes builds of Cerber to the affiliates, or actors participating in the partnerka. These affiliates then spread Cerber themselves through vectors like spam or malvertising, and in return, earn a percentage of every ransom paid. A partnerka setup like this one allows crbr to focus primarily on the development of Cerber and its infrastructure, while outsourcing all the distribution to third parties without sharing the source code with anyone else.
Fraud
Dealing in fraud often means dealing in bulk quantities of information. The Target and Home Depot attackers absconded with the data of 40 and 56 million payment cards, respectively. Selling this many cards on forums or over Jabber chats would be a herculean labor, requiring a large support staff operating around the clock. To solve this problem, automated vending sites (also referred to as “carding shops”) like Rescator, Trump’s Dumps, and Joker’s Stash were created to allow carders to order specific types and quantities of credit and debit card data without any human interaction at all. These have a layout similar to Amazon or eBay, where buyers can point and click on what they want, add it to their cart, and check out within a matter of minutes. Without carding sites such as these, it would be extremely difficult to monetize the massive amounts of data stolen in mega breaches.
Other fraud-related services require a much more personal touch. Criminals of all sorts often require fake identification in the form of driver’s licenses, ID cards, and passports, all of which can be found on Russian forums. The actor vengativo offers one such service, claiming that the fraudulent documents they sell are indistinguishable from the real thing. This actor sells ID cards from dozens of European countries for as much as $400, passports for countries such as the U.S. and Germany for $2,000, and even fake diplomas from Lithuanian universities. Believable identification documents are essential for fraudsters looking to make in-store purchases of high-value electronic devices with stolen payment cards, or to open a bank account in a foreign country for money laundering.
Miscellaneous: Bulletproof Hosting and VPNs
Criminal forums, Jabber servers, banking trojans, and other criminal operations could not exist without hosting, and the individuals who use these services could not use them securely without some form of network anonymity. Thus, bulletproof hosting, hosting services operating in jurisdictions over which large tech companies and federal law enforcement have no influence, forms the backbone of the criminal underground. Actors like Whost, in business for over a decade, offer servers in Beirut, Lebanon for as little as $100 per month. The fast-flux hosting services operated by actors like Yalishanda make takedown efforts against malware extremely difficult: the DNS records for command-and-control (CnC) domains are constantly cycled through an ever-changing series of IP addresses, so seizing any single host leaves the infrastructure reachable. Additionally, VPNs that allow actors to hide their true IPs are sold on Russian forums. Actors like FirstVPN offer a variety of VPN configurations with servers available in 24 different countries for network activity that is hard to trace back to the user. Together, these autonomous services comprise a sort of dark web ISP, upon which the criminal underground is built.
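Fast-flux is detectable from the resolver's side precisely because of the behaviour described above: the same CnC name resolves to a different, short-lived set of addresses on each lookup, scattered across unrelated networks. The following Python is an added example, not code from the Recorded Future report or from any actor it names. It profiles constructed passive-DNS observations (the domain names, IPs, ASNs and thresholds are illustrative assumptions) and flags names whose answer set churns across many autonomous systems with low TTLs, while leaving alone a CDN that rotates addresses inside a single provider network.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class DnsAnswer:
    """One A record observed for a name, as a passive-DNS feed would record it."""
    seen: datetime  # when the resolution was observed
    qname: str      # queried domain
    ip: str         # address returned
    ttl: int        # TTL on the answer, in seconds
    asn: int        # autonomous system owning ip (assumed supplied by an ASN enrichment step)


# Thresholds are illustrative assumptions, not values taken from the report.
MIN_DISTINCT_IPS = 5    # a flux network hands out many addresses over time
MIN_DISTINCT_ASNS = 3   # ...scattered across unrelated networks, unlike a CDN
MAX_MEDIAN_TTL = 300    # ...with short TTLs so victims re-resolve often


@dataclass
class FluxProfile:
    qname: str
    distinct_ips: int
    distinct_asns: int
    median_ttl: float
    changes: int  # lookups whose address set differed from the previous lookup

    @property
    def is_fast_flux(self) -> bool:
        return (self.distinct_ips >= MIN_DISTINCT_IPS
                and self.distinct_asns >= MIN_DISTINCT_ASNS
                and self.median_ttl <= MAX_MEDIAN_TTL)


def profile_domains(answers):
    """Summarise every name in a batch of observations into a FluxProfile."""
    by_name = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    profiles = {}
    for qname, rows in by_name.items():
        # Group rows by observation time to recover the address set returned per lookup.
        per_lookup = defaultdict(set)
        for r in rows:
            per_lookup[r.seen].add(r.ip)
        sets = [per_lookup[t] for t in sorted(per_lookup)]
        changes = sum(1 for prev, cur in zip(sets, sets[1:]) if prev != cur)
        profiles[qname] = FluxProfile(
            qname=qname,
            distinct_ips=len({r.ip for r in rows}),
            distinct_asns=len({r.asn for r in rows}),
            median_ttl=median(r.ttl for r in rows),
            changes=changes,
        )
    return profiles


def flag_fast_flux(answers):
    """Return, sorted, the names whose profile meets every flux threshold."""
    return sorted(q for q, p in profile_domains(answers).items() if p.is_fast_flux)


def _t(minute):
    return datetime(2018, 10, 10, 12, minute)


# Constructed sample observations (documentation address ranges, private ASNs); not real data.
SAMPLE = [
    # fluxed CnC name: a fresh pair of addresses on every lookup, spread over five ASes, 60 s TTL
    DnsAnswer(_t(0), "c2-update.example", "203.0.113.10", 60, 64501),
    DnsAnswer(_t(0), "c2-update.example", "198.51.100.7", 60, 64502),
    DnsAnswer(_t(2), "c2-update.example", "192.0.2.55", 60, 64503),
    DnsAnswer(_t(2), "c2-update.example", "203.0.113.88", 60, 64501),
    DnsAnswer(_t(4), "c2-update.example", "198.51.100.201", 60, 64504),
    DnsAnswer(_t(4), "c2-update.example", "192.0.2.9", 60, 64505),
    # CDN-fronted name: also rotates addresses with a short TTL, but all inside one provider AS
    DnsAnswer(_t(0), "cdn.example", "192.0.2.100", 20, 64510),
    DnsAnswer(_t(0), "cdn.example", "192.0.2.101", 20, 64510),
    DnsAnswer(_t(2), "cdn.example", "192.0.2.102", 20, 64510),
    DnsAnswer(_t(2), "cdn.example", "192.0.2.103", 20, 64510),
    DnsAnswer(_t(4), "cdn.example", "192.0.2.104", 20, 64510),
    DnsAnswer(_t(4), "cdn.example", "192.0.2.105", 20, 64510),
    # ordinary static name: one address, day-long TTL
    DnsAnswer(_t(0), "static.example", "203.0.113.5", 86400, 64520),
    DnsAnswer(_t(4), "static.example", "203.0.113.5", 86400, 64520),
]

if __name__ == "__main__":
    for name, p in sorted(profile_domains(SAMPLE).items()):
        print(f"{name:20} ips={p.distinct_ips} asns={p.distinct_asns} "
              f"median_ttl={p.median_ttl} changes={p.changes} flux={p.is_fast_flux}")
```

The ASN count is what separates flux from a CDN: both return many addresses with short TTLs, but a CDN's addresses belong to one or two providers, whereas fluxed CnC addresses are spread across many unrelated networks. Baseline the thresholds against your own resolver logs before alerting on them.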
Content in Chinese Underground Forums and Marketplaces
Malware
Common categories within Chinese malware forums include DDoS tools, remote access trojans, antivirus evasion techniques, and penetration testing. Certain forums will also contain sections for cracked software and will have areas for individuals to hire hackers. In addition to selling malware and other tools, individuals will share programming and hacking tutorials on these same forums, occasionally offering or asking for teaching or mentorship services.
Many posts on malware and tooling on the clear web usually use code words or state that the use of these tools is only for “research purposes.”
Many lower-tier or open Chinese forums contain advertisements either for malware created by foreign vendors, or open source tools. However, the same forums often also contain malware unique to these Chinese communities. Much of this malware originates from newer hackers who wish to receive criticism of malware they write themselves and usually only have access to lower-level forums. Forum posts under the original advertisement will often contain reviews of custom malware and suggestions on how the malware author can improve. Because of this, individuals will often release multiple builds of their product, similar to users on Russian forums. However, unlike their Russian counterparts, many Chinese malware authors will offer up their source code for a small fee in order to receive feedback from other members to incorporate into newer editions. Cracked software is also often advertised on Chinese forums and is usually tailored to the East Asian market. For example, Xunlei Download Manager, YangCong Math, and the Baidu Wangpan cloud service are all products primarily consumed by Chinese speakers, and cracked versions of their software are readily found on underground Chinese forums.
Forum categories including source code sharing, software cracking, tools and software, and remote access trojans.
Mentions of cracked software on forums collected by Recorded Future.
Fraud
While Chinese forums will advertise credit card data and personal information belonging to international users of large multinational corporations, many posts will also contain equal amounts of data belonging to China’s unique domestic technology industry. For example, Taobao and Alipay accounts are almost as prevalent as a set of Visa card numbers on certain forums. Most data belonging to these companies consist of East Asian user accounts.
Furthermore, some of this data is only found on Chinese forums, as is the case of a data dump from 51job, Inc. from June 2018. The dump of 2.45 million accounts from the major Chinese job board and provider of integrated human resource services was found by Recorded Future on DeepWebChinese on June 14, 2018. Recorded Future did not detect any other reference to the data dump on any non-Chinese forums. Similarly, Chinese delivery service SF Express also suffered a data breach in July 2018, the content of which has only shown up on Chinese dark web marketplaces as of late August 2018.
Recorded Future assesses with medium confidence that domestic data dumps are not shared beyond domestic Chinese marketplaces due to linguistic and cultural barriers. Not only is there little language crossover between forums, but taking advantage of a Chinese account or personal information requires knowledge of Chinese services. China’s technology industry is largely tailored to its domestic market, with services and functionality that are distinct from those of its international competitors. For this reason, Chinese accounts are primarily used and understood by native Chinese-speaking individuals.
Aside from providing opportunities to make money through cybercrime and identity theft, Chinese vendors will advertise forged documents for sale, most of which are tailored to a Chinese audience. Foreign diploma forgeries are incredibly popular. Paste sites and forums of all languages show Chinese advertisements for diploma creation services to fool family and friends. Many vendors even claim that their diplomas fool state-owned corporations, which check credentials through the Chinese Ministry of Education. Other common forgery services found include forged foreign passports and Chinese business licenses. Vendors play into the concept of “mian-zi” in China to attract clientele by claiming that these diplomas, passports, and business licenses will provide better career opportunities and respect from family members. Like Chinese hackers, Chinese fraudsters will also openly sell their tools and tutorials alongside their wares.
What Is Mian-Zi?
The concept of “mian-zi,” or “face,” can be described as gaining and retaining respect or prestige from peers. Much of China’s culture revolves around this concept, especially when it pertains to family and business. “Losing face” can be such a fear for individuals in China that they would rather deceive others than be honest about their shortcomings. For example, many women going back to their hometowns over Chinese New Year would prefer to rent fake boyfriends to show off to their parents rather than admit that they are single, and young Chinese businessmen have realized that purchasing a fake diploma is an easy way to beef up a resume before looking for a job.

Miscellaneous: Weapons, Pornography, VPNs
Compared to other hacker forums, Chinese marketplaces advertise a wide variety of miscellaneous wares that are uniquely tailored to Chinese and other East Asian buyers. Although possession of many of these items is completely legal in other countries, they are illegal in mainland China.
For example, only a small amount of the pornographic content shared in Chinese marketplaces would be considered illegal outside of China. However, the Chinese Communist Party considers all pornography to be a form of “illegal publication,” and its General Administration of Press and Publication (GAPP) has attempted to shut down pornography sites since the early 2000s. As such, online pornography vendors have evolved from blatant advertising to using internet slang (the terms “welfare”10 and “getting on a car”11 are both common euphemisms for explicit content) and have moved largely from open sites to live-streaming applications and underground forums.
As for weaponry, large knives are commonly found on Chinese dark web marketplaces. This is likely the result of national regulation controlling the sale of knives with blades larger than 5.9 inches, due to knife attacks within the country in 2008, 2011, and 2014 attributed to Uighur separatists.
Although the sale of VPNs is not a uniquely Chinese forum characteristic, the massive number of VPNs for sale on Chinese forums is notable. Mentions of VPN access shared or sold on Chinese underground forums have steadily increased since January 2017, when the Ministry of Industry and Information Technology announced that it now requires VPN providers to be licensed by Chinese officials. The activity rose even more rapidly once China’s official ban on unlicensed VPNs came into effect in March 2018.
10 福利: Welfare/material comforts; slang for explicit content.
11 上车: Getting on a car; slang for sharing explicit content.
Mentions of VPNs on Chinese forums and dark web marketplaces in Recorded Future.
Interactions Between Chinese and Russian Hackers in Forums
Analysis of select underground forums in Recorded Future demonstrates that Russian forums consist of primarily English and Russian posts with some Chinese overlap. The Chinese posts indicate that Chinese vendors are communicating with Chinese buyers on foreign forums. Additionally, many Chinese posts within Russian or English forums are fraud services tailored to Chinese audiences, like the fake diploma sales mentioned above.
In contrast, Chinese forums consist almost entirely of Chinese language posts, with most English posts on the forums consisting of numbers, code, or simple words. Thus, it is probable that while some Chinese vendors and buyers are on Russian and English forums, very few non-Chinese vendors advertise on Chinese forums. The lack of Russian or English speakers on Chinese forums could be due to the language barrier between Chinese and Russian hackers. Chinese is among the hardest languages to learn, and only a handful of Russians speak foreign languages at all.
More likely, however, is that the abundance of Russian and English language hacking forums eliminates the need for actors fluent in these languages to search for other forums. These two points would also explain the lack of Chinese malware or data dumps on non-Chinese forums. Because non-Chinese speakers do not use both sets of forums, products that originate on Chinese forums are less frequently resold on foreign forums, if at all. On the other hand, even the small presence of Chinese speakers on non-Chinese forums indicates that Chinese vendors are attempting to decrease their exposure to domestic monitoring and government intervention, while increasing their exposure to buyers posting in foreign marketplaces to ensure they stay in business. If so, this may be a result of the Chinese government’s efforts to censor and shut down Chinese forums.
Breakdown of select forums by post language. Source: Recorded Future data.
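The breakdown by post language rests on classifying each post by the script it is written in. As an added example (not the report's own tooling, and not its data), the Python below labels constructed forum posts by their dominant Unicode script, treats posts made up mostly of digits or hex as “numbers or code” in the sense the report uses for the English posts on Chinese forums, and tallies the labels per forum. The forum names, the posts, and the digits-versus-letters rule are illustrative assumptions.

```python
from collections import Counter, defaultdict


def script_of(ch):
    """Map a character to its writing system, or None for digits, punctuation and whitespace."""
    cp = ord(ch)
    if 0x0400 <= cp <= 0x04FF:
        return "cyrillic"
    if 0x4E00 <= cp <= 0x9FFF or 0x3400 <= cp <= 0x4DBF:
        return "cjk"
    if cp < 0x0250 and ch.isalpha():
        return "latin"
    return None


def classify_post(text):
    """Label a post by its dominant script, or as numbers/code when digits outnumber letters."""
    letters = Counter()
    digits = 0
    for ch in text:
        if ch.isdigit():
            digits += 1
            continue
        s = script_of(ch)
        if s:
            letters[s] += 1
    total_letters = sum(letters.values())
    if total_letters == 0 or digits >= total_letters:
        # Assumed rule: a post that is mostly digits/hex is "numbers or code", not a language.
        return "numbers_or_code"
    return letters.most_common(1)[0][0]


def language_breakdown(posts):
    """Count posts per forum by label; posts is an iterable of (forum, text) pairs."""
    tally = defaultdict(Counter)
    for forum, text in posts:
        tally[forum][classify_post(text)] += 1
    return {forum: dict(counts) for forum, counts in tally.items()}


def dominant_script(posts):
    """The most common label per forum."""
    return {forum: max(counts, key=counts.get)
            for forum, counts in language_breakdown(posts).items()}


# Constructed sample posts, not quotes from any forum. Forum names are placeholders.
POSTS = [
    ("russian-forum", "Продаю логи, цена договорная, jabber в профиле"),
    ("russian-forum", "Selling fresh dumps, track2 + pin, escrow accepted"),
    ("russian-forum", "WTS RDP access EU/US, pm me"),
    ("russian-forum", "出售美国毕业证 真实可查 联系QQ"),
    ("chinese-forum", "回复可见 工具下载 免杀版"),
    ("chinese-forum", "求大佬带 新手学习渗透"),
    ("chinese-forum", "0x1F 0x2A 0x3B 0x4C"),
    ("chinese-forum", "ok thx"),
]

if __name__ == "__main__":
    for forum, counts in language_breakdown(POSTS).items():
        print(forum, counts)
```

Script detection by code point is deliberate: language identification libraries trained on prose misfire on one-line sales posts, whereas the Cyrillic, CJK and Latin blocks are unambiguous for the three communities the report compares. The label only says which script dominates a post, so a Chinese-language advertisement for a fake diploma posted on a Russian forum, like the one in the sample, counts toward that forum's Chinese share.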
Outlook
The hacker cultures of China and Russia each have their own unique genesis and have evolved to take advantage of their respective regional circumstances. Understanding the differences within these communities is essential to grasping the respective threats they currently pose and the manner in which these threats may evolve.
Recorded Future assesses with high confidence that the Russian underground will follow the money above all else. Predominantly, these forums have catered to the former Soviet Bloc, but they also have a unique appeal to the international community, as the databases and credit cards sold on them come from victims throughout the world. The exploit kits and bulletproof hosting are open to almost anyone with enough Bitcoin. In fact, a number of sales threads on Russian forums are posted in both English and Russian, demonstrating a willingness to expand into other markets. This cross-cultural endeavor is reminiscent of the original fraudster forums and could once again bring the English-speaking hacker communities closer to their Russian comrades. Anyone with enough background in English, a mandatory language to study in China, could find their way into some of these Russian forums and access the extensive criminal arsenal therein. This may result in the exchange of tactics and tools across English-, Chinese-, and Russian-speaking criminal groups, whose target bases will then face potentially new methods of attack.
The members of the Russian-language cyber underground pose a global threat due to their sophistication and diverse criminal operations. Regardless of their location, every financial institution, social network, and ISP should take note that they and their customers are or could be a target, and ensure that their systems are continually patched against commonly known vulnerabilities.
Recorded Future also assesses with medium confidence that China’s determination to shut down Tor and VPN access for its citizens in a crusade toward a “clean and righteous internet” will cause Chinese markets and hacker forums to shut down. Increasing numbers of Chinese dark web vendors will peddle their wares on foreign sites as a result, thereby increasing foreign access to previously unique regional malware and hard-to-get data. If no such drift occurs, and the Chinese underground forums do not shut down while China tightens its noose on online anonymity, we assess that the Chinese government implicitly accepts domestic cybercrime under a certain threshold.
For now, companies doing business in China or the wider East Asian region should monitor Chinese hacking forums and marketplaces for credential leaks and operations targeting company infrastructure, given the volume of East Asia-specific data that appears only on these forums. Additionally, companies with offices in East Asia should ensure that their infrastructure is secured against malware developed within Chinese forums, and monitor politically sensitive regional events that might spur Chinese patriotic hacktivism.
About Recorded Future
Recorded Future arms security teams with the only complete threat intelligence solution powered by patented machine learning to lower risk. Our technology automatically collects and analyzes information from an unrivaled breadth of sources and provides invaluable context in real time and packaged for human analysis or integration with security technologies.

What are those words that trigger Echelon?
Updated: According to various UK media sources today, the buzzwords said to trigger the US, UK, Canada, New Zealand spying mechanism Echelon have been "posted on the Internet". We haven't found the file and it hasn't popped up on the authoritative site for these sorts of things, Cryptome.org, so we'd not put too much weight behind it.
However, just for your interest, we give you a quick run-through of some of them:
There are the obvious phrases like "Kill the President" which caused two schoolboys from the UK to be quizzed by special branch, "anarchy", "echelon" :-), "nuclear", "assassinate".
Then there are ones that are dodgy (because they fit in with X-Files-type paranoia) like "Roswell", "Waco", "World Trade Center", "Soros" - after George Soros, "Whitewater".
Then there are a suspiciously large number of hacker names: Furby, Bugs Bunny, Bubba the Love, etc. But just when we thought it was obviously some script-kiddie hoax, a few interesting words crop up:
FRU - the cover name for the SAS in Northern Ireland
Lebed - an ex-Russian general, now a politician
HALO - a type of parachute jump
Spetznaz - the Russian SAS
Al Amn al-Askari - a member of the Iraqi cabinet
Glock 26 - a ceramic handgun that can't be detected by airport scanners (a reader informs us that the Glock 26 is only partly ceramic, the bullets are metal and it can be detected at airports - so we should really shift this one into the X-Files list)
Steak Knife - the codename for an IRA double agent
Rewson, SAFE, Waihopai, INFOSEC, ASPIC, MI6, Information Security, SAI, Information Warfare, IW, IS, Privacy, Information Terrorism, Terrorism 
Defensive Information, Defense Information Warfare, Offensive Information, Offensive Information Warfare, The Artful Dodger, NAIA, SAPM, ASU, ASTS, 
National Information Infrastructure, InfoSec, SAO, Reno, Compsec, JICS, 
Computer Terrorism, Firewalls, Secure Internet Connections, RSP, ISS, JDF, 
Ermes, Passwords, NAAP, DefCon V, RSO, Hackers, Encryption, ASWS, CUN, CISU, 
CUSI, M.A.R.E., MARE, UFO, IFO, Pacini, Angela, Espionage, USDOJ, NSA, CIA, 
S/Key, SSL, FBI, Secert Service, USSS, Defcon, Military, White House, 
Undercover, NCCS, Mayfly, PGP, SALDV, PEM, resta, RSA, Perl-RSA, MSNBC, bet, 
AOL, AOL TOS, CIS, CBOT, AIMSX, STARLAN, 3B2, BITNET, SAMU, COSMOS, 
Furbys, E911, FCIC, HTCIA, IACIS, UT/RUS, JANET, ram, JICC, ReMOB, LEETAC, 
UTU, VNET, BRLO, SADCC, NSLEP, SACLANTCEN, FALN, 877, NAVELEXSYSSECENGCEN, DATTA, Colonel, DERA, 
BZ, CANSLO, CBNRC, CIDA, JAVA, rsta, Active X, Compsec 97, RENS, LLC, 
JIC, rip, rb, Wu, RDI, Mavricks, BIOL, Meta-hackers, ^?, SADT, Steve Case, 
Tools, RECCEX, Telex, Aldergrove, OTAN, monarchist, NMIC, NIOG, IDB, MID/KL, 
NADIS, NMI, SEIDM, BNC, CNCIS, STEEPLEBUSH, RG, BSS, DDIS, mixmaster,
BRGE, Europol, SARL, Military Intelligence, JICA, Scully, recondo, Flame, 
Infowar, FRU, Bubba, Freeh, Archives, ISADC, CISSP, Sundevil, jack, BCCI, 
Investigation, JOTS, ISACA, NCSA, ASVC, spook words, RRF, 1071, Bugs Bunny, 
Verisign, Secure, ASIO, Lebed, ICE, NRO, Lexis-Nexis, NSCT, SCIF, FLiR, JIC, 
bce, Lacrosse, Flashbangs, HRT, IRA, EODG, DIA, USCOI, CID, BOP, FINCEN, 
FLETC, NIJ, ACC, AFSPC, BMDO, site, SASSTIXS, NAVWAN, NRL, RL, 
NSWC, USAFA, AHPCRC, ARPA, SARD, LABLINK, USACIL, SAPT, USCG, NRC, ~, O,   NAVWCWPNS, ISN, SHAPE, EDI, Masuda, GRU,SUKLO, 
NSA/CSS, CDC, DOE, SAAM, FMS, HPCC, NTIS, SEL, USCODE, CISE, SIRC, CIM, 
DJC, LLNL, bemd, SGC, UNCPCJ, CFC, SABENA, DREO, CDA, SADRS, DRA, 
bird dog, SACLANT, BECCA, DCJFTF, HALO, SC, TA SAS, Lander, GSM, T Branch, 
AST, SAMCOMM, HAHO, FKS, 868, GCHQ, DITSA, SORT, AMEMB, NSG, HIC, 
benelux, SAS, SBS, SAW, UDT, EODC, GOE, DOE, SAMF, GEO, JRB, 3P-HV, 
Forte, AT, GIGN, Exon Shell, radint, MB, CQB, TECS, CONUS, CTU, RCMP, GRU, 
SASR, GSG-9, 22nd SAS, GEOS, EADA, SART, BBE, STEP, Echelon, Dictionary, 
MD2, MD4, MDA, diwn, 747, ASIC, 777, RDI, 767, MI5, 737, MI6, 757, Kh-11, 
EODN, SHS, ^X, Shayet-13, SADMS, Spetznaz, Recce, 707, CIO, NOCS, Halcon, 
NSS, Duress, RAID, Uziel, wojo, Psyops, SASCOM, grom, NSIRL, D-11, DF, ZARK, 
SERT, VIP, ARC, S.E.T. Team, NSWG, MP5k, SATKA, DREC, DEVGRP, DSD, FDM, 
LRTS, SIGDEV, NACSI, MEU/SOC,PSAC, PTT, RFI, ZL31, SIGDASYS, TDM. 
Schengen, SUSLO, TELINT, fake, TEXTA. ELF, LF, MF, Mafia, JASSM, CALCM, 
TLAM, Wipeout, GII, SIW, MEII, C2W, Burns, Tomlinson, Ufologico Nazionale, 
Centro, CICAP, MIR, Belknap, Tac, rebels, BLU-97 A/B, 007, nowhere.ch, 
bronze, Rubin, Arnett, BLU, SIGS, VHF, Recon, peapod, PA598D28, Spall, dort, 
50MZ, 11Emc Choe, SATCOMA, UHF, The Hague, SHF, ASIO, SASP, WANK, 
domestic disruption, 5ESS, smuggle, Z-200, 15kg, DUVDEVAN, RFX, nitrate, 
OIR, Pretoria, M-14, enigma, Bletchley Park, Clandestine, NSO, nkvd, argus, 
afsatcom, CQB, NVD, Counter Terrorism Security, Enemy of the State, SARA, 
Rapid Reaction, JSOFC3IP, Corporate Security, 192.47.242.7, Baldwin, Wilma, 
ie.org, cospo.osis.gov, Police, Dateline, Tyrell, KMI, 1ee, Pod, 9705 
Samford Road, 20755-6000, sniper, PPS, ASIS, ASLET, TSCM, Security 
Consulting, M-x spook, Z-150T, Steak Knife, High Security, Security 
Evaluation, Electronic Surveillance, MI-17, ISR, NSAS, Counterterrorism, 
real, spies, IWO, eavesdropping, debugging, CCSS, interception, COCOT, 
NACSI, rhost, rhosts, ASO, SETA, Amherst, Broadside, Capricorn, NAVCM, 
Gamma, Gorizont, Guppy, NSS, rita, ISSO, submiss, ASDIC, .tc, 2EME REP, FID, 
7NL SBS, tekka, captain, 226, .45, nonac, .li, Tony Poe, MJ-12, JASON, 
Society, Hmong, Majic, evil, zipgun, tax, bootleg, warez, TRV, ERV, 
rednoise, mindwar, nailbomb, VLF, ULF, Paperclip, Chatter, MKULTRA, MKDELTA, 
Bluebird, MKNAOMI, White Yankee, MKSEARCH, 355 ML, Adriatic, Goldman, 
Ionosphere, Mole, Keyhole, NABS, Kilderkin, Artichoke, Badger, Emerson, 
Tzvrif, SDIS, T2S2, STTC, DNR, NADDIS, NFLIS, CFD, BLU-114/B, quarter, 
Cornflower, Daisy, Egret, Iris, JSOTF, Hollyhock, Jasmine, Juile, Vinnell, 
B.D.M., Sphinx, Stephanie, Reflection, Spoke, Talent, Trump, FX, FXR, IMF, 
POCSAG, rusers, Covert Video, Intiso, r00t, lock picking, Beyond Hope, 
LASINT, csystems, .tm, passwd, 2600 Magazine, JUWTF, Competitor, EO, Chan, 
Pathfinders, SEAL Team 3, JTF, Nash, ISSAA, B61-11, Alouette, executive, 
Event Security, Mace, Cap-Stun, stakeout, ninja, ASIS, ISA, EOD, Oscor, 
Tarawa, COSMOS-2224, COSTIND, hit word, hitword, Hitwords, Regli, VBS, 
Leuken-Baden, number key, Zimmerwald, DDPS, GRS, AGT. AMME, ANDVT, Type I, 
Type II, VFCT, VGPL, WHCA, WSA, WSP, WWABNCP, ZNI1, FSK, FTS2000,       
GOTS, SACS STU-III, PRF, PMSP, PCMT, I&A, JRSC, ITSDN, Keyer, KG-84C, 
KWT-46, KWR-46, KY-75, KYV-5, LHR, PARKHILL, LDMX, LEASAT, SNS, SVN, 
TRANSEC, DONCAF, EAM, DSCS, DSNET1, DSNET2, DSNET3, ECCM, EIP, 
DDN, DDP, Merlin, NTT, SL-1, Rolm, TIE, Tie-fighter, PBX, SLI, NTT, MSCJ, 
MIT, 69, RIT, Time, MSEE, Cable & Wireless, CSE, SUW, J2, Embassy, ETA, 
Porno, Fax, finks, Fax encryption, white noise, Fernspah, MYK, GAFE, 
forcast, import, rain, tiger, buzzer, N9, pink noise, CRA, M.P.R.I., top 
secret, Mossberg, 50BMG, Macintosh Security, Macintosh Internet Security, 
OC3, Macintosh Firewalls, Unix Security, VIP Protection, SIG, sweep, Medco, 
TRD, TDR, Z, sweeping, SURSAT, 5926, TELINT, Audiotel, Harvard, 1080H, SWS, 
Asset, Satellite imagery, force, NAIAG, Cypherpunks, NARF, 127, Coderpunks, 
TRW, remailers, replay, redheads, RX-7, explicit, FLAME, J-6, Pornstars, 
AVN, Playboy, ISSSP, Anonymous, W, Sex, chaining, codes, Nuclear, 20, 
subversives, SLIP, toad, fish, data havens, unix, c, a, b, d, SUBACS, the, 
Elvis, quiche, DES, 1*, N-ISDN, NLSP, OTAR, OTAT, OTCIXS, MISSI, MOSAIC, 
NAVCOMPARS, NCTS, NESP, MILSATCOM, AUTODIN, BLACKER, C3I, C4I, CMS, CMW, CP,  GOSIP, TACSAT, EKMS, EKMC, 
SBU, SCCN, SITOR, SHF/DOD, Finksburg MD, Link 16, LATA, NATIA, NATOA, 
sneakers, UXO, (), OC-12, counterintelligence, Shaldag, sport, NASA, TWA, 
DT, gtegsc, nowhere, .ch, hope, emc, industrial espionage, SUPIR, PI, TSCI, 
spookwords, industrial intelligence, H.N.P., SUAEWICS, Juiliett Class 
Submarine, Locks, qrss, loch, 64 Vauxhall Cross, Ingram Mac-10, wwics, 
sigvoice, ssa, E.O.D., SEMTEX, penrep, racal, OTP, OSS, Siemens, RPC, Met, 
CIA-DST, INI, watchers, keebler, contacts, Blowpipe, BTM, CCS, GSA, Kilo 
Class, squib, primacord, RSP, Z7, Becker, Nerd, fangs, Austin, no|d, 
Comirex, GPMG, Speakeasy, humint, GEODSS, SORO, M5, BROMURE, ANC, zone, SBI, 
DSS, S.A.I.C., Minox, Keyhole, SAR, Rand Corporation, Starr, Wackenhutt, EO, 
burhop, Wackendude, mol, Shelton, 2E781, F-22, 2010, JCET, cocaine, Vale, 
IG, Kosovo, Dake, 36,800, Hillal, Pesec, Hindawi, GGL, NAICC, CTU, botux, 
Virii, CCC, ISPE, CCSC, Scud, SecDef, Magdeyev, VOA, Kosiura, Small Pox, 
Tajik, +=, Blacklisted 411, TRDL, Internet Underground, BX, XS4ALL, wetsu, 
muezzin, Retinal Fetish, WIR, Fetish, FCA, Yobie, forschung, emm, ANZUS, 
Reprieve, NZC-332, edition, cards, mania, 701, CTP, CATO, Phon-e, Chicago 
Posse, NSDM, l0ck, beanpole, spook, keywords, QRR, PLA, TDYC, W3, CUD, CdC, 
Weekly World News, Zen, World Domination, Dead, GRU, M72750, Salsa, 7, 
Blowfish, Gorelick, Glock, Ft. Meade, NSWT, press-release, WISDIM, burned, 
Indigo, wire transfer, e-cash, Bubba the Love Sponge, Enforcers, Digicash, 
zip, SWAT, Ortega, PPP, NACSE, crypto-anarchy, AT&T, SGI, SUN, MCI, 
Blacknet, ISM, JCE, Middleman, KLM, Blackbird, NSV, GQ360, X400, Texas, 
jihad, SDI, BRIGAND, Uzi, Fort Meade, *&, gchq.gov.uk, supercomputer, 
bullion, 3, NTTC, Blackmednet, :, Propaganda, ABC, Satellite phones, IWIS, 
Planet-1, ISTA, rs9512c, Jiang Zemin, South Africa, Sergeyev, Montenegro, 
Toeffler, Rebollo, sorot, Yucca Mountain, FARC, Toth, Xu Yongyue, Bach, 
Razor, AC, cryptanalysis, nuclear, 52 52 N - 03 03 W, Morgan, Canine, GEBA, 
INSCOM, MEMEX, Stanley, FBI, Panama, fissionable, Sears Tower, NORAD, Delta 
Force, SEAL, virtual, WASS, WID, Dolch, secure shell, screws, Black-Ops, 
O/S, Area51, SABC, basement, ISWG, $@, data-haven, NSDD, black-bag, rack, 
TEMPEST, Goodwin, rebels, ID, MD5, IDEA, garbage, market, beef, Stego, ISAF, 
unclassified, Sayeret Tzanhanim, PARASAR, Gripan, pirg, curly, Taiwan, 
guest, utopia, NSG, orthodox, CCSQ, Alica, SHA, Global, gorilla, Bob, 
UNSCOM, Fukuyama, Manfurov, Kvashnin, Marx, Abdurahmon, snullen, Pseudonyms, 
MITM, NARF, Gray Data, VLSI, mega, Leitrim, Yakima, NSES, Sugar Grove, WAS, 
Cowboy, Gist, 8182, Gatt, Platform, 1911, Geraldton, UKUSA, veggie, XM, 
Parvus, NAVSVS, 3848, Morwenstow, Consul, Oratory, Pine Gap, Menwith, 
Mantis, DSD, BVD, 1984, blow out, BUDS, WQC, Flintlock, PABX, Electron, 
Chicago Crust, e95, DDR&E, 3M, KEDO, iButton, R1, erco, Toffler, FAS, RHL, 
K3, Visa/BCC, SNT, Ceridian, STE, condor, CipherTAC-2000, Etacs, Shipiro, 
ssor, piz, fritz, KY, 32, Edens, Kiwis, Kamumaruha, DODIG, Firefly, HRM, 
Albright, Bellcore, rail, csim, NMS, 2c, FIPS140-1, CAVE, E-Bomb, CDMA, 
Fortezza, 355ml, ISSC, cybercash, NAWAS, government, NSY, hate, speedbump, 
joe, illuminati, BOSS, Kourou, Misawa, Morse, HF, P415, ladylove, filofax, 
Gulf, lamma, Unit 5707, Sayeret Mat'Kal, Unit 669, Sayeret Golani, Lanceros, 
Summercon, NSADS, president, ISFR, freedom, ISSO, walburn, Defcon VI, DC6, 
Larson, P99, HERF pipe-bomb, 2.3 Oz., cocaine, $, imapct, Roswell, ESN, COS, 
E.T., credit card, b9, fraud, ST1, assasinate, virus, ISCS, ISPR, anarchy, 
rogue, mailbomb, 888, Chelsea, 1997, Whitewater, MOD, York, plutonium, 
William Gates, clone, BATF, SGDN, Nike, WWSV, Atlas, IWWSVCS, Delta, TWA, 
Kiwi, PGP 2.6.2., PGP 5.0i, PGP 5.1, siliconpimp, SASSTIXS, IWG, Lynch, 414, 
Face, Pixar, IRIDF, NSRB, eternity server, Skytel, Yukon, Templeton, 
Johohonbu, LUK, Cohiba, Soros, Standford, niche, ISEP, ISEC, 51, H&K, USP, 
^, sardine, bank, EUB, USP, PCS, NRO, Red Cell, NSOF, DC7, Glock 26, 
snuffle, Patel, package, ISI, INR, INS, GRU, RUOP, GSS, NSP, SRI, Ronco, 
Armani, BOSS, Chobetsu, FBIS, BND, SISDE, FSB, BfV, IB, froglegs, JITEM, 
SADF, advise, TUSA, LITE, PKK, HoHoCon, SISMI, ISG, FIS, MSW, Spyderco, UOP, 
SSCI, NIMA, HAMASMOIS, SVR, SIN, advisors, SAP, Monica, OAU, PFS, Aladdin, 
AG, chameleon man, Hutsul, CESID, Bess, rail gun, .375, Peering, CSC, 
Tangimoana Beach, Commecen, Vanuatu, Kwajalein, LHI, DRM, GSGI, DST, MITI, 
JERTO, SDF, Koancho, Blenheim, Rivera, Kyudanki, varon, 310, 17, 312, NB, 
CBM, CTP, Sardine, SBIRS, jaws, SGDN, ADIU, DEADBEEF, IDP, IDF, Halibut, 
SONANGOL, Flu, &, Loin, PGP 5.53, meta, Faber, SFPD, EG&G, ISEP, blackjack, 
Fox, Aum, AIEWS, AMW, RHL, Baranyi, WORM, MP5K-SD, 1071, WINGS, cdi, VIA, 
DynCorp, UXO, Ti, WWSP, WID, osco, Mary, honor, Templar, THAAD, package, 
CISD, ISG, BIOLWPN, JRA, ISB, ISDS, chosen, LBSD, van, schloss, secops, 
DCSS, DPSD, LIF, J-Star, PRIME, SURVIAC, telex, Analyzer, embassy, Golf, 
B61-7, Maple, Tokyo, ERR, SBU, Threat, JPL, Tess, SE, Alex, EPL, SPINTCOM, 
FOUO, ISS-ADP, Merv, Mexico, SUR, blocks, SO13, Rojdykarna, RSOC, USS 
Banner, S511, 20755, airframe, jya.com, Furby, PECSENC, football, Agfa, 
3210, Crowell, moore, 510, OADR, Smith, toffee, FIS, N5P6, EuroFed, SP4, 
shelter, Crypto AG Croatian nuclear FBI colonel plutonium Ortega Waco, Texas 
Panama CIA DES jihad fissionable quiche terrorist World Trade Center 
assassination DES NORAD Delta Force Waco, Texas SDI explosion Serbian Panama 
Uzi Ft. Meade SEAL Team 6 Honduras PLO NSA terrorist Ft. Meade strategic 
supercomputer $400 million in gold bullion quiche Honduras BATF colonel 
Treasury domestic disruption SEAL Team 6 class struggle smuggle M55 M51 
Physical Security Division Room 2A0120, OPS 2A building 688-6911(b), 
963-3371(s). Security Awareness Division (M56) Field Security Division (M52) 
Al Amn al-Askari Supreme Assembly of the Islamic Revolution in Iraq (SAIRI) 
Binnenlandse Veiligheidsdienst Komitet Gosudarstvennoi Bezopasnosti 
Federalnaia sluzhba besopasnosti GCHQ MI5 Kill the president

How the NSA Plans to Infect ‘Millions’ of Computers with Malware

Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.
The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.
The covert infrastructure that supports the hacking efforts operates from the agency’s headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic.
In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer’s microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.
The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”
In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the “Expert System,” which is designed to operate “like the brain.” The system manages the applications and functions of the implants and “decides” what tools they need to best extract data from infected machines.
Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm F-Secure, calls the revelations “disturbing.” The NSA’s surveillance techniques, he warns, could inadvertently be undermining the security of the Internet.
“When they deploy malware on systems,” Hypponen says, “they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”
Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be “out of control.”
“That would definitely not be proportionate,” Hypponen says. “It couldn’t possibly be targeted and named. It sounds like wholesale infection and wholesale surveillance.”
The NSA declined to answer questions about its deployment of implants, pointing to a new presidential policy directive announced by President Obama. “As the president made clear on 17 January,” the agency said in a statement, “signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes.”
The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret internal records, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands.
To penetrate foreign computer networks and monitor communications that it did not have access to through other means, the NSA wanted to go beyond the limits of traditional signals intelligence, or SIGINT, the agency’s term for the interception of electronic communications. Instead, it sought to broaden “active” surveillance methods – tactics designed to directly infiltrate a target’s computers or network devices.
In the documents, the agency describes such techniques as “a more aggressive approach to SIGINT” and says that the TAO unit’s mission is to “aggressively scale” these operations.
But the NSA recognized that managing a massive network of implants is too big a job for humans alone.
“One of the greatest challenges for active SIGINT/attack is scale,” explains the top-secret presentation from 2009. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).”
The agency’s solution was TURBINE. Developed as part of TAO unit, it is described in the leaked documents as an “intelligent command and control capability” that enables “industrial-scale exploitation.”
TURBINE was designed to make deploying malware much easier for the NSA’s hackers by reducing their role in overseeing its functions. The system would “relieve the user from needing to know/care about the details,” the NSA’s Technology Directorate notes in one secret document from 2009. “For example, a user should be able to ask for ‘all details about application X’ and not need to know how and where the application keeps files, registry entries, user application data, etc.”
In practice, this meant that TURBINE would automate crucial processes that previously had to be performed manually – including the configuration of the implants as well as surveillance collection, or “tasking,” of data from infected systems. But automating these processes was about much more than a simple technicality. The move represented a major tactical shift within the NSA that was expected to have a profound impact – allowing the agency to push forward into a new frontier of surveillance operations.
The ramifications are starkly illustrated in one undated top-secret NSA document, which describes how the agency planned for TURBINE to “increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants.” (CNE mines intelligence from computers and networks; CNA seeks to disrupt, damage or destroy them.)
Eventually, the secret files indicate, the NSA’s plans for TURBINE came to fruition. The system has been operational in some capacity since at least July 2010, and its role has become increasingly central to NSA hacking operations.
Earlier reports based on the Snowden files indicate that the NSA has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers.
The intelligence community’s top-secret “Black Budget” for 2013, obtained by Snowden, lists TURBINE as part of a broader NSA surveillance initiative named “Owning the Net.”
The agency sought $67.6 million in taxpayer funding for its Owning the Net program last year. Some of the money was earmarked for TURBINE, expanding the system to encompass “a wider variety” of networks and “enabling greater automation of computer network exploitation.”


How to Create an Anonymous Email Account

Not long ago, the sharing economy seemed to take over. Privacy was dead, and no one cared. But that was a pre-Snowden era. Now, for some, the need to go truly anonymous is more important than ever.

What do you do if you want to set up an email address that is completely secret and nameless, with no obvious connection to you whatsoever, without the hassle of setting up your own servers?

This goes beyond just encrypting messages. Anyone can do that with web-based email like Gmail by using a browser extension like Secure Mail by Streak. For desktop email clients, GnuPG (GNU Privacy Guard) or the Enigmail add-on for Thunderbird is a must. Web-based ProtonMail promises end-to-end encryption with zero access to the data by the company behind it, plus it has apps for iOS and Android.
But those don't hide who sent the message. Encryption protects the body of the mail, not its headers: the From address, the subject line, the time it was sent, the software that sent it and the IP address it was submitted from all travel in the clear.
Anonymous email services will. Here are the services you should use to create that truly nameless, unidentifiable email address. But be sure to use your powers for good.
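To make the point concrete, here is an added example (not part of the original article) that parses a constructed PGP/MIME message, the kind GnuPG or Enigmail produces, and lists what the recipient, the mail servers and anyone who subpoenas them can still read. The message, its hostnames and its IP addresses are invented for the example (the IPs are from the RFC 5737 documentation ranges).

```python
"""Show what an end-to-end-encrypted email still reveals about its sender."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: a PGP/MIME message as it might sit in the recipient's
# mailbox. Addresses, hosts and IPs are invented (RFC 5737 documentation ranges).
SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.example.org with ESMTPS id 4Xyz;
\tMon, 3 Mar 2014 10:15:02 +0000
Received: from [192.168.1.23] (cpe-198-51-100-77.isp.example [198.51.100.77])
\tby mail.example.net with ESMTPSA id abc123;
\tMon, 3 Mar 2014 10:14:58 +0000
From: anonguy55 <anonguy55@example.net>
To: friend@example.org
Subject: re: the thing we discussed
Date: Mon, 3 Mar 2014 10:14:55 +0000
Message-ID: <20140303101455.GA4421@anon-laptop.home>
User-Agent: Mutt/1.5.21
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA... (ciphertext, unreadable without the private key)
-----END PGP MESSAGE-----
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = (re.compile(r"^10\."), re.compile(r"^192\.168\."),
           re.compile(r"^172\.(1[6-9]|2\d|3[01])\."))


def is_private(ip):
    """True for RFC 1918 (LAN) addresses, which identify the sender's network, not the sender."""
    return any(p.match(ip) for p in RFC1918)


def metadata_leaks(raw):
    """Return the plaintext metadata an encrypted message still exposes."""
    msg = message_from_string(raw)
    # Each relay prepends its own Received header, so the last one in the list
    # was written by the first hop: the server that accepted the message from
    # the sender's own machine and recorded where that machine connected from.
    hops = msg.get_all("Received", [])
    first_hop = hops[-1] if hops else ""
    ips = IP_RE.findall(first_hop)
    public_ips = [ip for ip in ips if not is_private(ip)]
    return {
        "sender": parseaddr(msg["From"])[1],
        "subject": msg["Subject"],
        "sent_at": parsedate_to_datetime(msg["Date"]).isoformat(),
        "client": msg.get("User-Agent"),
        "message_id_host": msg["Message-ID"].rstrip(">").split("@")[-1],
        "originating_ip": public_ips[0] if public_ips else None,
        "lan_ip": next((ip for ip in ips if is_private(ip)), None),
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
    }


if __name__ == "__main__":
    for key, value in metadata_leaks(SAMPLE).items():
        print(f"{key:18} {value}")
```

Run it and the body shows as encrypted while the sender address, subject, send time, mail client, the sender's laptop hostname (from the Message-ID) and the public IP the message was submitted from all come out in the clear. Webmail providers generally do not write the client IP into a header like this, but they log it server-side, which is the record a court order asks for.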

First Step: Browse Anonymously

Your web browser is tracking you. It's that simple. Cookies may not know your name, but they know where you've been and what you've done and they're willing to share. Sure, it's mostly about serving you targeted ads, but that's not much consolation for those looking to surf in private.
Your browser's incognito/private mode can only do so much—sites are still going to record your IP address, for example. And incognito mode doesn't matter if you sign into online accounts.
If you want to browse the web anonymously (and use that private time to set up an email), you need the Tor Browser, a hardened Firefox-based browser from the Tor Project. A VPN can sit in front of it so your ISP cannot see that you are using Tor at all, but then the VPN provider sees that instead. Tor is short for The Onion Router: it sends your traffic through three volunteer-run relays, each of which knows only the hop before and after it, so the website at the far end sees the exit relay's IP address rather than yours. Pages load more slowly over Tor than in plain Firefox or Chrome, but that's the price of vigilance.
The free Tor Browser is available in multiple languages, for Windows, macOS, and Linux. It's self-contained and portable, meaning it'll run off a USB flash drive if you don't want to install it directly. Even Facebook runs an onion service address, which hides the location of its users and lets them in from places where the social network is illegal or blocked. There is also a version for Android devices.
Tor is not perfect and won't keep you 1,000 percent anonymous. The man behind the Silk Road, among others, believed it would and got caught, though through his own operational mistakes (a handle reused on a public forum and tied to his real email), not because Tor itself was broken. However, it's a lot more secure than openly surfing.

Second Step: Anonymous Email

You can set up a relatively anonymous Gmail account, you just have to lie like a bathroom rug. That means creating a full Google account and not providing Google your real name, location, birthday, or anything else the search giant asks for when you sign up (while using the Tor Browser, naturally).
You will eventually have to provide Google some other identifying method of contact, such as a third-party email address or a phone number. For the phone, you could use a burner/temporary number from an app like Hushed or Burner, or buy a pre-paid cell phone and fib thoroughly when asked for any personal info. (Just know that even the most "secure" burner has its limits when it comes to keeping you truly anonymous: it still has to be bought, activated and carried somewhere.)
There are anonymous email services you can use, so why use Gmail at all? The Electronic Frontier Foundation (EFF) says it's smart to use a different email provider from your personal account if you crave anonymity—that way you're less likely to get complacent and make a compromising mistake.
Note that you also should use an email service that encrypts the connection with TLS (still commonly called SSL). That's the basic transport encryption used on a web connection to prevent casual snooping, like when you're shopping at Amazon. You'll know it's in use when the URL starts with HTTPS instead of just HTTP, or when a lock symbol shows up in the address bar.
Gmail, Yahoo Mail, and Outlook.com all support HTTPS; Google's Chrome browser now flags all non-HTTPS sites as insecure. The HTTPS Everywhere extension for Firefox, Chrome, Opera, and Android also ensures that websites default to using the protocol.
That's great for web surfing, but neither HTTPS nor a VPN keeps you hidden when emailing. They encrypt the link between you and your provider; the provider still knows which account you logged into, from which IP address, and who you wrote to, and the message headers travel in the clear to the recipient.
Pseudonyms in email (like anonguy55@gmail.com) aren't enough, either. Just one login without Tor means your real IP address is recorded. That's enough for you to be found, if the finder can get your provider to give up its login records. It's how General Petraeus got nailed: the anonymous accounts in that case were traced through the IP addresses they had been accessed from.
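The following is an added example, not part of the original article, of the correlation an investigator runs once the provider's login records are in hand. The records, the Tor exit list and the account names are constructed for the example (IPs from the RFC 5737 documentation ranges); a real investigation would use the provider's actual logs and the published Tor exit list. It shows why a single login from home is enough: the Tor-exit logins link to nobody, the one slip links the alias to a named account on the same line.

```python
"""Link a pseudonymous account to a named one via a single non-Tor login."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed login records, as a provider might hand over in response to a
# records request: (account, timestamp, client IP). Nothing here is real data.
LOGINS = [
    ("anonguy55",    "2014-02-10T21:03:11Z", "192.0.2.44"),     # via Tor exit
    ("anonguy55",    "2014-02-11T08:41:52Z", "192.0.2.45"),     # via Tor exit
    ("anonguy55",    "2014-02-12T19:22:07Z", "198.51.100.77"),  # forgot Tor once
    ("anonguy55",    "2014-02-13T07:15:30Z", "192.0.2.44"),     # via Tor exit
    ("jane.doe",     "2014-02-12T19:05:44Z", "198.51.100.77"),  # same home line
    ("jane.doe",     "2014-02-14T12:00:00Z", "203.0.113.9"),
    ("someone.else", "2014-02-12T11:00:00Z", "203.0.113.200"),
]

# Constructed stand-in for the Tor exit list. The real list is published by
# the Tor Project and changes constantly; this one just covers the sample.
TOR_EXITS = [ip_network("192.0.2.32/28")]


def is_tor_exit(ip):
    """True if the address falls inside a known Tor exit range."""
    addr = ip_address(ip)
    return any(addr in net for net in TOR_EXITS)


def link_pseudonym(pseudonym, logins):
    """Return, for each non-Tor login of the pseudonym, the other accounts
    that used the same IP. A Tor exit is shared by thousands of users and
    links to nobody; one login from a home or hotel line links to whoever
    else used that line."""
    by_ip = defaultdict(set)
    for account, _, ip in logins:
        by_ip[ip].add(account)
    leaks = []
    for account, ts, ip in logins:
        if account != pseudonym or is_tor_exit(ip):
            continue
        candidates = sorted(by_ip[ip] - {pseudonym})
        if candidates:
            leaks.append({"ip": ip, "when": ts, "candidates": candidates})
    return leaks


if __name__ == "__main__":
    for leak in link_pseudonym("anonguy55", LOGINS):
        print(f"{leak['when']}  {leak['ip']:16} shared with {', '.join(leak['candidates'])}")
```

Three of the four logins are from Tor exits and yield nothing; the fourth, from the same IP that a named account used twenty minutes earlier, is the whole case. Timing would then be corroborated against the ISP's subscriber records for that address, which is what the "if the finder can get your provider to give up some records" caveat above means in practice.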
The point is, once you've gone this far, there's no reason to go back. Utilize a truly anonymous web-based mail service. Here are some of the best.

ProtonMail

With servers in Switzerland (a country that appreciates secrecy), ProtonMail provides fully encrypted messages. Anyone can get a free account that holds 500MB of data and up to 150 messages per day, or pay 4 euros per month to get advanced features like five addresses each with 5GB storage for up to 1,000 messages per day, and support for ephemeral messages that disappear after a time period you set.
Encryption is one thing, but anonymity comes with ProtonMail's specific support for Tor via an onion site it set up at protonirockerxow.onion. It also provides full instructions on how to set up Tor on your desktop or mobile phone. Having anonymous users is so important to ProtonMail that it doesn't require any personal info when you sign up. It also supports two-factor authentication.

Guerrilla Mail

Guerrilla Mail provides ephemeral messaging (disposable, temporary email you can send and receive) and it's all free. Technically, the address you create will exist forever, even if you never use it again. Any messages received, accessible at guerrillamail.com, only last one hour. You get a totally scrambled email address that's easily copied to the clipboard. You can even attach a file if it's less than 150MB in size, or use it to send someone your excess bitcoin.
There's an option to use your own domain name as well, but that's not keeping you under the radar. Coupled with the Tor Browser, which keeps your IP address out of Guerrilla Mail's own logs, it leaves the recipient with nothing but a throwaway address. It's also available on Android.

Tutanota

Germany-based Tutanota is so secure, it even encrypts subject lines and contacts. A free plan for private use comes with 1GB of storage, but you can upgrade for 12 to 60 euros per year, depending on your needs. Premium features include aliases, inbox rules, support, more storage, custom domains, logos (on the high-end version), and more. It's limited to the Tutanota domain, but there are apps for iOS and Android.

Hushmail

Recommended by the EFF and others, Hushmail's entire claim to fame is that it's easy to use, doesn't include advertising, and has built-in encryption between members.
Of course, to get all that, you have to pay, starting at $49.98 per year for 10GB of online storage; there's a free 14-day trial for personal use. Access it on the web or iOS. Businesses can use Hushmail starting at $3.99 per user/month for nonprofits, going up to $5.99 for small businesses and $9.99 for legal and HIPAA-compliant healthcare entities. There's a one-time $9.99 setup fee for everyone.
Note that Hushmail has turned over records to the feds before, well over a decade ago, and its terms of service state you can't use it for "illegal activity," so it's not going to fight court orders. But at least it's honest about it upfront.

TorGuard Email

TorGuard is a global VPN service, which goes for around $9.99 per month to start. The service provides a separate Anonymous Email, which is free for 10MB storage; get 30GB for $6.95 per month, $15.95 per quarter, or $49.95 annually. All accounts get OpenPGP encryption of mail, no ads, and 24/7 help; try it free for seven days. For more, see PCMag's full review of TorGuard VPN.

TrashMail.com

TrashMail.com isn't just a site, it's also a browser extension for Google Chrome and Firefox, so you don't even have to visit the site. Create a new email from a number of domain options, and TrashMail.com will forward messages to your regular email address for the lifespan of the new TrashMail address, as determined by you. The only limit is how many forwards you get; to go unlimited, pay $21.99 a year. The site provides a full address manager interface, so create as many addresses as you like: a different one for every site means no two of them can be linked back to the same person.

Mailfence

Belgium-based Mailfence has been providing email privacy for years (it started as a collaboration suite for organizations in 1999) and still offers a 500MB free plan to anyone who needs it, complete with encrypted email and two-factor authentication logins. You can jump up to 5GB storage with 10 aliases for 2.50 euros per month, or go Pro for 7.50 and get 20GB, 50 aliases, and more, like full mobile and Exchange support. Businesses and non-profits can get a customized interface.

Abine Blur

For $39, Blur provides a service unlike anyone else's. This browser add-on is a password manager that lets you go about your online business without revealing anything about yourself. While almost every site/service online needs your email address to function (most use it as a username), Blur lets you create an unlimited number of anonymous, masked email addresses, plus one anonymous phone number and masked credit cards. Use them anywhere and everywhere. All the messages sent to the various anon emails will funnel to your regular email address. The only company in the know about who you really are is Abine, which makes it a convenience and privacy tool rather than a true anonymity tool. Read the full review; Blur is one of PCMag's Best of the Year 2018 products.
