
Welcome, everybody. This is the session about Acts of God: how scammers are using AI to profit from disasters and newsworthy material. A few things that we're going to cover today. I'm going to show you a few of the cases in which that has been true, and we're going to walk through each one of the major, noteworthy attacks that are happening there. We're going to break down the exact mechanisms that attackers are using, and we're also going to be looking into the human motivations, you know, how they actually pull off scams on these disasters. I'm also going to give you a hint into how to build these threat reports. So I'm gonna take you behind the curtain into the process of building these threat reports so you can replicate some of this in your work. It's definitely gonna give you some ideas.

That being said, a couple of things that I would like to let you know. First, I'm Andre Piazza. I'm a principal product manager at BforeAI, and I'm coming from Austin, Texas. The first thing that we're gonna do is get you guys checked in. Throughout this presentation, you're gonna see a series of keyword codes. I want you to know they are safe; we're gonna talk about it. We're not collecting any information from you. We're definitely gonna talk about that as well. The first one was provided by the organizers, so you're checking in, so later when you're checking out, you can review this session and provide feedback.

Number two, this is about disasters and newsworthy material. So, trigger warning: there may be some imagery in here, and there will be mentions of politicians and such. I can promise you we're not gonna get to the bottom of politics, we're not gonna be taking sides, we're not gonna discuss the merits of anything; we're here for security. That being said, all these precautions, right? This is about disasters and all of that, so there may be something triggering in all of this. Does that sound like a plan to you guys? Okay, I'm gonna need you guys to be a little bit more participative, right? I want this to be interactive, right? Does this sound like a plan to you? Yes. All right.

So let me get started by talking about how AI is being used by attackers these days. We spend some time on this; this is what we do as a company: we're actually monitoring the internet, and we're monitoring for malicious behavior. And we've been taking a look over the recent years into what the malicious profile of an AI-powered attack is. There are a few things that we have recognized here. Number one, they're using AI to collect information from targets. So that piece of reconnaissance is still in place, and now they have the AI element on top of that. Then we have gen AI. They're using that to create content that is much better than what they used to use in the past. So if you consider those times, those years in which you would be looking into
smishing or emails and we could tell from a mile away that that was an attempt at us, that is no longer the case. They're getting empowered, not only to create content that is gonna deceive humans better, but they are also empowered now by deepfakes. So deepfakes and gen AI are definitely powering these attacks and making them harder to recognize as deceiving. There's also the case of polymorphic code, essentially very adaptable code that evades detection and changes as it goes. That is the case for some malware that we've been seeing out there, and that is something that we need to take notice of. There are also a few turnkey solutions that are available on the web, like SpamGPT, WormGPT, FraudGPT. Essentially, it's a GPT-style solution that is gonna enable them to actually package phishing kits, to package the entire solution end to end. So they do have those solutions available nowadays on the dark web.

Then we also have the case for speed and for scale in AI, so essentially in deploying infrastructure. When you think of how infrastructure is created, AI is now empowering them to do that at a massive scale, and not only at scale, but also at speed, right? Essentially, they are automating the entire process of creating a new domain and then deploying, configuring, and then making the deployment on the cloud, plus the content piece from the previous elements that I mentioned. One of the things that is quite interesting about this process of AI automation and scale is DGAs. By show of hands, how many of you are familiar with DGAs? Okay, some people. So domain generation algorithms are essentially algorithms that are being used to create domains that resemble one another. They're usually formed by having a central keyword plus numbers. So they keep multiplying the numbers, and again, that is the scale that I mentioned before. They create, they buy those new domains, they get certificates, they deploy all of that, and then they land content on it pretty fast. So DGA is actually a term that you're gonna be finding out there, and that is empowering some of these attacks.

And then finally, another very interesting piece is that all of a sudden they're realizing that they need traffic. They need to attract traffic to the domains and the infrastructure that they are creating. So criminals out there are becoming very, very good at using social media and even SEO, like paid ads, to actually attract people, to lure people into their attacks. So those are some of the ways in which AI is being used these days. And take notice of this, because we're gonna be seeing these things being deployed here. Before I transition to this slide, there was a little bit of a spoiler, but one thing that I would like to ask the room, right? Out of these seven here, which one or which ones are actually
visible, more visible to defenders? Seven.

