
BSidesSF 2023 - Catching the Phisherman (Nick Ascoli, Aidan Raney)

BSidesSF · 2023 · 27:05 · 730 views · Published 2023-05
Style: Talk
About this talk
Catching the Phisherman
Nick Ascoli, Aidan Raney

This talk will dive deep into the group behind what is currently the largest known credential harvesting campaign ever discovered. We will reveal how we discovered the campaign, how we determined its full impact, and the response of Social Media companies and Law Enforcement so far.

https://bsidessf2023.sched.com/event/1Hzv0/catching-the-phisherman
Transcript [en]

Hello everyone. I'm Nick, and this is my co-presenter Aidan. The talk we're giving today is "Catching Some Phishermen", or "a Phisherman"; I don't know what's in the program. Just a little disclaimer for this presentation, which is very fitting for a theater: everything we're going to be talking about is inspired by a real investigation, but has been anonymized for OpSec reasons. Which is... the person we tracked, you'll see, their OpSec isn't the prettiest thing in the world, but we're going to do our best to practice our own.

I'm Nick Ascoli. I'm the founder and CEO of a company called Foretrace. We have a booth here, so if you have any questions about the presentation, you can stop by after this or come see me at the booth. I volunteer at a group called the Traverse Project with Aidan. Aidan, go ahead and introduce yourself.

Yes, I'm Aidan. I'm a full-stack developer by day, cybercrime researcher by night, as they say. I have some published research relating to phishing and cybersecurity, including this particular investigation. I also work with several NGOs like the Traverse Project to combat child exploitation and human trafficking. My socials are there, so if you took a particular interest in this and want the full research, you can reach out to me there. As well, shout out to Mantas; he did some of the initial investigation with me, and he had an article on cybernews.com.

Cool. Just as important as who we are is who we are not. We are not cops. Sometimes people applaud when we say that; I guess you're all cops. We're also not lawyers. I say all this to say that we're going to be making some accusations that aren't necessarily based in law or things that would hold up in court, so don't hold them against us, and take everything with a grain of salt. What we're doing is inspired by data-backed things, not necessarily legal or law-enforcement-backed things.

So, this investigation is one that most people here are all too familiar with, which is phishing originating from Facebook Messenger. I no joke got a message this morning from this campaign. This particular campaign is incredibly prolific. The first time I ever saw it was in September of 2020, and it's been around since like 2018 or 2019, still to this day operated by the same exact group. Aidan came about it a similar way; I think it was a family member who was targeted by it. Most likely, by the numbers we'll get into, everyone here knows someone or has personally received the link from this campaign, or clicked the link from this campaign.

This particular campaign is the "is that you" scam. Someone will send you a link via Facebook Messenger that says, "Is that you in this video?" This is a scam as old as time itself: "Is that you? You've got to see yourself in this video. You've got to see these pictures of yourself." Whatever. When you click the link, you're sent to a fake Facebook login portal. Now, to a normal user with a normal amount of tech literacy, this is not an uncommon thing to have to deal with in a platform where, when you go to a different page or a different part of the application, you're asked to reauthenticate. Sometimes just on a time basis, people are asked to reauthenticate in certain apps. So most people don't bat an eye at the fact that they have to plug their credentials in one more time to access this video. Once you've entered your credentials, obviously they get sent straight to the adversary.

This particular adversary has posted a lot of YouTube videos, which I think they intended to be private but are public, where they demonstrate how the automation portion of this works. This is something they sent out to people they recruit to show them how to operate it themselves. Basically there's an Android emulator that has automated macros running on it that will take the credentials, spin up the thing, log into the account, send a similar message to everyone in Facebook Messenger, all of the person's contacts, automatically, and then spin down. So you can see how things like this spread exponentially: once the link hits a single person and ends up in the inbox of maybe 500 or 600 people, it goes out like that. Once we saw it hit a particular country, and I'll talk about how we track the geography of the attack, it'd hang around there for like a week or so, really spreading through to hundreds of thousands or millions of people in a particular geography.

Now, when you click the login button, and this is something I can't show here because we're actually live-streaming this, so I'm not going to go onto the infrastructure, but when you click the login button on the fake portal, if you're looking at the developer console in a browser, you'll see a bunch of 200 requests and then a 301 or 302, whatever the redirect is.

You'll see a bunch of 200 status codes and then redirects, then 200 status codes, then redirects. It doesn't take much research of the links it's hitting to find out those are all ad networks. Usually sketchy or scammy ones, but also a lot of legitimate ad networks that people use to broker or bid ads for normal to large companies. That's how the adversary makes money. That's how the scammer in this case makes money: when someone clicks the login button. They also bundle up the creds and sell them, but most of the money made through this operation is made from the ad harvesting. So it's really a form of click fraud, where you click the login button and the browser registers you as having viewed like 15 or so ads, and then the person who referred you to those ads gets a kickback. That kickback is split between a bunch of different people involved in this operation.

When we looked at the code, the HTML and the JS involved in the website, there were a couple of things that stuck out. One is that the author of the code signed it. The person who wrote the original login portal and the backends for it signed the code as their own. Two is that they used a web analytics tracker: a website that footprints the connections and takes out basic stuff, user agents, geolocations, the IP, and a couple of other things, and then extracts from that what OS they're coming from and what browser context they're coming from. We found tons of pages associated with the campaign that had the same code, but the only thing that changed between them was that the web analytics tracker would have a different thing appended to the end of it, which we would come to find out is usernames.

The only other thing that was different, and this is something that would rotate on like a weekly or monthly basis, was a server. It was a server that they would retrieve additional code from that did pretty benign tasks, usually tracking locations and referring back to the adversary's backend where the person was referred from. This is something that would stay the same for a while, some XYZ domain, and then rotate eventually. But between every page we would see this little username at the end change.

What we figured out is that if you visit the web analytics tracker itself and swap out "widget", which is what they were using to make the call to provide the context to the host, if you switch out "widget" with "stats", you're able to, without authenticating (again, don't know if that's a bug or a feature), view all of the activity on a user's account. Right when you visit the page, you see a history of the past couple of hours, and you can also see active sessions on the site. If you click "readers", that shows you all the active sessions. That's what I have on the right here. Those were people who were currently on the site, people who were referred to the site, where they're coming from, what OS context, whether they're within Facebook Messenger or not, and whether they're mobile or desktop.

Now, using these session tracking URLs, we plugged them into urlscan.io. Using a couple of relatively simple queries, we were able to figure out all of the other sites that referred people to this, or that had, somewhere in the web transactions, a referral to the stats tracking site. We found and spot-checked, I think, about a hundred of them by hand, and started plugging in the usernames to the backend of the stats tracking application that I showed you before. Clicking "view" shows us historical page views.

All of the numbers we're going to show you are from 2022. The campaign has really not slowed down at all in 2023; it's gotten a little bit larger, in fact. When you plug in one of those usernames to the page views thing, we see 8 million for that page in 2022. Each one of these is hosted by a single user. And 5 million unique sessions. So you can see these links really spread around, and a lot of people end up hitting them several times, because the tracking ID is the same but the message might be slightly different, and the URL itself might be slightly different.

Then, using a tool called Lookyloo, which is maintained by the CERT of Luxembourg, a really cool free web forensics tool, we used a feature they have that allows you to search for embedded elements across other websites that have been scanned in Lookyloo. Across urlscan.io and Lookyloo, our bottleneck is that all the pages we were looking at are things that have been submitted either manually or programmatically to these sites. So our footprint of the campaign is only what we could find. But once we get into the numbers, you'll see that that footprint alone is really substantial.

Using the embedded elements feature, we saw at the time about 489 unique domains that had the embedded element on them. We spot-checked all of them. They are all the exact same thing, all associated with the same code and infrastructure, the same pretty much everything, the same backend servers serving up the JavaScript. More recently, it was closer to 900. So that's the figure we operate on. It's probably more now; that 900 figure is from months ago. What we're operating on, putting together all these estimates we're going to talk about, is based on 900 unique domains that we found and the traffic we were able to extract associated with this particular campaign.

Now, Aidan gets to do the fun part.

All right. Let's talk about bad guy code, our author. His domain was seized in 2021, thanks to Nick's work, or it might not be Nick at all, I'm not sure. But as you can see, it's been seized. Interesting side note, and we're only going to talk about this for a few minutes: it had his phone number, his name, and when it was seized, it started redirecting to an interesting image on ImgBB. So that's quite the funny note. He doesn't seem to be too happy that he was caught.

Let's talk about bad guy code. It's relevant because when I first started investigating this group, I only knew about the author. I didn't really know the infrastructure side of things. So I reached out to this author, pretty upset. It was a family member who was hacked, so I wanted to know why it happened, who did it, and how I can stop them. Obviously he didn't want me to stop them, but he did tell me about who they were, mostly just where they're from and how much money they make. They make around $150 for every 1,000 visits from the United States. Now, to me that seems a little high, so I'm going to take that number with a grain of salt, but keep in mind that even at $5 per 1,000 visits, which doesn't seem too extreme, especially for United States users who are more lucrative, that's a significant amount of money even with the numbers we're about to see.

So let's move on. Let's talk about the revenue estimate. Like we said, we have 900 unique domains that we found through Lookyloo, urlscan, and all these different tools. We averaged the number of visitors on each of these domains, and the number came out to just short of a million, which is 985,000. That's the number of sessions per domain. Then we took that number and multiplied it by the number that our threat actor gave us, $150, and we come up with $37 million after adjusting for the click-through rate. The reason we have to adjust for the click-through rate is because most of these links never transferred to direct redirects. They were still showing the phishing page one year, two years later. So the only way you could get these ads was by clicking the login link and being successfully phished. Even then, 28% is a corporate click-through rate. Now, the user base of a corporate click-through rate is tech-literate people who are maybe a bit younger, and this is Facebook. So we can infer that the click-through rate is going to be much higher, and so, again, the number is much higher than even what we calculated. And it's still using the 900 domains, which is less than what it probably is now.

So our grand total: $37 million. That's for ad revenue. Then for credential harvesting, because we know these guys are selling these combos on the dark web, $248,000. Keep in mind, these are fresh credentials. They are actively being used by users on Facebook, so they're much more lucrative. If they're using it on Facebook, they could be using it on their bank or other sensitive sites. So they could be charging more than a dollar per 1,000, realistically. On the low end of this conservative estimate, we're getting $12 million.

Hey, Nick, the estimate is 0.15 per click. Mhm. Wait, 15 on the high end, 5 on the low end. Are you still using the $150, though? No, because the low end estimate was the ad... It doesn't matter. Okay. We're going to stick with those numbers.

All right. Let's talk about the back end. Let's talk about what these bad guys are doing. When I first started this, I took an initial index of all the different domains we had so I could perform network reconnaissance on all of these domains. One of those was nox.app, or we'll say it is. In nox.app, I found a

residual file with the text "displayz4", as well as a byline of who made this dashboard. It looked to be a splash page image that would appear behind a login prompt, so pretty useful. We did some very basic OSINT on it and found an existing dashboard that was indexed by Google. We were able to find that, as well as a repository belonging to Mr. Cheese, our kingpin here. Mr. Cheese was an author of this repository, and on his profile for this GitHub-like site we have his name, which is David L, and the name of it, Cheese Gruyère. There we go.

Using this, we were able to find credentials through tools like DeHashed. Of course, we didn't need them, because we found an unauthenticated dashboard and were able to access most of the information we needed. So let's talk about that. This is really exciting. Here we go; we're into the bad guys' infrastructure. We have combos, clusters, and users.

Let's talk about combos first. Like I said, these individuals were selling these credentials, and we could see that because on the dashboard you could export credentials based off of country, which is important because you might not want to sell United States credentials for the same cost as Indian credentials. So that was a clue that they were selling these. In addition, the format of the files they were exporting was username or email, colon, password, which, if you've ever looked at credential leaks where they're selling them on dark websites or even clear websites like, I don't know, what's one of the more recent ones that's been raided? Breached. That's the format they have. So they're definitely selling these credentials, and that's how we know.

In addition, we have clusters. We're going to circle back to that. Let's talk about users first. Each of these users of the dashboard paid to use the dashboard. They were selling this as a service. Think of it like a SaaS company, but for criminals. You could access the dashboard and use all their tools and their infrastructure, and for that you would have to pay a nominal fee up front in addition to a percentage moving forward.

In addition, we had subgroups. Let's talk about that. These clusters of individuals, which we identified as kind of like a low-level gang in a mafia. We have our kingpins and our management and our head guys at the top of the mafia, and they're taking the biggest cut. Then we have our individual groups with their own leaders, who are taking a cut from the low-level criminals who would be responsible for spreading these links using the tutorials we talked about earlier, which they're finding on YouTube. Each individual user had their own page, and this is where we were able to confirm the idea that they're redirecting to multiple links to increase profit, and the compensation. By default, these users were getting 30% of the money they made. So the kingpin is taking 70% of $37 million. That is a lot of money for phishing. This is a low-level crime; we don't think about it as organized crime. At least I didn't before I learned about this. It puts in perspective the amount of money these organizations can make when they get to a scale like this. And then for these groups, they were also able to specify how much their individual users make. So that's that structure again.

All right. Let's talk about Mr. Cheese again. He's very important here. He's also my favorite person in the whole wide world, because I'm from Wisconsin, so I love cheese. Mr. Cheese had this repository, which he created, so we could see his name. Through that name, we found a LinkedIn. This LinkedIn has a company that he owns and operates called Détails Automatiques. That's not how you pronounce it; I'm not French, I don't know French. This is in Paris, France. Think of this as a front company, because there's no way... I mean, I'll give you credit, you can probably make a lot of money detailing cars in France; I'm sure there are some nice cars. But you're not making $37 million and taking home a Ferrari, right? That's just not realistic. What let us link this company to the dashboard is an account named after the dashboard where they uploaded files relating to the company. So, very clearly, this is a front company. We were able to confirm it, again, through the name of the file and the name of the account with this document.

So that is a taste of the infrastructure and scale of this organization and how they operate. Normally here we would do a live demonstration of some of the other pages we found, but since this is recorded and live-streamed, obviously we can't do that, because if Mr. Cheese himself is watching, we wouldn't want him to know what we know. So, again, just a taste of this. Any researchers in the audience who want to reach out to us afterwards, please do; we'd love to work with you. And of course, our socials are on the first two slides. If you got a chance to take a picture of that, you can reach out there as well. After that, I will pass it on to Nick.

Okay. A question you might be asking yourself, after hearing about a pretty common and relatively unsophisticated... well, impressively sophisticated for the nature of the operation, but relatively unsophisticated technically... you might be asking yourself, why does this matter? There are a million of these going on. The scale they operate at is relatively large, but the victim here is just the end user having their credentials stolen.

In all of the post-work, after collecting all the numbers and collecting a lot more forensic artifacts that we ended up delivering to a lot of different parties who may or may not have been involved, we found a lot of third-party web application deployment services that the adversary was using to host the websites. These are really common, right? glitch.me, ecoz.net, SamCart, which is largely hosting legitimate businesses. All of these service providers are places where you can typically quick-deploy a project using their infrastructure or yours, but host it using them as a parent domain, so your project is a subdomain. Now, it's not super easy for these social networks to outright block the use of all of these third-party web application deployment services, because they could be blocking a lot of legitimate activity. We reached out to a lot of these.

The adversary themselves has a page that they send to the recruitees to generate these URLs, and they have options for most major social network companies. So they're not strictly focused on Facebook. The numbers we covered are specific to Facebook, but they're focused on all kinds of different social networks that people operate on. This is a relatively anecdotal finding, but in looking through all of the web forensics tools that inventory the subdomains of these places, and checking them out in very large amounts, it seems like potentially an overwhelming majority, or at least a lot, anecdotally an overwhelming majority, of projects spun up on these services are scams, are phishing pages, are totally illegitimate, and do not represent real companies on the back end.

So we reached out to all the parties involved, told them about the scale, told them about the numbers, and gave them all the artifacts they needed to do whatever it is they want to do with the information. And, surprisingly or unsurprisingly, we got no response. Well, we got responses, but the responses were sort of a "we don't want to know" kind of situation. You might be asking yourself why, or maybe not, but put on your tinfoil hat for this one.

The adversarial activity operating on the social networking sites, as well as on the third-party web application deployment services, and this conversation is informed by conversations with a lot of people who work in internet advertising and online ad bidding, a lot of this malicious activity generates, based on the numbers we showed you, just about a billion clicks from what we found over the last year. It generates a lot of traffic. Now, for the web application deployment services, this traffic is their metrics for success. It's the new users, it's the new websites spun up, it's new accounts, it's retention rate, it's referrals from other websites. The numbers generated by this malicious activity are the success metrics they use to raise money, that they show their board, things that they deliver to say, "Look how much activity is going on on our website. Look how many people are using our web service." It's really ideal for them not to know.

On the advertising side, after conversations with ad bidding people, a lot of the social networks price their ads by the previous day's activity and by volume: how many people are visiting our website, how many people are clicking links and leaving our website, how many people start on Snapchat and then end up on an article or in a web store or in something else. This is part of the algorithm, apparently a reasonably large part of the algorithm, that informs how much they're going to charge for an ad. And ads on these platforms are their bread and butter. It's really how they make money, and a lot of them are struggling right now, at least in the stock market. So suffice it to say, eliminating all of this traffic, which, anecdotally, having looked at a lot of the sites spun up on these quick web app deployment services, looks overwhelmingly malicious... I mean, we're talking about billions of clicks just for a handful of campaigns. Allowing this activity to continue, or at least looking the other way on it, is good for the books. It's good for the bottom line. It's really helpful for raising money, and it makes money. There is actually a financial motive to allow the activity to continue, because the victim here is, A, a small part of the bottom line of many companies who are paying these sketchy ad bidding services to present their ads, but also the users. And these are end users, to the tune of... we see them selling the credentials. In the dashboard we had access to the export function for the combos, which they organize regionally, and we're talking tens of thousands, usually in a couple of days: clear them out, tens of thousands, clear them out. That's how they operated. So we're talking about a lot of people, but it's just people, and they're not complaining. They're certainly not organized in their complaints, and they're not really blaming the platforms for the scam. So really everyone's happy with the way things are right now. Despite the very impressive numbers, the impact to the user doesn't seem to be enough to move the needle, despite the relatively non-technical solutions that would be required to patch up this problem, sort of once and for all.

So, with that said, you can take the tinfoil hats off. I'll finish the presentation with the second annual Scammy McScams-a-Lot Awards. We did this one last year for a different scammer, but for this year, again relatively unsurprising, our winner is David El Gruyère from Paris, France. Net worth: maybe $30 million. His hobbies include stealing your grandparents' Facebook credentials. The superlative he's been presented with this year was Most Atrocious OpSec. We just touched on the amount of stuff that was out there about this individual and their groups and the employees of the front companies, but the opsec was truly, impressively bad. So, round of applause for David. Good work. See you again next year.

So that's it. Thank you for sticking around. We'll now open the floor for questions.

Well, instead of reporting to the companies, why don't you just report to the podcast company and report to the board instead of reporting financing? Don't forget to repeat the question. That's an idea. His question was, why don't you report directly to the board? I can't imagine the board would have a different resolution. It's good for business, or at least it's good to look the other way to maintain the business, because removing the activity is going to hurt ad revenue, and it's going to hurt user metrics for the web application deployment services. So, who knows?

Yeah. He said the audit board would want to know. Probably true. Yes, that was the annual figure. So that's about like, again, if we're talking about $150, which was what he said for 1,000 visitors from the US, that's like 15 cents a click, which is insane and probably not accurate. We put it down to a more realistic 5 cents, informed by conversations with ad rev people, or five per session. That put the annual revenue probably closer to 15 million. Again, the low end was 12. If they're telling the truth, if that's how much they get, because most of their visitors were from Europe and the US (we could see the regions, right?), most of them, if they're actually worth that much, then it's closer to 20 or 30 million. At the high end, 37. But again, just of what we found. That's just in what we found in our poking and prodding.

Any other questions? All right, I think we're good. Thanks, everyone. [Applause]
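The two technical steps the talk walks through, the pivot Nick describes (every kit page carries the same code, and only the username appended to the analytics tracker URL and the periodically rotated script host differ) and the revenue arithmetic Aidan presents (domains × average sessions per domain × payout per session × click-through rate), as an added example that is not part of the talk and is not the speakers' tooling. The tracker host, kit script hosts, deployment-service subdomains, usernames and page bodies are all constructed stand-ins; the "/widget/<username>" to "/stats/<username>" swap is modelled only as the talk describes it, and the real service's path layout is an assumption. One arithmetic caveat worth noting: the talk's own figures reconcile at $0.05 per session for the low end (900 × 985,000 × 0.05 × 0.28 ≈ $12.4 million), the "5 cents" rate from the Q&A, not the $5 per 1,000 mentioned mid-talk, which would give about $1.2 million.

```python
"""Pivot captured phishing pages on a shared analytics-tracker username and
size the campaign with the talk's revenue formula.

Added example, not the speakers' code.  Every hostname, username and page
body below is a constructed stand-in for the real infrastructure.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical analytics service standing in for the tracker the talk does
# not name.  Assumed URL layout: /widget/<username> is the beacon embedded in
# the kit; /stats/<username> is the (unauthenticated) traffic view.
TRACKER_HOST = "tracker.example"

# Constructed page captures, keyed by the deployment-service subdomain each
# kit copy was spun up on.  The markup is identical across pages; only the
# tracker username and, for one operator, the rotated kit script host differ.
KIT_FORM = '<form id="login"><input name="email"><input name="pass"></form>'
SAMPLE_PAGES = {
    "proj-a.deploy-host.test": f"""<html><head><title>Log in</title>
<script src="https://kit-host-1.example/js/geo.js"></script>
<script src="https://tracker.example/widget/alice"></script>
</head><body>{KIT_FORM}</body></html>""",
    "proj-b.deploy-host.test": f"""<html><head><title>Log in</title>
<script src="https://kit-host-1.example/js/geo.js"></script>
<script src="https://tracker.example/widget/alice"></script>
</head><body>{KIT_FORM}</body></html>""",
    # Same operator, but the kit script host has rotated to a new domain.
    "proj-c.deploy-host.test": f"""<html><head><title>Log in</title>
<script type="text/javascript" src="https://kit-host-2.example/js/geo.js"></script>
<script src="https://tracker.example/widget/alice"></script>
</head><body>{KIT_FORM}</body></html>""",
    "proj-d.deploy-host.test": f"""<html><head><title>Log in</title>
<script src="https://kit-host-2.example/js/geo.js"></script>
<script src="https://tracker.example/widget/bob"></script>
</head><body>{KIT_FORM}</body></html>""",
    # A legitimate project on the same deployment service: no tracker beacon.
    "unrelated.deploy-host.test": """<html><head>
<script src="https://cdn.other.example/app.js"></script>
</head><body><h1>Hello</h1></body></html>""",
}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.IGNORECASE)
TRACKER_PATH_RE = re.compile(r"^/widget/([A-Za-z0-9_-]+)/?$")


def extract_indicators(html):
    """Return (tracker_username, set of other script hosts) for one page.

    tracker_username is None when the page carries no tracker beacon, which
    is how unrelated projects on the same parent domain are filtered out.
    """
    username = None
    kit_hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        parsed = urlparse(src)
        if parsed.hostname == TRACKER_HOST:
            match = TRACKER_PATH_RE.match(parsed.path)
            if match:
                username = match.group(1)
        elif parsed.hostname:
            kit_hosts.add(parsed.hostname)
    return username, kit_hosts


def stats_url(username):
    """The pivot from the talk: the beacon path with 'widget' swapped for
    'stats', which on the real service exposed the account's traffic view."""
    return f"https://{TRACKER_HOST}/stats/{username}"


def cluster_by_operator(pages):
    """Group deployed kit copies by tracker username (one per operator)."""
    clusters = defaultdict(lambda: {"pages": [], "kit_hosts": set()})
    for host, html in pages.items():
        username, kit_hosts = extract_indicators(html)
        if username is None:
            continue  # not a kit page
        clusters[username]["pages"].append(host)
        clusters[username]["kit_hosts"] |= kit_hosts
    return dict(clusters)


def estimate_revenue(domains, avg_sessions, usd_per_session, ctr):
    """Talk's formula: domains x avg sessions/domain x payout x click-through.
    Rounded to whole dollars; the inputs are estimates anyway."""
    return round(domains * avg_sessions * usd_per_session * ctr)


if __name__ == "__main__":
    for user, info in cluster_by_operator(SAMPLE_PAGES).items():
        print(user, len(info["pages"]), "pages", sorted(info["kit_hosts"]),
              "->", stats_url(user))
    # Talk's figures: 900 domains, 985,000 sessions each, 28% click-through.
    print("high ($0.15/session):", estimate_revenue(900, 985_000, 0.15, 0.28))
    print("low  ($0.05/session):", estimate_revenue(900, 985_000, 0.05, 0.28))
```

The clustering step is what turns a pile of urlscan.io or Lookyloo hits into "one operator, N deployments, M rotated script hosts", which is the unit the talk's dashboard findings are organised around; the revenue function just makes the sensitivity to the per-session rate explicit, since that single number is the least trustworthy input.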