Information Security News|Cyber Security|Hacking Tutorial https://www.securitynewspaper.com/ Information Security Newspaper|Infosec Articles|Hacking News Tue, 04 Feb 2025 14:33:17 +0000 en-US hourly 1 https://wordpress.org/?v=6.7.1 https://www.securitynewspaper.com/snews-up/2018/12/news5.png Information Security News|Cyber Security|Hacking Tutorial https://www.securitynewspaper.com/ 32 32 GhostGPT is out – Write your own Malicious Code https://www.securitynewspaper.com/2025/02/04/ghostgpt-is-out-write-your-own-malicious-code/ Tue, 04 Feb 2025 14:33:15 +0000 https://www.securitynewspaper.com/?p=27564 A new artificial intelligence (AI) tool called GhostGPT is being misused by cybercriminals to create harmful programs, hack systems, and send convincing phishing emails. Security researchers from Abnormal Security foundRead More →

The post GhostGPT is out – Write your own Malicious Code appeared first on Information Security Newspaper | Hacking News.

]]>
A new artificial intelligence (AI) tool called GhostGPT is being misused by cybercriminals to create harmful programs, hack systems, and send convincing phishing emails. Security researchers from Abnormal Security found that this AI model is available for sale on Telegram, a messaging platform, with prices starting at $50 per week. Hackers find GhostGPT appealing because it is fast, easy to use, and does not store user conversations, making it harder for authorities to track.

GhostGPT is not the only AI being used for illegal activities. Similar tools like WormGPT are also on the rise, offering criminals ways to bypass security controls that are present in ethical AI models like ChatGPT, Google Gemini, Claude, and Microsoft Copilot. These unethical AI models are designed to assist in writing malicious code and carrying out cyberattacks, posing a major risk to businesses and individuals.The rise of cracked AI models—which are modified versions of legitimate AI tools—has made it easier for hackers to gain access to powerful AI systems without restrictions. Security experts have been tracking the rise of these tools since late 2024 and report an increase in their usage for cybercrime. This development is alarming for the tech industry and security professionals because AI was meant to help people and businesses, not be used as a weapon. If these malicious AI models continue to grow, companies and individuals could face more sophisticated cyberattacks, making cybersecurity more challenging. The need for stronger regulations and better security measures to prevent AI abuse is now more critical than ever.

The post GhostGPT is out – Write your own Malicious Code appeared first on Information Security Newspaper | Hacking News.

]]>
WinRAR and ZIP File Exploits: This ZIP File Hack Could Let Malware Bypass Your Antivirus https://www.securitynewspaper.com/2024/11/14/winrar-and-zip-file-exploits-this-zip-file-hack-could-let-malware-bypass-your-antivirus/ Thu, 14 Nov 2024 20:38:56 +0000 https://www.securitynewspaper.com/?p=27521 In a new cyber threat exploiting ZIP file concatenation, attackers use a Trojan embedded in concatenated ZIP files to target Windows users, evading standard detection methods. This technique takes advantageRead More →

The post WinRAR and ZIP File Exploits: This ZIP File Hack Could Let Malware Bypass Your Antivirus appeared first on Information Security Newspaper | Hacking News.

]]>
In a new cyber threat exploiting ZIP file concatenation, attackers use a Trojan embedded in concatenated ZIP files to target Windows users, evading standard detection methods. This technique takes advantage of how different ZIP file readers interpret concatenated ZIP structures, allowing malicious content to remain undetected in certain programs while becoming visible in others.

Understanding ZIP File Structure

The ZIP file format, a widely used method for data compression, organizes and bundles multiple files into a single archive, making it ideal for efficient file transfers. However, the structure of ZIP files introduces potential vulnerabilities, which attackers can exploit for evasion purposes. Here’s a breakdown of the key structural components that are critical for both functionality and security:

  1. File Entries
    • These represent the actual files or folders compressed within the ZIP archive. Each entry contains essential metadata, including the file name, size, and modification date. This metadata helps the ZIP reader identify and handle each file within the archive, allowing users to retrieve individual files.
  2. Central Directory
    • The central directory acts as an index for the entire ZIP archive. Located at the end of the ZIP file, it contains a list of all the file entries along with their offsets (locations) within the archive. This structure allows ZIP readers to quickly locate and extract files without scanning the entire ZIP file sequentially. The central directory thus improves both file access speed and efficiency, making it easier to add or modify entries without impacting the overall ZIP structure.
  3. EOCD (End of Central Directory)
    • The EOCD marks the end of the central directory and includes essential metadata about the entire ZIP archive, such as the total number of file entries and the starting position of the central directory. ZIP readers rely on the EOCD record to determine where the central directory begins, which facilitates quick access to the list of files within the archive.

Together, these components are crucial for enabling ZIP files to function as compact, easily accessible archives. However, the flexibility in this structure also presents potential vulnerabilities, which threat actors exploit through techniques like concatenation. By understanding these components, we gain insight into how attackers use ZIP files to evade detection and hide malicious content.

Understanding ZIP Concatenation and the Attack Technique: ZIP files, widely used for data compression, consist of structural elements like the Central Directory and EOCD (End of Central Directory) to organize file entries efficiently. However, attackers exploit these structural elements by concatenating multiple ZIP files into a single archive, creating multiple central directories. This tactic lets them hide malicious files from detection tools or programs that only read the first directory, ensuring that the Trojan is only visible in select tools like WinRAR.