Seven, all right. All right, okay. What else? Six. Six, okay.

There you go. You guys are doing fantastic. That is exactly what we found out in our predictions: six and seven are the most visible pieces of AI-powered attacks. So everything else stays more hidden, under the iceberg. And that is important to take notice of, because when it comes to creating these threat reports, it's really important that the human researchers that are doing the work, and I'm going to tell you more about them in a second, are actually using those signals to recognize these patterns, first and foremost.

Now, let's talk about these threat reports. These threat reports were developed by BforeAI's research division, called PreCrime Labs. They have been published over the course of the last two-plus years. And what you're seeing here is a peek into 24-plus different threat reports. I'm gonna give you a brief overview of these. And then, as you can see from the top, we're actually streaming this thing live, right? We're gonna transition into my list. So I have selected a few of these for us to deep dive into. But as an overview, we have natural disasters like the LA wildfires and the Texas flooding scams; we're gonna go deeper into them. Tension in the news: we have the 2024 US elections, the tariff uncertainty, and then the Trump and Musk feud. Global events are also exploited by criminals. We have the FIFA World Cup. Last year, around June, they started releasing the tickets, so at that point there was a flurry of domains being created to impersonate the true channels and lure people in. The Paris Olympics. And there's also the case of the Mandalorian and Grogu movie coming out later this year. Then we transition into geopolitics and government: US actions in Venezuela, unrest in Iran, pretty recent, a Dubai police scam advisory, and there's also the Department of Education phishing in the US. Side note here: I was trying to get them to do a report on the Texas toll roads. For some reason, I cannot stop receiving text messages about paying toll fees and all that stuff, but I was not able to convince the team to run a report on that. Someday
I will. So there are things that are kind of unexpected and really even more opportunistic, such as Duolingo deciding to run a social campaign talking about the death of their mascot. And believe it or not, we had people actually opportunistically exploiting that. Then we have Bybit opportunists, and we're gonna get to the bottom of several of the crypto scams, how they're using crypto scams in the other disasters, which is a good proxy for these Bybit opportunists. There's also the case of a hot malicious pizza. Somehow they came up with the idea of using paid ads on Google to actually lure people to buy pizza from a fake shop. We also have situations in tech and cybersecurity. We're all very familiar with the CrowdStrike incident that happened a few years ago, the launch of Comet, and also campaigns around the Telegram APK. We're also gonna talk about a proxy to this, and how they're exploiting the Telegram API to actually foster posts on X from users. So quite an elaborate technical landscape there. And then finally, on the last row, we have luxury retail and CPG brands. Essentially, they're highly impacted by seasonal events. So we have a few reports in the UK around the holidays, CPG brands, luxury brands, and then the financial sector, right? BEC in financials, domain spoofing for banks, and then IRS and tax scams, which will be coming up again this year in a few weeks, right? This is all available at this location, and if you email me afterwards, or if you connect with me on LinkedIn and ask me, I can send you all the links that I'm gonna be showing here during the presentation.

So these are the two people behind these threat reports. There's Rishika, who is the main author of these reports, and there is Abubakar, who is the PreCrime Labs lead. They have been spending a considerable amount of time doing these analyses. So what are you going to see here? The shape of a campaign usually starts with thousands of new domains that are created around a specific event. And they start the process of essentially removing false positives and then inspecting content, and then from the content going into
and understanding what's really going on, what the mechanism is by which these frauds are happening, and breaking it down in these reports. So my attempt today is to honor their work and make sure that we are on track to understand how these threat reports are made. So we do have here a piece of how we could be writing these reports. It all starts, and I have this big triangle, which I thought would be the best way of communicating this. Have you guys ever taken a class on creativity? Okay, have they spoken to you and mentioned convergence and divergence? Anybody familiar with the process of convergence and divergence, by show of hands? Okay, just a handful of people, thank you. So essentially, in creativity, they talk about when we want to focus and converge. So essentially you're looking for a narrow solution, you're looking to create something that is quite specific. But there's also the process of getting inspiration or getting validation, which is the divergent process, right? So usually the triangle is a good shape to symbolize all that, you know, the process of convergence and the process of divergence. The reason why I'm bringing this to you is because these skills are going to be necessary when it comes to building these slides. It's not simply a convergence process. You're going to see there are elements in which you've got to take a few steps back and diverge a little bit so you can actually find the right things in the next iteration.

