A Small Spam Campaign

About a week ago, I saw this on VirusTotal:


A user by the name of “sgsturby” reported that it was spam. I only had about 20 minutes free, so I did some quick Google searches involving the domain, which resulted in this:


The domain is listed as untrustworthy, with a category of Spam, by Web of Trust. I then went onto Twitter, searched for the domain and found these two Twitter accounts regularly tweeting the domain as well as some other spam:

What I first noticed is that these two accounts mainly tweet in Japanese and occasionally in English and Russian.

After that, I did a WHOIS check on the domain and found this information:

Domain Name: lnaj7k8qspkistk3sll0hqp6mo2wq8go.com
Registry Domain ID: 2110457972_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.discount-domain.com
Registrar URL: http://www.onamae.com
Updated Date: 2017-04-03T00:00:00Z
Creation Date: 2017-04-02T00:00:00Z
Registrar Registration Expiration Date: 2018-04-02T00:00:00Z
Registrar IANA ID: 49
Registrar Abuse Contact Email: email@gmo.jp
Registrar Abuse Contact Phone: +81.337709199
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Whois Privacy Protection Service by onamae.com
Registrant Organization: Whois Privacy Protection Service by onamae.com
Registrant Street: 26-1 Sakuragaoka-cho
Registrant Street: Cerulean Tower 11F
Registrant City: Shibuya-ku
Registrant State/Province: Tokyo
Registrant Postal Code: 150-8512
Registrant Country: JP
Registrant Phone: +81.354562560
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: email@whoisprotectservice.com
Registry Admin ID: Not Available From Registry
Admin Name: Whois Privacy Protection Service by onamae.com
Admin Organization: Whois Privacy Protection Service by onamae.com
Admin Street: 26-1 Sakuragaoka-cho
Admin Street: Cerulean Tower 11F
Admin City: Shibuya-ku
Admin State/Province: Tokyo
Admin Postal Code: 150-8512
Admin Country: JP
Admin Phone: +81.354562560
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: email@whoisprotectservice.com
Registry Tech ID: Not Available From Registry
Tech Name: Whois Privacy Protection Service by onamae.com
Tech Organization: Whois Privacy Protection Service by onamae.com
Tech Street: 26-1 Sakuragaoka-cho
Tech Street: Cerulean Tower 11F
Tech City: Shibuya-ku
Tech State/Province: Tokyo
Tech Postal Code: 150-8512
Tech Country: JP
Tech Phone: +81.354562560
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: email@whoisprotectservice.com
Name Server: ns1.elasticdomain.net
Name Server: ns2.elasticdomain.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2017-04-03T00:00:00Z <<<
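
To turn a record like this into a quick triage verdict, here is an added example in Go (not part of the original post) that parses the WHOIS fields quoted above and scores three indicators a throwaway spam domain tends to show: very recent registration, a privacy-proxied registrant, and a long, random-looking label. The observation date, the 30-day age cut-off and the 3.5-bit entropy threshold are assumptions chosen for the example; the sample record is a constructed subset of the output above.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"time"
)

// whoisSample is a constructed subset of the WHOIS record quoted above; only
// the fields the triage uses are kept.
const whoisSample = `Domain Name: lnaj7k8qspkistk3sll0hqp6mo2wq8go.com
Creation Date: 2017-04-02T00:00:00Z
Registrar Registration Expiration Date: 2018-04-02T00:00:00Z
Registrant Name: Whois Privacy Protection Service by onamae.com
Registrant Email: email@whoisprotectservice.com
Name Server: ns1.elasticdomain.net
Name Server: ns2.elasticdomain.net
DNSSEC: unsigned`

// ParseWhois splits "Key: Value" lines into a map. Repeated keys such as
// "Name Server" keep every value; the split is on the first colon only, so
// timestamp values that contain colons survive intact.
func ParseWhois(raw string) map[string][]string {
	fields := make(map[string][]string)
	for _, line := range strings.Split(raw, "\n") {
		key, val, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		fields[key] = append(fields[key], val)
	}
	return fields
}

// LabelEntropy returns the Shannon entropy, in bits per character, of the
// leftmost DNS label. Dictionary-word labels score around 2-3 bits; the
// 32-character label above scores over 4.
func LabelEntropy(domain string) float64 {
	label := strings.Split(strings.ToLower(domain), ".")[0]
	counts := make(map[rune]int)
	for _, r := range label {
		counts[r]++
	}
	n := float64(len([]rune(label)))
	var h float64
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

type Triage struct {
	Domain         string
	AgeDays        int     // days between registration and the observation
	PrivacyProxied bool    // registrant hidden behind a privacy service
	LabelEntropy   float64 // randomness of the leftmost label
	Suspicious     bool    // all three indicators present
}

// TriageDomain scores a WHOIS record against the observation time. The
// thresholds (30 days, 3.5 bits) are assumed cut-offs chosen for this example.
func TriageDomain(raw string, observed time.Time) (Triage, error) {
	f := ParseWhois(raw)
	if len(f["Domain Name"]) == 0 || len(f["Creation Date"]) == 0 {
		return Triage{}, fmt.Errorf("record lacks Domain Name or Creation Date")
	}
	created, err := time.Parse(time.RFC3339, f["Creation Date"][0])
	if err != nil {
		return Triage{}, fmt.Errorf("bad Creation Date: %w", err)
	}
	t := Triage{
		Domain:       f["Domain Name"][0],
		AgeDays:      int(observed.Sub(created).Hours() / 24),
		LabelEntropy: LabelEntropy(f["Domain Name"][0]),
	}
	registrant := strings.ToLower(strings.Join(f["Registrant Name"], " "))
	t.PrivacyProxied = strings.Contains(registrant, "privacy") || strings.Contains(registrant, "proxy")
	t.Suspicious = t.AgeDays >= 0 && t.AgeDays <= 30 && t.PrivacyProxied && t.LabelEntropy > 3.5
	return t, nil
}

func main() {
	// Assumed observation date: the post only says "about a week ago".
	observed := time.Date(2017, time.April, 10, 0, 0, 0, 0, time.UTC)
	t, err := TriageDomain(whoisSample, observed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", t)
}
```

None of the three indicators is damning on its own (plenty of legitimate domains use WHOIS privacy, and new domains are registered every second), which is why the verdict requires all of them together; in practice you would also pivot on the name servers, since shared infrastructure like the two elasticdomain.net hosts above often ties one spam domain to its siblings.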

Using a tool called Fiddler, I then checked out some of the bitly links that these accounts were posting and found these domains:


From what I have gathered, this spam campaign mainly operates using email services and Twitter, and spams website inboxes through contact forms.

Keep in mind that I have not done an in-depth analysis of these domains and this is not the full extent of the spam campaign. This is just a quick blog post to make security researchers aware of the campaign.


The IoT Revolution

Over the past 10 years, connecting physical things to the internet has become quite a trend. People have been adding more and more devices to the internet, such as toasters, televisions, dog food dispensers, baby monitors and even wheelchairs. These devices provide very useful functionality in the average home, since you can change various environmental factors within your home just by clicking a button on a web app.

Of course, as with any fairly new technology, there are valid concerns from various viewpoints, including privacy, security, design, and the environmental and economic impact on the world. These internet-connected devices are becoming increasingly common: in 2015, an average household had at least 7 internet-connected devices. This contrasts with the early 80s, when almost no household had any kind of internet-connected device.

You’ve all heard the story of the baby monitor that got hacked, and of the 7-month-old baby who found itself being shouted at by an unknown male. These kinds of attacks can happen because devices such as baby monitors are now connected to the internet.

Attackers can also infect ‘smart’ devices with malware, allowing them to see everything happening in the victim’s home. Devices such as smart TVs and CCTV cameras are often hijacked and used to spy on the people around them. Devices without a camera or microphone, such as IoT toasters or wheelchairs, are infected with backdoor trojans instead, allowing the attackers to use them as part of a large botnet or as a proxy that hides malicious traffic among legitimate traffic.

In the case of the Mirai botnet, the infected devices ran malware that connected to a command-and-control server and waited for instructions; once it received a command, it would execute it. Mirai spread by scanning for devices that still accepted telnet logins with factory-default credentials. The threat actor behind the botnet used these devices to launch DDoS attacks on various services and DNS providers.

Companies get it wrong too!

In November 2015, the technology company VTech, which makes various devices for kids and families, was hacked. The breach exposed dates of birth, email addresses, family members’ names, genders, IP addresses, names, passwords, physical addresses, security questions and answers, usernames and website activity, of not only the adults but also the kids. After the breach, VTech shut down most of its IoT and online services, as there were signs that the stolen data was being used to maliciously control or access the devices owned by families.


Although IoT devices do have their advantages, such as being able to remotely make coffee or throw food at your household dog, developers and engineers should be careful about how the devices are deployed in homes, how they communicate, what information they store and who they send that information to. I predict that in the future, IoT devices will become an essential part of our everyday life, just like TV has. Because of this, we need to make sure that IoT devices are protected against attacks.

Project PWD [Free Backgrounds]

On the 11th February 2017, I tweeted this:

I wasn’t expecting the positive outcome that it got. With the exception of the one person who voted no, the majority of people do actually want free backgrounds. Project PWD lasted about 2 weeks and was mainly focused on me learning new ways to create interesting designs and backgrounds.

For Project PWD, I used some design techniques that I had never used before, including cloud effects, median blurring and different types of overlay.

When using the backgrounds included in Project PWD, I recommend setting your background image setting to either “fill” or “stretch” in order to get the full quality of the images.

This project may be extended in the future 🙂

All assets of Project PWD are licensed under a Creative Commons Attribution 4.0 International License.

You can download Project PWD here.

Ransomware Fundamentals

The general concept of ransomware is that the victim is forced into paying a ransom in order to regain access to their computer or virtual property.

Crypto Ransomware

Crypto Ransomware (short for encryption ransomware) encrypts or encodes the victim’s files on their computer or business network and then demands that the victim pay money in order to regain access to them. This type of ransomware is the most popular among cyber-criminals and malware authors because of the profits this extortion method yields. An example of crypto ransomware is CryptoLocker.

Locker Ransomware

Locker Ransomware works by locking the victim out of their computer and then threatening to delete their files if they do not pay a certain amount of money. Locker ransomware is usually easy to deal with, as it doesn’t encrypt any files or modify any of the user’s data. This means that the victim can boot a rescue disk, remove the ransomware and regain access to their machine.

Crypto Ransomware (Technical Summary)

Creators of crypto ransomware usually combine a symmetric algorithm such as AES with an asymmetric one such as RSA: each file, or each victim, gets a fresh random AES key, and that key is then encrypted with the attacker’s RSA public key, whose private half never leaves the attacker’s infrastructure. This makes it extremely hard for security researchers to create a decryption tool, because the files can only be recovered with the attacker’s private key, unless the implementation is flawed (a weak random number generator, or a key left in memory or on disk). Any key material sent back to the criminals’ server is itself encrypted, so even if a law enforcement agency gains access to that server, there is no guarantee that it will be able to recover the decryption keys. Sometimes the ransomware also acts as a Remote Access Trojan, giving the cyber-criminals access to the victim’s computer so they can steal sensitive information and install more malware. In some cases, the malware authors use these RAT capabilities to decrypt their victims’ files after payment.
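
The key handling described above, as an added example in Go that is not the author’s code and not taken from any real ransomware family: a per-file AES-256-GCM key is wrapped with RSA-OAEP under the attacker’s public key, and the file can only be opened again by whoever holds the matching private key. The document text and the key sizes are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedFile is what stays on the victim's disk: AES-GCM output (nonce prefixed)
// plus the per-file AES key wrapped under the attacker's RSA public key.
type LockedFile struct {
	Ciphertext []byte
	WrappedKey []byte
}

// EncryptFile models the hybrid scheme: a fresh random AES-256 key encrypts the
// data, then that key is encrypted with RSA-OAEP. The plaintext key is not kept.
func EncryptFile(attackerPub *rsa.PublicKey, plaintext []byte) (LockedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return LockedFile{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return LockedFile{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return LockedFile{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return LockedFile{}, err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, key, nil)
	if err != nil {
		return LockedFile{}, err
	}
	return LockedFile{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptFile is the "decryptor" the criminals sell: it needs the RSA private
// key to unwrap the AES key. Any other private key fails the OAEP check.
func DecryptFile(attackerPriv *rsa.PrivateKey, lf LockedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(lf.Ciphertext) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, body := lf.Ciphertext[:gcm.NonceSize()], lf.Ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// Demo locks a constructed document, then reports whether the attacker's key
// recovers it (true) and whether an unrelated key fails to (true).
func Demo() (recovered, wrongKeyFails bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	doc := []byte("constructed sample document: quarterly figures") // constructed input
	lf, err := EncryptFile(&attacker.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	got, err := DecryptFile(attacker, lf)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := DecryptFile(stranger, lf)
	return string(got) == string(doc), wrongErr != nil, nil
}

func main() {
	recovered, wrongKeyFails, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("attacker key recovers file: %v; unrelated key fails: %v\n", recovered, wrongKeyFails)
}
```

The point for anyone hoping to write a free decryptor: everything left on disk (ciphertext plus wrapped key) is useless without the private key, so decryptors for families built this way only exist when the authors made a mistake, such as a predictable or hard-coded key, a key that stays in memory long enough to be dumped, or a private key that was later leaked or seized.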

Locker Ransomware (Technical Summary)

Locker Ransomware usually works by modifying the computer’s start-up routine (the Master Boot Record) so that the ransomware launches before the operating system does. It then blocks the normal logon screen and displays the ransom message instead. Locker ransomware is not very popular among ransomware authors, because it can easily be removed with a rescue disk or by restoring the original MBR. Occasionally, the ransomware may instead modify certain registry keys (auto-start entries) to make sure that it launches first at start-up.

Why does ransomware work?

Most ransomware variants use several tactics to pressure the victim into paying the ransom. These are:

Authority – Some ransomware claims that the ‘FBI’ or another law enforcement agency has access to the machine.

Time – The ransomware tells the user that if they do not pay the ransom by a certain time, their files will be deleted.

Urgency – Ransomware authors know that precious files (such as pictures, videos and other documents) matter a great deal to their victims, which makes victims more likely to pay the ransom in order to get their files back.

What should I do if I am infected by ransomware?

DON’T PAY THE RANSOM – There is no guarantee that you will get your files back if you pay the ransom. Statistics show that one in five people who pay the ransom don’t get their files back. Even if paying does work, you are not only giving your money to cyber criminals but also confirming to them that the ransomware works.

REMOVE THE MALWARE FROM YOUR COMPUTER – Use a malware scanner, such as Malwarebytes Anti-Malware, to remove the malware from your system. If one scanner is not able to remove the malware, use another scanner with a good reputation. Keep a copy of the ransom note and of a few encrypted files before cleaning up, as these are what identification and decryption tools need.

USE A DECRYPTION TOOL – Not every piece of ransomware has a decryption tool available, but a lot of them do. You can use the No More Ransom project’s Crypto Sheriff tool, which identifies the family from an encrypted sample file and the ransom note, to find out what type of ransomware you have been infected by. Once the tool has identified the ransomware, you will be presented with the decryption tool, if one exists, that will decrypt your files for free. Alternatively, you can look for the decryption tools manually by visiting this page.

How can I protect myself from ransomware?

First of all, install a good anti-malware product on your device.

Next, add exploit-protection mechanisms or software that can protect you from 0-day exploits, which can affect even a fully patched system.

Optionally, use custom YARA rules that identify known ransomware families, plus a rule for generic ransomware behaviour.

CREATE BACKUPS! If all of this fails, it’s good practice to have an up-to-date backup ready in case of a ransomware attack.

Extra Stuff


A Brief Explanation of Anti-Ransomware Applications

Over the past 2 years, various companies have developed anti-ransomware technologies designed to stop the vast number of ransomware variants from doing harm on a user’s computer. These programs usually work by classifying applications based on behavioural analysis, system activity, disk activity and calls to specific functions that encrypt data.

Most ransomware variants found today use asymmetric (public-key) encryption somewhere in their scheme: the data, or the per-victim symmetric key that protects it, is encrypted with the attackers’ public key, which can safely be shipped inside the malware, and can only be decrypted with the matching private key. The private key is kept on the cyber-criminals’ server until the victim pays the ransom.

The most basic anti-ransomware solutions work by detecting calls or references to specific encryption schemes and to certain system libraries, such as .NET’s System.Security.Cryptography or the Windows CryptoAPI. The problem with this is that non-malicious applications use these same libraries all the time, for example to talk to websites over TLS or to set up VPN connections. Because of this, simply detecting references to encryption libraries creates lots of false-positive detections.

To avoid this, we can take heuristic signatures from various ransomware families and integrate them within the anti-ransomware application. The main problem with this is that signatures will not detect new ransomware families, which leaves the tool blind to exactly the samples that matter most.

What we need is something that determines whether an application is malicious based on its behaviour, heuristic detections, generic encryption detection and other factors, and that can identify both known and unknown ransomware variants on an infected computer. It should also be able to detect signs of infection in web traffic, such as an application sending the encryption keys used by the ransomware to a C&C server.

But wait! That’s just the detection 😛 Anti-ransomware products should also be able to isolate any application detected as ransomware and prevent it from mass-encrypting the system or killing anti-malware products. The product should also be able to reverse the malicious actions the ransomware has already executed. They can do this by using shadow copies of files, keeping an external backup of system settings, or simply lowering the access rights of the application so that it can’t touch system settings. Note that many ransomware families delete the Volume Shadow Copies (for example via vssadmin) early in their run, so shadow copies only help if the product protects them from deletion.
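
The behavioural approach described above, as an added example in Go that is not the author’s code and not any vendor’s product: a per-process scorer run over a constructed file-activity log that flags a process only when it both writes high-entropy data to several files and renames many files onto the same new extension, while an archiver writing one high-entropy file and an editor renaming one file stay clean. The thresholds, paths and PIDs are assumptions made for the example, and the “ciphertext” is seeded pseudo-random data standing in for real encrypted output.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"path"
	"strings"
)

// FileEvent is one record of a constructed file-activity log, the kind of feed
// a filesystem minifilter or EDR sensor produces.
type FileEvent struct {
	PID     int
	Op      string // "write" or "rename"
	Path    string
	NewPath string // rename only
	Data    []byte // write only: the bytes written
}

// Entropy is Shannon entropy in bits per byte: plain text scores around 3-5,
// compressed or encrypted data close to 8.
func Entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, x := range b {
		counts[x]++
	}
	n := float64(len(b))
	var h float64
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Verdict accumulates the indicators seen for one process.
type Verdict struct {
	HighEntropyWrites int
	NewExtensions     map[string]int // new extension -> renames onto it
	Ransomware        bool
}

// Detect scores every process. Assumed thresholds for this example: at least
// three writes above 7 bits/byte AND at least three renames onto one new
// extension. Either indicator alone is common in benign software.
func Detect(events []FileEvent) map[int]*Verdict {
	out := make(map[int]*Verdict)
	for _, ev := range events {
		v := out[ev.PID]
		if v == nil {
			v = &Verdict{NewExtensions: make(map[string]int)}
			out[ev.PID] = v
		}
		switch ev.Op {
		case "write":
			if len(ev.Data) >= 256 && Entropy(ev.Data) > 7.0 {
				v.HighEntropyWrites++
			}
		case "rename":
			if ext := path.Ext(ev.NewPath); ext != path.Ext(ev.Path) {
				v.NewExtensions[ext]++
			}
		}
	}
	for _, v := range out {
		for _, n := range v.NewExtensions {
			if v.HighEntropyWrites >= 3 && n >= 3 {
				v.Ransomware = true
			}
		}
	}
	return out
}

// SampleEvents builds the constructed log: PID 4242 behaves like crypto
// ransomware, PID 1000 like an archiver, PID 1001 like a text editor.
func SampleEvents() []FileEvent {
	rng := rand.New(rand.NewSource(1)) // deterministic stand-in for ciphertext
	cipherLike := func() []byte {
		b := make([]byte, 4096)
		rng.Read(b)
		return b
	}
	textLike := []byte(strings.Repeat("meeting notes for monday\n", 40))
	var ev []FileEvent
	for i := 1; i <= 4; i++ {
		p := fmt.Sprintf("/home/user/Documents/report%d.docx", i)
		ev = append(ev,
			FileEvent{PID: 4242, Op: "write", Path: p, Data: cipherLike()},
			FileEvent{PID: 4242, Op: "rename", Path: p, NewPath: p + ".locked"})
	}
	return append(ev,
		FileEvent{PID: 1000, Op: "write", Path: "/home/user/backup.zip", Data: cipherLike()},
		FileEvent{PID: 1001, Op: "write", Path: "/home/user/notes.txt", Data: textLike},
		FileEvent{PID: 1001, Op: "rename", Path: "/home/user/notes.txt", NewPath: "/home/user/notes.md"})
}

func main() {
	for pid, v := range Detect(SampleEvents()) {
		fmt.Printf("pid %d: entropy-writes=%d renames=%v ransomware=%v\n", pid, v.HighEntropyWrites, v.NewExtensions, v.Ransomware)
	}
}
```

Requiring both indicators is the whole answer to the false-positive problem raised above: TLS stacks, archivers and browsers write high-entropy data all day, and build tools rename files in bulk, but very few legitimate programs do both to a user’s documents. A real product would bound the counts in a time window, check only the first block of each write, and add honeypot files that no legitimate program should ever touch.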


There are many anti-ransomware solutions out there that you can download. A few examples are Malwarebytes Anti-Ransomware, Kaspersky Anti-Ransomware and Emsisoft’s Behaviour Blocker. Keep in mind, it is impossible to detect 100% of all ransomware variants, but you can protect yourself from the vast majority of ransomware by using a good security product.


BACKUP BACKUP BACKUP… It is important to always have backups ready and up to date in case you ever are affected by ransomware. Backups should never be kept in the same environment as your normal systems; they should be physically separated on different drives or on magnetic tape, and disconnected except while the backup runs, because ransomware will encrypt any drive or network share it can reach.


My Summary of Cyber Security in 2016

In early 2016, security researchers across the world noticed an increase in ransomware: an estimated 200-400% rise in the number of ransomware infections. Ransomware families included TeslaCrypt, Cerber, Jigsaw and many others, propagated in many different forms: malvertising, file sharing and compromised websites.

For a lot of 2016, the US presidential election made headlines around the world, with Trump being ridiculed for his policies and beliefs. The Clinton email scandal also prompted an investigation by the FBI, which concluded that she was not guilty. However, this was disputed by activists and people in the cyber-security industry after the release of the Clinton emails from the breach of her personal email server.

In August 2016, the British Parliament authorised a bill which would allow certain organisations and ISPs to spy on and collect the data of British citizens and users of British internet connections. Soon after, the creator of the World Wide Web, Sir Tim Berners-Lee, tweeted “Dark, dark days” in reference to this bill. Some people went further, stating that they would be using the Tor anonymity network as well as VPNs in order to circumvent the collection of their internet traffic.

WikiLeaks released emails from the Italian company HackingTeam, showing that they had targeted computer security companies, aiming to find vulnerabilities in their software and then exploiting these to prevent their backdoor/spy programs from being detected. It was also revealed that they had worked with the British counterpart of the NSA, GCHQ, to gain a warrant to disassemble software belonging to the security companies. This warrant was supposedly issued by the foreign secretary of the United Kingdom sometime in early 2016. The HackingTeam emails also showed that they used ‘demo’ targets to simulate what their malware would do once a victim’s infrastructure had been infected. Their malware included Remote Access Trojans and backdoor programs running on various operating systems and infrastructures.

In late 2016, internet users across the world experienced the effects of the DDoS attack on Dyn’s services, caused by the Mirai botnet. This DDoS attack interrupted many services including Twitter, SoundCloud, Spotify and more. Security researchers found that the malware used by the botnet specifically targeted IoT devices as well as home routers. Some hysteria found its way to Twitter, with some users claiming that Russia was behind the attack; however, security experts quickly concluded that the Mirai botnet was mainly based in the United States of America.

With ransomware on the rise, security vendors have been forced to take the necessary steps to protect their customers from it. One such attempt was the creation of ‘No More Ransom’ (https://nomoreransom.org) by Intel Security, Kaspersky Lab and law enforcement agencies in many countries, aiming not only to help people who have been infected by ransomware, but also to educate them about the growing threat facing today’s computer users. Some ransomware variants even allow victims to decrypt their files by infecting other people with the ransomware.

Yahoo was hit by two massive security breaches. The first exposed the personal data of around 500,000,000 people worldwide; the second, the personal information of 1,000,000,000 users worldwide. In both instances, Yahoo claimed that it was a state-sponsored attack, which would explain why the breached data has not been released to the public yet. However, some security researchers, such as Troy Hunt, suggested that the phrase ‘state-sponsored’ was simply used to make the breach seem less important to victims, resulting in the victims dismissing it as a minor incident.

2016 also saw a large number of phishing attacks utilising services such as Gmail and Hotmail to trick users into clicking on fake attachments. These fake attachments would open a raw HTML page in the browser, disguised to look like the Google login page. These fake login pages contained keylogger scripts (usually in JavaScript) that sent the victim’s keystrokes to the threat actor behind the phishing attack. If the keylogger failed, the username and password were sent to the attacker when the user clicked the submit / login button. The user wouldn’t notice anything, as once they had “logged in”, they were redirected to the real email website.

With 2016 coming to an end, I want to wish everyone a happy holiday! In terms of Information Security, 2016 has been a crazy year. I used various services / information sources to research this year’s events before writing this blog post. They can be found below:

My Viewpoint on Cyber-Security in Education

This blog post describes my experiences. It may differ for you.

When someone hears the phrase “Cyber-Security”, they automatically think of either a hacker or some nerd in an underground lab. The problem is not the cyber-security community itself, it’s education. In many schools across the UK, information security in primary schools, secondary schools and sometimes even universities is taught in an insufficient manner. By this, I mean that tutors do not go into enough detail about cyber-security and they don’t put enough emphasis on how important it is.

When I was 10 years old, the only thing I was told was:

  1. Don’t tell anyone your passwords
  2. Make your password something that no one will guess

The problem with this is that we don’t get told why we should do it. It is natural human behaviour to dismiss something if there is no satisfying reason for doing it. Tutors in primary and secondary schools don’t emphasise information security enough to students.

This may not seem like a problem in the short term, but once someone uses a bad practice once, they will know nothing better than using the same terrible practices over and over again, until they allow their accounts to get compromised in a security breach without realising that it’s their own fault.

Online Safety is also insufficiently taught

Online safety is taught in secondary schools in a student’s first year. However, once again I have seen the same fundamental problem: it’s not being emphasised enough to students how important online safety and information security are. I still see students using passwords such as “toffee123” or “chelsea13”.

Then there is the problem of online bullying and harassment between students. So far, in 2016, I have seen 3 social media attacks on students in my year from groups of “friends”. These bullying groups usually contain 5-15 people and usually attack a minority group or a single person.

It’s not just students with poor security

This section is just an anecdote. Feel free to skip it.

In late 2015, a group of students in my year teamed up and started trying to obtain the credentials of various staff members. I first encountered this group a few weeks before they were discovered, when I saw two of their members trying to shoulder-surf a staff member typing their username and password into a printer. At the time, I didn’t think anything of it, as I only saw 2 people, and this kind of thing had happened many times before. A week later, there were many rumours of this group gaining access to some staff members’ accounts on various websites. I didn’t know if it was true or not, as no one I asked could confirm it, but one thing did become clear: I was reasonably certain about who was involved in it.

Once again, I couldn’t verify anything, but this time I knew much more about what they were doing and who they were targeting. A few days later, the group was uncovered by the technicians in my school. One student (the leader) was expelled, 7 students were given detentions every day for a week and the rest were spoken to by the behaviour manager. In total, 3 staff members were affected, with their usernames and passwords for various websites, including banking services and email, and other personal information being leaked. The personal information of many innocent students was also leaked; as a result, a staff meeting was held in order to ensure that it won’t happen again.

So far I have seen no more incidents involving this group and the group seems to have been dissolved. The targeted attack described above was actually the second incident that I had seen from that group.


People don’t see their stupid security practices until they have actually been affected by a security incident or breach. We should do more in schools to teach people about the importance of cyber-security and also help people gain awareness of online safety, instead of leaving this as a last resort.