
Cool, all right. Thanks everyone for coming, and uh, thanks so much for BSides and all of the sponsors for having me and for putting on such an amazing event. Um, my name's Bex Knightheart. I work in the digital forensics and incident response team at ParaFlare, and I've also been one of the chapter leads at the Australian Women in Security Network Perth chapter for a number of years. I don't really like talking about myself too much, so we'll carry on. Oh, actually there is a very important definition there, and hopefully it doesn't disappear off the stream. Um, I'm totally not stalking a cybercriminal, and I completely lied when I said this is about the digital transformation of stuff, because
you know, I kind of didn't want a title that made me sound like a complete weirdo. [Laughter] So I came across a term called spooring, which still kind of sounds kind of creepy, but it's about, you know, tracking animals or people by essentially the [ __ ] that they leave behind, and I thought that was, that was kind of fitting. Um, move on, move on. There we go, cool. So what am I doing? Um, so originally kind of started out this project because we had a, you know, a client came to us with a phishing incident. They had multiple credentials compromised. You don't actually see many companies investigate, you know, simple phishing incidents, which is a bit of a shame, because often
you know, we're using kind of outdated playbooks to respond to phishing incidents and we don't fully understand, um, you know, the scale and the impact of them. Um, so it was quite good. You know, we came in, no money was lost, you know, looked at what data was potentially taken. Um, but it's, uh, through the information sharing that's been ongoing through the security community, and particularly, and I always bring him up because he's so amazing, Daniel McNamara, Telstra. If you're in the JCSC Slack and look in the manual IOC channel, you just see him pumping in phishing links just constantly, and if you can continue monitoring them you'll see patterns in certain kind of, I guess,
phishing operators, and through that you can link certain phishing incidents to a cluster of activity, whether that's a particular phishing kit, an actor or a group of actors. So through that I was able to identify for this client, you know, the kind of likely individuals involved and, you know, the types of things that they would do as a part of an attack. They asked me to dig a little bit deeper, which is pretty cool. They're like, well, you know, what do they want? And, you know, so I did a bit of digging and, um, yeah, found more than I was kind of expecting. So I cut my teeth in digital forensics at BDO, which is traditionally an
accounting firm. I was in the forensic accounting team. I was like, I totally know accounting, you should hire me. Um, yeah, the advert was kind of vaguely worded and they said, you know, assist with digital forensic stuff, and I'm like, I can do that. Um, they want an accounting degree or, you know, similar. Well, I don't know, bachelor counterterrorism security intelligence, that's totally related to accounting. They took me on, which was awesome. So I got exposed to fraud investigations and got involved in forensic accounting, and one of the partners there said I was a closet accountant, and I think I slightly agree with her, because I have really enjoyed looking at the financial aspects of this particular
actor. So yeah, I do kind of miss that a bit. Um, so the information that I have found I have been sharing with law enforcement. Um, if I identify victims I do notify them. I do share certain things with industry within a kind of limited capacity. Given that there's a high likelihood that some law enforcement action will take place, I'm having to be quite reserved in the information that I do present, and if there's anyone smart enough to put two and two together, please don't go and dox them online, because yeah, that doesn't help. Um, yeah, so, um, a part of also with speaking to law enforcement, um, they're like, well, can you quantify the harm
of these phishing incidents, and why, well, how do you do that exactly? Um, you can only really measure what you can see. Not many people talk about how phishing impacts them. It's underreported, global scale, you know, crime is somewhat secretive in nature. But, you know, what we do have is, you know, essentially a phishing-as-a-service operator who sells phishing templates and also offers essentially a managed phishing service, and so we can see from the products and services that he sells the types of, I guess, victims that, you know, might be involved in particular phishing incidents and where that may lead. And so as you can see from the list here, and
it's not exhaustive, it covers actually quite a broad range of categories. So it goes from, um, you know, trying to get company credentials, which could lead to ransomware, business email compromise, whatever, to dating sites, which goes on to romance scams, property type stuff, so, um, that's also, I guess, business email compromise related, with be trying to divert, uh, really large transactions, so property settlements and things like that. So yeah, potentially quite devastating. But how do you actually link certain incidents to a certain phishing email when nobody talks about it? So you can certainly look at crime statistics and how much it costs the economy and all the rest. Those numbers are [ __ ]. I really hate security
statistics [Laughter] because, you know, I think some people, I mean, you don't have visibility over all of the victims. Um, then you've also got people that have ulterior motives, and yeah, I don't know, it just, it annoys me. Come on. Cool. So, uh, we would think that, you know, criminals doing crimesy things would not want to make it completely obvious what they're doing and who they are, and, you know, because, you know, police bashing down your door at four o'clock in the morning isn't pleasant. Um, but just as I kind of wanted to say I'm totally not a stalker, because that sounds like a really bad thing, but I'm stalking a criminal so that makes it okay, so I'm,
you know, I've got this moral justification for this totally, you know, probably abnormal behavior that I'm undertaking. I'm not lying in bed on my phone and going through, you know, someone's personal life. Um, but criminals have a similar approach to their career. Um, you know, they have moral justifications to what they do, and so they don't necessarily see what they're doing is terribly bad. It might actually be celebrated within their community, or they have a perception that they won't get caught, and you will see criminals using lots of different types of justifications for why what they're doing isn't a bad thing. And the particular actor that I've been tracking recently made a post on a religious forum
and said, is what I'm doing a sin if the victims of my customers are non-believers? And so all these people chimed in, they said, yes, it's still a sin, that's still illegal, you shouldn't do this. Right, well, all it takes is some person to say, no, that's totally justified, all non-believers, you know, are deserving of this, and he can feel comfortable in himself that, totally cool, man. Um, but, uh, yeah, these people then suggested that maybe he look at a legitimate job in cyber security [Laughter], and we know that that's worked for a select few people, but I don't know if I would hire this person. But, um, yeah, you'd be surprised just what you can
