"Antisocial" engineering: the role of the human factor in the fight against carders

Father

The human factor is one of the ineradicable problems of information security. No matter how many layers of defense a company's infrastructure has, there is always an employee who will knowingly or inadvertently click on a phishing link and infect their device with malware, or give away their account credentials.

However, the human factor also works in the opposite direction, since cybercriminals are people too. They make mistakes, get careless, or simply take the baits set for them by information security specialists and forensic investigators. Often a hacker is caught by sheer accident, for example because a VPN connection dropped at the wrong moment.

This article examines the main behavioral and social factors that lead to the deanonymization of cybercriminals and their subsequent capture, as well as the software solutions that help "exploit human vulnerabilities".

How hackers work

The main weapon of a hacker is not malware or exceptional knowledge of vulnerabilities in the attacked system, but social engineering. It can be used to gain access to the target infrastructure, obtain the payment details of a huge number of people, or infect a user's device.

Nikita Leokumovich
Head of Response and Digital Forensics at Angara Security

The main and only tool of a hacker aimed at the human factor is social engineering. This term refers to ways of manipulating people in order to obtain information from them or make them perform certain actions. People who use social engineering techniques play on our emotions.

For example, they cause fear: a "window" suddenly pops up in the browser and signals that the computer is infected. Or a call comes in saying that a loved one is in trouble. They use human curiosity, which makes you insert a flash drive you found into your computer or click on a bright ad. They play on your wishes with simple messages: "You won a million rubles", "Invest 10 rubles and get 100,000 rubles in a week".

What techniques exist:

Phishing is the use of communications to deceive users and gain benefits from them. There are several types of phishing cyberattacks.

1. Vishing. Criminals use the phone to mislead victims. For example, an attacker may introduce himself as an employee of a bank or insurance company and, under the pretext of advertising new services, find out the personal data of the interlocutor.

2. Smishing is phishing through SMS messages.

3. Targeted phishing targets a specific person or organization. It involves a long preliminary period of exploration and collection of information about the victim.

4. Phishing aimed at top managers of a company is a type of targeted phishing, but the victim is a very well-known person or a large organization.

5. Clone phishing – using similar fake addresses to deceive the victim. For example, a real public service resource looks like this – gosuslugi.ru, and the fake resource uses a very similar character set – golusugi.ru.

People who succumb to the temptation do not have time to assess the danger of the situation and hand sensitive information to the intruders themselves or perform the requested actions.

At the same time, social engineering is used for a variety of attack types and purposes, from building a botnet or breaking into a company to mass spam and destabilizing the mood of particular groups of people with "lists" compiled from several leaks.

The main problem from the point of view of cybersecurity is that the risk of a social engineering scenario succeeding can be significantly reduced, but cannot be eliminated completely. No amount of training or security software guarantees that an employee will not perform the action the hacker intended.

The downside of Social Engineering

Cybersecurity specialists, in turn, also use social engineering methods against cybercriminals. First of all, this concerns the analysis of the digital traces that an attacker leaves during an attack.

Mikhail Prokhorenko
Head of the Department for Combating Cyber Threats, BI.ZONE

There are several types of behavioral factors.

1. Human inattention, forgetfulness, and laziness

Even if an attacker knows perfectly well how to erase their tracks, they are not always ready to do this: such work may require too much effort and time. The task of a technical expert is to find clues, sometimes even tiny ones.

For example, a fraudster needs to log in to the victim's system many times, up to a thousand, masking their IP address, system name and browser fingerprint each time. With so many login and connection episodes, at some point the attacker is not insured against a slip. Sometimes it is necessary to investigate each of them, counting on the human factor: the attacker's laziness or inattention.

2. Timestamps

Another typical trace examined in computer forensics is timestamps. If the attackers moved a new file onto the computer or changed an existing one, those files receive timestamps. Even if the culprit has hedged his bets, altering a file's timestamps cannot be done with nanosecond accuracy.

3. Search queries

Some methods of investigating computer crimes are no different from everyday ones. For example, queries in Yandex can help the search here too.

4. Speech patterns

If the fraudster corresponded with potential victims, the investigation team can identify them by their characteristic words and phrases, and by mistakes in spelling and punctuation. This method is usually used near the end of an investigation, when there are several specific suspects. Features of written speech can even betray the interlocutor's country. For example, the use of the brackets ")" and "(" as emoticons instead of emojis is typical for the Russian-speaking population and residents of the CIS.

These are all examples of the human factor, which is incredibly difficult to control. We can say that the tactic of the investigation is to study each fact of the case and find out exactly where the attacker made a mistake.
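The timestamp point above (a tampered file cannot be made consistent down to the nanosecond) can be turned into two simple consistency checks. The following is an added example written for this page, not code from the article or from BI.ZONE; it assumes a Linux-style filesystem that records nanosecond timestamps and whose ctime cannot be set from user space, and the sample files it creates are constructed in a temporary directory.

```python
"""Timestamp-consistency checks of the kind used to spot timestomped files.

Two heuristics, each a pure function so it can be applied either to stat()
results or to values recovered from a disk image:
  * a modification time whose sub-second part is exactly zero on a
    filesystem that records nanoseconds suggests the time was set by a tool
    that only accepts whole seconds (assumption: the filesystem keeps ns);
  * a modification time later than the inode change time cannot arise from
    normal file operations on Linux, because every write or attribute change
    refreshes ctime and ctime cannot be set from user space.
"""
import os
import tempfile
from pathlib import Path

NS_PER_S = 1_000_000_000


def timestamp_findings(mtime_ns, ctime_ns):
    """Return the list of heuristic names triggered by this pair of timestamps."""
    findings = []
    if mtime_ns % NS_PER_S == 0:
        findings.append("whole-second mtime")
    if mtime_ns > ctime_ns:
        findings.append("mtime later than ctime")
    return findings


def scan_tree(root):
    """Map each regular file under root to its findings (empty list = nothing odd)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            st = path.stat()
            results[path.name] = timestamp_findings(st.st_mtime_ns, st.st_ctime_ns)
    return results


def demo():
    """Create a normal file and a back-dated one in a temp dir and scan them.

    The back-dated file has its mtime forced to a whole second in the past,
    the way a tool that takes whole-second arguments would leave it. Its ctime
    is refreshed by the kernel at that moment, so it stays later than mtime.
    """
    with tempfile.TemporaryDirectory() as d:
        normal = Path(d, "report.txt")
        normal.write_text("written normally\n")
        stomped = Path(d, "backdated.txt")
        stomped.write_text("timestamp altered afterwards\n")
        past = 1_600_000_000 * NS_PER_S  # constructed: a whole second in 2020
        os.utime(stomped, ns=(past, past))
        return scan_tree(d)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {', '.join(findings) or 'no anomalies'}")
```

The whole-second heuristic is only meaningful on filesystems that actually store sub-second precision; on a seconds-only filesystem every file would trigger it, so check the filesystem type before trusting that signal.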

A whole set of event detection and incident analysis tools helps specialists collect this data. In addition to studying digital traces, there are also proactive software solutions that allow you to provoke a hacker to perform a certain action in the infrastructure in order to unmask his presence in it.

All deception tools are based on the thesis "to appear, but not to be" – they simulate a certain element of infrastructure that is attractive to the hacker, which he should "fall for". This can be disguised as an open port, a database, or something else.

Vladislav Luzhnikov
Cyber deception technologies analyst at R-Vision

In order to mislead the attacker, various cyber deception techniques are used, which distort the real picture of the infrastructure for the attacker. For example, using honeytoken tools you can create and place plausible trigger files that generate an information security event when an attacker interacts with them. Or use honeypots (trap hosts) that distract the hacker's attention from real assets, as well as decoy accounts (honeyusers), etc. To implement such protection schemes, you can use both public tools and commercial solutions of the Deception class.

Proper use of Deception tools and techniques allows you not only to detect an attacker but also to keep him in the deception layer for some time. Of course, just as with an attack, as the amount of data about the attacker grows, the quality of the "deception" in security tools grows too. At the same time, there are cases where individual companies have effectively used deception techniques to go as far as a "hack back", entering into hacker wars with the attacker, but in most cases this approach is extremely risky and outside the legal framework.

Based on this information, further reports are compiled and databases (including TI platforms) are updated, which allows cybersecurity specialists to build effective protection against a specific hacker group, taking into account its behavior and potential attack targets.

This information is also used to update security policies, make adjustments to the rules for detecting incidents by information security systems, create new correlations of events, and generally enrich the knowledge of information systems and specialists.
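The honeytoken and honeyuser idea above rests on one property: a decoy identity is never used legitimately, so any appearance of it in the logs, even a failed login, is itself the alert. The following is an added example written for this page, not code from the article or from R-Vision; the decoy names, the access key and the log format are all constructed, and nothing here is a real account or key.

```python
"""Honeyuser / honeytoken detection over constructed sample log lines.

Decoy identities are chosen so that no legitimate process ever uses them:
any appearance in the logs, even a failed login, is itself the signal.
"""
import re
from dataclasses import dataclass

# Constructed decoy names and key (hypothetical; not real accounts or keys).
HONEY_USERS = {"svc_backup_legacy", "oracle_admin2"}
HONEY_TOKENS = {"AKIAHONEY0000EXAMPLE"}

# Constructed log format: "<timestamp> <service> key=value key=value ..."
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    line_no: int
    kind: str        # "honeyuser" or "honeytoken"
    indicator: str   # which decoy was touched
    src: str         # source address recorded in the log line
    ts: str


def parse_line(line):
    """Split a log line into its timestamp and a dict of key=value fields."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None, {}
    return parts[0], dict(KV_RE.findall(parts[2]))


def scan(lines):
    """Return an Alert for every line that touches a decoy user or token."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ts, fields = parse_line(line)
        if not fields:
            continue
        src = fields.get("src", "?")
        if fields.get("user") in HONEY_USERS:
            alerts.append(Alert(n, "honeyuser", fields["user"], src, ts))
        if fields.get("key") in HONEY_TOKENS:
            alerts.append(Alert(n, "honeytoken", fields["key"], src, ts))
    return alerts


def decoy_credentials_file(token):
    """Render a plausible-looking credentials file to plant as a honeytoken.

    The profile name and secret are constructed filler; only the access key
    needs to match HONEY_TOKENS so that its later use can be recognised.
    """
    return (
        "[legacy-backup]\n"
        f"aws_access_key_id = {token}\n"
        "aws_secret_access_key = 0000000000000000000000000000000000000000\n"
    )


# Constructed sample log: routine activity plus three decoy touches.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z sshd user=alice src=10.0.0.5 result=ok",
    "2024-05-01T10:02:11Z sshd user=svc_backup_legacy src=10.0.0.77 result=fail",
    "2024-05-01T10:02:14Z sshd user=svc_backup_legacy src=10.0.0.77 result=fail",
    "2024-05-01T10:05:00Z s3api key=AKIAHONEY0000EXAMPLE src=203.0.113.9 op=ListBuckets",
    "2024-05-01T10:06:30Z sshd user=bob src=10.0.0.8 result=ok",
    "malformed line without fields",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.kind} {a.indicator!r} touched from {a.src} at {a.ts}")
```

Failed logins are reported on purpose: a real user may mistype a password, but nobody should be trying a decoy account at all, so the source address of such attempts is what feeds the TI databases and correlation rules mentioned above.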

Yakov Grodzensky
Head of Information Security at CTI

There are solutions that counteract the circumvention of information security tools (SPIs): special security software intercepts requests to the OS kernel and answers in the affirmative to queries about the presence of certain SPIs on the host, even when no SPI is installed, so the attack stops at the very start.

Threat Hunting technology is gaining popularity, which allows you to get information about suspicious actions on hosts based on telemetry data. It is necessary to mention the Anti-APT and XDR class solutions that can prevent attacks by studying the actions of suspicious files and links, as well as based on compromise indicators.

However, social engineering against hackers is used most of all by the various state intelligence services and departments whose tasks include combating hacker activity, tracking down and arresting hackers.

The state and the fight against carders

Different countries also use social engineering, but in the opposite direction - in order to catch hackers. As a rule, it is used to solve the following two tasks:
  • deanonymization of malicious users;
  • their actual arrest.

As a rule, special services use the same methods to fight hacker groups as they do to arrest representatives of drug cartels. A textbook example was the Carderplanet service, where the US special services managed to introduce several of their agents at once. Subsequently, they were able to lure leading representatives of the community to a jurisdiction loyal to the United States and make an arrest.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

In fact, the story goes far beyond the human weaknesses of hackers, of which I would call vanity the most prominent. At the dawn of hacktivism, it was even good form to leave messages in hacked systems and identify yourself unambiguously. Cybervandalism in this form did not last long, but nevertheless.

Today's hackers, unless they are lone enthusiasts, are usually tightly connected to the law enforcement agencies of their countries and perform very specific tasks. We are already beginning to talk, in fact, about cyber forces. Waiting for such people to leave some extra information about themselves on the web is no longer necessary; this is a completely different level. For example, the Lazarus group is associated with the special services of North Korea. But it's unlikely we'll see a high-profile trial in the near future, even though the US Department of Justice has indicted several people.

Hackers just happen to be careless. Our compatriot Alexey Burkov was engaged in stealing the bank card data of US citizens and was detained in Israel, after which he was duly extradited to the United States after spending about four years in Israeli prisons. Even if factual material has been accumulated, it is necessary to wait until the suspect is in the right jurisdiction before he can be arrested.

Separately, it is worth mentioning pro-government APT groups, the fight against which is seriously complicated by the fact that these are professional closed communities that are almost impossible to infiltrate. Such groups are well aware of the methods of the security services and do a great job of minimizing the risks associated with deanonymization. If we go back to the example of North Korea, it is very likely that they do not leave the country at all, which makes the risk of their arrest close to zero.

It is important to understand that the fight against hacker activity in many countries is not reactionary, but programmatic in nature, and is conducted preemptively, regardless of whether a potential hacker has managed to commit a crime or is just about to do it.

Alexey Drozd
Head of the Information Security Department at Serchinform

Most often, specialized security services conduct a man-in-the-middle attack (MITM attack). They infiltrate a hacker group, collect evidence of fraudulent activities, or catch a member of the group in order to force them to betray the other members. After that, the security services can seize control of the site.

Not so long ago, details of an FBI operation were revealed. The special services distributed "protected" smartphones with a pre-installed "in-house" encrypted messaging application called Anom as bait for catching criminals. The FBI used this trap app to track criminals' communications. As a result, international intelligence agencies conducted hundreds of arrests.

Another incident related to the human factor occurred with the organizer of DDoS services Quantum Stressor. The owner of the largest DDoS service was hiding from the security services for six years, but gave himself away when ordering pizza. When placing an order for pizza delivery, the cybercriminal specified the email address that he used when registering Quantum Stressor. This ill-fated order attracted the attention of the special services.

However, the methods used by states to find and catch cybercriminals are not always effective because of differences in jurisdiction. Cooperation between countries and services in this area remains quite bureaucratic, so each such operation is "based" on kilograms of permits, requests and approvals.

What brings hackers down

A hacker is also a person, with personal traits, attitudes, behavioral patterns and other socio-cultural attributes. Sometimes quite banal laziness or inattention, which to some extent is characteristic of all people on the planet, leads to capture.

Sergey Antonov
Engineer of the Information Security Department of the Abak-2000 system integrator

The most revealing story in my opinion is the story of Tomas Skowron. He stole money from accounts using malicious software. The scheme is as old as the world: the Trojan stole Internet banking credentials, the attacker gained access to the victim's accounts and transferred money to front persons, and then cashed it out. It is noteworthy that he managed to withdraw more than $1 million, and users around the world became victims of the hacker.

To avoid being found out, he used a VPN to change his IP address. But one day, either he forgot to turn it on or the VPN failed, and the attacker's real IP appeared in the Internet banking logs. As a result, Tomas was handed a trip to places not so far away for a period of 5 years.

It happens that a VPN connection "falls off" unnoticed by the user: for example, the VPN connection fails and some of the traffic goes around it, revealing the real IP address. In this example, Tomas was undone by his own laziness, because if he had set up a firewall, then when the VPN connection broke the traffic would not have bypassed it.
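Seen from the defender's side, both this story and the earlier point about an intruder who logs in up to a thousand times behind a mask come down to the same question: among many sessions that share one device fingerprint, which one arrived from a network the mask never used? The following is an added example written for this page, not code from the article or from Abak-2000; the session records, the fingerprint values and the address ranges are constructed (documentation ranges), and grouping by /24 stands in for the ASN or geolocation lookup a real investigation would use.

```python
"""Finding the session where an intruder's mask slipped.

Assumption (constructed data, not from the article): each login record for
one account carries a source IP and a device fingerprint hash. A persistent
intruder who always enters through a VPN produces many sessions from VPN
networks with one device fingerprint; the single session where the VPN was
down shares that fingerprint but comes from an unrelated network.
"""
import ipaddress
from collections import Counter, defaultdict


def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so that VPN exit churn groups together."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def mask_slips(sessions, min_sessions=5, rare_fraction=0.2):
    """Return sessions whose device fingerprint is well established but whose
    source network is rare for that fingerprint.

    sessions: iterable of dicts with keys 'ts', 'ip', 'fingerprint'.
    A fingerprint needs at least min_sessions records to be judged; a network
    seen in fewer than rare_fraction of them is treated as an outlier.
    """
    by_fp = defaultdict(list)
    for s in sessions:
        by_fp[s["fingerprint"]].append(s)

    slips = []
    for recs in by_fp.values():
        if len(recs) < min_sessions:
            continue  # too few sessions to say what is "usual" for this device
        counts = Counter(network_of(r["ip"]) for r in recs)
        for r in recs:
            share = counts[network_of(r["ip"])] / len(recs)
            if share < rare_fraction:
                slips.append(r)
    return slips


# Constructed login log for one account: nine sessions through two VPN exit
# ranges (198.51.100.0/24 and 203.0.113.0/24), one from an unrelated range
# on the night the VPN was down, plus one session by the legitimate owner.
SAMPLE_SESSIONS = [
    {"ts": "2024-03-01T21:02Z", "ip": "198.51.100.14", "fingerprint": "fp-a71"},
    {"ts": "2024-03-02T21:10Z", "ip": "198.51.100.23", "fingerprint": "fp-a71"},
    {"ts": "2024-03-03T20:55Z", "ip": "203.0.113.41", "fingerprint": "fp-a71"},
    {"ts": "2024-03-04T21:07Z", "ip": "198.51.100.9", "fingerprint": "fp-a71"},
    {"ts": "2024-03-05T21:00Z", "ip": "203.0.113.77", "fingerprint": "fp-a71"},
    {"ts": "2024-03-06T21:03Z", "ip": "198.51.100.31", "fingerprint": "fp-a71"},
    {"ts": "2024-03-07T21:09Z", "ip": "192.0.2.88", "fingerprint": "fp-a71"},  # VPN down
    {"ts": "2024-03-08T21:01Z", "ip": "203.0.113.12", "fingerprint": "fp-a71"},
    {"ts": "2024-03-09T21:04Z", "ip": "198.51.100.5", "fingerprint": "fp-a71"},
    {"ts": "2024-03-09T09:30Z", "ip": "10.1.4.2", "fingerprint": "fp-own"},  # account owner
]

if __name__ == "__main__":
    for s in mask_slips(SAMPLE_SESSIONS):
        print(f"{s['ts']} {s['ip']} fingerprint={s['fingerprint']}: outlier network")
```

The single outlier is the session a forensic team would then chase through the provider; the legitimate owner's lone session is deliberately ignored because one record says nothing about what is usual for that device.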

Chance, coupled with inattention, can destroy even the most "advanced anonymous user" who has always left a minimum of digital traces in the attacked systems and did everything to protect their privacy.

Inattention can be not only situational but also strategic. Such cases include, for example, reckless trust in certain services and software that a hacker uses both in everyday life and for carrying out cyberattacks.

Dmitry Demin
Head of Application Solutions and Monitoring Department, Sitronics Group

In 2013, Pavel Vrublevsky organized a DDoS attack on the servers of the competitor company Assist. As a result, the sites of Assist's clients, including the site of Aeroflot, could not function normally.

How they were able to identify the hacker and prove his guilt: Vrublevsky, along with his "accomplices", used the ICQ messenger. First, this messenger belongs to Mail.Ru Group, whose close cooperation with law enforcement agencies is no secret. Second, the ICQ service itself is not secure. It was necessary to choose a more secure messenger or at least use encryption. Obviously, the deanonymization was due to the group's stupidity or banal laziness. If they had been more knowledgeable about encrypting messages in instant messengers, it would have been much more difficult to prove their guilt.

The same thesis is true for the shadow segment of the Internet: not all forums and platforms on the darknet provide a high level of security for the data stored on them. And the very fact of communicating on such a platform can already be dangerous for a hacker, especially if he is prone to vanity and "needs approval".

Many famous hackers were caught, among other things, because information about them was quite well known "among their own", and the capture came from the "side arrest of a colleague", who during interrogation, in order to reduce his sentence, told about other hackers.

Pavel Kuznetsov
Product Director of the company "Garda Technologies"

In the context of this issue, it is more appropriate to say that, fortunately for all of us, the attackers are not representatives of the planet Shelezyak who masterfully command any technology, but people like the rest of us. This means that they make mistakes, including those associated with "dizziness from success", for example when they seek to share their "stunning" results in illegal activities with those around them. Suffice it to recall the story of the famous Kevin Mitnick, when, if I remember correctly, two of his arrests were the result of testimony against him by his friends.

Sometimes the personal vanity of one attacker is supplemented by the vanity of his colleagues in the group, which results in a perverse "corporate ethics".

Vain, arrogant hackers are a real godsend for the special services, because their desire to prove their "coolness" often prevails over prudence and the banal instinct of self-preservation. "Prove that you are not weak" is literally a child's "wiring", but it also works for quite adult, intelligent people.

Alexander Zubrikov
General Director, ITGLOBAL.COM Security

One of the most striking examples of recent years is the case of catching hackers by playing with their ego and thirst for profit. One of the most striking cases of recent days is the conflict between Anonymous and LulzSec, which led to the capture of the most dangerous cybercriminals and the collapse of the largest hacker groups. Each of these groups considered itself the most powerful and influential, and demanded public attention. The special services played on this, pitting them against each other by social engineering, and, as a result, were able to identify and arrest many members of these groups.

One of the most recent high-profile cases is the capture not only of hackers but also of drug traffickers by creating a fake secure messenger that was advertised on closed sites. Social engineering and phishing techniques were also used to make attackers use this software with hidden functionality embedded in it, which later helped during operational search activities and the collection of evidence.

Along with the desire to become famous, there is often a craving for luxury. Ransomware operators, carders and other representatives of the cybercrime world find that big money starts to "burn their hands", and the soul in response asks for luxury hotels and luxury cars.

Trips to hot countries are especially dangerous in this context, since there is a high risk of encountering, on arrival, not beach touts but employees of the special services of that country. For this reason, the detentions of hackers are often demonstrative, with special forces, a police helicopter, sirens and loud screams.

Sergey Petrenko
Head of Information Security at IT Academy

A year ago, in January 2022, 14 members of the REvil criminal group, also known as Sodinokibi, which became famous for delivering "ransomware as a service", were detained. Every month, the cyber extortionists carried out at least 15 attacks. In addition, REvil attracted attention with high-profile attempts to extort celebrities. So, in 2020, the attackers extorted $42 million from US President Donald Trump.

The hackers were caught using social engineering techniques: the FSB checked 25 addresses and found 14 members of the REvil group. During the detention, $600 thousand, €500 thousand and 426 million rubles were seized from the hackers. Communications equipment and technical means for committing cybercrime were also seized, including 20 premium cars.

There are also cases when the hacker is ruined not by vicious traits but by banal sentimentality. Many people, contrary to the advice of information security specialists, set associative passwords on their accounts.

For example, someone's name (in the worst case, your own, along with the date of birth), some symbolic word or name: the first trip, a pet, or the brand of your first car. Such sentimentality is very fraught.

Alexey Marinin
Senior Mobile App Developer, Independent expert

An illustration of the fact that the human factor is often the cause of hacker deanonymization is the story of Jeremy Hammond. He hacked into the database of a major intelligence agency whose clients are large corporations and even the state. Jeremy didn't stop there; he made a large donation from the bank cards of the agency's clients. The attacker stored all the information on a remote, encrypted disk, but the password to the disk itself consisted only of the name of his cat and a couple of sequential digits. The FBI agents had been following Jeremy for a long time, so they knew his pet's nickname. So naivety and partly stupidity provided him with 10 years in prison.
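The "cat's name plus a couple of digits" pattern, and the associative passwords described just before it, are exactly what a password policy check can refuse before anyone has to guess them. The following is an added example written for this page, not code from the article or from any of the experts quoted; the personal tokens and candidate passwords are constructed, and the leetspeak substitution table is an assumption about common habits, not an exhaustive list.

```python
"""Reject passwords that reduce to a personal token once the usual
decorations (digits, punctuation, leetspeak) are stripped away.

Constructed illustration: 'tokens' are words that could be learned about the
account owner (pet, first name, car model, birth year). A password that is
just such a word with digits or symbols around it gives no real protection.
"""
import re

# Assumed common substitutions; extend as needed.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Lowercase, strip digits/punctuation at both ends, then undo leetspeak."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def personal_match(password, tokens, min_len=4):
    """Return the personal token the password is derived from, or None.

    Longer tokens are tried first so the most specific match is reported.
    Tokens shorter than min_len are ignored to avoid noise from short words.
    """
    core = normalize(password)
    for token in sorted((t.lower() for t in tokens), key=len, reverse=True):
        if len(token) >= min_len and token in core:
            return token
    return None


def check_policy(password, tokens):
    """Combine the associative check with a minimal length rule.

    Returns a list of reasons the password fails; an empty list means accepted.
    """
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    hit = personal_match(password, tokens)
    if hit is not None:
        reasons.append(f"derived from personal token {hit!r}")
    return reasons


# Constructed profile tokens for a hypothetical user.
PROFILE_TOKENS = ["Murzik", "Ivan", "Lada", "1985"]

if __name__ == "__main__":
    for candidate in ["Murzik12", "1985Ivan!", "L4da2110", "Tr0ub4dor&3", "correct-horse-battery"]:
        problems = check_policy(candidate, PROFILE_TOKENS)
        print(f"{candidate!r}: {'; '.join(problems) or 'accepted'}")
```

The check is deliberately one-sided: it can only catch derivations of words the policy already knows, so the token list should be fed from the user's own profile fields rather than from a generic dictionary.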

Summing up all the cases, we can conclude that the problem of social engineering remains a double-edged one. And as long as the hacker remains a person, that is, a biosocial being with many needs and personal characteristics, he will make mistakes that allow him to be identified.

On the other hand, hacker victims, no matter how advanced anti-phishing technologies are, will repeatedly fall into the traps of social engineering and "give" their account data to intruders.