Nextdoor and Conversation around Business Card QR Codes

Conversations around QR codes on business cards (not QR codes in delivered packages) and whether the QR code on that business card is safe (spoiler alert: yes, it is safe).

Narrative:

There is currently conversation on Nextdoor around scams utilizing QR codes, as well as a company placing business cards with a QR code under windshield wipers. At least one Nextdoor user accused the business placing cards on cars of being one of the scammers/hackers. A Nextdoor user posted a photo of the QR code. I decided to use that QR code to run tests to see if the business cards with the QR codes are malicious or not.

Procedure:

I fired up an Android test device that’s isolated from the rest of my network. I used a program called tcpdump on my firewall to monitor and record traffic coming to and from that test device. I piped the output from that into a utility called tee so that I could save it and monitor it in real time at the same time. Then I fed that capture back into tcpdump and piped that output into tee again as plain text, and monitored and saved that. I was left with two files: a dump file that could be opened in Wireshark, and a txt file that listed all of the output as regular plain text.

This gave me a baseline of the activity my Android device was doing before scanning any QR codes. I then repeated the steps above while scanning the QR code.

My next step was to take the plain-text output of both captures and pipe it through filtering utilities like grep and sed to keep only the IP addresses and drop everything else. I piped those through sort and uniq, so all that was left was a list of IP addresses BEFORE scanning the QR code and a list of IP addresses AFTER scanning the QR code. Then I ran both lists through diff and was left with ONLY the IP addresses that were not part of the baseline (i.e. the IP addresses of servers visited by scanning the QR code).

Those IP addresses were run through ip2location.io and infobyip.com for basic information such as location, hosting provider, and domain names.

Next, I ran the domain in the QR code, as well as the domain the first one redirects to, through dnslytics.com for more domain information.

Then I ran the QR code link and the destination link through virustotal.com.

Finally, I examined the dumps in Wireshark after filtering out the IP addresses from the baseline capture.
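The capture-and-compare steps above, as an added example (not the commands from the original post). It assumes tcpdump was run with -n, so addresses are printed numerically, and that its text output was saved to two files. The sample captures inside the script are constructed in tcpdump’s line format using documentation-range addresses, with 10.0.0.23 standing in for the isolated test phone; they are not the post’s data.

```shell
#!/bin/sh
# Added example, not the post's own commands: the baseline-vs-scan comparison
# done with grep/sort/comm over tcpdump's text output. Assumes tcpdump was run
# with -n so addresses are numeric (otherwise hostnames replace the IPs and
# nothing matches the pattern below).
export LC_ALL=C   # byte-order sorting so sort and comm agree on the order

extract_ips() {
  # One dotted-quad per line, deduplicated. tcpdump writes host.port as
  # 10.0.0.23.44312; the pattern stops after four octets, so the port is dropped.
  grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sort -u
}

new_ips() {
  # new_ips baseline.txt scan.txt -> addresses that appear only in the scan capture
  work=$(mktemp -d) || return 1
  extract_ips < "$1" > "$work/base"
  extract_ips < "$2" > "$work/scan"
  comm -13 "$work/base" "$work/scan"   # same set as: diff base scan | grep '^>'
  rm -rf "$work"
}

# Constructed sample captures in tcpdump -n format (documentation-range
# addresses; 10.0.0.23 stands in for the isolated test phone). Not the post's data.
BASELINE='12:00:01.000001 IP 10.0.0.23.44312 > 192.0.2.53.53: 1234+ A? example.com. (29)
12:00:01.010000 IP 192.0.2.53.53 > 10.0.0.23.44312: 1234 1/0/0 A 192.0.2.80 (45)
12:00:02.000000 IP 10.0.0.23.50011 > 192.0.2.80.443: Flags [S], seq 1, win 64240, length 0
12:00:02.020000 IP 192.0.2.80.443 > 10.0.0.23.50011: Flags [S.], seq 2, ack 2, win 65535, length 0'

SCAN='12:05:01.000000 IP 10.0.0.23.44400 > 192.0.2.53.53: 4321+ A? vqr.vc. (24)
12:05:01.010000 IP 192.0.2.53.53 > 10.0.0.23.44400: 4321 1/0/0 A 203.0.113.10 (40)
12:05:02.000000 IP 10.0.0.23.50020 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:05:03.000000 IP 10.0.0.23.50021 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:05:04.000000 IP 10.0.0.23.50022 > 192.0.2.80.443: Flags [S], seq 1, win 64240, length 0'

demo_new_ips() {
  # Writes the constructed captures to files and prints what the scan added.
  demo_dir=$(mktemp -d) || return 1
  printf '%s\n' "$BASELINE" > "$demo_dir/baseline.txt"
  printf '%s\n' "$SCAN" > "$demo_dir/scan.txt"
  new_ips "$demo_dir/baseline.txt" "$demo_dir/scan.txt"
  rm -rf "$demo_dir"
}

demo_new_ips
```

comm -13 prints the lines that exist only in the second (scan) file, which is the same set diff shows with its “>” markers; the phone’s own address and the resolver drop out because they are in the baseline too. The comparison only describes what the phone talked to during that one scan, and a QR-code redirector service can be pointed at a different destination later, so it is worth re-running if the same cards are still circulating.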

Results:

It is not malicious.

The servers contacted are all web hosts.

The first link is to a company that creates QR codes for you to link to, and then shares information such as “How many people scanned my QR code this week?” “Are there more people scanning this with Android or with iOS?” “What cities are the people scanning my QR code in?”

The second link is just the company website.

Neither website was flagged as malicious by virustotal.com’s URL scanner.


List submitted to https://www.infobyip.com/ipbulklookup.php:

vqr.vc
tigersden.co
18.211.201.92
18.238.25.116
18.238.25.3
18.238.25.31
18.238.25.38
3.160.5.110
3.160.5.25
3.160.5.47
3.160.5.68
3.214.242.45
34.149.206.255
34.149.87.45
34.49.229.81
35.171.58.3
44.193.186.194
50.17.183.161
54.175.126.84

Nextdoor Credit Card Stealing Scammers

Re-posted from a post I made on Nextdoor

Whoever is in control of the Nextdoor account “Jared H.” in “Mill Hill” is a scammer. I’m not saying Jared H. is a scammer, but whoever has control of that account is.

Thank you to the Nextdoor Neighbors that brought this account to my attention. If you come across suspicious posts or chat messages (especially from that user), please report them to Nextdoor.

There are some red flags in the message and the link. To me, the most telling part is the fact that these DMs came from a seemingly random user impersonating Nextdoor Support. Nextdoor Support does not reach out to end users in this manner.

Additionally, the domain of the link in the DM is NOT a Nextdoor website. All that site does is redirect whoever clicks on it to another website. That website, also not a Nextdoor-owned website, impersonates Nextdoor and asks for credit card information, ostensibly to verify your identity.

The websites were both registered today. As we all know, Nextdoor is older than one day old.

I looked at the source code, and it contains publicly available code for credit-card-stealing web pages, as well as some text in Cyrillic. I put the Cyrillic into Google Translate, and it was identified as Russian (Nextdoor is not based in Russia, nor programmed in Russian).

Finally, at the bottom of the source code, was a link to a Rick Roll (a YouTube video of “Never Gonna Give You Up,” which used to be a common prank).

I then looked at the web servers hosting these websites. They each have unique IP addresses, but other than that, they appear identical. Running them through some OSINT tools didn’t yield any useful results either, except that those tools are now beginning to slowly classify these sites as threats.

Additionally, each link to the first website is unique, and each leads to a link to the second website that is also unique; the reason for this is that the final page is customized with the target’s name to lend credibility. Using a link that goes to another link, or layering, helps hide the scam websites and keeps them around longer, because the first link, essentially a decoy, will not be flagged by most malware detectors since it is just a redirect, so even with anti-virus the link will appear to be “safe”.
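A small check for the two red flags above (the brand name buried in a subdomain, and the redirect-to-redirect layering), as an added example that is not code from the original post. It assumes the registrable domain is the last two labels of the host name, which holds for the .com, .lol and .cfd domains in this post but not for two-part public suffixes like .co.uk; a production version would consult the Public Suffix List. The chain line format it parses is the “url -> url” notation used for the observed chains later in this post.

```shell
#!/bin/sh
# Added example, not code from the post: reduce a URL to its registrable domain so
# that a brand name used as a subdomain (nextdoor.<digits>.cfd) is not mistaken for
# the brand's own site. Assumption: the registrable domain is the last two host
# labels, which is right for .com/.lol/.cfd but wrong for suffixes such as .co.uk;
# a real check would consult the Public Suffix List instead.

host_of() {
  # https://user@Host.Example:443/path?q#frag -> host.example
  printf '%s\n' "$1" |
    sed -E 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||; s|^[^/@]*@||; s|[/?#].*$||; s|:[0-9]*$||' |
    tr 'A-Z' 'a-z'
}

registrable_domain() {
  # Last two labels of the host (see the assumption above).
  host_of "$1" | awk -F. '{ if (NF >= 2) print $(NF-1) "." $NF; else print $0 }'
}

is_brand_domain() {
  # is_brand_domain URL nextdoor.com -> true only if the URL is really on that domain
  [ "$(registrable_domain "$1")" = "$2" ]
}

chain_domains() {
  # Takes one "url -> url -> label" line and prints the registrable domain of each
  # hop, so the layering (decoy domain, then lookalike domain) is visible at a glance.
  printf '%s\n' "$1" |
    awk '{ n = split($0, hop, / -> /); for (i = 1; i <= n; i++) print hop[i] }' |
    while IFS= read -r hop; do
      case "$hop" in *://*) registrable_domain "$hop" ;; esac
    done
}

# The first chain from this post, minus the victim's name:
chain_domains 'https://verifyingordr.lol/6b4f4b -> https://nextdoor.7562587027.cfd/1770969236'
```

For the lookalike link the function returns 7562587027.cfd, not nextdoor.com, which is the whole point: the “nextdoor” label is just a subdomain the registrant chose. Credentials, ports, query strings and fragments are stripped first because phishing links often pad the URL with them to push the real host out of view on a phone screen.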

Please let me know if you have any questions!

Images included in the original post:
  • Example message sent to potential victims
  • Some source code with some Cyrillic
  • It was Russian
  • There was also a Rick Roll in there
  • Credit card stealer

https://verifyingordr.lol/6b4f4b -> https://nextdoor.7562587027.cfd/1770969236 -> Martin Chaney

http://verifyingordr.lol/dc11af -> https://nextdoor.7562587027.cfd/6047719614 -> Kathy Henson

The creepy creeper camera that I found

I looked at one of those websites for finding devices. I wanted to find traffic cameras in my town. They’re there, but evidently not accessible to the public. But on this website, I found a bunch of cameras that were from the DOT. Yay! The bad news is that these cameras weren’t in my state after all. They were in a different state. I identified the city, and found out that they are public on purpose, so I called it a day.

Except… there was one camera that didn’t match the others. It was blurry. I wanted to try and focus it, so I logged in. There was no manual focus. Bummer. But it had a PTZ function. So I panned, tilted, and zoomed, and what I found shocked the hell out of me. The camera is attached to some little switch, a Cradlepoint cellular bridge, and an uninterruptible power supply. It’s in a tiny little box, the inside of which is painted black. There’s a window, held in place with electrical tape. Not an ordinary window, though, but a very familiar one. It’s a Faraday cage from a microwave oven. My guess is that even when the sun is shining directly on this box, it is impossible to see what’s inside it.

Sometimes I find the camera pointed at cars in the street. Sometimes it’s zoomed in on the windows of the apartments across the alleyway.

I find this very, very disturbing. On the one hand, say that it is legal surveillance. Then the cops are inept at InfoSec and OpSec (par for the course, but something that should be improved). Say that it’s not the cops… who is the scumwad creeper doing this?

I didn’t attempt to gain root. That’s too intrusive, and probably illegal, so not for me.

Geolocating the IP points to a default location for Verizon wireless hot spots. All I could figure out based on daylight is that it’s in the Western timezone.

Maybe I can use weather images and daily satellite images to figure out a more specific locale based on whether or not there’s snow on the ground.

I reached out to Super Tech Support on Reply All – no response so far.

I don’t like this. I get a bad vibe from this. It feels like someone is up to something creepy.

So you’re going to buy some security cameras…

This was a post that I posted to Nextdoor on 15JAN2020, and then updated on 19FEB2020


There’s a lot to consider. First, you have to determine what level of skill you have and how much effort you want to put into it. You must also look into how reputable the manufacturer is, and whether or not you’re going to monitor this yourself, or have a company monitor it for you. Are you going to host at home, in the cloud, or both? Constant recording, or just when there’s an event? And finally, cost.

About eight years ago when I lived on Highland Ave, my house was broken into. We decided that having conspicuous cameras on the outside of the house *might* be a deterrent to 90% of criminals, and cameras inside the house would help to identify culprits should anyone break in. I first accomplished this with, I kid you not, an IBM ThinkPad that was pulled out of the trash, a copy of Debian Linux, a USB hub, some USB webcams and repurposed Android phones that were headed for the trash, and LOTS of time writing bash scripts and cron jobs, plus free webcam software for Linux and Android, an email server for notifications, and a secure website for management. A pain in the butt, but very cheap.

My next system came with several weather proof cameras with built in night vision, an NVR/DVR that sat in my bedroom, and an accompanying app for remote access that could be achieved through a remote connection to my house OR the manufacturer’s cloud server. Both of the above systems recorded continuously. Only the first one had alerts.

My third system is a popular name brand. Each camera is 100% wireless with the option to wire in power, records only on events, and can detect and identify the difference between motion, people, cars, packages, animals, and smoke alarms, with options for sounding an alarm, e911, two-way audio, monitoring service, record only on event or continuously, cloud storage, etc etc.

My current set-up uses the last option as well as the second option. 90% of burglars are looking for the “low hanging fruit” such as houses without cameras or signage. The indoor cams will get a good look at anyone that enters. So it’s a deterrent, as well as a way to hopefully identify any burglars.

When considering where to place the cameras, I visited the Summit County GIS website and printed photos of my yard and house. I got some graph paper, determined a scale, and mapped it on the graph paper, adding in the footprint of the house. I then used a protractor to determine each camera’s field of view. Then I cut out some stencils that I created with a ruler and compass based on that measurement. I was able to place these stencils on the graph paper to determine where the cameras would be able to see.
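The stencil-on-graph-paper check done numerically, as an added example (not part of the original post). Assumptions: coordinates are in feet on a plan with x running east and y north, a camera’s heading is in degrees counterclockwise from east (90 points north), fov is the lens’s horizontal field of view, and range is the distance beyond which a face or plate is no longer identifiable. The two-camera plan in the demo is constructed, not the author’s layout.

```shell
#!/bin/sh
# Added example, not from the post: the graph-paper stencil check done numerically.
# Assumptions: coordinates in feet, x east and y north; heading in degrees
# counterclockwise from east (90 = pointing north); fov = horizontal field of view
# in degrees; range = distance beyond which a face or plate is no longer usable.

blind_spots() {
  # blind_spots cameras.txt points.txt
  #   cameras.txt: x y heading fov range   (one camera per line)
  #   points.txt:  name x y                (places that must be covered)
  # Prints the name of every point that no camera can see.
  awk '
    function in_view(ccx, ccy, chd, cfov, crng, px, py,    dx, dy, dist, bearing, diff) {
      dx = px - ccx; dy = py - ccy
      dist = sqrt(dx*dx + dy*dy)
      bearing = atan2(dy, dx) * 180 / PI          # direction from camera to point
      diff = ((bearing - chd + 540) % 360) - 180  # angle off the camera axis, -180..180
      if (diff < 0) diff = -diff
      return (dist <= crng && diff <= cfov / 2)
    }
    BEGIN { PI = atan2(0, -1) }
    FNR == NR { n++; cx[n] = $1; cy[n] = $2; hd[n] = $3; fov[n] = $4; rng[n] = $5; next }
    {
      seen = 0
      for (i = 1; i <= n; i++)
        if (in_view(cx[i], cy[i], hd[i], fov[i], rng[i], $2, $3)) { seen = 1; break }
      if (!seen) print $1
    }
  ' "$1" "$2"
}

demo_blind_spots() {
  # Constructed plan: two cameras on the front corners of a 50 ft wide lot, each
  # with a 90 degree lens aimed diagonally across the yard and 40 ft useful range.
  plan=$(mktemp -d) || return 1
  printf '%s\n' '0 0 45 90 40' '50 0 135 90 40' > "$plan/cameras.txt"
  printf '%s\n' 'driveway 25 10' 'frontdoor 10 30' 'backgate 25 60' 'sidealley 60 5' \
    > "$plan/points.txt"
  blind_spots "$plan/cameras.txt" "$plan/points.txt"
  rm -rf "$plan"
}

demo_blind_spots
```

In the demo the driveway and front door are covered, while the back gate is inside both cameras’ angle but beyond their useful range, and the side alley is close to the second camera but behind its lens; those are the two points a stencil overlay would also show as uncovered, and the ones a third camera or a re-aimed lens should address.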

Finally, there are two big-name camera companies in the news right now for all the wrong reasons. Wyze’s customer database was recently breached https://www.cnn.com/2019/12/30/tech/wyze-data-breach/index.html and Ring cameras have seen a rash of breaches https://www.popularmechanics.com/technology/security/a30242264/ring-doorbell-hack/ (the Ring incidents were account takeovers using passwords that had leaked from other sites, which is exactly what the two steps below prevent). These issues can be mitigated with a couple of important steps: (1) NEVER re-use a password, ever, anywhere, and (2) ALWAYS use long passwords with Two-Factor Authentication or Multi-Factor Authentication.

I’m not saying those brands should be avoided forever, but maybe wait until they have a chance to learn from their mistakes and make improvements. Whatever you decide, make sure that you consider single points of failure, and build in redundancy.

I will gladly answer any questions that DO NOT have to do with any of the following:
  • Details on my specific set-up, such as brands (for my safety)
  • Whether or not someone should or should not have surveillance of their own property or things in plain view of the public (this is not the place for that conversation)

(How did I learn about CCTV technology, security, and safety? I’ve worked in security, armed protection, and private law enforcement on and off from 2006 to 2012. I have about five years experience as a senior network engineer, and six years in information security. Currently I’m my company’s Information Security Officer)

http://summitmaps.summitoh.net/

(P.S. Password complexity rules matter less than overall password entropy, i.e. how many possibilities an attacker has to try. So, instead of a “complicated” password like P@$$w0rd!, which is a dictionary word with predictable substitutions, consider a pass*phrase* such as CorrectHorseBatteryStaple.)

Update:

๐˜•๐˜ฐ๐˜ธ I can ๐˜ง๐˜ช๐˜ฏ๐˜ข๐˜ญ๐˜ญ๐˜บ add Ring to my list of recommended brands.

UPDATE: I have removed Ring once again. They share all of your footage and live feeds with law enforcement without a court order or subpoena, AND any Ring engineering employees/contractors have full access not only to the footage and live feed, but also to the devices.

  • Wyze
  • Arlo
  • ADT
  • Spectrum
  • Zosi

(In no particular order, and with varying levels of challenges and features)

Predictions for extra-terrestrial life in our solar system

Mars

My prediction for Mars is the most complicated. I wager that life will be discovered here first in the form of microbial colonies, and maybe stuff like lichens. I bet this will be discovered before the end of 2030. I think there will be a huge debate though, because I think that it will be discovered that there are many many genetic similarities between indigenous Martian life, and indigenous Terran life. I think it will start this whole debate about where bio-genesis occurred, where it occurred first, if it occurred more than once, and if panspermia played a role in Martian and Terran life. My prediction is that it’s going to take another century to get to the bottom of it, but they’re going to find that bio-genesis happened on both Earth and Mars independently, and then, thanks to panspermia, the two biomes got all tangled up together.

Europa and Enceladus

I’m putting these two together because as far as I’m concerned, they’re basically the same thing: an ice ball with a warm salty ocean inside it. I predict independent bio-genesis occurred here, and that at least some of the sea creatures are going to resemble fish. There’s not a much more efficient shape for moving through sea-water than a fish. Where life gets discovered first is really up to where the exploration is done first.

Titan

My prediction for Titan is that life will be discovered sometime after one or both of the icy/watery moons I mentioned above. I’m predicting that the life there will be more advanced than Mars, but less advanced than Europa/Enceladus; maybe bugs? Or something that resembles bugs?

Venus

SURPRISE! I think that after Titan, life will be detected in the form of micro-organisms in the upper atmosphere of Venus. That’s gonna get the eggheads thinking that they need to check the atmospheres of the gas giants Jupiter and Saturn, and the ice giants Uranus and Neptune. And that’s not to say that they aren’t already; I just don’t think humanity knows exactly what to look for there yet.

Jupiter, Saturn, Uranus, Neptune

See above

Luna

Our moon, Luna, is contaminated with a bunch of tardigrades (a.k.a. water bears). I don’t know if they’re still alive, or if they’re dead, or dormant or what. My wager is that those are the only organisms up there.

Mercury

Nothin’.

Every other celestial object in our solar system that is known to science. (some examples are the Main Asteroid Belt, The Kuiper Belt, and the Oort Cloud. And there’s a ton of other things like dwarf planets and transient comets and stuff)

Probably nothing

Closing:

The same people that told you that there are only three states of matter: Solid, Liquid, Gas, are the same people that say that there’s only one planet in the circumstellar habitable zone of our solar system. There are three. Venus, Earth, and Mars. Venus had a run-away greenhouse effect and it’s an oven. Mars was too small for an active core to produce a magnetic field to shield it from solar radiation, so its atmosphere was ablated away. Earth didn’t have a run-away greenhouse effect, and we have a nifty magnetic field that mitigates atmospheric ablation. That’s why you’re reading this and we don’t have neighbors.

Ceres

Oh my gosh I forgot Ceres! I bet there’s some organisms there, too.

Clandestine Behavior Modification is better than Direct Conflict

Taijiquan, Judo, Jujitsu… I appreciate these forms. They redirect your opponent’s momentum. Did I mention that I’m a nerd? Let me throw this out there too: I have read Sun Tzu’s The Art of War like four or five times. Now if all of this seems cringeworthy, get your cringes out of the way and I’ll tell you the story about how I made an opponent lose the will to fight through a form of attrition; the cost just wasn’t worth the payoff. Keep this in mind in all aspects, because everyone is looking for the “low hanging fruit”; you just gotta make sure your fruit is higher up!

Another thing that I want to get out of the way is that everyone makes mistakes; I’ve made a million of them! So have you! When these two events occurred, I was coming to it with years of experience in information security, information technology, physical security, and private law enforcement, as well as tons and tons of years in customer service. Not to mention my experience in aviation; I don’t know if that helped, but I’m compelled to tell people that I’m a pilot whenever I can.

Part One

So one of my jobs was doing some outsourced IT work. I worked as head of InfoSec and head of tech support, as well as being the lead engineer. Some of our customers were schools. One school in particular… I was sitting there Monday through Friday to try and turn the account around. Every summer, this school puts on summer camps for things like coding and movie making for little kids. The summer before I started there, the summer camp went so wrong because the IT department (allegedly) screwed up everything.

I kept that in mind while overseeing that IT department in person during my first summer camp there. Previously, I had been overseeing it from afar, but now that I was there, I had a much tighter rein. So… one day during the camp, our Internet bandwidth was completely saturated; everything was bogged down: classrooms, administrative, maintenance, secretaries, everyone. Because we used the best tools and best practices, it took exactly one minute to find out exactly what was going on: one student in the entire building was playing a Flash game that was somehow using 300Mbps up and down (Bitcoin jacking?), at workstation number six in computer lab A.

I already had a plan. I was going to walk in there and very gently ask the instructor to excuse my interruption, and explain the situation. Now, you see, these weren’t students in the sense that they could get a detention or even a bad grade; their parents paid for them to be there, and as long as they weren’t doing anything that could get the school in trouble, like looking at porn or preventing the other students from getting what their parents paid for. At least, that’s how the superintendent and assistant superintendent explained it to the company I was working for (how they explained it to the owner/CEO and how they explained it to me).

I walked into the classroom. No one noticed me. I’m six feet tall and at the time I weighed about 315lbs. No one noticed because I didn’t want them to notice me. >>>Cue the James Bond theme song<<< I counted workstations and figured out that it was the young boy in the front right corner. I don’t know what he was playing. It looked like a movie making website. Ironic, because that class was about movie making.

I approached the instructor: “Hi, my name is Tony. I’m from the IT department. The reason for my visit is because there’s a student playing an online game – which normally during a summer camp, wouldn’t be a big deal, but, it’s taking up all of the bandwidth in the building. I actually found out because the superintendent called me directly to talk about it. So, I’m just asking if you could ask the student to stay on task.”

The instructor had no problem with this at all. The problem is that two of my team mates walked into the room behind me. One of them had come here from working in security (he didn’t learn as much as I did: no force continuum, including the most effective step on the continuum, “officer presence”; no de-escalation; no verbal judo, all things that would have been relevant in this case). The other guy, well, he makes me look tiny. He’s actually still one of my best friends! One of the few people that checked in on me during my darkest days. So my two team mates both stood there, pointing and counting out loud, super, super obviously, and then, with pissy attitudes, told the instructor that one of her students had crippled the whole building’s computers. The kid panicked. He kept looking back and forth between his computer screen, us, the teacher, the computer, etc. etc. He closed his Flash game, looked at the computer next to his, and started copying what that kid was doing: drawing geometric shapes in Microsoft Paint. Which cracked me up, because that kid wasn’t working on the assignment either.

The result is that the Internet usage was normal for the rest of the summer camp. The fall out is that the kid told his parents, his parents called the school, the enemies we had at that school blew everything out of proportion, there was a meeting with us, the superintendent, and the teacher, and everything ended well once the teacher stuck up for us. Still sucked though. It’s better, in my opinion, for a customer to not have any bad tastes in their mouth, as opposed to me having to pour Listerine down their throats.

Part Two

Fast forward roughly twelve months. I’m still overseeing this customer’s account personally. Summer camp time. There was lots more drama in Part One that wasn’t relevant to this story, and different and irrelevant drama in part two as well. But here’s what happened – basically the exact same thing, except a different Flash game, this time a clone of Call of Duty or something. This classroom happened to have security cameras in it (students and parents know about the cameras of course), and guess which department runs the security cameras…

So I pulled up a couple of live views of the classroom, and a remote view of the teacher’s computer and the student’s computer, and also glanced at some of the other screens to make sure that this game wasn’t somehow part of the curriculum. It of course was not. In fact, the student would minimize the screen whenever the teacher walked by. Doesn’t exactly take Sherlock Holmes to crack this case.

What the hell? He’s playing the game in Microsoft Edge? Come on, guy. What are you doing? I opened a remote command line into that workstation and sent taskkill /f /im edge.exe and, lo and behold, the game he was playing suddenly vanished from the screen. Gotta give the kid some credit though. He reopened Edge and started loading the game again, skillfully avoiding the watchful eye of the teachers in the room. I watched the screen while the game loaded, and as soon as it hit 99%, I pressed the up arrow and then hit Enter, re-sending the command that kills Microsoft Edge. He starts laughing, bumping into the kids on either side of him. They’re all joking around a little. The teachers come by, look around, go back to the front of the room…. Then here comes Edge again. Wait until 99%…. up arrow, Enter key, no more Microsoft Edge. He tried once more before giving up.

The Moral of The Story

This kid decided that the amount of effort that he had to put in to play the game was not worth the payoff: waiting for it to load and only getting a minute into the game, or getting 99% past the loading screen without any payoff at all. See, there has to be some payoff for anything that someone does, and that payoff has to outweigh the cost. The more impulsive the person is, the less patient they are going to be; the payoff has to be immediate. The less impulsive a person is, the longer they can wait. I went to school, got certs, and learned first-hand by working for free at first, all so that years later I’d be working at a job that I actually enjoy going to. Good things come to those who wait. And I think that bad things come less often to those who make it so that the impulsive people trying to do them harm have to wait longer than they want to wait, and have to put in more effort than they want to expend for the payoff.

Herein lies the “Low Hanging Fruit” adage that is hopefully familiar to you. Say there’s a hacker group that wants to hack some companies. They send their automated attack all at once against 10,000 different companies. Out of those 10,000, 9,000 are wiiiiiiiide open; they get in by exploiting vulnerable software, vulnerable people, vulnerable passwords, etc. Then out of the remaining thousand, 500 of them can be hacked with an extra few weeks’ worth of work. And the last 500 would take months of work.

What do you get from a hacked company? An attacker can make a ton of cash in a ton of ways, regardless of what the company even does or sells. Now, would spending a few months trying to hack one company be the end of the world to an attacker? No, absolutely not. But why would they bother when they’ve already compromised 9,000 in a day and a half? The low-hanging fruit is theirs. That’s a little bit of effort for a big payoff. But what about the fruit in the middle of the tree and at the top of the tree? It’s probably not any sweeter than the fruit that can be reached without even standing on tiptoes (trust me on that), so why bother getting out a ladder or an extra couple of people to try and get those last pieces of fruit? It’s a lot of effort for a small amount of something the attacker already has a lot of for free.

Do the basic best practices. It moves your fruit higher from the ground, and the attackers ignore it in favor of the easier to obtain – and just as tasty – fruit.

My Blog…. Rebooted

For new posts, check the blog menu up top!

I had/have some blogs from back in the day when I was less mature, and my topics were all over the place.

I’m going to start a new one. It’s gonna have some new stuff, and some old stuff that I find relevant.

Look for InfoSec, OpSec, IT, Aviation, Physical Security, Protection, Private Law Enforcement, Aerospace – top tier nerd stuff.