Murder Blog Series: Chapter 2 – Investigations

Sanna/ April 30, 2021/ Stories

Letters as Windows to the World

When young people discover the world, they are often happy to receive mail. Who doesn’t like it when others think of you? Once the love letters from the crush have undergone the metamorphosis into heartless letters with windows, we realize: Money rules their content, just like in this story.

Leon has a habit. When walking back from the mailbox, he likes to feel the meaning of the contents of letters with his fingers. Here, it’s the letter with the credit card bill. And it has grown to several meaty millimeters. Leon hopes for a change in the terms and conditions. However, after opening it, it turns out that, unfortunately, it is a list of payments. He can barely remember the individual items. There are just too many—and most of them are not from him! In the column of numbers, various amounts have lined up and marched in lockstep to the total. He knows neither the items nor the companies that he supposedly paid. Slowly, his composure returns. Leon searches his wallet, but all the cards are still there. Then he reaches for the phone and has the credit card blocked.

Over the next few days, Leon is pretty busy applying for a new credit card and canceling payments. Besides his studies and his part-time job, this eats up a hell of a lot of time and nerves. Especially the latter. Two resources that are finite for all of us and, in Leon’s case, would have been better spent elsewhere.
What happened to him?

Accounts and Cards

The answer to this question begins with the use of the credit card. In the analog world, you know when you used the card, where, and for what purpose. Often, that’s manageable and tied to geographic locations. Digitally, this becomes more difficult because online merchants often offer the option of storing credit card details in user accounts. This automatically ties the card to the access data of these accounts: whoever is logged in can make payments from this platform. In most cases, online accounts require a login and a password, and under some circumstances, an e-mail address serves as the login. In contrast to the physical credit card, one must now clarify which online account handled a payment. Was the online portal compromised? Was the password too weak? Or did someone gain access to the e-mail account?

In Leon’s case, several possibilities are conceivable. Affected accounts may have become part of a data leak. With bad luck, the platforms that “lost” the data don’t know about it yet, so they can’t investigate the matter. Another possibility is malware on the devices that were used. Resourceful malicious code searches systems for stored account credentials, browser history, documents and other usable data. These are smuggled out and analyzed in the attackers’ command centers. Usually, there are entire campaigns behind such attacks, which are well prepared and organized.

Social Media Alter Ego

Social media postings move the world, especially when ex-presidents tweet. You know your own timelines. Some people look for trustworthy sources, follow them, and in this way have created human filters for information that are supposed to control the daily flow of facts. Trust forms networks.

The cell phone rings. Leon picks up.
“Are you completely stupid now? Why do you post such nonsense! I hope you’re drunk!”, it comes at him without a greeting. Several minutes of incomprehension follow and cannot be cleared up. He simply hangs up. After the third call, the picture forms. According to his friends, his Twitter account has published things that were racist and not suitable for minors. He immediately sets out to find the cause, but realizes that his login no longer works.
This incident is not fiction and has happened to many people. Chains of trust in social networks are worthwhile targets, especially when a real-name requirement still leads to public identification. Account credentials are usually compromised through theft. Malware looks for active accounts to grant access to third parties. Leon’s example is still a harmless case, albeit very embarrassing for him as the affected party. It’s not just about public messages, but also about direct communication (so-called “direct messages” on Twitter, Instagram, Mastodon or similar). How are Leon or I supposed to know if someone is reading along?

Many providers report when the last login is not plausible. Some always report when you logged in, with which device, and from where (geographically or network-wise). This only helps if you also take note of this information so that irregularities become visible. We usually recommend so-called two-factor authentication (2FA). Here, the login needs a second channel that provides a code for verification. This can be a classic SMS. But there are also code generators that deliver time-based numbers that change every minute. The generator is seeded with a secret value that is also stored in the respective online account. If someone steals the access data, the second factor is (hopefully) missing and the other person still cannot log in, even though they could capture the login and password.

Leon didn’t have 2FA for his Twitter account. Until that day, he thought it was only for privacy fanatics and people who had something to hide.

