Category Archives: social networks

Prosecutor Robert Mueller indicted 13 Russians for a massive operation aimed to influence Presidential election

The special prosecutor Robert Mueller has accused thirteen Russian nationals of tampering with the 2016 presidential election and charged them with conspiring against the United States.

Thirteen Russian nationals and three Russian entities have been indicted for a massive operation aimed to influence the 2016 Presidential election.

The special prosecutor Robert Mueller has accused the defendants of tampering with the 2016 US presidential election and charged them with conspiring against the United States.

According to the results of the investigation conducted by the prosecutor, the Internet Research Agency, a Russian organization, and the 13 Russians began targeting the United States back in 2014.

Russian nationals used stolen American identities and local computer infrastructure to influence the 2016 Presidential election, the group deliberately denigrate the candidate Clinton to support Trump.

“Certain Defendants traveled to the United States under false pretenses for the purpose of
collecting intelligence to inform Defendants’ operations. Defendants also procured and used
computer infrastructure, based partly in the United States, to hide the Russian origin of their
activities and to avoid detection by U.S. regulators and law enforcement.” reads the Mueller’s indictment.

“Defendant ORGANIZATION had a strategic goal to sow discord in the U.S. political
system, including the 2016 U.S. presidential election. Defendants posted derogatory information
about a number of candidates, and by early to mid-2016, Defendants’ operations included
supporting the presidential campaign of then-candidate Donald J. Trump (“Trump Campaign”) and
disparaging Hillary Clinton.”

The indictment states the Russian organization since April 2014 created a specific section focused on the US population that acted to influence the sentiment of citizens on the candidates through social media platforms, including Facebook, Instagram, Twitter, and YouTube. By 2014,

The group used VPN services to connect from Russia to the US and manage their network of social media accounts.

The organization would use email addresses such as during its activities.

The Russian propaganda machine created and controlled numerous social media accounts, one of them is the Twitter account “Tennessee GOP,” which used the
handle @TEN_GOP.

“The @TEN_GOP account falsely claimed to be controlled by a U.S. state
political party. Over time, the @TEN_GOP account attracted more than 100,000 online followers.” continues the Indictment.

The group used stolen identities of US citizens to buy political advertisements on social media, they also recruited Americans to spread derogatory information.

We are facing with a powerful and efficient propaganda machine. defendants and their conspirators
constantly monitored their campaign over social media. They measured the
size of the online U.S. audiences reached by their actions and the types of engagement with the

The activity of the organization was very active in 2016, when defendants posing as American citizens and communicating with Americans began to gather intelligence to better target their campaign.

“In order to carry out their activities to interfere in US political and electoral processes without detection of their Russian affiliation, the Defendants conspired to obstruct the lawful functions of the United States government through fraud and deceit, including by making expenditures in connection with the 2016 US presidential election without proper regulatory disclosure; failing to register as foreign agents carrying out political activities within the United States; and obtaining visas through false and fraudulent statements,” the indictment reads.

Social media giants Facebook and Twitter are both accused of running ads and promoted content for the groups operated by the Organization.

Twitter has admitted the involvement of thousands of bot accounts in Russian propaganda, the company has deleted 200,000 tweets posted by army of trolls used by the Kremlin.

Pierluigi Paganini

(Security Affairs – Mueller’s indictment, 2016 Presidential election)

The post Prosecutor Robert Mueller indicted 13 Russians for a massive operation aimed to influence Presidential election appeared first on Security Affairs.

Hackers made $5,000 a night off crypto users by impersonating Elon Musk and Bill Gates

While “Nigerian princes” abound on the internet in some of the oldest known scams, there has been only one Bill Gates and one Elon Musk. Until now. Hundreds of crypto users looking to make a quick buck were scammed by criminals impersonating the two billionaires and popular cryptocurrency traders like Vitalik Buterin, discovered BleepingComputer.

How? People just don’t pay attention to minor changes such as extra or missing letters in the name. For the past two weeks at least, a dozen fake accounts such as @WarrenBuffert, @Billgavtes, @SatoshiLitev, @elonnmuusk,  @VittaliBuuteri and @officialmcafee tweeted they were giving away free cryptocurrency. If users wanted some, they had to also donate ethereum to the address in the tweet. The fake profiles had similar messages; only the amounts varied. The most profitable accounts were those impersonating John McAfee, Elon Musk and Vitalik Buterin.

