piks3l 🏳️‍🌈🏴‍☠️ @piks3l@pouet.it

#FYI Dear entities of Pouet.it, inscriptions are currently disabled for an undefined time. They are invitation only, any user can accept invitations, so if you are already here, you can accept requests. We had a number of bots massively registrating two times already and we don't want to manage that. As we are on holidays, we are not taking care of this, we'll think of a solution after. Any input welcome. Your admins, @piks3l and @gllmhyt

Turned down the video, the sound was crap but I made a meme

#DFIR

Currently doing that IR exercise and it is such a load of fun https://dfirmadness.com/the-stolen-szechuan-sauce/

omg, there are so much knowledge to mix up there #infosec #dfir

first rocket launched in factorio <3 (after 31h, idc)

big computer god, give me strength to go through the whole week of DNS requests and have to ponder whether those are malicious or not

it's funny how some people just seem to be competent because of how aggressive they communicate

on another note, I'm almost at the rocket stage on factorio and this is pretty cool

now I can expand and mega base the hell of that world ;D

(i play in peaceful mode, because violence is not the answer)

then from there, it's field work.

Remember the difference between science and doing random shit is writing things down

detection.

But phishing and scams rarely got for long, if the page on urlscan is weird enough, you can consider it to be malicious

never

ever

click on links

or visit malicious website

without proper protection

(sandbox + VPN)

Did you get a spam a you're wondering how to check if it's legit?

* hover on any link and check the link address. DO NOT CLICK ON IT
* if the stuff look weird, right click to "save link address"
* do a first run in a search engine by setting quote paste your link quote. This will search your link as a text and search engines such as google will not try to go to it
* is it a website? check the website on https://urlscan.io/
* check on https://www.virustotal.com/gui/ to see if there have been...

this looks normal

i don't have the faith to spend another week classifying DGAs -_- please send me your spam, I'd better run regexes and build ClamAV rules

cc @fatuus @fredurb1 @Grandasse_ premières trouvailles dans les spams

If you're interested in analysing phishing kits, there is this github repo: https://github.com/danlopgom/phishing_kits

let me know, it's always funnier with people :))

wallet code here: https://www.blockchain.com/btc/address/bc1qq6u8zam54yzgc70nkm24d59vmgzjq579huy4dt you see there was actual payments :O and then the money it sent through other wallets.

* A lot of ads and weird stuff. Bare in mind when sending them to me that if they are older than 3 weeks it's possible they have been taken down and the lead would be cold.

Anyway, that was a lot of fun! I'll be happy to keep looking.

Stay aware and safe, check the links you click on!

#antispam #threathunt

look here: https://urlscan.io/responses/d43e9f0aa853156fd0b00d0e4786c863fc3db474ceb259cd6cf70ddc8f2566dc/ You can see a malicious JS that will skim some of your data. At that moment I didn't find actual malware, it was more close to a data stealer from user input. Here what was interesting was the amount of redirects that the website was operating. Next time I find something like that, I will try to map the route.

Interestingly, the pages were down 2 days after the scan.

* There was a usual: "i caught you masturbating, send me bitcoins" If you look for the (...)

So last week I asked you to send me some spams you received for analysis. Thank you a lot for your participation! <3 A lot of you send me really cool stuff.

In terms of findings, it was quite thin though, here a a couple of findings:

* A big Amazon spam, was sent to me. You can see the urlscan result here: https://urlscan.io/result/19eb86cd-539c-428f-a9c0-512315bda71f/#summary in terms of modus operandi, it was quite simple, you get a form and fill it up and the page will ask you for more information. If you (...)