A (4:04)

Yeah. So I mean basically I began with the domains that I captured and you know, in the, in the blog I share details on domains and everything else and the screenshot that I shared just shows the one domain, but there was two because this pop up thing happened twice in a row from the same website, same initial website about the basil. And so domains are just barely enough to start with. But I used Census, which is C S. It's a great tool for looking up all kinds of different indicators. I have a free account with them. I'm sure they have a enterprise solution as well. But I was just using the free account. They were able to give me information about who was the registrar and when were these domains registered, the associated IP address, and so on and so forth. So you're really just starting to unravel at that point. And then after I looked at Census, I also took a look at a couple of other tools, Virustotal and Domain Stack, both of which I have free accounts on. And I do like to mention the fact that I'm using free accounts because it just means you don't necessarily have to have all the enterprise grade bells and whistles to do the kind of research that I do. I've certainly worked in companies where I did have all the bells and whistles, which was very nice. But lots of us out there who are doing research don't necessarily have the expensive toys. That was one of the points of my whole article, was that there is a lot that you could do with free tools. It's just a nice thing about cyber security, I think. So anyway. So yeah, I looked at Virustotal and Domain Stack as well and they basically gave the same information. But I like to verify. Right. It's rare that I would look at just one source for information. So yeah, so now I had an IP address to look at as well. So you just start building up right, with the different indicators.

B (6:26)

Now one of the things you mentioned in the research is that there was some device fingerprinting in the URLs. Can you explain to us exactly what that means?

A (6:35)

Yeah, for sure. So the domain, of course, you see there, actually the full URL or URI piece of it was very long and encoded and whatnot. But I've done work in the past on ad fraud campaigns, so I recognize this as like an ad kind of tracking thing. And threat actors use this kind of programming to deliver basically curated content. Right. So they're looking for a user on a specific type of device, or they're not really necessarily looking for these types of users, but they want to gear what they're delivering to the user accordingly. So, like you were talking about your dad getting a thing about Windows issues on the Mac, they didn't do a very good job of fingerprinting. Right. To give him that sort of thing. But I mean, threat actors are. They're not stupid. They know how to do this stuff. So it kind of, you know, flies under the radar a little bit better. So basically what this very long string broke down to, it identified the device, although it didn't really do a very good job with my phone, it just listed it as generic because it didn't know what it was. And then all the other sort of features of this campaign, and like I said, normally it would be an advertising campaign, in this case it was some sort of not advertising. Well, I guess it was actually advertising for these apps that they wanted you to install, but I'll say not a legitimate campaign. Yeah, so. But it still has all the same components. So campaign IDs, the country, the operating system, just all the data that it captures about the device.

B (8:35)

Yeah, that's all within the URL.

A (8:37)

Yeah, gotcha.

B (8:40)

Now, you mentioned apps. There was a point in this investigation when you kind of pivoted from websites to mobile apps. Can you take us through that?

A (8:49)

Yeah, sure. So if you recall, the thing that first popped up was you have malware on your phone. You need to install these apps to correct the situation. So I dug into what those apps were and. And I haven't looked lately. I don't know if they're still there or not. They probably are, but. Yeah. So there was one called Antivirus Protector, and the other one was called Antivirus Cybergate. And when I look at apps to try to get a feel for, like, whether they're legit or not legit, one of the things I always look for is the contact information for the. For the developer and also look to see what other apps the developer has provided. So it's actually not even that easy to find. It's kind of tucked away, but you can find it and I did not include that information in the blog, but it would be easy to go look it up. And that was just basically because Feedly didn't want to include contact information. But I think in both instances the email was just like a generic email, like Gmail or something like that. So this is always a red flag to me because if a developer doesn't even have a company proper domain name, like I have marcel@marcellee.com or whatever, then I'm like, that's a little sketchy, I think. So that would definitely raise some red flags for me. And it doesn't guarantee that it's something that's not cool, but it's just an indicator, possibly. I think the other thing that was interesting is both of the apps had pretty high ratings. One of them had a million downloads and the other one had 10,000 downloads. This could be a little bit deceiving because there's so many ways that those numbers can be artificially manipulated. There's, you know, you could, you can pay services to create this kind of sort of fake traffic for you. There's bot farms and click farms that, you know, I'm sure you've seen these, Dave, like in a picture or whatever, where it's just like literally a wall full of phones and they're all just clicking away or whatever. So that's a way that you can, you know, generate these things. So you can't, you can't rely on the ratings and the number of downloads necessarily.

