Aura Over Rafah

Transcript

1. None

2. $>whoami Co-founder & CEO Book writer Black Belt Ex-SpecialOps (IDF)

   BSc Alumni & Lecturer Malware Analyst & Incident Responder Father of 3 CONFidence | Poland | Sept, 2021

3. WHOIS 10 employees worldwide /Blog Israel Cyber Alliance Responsible Disclosure

   /News Established 2019 Security as a Service CONFidence | Poland | Sept, 2021

4. CONFidence | Poland | Sept, 2021

5. Your package is awaiting delivery, we must confirm payment in

   order to process your request The bit.ly shortlink embedded to the message redirects the victim to a phishing website which is highly similar to the original one: hxxps://bit[.]ly/3gipLJX→ postisrael[.]co[.]il (original is israelpost.co.il). CONFidence | Poland | Sept, 2021

6. Meet Sigal Nadir from Tel Aviv Notice the phone #

   CONFidence | Poland | Sept, 2021

7. Meet Sigal Nadir from Tel Aviv ?! Notice the phone

   # CONFidence | Poland | Sept, 2021

8. Meet Yasmine Alaa from Palestine Notice the phone # CONFidence

   | Poland | Sept, 2021

9. Who is Yasmine Alaa from Palestine CONFidence | Poland |

   Sept, 2021

10. Yasmine Kamel & Alaa Mohmmed from Palestine Daughter: Janat Tayyem

    It’s who THEY, not who IS CONFidence | Poland | Sept, 2021

11. Who is Yasmine Alaa from Palestine Full Name: Yesmena Kamel

    (Em Janat) Status: Married + 2 kids Relatives: Tayyem Family Husband: Alaa Mohmmed Location: Rafah, Gaza (husband in UK) CONFidence | Poland | Sept, 2021

12. Meet cms2be AT gmail.com Notice the email CONFidence | Poland

    | Sept, 2021

13. Meet cms2be AT gmail.com Belongs to: Alas Tayyam Last Location

    (Aug 21,2021): El-Gharbiya, Israel CONFidence | Poland | Sept, 2021

14. Evidences Thus Far Website: postisrael[.]com FAKE WHOIS: - Name: Sigal

    Nadir FAKE - Email: cms2be[@]gmail.com -> Alas Tayyam - Phone: +97259.7104.616 -> Yasmine Alaa Facebook: - Name: Yesmena Kamel (Em Janat) - Husband: Mohmmed Alaa - Relatives: Tayyem family CONFidence | Poland | Sept, 2021

15. Evidences Thus Far Website: postisrael[.]co.il FAKE WHOIS: - Name: Sigal

    Nadir FAKE - Email: cms2be[@]gmail.com -> Alas Tayyam - Phone: +97259.7104.616 -> Yasmine Alaa Facebook: - Name: Yasmena Kamel (Em Janat) - Husband: Mohmmed Alaa - Relatives: Tayyem family CONFidence | Poland | Sept, 2021

16. Meet postisrael[.]co[.]il Notice the URL CONFidence | Poland | Sept,

    2021

17. Meet postisrael[.]co[.]il CONFidence | Poland | Sept, 2021

18. Who else is registered on cms2b AT gmail.com? CONFidence |

    Poland | Sept, 2021

19. Meet israelsecurityupdate[.]co[.]il CONFidence | Poland | Sept, 2021

20. Meet israelsecurityupdate[.]co[.]il ?! CONFidence | Poland | Sept, 2021

21. Meet postisrael[.]co[.]il Front-end (: CONFidence | Poland | Sept, 2021

22. Someone forgot to remove data from test CONFidence | Poland

    | Sept, 2021

23. Someone forgot to remove his phone # ?! CONFidence |

    Poland | Sept, 2021

24. Someone forgot to remove his phone # ?! Caller CONFidence

    | Poland | Sept, 2021

25. Someone forgot to remove his phone # ?! Caller CONFidence

    | Poland | Sept, 2021

26. That’s fun. What else can we find ? CONFidence |

    Poland | Sept, 2021

27. Wait, what is this Base64 string?! CONFidence | Poland |

    Sept, 2021

28. Hmm… Looks like it’s in the original as well CONFidence

    | Poland | Sept, 2021

29. It has something to do with PerfDrive[.]com d.createElement(e); a.async =

    true; a.src = u; b = d.getElementsByTagName(e)[0]; b.parentNode.insertBefore(a, b); })(window,document,"script","https://cdn.perfdrive.com/aperture/apertur e.js","bhkl","ssConf"); ssConf("c1" , "https://israelpost.co.il"); CONFidence | Poland | Sept, 2021

30. Perfdrive is ShieldSquare, acquired by Radware d.createElement(e); a.async = true;

    a.src = u; b = d.getElementsByTagName(e)[0]; b.parentNode.insertBefore(a, b); })(window,document,"script","https://cdn.perfdrive.com/aperture/apertur e.js","bhkl","ssConf"); ssConf("c1" , "https://israelpost.co.il"); CONFidence | Poland | Sept, 2021

31. So, it’s an anti-scraping script. The Base64 string fingerprints visitors!

    Let’s test our VM address… SUCCESS! CONFidence | Poland | Sept, 2021

32. That means that if we have front-end code of the

    attacker – containing data he left behind… What we have here is… THE IP OF THE ATTACKER’S MACHINE! CONFidence | Poland | Sept, 2021

33. It resolves to Ramallah-Palestine CONFidence | Poland | Sept, 2021

34. Phone number also resolves to Nizar H.(Zaytona) CONFidence | Poland

    | Sept, 2021

35. Nizar’s social media doesn’t seem related to Alaa & Yasmine

    CONFidence | Poland | Sept, 2021

36. Nizar’s social media doesn’t seem related to Alaa & Yasmine

    CONFidence | Poland | Sept, 2021

37. Evidences Thus Far Website: postisrael[.]co.il FAKE Website: israelsecurityupdate[.]co.il FAKE Source

    code: - Arabic language in filenames - Another phone: +97256.720.0653 -> Alaa Tim - IP Address: 46.60.67.250 (from Palestine) WHOIS: - Name: Sigal Nadir FAKE - Email: cms2be[@]gmail.com -> Alas Tayyam - Phone: +97259.7104.616 -> Yasmine Alaa Facebook: - Name: Yasmena Kamel (Em Janat) - Husband: Mohmmed Alaa - Relatives: Tayyem family CONFidence | Poland | Sept, 2021

38. Your package is awaiting delivery, we must confirm payment in

    order to process your request The bit.ly shortlink embedded to the message redirects the victim to a phishing website which is highly similar to the original one: hxxps://bit[.]ly/3gipLJX→ postisrael[.]co[.]il (original is israelpost.co.il). CONFidence | Poland | Sept, 2021

39. CONFidence | Poland | Sept, 2021 THANK YOU!