Secret Service, FBI and Europol target DDOS for bitcoins criminals
DDOS attacks proven to be quite damaging and immediately attracted attention of international law enforcement community. In one of the recent successful operations US Secret Service, FBI, Europol and law enforcement teams from other countries dismantled DDOS-for-bitcoin group named DD4BC. Suspect who demanded ransom payments in Bitcoins was arrested in Bosnia and Herzegovina after law enforcement teams were able to trace bitcoin ransom payments to his identity and arrest the suspect.
See: Internation Action against DD4BC cybercrime group.
Nevertheless – the dark business model of selling DDOS attacks as a service – where payment is typically made in bitcoins is gaining popularity.
Criminals would anonymously register and setup a website where they advertise DDOS services and anyone can order the DDOS attack toward any target by sending a bitcoin payment to criminal.
Bitcoin as a payment method helps an attacker to remain anonymous. With that said – let see if we can track the owner of one such service to his real identity.
Searching google for online ddos service returns few results with one such service being: onlineddos.com
onlineddos.com advertises capabilities to launch 286 GBps attacks via multiple means to “take down websites or competitors”. Payment is in bitcoins. Attacker also claims to utilize botnet to launch attacks and claimed it being tested on multiple hosting services.
I used Maltego classic and commercial subscription to Domaintools database. Domaintools database allows search across worldwide domain registration info by IP, domain name, nameserver info, email address and many other elements. You may also search the whole database by keyword. Data about historical registrations is available as well making it really powerful information source.
I started investigation by launching Maltego, dragging empty “domain” entity to blank graph and setting it’s value to “onlineddos.com”. With the right click I pulled all available data from domaintools. I got historical and current IP’s, historical and current registrars and registrants info. As expected – onlineddos.com was registered anonymously via godaddy. No information about current registrant is seen. Within one historical records i found an email: firstname.lastname@example.org. Another right click – and domaintools shows all domains that were ever been registered by this registrant: rsgeld.de and buyrsmills.com. This is historical info and none of these websites seems to be related to the current activity of onlineddos.com. Upon further investigation i saw that email@example.com was more involved into gaming world vs. more serious DDOS-for-bitcoins attacks. So the tracks seems to end here.
Even if domaintools would know real identity behind the proxy registrations – it is likely to be the fake data and payment for domain name was likely made by bitcoins as well.
Maltego link analysis tool with data retrieved from domaintools.com database
Back to Maltego. Another right click – this time invoking CrimeTrace data. Crimetrace returns extra valuable pieces of context:
- Number of bitcoin addresses found to be associated with onlineddos.com
- 1 IP address found to be associated with that site: 18.104.22.168.
- Number of new email addresses – in particular firstname.lastname@example.org.
Adding context from CrimeTrace database
CrimeTrace is a stealthy startup in the heart of California Silicon Valley providing assistance to law enforcement in tracking bitcoin addresses, tracing and attributing bitcoin transactions to discover real identities, sites, IP and shipping addresses, specific products and more.
Having said that – Crimetrace gathers it’s rich data feeds from multiple sources in completely unstructured formats. Lots of valuable data related to synthetic drugs sales, counterfeit identities distribution, hacking tools and other questionable goods comes in as a mess of garbled mix of letters and numbers.
Here’s where Splunk comes to play. CrimeTrace utilizes Splunk on the backend to index this data, add structure to the content and to make everything wihin it’s database easily and quickly searchable. Crimetrace allows searching of it’s DB directly via Splunk interface as well as do visual investigations within Maltego via it’s CrimeTrace transform. Maltego “transform” is essentially custom script that connect Maltego visual link analysis tool with any outside source of data.
By searching CrimeTrace via Splunk directly I found more of extremely valuable pieces of information:
- Another IP address that is associated with onlineddos.com: 22.214.171.124.
- Likely geographic origin of a person who administers onlineddos.com domain: Turkey.
