FBI pierces ‘anonymity’ of cryptocurrency, secret domain registrars in Scattered Spider probe

The US Justice Department on Wednesday announced the arrest of five suspected members of the notorious Scattered Spider phishing crew, but the most interesting part of the case was a US Federal Bureau of Investigation (FBI) document detailing how easily the feds were able to track the phishers’ movements and activities.

In recent years, services that push anonymous communications and transactions, including through cryptocurrencies, free and disposable email addresses, and services that register domains to shield the actual owners’ identities, have soared in popularity, worrying many in the CISO community. But the newly published FBI investigation details show that these services don’t deliver anonymization or secrecy so much as they make the information time-consuming, expensive, and cumbersome to track. In short, they don’t shield identities. They simply make it a hassle to unearth those identities.

“The hardest part of forensic investigations is the many layers of obscurity built into all digital crime,” said cybersecurity attorney Mark Rasch, who spent years overseeing the high-tech crimes unit of the Justice Department. “But both data and money eventually have to go from one place to another. When they do so, they leave a digital trail.”

Before the FBI went through the laborious effort of tracking the global movements of the attackers and the stolen currency, which Rasch painted as “a combination of digital tools and old-fashioned shoe leather,” they apparently got lucky.

That luck came in the form of Scottish law enforcement, which happened to arrest one of the suspects on an unrelated charge. But that arrest gave them access to various digital systems controlled by the suspect, and some of the data captured from those systems matched inquiries from US law enforcement. Those systems were then turned over to the FBI.

According to the FBI information filed to California federal judge Margo Rocconi by an unidentified FBI agent, the suspects used multiple techniques to trick victims into trusting the phishing links. First, the link appeared to be from the domain of the victim’s employer. Secondly, the attackers leveraged the name of enterprise security vendor Okta by adding “-okta.net” to the end of the visible portion of the phishing domain name.

The attackers then reportedly used a domain registrar called NameCheap, which dubs itself as offering “private domain registration” and touts, with an element of irony given the customers at issue here, that they allow customers to “stay protected from fraud and identity theft. Your contact details will be hidden from the public Whois database.”

The suspects then used a bogus username (a celebrity name coupled with an offensive term) along with a free email address from Gmail. “These records showed that both phishing domains were registered on June 2, 2022, the same date that Victim Companies 1, 2, and 3 were targeted in the phishing scheme,” the FBI filing said. “Records from NameCheap for the Subject NameCheap Account also showed that the account was used to register other phishing domains with names that suggested that they were designed to similarly target additional telecommunication, cryptocurrency exchange, social media, and technology companies,” said the filing.

The suspects also used email accounts from Proton, which bills itself as offering “secure email that protects your privacy” and says on its website, “keep your conversations private with Proton Mail, an encrypted email service based in Switzerland.”

This is where the devices confiscated by Scottish authorities come into play, along with a lot of dot-connecting by the FBI.

“Two of the devices contained information relating to a Proton email address that had been used by (one suspect) to book a flight, based on information provided by British Airways. This flight reservation was associated with (suspect’s) true U.K. passport number. The internet browser history from one of (suspect’s) devices showed that he accessed (i) a NameCheap registration and control panel page for Phishing Domain 2, which was used to target Victim Company 2; and (ii) the Subject Gmail Account, which was used to register the Subject NameCheap Account that in turn registered Phishing Domain 1, Phishing Domain 2, and many other apparent phishing domains as discussed above,” the FBI memo said. “The hash value of the phishing kit on [suspect’s] device matched the hash value of the phishing kits found on three virtual private servers that were used to host phishing websites. The fact that these files all shared the same hash value indicates that they were exact copies of the same phishing kit.”

The FBI used browsing histories to connect suspects to various systems involved in the scheme. The systems may have been obscured, but thanks to the confiscated computers, connections between systems could be established. And seized records from cloud hosting firm BitLaunch helped yet more in following the trail.

“Records from Bitlaunch show that Subject Server 2 was accessed using IP address on June 3, 2022, one day after the phishing attacks. On the same day, the Subject NameCheap Account was also accessed from this same IP address,” the filing said. “These accesses from the same IP address on the same day indicate that the same person or persons who controlled Subject Server 2 also controlled the Subject Namecheap Account.”

The suspects then reportedly used messaging service Telegram, which also boasts on its web site about its privacy. “Telegram messages are heavily encrypted and can self-destruct,” the site noted. Because of those “self-destruct” capabilities, one of the suspects wanting to preserve a conversation with his colleagues “discussing dividing up the proceeds” did a screen capture to preserve that money discussion. The FBI apparently appreciated that. The confiscated machine revealed those screen captures from the Telegram conversation.

Blockchain-powered cryptocurrency was another critical way the suspects tried to maintain secrecy. But as others have discovered, cryptocurrency transaction movement is not actually that secret. And one of the suspects made it even easier for the FBI by saving the relevant blockchain explorer page as a shortcut on his web browser.

The Justice Department’s statement about the arrests of the reported members of Scattered Spider said the accused were charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft. They were identified as: Ahmed Hossam Eldin Elbadawy, 23, a.k.a. “AD,” of College Station, Texas; Noah Michael Urban, 20, a.k.a. “Sosa” and “Elijah,” of Palm Coast, Florida; Evans Onyeaka Osiebo, 20, of Dallas, Texas; and Joel Martin Evans, 25, a.k.a. “joeleoli,” of Jacksonville, North Carolina.

“Also unsealed [Wednesday] was a criminal complaint charging Tyler Robert Buchanan, 22, of the United Kingdom, with conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft,” the statement said. “We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” said United States Attorney Martin Estrada in the statement. “As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses. If something about the text or email you received or website you’re viewing seems off, it probably is.”
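Two of the investigative steps the filing describes, the “-okta.net” lure domains and the same-day IP overlap between the hosting provider’s and the registrar’s access records, translate directly into defender checks. The following added example (not from the article or the filing) flags newly seen domains that imitate a protected brand with an SSO-style suffix, and correlates two independently logged access sources by IP and calendar day; all brand names, domains, IP addresses and timestamps are constructed samples (RFC 5737 documentation addresses).

```python
"""Added example: brand-lookalike domain check plus cross-source same-day IP
correlation, modelled on the article's NameCheap / BitLaunch steps. Every
watchlist entry, domain, IP and timestamp below is a constructed sample."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed watchlist of brand tokens a defender wants to protect, and the
# SSO-style suffixes the lure pattern bolts onto them ("<brand>-okta.net").
PROTECTED_BRANDS = ["examplecorp", "acmetelecom"]
SSO_SUFFIXES = ["okta", "sso", "login", "auth"]

def registrable_label(domain):
    """Left-most label of the registrable part ('a' for 'mail.a-okta.net').
    Assumes a one-label public suffix such as .net or .com (toy split)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def lookalike_brand(domain, brands=PROTECTED_BRANDS, suffixes=SSO_SUFFIXES):
    """Return the brand a domain imitates ('<brand>-okta', 'sso-<brand>',
    '<brand>auth' ...) or None; the brand's own domain is not flagged."""
    label = registrable_label(domain)
    alt = "|".join(re.escape(s) for s in suffixes)
    for brand in brands:
        b = re.escape(brand)
        if label != brand and re.fullmatch(rf"(?:{alt})[-_]?{b}|{b}[-_]?(?:{alt})", label):
            return brand
    return None

def index_by_day(records):
    """Map (date, ip) -> timestamps for records given as (ISO-8601 UTC, ip)."""
    idx = defaultdict(list)
    for ts, ip in records:
        idx[(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(), ip)].append(ts)
    return idx

def correlate_same_day(source_a, source_b):
    """(date, ip) pairs present in both sources on the same calendar day.
    A hit is a lead that one party controlled both resources, not proof:
    shared NAT, VPN or proxy exits produce the same pattern."""
    a, b = index_by_day(source_a), index_by_day(source_b)
    return [{"date": d.isoformat(), "ip": ip, "a": a[(d, ip)], "b": b[(d, ip)]}
            for d, ip in sorted(a.keys() & b.keys())]

# Constructed access records: hosting-provider server log vs registrar account log.
SERVER_ACCESS = [("2022-06-03T09:12:44Z", "203.0.113.10"),
                 ("2022-06-03T21:40:01Z", "198.51.100.7"),
                 ("2022-06-05T02:05:13Z", "203.0.113.10")]
REGISTRAR_ACCESS = [("2022-06-02T15:30:00Z", "192.0.2.44"),    # registration day, other IP
                    ("2022-06-03T10:02:17Z", "203.0.113.10"),  # same IP, same day: hit
                    ("2022-06-04T11:11:11Z", "198.51.100.7")]  # same IP, but next day
```

Feeding a stream of newly registered domains through `lookalike_brand`, and access logs from two providers through `correlate_same_day`, yields the two kinds of lead the filing relied on.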

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3610829/fbi-pierces-anonymity-of-cryptocurrency-secret-domain-registrars-in-scattered-spider-probe.html