The scam made about $5,000 in a single night from gullible crypto users hoping to become rich quick through a crypto giveaway. Since cryptocurrency is anonymous by nature, the money is lost and the scammers can’t be detected. Because they are violating its user agreement, Twitter will most likely block the accounts, but that doesn’t mean hackers won’t create new ones.

It’s recommended users pay close attention to whom they engage with on social media. Before sending money, double check that the address, campaign or person involved are legitimate to reduce the risk of phishing. Avoid clicking on links that seem fake or if there are any doubts about the domain’s validity, especially when purchasing wallets. Most importantly, never give away personal information, passwords or private keys, and beware of deals that are too good to be true.

How to hack Facebook accounts exploiting CSRF in Oculus app

Facebook has fixed a couple of vulnerabilities that could have been exploited by attackers to hijack accounts by abusing integration with the Oculus virtual reality headset.

In March 2014, Facebook founder Mark Zuckerberg announced the acquisition of Oculus VR and included the handsets produced by the company to its bug bounty program.

White hat hackers discovered several vulnerabilities in Oculus platform since, including the ones addressed now by Facebook.

The flaws were reported in October by the security consultant Josip Franjković who analyzed the Oculus application for Windows.

“Oculus enables users to connect their Facebook accounts for a more “social” experience. This can be done using both the native Windows Oculus application and using browsers.” wrote Franjković. “I took a deeper look at the native Windows flow, and found a CSRF vulnerability which allowed me to connect a victim’s Facebook account to attacker’s Oculus account. Once connected, the attacker could extract the victim’s access token, and use Facebook’s GraphQL queries to take over the account.”

Facebook oculus

One of the features implemented by the Oculus application is the authentication to a Facebook account, Franjkovic discovered that attackers could have exploited specially crafted GraphQL queries to connect any user’s Facebook account to their Oculus account.

GraphQL is a query language created by Facebook in 2012 for describing the capabilities and requirements of data models for client‐server applications, a GraphQL query is a string that is sent to a server to be interpreted and fulfilled, which then returns JSON back to the client.

Franjkovic discovered that a specially crafted query allowed an attacker to obtain the victim’s access token and use it to impersonate the victim by accessing his account.

In a proof of concept attack, Franjkovic shows how to use a specially crafted query to add a new mobile phone number to the targeted account and use it to reset the victim’s password.

The vulnerability was reported to Facebook on October 24, the social network giant temporary solved the issue by disabling the facebook_login_sso endpoint.

On October 30, Facebook rolled out a patch to address definitively the problem, but a few weeks later, the expert discovered a login cross-site request forgery (CSRF) flaw that could have been exploited to bypass Facebook’s patch.

The experts informed Facebook on November 18 that disabled again the facebook_login_sso endpoint to mitigate the problem. A complete patch was rolled out after a few weeks.

Facebook paid the expert for his discoveries and classified the vulnerabilities as critical.

Step by step procedure exploited by the researcher is described on its blog, below the timeline of the hack:

  • 24th of October, 2017, 03:20 – Report sent to Facebook
  • 24th of October, 2017, 10:50 – First reply from Facebook
  • 24th of October, 2017, 11:30 – Temporary fix for the bug (disabled /facebook_login_sso/ endpoint)
  • 30th of October, 2017 – Bug is now fixed.

Pierluigi Paganini

(Security Affairs –Facebook Oculus, hacking)

The post How to hack Facebook accounts exploiting CSRF in Oculus app appeared first on Security Affairs.

Still Stealing

Two years ago in October 2015 we published a blogpost about a popular malware that was being distributed from the Google Play Store. Over the next two years we detected several similar apps on Google Play, but in October and November 2017 we found 85 new malicious apps on Google Play that are stealing credentials for All of them have been detected by Kaspersky Lab products as Trojan-PSW.AndroidOS.MyVk.o. We reported 72 of them to Google and they deleted these malicious apps from Google Play Store, 13 other apps were already deleted. Furthermore, we reported these apps with technical details to One of these apps was masquerading as a game and was installed more than a million times according to Google Play Store.

