← All talks

When Headlines Hit, They Strike: Predicting AI-Driven News Scams

BSides Charm 202650:523 viewsPublished 2026-06Watch on YouTube ↗
Speakers
Tags
About this talk
Piazza examines how threat actors weaponize breaking news events — wildfires, floods, elections — by rapidly spinning up phishing sites, fake donation pages, and crypto pump-and-dump schemes using AI-generated infrastructure. Drawing on threat reports from the LA wildfires, Texas floods, and the 2024 US elections, he shows recurring patterns in domain generation, registrar abuse, and social engineering. He argues that behavioral predictive intelligence can identify scam infrastructure during preparation, enabling preemptive takedowns before victims exist.
Show original YouTube description
Breaking news creates perfect crime scenes. Natural disasters. Political scandals. Economic shocks. When headlines explode, AI-powered scammers weaponize the chaos at machine speed, spinning up phishing sites, fake donation pages, and impersonation campaigns before defenders can react. This talk reveals how threat actors exploit news cycles with AI and how predictive intelligence beats them to the punch. By mapping behavioral patterns across internet infrastructure, we identify scam infrastructure during preparation, not activation, anticipating attacks by days or weeks. Internet-scale behavioral predictive AI then disrupts this malicious infrastructure before activation, enabling preemptive blocking and takedowns. Attacks get neutralized before victims exist, dramatically increasing criminal costs and slashing their ROI. Andre Piazza Andre Piazza is a cybersecurity strategist with over two decades of experience translating complex technical trends into practical strategies. He specializes in predictive security frameworks, fraud prevention, and industry analyst relations. His background spans product strategy, engineering, and market influence, including pioneering 5 cybersecurity categories. Andre regularly speaks at industry events on cybersecurity strategy to grow awareness and build a more resilient security community.
Show transcript [en]

All right everybody welcome to my session win headline. lines hit, they strike predicting AIdriven news scams. Uh I'm Andre Piaza. I'm a cyber security strategist at B4AI and I wanted to talk today about the exploits that we're seeing out there that are news-driven. So first we're going to talk about how AI is changing the game when it comes to internet attacks. Then we're going to talk about how uh we've been developing some of uh some threat reports and we're going to go over which ones they are. And then we're going to talk about we're going to go deeper into some of those that were either disasterdriven or newsworthy material that was exploited by attackers. And we're going

to drill down on how they're executing these things. time allowing. I have a couple of other bonuses to cover with you. Number one being how to actually develop these threat reports if you're interested. And number two, what are the psychological levers that are being exploited by these attackers and who they are. Does that sound like a plan? All right, I'm going to need a little bit more from you today. Right. I wanted to make this a little bit more interactive. Does that sound like a plan? Love it. Love it. All right. So, let's get started by talking about how AI is being used by attackers. Uh, first and foremost, they're using this for good old reconnaissance, right?

They're finding targets online and they're deriving a lot of information. And this time, they do not need to do the the work manually. They can actually scrape stuff and get a lot of information back, even augmented, right? So, it's easier to find and lock targets and get to know them by using AI. Number two, Gen AI. You start sounding more human than they were before. You know, in the past, and I think we're all going to agree that fishing attempts, they were kind of somewhat easy to spot in the sense that there were grammar mistakes. uh things were incoherent in messages or you could spot things from a mile away. With Gen AI, this is actually giving

them the ability to look and sound more human than they were before and that translates into being more persuasive in the scams that they are attempting to pull off. Then there is a polymorphic code which is not anything new. uh code that is actually going to be changing over time in the in attempts to be evading detection with AI that becomes more of a thing because models can generate that type of code at scale and highly customized at a very high speed. Right? Uh you we also have some turnkey tools that we see available on the dark web such as spam GPT, worm GPT and fraud GPT which are essentially turnkey solutions for scams. They just subscribe

to those services and they got access to a model that can actually give them a lot of tools for them to uh exploit. Then we have the situation of a malicious infrastructure that is being quickly deployed. That level of automation is also not news in the industry. We've we know about this. But at this point, they can actually uh reach another level of scale and speed in those things, right? And uh a great example of that is what we have in number six, which are the DGAs. By show of hands, how many of you are familiar with a DGA? domain generated domain generation algorithms. Okay, some of you thank you. Uh so that is essentially the ability that they have

