OpenTIP, command line edition

For more than a year, we have been providing free intelligence services via the OpenTIP portal. Using the web interface, anyone can upload and scan files with our antivirus engine, get a basic sandbox report, look up various network indicators (IP addresses, hosts, URLs). Later on, we presented an easy-to-use HTTPS-based programming interface, so that you could use the service in your own scripts and integrate it in existing workflow.

OpenTIP web interface – upload, look up, get results!

Of course, it is much easier to use the API when there is a set of working examples. It is also more convenient to integrate with existing tools and scripts when you have a command line utility that interacts with the service. We decided have both in one package, by releasing Python-based command line tools for the service that also implement a client class that you can reuse in your own tools.

A few words about privacy

The OpenTIP service has its own Terms of Use, End-User Agreement and a Privacy Policy; and the command line tools can only be accessed with an API token, that in turn can be only obtained after agreeing to all the terms. Please read them carefully. By default, the “opentip” scanner may upload the files being checked if their hashes are not yet known to the service, so please ensure that you are familiar with the policies. And, of course, the sample upload can be turned off.

Setting things up

The command line tools need the “apikey”, that is, a usual web API access token. You can generate it at this page (you may be required to register or log in into the web version of the service). The key can then be permanently set up as an environment variable “OPENTIP_APIKEY” or provided as a command line option “–apikey VALUE_OF_THE_KEY”. By default, the API key has certain rate limitations that may be changed in future, so please contact us if your scripts hit the rate limits.

The tools and the Python 3 client class can be all installed from pip:

pip3 install opentip

The code is also published on Github, so you can easily inspect and package it yourself. At the time of writing, the package has no external dependencies and should run on any modern Python 3 distribution.

Once installed, Python will also generate two executables (scripts, or binary wrappers, depending on the platform), named “opentip” and “check_iocs”.

The OpenTIP Scanner

The scanner is named “opentip” (or “opentip.exe”), as is the primary tool for quickly checking files and directories. The standard usage banner is pretty simple and self-descriptive:

usage: opentip [-h] [–no-upload] [–exclude EXCLUDE] [–log LOG] [–apikey APIKEY] [–quiet] path [path …]

Check files and directories with OpenTIP.kaspersky.com, optionally upload and scan unknown files

positional arguments:
path File or directory location to scan

optional arguments:
-h, –help show this help message and exit
–no-upload DO NOT upload unknown files to scan with the Sandbox, default behaviour is to upload
–exclude EXCLUDE Do not scan or upload the files matching the pattern
–log LOG Write results to the log file
–apikey APIKEY OpenTIP API key, received from https://opentip.kaspersky.com/token
–quiet Do not log clean files

The easiest and most basic mode of operation is to provide the location of the files or directories to scan. Directories are processed recursively, and unknown files are uploaded for checking by default (subject to the privacy policy, use “–no-upload” to change default behavior). The results are printed on stdout, and can also be redirected to a log file. The “–exclude” option allows you to disable the checks for any path locations, and with the “–quiet” option the script will print out only the positive detections.

$ opentip .
2022-08-01 16:23:22,638 ./package/main.py: Malware: Trojan.Python.Lofy.a
2022-08-01 16:23:22,766 ./package/package.json: NotCategorized
2022-08-01 16:23:22,965 ./package/index.js: NoThreats

Typical output of the scanner

Since the package has no external dependencies, it can be used to quickly deploy the scanner and check a fleet of remote machines, and the OPENTIP_APIKEY environment variable makes it easier to use the scanner in containers.