find on social media. Facebook, there's public groups dedicated to scamming, so type in scammers professional, something will come up. Um, type in scam pages, stuff will come up. Type in SMTP inboxes or inboxing, stuff will come up. Um, you can find it. Um, so this guy uses his real name, um, including in some of the email addresses he's used to register a lot of domain names. His wife is obsessive on Facebook, it's multiple times a day, posting pictures of food and new car that they've bought, and, you know, it's pretty cool. So pretty much everything I've learned about this guy, um, is from social media, and other stuff is from, uh, you know, hack forums,
where quite often the most juicy information comes from where one criminal has been scammed by him and is complaining about him, or he's been scammed by another criminal and so he's complaining about them, and they post screenshots. And so there's screenshots of Bitcoin addresses. For some reason he shared his, uh, email and password with a criminal and took a screenshot of that. I haven't tested it, um, but yeah, I'd say he probably reuses that one. It's, it's his special one for RDP, um, things, so yeah, still in use. Um, he also has developers who think that GitHub is a great place to host the, um, the online website that he actually runs. Um, so, uh, man, it is just,
just this never-ending kind of gold mine of stuff. So he's been at fairly dodgy things probably since, I'd say probably since early teens, but I don't really have visibility going back that far. I can see he certainly started to get involved in illegal activity around about 2011, so defacing websites, planting web shells, account compromises, experimenting with botnets and all the rest. It was around about 2015 that he started advertising services on online forums to, um, essentially sell phishing templates and letters. Letters are essentially the email, um, so another way of kind of downgrading, you know, what, um, is actually being done. Um, so he, he relied on forums quite a bit for that. Um,
the Bitcoin address that he used between 2015 and 2018 remains steady, which, you know, is fantastic, because it's just all there, you don't have to put any effort in, and I'll show a graph later. 2018 he established his own e-commerce website, so openly advertising the sale of all of those phishing kits, phishing templates that I showed earlier. Um, he, I think, yeah, 2015-ish he started a fairly kind of low fee and that's increased five, yeah, five-fold, up to five-fold, um, over this period basically, which is pretty decent. Um, he's the kind of guy that likes to contribute to the community, so, you know, if he wasn't involved in crime, you know, he'd probably be a top bloke. Um,
you know, he, he publishes tutorials on how to do things and helps in forums answering questions, gives things away for free sometimes because he's such a generous guy, buys his wife lots of bling, um, so spoiled. Um, but, uh, yeah, he, his business has just picked up, and especially in the last year, and this is with the introduction of what I'd like to call his managed phishing services, because for a very large fee, I mean, we're talking about a thousand dollars a month in a country where, you know, that's, you know, someone's probably half a year wages, um, he will deliver the phishing emails. Basically, when accounts are compromised, and particularly business accounts, then we'll log in and start using the
compromised accounts within the business to spray out more phishing emails within the organization, compromising more and more. It's just a fan-out effect. And then actually use the infrastructure of victims to host phishing lures, so if you've ever seen a PDF hosted in some random company's OneDrive with a link to a phishing site, they've probably been compromised, you know, by the same, um, group. I mean, heaps of them, heaps of them do it, but, uh, yeah, so he, he'll offer that service and, um, you know, he'll, he'll give you the cred logs at the end of the week, and, you know, by then I'd say that he's probably done what he wants to do with these logs
that are intended for the customer, but, um, you know, he's still having such a great service. Um, um, uh, so that, that's been a huge, uh, revenue generator, and, uh, he's also, he's hired some people, uh, which is pretty cool. He's paying them a wage, so, you know, jobs, mates. And he's inc-, he's got automation happening, you know, it's like, phishing site goes down because someone's reported it as malicious, customer can log into the portal, push a button, magic, new phishing site up for them. Um, so I estimate that there's more than 100 phishing sites. Seriously, we're up to five minutes? I thought I might ramble on a bit, sorry guys. Um, so yeah, it makes a lot of money, 98k in
60 days, and people are saying maybe you should go get a legit job. [Laughter] Don't know about that, man. But majority of the income is coming through that managed phishing service and the VIP phishing service, which is up the top. That is where customers can choose to target specific lists of email addresses, essentially. Lots of Bitcoin. Um, I'm still kind of collecting, I can only track as much as I can find. Um, but all this information has come from, well, uh, there was a hundred and something page PDF document with invoices for web design and hosting, um, back in 2019, 2020, and also, uh, a more recent kind of list of customers and the things that they bought,
and so he kindly put the transaction ID number for quite a lot of these customers. I was then able to find their Bitcoin addresses associated with it. One of the earlier ones, if people want to take a photo quickly, just if you want to go down a rabbit hole, this was, this was one of the, um, change addresses, uh, for a Bitcoin payment that was made to him, associated with the Shadow Brokers, apparently. Um, so once everyone's got a photo I'll move on. See what we can find around there. At least this won't come back to him. So one of the things that really frustrated me was that I had a photograph of his license and
domain names were registered in his name with his address. I was like, cool, I know where this guy lives. [ __ ], he's building a new home, where is he going? Um, then we have Google. So his mate that helped build the house left a five, five-star review, he's uploaded photos of his house, he's called the place after his son, um, and it looks like this heavily fortified kind of bikie clubhouse, except it has this mural at the front. So this is my artist's, because I'm not going to show the actual house, because you know how that goes. Um, so, so last night I was like, okay, I have to show you something to kind of give an
indication of what it looks like. Yeah, it, totally no crime here, there's, you know, this cartoon mural out the front, legit, innocent. Yeah, cool, that's my final slide. I'm not finishing on the thank you one. [Applause]

