Using the Internet to Catch Traditional (non-cyber) Criminals

It can happen to anyone… and when it does it usually catches everybody – the victim and his relatives – completely unprepared. I’m talking about kidnapping.

Twice in my life I’ve been involved in helping the police track down and arrest gangs of kidnappers. The first case didn’t directly affect me or my family, but the second time a close friend of mine was kidnapped. And it turns out that our work in tackling cybercrime can also be useful for catching criminals who seem to have little connection with high-tech wrongdoing. The Internet is not just a tool for cybercrime – it is also often used to communicate with the families and friends of kidnap victims, especially to demand a ransom. When this happens, our work can be vital: evidence collected on the Internet, as well as the errors made by the criminals, can help to track them down by identifying their location via their IP address.

In some cases criminals use social networking sites – and my bitter experience proves that social networks are usually unwilling to help the law enforcement authorities and won’t disclose information about account holders, even at the request of the police or a prosecutor. I saw this myself after the prosecutor sent a request to one of the most popular social networks and got a reply stating it was impossible to provide the required data. This social network justified its refusal by the laws of the country where it is located and by the fact that from their point of view the kidnapped person was in no serious danger! Some kidnappers contact the victims’ families via mail services such as Gmail, which does not show the IP address in the properties of the email header. All this makes it much more difficult to uncover the IP address of the criminals. Fortunately, a number of very dangerous criminals, who otherwise would be almost impossible to catch, are not experts in information security. This is their Achilles heel.

In the case I was involved in, our methods enabled us to track down the criminals and arrest them right on the spot where they were using the Internet. I can’t disclose all the details due to ongoing investigations, but in short, the tracker was delivered through a mix of careful social engineering and a specially prepared, randomly changing GIF image. A script behind the image reported the User-Agent, OS version and IP address of anyone who clicked on it. I was able to make the criminals click on the specially prepared URL leading to that image, so we obtained all the information we needed. Local law enforcement was able to instantly get information about the owner of the IP address. The arrest was so quick that, while I was still chatting with the criminals, police arrested them with their hands on the keyboard. The victims returned home safe and sound. The rescue operation was a complete success!
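As an added illustration (not code from the original post): the point of the trick above is that a single request for an image hands the server the client’s IP address and User-Agent string, from which the OS can be read. The Python below parses constructed combined-format web server log lines and extracts exactly those fields for requests of an assumed tracker image path; the log lines, IP addresses and path are all made up for the example.

```python
import re

# Constructed sample: combined-format access log lines as a web server would
# write them. The IPs, timestamps, tracker path and User-Agents are invented.
SAMPLE_LOG = """\
203.0.113.17 - - [12/May/2011:14:03:22 +0300] "GET /img/track-7f3a.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24"
198.51.100.5 - - [12/May/2011:14:05:10 +0300] "GET /index.html HTTP/1.1" 200 1280 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"
203.0.113.17 - - [12/May/2011:14:06:41 +0300] "GET /img/track-7f3a.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24"
"""

# Apache/nginx "combined" log format: client IP, timestamp, request line,
# status, size, referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse OS fingerprint from the User-Agent. Order matters: Android agents
# also contain "Linux", and iPhone agents also contain "Mac OS X".
OS_MARKERS = [
    ("Windows NT 6.1", "Windows 7"),
    ("Windows NT 5.1", "Windows XP"),
    ("Windows", "Windows (other)"),
    ("Android", "Android"),
    ("iPhone", "iOS"),
    ("Mac OS X", "macOS"),
    ("Linux", "Linux"),
]

def os_from_user_agent(ua: str) -> str:
    for marker, name in OS_MARKERS:
        if marker in ua:
            return name
    return "unknown"

def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["os"] = os_from_user_agent(rec["ua"])
    return rec

def tracker_hits(log_text: str, tracker_path: str) -> list:
    """Return (ip, os, timestamp) for every successful request of the tracker image."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == tracker_path and rec["status"] == "200":
            hits.append((rec["ip"], rec["os"], rec["ts"]))
    return hits
```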

Now that it’s all over, I can confirm that we will continue to assist the police in catching criminals of any kind. After all, in cases of kidnapping a person’s life may be at stake. The price is so much higher than a stolen credit card or a plundered bank account.