The IOC checker script

The second tool, named “check_iocs”, has a different purpose: you can use it to quickly query the OpenTIP service for file hashes, domains, IPs and URLs.

usage: check_iocs [-h] [–apikey APIKEY] [–out OUT] type value

Check IOCS (file hashes, IP addresses, domain names, URLs using the service OpenTIP.kaspersky.com

positional arguments:
type hash, ip, domain, url
value Value of the IOC (hash, ip, domain, url, filename with the iocs)

optional arguments:
-h, –help show this help message and exit
–apikey APIKEY OpenTIP API key, received from https://opentip.kaspersky.com/token
–out OUT, -o OUT Write output as JSON to this filename

The script requires two arguments: the type of the input data (“hash”, “ip”, “domain”, “url”, “filename”) and either the actual value of the data to check, or the path of the filename that contains the list of values, one per line.

$check_iocs hash list_of_md5.txt
[IOC]: d41d8cd98f00b204e9800998ecf8427e : Unknown
[IOC]: 46c5070ed139ca8121c07eda20587e3f : {‘Zone’: ‘Grey’, ‘FileGeneralInfo’: {‘FileStatus’: ‘NotCategorized’, ‘Sha1′: ’24F7BAF656DCAC1FF43E4479AD8A5F4DF8052900’, ‘Md5′: ’46C5070ED139CA8121C07EDA20587E3F’, ‘Sha256′: ’04FC2B072775EA05AB6C9E117EFBFD1C56D2F1B45D1AC175001A186452269F3C’, ‘FirstSeen’: ‘1970-01-01T00:00:00Z’, ‘LastSeen’: ‘1970-01-01T00:00:00Z’, ‘Size’: 464, ‘Type’: ‘text’}, ‘DynamicAnalysisResults’: {‘Detections’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}], ‘SuspiciousActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Grey’}], ‘NetworkActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Green’}, {‘Zone’: ‘Grey’}]}}
[IOC]: 0067bc5d4d92fe9445e41f347944196e : {‘Zone’: ‘Red’, ‘FileGeneralInfo’: {‘FileStatus’: ‘Malware’, ‘Sha1’: ‘F666104C83CB18F2ED345A11C34EE9A32CD2ABC1’, ‘Md5’: ‘0067BC5D4D92FE9445E41F347944196E’, ‘Sha256’: ‘8B615582D92D42FEEFCEEBA03E65D16773F2B227ED1CD17C82462641A9D249D9’, ‘FirstSeen’: ‘2022-07-27T11:48:00Z’, ‘LastSeen’: ‘2022-07-30T12:44:00Z’, ‘Size’: 10466, ‘Type’: ‘Txt’, ‘HitsCount’: 10}, ‘DetectionsInfo’: [{‘LastDetectDate’: ‘2022-07-30T12:50:35.887Z’, ‘Zone’: ‘Red’, ‘DetectionName’: ‘Trojan.Python.Lofy.a’}], ‘DynamicAnalysisResults’: {‘Detections’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}], ‘SuspiciousActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Grey’}], ‘NetworkActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Green’}, {‘Zone’: ‘Grey’}]}}
[IOC]: e1dc5ff6a1febdd4db11901fc295364f : {‘Zone’: ‘Green’, ‘FileGeneralInfo’: {‘FileStatus’: ‘NoThreats’, ‘Sha1’: ‘49217E09D0C33FF3C958AFBDCB60F977E10104E0’, ‘Md5’: ‘E1DC5FF6A1FEBDD4DB11901FC295364F’, ‘Sha256’: ‘EAB0020A475BB1CF70CA5C9569DEFE5F1A7160A9D334144DA47924418EE2C9E7’, ‘FirstSeen’: ‘2022-07-30T10:03:00Z’, ‘LastSeen’: ‘2022-07-30T10:20:00Z’, ‘Size’: 34768, ‘Type’: ‘Js’, ‘HitsCount’: 10}, ‘DynamicAnalysisResults’: {‘Detections’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}], ‘SuspiciousActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Grey’}], ‘NetworkActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Green’}, {‘Zone’: ‘Grey’}]}}

Typical output of the check_iocs tool

The output is much more comprehensive than the one provided by the scanner and is JSON-encoded, so that it can be parsed automatically.