Imagine you have a ZIP file named documents.zip containing two text files:

  1. invoice.txt
  2. contract.txt

Standard ZIP Structure

In a typical ZIP file structure:

  • File Entries: Each file (invoice.txt and contract.txt) is stored with metadata such as the file name, size, and modification date.
  • Central Directory: This directory is at the end of the ZIP file and includes a list of the files along with their locations within the ZIP. When you open documents.zip, the ZIP reader consults the central directory to quickly locate and display the two files.
  • EOCD (End of Central Directory): This record is located at the very end of the ZIP file and indicates where the central directory begins, making it possible for ZIP readers to efficiently find and display files without scanning the entire archive.

Exploitation via Concatenation

Attackers can exploit this structure through concatenation by appending a second ZIP archive to documents.zip. Here’s how:

  1. They create a new, separate ZIP file, malware.zip, containing a hidden executable file named virus.exe.
  2. Using concatenation, they append malware.zip to the end of documents.zip, creating a combined file that appears to be a single archive but actually has two central directories (one for documents.zip and one for malware.zip).

Example in Command Line:

zip documents.zip invoice.txt contract.txt     # Create initial ZIP with harmless files
zip malware.zip virus.exe                     # Create malicious ZIP with a hidden file
cat documents.zip malware.zip > combined.zip  # Concatenate both into a single ZIP

How Different ZIP Readers Handle the Combined ZIP

Now, let’s see what happens when different programs open combined.zip:

  • 7zip: When opening combined.zip with 7zip, only the first ZIP’s central directory (documents.zip) is read, so 7zip displays only invoice.txt and contract.txt. A minor warning might appear, but the hidden virus.exe file is not displayed.
  • WinRAR: Unlike 7zip, WinRAR recognizes the second central directory (malware.zip) and reveals virus.exe alongside the original files. This makes WinRAR a tool that could potentially expose the hidden threat.
  • Windows File Explorer: File Explorer may struggle with combined.zip. It may only show virus.exe if it detects the second archive, but it sometimes fails to open concatenated ZIPs altogether, making it unreliable in security scenarios.

Why This Matters

The discrepancy in how ZIP readers interpret concatenated archives allows attackers to disguise malware in ZIP files. Security tools relying on ZIP readers like 7zip might miss the hidden virus.exe, allowing the malware to bypass initial detection and later infect the system if opened in a program like WinRAR.

Evasion Techniques Exploited by Threat Actors

Cybercriminals often use sophisticated techniques to bypass security systems and conceal their malicious payloads. One of these techniques, ZIP concatenation, takes advantage of the structural flexibility of ZIP files to hide malware from detection tools. Here’s how threat actors exploit this technique:

1. ZIP Concatenation

  • What It Is: ZIP concatenation involves appending multiple ZIP files into one single file, so it appears as a single archive but actually contains multiple central directories and file entries.
  • How It Works: Attackers create two separate ZIP files — one benign and one malicious. They concatenate these files, resulting in a single archive that many ZIP readers interpret inconsistently.
  • Effect: By placing the malicious file in the second archive, threat actors can make it undetectable to many security tools that only read the first archive, effectively hiding malware like Trojans or ransomware within the ZIP file.

2. Targeting ZIP Reader Discrepancies

  • Different Interpretations: ZIP readers such as 7zip, WinRAR, and Windows File Explorer process concatenated ZIP files differently. This discrepancy allows attackers to exploit these inconsistencies:
    • 7zip: Often only reads the first central directory, ignoring the second archive that contains the malicious payload.
    • WinRAR: Displays all file entries from both concatenated ZIP files, exposing hidden malicious content.
    • Windows File Explorer: Inconsistent, sometimes failing to open concatenated ZIP files, or only displaying the second archive if renamed.
  • Impact: Attackers rely on users or systems using ZIP readers like 7zip to overlook the malicious content. Only when the file is opened with a more thorough reader, like WinRAR, might the malware be exposed — but by then, the system may already be compromised.

3. Disguising File Extensions and Names

  • Changing Extensions: Threat actors often rename ZIP files to extensions like .rar or .pdf to appear as legitimate documents or compressed files in emails.
  • Using Familiar Names: Malicious files within the ZIP are frequently named after commonly used files, such as “invoice.pdf” or “shipping_details.txt,” to reduce suspicion. Attackers might append a hidden executable, such as malware.exe, to bypass detection if the archive is opened in ZIP readers that miss the second directory.

4. Phishing Emails with High Importance

  • Phishing Tactics: These attacks are typically launched through phishing emails marked as “high importance” to create urgency. The email content often urges users to open attached files under the guise of critical business information, like shipping documents or invoices.
  • Targeted Recipients: These emails are crafted to appear from familiar sources (e.g., “shipping company” or “billing department”) to increase the likelihood of the recipient opening the ZIP attachment without caution.

5. Using Malicious Scripts (e.g., AutoIt) for Further Evasion

  • Scripted Malware: Once the malicious payload is extracted, attackers often use scripting languages like AutoIt to automate the deployment of further threats. These scripts can perform additional tasks, such as:
    • Downloading additional malware.
    • Stealing sensitive data.
    • Propagating within networks.
  • Evasion Benefit: Since scripting languages can rapidly execute complex tasks, this adds another layer of difficulty for detection tools that may struggle to identify and isolate malicious script-based activities embedded within the ZIP file.

