Tuesday, June 24, 2025

Piktochart - Phishing with Infographics (Guest diary on Sans Internet Storm center - isc.sans.edu)

Noticed today I'd forgotten to re-post this guest diary I shared to the Storm Center. Link to original post. My most recent work hasn't fit well with open source sharing, so I've been a bit quieter online lately, but as always feel free to reach out, and I'm always happy to learn something new or hear what you are working on or passionate about.

Thanks as always, Johannes, for sharing the research with the community!


In line with our recent diaries featuring unique attack vectors for credential theft, such as phishing over LinkedIn Mail[1] and pretending to be an Outlook version update[2], we've recently learned of a phishing campaign targeting users of the infographic service Piktochart.

During the COVID-19 pandemic, nearly every kind of company has moved to use more online collaboration tools.  This means that many small businesses, universities, primary and secondary schools, and others that may not be well-trained in online safety will be especially vulnerable to this type of attack, especially if they are using a relatively new tool, like Piktochart.

I had not used Piktochart before, but this week, security researcher @pageinsec[3] shared with me an infographic that asks the user to click on a link, in order to read a shared pdf document [4].

Piktochart has about 2,000 registered users and about 24 million Piktocharts created, and is used by companies such as Forbes, TechCrunch, and others, according to their website.  With a legitimate business purpose that is endorsed by some large companies, it is likely this is an effective way for the attackers to evade DNS filtering or other simple defenses against credential-stealing attacks.

Piktochart has a feature that makes it even better for phishing:  their registered "Pro users" can download an actual .pdf file, with the malicious link intact, or render the file into several different sizes of .png images, as indicated in the IOCs near the bottom of this page, which might be useful to hunt for similar activity.

An unsuspecting victim would receive an e-mail or social media post including the malicious Piktochart, from someone they knew, whose account had already been compromised.  If they click the link, a second-stage credential stealer follows, which is a pretty decent-looking (but fake) Microsoft login page hosted at the domain obggladdenlightfoundation(.)org.  This base domain currently has "0 out of 87" vendors reporting it as malicious on VirusTotal, and is made out to be a non-profit in Lagos, Nigeria.  This specific example had a different site registration than most of the other, identical sites I've researched, so it is possible this site was the result of a takeover of a legitimate business' WordPress website, or a redirection of the site's DNS.

Despite the technical simplicity, this is a dangerous campaign since it is after Microsoft O365 credentials, and evidence points to the same IP being used for a large variety of credential theft sites.

There are quite a few domains on the same IP[5], for example:
pwan-heritage(.)com/pol/OfficeV4/*
secure-official-spotify.pwanplus(.)com
www.dhl-delivery-failure-resolve.naijamail.com  - This one includes a nice-looking DHL form [6]

Indicators of compromise - IOCs

URLs/Domains:
create.piktochart.com/output/52653368-my-visual
piktochart.com (if not needed for business)

2nd stage/stealer:
obggladdenlightfoundation.org/dfsmith/ofc3
obggladdenlightfoundation.org/dfsmith/ofc3/
obggladdenlightfoundation.org/dfsmith/ofc3/r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=39bea2eedcf78c893b4d0898d91bba501390ced533b8de1d796bcc5973da76e5b1cf6668
obggladdenlightfoundation.org/dfsmith/ofc3/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=39bea2eedcf78c893b4d0898d91bba501390ced533b8de1d796bcc5973da76e5b1cf666

IP:
173.231.197.145 [7]
Hostname: ded5495.inmotionhosting.com
Domain registrar: 007NAMES INC.
* Used in most of the domains

Microsoft cred stealer image - hashes (SHA-2):
7, 10, and 3kb versions of the same image
a90370dc587b73cd2dbe33504794e83c83dc9f365cd9cd94511593046db5ae09
bc2afe6e49541902541497a6823e1aa0f8e8683e203d4da6bc75590bddebeb702bed6013d59910f6714448cafeda98708886d48978b6b991627526964379efc0

DOM (cred-stealer page):
<form id="1MDAwMDMxMjAyMS0wMy0wMjE2MTQ2NTgwMDQ4NTgxMTAx"> <input type="hidden" value="[removed]"><input type="hidden" value="[removed]"> </form>

POST request form:
<form id="f2" method="post" action="#" style="margin-bottom: 0px;"> <input required="" type="email" placeholder="Email, phone, or Skype" name="e"
    style="outline:none; background-color:transparent;border:0px solid;height:30px;width:300px;font-weight:lighter;font-size:15px;margin-left:5px;padding-bottom:0px;padding-top:0px;"> <img
    src="data:image/png;base64"...

Cookies:
obggladdenlightfoundation.org/                  expires 1969-12-31 23:59:59    Name: PHPSESSID
obggladdenlightfoundation.org/dfsmith/ofc3/s    expires 1969-12-31 23:59:59    Name: ip11
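Here is an added hunting example, written for this re-post and not part of the original ISC diary, that turns the IOCs above into a small Python script: it refangs defanged indicators, matches proxy-log URLs against the stealer domains, the /dfsmith/ofc3 path, the Piktochart share-link pattern and the hosting IP, and hashes downloaded images against the listed SHA-256 and SHA-512 values (the two hashes are 64 and 128 hex characters long, so both SHA-2 variants are computed). The five-column log format and the sample log lines are constructed for illustration, and the non-IOC addresses in them are RFC 5737 documentation ranges. One detail worth knowing when writing the query check: the signin value in the stealer URLs, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of the empty string.

```python
"""Hunt constructed proxy-log lines and downloaded files for the Piktochart
phishing IOCs from the diary above. Added example; not the diary's own code."""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the diary (subdomains of these hosts also match).
IOC_HOSTS = {"obggladdenlightfoundation.org", "pwan-heritage.com",
             "pwanplus.com", "naijamail.com"}
IOC_IPS = {"173.231.197.145"}
IOC_PATH_RE = re.compile(r"/dfsmith/ofc3(/|$)")
PIKTOCHART_OUTPUT_RE = re.compile(r"create\.piktochart\.com/output/([0-9]+-[a-z0-9-]+)")
IOC_HASHES = {
    "a90370dc587b73cd2dbe33504794e83c83dc9f365cd9cd94511593046db5ae09",
    "bc2afe6e49541902541497a6823e1aa0f8e8683e203d4da6bc75590bddebeb702bed6013"
    "d59910f6714448cafeda98708886d48978b6b991627526964379efc0",
}
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # the signin= value seen in the IOC URLs


def refang(s: str) -> str:
    """Turn defanged indicators such as example(.)org or hxxp:// back into real ones."""
    return s.replace("(.)", ".").replace("[.]", ".").replace("hxxp", "http")


def host_matches(host: str) -> bool:
    """True if host is an IOC host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)


def classify_url(url: str) -> list:
    """Return the reasons a URL is suspicious; an empty list means no match."""
    url = refang(url)
    parts = urlsplit(url if "://" in url else "http://" + url)
    reasons = []
    if host_matches(parts.hostname or ""):
        reasons.append("ioc-host")
    if IOC_PATH_RE.search(parts.path):
        reasons.append("stealer-path")
    m = PIKTOCHART_OUTPUT_RE.search(parts.netloc + parts.path)
    if m:
        reasons.append("piktochart-output:" + m.group(1))
    qs = parse_qs(parts.query)
    if qs.get("signin", [""])[0] == EMPTY_MD5 and "auth" in qs:
        reasons.append("stealer-query")
    return reasons


def scan_log(text: str) -> list:
    """Scan 'timestamp src_ip dst_ip method url' lines; return (line_no, reasons) hits."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            _ts, _src, dst_ip, _method, url = line.split(maxsplit=4)
        except ValueError:
            continue  # malformed or blank line
        reasons = classify_url(url)
        if dst_ip in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons:
            hits.append((n, reasons))
    return hits


def hash_kind(h: str) -> str:
    """Classify a hex digest by length so mixed SHA-2 IOC lists can be matched."""
    return {64: "sha256", 128: "sha512"}.get(len(h), "unknown")


def match_file_hashes(data: bytes) -> set:
    """Hash a downloaded image with both SHA-2 sizes and return matching IOC hashes."""
    digests = {hashlib.sha256(data).hexdigest(), hashlib.sha512(data).hexdigest()}
    return digests & IOC_HASHES


# Constructed sample log: a victim opens the Piktochart, then the stealer.
SAMPLE_LOG = """\
2021-03-02T16:14:01Z 10.0.0.5 203.0.113.10 GET https://create.piktochart.com/output/52653368-my-visual
2021-03-02T16:14:07Z 10.0.0.5 173.231.197.145 GET http://obggladdenlightfoundation.org/dfsmith/ofc3/
2021-03-02T16:14:40Z 10.0.0.5 173.231.197.145 POST http://obggladdenlightfoundation.org/dfsmith/ofc3/r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=CONSTRUCTED
2021-03-02T16:15:02Z 10.0.0.6 198.51.100.20 GET https://www.example.com/
2021-03-02T16:15:10Z 10.0.0.7 173.231.197.145 GET http://www.dhl-delivery-failure-resolve.naijamail.com/
"""

if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(reasons)}")
    print("hash kinds in IOC list:", sorted(hash_kind(h) for h in IOC_HASHES))
```

Subdomain matching is deliberate: the diary's examples sit on hosts like secure-official-spotify.pwanplus(.)com, so matching only the exact registered domain would miss them. Matching on the destination IP catches the other phishing kits sharing the same server even when their domain names are not yet on a list.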


 JB Bowers
@cherokeejb_

References:
[1] - https://isc.sans.edu/forums/diary/The+new+LinkedInSecureMessage/27110
[2] - https://isc.sans.edu/forums/diary/Pretending+to+be+an+Outlook+Version+Update/27144/
[3] - https://apageinsec.wordpress.com/
[4] - https://create.piktochart.com/output/52653368-my-visual
[5] - https://urlscan.io/result/e02ea839-9671-4d31-a039-effd54877c0b/related/
[6] - https://urlscan.io/screenshots/205111b7-b981-48e9-9359-df55f278163b.png
[7] - https://isc.sans.edu/ipinfo.html?ip=173.231.197.145

Friday, March 5, 2021

The new "LinkedInSecureMessage"​ ?


Image of stage 1 malware, from a PDF in a LinkedIn mail phishing message


With all the talk of secure messenger applications lately, I bet you’d like to have just one more, right? In the past few weeks, we’ve noticed a new variant on a typical cred-stealer, in this case offering itself up as a new, secure messaging format used right here on the career website LinkedIn.

There’s only one problem with this… there is no such thing as a “LinkedIn Private Shared Document”.

Not Quite Secure

Victims will receive an ordinary message, likely from someone they are already connected with. These are not from the more recent, unsolicited "InMail" feature, but a regular, internal "Message" on LinkedIn. There is nothing interesting about the message, although it contains a 3rd-party link, claiming to be a "LinkedInSecureMessage", which serves up the nice-looking pdf file shown above.

If you click “VIEW DOCUMENT,” it opens up a convincing LinkedIn login page. ...


...this diary was published on the Internet Storm Center website, read the complete article at:

https://isc.sans.edu/forums/diary/The+new+LinkedInSecureMessage/27110/


Wednesday, October 7, 2020

Thank you's and inspirations for "Comparing open source adversary emulation platforms for red teams" (Re-post including new content)



I'll be mostly focusing the next several months on MacOS malware and any new or innovative threats and defenses that come up. I'll also revisit an awesome friend and discuss how the threat-landscape prioritization has evolved over the past 18 months, so I'd better share this re-post now.



Since last spring, when I set out to compare "red team" emulation platforms and explore this notion of cyber "emulation" in general, I felt like there were not enough thanks given, as well as "shout-outs" to a small selection of the folks whose work has inspired me to continue learning every week.

Also, since I worked on this topic, the community at large has embraced "emulation" even further, including lots of great new documentation on the Atomic Red Team project sites; see for example the wiki page at the Invoke-Atomic repository. There is a series of short instructional videos on this YouTube channel, and an in-depth 2-hour webcast with 11 hands-on labs here. On that page, Invoke-AtomicRedTeam installation and use instructions can be found in the index to the right (in the sidebar).

Monday, January 13, 2020

Featured on the Brakeing Down Security Podcast

I just revisited a show we did recapping the year in InfoSec, looking forward to 2020, and which focused largely around building community and gaining insight from other industries. Instead of a special guest, Bryan, Amanda, and Brian invited the leaders of their online community, including myself, to come join the show this time around. If you haven't heard this already it is worth checking out if the topic sounds interesting to you. If you're not a regular BrakeSec listener, but follow me, you may remember a show from over 2 years ago which I recorded for BrakeSec at Sans Berlin.


Below are the complete "show notes" from the Brakeing Down Security Podcast's [sic] website, which you can find here with all complete contact information, and as well here is the show link on iTunes:


https://brakeingsecurity.com/2019-046-end-of-the-year-end-of-the-decade-predictions-and-how-weve-all-changed


---


End of year, end of decade
Good, Bad, Ugly
The Future
Other topics
Recent news
News Stories from 2010 (see if they still make sense, or outdated)



Are things better than 10 years ago? 5 years ago?

If there was one thing to change things for the better, what would that be?

Did naming vulns make things better?

Which industries are doing a good job of securing themselves? Finance?

What do you wish never happened (security/compliance wise)?

Ransomware infections with no bounties

Still have people believing "Nessus" is a pentest

https://nrf.com/

https://www.retailitinsights.com/eventscalendar/eventdetail/1c77d5c6-8625-4f2b-bb98-89cca6590c49

https://monitorama.com/

https://www.apics.org/credentials-education/events

PREDICTIONS!!!

Bryan: The rise of the vetting programs (Companies will want to vet content creators in their eco-systems)

Cybuck: An uptick in surveillance tech; both disguised as cool home smart gadgets and straight up public safety. Triggering a US GDPR type response.

Injection remains as the undisputed heavyweight champion of app sec vulnerability (OWASP top 10). And wishful thinking... broken authentication moves lower, denial of service goes down. https://twitter.com/WeldPond/status/1207383327491137536/photo/1

JB: a major change in social media/generational shift in how we use it, legal or focus on new types of mobile tech for example... Human networking in real-life in the age of 'social'... "When you hire someone... you also hire their rolodex" --- what do you think about this statement? ...its role in InfoSec? Talent?

JB - shouted out https://github.com/redcanaryco/atomic-red-team (Invoke-Atomic framework with PowerShell now on Linux, OSX, and Windows)

JB - Link to hunting/stopping-human-trafficking org I mentioned:

Shoutout

Sherrie Caltagirone, Executive Director, Global Emancipation Network @GblEmancipation

https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1569941622.pdf

Mentioned https://monitorama.com/ https://github.com/viq/air-monitoring-scripts (viq from BrakeSec)

Talk about where you were 10 years ago, and what you did to get where you are?

Best Hacking tool?

Best Enterprise Tool?

https://www.zdnet.com/article/more-than-38000-people-will-stand-in-line-this-week-to-get-a-new-password/

https://www.phoronix.com/scan.php?page=news_item&px=CERN-MALT-Microsoft-Alternative

https://www.iotworldtoday.com/2019/12/21/2020-predictions-apis-become-a-focus-of-iot-security/

https://www.jonesday.com/en/insights/2018/10/california-to-regulate-security-of-iot-devices


https://www.infosecurity-magazine.com/magazine-features/what-makes-a-ciso-employable/

https://www.csoonline.com/article/2231454/verizon-s-2010-dbir--rise-in-misuse--malware-and-social-engineering.html

https://www.owasp.org/index.php/OWASPTop10-2010-PressRelease
