Insights For Success

Strategy, Innovation, Leadership and Security


Tochka DarkNet Marketplace

General | Edward Kiledjian

It's been a while since I posted a Darknet website. I would like to introduce you to the Tochka Marketplace ( http://pointgg3pgee4gic.onion/ )

Tochka was launched in 2015 by Russian-speaking developers. It offers the ability to conduct transactions without the buyers and sellers having to talk. Dead-drop transactions are available for more sensitive purchases. They also offer a "Buy It Now" option called "Instant Trade".

This is a smaller marketplace and is less well known than its more popular (aka news-worthy) counterparts. It has a poorer design and a questionable choice of colors.

Enter the marketplace

If you click on the vendor tab, you can choose your seller of choice.

You can buy anything from marijuana to marijuana oil, research chemicals, prescription medications, credit cards and everything in between.

Shipping Expertise

What you will find most interesting is how they have developed expertise in shipping items carefully wrapped in an attempt to bypass customs inspection. Hopefully writing about it here may create interest from some police departments and shut down some of these more questionable and dangerous sellers.

Your cloud provider is making you a target

General | Edward Kiledjian

Phishing is a powerful and effective tool and a favorite in the threat actor arsenal. So what happens when your cloud provider gives threat actors a roadmap to steal from you?

A couple of weeks ago, Workday sent a security advisory to its customers regarding a phishing campaign targeting them. Although details of the attack campaign are light, here is what I believe is happening based on discussions on various darknet forums.

What was the Workday phishing attack model?

First, none of this is a weakness or vulnerability in Workday or any of its systems or processes. The threat actors send an email to employees, pretending to originate from a high-ranking executive (CFO, CEO, SVP HR, etc.), asking them to log into "Workday" to fix an issue. This fake Workday site harvests the credentials, which then allow the threat actors to log in and change employees' direct deposit accounts, thus stealing money.

Based on reports I have seen, these emails are professionally written (so they do not contain the telltale signs of being a scam) and are currently not being caught by many large spam filtering services.
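The two signals in the attack model above (an executive's display name on mail from an outside domain, and a "fix your account" link that does not point at the company's real login host) can be checked mechanically at the mail gateway. The following is an added illustration, not code from the post or from Workday; the domains, the executive roster and the expected login host are placeholders for a hypothetical company, and the message is constructed.

```python
import re
import email
from email.utils import parseaddr
from urllib.parse import urlparse

# Placeholders for a hypothetical company (not real values).
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"pat lee", "sam rivera"}        # e.g. CFO, SVP HR
EXPECTED_LOGIN_HOSTS = {"hr-login.example.com"}    # the tenant's real HR login host

# Constructed sample message in the style the post describes.
SAMPLE_MESSAGE = """\
From: Pat Lee <pat.lee@payroll-notice.example.net>
To: staff@example.com
Subject: Action required: direct deposit verification

Please sign in at https://hr-portal-verify.example.net/verify to fix an issue
with your profile before payroll runs.
"""


def assess(raw_message):
    """Return a list of findings for one raw RFC 822 message (empty = no signal)."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # Signal 1: a known executive's name used as display name, but the
    # address is not on one of our own domains.
    if display.strip().lower() in EXECUTIVE_NAMES and sender_domain not in INTERNAL_DOMAINS:
        findings.append(f"executive display name '{display}' from external domain {sender_domain}")

    # Signal 2: any link in the body that does not lead to the real login host.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://\S+", body):
        host = (urlparse(url).hostname or "").lower()
        if host not in EXPECTED_LOGIN_HOSTS:
            findings.append(f"login link points at unexpected host {host}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```

Both checks are deliberately cheap so they can run on every inbound message; a hit on both together is a strong indicator for the campaign described above.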

How did Workday facilitate this attack?

Like many SAAS and cloud service providers, Workday proudly displays a long list of satisfied customers on its webpage. This marketing list basically becomes an attack plan for these threat actors: it tells them exactly which customer to target, with which SAAS provider name, and which attack to use.

Security is a balancing act. It always has been and always will be. Ultimate security means severely reduced usability and no marketing. More marketing and usability means less security.

Security is a balancing act

Marketing is tasked with growing the business and nothing helps more than social proof (aka showing others that have made the same decision you are thinking about). The fact Workday marketing is publishing hundreds of customer names on its website is aligned with their objective of supporting business growth. After all, why should marketing avoid using all of the tools available to it just to protect the business from some attack that may or may not occur?

Even if marketing hadn’t published an exhaustive list, they probably would publish a press release when a new big-name customer was signed. This means a determined attacker could build his own list of high-value targets. Right?

As an example, they published a press release in April entitled “Workday Continues Momentum in Canada.” This wonderful piece of marketing includes this section:

To be clear, this is not a Workday issue but a generalized cloud services provider issue. As an example, a service provider called CVM solutions has a customer search on its webpage:


Where does marketing end and security start?

Stop making it easy

In addition to publishing a customer list, most Software As A Service (SAAS) companies publish a custom login page for each customer (which is usually pretty easy to find).

In Workday's case, you go here

Enter a customer's name and find their login page.

Again, this is a common practice among many large SAAS providers. Even a giant like Microsoft does this for its Office 365 cloud offering. I searched the web for Microsoft Office 365 success stories and stumbled on a blog post.

So I know the American Cancer Society uses Office 365. I then need an email address to plug into the portal page so Microsoft switches me to their customized Office 365 login portal. In this case, I chose to use a service called Jigsaw.com (from Salesforce.com) and found the email address of their CEO.

Keep in mind that finding email addresses is easy. There are billions of them on the web. There are dozens of hacked site database dumps every week. This is trivial but I chose Data.com just to show it visually here.

You then are sent to the appropriate login page for authentication.

If you are a threat actor, you scrape this page, register a close-looking URL and then target all of the users of Cancer.org you can find (remember there are huge lists everywhere on the web and darknet if you know where to look).

Let's be real

Marketing is a business necessity and every company has an obligation to maximize its top line by leveraging everything it legally can. As a potential customer, I love hearing about other customers that have already chosen the product I am evaluating and learning how they leveraged it to improve their operations (Social Proof - Social Influence). If a vendor tells me that one of my main competitors chose their product and that it is contributing to their success, I really want to know more. How can I leverage their tool too?

If I am a threat actor and determined to phish a particular company, there are other means for me to collect the data I need. A popular technique is called Open Source Intelligence (OSINT for short) and the folks at Rapid7 provide a nice example here

Using OSINT techniques, they produce a list of customers whose publicly available SPF records name the SAAS providers they use.
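An SPF record is public by design, so the useful defender's move is to audit what your own record discloses before someone else does. The following is an added example, not code from the post or from Rapid7: it parses SPF TXT records, follows the include:/redirect= chain, and reports which outside domains (i.e. which providers) the chain names. The DNS data is a constructed dictionary for a hypothetical example.com so the audit runs offline; in practice the records would come from TXT lookups.

```python
import re

# Constructed SPF records for a hypothetical organisation (placeholders).
# Note how the chain names the mail relay and the HR SaaS provider.
CONSTRUCTED_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mail.net include:spf.hr-saas.example -all",
    "_spf.example-mail.net": "v=spf1 ip4:198.51.100.0/24 include:relay.example-mail.net ~all",
    "relay.example-mail.net": "v=spf1 ip4:198.51.100.128/25 -all",
    "spf.hr-saas.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=](.*))?$", re.I)


def parse_spf(record):
    """Split one SPF record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"unparseable SPF term: {term}")
        parsed.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return parsed


def spf_chain(domain, dns=CONSTRUCTED_DNS):
    """Walk include:/redirect= references breadth-first.

    Returns (referenced_domains_in_discovery_order, lookup_count) so the
    output doubles as a check against the 10-lookup limit."""
    found, queue, lookups = [], [domain.lower()], 0
    while queue:
        name = queue.pop(0)
        if name in found:
            continue  # guard against loops between records
        found.append(name)
        record = dns.get(name)
        if record is None:
            continue  # dangling reference: nothing more to read here
        for _qual, mech, value in parse_spf(record):
            if mech in LOOKUP_TERMS:
                lookups += 1
            if mech in ("include", "redirect") and value:
                queue.append(value.lower())
    return found[1:], lookups  # drop the starting domain itself


if __name__ == "__main__":
    referenced, n = spf_chain("example.com")
    print(f"{n} DNS lookups; domains disclosed by the chain:", referenced)
```

Anything in the returned list that is not one of your own domains is a provider relationship that your DNS already tells the world about, which is the point the Rapid7 example makes.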

So the question is how easy do we want to make it for threat actors? OSINT is intelligence gathered from public, legal sources, but it still requires a more sophisticated attacker. Publishing a list of customers on your website means even the most garden-variety kiddie "attacker" can easily target your customers.

I've spent half my career on the consulting and services provider side and understand the hugely powerful tool of social proof. If I tell a small shop owner that other small shops (like his/hers) are using a tool and have found it immensely useful, that is a huge motivator. People love seeing others like them making the same decisions. It validates their choices.

The company I work for recently conducted product reviews for various security tools, and having spoken to another large multinational customer was one of the reasons we chose that product. It validated our findings and also showed that others (like us) had reached the same conclusions.

There is no real answer

I'm going to disappoint you and say there is no magical silver bullet. Obviously user awareness is critical, since most often the human firewall is what will allow or prevent an attack.

Companies have used, and will continue to use, customer names to convince the next prospect to jump on board. Threat actors will always continue to be creative and find new ways to do bad things to good companies.

I believe the only solution is to ensure marketing and security are talking regularly and openly about strategy and impact. It is only through tight collaboration, built on mutual respect and trust, that companies can decide what the right balance is between public disclosure and security.

To a hammer, everything looks like a nail. To a security professional, everything looks like a security vulnerability, but it is important to remember that sales is the only reason you are around. Our job as security professionals is to provide enough security to protect our customers and support our business objectives.

The dangers of using that Facebook personality game

General | Edward Kiledjian

Image by Ludovic Bertron used under Creative Commons License

Do these questions look familiar?

  • Tends to find fault with others
  • Is relaxed, handles stress well
  • Is emotionally stable, not easily upset
  • Is easily distracted
  • etc.

A large percentage of Facebook users have played with these "personality analysis" games at least once in their life (some do them regularly). Why not? It's a fun way of finding out if a "test" will evaluate you the same way you evaluate yourself... right? WRONG!

These online games and questionnaires are known as the OCEAN test and rate you against 5 psychological traits:

  1. Openness
  2. Conscientiousness
  3. Extraversion
  4. Agreeableness
  5. Neuroticism

What may seem like a fun way to spend a few minutes and then boast to your friends about the results may in fact be a firm performing deep psychometric analysis of you.

We believe companies like Cambridge Analytica have been using these Facebook games as a toolkit to build psychological profiles representing millions of users worldwide. 

The company claimed it had data on around 230 million adults in the USA and approximately 4000 “data points” on every one of them, including gym and club memberships, charity donations, and card transactions.
— First Post, https://goo.gl/SxG5dK

They collect this incredible treasure trove of data by creating enticing Facebook games and questionnaires. Usually they provide a quick peek at your OCEAN score summary, but then, using Facebook tools, they can associate that psychological snapshot with your Facebook profile and real name. This link between your online and offline selves is what makes the practice controversial; the term used to describe it is onboarding.

Cambridge Analytica has said it holds 3000-5000 data points for each of the 230 million psychological profiles it tracks. These data points may include age, income, debt, hobbies, criminality, purchase history, religious/secular beliefs, etc.

The pedigree

Cambridge Analytica is a spin-off of the British firm SCL (Strategic Communication Laboratories, https://goo.gl/iuh9gz), which is known to have performed PsyOps (Psychological Operations) counter-terrorism work in war-torn countries like Afghanistan.

The Trump effect

During the last hotly contested US election, the media repeated a fact over and over: "the Trump campaign wasn't using traditional media advertising". The media was right. Instead of traditional macro-targeting, Trump turned to Cambridge Analytica (first used by his adversary Cruz) to win voters or dissuade his opponent's voters.

When you bake a good cake it’s the sum of the ingredients ... it’s actually flour, and eggs, and ginger, and everything else. And that’s what we’re looking at,[...]
— Alexander Nix, CEO Cambridge Analytica to NBC News - https://goo.gl/uqs0GA

The real problem lies with the lax privacy laws in the US. In Europe, most countries have strict data protection and privacy laws that severely limit the second- or third-hand use of personal data about their citizens. The US has no such protection for its population, which means data brokers can access a treasure trove of (often) very private and personal data about their targets. This is how true, powerful and proven micro-targeting is implemented at its best.

Facebook is doing very well. They successfully moved to mobile and their increased profitability from advertising shows it. They are sticky now, with 1.71 billion monthly active users. But stickiness doesn't tell the true story. The question is how much each user is worth to Facebook:

  • A global user generates $3.82 a user per year (up from $2.76 a year ago)
  • A USA user generates $14.34 a user per year (up from $9.30)

The power of Facebook advertising isn't so much its reach as the micro-segmentation it makes available. This micro-segmentation is possible because Facebook knows who you are, where you live/work, who your friends are, what you like/dislike, how much you make and much more. I wrote an article entitled "Facebook knows more about you than you realize".

What are dark posts?

To continue the discussion, we need to talk about something called Dark Posts or Dark Ads. In simple terms, they are posts using the news feed style layout, visible in your feed but not actually posted to it. Confused yet? Because they aren't traditional advertising posts cluttering up your news feed, you are less likely to "hide" the advertising that would otherwise look like spam. Imagine how powerful this becomes for companies performing A/B testing. They could run multiple ads against the same person in one day without looking like spam.

Think of these as special news feed items seen only by the person being targeted, all the while looking like "normal" posts (not jumping out as advertising) and being temporary.

Let's make the cake

So take the power of Cambridge Analytica, merge it with the hidden advertising of Facebook dark posts, and this is (we believe) what allowed Trump's digital marketing team to serve the right ad to the right voter at the right time.

A good example is the divisive issue of gun ownership. A gun owner profiled as anti-establishment could be shown ads about how the opposition wants to weaken the USA by taking guns away (the national anthem playing in the background with a flag waving in the wind). A gun owner with strong religious family values could be shown a pleasant message about how father and son could bond over hunting, alone in the wilderness [but that the opposition would make guns illegal and take this beautiful bonding opportunity away].

Dark ads backed by good psychological profiles can also be used to create apathy and encourage some of the opponent's voters not to turn out, thereby reducing the opponent's power. Trump created anti-Hillary ads pushing out negative messages (Hillary claimed to carry hot sauce with her (link)).

Conclusion

What may seem like a simple and fun way to spend 5 minutes could allow a company, well-funded group or government to psychologically manipulate you without you ever becoming consciously aware of it.

I hope that by sharing this blog article, you will be a little more careful and a lot more distrustful about what you see on Facebook.

De-stressing transforming tea bags

General | Edward Kiledjian

These specially designed tea bags start off in a "stressed out" shape and then slowly transform into a more relaxed version of that shape when dunked in hot water. This creative idea was hatched by the bright minds at M&C Saatchi (link) for the BOH tea company (link).

It's a great visual reminder to just take a minute and relax.