So we start at the top with domains. I was talking to Rishika last week, and she told me that the latest report, which is about airlines, started with 12,000 domains created over a range of just a few months. So that is a lot of domains. And then on top of that, we're going to see in a second, there is all the data enrichment on top of that that has also got to be handled. So it's really a process of going from thousands of domains, anywhere from 2,000 to 12,000 domains, down to just a handful of domains that are really the ones that are malicious. Another very important note here: when it comes to elaborating these threat reports, they're made public. So it's really important that we do this with a lot of integrity, because we could be pointing at infrastructure, at domains, that are legit. So these guys spend a lot of time on that. Now, how do we bridge 12,000 domains down to the ones that are really, truly the malicious ones? Usually we want to inspect content, unless the infrastructure is just being used to deliver malware or something similar. And usually that bridge is really by having keywords. And that middle ground of keywords is where some of the convergence and some of the divergence is gonna happen. So they usually start at the top with a few
keywords that they believe represent the event. And they start actually looking into new domain registrations that match that profile. Before they do that, though, let's talk about how they collect, number one, domain data. Are you familiar with the acronym NRDs? By show of hands. Okay, some of you are, thank you. Newly registered domains are essentially monitored; that is essentially how new domains get created and published out there. And a lot of this information, not all, is publicly available. Does anybody know, or want to share, how we collect all the newly registered domains on the internet today? What are some of the best ways of doing that?

Say that once again. CT logs, all right, that is definitely one way, right? That doesn't capture everything, though. What are a couple of other ways in which we could do that? All right, so one way in which you can do that is the zone files that are published by the TLDs. So we do have access to most of them. I think we're talking a thousand-plus; at this point I really believe the number is around 1,300 different TLDs. Not all of them provide zone files, and you need special approval to get to those. Some of the hardest TLDs to actually gain access to are the .coms, for example .com, .net, .org, and also some ccTLDs, like the Russian ccTLD, the German, the Brazilian one, the Spanish one; those are really tough. They require special approvals and legal processes and all that. That is the most reliable way of gaining access to newly registered domains, because essentially you get a file that shows each one of them at its published time. The other mechanism, so your fallback position, would be the CT logs. So for the certificates: when the security certificates for a website are created, you can actually get that information, and that is publicly available. Then another way of getting access to newly registered domains is by using a passive DNS solution. So essentially you get a funnel of the most recent traffic, and you compare it to the websites that were already known from the past, and then you devise which ones are newly registered, right?

So BforeAI actually deploys all of these technologies. And essentially we pull all this information into a large database, and then we start the process of enriching that data. So for each newly registered domain, we actually get the WHOIS information, we're gonna get DNS records, we're gonna get registrar and registrant information, and that is gonna be used to actually understand what's malicious or not. So then the following step, another thing that I meant to say here, is detecting malicious patterns out of DNS or WHOIS records. There are a bunch of rules that could be deployed. Some of those could be automated and really run by AI.
Some of those are actually best run by humans. So this entire process that I'm gonna describe from step two onwards is really dependent on that combination of machine tools and the threat researcher, which in the future would be yourselves doing this. So the next step is to filter the domains. Essentially, we start with a large list, and we're going to be using those keywords that most resemble the events that we're trying to track. And that is a starting point, because in this database, if you're lucky and have this information in the database, you're going to be pulling a lot of different domains. And then you're going to end up with a large list of domains that you're going to have to start inspecting for content.

So this is a very interesting pattern when it comes to doing this analysis of content: you could actually be filtering by those malicious patterns that I mentioned to you. One of the malicious patterns that is most frequently used in this type of research is identifying, in new registrations and in the WHOIS records, IPs or infrastructure that are suspicious or malicious. This is how we're able to identify bulletproof hosting. This is how we're able to identify malicious behavior in terms of a rapid, dynamic change in their configuration. And this is what we're gonna be bringing to the next step, extracting the KPIs. So with each one of these reports, we have a few metrics that are being published out there. One of those metrics is the top registrars and the top TLDs used in the attack. So we're gonna be seeing down the road, when I talk about some of these attacks, you're gonna be seeing some profiles. We're gonna be seeing some of the registrars also in which these things happen. And then I'm gonna ask you if you're surprised or not by seeing those names. And also in this process of filtering, you can gain access to DGAs. And that actually becomes quite helpful, because once you identify the forming template, the pattern, you can actually apply that and identify hundreds if not thousands of other domains that fit it.

