Murder Board Blog Series: Chapter 3 – Serial Hackers: Organized Crime or Grand Theft Data
Motivations and Motifs of the “Cosa Data”
Elevate data to a valuable commodity and it gets automatically traded, hoarded, stolen and counterfeited. We can use digital processes both legally and illegally, just like the economy in the physical world. However, cyber crime is about much more than data. Accounts with certain privileges also represent value because they act as a multiplier. For example, a simple e-mail account with stored contacts (address book or even the contact data in existing e-mails). This has several properties at once: Identity, trust and an archive of messages. The archive can be searched directly for valuable data. The identity can be used for fraud with the help of the trust of the contacts to get further access to more accounts and data.
Motivation is—on balance—always something like a benefit or profit. Data sold directly has an immediate benefit.
More often, data is obtained in several steps.
Methods: Organized and Neat
The organization in digital crime follows analog models. There are service providers for all roles and stations that are necessary. You will find everything that you would find in a well-established company. There are technicians, marketing, a helpdesk for victims (with extortion software—yes, indeed!), notaries, traders, security experts, banking and whatever else they need in business. This structure implies the procedure and preparation of operations. Something like dramaturgically prepared scenes, where within a few minutes of hectic keyboard strokes entire IT systems are riddled with holes, exists only on television or in imaginary books. Reality is much simpler and very routine.
Values of the Shadow Economy
The shadow world is full of service providers offering their respective expertise. This results in an accurate reflection of the legal economy. Opportunities for business arise from the collaborations. Fraud campaigns collect data from victims via email sends. This data is compiled into databases. These go to refiners, who refine the raw data through verification and classification. By the way, you don’t even have to click a link in an email for your email address to be added to the convolute. Emails often contain “tracking pixels” and it is enough to open (or preview) the email to trigger tracking and report to the sender that this email has been opened. So, just by viewing the email, one confirms it is a real and active email address that can be resold. This increases the value of the individual records. The goods prepared in this way are then passed on to traders who offer the products on marketplaces. There, besides the traders and buyers, there are notaries and payment service providers (up to and including banks and money launderers), who ensure that the transactions are processed securely. One crow may not peck out another’s eye, but it’s better to be safe than sorry. After all, you probably don’t know each other.
The usual suspects
Or maybe they know each other. The usual suspects. Like the 30 to 80 people on Catherine Miller’s watch list. She surfs the usual sites day in, day out, monitoring the offers and the people offering them. Nicknames are always changing, and people are constantly joining or dropping out. But the “hard core” is always there, under some name or another. For most of her job, she doesn’t even have to start the Tor browser, most of it happens on the regular Internet. Among the newcomers, there is an “ldra002” since last month. Seems to be quite active. She puts the name on her list.
00 Prequel (German / English)
01 Chapter 01: Traces (German / English)
02 Chapter 02: Investigations (German / English)
03 Chapter 03: Serial Hackers (German / English)
04 Chapter 04: State Hacking (German / English)
Klaudia’s blog has also the German versions of the articles.
Our presentation at #pw20 (in German) can be found here: https://media.ccc.de/v/pw20-367-murderboard-wo-krimi-privatsphre-und-it-sicherheit-zusammenkommen
Pingback: Murder Blog Series: Chapter 2 - Investigations | DeepSec In-Depth Security Conference