Defang all the things!, (Tue, Aug 22nd)

Today, I would like to promote a best practice via a small Python module that is very helpful when you're dealing with suspicious or malicious URLs. Links in documents are potentially dangerous because users can always click on them by mistake. Many automated tools and scripts process documents to fetch links. Even if the original document does not provide dynamic links, many applications will detect them and turn them into real, clickable links. Clicking on a link could not only affect the security of the user/computer but could also leak data or pollute statistics. A good example is the kill switch domain of WannaCry, which was linked in many articles by journalists a few weeks ago.

Posted on: 22 August 2017 | 1:29 am

It's Not An Invoice ..., (Sun, Aug 20th)

Jeff received an invoice via email, did not trust it and submitted it to us.

Posted on: 20 August 2017 | 7:50 am

tshark 2.4 New Feature - Command Line Export Objects, (Fri, Aug 18th)

There is nothing new about Wireshark releasing an update; however, the new 2.4 branch has a quite useful new feature that I have been waiting to be able to use for a while. In case you missed it, tshark now has the ability to Export Objects. I have tested the export using large pcap files with multiple objects and tshark does a good job "dumping" all the files in the specified directory (i.e. destdir).

Posted on: 19 August 2017 | 2:20 pm

EngineBox Malware Supports 10+ Brazilian Banks, (Fri, Aug 18th)

1. Introduction

Posted on: 18 August 2017 | 10:43 am

Maldoc with auto-updated link, (Thu, Aug 17th)

Yesterday, while hunting, I found another malicious document that (ab)used a Microsoft Word feature: auto-update of links. This feature is enabled by default for any newly created document (that was the case for my Word 2016 version). If you add links to external resources like URLs, Word will automatically update them without any warning or prompt.

Posted on: 17 August 2017 | 1:45 am

Analysis of a Paypal phishing kit, (Wed, Aug 16th)

There are plenty of phishing kits in the wild that try to lure victims into providing their credentials. Services like Paypal are nice targets and we can find new fake pages almost daily. Sometimes, the web server isn't properly configured and the source code is publicly available. A few days ago, I was lucky to find a ZIP archive containing a very nice phishing kit targeting Paypal. I took some time to have a look at it.

Posted on: 16 August 2017 | 1:48 am