Treasures of the Networks

Most of the time, everything revolves around money. In the digital world, however, other aspects come into play. Goods and monetary assets are more diverse. Valid bank accounts, credit cards, access to e-mail accounts or similar resources such as social media profiles indirectly represent assets that are stolen and traded. The picture of such incidents gets distorted in the process. After all, we humans like to think, “Why are they after me?” or “I’m far too uninteresting for them”. But that’s not always the point. You also become a target if you have resources that are interesting. Genuine e-mail accounts are popular as senders, of course, because they increase the credibility of a fake e-mail. Even access to websites is a sought-after commodity because the criminals can store data for their actions there, or on the web servers behind the website. It recently happened to an acquaintance that his blog was used to distribute Emotet. The file with the malicious software was put on his server, and from all over the world the file was retrieved via phishing mails and downloaded to the computers of people who had clicked the link in the e-mail. All because of an outdated plugin in the WordPress installation he uses to run his blog.

Automation multiplies the added value. Many a scam e-mail may have caused amusement or amazement. But if only a fraction of a percent of millions of e-mails fall for the scam, then the bottom line doesn’t look bad at all. The download count of the Emotet file bears this out. The same applies to the other areas. Of course, we can block stolen credit cards and change account passwords. But to do that, the theft has to be noticed first. In the digital world, data is not simply “gone” or “disappeared”; it is copied, which means that unauthorized access is not noticed immediately. It only becomes noticeable when the copied access data is actively used. And that can be an unknown number of others who retrieved the data from wherever and are now using it.

“Follow the money” is therefore still valid. Cui bono? The concept just has to be extended to other kinds of value.

Virtual Motives

Besides money and revenge, there are other motivations for digitized criminals. One factor that is difficult to accept is simply resources. This also means computing power. Anything that has access to the Internet and can execute code is a target. It becomes even more interesting if it is poorly secured or barely monitored. Almost anything called “IoT” (“Internet of Things,” networked things like toothbrushes, cameras, coffee makers, heating thermostats or bathroom scales, etc.) falls into this category. Another good example is an old computer (or smartphone). It may also be a server, whether in the cloud or self-operated. Old is relative; it is enough that it runs software without security updates, while the physical thing itself can be brand new (IoT). If the system has storage space, can run programs, and may use the Internet, it’s interesting because it can serve as a springboard for further actions.
This approach allows attackers to disguise the origin of attacks. The origin is rarely the direct source of incidents. For those affected, of course, it is no consolation to be bycatch.
For investigations, it is important to establish relationships. Is a victim the actual target, a means to an end, or a deliberate deception? Occasionally, false leads are laid in order to steer the attribution of the perpetrators in a certain direction.


Catherine Miller is a police officer. Cybersecurity department, the people with the fast Internet connections and the pre-installed Tor browser for investigations in the so-called darknet. For some time now, one name has been coming up in her mind again and again: Leon Dragic. Catherine is still not sure whether he is the victim or rather the perpetrator. It would be a lot of chutzpah if he had rented all the servers from which malware spreads on the net under his real name. But it wouldn’t be the first time a guy thought he was invulnerable or untraceable. So far, she’s gotten them all. Some just took longer. And the list of notes on Leon is slowly but surely getting longer.

The Red Thread

A common thread in motives is benefit. What is the benefit of a compromised system or account? This is not the same question as “cui bono?”. Rather, it is the question of what use a compromised system is to an attacker, for example for obfuscation. What is the benefit of a system itself? What can it see, i.e. what does it have access to? With IoT devices, a coffee machine might see a lot of other devices on the same network, or what data is going over that network. It may also see cell phones that are not logged into the same Wi-Fi, but are communicating with the coffee machine via the Bluetooth interface. And depending on what else the marketing agency that built the app for the coffee machine needs for “marketing purposes”, it may also see the phone book on the cell phone, the photos, data from other apps stored on the SD card, and perhaps the data from the device’s sensors such as the accelerometer or position sensor.

The thought of visibility and access inevitably leads to chains of trust, which are also a target. Friends of friends are always interesting because they trust each other. Attackers use this for e-mail or even SMS scams in all shapes and colors. Plausible senders lend messages credibility. The damage is only worse when attackers have full access to other accounts.

00 Prequel (German / English)
01 Chapter 01: Traces (German / English)
02 Chapter 02: Investigations (German / English)
03 Chapter 03: Serial Hackers (German / English)
04 Chapter 04: State Hacking (German / English)

Klaudia’s blog has also the German versions of the articles.

Our presentation at #pw20 (in German) can be found here:
