You’ve Been Phished Without an Email or a PDF

Monday, March 12, 2012

Infosec Island Admin


The Case of The Curious INSCOM Cyber Warrior Site: You’ve Been Phished Without An Email Or A PDF!

INSCOM Is Hiring A Cyber Brigade? You Don’t Say!

A tweet from @treadstone71 yesterday caught my eye, and I decided to take a look at the link he had put out. The link purports to be for the new Cyber Brigade of INSCOM, the Army Intelligence and Security Command (images here and here).

Now, I am a bastard by nature as well as a paranoid, so I decided to take a look at the site before making any kind of re-tweet about it. Too often today people just pass things along without really taking a good look at what they are talking about or recommending to others.

In this case, I am certainly glad my better nature (paranoia) took over. The site looks slick on the surface but as soon as you take a jaundiced eye to it, you see there are certain things wrong here.

Alas though, not only was there a site but also a Twitter account that had just been set up as well (images here and here).

So it seems that someone is making a full-sized driftnet for information on those who would like to sign up for, as well as discuss, the INSCOM Cyber Brigade. On the surface, like I said, this looks all well and good, but once you start to poke at it you get some strange answers.

But, for those who don’t take a closer look, WOO HOO, they too can maybe get some details about how THEY CAN BE AN ARMY OF ONE... A Cyber Army of one, that is. With all of the hoopla that jester is trying to stir up about his being a “patriot hacker”, people on the right wing and the stupid have been flocking to his side and to the idea that a Cyber Brigade is needed in this country. You know, like the ones that China has?

Yes, this has been the talk for a while; in fact, it pre-dates jester’s showing up, and I suspect it has something to do with that too. A Cyber Brigade (or Brigades) out there to protect us all from calamity on the Internets. Using their hi-tech skills, they will pre-pwn the Chinese or Anonymous and protect us all like John McClane in those horrid “Die Hard” movies. I can hear the jingoism in the air now and it hurts my ears as well as my frontal lobes.

As we spin out of control planning another war in Asia, the morons abound in just blindly supporting initiatives like the one this site purports to be. And it scares me to think just how many people filled out their information on this site to get more information about becoming a “Cyber Warrior.”

Uh Wait... Why Is The Site on Godaddy AND It’s Hosted in Sweden?

Once you take a good look at the site, though, you notice (if you bother to look) that the domain was set up in February and that it is in fact hosted by an anonymous proxy company that located the server in Sweden.

*blink blink*

That’s right, kids. This site is not hosted on a .mil domain at all, nor does it seem to be controlled or created by INSCOM or the military. Initial contact with the .mil boys has produced unofficial responses of “uh, what?” So the reality is that this site is not what it says it is (images here and here).

So what do we have so far...

  • A site looking for you to fill out information
  • A site looking for your information that is hosted in Sweden
  • A site that the INSCOM folks don’t seem to know about in initial contacts
  • Skulduggery

It seems pretty evident to me that, as Admiral Ackbar says, “It’s a TRAP!” Can you say phishing, or at the very least “cutout”? I think you can. Time will tell once I hear back from the .mil guys, but really, do you all think the military would host their INSCOM Cyber Brigade site in Sweden? Do you further think they would want to be hosting a site taking the future “cyber brigadiers’” information there as well?

Hint... If you said yes, you are doing it wrong… Time to get out of security.

Also, if I find out that the military did indeed set this site up in Sweden... well, there you go, I am moving to the bomb shelter ASAP. Some OPSEC there, huh?

OPSEC and SITUATIONAL AWARENESS

So many times I have railed about OPSEC and Situational Awareness on here but it seems some just don’t pay attention. As military, government, or INFOSEC workers should know, you have to pay attention to what you are doing and what is happening around you at all times.

In the case of this site, it seems to be out there to gather intelligence about those who would like to join such an outfit. The details gathered could range from where you are coming from (in the site’s visit logs) to your email address, postal address, name, skill sets, etc. Or hell, just a CV out of you! Think about it: they don’t have to go through LinkedIn here! They just suck up the info that YOU give to them!

Easy peasy.

It would seem from the people who are already following the Twitter acct that some of you may already be looking at this site askance, or you bought it hook, line and sinker. One follower in particular has CIA and other intelligence community groups written all over her profile. To me that says either she is INCREDIBLY stupid or it’s a cutout acct to further fool others into following the acct and lending credence to the site itself to those who aren’t smart enough to think critically.

Flies To Corpse Flowers

So, as long as this site is still up, the flies will congregate to the cyber corpse flower. I wonder how many have already put their info in there… Actually, it kinda reminds me of Project Viglio (Vigilo, misspelled by the morons designing the logo). Remember that one, post-Defcon a couple of years back? Yeah, BS sites and calls to action by who knows. People fall for stupid shit all the time, and this is what the likes of China really want to have continue.

Yep, I said it... China.

Oh no, there I go again... Well, yes, China, or maybe in this case WikiLeaks? Or perhaps Anonymous? This site is fairly well put together on the surface so as to fool people, but this is a common tactic out there: put up a nice site and start harvesting data. In this case, who would benefit from such a program?

Who would want this data? Personally, I think China would love to have the cyber warriors of the “future” already marked to watch, no? This, however, is anyone’s guess at present, but I had to put it out there.

In the end, this is a cautionary tale for you all out there. Pay attention to what you are re-tweeting and signing up for.

K.

CORRECTION: The server is not in fact located in Sweden; it is instead in Scottsdale, AZ (image here).

The server location does not change the issue at hand, though. The site is recently registered and wants to take your information insecurely on a notoriously insecure hosting company’s servers. I am still waiting on INSCOM’s response from their publicity office on this, but all of this has the hallmarks of being hinky, and anyone in the INFOSEC world should have their ears pricked at seeing this.

Now, the companies listed are real, but this does not mean to me that they are involved or created the site. Remember that the site was registered under a proxy service, so who’s to know whose site it really is.

Time will tell, and INSCOM will respond.

FOLLOW UP: So, the site is legitimate, though the source at INSCOM cannot fathom why they would be using Godaddy with an anonymous registration AND no SSL. As the email says, it’s sad but true.

-----Original Message-----
From: XXXXXXXX CPT MIL USA USINSCOM
[mailto:XXXXXXXXX]
Sent: Tuesday, March 13, 2012 9:47 AM
To: XXXXXXXXXX
Subject: RE: Phishing Site for INSCOM? (UNCLASSIFIED)

Mr. XXXXXX,

Well, the site is legitimate. I just got an email verifying it is being used
to recruit new civilian talent into the INSCOM Cyber Brigade. Why they are
using that system, I have no idea. Sad, but I guess that’s the way the Army
is going. Regardless, I appreciate your attention and concern to such
matters. Thank you.

XXXXXXXXX

So let’s recap: a site, registered under an anonymous proxy account, was taking names and information in an insecure manner for jobs at INSCOM, and potentially at NSA. Anyone in this business should look at such a site and question it, frankly, never mind just re-tweeting it out.
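The checks the post applied by hand (is it a .mil host, how recently was the domain registered, is the registrant hidden behind a WHOIS proxy, do the forms submit applicant data without SSL/TLS) can be written down as a repeatable vetting routine. The script below is an added example, not code from the post or from Infosec Island; it runs offline over a constructed WHOIS record, a constructed page with two forms, and a made-up domain, and the 90-day "recently registered" threshold is an assumption chosen for illustration.

```python
# Added example (not from the post): offline vetting of a recruiting site against
# the red flags the post lists. All sample data below is constructed.
from datetime import date, datetime
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed WHOIS record; not a lookup result for any real domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CYBER-BRIGADE.COM
Registrar: GoDaddy.com, LLC
Creation Date: 2012-02-21T00:00:00Z
Registrant Organization: Domains By Proxy, LLC
Registrant Country: US
"""

# Constructed page: an application form posting over plain HTTP, and one over HTTPS.
SAMPLE_HTML = """\
<html><body>
<form action="http://example-cyber-brigade.com/apply" method="post">
  <input name="name"> <input name="email"> <input type="file" name="resume">
</form>
<form action="https://example-cyber-brigade.com/newsletter" method="post">
  <input name="email">
</form>
</body></html>
"""
SAMPLE_URL = "http://example-cyber-brigade.com/"   # constructed, not a real site
SAMPLE_TODAY = date(2012, 3, 12)                    # the post's date, used as "now"

PROXY_MARKERS = ("domains by proxy", "whoisguard", "privacy", "proxy", "redacted")
SENSITIVE_FIELDS = ("resume", "cv", "ssn", "clearance", "password")


def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def parse_creation_date(value):
    """Accept ISO-8601 ('2012-02-21T00:00:00Z') or '21-feb-2012' style dates."""
    stamp = value.split("T")[0].strip()
    for fmt in ("%Y-%m-%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(stamp, fmt).date()
        except ValueError:
            continue
    return None


class FormCollector(HTMLParser):
    """Collect each <form>'s action URL and its input names/types."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                (attrs.get("name", "").lower(), attrs.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def vet_site(page_url, html, whois_text, today, max_age_days=90):
    """Return the red flags found; an empty list means none of the post's signals fired."""
    findings = []
    host = (urlsplit(page_url).hostname or "").lower()

    # 1. A genuine Army recruiting site should live under a .mil host.
    if not host.endswith(".mil"):
        findings.append(f"{host} is not a .mil host")

    # 2. A domain registered only days ago is a classic phishing signal.
    whois = parse_whois(whois_text)
    created = parse_creation_date(whois.get("creation date", ""))
    if created is None:
        findings.append("could not determine domain creation date")
    elif (today - created).days < max_age_days:
        findings.append(f"domain registered {(today - created).days} days ago")

    # 3. Registrant hidden behind a WHOIS privacy/proxy service.
    registrant = whois.get("registrant organization", "").lower()
    if any(marker in registrant for marker in PROXY_MARKERS):
        findings.append("registrant hidden behind a WHOIS privacy/proxy service")

    # 4. Forms that collect applicant data and submit it without TLS.
    collector = FormCollector()
    collector.feed(html)
    for form in collector.forms:
        if not form["fields"]:
            continue
        action = urljoin(page_url, form["action"])
        sensitive = any(ftype == "file" for _, ftype in form["fields"]) or any(
            marker in name for name, _ in form["fields"] for marker in SENSITIVE_FIELDS)
        if urlsplit(action).scheme != "https":
            note = " (includes a file upload or other sensitive field)" if sensitive else ""
            findings.append(f"form posts to {action} without TLS{note}")
    return findings


def demo():
    """Vet the constructed sample the way the post vetted the real site."""
    return vet_site(SAMPLE_URL, SAMPLE_HTML, SAMPLE_WHOIS, SAMPLE_TODAY)


if __name__ == "__main__":
    for flag in demo():
        print("RED FLAG:", flag)
```

On the constructed sample this reports four flags (non-.mil host, 20-day-old registration, proxy registrant, and the application form posting over HTTP with a résumé upload), while the HTTPS newsletter form is left alone. In practice the WHOIS text and HTML would come from a real lookup and a fetch of the page; the script deliberately takes them as arguments so the decision logic can be tested without touching the network.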

The Twitter account also seemed hokey, just like the site, which makes one wonder about both the site and the account. Given recent events with the NATO Facebook thing, you would think the question needs to be asked.

… And as the INSCOM guy says, he isn’t sure why they are doing it the way they are, and he seems incredulous.

There you have it.

Pay attention to things and actually take the time to read what I am saying.

Cross-posted from Krypt3ia

Phishing scam China Social Engineering Patriot Hackers Infosec Intelligence OpSec Cyber Militia INSCOM HUMINT
Paranoia big destroya - Sometimes, we all make mistakes and this blog is one of them.

For quite some time now I have been on the distribution list for TechExpoUSA receiving notifications of hiring events, many times for cleared individuals. The email I received from Ken Fuller is as follows:

Can you imagine working at the forefront of national security addressing our nation's growing needs in cyberspace? Are you looking to help develop new technologies and security strategies to establish broad-based cyber operations? If so, come join us and be a part of history in a stable federal (non-military) government working environment, with competitive pay and generous benefits.

The US Army Intelligence and Security Command (INSCOM) Cyber Brigade is being formed with the best and brightest cyber professionals recruited throughout the US. This new unit comprised civilian and military cyber warriors will introduce added capacities to the US arsenal of defense and response capabilities. These elite cyber professionals will design, plan, collect, analyze, exploit, and conduct full-spectrum cyberspace operations.

INSCOM is seeking both experienced cyber professionals with at least three years of work experience in the field, and recent college graduates with IT, Engineering, and Mathematics degrees.

Are you ready to work for the federal government with opportunities available around the country? If you have the drive, skills, and the desire, then make your move and contact us today. Don’t wait to start your future in cyber warfare!

Come visit us: March 9, 2012 at 10AM-3PM
Courtyard Marriott
387 Winter St Waltham, MA 02451

Send a copy of your resume to cyber@mbacsi.com today!

If you follow the domain name in the email, you will find that MBA Consulting Services was awarded a contract on 3/30 to staff INSCOM (Cyber Brigade) http://mbacsi.com/033111.htm

It did not take much to validate something that has always been legit.

If you want to reach out to Ken to speak with him directly, do so here (or send a resume if you want to get involved in the INSCOM Cyber Brigades).


Kenneth Fuller
Vice President
TECHEXPO Top Secret
276 Fifth Avenue, Suite # 906
New York, NY 10001
Tel: 212.655.4505 ext. 234
Cell: 516.813.7719
Fax: 212.655.4501
KFuller@TechExpoUSA.com
www.linkedin.com/in/kennethfuller
www.TechExpoUSA.com

A little paranoia can go a long way. On the other hand, checking with those who have posted a Tweet can lessen the wild thoughts of Chinese espionage that lead to a cry-wolf FUD event. We have enough Chinese espionage activities. That's one of the reasons for the Cyber Brigades.

"If God dropped acid, would He see people?" - Steven Wright
1331593185
Laura Walker umm http://mbacsi.com/was.htm

and
MBA CONSULTING SERVICES, INC.
SCC ID: 05287982
Business Entity Type: Corporation
Jurisdiction of Formation: VA
Date of Formation/Registration: 10/20/1999
Status: Active
Shares Authorized: 5000

Principal Office
14900 CONFERENCE CENTER DR
STE 340
CHANTILLY VA 20151

Registered Agent/Registered Office
REES BROOME PC
8133 LEESBURG PIKE 9TH FL

VIENNA VA 22182-2706
FAIRFAX COUNTY 129
Status: Active
Effective Date: 5/4/2007
1331593641
John Nicholson As I noted on the original blog, someone clearly has a sense of humor, since Treadstone71 was the shadow organization that employed Jason Bourne.

If that doesn’t trigger suspicion, I don’t know what will.
1331595396
And you still drink the Krypt3ia kool aid

“Nobody stopped thinking about those psychedelic experiences. Once you’ve been to some of those places, you think, ‘How can I get back there again but make it a little easier on myself?’” - Jerry Garcia
1331595808
Xander Cage Time to relax! There is no need for name calling. I reviewed the site as well and had concerns. Hosting a site on Godaddy, not using SSL on forms, and uploading resumes to an insecure environment screamed to me that this would never pass a FISMA test. In lieu of this morning's news "Facebook Social Engineering Attack Strikes NATO"
http://www.informationweek.com/news/security/government/232602419

Scot's reaction would be on point considering all the Espionage going on.

- My 2 Cents
1331598597
When you open the door and let the cat out, you have to expect that the dogs in the yard might just react, especially when the cat starts urinating in the dogs' back yard.
1331598762
"Now, I am a bastard by nature as well as a paranoid so I decided to take a look at the site before making any kinds of re-tweets about it. Often today people just pass things along without really taking a good look at what they are talking about or recommending to others."

Well, all I am looking for is an apology. Your credibility is at stake and your action/inaction will validate your integrity. Your choice. And that's all I have to say about that. Signing off on this subject
1331599262
John Nicholson My bad. I misunderstood the original post and thought Treadstone71 was actually the twitter account claiming to be INSCOM (which would have been both funny and suspicious), not just someone tweeting about the website.
1331599924
Ali-Reza Anghaie http://www.packetknife.com/oh-please-krypt3ias-credibility-is-not-at-sta

I tried hard not to comment on the INSCOM / Krypt3ia / Treadstone debacle but in all the pissing I think some good issues are being missed.

First, let's get this out of the way. Scot and I have worked together professionally, work together informally, he is a good friend, and we co-host the Cloak & Swagger podcast. We've been accused of cuddling over stacks of jihadist forum posts. I wouldn't have posted what Scot did here, but I'm not at all surprised it is posted, nor do I think the various reactions are realistic. Scot does good work, and even if this turns out to be wrong, he still brought to light numerous issues that should be corrected by the effort owners.

It's not Scot's job to vet sites and how the heck are we supposed to get these things officially vetted? No clear way. And just because it's not his job doesn't mean he can't talk about it. This wasn't a Jester approach to things, he didn't DDoS the site. If it's legitimate did he perhaps hurt the contracting companies or recruitment efforts? Perhaps. Or maybe upon further review INSCOM will reconsider how this should be done and a better system will result. A few bruised egos and wallets - that's unfortunate - but not the end of existence. If it happens to you, it sucks, I get it.. keep reading.

If it's legit, why the heck did it not get linked or announced on the INSCOM website itself? There are a number of links about employment and recruiting there. It would've reduced a lot of headache for everyone involved. As it stands various LinkedIN information, a Facebook page, a few PRs, a few other sites, WHOIS information, etc. can all be pulled. Even PR on contract announcements but it's hard to track those back to an Army verifiable site. Again, solve this problem by coordinating the announcement w/ the INSCOM - linking where their existing employment information does.

"Shadow IT" does these things all the time. I've seen it a number of times, from recruiting, to bids for new "secure" offices, to fleet management: costs and processes don't fall in line and people have a deliverable. They either don't know where to go or have little to no oversight. And, often, when they do go to the right pathway, that path is entirely too difficult or expensive to maneuver. And ultimately the original person given the contract and/or task will pay the price of non-delivery. It's not right, it's reality, and we have to consider that across the board (Government or private enterprise) to reduce our exposures. It's in Government's and private industry's best interests to hammer these procedural issues out quickly to allow a continued lower-cost sourcing approach without unnecessarily increasing risk exposure.

The risk of the site, even if it was phishing, really doesn't change much of the landscape. It's not entirely clear if it was panic worthy, but again, even if it was entirely panic worthy, who the fsck are you supposed to panic to? Companies put out security addresses and forms, prominently displayed; why do we not have the same thing for the Government? Perhaps the various Inspector General offices would be the brokering agents while the DHS and friends work out a Cyber Command? These are large organizations, much bigger than any private enterprise, and we all (should) know how hard it can be to find the right "owner" of a project sometimes. An argument could be made, as Scot clearly has National Security on the mind, that he legitimately wanted the highest possible visibility for this immediately. He got it. Style points weren't his goal here.

Scot's human and has biases. The other day he himself RTed a Monsanto / Blackwater conspiracy story without vetting it. I've done similar before. That's not a hanging offense - not even close. Credibility doesn't get destroyed by making a mistake. Credibility is just as likely to be destroyed if you buckle to an angry mob (of one even). Scot had to take a step back and wait and see. At ~this~ point, that's the right thing to do. If he rushes to try to vet he may make a mistake and either further damage or legitimize something he isn't responsible for or unsure of. Again, at this point, when the cat is out of the proverbial bag... that's the right thing to do. He'll apologize in his own stabby way if appropriate. He is taking a risk here too - he knows that - he isn't naive.

Tone. Yeah, I've disagreed w/ Scot on his tone and approach a lot before. Disagree here too. Except I don't go to Scot's site expecting FactCheck.org and some British formality. That's not what he does and if you don't like it, chill the fsck out. He isn't the Pope and Catholics aren't changing their browsers to Biblefox over this.

No publicity is bad publicity so if this is entirely legit I bet better candidates will result out of the whole debacle. You won't want those not willing to understand realities of enterprise issues (Government level in this case). And you don't want those running haphazardly to hand over everything.

With all that said, if it were me and I was raising an eyebrow, I'd ask around... from what I understand, Scot did. And then he went forward with it. We can argue about specific tactics, but it still doesn't change the realities of process noted above. There was no clear right way to be on either side of this issue. Minor changes could've prevented a whole bunch of headache. Let's work on that now instead of trying to assassinate one particular blogger.

I feel bad for ATSC, Treadstone71 (Jeff here), MBACSI, and Scot in this case. I don't see how anybody could've done what was right by them in an environment that seems sometimes engineered against clarity and transparency. Cheers, -Ali
1331603960
Laura Walker Scot's credibility isn't on the line - he has plenty of that. I think this is just a case of a hasty post. Happens to everyone.
1331604630
Kenneth Fuller I am the person responsible for organizing the event for MBA-CSi and ATSC. Being that everyone is a critic, I am here to defend myself, the events, the emails and everything else that I do. I have been producing hiring events for over a decade in the defense and intelligence arena and happen to be a respected event producer. If you would care to discuss this event, or any events that I produce, please feel free to contact me in my office: 212.655.4505 ext.234

As far as a ghost web site phishing for emails and information about people, that is just absurd. I appreciate everyone who defended myself, my event and my clients' desire to find qualified professionals to work on a very important project. We do happen to be in a horrible job market, so anytime someone can help put people back to work, isn't that a good thing???

Thanks again, sorry for any confusion and best wishes to all.....

Thanks Jeff:)
1331660270
Jeffrey Carr There were some constructive suggestions in the mix, Kenneth. If your website looks "phishy", I'd think you'd be interested in making some improvements to make it less so. And if information is being collected in an insecure manner on your site (i.e., not using SSL), then that's another criticism that you could find benefit in addressing. Bottom line: you continue to do your good work for your client, but in a more secure way. Win-win.
1331681372
Kenneth Fuller Correction: my web site is www.TechExpoUSA.com; the web site in question is that of MBA-CSi, not mine. However, this was just a splash page to inform people of the INSCOM award and events.

Thanks for the information though, I will forward on to those who need to know.
1331730623
Krypt3ia -----Original Message-----
From: XXXXXXXX CPT MIL USA USINSCOM
[mailto:XXXXXXXXX]
Sent: Tuesday, March 13, 2012 9:47 AM
To: XXXXXXXXXX
Subject: RE: Phishing Site for INSCOM? (UNCLASSIFIED)

Mr. XXXXXX,

Well, the site is legitimate. I just got an email verifying it is being used
to recruit new civilian talent into the INSCOM Cyber Brigade. Why they are
using that system, I have no idea. Sad, but I guess that’s the way the Army
is going. Regardless, I appreciate your attention and concern to such
matters. Thank you.

XXXXXXXXX

If INSCOM says it's sad.. My point is made.
1331732656
Xander Cage This site highlights several issues we are facing. While NIST is working on developing federal contracting standards for security, non-governmental entities must also be concerned about security for compliance with data breach laws, in some particular industries for regulatory compliance, and generally for marketing considerations.

1. Is my site handling information in a safe and secure manner?

2. Am I in compliance with the guidelines?

3. Is there a link to the contract awarded for this site?

As Scot reported this immediately, there was no malicious intent. Information should have been in the domain WHOIS to contact the trusted source.

The fear of Social Media is on the rise. The Robin Sage Experiment has brought concern to the military http://www.dcmilitary.com/article/20120302/NEWS10/120309980/the-robin-sage-experiment-the-dangers-of-friending-strangers-online .

So much so DOD created socialmedia.defense.gov

All Scott did was show an immediate concern to open a live discussion on a site that looked Phishy.
1331737197