The Python API class

Both command line tools are actually using a single Python class to access the OpenTIP service, and you can use the source code of the tools as a reference for your own scripts.

The OpenTIP client can be easily instantiated with a few lines:

from opentip.client import OpenTIP
client = OpenTIP(APIKEY)

To query the OpenTIP for a known indicator, use a single call:

client.get_verdict_by_ioc(ioc_type, ioc)

For example:

>>> client.get_verdict_by_ioc(‘hash’, ‘0067bc5d4d92fe9445e41f347944196e’)

To scan a file (with upload turned on by default), returning a tuple of (filename, results), call:



>>> client.scan_file(‘package/main.py’)
(‘package/main.py’, ‘{“Zone”:”Red”,”FileGeneralInfo”:{“FileStatus”:”Malware”,”Sha1″:”F666104C83CB18F2ED345A11C34EE9A32CD2ABC1″,”Md5″:”0067BC5D4D92FE9445E41F347944196E”,”Sha256″:”8B615582D92D42FEEFCEEBA03E65D16773F2B227ED1CD17C82462641A9D249D9″,”FirstSeen”:”2022-07-27T11:48:00Z”,”LastSeen”:”2022-07-30T12:44:00Z”,”Size”:10466,”Type”:”Txt”,”HitsCount”:10},”DetectionsInfo”:[{“LastDetectDate”:”2022-07-30T12:50:35.887Z”,”Zone”:”Red”,”DetectionName”:”Trojan.Python.Lofy.a”}],”DynamicAnalysisResults”:{“Detections”:[{“Zone”:”Red”},{“Zone”:”Yellow”}],”SuspiciousActivities”:[{“Zone”:”Red”},{“Zone”:”Yellow”},{“Zone”:”Grey”}],”NetworkActivities”:[{“Zone”:”Red”},{“Zone”:”Yellow”},{“Zone”:”Green”},{“Zone”:”Grey”}]}}’)

To disable file upload for unknown files, instantiate the OpenTIP with no_upload=True.

>>> client = OpenTIP(OPENTIP_APIKEY, no_upload=True)
>>> client.no_upload

Any ideas are welcome

This is just the beginning, and we welcome any kind of input, pull requests and feature requests to make the service more convenient. If you have any issues or questions regarding the scripts, please contact us by creating a Github issue or using the OpenTIP contact form.

We released Python-based command line tools for our OpenTIP service that also implement a client class that you can reuse in your own tools.Read More

Education hammered by exploits and backdoors in 2021 and 2022

In May of 2021, education underwent a siege of exploit attempts using the vulnerability CVE-2021-21551, which exploits a Dell system driver bug and helps attackers to gain access to a network. Considering that many schools across the United States use Dell hardware, it’s understandable to see such a large amount of this exploit. 

In fact, both Rockland Schools in Massachusetts and Visalia USD in California were hit with ransomware attacks during this period. The states that detected this threat the most were Minnesota and Michigan, with Detroit being the biggest target in the US. 

In September of 2021, there was a spike of the malicious setting, RiskwareTool.IFEOHijack, with detections having increased from July 2021 onward. This threat is flagged when malware modifies a registry setting that changes the default Windows debugger to a malware executable. It is a red flag that needs to be investigated immediately. Unfortunately, it doesn’t pinpoint which malware made the modification, but the increased presence of this threat, especially in Oklahoma and Washington State, calls for deeper threat hunting on the victims’ networks. During the same period, a spike in exploit detections was observed and Howard University was breached.

The Trojan TechSupportScam covers an array of applications all designed to fool users into calling a “tech support” number to solve a problem created by the application, such as a blue screen, error message, activation alert, etc. These tools started spiking in January of 2022.  Educational institutions in New Jersey have had to deal with this threat more than any other state, however the public school district of Albuquerque, NM suffered a breach during the same month that could have been influenced by this spike in scams. Students and staff likely encountered these threats when installing risky software and/or visiting shady sites.