6. Avoiding Detection by Security Tools

  • Security Tool Limitations: Many security tools rely on popular ZIP handlers like 7zip or OS-native readers to scan and parse ZIP files. Threat actors are aware of this and deliberately construct ZIP files to exploit these tools’ blind spots.
  • Recursive Extraction Defenses: Traditional detection solutions may lack recursive unpacking capabilities, which means they do not parse every layer of a concatenated ZIP file. Threat actors leverage this gap to keep malicious content hidden in nested or concatenated layers that security software may overlook.

Why ZIP Concatenation Evasion Works

This method is particularly effective because it exploits fundamental inconsistencies in ZIP file interpretation across different readers and tools. By strategically placing malicious payloads in parts of the archive that some ZIP readers cannot access, attackers bypass standard detection methods and target users more likely to overlook the hidden threat.

The Countermeasure: Recursive Unpacking Technology

To combat this technique, security researchers are now developing recursive unpacking algorithms that fully parse concatenated ZIP files by examining each layer independently. This approach helps detect deeply hidden threats, reducing the chances of evasion.

In summary, ZIP concatenation is an effective evasion technique, enabling threat actors to bypass standard detection tools and deliver malware hidden within seemingly innocuous files.

Recursive Unpacker: A Solution to Unmask Evasive Malware

As attackers increasingly use techniques like ZIP concatenation to evade detection, security researchers have developed recursive unpacking technology to thoroughly analyze complex, multi-layered archives. Recursive unpacking systematically dissects concatenated or deeply nested files to reveal hidden malicious payloads that traditional detection tools may miss. Here’s how the Recursive Unpacker functions and why it’s a powerful defense against evasive threats.

1. What is a Recursive Unpacker?

  • Purpose: A Recursive Unpacker is a security tool designed to break down complex file structures, including concatenated ZIP files and deeply nested archives, to expose every layer of content, whether benign or malicious.
  • Function: It goes beyond single-layer extraction by recursively (repeatedly) unpacking each layer of an archive until it reaches the final files. Each layer is individually examined to ensure no hidden content remains unchecked.

2. How It Works

  • Layer-by-Layer Extraction: The Recursive Unpacker opens an archive and extracts its contents. For each extracted file, if it detects additional compressed layers (such as a ZIP or RAR within another ZIP), it repeats the unpacking process for every inner layer.
  • Detection of Malformed or Concatenated Files: It identifies concatenated ZIP files, where multiple central directories may contain hidden payloads. By detecting and unpacking each central directory separately, the tool ensures that no segment of the file remains uninspected.
  • Dynamic Analysis Integration: After extracting all contents, the Recursive Unpacker may integrate with dynamic analysis systems that observe how the files behave when executed. This enables detection of advanced malware behaviors that might not be evident through static analysis alone.

3. Example of Recursive Unpacking in Action

Imagine an attacker has sent a ZIP file with the following structure:

  • Layer 1: invoice.zip containing:
    • document.pdf (benign)
    • hidden.zip (a nested ZIP file)
  • Layer 2: hidden.zip containing:
    • malware.exe (a malicious executable)
    • data.txt (benign text file)

When a Recursive Unpacker analyzes invoice.zip, it first extracts document.pdf and hidden.zip. Upon detecting that hidden.zip is itself an archive, it unpacks this nested layer as well, revealing malware.exe and data.txt. Without recursive unpacking, security tools may have missed malware.exe, which could contain the actual payload.

4. Advantages of Recursive Unpacking

  • Full Visibility: Recursive Unpackers ensure every layer of an archive is exposed, leaving no hidden files undetected, regardless of how deeply nested they are.
  • Handling Evasive Techniques: By unpacking concatenated and nested files, Recursive Unpackers effectively counter ZIP concatenation evasion, where hidden payloads are deliberately placed in overlooked layers.
  • Integration with Advanced Malware Detection: After extraction, files can be passed on for behavioral analysis to detect sophisticated malware that may attempt to execute or download additional payloads only under certain conditions.

5. Use Cases in Cybersecurity

  • Detecting Phishing Payloads: Recursive Unpackers are particularly valuable in identifying malicious payloads hidden within email attachments, such as Trojanized ZIP files disguised as invoices or shipping documents.
  • Protecting Endpoint Security: On corporate networks, Recursive Unpackers embedded in security software can prevent employees from inadvertently executing hidden malware embedded within ZIP files.
  • Malware Research and Forensics: Security analysts can use Recursive Unpackers to thoroughly analyze suspected malicious files, ensuring comprehensive insights into an attack’s structure and methods.

6. Limitations and Challenges

False Positives: Due to its thoroughness, Recursive Unpackers may flag benign nested files as suspicious, requiring further analysis to validate the findings.

Resource Intensity: Recursive unpacking can be resource-intensive, as it requires processing every layer of large files, which can be time-consuming.

For full details and a technical breakdown of the attack, read the original research here.

The post WinRAR and ZIP File Exploits: This ZIP File Hack Could Let Malware Bypass Your Antivirus appeared first on Information Security Newspaper | Hacking News.

]]>
How to send phishing or malware to Teams users evading Teams security features https://www.securitynewspaper.com/2023/09/21/how-to-send-phishing-or-malware-to-teams-users-evading-teams-security-features/ Thu, 21 Sep 2023 18:38:06 +0000 https://www.securitynewspaper.com/?p=27237 TeamsPhisher is a Python3 software that was designed to make it easier for phishing messages and attachments to be sent to users of Microsoft Teams whose companies or organizations permitRead More →

The post How to send phishing or malware to Teams users evading Teams security features appeared first on Information Security Newspaper | Hacking News.

