False Information Seeming Accurate
Yesterday's FISA stuff largely holds up, but there's an annoying false positive.
Yesterday in MIOS: Doin’ A FISA I thought I was really on to something.
The call logs I have are real. And the other information connected to them absolutely means this is FISA territory. But I stumbled into a really annoying false positive which I’m going to explain here in detail.
Attention Conservation Notice:
Pissed off ISP/hosting engineer ahead. I’m liable to use some driving words before this is over. Enter at your own risk.
Driving Words:
My ex-wife was typically polished and proper in her public presentation, but she had the biggest potty mouth imaginable behind the wheel. When our son started getting to the point of full sentences I made him aware that there were “driving words” - words that he could start using when he was old enough to get behind the wheel, but until then they were forbidden.
That being said, let’s explore a shithole web site and see if we can find the cock gobblers who operate it.
The nature of the call logs is such that there are some food security organizations in the mix. When I started processing the 606 ten digit phone numbers I found, I pasted them into Maltego in the format we typically use, XXX-YYY-ZZZZ, where XXX is the three digit area code and YYY is the three digit exchange. Since I knew some things about the people I was seeking, simply using the “Google Me” function available when you right click an entity was fine. A bare phone number search is often hopeless, but if you’ve got a couple of keywords, Google will do fine.
Those are the two known numbers for me - 202-642-1717 is my professional presence, which has not had an actual phone attached for ten years. 706-47-TROLL is a number I keep and occasionally use because it amuses me. The 706 number has been used recently, but a search for the 202 number brings up the aforementioned shithole.
So that’s factoid #1 - a bunch of random phone numbers all showed up as The Feed Foundation. That IP address, 45.79.187[.]117, is being used for thefeedfoundation[.]org.
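The two steps above (normalizing the numbers out of the call logs into Maltego’s XXX-YYY-ZZZZ style, then noticing that a pile of unrelated numbers all “resolve” to one site) can be checked mechanically before anyone spends three hours with pencil and paper. The script below is an added example, not code from the original post or from Maltego or RiskIQ. The log lines, the search-hit mapping and the hostnames other than the defanged thefeedfoundation[.]org are constructed for the example (reserved 555 exchanges and example.* domains), and the “three or more unrelated numbers pointing at one host” threshold is an assumption, not a rule from the post.

```python
import re
from collections import defaultdict

# Constructed sample call-log lines (NOT the author's real logs). The 555
# exchange is reserved for examples, so none of these numbers are real.
SAMPLE_LOG = """\
2024-03-01 09:12:44 IN  (202) 555-0147  dur=00:01:12
2024-03-01 09:40:02 OUT 202.555.0147    dur=00:00:31
2024-03-01 10:05:19 IN  +1 706-555-0199 dur=00:04:50
2024-03-02 11:30:00 OUT 18005550123     dur=00:00:05
2024-03-02 12:01:10 IN  555-0199        dur=00:00:09
2024-03-03 08:15:00 IN  (415) 555-0100  dur=00:02:22
"""

# NANP number: optional +1 / 1 prefix, three-digit area code (optionally in
# parentheses), three-digit exchange, four-digit subscriber number, with
# spaces, dots or dashes as separators. The look-arounds stop the pattern from
# biting into timestamps or longer digit runs.
NANP_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)


def extract_numbers(text):
    """Return the distinct ten-digit numbers in the text, in first-seen order,
    formatted as XXX-YYY-ZZZZ (the style pasted into Maltego). Seven-digit
    fragments with no area code are skipped: they cannot be searched
    unambiguously."""
    seen = []
    for match in NANP_RE.finditer(text):
        area, exchange, subscriber = match.groups()
        formatted = f"{area}-{exchange}-{subscriber}"
        if formatted not in seen:
            seen.append(formatted)
    return seen


# Constructed search results: number -> hostnames a search engine returned for
# it. Only the defanged thefeedfoundation[.]org comes from the post; the rest
# are reserved example domains standing in for genuine, number-specific hits.
SEARCH_HITS = {
    "202-555-0147": ["thefeedfoundation[.]org", "example.com"],
    "706-555-0199": ["thefeedfoundation[.]org"],
    "800-555-0123": ["thefeedfoundation[.]org", "example.net"],
    "415-555-0100": ["example.org"],
}


def shared_hit_hosts(hits, min_numbers=3):
    """Hostnames that appear in the results for at least min_numbers distinct
    numbers. Unrelated numbers converging on one host is the signature of a
    phone-lookup / affiliate site, not evidence that the numbers are linked.
    The threshold of three is an assumption for the example."""
    numbers_by_host = defaultdict(set)
    for number, hosts in hits.items():
        for host in hosts:
            numbers_by_host[host].add(number)
    return {
        host: sorted(numbers)
        for host, numbers in numbers_by_host.items()
        if len(numbers) >= min_numbers
    }


def drop_noisy_hosts(hits, noisy_hosts):
    """Return a copy of the search results with the lookup-site hosts removed,
    leaving only the hits that might actually identify a number's owner."""
    return {
        number: [host for host in hosts if host not in noisy_hosts]
        for number, hosts in hits.items()
    }


if __name__ == "__main__":
    numbers = extract_numbers(SAMPLE_LOG)
    print("Numbers for Maltego:", numbers)
    noisy = shared_hit_hosts(SEARCH_HITS)
    for host, nums in noisy.items():
        print(f"Probable lookup site {host}: claimed {len(nums)} unrelated numbers")
    print("Hits worth reading:", drop_noisy_hosts(SEARCH_HITS, noisy))
```

Running it prints the four normalized numbers (the bare 555-0199 fragment is dropped), flags thefeedfoundation[.]org as the one host that three unrelated numbers share, and shows that after removing it 706-555-0199 has no real hits left, which is exactly the “random numbers all showed up as The Feed Foundation” effect described above.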
FEED Foundation, domain feedfoundation.org, is a Guidestar listed nonprofit founded by Lauren Bush. They’ve been having some trouble with scam calls - this is from their Instagram.
And here’s where I began the plunge …
Have a look at the Maltego results for these domains. FeedProject.org is its own thing there at the lower left. But feedprojects[.]com and thefeedproject[.]org are entangled at the level of various martech identifiers. Now go and look at FEED Foundation and Feed Projects. They overlap in appearance and if you get mad enough to really start digging (which I did) you find there’s overlap in personnel.
And to spare you the gore of the excavation, after not quite three hours I got out pencil & paper and started checking the timeline of events very carefully.
I don’t know who Kristina Fell is or was, but someone using that name (or alias) was responsible for domain registration at FEED Foundation. And either through a business decision, or more likely an oversight, she lost control of thefeedfoundation[.]org in late 2018, and it was promptly scooped by the aforementioned cock gobblers.
What I Thought I Was Seeing:
This really looked like a nation state actor running a scammy phone number lookup site and using a wave of fraud to conceal the identities of the operators of a bunch of burner phones. Smoke screen for a network of agents for a hostile foreign power.
A Better Explanation:
A number of oddities converged here which left me seeing shapes where there were just shadows. Specifically:
The partition of management with shared ownership is unusual when the two legitimate sites have a similar atmosphere.
The happenstance of TheFeedFoundation domain being entangled with phone number lookups when I expected to see food security related stuff.
Who could imagine Lauren Bush would marry Ralph Lauren’s son, David? Lauren Bush LAUREN doesn’t sound like a mistake a Nigerian 419er would make, does it?
The martech entanglements and the progression of hosting weren’t easy to separate; I literally did have pencil and pad out as I was checking off stuff going through RiskIQ.
Calling In An Air Strike:
About twenty years ago I opened an email and … just paused. I think the source was Chet Uber, but one of the people involved was Vint Cerf. If the internet were the music business, that’s the equivalent of Taylor Swift getting cc: on something sent to you. I never talked to him, I was just a groundling doing groundling type stuff.
Now here we are, a couple decades later, and I’m again in a circle where someone said “I’m not sure who fixes that at Google, but I’ll ask Vint …”
So we’re in a chat room this morning discussing if this is a systemic problem that’s happening all over, or if it’s a never to be repeated corner condition. I think it’s repeatable for any high recognition site that’s fumbled, but the trick is stimulating the Google immune system enough to react to it. They have internal constraints that they don’t explain, but as I understand it one does not just casually adjust the input/output. Getting the system to ignore this one specific thing is likely a bridge too far.
Ground Assault:
It’s been six years since I published something on the nrauhauser Open Threat Exchange, but this one has me … cranky. This is probably not the right place to put this, but I’m not properly tuned into the MITRE ATT&CK universe. If nothing else this will give anyone digging with commercial Maltego or using RiskIQ with the OTX integration something in the way of a heads up about this.
As I’m poking around in this thing, using TAILS, I am seeing the same pattern I saw in East Bay Craigslist Scammer. This site is profiting by having an affiliate link to Intelius(!)
Conclusion:
Welp, I did it, here’s my sad little OTX Pulse on this problem. It just amazes me that a front line service like Intelius would permit affiliate marketing through something like this. Should I stop trying to do anything real and focus on farming a bunch of affiliate junk like that here?
lol nah … the reason I went down this rabbit hole still IS a national security threat. Since I don’t want to live in some shitty little theocracy, I guess I better stay on station and alert.
And having reviewed this … I think it’s time to have a word with the nice people at feedfoundation.org. They might have fangs long enough to get through and put a stop to this.