Finally, Pennsylvania schools have been dealing with an active campaign of backdoors, specifically QBot, since March of 2022, which will likely result in greater infections during the rest of 2022.

Beyond spikes in detections, the education sector has dealt with an onslaught of attacks ranging from spyware and denial of service tools to ransomware.  Throughout the year, almost every month has a report of an educational institution under attack. The first half of 2021 saw attacks against schools in Florida, New York, Oregon, Massachusetts, and California, while the second half saw attacks against Texas, Washington D.C., Wisconsin, and Illinois. The biggest attack of 2022, so far, would be the breach of Austin Peay State University in April, though time will tell if that remains true.

The education industry has the largest userbase out of all industries, considering the constant rotation of students and faculty. Therefore, the greatest threat to these organizations are the users themselves, who may download their own applications, visit dangerous websites, and even make system modifications to get around monitoring tools.

Recommendations for education

Our recommendation for this sector includes keeping an eye out for all new exploits that might affect your organization, especially commonly used systems. In a lot of cases, organizations may have a difficult time updating quickly, because of operational needs, but in the case of schools, a single vulnerability might be duplicated across 99% of its endpoints, which turns each of those systems into backdoors for the bad guys. So, making vulnerability patching one of the highest priorities will reduce attacks and decrease malicious file installation.

Next, systems that have been infected may leave behind artifacts of its operations, for example the IFEOHijack registry setting. Additionally, threats that may be installed on day one, might not activate until a user does something specific, or a certain date comes around, allowing the threat to hide in the meantime. To combat this threat, consider creating a secure, default system image that can be easily duplicated to endpoints, returning them to a default state. While this is likely already done by many schools every year, consider increasing the frequency to every quarter, maybe even every month, and have students save their files on cloud-based storage solutions.

By utilizing a default image, an organization can erase hidden malware, reset modified settings, and provide confidence in quickly isolating or wiping out an infected system. For the education industry, it’s not so much about what threats are actively targeting schools, but rather what threats have been left behind, that open doors for other, future attacks.

How to incorporate ACM PCA into your existing Windows Active Directory Certificate Services

Using certificates to authenticate and encrypt data is vital to any enterprise security. For example, companies rely on certificates to provide TLS encryption for web applications so that client data is protected. However, not all certificates need to be issued from a publicly trusted certificate authority (CA). A privately trusted CA can be leveraged to issue certificates to help protect data in transit on resources such as load-balancers and also device authentication for endpoints and IoT devices. Many organizations already have that privately trusted CA running in their Microsoft Active Directory architecture via Active Directory Certificate Services (ADCS).

This post outlines how you can use Microsoft’s Windows 2019 ADCS to sign an AWS Certificate Manager (ACM) Private Certificate Authority (Private CA) instance, extending your existing ADCS system into your AWS environment. This will allow you to issue certificates via ACM for resources like Application Load Balancer that are trusted by your Active Directory members. The ACM PCA documentation talks about how to use an external CA to sign the ACM PCA certificate. However, it leaves the details of the external CA outside of the documentation scope.

Why use ACM PCA?

AWS Certificate Manager Private Certificate Authority (ACM Private CA or ACM PCA) is a private CA service that extends ACM certificate management capabilities to both public and private certificates. ACM PCA provides a highly available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA. ACM PCA allows developers to be more agile by providing them with APIs to create and deploy private certificates programmatically. You also have the flexibility to create private certificates for applications that require custom certificate lifetimes or resource names.

Why use ACM PCA with Windows Active Directory?