Then the final step would be essentially getting down to the bottom of the triangle, which is inspecting content. This is where the research, that more delicate aspect of the research, really starts, because by inspecting content, you actually see what they're talking about, and now you have a new list of keywords that are used in these events. And then you can retrofit this information up there and rerun the filter and everything else to identify other emails, other domains. So out of maybe a few thousand domains, we end up with a few hundred domains. Sometimes it's in the dozens, sometimes it's actually in the hundreds. But that is usually how this iterative process happens. From there, there is also the aspect that these things are getting sophisticated, and we're gonna cover this in a second. They're using social media, they're using
messaging apps, they're using all kinds of artifacts to make these things more convincing and more deceiving to the users. And then finally, this is how the reports are built.

Without any further ado, I have selected a few for us to go over today. They cover a little bit of natural disasters, they cover tension in the news, and they cover global events. So this is my list of items to review today. And, in true form to the SOC, I wanted to prioritize these four things. So by show of hands, how many of you wanna see more about the LA wildfires? A few people. How about the Texas flooding scams? You guys like Texas, thank you. Musk loves Texas. The Trump and Musk feud? A few of you. And how about the movie, The Mandalorian and Grogu? Several of you, all right. How did I know that that was going to happen? All right, so let me break it to you. I do not have a report on the new Mandalorian movie that is coming out. So we have just prioritized a false positive. I would never give you a deepfake, but I would definitely give you a false positive to remind you that accuracy is still imperative in the SOC. But I came here today in good company.
And what if I told you that you could actually take this little foundling home with you today? So we're gonna work on that, which is essentially our giveaway. And that is one QR code that I have for you. So this is how this is gonna work. First and foremost, we're not collecting any private information from you. So there are no ploys here to get your email, contact, anything of that sort. Essentially, we built this in a way that actually becomes very transparent and easy for us to follow. So you're gonna scan this QR code, or you're gonna go to this webpage, bfore.ai/mandalorian, and you're gonna get to a page where you can learn your Mandalorian name. Your first and last name are used on that web page, but none of that is tracked; that is actually code that runs locally for you, so we're not capturing anything from you. And then you're going to go to the LinkedIn post that is linked on that page, and you're going to click on that, and you're going to make a comment underneath the LinkedIn post. And that is how we're going to pick a winner: we're going to be selecting from everyone that commented on the post. We're suggesting you use your Mandalorian name if you like it; we're giving you three options on the webpage. Or you can comment, "This is the way." Whatever you comment on that post, you're actually in for the giveaway, right? And we're gonna be finding out who's the winner at the end of the event. Are we good on the giveaway? Is that okay? So I have kept the QR code on the screen in case you actually need more time to work on this. So feel free to get to work on those things.

Now we know that the Mandalorian is actually a false positive. So we're not gonna be covering that. We're gonna jump into the three topics that we have for today. So we're gonna go over the LA wildfires. This happened in January 2025, a little over a year ago. And we're gonna talk about how insurance claims, rebuilds, and even the fire departments were actually used by criminals
in getting people scammed, right? So the registration profile was around 119 malicious domains registered in six days. The main keywords used, and again, this shouldn't come as any surprise: LA fire, fire, wildfire, relief, fund, and rebuild. 58% of those registrations happened with GoDaddy. And then we have names like Namecheap, Register, IONOS, Hostinger, Squarespace, Tucows. Are you surprised to see some of those registrars being used by criminals?

You're very quiet. Is that a yes or is that a no? Not at all. Not at all. All right, I like that. So you guys are familiar with low-reputation registrars. 70% of these were .com registrations, right? And then .org and .net. So this is not really a big surprise, because they wanna show up as being government-related, they wanna show up as being official, and a lot of the look and feel of the web pages actually mimics some governmental agencies. Also, there was the .fund TLD being used in this case. They were trying to actually make use of that TLD to capture funds from the public, right? So there are a few themes over here. You can read faster than I can speak, but essentially you can see the themes around emergency assistance and relief, in which they're harvesting PII. So they make it look like, if you wanna volunteer, if you wanna donate, they're gonna be asking PII information from you that they can use later in fraud. Legal and insurance services, and this is something that really made me very sad, because people that had losses were desperate to find resources, and then they were arriving at these websites, which sometimes are even getting promoted via SEO, and landing on pages in which they're further scammed. And cleanup and reconstruction services,
That is another piece in which they're coming up with offerings that people that were affected fall prey to. Now, we're gonna talk here about the GoFundMe campaigns that we were able to find. On the left, you're gonna see the very interesting case of a dog: an image of a dog that had cancer was used in this fake campaign to get aid from people. You can see that their goal was $2,400, but they were essentially reusing an image that had been published before, and that is what you see on the right side of that image. That is a dog called Lily that used to have cancer. So Lily was recovering from cancer, and then this guy said that this dog, called Bobo, actually needed help. And on the other side, we have another campaign that was way more ambitious. They wanted $50,000, right? And it was essentially for vulnerable animals. So they're really getting creative in the ways that they're exploiting the public's sympathy and even reusing previous assets. Then we have the merchandise stores, which are a common theme in disaster situations. People wanna support a cause, and buying t-shirts or hats seems to be the easiest way of doing that. So they're also profiting from that, and of course they're never delivering the goods. Then we also have the crypto scams that happened here. So some people minted a couple of crypto coins, and they're exploiting another mechanism, which is the FOMO of investors. One of these cryptos, I believe that was the LA Fire one, was actually pumped 14,000%, sorry, 1,400%. So they minted the coin, they used social media and crypto forums to actually get people to buy. That was raising its value, and that is a new thing called a pump and dump. At that point, they liquidated the crypto and took all the money with them. Another thing of interest here is the use of social media as an attraction channel. So they're creating fake profiles, and they're putting out content that resembles something that is really like a true crypto, for people to actually pay attention and buy.

Now we transition over to the Texas flooding scams. That happened in July 2025. It was really sad. These locations are about one hour
away from Austin. We got a lot of rain, but not as much rain as they got. Essentially, people were flooded by a tsunami of eight or nine feet of water. Truly sad situation, and we're gonna be seeing that they were exploiting the supporting services, donation drives, and volunteer registration forms. So 70 suspicious domains were created within 10 days of the floods. And in this particular report we're talking about suspicious, because the content looks suspicious, the registration looks suspicious, but we do not want to necessarily claim that they are not legit, because we do not know. But nonetheless, we wanted to report, because things are really looking suspicious here, right? That is something that actually lingered, which is also surprising, because usually disasters are like punctual, but we had 46 registrations that happened several weeks after the fact. So that means that they were continuing to exploit disasters. And that is something that I wanted to share with you. Only 10% of these websites, domains, were actually flagged on VirusTotal, which shows that there is a lot of potential for us defenders to capture these things.

Now, talking about reasons for suspicion in this case. So phishing paths that are pretty common: /register, /claim, /donate, /volunteer. Those are the things that we can really use AI to track. Cloning of nonprofit relief or news pages. That is one-to-one: when you can find a match to that particular content, you know that is not an approved reuse of that type of content, and that becomes suspicious. Then we have the redirecting to Telegram and WhatsApp bot links, in an attempt to actually get the user to further trust, to share more information, and potentially even post on social media about these things. WHOIS privacy is enabled on 94% of these domains, another suspicious pattern that you capture from WHOIS. And the majority of these are hosted on free page builders. So that is another critical pattern these days when it comes to maliciousness: you're gonna find content on pages that are sometimes even free or very low cost, and they can get in or out very fast.

All right. Lots of themes to talk about, and you can see that we have some of the IOCs associated in the table: disaster claim fraud, donation and relief fraud, volunteer and registration baits, e-commerce like merchandising, search redirection and cloaking, and reputation piggybacking, which is essentially replicating content from .org or governmental websites.
Some of the samples that we have for this are a couple of merchandise shops here. I know you guys like Texas, so I know you're gonna be praying for Texas. You can buy a t-shirt that is never gonna get delivered in those shops.