Retrieving geo location of possible suspect from CrimeTrace database
Here’s how updated Maltego graph now looks like:
Updated Link Analysis graph with geo location data from CrimeTrace and Domaintools
Domaintools did not give any data regarding email@example.com email within it’s domain database but here’s something not to forget for any investigator: Google is your friend!
Searching google for that email returned 2 results: twitter account posts and Google Plus page.
Google search for email address
Within twitter account we can see two posts mentioning that email address. Running translation on some of that twitter data – gives us another valuable element – the language used is Turkish. This is clear match to CrimeTrace’s data of origins of domain owner.
Discovery on Twitter
Searching Google Plus profile – we can see more valuable pieces of information: promotional post for camzu.com domain:
Discovered google plus profile
Within that Google Plus profile we can discover the contact email address of an owner of this profile: firstname.lastname@example.org:
Google plus profile linking camzu.com domain with email@example.com
Now we can update Maltego investigation graph with this data. Back to domain tools – we have another piece of information to gather data from: camzu.com domain. This brings us more IP addresses, more name servers to find links with, more email addresses and some cleartext data about current and historical registrants.
Domaintools is a great tool to get list of all domain names hosted at the same IP address or using same name servers. These are all valuable pieces of data to discover links and correlations.
Investigating camzu.com with Maltego and Domaintools
While registrant name information for camzu.com is hidden – the data shows the address and location of registrant to be Turkey again.
Although I have more links and nodes on the graph – none of the cleartext information is directly linked to onlineddos.com.
Back to CrimeTrace Splunk interface. I want to search and see if there is anything there related to camzu.com
In a lucky guess, instead of searching for camzu.com I’ve made a search for “camzu”. And here’s the result:
Searching CrimeTrace database for arbitrary keyword via Splunk interface
A few pieces of data shows direct link to very interesting subdomain: onlineddos9900.camzu.net !
Loading onlineddos9900.camzu.net in browser shows the same content (minus stylesheets) as onlineddos.com!
“Contact” and other links at onlineddos9900.camzu.net are directly pointing to onlineddos.com.
Clearly – whoever owns camzu.net has full control over onlineddos.com
Match between onlineddos.com and onlineddos9900.camzu.net subdomain
Now we have another interesting piece: camzu.net domain to dig into.
Here is what domaintools returns as a direct hit with multiple matches:
- IP address of camzu.net is the same as IP address retrieved by CrimeTools: 126.96.36.199
- Registrant’s name of camzu.net is listed in clear text.
- Registrant’s address is Turkey.
- Registrant’s email is: firstname.lastname@example.org who also (thanks for domaintools data) is listed as an owner of another 72 domains
- Upon further correlation using domaintools info – we can link the guy to a number of other websites sharing the same IP address, name, email or nameservers.
Investigating possible suspect’s camzu.net domain with Maltego and Domaintools
Other websites owned by discovered email address
Two more pieces of information from domaintools links camzu.net, camzu.com and camzu.gen.tr to the same owner:
Domaintools linking “camzu” domains together
Here is how completed investigation link graph looks like:
Final graph showing links from anonymous online DDOS attack site to the name of specific person, location, IP and email address
With available customizable link analysis tools it is possible to quickly deliver crime investigation, research and analytical system without major investment into super expensive products or consulting services.
Most of the above investigation was essentially driven by the mouse clicks and some rather minor searches on Google.
The quick progress of above research and it’s efficiency was of course the result of a prior work to integrate interactive visual link analysis product with sources of an outside intelligence data feeds.
Combining tools such as Maltego with quality data sources from Domaintools and others allows to discover tiny needles in large haystacks of data within very short period of time.
Number of necessary pieces of puzzle was possible to uncover thanks to the power of Splunk to ingest unstructured data, index it and make it available for quick searching and integrating with other systems.
All Suspects Are Innocent Until Proven Guilty in a Court of Law
Connect with me on LinkedIn
Gleb Esman is currently working as Senior Product Manager for Security/Anti-fraud solutions at Splunk leading efforts to build next generation security products covering advanced fraud cases across multiple industry verticals.
Contact Gleb Esman.