Preying on the job seekers

I’m now heading towards the end of an “era” as my time as a student is almost finished. That means, I can no longer delay getting a real “job” (not saying the one I currently have is not real), and that means having to deal with applying for jobs and getting spam sent to me by recruiters, or possibly malicious parties.

This time, I happened to receive a phishing e-mail. It looked very odd, and made me feel suspicious and reassured at the same time. Someone was claiming there are job opportunities in my area with a company called “GJC Logistics Ltd”. Looking up company details definitely increased my suspicions, as the company appeared to be registered for barely 2 years, yet the money declared was less than £5k (so how would they afford to pay new staff?). They did seem to have a website, although, looking back at it, a lot of the features are not actually working.

I suppose I should’ve got suspicious from just the fact someone tried to contact me for a job, not the other way around, not to mention the offer sounds too good to be true. I mean, c’mon 13.50 for a job where no experience is required?

I am a bit gullible by nature, and I really wanted to believe someone is actually interested to hire me and offer me decent pay! Sadly, that was not the case.

So yes, I tried to schedule an interview. In hindsight – bad move, what if I had downloaded something malicious? The interview was cancelled on the grounds that something else had happened and that I would receive an e-mail with more information shortly. It was also rather odd that “Tim Marshall”, who is a Recruitment Manager, does not have a LinkedIn profile.

The day after the interview was supposed to take place I received an e-mail telling me that they would like to make me an offer, although no formal interview had been conducted, and they sent me a copy of a contract with my name on it, which looked convincing enough. Close to my flat, 13.50 an hour; the only aspect I didn’t like was that the job was too easy, and not very fulfilling (also, why would they pay 13.50 for a receptionist job, with no formal interview?).

There was a trick though:

In order to complete the contract you needed to provide them with your NI# and a SC1 Basic, criminal background check, also including the name of a website that would be able to complete it. Thus, it became even clearer that something is definitely off about it, so I chose to investigate further.

Firstly, a criminal background check is called a DBS check (so why would you call it SC1 Basic?), and is normally conducted by the employer, not the employee. They try to convince you to pay for it by reassuring you they would pay you back for it during your first week. If they would pay you back for it, why not conduct it themselves?

Going to www.smart-checks.com you get a list of features you can order, however you’d have to e-mail them to get a quote. So, since I didn’t have to pay anything for a quote, I wanted to get more information. I received a reply within an hour with my quote – totalling it at £100 (typically £54), just for a criminal background check on fraud history (ironic, isn’t it?).

So, they are trying to avoid “Merchant accounts” under the excuse the order would not be completed in time (in the e-mail “Tim Marshall” asks you to provide this in less than 10 days).

Quite an elaborate phishing scheme, aiming at a large target pool (receptionist job, no experience required). They have attempted this scheme under several company names (e.g. Orange Duck Marketing), and websites for background checks (e.g. http://elitebackgroundchecks.com); however, Tim Marshall appears to be a common factor in most of them.

This is definitely not new, as it appears to be going on for over 2 years. The only possible explanation for it lasting so long is that the internet is still full of possible (uninformed) targets (and desperate job seekers).

Thoughts on Twitter

I’ve known of Twitter ever since its popularity started rising, however I’ve always felt reluctant using it. I didn’t see any point in posting short updates about everything I do, I didn’t feel the need for it. As such, I only got an account on Twitter about 2 years ago, and I’ve barely used it ever since.

Sure, it’s a great place to get updates on other topics, but I prefer feeds. Feedly.com is a great website to follow feeds, especially since RSS is no longer supported on Chrome.

However, I’ve found it to be especially great when you need to ask for short, quick advice, or to obtain specific updates, as you typically receive a reply in a very short time (much faster than e-mail!). From that point of view, it’s great!

Look down

You said “Look up”, but I chose to look down, for what’s above is just as cloudy as ever.

It hardly feels like summer anymore, only the flowers around the town seem to think otherwise. I’m still wearing my winter jacket, and it’s almost mid-July. Having come back from my home country, where temperature was over 20° Celsius (up to over 30°) every day, I feel sad I can no longer wear my summer dresses.

Cowardice

If you look up the word cowardice, it’s described as the lack of bravery. Cowardice could therefore be interpreted as a choice, the choice of not being brave. The choice of rather hiding than facing your problems and fears.

I am a coward from many points of view. I’m afraid of heights, I’m afraid of doing anything too “crazy”, I’m afraid of being hurt, I’m even afraid of the dark (or rather the absence of light). But, that doesn’t mean I’m not also brave, I couldn’t have made it this far without facing at least one of the things that frighten me! I didn’t choose to embrace my cowardice, I only accepted it as a part of me.

So far, I’ve tried to face as many of my fears as I could! And they slowly become less scary every single time! 🙂

In response to “Daily Prompt”

Dionaea on Ubuntu 14.04

Installing, configuring and hiding Dionaea from nmap scans.

Dionaea is a malware capturing honeypot, which also features a VoIP module (of interest to me). It was originally developed under The Honeynet Project’s 2009 Google Summer of Code (GSoC).

My servers were running on Ubuntu 14.04, and it appeared most guides haven’t been updated since 12.04 came out. With thorough research, I found out that setting it up has become a lot easier, so much easier that I first doubted it was actually working, and tried to adapt the 12.04 guides. I believe there’s a lot of ambiguity surrounding it, as I can only access the original site (as I understand it) through the Wayback Machine.

So this is how I set it up:

Brian has been a life saver with his guide, which simply tells you how to get it up and running:

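# Refresh the package lists and install the tooling that provides add-apt-repository
sudo apt-get update
sudo apt-get install software-properties-common python-software-properties -y
# Add the honeynet/nightly PPA and install the packaged Dionaea build
sudo add-apt-repository ppa:honeynet/nightly -y
sudo apt-get update -y
sudo apt-get install dionaea-phibo -y
# Start the honeypot service
sudo service dionaea-phibo start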

So yes, that’s really how easy it is now to get it started. However, that’s only the default configuration. He does tell you that you need to have a look at /etc/dionaea/dionaea.conf which is the configuration file for dionaea.

At this point I obviously had no idea how to configure it, so I kept searching for something that might explain it, and I found this. It’s quite a good basic configuration to make it into a VoIP honeypot (you definitely don’t want the HTTP service running when dionaea is live). My only change is that I commented out the default submit section (sorry!). I didn’t find the first part useful as the script also installs kippo, and I found myself locked out from my SSH connection, sometimes even before the script finished installing (not to mention I didn’t want kippo).

Once I tried to scan it with nmap I realised it could easily tell it’s a honeypot, so I looked for a way to hide it. I found this other useful guide, which straightforwardly tells you, and nicely explains, what values should be modified to avoid identification.

The only problem left then was the SSH service; it would easily identify it as an Ubuntu machine. Therefore, I made the service listen on 127.0.0.1 in its config file /etc/ssh/sshd_config (ListenAddress, uncommented). As far as I can understand, you cannot change the way it recognises your machine as it’s hard coded, and is required in order to properly interact with other machines. Thus, the only option then was to get rid of it entirely. Don’t forget to restart the service!

service ssh restart
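
A way to confirm the ListenAddress change above took effect, as an added example that is not part of the original guides: the hypothetical helper sshd_exposed_addrs reads an sshd_config and lists every non-loopback address sshd would bind to. It assumes a single config file with no Include directives, and the sample file it builds is constructed for illustration.

```shell
#!/bin/sh
# Print one line per non-loopback ListenAddress in the given sshd_config.
# Prints "ALL" when no ListenAddress is active (sshd then binds every local
# address), and prints nothing when sshd is limited to loopback.
sshd_exposed_addrs() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                 # a commented-out directive has no effect
        sub(/^[ \t]+/, "", line)
        if (line == "") next
        sub(/[ \t]*=[ \t]*/, " ", line)      # "Keyword=value" is also accepted by sshd
        n = split(line, f, /[ \t]+/)
        if (tolower(f[1]) != "listenaddress" || n < 2) next   # keywords ignore case
        seen = 1
        addr = f[2]
        gsub(/"/, "", addr)
        if (addr ~ /^\[/) {                  # [address]:port form
            sub(/^\[/, "", addr)
            sub(/\].*$/, "", addr)
        } else if (addr ~ /^[^:]*:[0-9]+$/) {    # host:port or IPv4:port form
            sub(/:[0-9]+$/, "", addr)
        }
        if (addr ~ /^127\./ || addr == "::1" || tolower(addr) == "localhost") next
        print addr
    }
    END { if (!seen) print "ALL" }
    ' "$1"
}

# Constructed sample: the stock commented-out line plus the uncommented
# loopback binding described above.
sample=$(mktemp)
printf '%s\n' '#ListenAddress 0.0.0.0' 'Port 22' 'ListenAddress 127.0.0.1' > "$sample"
if [ -z "$(sshd_exposed_addrs "$sample")" ]; then
    echo "sshd is bound to loopback only"
else
    echo "sshd is still reachable on: $(sshd_exposed_addrs "$sample")"
fi
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config after restarting the service; a result of ALL means the ListenAddress line is still commented out.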

I got p0f to work by using this other guide, if you’re interested in it working for you.

At this point I realise there’s an awful lot of guides I used to get it up and running, none my original work, but since they were all so spread out, I thought it could be useful to have them all in one place!

It took me days to find the “right combo” but now it’s really easy to set up a Dionaea honeypot – average 30 minutes set-up time. I’ve tried to extend it as well, but I couldn’t make any sense of the MySQL configuration (got everything else running), so if anyone could help me with that, I would highly appreciate it!
Bonus: You can get $50 credit for DigitalOcean using the GitHub Student Developer Pack to set up your own servers! And another $10 if you use my referral link! 🙂