We are continuing a series of articles about hackers’ error stories that led to either their arrest or detecting their identity. In the first part, we have already talked about such famous cybercriminals as Jeremy Hammond, Cody Kretsinger and Ross Ulbricht. But this chapter appeared no less interesting, and we will start it with the most canonical error that led a lot of hackers to the dock.
I forgot to switch VPN on
A resident of the UK Tomasz Skowron stole money using malicious software. The time-tested scheme was used, with the help of a trojan the access to Internet banking was stolen, and then the money was transferred to figureheads, who then cashed it. Thus, the criminals managed to withdraw more than $ 1 million from accounts worldwide.
Tomasz Skowron was directly involved in the transfer of funds from hacked accounts, and once his VPN failed. The original IP address of the cybercriminal appeared in the logs of connections to the victim’s Internet bank account. After a while, Tomasz was expecting a visit from law enforcement services, and after that for the sentence of 5 years in prison.
Even if the criminal uses VPN, there is always the possibility of software malfunction, for example, the connection may “fall off” unnoticeably for the user, or if the Internet is down, the VPN application will not have time to redirect the Internet traffic to the VPN server, and some of the data will bypass VPN. And it also happens that some may simply forget to switch VPN on.
Even if the VPN contains the function of blocking data bypassing the VPN, failures are still possible (I have already talked about this in the chapter on bugs and errors). They happen to everyone, just for some programs this “crash” of the service will lead to an unpleasant error notification, and the user will have to restart the program, in the case of a VPN error the hacker’s real IP address will be in the hands of law enforcement services.
An effective solution could be to use the Whonix-Gateway as a firewall; fortunately for our bank accounts, Tomash Skowron did not know about this. In terms of the course, I will show several ways to block leaks reliably, but I considered and consider Whonix-Gateway as the most reliable of them, although it is not the most convenient one.
Documents remember who opened and edited them.
We are talking about Microsoft Office and Apple office products, such as Pages and Numbers. This is a useful option allowing you to find out who, when and what changes were made to the document. Safe for anyone, but not for a hacker who views stolen documents and plans to publish them in the future.
You have probably heard about hacking emails and publishing documents of the US Democratic Party in July 2016, many have written about this in the media and I would not like to retell this story. You may have heard about the “Russian trace” in this case, let's look at the evidence of this version.
The first is that the analysis of the posted documents showed that the Russian-speaking user Felix Edmundovich took part in editing and what is most importantly is that his name was written in Cyrillic.
The second one is about the fact that the documents and the site where they were posted, contained enough evidence indicating that there was a Russian-speaking user behind it. A trivial example is a smiley symbol in the form of three brackets “)))”, which is popular on the territory of the former CIS.
The third one is that the edits were made from the hacked version of Microsoft Word, which is popular in Russia. And the most important one is the fourth point, which is that there were error messages in Russian that appeared during the conversion of the document in the Russian version of the program.
As you may see, even the used version of office software can become an indirect tool for narrowing the hacker’s search range or destroying a legend when a hacker tries to pretend someone they really aren’t.
As part of the course, we will teach you how to remove metadata from various types of documents and substitute data about the software used for editing. It is possible that someday you will need this skill.
Pictures save the place of shooting
Hacker Higinio Ochoa, like “Felix Edmundovich” from a previous story, loved to hack various American resources and upload data to the network. In one of his publications, he put a photo of a girl with the inscription “PwNd by w0rmer & CabinCr3w <3 u BiTch's!” made on the iPhone.
This was a fatal mistake, as the photo involved the coordinates of the location of the shooting. Although they found only his girlfriend, from that moment he was fated and the rest actions were a matter of technique. Fortunately, many popular sites now remove the coordinates of the filming location at uploading, many, but not all.
Being able to check for the location coordinates of the shooting in the photo metadata and deleting them are useful skills, but within the course we will not limit ourselves to it, we will replace the shooting location. For example, a photo taken in Moscow will contain the coordinates of the remote places of the Siberian taiga.
The location is not the only thing that you can find out from the photo and what you should think about when uploading the picture to the network; a separate chapter is devoted to this issue.
The end of the telephone terrorism era.