One of the apps detected as Trojan-PSW.AndroidOS.MyVk.o was distributed as a game.

There were some other popular apps among them too – seven apps had 10,000-100,000 installations from Google Play and nine apps had 1,000-10,000 installation. All other apps had fewer than 1,000 installations.

App detected as Trojan-PSW.AndroidOS.MyVk.o on Google Play Store

Most of these apps were uploaded to Google Play in October 2017, but several of them were uploaded in July 2017, so they were being distributed for as long as 3 months. Moreover, the most popular app was initially uploaded to the Google Play Store on March 2017, but without any malicious code—it was just a game. Cybercriminals updated this app with a malicious version only in October 2017, having waited more than 7 months to do so!

Most of these apps looked like apps for – for listening to music or for monitoring user page visits.

App detected as Trojan-PSW.AndroidOS.MyVk.o on Google Play Store

Sure, such apps need a user to login into an account – that’s why they didn’t look suspicious. The only apps whose functionality was not VK-related were game apps. Because VK is popular mostly in CIS countries, cybercriminals checked the device language and asked for VK credentials only from users with certain languages – Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Belarusian, Kyrgyz, Romanian, Tajik, and Uzbek.

Code where a Trojan checks the device language.

These cybercriminals were publishing their malicious apps on Google Play Store for more than two years, so they had to modify their code to bypass detection. In these apps they used a modified VK SDK with tricky code–users logged on to the standard page, but the cybercriminals used malicious JS code to get the credentials from the login page and pass them back to the app.

Malicious code where a Trojan executes JS code to get VK credentials.

Then the credentials are encrypted and uploaded to the malicious website.

Code where a Trojan decrypts a malicious URL, encrypts stolen credentials and uploads them.

The interesting thing is that although most of these malicious apps had a described functionality, a few of them were slightly different—they also used malicious JS code from the OnPageFinished method, but not only for extracting credentials but for uploading them too.

Malicious code where a Trojan executes JS code to get and upload VK credentials

We think that cybercriminals use stolen credentials mostly for promoting groups in They silently add users to promote various groups and increase their popularity by doing so. We have reason to think so because there were complaints from some infected users that their accounts had been silently added to such groups.

Another reason to think so is that we were able to find several other apps on Google Play that were published by the same cybercriminals responsible for Trojan-PSW.AndroidOS.MyVk.o. They were published as unofficial clients for Telegram, a popular messaging app. All of them were detected by Kaspersky Lab products as not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a. We notified Google about these apps too and they deleted them from Google Play Store.

App infected with not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a on Google Play Store

These apps were not only masquerading as Telegram apps, they were actually built using an open source Telegram SDK and work almost like every other such app. Except one thing – they added users to promoted groups/chats. These apps receive a list with groups/chats from their server. What’s more, they can add users to groups anytime – to do so they steal a GCM token which allows cybercriminals to send commands 24/7.

We also discovered an interesting thing about the malicious website According to KSN statistics, in some cases it was used for mining cryptocurrencies by using an API from




Package name MD5
com.parmrp.rump F5F8DF1F35A942F9092BDE9F277B7120
com.weeclient.clientold 6B55AF8C4FB6968082CA2C88745043A1
com.anocat.stelth C70DCF9F0441E3230F2F338467CD9CB7
com.xclient.old 6D6B0B97FACAA2E6D4E985FA5E3332A1
com.junglebeat.musicplayer.offmus 238B6B7069815D0187C7F39E1114C38
com.yourmusicoff.yourmusickoff 1A623B3784256105333962DDCA50785F 1A7B22616C3B8223116B542D5AFD5C05
com.musicould.close 053E2CF49A5D818663D9010344AA3329
com.prostie.dvijenija 2B39B22EF2384F0AA529705AF68B1192
com.appoffline.musicplayer 6974770565C5F0FFDD52FC74F1BCA732
com.planeplane.paperplane 6CBC63CBE753B2E4CB6B9A8505775389

Twitter – Den of Iniquity or Paragon of Virtue… or Someplace in Between?

Twitter - Den of Iniquity or Paragon of Virtue or Someplace in Between

Recently there's been some coverage of Twitter's propensity for porn. Some research has shown that
one in every thousand tweets contains something pornographic. With 8662 tweets purportedly sent every second, that's quite a lot.

