@BagheeraAltered the hardest part is choosing the ASCII art to display in the terminal when the script is run! I spend 50% effort working on a script, the other 50% selecting some absurdly silly ASCII art to go with it
My other computer is your bluetooth toaster
I'm excited to be presenting with @Kcin418 at both @bsidessf and @bsidesroc this year. Psyched to have the full hour or so to talk more about my work investigating a massive Facebook credential harvesting campaign (over 200 million creds). #BSidesSF #BSidesROC @bsidessf @bsidesroc @Kcin418
@thepacketrat if you find someone let me know. I’ve been tracking a group targeting them and a few other exchanges for a while now. They cycle through domains a LOT for most exchanges they target, but very rarely need new domains for crypto.com as they aren’t getting burned by them (lol?)
I just wrote a blog about it:
https://pixmsecurity.com/blog/phish/cybercrime-group-expands-cryptocurrency-phishing-operation/
Been working on this investigation for a while, excited to see it getting some coverage!
TL;DR: bad guys are continuing to do bad guys things
Dinner time just hasn’t been the same since my kitchen appliances were unwilling participants in the Mirai botnet.
I wrote this lil Python script a couple years ago to pull out PDB Paths from large malware sample repos and run them through Sherlock to see if the usernames are active handles on various platforms. Always find some crazy stuff (samples from totally separate campaigns tied back to the same author, usernames that point to devs' IRL identities, reused PDB paths to cause mis-attribution) when I run it still.
https://github.com/SecurityRiskAdvisors/PDBlaster
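The core of the approach described above (find the CodeView record in a PE, pull the PDB path, then pull the build user out of that path), as an added illustration that is not the PDBlaster project's own code. It scans raw bytes for the `RSDS` signature instead of walking the PE debug directory, and the sample PE bytes and the `j_doe` username are constructed here.

```python
import re
import struct
from typing import Optional

# CodeView 7.0 record layout: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated PDB path.
RSDS_SIG = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4

# Windows user-profile directory forms where build usernames typically leak.
USER_DIR_RE = re.compile(
    r"[\\/](?:Users|Documents and Settings)[\\/]([^\\/]+)", re.IGNORECASE
)


def extract_pdb_paths(pe_bytes: bytes) -> list[str]:
    """Return every PDB path found in RSDS records in the raw file bytes.

    Signature scanning (rather than parsing IMAGE_DEBUG_DIRECTORY) is a
    simplification so this also works on truncated or dumped samples."""
    paths: list[str] = []
    pos = 0
    while (idx := pe_bytes.find(RSDS_SIG, pos)) != -1:
        start = idx + RSDS_HEADER_LEN
        end = pe_bytes.find(b"\x00", start)
        if end == -1:
            break
        try:
            path = pe_bytes[start:end].decode("ascii")
        except UnicodeDecodeError:
            pos = idx + len(RSDS_SIG)  # false positive; keep scanning
            continue
        if path.lower().endswith(".pdb"):
            paths.append(path)
        pos = end
    return paths


def username_from_pdb_path(path: str) -> Optional[str]:
    """Extract the profile-directory username, or None if the path has none."""
    m = USER_DIR_RE.search(path)
    return m.group(1) if m else None


def build_sample() -> bytes:
    """Constructed stand-in for a PE: MZ header junk, one RSDS record, trailing junk."""
    rec = RSDS_SIG + b"\x11" * 16 + struct.pack("<I", 3)
    rec += b"C:\\Users\\j_doe\\source\\repos\\loader\\x64\\Release\\loader.pdb\x00"
    return b"MZ" + b"\x00" * 60 + rec + b"\xff" * 16
```

Feed the resulting usernames into a handle-lookup tool such as Sherlock (as the post describes), but treat hits as leads only, since reused or forged PDB paths are a known mis-attribution trick.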
I check malware repos out of pure curiosity every once in a while to check if malware authors are still leaving their username (and occasionally full legal names) in the PDB Path of their PEs. They still are. Some things change, some stay the same.
Fun fact: if you download then run exiftool against an internet-facing file people are editing in SharePoint Online or OneDrive, you get some really interesting metadata about the file, the users, and the SharePoint tenant (example is just a few of the fields, there's often quite a bit more).
How my dog looks at me when I get a reverse shell (slightly condescendingly?)
@alyssam_infosec going to speak with legal about changing our name to “Red Blue Zero One Net”
Want to get in touch with your enterprise security team? Here are some helpful tips!
[the professional way] send an email
[the correct way] start using certutil -urlcache instead of curl to download files
I’m here to post dumb thoughts and Python scripts … and I’m all out of Python scripts