Unmasking miscreants
Published on

DerbyCon 3.0 Talk

Published in: Technology

Transcript

  • 1. Unmasking Miscreants, DerbyCon 3.0. Allison Nixon && Brandon Levene (⌐■_■) ( •_•)>⌐■-■ ( •_•)
  • 2. About Us (⌐■_■)--︻╦╤─ - - -
    ● Allison Nixon (@nixonnixoff)
      ○ Incident Response & Pentesting at Integralis
      ○ GCIA
      ○ Independent Security Researcher focused on malicious services
    ● Brandon Levene (@seraphimdomain)
      ○ Incident Handler for a large cloud provider
      ○ GCIH, GCIA, GPEN
      ○ Independent Security Researcher focused on Exploit Kits and associated Malware
  • 3. Why are we interested? There are bad people on the internet. They are also dumb.
  • 4. Working Definition: “OpSec”
    ● Actions taken to ensure information leakage doesn’t haunt you
    ● Proactive Paranoia
    ● Appropriate Compartmentation
    tl;dr: STFU (╯°□°)╯︵ ┻━┻
    For more (from the Grugq): https://www.anti-forensics.com/operational-security-for-hackers/
  • 5. Common Actor Traits
    ● Male
    ● 14-22
    ● Middle(ish) Class
    ● Live with parents
      ○ Limited/no income
      ○ Most income goes towards hobbies
    ● Social interaction predominantly online
      ○ Not necessarily “anti-social”
  • 6. Warning
    ● You are playing with fire!
      ○ Playing with fire is fun
    ● Identity is hard to find from online aliases
      ○ Account sharing
      ○ Hacked accounts
      ○ Fake accounts
    ● False accusations are bad. And easy
      ○ Hurts your reputation
      ○ Hurts the reputation of innocent bystanders
    ● No vigilantism
      ○ Don’t harass people you find
  • 7. Scoping
    ● What do you look for?
      ○ Bannings
      ○ Complaints (generally scamming)
        ■ Infractions
      ○ Vouches
      ○ Purchased Reputation
      ○ Multi-community membership/participation
      ○ Technical questions related to a service
    ● Who do you look for?
      ○ Premium or Sponsored Sellers
      ○ Authors of stickied threads (Forums)
      ○ Primary sellers
      ○ Vouches/Reputation given/received
  • 8. So I’ve identified a bad, what next?
    ● Tools
      ○ Google
        ■ Always check cached results if a link appears dead
      ○ Spokeo
      ○ checkusernames.com
        ■ Username reuse
      ○ Reverse Image Searches
      ○ Maltego
    ● Get as much information as possible, then sift through it for overlaps and relationships (HUMINT)
    For more resources: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
  • 9. YouTube Fail. On his YouTube account, out of all his videos, one second in one video had his name in focus.
  • 10. Technical Recon
    ● Maltego
      ○ Consolidates server sniffing, Whois, Dig, Registrant searches
      ○ Still useful to double-check!
    ● Manual inspection
      ○ Google Dorking (site:evil.com)
      ○ TamperData
      ○ Burp Proxy
      ○ WhatWeb
    ● Cloud DDoS Solutions
      ○ Are they a dead end?
      ○ Nope, nocloudallowed
  • 11. NoCloudAllowed (and other DDoS protection bypasses)
    ● A scanner to check every server for the existence of the hidden web site
    ● Many sites hide behind DDoS protection
      ○ (mostly Cloudflare, a few other companies)
    ● Bypass by contacting the origin directly
    ● Finding the origin is easy
      ○ Outbound connections
      ○ Outbound e-mail
      ○ Old DNS records
      ○ Server-specific information leakage
    ● Nocloudallowed.com for details
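Slide 11 makes the defender's point by omission: a CDN or cloud DDoS layer protects nothing if the origin still answers anyone who finds its address. The example below is added here and is not code from the talk or from nocloudallowed; it shows the two checks an origin should apply (source address inside the CDN's published ranges, plus a per-request token the CDN is assumed to inject) and an audit function that scans constructed access-log lines for requests that reached the origin without passing through the CDN, which is exactly the exposure the slide describes. The CIDR blocks and the `X-Origin-Token` header name are placeholders; a real deployment loads the provider's current range list and configures the header at the CDN.

```python
"""Origin-side lockdown and exposure audit for a CDN-fronted web server.

Added example, not part of the DerbyCon talk. Ranges, header name and log
lines are constructed placeholders.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed placeholder ranges standing in for the CDN's published egress
# blocks (RFC 5737 / RFC 3849 documentation addresses, never routed).
CDN_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:c0de::/48"),
]

# Hypothetical header the CDN is configured to add to every forwarded request.
TOKEN_HEADER = "X-Origin-Token"


def from_cdn(remote_addr: str, ranges=CDN_RANGES) -> bool:
    """True if the TCP peer address belongs to one of the CDN ranges."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False          # malformed address: treat as not from the CDN
    return any(ip in net for net in ranges)


def handle(remote_addr: str, headers: Dict[str, str],
           shared_secret: Optional[str] = None) -> Tuple[int, str]:
    """Decide whether the origin should serve a request.

    Layer 1: the connection must come from the CDN's address space.
    Layer 2 (optional): the CDN-injected token must match, which also covers
    the case where an attacker sits inside a shared CDN range.
    """
    if not from_cdn(remote_addr):
        return 403, "direct access to origin refused"
    if shared_secret is not None and headers.get(TOKEN_HEADER) != shared_secret:
        return 403, "missing or wrong origin token"
    return 200, "served via CDN"


def direct_hits(log_lines: List[str], ranges=CDN_RANGES) -> List[str]:
    """Return the distinct peer addresses in common-log-format lines that did
    not arrive through the CDN. Any result means the origin is reachable
    directly and its address has leaked or been guessed."""
    seen: List[str] = []
    for line in log_lines:
        if not line.strip():
            continue
        peer = line.split()[0]           # first CLF field is the peer address
        if not from_cdn(peer, ranges) and peer not in seen:
            seen.append(peer)
    return seen


# Constructed sample access log: two requests via the CDN, two direct.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Sep/2013:12:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.9 - - [27/Sep/2013:12:00:05 +0000] "GET /admin HTTP/1.1" 200 77',
    '203.0.113.41 - - [27/Sep/2013:12:00:09 +0000] "GET /shop HTTP/1.1" 200 900',
    '192.0.2.9 - - [27/Sep/2013:12:00:11 +0000] "GET /shop HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(handle("192.0.2.9", {}))
    print(handle("198.51.100.7", {TOKEN_HEADER: "s3cret"}, "s3cret"))
    print("direct hits:", direct_hits(SAMPLE_LOG))
```

Run the audit against the real origin's access log after cutting over to the CDN: an empty result from `direct_hits` is the state to aim for, and a non-empty one is the signal that the firewall rule or host allowlist in front of the origin is missing.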
  • 12. Tracking
    ● Weaving a tangled web
    ● Finding e-mails
      ○ Whois info
      ○ PayPal accounts
        ■ Even PayPal pages that conceal the e-mail
      ○ Gleaning e-mails from ads
        ■ “Selling stolen credit cards! Contact evil@gmail.com”
      ○ E-mail contacts in their profile pages
    ● Database dumps are your friend
  • 13. Honing in on Bads
    ● In order to sell, one must advertise
      ○ Find the ads!
      ○ Look for affiliates
    ● Social Media is an invaluable intelligence tool
      ○ Look for OOB contact methods
        ■ MSN, ICQ, Email (various), AIM, Skype, Twitter
        ■ Be wary of hacked/stolen accounts
          ● The longer an account has been used in a similar context, the less likely it’s been newly compromised
        ■ Twitter is easy to search
        ■ Email <-> Facebook is trivial
  • 14. Honing in on Bads, pt. II
    ● Read
      ○ Forum Posts (and PMs)
      ○ Social Media
      ○ Really, anything that can be attributed to the target
      ○ Read everything
    ● Watch
      ○ YouTube (Take screenshots!)
        ■ Huge vector of information leakage
      ○ Twitter feeds
      ○ Current v. Historical posting trends
      ○ AOL Lifestream
  • 15. Identification
    ● Find data overlaps
      ○ Use the data a target is forced to present to the community
      ○ Compare against samples from multiple sources
    ● Utilize multiple sources to verify
      ○ Don’t rely on one search engine or tool for data
    ● Reconcile target personas
      ○ Utilize data overlaps/leakage to link an online ID to a physical person
    ● Document, Document, Document!
      ○ It’s extremely likely someone else is going to need to follow your logic. Make sure it’s sound.
    ● Identity VS Reputation
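Slide 15's "Document, Document, Document!" is the part of the process that decides whether a finding survives review or becomes one of the false accusations slide 6 warns about. The example below is added here and is not the speakers' tooling; it is a minimal investigation notebook in which every observation records where it was seen, when, what claim it supports and the SHA-256 of the saved capture, with each entry chained to the previous one so that a second analyst can replay the reasoning in order and detect any record that was altered or dropped after the fact. The sources, timestamps and captured artefacts are constructed placeholders.

```python
"""Hash-chained investigation notebook.

Added example, not from the DerbyCon talk. All sources and artefacts below
are constructed placeholders.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    seq: int
    observed_at: str        # ISO-8601 timestamp supplied by the investigator
    source: str             # where the evidence was seen
    claim: str              # what this observation supports, in plain words
    artefact_sha256: str    # hash of the saved screenshot / page capture
    prev_hash: str          # entry_hash of the previous record (chain link)
    entry_hash: str = ""    # hash over all fields above

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class Notebook:
    GENESIS = "0" * 64      # prev_hash of the first entry

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def add(self, observed_at: str, source: str, claim: str, artefact: bytes) -> Entry:
        """Append an observation; the artefact bytes are hashed, not stored."""
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = Entry(len(self.entries), observed_at, source, claim,
                      sha256_hex(artefact), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the seq of the first broken record, or None if the chain is intact.
        Catches edited fields, re-ordered entries and deleted entries."""
        prev = self.GENESIS
        for expected_seq, e in enumerate(self.entries):
            if (e.seq != expected_seq or e.prev_hash != prev
                    or e.compute_hash() != e.entry_hash):
                return e.seq
            prev = e.entry_hash
        return None

    def export(self) -> str:
        """JSON the next analyst can read top to bottom and re-verify."""
        return json.dumps([asdict(e) for e in self.entries], indent=2)


def build_sample_notebook() -> Notebook:
    """Constructed walk-through: three linked observations about one alias."""
    nb = Notebook()
    nb.add("2013-09-27T14:02:00Z", "forum-example.invalid/thread/123 (constructed)",
           "Alias 'seller_x' advertises a service; post pinned, vouches present",
           b"<constructed capture of thread 123>")
    nb.add("2013-09-27T14:10:00Z", "profile page of 'seller_x' (constructed)",
           "Profile lists an instant-messenger handle as OOB contact",
           b"<constructed capture of profile page>")
    nb.add("2013-09-27T14:25:00Z", "second community, same handle (constructed)",
           "Same IM handle used for two years in similar context; low chance of recent account takeover",
           b"<constructed capture of second community post>")
    return nb


if __name__ == "__main__":
    nb = build_sample_notebook()
    print(nb.export())
    print("chain intact:", nb.verify() is None)
```

The design choice worth noting is that the notebook stores only the hash of each capture, so the notebook itself can be shared for review without redistributing the captured material; the captures stay in the evidence store and are re-hashed on demand to confirm they are the ones the entries refer to.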
  • 16. Results! “We are taking proactive steps to prevent DDoS (Distributed Denial of Service) for hire services from using PayPal to facilitate/fund illegal activities. PayPal's Acceptable Use Policy (AUP) states that our customers may not use PayPal's service relating to transactions that encourage illegal activities. Our goal is to provide a safe payments service that buyers and sellers around the world can use every day.” -PayPal
  • 17. Questions? ( •_•) ( •_•)>⌐■-■ (⌐■_■)