using AI and automation to create domains that are going to be essentially uh they have a pattern to them. So they're the the name of the domain is going to have like a keyword. It's going to have a dash and then numbers following that. They can create hundreds and in some of these attacks, we're going to go over the threat reports. We've seen thousands of DGAS being created. And that gives the the ability for them to do two things. Number one, to quickly create domains and deploy certificates, the entire infrastructure associate that with a cloud. And uh number two once one of them is taken down they can restart by taking up the next one. So that gives them you know a

level of persistence and continuity that we haven't seen before. And then finally number seven that we're going to see through the the talk today is the use of social media and search engine optimization. So the use of browsers to post malicious messages, right? And to gain actually more followers and to incite people to repost their own content. So we're talking here about advertising, social media, and forums. And we're going to go deeper into that. Question for you at this point. Out of these seven uses of AI by attackers, which ones are more easily detectable?

And I'm going to need volunteers, of course.

Thank you. Patterns. Right. So I'm I'm >> got URLs that don't make sense from a logic perspective because it's a word and then a bunch of numbers. That's not a typical pattern for URL, >> right? So patterns, patterns, right? What doesn't make sense and all that? How do we teach the machine though? What doesn't make human sense, right? Uh any any other ideas? What is Yes, please.

it can still be detected and create patterns along the way. Thank you. Uh I like that. Right. So what you're seeing here is a little bit of an iceberg effect. What you see towards the end of the list is usually what is more easily detectable and that poses a challenge for us because we cannot necessarily tell whether AI is behind an attack or not. We're going to see some examples today. Uh here are the the threat reports that uh my team has been developing. So this was developed by the the pre-rime labs. Uh it's a division of before AAI that actually researches threats and posts reports out there. This is a pretty good taste of what we

have available there. We do have a few more. I'm just going to give you an overview of uh you know what they are. Starting from the top, natural disasters uh you know and then uh we're going to go to the right. So, LA wildfires and the the Texas uh flood scams uh two big disasters that happened over the the last year and you know they were used by attackers in uh in an attempt to exploit people tension in the news. We have the elections in 2024. We have a tariffs uncertainty and then the Trump and uh uh Musk feud. we have a global events such as the the FIFA World Cup or the the Paris Olympics. I'm pretty sure that you

know whatever happened in the Paris Olympics also happened similarly with the winter Olympics. Then we have a geopolitics and government. We have a Venezuela. We have uh the Iran uh unrests that preceded the current conflict. We have the US Department of Education and we have more. We have the the Dubai police scam advisory there unexpected and opportunistic. We have dualingo decided to kill their mascot in social media for like a day or two and people exploited the death of the mascot as well by beat opportunists and there is the case of the hot malicious pizza. They're all crypto scams. So the there is someone that created a shop online to sell pizza and uh people actually bought pizza that

never got delivered, right? So that is the the hot malicious pizza right there. Uh the crowd strike incident was a big one back in the day. And then we had a perplexities come at browser launch that also created uh opportunities out there. Telegram APK campaigns uh this is becoming more and more prevalent. the use of uh messaging apps APIs to actually run attacks. I'm going to give you a few examples today. And then for luxury retail and CPG brands, consumer packaged goods, we have several reports there and also in the financial sector. These are all available at before AAI under resources and reports. There are a few more that were published more recently. There is the commercial

airlines impersonation. Uh so commercial airlines around the globe being impersonated and how people are making money off of that. And uh we have also the romance scams posted online and there's always something coming right for the presentation today. Before I I get there I just wanted to uh give a moment to pay honor to the team that is developing these reports. uh Abu is the the lead of this team and Rishika is behind most if not all of these reports and we're going to learn as we go a little bit about their process how they're researching into these things and time allowing I'm going to teach you how to make your own threat reports before we we get into the specifics I

wanted to also mention that there are ways in which we can actually cross and stay ahead of the attackers there. So talking a little bit about the use of a predictive AI in detecting malicious domains, right? The idea is that with the use of AI, you can counter an AI attack as well. And you do that because you can actually observe and using the signals that are available, you can predict that a particular infrastructure is going to be malicious. Right? So the key data that we're going to be using is NRDS. How many of you are familiar with the term newly registered domains? By show of hand. A lot of you. Thank you. Uh so you're

