From 44a9897f2a95978ce8de1d25d1a3aaa2f5d5fcdb Mon Sep 17 00:00:00 2001
From: Jean-Louis Huynen
Date: Tue, 3 Dec 2019 16:26:29 +0100
Subject: [PATCH 1/7] add: [dark-pattern] galaxy to tag dark patterns
---
 clusters/social-dark-patterns.json | 291 +++++++++++++++++++++++++++++
 galaxies/social-dark-patterns.json | 9 +
 2 files changed, 300 insertions(+)
 create mode 100644 clusters/social-dark-patterns.json
 create mode 100644 galaxies/social-dark-patterns.json
diff --git a/clusters/social-dark-patterns.json b/clusters/social-dark-patterns.json
new file mode 100644
index 0000000..997d589
--- /dev/null
+++ b/clusters/social-dark-patterns.json
@@ -0,0 +1,291 @@
+{
+ "authors": [
+ "Jean-Louis Huynen"
+ ],
+ "category": "dark-patterns",
+ "description": "Dark Patterns are user interface that tricks users into making decisions that benefit the interface's holder to the expense of the user.",
+ "name": "Dark Patterns",
+ "type": "social-dark-patterns",
+ "uuid": "61397bd8-0cc3-487e-b887-6212ca5b24d3",
+ "values": [
+ {
+ "description": "Repeated requests to do something the firms prefer",
+ "meta": {
+ "category": [
+ "Nagging"
+ ],
+ "refs": [
+ "https://dl.acm.org/citation.cfm?id=3174108",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "1187c11d-7506-4d7d-95a2-a55d9dfe3618",
+ "value": "Nagging"
+ },
+ {
+ "description": "Misleading notice about other consumers' actions",
+ "meta": {
+ "category": [
+ "Social Proof"
+ ],
+ "refs": [
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "349f3f22-2f5c-4cba-903f-6c9db2c73d9b",
+ "value": "Activity Messages"
+ },
+ {
+ "description": "Misleading statements from customers",
+ "meta": {
+ "category": [
+ "Social Proof"
+ ],
+ "refs": [
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "ffe91c0a-1aa7-450d-9c2e-28a0292ea513",
+ "value": "Testimonials"
+ },
+ {
+ "description": "Asymmetry between signing up and canceling",
+ "meta": {
+ "category": [
+ "Obstruction"
+ ],
+ "refs": [
+ "https://dl.acm.org/citation.cfm?id=3174108",
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "9175e2d8-80bc-4d72-bc28-d5502c47e2ed",
+ "value": "Roach Motel"
+ },
+ {
+ "description": "Frustrates comparison shopping",
+ "meta": {
+ "category": [
+ "Obstruction"
+ ],
+ "refs": [
+ "https://www.darkpatterns.org/",
+ "https://dl.acm.org/citation.cfm?id=3174108",
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "0303d7fa-eb2a-417d-ae79-2d5ff4f8b992",
+ "value": "Price Comparison Prevention"
+ },
+ {
+ "description": "Purchases in virtual currency to obscure cost",
+ "meta": {
+ "category": [
+ "Obstruction"
+ ],
+ "refs": [
+ "https://www.darkpatterns.org/",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "9f0c9e89-75ab-4b6b-981e-ae8161c0d3e3",
+ "value": "Intermediate Currency"
+ },
+ {
+ "description": "Item consumer did not add is in cart",
+ "meta": {
+ "category": [
+ "Sneaking"
+ ],
+ "refs": [
+ "https://www.darkpatterns.org/",
+ "https://dl.acm.org/citation.cfm?id=3174108",
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "c4ae0bb6-cd07-46f5-b2c5-ec2df04e5484",
+ "value": "Sneak into Basket"
+ },
+ {
+ "description": "Costs obscured / disclosed late in transaction",
+ "meta": {
+ "category": [
+ "Sneaking"
+ ],
+ "refs": [
+ "https://www.darkpatterns.org/",
+ "https://dl.acm.org/citation.cfm?id=3174108",
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "b2e1e74b-a740-4f8c-b8f4-6822ee7d197d",
+ "value": "Hidden Costs"
+ },
+ {
+ "description": "Unanticipated / undesired automatic renewal",
+ "meta": {
+ "category": [
+ "Sneaking"
+ ],
+ "refs": [
+ "https://www.darkpatterns.org/",
+ "https://dl.acm.org/citation.cfm?id=3174108",
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "fbd42a71-0adb-4fb4-a2f7-47c8113d5cab",
+ "value": "Hidden subscription / forced continuity"
+ },
+ {
+ "description": "Customer sold something other than what's originally advertised",
+ "meta": {
+ "category": [
+ "Sneaking"
+ ],
+ "refs": [
+ "https://dl.acm.org/citation.cfm?id=3174108",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "92d3a49e-6443-4dbf-a82a-fbc6e7cb1130",
+ "value": "Bait & Switch"
+ },
+ {
+ "description": "Important information visually obscured",
+ "meta": {
+ "category": [
+ "Interface Interference"
+ ],
+ "refs": [
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "339df582-ff4d-4d62-9815-58e06014ba8f",
+ "value": "Hidden information / aesthetic manipulation / false hierarchy"
+ },
+ {
+ "description": "Firm-friendly default is preselected",
+ "meta": {
+ "category": [
+ "Interface Interference"
+ ],
+ "refs": [
+ "https://petsymposium.org/2016/files/papers/Tales_from_the_Dark_Side__Privacy_Dark_Strategies_and_Privacy_Dark_Patterns.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "c2e274a5-2629-42a5-8c72-fd841f26c819",
+ "value": "Preselection"
+ },
+ {
+ "description": "Emotionally manipulative framing",
+ "meta": {
+ "category": [
+ "Interface Interference"
+ ],
+ "refs": [
+ "https://dl.acm.org/citation.cfm?id=3174108",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "9ca69b66-3497-473e-a0fd-44ff05f20703",
+ "value": "Toying with emotion"
+ },
+ {
+ "description": "Intentional or obvious ambiguity",
+ "meta": {
+ "category": [
+ "Interface Interference"
+ ],
+ "refs": [
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://dl.acm.org/citation.cfm?id=3174108",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "edf55230-f295-45d8-9be0-8ceb201154d6",
+ "value": "Trick questions"
+ },
+ {
+ "description": "Consumer induced to click on something that isn’t apparent ad",
+ "meta": {
+ "category": [
+ "Interface Interference"
+ ],
+ "refs": [
+ "https://dl.acm.org/citation.cfm?id=3174108",
+ "https://www.darkpatterns.org/types-of-dark-pattern",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "e19cbaaf-0f6d-4607-aff6-0608d361efdf",
+ "value": "Disguised Ad"
+ },
+ {
+ "description": "Choice framed in way that seems dishonest / stupid",
+ "meta": {
+ "category": [
+ "Interface Interference"
+ ],
+ "refs": [
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://www.darkpatterns.org/types-of-dark-pattern",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "45259adf-e499-42f6-9813-c16a6606b467",
+ "value": "Confirmshaming"
+ },
+ {
+ "description": "Consumer tricked into thinking registration necessary",
+ "meta": {
+ "category": [
+ "Forced Action"
+ ],
+ "refs": [
+ "https://petsymposium.org/2016/files/papers/Tales_from_the_Dark_Side__Privacy_Dark_Strategies_and_Privacy_Dark_Patterns.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "6cb4c01c-9edc-40fb-8744-ac866f64c695",
+ "value": "Forced Registration"
+ },
+ {
+ "description": "Consumer falsely informed of limited quantities",
+ "meta": {
+ "category": [
+ "Urgency"
+ ],
+ "refs": [
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "e8fe07aa-83c1-44c5-9042-fb3449a5ab94",
+ "value": "Low stock / high-demand message"
+ },
+ {
+ "description": "Opportunity ends soon with blatant false visual cue",
+ "meta": {
+ "category": [
+ "Urgency"
+ ],
+ "refs": [
+ "https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf",
+ "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205"
+ ]
+ },
+ "uuid": "bab8c47f-2f1d-47ba-ae53-9c2c49c0f520",
+ "value": "Countdown timer / Limited time message"
+ }
+ ],
+ "version": 1
+}
diff --git a/galaxies/social-dark-patterns.json b/galaxies/social-dark-patterns.json
new file mode 100644
index 0000000..934bcf1
--- /dev/null
+++ b/galaxies/social-dark-patterns.json
@@ -0,0 +1,9 @@
+{
+ "description": "Social Engineering - Dark Patterns",
+ "icon": "link",
+ "name": "Dark Patterns",
+ "namespace": "deprecated",
+ "type": "social-dark-patterns",
+ "uuid": "41c42956-972e-4eef-a3e3-ef3ea35ff1f8",
+ "version": 1
+}
From 100299f3fdacee98ee61890d2e45a6b975034045 Mon Sep 17 00:00:00 2001
From: Jean-Louis Huynen
Date: Tue, 3 Dec 2019 17:09:57 +0100
Subject: [PATCH 2/7] add: [dark-pattern] add a source
---
 clusters/social-dark-patterns.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/clusters/social-dark-patterns.json b/clusters/social-dark-patterns.json
index 997d589..4280391 100644
--- a/clusters/social-dark-patterns.json
+++ b/clusters/social-dark-patterns.json
@@ -5,6 +5,7 @@
 "category": "dark-patterns",
 "description": "Dark Patterns are user interface that tricks users into making decisions that benefit the interface's holder to the expense of the user.",
 "name": "Dark Patterns",
+ "source": "CIRCL",
 "type": "social-dark-patterns",
 "uuid": "61397bd8-0cc3-487e-b887-6212ca5b24d3",
 "values": [
From bd3cc6d8ee098f98b233147caefe82f5ed363156 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Tue, 3 Dec 2019 18:13:44 +0100
Subject: [PATCH 3/7] added TA2101
---
 clusters/threat-actor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index df07394..0cbe8c6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
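Review bot: Several `value` strings in clusters/social-dark-patterns.json pack alternative names into a single entry, for example `"Hidden information / aesthetic manipulation / false hierarchy"` and `"Countdown timer / Limited time message"`. The value is what analysts search for and what the resulting tag carries, so each alias is only matchable as part of the full slash-separated string. I would keep one canonical name in `value` and move the others to `meta.synonyms`, e.g. `"value": "Countdown timer"` with `"synonyms": ["Limited time message"]`. The "Disguised Ad" description also shows `isn’t`, which looks like a mis-decoded apostrophe; if it is in the file and not only in this rendering, write `isn't`.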
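Review bot: The cluster's `"version"` stays at `1` even though PATCH 2/7 changes its content by adding `"source": "CIRCL"`; the threat-actor patches in this series bump `version` on every edit (143, 144, 145). If consumers decide whether to re-import a cluster by comparing versions, which I believe is how MISP updates galaxies but should be confirmed, an instance that already loaded version 1 would never see the new field. The same applies to PATCH 4/7, which changes `namespace` in galaxies/social-dark-patterns.json and leaves `"version": 1`. The `version` line lies outside this hunk; I would set `"version": 2` in both files.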
@@ -7800,7 +7800,17 @@
 },
 "uuid": "200d04c8-a11f-45c4-86fd-35bb5de3f7a3",
 "value": "Calypso group"
+ },
+ {
+ "description": "Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us"
+ ]
+ },
+ "uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d",
+ "value": "TA2101"
 }
 ],
- "version": 143
+ "version": 144
 }
From 872df00262402fcb63b80e2bfd10cf8adb306d1d Mon Sep 17 00:00:00 2001
From: Jean-Louis Huynen
Date: Wed, 4 Dec 2019 09:28:14 +0100
Subject: [PATCH 4/7] chg: [dark-pattern] namespace: misp
---
 galaxies/social-dark-patterns.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/galaxies/social-dark-patterns.json b/galaxies/social-dark-patterns.json
index 934bcf1..7a529d3 100644
--- a/galaxies/social-dark-patterns.json
+++ b/galaxies/social-dark-patterns.json
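Review bot: The TA2101 `description` is vendor prose pasted with its first-person voice (`We have also recently observed the actor targeting organizations in the United States`), so inside a shared cluster it is unclear who "we" is; `Proofpoint has also observed the actor ...` keeps the attribution explicit. Cobalt Strike, Maze and IcedID are named only in free text, so nothing machine-readable ties this actor to the corresponding tool or ransomware entries; a `related` list pointing at those clusters' UUIDs would make the association queryable. The phrase `Bundeszentralamt fur Steuern, the German Federal Ministry of Finance` pairs two different bodies (the former is the Federal Central Tax Office) and drops the umlaut, so it should be corrected or marked as quoted from the source report.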
@@ -2,7 +2,7 @@ "description": "Social Engineering - Dark Patterns", "icon": "link", "name": "Dark Patterns", - "namespace": "deprecated", + "namespace": "misp", "type": "social-dark-patterns", "uuid": "41c42956-972e-4eef-a3e3-ef3ea35ff1f8", "version": 1 From 62e88bd2c70a3ee6748f477a6ceb758deb04e28b Mon Sep 17 00:00:00 2001 From: Jean-Louis Huynen Date: Wed, 4 Dec 2019 09:44:39 +0100 Subject: [PATCH 5/7] add: [dark-pattern] updates the README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9eb0244..5a45dbf 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,7 @@ to localized information (which is not shared) or additional information (that c - [clusters/sectors.json](clusters/sectors.json) - Activity sectors - [clusters/cert-eu-govsector.json](clusters/cert-eu-govsector.json) - Cert EU GovSector +- [clusters/social-dark-patterns.json](clusters/social-dark-patterns.json) - Social Engineering - Dark Patterns # Available Vocabularies From 94b3c1ec07eacec6045cd39549f0c61a697f489b Mon Sep 17 00:00:00 2001 From: Daniel Plohmann Date: Sat, 7 Dec 2019 12:44:30 +0100 Subject: [PATCH 6/7] added APT-C-34 / Golden Falcon --- clusters/threat-actor.json | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0cbe8c6..3dad8c1 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -7810,7 +7810,21 @@
 },
 "uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d",
 "value": "TA2101"
+ },
+{
+ "description": "As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting the country of Kazakhstan. Targets included individuals and organizations involving all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats alike. The campaign, Qihoo 360 said, was broad, and appears to have been carried by a threat actor with considerable resources, and one who had the ability to develop their private hacking tools, buy expensive spyware off the surveillance market, and even invest in radio communications interception hardware.",
+ "meta": {
+ "refs": [
+ "http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html",
+ "https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/"
+ ],
+ "synonyms": [
+ "Golden Falcon"
+ ]
+ },
+ "uuid": "feb0cfef-0472-4108-83d7-1a322d8ab86b",
+ "value": "APT-C-34"
 }
 ],
- "version": 144
+ "version": 145
 }
From 8da36c09e1b71c43f032ed2e2d6275a03ffcc55a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 8 Dec 2019 09:03:14 +0100
Subject: [PATCH 7/7] chg: [threat-actor] jq
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3dad8c1..e38fee0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
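Review bot: The new APT-C-34 `description` lists `foreign diplomats` twice in the target enumeration and says `appears to have been carried by a threat actor`, which should read `carried out by`; both are worth fixing before this text is copied into reports. The first ref, `http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html`, is plain HTTP, so analysts following it fetch the primary report over a channel that can be altered in transit; use the `https://` form if the site serves it. The text also leads with `As reported by ZDNet` although the Qihoo 360 report is the primary source, so naming Qihoo 360 first would make the provenance clearer.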
@@ -7811,7 +7811,7 @@
 "uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d",
 "value": "TA2101"
 },
-{
+ {
 "description": "As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting the country of Kazakhstan. Targets included individuals and organizations involving all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats alike. The campaign, Qihoo 360 said, was broad, and appears to have been carried by a threat actor with considerable resources, and one who had the ability to develop their private hacking tools, buy expensive spyware off the surveillance market, and even invest in radio communications interception hardware.",
 "meta": {
 "refs": [