]]>
TeamsPhisher is a Python3 software that was designed to make it easier for phishing messages and attachments to be sent to users of Microsoft Teams whose companies or organizations permit connection with outside parties. It is not feasible to transfer files to users of Teams who are not part of one’s company in most circumstances. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC published a means to circumvent this limitation by modifying HTTP requests made by Teams in order to change who is sent a message with an attached file.

TeamsPhisher utilizes a number of other techniques, including some of Andrea Santese’s (@Medu554) older ones, in addition to this one.For the authentication component of the attack flow as well as other basic utility functions, it relies significantly on TeamsEnum, a brilliant piece of work that was developed by Bastian Kanbach (@bka) of SSE.

TeamsPhisher’s goal is to include the most useful aspects of the aforementioned projects in order to provide a method that is robust, fully adaptable, and highly effective for authorized Red Team operations to use Microsoft Teams for phishing in access-related circumstances.

You will need to provide TeamsPhisher with an attachment, a message, and a list of people to target. After that, it will go over the list of targets while simultaneously uploading the attachment to the sender’s Sharepoint.

First, TeamsPhisher will enumerate the target user and check to see whether that person really exists and is able to receive messages from the outside world. After that, it will initiate a new conversation with the person you choose. Note that this is technically a “group” conversation since TeamsPhisher contains the target’s email address twice; this is a clever hack from @Medu554 that will circumvent the “Someone outside your organization messaged you, are you sure you want to view it” splash screen that might offer our targets a reason to stop and think twice about viewing the message.

The user who was identified will get the message that was sent to them along with a link to the attachment that was stored in Sharepoint after a new thread has been established between our sender and the target.

After this first message has been sent, the newly established thread will be visible in the sender’s Teams GUI and may be engaged with manually, if necessary, on a case-by-case basis. Users of TeamsPhisher are required to have a Microsoft Business account (as opposed to a personal one such as @hotmail, @outlook, etc.) that is licensed for both Teams and Sharepoint in order to utilize the software.

This indicates that you will require an AAD tenant as well as at least one user who has a license that corresponds to it. At the time of publishing, the AAD licensing center does have some free trial licenses available for download that are capable of meeting all of the prerequisites for using this product.

Before you may utilize the account with TeamsPhisher, you will have to ensure that you have at least once successfully logged into the personal Sharepoint site of the user with whom you will be exchanging messages. This should be something along the lines of tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld. Alternatively, you could also use tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com.

In terms of the needs of the local community, We strongly advise upgrading to the most recent version of Python3. You will also require the authentication library developed by Microsoft:

To upload the file to a Sharepoint site, you will need to manually give the site’s name. This would most likely be required in the event if the sender’s tenant makes use of a unique domain name (for example, one that does not adhere to the xxx.onmicrosoft.com norm). Just the singular name should be used; for instance, if your SharePoint site is located at mytest.sharepoint.com, you should use the –sharepoint mytest option.

Replace TeamPhisher’s standard greeting (“Hi,”) with a personalized greeting that will be appended to the message that is supplied by the –message option. For instance, “Good afternoon,” or “Sales team,” are examples.

By default, the Sharepoint link that is provided to targets may be accessed by anybody who has the link; to restrict access to the Sharepoint file so that it can only be viewed by the target who got it, use the –securelink option. It’s possible that this will help shield your virus from the blue team.

TeamsPhisher will make an effort to determine the first name of each person it is targeting and will use that name in the welcome it sends to them. For instance, tom.jones@targettenant.onmicrosoft.com would get an email with the greeting “Hi Tom, ” as the first line of the message. This is not ideal and is dependant on the format of the emails that are being targeted; use the –preview option to see whether or not this is a suitable match for the list of emails that you are targeting.

The preview version of TeamsPhisher will be executed. This will NOT send any messages to the target users; instead, the “friendly” name that would be used by the –personalize option will be shown. In addition, a sample message that is indicative of what targets would receive with the current settings will be delivered to the sender’s Teams. You may log in to check how your message appears and make any required adjustments to it.

You may choose to have a delay of x seconds between each message sent to targets. Can be of assistance with rate-limiting concerns that may arise.

TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.

TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.

If you use the –securelink flag, the recipients of the message will see a popup asking them to verify themselves before they can view the attachment in Sharepoint. You have the ability to determine if this adds an excessive number of additional steps or whether it adds ‘legitimacy’ by sending them via the actual Microsoft login feature.

Mitigation
By changing the choices associated with external access, which can be found in the Microsoft Teams admin center under Users > External access, companies may reduce the risk that is provided by the vulnerability that has been discovered.

Organizations are provided with the freedom to pick the optimal rights to match their requirements by Microsoft, including the ability to whitelist just particular external tenants for communications and a global block that prevents any communications from occurring.

The post How to send phishing or malware to Teams users evading Teams security features appeared first on Information Security Newspaper | Hacking News.

]]>
How AitM attack was used to breach 10000 Organizations https://www.securitynewspaper.com/2022/07/20/how-aitm-attack-was-used-to-breach-10000-organizations/ Thu, 21 Jul 2022 00:28:13 +0000 https://www.securitynewspaper.com/?p=25532 Microsoft revealed on Tuesday that a large-scale phishing campaign targeted more than 10,000 organizations since September 2021 by attacking the Office 365 authentication process even on accounts secured with multi-factorRead More →

The post How AitM attack was used to breach 10000 Organizations appeared first on Information Security Newspaper | Hacking News.

]]>
Microsoft revealed on Tuesday that a large-scale phishing campaign targeted more than 10,000 organizations since September 2021 by attacking the Office 365 authentication process even on accounts secured with multi-factor authentication (MFA).