Many enterprises already use Active Directory to manage their IT resources. Whether it is on-premises or built into your AWS accounts, Active Directory’s built-in CA can be extended by ACM PCA. Using your ADCS to sign an ACM PCA means that members of your Active Directory automatically trust certificates issued by that ACM PCA. Keep in mind that these are still private certificates, and they are intended to be used just like certificates from ADCS itself. They will not be trusted by unmanaged devices, because these are not signed by a publicly trusted external CA. Therefore, systems like Mac and Linux may require that you manually deploy the ADCS certificate chain in order to trust certificates issued by your new ACM PCA.

This means it is more efficient for you to rapidly deploy certificates to your endpoint workstations for authentication. Or you can protect internal-only workloads with certificates that are constrained to your internal domain namespace. These tasks can be done conveniently through AWS APIs and the AWS SDK.

Solution overview

In the following sections, we will configure Microsoft ADCS to be able to sign a subordinate CA, deploy and sign ACM PCA, and then test the solution using a private website that is protected by a TLS certificate issued from the ACM PCA.

Configure Microsoft ADCS

Microsoft ADCS is normally deployed as part of your Windows Active Directory architecture. It can be extended to do multiple different types of certificate signing depending on your environment’s needs. Each of these different types of certificates is defined by a template that you must enable and configure. Each template contains configuration information about how Microsoft ADCS will issue the certificate type. You can copy and configure templates differently depending on your environment’s requirements. The specifics of each type of template is outside the scope of this blog post.

To configure ADCS to sign subordinate CAs

On the CA server that will be signing the private CA certificate, open the Certification Authority Microsoft Management Console (MMC).
In the left-side tree view, expand the name of the server.
Open the context (right-click) menu for Certificate Templates and choose Manage.

Figure 1: Navigating to the Manage option for the certificate templates

This opens the Certificate Template Console, which is populated with the list of optional templates.

Scroll down, open the context (right-click) menu for Subordinate Certification Authority, and choose Duplicate Template, as shown in Figure 2. This will create a duplicate of the template that you can alter for your needs, while leaving the original template unaltered for future use. Selecting Duplicate Template immediately opens the configuration for the new template.

Figure 2: Select Duplicate Template to create a copy of the Subordinate Certification Authority template

To configure and use the new template

On the new template configuration page, choose the General tab, and change the template display name to something that uniquely identifies it. The example in this post uses the name Subordinate Certification Authority – Private CA.
Select the check box for Publish certificate in Active Directory, and then choose OK. The new template appears in the list of available templates. Close the Certificate Templates Console.
Return to the Certification Authority MMC. Open the context (right-click) menu for Certificate Templates again, but this time choose New -> Certificate Template to Issue.

Figure 3: Issue the new Certificate Template you created for subordinate Cas

In the dialog box that appears, choose the new template you created in Step 1 of this procedure, and then choose OK.

That’s all that’s needed! Your CA is now ready to issue certificates for subordinate CAs in your public key infrastructure. Open a browser from either the ADCS CA server itself or through a network connection to the ADCS CA server, and use the following URL to access the certificate server’s certificate signing interface.


Now you can see that in the Certificate Templates list, you can choose the Subordinate Certification Authority template that you created, as shown in Figure 4.

Figure 4: The interface to sign certificates on your CA now shows the new certificate template you created

Deploy and sign the ACM Private CA’s certificate

In this step, you will deploy the ACM PCA, which is the first step to create a subordinate CA to deploy in your AWS account. The process of deploying the ACM PCA is well documented, so this post will not go into depth about the deployment itself. Instead, this procedure focuses on the steps for taking the certificate signing request (CSR) and signing it against the ADCS, and then covers the additional steps to convert the certificates that ADCS produces into the certificate format that ACM PCA expects.

After the ACM PCA is initially deployed, it needs to have a certificate signed to authenticate it. ACM PCA offers two options for signing the new instance’s certificate. You can choose to sign either through another ACM PCA instance, or via an external CA. Since you are using ADCS in this walkthrough, you will use the process of an external CA. The ACM PCA deployment is now at a point where it needs its CSR signed by Microsoft ADCS. You should see that it is ready in the AWS Management Console for ACM PCA.

