Humanitarian Aid Attack Investigation

Scenario

You are a freelance human rights cybersecurity analyst. You have been contacted by a humanitarian aid group from Venezuela that claims it was attacked and needs your help conducting the cyber investigation. You have been given some background information and a Twitter post to begin your investigation.

Background

Venezuela is currently in the throes of a major political crisis as opposition leader and self-declared interim President Juan Guaidó is attempting to oust the incumbent President, Nicolas Maduro, who had been re-elected for a second term in a very controversial election that many are refusing to recognize as legitimate.

Back in February, shortly after declaring himself interim president, Guaidó called for citizens of Venezuela to volunteer in helping international organizations deliver humanitarian aid to the country, because Maduro was refusing to accept aid and was blocking desperately needed supplies, food, and medicine at the borders.

A website was set up where volunteers could register to help, which required them to provide personal information such as their name, phone number, address, and whether they have things like a medical degree or a car.

This website appeared online on February 6th. Only a few days later, on February 11th, the day after the public announcement of the initiative, another almost identical website appeared with a very similar domain name and structure.

Only people inside Venezuela seemed to be affected by this attack.

Twitter posts began to appear showing an identical fraudulent website. Below are the actual Twitter posts.

https://twitter.com/ElPensante2015/status/1095908115848052736

Zoomed-in view of the fraudulent website URL:

Fake IP 159[.]65[.]65[.]194, Real IP 54[.]240[.]186[.]199

Here is an actual video that was posted to Twitter of the DNS poisoning attack in Venezuela.

https://twitter.com/i/status/1095511930339581953
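To make the poisoning concrete from the defender's side, here is an added example (it is not part of the exercise materials) that compares the A-record answers several resolvers return for the legitimate domain against the real and fake addresses quoted above. The resolver names and their answers are constructed sample data, not captures from the incident; only the two IP addresses come from the page.

```python
# Added example: flag DNS answers that disagree with a known-good address
# or match a known-fraudulent one. Resolver names and answers below are
# constructed sample data, not real captures from the incident.
from collections import Counter
from typing import Dict, List, Set, Tuple

LEGIT_DOMAIN = "www.voluntariosxvenezuela.com"
REAL_IP = "54.240.186.199"   # legitimate address as stated on the page
FAKE_IP = "159.65.65.194"    # address the poisoned answer pointed to, per the page

# Constructed sample: what three resolvers might return for LEGIT_DOMAIN during
# the incident. The in-country resolver hands back the fraudulent address while
# public resolvers queried from outside return the real one.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "isp-resolver.example (in-country)": ["159.65.65.194"],
    "8.8.8.8": ["54.240.186.199"],
    "1.1.1.1": ["54.240.186.199"],
}


def classify_answer(ip: str, expected: str, known_bad: Set[str]) -> str:
    """Label one resolved address relative to the known-good / known-bad set."""
    if ip == expected:
        return "ok"
    if ip in known_bad:
        return "POISONED (known fraudulent address)"
    return "MISMATCH (unexpected address, verify before acting)"


def check_resolvers(answers: Dict[str, List[str]], expected: str,
                    known_bad: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (resolver, ip, verdict) for every answer each resolver gave."""
    findings = []
    for resolver, ips in answers.items():
        for ip in ips:
            findings.append((resolver, ip, classify_answer(ip, expected, known_bad)))
    return findings


def suspicious_resolvers(answers: Dict[str, List[str]], expected: str,
                         known_bad: Set[str]) -> List[str]:
    """Resolvers that returned at least one answer other than the expected IP."""
    return sorted({r for r, _, v in check_resolvers(answers, expected, known_bad)
                   if v != "ok"})


def consensus_ip(answers: Dict[str, List[str]]) -> str:
    """Majority answer across resolvers; a fallback when no known-good IP is at hand."""
    counts = Counter(ip for ips in answers.values() for ip in ips)
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    bad = {FAKE_IP}
    for resolver, ip, verdict in check_resolvers(SAMPLE_ANSWERS, REAL_IP, bad):
        print(f"{resolver:36} {ip:16} {verdict}")
    print("Consensus answer:", consensus_ip(SAMPLE_ANSWERS))
    print("Suspicious resolvers:", suspicious_resolvers(SAMPLE_ANSWERS, REAL_IP, bad))
```

In a real check the answers would be gathered by querying each resolver directly (for example with dig @resolver) from inside and outside the affected network before being fed to check_resolvers; a resolver that alone returns a different address, as the in-country one does in the sample, is the one to investigate, and routing lookups to a trusted validating resolver over DNS over HTTPS or TLS is the practical mitigation for users who cannot fix the poisoned resolver themselves.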

Searches

First search: Perform a search for the domain www.voluntariosxvenezuela.com.
https://community.riskiq.com/search/www.voluntariosxvenezuela.com

Second search: Perform a search for the domain www.voluntariosvenezuela.com.
https://community.riskiq.com/search/www.voluntariovenezuela.com

Third search: Perform a search for the domain www.voluntariosxxvenezuela.com.
https://community.riskiq.com/search/www.voluntariosxxvenezuela.com

Fourth search: Perform a search for the IP address 159[.]65[.]65[.]194.
https://community.riskiq.com/search/159.65.65.194
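The three domain searches above are, in effect, a manual lookalike-domain hunt. As an added example (not part of the exercise materials), the script below ranks candidate names by edit distance from the legitimate domain so that near-identical registrations surface first; the candidate list is constructed from the names on this page plus one unrelated control name, and the distance threshold of 2 is an assumption chosen for this illustration.

```python
# Added example: rank candidate domains by Levenshtein distance from the
# legitimate one to surface lookalike registrations. Candidate names are
# taken from the page; example.org is an unrelated control added here.
from typing import List, Tuple

LEGIT = "www.voluntariosxvenezuela.com"

CANDIDATES = [
    "voluntariosvenezuela.com",
    "voluntariosxxvenezuela.com",
    "voluntariovenezuela.com",
    "example.org",
]


def levenshtein(a: str, b: str) -> int:
    """Dynamic-programming edit distance: insert, delete and substitute cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Drop a leading 'www.' and the final label so only the brand part is compared."""
    d = domain.lower().strip(".")
    if d.startswith("www."):
        d = d[4:]
    return d.rsplit(".", 1)[0]


def rank_lookalikes(legit: str, candidates: List[str],
                    max_distance: int = 2) -> List[Tuple[str, int]]:
    """Return (candidate, distance) for names within max_distance edits of legit."""
    base = registrable_label(legit)
    scored = []
    for cand in candidates:
        dist = levenshtein(base, registrable_label(cand))
        if 0 < dist <= max_distance:   # distance 0 is the legitimate name itself
            scored.append((cand, dist))
    return sorted(scored, key=lambda t: (t[1], t[0]))


if __name__ == "__main__":
    for name, dist in rank_lookalikes(LEGIT, CANDIDATES):
        print(f"{dist}  {name}")
```

Names scoring 1 or 2 are the ones worth submitting to the passive-DNS and urlscan.io searches above, and the same function can be run over a full zone-file or certificate-transparency feed of newly registered names to catch the next variant before it is promoted.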

URL for urlscan.io: https://urlscan.io

Goals:

Your goal is to investigate both websites from back in February 2019, determine the following, and provide your evidence:

  1. Is www[.]voluntariosvenezuela[.]com fraudulent?
  2. Are any other websites also infringing on the real website www[.]voluntariosxvenezuela[.]com?
  3. Can you determine or infer who is behind this domain-infringing DNS poisoning attack?
  4. Are there any other websites that the threat actor is currently using or has used in attacks?
  5. What are some ways people can protect themselves against DNS spoofing?

Step by Step Video