Thanks Bex. Um, is there any questions? We do have a portable microphone now for those people listening online, so if anyone has a question, dolls. Yeah, are we going to online first, or, uh, we will go in person, yeah, okay.

Does this person live in a jurisdiction where it's possible?

Yes, so thankfully, thankfully we have AFP liaison officers over there, um, so very good chance. It's just that international law enforcement agency has very limited resources, um, which is a shame, but
hopefully we'll get there. Um,
because it's, he's listed as married to her on his Facebook account.
it's it's fantastic it's just ah christine luke yesterday
This is enough now to condense it first and then, yeah, really, really good, uh, question there. Uh, from the feedback I've received, that's definitely enough to get him. Um, it's just that I'm weird and I like to do this, and so I keep on doing this, and I don't know how long, you know, it's going to take for them to catch them, and so part of actually what I'm doing now is looking at the customers. So I've been able to identify some of the customers as well, so I'm just going to keep filling in my time doing strange things. But really good question, um, you know, what's the point of burning resources if you've got enough? But I'm doing it for
fun, so yeah. Up the back.
He's, he's got staff, he's got kids, he's also got a new puppy, you know, like, dude, I saw the fluffy thing, I was like, oh man, you know. [Laughter] I need to donate some dog biscuits later.

All right, we probably have time for one more question. That's up the front here, dolls. on his face
Uh, well, he used his Facebook to talk about, like, he's a part of a public hacking group on Facebook. His, he uses his real name on Facebook, he uses his real name, um, on domain registrations and subdomains of some of his illicit websites. Like, he's just fully, uh, through, like, digging through all of the related domains on his infrastructure, like, he used a, you know, virtual private server, and he, he also screenshotted, what, sorry, took a photo of his screen with the IP address as well, which was pretty fun. No, no, I found the Bitcoin address, uh, just by digging into him, and then found a complaint which included a discussion on ICQ about the
transferring of funds to purchase things.
Um, just through looking at, uh, you know, who was linked to the phishing infrastructure, essentially. So yeah, it just, you kind of, you just follow things and then eventually you'll come to something where you go, ah yeah, got it, and, um, then you just use various points and then increase your level of confidence in what you found and whether that actually makes sense, and it is solid, absolutely solid. So yeah, cool.

Cool, thanks Bex. Uh, now it's donuts time again. We're going to eat them outside this time, so please enjoy. [Applause]