To deploy and sign the ACM PCA’s certificate

When the ACM PCA is ready, in the ACM PCA console, begin the Install subordinate CA certificate process by choosing External private CA for the CA type.

Figure 5: Options for signing the new instance’s certificate

You will then be provided the certificate signing request (CSR) for the ACM PCA. Copy and paste the CSR content into the ADCS CA signing URL you visited earlier on the CA server. Then choose Next. The next page is where you will paste in the new signed certificate and certchain in a later step.
From the ADCS CA URL, be sure that the new Subordinate Certification Authority template is selected, and then choose Submit. The new certificate will be issued to you. The ADCS issuing page provides two different formats for the certificate, either as Distinguished Encoding Rules (DER) or base64-encoded.
Copy the base64-encoded files for both the certificate and the certchain to your local computer. The certificate is already in Privacy Enhanced Mail (PEM) format, and its contents can be pasted into the ACM PCA certificate input in the console. However, you must convert the certchain into the format required by the ACM PCA by following these steps:
To convert the format of the certchain, use the openssl tool from the command line. The process of installing the openssl tool is outside the scope of this blog post. Refer to the OpenSSL site documentation for installation options for your operating system.
Use the following command to convert the certchain file from Public Key Cryptographic Standards #7 (PKCS7) to PEM.

openssl pkcs7 -print_certs -in certnew.p7b -out certchain.pem

Using a text editor, open the certchain.pem file and copy the last certificate block from the file, starting with —–BEGIN CERTIFICATE—– and ending with —–END CERTIFICATE—–. You will notice that the file begins with the signed certificate and includes subject= and issuer= statements. ACM PCA only accepts the content that is the certificate chain.

Return to the ACM PCA console page from Step 1, and paste the text the you just copied into the input area provided for the certificate chain. After this step is complete, the private CA is now signed by your corporate PKI.

Test the solution

Now that the ACM PCA is online, one of the things it can do is issue certificates via ACM that are trusted by your corporate Active Directory joined clients. These certificates can be used in services such as Application Load Balancers to provide TLS protected endpoints that are unique to your organization and trusted only by your internal clients.

From a client joined to our test Active Directory, Internet Explorer shows that it trusts the TLS certificate issued by AWS Certificate Manager and used on the Application Load Balancer for a private site.

Figure 6: Internet Explorer showing that it trusts the TLS certificate

For this demo, we created a test web server that is hosting an example webpage. The web server is behind an AWS Application Load Balancer. The TLS certificate attached to the Application Load Balancer is issued from the new ACM PCA.


Organizations that have Microsoft Active Directory deployed can use Active Directory’s Certificate Services to issue certificates for private resources. This blog post shows how you can extend that certificate trust to AWS Certificate Manager Private CA. This provides a way for your developers to issue private certificates automatically, which are trusted by your Active Directory domain-joined clients or clients that have the ADCS certificate chain installed.

For more information on hybrid public key infrastructure (PKI) on AWS, refer to these blog posts:

How to implement a hybrid PKI solution on AWS
Integrating Microsoft Active Directory with AWS Certificate Manager Private CA using Secardeo certEP

For more information on certificates for Mac and Linux, refer to the following resources:

Add certificates to a keychain using Keychain Access on Mac
Ubuntu – Installing a root CA certificate in the trust store
RedHat – Making CA certificates available to Linux command-line tools

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Want more AWS Security news? Follow us on Twitter.

Geoff Sweet

Geoff has been in industry for over 20 years, and began his career in Electrical Engineering. Starting in IT during the dot-com boom, he has held a variety of diverse roles, such as systems architect, network architect, and, for the past several years, security architect. Geoff specializes in infrastructure security.