B (11:38)

We'll be right back. These days, attackers rarely start with a bang. They start quietly. A leaked credential, stolen session cookie, a lookalike domain that shouldn't exist. That's where Nordstellar comes in. Nordstellar is a threat exposure management platform that helps organizations see what attackers already know about them before it turns into an incident. It brings together data breach monitoring, dark web monitoring, attack surface management, and cyber squatting detection in a single platform. That means visibility into leaked credentials and malware logs, insight into brand impersonation attempts, and a clear picture of exposed Internet facing assets. And shadow it. For CISOs, it's a way to reduce response costs, prioritize real risk, and communicate clearly with the board. For security teams, it's real time alerts, contextual intelligence and faster investigations without the noise. Most companies only react after the damage is done. Don't wait until your data is already for sale. Protect your business today with Nord Stellar. Learn more@nordstellar.com CyberWire Daily don't forget to mention CyberWire 10 for an exclusive offer. Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back from automatically dismantling cross channel attacks to building team resilience and more. Doppel outpacing what's next in social engineering. Learn more@doppel.com that'S-O-P p e l.com. So you are looking at these apps and did you get to the point of actually downloading them?

A (13:59)

No, I did not. So I used to have a nice setup for doing mobile app analysis, but it's been so long since I that I didn't have it set up anymore. But I do have a friend who does do mobile app analysis, so I passed this information along to them to see if they wanted to take a look. So I'm not sure if that happened or not.

B (14:25)

Right, right. Stay tuned. Perhaps more to come.

A (14:28)

Exactly, exactly.

B (14:30)

I think it brings up an interesting point though that a lot of folks, I believe, assume that if something is in one of the big app stores, either Google Play or Apple's app store, that they're safe. And that's not necessarily so.

A (14:47)

No, it's not, especially in Google Play. And I'm obviously an Android user, so I'm not dissing Google Play. But they really don't vet from sort of a security standpoint. Basically the process to get an app approved is you have to have a privacy policy. You have to provide your developer contact information. But as I said, it doesn't really matter. It could just be randomail.com and then when they do the review process, they're really just checking to make sure that you've provided those things that as far as I know, I don't think anybody at Google is over there, you know, running the apps and seeing what they do just to, you know, to make sure that they're copacetic.

B (15:42)

Right, right. What's your suspicion? You suspect that once you install something like this on your device that all bets are off, they're going after everything.

A (15:53)

Yeah. So there's a couple of possibilities. Like one, it could be actually, you know, a malicious app that would be targeting, you know, you as the user or the device, maybe stealing data, stealing banking information, that kind of thing. Or it could be something more along the lines of ad fraud. There's certainly apps out there that are really just generating advertising clicks to make money. We did a lot of that research when I used to work at Human Security. And it's fascinating. Like the whole ad fraud ecosystem is very, very deep, I guess I would say. So threat actors as they do know this and take advantage of it so you can actually make a fair bit of money with just fake clicks and so on and so forth.

B (16:50)

There's a turn of phrase that you used in your blog posts that really caught my eye. You talk about how indicators expire, but behaviors last.

A (17:01)

Yeah, for sure. And I'm sure you've seen the Pyramid of Pain where it's like some things are very sort of ephemeral, like a domain name or an IP or whatever, that's not that hard to change. But the way the threat actor actually conducts their business, if you will, is less likely to change. And that's where mitre, ATT and CK comes into play. Like, I love mitre, ATT and CK framework for basically categorizing threat actor behavior and activity. So how did they get in in the first place? What was the means of initial access? How do they do lateral movement? How do they do exfiltration? And it's just like anybody, right? You have your way that you do things and, and chances of you changing your way that you do things are pretty small, but. Yeah, but they can change infrastructure pretty handily. That's easy. But changing just sort of their own fingerprint of activity is a little bit more difficult.

B (18:16)

How do defenders use this kind of mapping of the tactics, techniques and procedures proactively and not just reactively to what's coming at them?

A (18:29)

