WhatsApp suspicious message

Received a message from an unknown individual on WhatsApp messenger. I did not recognize the number (the person is not on my contact list), and there is probably an attachment (4 messages were sent).

I deleted the message and the attachment without tapping to open the message (WhatsApp asked whether I wanted to delete the attachment; I chose yes).

I believe the message was from a possible scammer sending a virus embedded in an attachment.

I also uninstalled and re-installed WhatsApp messenger.

A virus scan using multiple programs on my phone indicated nothing was wrong.

Question 1: Are there any other steps I should do to be secure? Question 2: Is there a way to prevent random messages like this on WhatsApp? (I have blocked this specific sender but I want to prevent such messages in general)

Regularly receiving suspicious certificate errors online

For the past few weeks, I have frequently been receiving error messages from websites stating that the certificate is invalid. This tends to happen for a while and then resolve itself. Other devices on the same network connection are also experiencing odd behaviour, including a very sporadic internet connection that is either very slow or turns on and off. We had an engineer visit this week to diagnose whether there was a faulty connection, but they left, happy that the connection is working properly.

I understand that receiving ‘bad’ certificates can sometimes be a sign of the system clock or internet settings being poorly configured. I had assumed this might be the case, until I interrogated one of these ‘invalid certificate’ messages more closely (from Firefox on Mac):

Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for eur03.safelinks.protection.outlook.com. The certificate is only valid for the following names: cloudflare-dns.com, *.cloudflare-dns.com, one.one.one.one, 1.1.1.1, 1.0.0.1, <…>

The website I was trying to visit in this case has nothing to do with cloudflare, and the links above lead to a website that appears to be selling a VPN-type service.

Should I be concerned that my internet connection has been tapped, and what would be the appropriate action to take to shake this off?
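The Firefox message quoted above is the outcome of one specific check: does the host name in the URL match any name the certificate was issued for. The snippet below is an added example, not code from the original post, that applies that check to the SAN list quoted in the error; it uses the RFC 6125 wildcard rule (a wildcard only as the whole left-most label, matching exactly one label), which is what browsers implement. The result is the same whatever caused the connection for eur03.safelinks.protection.outlook.com to end up at a server holding a cloudflare-dns.com certificate.

```javascript
// Added example, not part of the original post: the host-name check a
// browser applies to a certificate's Subject Alternative Names (SANs),
// run against the names quoted in the Firefox error above.

// SAN list as quoted in the error message; the page elides the rest of the
// list, so only the visible entries are included here.
const QUOTED_SANS = [
  'cloudflare-dns.com',
  '*.cloudflare-dns.com',
  'one.one.one.one',
  '1.1.1.1',
  '1.0.0.1',
];

// Case-insensitive comparison, ignoring a trailing dot (FQDN form).
function normalise(name) {
  return name.trim().toLowerCase().replace(/\.$/, '');
}

// RFC 6125-style reference identifier matching: plain names and IP literals
// must match exactly; a wildcard is honoured only as the whole left-most
// label and matches exactly one label, so *.example.com covers
// a.example.com but neither a.b.example.com nor example.com itself.
function sanMatches(san, host) {
  const s = normalise(san);
  const h = normalise(host);
  if (!s.startsWith('*.')) return s === h;
  const suffix = s.slice(1); // e.g. ".cloudflare-dns.com"
  if (!h.endsWith(suffix)) return false;
  const leftmost = h.slice(0, h.length - suffix.length);
  return leftmost.length > 0 && !leftmost.includes('.');
}

function certificateValidFor(sans, host) {
  return sans.some((san) => sanMatches(san, host));
}

// Produce the same kind of verdict Firefox printed: which SAN matched, or
// the list of names the certificate is actually valid for.
function explainHostCheck(sans, host) {
  const matched = sans.find((san) => sanMatches(san, host));
  if (matched) return `${host}: valid (matched SAN ${matched})`;
  return `${host}: not valid; certificate is only valid for: ${sans.join(', ')}`;
}

const DEMO_HOSTS = [
  'eur03.safelinks.protection.outlook.com',
  'one.one.one.one',
  'dns.cloudflare-dns.com',
  'a.b.cloudflare-dns.com',
];
for (const host of DEMO_HOSTS) console.log(explainHostCheck(QUOTED_SANS, host));
```

The check is purely on names, so it deliberately says nothing about why the wrong server answered; that is what a resolver or proxy comparison would have to establish separately.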

Suspicious behavior by Google when verifying users via Node.js

I’m building a user authentication system in Node.js and use a confirmation email to verify that a new account is real.

The user creates an account, which prompts him/her to check the email for a URL that he/she clicks to verify the account.

It works great, no issues.

What’s unusual is that in testing, when I email myself (to simulate the new user process), and after I click the verify-URL, immediately afterward there are two subsequent connections to the endpoint. Upon inspection, it appears the source IPs belong to Google. What’s even more interesting is that the user agent strings are random versions of Chrome.

Here’s an example of the last sequence. The first one is the HTTP 200 request and the next two (the HTTP 400s) are Google. (Upon user verification I remove the user’s verification code from the database, so that subsequent requests are HTTP 400s.)

162.158.78.180 - - [03/Jul/2020:20:35:40 +0000] "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 200 70 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "hidden.com" "72.191.192.163" "US" "en-US,en;q=0.9"
162.158.187.117 - - [03/Jul/2020:20:35:43 +0000] "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 400 28 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" "hidden.com" "74.125.210.22" "US" "en-US,en;q=0.9"
162.158.187.117 - - [03/Jul/2020:20:35:43 +0000] "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 400 28 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36" "hidden.com" "74.125.210.8" "US" "en-US,en;q=0.9"

Now I’m using Cloudflare so the first IP address in each line is a Cloudflare IP address but the second one you see is the real one [as reported by Cloudflare] … I modified my "combined" log format in Nginx.

Anyhow, any idea what this is? Or why Google would be doing this?

It’s just incredibly suspicious given the use of randomized user agent strings.

And one last note, if I inspect my console w/Chrome and go into the network tab before I click a verification link from my email, the 2 subsequent connections never come. It’s like Google knows I’m monitoring … this is just so incredibly odd that I had to ask the community. I’m thinking maybe this is an extension that’s infected w/some kind of tracking, but how then do the IPs come back as Google?
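The pattern in the log above (one 200 for the user's click, then 400s for the same token from other addresses a few seconds later) is easy to pull out of the access log automatically. The following is an added example, not code from the original post or project: it parses lines in the extended "combined" layout shown above (the field order after the user agent is inferred from the post, so it is an assumption) and reports every verification token fetched again from a different client IP within a short window of the first hit. The sample lines are constructed to mirror the post's, with client addresses from documentation ranges.

```javascript
// Added example, not part of the original post: parse Nginx access-log lines in
// the extended "combined" layout shown above and flag verification tokens that
// were fetched again, from a different client address, shortly after the first hit.

// Assumed field layout (inferred from the lines in the post, so an assumption):
// $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
// "$http_referer" "$http_user_agent" "$host" "$http_cf_connecting_ip"
// "$http_cf_ipcountry" "$http_accept_language"
const LINE_RE =
  /^(\S+) - \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]+" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)" "([^"]*)" "([^"]*)" "([^"]*)" "([^"]*)"$/;

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "03/Jul/2020:20:35:40 +0000" -> epoch milliseconds (UTC)
function parseNginxTime(s) {
  const m = /^(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return NaN;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMin = (m[7] === '-' ? -1 : 1) * (+m[8] * 60 + +m[9]);
  return local - offsetMin * 60 * 1000; // local time = UTC + offset, so subtract
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    edgeIp: m[1],              // the Cloudflare edge that proxied the request
    time: parseNginxTime(m[2]),
    method: m[3],
    path: m[4],
    status: Number(m[5]),
    userAgent: m[8],
    host: m[9],
    clientIp: m[10],           // CF-Connecting-IP: the real client
    country: m[11],
  };
}

const VERIFY_PATH = /^\/v1\/user\/verify\/([0-9a-f]{32})$/;

// Group verify requests by token; the earliest hit is taken as the user's own
// click, and any later hit from another client IP inside the window is a
// follow-on fetch worth looking at.
function findFollowOnFetches(lines, windowMs = 60 * 1000) {
  const byToken = new Map();
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    const m = VERIFY_PATH.exec(entry.path);
    if (!m) continue;
    if (!byToken.has(m[1])) byToken.set(m[1], []);
    byToken.get(m[1]).push(entry);
  }
  const findings = [];
  for (const [token, hits] of byToken) {
    hits.sort((a, b) => a.time - b.time);
    const first = hits[0];
    const followers = hits
      .slice(1)
      .filter((h) => h.clientIp !== first.clientIp && h.time - first.time <= windowMs);
    if (followers.length === 0) continue;
    findings.push({
      token,
      firstClientIp: first.clientIp,
      firstStatus: first.status,
      followOnIps: [...new Set(followers.map((h) => h.clientIp))],
      followOnUserAgents: [...new Set(followers.map((h) => h.userAgent))],
      secondsAfterFirst: followers.map((h) => (h.time - first.time) / 1000),
    });
  }
  return findings;
}

// Constructed sample lines modelled on the post's; client addresses use the
// documentation ranges 203.0.113.0/24 and 198.51.100.0/24, not the real ones.
const SAMPLE_LOG = [
  '162.158.78.180 - - [03/Jul/2020:20:35:40 +0000] "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 200 70 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "hidden.com" "203.0.113.10" "US" "en-US,en;q=0.9"',
  '162.158.187.117 - - [03/Jul/2020:20:35:43 +0000] "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 400 28 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" "hidden.com" "198.51.100.22" "US" "en-US,en;q=0.9"',
  '162.158.187.117 - - [03/Jul/2020:20:35:43 +0000] "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 400 28 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36" "hidden.com" "198.51.100.8" "US" "en-US,en;q=0.9"',
  '162.158.78.181 - - [03/Jul/2020:20:40:01 +0000] "GET /v1/user/verify/0123456789abcdef0123456789abcdef HTTP/1.1" 200 70 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "hidden.com" "203.0.113.77" "US" "en-US,en;q=0.9"',
  '162.158.78.181 - - [03/Jul/2020:20:40:05 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/7.68.0" "hidden.com" "203.0.113.5" "US" "-"',
];

for (const f of findFollowOnFetches(SAMPLE_LOG)) console.log(JSON.stringify(f));
```

Only the token that was re-fetched from other addresses is reported; the second token (one hit) and the unrelated health-check line produce nothing, which is what makes the output usable as a hunting query rather than a dump of all verify traffic.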

Suspicious termination in some Windows Services names [closed]

Introduction

I’ve been poking around the Services tab on my Windows machine and saw some services with a "normal" name but this termination _1f699ad, as in the following examples:

  • ConsentUX_1f699ad
  • CredentialEnrollmentManagerUserSvc_1f699ad
  • DevicePicker_1f699ad
  • and many more with the same termination

Here are some pictures taken from the Services tab.


My question is simple: Is this OK or should I be worried?

Because some of them have access to ScreenCapture and other things which can potentially be harmful (i.e. data theft), and I see no reason to add a meaningless termination other than to supersede and stay hidden.

Suspicious hop on gmail

I received a suspicious message today from the inbox of a friend of mine; I suspect it has been compromised.

I analyzed the header and, obviously, coming from Gmail’s mail server, it has all the authentication mechanisms (SPF, DKIM, DMARC) configured and correctly passed.

I’m suspicious of the first hop that the mail performs, over IPv6 with the HTTP protocol.

(screenshot: msgHeaderHop)

Is it considered a regular activity?
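The hop the question refers to is one of the message's Received: headers; each records who handed the message over ("from"), who accepted it ("by") and the protocol it was accepted over ("with"). The following is an added example, not code from the original post: it unfolds a raw header block, walks the Received: lines oldest hop first and pulls those clauses out, so the submission protocol of the first hop is explicit instead of buried in a screenshot. The sample message is constructed in the shape of Gmail-originated mail (a first hop of the form "by <IPv6 address> with HTTP" with no "from" clause is the form Gmail uses for messages submitted through its web interface); the host names, addresses and IDs are made up.

```javascript
// Added example, not part of the original post: unfold a raw message's
// headers, walk its Received: lines oldest hop first, and pull out the
// "from", "by" and "with" clauses so the protocol of each hop is explicit.

// Constructed sample, shaped like Gmail-originated mail; host names,
// addresses and IDs are made up.
const SAMPLE_MESSAGE = [
  'Delivered-To: recipient@example.net',
  'Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])',
  '        by mx.example.net with ESMTPS id k7si123456abc',
  '        for <recipient@example.net>;',
  '        Tue, 4 Feb 2020 10:15:02 -0800 (PST)',
  'Received: by 2002:a05:6e02:1234:0:0:0:0 with HTTP; Tue, 4 Feb 2020 10:15:01 -0800 (PST)',
  'From: Friend <friend@example.com>',
  'Subject: hello',
  '',
  'body text',
].join('\r\n');

// RFC 5322 folding: a line starting with whitespace continues the previous header.
function unfoldHeaders(raw) {
  const headerBlock = raw.split(/\r?\n\r?\n/)[0];
  const out = [];
  for (const line of headerBlock.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && out.length > 0) out[out.length - 1] += ' ' + line.trim();
    else out.push(line);
  }
  return out;
}

// Pull "<keyword> <token>" out of the routing part of a Received value.
function clause(route, keyword) {
  const m = route.match(new RegExp('(?:^|\\s)' + keyword + '\\s+(\\S+)', 'i'));
  return m ? m[1] : null;
}

// The date is everything after the last ';'; the routing clauses precede it.
function parseReceived(value) {
  const cut = value.lastIndexOf(';');
  const route = cut === -1 ? value : value.slice(0, cut);
  const date = cut === -1 ? '' : value.slice(cut + 1).trim();
  const ip = /\[([0-9a-f.:]+)\]/i.exec(route);
  return {
    from: clause(route, 'from'),   // sending host as it named itself; null when absent
    fromIp: ip ? ip[1] : null,     // address the receiver observed, if it recorded one
    by: clause(route, 'by'),       // receiving host, or an address for internal hops
    with: clause(route, 'with'),   // protocol keyword: SMTP, ESMTPS, HTTP, ...
    date,
  };
}

// Received headers are prepended as mail travels, so reverse them to put
// the submission hop first.
function hops(raw) {
  return unfoldHeaders(raw)
    .filter((h) => /^received:/i.test(h))
    .map((h) => h.replace(/^received:\s*/i, ''))
    .reverse()
    .map((value, i) => ({ hop: i + 1, ...parseReceived(value) }));
}

function describeHop(h) {
  const origin = h.from ? `from ${h.from}${h.fromIp ? ` [${h.fromIp}]` : ''}` : 'no "from" clause';
  return `hop ${h.hop}: ${origin}, by ${h.by}, with ${h.with} (${h.date})`;
}

for (const h of hops(SAMPLE_MESSAGE)) console.log(describeHop(h));
```

Reading the hops in this order makes the first line the interesting one: the protocol keyword tells you how the message entered the sender's provider, and a hop with no "from" clause was generated inside that provider rather than received from an external host.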

How to proceed with suspicious SMS from an apparent delivery service

Around a month ago, I received this SMS:


Translation: “Package XXX-xxxxx could not be delivered on 31.01.2020 because the delivery charges were not paid in full. Check delivery: http: //4jm.us/xxxx”

My receiving a delivery isn’t that unusual, as I backed a game on Kickstarter which is in the process of shipping backer rewards, but this is the first time that a delivery was put “on hold” because of something not being paid. Is that normal? It looks a lot like a scam to me, but I also fear that maybe different packages are delivered by different companies and those companies simply handle things differently. How should I proceed?

Suspicious calls to testgvbgjbhjb.com

Over the last few days, one of our endpoints has been making calls to testgvbgjbhjb.com.

I used TCPView to find suspicious connections and checked whether there was any unknown extension.

The owner of the domain set it to a 127.0.0.1 record and added the following TXT record:

“The owner of this domain does not know why your machine is reaching out to it. Owner saw suspicious traffic in multiple networks and bought it.”

I read the following analyses but I can’t find the cause of these calls.

  • https://urlscan.io/result/14f59032-94ab-4b39-b7ef-1c0d33bc02f7/

  • https://www.joesandbox.com/analysis/199223/0/html

Any Idea?

What should I do if I find a suspicious device in public space?

This question is partially inspired by this video.

If I find a suspicious device somewhere in a public space, what should I do with the device?

  • Take the device I’ve found to my home/lab to analyze it (I’d like to)
  • Hand it to the authority responsible for the area
  • Leave it alone and report to the authority

I’d assume it’s best to hand it to the authority, but again, should I take the device to them?