
A Look At A Microcosm Of The Cybercrime Ecosystem

BSides Leeds · 2020 · 55:45 · 611 views · Published 2020-07
Style: Talk

Transcript [en]

All right, so I actually do have an alternative title for this. So this is about the wonderful world of a new crime, so the alternative title is "How to run your own shitty cybercrime empire and almost certainly get arrested". This is all about the wonderful world of, like, account hijacking and how the actual criminal legal system of that works, which is something that I've been studying for a while, because I wondered, you know, who the [ __ ] buys stolen Netflix accounts and stuff like that, and why does anybody care? And it turns out that it's big business. So, the mantri who on my slide: I'm a security researcher, consultant and cat caretaker. And just a word in advance:

this was originally written as a short talk, but, uh, then I expanded it, and then I brought the short talk slides instead of the long talk slides, because I'm a [ __ ] idiot who brought literally the wrong laptop. So this one is missing all the really nice flow charts and stuff that looked like an economist made them, so the slides are a bit [ __ ] for that. That's fine, we'll deal with it. As for what I'm talking about: so, some of you are familiar with stuff like account takeovers and stuff like that. This is this exploding problem on the internet. Anybody who's been in the industry for a while is aware that stuff like credential stuffing, fueled by some of the big data

leaks, is a huge problem. If you run a service that is of any interest to anyone, somebody's gonna be trying, like, a billion leaked passwords against it, and that's just the thing we've got to deal with. And it's also kind of funny in that the victims are everyone. Like, I've run into security professionals who've been victims of, like, account hijacking and stuff, like where their Netflix has been used by some idiot somewhere, 'cause third-party data leaks have just resulted in a password going somewhere. It's a huge problem, and it's one that we don't really do much about, like, as an industry, because it's not cool like ransomware. It's just this silent little problem that exists, is really important, and it turns out it

affects [ __ ] everyone. Like, this is a thing that just affects everyone. Now, this is kind of the equivalent of... so I was trying to find a way to equate it to normal crime, and I discovered that it's kind of similar to, like, volume crime in terms of how we equate it. Now, volume crime is this lovely police term that I came across, where it's the kind of crime, like burglaries and [ __ ], where they don't really investigate and give a [ __ ] because their funding got cut. It's like, it's the crime that happens to everyone, where it's not like homicide or bank robbery, it's like, you know, "oh, you know, we won't even come out and have a

look, 'cause we can't be [ __ ], we don't have the money for it." So it's like, you know, it's the crime that happens to everyone all the time. And I'm sorry if there are any coppers in the room, but let's be real, it's not, you know, it's not deemed a priority. And this is literally the cyber equivalent, because nobody gives a [ __ ] that somebody hacked your Netflix account. You know, "oh, your Netflix got jacked and some 16-year-old in Brazil is, you know, using your Netflix, who gives a [ __ ]?" You know? But it turns out this happens to everyone all the time, and it turns out there's a whole ecosystem, there's a

whole [ __ ] economy based around this type of crime. You've got people who sell database dumps. You've got people who sell combo lists of potential credentials to use. You've got websites like the one the feds shut down recently, WeLeakInfo, where you can buy, to have, search access to databases from hacked websites. You've got software developers who write specific tools; they write configs for these tools so you can target websites like Netflix and Spotify and try and get loads of accounts. You have entire companies whose only service offering is selling proxy services so that you can route your traffic through a billion compromised computers or whatever. You have people who sell tools to engage in post-compromise

monetization strategies. Like, what the [ __ ] do you do with ten thousand Spotify accounts? I mean, you're not gonna listen to 10,000 [ __ ] bits of music at once, are you? No. It turns out we've got ways of making money with this [ __ ]. You know, you've got strategies for, you know, making money out of stolen accounts on some random service, etc., etc. And there's, like, a whole little economy there. It's, uh, it's [ __ ] fascinating. It's, you know, it's just really interesting. I thought I'd try and share that with y'all today. So let's say you want to... you're a miscreant with bad judgment and you want to get into this business. It's really

simple. You've got kids these days who get into the business of "cracking", and yes, finally we can call hacking cracking, you know, because that's what it is. I know we had that argument, you know, quite a long time ago. But the quickstart guide to getting into this little economy is: you buy or obtain some combo lists or database dumps, you buy or obtain some proxies, you get OpenBullet or Sentry or whatever [ __ ] piece of [ __ ] software you want to use, you get the configs for Netflix, Spotify, whatever, you click the Run button, and you're committing crimes at, like, ten thousand crimes a minute, and then you profit

somehow. And that's it. You've got, like, YouTube tutorials for days which are like "oh, download this, run this EXE, import this text file, click go", and bam, you've done crime. You know, it's trivial to accomplish, and it turns out it's big business. So I'm gonna go through what some of the little bits of this economy are, and, you know, how this whole ecosystem functions, and at the end a couple of bits of, you know, how we can unfuck ourselves. But we'll start off with, like, the first one. If you're gonna do, like, massive amounts of credential stuffing and try and compromise loads of accounts, the first thing you need is credentials to try, right? So we've got

dumps or combo lists, which refers to just database dumps of credentials to use. Some random person's PHP web [ __ ] gets hacked, or some vBulletin forum somewhere, the database gets dumped, hashes get cracked, ends up in a nice list of email:password that you then spray against [ __ ] everything in the hopes that it lets you in. So you've got dumps or combo lists, which are sold, traded, just put on [ __ ] Pastebin. Um, these are obtained just by script kiddies and little idiots hacking random web shits just to get the databases. They end up being parsed and converted to just, you know, lists of email:password or username:password, and sometimes you buy

them as raw dumps. Sometimes you buy, like, you can literally go shopping for, like, 10k email:password, you know, that are sold as just the raw dumps, or sometimes they'll have been parsed and converted into, like, a nice usable list you just click and drag in. And these are for sale for fuck-all, like 10 bucks will get you, like, 20k random passwords and emails that you can then spray against everything, payable in whatever [ __ ]coin you prefer. And this is all fueled by lots of hacking using SQL injection, mostly, which is now 21 years old as of last night's parody for it, and [ __ ] tons of, like, low-level hacking done

on a [ __ ] massive scale. Like, a phenomenal amount of crime just happening that nobody gives a [ __ ] about. And, you know, you've got kids that... and you've got YouTube tutorials showing you how to use fantastic tools like this thing. So this is amazing, right? I [ __ ] love this. This is a tool called SQLi Dumper v9.5. There's, like, versions of it going back; the earliest version I found was version 4. And this is a tool that the little scrublords use when they're too lazy to use sqlmap. No, no, they've got a [ __ ] GUI that arguably works a little better

than sqlmap because it's faster. And all they do is they stick in a list of websites, like, just that they get from, like, doing Google queries and [ __ ], they click "crime", basically, they just click the [ __ ] Scan button, it goes in, it comes back to you and it goes "well, we found, you know, a bunch of websites with SQL injection". Then they click into the next little tab. So you've got, like, yeah, the URL queue where you feed in, like, a billion URLs, you click scan and then it goes and it shits out this list of "here's the ones we can do SQL injection on". And this screenshot was taken from a tutorial on how to use it.

There are YouTube videos and [ __ ] blog posts for days on how to use this [ __ ]. And then you click "dump database" and it just [ __ ] does it. You can even click "only dump columns like email, password", go, and next thing you've just got credentials raining from the [ __ ] sky. And it's like the crime button, and it's amazing. And this is a thing that, like, you know, it's just a thing that, you know, people seem to be doing. And like, you look up, like, "how to find Fortnite combo list" on [ __ ] YouTube and you'll find, like, a video guide where you've got somebody typing into Notepad and

probably some [ __ ] music, and they'll be like "oh, and here we've just committed 10, 20, 30, 40, 50 violations of the Computer Misuse Act". You know, this is like, if you have, you know, if you don't want to buy dumps you can just go get them yourself, because we still haven't solved SQL injection, which is, uh, I think as Erin pointed out earlier, a damning indictment of our industry. The tooling is idiot-proof. You can be the biggest numpty in the world and you've got point-and-click software with a GUI, written in Visual Basic, that will do the crime for you. So if writing your own, if creating Google dorks is too hard, no, no,

the kids these days have made tools to build Google search queries for you, where it'll come up with keywords for the kind of [ __ ] you're interested in, combine it with a list of, like, in URL blah blah blah PHP question mark blah, you click it and it'll [ __ ] out a text file of "here's the Google queries you can run that'll probably get you what you're looking for". And then you drag that into another GUI tool, which is a headless browser to do the Google queries for you, because why the [ __ ] do it manually, right? And then you just drag and drop the output of that into the [ __ ] crime tool, click the crime

button, and away you go. You know, it's like, you could teach twelve... you know, you can teach small children to do this. You could have, like, a farm of, like, school kids, and there is your criminal empire. You know, this is like the most trivial [ __ ]. And of course, maybe you're too lazy, maybe you can't be [ __ ] with, you know, the three-step process for doing, like, the start of crime, so maybe you decide you want to go buy your dumps instead from somebody who's doing this. So you go to a company like data sense, sorry, company, I mean criminal enterprise here, and they're "the best cloud-based combo lists and database provider", with a AUSA,

"the most known and highly reputable. You can get high quality combo lists and databases collected by our experienced hacker team." And these are, you know, companies set up... companies, sorry, criminal enterprises set up by teenagers, and they just go and do a little hacking for you and then give you lists of creds to play with. And you pay, like, 50 bucks a month and you get, like, 20 new databases a day or something off these guys. And you could just, you know, store-bought's fine too, if you don't want to, you know, bake your own crime, you know, just pay somebody else to [ __ ] do it. And that's one of the things that I found

fascinating about this, that so much of this is outsourced. Like, you know, if you can't be [ __ ] doing the release, you know, doing the crime, you just outsource it. You act as, you know, you can be a broker between... you know, maybe you don't know how to hack websites but you want to sell databases. You then can broker between people who do the hacking and people who buy the database; you just sit in the middle and, you know, make money from either side and stuff. And you've got [ __ ] loads of little criminal enterprises, sorry, I keep thinking of them as legitimate businesses, because their business model seems more sustainable, because there's no shortage, like, when

it's supply and demand. We've got no shortage of SQL-injectable websites and we've no shortage of scrublords who want credential lists. So it's, you know, these kids are making bank. You've got, like, middlemen, like, you too can become a dump broker just by talking to a couple of people on web forums and then just buy and sell and trade lists. Um, like, the raw dump data gets sold, resold, repackaged. I mean, it's not like you can get a refund, you know, if it turns out the bottle or... it, either. So it's like, you can't [ __ ] call up the Better Business Bureau or whatever and go "this

guy sold me ten thousand emails and passwords and none of them work". You know, but it turns out that, you know, "ripping", as it's termed, is kind of frowned upon, and it turns out the thieves are actually quite honest to each other, because I guess in crime, reputation is everything. So you go and, you know, so you go get your dumps, right? You want to do some crime, so you go either hack them or you buy them. And what you need next is where I found it became even more interesting. So the next thing you need is proxies, right? So you need lots of IP addresses. If you're gonna spray, like, a million login pairs at

Spotify, they're gonna [ __ ] ban you, right? You're gonna get blocked by rate-limiting and [ __ ], so you're gonna need a lot of IP addresses. So you go to a company like this crowd, who are like "never get banned", who will give you some residential IP addresses. And I was like, okay, um, okay, how does this work? And then I started looking at the numbers and I was like, mate, where the [ __ ] do they get... you know, I mean, some of these numbers here, like nearly 150k IP addresses in the UK they can just route your traffic through, etc., etc. And I'm like, hold on a [ __ ] minute, these counts haven't gone and set

up, like, 150,000 [ __ ] accounts with BT. Where do they get... no, you know, how are they, you know, where are they getting the endpoints to route the traffic through? And, uh, of course you can see where this predictably goes: crime. And these companies are fantastic, by the way, the residential proxy providers. If you look them up, you'll see that they all claim to be super legitimate, and then you go find them on, like, BlackHatWorld, where they mention "oh yes, we are partnered with an adware company". It's like, ah, so it's crime then. But they sell... there's, like, legitimate companies that buy these services for, like, web scraping and [ __ ], and they, you know,

you can, "oh, you need a pool of residential IPs for web scraping or whatever? Go." Um, these companies, like 50 percent of their customers are legit, 50% of them are criminals; the business is criminals. And this ties into, like, the broader crime ecosystem of Miami. You've got these script kiddies with their account shops that are buying services off companies that buy services off large botnet operators, and it's all quite complex. And, you know, it's all kind of interesting how the shit tier of crime is also, like, tied in with, like, the actual good tier of crime by competent, professional, hard-working Russian criminals, is empowering, like, script kiddies in [ __ ] knows where.

Crime. So, you know, you get your proxies and away you go. You know, now you can avoid getting banned, and I'm just gonna go back to the "never get banned when accessing the web", you know. So now you can avoid, you know, getting blocked. So now you've got two components of your crime. The third thing you need is software to do the credential stuffing, 'cause, so, the software that we use as pen testers isn't [ __ ]... for doing, like, brute force attacks it's [ __ ] terrible. Pen testers write [ __ ] hacking software, no offense lads and ladies, but what we really should be looking at is the software that some of these crime kids

use, 'cause their login testing software is [ __ ] fantastic. OpenBullet, BlackBullet, Sentry MBA, etc. There's a whole suite of different software that's "for web application testing" and it's actually just for spraying creds [ __ ]. But these are amazing tools, like, just from a software perspective. Like, they're clicky, they're usable, but they're super configurable. Some of them are open-source, some of them are commercial, but you can write a... say you want to brute force Netflix accounts, you can write a config to specifically target the Netflix login page. You can integrate this with a CAPTCHA-breaking API to work around CAPTCHAs, you can integrate proxies and [ __ ], and then just

load in your creds and spray them, and it works amazingly well. You know, these kids have actually revolutionized certain bits of testing, where we're still pissing about with, like, writing a janky Python script to do it. No, no, these kids have software that actually works, like, actually does the job. And of course, you know, we're talking about, like, the idiot level of crime here, so, uh, if you can't be [ __ ] writing your own config for, say, Netflix, you can pay somebody else to do it. Or if, like, Netflix changes a bit of, like, how their web layout works, you're gonna have to change the config, so people sell them. And configs, like, you

can shop around and you'll find, like, configuration files that allow you to attack various services. They're prepackaged, like attack suites where you just buy, like, the config for, like, Netflix, Spotify, Pornhub, whatever, bang it into the software and you're good to go. And some of them will have, like, as a bonus, they'll integrate with a CAPTCHA-breaking thing, some will not; some will, like, not support proxies, some will. So, like, there is variation, and the prices vary. I mean, the prices vary within the region of, like, two to ten bucks, you know, it's cheap. And, you know, there's, like, this literally whole software ecosystem there, and it's pretty neat to, like, observe that there's, like, that thing. And

then we've got the fun problem of... this is where it got really fun. So how the [ __ ] do they make money out of this? What do you do with, like, a bunch of accounts for random [ __ ]? And this is where it took me a while to get answers. I had to go and actually talk to people, which I [ __ ] hate. You know, you have to message some idiot on Jabber and you're like, "so, uh, so how do I make money off this?" You know, you have to, like, pretend to be a crook a little bit and, you know, cosplay as a cybercriminal on the internet, which was a lot less fun

than you think, 'cause, like, you're dealing with a bunch of [ __ ]lords and little edgy teens who think that they're big [ __ ] because they're doing, like, hacking Netflix accounts, and you're asking them, "so how do you make money off this?" And it turns out that some things, like porn site logins, Netflix logins, Spotify Premium accounts, VPN services, there's this fantastic secondary market for, like, reselling those. People just [ __ ] go and buy Netflix logins because they can't be [ __ ] paying for it themselves. You know, people are a little bit on the sketchy side of life, but I mean, they just go buy it because instead of paying, like, your 7 or 8 bucks a month, you

just pay 10 bucks and use somebody else's [ __ ] login for a while. And it's not like, I mean, anybody here use Netflix? You know how many people you share your password with? You know you're never gonna change that [ __ ] password; you've got the account for life, because next thing you have to ring your second cousin three times removed to tell them. You know, he rings you up going "have you changed your Netflix password?", you're like, "I haven't spoken to you in three years since... I've never..." So if you ever want to, you know, get in touch with, you know, far-removed bits of your family, you just change your Netflix login, they'll come crawling out of the

woodwork. So, you know, you've some [ __ ] you can directly sell, and then you've got some other [ __ ] which is more involved and lucrative, like cash-out stuff. So I decided to take a look at a couple of these, and some of these are fascinating in their ingenuity, as, like, just the kind of the level of, like, should we say, criminal thought that goes into, like, some of the ways they cash out is just amazing. And I was like, [ __ ], that's actually kind of cool. So the first one is: why the [ __ ] would you want a million Spotify accounts? Well, it turns out some crackers made a service called

Lana fight. It's a streaming bot. I didn't know that if you publish music on Spotify you can get paid for it. I never realized this, and it turns out that you can get paid for the amount of times your music gets streamed or whatever. So these [ __ ] went and wrote a bot that streams your upload to, like, 10,000 different accounts so you get the [ __ ] ad revenue. And I was like, that's [ __ ] clever. [ __ ], they've just turned, like, a bunch of, like, password123s into Spotify cutting them a check every month. Like, [ __ ], these little shits probably make more than I do. They've got a successful music career;

it's all legit, they probably even pay tax on it. Well, [ __ ]. And they, you know, this is just one of the many ways. It turns out that, like, inflating YouTube views and making revenue that way, there's various other services where, for your content being streamed, you make money off it. And, oh, I don't fully understand some of it. Like, I've no idea how Twitch works, but apparently there's ways to make money through Twitch, and I guess if people are watching you play Minecraft or whatever, but they have bots that will increase your view count. I'm like, well, [ __ ], these little shits have got it figured out. Yeah, that's just one of the ways

that they monetize what I thought was a useless resource. I did not think there was any value in having, like, 10,000 Spotify accounts until I stumbled across this, and it was like, oh, ah. And then we've got some more traditional fraud. So, certain websites which shall not be named, but we all have used them; the website I'm speaking of in particular also offers a web services thing and they used to be a bookstore, but, ah. So you can buy gift cards from this company using your stored credit card details that they seem to just retain forever, and when you buy gift cards, those gift cards for that website are, you know, resellable online, and there is an

actual legitimate secondary market: if you have a gift card for some service, you can flog it for, like, half the price or whatever if you don't need it. And, legitimate secondary market, you know, it turns out that the bulk of the available product is crime and cheeky money laundering. So the simplest way to cash out is you crack a fuckload of accounts on various sites that allow you to buy gift cards through the website using stored payment details, you start buying gift cards and just flog them online. And it turns out that's an incredibly popular way of monetizing the thing, and it's fraud. And what I found fascinating is, when I spoke to some people about this, because

there's a semi-legitimate kind of secondary market in gift cards being sold, and there's third-party sites where you can buy, like, a gift card for whatever [ __ ] thing you want, the websites. So let's say I'm a normal consumer and I want a cheap gift card for a book site that also does web services, and I find a legit-seeming website that will sell me a hundred pound gift card for 60 bucks, and I'm like, cool. So I buy one. That gift card has been purchased using somebody's hacked account. That person gets refunded or whatever, and web services and books company goes, "[ __ ], we're not going to invalidate that gift card,

even though we've refunded and whatever, because it was fraudulently obtained, because it's now been passed on to somebody and we don't want the bad PR of, like, cancelling loads of people's [ __ ]." So there's this kind of fascinating thing where the person who gets [ __ ] in the end, like John Q. Consumer with password123, gets royally [ __ ], and the web services company also makes a loss, and the bank's also getting [ __ ], and you've got some cheeky scrublord somewhere just laughing all the way to the bank. And yeah, that's, like, a huge thing. Like, if you look on any of the forums, there's, like, you get, like, a PSN gift card, you know, sold at, like,

half price, and there's, like, tutorials on how to set up your own shop for these things, how to automate the process. And the third way to cash out is fascinatingly funny. So it's video game accounts. Online games have stuff like rare items and all this [ __ ] that are traded, like your skins in Fortnite or what-have-you, and in-game items get stolen. Like, say I hack into somebody's Fortnite account or whatever and they have some rare items that, I don't understand, like, I'm not really a games person, but I vaguely understand you can transfer these things to another user, and apparently people actually pay money for in-game items, so they've direct financial value, and

you end up with, like, loot boxes and all that crap. People, like, break into your Steam account or whatever, buy a bunch of crap or, you know, just give another account all their items, and the items get sold. And it turns out this is a huge problem, so much so that one of the games companies, one particularly popular mobile game, they had such a problem with account hijacking that they actually incentivized their players to enable two-factor by giving them some rare in-game item. It was worth, like, ten bucks of, like, virtual currency or something, but you could only get it if you enabled two-factor. Suddenly they've all the kids figuring out what the

[ __ ] two-factor is and enabling it, and you've got games companies now having to do security in ways they never thought they would. And I just thought this was really neat. And it turns out that, like, for some reason video game accounts are a popular target for this kind of thing, because, apparently, like, in-game items are worth money and there is value there. You've got then the... I mean, you've got the direct-to-consumer sales of accounts, which is, like, the most obvious way of cashing out. Now, this is a screen grab from an account shop that I stumbled across, one of millions of account shops, and this was pretty neat, so you can actually see the prices there.

Like, an account on some IPTV thing is six bucks; ten bucks for a Peloton account, so you can pretend to be cycling or something, I don't know; Adobe Creative Cloud goes for fifteen quid; you can, uh, you can steal somebody's antivirus license for ten bucks; VPN accounts are a popular one for sale. This is just a screen grab of, like, just what was visible in my browser. I scrolled down and it was scrolling for [ __ ] days. You know, you want the subscription to pretty much [ __ ] anything, somebody will be selling it at a cut rate. Like, there was every newspaper I could think of, there was like, "oh, we've got a subscription

for that for you, a lot cheaper than the newspaper will be charging you for it". VPN providers, every adult site in the world, you can just get your accounts there, and that's cheaper, and also crime, whatever. And the scale of the problem is, like, it's pretty impressive. If you go on Google right now and just look up the words "account shop", just search that, you will find, like, a few. You know, you don't have to go looking on the deep dark web or whatever. No, no, you just Google "buy Netflix account", "buy Twitter logins", and that's just out in the open, just brazenly, "oh yeah, you want ten thousand Twitter accounts? That'll be a couple hundred bucks". You

know, and you can see where that one goes. Or you want a load of Spotifys, you just go and buy the damn things. And yeah, it's just business, I guess. And the scale of the problem is pretty weird as well. So these are numbers that I kind of have estimated based on browsing a couple of forums. I think these are conservative estimates, and this is just... I did have a very, very pretty set of graphs for this but I [ __ ] up 'cause I'm a numpty and left the graphs behind. So there's at least a couple of hundred account shops that I've been able to stumble across and find, like, hundreds, probably thousands of, like, little shitty

smaller account shops and stuff, but [ __ ] loads. Every little idiot seems to be able to run one; there's no effort. Thousands of people, like, literally thousands of members on some of these forums actively engaged in credential stuffing attacks and the related criminal activity, like the money laundering involved, the cash-out operations, the database dumping shit. Thousands, most of them young men, like, mostly teenage boys from what I can gather. And this is literally, like, little [ __ ] level of crime. Maybe they graduate into real crime when they grow up, but this is actually real crime, you know. But this is, like, it's largely little shits, like, and they all have Discord channels

for the forums, and holy [ __ ], you know, you hop in any of these, like, account cracking Discords and it's just the most toxic cesspool. It's like, oh Jesus. Millions of compromised accounts every week, you know, like, we're talking [ __ ] accounts for days. You know, it's just, like, the scale of, like, what you can do with some of this software. Like, you can test thousands of logins per minute, like, on a pretty [ __ ] connection, through, you know, you can just hammer it out and it's just raining accounts. And, like, some of the numbers these kids are doing, I'm like, [ __ ], that's a lot of crime. If each one of those is, like, a Computer

Misuse Act offence by itself, which it is, I mean, you'd be breaking records. You know, if, like, every compromised account was, like, one criminal charge, we'd be [ __ ] stacking paper for days just on your charge sheet. You know, cops would probably just let you go because they couldn't be [ __ ] with all the paperwork. I mean, I assume it's like one sheet of paper for each charge, right? So, you know, it's probably, like, 10 kajillion charges, somebody'd just be like, "ah, [ __ ] this". You know, this is the scale of the problem: it's enormous, and nobody gives a [ __ ] 'cause it's not ransomware, it's not affecting enterprise, it's affecting the consumer, and nobody gives a [ __ ] about the

consumer, because the consumer can't pay for pen testing or whatever. You know, the consumer is not, you know... so nobody's really doing much about it. And there's only a couple of things that the end user actually can do to avoid being a victim of this, and that's what I'm quickly gonna go over. So if you're a consumer, there's two things you can do: you can enable two-factor, and you can use a password manager and stop reusing your passwords. That's all you can do. You're pretty much [ __ ] beyond doing that; this is [ __ ] all you can do to protect yourself. You know, you just have to kind of hope you don't get unlucky. And it's

really amusing, like, because, like, somebody in the, like, in the community recently went, "[ __ ], I just found out some cheeky little [ __ ] has been using my Netflix account. Didn't think that it'd ever happen to me." And I was like, it happens to everyone. You know, it's like, it could be happening to you right now and you would never know, until your recommendations get all weird, until you're like, "hang on a minute, why are my recommendations full of watch?" And that's the first hint that, you know, somebody has [ __ ] wrecked you or your account's been sold. You might never realize it, because, you know, it's

like, it's kind of like, it's the type of thing where you feel uncomfortable because you've been owned, but it's not doing enough damage to you for you to really care too much, until, like, they hit your Amazon, sorry, the unnamed web services company, and royally [ __ ] you by charging, like, 10 grand to your credit card in gift cards or whatever. But yeah, you can do shag-all about this. And if you're a site that is a target of this, if you run a website that does anything vaguely interesting for users that has accounts, you're going to have credential stuffing happen. I've chatted to a couple of devs at a start-up in London that has an app

that's, like, very popular with the kids these days, and they were like, "ya know, we've started getting all these credential stuffing [ __ ], we have no [ __ ] idea what they're doing with the accounts, we see absolutely no value in these accounts being compromised, but the kids are hacking the accounts anyway." And the kids may have figured out a way of monetizing the [ __ ] thing that the people at said unnamed startup haven't figured out yet, which means the kids probably have a better, more sustainable business model than the actual company they're exploiting, which I thought was kind of funny. The only things you can do are make automated login testing really

difficult, which in the era of the mobile app you're kind of [ __ ], cuz it turns out a lot of the automated brute-force scripts attack the mobile endpoint, the app API and stuff, which you don't really want to stick CAPTCHAs in your app, right? So I mean you can use rate limits, which kind of work except for the fact that rate limits work based on IP or your session normally, and well, we've got millions of residential IP addresses to use, so [ __ ] that. Same with temporary blocks: oh, what's amusing, that residential proxy service again. So get [ __ ] with your IP banning. CAPTCHAs? Oh, we can just farm that out to a

CAPTCHA farm in Vietnam and that will be fine. So I guess the only thing you can do is you can enable users to use like password managers and 2FA and be kind of a responsible company, but that, you know, that sounds like hard work. You have to implement the two-factor and you have to get rid of your stupid no-pasting thing, and that sounds like an awful lot of work, can't be [ __ ], we'll just let the users get rekt, not our problem. But yeah, no, if you're a website that offers a service you have to put the work in to prevent yourself from being a vector for this crime, and you should also probably fix all the SQLi

holes that will result in your user DB getting sold for like ten quid. I mean, data is cheap these days. So there's not too much more; unfortunately I don't have all the shiny graphs and stuff, so I will be wrapping up a bit early, but there's a lot more that can be said on this, kind of like, but a lot of it's like more, so if there's questions I guess, like, I could chat for days about like the ins and outs of like some of the account shops and bore you all to death with like the prices of databases, but let's not. So I guess, yeah, I'll wrap it up and say if you've any

questions or if you want to get in touch, I will be putting up the slides and a series of blog posts about all the little bits once I can actually be [ __ ] finishing the web design thing, because you know what it's like. You can get in touch via Twitter and stuff, but if anybody has questions, abuse, accusations of criminal activity, just go for it. I mean, you could get... someone's there... Yeah, the like, the cool thing is like the actual software support for like some of the tooling is actually legit as [ __ ]. Like it turns out criminals do customer support better than like certain security vendors. You're more guaranteed to get an answer

out of like crime or US than you are attainable under updates, or like a lot quicker, they ship it, you know. Yeah... I'm a big fan of that. So yeah, having a unique email address for every service is a great idea, because it not only gives you, you know, you don't get cross-contamination, but you also find out when somebody gets [ __ ]. So when you start getting spam to your email address that you only used on one service, you know that service got compromised. You know, you can use them as canaries almost, which I think is pretty cool. Unique emails, if you run your own domain and you have

your own mail server, or if you're on G Suite or whatever, like websitename@domain.com is a pretty legit way of doing it. So most of them, yeah, will be like email-password pairs, sometimes email-username-password triples, from certain like, from web Florence Jane. And when you go shopping for accounts you'll find like, yeah, you'll find it'll all be like a list of email... like, imagine a CSV file with just email, password. Maybe that is normally sold as like, here's an email and the password to log into AVG or whatever, so you know whose account it is that you've been [ __ ] with, you know, you're like, oh, this is Tim, and maybe

Tim hasn't changed his email password either. So yeah, years ago there was the same thing but it's gone... by how was that locked into this part... it's also this not get more end of teams virtues as your average my rubbish lesson... because you actually do find, like, if you... so there is actually an overlap there in a sense. So sites like, it's like the now-deceased WeLeakInfo, whose admins got posted like last week or some [ __ ]. Sites like that, you can target companies by putting in like a domain, and specifically by like the passwords that are associated to like a company domain, and you'll also find there is actually

an overlap with the RDP shops. So a lot of the kids will buy hacked RDPs, like Windows box Remote Desktop creds, to run their tools from, because the kids are learning about OPSEC now and it's [ __ ] hilarious. But like some of those RDP sellers are literally the same ones who will sell you, say, access to company X; they're just selling different bits of the market, but the same vendors. I mean, so if you start targeting a company domain like from an RDP vendor, they're gonna rip the [ __ ] out of you on price, because they know you're looking for something, but if you just say that you want a

bunch of domain-joined remote desktops you pay like two bucks a pop, and then you, you know, you have a bunch of companies you now own. Have fun. The thing is, like, what nobody really twigs is how [ __ ] cheap access is, you know, it's a commodity. There is like overlap, but like you've got the more serious crooks doing the serious crook things, and like the funny thing as well, yeah, you've got these teens, like, some of the stuff they get access to they just don't use it to its full potential, because instead they're after their Fortnites and whatever. Any other questions? just bc... So yes and no. I have, like, one of the things that we

have observed when sitting in the boards, like when just sitting there kind of engaging with these people, is like you do have some people who are, shall we say, better criminals, right, like maybe a bit older, maybe a bit better at crime, and like they'll buy up stuff, or they'll like sometimes like drop hints, and there's almost, like, almost, I guess you'd call it like criminal mentorship. The other time, like, you know, people like show you how to set up like your own... like when you're wandering around crime forums eventually somebody's gonna be like, oh, how about, you know, do you want to set up your own botnet or whatever. And you'll find there is

overlap in tooling, um, like we've seen shitty keyloggers sold to script kiddies on Hack Forums being used elsewhere, because they're cheap. Like, it's cheap crime. Like we're talking like, I know at the moment in the security industry line we've got this whole thing about, oh, offensive security tooling being bad or something, allegedly, the Twitter nonsense going on at the moment about that, but like you can go on Hack Forums and buy a RAT for like 20 bucks. And you've got like, you've definitely got overlaps, and you've got, yeah, I mean, I wouldn't say that the Russian mafia are encouraging teenagers or whatever, but like I think there's this related interest, you know.

He said this is my house... if life is what we are really good verse there... So one of the first steps for, like, if you're a company that's, like, shall we say a target of cred stuffing attacks: start trying to mitigate it and just make it expensive. Stuff like, cut like... I've mixed feelings about the utility of like putting in like temporary IP blocks, rate limiting, CAPTCHAs, stuff like that. It doesn't prevent it, it slows it down. And actually put in logging, because you'll know straight away when you're getting lit up by some script kiddie with Sentry when your application logs start going three kajillion failed logins. And like allowing users and incentivizing users to enable 2FA

and stuff, like what the unnamed games company did was pretty lit, like actually putting in an incentive for its users. I think keeping a... not like looking for it even is like the best Eric's, like nobody really seems to look at the, you know, is our API being brute-forced, nobody really checks. Uh-huh. Me personally? No, I personally prefer the Pirate Bay. So I actually do have an Amazon account, and so I'm a little bit terrified of, uh... you see, as a much younger and stupider me found out, doors are really expensive to replace, and when somebody puts a big metal key on your door it sucks. I mean, I'm always, I'm like, yeah,

like, I kind of find it funny, like, that it's almost normal consumers, they're just a little sketchy, that is, like, a hacked Netflix or whatever, because I'm like, are you worried that like you're gonna get like a knock on the door, you know? It's just a little, it always kind of sketches me out a bit. How to get kids to not do crime? I'll get back to you on that. I guess if I can answer that question I should probably become the prime minister or something. Stuff like SSO and stuff, yeah, so that can, like, there is actually an interesting thing that I spotted when I was looking through some of the dumps

that were made available. When people use like Google as their login to, say, whatever service, when they use, say, you use Google to log into website A, and if website A gets dumped, there's no credentials for you in those, it's just like the token thing, which is useless. And I think that SSO is actually kind of neat for preventing, making this [ __ ] less useful, because it reduces the amount of credentials that you're chucking around yourself, you know, reduces the amount of management you have to do of identity, using credit on privacy a little. So yes and also no. Like, I think that yes, like, if to log into

Netflix you have to use your Google account, that means you have to compromise your Google account to use your Netflix, which, I mean, password spraying Gmail is actually really bloody difficult, cuz Google actually are good at unfuckin themselves. Yeah, this, I mean, it's kind of one of those things where it's like we can't do better but we just have to figure out how. Kind of both, like, I mean, it's, I mean, yeah, it's a bit of both, like, it's not that there's a skill shortage per se, it's misapplication almost, and I think as well like there is kind of like nobody really wants to, you know, do some, you know, sell and then manage customers for software like that, except for people

doing crime. Like, I mean, this is, that's in my view, it's kind of a bit of both, but it's a bit of a mess as well. Like, I need to do some thinking.


So there is a couple of, so that's the first part. There are a couple of publicly available lists that people have compiled of, like, the more, like, this... somebody has a list of like some of the forums where a lot of this business, shall we say, goes on. So there are directories and lists, and you can [ __ ], like, a lot of it does happen out in the open, and you can find it fairly easily, go search and gather intel. As for the staying on the right side of the law bit, sometimes that can be a bit of a pain in the ass, like you'd need to, like, it's one of those things where

setting up an account to monitor a web forum or whatever is probably fine, but you might want to speak with your legal about engaging with people a bit, because depending on like how you're engaging with people, like, do you want to do, like, I know some people who will go out and they will, as threat intelligence collection, they will go and buy database dumps, they try to buy up data, and they see this is fine, but it also could be seen as funding criminal activity. So like depending on the, yeah, your in-house, like, or your lawyer really should be consulted depending on what level of collection you want to do, like how much you want to engage with stuff like

Is controlled buying okay? Yes, no, like, yeah, I think yes, there is some value, like, especially, literally what you just said, they do the risky [ __ ] so you don't have to. I mean, I have my own questions sometimes about companies like that, about the validity of some of the data they collect, because the odd time they come out with things that absolutely do not track with my own observations, and they're very closed off about their sources and methods, but they are an acceptable source, I guess. So if you've got the budget for it, yes, it is useful. Like any information, any better visibility is always useful, but I

sometimes have my, you know, little niggling concerns in the back of my head, like, yeah, is that real, you know, or are they, like, you know, sometimes it's not that they're making up BS, it's just sometimes they're getting bad data in, giving bad data out, especially when it comes to their views on, like, sometimes when those companies talk about the prices of things I'm like, [ __ ] hell, you know, they saw you coming a lot, you know. Any other questions?

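The speaker's mitigation point, that per-IP rate limits and temporary blocks are sidestepped with residential proxies while failed-login logging still lights the attack up, as an added example that is not part of the talk: a detector that looks at the aggregate of an authentication log rather than at any single IP. The log format, thresholds and sample addresses are assumptions.

```python
# Credential-stuffing detection over constructed auth log lines (added example,
# not the speaker's code). Per-IP rate limits and blocks are dodged with
# residential proxies, so each IP stays under the limit; the aggregate still
# stands out. Log format, thresholds and sample data are constructed assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample "timestamp ip result account": first window is a spread-out
# stuffing run (one attempt per IP), second is one clumsy user from one IP.
SAMPLE_LOG = """\
2020-07-01T10:00:01 203.0.113.10 FAIL alice@example.com
2020-07-01T10:00:02 203.0.113.11 FAIL bob@example.com
2020-07-01T10:00:03 203.0.113.12 FAIL carol@example.com
2020-07-01T10:00:04 203.0.113.13 FAIL dave@example.com
2020-07-01T10:00:05 203.0.113.14 OK erin@example.com
2020-07-01T10:00:06 203.0.113.15 FAIL frank@example.com
2020-07-01T10:00:07 203.0.113.16 FAIL grace@example.com
2020-07-01T10:00:08 203.0.113.17 OK heidi@example.com
2020-07-01T10:20:01 198.51.100.7 FAIL ivan@example.com
2020-07-01T10:20:09 198.51.100.7 FAIL ivan@example.com
2020-07-01T10:20:15 198.51.100.7 OK ivan@example.com
"""
def parse(line):
    ts, ip, result, account = line.split()
    return datetime.fromisoformat(ts), ip, result == "OK", account
def window_start(ts, window):
    # Floor the timestamp to a fixed-size bucket so windows are comparable.
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window

def detect_stuffing(log_text, window=timedelta(minutes=5), min_attempts=6,
                    max_success_ratio=0.3, min_distinct_ips=5):
    """Return one alert dict per fixed time window that looks like stuffing."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, ok, account = parse(line)
            buckets[window_start(ts, window)].append((ip, ok, account))
    alerts = []
    for start, events in sorted(buckets.items()):
        attempts = len(events)
        successes = sum(1 for _, ok, _ in events if ok)
        ip_counts = Counter(ip for ip, _, _ in events)
        if (attempts >= min_attempts and successes / attempts <= max_success_ratio
                and len(ip_counts) >= min_distinct_ips):
            alerts.append({"window_start": start.isoformat(), "attempts": attempts,
                           "successes": successes, "distinct_ips": len(ip_counts),
                           "distinct_accounts": len({a for _, _, a in events}),
                           "max_attempts_per_ip": max(ip_counts.values())})  # 1 => per-IP limits blind
    return alerts
```

The single-IP burst in the second window is left to an ordinary per-IP limit; this detector only fires on the distributed pattern that such limits cannot see.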