The attackers then used the stolen credentials and session cookies to access the affected users’ mailboxes and carry out e-mail “spoofing” campaigns on their targets.

The intrusions involved the creation of adversary-in-the-middle(AitM) phishing sites, in which the attacker deploys a proxy server between a potential victim and the target website so that recipients of a phishing email are redirected to similar pages designed to capture credentials and MFA information.In AiTM phishing, an attacker attempts to obtain a target user’s session cookie so they can skip the whole authentication process and act on the latter’s behalf.  

To do this, the attacker deploys a webserver that proxies HTTP packets from the user that visits the phishing site to the target server the attacker wishes to impersonate and the other way around. This way, the phishing site is visually identical to the original website (as every HTTP is proxied to and from the original website). The attacker also doesn’t need to craft their own phishing site like how it’s done in conventional phishing campaigns. The URL is the only visible difference between the phishing site and the actual one. 

The phishing page has two different Transport Layer Security (TLS) sessions: one with the target and one with the actual website the target wants to access.

These sessions mean that the phishing page works almost like an AitM agent, intercepting the entire authentication process and extracting valuable data from HTTP requests, such as passwords and, more importantly, session cookies.

The phishing campaign detected by Microsoft was organized to identify Office 365 users by spoofing the Office online authentication page. The AiTM phishing process can currently be automated using open-source phishing toolkits and other online resources. Among the widely-used kits include Evilginx2, Modlishka, and Muraena.   The actors used the Evilginx2 phishing kit to carry out the attacks.

The attacks did not end there, as the attackers abused their mailbox access for payment fraud using a technique called “email thread hijacking” to trick parties on the other end of the conversation into illicitly transferring funds to accounts under your control.

While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. Defenders can also complement MFA with the following solutions and best practices to further protect their organizations from such types of attacks:

  • Enable conditional access policies. 
  • Invest in advanced anti-phishing solutions 
  • Continuously monitor for suspicious or anomalous activities:

The post How AitM attack was used to breach 10000 Organizations appeared first on Information Security Newspaper | Hacking News.

]]>
Are you getting spams? fast check for email address on online platforms https://www.securitynewspaper.com/2020/01/31/are-you-getting-spams-fast-check-for-email-address-on-online-platforms/ Fri, 31 Jan 2020 14:15:03 +0000 https://www.securitynewspaper.com/?p=18455 Email addresses, spammer loves these. Emails is the main source of authentication for most social media platforms. On daily basis, fake social media accounts are used by various cyber criminal.Read More →

The post Are you getting spams? fast check for email address on online platforms appeared first on Information Security Newspaper | Hacking News.

]]>
Email addresses, spammer loves these. Emails is the main source of authentication for most social media platforms. On daily basis, fake social media accounts are used by various cyber criminal. Now days, social media crimes are increasing, because of the Social media popularity. Many users uses bots or automation scripts to become popular in short period of time. According to ethical hacking researcher of International Institute of Cyber Security you can find list of many leaked email address on pastebin and underground links.

There are many cases on cyber bulling, stalking which shows that fake accounts are used. After the investigation, its normally found that fake accounts are the main reason for spreading rumors on any person or public figure to create an chaos among users. Most of the time Twitter becomes the main source for spreading fake news. Every news or chaos are found to be connected with any account. We will show you socialscan which is used to validate email addresses on social media accounts. Users can search by typing email addresses or using any bulk list of email addresses. Socialscan uses various social media platforms, api’s, svc-api’s. Below you can checkout the python script written by socialscan developer which clearly shows instagram, twitter, tumblr or emails, usernames are used to check the availability of email addresses.

