Using the Internet to Catch Traditional (non-cyber) Criminals

It can happen to anyone… and when it does it usually catches everybody – the victim and his relatives – completely unprepared. I’m talking about kidnapping.

Twice in my life I’ve been involved in helping the police track down and arrest gangs of kidnappers. The first case didn’t directly affect me or my family, but the second time a close friend of mine was kidnapped. And it turns out that our work in tackling cybercrime can also be useful for catching criminals who seem to have little connection with high-tech wrongdoing. The Internet is not just a tool for cybercrime – it is also often used to communicate with the families and friends of kidnap victims, especially to demand a ransom. When this happens, our work can be vital: evidence collected on the Internet, as well as the errors made by the criminals, can help to track them down by identifying their location via their IP address.

In some cases criminals use social networking sites – and my bitter experience proves that social networks are usually unwilling to help the law enforcement authorities and won’t disclose information about account holders, even at the request of the police or a prosecutor. I saw this myself after the prosecutor sent a request to one of the most popular social networks and got a reply stating it was impossible to provide the required data. This social network justified its refusal by the laws of the country where it is located and by the fact that from their point of view the kidnapped person was in no serious danger! Some kidnappers contact the victims’ families via mail services such as Gmail, which does not show the IP address in the properties of the email header. All this makes it much more difficult to uncover the IP address of the criminals. Fortunately, a number of very dangerous criminals, who otherwise would be almost impossible to catch, are not experts in information security. This is their Achilles heel.

In the case I was involved in, our methods enabled us to track down the criminals and arrest them right on the spot where they were using the Internet. I can’t disclose all the details due to ongoing investigations, but in short, the tracker delivery was a mix of advanced social engineering combined with a specially prepared, randomly changing GIF image. An embedded script reported the User-Agent, OS version and IP address of anyone who clicked on it. I was able to make the criminals click on the specially prepared URL leading to that image, so we got all the information we needed. Local law enforcement was able to instantly get information about the owner of the IP address. The arrest was so quick that while I was still chatting with the criminals, police arrested them with their hands on the keyboard. The victims returned home safe and sound. The rescue operation was a complete success!
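The technique in the paragraph above rests on ordinary web-server evidence: whoever fetches the image URL necessarily tells the server its client IP address and User-Agent, and the User-Agent in turn reveals the OS family. As an added illustration that is not the author's tool or any code from the post, here is a small Python script that pulls exactly those fields for one URL out of access-log lines in the standard Apache/nginx "combined" format. The log lines, addresses (RFC 5737 documentation ranges), timestamps and the path `/img/tracker.gif` are constructed for the example.

```python
import re
from collections import Counter

# Regex for the "combined" access-log format written by Apache and nginx:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation IP ranges, invented times and paths).
SAMPLE_LOG = """\
203.0.113.45 - - [12/Mar/2011:21:14:02 +0300] "GET /img/tracker.gif HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
198.51.100.7 - - [12/Mar/2011:21:15:40 +0300] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/7.21.3"
203.0.113.45 - - [12/Mar/2011:21:16:09 +0300] "GET /img/tracker.gif HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"
192.0.2.88 - - [12/Mar/2011:21:20:33 +0300] "GET /img/tracker.gif HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; Nexus S Build/GRJ22) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
"""


def os_family(ua):
    """Coarse OS guess from a User-Agent string: good enough for triage, not proof."""
    if "Windows NT" in ua:
        return "Windows"
    if "Android" in ua:          # test before Linux: Android UAs also say "Linux"
        return "Android"
    if "iPhone" in ua or "iPad" in ua:
        return "iOS"
    if "Mac OS X" in ua:
        return "macOS"
    if "Linux" in ua:
        return "Linux"
    return "unknown"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["os"] = os_family(rec["ua"])
    return rec


def fetches_of(log_text, path):
    """Return every parsed request for `path`, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == path:
            hits.append(rec)
    return hits


def summarize(log_text, path):
    """Count requests per client address and note when the path was first fetched."""
    hits = fetches_of(log_text, path)
    return {
        "requests": len(hits),
        "clients": Counter(h["ip"] for h in hits),
        "first_seen": hits[0]["time"] if hits else None,
    }


if __name__ == "__main__":
    for h in fetches_of(SAMPLE_LOG, "/img/tracker.gif"):
        print(f'{h["time"]}  {h["ip"]:<14} {h["os"]:<8} {h["ua"]}')
    print(summarize(SAMPLE_LOG, "/img/tracker.gif"))
```

Two caveats an investigator should keep in mind when reading such output: the logged address is whatever egress address the client's network path presents to the server (a NAT gateway or proxy may sit in front of the actual machine), and the User-Agent is a client-supplied string. Both are leads to be corroborated with the access provider's records, which is the step the post describes local law enforcement taking before the arrest.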

Now it’s all over, I can confirm that we will continue to assist the police in catching any criminals. After all, in cases of kidnapping a person’s life may be at stake. The price is so much higher than a stolen credit card or a plundered bank account.
