Using the Internet to Catch Traditional (non-cyber) Criminals

It can happen to anyone… and when it does it usually catches everybody – the victim and his relatives – completely unprepared. I’m talking about kidnapping.

Twice in my life I’ve been involved in helping the police track down and arrest gangs of kidnappers. The first case didn’t directly affect me or my family, but the second time a close friend of mine was kidnapped. And it turns out that our work in tackling cybercrime can also be useful for catching criminals who seem to have little connection with high-tech wrongdoing. The Internet is not just a tool for cybercrime – it is also often used to communicate with the families and friends of kidnap victims, especially to demand a ransom. When this happens, our work can be vital: evidence collected on the Internet, as well as the errors made by the criminals, can help to track them down by identifying their location via their IP address.

In some cases criminals use social networking sites – and my bitter experience proves that social networks are usually unwilling to help the law enforcement authorities and won’t disclose information about account holders, even at the request of the police or a prosecutor. I saw this myself after the prosecutor sent a request to one of the most popular social networks and got a reply stating it was impossible to provide the required data. This social network justified its refusal by the laws of the country where it is located and by the fact that, from their point of view, the kidnapped person was in no serious danger! Some kidnappers contact the victims’ families via mail services such as Gmail, which does not show the sender’s IP address in the email headers. All this makes it much more difficult to uncover the IP address of the criminals. Fortunately, a number of very dangerous criminals, who otherwise would be almost impossible to catch, are not experts in information security. This is their Achilles heel.

In the case I was involved in, our methods enabled us to track down the criminals and arrest them right on the spot where they were using the Internet. I can’t disclose all the details due to ongoing investigations, but in short, the tracker was delivered through a mix of careful social engineering and a specially prepared, randomly changing GIF image. An embedded script reported the user agent, OS version and IP address of anyone who clicked on it. I was able to make the criminals click on the specially prepared URL leading to that image, so we got all the information we needed. Local law enforcement was able to instantly get information about the owner of the IP address. The arrest was so quick that while I was still chatting with the criminals, the police arrested them with their hands on the keyboard. The victims returned home safe and sound. The rescue operation was a complete success!

Now that it’s all over, I can confirm that we will continue to assist the police in catching any criminals. After all, in cases of kidnapping a person’s life may be at stake. The price is so much higher than a stolen credit card or a plundered bank account.
