Unmasking miscreants

DerbyCon 3.0 Talk

  1. Unmasking Miscreants
     Derbycon 3.0
     Allison Nixon && Brandon Levene
     (⌐■_■) ( •_•)>⌐■-■ ( •_•)
  2. About Us (⌐■_■)--︻╦╤─ - - -
     ● Allison Nixon (@nixonnixoff)
       ○ Incident Response & Pentesting at Integralis
       ○ GCIA
       ○ Independent Security Researcher focused on malicious services
     ● Brandon Levene (@seraphimdomain)
       ○ Incident Handler for a large cloud provider
       ○ GCIH, GCIA, GPEN
       ○ Independent Security Researcher focused on Exploit Kits and associated Malware
  3. Why are we interested?
     There are bad people on the internet. They are also dumb.
  4. Working Definition: “OpSec”
     ● Actions taken to ensure information leakage doesn’t haunt you
     ● Proactive Paranoia
     ● Appropriate Compartmentation
     tldr: STFU (╯°□°)╯︵ ┻━┻
     For more (from the Grugq): https://www.anti-forensics.com/operational-security-for-hackers/
  5. Common Actor Traits
     ● Male
     ● 14-22
     ● Middle(ish) Class
     ● Live with parents
       ○ Limited/no income
       ○ Most income goes towards hobbies
     ● Social interaction predominantly online
       ○ Not necessarily “anti-social”
  6. Warning
     ● You are playing with fire!
       ○ Playing with fire is fun
     ● Identity is hard to find from online aliases
       ○ Account sharing
       ○ Hacked accounts
       ○ Fake accounts
     ● False accusations are bad. And easy
       ○ Hurts your reputation
       ○ Hurts the reputation of innocent bystanders
     ● No vigilantism
       ○ Don’t harass people you find
  7. Scoping
     ● What do you look for?
       ○ Bannings
       ○ Complaints (generally scamming)
         ■ Infractions
       ○ Vouches
       ○ Purchased Reputation
       ○ Multi-community membership/participation
       ○ Technical questions related to a service
     ● Who do you look for?
       ○ Premium or Sponsored Sellers
       ○ Authors of stickied threads (Forums)
       ○ Primary sellers
       ○ Vouches/Reputation given/received
  8. So I’ve identified a bad, what next?
     ● Tools
       ○ Google
         ■ Always check cached results if a link appears dead
       ○ Spokeo
       ○ checkusernames.com
         ■ Username reuse
       ○ Reverse Image Searches
       ○ Maltego
     ● Get as much information as possible, then sift through it for overlaps and relationships (HUMINT)
     For more resources: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
  9. YouTube Fail
     On his YouTube account, out of all his videos, one second in one video had his name in focus.
  10. Technical Recon
     ● Maltego
       ○ Consolidates Serversniffing, Whois, Dig, Registrant searches
       ○ Still useful to double-check!
     ● Manual inspection
       ○ Google Dorking (site:evil.com)
       ○ Tamper Data
       ○ Burp Proxy
       ○ WhatWeb
     ● Cloud DDoS Solutions
       ○ Are they a dead end?
       ○ Nope, nocloudallowed
  11. NoCloudAllowed (and other DDoS protection bypasses)
     ● A scanner to check every server for the existence of the hidden web site
     ● Many sites hide behind DDoS protection
       ○ (mostly Cloudflare, a few other companies)
     ● Bypass by contacting the origin directly
     ● Finding the origin is easy
       ○ Outbound connections
       ○ Outbound e-mail
       ○ Old DNS records
       ○ Server-specific information leakage
     ● Nocloudallowed.com for details
  12. Tracking
     ● Weaving a tangled web
     ● Finding e-mails
       ○ Whois info
       ○ PayPal accounts
         ■ Even PayPal pages that conceal the e-mail
       ○ Gleaning e-mails from ads
         ■ “Selling stolen credit cards! Contact evil@gmail.com”
       ○ E-mail contacts in their profile pages
     ● Database dumps are your friend
  13. Honing in on Bads
     ● In order to sell, one must advertise
       ○ Find the ads!
       ○ Look for affiliates
     ● Social Media is an invaluable intelligence tool
       ○ Look for OOB contact methods
         ■ MSN, ICQ, Email (various), AIM, Skype, Twitter
         ■ Be wary of hacked/stolen accounts
           ● The longer an account has been used in a similar context, the less likely it’s been newly compromised
         ■ Twitter is easy to search
         ■ Email <-> Facebook is trivial
  14. Honing in on Bads, pt. II
     ● Read
       ○ Forum Posts (and PMs)
       ○ Social Media
       ○ Really, anything that can be attributed to the target
       ○ Read everything
     ● Watch
       ○ YouTube (Take screenshots!)
         ■ Huge vector of information leakage
       ○ Twitter feeds
       ○ Current v. Historical posting trends
       ○ AOL Lifestream
  15. Identification
     ● Find data overlaps
       ○ Use the data a target is forced to present to the community
       ○ Compare against samples from multiple sources
     ● Utilize multiple sources to verify
       ○ Don’t rely on one search engine or tool for data
     ● Reconcile target personas
       ○ Utilize data overlaps/leakage to link an online ID to a physical person
     ● Document, Document, Document!
       ○ It’s extremely likely someone else is going to need to follow your logic. Make sure it’s sound.
     ● Identity VS Reputation
  16. Results!
     “We are taking proactive steps to prevent DDoS (Distributed Denial of Service) for hire services from using PayPal to facilitate/fund illegal activities. PayPal's Acceptable Use Policy (AUP) states that our customers may not use PayPal's service relating to transactions that encourage illegal activities. Our goal is to provide a safe payments service that buyers and sellers around the world can use every day.” -PayPal
  17. Questions?
     ( •_•) ( •_•)>⌐■-■ (⌐■_■)
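Slides 12 to 15 describe linking personas through overlapping contact details gathered from several sources, and slide 15 insists the chain of reasoning be documented so someone else can check it. As an added example that is not from the talk, this Python script does exactly that over a constructed collection: every persona, address, ICQ number and source label below is made up, and each link it reports carries the records that support it.

```python
import re
from collections import defaultdict

# Constructed sample collection (every persona, address, ICQ number and source is made up):
# one entry per piece of data gathered, labelled with the source it was taken from.
RECORDS = [
    {"source": "forum profile", "persona": "dark_seller", "text": "ICQ: 123456789 email: seller@example.invalid"},
    {"source": "whois", "persona": "evil.example", "text": "Registrant Email: seller@example.invalid Registrant Name: J Doe"},
    {"source": "payment page", "persona": "Pay J Doe", "text": "Contact: jdoe.personal@example.invalid"},
    {"source": "twitter", "persona": "@jdoe_real", "text": "hmu on ICQ 123456789 or jdoe.personal@example.invalid"},
]
# Selector patterns; a capture group isolates the value where the pattern carries a label.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "icq": re.compile(r"(?i)\bICQ:?\s*(\d{5,10})\b"),
}

def extract_selectors(text):
    """Return the set of (kind, value) selectors present in one collected text."""
    found = set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            found.add((kind, value.lower()))
    return found

def link_personas(records):
    """Cluster personas that share a selector. Returns (clusters, evidence), where each
    evidence entry names the selector and every (persona, source) it was seen in."""
    parent = {r["persona"]: r["persona"] for r in records}
    def find(p):  # union-find root lookup with path halving
        while parent[p] != p:
            parent[p] = parent[parent[p]]
            p = parent[p]
        return p
    seen = defaultdict(list)  # selector -> [(persona, source), ...]
    for r in records:
        for sel in extract_selectors(r["text"]):
            seen[sel].append((r["persona"], r["source"]))
    evidence = []
    for sel, hits in seen.items():
        personas = sorted({p for p, _ in hits})
        if len(personas) < 2:
            continue  # a selector tied to one persona links nothing
        evidence.append({"selector": sel, "supports": sorted(hits)})
        for p in personas[1:]:  # merge every persona sharing this selector
            parent[find(p)] = find(personas[0])
    clusters = defaultdict(set)
    for p in parent:
        clusters[find(p)].add(p)
    return [sorted(c) for c in clusters.values()], evidence
```

The evidence list is the part to keep: a cluster is only as trustworthy as the weakest selector joining it, and a shared address on a hacked or shared account (slide 6) joins the wrong people.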