And then we transition into the Trump and Musk feud. So essentially, what happened here was in June 2025, and they had some kind of a fallout. And believe it or not, people used that as an attempt to get people to do things for them. So we found 39 crypto domains within two days of the onset of their public fight. And we found a bunch of keywords, and you can see Trump vs. Elon, Elon vs. Trump, and so forth. There is one that is called Elon Private Access, which was a little bit of a surprise to me. Of course, I'm not familiar with crypto and these kinds of things. But it's kind of interesting, because in this case we have associations of keywords. So we have main keywords, and we have those compound keywords with crypto, billion-dollar betting, private access, and game, right? 54% of those are .coms. And then we have some of the other usual suspects. Probably some of you were missing a conversation about .xyz. They got much better over the recent years, but they were still used in this case. And over here, another thing that was pretty daring from the criminals was the multi-channel mechanisms involved in all this, which is exactly what I have here, right? So this website, the Trump versus Elon .com, is using code to redirect people over to a Telegram bot. Once they open it on Telegram, and in case you do not know this, Telegram is very much used by the crypto community, right? A lot of the crypto community conversation happens on Telegram. So essentially they lure people into that, and they build further trust, and they can, you know, encourage users to post about their crypto scams on X. "KTO army till the end," that was one of the ways in which they did all of that. In order to get to this information, to understand all the ins and outs, Rishika actually had
to go undercover on Telegram to be able to actually talk to criminals and understand a little bit of these mechanisms. So there's also that in the work that they are doing. Let's talk about the crypto scams, right? You can see that there is a collection of IOCs over here. I'm not gonna get into the details of those, but essentially you can see that it's about luring people in, and they're using very sophisticated content mechanisms to build trust. Sometimes they get people to buy crypto. Sometimes they get people to actually give them information. And believe it or not, they have those schemes in which you send a particular amount of money, and the promise is to actually give it back to you doubled. So people are actually being lured by these kinds of sophisticated attacks. Gaming and engagement lures: this is quite sophisticated, in the sense that they even created a deepfake conversation between Elon and Trump in which they would be supposedly resolving their feud live in a conversation. Complete deepfake. And that was one of the mechanisms by which they drive traffic, and then they get people to click and do things. Even games: they published games in which, you know, Elon and Trump were fighting one another. There are also betting mechanisms involved in here, and merchandise shops, so you could buy a t-shirt that celebrates the event.

Now, kind of starting our moment of wrapping up, and then we're gonna get to questions, and then we're also gonna get to the giveaway. This is a little bit of a summary of everything that we spoke of today. I'm gonna talk about the attacker profiles that we are seeing for these attacks. First, I would like to tell you which kinds of attackers are not at play here. So we do not have any APTs. We do not have any nation-state actors acting in here.
It's essentially not their cup of tea. Their cup of tea is to build infrastructure that is going to stay hidden. Their cup of tea is stealing IP and trade secrets. Their main goal is to stay hidden. These situations of disasters or newsworthy materials are not where they thrive. So you're not going to be finding them here, but you're going to be finding opportunistic people out there that are gonna be deploying a few of the tactics that we mentioned today, right? They're looking for financial gain via donations. They're looking for crypto, selling crypto. They're looking to harvest your personal information. And they thrive on creating content using AI and other tools that are gonna be deceiving people, such as through sympathy. Or in the case of crypto,
you're gonna be seeing that they're exploiting the fear of missing out, and even the volatility of the fake crypto that they have created. So people see the crypto gaining value over the hours and people think that it is a great idea to jump into those. And believe it or not, those are the same levers that I have used to keep you here until the end for the Grogu giveaway. Your fear of missing out: what if somebody else gets Grogu? Or even your sympathy: Grogu is a little bit of a public figure and widely recognized. So my key message for you today is that besides all these technical aspects of finding out about attacks, these are human levers in our psychology, right? We shouldn't
be playing this on the victims. This is actually about some criminals out there. And the difference between what you do with these things is quite narrow, right? So I can use the same FOMO and the same, you know, appeal, and I can actually truly give away something to you, right? Or I can take something from you, which is definitely not my goal. So, in keeping in line with everything, we're gonna be, you know, before we proceed with the giveaway, I wanted to check in with you. Do you have any questions or any comments?