  • For testing we will use Kali Linux 2018.4 amd64.
  • Before installing socialscan, make sure python3 is installed.
  • Type open terminal, type sudo apt-get update and then type sudo apt-get install python3, then type sudo apt-get install python3-pip
  • Type pip3 –version, If you found error while running pip3, Type sudo apt-get purge python3, then type sudo apt-get install python3-pip
root@kali:/home/iicybersecurity/Downloads/socialscan# pip3 --version
pip 18.1 from /usr/lib/python3/dist-packages/pip (python 3.7)
root@kali:/home/iicybersecurity/Downloads/socialscan# pip3 install socialscan
Requirement already satisfied: socialscan in /usr/local/lib/python3.7/dist-packages/socialscan-1.1.5-py3.7.egg (1.1.5)
Requirement already satisfied: aiohttp>=3.5.0 in /usr/local/lib/python3.7/dist-packages/aiohttp-4.0.0a1-py3.7-linux-x86_64.egg (from socialscan) (4.0.0a1)
Requirement already satisfied: colorama in /usr/lib/python3/dist-packages (from socialscan) (0.3.7)
Requirement already satisfied: tqdm>=4.31.0 in /usr/local/lib/python3.7/dist-packages (from socialscan) (4.31.1)
Requirement already satisfied: async-timeout<4.0,>=3.0 in /usr/local/lib/python3.7/dist-packages/async_timeout-3.0.1-py3.7.egg (from aiohttp>=3.5.0->socialscan) (3.0.1)
Requirement already satisfied: attrs>=17.3.0 in /usr/local/lib/python3.7/dist-packages (from aiohttp>=3.5.0->socialscan) (19.1.0)
Requirement already satisfied: chardet<4.0,>=2.0 in /usr/lib/python3/dist-packages (from aiohttp>=3.5.0->socialscan) (3.0.4)
Requirement already satisfied: multidict<5.0,>=4.5 in /usr/local/lib/python3.7/dist-packages (from aiohttp>=3.5.0->socialscan) (4.5.2)
Requirement already satisfied: typing-extensions>=3.6.5 in /usr/local/lib/python3.7/dist-packages/typing_extensions-3.7.4.1-py3.7.egg (from aiohttp>=3.5.0->socialscan) (3.7.4.1)
Requirement already satisfied: yarl<2.0,>=1.0 in /usr/local/lib/python3.7/dist-packages (from aiohttp>=3.5.0->socialscan) (1.3.0)
Requirement already satisfied: idna>=2.0 in /usr/lib/python3/dist-packages (from yarl<2.0,>=1.0->aiohttp>=3.5.0->socialscan) (2.6)
  • After then type python3 setyp.py install
root@kali:/home/iicybersecurity/Downloads/socialscan# python3 setup.py install
running install
running bdist_egg
running egg_info
writing socialscan.egg-info/PKG-INFO
writing dependency_links to socialscan.egg-info/dependency_links.txt
writing entry points to socialscan.egg-info/entry_points.txt
writing requirements to socialscan.egg-info/requires.txt
writing top-level names to socialscan.egg-info/top_level.txt
reading manifest file 'socialscan.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
writing manifest file 'socialscan.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build/bdist.linux-x86_64/egg
creating build/bdist.linux-x86_64/egg/socialscan
copying build/lib/socialscan/__init__.py -> build/bdist.linux-x86_64/egg/socialscan
copying build/lib/socialscan/util.py -> build/bdist.linux-x86_64/egg/socialscan
copying build/lib/socialscan/platforms.py -> build/bdist.linux-x86_64/egg/socialscan
copying build/lib/socialscan/__main__.py -> build/bdist.linux-x86_64/egg/socialscan
copying build/lib/socialscan/cli.py -> build/bdist.linux-x86_64/egg/socialscan
byte-compiling build/bdist.linux-x86_64/egg/socialscan/__init__.py to __init__.cpython-37.pyc
byte-compiling build/bdist.linux-x86_64/egg/socialscan/util.py to util.cpython-37.pyc
byte-compiling build/bdist.linux-x86_64/egg/socialscan/platforms.py to platforms.cpython-37.pyc
byte-compiling build/bdist.linux-x86_64/egg/socialscan/__main__.py to __main__.cpython-37.pyc
byte-compiling build/bdist.linux-x86_64/egg/socialscan/cli.py to cli.cpython-37.pyc
creating build/bdist.linux-x86_64/egg/EGG-INFO
copying socialscan.egg-info/PKG-INFO -> build/bdist.linux-x86_64/egg/EGG-INFO
copying socialscan.egg-info/SOURCES.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying socialscan.egg-info/dependency_links.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying socialscan.egg-info/entry_points.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying socialscan.egg-info/requires.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying socialscan.egg-info/top_level.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
zip_safe flag not set; analyzing archive contents...
creating 'dist/socialscan-1.1.5-py3.7.egg' and adding 'build/bdist.linux-x86_64/egg' to it
removing 'build/bdist.linux-x86_64/egg' (and everything under it)
Processing socialscan-1.1.5-py3.7.egg
Removing /usr/local/lib/python3.7/dist-packages/socialscan-1.1.5-py3.7.egg
Copying socialscan-1.1.5-py3.7.egg to /usr/local/lib/python3.7/dist-packages
socialscan 1.1.5 is already the active version in easy-install.pth
Installing socialscan script to /usr/local/bin

Installed /usr/local/lib/python3.7/dist-packages/socialscan-1.1.5-py3.7.egg
Processing dependencies for socialscan==1.1.5
Searching for tqdm==4.31.1
Best match: tqdm 4.31.1
Adding tqdm 4.31.1 to easy-install.pth file
Installing tqdm script to /usr/local/bin

Using /usr/local/lib/python3.7/dist-packages
Searching for colorama==0.3.7
Best match: colorama 0.3.7
Adding colorama 0.3.7 to easy-install.pth file

Using /usr/lib/python3/dist-packages
Searching for aiohttp==4.0.0a1
Best match: aiohttp 4.0.0a1
Processing aiohttp-4.0.0a1-py3.7-linux-x86_64.egg
aiohttp 4.0.0a1 is already the active version in easy-install.pth

Using /usr/local/lib/python3.7/dist-packages/aiohttp-4.0.0a1-py3.7-linux-x86_64.egg
Searching for yarl==1.3.0
Best match: yarl 1.3.0
Adding yarl 1.3.0 to easy-install.pth file

Using /usr/local/lib/python3.7/dist-packages
Searching for typing-extensions==3.7.4.1
Best match: typing-extensions 3.7.4.1
Processing typing_extensions-3.7.4.1-py3.7.egg
typing-extensions 3.7.4.1 is already the active version in easy-install.pth

Using /usr/local/lib/python3.7/dist-packages/typing_extensions-3.7.4.1-py3.7.egg
Searching for multidict==4.5.2
Best match: multidict 4.5.2
Adding multidict 4.5.2 to easy-install.pth file

Using /usr/local/lib/python3.7/dist-packages
Searching for chardet==3.0.4
Best match: chardet 3.0.4
Adding chardet 3.0.4 to easy-install.pth file
Installing chardetect script to /usr/local/bin

Using /usr/lib/python3/dist-packages
Searching for attrs==19.1.0
Best match: attrs 19.1.0
Adding attrs 19.1.0 to easy-install.pth file