Now, this is not something that has escaped our notice here at Smoothwall HQ. We like to help our customers keep the web clean and tidy for their users, and mostly that means free of porn. With Twitter that's particularly difficult. Their filtering isn't easy to enforce and, while we have had some reasonable results with a combination of search term filtering and stripping certain tweets based on content, it's still not optimal. Twitter does not enforce content marking and 140 characters is right on the cusp of being impossible to content filter.

That said - how porn riddled is Twitter? Is there really sex round every corner? Is that little blue bird a pervert? Well, what we've found is: it's all relative.

Twitter is certainly among the more gutter variety of social networks, with Tumblr giving it a decent run for boobs-per-square-inch, but the likes of Facebook are much cleaner — with even images of breastfeeding mothers causing some controversy.

Interestingly, however, our back-of-a-beermat research leads us to believe that about 40 in every 1000 websites is in some way linked to porn — these numbers come from checking a quarter of a million of the most popular sites through Smoothwall's web filter and seeing what gets tagged as porn. Meanwhile, the Huffington Post reports that 30% of all Internet traffic is porn - the biggest number thus far. However, given the tendency of porn toward video, I guess we shouldn't be shocked.

Twitter: hard to filter, relatively porn-rich social network which is only doing its best to mirror the makeup of the Internet at large. As a school network admin, I would have it blocked for sure: Twitter themselves used to suggest a minimum age of 13, though this requirement quietly went away in a recent update to their terms of service.

Clandestine Fox, Part Deux

We reported at the end of April and the beginning of May on an APT threat group leveraging a zero-day vulnerability in Internet Explorer via phishing email attacks. While Microsoft quickly released a patch to help close the door on future compromises, we have now observed the threat actors behind “Operation Clandestine Fox” shifting their point of attack and using a new vector to target their victims: social networking.

An employee of a company in the energy sector recently received an email with a RAR archive email attachment from a candidate. The attachment, ostensibly containing a resume and sample software program the applicant had written, was from someone we’ll call “Emily” who had previously contacted the actual employee via a popular social network.

FireEye acquired a copy of the suspicious email – shown below in Figure 1 – and attachment from the targeted employee and investigated. The targeted employee confirmed that “Emily” had contacted him via the popular social network, and that, after three weeks of back and forth messaging “she” sent her “resume” to his personal email address.  

[caption id="attachment_5658" align="aligncenter" width="441"]clandestine2 Figure 1: Sample email illustrating how “Emily” attacks a victim employee[/caption]

Working our way backwards, we reviewed “Emily’s” social network profile and noticed a few strange aspects that raised some red flags. For example, “her” list of contacts had a number of people from the victim’s same employer, as well as employees from other energy companies; “she” also did not seem to have many other “friends” that fit “her” alleged persona. “Her” education history also contained some fake entries.

Further research and discussions with the targeted company revealed that “Emily,” posing as a prospective employee, had also contacted other personnel at the same company. She had asked a variety of probing questions, including inquiring who the IT Manager was and what versions of software they ran – all information that would be very useful for an attacker looking to craft an attack.

It’s worth emphasizing that in the instances above, the attackers used a combination of direct contact via social networks as well as contact via email, to communicate with their intended targets and send malicious attachments. In addition, in almost all cases, the attackers used the target’s personal email address, rather than his or her work address. This could be by design, with a view toward circumventing the more comprehensive email security technologies that most companies have deployed, or also due to many people having their social network accounts linked to their personal rather than work email addresses.

Details - Email Attachment #1

The resume.rar archive contained three files: a weaponized version of the open-source TTCalc application (a mathematical big number calculator), a benign text copy of the TTCalc readme file, and a benign PDF of Emily’s resume. The resume was a nearly identical copy of a sample resume available elsewhere on the Internet.  The file details are below.