Great talk, thank you. Is there a way to measure, is there a way for you to measure how successful these campaigns are? But with money, do people afford they've been a victim?
We do not have that information. It's usually hard unless you can see, like, you know, the crypto scams, which are a little bit more visible because we do have tracking associated with them. Other than that, maybe we can measure traffic to certain websites using some tools, right? But, you know, can we actually establish average order value on a merchandise shop like this? Maybe we can do some proxies. And that is such a great idea. I really appreciate you sharing that. I'm going to be taking and sharing that with the team as well.
We do not know exactly. Well, sometimes we actually know, but I don't think that we have a detailed, you know, what kind of information is collected. And, you know, from the information that is collected, we would be able to get a range of ideas about what they're doing with that, right? But definitely, you know, name and address information. They may be actually storing that for future usage. I don't know if you know this, but our social security information is out there big time, right? For someone that already has a database and they wanna get updated information, that becomes, you know, a way of exploiting that. And of course, credit cards.
You showed us the Kickstarter for the LA fire. You showed that the photo that they used was a photo that had been taken from someone's Instagram from years ago. What are some other indicators of a fake Kickstarter?

Yeah, actually GoFundMe, right? That is the website, not Kickstarter. Right. So GoFundMe campaigns, indicators: reused content. Also, when they were established, how legit the registration looks, and who the person handling those campaigns is. Those are the key indicators that we're using for the GoFundMe campaigns.
When there's only a couple dozen of these, but two or 60 of them, how many are being done by one threat actor pumping out 20 different scam sites versus 20 different?

It really depends. So in the process, the triangle that I showed you in coming up with these threat reports, one of the things that you see, as much as we're collecting DNS information, we're also using the registration information to pivot and see all the registrations that pertain to a particular registrant that seems like a threat actor. That being said, sometimes it could be one or two, sometimes it could be a couple dozen. Usually it doesn't get into the hundreds unless they're using DGAs.

So if
like for funsies, someone wanted to try and do an investigation of their own at home, are there any open source tools that you could recommend? Like...

There is a bunch of, so we're using Elasticsearch and getting all this information from these sources. Remember, I mentioned to you zone files, CT logs, passive DNS. We're condensing all of that in a database and using Elasticsearch to actually query that. Again, thousands and thousands of domains. Then we're using tools to actually augment that with Whois information. You have a few free tools available out there. I do not know from the top of my head right now, and I do not want to give away a name that I haven't vetted, right? But we can definitely follow up on that
one. We do have a recommendation for the Whois tools that you can use. The challenge in doing this kind of work is that you need a little bit of an infrastructure. Maybe you're going to be able to do a little bit less by just using public sources or leveraging other systems. In the interest of time, I'm gonna, you know, I'm gonna, I can take more questions later, but I wanna proceed with the giveaway, right? So how this is gonna work is that we're gonna go together to the, we're gonna go to the app, Sordios, and we're gonna be feeding here the link to the post. And from there, we're gonna actually pick a winner. Let's see how many posts we have there.
The name is not working. That is a bummer. I made fun of my entire team because of the names that were given by that web page. And I even had a name myself. You know, he had a cleanse. Right, so the person that I was going to call here, I was going to ask, you know, what's your clan name? And then we're going to be asking, oh hey, clan, what do you say, right? And people would be saying, this is the way, right? But no, that is not going to happen anymore. We're gonna get this thing to work though. We're gonna get you going in a second here.
All right, people, so this is not working, but I'm definitely not taking Grogu home. Somebody from this room is taking Grogu home, right? So I'm going to think of a number between one and 50. I'm going to go around and I'm going to ask you, you know, can we agree that this is the best way for us to do this in the interest of time? Thank you. I appreciate that. Numbers between one and 50. No.
No. 32. Nope. 43. Nope. 47. Nope. 9. No. 15. Nope. 7.
Nope. 35. No. 22. No. 26. No. 25. No. No. 37. Nope. 26. Nope. 22. Nope. 17? No. 3, 5.
No. 1? No. 21? No. 2? No. 46? No. 42? No. 3? You got it!