Yeah, so there's a few different ways. And when I've worked with, you know, in infosec, with different infosec teams, you can, you can do a lot of different things. Right? You can work with your red team, your penetration testing team, to tell them like, this is the kind of activity that we're seeing in the wild. This is probably something you should test our organization for a certain type of user execution, whatever technique that helps inform them for their testing. Also you can help support incident response, certainly, obviously incident response is reactive by its very nature, but having some idea about the kinds of things that the threat actor might be doing might help them with their investigation in terms of where do we look for what might have happened. And also just like security awareness too. I think I have such a passion for better awareness for people and not just the checkbox compliance awareness that everybody has to do, but just giving users real world examples of what threat actors are actually doing. This blog, for example, could be used as a case study for an awareness program to let users know about what happens if I get some pop up like this and what should I do? I think it just really enriches the user awareness experience to have like a real story. And I mean, I could go on and on with like all the different sorts of, you know, teams that you would find in InfoSec. I've also found OGRC, Government Risk and compliance. Having them understand the kinds of behaviors also helps them quantify risk. And then, oh, gosh. Last but not least, you can keep thinking of other ways, but you can, you know, bake this information into like your security tools too. So your edr, you could be like, okay, we want to have some rules set up for this particular type of behavior. And MITRE makes it easy, right, because most of these tools are designed to track things by like the ID number, whatever. So, yeah, there's lots of different things that you can do. That's why like threat intel is just so important because it really can help such a variety of different stakeholders.

B (21:16)

Do you suppose that, you know, the original website that you were going to look at, you know, trying to harvest your basil, is it likely that they had no idea that this sort of malicious ad content had been grafted onto to theirs?

A (21:31)

Yeah, 100%. And that's. We see that all the time, right? Compromised websites. Most of the time these folks aren't going to have any idea, right, because somebody's probably just hacked into like their WordPress account or whatever and, and then just added, you know, a directory or a file or something. And unless you're doing like an active review of your website all the time, you're just not going to know it, especially if you're not, you know, a technical person at all.

B (22:02)

I want to swing back around to what you were saying about using free tools that are available. You know, I think we've got a lot of people in our audience who are starting out or just coming up and this is good information for them. You know, I think a lot of people think if I don't have the latest, greatest things and I won't be able to do the kind of work I want to do. But you're saying based on your experience, there's a lot of stuff out there that you can do to, to get where you want to be.

A (22:35)

Yeah, 100%. And I always call this like having your toolbox and, you know, sort of a metaphorical toolbox, of course, but just knowing what websites to go to and knowing what tools to use, this is something that you gradually learn as you get into the field. Right. But it's really useful to keep track of handy sites that you find. So like on my GitHub I have a list of which probably sadly needs massive updating, but a list of like my go to websites. I'm making a mental note to self that I should probably look at that and update it. But yeah, so yeah, there's just a lot out there and you know, it's not one size fit all. Like some people might prefer one domain lookup over another one, but you learn that as you try them. But if you don't even know then how do you try them? I found a lot of stuff just by accident by Googling of course. But then you also get it from other folks too. Somebody would be like oh this tool is really cool, you should try it.

B (23:48)

Yeah, it seems to me like it's the perfect thing if you go to an event or a local meetup or anything like that. And you know, we all go to those things and we think to ourselves oh, what am I going to have to talk about? Right. But yeah, this is a great thing you could talk about like what do you use? What's, what's good? You know, is there anything that you use that you think I should use and that sort of thing and. And away you go.

A (24:12)

Yeah, no, for sure. I hadn't really thought of it that way but it's very true. And then you know, I will throw in sort of the obligatory AI comment, but I have started incorporating AI into my research a bit more. So for example, one of the things I used AI for, for this research was when I was looking at the, the URI and trying to parse out all the bits of it, I basically had AI help me dissect it and, and also do like the comparison of like the 1 URI to the other one that I had. So I feel like AI to me is an assistant. So something that I could probably do, but my time is better spent maybe actually doing the research and writing the blog and they can do the kind of more tedious unpack this encoded blob of stuff.

B (25:11)

Yeah. What are the take homes for you in terms of lessons learned from going through this process?

A (25:18)

I guess I think one of the things for me is I only recently started using Census, for example and I really have decided that I love that platform. It's really, it's now one of my go tos and it wasn't before. I've also learned not so much from this particular blog, but I was at Bsides Bournemouth and I did a workshop with somebody from URL Scan and they were showing how you can actually look up file hashes in URL scan, which I did not know. So if you have like some kind of, you know, maybe an icon or something in a website, you can search to see if that pops up somewhere else, which I did try in this particular case, but it wasn't really like relevant. But still it was something to explore. And I also, I think my another big takeaway was that I need to get less rusty on the app analysis, but there's only so much time in the day. You can only do so many things. But I do have an extra old Android phone that I'm considering setting up again to do, you know, the app research. So.

B (26:43)

Right, right. Throw it. Throw it to the wolves.

A (26:47)

Exactly.

B (26:59)

Our thanks to Marcel Lee, a cybersecurity consultant and researcher. The research we discuss today is titled CTI Trade Investigating a Mobile Scareware Campaign. We'll have a link in the show notes and that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or say send an email to cyberwire2k.com this episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26. I'll see you in San Francisco.