Filename MD5 Hash
resume.rar resume.rar 8b42a80b2df48245e45f99c1bdc2ce51 8b42a80b2df48245e45f99c1bdc2ce51
readme.txt readme.txt 8c6dba68a014f5437c36583bbce0b7a4 8c6dba68a014f5437c36583bbce0b7a4
resume.pdf resume.pdf ee2328b76c54dc356d864c8e9d05c954 ee2328b76c54dc356d864c8e9d05c954
ttcalc.exe ttcalc.exe e6459971f63612c43321ffb4849339a2 e6459971f63612c43321ffb4849339a2

Upon execution, ttcalc.exe drops the two files listed below, and also launches a legitimate copy of TTCalc v0.8.6 as a decoy:

%USERPROFILE%/Application Data/mt.dat

%USERPROFILE%/Start Menu/Programs/Startup/vc.bat

The file mt.dat is the actual malware executable, which we detect as Backdoor.APT.CookieCutter. (Variants of this family of backdoor are also referred to as “Pirpi” in the security industry). In this case, the malware was configured to use the following remote servers for command and control:

    • swe[.]karasoyemlak[.]com
    • inform[.]bedircati[.]com (Note: This domain was also used during Operation Clandestine Fox)

Metadata for mt.dat:

Description MD5 Hash
md5 md5 1a4b710621ef2e69b1f7790ae9b7a288 1a4b710621ef2e69b1f7790ae9b7a288
.text .text 917c92e8662faf96fffb8ffe7b7c80fb 917c92e8662faf96fffb8ffe7b7c80fb
.rdata .rdata 975b458cb80395fa32c9dda759cb3f7b 975b458cb80395fa32c9dda759cb3f7b
.data .data 3ed34de8609cd274e49bbd795f21acc4 3ed34de8609cd274e49bbd795f21acc4
.rsrc .rsrc b1a55ec420dd6d24ff9e762c7b753868 b1a55ec420dd6d24ff9e762c7b753868
.reloc .reloc afd753a42036000ad476dcd81b56b754 afd753a42036000ad476dcd81b56b754
Import Hash Import Hash fad20abf8aa4eda0802504d806280dd7 fad20abf8aa4eda0802504d806280dd7
Compile date Compile date 2014-05-27 15:48:13 2014-05-27 15:48:13

Contents of vc.bat:

  @echo offcmd.exe /C start rundll32.exe "C:\Documents and Settings\admin\Application Data\mt.dat" UpdvaMt

Details - Email Attachment #2

Through additional research, we were able to obtain another RAR archive email attachment sent by the same attackers to an employee of another company. Note that while there are a lot of similarities, such as the fake resume and inclusion of TTCalc, there is one major difference, which is the delivery of a completely different malware backdoor. The attachment name this time was “my resume and projects.rar,” but this time it was protected with the password “TTcalc.”

Filename MD5 Hash
my resume and projects.rar my resume and projects.rar ab621059de2d1c92c3e7514e4b51751a ab621059de2d1c92c3e7514e4b51751a
SETUP.exe SETUP.exe 510b77a4b075f09202209f989582dbea 510b77a4b075f09202209f989582dbea
my resume.pdf my resume.pdf d1b1abfcc2d547e1ea1a4bb82294b9a3 d1b1abfcc2d547e1ea1a4bb82294b9a3

SETUP.exe is a self-extracting RAR, which opens the WinRAR window when executed, prompting the user for the location to extract the files. It writes them to a TTCalc folder and tries to launch ttcalcBAK.exe (the malware dropper), but the path is incorrect so it fails with an error message. All of the other files are benign and related to the legitimate TTCalc application.

Filename MD5 Hash
CHANGELOG CHANGELOG 4692337bf7584f6bda464b9a76d268c1 4692337bf7584f6bda464b9a76d268c1
COPYRIGHT COPYRIGHT 7cae5757f3ba9fef0a22ca0d56188439 7cae5757f3ba9fef0a22ca0d56188439
README README 1a7ba923c6aa39cc9cb289a17599fce0 1a7ba923c6aa39cc9cb289a17599fce0
ttcalc.chm ttcalc.chm f86db1905b3f4447eb5728859f9057b5 f86db1905b3f4447eb5728859f9057b5
ttcalc.exe ttcalc.exe 37c6d1d3054e554e13d40ea42458ebed 37c6d1d3054e554e13d40ea42458ebed
ttcalcBAK.exe ttcalcBAK.exe 3e7430a09a44c0d1000f76c3adc6f4fa 3e7430a09a44c0d1000f76c3adc6f4fa

The file ttcalcBAK.exe is also a self-extracting Rar which drops and launches chrome_frame_helper, which is a Backdoor.APT.Kaba (aka PlugX/Sogu) backdoor using a legitimate Chrome executable to load the malicious DLL via side-loading. Although this backdoor is used by multiple threat groups and is quite commonly seen these days, this is the first time we've observed this particular threat group using this family of malware. The malware was configured to communicate to the command and control domain www[.]walterclean[.]com ( at the time of discovery) using the binary TCP protocol only. The file details are below, followed by the malware configuration.

