Unmasking Miscreants (Derbycon 3.0), Allison Nixon && Brandon Levene

Posted on 08-Jun-2015


Page 1: Unmasking miscreants

Unmasking Miscreants

Derbycon 3.0

Allison Nixon && Brandon Levene

(⌐■_■)

( •_•)>⌐■-■

( •_•)

Page 2: Unmasking miscreants

About Us (⌐■_■)--︻╦╤─ - - -

● Allison Nixon (@nixonnixoff)
  ○ Incident Response & Pentesting at Integralis
  ○ GCIA
  ○ Independent Security Researcher focused on malicious services
● Brandon Levene (@seraphimdomain)
  ○ Incident Handler for large cloud provider
  ○ GCIH, GCIA, GPEN
  ○ Independent Security Researcher focused on Exploit Kits and associated Malware

Page 3: Unmasking miscreants

Why are we interested?

There are bad people on the internet.

They are also dumb.

Page 5: Unmasking miscreants

Common Actor Traits

● Male
● 14-22
● Middle(ish) Class
● Live with parents
  ○ Limited/no income
  ○ Most income goes towards hobbies
● Social interaction predominantly online
  ○ Not necessarily “anti-social”

Page 6: Unmasking miscreants

Warning

● You are playing with fire!
  ○ Playing with fire is fun
● Identity is hard to find from online aliases
  ○ Account sharing
  ○ Hacked accounts
  ○ Fake accounts
● False accusations are bad. And easy
  ○ Hurts your reputation
  ○ Hurts the reputation of innocent bystanders
● No vigilantism
  ○ Don’t harass people you find

Page 7: Unmasking miscreants

Scoping

● What do you look for?
  ○ Bannings
  ○ Complaints (generally scamming)
    ■ Infractions
  ○ Vouches
  ○ Purchased Reputation
  ○ Multi-community membership/participation
  ○ Technical questions related to a service
● Who do you look for?
  ○ Premium or Sponsored Sellers
  ○ Authors of stickied threads (Forums)
  ○ Primary sellers
  ○ Vouches/Reputation given/received

Page 8: Unmasking miscreants

So I’ve identified a bad, what next?

● Tools
  ○ Google
    ■ Always check cached results if a link appears dead
  ○ Spokeo
  ○ checkusernames.com
    ■ Username reuse
  ○ Reverse Image Searches
  ○ Maltego
● Get as much information as possible, then sift through for overlaps and relationships (HUMINT)

For more resources: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking

Page 9: Unmasking miscreants

YouTube Fail

On his YouTube account, out of all his videos, one second in one video had his name in focus.

Page 10: Unmasking miscreants

Technical Recon

● Maltego
  ○ Consolidates Serversniffing, Whois, Dig, Registrant searches
  ○ Still useful to double-check!
● Manual inspection
  ○ Google Dorking (site:evil.com)
  ○ Tamperdata
  ○ Burp Proxy
  ○ Whatweb
● Cloud DDoS Solutions
  ○ Are they a dead end?
  ○ Nope, nocloudallowed

Page 11: Unmasking miscreants

NoCloudAllowed (and other DDOS protection bypasses)

● A scanner to check every server for the existence of the hidden web site
● Many sites hide behind DDOS protection
  ○ (mostly Cloudflare, a few other companies)
● Bypass by contacting the origin directly
● Finding the origin is easy
  ○ Outbound connections
  ○ Outbound e-mail
  ○ Old DNS records
  ○ Server specific information leakage
● Nocloudallowed.com for details

Page 12: Unmasking miscreants

Tracking

● Weaving a tangled web
● Finding e-mails
  ○ Whois info
  ○ Paypal accounts
    ■ Even Paypal pages that conceal the e-mail
  ○ Gleaning e-mails from ads
    ■ “Selling stolen credit cards! Contact [email protected]”
  ○ E-mail contacts in their profile pages
● Database dumps are your friend

Page 13: Unmasking miscreants

Honing in on Bads

● In order to sell, one must advertise
  ○ Find the ads!
  ○ Look for affiliates
● Social Media is an invaluable intelligence tool
  ○ Look for OOB contact methods
    ■ MSN, ICQ, Email (various), AIM, Skype, Twitter
    ■ Be wary of hacked/stolen accounts
      ● The longer an account has been used in similar context, the less likely it’s been newly compromised
    ■ Twitter is easy to search
    ■ Email <-> Facebook is trivial

Page 14: Unmasking miscreants

Honing in on Bads, pt. II

● Read
  ○ Forum Posts (and PMs)
  ○ Social Media
  ○ Really, anything that can be attributed to the target
  ○ Read everything
● Watch
  ○ YouTube (Take screenshots!)
    ■ Huge vector of information leakage
  ○ Twitter feeds
  ○ Current v. Historical posting trends
  ○ AOL Lifestream

Page 15: Unmasking miscreants

Identification

● Find data overlaps
  ○ Use the data a target is forced to present to the community
  ○ Compare against samples from multiple sources
● Utilize multiple sources to verify
  ○ Don’t rely on one search engine or tool for data
● Reconcile target personas
  ○ Utilize data overlaps/leakage to link online ID to physical person
● Document, Document, Document!
  ○ It’s extremely likely someone else is going to need to follow your logic. Make sure it’s sound.

● Identity VS Reputation
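Added example (not from the talk or its authors): a small Python script that applies the overlap, multi-source and documentation steps above to a set of constructed observations. It links aliases that share a normalized identifier, merges them into one persona only when the shared identifier is attested by at least two distinct sources, and keeps single-source matches as leads with their evidence recorded, so a lone dump or hacked account cannot manufacture an identity. All source names, aliases, e-mails and handles are invented.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample observations: (source, alias, identifier type, value).
# Every alias, domain, e-mail and handle below is invented for this example.
OBSERVATIONS = [
    ("forum-profile", "stresser_pro", "email", "Stresser.Pro@example.com"),
    ("forum-ad", "stresser_pro", "skype", "live:stresserpro"),
    ("whois", "registrant:booter.example", "email", "stresser.pro@example.com"),
    ("twitter-bio", "SP_Official", "skype", "LIVE:StresserPro"),
    ("paypal-page", "SP_Official", "email", "stresser.pro@example.com "),
    ("db-dump", "sp1337", "email", "sp1337@example.net"),
    ("db-dump", "throwaway99", "email", "sp1337@example.net"),
]


def normalize(kind, value):
    """Canonicalise an identifier so trivially different spellings overlap."""
    return (kind, value.strip().lower())


def link_personas(observations, min_sources=2):
    """Return (clusters, links) for aliases joined by shared identifiers.
    A single-source match is kept as a lead but never merges personas, so one
    bad dump cannot forge an identity; merging needs >= min_sources sources."""
    attested = defaultdict(lambda: defaultdict(set))  # ident -> alias -> sources
    for source, alias, kind, value in observations:
        attested[normalize(kind, value)][alias].add(source)
    parent = {alias: alias for _, alias, _, _ in observations}  # union-find

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    links = []  # the evidence trail: every pair, what linked it, and who says so
    for ident, by_alias in attested.items():
        for a, b in combinations(sorted(by_alias), 2):
            sources = sorted(by_alias[a] | by_alias[b])
            corroborated = len(sources) >= min_sources
            links.append({"aliases": (a, b), "via": ident,
                          "sources": sources, "corroborated": corroborated})
            if corroborated:
                parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for alias in parent:
        clusters[find(alias)].add(alias)
    return sorted(sorted(c) for c in clusters.values()), links
```

On the sample data the forum seller, the domain registrant and the Twitter account collapse into one persona, while the two aliases that share an e-mail only inside a single dump stay separate and are reported as a lead to verify.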

Page 16: Unmasking miscreants

Page 17: Unmasking miscreants

Results!

“We are taking proactive steps to prevent DDoS (Distributed Denial of Service) for hire services from using PayPal to facilitate/fund illegal activities. PayPal's Acceptable Use Policy (AUP) states that our customers may not use PayPal's service relating to transactions that encourage illegal activities. Our goal is to provide a safe payments service that buyers and sellers around the world can use every day.”

- PayPal

Page 18: Unmasking miscreants

Questions?

( •_•)

( •_•)>⌐■-■

(⌐■_■)