familiar with that. So uh I I wanted to ask you strategies for us to actually learning newly registered domains. >> Just making a guess. Can you look at the who recording that? >> Who is record? But how do you know that new domains were created? >> Well, you're going to have information on what the data created. [snorts] >> Yeah. Yes. But that is after you have detected that that is a new infrastructure. How do you learn that there is a new infrastructure? >> I don't know. But I'm happy to learn. >> Zone files. Thank you. Uh any other ideas? >> Certificates. Very good. CTL. What else? All right. Uh, very good. I I appreciate y'all's input. Uh,

also passive DNS is another source if you have access to to passive DNS. Right. So, in brief, uh, zone files, how do you get access to that? Ayanna has a very wide coverage of domains that they provide access to and there is even a tool for you to do that to gain access to the zone files. Essentially the zone files are published by the registry the entity that actually owns the the tldd right the top level domain example.com.net.org.xyz and so forth right they have a zone file in which they publish each one of these domains that are being created right that we have available for most but not for all key exceptions being do.org.net net and a lot of the CCTLs, the

countrybased TLDDS. We're talking uh for Germany, do China, uh Spain, Brazil, and other places like that, right? So, we need alternative sources. CTL logs, right? certific transparency logs they are another source of that not 100% but a reliable source and then finally passive DNS can also see what people are trying to get to and you can learn comparing from uh what is new and and what is old right the other things and this is to your point earlier about uh who is right you can use who is or similar tools to actually get DNS records and if you do this often enough you can see how those infrastructure are actually evolving over time. So you

start seeing behavior and if you have a database of behaviors that configure maliciousness such as predictive AI has, you can capture maliciousness by behavior, right? So in short, our process is going to be uh looking at infrastructures, looking how they associate with one another. So imagine that if you had a map of the entire internet and you were able to tell how each one of those infrastructures associate and you have two main pools of data, one that is known good and known bad domains. Using predictive AI, you can associate a degree of maliciousness with each each infrastructure at the time that they're being created. Plus, if you do this mapping soon enough, frequently enough, you're going to be able to to get the

behaviors, right? So, this is what predictive AI uses to do that. So, before we move on the conversation to the threat reports themselves, I wanted to ask I wanted to give you a few ideas around know how would you go about doing that manually, right? So the first thing that I have there is checking reputations and associations IP as registers to certificates and various other DNS records. They provide you with information that you can check against a reputation score. Right? That is the the the idea behind block lists. You have a block list and you can check the reputation of a particular infrastructure. Right? This is how you do manually when you do not have

predictive AI. You can also check on recency. So recency of the registrations and recency of the certificates and how short these certificates are. And and by the way, uh I'm not saying that each one of these things individually configure maliciousness. What I'm advocating here is for, you know, expanding the context, right? The most important thing in capturing threats when they come from an external attack surface is context. So I'm kind of attempting to expand that horizon and give a few ideas around how you could be running that. Then we have the thing of a legitimacy, right? uh you can compare the DNS records from one infrastructure to a one that you know that is legit or

if you are protecting a an environment an enterprise organizational environment you can compare to your other infrastructures right that is another way to to tell first if they're different and second if they're the same depending on the record if they're the same that actually configures a problem because they're attempting to impersonate an organization. Then we have pivots which is the most important thing that you can use when you're attempting to dismantle entire campaigns. You want to pivot. You found a a registrant. You found someone that possesses a particular IP. You want to know which other infrastructures they own. And when you do that, you end up uncovering many many more domains. And you can now you have the ability not

only to dismantle a campaign but you have the ability to deter the the attacker right because you can disable their accounts. This is what we've seen in practice operating with takedowns is that sometimes when we pivot into campaigns we can find campaigns that are not affecting just one organization but an entire sector several companies. Sometimes we can see that they're actually staging things for feature attacks. You disable their accounts, you take away all that infrastructure and you provide them, you know, first with the costs and second a big effort that is all gone to toilet, right? So remember this best thing for to dismantle campaigns is to pivot in finding the threat actors. And finally

content which is you know depending on you know there there are so many strategies for rendering browser content these days. Uh there are many attempts at evading cloaking information and there is also geo fencing. By show of hands how many of you are familiar with a geo fencing? Many of you. Thank you. All right. So that is another thing you need an you know uh essentially a space an environment in which you can actually see what people are seeing in different regions of the globe in order to be able to see attacks for what they are. Right? The beauty in closing the beauty of using predictive AI in doing all these is that you can collect enough evidence