Using /usr/local/lib/python3.7/dist-packages
Searching for async-timeout==3.0.1
Best match: async-timeout 3.0.1
Processing async_timeout-3.0.1-py3.7.egg
async-timeout 3.0.1 is already the active version in easy-install.pth

Using /usr/local/lib/python3.7/dist-packages/async_timeout-3.0.1-py3.7.egg
Searching for idna==2.6
Best match: idna 2.6
Adding idna 2.6 to easy-install.pth file

Using /usr/lib/python3/dist-packages
Finished processing dependencies for socialscan==1.1.5
  • Type socialscan –help
root@kali:/home/iicybersecurity/Downloads/socialscan# socialscan --help
usage: socialscan [-h] [--platforms [platform [platform ...]]]
                  [--view-by {platform,query}] [--available-only]
                  [--cache-tokens] [--input input.txt]
                  [--proxy-list proxy_list.txt] [--verbose] [--version]
                  [query [query ...]]

Command-line interface for checking email address and username usage on online
platforms: GitHub, GitLab, Instagram, Lastfm, Pastebin, Pinterest, Reddit,
Snapchat, Spotify, Twitter, Tumblr, Yahoo

positional arguments:
  query                 one or more usernames/email addresses to query (email
                        addresses are automatically be queried if they match
                        the format)

optional arguments:
  -h, --help            show this help message and exit
  --platforms [platform [platform ...]], -p [platform [platform ...]]
                        list of platforms to query (default: all platforms)
  --view-by {platform,query}
                        view results sorted by platform or by query (default:
                        query)
  --available-only, -a  only print usernames/email addresses that are
                        available and not in use
  --cache-tokens, -c    cache tokens for platforms requiring more than one
                        HTTP request (Snapchat, GitHub, Instagram. Lastfm,
                        Tumblr & Yahoo), reducing total number of requests
                        sent
  --input input.txt, -i input.txt
                        file containg list of queries to execute
  --proxy-list proxy_list.txt
                        file containing list of HTTP proxy servers to execute
                        queries with
  --verbose, -v         show query responses as they are received
  --version             show program's version number and exit