Using certificates to authenticate and encrypt data is vital to any enterprise security. For example, companies rely on certificates to provide TLS encryption for web applications so that client data is protected. However, not all certificates need to be issued from a publicly trusted certificate authority (CA). A privately trusted CA can be leveraged toRead More


Former Twitter Employee Found Guilty of Spying for Saudi Arabia

A former Twitter employee has been pronounced guilty for his role in digging up private information pertaining to certain Twitter users and turning over that data to Saudi Arabia.
Ahmad Abouammo, 44, was convicted by a jury after a two-week trial in San Francisco federal court, Bloomberg reported Tuesday. He faces up to 20 years in prison when sentenced.
The verdict comes nearly three yearsA former Twitter employee has been pronounced guilty for his role in digging up private information pertaining to certain Twitter users and turning over that data to Saudi Arabia.
Ahmad Abouammo, 44, was convicted by a jury after a two-week trial in San Francisco federal court, Bloomberg reported Tuesday. He faces up to 20 years in prison when sentenced.
The verdict comes nearly three yearsRead More

The Security Pros and Cons of Using Email Aliases

One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here’s a look at the pros and cons of adopting a unique alias for each website.

What is an email alias? When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that prefaced by a “+” sign just to the left of the “@” sign in your email address. For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called “Example,” along with a new filter that sends any email addressed to that alias to the Example folder.

Importantly, you don’t ever use this alias anywhere else. That way, if anyone other than example.com starts sending email to it, it is reasonable to assume that example.com either shared your address with others or that it got hacked and relieved of that information. Indeed, security-minded readers have often alerted KrebsOnSecurity about spam to specific aliases that suggested a breach at some website, and usually they were right, even if the company that got hacked didn’t realize it at the time.

Alex Holden, founder of the Milwaukee-based cybersecurity consultancy Hold Security, said many threat actors will scrub their distribution lists of any aliases because there is a perception that these users are more security- and privacy-focused than normal users, and are thus more likely to report spam to their aliased addresses.

Holden said freshly-hacked databases also are often scrubbed of aliases before being sold in the underground, meaning the hackers will simply remove the aliased portion of the email address.

“I can tell you that certain threat groups have rules on ‘+*@’ email address deletion,” Holden said. “We just got the largest credentials cache ever — 1 billion new credentials to us — and most of that data is altered, with aliases removed. Modifying credential data for some threat groups is normal. They spend time trying to understand the database structure and removing any red flags.”

Why might spamming aliases be a bad idea? According to the breach tracking site HaveIBeenPwned.com, only about .03 percent of the breached records in circulation today include an alias.

Email aliases are rare enough that seeing just a few email addresses with the same alias in a breached database can make it trivial to identify which company likely got hacked and leaked said database. That’s because the most common aliases are simply the name of the website where the signup takes place, or some abbreviation or shorthand for it.

Hence, for a given database, if there are more than a handful of email addresses that have the same alias, the chances are good that whatever company or website corresponds to that alias has been hacked.

That might explain the actions of Allekabels, a large Dutch electronics web shop that suffered a data breach in 2021. Allekabels said a former employee had stolen data on 5,000 customers, and that those customers were then informed about the data breach by Allekabels.

But Dutch publication RTL Nieuws said it obtained a copy of the Allekabels user database from a hacker who was selling information on 3.6 million customers at the time, and found that the 5,000 number cited by the retailer corresponded to the number of customers who’d signed up using an alias. In essence, RTL argued, the company had notified only those most likely to notice and complain that their aliased addresses were suddenly receiving spam.

“RTL Nieuws has called more than thirty people from the database to check the leaked data,” the publication explained. “The customers with such a unique email address have all received a message from Allekabels that their data has been leaked – according to Allekabels they all happened to be among the 5000 data that this ex-employee had stolen.”

HaveIBeenPwned’s Hunt arrived at the conclusion that aliases account for about .03 percent of registered email addresses by studying the data leaked in the 2013 breach at Adobe, which affected at least 38 million users. Allekabels’s ratio of aliased users was considerably higher than Adobe’s — .14 percent — but then again European Internet users tend to be more privacy-conscious.

