How to catch an Internet cyber thief
Devoted cyber sleuths are fighting industrial espionage and botnets
They're out there, say security researchers: the Chinese hackers attempting to break into U.S. enterprises, and jihadist terrorists who brazenly post videos of sniper killings while stealing credit cards to launder money for funding campaigns in Mideast or Caucasus hot spots.
It's just a matter of finding them, and Dell SecureWorks researcher Joe Stewart described at the RSA Conference this week how he caught one by laboriously collecting information related to a Chinese hacker. He calls the incident the "Sin Digoo Affair" after the misspelling of San Diego that he saw over and over again in Internet domain registrations filed under the fake name "Tawnya Grilth." That recurring misspelling was just one clue; he followed many others, such as malware signatures, in his quest to track down the attacker behind a case of industrial espionage and botnets.
"We know we have a set of domains exclusively used for espionage activity," says Stewart. After months of sleuthing, Stewart managed to link the email jeno_1980@hotmail.com used to register those domains to a multitude of other clues, following a trail that led him to believe "Tawnya" is a Chinese hacker who is probably part of a group promoting SocialUp.net, a site that accepts payment, including PayPal, for delivering "artificial likes, often through bots" so people can get promoted on Facebook.
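The core of the technique described above is pivoting: starting from a few domains known to be used for espionage, find other domains whose registration records share the same artifacts (a registrant e-mail, a contact name, a recurring misspelling such as "Sin Digoo"), and keep expanding until the cluster stops growing. The script below is an added illustration of that pivot, not Dell SecureWorks' tooling and not Stewart's data: every domain, e-mail address and nameserver in it is constructed, and the pivot weights and link threshold are this example's assumptions. It also shows the caveat a practitioner cares about, namely that a weak pivot such as a shared bulk-registrar nameserver will drag innocent bystanders into the cluster if the threshold is set too low.

```python
"""Pivoting on shared registration artifacts to expand a set of known-bad domains.

Added illustration, not Dell SecureWorks' tooling or Stewart's data. The records
below are constructed: the domains, e-mail addresses and nameservers are made
up; the recurring registrant name and the "Sin Digoo" misspelling are used as
pivot values only because those are the clues the article describes.
"""
from collections import defaultdict
from itertools import combinations

# Assumed pivot weights. A shared registrant e-mail is the strongest link; a
# shared nameserver is the weakest, because bulk registrars park thousands of
# unrelated domains on the same servers; a misspelled city on its own is a hint.
PIVOT_WEIGHT = {"email": 3, "name": 2, "city": 1, "ns": 1}
LINK_THRESHOLD = 2  # minimum summed weight before two records are linked

# Constructed WHOIS-style records (hypothetical domains and registrants).
RECORDS = [
    {"domain": "seed-espionage-1.example", "email": "rx9@mail.example",
     "name": "T. Grilth", "city": "Sin Digoo", "ns": "ns1.bulkdns.example"},
    {"domain": "seed-espionage-2.example", "email": "rx9@mail.example",
     "name": "Tawnya Grilth", "city": "Sin Digoo", "ns": "ns1.bulkdns.example"},
    {"domain": "likes-shop.example", "email": "promo@mail.example",
     "name": "Tawnya Grilth", "city": "Sin Digoo", "ns": "ns7.bulkdns.example"},
    {"domain": "bystander-blog.example", "email": "blogger@mail.example",
     "name": "Pat Lee", "city": "San Diego", "ns": "ns1.bulkdns.example"},
    {"domain": "unrelated-shop.example", "email": "shop@mail.example",
     "name": "Kim Park", "city": "Seoul", "ns": "ns2.other.example"},
]


def normalize(value):
    """Case-fold and collapse whitespace so trivial formatting differences don't hide a match."""
    return " ".join(value.lower().split())


def shared_pivots(a, b):
    """Return the pivot fields two records agree on, in PIVOT_WEIGHT order."""
    return [f for f in PIVOT_WEIGHT
            if f in a and f in b and normalize(a[f]) == normalize(b[f])]


def link_score(a, b):
    """Summed weight of the pivots two records share."""
    return sum(PIVOT_WEIGHT[f] for f in shared_pivots(a, b))


def cluster(records, threshold=LINK_THRESHOLD):
    """Union-find over records: link every pair whose shared pivots reach the threshold.

    Returns a sorted list of clusters, each a sorted list of domain names.
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(records, 2):
        if link_score(a, b) >= threshold:
            parent[find(a["domain"])] = find(b["domain"])

    groups = defaultdict(list)
    for r in records:
        groups[find(r["domain"])].append(r["domain"])
    return sorted(sorted(g) for g in groups.values())


def expand_from_seeds(records, seeds, threshold=LINK_THRESHOLD):
    """Return {domain: pivot fields} for every non-seed domain that clusters with a seed.

    The fields listed are the evidence: the pivots that domain shares with some
    other cluster member at or above the link threshold.
    """
    by_domain = {r["domain"]: r for r in records}
    evidence = {}
    for group in cluster(records, threshold):
        if not any(d in seeds for d in group):
            continue
        for d in group:
            if d in seeds:
                continue
            fields = set()
            for other in group:
                if other != d and link_score(by_domain[d], by_domain[other]) >= threshold:
                    fields.update(shared_pivots(by_domain[d], by_domain[other]))
            evidence[d] = sorted(fields)
    return evidence


if __name__ == "__main__":
    seeds = {"seed-espionage-1.example", "seed-espionage-2.example"}
    print("clusters:", cluster(RECORDS))
    print("linked to seeds:", expand_from_seeds(RECORDS, seeds))
    # Lowering the threshold to 1 lets the shared bulk nameserver pull the
    # bystander blog into the espionage cluster: a false positive.
    print("threshold=1:", cluster(RECORDS, threshold=1))
```

With the default threshold the two seed domains and the "likes" shop cluster together (the shop shares the registrant name and the misspelled city with one seed), while the blog that merely sits on the same bulk nameserver stays out; at a threshold of 1 that blog is absorbed, which is why a single weak pivot should never be enough to attribute a domain on its own.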
Tracing this laboriously amassed evidence, including known Chinese hacker websites, Stewart thinks he has identified the espionage hacker he set out to find by his real Chinese name. That name, which has not been disclosed publicly, and what's known about him have been turned over to the FBI, though the prospects for any meaningful prosecution of espionage activity conducted through China may at the moment be slim. Still, Stewart wants to make the point that criminal activity related to bots can be investigated, though he emphasizes that what he's found is simply evidence of an individual's activity.
Another session at RSA covered what jihadist extremists are doing today on the Web and how they launder money for terrorist causes. Mikko Hypponen, chief research officer at F-Secure, says he spent time combing the Internet for evidence of what extremists, mostly Arabic-speaking but also Chechens from the Caucasus who have carried out terrorist attacks on Russian civilian targets, are doing in terms of sophisticated use of technology online.
"My first impression is high-tech terrorists don't exist," said Hypponen in a media briefing today. But after considerable online research, his opinion has changed. He has found evidence of growing interest in technology, encryption and hacking in online jihadist publications, which now include topics ranging from an "Open Source Jihad" section to "Technical Mujahaden," which explains how to hide files using rootkits and steganography. He said he has also analyzed what he thinks are probably British intelligence counter-efforts: trojanized fake versions of these publications which, once downloaded, would allow monitoring of possible terrorist activity on whatever computer received them.
One of the biggest cases linking Islamic terrorists to high-tech operations such as stealing credit cards through botnets that controlled thousands of victims' computers was that of London-based Tariq Al-Daour, sentenced a number of years ago after his gang was caught playing at the Absolute Poker site with stolen credit cards, mainly to launder $3.5 million through poker games, says Hypponen. He spent the money he stole on satellite phones, sleeping bags and a lot of other gear he sent to support terrorist activity connected to Al Qaeda. He paid a Russian to build his software, Hypponen noted.
The situation today with extremist groups using high-tech hacking and bots "isn't out of hand," Hypponen says. But there's mounting evidence that extremist groups are increasingly interested in high tech, writing in their slick multimedia online publications about Apache, PGP, Nmap, and creating their own public crypto keys, right alongside instructions for bomb-building. He says it may be time to pay more attention to it.
Ellen
Messmer is senior editor at Network World, an IDG publication and
website, where she covers news and technology trends related to
information security.
source: http://www.infoworld.com/d/security/how-catch-internet-cyber-thief-187741?page=0,0