I built a system consisting of the Maltego visual link analysis tool, with DomainTools and a third-party bitcoin intelligence database as data providers. Maltego was connected to the bitcoin intelligence data and combined it with DomainTools data for powerful, interactive visual link analysis.
Such a setup lets the analyst visually discover the necessary bits and pieces of information and put them together to reveal the real identity of a person who otherwise went to great lengths to remain anonymous behind bitcoins and proxies.
When all data is available with a click of a mouse, an analyst can connect multiple data sources to perform investigations, visually discover hidden relationships and connections, and find patterns that would otherwise remain undetected.
The availability of tools like Maltego and Splunk and rich data repositories like DomainTools makes the job of law enforcement much easier when tracking and stopping criminals.
DDoS (Distributed Denial of Service) attacks gained popularity among spammers, hackers and miscreants due to their damaging effects on websites and online businesses. With little effort, some skills and a set of hacking tools it becomes possible to launch such an attack from anywhere around the globe, targeting any online enterprise.
DDoS then becomes a "dark business" in which the attacker demands a ransom from the target either to stop the attack or for a promise not to attack the target at a sensitive time.
With the spreading popularity of anonymous payments such as Bitcoin, the attacker usually demands that the ransom be paid in bitcoins.
DDoS attacks have proven to be quite damaging and immediately attracted the attention of the international law enforcement community. In one recent successful operation the US Secret Service, FBI, Europol and law enforcement teams from other countries dismantled a DDoS-for-bitcoin group named DD4BC. A suspect who demanded ransom payments in bitcoins was arrested in Bosnia and Herzegovina after law enforcement teams were able to trace the bitcoin ransom payments to his identity.
Nevertheless, the dark business model of selling DDoS attacks as a service, with payment typically made in bitcoins, is gaining popularity.
Criminals anonymously register and set up a website where they advertise DDoS services, and anyone can order a DDoS attack against any target by sending a bitcoin payment to the criminal.
Bitcoin as a payment method helps an attacker remain anonymous. With that said, let's see if we can track the owner of one such service to his real identity.
Searching Google for online ddos service returns a few results, with one such service being onlineddos.com.
onlineddos.com advertises the capability to launch 286 GBps attacks via multiple means to "take down websites or competitors". Payment is in bitcoins. The attacker also claims to utilize a botnet to launch attacks and claims it has been tested on multiple hosting services.
I used Maltego Classic and a commercial subscription to the DomainTools database. DomainTools allows searching worldwide domain registration info by IP, domain name, nameserver info, email address and many other elements. You may also search the whole database by keyword. Data about historical registrations is available as well, making it a really powerful information source.
I started the investigation by launching Maltego, dragging an empty "domain" entity onto a blank graph and setting its value to "onlineddos.com". With a right click I pulled all available data from DomainTools: historical and current IPs, and historical and current registrar and registrant info. As expected, onlineddos.com was registered anonymously via GoDaddy, and no information about the current registrant is visible. Within one historical record I found an email: firstname.lastname@example.org. Another right click, and DomainTools shows all domains that were ever registered by this registrant: rsgeld.de and buyrsmills.com. This is historical info and neither of these websites seems to be related to the current activity of onlineddos.com. Upon further investigation I saw that email@example.com was more involved in the gaming world than in the more serious DDoS-for-bitcoins business. So the tracks seem to end here.
Even if DomainTools knew the real identity behind the proxy registration, it is likely to be fake data, and payment for the domain name was likely made in bitcoins as well.
Back to Maltego. Another right click, this time invoking CrimeTrace data. CrimeTrace returns extra valuable pieces of context:
- A number of bitcoin addresses found to be associated with onlineddos.com
- 1 IP address found to be associated with that site: 184.108.40.206.
- A number of new email addresses, in particular firstname.lastname@example.org.
CrimeTrace is a stealthy startup in the heart of California's Silicon Valley providing assistance to law enforcement in tracking bitcoin addresses, and in tracing and attributing bitcoin transactions to discover real identities, sites, IP and shipping addresses, specific products and more.
Having said that, CrimeTrace gathers its rich data feeds from multiple sources in completely unstructured formats. Lots of valuable data related to synthetic drug sales, counterfeit identity distribution, hacking tools and other questionable goods comes in as a garbled mess of letters and numbers.
Here's where Splunk comes into play. CrimeTrace utilizes Splunk on the backend to index this data, add structure to the content and make everything within its database easily and quickly searchable. CrimeTrace allows searching its DB directly via the Splunk interface as well as doing visual investigations within Maltego via its CrimeTrace transform. A Maltego "transform" is essentially a custom script that connects the Maltego visual link analysis tool with any outside source of data.
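To make the "transform" idea concrete, here is a minimal Maltego local transform written for this post as an added example (it is not CrimeTrace's or Maltego's own code). It takes the selected domain's value from the command line, looks it up in a constructed in-memory index standing in for the CrimeTrace/Splunk backend, and returns the linked IPs, emails and origin as Maltego transform-response XML; the index contents are hypothetical, shaped after the findings above.

```python
# Added example: a local Maltego transform that links a domain entity to
# related entities. The INDEX below is a constructed stand-in for a real
# intelligence backend (CrimeTrace/Splunk); values are hypothetical.
import sys
import xml.etree.ElementTree as ET

# Constructed sample index: domain -> {maltego entity type: [values]}
INDEX = {
    "onlineddos.com": {
        "maltego.IPv4Address": ["184.108.40.206", "220.127.116.11"],
        "maltego.EmailAddress": ["firstname.lastname@example.org"],
        "maltego.Phrase": ["Likely origin: Turkey"],
    },
}


def lookup(domain):
    """Return {entity_type: [values]} for a domain, or {} if unknown."""
    return INDEX.get(domain.strip().lower(), {})


def build_response(domain):
    """Build the MaltegoTransformResponseMessage XML for one input domain.

    Returns (xml_text, number_of_entities_returned).
    """
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    count = 0
    for etype, values in lookup(domain).items():
        for value in values:
            ent = ET.SubElement(ents, "Entity", Type=etype)
            ET.SubElement(ent, "Value").text = value
            count += 1
    return ET.tostring(root, encoding="unicode"), count


if __name__ == "__main__":
    # Maltego passes the selected entity's value as the first argument.
    xml_text, _ = build_response(sys.argv[1] if len(sys.argv) > 1 else "")
    print(xml_text)
```

Registered as a local transform on the Domain entity, a right click on "onlineddos.com" would place the returned entities on the graph, which is exactly the interaction the post describes.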
By searching CrimeTrace via Splunk directly I found more extremely valuable pieces of information:
- Another IP address that is associated with onlineddos.com: 220.127.116.11.
- The likely geographic origin of the person who administers the onlineddos.com domain: Turkey.
Here's how the updated Maltego graph now looks:
DomainTools did not give any data regarding the email@example.com email within its domain database, but here's something no investigator should forget: Google is your friend!
Searching Google for that email returned 2 results: Twitter account posts and a Google Plus page.
Within the Twitter account we can see two posts mentioning that email address. Running translation on some of that Twitter data gives us another valuable element: the language used is Turkish. This is a clear match with CrimeTrace's data on the origin of the domain owner.
Searching the Google Plus profile, we can see more valuable pieces of information: a promotional post for the camzu.com domain:
Within that Google Plus profile we can discover the contact email address of the owner of this profile: firstname.lastname@example.org:
Now we can update the Maltego investigation graph with this data. Back to DomainTools: we have another piece of information to gather data from, the camzu.com domain. This brings us more IP addresses, more name servers to find links with, more email addresses and some cleartext data about current and historical registrants.
DomainTools is a great tool to get a list of all domain names hosted at the same IP address or using the same name servers. These are all valuable pieces of data for discovering links and correlations.
While the registrant name for camzu.com is hidden, the data shows the address and location of the registrant to be Turkey again.
Although I now have more links and nodes on the graph, none of the cleartext information is directly linked to onlineddos.com.
Back to the CrimeTrace Splunk interface. I want to search and see if there is anything there related to camzu.com.
In a lucky guess, instead of searching for camzu.com I made a search for "camzu". And here's the result:
A few pieces of data show a direct link to a very interesting subdomain: onlineddos9900.camzu.net!
Loading onlineddos9900.camzu.net in a browser shows the same content (minus stylesheets) as onlineddos.com!
"Contact" and other links at onlineddos9900.camzu.net point directly to onlineddos.com.
Clearly, whoever owns camzu.net has full control over onlineddos.com.
Now we have another interesting piece to dig into: the camzu.net domain.
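The "same content minus stylesheets, links pointing back" observation can be checked mechanically rather than by eye. The following is an added example written for this post (not the author's tooling): it strips style and script content from two saved HTML pages, normalizes whitespace, compares the visible text, and lists which links point at a given host. The two HTML documents below are constructed samples, not the real sites' markup.

```python
# Added example: compare two saved pages ignoring stylesheets/scripts and
# report outbound links to a host. Sample HTML is constructed, not real.
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageDigest(HTMLParser):
    """Collect visible text (skipping <style>/<script>) and all href values."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip += 1            # ignore CSS/JS bodies
        elif tag == "a":
            self.links.append(dict(attrs).get("href", ""))

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(" ".join(data.split()))  # collapse whitespace


def digest(html):
    """Return (normalized visible text, list of hrefs) for an HTML document."""
    p = PageDigest()
    p.feed(html)
    return " ".join(p.text), p.links


def same_content(html_a, html_b):
    """True when both pages show identical visible text (styling ignored)."""
    return digest(html_a)[0] == digest(html_b)[0]


def links_to(html, host):
    """Hrefs in the page whose hostname is exactly `host`."""
    return [h for h in digest(html)[1] if urlparse(h).hostname == host]


# Constructed sample pages: a styled original and an unstyled mirror.
ORIGINAL = ('<html><head><link rel="stylesheet" href="/s.css"><style>h1{color:red}'
            '</style></head><body><h1>Online DDoS</h1><p>Payment in bitcoin.</p>'
            '<a href="http://onlineddos.com/contact">Contact</a></body></html>')
MIRROR = ('<html><body><h1>Online   DDoS</h1>\n<p>Payment in bitcoin.</p>'
          '<a href="http://onlineddos.com/contact">Contact</a></body></html>')
```

Run over the two captured pages, `same_content` confirms the mirror and `links_to(MIRROR, "onlineddos.com")` shows the "Contact" link pointing back to the main domain.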
Here is what DomainTools returns as a direct hit with multiple matches:
- The IP address of camzu.net is the same as the IP address retrieved from CrimeTrace: 18.104.22.168
- The registrant's name for camzu.net is listed in clear text.
- The registrant's address is in Turkey.
- The registrant's email is email@example.com, who (thanks to DomainTools data) is also listed as the owner of another 72 domains.
- Upon further correlation using DomainTools info, we can link the guy to a number of other websites sharing the same IP address, name, email or nameservers.
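The correlation described above (domains linked through a shared IP, email or nameserver) is a graph search, and this added example shows it in code; it is not DomainTools' or Maltego's implementation. It builds a bipartite graph of domains and "key:value" attribute nodes from constructed WHOIS-style records (hypothetical values modelled on the pivots in this post), then finds the shortest pivot chain between two domains and the whole cluster reachable from a seed.

```python
# Added example: pivot across shared WHOIS/hosting attributes.
# RECORDS is constructed sample data (RFC 5737 addresses, .invalid names).
from collections import deque

RECORDS = [
    {"domain": "onlineddos.com", "ip": ["203.0.113.5"], "email": [], "ns": ["ns.privacy.invalid"]},
    {"domain": "camzu.net", "ip": ["203.0.113.5"], "email": ["owner@camzu.invalid"], "ns": ["ns1.camzu.invalid"]},
    {"domain": "camzu.com", "ip": ["203.0.113.9"], "email": [], "ns": ["ns1.camzu.invalid"]},
    {"domain": "camzu.gen.tr", "ip": ["203.0.113.12"], "email": ["owner@camzu.invalid"], "ns": ["ns.other.invalid"]},
    {"domain": "unrelated.example", "ip": ["203.0.113.40"], "email": ["x@unrelated.example"], "ns": ["ns.other2.invalid"]},
]

PIVOT_KEYS = ("ip", "email", "ns")   # attributes worth pivoting on


def build_graph(records):
    """Undirected bipartite graph: domain <-> 'key:value' attribute node."""
    adj = {}
    for rec in records:
        for key in PIVOT_KEYS:
            for value in rec.get(key, []):
                node = f"{key}:{value}"
                adj.setdefault(rec["domain"], set()).add(node)
                adj.setdefault(node, set()).add(rec["domain"])
    return adj


def pivot_path(records, src, dst):
    """Shortest chain src -> attribute -> domain -> ... -> dst, or None (BFS)."""
    adj, prev, queue = build_graph(records), {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(adj.get(cur, ())):   # sorted for deterministic output
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def cluster(records, seed):
    """All domains reachable from seed through any shared attribute."""
    adj, seen, stack = build_graph(records), {seed}, [seed]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return {n for n in seen if ":" not in n}   # attribute nodes contain ':'
```

A path that passes only through a shared IP or nameserver is weak evidence on its own (shared hosting and popular DNS providers link unrelated sites), so such chains are leads to corroborate, as the post does with the mirrored subdomain content and the cleartext registrant email.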
Two more pieces of information from DomainTools link camzu.net, camzu.com and camzu.gen.tr to the same owner:
Here is how the completed investigation link graph looks:
With available customizable link analysis tools it is possible to quickly deliver a crime investigation, research and analytical system without major investment in super expensive products or consulting services.
Most of the above investigation was essentially driven by mouse clicks and some rather minor searches on Google.
The quick progress of the above research and its efficiency was of course the result of prior work to integrate the interactive visual link analysis product with outside intelligence data feeds.
A number of the necessary pieces of the puzzle could be uncovered thanks to the power of Splunk to ingest unstructured data, index it and make it available for quick searching and integration with other systems.
All Suspects Are Innocent Until Proven Guilty in a Court of Law