ahead of time before attacks are actually started. So uh speaking of before AI more than 80% of the takedowns are actually performed there before there is any content available on the infrastructure. So there is real potential for this to be a way of uh you know using AI against attackers that are powered by AI. This is what we're going to come back later to which is how to build these threat reports. Just want to make sure that we're going to have the time to go over my selection here. So I've selected out of uh the 25 reports that I have on screen I have selected four under the guise of newsworthy material. So I have selected the two

natural disasters and the two for tension in the news and there they are right and those are the ones that we're going to be covering today in detail. So, let's start with the LA wildfires. This is something that caught a lot of attention because it's unusual and it happened, believe it or not, January 2025. They have attempted to do many things with uh in regards to the LA wildfires. They attempted to impersonate insurance companies. They were uh of course attempting to raise funds and gather donations. they were working on the rebuilds and also attempting to simulate fire departments in in trying to get a PII from people. So, and again, this is all exploiting the sympathy and the

concern that people have for things. So if anything you know out of today you're going to see repeated patterns and uh the you know that you can actually take away and kind of spot these things earlier uh you know in your own environments and second uh there's also this recurring level of psychological levers that they're exploiting. We're going to talk more about that in a second but I wanted to give you like the high level KPIs of this. So uh 119 domains were created in six days following the the incident. So you can see that when developing these threat reports, it's really about registrations that happened around the the event. And the keywords that they used were LA

fire, wildfire relief, fund, and rebuild. You know, probably very intuitive to kind of spot these and to see that they're related to the event. 58% of these registrations came from a GoDaddy, but there were a few other registars that we usually associate with uh less reputable ones, right? But so a lot of these you can see they're coming from reputable registers that have strong abuse policies, right? That's that's the main point here. 70% of those were com followed by.org and.net. This is really impressive because this is an attempt at them to give authority and reputation to the registration to the domain and not attempt as something that you know doesn't make human sense. There's also the use of the TLD do fund

which is kind of interesting because you know it's probably a recent TLDD and it becomes a target for this kind of exploitation. Uh that being said, some of the attacks that you know they have attempted to make were emergency assistance and relief. So essentially they were exploiting people that were victims and they were attempting to get money out of people, right? Uh people were applying for emergency assistant and they were giving uh away their PIIs. legal and insurance services. Again, victim exploitation. Uh that feels really terrible, right? Considering that some of these people lost everything or you know at a minimum they were in the largest pickles of their lives along with their families and also clean up and reconstruction

services attempting to to get you know more PII and get donations. Here's one example of uh donations that they have attempted to use and this is how the their ability in finding relevant content has augmented. Uh I assume most of us are familiar with a GoFundMe campaigns. It's a a place it's a platform for donation campaigns for various uses. What you see on the left was essentially a campaign in which they were saying, "Help this dog that was a victim of the LA wildfires." And in reality, that dog has been posted three years before online and the dog was a victim of cancer, right? So essentially, they're using an image that they know that has appealed to the

public and they're exploiting that in a in a new context, which is really interesting. And this is going to be one of those recurring themes around how they're exploiting things nowadays. It's really about they're becoming really good marketing traction people. They know how to explore how to exploit channels like social media and forums and use those psychological levers to get results from people. On the right side, what you have is vulnerable animals and they have they're they're talking about horses that were affected by the LA wildfires and this has a very large appeal to people and people were donating serious money to them. Another thing that is going to be pretty recurring and you know we're going to

I'm going to show you a few examples as we go. merchandise stores. You know, people love buying t-shirts when there is an event and people love buying other things related to that. So, this is, you know, another example of a hot pizza, right? You buy a t-shirt, uh, pray for the LA wildfires and it never gets delivered. notice that I I didn't notice that until now, but they use an image that is probably the same one that I used uh to be the the cover of uh you know this piece of the presentation, right? So, I can tell they're pretty good, right? They're mimicking me. [laughter] Uh so, this is another very interesting pattern that we're seeing nowadays and

