Dorblue
Regular
- Joined
- 28.09.20
- Messages
- 94
- Reaction score
- 239
- Points
- 33
I forgot to enable VPN
A resident of the United Kingdom, Tomas Skowron, stole money using malicious software. A time-tested scheme was used: using a Trojan, access to Internet banking was stolen, and then the money was transferred to front persons, who then cashed it out. Thus, the criminals managed to withdraw over $ 1 million from accounts around the world. Tomas Skowron was directly involved in transferring funds from hacked accounts, and once his VPN failed. The real IP address of the cybercriminal was found in the logs of connections to the victim's Internet banking account. After some time, Tomas was expected to be visited by law enforcement agencies, and after the verdict-5 years in prison. Even if a criminal uses a VPN, there is always the possibility of a software failure. for example, the connection may "fall off" unnoticed by the user, or if the Internet is interrupted, the VPN application will not have time to redirect Internet traffic to the VPN server, and some of the data will bypass the VPN. And it also happens that the VPN is simply forgotten to enable. Even if the VPN contains a data blocking function that bypasses the VPN, there may still be malfunctions (I already talked about this in the Chapter about bugs and errors). Everyone has them, but for some programs, a "crash" of the service will lead to an unpleasant error notification, and the user will have to restart the program.in case of a VPN error, the hacker's real IP address will be in the hands of law enforcement agencies. An effective solution is to use Whonix-Gateway as a firewall; fortunately for our Bank accounts, Tomas Skowron did not know about this.
Documents remember who opened and edited them
We are talking about Microsoft Office and Apple's office products, such as Pages and Numbers. This is a useful option that lets you find out who, when, and what edits were made to the document. Safe for anyone, but not for a hacker who views stolen documents and plans to publish them in the future. You probably heard about the hacking of emails and the publication of documents of the us Democratic party in July 2016, this was written a lot in the media, and I would not like to retell this story. And you may have heard about the "Russian trace" in this case, so let's look at the evidence for this version. First, an analysis of the uploaded documents showed that the Russian-speaking user "Felix Edmundovich" took part in editing them, and, most importantly, his name was written in Cyrillic. Second, the documents and the site where they were posted contained enough evidence to indicate that a Russian-speaking user was behind it. A banal example is the smiley face in the form of three parentheses ")))", which is popular in the former CIS. Third, the edits were made from a hacked version of Microsoft Word, which, oddly enough, is popular in Russia. And most importantly, the fourth – error messages in Russian that occurred during the conversion of the document in the Russian version of the program. You see, even the version of office SOFTWARE used can become an indirect tool for narrowing the search circle of a hacker or destroying the legend when a hacker tries to impersonate someone who is not really there.
Images save the location where they were taken
Hacker Higinio Ochoa, like "Felix Edmundovich" from the previous story, liked to hack various American resources and upload data to the network. In one of the publications, he placed a photo of a girl taken on an iPhone with the inscription " PwNd by w0rmer & CabinCr3w <3 u BiTch's !».
This was a fatal mistake, as the photo saved the coordinates of the shooting location. And although they only found his girlfriend, from that moment on he was doomed and the rest was a matter of technology. Fortunately, many popular sites now delete the coordinates of the shooting location when uploading, many, but not all. Being able to check for location coordinates in the photo metadata and delete them is a useful skill, but we will not limit ourselves to it as part of the course, we will replace the shooting location. For example, a photo taken in Moscow will contain the coordinates of the Siberian taiga hinterland. The location of the photo is not the only thing that you can find out from the photo and what you should think about when uploading a picture to the network.
End of the era of telephone terrorism
This technology is already being actively implemented in banks, in a number of countries it is in the Arsenal of special services, and the old scheme "I bought a one-time mobile phone for one anonymous call" no longer works. Each voice has its own unique fingerprint, which can be used to identify its owner-many people know this. But the fact that the changes in the voice that are made by standard voice modification programs are not a problem and do not protect against detection is a surprise.
Vitalik from a provincial town in Russia decided to take part in a large-scale campaign to "mine" Moscow railway stations. To do this, he got Internet telephony, Double VPN and a program for changing the voice. Concerned about his anonymity, he purchased an account for voice telephony on an underground forum. Nice set of a professional phone terrorist, isn't it? He successfully "mined" the train station, and enjoyed his success until nightfall, watching the news. In the morning, Vitalik himself became a participant in local criminal news: guys from the Federal security service came to him with a search. Now Vitalik is awaiting trial and, at best, a huge fine. His voice print helped him figure it out. Vitalik's call was recorded, then the experts processed it, restoring the original voice. The program that so successfully changed the voice did not become a serious obstacle, and a sample of his voice fingerprint turned out to be in a database that is unified in Russia: both banks and law enforcement agencies have access to it.