While overall adoption of email aliases is still quite low, that may be changing. Apple customers who use iCloud to sign up for new accounts online automatically are prompted to use Apple’s Hide My Email feature, which creates the account using a unique email address that automatically forwards to a personal inbox.

What are the downsides to using email aliases, apart from the hassle of setting them up? The biggest downer is that many sites won’t let you use a “+” sign in your email address, even though this functionality is clearly spelled out in the email standard.

Also, if you use aliases, it helps to have a reliable mnemonic to remember the alias used for each account (this is a non-issue if you create a new folder or rule for each alias). That’s because knowing the email address for an account is generally a prerequisite for resetting the account’s password, and if you can’t remember the alias you added way back when you signed up, you may have limited options for recovering access to that account if you at some point forget your password.

What about you, Dear Reader? Do you rely on email aliases? If so, have they been useful? Did I neglect to mention any pros or cons? Feel free to sound off in the comments below.

One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here’s a look at the pros and cons of adopting a unique alias for each website.Read More

Compliance Certifications: Worth the Effort?

Because demonstrating compliance with industry regulations can be cumbersome and expensive, it’s important to ensure they’re also absolutely essential.Because demonstrating compliance with industry regulations can be cumbersome and expensive, it’s important to ensure they’re also absolutely essential.Read More

Twilio breached after social engineering attack on employees

Cloud-based communication platform provider Twilio has announced a breach via a social engineering attack on employees.

On August 4, 2022, Twilio says it became aware of unauthorized access to information related to a limited number of Twilio customer accounts, through the social engineering attack which was designed to steal employee credentials.

Text messages

A number of current and former employees received text messages that appeared to come from Twilio’s IT department. The messages said either the recipient’s password had expired, or that their schedule had changed, and that they needed to log in. To increase the credibility of the URLs they contained words including “Twilio,” “Okta,” and “SSO” (short for single sign-on) to try and trick users to click on a link which led to a fake log in site. At this site, the attacker could intercept the login credentals and use those to access the compromised accounts.

The attackers must have put in some effort to link the Twilio employees to their phone numbers. It seems likely they used data from another breach, or breaches, and searched for Twilio employee names with their phone numbers. It would be easy to assume that it might have been one of the LinkedIn data breaches from 2021, because employer data would be needed, but unfortunately there are many other options to combine data from other breaches.

It certainly does add a layer of credibility to the attack, since most people don’t give their telephone number to just anyone, but their employer would know it.

Take down

Once Twilio confirmed the incident, its security team revoked access to the compromised employee accounts to mitigate the attack and a forensics firm was engaged to aid the ongoing investigation.

The text messages originated from US carrier networks, and Twilio says it worked with these carriers to shut down the numbers, and worked with the hosting providers serving the malicious URLs to shut those accounts down. It’s possible, however, that the attackers will continue to rotate through carriers and hosting providers to resume their attacks.

Twilio customers

Twilio has notified the affected customers. If you were not contacted by Twilio, then it means there is no evidence that your account was impacted by this attack.


By providing employees with mobile devices or allowing them to use personal smartphones for work, organizations have increased the possible number of targets for phishing campaigns.

Since employees’ phones are usually outside of the scope of an organizations security software, protection against this sort of attack is not easy.

The massive use of smartphones, tablets and mobile applications in our daily lives, for personal and professional purposes, turns them into essential tools that we trust maybe a tad too much.

And it’s not just text messages you need to worry about. Social media, messaging apps, and even dating apps have created many other channels to deliver an attack.

Providing your employees with software that blocks malicious text messages and URLs will only be effective against long-running campaigns, so it’s likely that this one would have made it through.

The most effective strategy is education. Users need to learn that text messages are to be treated with the same amount of suspicion as unexpected emails. Especially if the text message contains a link.

Stay safe, everyone!