Full Report
-snip-
From: Haroon Meer
To: Marc Schneider
Subject: Re: http://www.sensepost.com – Contact needed

Hi Dr Schneider.

* Marc Schneider [[email protected]] seemed to say:
>I am Dr. Marc Schneider and I work for Multilingual Search Engine
>Optimization Inc. in Washington DC ( Tel: 1 202-250-3645) – I would
>like to speak with the person in charge of your international
>clientele. Who is my contact? Who should I speak to??
>
>In fact, after visiting http://www.sensepost.com , I have noticed that your
>website
>cannot be found on foreign search engines (I tested it on Hispanic
>search engines, German search engines, Asian search engines, etc.) Our
>company is specialized in multilingual search engine promotions in 28
>languages . From the Japanese Google to the German Yahoo, from the AOL
>in Spanish to the MSN in Chinese, we can show you how to develop a
>true international online presence by promoting your website on
>foreign search engines.
Analysis Summary
# Main Topic
Unsolicited contact (potential SPAM/phishing vector) from an entity offering Search Engine Optimization (SEO) services, which was leveraged by the recipient for defensive security consultation instead. The narrative focuses on a suspicious outreach attempt disguised as legitimate business development.
## Key Points
- An individual named Dr. Marc Schneider, claiming to be from "Multilingual Search Engine Optimization Inc. in Washington DC," aggressively contacted SensePost regarding poor international search engine visibility.
- The sender's emails included direct contact details (phone number: 1 202-250-3645) and offered promotional services across 28 languages on platforms like Google, Yahoo, AOL, and MSN.
- The recipient (Haroon Meer of SensePost) noted the persistent nature of the emails ("many (many many) emails").
- The recipient turned the solicitation into a potential security engagement, pointing out basic infrastructure weaknesses in the inquirer's purported company domain (zone transferability issues and co-located primary/secondary DNS servers).
- The recipient explicitly requested that communication switch from phone calls to email, prioritizing resolution of the security issues over the marketing discussion.
## Threat Actors
- **Actor:** Dr. Marc Schneider, representing "Multilingual Search Engine Optimization Inc." (The context suggests this entity may be a front or part of a low-level social engineering or spam campaign, given the persistence and the target's quick pivot to security assessment.)
- **Motivation:** Initially appears to be business promotion (SEO services); however, the persistence of the outreach and the tone of the recipient's response suggest either an unsolicited sales nuisance or a poorly targeted spam/social engineering attempt.
## TTPs
- **TTP 1 (Social Engineering/Unsolicited Contact):** Use of email to initiate contact regarding perceived business deficiencies (poor search engine ranking) to establish a relationship.
- **TTP 2 (Information Gathering):** Targeting companies for potential vulnerabilities or service sales based on public website observation.
- **TTP 3 (Infrastructure Weakness, Defensive Observation):** Noting basic configuration mistakes in the inquirer's own domain infrastructure (e.g., zone transfer handling and DNS server co-location); this observation was made by the recipient, not the sender, and is recorded here as a defensive finding.
## Affected Systems
- **Victim (Initial Target):** SensePost's website visibility (as perceived by the spammer).
- **Observed Vulnerable System:** The domain belonging to "Multilingual Search Engine Optimization Inc." (whose contact information was provided by the inquirer).
## Mitigations
- **Handling Unsolicited Outreach:** Preferring email communication over phone calls when dealing with persistent, unsolicited business inquiries.
- **Infrastructure Hygiene (Defensive Recommendation):** Ensuring primary and secondary DNS servers are not located on the same physical network (improving redundancy and resilience).
- **Domain Management:** Ensuring proper management of domain zone transfers.
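As an added illustration of the two DNS points above (not part of the original report and not taken from either party's systems), here is a BIND 9 `named.conf` fragment showing an unrestricted zone-transfer setting beside the corrected one; the zone name, addresses and key material are placeholders, and the two secondaries are deliberately placed on different networks to reflect the co-location concern:

```conf
// Added example: BIND 9 named.conf fragments (zone, addresses and key are placeholders).
// Use one of the two zone blocks, not both; "type primary" is "type master" on older BIND releases.

// Weak: any host can pull the whole zone with AXFR, which hands out a
// complete list of hostnames in a single request.
zone "example.invalid" {
    type primary;
    file "/var/named/example.invalid.zone";
    allow-transfer { any; };
};

// Corrected: transfers are limited to TSIG-signed requests from the named
// secondaries, so a spoofed source address alone is not enough.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";   // generate a real one with tsig-keygen
};

// Secondaries on separate documentation ranges, i.e. not co-located with the primary.
acl "secondaries" { 192.0.2.53; 198.51.100.53; };

zone "example.invalid" {
    type primary;
    file "/var/named/example.invalid.zone";
    allow-transfer { key xfer-key; };       // TSIG-authenticated transfers only
    also-notify { 192.0.2.53; 198.51.100.53; };
};
```

To verify, run `dig @<primary> example.invalid AXFR` from a host that is not a listed secondary; with the corrected block it should be refused, while a secondary using the key file (`dig -k <keyfile> @<primary> example.invalid AXFR`) still succeeds. Listing secondaries by network as well as by key keeps the redundancy point visible in the configuration itself.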
## Conclusion
This context describes a high-volume, potentially unsophisticated business outreach campaign characterized by persistence. While not framed as a direct hacking incident, the interaction serves as a reminder of external actors probing for initial engagement points. The actionable intelligence here is the defensive posture taken: turning a perceived sales pitch into an opportunity to identify and recommend fixes for basic infrastructure security and resilience flaws observed in the inquirer's operational domain.