it's becoming pervasive, which are the crypto pump and dump schemes. How does that work? They get a relevant topic, they get they agitate people or people are already agitated by the news and they just feed into that. They create they mint a a crypto coin. They start posting that to relevant forums. Forums in which people that are crypto friendly uh early adopters of cryptos, you know, X is probably one of these places and they actually get people to repost their content, right? and they start pumping that thing in the sense that they create a sense of a FOMO, right? The fear of missing out of a great investment opportunity leads people into investing into these crypto scams. We have a

couple of uh meme coins that is how they are calling them these days that were actually coined and used at this right there is I think LA fire was uh pumped to 1,500% and then it was completely dumped. They walked away with the entire money. Now transitioning to the Texas flooding scams. Um I live in Austin, Texas and this happened about 1 hour away from Austin. So very close to me and some of these people were actually affected by you know of course uh this is these are rivers, right? But there were waves of water that were as tall as 20 feet of water, right? It was it was a massive thing that happened in the in the region

and kind of unheard of at least in this scale. we're going to see that they were again exploiting the victims and the public with uh things that were very similar to the LA wildfires which kind of takes me to the point of that is one of the reasons why we teach these kind of things. It is because these are becoming recurring kind of attacks and they are actually industrializing these type of attacks. So in the next opportunity, they're going to be deploying the same kind of patterns. Speaking of the KPIs for this campaign, we have 70 suspicious domains in uh 10 days of the onset of the the situation. 46 were considered suspicious registrations after the the flood's resolution. And in

this particular case, we're not deeming them as necessarily malicious. We're calling them suspicious. And this is not a minor thing. This is very important because as we're developing threat reports, we want to be very, you know, protect the integrity of people. We do not want to point fingers to people that are doing legit things. So in this case, we're calling them suspicious because we couldn't necessarily assert whether they were malicious or not. What were some of the reasons for the suspicions here? There was the reuse of a subdomain style fishing paths uh slashregister claim donate and volunteer, right? That becomes similar to an attempt at exploiting the the public in that situation. cloning of known relief or news pages very much

like lookalikes from uh previous uh campaigns and situations right so that tells us you know they're trying to exploit and probably there is a template for industrialized exploitation some domains redirecting to telegram or WhatsApp bot links this is amazing the the these messaging platforms publish APIs that actually allow people to uh bypass as they no longer need a C2 infrastructure. They can use the API of the messaging app to actually perform the rest of the attack. So that gives like you know an upper hand in terms of infrastructure that they can use. they were using here who is privacy was enabled for on 94% of these domains and the majority of them were hosted in

free page builders right which is also another pretty big pattern I'm pretty sure you saw you heard about a versel being attacked over the the past week right it's make no mistake you know it's uh there is the possibility of people using subdomains in free hosting platforms to host particularly when it's about content persuasive content that is going to be pulling people in a particular direction. Now less than 10% of these were uh available on a virus total which tells you that a lot of these infrastructures that we're reviewing today they go unnoticed right and finally these reasons for suspicions once again individually they do not configure maliciousness or even reasons for suspicions take a look at

the entire context when you're doing these uh these are some examples disaster claims fraud, donation and relief, volunteer registration baits, e-commerce abuse, search redirection and cloaking of data and reputation pigbacking, right? Just like you know.orgs and doggov style names that would give uh authority to infrastructures. A few examples, merchandise shops, things that people purchased that never got delivered, and plus they now have their credit card numbers, right? Uh, transitioning now over to the Trump and Musk feud. Uh, they fight, the internet gets entertained, and threat actors exploit. That happened in June last year. And uh that is a big example now transitioning from disasters into newsworthy material right some of the KPIs that we found

there 39 crypto domains created two days of the onset of the the situation the keywords you can see that there's a lot of verses in there uh and of course you know names right and then we we have you know billion dollar betting private access and game. So, this is interesting, right? Maybe for us that are less familiar with other crypto space, some of these keywords, they wouldn't necessarily mean anything, but for people in the space, they actually mean and they create authority and credibility. You know, I kind of surprised by private access, but you know, that seems to be an exploit into a FOMO. Uh, nonetheless, 54% were docom. So a little less they were using other

