Category Archives: Maghreb

Political Spearphishing

If you’ve ever visited my LinkedIn you know that I admit to working for a “nameless detective agency” in Los Angeles. I haven’t displayed any of the stuff I’ve been doing, but this week I got something where I can make my findings public, a broad political spearphishing campaign.

The origin of the emails was obfuscated, but all anchored at mesrv.com. Using Maltego I found dozens of subdomains.

Many Mail Servers

The Whois lookup for the domain was completely useless, a proxy registration intended to thwart diggers.

mesrv.com Current Whois

But this particular operator didn’t register clean at the start of this game. Hello, Mohammed Benyahia.

mesrv.com by Mohammed Benyahia

The other 21 domains associated with his name were available:

Mohammed Benyahia domains

Domains are registered to mohamed.benyahia@tersea.com, and a quick scan shows that mesrv.com and tersea.com are quartered in the same place today. This gives me the sense I’ve got the right guy; it’s not like someone picked up the mesrv.com domain at random and put it to work using Benyahia’s business as a cover.

mesrv.com & tersea.com

I visited tersea.com’s site and they conveniently revealed the @tersea Twitter account. It only took moments to find @Salutismo, Benyahia’s personal account, and then from there the rest fell out quickly.

@tersea & @Salutismo Common Contacts

Some of those are big media accounts; stripping those, it appears we’ve found some possible associates:

Benyahia’s Probable Associates

Among them, I most like Dany Tech aka Omar Salhane, since he’s locked down and that sounds like a Moroccan name, same as Benyahia. Small accounts like these, particularly long abandoned, are absolute treasure: they’re a candid admission of how things were in the past, and only a really experienced player will know to clean up, or to salt their trail with fake stuff.

Omar Salhane's One Mention

So that’s some initial recon. We’re looking for someone who can pick out who is important in a specific left leaning political organization and go at them hard. A Moroccan living in Paris with rented servers in Ireland? That doesn’t add up, so at this point I guess this guy is a service provider to many activities, perhaps some shady, and I change direction a bit.

I found thirteen IPv4 and two IPv6 addresses active for the twenty one domains.

Active IPs

tersea.com & Friends

The tersea.com domain is hosted within AS36884 Wana in Morocco. There are some other servers within AS8560 1 & 1 in France.

1 & 1 Servers

I thought it would be interesting to employ ThreatCrowd, a Maltego transform that queries Alien Vault’s Open Threat Exchange. Two of the fifteen IPs came back hot – involved in malware campaigns. Notice the number of German domains here? All of Benyahia’s contacts are French speakers, so this looks like a generalized place for bad actors.

ThreatCrowd Results

And the main tersea.com domain came back hot, too.

tersea ThreatCrowd Results

I think Benyahia is a fraudster, a spammer, but he doesn’t read like someone who goes hunting in the American political space. He probably sold some services to someone who did, and that’s a deeper level of digging required to expose the truth. I haven’t seen the details on the attempts so I can’t predict if I’ll be able to display them here, or if they’re specific enough to identify the target.

This sort of work is fun for me, like doing a puzzle where there’s a scavenger hunt for the pieces before I can even start.

masecretaireprivee.com
meilleuregarantie.com
hotlineprivee.com
hotline-privee.com
clickconsulte.com
groupe-tersea.com
clikconsulte.com
clicconsult.com
clikconsult.com
clicconsulte.com
updatemybox.com
abdellahyacoubi.com
satisfaction-tui.com
pescallness.com
tercea.com
cozact.com
tersea.net
tersea.com
tersalia.com
mesrv.com
monrdvpro.com
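The pivots in the post (registrant e-mail to domains, domains to IPs, co-hosting, a historical WHOIS record that predates the privacy proxy, and a threat-intel lookup on the resulting IPs) can be automated once the raw lookups are collected, so that a new sender domain is matched against infrastructure already seen. The following Python is an added example, not code from the post; it runs over constructed passive-DNS-style records on documentation domains and IP ranges rather than the real domains listed above, and the proxy registrant address, ASNs and known-bad IP set are assumptions standing in for what WHOIS, BGP and ThreatCrowd/OTX lookups would return.

```python
"""Cluster sender domains by shared registrant and shared hosting, then flag clusters
that touch known-bad IPs. Added example; all data below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    domain: str
    ip: str
    asn: str
    registrant: str  # registrant e-mail from the current WHOIS record


# Constructed sample records on documentation domains/IP ranges (RFC 2606 / RFC 5737).
RECORDS = [
    Record("mail-a.example", "203.0.113.10", "AS64500", "privacy@proxy-registrar.example"),
    Record("mail-a.example", "203.0.113.11", "AS64500", "privacy@proxy-registrar.example"),
    Record("corp-b.example", "203.0.113.10", "AS64500", "owner@corp-b.example"),  # co-hosted with mail-a
    Record("corp-c.example", "198.51.100.5", "AS64501", "owner@corp-b.example"),  # same registrant as corp-b
    Record("unrelated.example", "192.0.2.77", "AS64502", "someone@else.example"),
]

# Historical WHOIS: who registered the domain before it went behind a privacy proxy (constructed).
HISTORICAL_WHOIS = {"mail-a.example": "owner@corp-b.example"}

# Constructed threat-intel hits, standing in for a ThreatCrowd / OTX response.
KNOWN_BAD_IPS = {"198.51.100.5"}

# Privacy-proxy registrants link thousands of unrelated domains; never pivot on them.
PROXY_REGISTRANTS = {"privacy@proxy-registrar.example"}


def build_graph(records, historical_whois):
    """Undirected graph: domain nodes link to their IPs and to non-proxy registrants."""
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for r in records:
        link(("domain", r.domain), ("ip", r.ip))
        if r.registrant not in PROXY_REGISTRANTS:
            link(("domain", r.domain), ("registrant", r.registrant))
    # A pre-proxy registrant is as good a link as a current one.
    for domain, registrant in historical_whois.items():
        link(("domain", domain), ("registrant", registrant))
    return graph


def connected_components(graph):
    """Breadth-first search over the graph; each component is one infrastructure cluster."""
    seen, components = set(), []
    for start in graph:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nxt in graph[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        components.append(comp)
    return components


def cluster_infrastructure(records=RECORDS, historical_whois=HISTORICAL_WHOIS):
    """Return clusters as dicts of sorted domains, IPs and registrants."""
    clusters = []
    for comp in connected_components(build_graph(records, historical_whois)):
        clusters.append({
            "domains": sorted(n for kind, n in comp if kind == "domain"),
            "ips": sorted(n for kind, n in comp if kind == "ip"),
            "registrants": sorted(n for kind, n in comp if kind == "registrant"),
        })
    return sorted(clusters, key=lambda c: c["domains"])


def flag_clusters(clusters, records=RECORDS, bad_ips=KNOWN_BAD_IPS):
    """Attach the ASNs seen in each cluster and any threat-intel hits on its IPs."""
    asn_of_ip = {r.ip: r.asn for r in records}
    flagged = []
    for c in clusters:
        hits = sorted(ip for ip in c["ips"] if ip in bad_ips)
        flagged.append({**c, "asns": sorted({asn_of_ip[ip] for ip in c["ips"]}),
                        "bad_ips": hits, "flagged": bool(hits)})
    return flagged


def cluster_for(domain, flagged=None):
    """Look up the cluster a given domain belongs to."""
    if flagged is None:
        flagged = flag_clusters(cluster_infrastructure())
    return next(c for c in flagged if domain in c["domains"])


if __name__ == "__main__":
    for c in flag_clusters(cluster_infrastructure()):
        print(c)
```

In this sample the proxy-registered sender mail-a.example lands in the same cluster as corp-b.example and corp-c.example, both through the shared IP and through the historical WHOIS record, which is the kind of corroboration the post relies on, and the cluster is flagged because one of its IPs is on the known-bad list. Because shared hosting at large providers also produces IP overlap, a link that rests on a single co-hosted IP deserves a second pivot (registrant, name servers, or a threat-intel hit) before it is treated as attribution.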

The Simmering Maghreb

Arab Spring

Starting in Tunisia with the self immolation of Mohammed Bouazizi in late December of 2010, Arab Spring spread like wildfire, bowling over four governments and straining all their neighbors. Three years have passed and a wave of weapons from Libya, coupled with fighters from all over, have destabilized the ring of nations adjacent to those which have already revolted.

North Africa Islamist Troubles

The nations in the next tier to the south are equally disturbed, from Boko Haram in Nigeria to al Shabaab attacks in Kenya, while the Central African Republic is melting down due to internal issues, and unfinished business from the separation of South Sudan threatens to revive its conflict with Sudan.

Central Africa

Imperial implosions are always messy affairs. North Africa bears the marks of lines that have been repeatedly redrawn over the last 1200 years. The continent had hardly finished digesting the 20th century collapse of the English and French imperial efforts before the Soviet Union took a tumble. The U.S. is in a similar position to what the Soviet Union faced in the late 1980s: militarily and financially exhausted, staggering home from long running low intensity conflicts.

I mentioned AFRICOM’s expansion in U.S. Military in Africa and 2014 will bring both a Quadrennial Defense Review as well as the second ever Quadrennial Diplomacy & Development Review. I am looking forward to comparing the 2010 documents to what will be presented for 2014, seeking clues as to what our stance will be in this region.