onlineresolve.com phishing

Three times in the past I’ve come across onlineresolve.com, tech support scammers.

2015 on a Wii

2016 via DNSUnlocker

and in 2019 when they had changed names

Their database must now have been sold or leaked. I’ve woken up this morning to phishing email to unique email addresses given only to them.
Subject: “Action Required- Verify your Order”

The email claims to be an Amazon order and has a “manage your order” link.

“Order # 171-8121815-3772341”
“Order # 171-629457-4772” has also been used.

“Your order will be sent to:
Thomas Draus
5526 N Luna Ave
Chicago, IL 60630”

and invites you to click a link.

Posted in Uncategorized | Leave a comment

How to dial from the asterisk CLI

There seem to be many, many articles and forum posts on the internet about how to trigger a call directly from the Asterisk command line.

Mostly they reference the “dial” command, which on Asterisk 17.4 doesn’t seem to exist.

Then there is voip-info which references the “originate” command but doesn’t give any context or examples. If you just type in originate into the command line it doesn’t recognise it.

You need to use the “channel originate” command:

channel originate PJSIP/02082446556@voiceflex-endpoint extension 01309655655@Voiceflex-Incoming

This command dials out on the PJSIP endpoint at the VoIP provider and, once answered, connects the call to extension 01309655655 in the context Voiceflex-Incoming.

(This article is mainly for my own reference at a later date).


BP ChargeVision / Smartcharge / chargemaster speed settings.

The energy company BP has an EV charging platform for home installations. The main name is chargemaster for the home charging box.
There are then bolt on services (free for the first 3 years) called:
-Smartcharge (the app)
-ChargeVision (the website)

The bolt on services allow you to see charging status, set a charging schedule and estimate the cost of electricity you’ve dumped into your electric vehicle.
Generally these services are usable but not really well coded or enjoyable. Documentation seems to be non existent other than a few FAQ entries on the main chargemaster site.

This blog post is about the charging speed settings in the advanced schedule settings page.

On the desktop version it looks like this:

The mobile version looks like:

BP seem to have forgotten to give any guidance or information on what the three settings Slow, Medium and Fast actually mean.

I’m in the position of having an easy method to measure my power consumption, so I can reveal what they mean (and since then I’ve found the API calls give away the Amps settings).
If you have the standard installation where the maximum possible charging speed through the home charger is 7kW then the following seems to be true:

-Slow = ~1.5kW / 6 Amps
-Medium = ~3kW / 18 Amps (though in practice I’ve found this to be around 4.5kW)
-Fast = ~7kW / 30 Amps

Chargevision (the website):
-Awful user interface bugs.
Creating a schedule often duplicates the entry, and a single schedule can’t cover the whole day; you need two entries.
-Missing user interface functionality.
The Smartcharge app allows you to set the cost per kWh of your electricity. These functions don’t seem to exist on the ChargeVision web interface.
-The JavaScript file that runs the site is 2.5 MB in size! What the hell.
-Never remembers the login even if you tick the option.

Smartcharge (the app):
-Also seems to log you out regularly. Every time I’ve loaded it I’ve had to sign in.
-Doesn’t allow you to take screenshots; not sure why they would need to block that function. I had to use sneaky methods to capture the screenshots used in this post.

The website vs. the App.

Securing LibreNMS Weathermaps

If you use LibreNMS and have set up the Weathermap plugin, your weathermaps are open to the world to anyone who guesses the image or HTML file name.

(How is that even a feature?)

You can fix this mess by making the following changes (bearing in mind I’m not a LibreNMS expert or Weathermap plugin author; I make no claims about the security or viability of my modification, but it seems to do the job for my setup).

Add the following to the bottom (before the last } bracket) of /etc/nginx/conf.d/librenms.conf:

 location ~ /plugins/Weathermap {
    # Route every .png request under the Weathermap plugin through the
    # auth check script instead of letting nginx serve the file directly.
    location ~ \.png$ {
      rewrite ^(.*)\.png$ /plugins/Weathermap/accesscheck.php;
    }
 }

Then make a file /opt/librenms/html/plugins/Weathermap/accesscheck.php:

<?php

#If debugging remove the content type as image and echo out the data you need as html / text

    #Pull in the LibreNMS config and bootstrap the web and auth modules so
    #Auth::check() sees the visitor's existing LibreNMS session.
    include 'config.inc.php';
    $init_modules = ['web', 'auth'];
    require $librenms_base . '/includes/init.php';

    if (!Auth::check()) {
        #Not logged in to LibreNMS: send them to the login page.
        header('Location: /');
        exit;
    } else if (Auth::user()->username == 'externalcontractorusernamehere') {
        #Do nothing, no access. Hand back a placeholder image instead of the map.
        $im = imagecreate(200, 300);
        $bg = imagecolorallocate($im, 255, 255, 255);
        $textcolor = imagecolorallocate($im, 0, 0, 255);
        imagestring($im, 5, 0, 0, 'No Access.', $textcolor);
        header('Content-type: image/png');
        imagepng($im);
        imagedestroy($im);
    } else {
        #echo('I am authed as ');
        #echo(Auth::user()->username);
        #echo(' with email ');
        #echo(Auth::user()->email);
        #echo(' with admin status: ');
        #echo(auth()->user()->isAdmin());
        #echo(' wanting to access file ');
        #$htmlfile = str_replace('.php','.png',basename($_SERVER['PHP_SELF']));
        #REQUEST_URI still holds the original .png URL because the nginx rewrite
        #is internal. Drop any query string, then keep only the file name so
        #"../" in the URL cannot escape the Weathermap directory.
        $htmlfile = basename(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));
        #echo($htmlfile);
        header('Content-type: image/png');
        readfile('/opt/librenms/html/plugins/Weathermap/'.$htmlfile);
    }
?>

The code does the following:

1) Imports the LibreNMS configuration and initialisation scripts.
2) Checks if the user is authenticated. If they are not, it redirects them to the login page (although in practice this is a .png request, so the visitor won’t hit that unless they right click and “View image” and the browser follows the request).
3) Blocks a specific named user (if you want to), for the case where an authenticated user should have LibreNMS access but no access to Weathermap images.
4) Otherwise reads the image and spits it out to the authenticated visitor.

Obviously you can expand and customise things as you need.

In one setup the image files were in /output/, so the location path in the nginx config needed /output/ adding, accesscheck.php had to be placed in the output folder, and the final “readfile” line in accesscheck.php needed /output/ in its path.
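A tighter version of the file-serving branch, added here as an example rather than the post’s or LibreNMS’s own code: it strips any query string, allows only plain .png names, and confirms the resolved file really sits directly in the Weathermap directory (point $base at the output subfolder if, as above, your images live there). The function name and directory path are assumptions.

```php
<?php
// Added example, not from the original post or LibreNMS. Resolve the requested
// weathermap image safely before handing it to readfile().

function resolve_weathermap_image(string $requestUri, string $base): ?string
{
    // Drop the query string (REQUEST_URI keeps it), then keep only the final
    // path component so "../" sequences cannot climb out of the directory.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if ($path === false || $path === null) {
        return null;
    }
    $name = basename($path);

    // Only ever serve PNG weathermap output with a simple file name.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.png$/', $name)) {
        return null;
    }

    // Resolve symlinks and confirm the file is a regular file directly
    // under the base directory, not somewhere a link points to.
    $baseReal = realpath($base);
    $fileReal = realpath($base . '/' . $name);
    if ($baseReal === false || $fileReal === false) {
        return null;
    }
    if (dirname($fileReal) !== $baseReal || !is_file($fileReal)) {
        return null;
    }
    return $fileReal;
}

// Replacement for the final "else" branch of accesscheck.php: anything that
// does not resolve to a real map image gets a 404 rather than a readfile() error.
$file = resolve_weathermap_image(
    $_SERVER['REQUEST_URI'],
    '/opt/librenms/html/plugins/Weathermap'   // assumed location; add /output if needed
);
if ($file === null) {
    http_response_code(404);
    exit;
}
header('Content-type: image/png');
readfile($file);
```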


“020 3097 1793” tech support scam

Not much information on this one as I doubt I’m going to have much time spare to investigate it.

Contacted by someone today who had been using Microsoft Edge (hah) to browse using Bing search and one of the results had caused their computer to make loads of noise and lock out with an authentication box that had the following words on it:

“The server http://www.clothscard.online is asking for your username and password.

That server also reports: “Suspicious movement distinquished on your IP address because of a spyware introduced in your PC. Call Toll Free now @ 020 3097 1793 for any help. Your information is at a Serious risk. There is a Computer framework record missing because of some Harmful malware infection Debug Malware error (code 0x80093acf). Call Immediately to correct the issue. Please do not Open web browser or make any changes for your Security Issue to avoid data loss & Corrupt system files & drivers, Call immediately to save Hard disk Failure & Data loss. This Harmful malware is affecting your online information & can Track Financial Activity Contact Certified Technicians at 020 3097 1793 PLEASE DO NOT SHUT DOWN OR RESTART YOUR COMPUTER, DOING THAT MAY LEAD TO DATA LOSS AND FAILURE OF OPERATING SYSTEM, ONLINE INFORMATION. HENCE NON BOOTABLE SITUATION RESULTING COMPLETE DATA LOSS . CONTACT ADMINISTRATOR DEPARTMENT TO RESOLVE THE ISSUE ON 020 3097 1793 (TOLL FREE).””

The website that triggers the message for authentication seems to be down at the moment so I can’t identify much about that. I might try to troll them on the phone if I have time and a spare computer setup to trick them with.


Electronics goods scam, 2020-2021 version

I’ve a long history of tracking electronics goods scam websites (the 2015 to 2019 saga is here).


This year they are finally back again*. I was first alerted to them after a BBC news article. What is more worrying this time is that they catch their victims by advertising in the Google Shopping tab, which makes their site(s) look far more legitimate.

(*I’m pretty sure it is the same people but not 100% certain.)

The scammers go under the company names:

Related at some undetermined time in the past:
gerber-elektronik.com – seems to have targeted German speaking victims.

“Owl Geek” (OWL-GEEK.COM – registered 28th March 2020).

“Perlmann-Store” (perlmann-store.com – registered 11th April 2020).

“Pearce-Store” (pearce-store.com – registered 17th April 2020).

“Tech Ziox” (techziox.com – registered 18th April 2020).

“Cynax Tech” (cynaxtech.com – registered 18th April 2020).

“My Tech Domestic” (mytechdomestic.com – registered 20th April 2020).

“Cynax” (cynax.co.uk – registered 26th April 2020).

“Tech Fave” (techfave.co.uk – registered 2nd May 2020).

“shopavo” (shopavo.co.uk – registered 3rd May 2020).

“Shop Zeal” (shopzeal.co.uk – registered 7th May 2020).

“Boboxo” (boboxo.co.uk – registered 8th May 2020).

“Storaxy” (storaxy.co.uk – registered 14th May 2020).

“Wiovo” (wiovo.co.uk – registered 15th May 2020).

“Zeppler” (zeppler.co.uk – registered 15th May 2020).

“Tofevo” (tofevo.com – Registered 20th May 2020).

“Riellazi Electronics” (riellazielectronics.co.uk – Registered 30th June 2020).

“TV & Electronics” (tvandelectronics.com – Registered 4th July 2020).

“Sure Market” (suremarket.co.uk – Registered 3rd August 2020).

“Store Excellence” (storeexcellence.co.uk – Registered 3rd August 2020).

“Salesrific” (salesrific.co.uk – Registered 3rd August 2020).

“Ever Market” (evermarket.co.uk – Registered 3rd August 2020).

“Exclusive Market” (exclusivemarket.co.uk – Registered 3rd August 2020).

“Grand Gadgets” (grandgadgetz.co.uk – Registered 7th September 2020).

“tiersales” (tiersales.co.uk – Registered 9th December 2020). (alexjohnson9812)

“dealsdiscount” (dealsdiscount.co.uk – Registered 8th December 2020). (alexjohnson9812)

“Commerce Perfect Electronics” (commerceperfect.co.uk – Registered 3rd August 2020).

“Saleave Electronics Store” (saleave.co.uk – Registered 15th December 2020).

“Market Bump Electronics” (marketbump.co.uk – Registered 15th December 2020).

“ingadgets” (ingadgetsltd.co.uk – Registered 21st December 2020).

“salepush” (salepush.co.uk – Registered 15th December 2020).

“Mart Find” (martfind.co.uk – Registered 15th December 2020).

“Sale Phase” (salephase.co.uk – Registered 15th December 2020). Not yet in use.

“Sale Park” (salepark.co.uk – Registered 15th December 2020). Not yet in use.

“Sale Logic” (salelogic.co.uk – Registered 15th December 2020). Not yet in use.

“Market Banter” (marketbanter.co.uk – Registered 15th December 2020).

“Apex Electronics Limited” (apexelectronicslimited.co.uk – Registered 15th January 2021).

“buyerpro” (buyerpro.co.uk – Registered 9th February 2021).

“Gadget Space” (gadgetspace.co.uk – Registered 4th February 2021).

“Cartlo Store” (cartlo.co.uk – Registered 9th February 2021).

“salesrepublic” (salesrepublic.co.uk – Registered 13th February 2021).

“Cheapsey Store” (cheapsey.com – Registered 22nd February 2021).

“Best Store” (beststoresday.com – Registered 4th March 2021).

“Olstuff” (olstuff.com – Registered 4th March 2021).

“AIteck Store UK” (aiteck.co.uk – Registered 8th March 2021).

“FM Gadgets” (fmgadgets.com – Registered 22nd March 2021).

“Fit Lab” / “The Fit Lab” (thefitlab.co.uk – Registered 31st March 2021).

“Storm Gadget” (stormgadget.co.uk – Registered 9th April 2021).

“Top Retail” / “Top Retails” (topretails.co.uk – Registered 10th April 2021).

“Cheapsy Store” (cheapsy.co.uk – Registered 9th February 2021).

“HiFi Mania” (hifimania.co.uk – Registered 20th November 2020).

“Techea” (techea.co.uk – Registered 18th May 2021).

“Venture Electronics” (venturelectronics.co.uk – Registered 19th April 2021).

“Mart Hub” (marthub.co.uk – Registered 16th June 2021).

“Appliance Store” (appliancesstore.co.uk – Registered 25th May 2021).

“Sneakers Republic” (sneakersrepublic.co.uk – Registered 32rd June 2021).

“AM Home Appliances” (amhomeappliances.co.uk – Registered 24th May 2021).

“Crypto Gadgets” (cryptogadget.co.uk – Registered 4th June 2021).

“Right Gadget” (rightgadget.co.uk – Registered 29th May 2021).

“Electronic Marts” (electronicmarts.com – Registered 8th June 2021).

“Gadget Mart” (gadgetmart.co.uk – Registered 23rd June 2021).

“Electronics Online Limited” (electronicsonlineltd.com – Registered 28th June 2021).

“Sneakers Hub” (sneakershubs.com – Registered 7th July 2021).
Likely unrelated to all the electronics themed sites. This one appears to be run by “ofdads@gmail.com” (Skype: md.omar.faruk.123 and Telegram: @omar.faruk1999 and @omarfaruqe) who is in the business of arranging verified Stripe accounts (a credit card processor).

“Electronic Bargain” (electronicsbargain.co.uk – Registered 9th July 2021).

“APRO Electronics” (aproelectronics.co.uk – Registered 12th July 2021).

“AG Electronics” (agelectronics.co.uk – Registered 12th July 2021).

“Instant Electronics” (instantelectronics.co.uk – Registered 23rd July 2021).

“Retail Gold” (retailgold.co.uk – Registered 23rd July 2021).

“AdvanceDive Electronics Limited” (advancedive.co.uk – Registered 10th August 2021).

“Silicon Gadgets” (silicongadgets.co.uk – Registered 10th August 2021).

“e-tronics gadgets” (e-tronicsgadgets.co.uk – Registered 24th August 2021).

“Home Appliances Trade” (homeappliancestrade.co.uk – Registered 15th September 2021).

“Cappy Gadgets Limited” (cappygadgetsltd.co.uk – Registered 28th September 2021).

“Gadgetsbag” (gadgetsbag.co.uk – Registered 14th October 2021).

“AB Appliances, Shop on the go” (ab-appliances.co.uk – Registered 17th October 2021). Live chat operator is in Nigeria. Has a fake credit card payment screen, then claims that failed and asks for BACS to Sort Code: 04-00-75 Account Number: 63183013. Then moved to 04-00-04, 96801455. Then moved to 04-00-75, 55408974. Then moved to 04-00-75, 66899257. If you lost money to any of these accounts please comment below, as depending on timing (and when the bank was made aware of the accounts) you may be due an immediate refund under the destination bank’s failure of duty of care.

“Electronics Locker TM” (electronicslocker.co.uk – Registered 18th October 2021).

“Connection Appliances Limited” (connectionapplianceslimited.co.uk – Registered 20th January 2021). Requests bank transfer to Sort Code: 04-00-75 Account Number: 57023956. If you lost money to this account please comment below, as depending on timing (and when the bank was made aware of the account) you may be due an immediate refund under the destination bank’s failure of duty of care.

“HOMEPROF” (homeprof.co.uk – Registered 7th November 2021). Uses a Russian language version of WordPress in the back end.

Some of the newer sites have “astroturfed” fake positive reviews on trustpilot and other sites. These quickly get swamped by victim complaints after a week or two.

VICTIMS: Please see the previous article for advice on how to recover any lost funds. It is also very important that you report the fraud to ActionFraud to help collate data and also allocate crime fighting resources to the crime.


Host-to-LAN (OpenVPN) drop in replacement from ZeroShell to OPNsense

Due to the lack of IPv6 support in ZeroShell I’ve recently had to move over to a different routing operating system.

My setup is fairly complex with lots of needs:

-The ability to tcpdump
-Failover and routing rules for multiple internet connections
-VPN hosting for me to get into my network remotely and site-to-site to access remote LANs.
-Multiple IPs per LAN interface
-A mix of NAT and PPPoE routed subnets.
-Requirement to be able to “intercept” and give my own responses to DNS zones and hosts.
-QoS to prevent a single device on the network causing my internet to perform badly.
-NTP Server
-Bandwidth reporting globally and per device.

Lots of you may be saying “just do NTP on a Linux machine” or similar, which I could do. But it is nice to have all of the above in a single system, and my previous ZeroShell setup did that.

After a bit of hunting around it looked like OPNsense is a suitable replacement.

This specific article is about what you need to set on OPNsense to allow Windows based OpenVPN TAP clients to connect to your new OPNsense without needing to change their configuration.
I use only user and password authentication, so things may be different if you use certificate authentication for users.

To start, on your ZeroShell machine take a copy of the certificate and private key for the certificate authority:

root@zeroshell ssl> cat /Database/etc/ssl/certs/cacert.pem

and

root@zeroshell ssl> cat /Database/etc/ssl/private/cakey.pem

On OPNsense go to System, Trust, Authorities. Click on Add.
Give the Trust Authority a name and paste the certificate data (the “cacert.pem” content) into the certificate box and the “cakey.pem” content into the private key box.

To find the serial number for the next certificate, go to your ZeroShell web interface and then “X.509 CA”. Look at the Serial column, find the highest used number and add one. On my system it was 8, so on OPNsense I put in 9.

Click Save on OPNsense.
In the Trust menu on OPNsense. Click on Certificates. Click on Add.
Change the Method to “Create an internal Certificate”.
In the Name type in whatever you want. Make sure you select “Type” to be “Combined client/server certificate”.
Fill in the State, City, Organisation etc. and click Save.

Now go to VPN on the left menu of OPNsense then to OpenVPN.
Click Servers. Click Add. Type in any description you like.
In Server Mode select “Remote Access ( User Auth )”
Backend for authentication needs to be “Local Database”.
On Protocol I had to select UDP4 as otherwise it seemed to automatically only listen on IPv6.
Make sure Device Mode is “TAP” as this is the old style connection that ZeroShell used. Make sure your Interface to listen for connections on is selected correctly and the Local port is the same as you used on ZeroShell.

Un-tick “TLS Authentication // Enable authentication of TLS packets.”

In the Peer Certificate Authority select the one you imported from your ZeroShell in the first step where you copy and pasted the pem files.

In Server Certificate click and select the certificate you created rather than “Web GUI SSL”.

In the “IPv4 Tunnel Network” box type in “192.168.250.0/24” if you use the default ZeroShell setup.. otherwise just copy the IP range you use in the ZeroShell “Client IP Address Assignment” box on the “Host-to-LAN” Screen. You may need to ask someone for help converting it from a “from IP to IP” range to CIDR notation.

In the “IPv4 Remote Network” box type in: “0.0.0.0/0”

In the “Compression” drop down make sure it is selected on “Enabled without Adaptive Compression”.

On my setup I made sure “Dynamic IP” and “Address Pool” were ticked. I’m not sure if either helps, so if you know better than I do, select what you think is best and also leave me a comment.

I ticked “DNS Servers” and typed in the first IP within the “IPv4 Tunnel Network” range; in the default setup this would be “192.168.250.1” for “Server #1”.

The screenshot below shows my setup – note that I use an unusual UDP port and most default setups will be on a port like 1194.

Once done you also need to make sure that your users exist in OPNsense under System, Access, Users. The root / administration user should also be able to connect anyway without adding any other users.

I expect your firewall will also need the inbound port adding for the OpenVPN server.
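The “from IP to IP” to CIDR conversion mentioned in the Tunnel Network step, as an added example (not ZeroShell or OPNsense code): the smallest single network covering a ZeroShell client pool, the exact list of blocks it spans, and the first address used under DNS Servers. It assumes 64-bit PHP, where ip2long() returns non-negative integers.

```php
<?php
// Added helper, not part of ZeroShell or OPNsense: turn a ZeroShell
// "from IP to IP" client pool into the CIDR form OPNsense asks for.
// Assumes 64-bit PHP so ip2long() never returns negative values.

function parseRange(string $first, string $last): array
{
    $a = ip2long($first);
    $b = ip2long($last);
    if ($a === false || $b === false || $b < $a) {
        throw new InvalidArgumentException("bad range $first-$last");
    }
    return [$a, $b];
}

function coveringCidr(string $first, string $last): string
{
    // Smallest single network containing the whole range. The OPNsense
    // "IPv4 Tunnel Network" box takes one network, so this may be wider
    // than the pool ZeroShell handed out.
    [$a, $b] = parseRange($first, $last);
    for ($prefix = 32; $prefix >= 0; $prefix--) {
        $mask = $prefix === 0 ? 0 : (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF;
        if (($a & $mask) === ($b & $mask)) {
            return long2ip($a & $mask) . '/' . $prefix;
        }
    }
    throw new LogicException('unreachable: /0 covers everything');
}

function exactCidrs(string $first, string $last): array
{
    // Exact cover: the minimal list of CIDR blocks spanning the range,
    // which shows how ragged a pool that starts mid-subnet really is.
    [$a, $b] = parseRange($first, $last);
    $blocks = [];
    while ($a <= $b) {
        // Grow the block while it still starts at $a and ends at or before $b.
        $prefix = 32;
        while ($prefix > 0) {
            $size = 1 << (32 - ($prefix - 1));
            if ($a % $size !== 0 || $a + $size - 1 > $b) {
                break;
            }
            $prefix--;
        }
        $blocks[] = long2ip($a) . '/' . $prefix;
        $a += 1 << (32 - $prefix);
    }
    return $blocks;
}

function serverDnsAddress(string $cidr): string
{
    // First usable address of the tunnel network, which the post enters as
    // "Server #1" under DNS Servers (192.168.250.1 for the default pool).
    $net = explode('/', $cidr, 2)[0];
    return long2ip(ip2long($net) + 1);
}

// Default ZeroShell pool as a constructed example of a "from IP to IP" range.
$tunnel = coveringCidr('192.168.250.2', '192.168.250.254');
echo "IPv4 Tunnel Network: $tunnel\n";                            // 192.168.250.0/24
echo "DNS Server #1:       " . serverDnsAddress($tunnel) . "\n";  // 192.168.250.1
echo "Exact blocks:        " . implode(' ', exactCidrs('192.168.250.2', '192.168.250.254')) . "\n";
```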


Hope this helps. It was a lot of trial and error to get to this stage for me, so documenting it will also help me in the future.

“imgs.love” and YouTube comment spam.

Appearing in the last 5 days is a domain “imgs.love” that seems to be used in an affiliate / spam marketing comment scheme on YouTube.

The comments all have a link in and sing about how amazing whatever product it is, is.

Every spammer user on YouTube has about two or three videos and a premiere or two set to go, plus a playlist of some videos.

The links to imgs.love contain a unique affiliate number so that clickthrough can be tracked.

At the time of writing most of the links just go to images of the product but I assume that once the spam has gone undetected the links will change to places to buy the product.

Most people will think the comments are just helpful, showing a photo of the product, and so leave the comment alone. The spammer then profits at a later date by changing where the link forwards to.

Beware. Spam. Don’t click the link and certainly don’t buy from anything you find if you do click the link.

A username of “mupking” is another artefact related to the domain


Ransomware by runlocker / ranlock

Pandemics do not stop malware script kiddies.

Today a (pretty much honeypot) computer with VNC enabled on the default port and a simple password set (a single lower case dictionary word) got brute forced by someone.

The hacker then checked if the machine was on the network and what other users were on the computer.

All files across the drive on the machine were encrypted with a file extension specific to the infection instance.

And the ransomware note “!!! ALL YOUR FILES ARE ENCRYPTED !!!.txt” contained..

!!! ALL YOUR FILES ARE ENCRYPTED !!!

All your files, documents, photos, databases and other important files are encrypted.

You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send an email: runlocker@protonmail.com and decrypt one file for free.
But this file should be of not valuable!

Do you really want to restore your files?
Write to email: runlocker@protonmail.com
Reserved email: ranlock@keemail.me

Your personal ID: A50-90E-EC9

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The timeline looks like they hacked the computer the March around 42 minutes past midnight.
Then at 01:12am they snooped through the files (not much on the honeypot system, but they did open a file called “password.txt”).

At 01:14 they downloaded a file using Chrome:
hxxps://aes.one/files/d/a5e/17e641m6n07en291al7w21gn7t/c8ecdba9ef806c83/

Which in turn provides a .exe file called “zeppelin.exe”.

MD5	7e867d82199a59d28ce35d31ea688dee
SHA-1	52adcf0361aa8fb3a34daa1bb67a620d58b2b8a7
SHA-256	b3a71d2611660242a98236e332e964bf9c1e6d647b570cc650e2815d8054afc5

The initial attempt to download this file was thwarted by Microsoft’s Windows Defender; the hacker then manually snoozed / turned off Defender to complete their attack.
It is likely that the file gets copied into c:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\spoolsv.exe and is detected as “Ransom:W32/ZZeppelin.A!MSR”.

At 01:16am they fired off the encryption of all the files.

Potentially linked, or maybe another hacker, a PowerShell script had also been run at 10:11:48 03/04/2020 which did something with hxxp://31.44.184.47:80/aa. That appears to be a base64 encoded file containing a further PowerShell script, which itself contains another base64 encoded file that then needs a binary XOR to produce a valid file.

Windows Defender also identifies this file.

MD5	4a79e1626ce14d7ae5f5b7965c872103
SHA-1	350cfa0b6f502672cb5e15ce10e17bc17632e749
SHA-256	35cd8737cebb9f72db999a49b260c5d9188615b31302d8e7d01b4f37ba4609db

I must say a massive thank you to GCHQ for their amazing tool CyberChef, which made analysing this so much easier.

Capita SIMS FMS and “Unable to write to SIMS.INI” error.

I’ve spent a bit of time trying to work out why FMS from Capita would produce the following error when trying to add a journal in the “Add Journal Wizard”:

“SIMS FMS Module”
“Unable to write to SIMS.INI.”

Process Monitor shows FMS accessing c:\windows\sims.ini before erroring. Setting this file to be writable by everyone does not solve the issue. Process Monitor shows no errors, yet FMS still claims it is unable to write to SIMS.INI.

In my instance I couldn’t see any other attempts to access or write anywhere.

The solution turned out to be the user having an invalid “Home folder” path set in their domain user properties! I probably couldn’t see the failed file access because it pointed at a server that no longer existed (the OS couldn’t do a DNS lookup, so it never attempted to write to that file share).

So if you find you have similar errors, check that the paths in the user’s domain account are all still valid and working!