September 3rd, 2018
A little while ago, a client called me in to do a security operations ‘best practices’ education session. They were a dot com site that had recently spun off from one of the major financials. They had not yet laid down their sec ops roots and were still engaged in establishing the fundamentals. They wanted an informal education session to get the entire team on the same page.
Their conference room was packed with their security team as well as several people from their operations center, which I had requested. In many instances, the ops team is on the front line and often identifies and conducts the initial steps in handling security incidents.
At some point during the session, I started to talk about scammers. One trick that malicious people use is to acquire domain names that are similar to the site they are targeting. Since the client was a financial company and their site contained personal information for hundreds of thousands of consumers, it was an attractive target. I first recommended they acquire or actively monitor all sound-alike and similar domains. For example, if their domain name is jacks.com, they should acquire or monitor jax.com and jaks.com.
Second, I recommended that all permutations of domains that could be mis-typed by users should be acquired or monitored as well; specifically, any combination of surrounding characters on the keyboard for each letter that makes up their domain name. For example, if their domain name is abc.com, they should monitor domains where the ‘A’ in abc.com is replaced with S, X, Z, W, and Q. If a company wanted to take it a step further, they would cover the immediate two surrounding characters on the keyboard as well. Should users mistype, which they often do, they should not be directed to a look-alike site to which they would innocently offer their credentials.
Third, I suggested that the plural version of the words included in their domain name should be acquired and monitored. As I was making this third point, I typed in the plural of their domain name – and their site showed up. I thought I had made a typo, that through muscle memory I had entered in their correct domain name. I double checked, and I had typed exactly what I intended to type – the incorrect, plural variant.
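The three checks above (sound-alike spellings, keyboard-adjacent typos with an optional second ring, and plural forms) can be turned into a candidate list to feed a registrar or a domain-monitoring service. The following is an added example and not code from the original post or from Acreto; the QWERTY adjacency table and the small sound-alike substitution table are assumptions, chosen so that the post's own examples (abc.com and jacks.com) come out as described.

```python
"""Candidate look-alike domains to register or monitor (added example).

Three generators, one per check in the post: keyboard-adjacent typos,
sound-alike spellings and plural forms. The adjacency table and the
sound-alike substitution table are assumptions, not the post's data.
"""

# Assumed QWERTY neighbours; 'a' follows the post's example (S, X, Z, W, Q).
ADJACENT = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy",
    "y": "tghu", "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsxz", "s": "qweadzx", "d": "wersfxc", "f": "ertdgcv",
    "g": "rtyfhvb", "h": "tyugjbn", "j": "yuihknm", "k": "uiojlm", "l": "iopk",
    "z": "asx", "x": "zasdc", "c": "xsdfv", "v": "cdfgb", "b": "vfghn",
    "n": "bghjm", "m": "njk",
}

# Assumed sound-alike substitutions; the first two turn jacks -> jax / jaks.
SOUND_ALIKE = [("cks", "x"), ("cks", "ks"), ("ck", "k"), ("ph", "f"), ("qu", "kw")]


def _split(domain):
    """Split 'label.tld' into its two parts (single-label domains assumed)."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def keyboard_typos(domain, radius=1):
    """Replace each letter with every key within `radius` key-steps of it.

    radius=1 is the post's first ring of surrounding keys; radius=2 is the
    'step further' that also covers the neighbours' neighbours.
    """
    label, tld = _split(domain)
    out = set()
    for i, ch in enumerate(label):
        if ch not in ADJACENT:
            continue  # digits and hyphens have no keyboard ring in this table
        # Breadth-first walk over the adjacency table, `radius` steps out.
        seen, frontier = {ch}, {ch}
        for _ in range(radius):
            frontier = {n for key in frontier for n in ADJACENT[key]} - seen
            seen |= frontier
        for alt in seen - {ch}:
            out.add(f"{label[:i]}{alt}{label[i + 1:]}.{tld}")
    return sorted(out)


def sound_alikes(domain):
    """Apply each substitution to produce phonetically similar labels."""
    label, tld = _split(domain)
    return sorted({f"{label.replace(pat, rep)}.{tld}"
                   for pat, rep in SOUND_ALIKE if pat in label})


def plurals(domain):
    """Plural form of the label (English rule of thumb: -es after s/x/z/ch/sh)."""
    label, tld = _split(domain)
    suffix = "es" if label.endswith(("s", "x", "z", "ch", "sh")) else "s"
    return [f"{label}{suffix}.{tld}"]


def candidates(domain, radius=1):
    """All variants worth registering or watching, never including the original."""
    found = (set(keyboard_typos(domain, radius))
             | set(sound_alikes(domain))
             | set(plurals(domain)))
    found.discard(domain.lower())
    return sorted(found)


if __name__ == "__main__":
    for d in candidates("jacks.com"):
        print(d)
```

The list grows quickly with `radius=2`, so in practice the output is checked against a registrar's availability lookup and the already-registered hits are watched (DNS resolution, certificate transparency, content similarity) rather than all of them being bought.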
I was impressed. I thought to myself that they were ahead of me and had already acquired the plural domain and redirected it to their site. “Smart! You guys already got this?” I said to the group. I looked around the room and saw confused expressions all around. Finally, someone said, “I don’t think that we did – I’m pretty sure we didn’t.”
After a dig on the Fully Qualified Domain Name (FQDN) and an MTR (a better traceroute), it became clear that the site was not theirs. It looked exactly like their site, including the login page. However, it was not using their IP block nor any of their ISPs. It traced back to Las Vegas, Nevada.
Needless to say, the training session abruptly ended and became a real-life incident response. The organization’s executives, their general counsel, all security team members, and all IT managers and above joined an emergency meeting in the conference room. Anyone not on-site joined via conference bridge.
During the meeting, their sharp help-desk manager offered that he had seen an increase in the number of calls for password reset requests in the past two weeks. We started connecting the dots.
We came away from the meeting with several action items:
- We needed to determine if there was a compromise, and if so, how many users it impacted and its duration.
- The help-desk team set out to cross-correlate password reset support calls with the date/time of failed authentication logins in their logs.
- They would identify any users who called for a password reset who had no corresponding failed login attempts in the logs. There were roughly a dozen, dating back only two weeks.
- The help-desk team contacted these users and established completely new identities for them.
- My team was to implement an emergency infrastructure should the malicious person attempt to use the stolen identities.
- I reached out to my contacts in the FBI cyber-crime team and reported the issue, and Agent Brown from the New York cybercrimes team was assigned to our case.
- We contacted a law firm with experience in cyber crimes along with the organization’s retained counsel.
- The legal team started to outline a notice as was required by compliance in preparation, should notifications be necessary.
After this, my team members and I set out to execute on a plan to identify and catch the person.
First, a honeypot. The compromised user credentials correlated by the help-desk were redirected to a training system that looked and functioned just like their application but contained dummy data. With this in place, the risk of any (more?) data theft, manipulation or deletion was mitigated.
Then, we implemented a high-performance packet capture system using a powerful server, a hardware-offloading network interface and several open-source tools to collect all communications from the malicious person or people. We made sure that the packet capture system was implemented and operated to proper evidentiary chain-of-custody standards.
Finally, we configured the units to send us text messages as soon as any of the compromised accounts were accessed.
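Two of the steps above are mechanical enough to show in code: the help-desk correlation from the action-item list (reset calls with no matching failed login on the real site) and the alert on any access to the accounts that were pointed at the honeypot. The following is an added example, not the client's tooling or Acreto's code; the auth log format, the ticket records and every user name and address in it are constructed for the example.

```python
"""Correlating help-desk reset calls with auth logs, and alerting on
watch-listed accounts (added example).

All log lines, ticket records and field names below are constructed for
this example; the post does not show the client's log format.
"""
from datetime import datetime, timedelta
import re

# Constructed auth log in an assumed 'user=... result=... src=...' format.
AUTH_LOG = """\
2018-08-20 08:55:02 web1 auth: user=alice result=FAIL src=203.0.113.5
2018-08-20 08:56:40 web1 auth: user=alice result=FAIL src=203.0.113.5
2018-08-20 08:57:11 web1 auth: user=alice result=OK src=203.0.113.5
2018-08-21 13:59:30 web2 auth: user=bob result=OK src=198.51.100.9
2018-08-22 10:40:00 web1 auth: user=dave result=FAIL src=192.0.2.77
2018-08-23 03:01:15 web2 auth: user=bob result=OK src=198.51.100.42
"""

# Constructed help-desk records: (user, time of the password-reset call).
RESET_CALLS = [
    ("alice", "2018-08-20 09:12"),
    ("bob", "2018-08-21 14:03"),
    ("carol", "2018-08-22 10:47"),
]

LINE_RE = re.compile(r"^(\S+ \S+) \S+ auth: user=(\S+) result=(\S+) src=(\S+)")


def parse_auth_log(text):
    """Return (user, result, timestamp, src) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((m.group(2), m.group(3), ts, m.group(4)))
    return events


def resets_without_failed_logins(calls, events, window_hours=48):
    """Users who phoned for a reset with no FAIL on the real site in the preceding window.

    A genuinely locked-out user normally leaves failed attempts on the real
    site first; a reset call with none suggests the credentials were typed
    somewhere else, such as a look-alike login page.
    """
    window = timedelta(hours=window_hours)
    fails = {}
    for user, result, ts, _src in events:
        if result == "FAIL":
            fails.setdefault(user, []).append(ts)
    suspicious = []
    for user, call in calls:
        call_ts = datetime.strptime(call, "%Y-%m-%d %H:%M")
        if not any(call_ts - window <= t <= call_ts for t in fails.get(user, [])):
            suspicious.append(user)
    return suspicious


def watchlist_hits(events, watchlist, since):
    """Successful logins on watch-listed accounts at or after `since`.

    Once those accounts are redirected to the honeypot, each hit is the event
    that should page the responders (the post's text-message alert).
    """
    since_ts = datetime.strptime(since, "%Y-%m-%d %H:%M")
    return [(user, ts.isoformat(), src)
            for user, result, ts, src in events
            if user in watchlist and result == "OK" and ts >= since_ts]


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    flagged = resets_without_failed_logins(RESET_CALLS, events)
    print("reset calls without a failed login:", flagged)
    print("honeypot hits:", watchlist_hits(events, set(flagged), "2018-08-22 00:00"))
```

The window is the knob that matters: too short and a user who struggled the day before is flagged, too long and a coincidental old failure hides a real case, so it is worth running the correlation at a couple of widths and reviewing the difference by hand before contacting users.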
We were finally ready to track the malicious people.
In less than forty-eight hours we architected, acquired the highly specialized equipment required, and configured and tested the infrastructure. I then set out to document everything, including the operations runbook for these new systems, which included evidentiary chain of custody handling of any evidence collected.
I personally spent nearly seventy-two hours straight at the customer’s data center, hopped up on adrenaline and coffee. It’s rare to catch hackers and scammers, and I felt strongly that we had a good chance of doing so in this case.
In the meantime, the FBI requested and received a subpoena for the IP address of the server as well as the domain name registrar. Fortunately, the ISP provided the physical address associated with the identified IP address quickly.
Agent Brown called the FBI field office in Nevada and requested agents drive by and visualize the address location. A few hours later we received information that the address was actually a car dealership. The FBI agents in Nevada managed to trace the ISP connection to the basement of the dealership. When they inquired about the Internet connection, the dealership informed them that the basement was rented to another party who was hardly ever there.
Technically, the malicious people had not done anything substantially criminal. So between the customer, the FBI and my team we decided to hang back and wait for the malicious people to attempt access to the customer system, and more importantly, to download personal identity information. There was no risk to any of the site users since the data the malicious people would access was made up training data.
We didn’t have to wait long. At 3:00am the following morning my phone started buzzing with alerts. I quickly logged on to see what had transpired. Jackpot! The malicious people had logged on under three different accounts and had systematically accessed multiple identities before generating a report that can only be described as an identity theft starter kit.
A quick check showed a Canadian IP address as the source. Every packet of the communications was collected and logged. We had all that was required to completely recreate and replay the malicious people’s entire effort.
The session was short. It had only lasted 15 minutes. But it was all that was necessary. There were no other attempts that day.
Early the following morning, we contacted Agent Brown and the cybercrime task force supervisor and arranged for collection of the evidence. During the call we also determined our next course of action.
The FBI could have reached out to the Canadian authorities, but thought it best to try to lure the person to the US.
The plan was that the FBI would get a court order to confiscate the computer in Las Vegas. If they spotted cameras they would simply disconnect the Internet connection at the Network Terminal outside the building.
And then – the FBI surprised us. They had a person of interest in the case. They did not share many details about how they found this person of interest. Our best guess is that the person had been on the FBI’s radar, and had somehow been associated with the stolen identity which was used to fraudulently pay for the acquired domain name and the Las Vegas basement housing the computer.
If all went as planned, the malicious person would think there was a technical issue and come to fix it.
Later that morning FBI Agent Brown came to our offices and we held an evidence hand-off ceremony. The next day we noticed that the scam site had gone down. Now there was not much else for us to do but wait.
All was quiet for a while and life started to resume normalcy. Two weeks later we got word that there had been an arrest!
It was a Russian national who, a few days after the site had gone down, had flown to Canada and from Canada to Las Vegas. He was arrested at the airport port of entry. Apparently, when presented with the evidence he made a plea bargain and soon after pleaded guilty at the hearing.
The team’s dedication, professionalism and expertise drove this incident’s success. Both the customer and my team operated flawlessly together, and the FBI came through in a big way. At a time when hackers attack indiscriminately, it felt great to catch one and snag a win for the good guys.
Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world.