Mapping criminal infrastructures from “patient zero” using Whois
David Piscitello, Interisle Consulting Group
Massive data breaches – e.g., Target, Sony – were the result of a successful phishing attack.
Whois helps investigators learn what’s below the surface of breaches or other cyberattacks.
Patient zero
The first patient in an outbreak who is noticed by health authorities typically triggers a response or investigation.
From patient zero, investigators gather information to map the progression of a disease outbreak.
• Who is patient zero?
• What are his symptoms?
• Where was he found?
• Where did he travel from and to?
• When did he travel?
• What threat does his condition pose?
Index domains are the “patient zeros” of cyber investigations
• Who is the domain holder?
  § Notify the breach victim
  § Pursue the cyber attacker
• Where and when were the domains registered?
• What other domains have similar registration data?
Attacks often involve a conspiracy of domains… use the index domain to identify that conspiracy.
How do first responders use Whois?
Criminal Abuse of Domain Names: Bulk Registration and Contact Information Access
http://www.interisle.net/sub/CriminalDomainAbuse.pdf
CASE STUDY: CRIMINAL DOMAINS IN .TOKYO
• Abuse activity in .TOKYO from December 12, 2018 through December 25, 2018
• 8,715 .TOKYO criminal abuse domain names

Registrar                              IANA ID   Criminal abuse domains identified   Percent
GMO Internet, Inc. d/b/a Onamae.com    49        8,713                               100.0
NameCheap, Inc.                        1068      2                                   0.0

Nearly all of these were registered using a single registrar.
WHY THIS REGISTRAR?
- Very cheap domain registrations
- Customers can register in volume
- Customers can generate random-looking domains
1 ¥ = €0.0083
Customers can upload a file of names
Website will create random names
CHEAP DOMAIN NAMES CONTRIBUTE TO A CRIMINAL MARKETPLACE IN WHICH SMALL INVESTMENTS CAN YIELD EXTRAORDINARY RETURNS
• 1000s of domain names can be acquired for pennies per domain from registrars like GMO Internet
• Mailing lists can be purchased in the dark web or online
• Ransomware can be purchased as a service for €35
• Phishing kits can be downloaded for free from social media sites
• Online tutorials are available from YouTube
• Assuming a ransomware extortion fee of $200-500 USD, a ransomware attack is profitable with a handful of victims
EVEN A SINGLE RANSOMWARE OR PHISHING CAMPAIGN IS A LUCRATIVE ENTERPRISE
IDENTIFYING CRIMINAL ACTORS: SEARCH AND PIVOT
• .TOKYO sample spans a “post-GDPR” time period
• Use historical and recent Whois records
• Use {registrant name, registrant organization, registrant email} to
  • SEARCH historical Whois databases
  • PIVOT to other databases or social media
  to identify the criminal actors
• Only some Whois records contain contact data
• Assume that criminals submit inaccurate or fraudulently composed data
WHAT DOES SEARCH-AND-PIVOT REVEAL?
• The harmful content or attack messages
• Where criminal actors host infrastructure, e.g.
  • Malware or ransomware executables
  • Phishing or financial fraud web pages
  • Political influence campaign material
  • Mail servers that send phishing lures
  • DNS servers that support DDoS attacks
• Other domain holders that may be part of a criminal enterprise
• Other top-level domains in which the criminal actor has registered names
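The search-and-pivot procedure of the two preceding slides, as an added example that is not part of the presentation or of Interisle's own tooling. It is Python written for this page; the Whois records are constructed placeholders (example.net / .example hostnames, invented registrants), not real registrations, and the field names, the `GENERIC_VALUES` list and the `max_fanout` hub threshold are assumptions. It indexes historical and current records by registrant email, name, organization and nameserver, walks outward from the index domain, and reports the cluster, the TLDs it spans and the key that linked each domain. Redacted fields are never used as pivots, and any key shared by more than `max_fanout` domains (a registrar's default nameserver, a privacy proxy) is treated as a hub and skipped, because it says nothing about a common actor.

```python
"""Search-and-pivot from an index domain ("patient zero") over Whois records.

Added example for this page, not code from the presentation. All records
below are constructed; registrants, emails and hostnames are placeholders.
"""
from collections import defaultdict, deque

# Values that mark a redaction or proxy rather than an actor. Pivoting on
# them would join unrelated domains. Assumed list; extend per registrar.
GENERIC_VALUES = {"", "redacted for privacy", "registration private"}

CONTACT_FIELDS = ("registrant_email", "registrant_name", "registrant_org")

# Constructed Whois snapshots. "observed" is the capture date, so a domain can
# appear twice: once with contact data (2018) and once redacted (2019).
RECORDS = [
    {"domain": "example-pay01.tokyo", "observed": "2018-12-13",
     "registrant_name": "Taro Sample", "registrant_org": "",
     "registrant_email": "sample.taro@example.net",
     "nameservers": ["ns1.example-host.jp", "ns2.example-host.jp"]},
    {"domain": "example-pay01.tokyo", "observed": "2019-01-05",   # post-redaction
     "registrant_name": "REDACTED FOR PRIVACY", "registrant_org": "REDACTED FOR PRIVACY",
     "registrant_email": "REDACTED FOR PRIVACY",
     "nameservers": ["ns1.example-host.jp", "ns2.example-host.jp"]},
    {"domain": "xq7rk2lm.tokyo", "observed": "2018-12-14",       # random-looking label
     "registrant_name": "T. Sample", "registrant_org": "",
     "registrant_email": "sample.taro@example.net",
     "nameservers": ["ns1.example-host.jp"]},
    {"domain": "example-bank-login.info", "observed": "2018-12-20",  # other TLD, same name
     "registrant_name": "Taro Sample", "registrant_org": "Sample Trading",
     "registrant_email": "billing@sample-trading.example",
     "nameservers": ["ns9.other-host.example"]},
    {"domain": "zzq9wp3.club", "observed": "2018-12-22",         # redacted, NS link only
     "registrant_name": "REDACTED FOR PRIVACY", "registrant_org": "REDACTED FOR PRIVACY",
     "registrant_email": "REDACTED FOR PRIVACY",
     "nameservers": ["ns1.example-host.jp", "dns1.default-ns.example"]},
    {"domain": "unrelated-shop.biz", "observed": "2018-12-22",   # shares only the default NS
     "registrant_name": "Hanako Other", "registrant_org": "",
     "registrant_email": "hanako@other.example",
     "nameservers": ["dns1.default-ns.example"]},
]
# Twenty more constructed domains parked on the registrar's default nameserver:
# a hub that would link everything to everything if used as a pivot.
RECORDS += [
    {"domain": f"filler{i:02d}.xyz", "observed": "2018-12-23",
     "registrant_name": "REDACTED FOR PRIVACY", "registrant_org": "REDACTED FOR PRIVACY",
     "registrant_email": "REDACTED FOR PRIVACY",
     "nameservers": ["dns1.default-ns.example"]}
    for i in range(20)
]


def pivot_keys(record):
    """(field, value) pairs usable as pivots in one record; redactions dropped."""
    keys = set()
    for field in CONTACT_FIELDS:
        value = record.get(field, "").strip().lower()
        if value not in GENERIC_VALUES:
            keys.add((field, value))
    for ns in record.get("nameservers", []):
        keys.add(("nameserver", ns.lower()))
    return keys


def build_index(records):
    """Map every pivot key to the domains whose records (any capture date) carry it."""
    index = defaultdict(set)
    for rec in records:
        for key in pivot_keys(rec):
            index[key].add(rec["domain"].lower())
    return index


def search_and_pivot(index_domain, records, max_fanout=10):
    """Breadth-first walk from the index domain across shared registration data.

    Keys shared by more than max_fanout domains are hubs and are skipped.
    Returns the cluster, the TLDs it spans, the linking key per domain,
    and the hub keys that were refused as pivots.
    """
    index = build_index(records)
    by_domain = defaultdict(set)
    for key, domains in index.items():
        for d in domains:
            by_domain[d].add(key)
    start = index_domain.lower()
    evidence = {start: None}           # domain -> (domain it was reached from, key)
    queue, hubs = deque([start]), set()
    while queue:
        domain = queue.popleft()
        for key in by_domain[domain]:
            linked = index[key]
            if len(linked) > max_fanout:
                hubs.add(key)
                continue
            for other in linked:
                if other not in evidence:
                    evidence[other] = (domain, key)
                    queue.append(other)
    return {
        "domains": sorted(evidence),
        "tlds": sorted({d.rsplit(".", 1)[-1] for d in evidence}),
        "evidence": evidence,
        "skipped_hubs": sorted(hubs),
    }


if __name__ == "__main__":
    result = search_and_pivot("example-pay01.tokyo", RECORDS)
    for d in result["domains"]:
        print(d, "<-", result["evidence"][d])
    print("TLDs:", result["tlds"])
    print("hub keys skipped:", result["skipped_hubs"])
```

Two things the constructed data is built to show. First, the second record for the index domain carries no contact data at all, so after redaction the only pivot left for it is the nameserver; that is the effect the later slides describe. Second, "T. Sample" and "Taro Sample" are the same actor but do not match, so xq7rk2lm.tokyo is reached only through the shared email and nameserver: exact-match pivots work where the actor reuses the same (possibly fabricated) values, and anything beyond that is a fuzzy-matching step this example does not attempt.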
WHAT SEARCH-AND-PIVOT FROM “PATIENT ZERO” REVEALED
• The suspect appears to have used GMO’s bulk registration tools to generate thousands of random-looking domain names in a matter of minutes.
• GMO offered .TOKYO domain registrations at very low cost.
• The suspect provided a registrant address in Japan.
• The suspect targeted .TOKYO but not exclusively: .INFO, .CLUB, .ONLINE, .XYZ, .BIZ, .SPACE, and .WORK were also targeted.
• The suspect hosted Japanese phishing or malware at three hosting providers: InterQ GMO Internet, Inc., IDC Frontier, Inc., Sakura Internet, Inc.
LET’S REVIEW:
JAPANESE SPAMMERS TARGETED JAPANESE USERS USING A JAPANESE REGISTRAR AND JAPANESE HOSTING OPERATORS
COMPLETE WHOIS RECORDS ARE ESSENTIAL IF FIRST RESPONDERS AND LAW ENFORCEMENT ARE TO IDENTIFY VICTIMS AND CRIMINAL ACTORS
BUT… DUE TO AN OVERLY BROAD INTERPRETATION OF THE EU GDPR, PUBLIC WHOIS IS NOW DARK
EU’s GDPR is intended to protect personal privacy
Whois implementation protects Internet criminals or dark organizations
ADVERSE EFFECTS OF ICANN WHOIS POLICY
“One size fits all”
• Registries are redacting more data than is required by GDPR
• Solution assumes all data protection laws will align with GDPR
Legitimate disclosure of non-public Whois is still not defined
• No policy for timely or predictable access
• No accreditation frameworks
Blanket redaction
• Inhibits searches to correlate domains or actors to attacks
• No discrimination between EU data subjects and legal persons
EFFECT OF ICANN POLICY ON ACCESS TO HISTORICAL COMPLETE WHOIS RECORDS
Facts & Figures: Whois Policy Changes Impair Blocklisting Defenses
http://lnnk.in/@whoisimpedesblocklisting
• WHEN PRIVACY REGULATION BLOCKS CRIMINAL INVESTIGATION, CITIZENS ARE EXPOSED TO HARM AND LOSS
• DATA PROTECTION REGULATIONS MUST ACCOMMODATE FIRST RESPONDER AND LAW ENFORCEMENT ACCESS TO CRITICAL INFORMATION
PRIVACY PROTECTION AND PUBLIC SAFETY: A DELICATE BALANCING ACT
Creative Commons
• Slides 2, 3: Lassa Fever investigation, Mike Blyth, https://www.flickr.com/photos/blyth/
• Slide 3: Enzootic Plague investigation, CDC Global, https://www.flickr.com/photos/cdcglobal/
• Slide 4: World Map, Sharereproductions, https://www.flickr.com/photos/shaireproductions/
• Slide 10: Computer Hackers, https://www.flickr.com/photos/121483302@N02/
• All other images from Pixabay Images