This technology is already being actively implemented in banks, in a number of countries it is in the arsenal of special services, and the old “bought one-time mobile for one anonymous call” scheme no longer works. Each voice has its own unique imprint, by which it is possible to identify its owner, this is what many know about. But the fact that the changes in the voice, which make the standard programs to change the voice, are not a problem and do not protect against the detection, becomes a surprise.
Vitalik from a provincial town of Russia decided to take part in a large-scale action on “mining” the Moscow railway stations. To do this, he got Internet telephony, Double VPN and a voice changing program. He bought on the underground forum an account for voice telephony, worrying about his anonymity, which is a good set of professional telephone terrorist, isn’t it?
He successfully “mined” the station, and enjoyed the success until the night, watching the news. In the morning Vitalik himself became a member of local criminal news, as the guys from the federal security service came to him with a search. Now he is waiting for trial and, at best, a huge fine.
His voice imprint helped to identify him. Vitalik's call was recorded, then experts processed it, restoring the original voice. The program, which so successfully changed the voice, did not become a serious obstacle, and a sample of its voice imprint appeared in the database, which is united in Russia, i.e. banks and law enforcement services have access to it.
Social networks are the best enemies of hackers
Many would be interested to know who is viewing their pages on social networks, for how long and how often. The page of Dmitry Smilyants, a young and successful man, was viewed not only by friends, relatives and fans, but also by FBI agents.
They knew him as a cybercriminal with the pseudonym "Brave". In July 2013, he posted his photo on instagram, where he posed in front of the “I Amsterdam” words. Agents immediately phoned hotels nearby, and in one of them they were informed that Dmitry Smilyants was indeed living with them, but was currently sleeping.
The next morning turned out to be the last one for Dmitry being free, he had the arrest and was transfered to the hands of American justice. In the end, he would spend 5 years behind bars.
Why wouldn't they make him wanted? Russian hackers are perfectly able to receive information about the search from Interpol, and, of course, the officially wanted hacker will not leave Russia or will do it with maximum precautions to countries where the FBI will not be able to request their extradition. Therefore, agents follow the suspects with the help of social networks, and, as you can see, this gives a result.
I would like to talk about another rather enlightening error of a cybercriminal who was engaged in a bad business, namely trading malicious software. He was a mediator, or so-called reseller. Working with several malware developers, he earned a reputation and knew shadow markets perfectly.
But Alexei (let's call him this way) was not immediately a popular malware merchant, he began by trying to hack mailboxes and offering services through the social network Vkontakte. He acted rather primitively, since with the help of a phishing set bought on the black market, he tried to catch victims due to their carelessness. It didn’t happen very often, but at that moment yesterday’s schoolboy seemed to be an incredibly profitable businessman.
For sure, all cool hackers have some cool nickname, and Alexey was not an exception, inventing a new "hacker" name for himself. He entered it in the name of his page on the social network, it was also displayed in the link to the page after the slash (/).
As years have passed, Alexey was no longer a self-taught hacker, but an outstanding professional who was wanted by law enforcement agencies of more than one country in the world. But something from that time has left and this is his unique nickname. And now, collecting information about him, law enforcement services stumbled upon his old page.
The future serious cybercriminal, not getting out of Tor, at the time, entered the social network from his home IP-address and gave customers a wallet issued for his passport data. Finding a page with the information about him a few years later will lead to his arrest.
VPN, Tor and proxy are not an obstacle as well
VPN, Tor and proxy are not an obstacle, and people using them can be deanonymized. It’s a big mistake not to believe this, there are plenty of ways to get a genuine IP address, here are some examples:
- Deanonymization of VPN and proxy users via cookies
- Deanonymization of VPN and proxy users through third-party sites
- Deanonymization of VPN and proxy users through mapping connections
- How the FBI obtains authentic IP addresses of criminals using Tor, VPN or proxy
- Cross-device tracking. Deanonymization of users Tor, VPN, proxy using sound beacons.
Not only the IP address is dangerous
Another big misconception is the belief that only an IP address can lead to identification. Many factors can lead to identification, but the MAC address is especially dangerous. We have already told in this chapter how the identities of cybercriminals are established using a MAC address.
Did you like this article? Join us.