Filename MD5 Hash
chrome_frame_helper.dll chrome_frame_helper.dll 98eb249e4ddc4897b8be6fe838051af7 98eb249e4ddc4897b8be6fe838051af7
chrome_frame_helper.dll.hlp chrome_frame_helper.dll.hlp 1b57a7fad852b1d686c72e96f7837b44 1b57a7fad852b1d686c72e96f7837b44
chrome_frame_helper.exe chrome_frame_helper.exe ffb84b8561e49a8db60e0001f630831f ffb84b8561e49a8db60e0001f630831f


Metadata MD5 Hash
chrome_frame_helper.dll chrome_frame_helper.dll 98eb249e4ddc4897b8be6fe838051af7 98eb249e4ddc4897b8be6fe838051af7
.text .text dfb4025352a80c2d81b84b37ef00bcd0 dfb4025352a80c2d81b84b37ef00bcd0
.rdata .rdata 4457e89f4aec692d8507378694e0a3ba 4457e89f4aec692d8507378694e0a3ba
.data .data 48de562acb62b469480b8e29821f33b8 48de562acb62b469480b8e29821f33b8
.reloc .reloc 7a7eed9f2d1807f55a9308e21d81cccd 7a7eed9f2d1807f55a9308e21d81cccd
Import hash Import hash 6817b29e9832d8fd85dcbe4af176efb6 6817b29e9832d8fd85dcbe4af176efb6
Compile date Compile date 2014-03-22 11:08:34 2014-03-22 11:08:34

Backdoor.APT.Kaba Malware Configuration:

PlugX Config (0x150c bytes):

Flags: False True False False False False True True True True False

Timer 1: 60 secs

Timer 2: 60 secs

C&C Address: www[.]walterclean[.]com:443 (TCP)

Install Dir: %ALLUSERSPROFILE%\chrome_frame_helper

Service Name: chrome_frame_helper

Service Disp: chrome_frame_helper

Service Desc: Windows chrome_frame_helper Services

Online Pass: 1234

Memo: 1234

Open Source Intel

The domain walterclean[.]com shares registration details with securitywap[.]com:

The following domains are registered to QQ360LEE@126.COM

Domain: walterclean[.]com

Create Date: 2014-03-26 00:00:00

Registrar: ENOM, INC.

Domain: securitywap[.]com

Create Date: 2014-03-26 00:00:00

Registrar: ENOM, INC.


In short, we attributed these attacks to the same threat actor responsible for “Operation Clandestine Fox,” based on the following linkages:

  • The first-stage malware (mt.dat) is a slightly updated version of the Backdoor.APT.CookieCutter malware dropped during Operation Clandestine Fox
  • Based on our intel, Backdoor.APT.CookieCutter has been used exclusively by this particular threat group
  • Finally, the command and control domain inform[.]bedircati[.]com seen in this activity was also used during the Clandestine Fox campaign

Another evolutionary step for this threat group is that they have diversified their tool usage with the use of the Kaba/PlugX/Sogu malware – something we have never seen them do before.

As we have noted in other blog posts, APT threat actors take advantage of every possible vector to try to gain a foothold in the organizations they target. Social networks are increasingly used for both personal and business reasons, and are one more potential threat vector that both end-users and network defenders need to think about.

Unfortunately, it is very common for users to let their guard down when using social networks or personal email, since they don’t always treat these services with the same level of risk as their work email.  As more companies allow their employees to telecommute, or even allow them to access company networks and/or resources using their personal computers, these attacks targeting their personal email addresses pose significant risk to the enterprise.


 The author would like to acknowledge the following colleagues for their contributions to this report: Josh Dennis, Mike Oppenheim, Ned Moran, and Joshua Homan.