Social networks are hackers best enemies
Many people would be interested to know who views their social media pages, how long, and how often. The page of Dmitry Smilyants, a young and successful man, was viewed not only by friends, relatives and fans, but also by FBI agents. He was known to them as a cybercriminal under the pseudonym "Bold". In July 2013, he posted a photo of himself on Instagram, where he posed against the background of the inscription "I Amsterdam". The agents immediately called hotels nearby, and one of them informed them that Dmitry Smilyanets was indeed staying with them, but was currently sleeping.
The next morning was the last for Dmitry at large, he was waiting for arrest and transfer to the hands of American justice. In the end, he will spend 5 years behind bars. Why not just put him on the wanted list? Russian hackers are very good at getting information about the wanted list from Interpol, and, of course, an officially wanted hacker will not leave Russia or will do so with maximum precautions to countries where the FBI will not be able to request his extradition. Therefore, agents follow suspects through social networks, and as you can see, this gives results.
I would like to tell you about another rather instructive mistake of a cybercriminal who was engaged in a bad business‒trading malicious software. He was an intermediary, or so-called reseller. Working with several malicious software developers, he developed a reputation and knew the shadow markets very well. But Alexey (let's call him that) did not become a popular malware merchant right away. He started by trying to hack mailboxes and offered services through the Vkontakte social network.
He acted rather primitively: with the help of a phishing kit purchased on the black market, he tried to catch victims for inattention. It didn't come out very often, but at that moment, to yesterday's schoolboy, it seemed like an incredibly lucrative business. Naturally, all cool hackers have some cool nickname, and Alexey was no exception, having come up with a new "hacker" name for himself. He added it to the name of his page on the social network, and it was also displayed in the link to the page after the slash (/). Years have passed, and Alexey is no longer a self-taught hacker, but an outstanding professional who is wanted by law enforcement agencies in more than one country in the world. But something from those times has been preserved and this is his unique nickname. And so, while collecting information about him, law enforcement agencies came across his old page. The future serious cybercriminal, who does not go beyond the top, at that time entered the social network from his home IP address and gave service customers a wallet issued with their passport data for payment. Finding a page with information about him a few years later will lead to his arrest.
A resident of the United Kingdom, Tomas Skowron, stole money using malicious software. A time-tested scheme was used: using a Trojan, access to Internet banking was stolen, and then the money was transferred to front persons, who then cashed it out. Thus, the criminals managed to withdraw over $ 1 million from accounts around the world. Tomas Skowron was directly involved in transferring funds from hacked accounts, and once his VPN failed. The real IP address of the cybercriminal was found in the logs of connections to the victim's Internet banking account. After some time, Tomas was expected to be visited by law enforcement agencies, and after the verdict-5 years in prison. Even if a criminal uses a VPN, there is always the possibility of a software failure. for example, the connection may "fall off" unnoticed by the user, or if the Internet is interrupted, the VPN application will not have time to redirect Internet traffic to the VPN server, and some of the data will bypass the VPN. And it also happens that the VPN is simply forgotten to enable. Even if the VPN contains a data blocking function that bypasses the VPN, there may still be malfunctions (I already talked about this in the Chapter about bugs and errors). Everyone has them, but for some programs, a "crash" of the service will lead to an unpleasant error notification, and the user will have to restart the program.in case of a VPN error, the hacker's real IP address will be in the hands of law enforcement agencies. An effective solution is to use Whonix-Gateway as a firewall; fortunately for our Bank accounts, Tomas Skowron did not know about this.
Documents remember who opened and edited them
We are talking about Microsoft Office and Apple's office products, such as Pages and Numbers. This is a useful option that lets you find out who, when, and what edits were made to the document. Safe for anyone, but not for a hacker who views stolen documents and plans to publish them in the future. You probably heard about the hacking of emails and the publication of documents of the us Democratic party in July 2016, this was written a lot in the media, and I would not like to retell this story. And you may have heard about the "Russian trace" in this case, so let's look at the evidence for this version. First, an analysis of the uploaded documents showed that the Russian-speaking user "Felix Edmundovich" took part in editing them, and, most importantly, his name was written in Cyrillic. Second, the documents and the site where they were posted contained enough evidence to indicate that a Russian-speaking user was behind it. A banal example is the smiley face in the form of three parentheses ")))", which is popular in the former CIS. Third, the edits were made from a hacked version of Microsoft Word, which, oddly enough, is popular in Russia. And most importantly, the fourth – error messages in Russian that occurred during the conversion of the document in the Russian version of the program. You see, even the version of office SOFTWARE used can become an indirect tool for narrowing the search circle of a hacker or destroying the legend when a hacker tries to impersonate someone who is not really there.
