Hackers trying to hack Largnet

Those following our blogs will know we open sourced an SMTP honeypot. It has been publicly reachable on the internet for some time now. Here are some spam bot results (source IP, MAIL FROM, RCPT TO, timestamp):

41.217.106.30,captpatricwilliams00@gmail.com,captpatrickwilliams00@gmail.com,2019-02-16 06:38:31

41.217.106.30,captpatricwilliams00@gmail.com,redacted@hotmail.com,2019-02-16 06:38:32

41.217.106.30,captpatricwilliams00@gmail.com,redacted@gmail.com,2019-02-16 06:38:32

[Screenshot: ScamWarners.com topic "Capt. Patrick Williams captpatrickwilliams00@gmail.com"]

Clearly spam, and what’s interesting is that there seems to be a common pattern: the spammers attempt to send to 3 addresses and then stop. Let’s look at the whois record for the source IP address.

inetnum: 41.217.96.0 - 41.217.127.255

netname: Spectranet-LTE-5

descr: Used for Spectranet LTE Customers

country: NG

admin-c: ACS1-AFRINIC

This spam source is in Nigeria. Nothing surprising here. Did you know Nigeria only has ~15,000 wired internet connections, and that the introduction of LTE technologies has enabled millions of Nigerians to join the internet?

There’s no easy way to link @largnet.ca and our honeypot. If you check the MX records for largnet.ca, it’s clearly hosted in Office 365, so a spam bot would be unable to make this connection. Yet we see attempts like these:

66.228.212.116,test@largnet.ca,redacted@yahoo.com,2019-02-18 08:21:09

66.228.212.116,test@largnet.ca,redacted@gmail.com,2019-02-18 08:21:09

66.228.212.116,test@largnet.ca,redacted@aol.com,2019-02-18 08:21:09

or

88.99.174.28,info@largnet.ca,criptowu@gmail.com,2019-02-08 15:22:42

88.99.174.28,test@largnet.ca,criptowu@gmail.com,2019-02-08 23:47:12

88.99.174.28,admin@largnet.ca,criptowu@gmail.com,2019-02-09 15:44:38

These attempts, which use @largnet.ca sender addresses, would almost certainly come from a human. Every organization has plenty of bots attacking it, like the first example, but there will also be some more advanced human threats trying to break in. These human attackers are far rarer than bots, but the threat they pose is significantly higher. Are you secure enough to prevent them?
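Added here as an illustration, not code from the original post or from the honeypot project: a short Python triage over the log lines quoted above that applies the post’s own heuristic. An attempt whose sender forges our own domain at a host that is not our real MX gets flagged for human review; everything else is treated as commodity bot spam. OWN_DOMAIN and the verdict labels are my assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# The honeypot lines quoted in the post, in its CSV layout:
# source_ip,mail_from,rcpt_to,timestamp
SAMPLE_LOG = """\
41.217.106.30,captpatricwilliams00@gmail.com,captpatrickwilliams00@gmail.com,2019-02-16 06:38:31
41.217.106.30,captpatricwilliams00@gmail.com,redacted@hotmail.com,2019-02-16 06:38:32
41.217.106.30,captpatricwilliams00@gmail.com,redacted@gmail.com,2019-02-16 06:38:32
66.228.212.116,test@largnet.ca,redacted@yahoo.com,2019-02-18 08:21:09
66.228.212.116,test@largnet.ca,redacted@gmail.com,2019-02-18 08:21:09
66.228.212.116,test@largnet.ca,redacted@aol.com,2019-02-18 08:21:09
88.99.174.28,info@largnet.ca,criptowu@gmail.com,2019-02-08 15:22:42
88.99.174.28,test@largnet.ca,criptowu@gmail.com,2019-02-08 23:47:12
88.99.174.28,admin@largnet.ca,criptowu@gmail.com,2019-02-09 15:44:38
"""

OWN_DOMAIN = "largnet.ca"  # assumption: our domain, whose real MX is Office 365, not this host

def parse_log(text):
    """Parse the honeypot CSV into dicts; one dict per delivery attempt."""
    rows = []
    for ip, mail_from, rcpt_to, ts in csv.reader(StringIO(text)):
        rows.append({"ip": ip, "from": mail_from, "to": rcpt_to, "ts": ts})
    return rows

def sender_domain(addr):
    """Domain part of an address, lower-cased for comparison."""
    return addr.rpartition("@")[2].lower()

def triage(rows, own_domain=OWN_DOMAIN):
    """Group attempts by source IP and label each source.

    'targeted': the sender forged an address in our own domain. Legitimate
    mail for that domain never touches the honeypot, so this points at
    someone who looked us up rather than a harvested-list bot.
    'bot': anything else, e.g. the three-recipients-then-stop pattern.
    """
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    report = {}
    for ip, attempts in by_ip.items():
        forged = sorted({r["from"] for r in attempts if sender_domain(r["from"]) == own_domain})
        report[ip] = {"attempts": len(attempts),
                      "forged_own_domain_senders": forged,
                      "verdict": "targeted" if forged else "bot"}
    return report
```

Calling triage(parse_log(SAMPLE_LOG)) labels 41.217.106.30 as bot and the two sources that forged @largnet.ca senders as targeted.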

Antivirus update February 2019

Just a quick update on our antivirus and honeypot adventures. Our last update was post-holidays.

Antivirus

The top 4 antivirus products from our previous update are still the same. What’s interesting is that Kaspersky, Zone Alarm, and Dr Web are all within 1 virus detection of each other.