TLDDS for this kind of attack such as XYZ.info online fun space WTF live site store and ICU. Uh this is kind of interesting because this is starting to show another kind of a pattern happening here into the crypto space which is creating deep fake lives right so the the live keywords and the live domain is not a random choice these are very intentional choices on their end and again using APIs so that they do not need to build C2 infrastructure and without needing to build C2 infrastructure. They also avoid detection on that end. So here's one example of you multi- channelannel possibilities being created by these messaging APIs. to the right you have a message that was posted on X

and it's essentially pumping people to actually jump into their crypto and not only that to actually repost this context. So this is important, right? Because now we're talking about people that are not only investing in advertising their fraud, but they're getting others to post about that. Of course, they're going to be needing psychological levers to do that. And in this case, you know, uh essentially they're talking about people becoming soldiers, right? So there's a sense of belonging here and that could be exploited into other dimensions as well. Then there's a bunch of I have a list here of IoC's uh for crypto scams which also is a a reminder that uh in all these flat reports you're going to get

lists of IOC's. I haven't mentioned this to you but at any given point we're you know before starting looking into these uh threat reports the team is looking at a thousands of domains and they're able to actually figure out how many of them are really malicious which is a little bit of a funnel right so think of about a funnel a triangle in which you go from many to the vital few ones uh for these crypto scams uh there was also O the work of checking out crypto forums and social media. But as you can see from the list, it's essentially exploiting uh the personalities involved in this situation. There's also gaming and engagement lures. So uh some attacks

they actually had games that were built with these uh these two people. So you had a Trump and you had uh Allen and uh they were both being featured in in their games and there was also betting and merchandise. I think poly market became a larger thing this year and I just cannot stop seeing that on the news about a fraud that was generated you know insider fraud uh fraud and things of the sort that were actually being used in this channel. So that kind of preceded that in a few months, but the mechanism is essentially the same. You can bet on outcomes and of course, you know, good old merchandise. And then finally, we have the situation here of

the US elections. So, uh, the 2024 elections, we found a few patterns there that I'm going to go over with you, right? Number one being campaign centered around the candidates. uh presidential level and local level alike, primarily presidential of course, but there were a few local campaigns. You can see that the keywords are mimicking names and that the emotional exploit here was patriotism, fear or anger. So these are very powerful emotions that are going to be driving action from people, right? And we we got to be mindful of what's happening here, right? The idea is that they would be collecting PII including credit cards, credit card numbers, and of course getting donations from people that were agitated by those

emotions. Then we have the situation of enduring infrastructure. So you can see that a vote and election, they're kind of generic because they could be applying to any election. Uh maybe some of you are fans of uh that movie uh Napoleon Dynamite. Uh so yeah, maybe that could even apply to the election that people were uh voting for Peter, right? Vote vote for Pedro, right? It was Pedro back in in the day, right? What is the power of having a generic domain and content? It is the fact that it is enduring and it could be applied or manipulated. the the content could be pivoted to a new thing in every new situation and at the same

time you actually avoid detection. So this is pretty convenient and that is the power of uh taking down malicious infrastructures and pivoting to campaigns because you eliminate all of that effort that was built by the the attackers. Uh we also have here a big advantage for them which is those domains built to endure. They end up building credibility. Right? Remember when I told you that one of the ways of looking into maliciousness is recency. Right? In this case no they were registered five years ago. They were registered three five even sometimes even more. They have longstanding uh certificates. Right? that makes you think that those are legit infrastructures when in reality again it's about to endure. Right? A lot

of these campaigns were also applying misinformation. So you have a vote suppression. They were giving away information that was wrong about places where people could be voting locations. So locations, dates and times and the idea is that they would be avoiding people from showing up and voting. Right? That was also that misinformation was also used along whistleblower websites. The type of website in which you you read news quote unquote news about what a person said or did or what they're planning on doing and they have a levels of fakeness and lacking in reality. So there was a lot of that in this kind of a situation. merchandise shops. Some of you you can you can see

like, you know, they're pretty simplified, right? We're talking about using deep fakes, but in this case, you know, you're you know, you have, you know, pretty simplified type of uh graphics in the t-shirts and again a recurring pattern free website hosting platforms in which they have zero cost at posting content there. uh a lot of uh for this particular situation for the election uh we detected that a lot of the content was coming from China. So that kind of gives a hint of people from abroad having interests in things and uh or redirecting things. A good old redirect to ADAware or spyware making people waste time or actually attempting to get into their devices. more crypto pump and dump of course and