  • Type socialscan #######a######@gmail.com, for security purposes the email address is masked.
  • socialscan will find accounts with given email addresses.
root@kali:/home/iicybersecurity/Downloads/socialscan# socialscan  #######a######@gmail.com
  0%|                               | 0/12 [0.00s]/usr/local/lib/python3.7/dist-packages/aiohttp-4.0.0a1-py3.7-linux-x86_64.egg/aiohttp/client.py:977: RuntimeWarning: coroutine 'noop' was never awaited
  self._resp.release()
RuntimeWarning: Enable tracemalloc to get the object allocation traceback
 50%|███████████████▌               | 6/12 [0.88s]/usr/local/lib/python3.7/dist-packages/aiohttp-4.0.0a1-py3.7-linux-x86_64.egg/aiohttp/client.py:518: RuntimeWarning: coroutine 'noop' was never awaited
  resp.release()
RuntimeWarning: Enable tracemalloc to get the object allocation traceback
/usr/local/lib/python3.7/dist-packages/aiohttp-4.0.0a1-py3.7-linux-x86_64.egg/aiohttp/client.py:541: RuntimeWarning: coroutine 'noop' was never awaited
  resp.release()
RuntimeWarning: Enable tracemalloc to get the object allocation traceback
 75%|███████████████████████▎       | 9/12 [1.22s]Future exception was never retrieved
future: <Future finished exception=SSLError(1, '[SSL: KRB5_S_INIT] application data after close notify (_ssl.c:2629)')>
Traceback (most recent call last):
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 530, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 207, in feed_ssldata
    self._sslobj.unwrap()
  File "/usr/lib/python3.7/ssl.py", line 778, in unwrap
    return self._sslobj.shutdown()
ssl.SSLError: [SSL: KRB5_S_INIT] application data after close notify (_ssl.c:2629)
Future exception was never retrieved
future: <Future finished exception=SSLError(1, '[SSL: KRB5_S_INIT] application data after close notify (_ssl.c:2629)')>
Traceback (most recent call last):
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 530, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 207, in feed_ssldata
    self._sslobj.unwrap()
  File "/usr/lib/python3.7/ssl.py", line 778, in unwrap
    return self._sslobj.shutdown()
ssl.SSLError: [SSL: KRB5_S_INIT] application data after close notify (_ssl.c:2629)
----------------------------------------
        #######a######@gmail.com
----------------------------------------
Instagram
Lastfm
Pastebin
Twitter
GitHub
Pinterest
Spotify
Tumblr
  • Above shows listed of social media platforms that have accounts associated with this searched email address. Below in output social media accounts are mentioned in different colors.
  • Socialscan uses two different colors to indicate the presence of email address on social media platform.
Socialscan_result
Socialscan_result
  • In Yellow Color, it shows email address tested is used in creating accounts on different social media platforms.
  • In Green Color, this email address is not used in creating accounts on these platforms.
  • Let’s try some other email addresses. For testing, you can found different email addresses on pastr.io.
  • Type socialscan ja#####ep#####ki@gmail.com
  • As per ethical hacking researcher of International Institute of Cyber Security, socialscan checks the availability of email address by trying to create account or trying to use username suggestion functionality available on social media platforms.
root@kali:/home/iicybersecurity/Downloads/socialscan# socialscan   ja#####ep#####ki@gmail.com
  0%|                               | 0/12 [0.00s]/usr/local/lib/python3.7/dist-packages/aiohttp-4.0.0a1-py3.7-linux-x86_64.egg/aiohttp/client.py:977: RuntimeWarning: coroutine 'noop' was never awaited
  self._resp.release()
RuntimeWarning: Enable tracemalloc to get the object allocation traceback
 58%|██████████████████             | 7/12 [0.69s]Future exception was never retrieved
future: <Future finished exception=SSLError(1, '[SSL: KRB5_S_INIT] application data after close notify (_ssl.c:2629)')>
Traceback (most recent call last):
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 530, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 207, in feed_ssldata
    self._sslobj.unwrap()
  File "/usr/lib/python3.7/ssl.py", line 778, in unwrap
    return self._sslobj.shutdown()
ssl.SSLError: [SSL: KRB5_S_INIT] application data after close notify (_ssl.c:2629)
 75%|███████████████████████▎       | 9/12 [0.83s]/usr/local/lib/python3.7/dist-packages/aiohttp-4.0.0a1-py3.7-linux-x86_64.egg/aiohttp/client.py:518: RuntimeWarning: coroutine 'noop' was never awaited
  resp.release()
RuntimeWarning: Enable tracemalloc to get the object allocation traceback
/usr/local/lib/python3.7/dist-packages/aiohttp-4.0.0a1-py3.7-linux-x86_64.egg/aiohttp/client.py:541: RuntimeWarning: coroutine 'noop' was never awaited
  resp.release()
RuntimeWarning: Enable tracemalloc to get the object allocation traceback
 83%|█████████████████████████     | 10/12 [1.43s]Future exception was never retrieved
future: <Future finished exception=SSLError(1, '[SSL: KRB5_S_INIT] application data after close notify (_ssl.c:2629)')>
Traceback (most recent call last):
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 530, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 207, in feed_ssldata
    self._sslobj.unwrap()
  File "/usr/lib/python3.7/ssl.py", line 778, in unwrap
    return self._sslobj.shutdown()
ssl.SSLError: [SSL: KRB5_S_INIT] application data after close notify (_ssl.c:2629)
----------------------------------------
       ja#####ep#####ki@gmail.com
----------------------------------------
GitHub
Lastfm
Pastebin
Instagram
Pinterest
Spotify
Tumblr
Twitter
  • Above shows social media accounts which are connected with the given email addresses. Socialscan uses two different colors to indicate on which social media platform.
Socialscan_Bulk-Email
Socialscan_Bulk-Email
  • In Yellow Color, it shows above email address is used in creating accounts on different social media platforms.
  • In Green Color, this email address is not used in creating accounts on these platforms.
  • In Social media crimes, Digital forensics investigator can use Socialscan for verifying the email addresses. Or if any user received some spamming emails from any email ID. User can check the social media behavior of that account by finding social media accounts using Socialscan.
  • In some common email addresses, it might shows false positives but still according to its developer it provides 100% accuracy.
  • While searching accounts on social media, we do found account with particular email address on social media platforms. For further verification, you can manually search for the email ID on social media logins. For verification we have used above first email ID for verifying on twitter.com For security reasons, we have masked the email id.
Twitter_Login
Twitter_Login
  • Above shows that “we could not identify you by the email address. Please enter your username to first your account” which means that twitter does not have any account using above email. For security purposes, we have hidden the email id.

Scanning List of Email Addresses

  • Type socialscan –platform instagram –input list2.txt
  • –platform to write any particular platform. We have searched for Instagram.
  • –input is used to enter list of email addresses.
root@kali:/home/iicybersecurity/Downloads/socialscan# socialscan --platform instagram --input list2.txt
  0%|                               | 0/37 [0.00s]/usr/local/lib/python3.7/dist-packages/aiohttp-4.0.0a1-py3.7-linux-x86_64.egg/aiohttp/client.py:518: RuntimeWarning: coroutine 'noop' was never awaited
  resp.release()
RuntimeWarning: Enable tracemalloc to get the object allocation traceback
/usr/local/lib/python3.7/dist-packages/aiohttp-4.0.0a1-py3.7-linux-x86_64.egg/aiohttp/client.py:541: RuntimeWarning: coroutine 'noop' was never awaited
----------------------------------------
          kkne########3@gmail.com
----------------------------------------
Instagram
----------------------------------------
         slo#######en@gmail.com
----------------------------------------
Instagram
----------------------------------------
       jame##########ki@yahoo.com
----------------------------------------
Instagram
----------------------------------------
        Ky#########ps@hotmail.com
----------------------------------------
Instagram
----------------------------------------
       gia#########ris@gmail.com
----------------------------------------
Instagram
----------------------------------------
          big##########@gmail.com
----------------------------------------
Instagram
----------------------------------------
       th##########erjwo@yahoo.com
----------------------------------------
Instagram
----------------------------------------
        chu##############her@yahoo.com
----------------------------------------
Instagram
----------------------------------------
         kin#########94@gmail.com
----------------------------------------
Instagram
----------------------------------------
        con#########17@gmail.com
----------------------------------------
Instagram
----------------------------------------
          car########g@gmail.com
----------------------------------------

----------------------------------------
       sir#########lker@gmail.com
----------------------------------------
Instagram

Available, Taken/Reserved, Invalid, Error
Completed 12 queries in 4.38s
  • Above shows list of email addresses which are taken or they are available.

The post Are you getting spams? fast check for email address on online platforms appeared first on Information Security Newspaper | Hacking News.

]]>