Images save the location where they were taken
Hacker Higinio Ochoa, like "Felix Edmundovich" from the previous story, liked to hack various American resources and upload data to the network. In one of the publications, he placed a photo of a girl taken on an iPhone with the inscription " PwNd by w0rmer & CabinCr3w <3 u BiTch's !».
This was a fatal mistake, as the photo saved the coordinates of the shooting location. And although they only found his girlfriend, from that moment on he was doomed and the rest was a matter of technology. Fortunately, many popular sites now delete the coordinates of the shooting location when uploading, many, but not all. Being able to check for location coordinates in the photo metadata and delete them is a useful skill, but we will not limit ourselves to it as part of the course, we will replace the shooting location. For example, a photo taken in Moscow will contain the coordinates of the Siberian taiga hinterland. The location of the photo is not the only thing that you can find out from the photo and what you should think about when uploading a picture to the network.
End of the era of telephone terrorism
This technology is already being actively implemented in banks, in a number of countries it is in the Arsenal of special services, and the old scheme "I bought a one-time mobile phone for one anonymous call" no longer works. Each voice has its own unique fingerprint, which can be used to identify its owner-many people know this. But the fact that the changes in the voice that are made by standard voice modification programs are not a problem and do not protect against detection is a surprise.
Vitalik from a provincial town in Russia decided to take part in a large-scale campaign to "mine" Moscow railway stations. To do this, he got Internet telephony, Double VPN and a program for changing the voice. Concerned about his anonymity, he purchased an account for voice telephony on an underground forum. Nice set of a professional phone terrorist, isn't it? He successfully "mined" the train station, and enjoyed his success until nightfall, watching the news. In the morning, Vitalik himself became a participant in local criminal news: guys from the Federal security service came to him with a search. Now Vitalik is awaiting trial and, at best, a huge fine. His voice print helped him figure it out. Vitalik's call was recorded, then the experts processed it, restoring the original voice. The program that so successfully changed the voice did not become a serious obstacle, and a sample of his voice fingerprint turned out to be in a database that is unified in Russia: both banks and law enforcement agencies have access to it.
Social networks are hackers best enemies
Many people would be interested to know who views their social media pages, how long, and how often. The page of Dmitry Smilyants, a young and successful man, was viewed not only by friends, relatives and fans, but also by FBI agents. He was known to them as a cybercriminal under the pseudonym "Bold". In July 2013, he posted a photo of himself on Instagram, where he posed against the background of the inscription "I Amsterdam". The agents immediately called hotels nearby, and one of them informed them that Dmitry Smilyanets was indeed staying with them, but was currently sleeping.
The next morning was the last for Dmitry at large, he was waiting for arrest and transfer to the hands of American justice. In the end, he will spend 5 years behind bars. Why not just put him on the wanted list? Russian hackers are very good at getting information about the wanted list from Interpol, and, of course, an officially wanted hacker will not leave Russia or will do so with maximum precautions to countries where the FBI will not be able to request his extradition. Therefore, agents follow suspects through social networks, and as you can see, this gives results.
I would like to tell you about another rather instructive mistake of a cybercriminal who was engaged in a bad business‒trading malicious software. He was an intermediary, or so-called reseller. Working with several malicious software developers, he developed a reputation and knew the shadow markets very well. But Alexey (let's call him that) did not become a popular malware merchant right away. He started by trying to hack mailboxes and offered services through the Vkontakte social network.
He acted rather primitively: with the help of a phishing kit purchased on the black market, he tried to catch victims for inattention. It didn't come out very often, but at that moment, to yesterday's schoolboy, it seemed like an incredibly lucrative business. Naturally, all cool hackers have some cool nickname, and Alexey was no exception, having come up with a new "hacker" name for himself. He added it to the name of his page on the social network, and it was also displayed in the link to the page after the slash (/). Years have passed, and Alexey is no longer a self-taught hacker, but an outstanding professional who is wanted by law enforcement agencies in more than one country in the world. But something from those times has been preserved and this is his unique nickname. And so, while collecting information about him, law enforcement agencies came across his old page. The future serious cybercriminal, who does not go beyond the top, at that time entered the social network from his home IP address and gave service customers a wallet issued with their passport data for payment. Finding a page with information about him a few years later will lead to his arrest.