you can see that this is the language of how this is posted out there, how the the crypto community kind of consumes content, which is kind of amazing, right? In the sense that they're becoming better marketers than marketers themselves in exploiting these forums in learning how to talk to these particular personas, right? Here's another example of a social media traction. they're posting a particular meme and they have a coin associated with that and they're manipulating all those levers, right? Since we do have time, I'm checking here. Uh let's talk briefly about you know the the attacker profiles right who are these people right first let's just start by saying these are not state nation attackers these are not advanced

persistent threats these people have other objectives their tooling is way more sophisticated and it's about stealing IP and trademarks from governments and organizations military commercial critical infrastructure and so forth and when I say IP heres I'm talking about intellectual property right no so this is not the case their objective is to stay hidden but uh in this case it doesn't apply these are smaller attacks and these are the type of things that we can clearly see them visible and then what we have we're left with opportunistic scammers and coordinated profit seekers right they're exploiting the human nature in in the sense that They're exploiting the fear of missing out. They are uh exploiting sympathy from people. They are using the

tactics of building rapid infrastructure. So quickly deploy these things on the onset of a crisis and then get some money and then move on to the next thing. They are also using reputation piggyback piggybacking uh via their content. We also have uh the sales of non-existent goods and things of the sort. Right? So these are how the attackers are exploiting attackers. Uh today before we wrap up, I do have a couple minutes before we open up for Q&As's. And I wanted to talk briefly about how to make your own threat reports. So the idea here is that you have a very large triangle which is that process that I mentioned to you. You're going to go

from thousands of newly registered domains that you're going to be analyzing on a daily basis, right? Uh I don't know if you know this, but uh on any given day on the internet, we have anywhere from 100 to 500,000 new domains being registered. So the amount of data is really large and you got to filter this down using the keywords, right? But you're going to see smaller dark triangles in there which is which means you know as you go from domains into keywords and in keywords you start inspecting content on those infrastructures and from those you start deriving the TTPs that we described today. You can do also the opposite as you're doing as you're inspecting the

content you can learn about other potential keywords and you can augment your scope of a search. Same thing when you learn about a TTP you can look back into everything that you have already reviewed and see for other campaigns are exploring the same TTPs. Right? So it is a little bit of a convergence but there's also a divergence process in the making of this uh threat reports. So, uh, if that makes sense to you, I'm opening now for Q&A. Uh, before we do that, I just wanted to thank you for this opportunity. Uh, maybe at the end of this talk, we can mint our own uh, cryptocoin. I am suggesting crab. Maybe I don't know

if the name is taken, but that would be a name to honor uh, besides Baltimore in their 10 years since inception. I would love to connect with you and I'm going to leave the QR code for you to connect with me on LinkedIn. I'm open to questions via LinkedIn or right now.

[applause]

Thank you. No questions, huh? All right.

Yeah. Uh, regular expressions, right? So, working with domains, we're very used to typo squatting, which is the process of changing an I for a one and so forth, right? So, we the same rules apply to those

All All right. So repeating the question, right? Uh a lot of context in the art space. There's also exploitation of a sympathy from people and uh there's also content that is being created. And the the question that was asked was uh this applies to newsworthy, this applies to each one of us, right? If we're protecting a particular individual organization against these type of attacks, would the same rules apply? And the answer is yes. Right? That was the objective today is that you can take this to use and protect your own brands, the organizations that you serve.

Right. So, uh in your question would be or is that a comment?

So if I understood you correctly right uh when you own a TLDD you have certain obligations to I can and their contract means if you do not prevent abuse you're going to be punished and you know that could be as far as losing the tod entirely. >> Yes. So uh as far as I can they have placed over the last couple years probably a little longer than that but over the couple years a lot of effort and a lot of discussions into abuse prevention to the point that a todd registries are investing a lot in protecting their tods against abuse first and foremost because if uh captured uh short enough within seven days they can get the registration the I

can uh registration fees back right and that multiplies right to you know it's$1 or two dollars but you know if you have a thousands of domains applying to that you know that can over the the course of a year become large right and second because the community is realizing we have to fight bad to reputation right this is the point where some of the commercial providers were a few years ago and they have invested time and effort in making them less of an option for attackers to use, right? To the point that we're seeing some of that migration, you know, some of the attackers are migrating from those into subdomain providers, free content hosters, right? So, that is more or less

the the dynamics of the market precisely for those reasons. Thank you. All right, folks. Uh this is time for me. You've been an amazing audience. Thank you so much. [applause]

[ feedback ]