The Case of The Curious INSCOM Cyber Warrior Site: You’ve Been Phished Without An Email Or A PDF!
INSCOM Is Hiring A Cyber Brigade? You Don’t Say!
A tweet from @treadstone71 yesterday caught my eye, and I decided to take a look at the link he had put out. The link purports to be for the new Cyber Brigade of INSCOM, the Army Intelligence and Security Command (images here and here).
Now, I am a bastard by nature as well as a paranoid so I decided to take a look at the site before making any kinds of re-tweets about it. Often today people just pass things along without really taking a good look at what they are talking about or recommending to others.
In this case, I am certainly glad my better nature (paranoia) took over. The site looks slick on the surface but as soon as you take a jaundiced eye to it, you see there are certain things wrong here.
So it seems that someone is making a full-sized driftnet for information on those who would like to sign up for, as well as discuss, the INSCOM Cyber Brigade. On the surface, like I said, this looks all well and good, but once you start to poke at it, you get some strange answers.
But, for those who don’t take a closer look WOO HOO they too can maybe get some details about how THEY CAN BE AN ARMY OF ONE... A Cyber Army of one that is. With all of the hoopla that jester is trying to stir up about his being a “patriot hacker”, people in the right wing and the stupid have been flocking to his side and to the idea that a Cyber Brigade is needed in this country. You know, like the ones that China has?
Yes, this has been the talk for a while. In fact, it pre-dates jester’s showing up, and I suspect it has something to do with it too. A Cyber Brigade (or Brigades) out there to protect us all from calamity on the Internets. Using their hi-tech skills, they will pre-pwn the Chinese, or Anonymous, and protect us all like John McClane in those horrid “Die Hard” movies. I can hear the jingoism in the air now and it hurts my ears as well as my frontal lobes.
As we spin out of control planning another war in Asia, the morons abound in just blindly supporting initiatives like the one this purports to be. And it scares me to think just how many people filled out their information on this site to get more information about becoming a “Cyber Warrior”.
Uh Wait... Why Is The Site on Godaddy AND It’s Hosted in Sweden?
Once you take a good look at the site though, you notice, if you bother to look, that the domain was set up in February and that it is in fact hosted by an anonymous proxy company who located the server in Sweden.
That’s right kids. This site is not hosted at all on .mil domains nor seems to be at all controlled or created by INSCOM or the military. Initial contact with the mil boys has unofficial responses of “uh what?” So the reality is that this site is not what it says it is (images here and here).
So what do we have so far...
- A site looking for you to fill out information
- A site looking for your information that is hosted in Sweden
- A site that the INSCOM folks don’t seem to know about in initial contacts
It seems pretty evident to me that, as Admiral Ackbar says, “It’s a TRAP!” Can you say Phishing, or at the very least “cutout”? I think you can. Time will tell once I hear back from the .mil guys, but really, do you all think the military would host their INSCOM Cyber Brigade site in Sweden? Do you further think they would want to be hosting a site taking the future “cyber brigadiers” information there as well?
Hint... If you said yes, you are doing it wrong… Time to get out of security.
Also, if I find out that indeed the military did set this site up in Sweden, well... There you go, I am moving to the bomb shelter ASAP. Some OPSEC there, huh?
OPSEC and SITUATIONAL AWARENESS
So many times I have railed about OPSEC and Situational Awareness on here but it seems some just don’t pay attention. As military, government, or INFOSEC workers should know, you have to pay attention to what you are doing and what is happening around you at all times.
In the case of this site, it seems to be out there to gather intelligence about those who would like to join such an outfit. Your details could be anything from where you are coming from in logs (site visits) to your email address, address, name, skill sets, etc. Or hell, just a CV out of you! Think about it, they don’t have to go through LinkedIn here! They just suck up the info that YOU give to them!
It would seem from the people who are already following the twitter acct that some of you may already be looking at this site askance, or you bought it hook, line and sinker. One follower in particular has CIA and other intelligence community groups written all over her profile. To me that says either she is INCREDIBLY stupid or it’s a cutout acct to further fool others into following the acct and lending credence to the site itself to those who aren’t smart enough to think critically.
Flies To Corpse Flowers
So, as this site is still up, the flies will congregate to the cyber corpse flower. I wonder how many have already put their info in there… Actually it kinda reminds me of Project Viglio (Vigilo misspelled by the morons designing the logo). Remember that one post Defcon a couple years back? Yeah, BS sites and calls to action by who knows. People fall for stupid shit all the time and this is what the likes of China really want to have continue.
Yep, I said it... China.
Oh no, there I go again... Well, yes, China, or maybe in this case WikiLeaks? Or perhaps Anonymous? This site is fairly well put together on the surface so as to fool people, but this is a common tactic out there. Put up a nice site and start harvesting data. In this case who would benefit from such a program?
Who would want this data? Personally I think China would love to have the cyber warriors of the “future” already marked to watch, no? This however is anyone’s guess at present but I had to put it out there.
In the end, this is a cautionary tale for you all out there. Pay attention to what you are re-tweeting and signing up for.
CORRECTION: The server is not in fact located in Sweden; it is instead in Scottsdale, AZ (image here).
The server location does not change the issue at hand though. The site is a recent site that wants to take your information insecurely on a notoriously insecure hosting company’s servers. I am still waiting on INSCOM’s response from their publicity office on this, but all of this has the hallmarks of being hinky, and anyone in the INFOSEC world should have their ears pricked at seeing this.
Now, the companies listed are real, but this does not mean to me that they are involved or had created the site. Remember that the site was registered under a proxy service, so who’s to know whose site it really is.
Time will tell, and INSCOM will respond.
FOLLOW UP: So, the site is legitimate though the source at INSCOM cannot fathom why they would be using Godaddy with an anon registry AND no SSL. As the email says, it’s sad but true.
From: XXXXXXXX CPT MIL USA USINSCOM
Sent: Tuesday, March 13, 2012 9:47 AM
Subject: RE: Phishing Site for INSCOM? (UNCLASSIFIED)
Well, the site is legitimate. I just got an email verifying it is being used
to recruit new civilian talent into the INSCOM Cyber Brigade. Why they are
using that system, I have no idea. Sad, but I guess that’s the way the Army
is going. Regardless, I appreciate your attention and concern to such
matters. Thank you.
So let’s recap: a site registered under an anonymous proxy account was taking names and information in an insecure manner for jobs potentially at NSA for INSCOM. Anyone in this business should look at such a site and question it frankly, never mind just re-tweet it out.
The Twitter account seemed hokey too, just like the site, so this also makes one wonder about both. Given recent events with the NATO Facebook thing, you would think that the question needs to be asked.
… And as the INSCOM guy says, he isn’t sure why they are doing it the way they are, and he seems incredulous.
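The checks from the recap above (host outside .mil, recently registered domain, proxy registrant, form data sent without SSL) can be run mechanically before re-tweeting a link or filling in a form; this is an added example, not part of the original post. The domain, WHOIS text and its field labels, the HTML, the keyword list and the 180-day threshold are all constructed assumptions.

```python
import re
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed inputs (not from the post): placeholder domain, assumed WHOIS labels.
SAMPLE_URL = "http://cyber-brigade.example/"
SAMPLE_WHOIS = """Domain Name: CYBER-BRIGADE.EXAMPLE
Creation Date: 2012-02-15
Registrant Organization: Example Privacy Proxy Service
"""
SAMPLE_HTML = '<form action="/apply" method="post"><input name="email"></form>'
PROXY_HINTS = ("proxy", "privacy", "redacted")  # assumed keyword list

class FormFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":  # record where each form posts its data
            self.actions.append(dict(attrs).get("action") or "")

def triage(page_url, claimed_suffix, whois_text, html, today, min_age_days=180):
    """Return the reasons to verify a site before sending it personal data."""
    findings = []
    host = urlparse(page_url).hostname or ""
    if not host.endswith(claimed_suffix):
        findings.append(f"host {host} is not under {claimed_suffix}")
    created = re.search(r"^Creation Date:[ \t]*(\d{4})-(\d{2})-(\d{2})", whois_text, re.M)
    age = (today - date(*map(int, created.groups()))).days if created else None
    if age is None:
        findings.append("WHOIS has no creation date")
    elif age < min_age_days:
        findings.append(f"domain registered {age} days ago")
    owner = re.search(r"^Registrant Organization:[ \t]*(.+)$", whois_text, re.M)
    name = owner.group(1).strip() if owner else ""
    if not name or any(hint in name.lower() for hint in PROXY_HINTS):
        findings.append(f"registrant hidden or missing: {name or 'none'}")
    forms = FormFinder()
    forms.feed(html)
    for action in forms.actions:
        target = urljoin(page_url, action)  # empty action posts back to the page
        if urlparse(target).scheme != "https":
            findings.append(f"form submits without TLS to {target}")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_URL, ".mil", SAMPLE_WHOIS, SAMPLE_HTML, date(2012, 3, 13)))
```

The site in this post tripped checks like these and still turned out to be legitimate, so a finding is a reason to confirm with the claimed owner before submitting anything, not a verdict.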
There you have it.
Pay attention to things and actually take the time to read what I am saying.
Cross-posted from Krypt3ia