
Your Info, Their Payday: A Look into the Info Stealer Economy

BSides SATX · 2025 · 42:18 · Published 2025-09
About this talk
BSides San Antonio 2025 June 21 at St. Mary's University
Transcript [en]

All right, everybody. Welcome to our session after the break. I hope you've had time to reconnect with some of your friends and colleagues, took some time in the villages and met with our sponsors, and hopefully you got a chance to talk with USAA, our diamond sponsor. We are also grateful to St. Mary's for hosting us here on their lovely campus, and we couldn't do this without Toyota. So I'm going to turn the mic over to Jonathan, and he is going to give us a lovely presentation on the info stealer economy. [Applause]

Sorry, can everybody hear me? Awesome. So yeah, thank you guys for coming to my talk: Your Info, Their Payday: A Look into the Info Stealer Economy. I want to point out a few expectations before we get into this. This is not a very technical deep dive of a specific info stealer. This is a more high-level, macro overview of info stealers, what they do, but also the economy and kind of ecosystem that they're thriving in. And when I say thriving, I am using no false terms. For those of you who have been in the threat landscape

as defenders, practitioners, etc., a lot of you may know that info stealers are quickly rising as a reputable threat vector. I think maybe a year or two ago it was exploitation of public-facing servers for things like software-as-a-service vendor tools. That's still the case, but those are tying in together, to where a lot of these exploits in a lot of these large-scale campaigns are being facilitated by info stealers. So I think this talk was important, because I had a lot of people within my organization and within the wider threat intelligence community ask what's happening with all these

info stealers, what does it do, what does it really mean for defenders. So I'm going to talk a little bit about how they work, the ecosystem, some practical tips for defense, and I think we're all just going to have a good time and learn some new stuff. All right, awesome. So, a little bit about me. I'm on Twitter, God's Slow Macro. You will not find a lot of technical stuff, more like just memes. But, you know, they're technical memes, so bear with me. I graduated from UTSA, so I'm a UTSA alumnus. San Antonio raised, went to Business Careers, now NSITE, just down the road

at Ingram. I did a digital forensics and cyber dual major; sorry, an information systems and cyber dual major with a minor in forensics, and I graduated in 2020. During college I did a lot of different internships. I started out in MIS, crawling under the table to put in Ethernet cords, basic PowerShell updates I didn't understand. I went to DFIR; I worked at CrowdStrike within Falcon Complete MDR. And then I also did vulnerability management and application security. Now I currently am at Synchrony Financial, where I help lead the threat-informed defense team, which is a mix of not only threat intelligence but

also detection engineering and kind of security engineering. In my spare time (I have no spare time) I'm currently at Johns Hopkins University, where I study global security studies, which is just a weird mix of cybersecurity, homeland security, politics, and international relations. So if you ever want to talk to me about the more human side of cyber stuff, such as North Korean threat actors, fake IT workers or something, I'm your guy. So why am I standing here ranting about info stealers? Well, according to Huntress, in their 2025 report, info stealers are behind 24% of incidents that they saw. Verizon came out with a recent DBIR report,

which, if y'all haven't read it, it's the gold standard in security, but they saw that 54% of ransomware victims reused information-stealer-exposed credentials. Additionally, 88% of web application attacks, those are a lot of those public exploits against software-as-a-service vendor tooling that I mentioned, involve the use of stolen credentials. Info stealers are causing major impact and damage from a downstream perspective. Let's look at Snowflake, right? Snowflake got popped with a bunch of info stealers. A lot of credentials were obtained that gained them access, and it breached, I want to say it was Santander, Ticketmaster and a few other ones. So there was a lot of

downstream impact, as in you target this vendor with info stealers, you gain credentials to a lot of different environments, and you're able to access those environments too. So information stealers are now playing a role through the entire attack chain. It's not only used to gain that foothold to enter the room. It's also being used to keep that door open. And it's being used by both cyber criminals and state-aligned threat actors. So, one, information stealers collect a lot. We're going to go into specifically what they collect, but they collect a lot, and that makes it really easy. And when you think about advanced persistent threats,

state-aligned actors, you would say, why don't they just use a lot of their sophisticated stuff that makes them sophisticated, that makes them advanced, that puts the A in APT? Well, it's a low barrier of entry. Why are you going to spend cycles exploiting or creating custom tools when you can just use information stealers that already give you a lot of information? Also, why are you going to take the risk of potentially exposing your infrastructure, your tools, to intelligence researchers, vendors like CrowdStrike, Mandiant and such, when you can just use credentials to get your way in the door? So, why are they such a headache?

To practitioners, a lot of times the theft is instant and often irreversible. So credentials, tokens, and cookies can be exfiltrated like that. CrowdStrike does a great yearly blog where they talk about the breakout time, the breakout time from initial access to hands-on intrusion, and that amount of time is going to like eight, I think it's like 18 minutes or something like that, but even shorter. So the time from info stealer exfiltration to potential hands-on-keyboard incidents is all decreasing in pace. Long-term exposure: stolen data is reused months later. You know, you can take it,

you can sell it, maybe it doesn't sell immediately, but then someone says, hey, I want to hack that company, cool, I'm going to buy it. So it can stay there for days, and you have to rely on the organization that rotates its credentials. I don't know if you've ever been in an organization. I don't know if that happens. But a single log can lead to an incident, right? It could be maybe a VPN credential. It could be an MFA token, something like that. A single log or source of item for the info stealer can get you that access. And when you're grabbing logs that have a lot of volume, it

just takes one, right? Info stealers can capture valid session tokens in cookies, allowing for remote session hijacking. So a lot of MFA stuff they were circumventing, and a lot of zero trust controls. Remediation is incomplete. Password resets don't invalidate the data that was taken a lot of times. Session tokens, OAuth keys and app secrets, if you don't rotate them, if you don't immediately take action, they extend your overall exposure. When I look at an info stealer incident, in the process tree, if I see it's made an outbound network connection and data was

exfiltrated, right, we have an incident on our hands. A lot of people say, "Oh, I killed it. I killed the process. I removed it." No, it already made an outbound connection, and you need to start incident response. So they're quick, and they keep defenders on their toes. So, let's talk about the timeline, right? So, early 2000s, a lot of the OG hackers created things like Sub7 in 1999. Those are basic remote access tooling. That started out, a lot of it was basic key capturing, screen capturing. They did it a lot

for pranking, you know, so maybe it wasn't exfiltrating VPN data, but it was getting your CD tray to open, something like that. But it was very manual, and you had IRC chat, floppy disks as the main vectors. Going towards the late 2000s you had Zbot, ZeuS bot; those are kind of purpose-built info stealers. Those were kind of the first banking trojans, if you've heard that going around. That world has kind of died down a bit, but it was very prevalent for the last 10 years. So those started to harvest things like FTP client credentials, like FileZilla, Outlook data, browser form data. They did man-in-the-browser keystroke logging.

And then of course, with all of the old forums and stuff, you started seeing the rise of MaaS, which is malware as a service. So like, hey, I can give you this, I can sell you this, I can do this for you, right? So you start seeing that kind of ecosystem start to really pop up and thrive on the dark web. One example is a forum, ShadowCrew, one of the first ones, right? They started offering things like that on that forum. 2010s, banking trojans. So a lot of it was, hey, we're creating this, but

it's very financial-targeting based. So that is kind of aligned also with the uptick in trends on ransomware, right, because a lot of times they will be doing it to collect the credentials and stuff and then pop ransomware. So they were increasingly targeting banking info. So that's credentials, relevant PII, and credit card information, check data, stuff like that. You start seeing a lot of the really prevalent forums that we know today, and a lot of them all shut down, you know, Darkode, RaidForums, Breached, stuff like that. Then in recent years you kind of have a lot more just e-crime, APT, and

really advanced adoptions, and that is really they started seeing info stealers utilized for a lot of different things. So you have intelligence collection, but also, like I said before, you're using it to create a foothold for these intrusion campaigns and operations. So you start to see that e-crime economy kind of expand to specialize in the different needs of someone who wants to use an info stealer against an enterprise. Do you want to use it just to get the data and sell it? You don't care about the enterprise at all. You don't want to do anything else. Do you want to sell it for people who want to ransom the organization? Do you

want to create kind of an affiliate operation, in which you get them and then you sell them to people that you trust to do operations, and they give you a cut? You start to see all of these kinds of relationships, alliances, stuff like that form. And then of course you start to see a lot of different malware families. So you see Vidar, Lumma Stealer; Lumma got taken down like a month ago by the FBI, and they're starting to already increase in operations again. Raccoon Stealer, RedLine; most of these have gone through some type of FBI, DOJ, Europol, Interpol takedown, but, you know,

it was very short-term, and a lot of them are thriving still. But going into that, yeah, you have more law enforcement-based scrutiny and disruption, because law enforcement went, it's actually one of the theses I'm writing on, they went from just saying, "Hey, we're looking to arrest this person," to now saying, "Ah, too many jurisdictions, too many people in Russia, Sweden, Switzerland, and stuff. Now we're just going to go after infrastructure, because even if it pops up 10 minutes later, we can get some logs. Maybe we can get enough stuff over time to make an indictment." And then now today, where

we are, it's kind of the recent years, but also we have a thriving economy of info stealers. You have centralized and decentralized markets. So you have aggregation forums in which, you know, there are a million different info stealers. Then you have forums for just one info stealer. You have people self-hosting their info stealer infrastructure in service models. They're easy to develop; we're going to talk about why. They're using AI now. I don't know if I talk about it later, so I want to talk about it right now. Recorded Future did an amazing blog last year in which info stealers are using something called OCR, which is

>> Yeah, exactly. Can you say it again? >> Exactly. So what they are doing, thank you. I don't have a prize, but you get a high five. What they are doing is they're utilizing AI within their info stealers to do things like extract seed phrases for crypto wallets out of not plain text files but images. So a lot of people were saying, don't store your seed phrases in text files, right? Easy enough, right? Store it in an image or something. Well, now these info stealers are using AI to do OCR to extract the seed phrases. So, you know, innovation. They got toxic AI bros also. But yeah, they're using

integration just across all parts of the attack chain. So while these attack chains get disrupted by law enforcement, we're going to talk about it later, it's often short-term and not very reactionary. So, let's talk about info stealers in general. Like I said, I'm not going to go into reverse engineering or anything, but we're going to talk about just what they do at a high level. So, initial access: there's a lot of ways they could come in. Phishing, as we know; SEO poisoning. SEO poisoning was very rampant. It still kind of is, in which you may want to, say, how I want to

download LogMeIn Rescue, right? And you go on Google, you type in LogMeIn Rescue tool. You think you go to the official site; turns out it's not. It's a malicious site that's using a lot of SEO optimization tactics to get number one in Google as the top spot. You click it, you download the tool, you downloaded an info stealer. So things like that. Malvertising, social engineering, so like Discord, LinkedIn: hey, I have this resume I want you to look at. North Korea is doing it a lot right now, not with info stealers, but just malware. They say, hey, I'm a recruiter, I want to

interview you for this job or something, and kind of vice versa, and they say, hey, download this interview software, and it's malware. Kind of the same thing. Drive-by downloads is a known tactic. So a lot of ways they could get their foot in. But once they do that, execution. So what can they steal? They can steal everything now. They can steal your session data. They can steal your saved passwords out of your Google password manager. So for example, when you say, hey, I want to save this password, they can steal that. Relevant cookies, such as session cookies,

cookies to any applications that you may have been logged into in the current session on your computer. API keys on any applications you're in. Authentication tokens, login data for things like VPN, any browser extensions. So, for a lot of people who do crypto, there's MetaMask, there's a lot of different extensions. They can grab the data off of that. So sometimes they don't even need to go into your file system to find all the crypto data or whatever. They can just find it out of the browser extensions. But yeah, pretty much anything in your active browser session. So for those of you who have 52

tabs open all the time, they're salivating when they see that. Also, when we look at the file system, they can look in documents, current wallets that you may have downloaded. They're looking for those seed phrases that can get them into the wallets, configuration files. So if you have software or anything like that, they want to look for open-source code, anything that they can kind of steal and market. Some of them are sophisticated, in which they'll actually look for that. Some of them are just like, you look like code, a log file, I'mma steal you. And additionally, system status details. They want to know what type of computer it is, because there's

some info stealers that want to make sure they're targeting production servers, not some Windows XP host. And yeah, there are Windows XP hosts still. And then additionally just clipboard contents. So for those of you who use sticky notes, clipboards, anything like that en masse in your day-to-day operations, they want to steal that. Afterwards, that's where they have the choice to deploy ransomware, additional remote access tooling if they want, but a lot of info stealers are utilizing remote access tooling and an additional payload. Anything for destruction, intelligence gathering; it really just depends on what their goal is. Then you kind of get into

exfiltration. So you can exfil by HTTPS POST requests, Telegram bots, Discord webhooks. So they can have a C2 operating as a Discord channel. C2 is command and control. It's kind of like the bad guys. So they'll be sending all of this to a Discord channel, a Slack channel, something like that, in which all the data is going there via a webhook they designed. They can set up FTP or custom HTTP servers. They have encrypted config blobs with a lot of the data that they're sending out, and it's encrypted. So unless you're doing decryption in transit or anything like that, you're not seeing it, which makes it

hard for defenders. They also have things like hardcoded domains or domain generation algorithms, DGA. So, for example, they can create domains on the fly that they purchased beforehand to send there. So, let's say if you think it's going one place, they can switch tactics and send it to three different ones if for some reason network traffic blocks it. So, they exfiltrated it. What are they going to do with it? So, they're going to sell it. They can sell the credentials, cookies, session tokens if they want to bypass MFA. They can just hijack and steal all your stuff. So if it's crypto, your Steam account, maybe they

want your video games, you know, maybe you got the game of the year edition and they saw that and they like that. Banking info, PayPal information, they can just decide, hey, I want that. They can sell that access via initial access brokers. So those are basically the people who say, hey, I have the credentials; if you want to do an operation with them, I have them to buy. So those are initial access brokers. So they can sell that access via being a member of those forums. And then, like I said before, ransom or extortion, if they are the ones facilitating that operation,

and then they can use it to maintain persistence, so they can reuse it on future sessions and utilize the tokens that they grabbed. Also, one feature that really helps the monetization and use step of the way is they're starting to use AI a lot to parse the data quickly, as far as all the logs. They do it either when they're compromising the host or sometimes when they've already exfilled, but they're using AI to just really parse the data fast, filter it. Maybe they only want company information. They can filter it that way. Maybe they only want, I don't know, Discord logins.

Maybe they only want session tokens. Maybe they only want passwords that are, if they can find it, more than three months old, stuff like that. So they can use AI now to parse a lot of the data very fast, either in real time in operations, because one reason they would do this is you don't want a 500 gigabyte text file leaving the network all at once. That's probably going to trigger some alarms, depending on your enterprise. And you can do things like beacon it out in little increments, or you can just try to trim the fat as you do your

intrusion. So, what do these cyber criminal forums that host all of these info stealers and the data, what do they offer, and what makes them so prevalent and attractive to use if you're a cyber criminal? Well, let's say you are someone who downloaded Kali Linux yesterday and you say, I want to be a bad guy. Okay, you can download the full binary. It's pre-compiled. It's ready to deploy, off the shelf. So you can just plug it, play, deploy. You have access to the whole GUI, everything like that. So it's easy. It's very user friendly. Additionally, if you just want to kind

of deploy the info stealer on an increment, you have the command and control panels that also get sold to you. So command and control panels, I have images of them later. They let the attacker manage the infected machines, issue commands, and aggregate that stolen data and parse it in a GUI format, kind of like an admin panel, if you will. They have dashboards, so you can have a Telegram dashboard, a Discord dashboard, a crypto dashboard, in which they parse all the data into those fields accordingly. It also tells you the bot status. So the bots are the infected machines. So it tells you, hey, this one went

offline, this one hasn't reported back. And it just gives you different ways to filter out that data. Also builder kits. Maybe you're technical and you want to do customization. You want to add more features, more, I don't know, injection capabilities to evade EDR, stuff like that. You can build a kit; some of them offer a GUI, script-based interface, but you can generate and tweak the builds. So there are also ones for kind of low-skill actors, in which you can make them more incremental. So you have the ones for the really technical people that give a

lot of customization but require a high technical skill set, and you have the low-level builder kits in which it's pretty much just, you want this feature, drag it. You want this feature, drag it, pay. So it kind of differs. Crypters. So crypter services, in which they encrypt or obfuscate the payloads to bypass AV engines, EDR, network traffic, stuff like that, and even hinder reverse engineering and static analysis operations. So they want to make sure that, hey, not only is it not caught, but also if someone wants to take a look at your operation, if they have your executable, whatever, they can't do that.

Packers. Packers are basically things that compress or restructure executables. So they compress them, they make them in a way that will bypass EDR. They also sell log parsers. So I think I talked a little bit before about how AI was doing it. But log parsers are add-ons you can buy that really help parse all of the logs being exfilled to make them very readable into what you want out of the operation. Also self-help guides. If you've never done it, if you want to create a whole criminal empire, they make wikis. Yeah. Exactly. So it tells them how to operate it, how to spread it, and how to monetize

it, you know. So, yeah, you have self-help people also on the dark web. These are all bundled with the kits, because they want to say, hey, it's, you know, like a little "Lego My First Stealer" kit, stuff like that. So they're very great for just selling stolen credentials, access, tools like info stealers, but the ecosystem itself supports a lot of people: developers, resellers, those initial access brokers, and then the people who want to buy them. A lot of these forums, such as, well, some of the more complex ones, enable reputation systems. So you have to post for an amount of time. You have to have a

certain account age to be able to post, because they want to make sure that, hey, the FBI guy, the local researcher didn't just turn on Tails and Tor and then connect to it. So a lot of times if you want to post, if you want to seek the more sensitive information, you have to validate yourself in some way or have been on the platform a certain amount of time. That's also to reduce scams, because who knew cyber criminal forums have criminal activities like scams. So the access also allows various abilities if you're a member of these forums. So, for example, let's say I'm company A, I work there, and I want

to hack into my company. I'm an insider threat. If I'm a member of certain forums and I have a good reputation, I can kind of pre-order credentials. So I put in the name of the company and I say, if a credential log ever comes that advertises this stuff, I want an alert. And it'll do that. So that's why you have a lot of advanced persistent threats, nation-state aligned, you know, Scattered Spider and stuff; they're utilizing these because they can just sit and wait while they do all that stuff. A lot of them are multilingual, with a significant portion in Russian-speaking communities. They have a lot of infrastructure taken there

because, you know, they can't get taken down, because you can knock on Russia's door and be like, hey, someone's hosting that, and they're going to be like, all right, go. So, here's one example of a stealer. I thought about doing Vidar, Raccoon and stuff, but I actually just stumbled upon this one while I was researching. So this one's called Abola Stealer. It wasn't on a forum or anything, not that I've seen. It was actually self-hosted on a site called Myell Off, which is very popular for selling. It's like an independent Shopify marketplace, if you will. They sell everything from game hacks,

anti-cheat stuff, all that stuff. So this is created by, they call themselves Dead Destroyers. They had a Telegram and a Discord. I was in the Discord for like two seconds and then I got kicked. Yeah. Yeah, I have that impression, I guess. But no, Dead Destroyers, I guess, is pretty popular on YouTube and stuff. They have over 30k subscribers on certain platforms. They're very popular for things like Discord bombing, in which you can buy their tool, drop it in Discord. They create a bot that basically just violates terms of service and gets that channel shut down. So, you know, the bot is

basically just the worst human being you could think of. But yeah, I stumbled upon this one. So we're going to go into it a bit. Oh, I'll come back to that one. That's not right. Oh well, I'll just come back. I'll do it now. So this is an example of one dark web forum called DarkNet Army. So you can see on these forums what's advertised. So you have "trusted RAT seller," which a lot of them just link their Telegrams. You have "free drop of logs." A lot of them, when they're free, they're probably stale logs

from a long time ago. Also "log cash out guide." So it tells you, hey, how to get rich off these, and also just, hey, can someone help me do these logs? So going back into Dead Destroyers, they have a customer review page. So for example, I found it funny: automatic feedback after seven days. They're just five-starring themselves. I mean, I appreciate the initiative. They have pages in which they showcase their capabilities. So I'm not going to read it all, but: extracts data from over 20 different apps. Extracts over 10 popular desktop wallets. Extracts system information including RDP, FTP, system info. Injects the Discord

operation. There are additional capabilities such as WM Python WM. So that's the follow-on payloads, follow-on activities. Ability to view the webcam. If you go down, where was it? Yeah. Among its commands is lockdown and encrypt/decrypt. So they have a ransomware capability. Nuke overwrites the entire main disk of the operating system, making it impossible to boot again. I wish I was five, because I did that by myself and I wish I could have blamed it on these guys. And then screamer displays a screamer for 3 seconds with the volume at maximum. I'm assuming that's like, sorry, someone screaming, like those bad YouTube videos

that circulated 10 years ago. But here's an example of a C2 panel, in which they can build the executable, put in the command line accordingly, put in the name, the file description, and then upload the payload if they want. Yeah. So here's the checkout. I put it there because you can also purchase in a lot of different varieties. So you can purchase it for one week, in which they may give you just one, I'm assuming it's one file for one week. Then you have access for one month. And then you have a lifetime subscription. So I don't know what a

lifetime is. I guess until the FBI or Cloudflare finds it, whichever one comes first. Oh yeah, here's a lot of different dashboards. So this one is Exodus, which I think is crypto creds. So various logs. There's Discord. This is where they can create their webhook if they want to inject into a C2-operated Discord channel. Here are all the different user accounts, in which these are the bots, which are just infected machines. So you see password, cookies, wallets. You see the little icons there telling you what they grabbed, like someone grabbed a Minecraft. Yeah. Oh, I had a Discord one, but I guess

I left it out. But yeah, they had one for Discord in which it showed all the profiles and said, "Hey, we have these bots," and it showed the uptime, were they online or were they not? So do law enforcement takedowns of these ecosystems work? It's kind of a mix. So, I made that joke about Cloudflare, but for short-term, going to GoDaddy and Cloudflare does a great job on a lot of these self-hosted ones. For the FBI and law enforcement operations, takedowns will temporarily mess up operations and, as I said before, bring some great intelligence, but criminals will just move to new

forums or stand up the original ones in kind of a V2 format, and a lot of times with better security. So one example on dark web forums is a lot of the higher-security ones will make you enable JavaScript. Researchers don't like that, because a lot of JavaScript stuff, when you enable it, can fingerprint your machine, and also there are those JavaScript-based web exploits that you can be vulnerable to. So they can create these defenses that act as deterrence. Also those fake or scam sites that pop up. So let's say RaidForums got taken down. You may have another RaidForums pop up in which

people are saying, I don't know if that's a scam or if that's a honeypot by law enforcement, right? So, you're kind of playing with dice there. Um, so overall takedowns aren't stopping the activity for long operationwise, but the users do get more careful. you get a lot of drop off in uh the amount of people who go to the sites and will go to the next one because they're saying I don't know if I trust that guy's infrastructure anymore. Um so they do it and they drop off to avoid getting caught or scammed afterwards. So um it's all part of a short-term uh solution as part of a wider initiative which is you want to arrest these people by and at

the very least try to dox them, try put their um identities out there, right? You may say like, "Hey, this guy's in Russia um and uh the DOJ put out sanctions against this guy. Who cares?" Well, a lot of these guys go to like another country that is affiliated with the US intelligence agencies on vacation and that's where we scoop him up. So, a lot of times it's a waiting game. So, defenses, I know I got a short amount of time, but um I there's a a million defenses we can use, right? But I want to give kind of practitionalbased ones. Um, TLDD and delivering blocking. Um, TLDD is all top level domains. Um, those are domains like uh.com

and all that, but it's also the more obscure ones like top.shop.bot, all those. Um, you can go on Google, find them all. Check your network traffic at the enterprise level. A lot of times you will see no hits or if you see a hit, it's junk traffic. Block them. You do not need them. that Ebola stealer was on a top domain, right? If I block it, it's easy. Verify false. You don't want to take down half of your network. Um, if you have proof point, any sort of email tool, uh, see if you can block uh, suspicious file extensions via email gateway. Um, when I look at my intelligence collection and stuff, I see a lot of obscure um, extensions and I'll

be like, I don't see anybody ever doing that in a realistic email conversation. I'm going to block that. Um, also, uh, CDN, so like Discord CDN, Mega File Transfer, uh, file transfer sites, Telegram. Um, if you do not need to be communicating with it with it in any way, block that traffic. Um, file and content validation, strict mime type inspection. So, you want to try to block if you have any capabilities stopping an EXE that's disguised as a PDF. I mean, EDLs do a great job of that, but if you have anything at the kind of email gateway level, that helps. Um, blocking unsigned PowerShell command, WScript, uh, at the GPL level or with some of your enterprise

controls. Um, that helps. I mean, uh, EDLs do a great job of blocking like PowerShell execution, but you always want to make sure you have defense in depth. Um, other ideas, uh, TLS inspection to decrypt and inspect HTTPS post traffic. that is very complicated and requires a lot of effort a lot of times. Uh so that's part of a wider initiative. Um as I said before, Telegram bot APIs, Discord, web hooks, other outbound channels. You want to block uh the main uh tactics of Xfill that they're utilizing. Um uh I've seen organizations disable built-in uh browser password storage via GPO, MDM, favoring password manuals like Delino or Bitwalden. um they use those alongside SSO and conditional access uh

in MFA accordingly. Um make sure to lock down um you know your administrative controls as far as like hey if this user's in accounting they probably shouldn't have the ability to access the entry ID portal stuff like that. Um, additionally, a lot of it, the last part is like basic uh stuff. If you don't have an EDL that it helps or if you have an EDL, it helps, but it's just um basic things. Monitor for LOL bin abuse like PowerShell run DL for those kind of follow on actions. Um, flag unusual access to credential stores if you have like any SQL databases, things like that. And then look at free or commercial uh digital risk platforms.

Those like Flail, Flashpoint, have I been pawned? Um, a some of them offer community offerings for small businesses, some of them are paid. Uh, but you should look up the keyword digital risk. Um, it's looking at things like exposed credentials, social media analysis of your organization. Um, and it's growing to be a very big part of your security in death defense. Um, I just have one more slide. Basically, this is a fun one. This came from CrowdStrike in 2023. This was from their intelligence team at a conference called Sleuth Con, which is really amazing in Virginia. It's CTI based um cyber crime based. They did a talk in which they went into breach forums data after it

was taken down um and they analyzed uh various um sectors and kind of the uh advertised uh stuff on the dark web as far as like advertised uh log, stolen data and stuff. And they found out that when they look at these posts and what they're priced at um for like you know passwords for like this financial company, this uh logging company, stuff like that. They found a few key insights. Government and financial sectors have a much higher pricing equilibrium than other sectorals. Age of posts slightly have a negative effect on leak data set pricing. Basically, you know, uh uh credentials get rotated, stuff gets stale. uh they could also repackage passwords and then a review comes in

saying like hey this data set is from 20 2007 you know and then the price goes down because they just want to offload it. um leaks. So if you see like a big leak at a company, it drives user growth of forums because you know you have people trying to buy it easy. You also have security resources um stuff like that. Um and then buyer demand as far as who wants to uh where they want to buy the data, it's primarily in the financial and tech sector. So that's where they're really looking. Um so I thought that was very interesting. This is a great uh just a fun little presentation in which you learn a lot

about what people price it at and the economy. So I wanted to put that in. Make sure you all watch it. But here are some great places to read about this. Do I have any questions?
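The TLD and exfiltration-channel blocking from the defenses section, as an added example that is not part of the talk. It is a small Python triage script over a constructed proxy-log format: the log lines, the hosts in them and the allowlist of TLDs are all assumptions made here, not data from the talk. It flags requests to Telegram bot-API endpoints, Discord webhooks and CDN, and Mega, plus any host whose TLD is not on the organization's verified allowlist, which is the "check your traffic first, then block" step the speaker describes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# TLDs this hypothetical organization has checked it actually needs (an assumption
# for the example). Anything else is a candidate for blocking once verified.
ALLOWED_TLDS = {"com", "net", "org", "edu", "gov", "us", "io"}

# Exfil channels the talk calls out: (label, host pattern, path pattern or None).
# Public hostnames/paths of these services; illustrative, not exhaustive.
EXFIL_CHANNELS = (
    ("telegram-bot-api", re.compile(r"^api\.telegram\.org$"),
     re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/")),
    ("discord-webhook", re.compile(r"^(?:discord|discordapp)\.com$"),
     re.compile(r"^/api/webhooks/\d+/")),
    ("discord-cdn", re.compile(r"^cdn\.discordapp\.com$"), None),
    ("mega", re.compile(r"^(?:[\w-]+\.)*mega\.nz$"), None),
)

# Constructed log format: "<ts> <src-ip> <method> <url> <status> <bytes>".
# Real proxies (Squid, Zscaler, etc.) use their own layouts; only this regex
# would need to change.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def tld_of(host):
    """Return the lowercase TLD of a hostname, or None for IP literals and
    single-label names (which have no public TLD to match against)."""
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    return host.rsplit(".", 1)[-1] if "." in host else None


def classify(method, url):
    """Return the list of reasons a request is suspicious (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    for label, host_re, path_re in EXFIL_CHANNELS:
        if host_re.search(host) and (path_re is None or path_re.search(parts.path)):
            reasons.append("exfil-channel:" + label)
    tld = tld_of(host)
    if tld is not None and tld not in ALLOWED_TLDS:
        reasons.append("unallowlisted-tld:." + tld)
    # An outbound POST to an already-suspicious destination is the stealer's
    # upload, which is why the talk mentions inspecting HTTPS POST traffic.
    if method == "POST" and reasons:
        reasons.append("outbound-post")
    return reasons


def triage(lines):
    """Run classify() over log lines; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["method"], m["url"])
        if reasons:
            findings.append({"src": m["src"], "url": m["url"], "reasons": reasons})
    return findings


# Constructed sample log (hosts, IPs and tokens are made up for the example).
SAMPLE_LOG = [
    "2025-06-21T10:14:03Z 10.0.4.17 POST https://api.telegram.org/bot7345123456:AAHexampleTokenValue/sendDocument 200 48211",
    "2025-06-21T10:14:09Z 10.0.4.17 POST https://discord.com/api/webhooks/1234567890/abcDEFghi 204 9120",
    "2025-06-21T10:15:41Z 10.0.4.22 GET https://updates.example.com/app/manifest.json 200 812",
    "2025-06-21T10:16:02Z 10.0.4.31 GET https://cdn.installer-mirror.top/setup.exe 200 1932288",
    "2025-06-21T10:16:55Z 10.0.4.17 GET https://mega.nz/file/abcdef 200 3012",
    "2025-06-21T10:17:10Z 10.0.4.40 GET http://10.0.9.5:8080/health 200 40",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["src"], f["url"], ", ".join(f["reasons"]))
```

Run it in report mode over a week of real proxy logs before turning anything into a block rule: the speaker's point is that most unallowlisted TLDs show no hits or only junk, and that is what you want to see before blocking. The exfil-channel list is the one the talk names; in practice it would be fed from threat intelligence rather than hard-coded.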

>> Like via QR code or something?
>> Yeah. I should have it. I consented for it to be recorded, so it should be recorded. They're usually pretty good at releasing it in a week or two. But if for some reason I don't, I'm Jonathan Gonzalez, connect with me on LinkedIn, and I'll send it to you.
>> Yeah.
>> Anybody else?
>> Awesome. Thanks. [Music] I forgot this wasn't my laptop, so I was about to pull it up.
>> That's all right. Everybody, thank you so much for joining Jonathan on his presentation. And on behalf of BSides San Antonio, we have a token of our appreciation for speaking today. Thank you, everybody. We have about five minutes, I think five or ten minutes, before our next presenter, so we will welcome them soon. Enjoy the rest of your break right before lunch. Thank you.