2. About Us (⌐■_■)--︻╦╤─ - - -
● Allison Nixon (@nixonnixoff)
○ Incident Response & Pentesting at Integralis
○ GCIA
○ Independent Security Researcher focused on malicious services
● Brandon Levene (@seraphimdomain)
○ Incident Handler for large cloud provider
○ GCIH, GCIA, GPEN
○ Independent Security Researcher focused on Exploit Kits and associated Malware
3. Why are we interested?
There are bad people on the internet.
They are also dumb.
4. Working Definition: “OpSec”
● Actions taken to ensure information leakage doesn’t haunt you
● Proactive Paranoia
● Appropriate Compartmentation
tldr: STFU
(╯°□°)╯︵ ┻━┻
For More (from the Grugq):
https://www.anti-forensics.com/operational-security-for-hackers/
5. Common Actor Traits
● Male
● 14-22
● Middle(ish) Class
● Live with parents
○ Limited/no income
○ Most income goes towards hobbies
● Social interaction predominantly online
○ Not necessarily “anti-social”
6. Warning
● You are playing with fire!
○ Playing with fire is fun
● Identity is hard to find from online aliases
○ Account sharing
○ Hacked accounts
○ Fake accounts
● False accusations are bad. And easy
○ Hurts your reputation
○ Hurts the reputation of innocent bystanders
● No vigilantism
○ Don’t harass people you find
7. Scoping
● What do you look for?
○ Bannings
○ Complaints (generally scamming)
■ Infractions
○ Vouches
○ Purchased Reputation
○ Multi-community membership/participation
○ Technical questions related to a service
● Who do you look for?
○ Premium or Sponsored Sellers
○ Authors of stickied threads (Forums)
○ Primary sellers
○ Vouches/Reputation given/received
8. So I’ve identified a bad, what next?
● Tools
○ Google
■ Always check cached results if a link appears dead
○ Spokeo
○ checkusernames.com
■ Username reuse
○ Reverse Image Searches
○ Maltego
● Get as much information as possible, then sift through for overlaps and relationships (HUMINT)
For more resources: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
9. Youtube Fail
On his Youtube account, out of all his videos, one second in one video had his name in focus.
10. Technical Recon
● Maltego
○ Consolidates Serversniffing, Whois, Dig, Registrant searches
○ Still useful to double-check!
● Manual inspection
○ Google Dorking (site:evil.com)
○ Tamperdata
○ Burp Proxy
○ Whatweb
● Cloud DDoS Solutions
○ Are they a dead end?
○ Nope, nocloudallowed
11. NoCloudAllowed (and other DDoS protection bypasses)
● A scanner to check every server for the existence of the hidden web site
● Many sites hide behind DDOS protection
○ (mostly Cloudflare, a few other companies)
● Bypass by contacting the origin directly
● Finding the origin is easy
○ Outbound connections
○ Outbound e-mail
○ Old DNS records
○ Server specific information leakage
● Nocloudallowed.com for details
12. Tracking
● Weaving a tangled web
● Finding e-mails
○ Whois info
○ Paypal accounts
■ Even Paypal pages that conceal the e-mail
○ Gleaning e-mails from ads
■ “Selling stolen credit cards! Contact evil@gmail.com”
○ E-mail contacts in their profile pages
● Database dumps are your friend
13. Honing in on Bads
● In order to sell, one must advertise
○ Find the ads!
○ Look for affiliates
● Social Media is an invaluable intelligence tool
○ Look for OOB contact methods
■ MSN, ICQ, Email(various), AIM, Skype, Twitter
■ Be wary of hacked/stolen accounts
● The longer an account has been used in similar context, the less likely it's been newly compromised
■ Twitter is easy to search
■ Email <-> Facebook is trivial
14. Honing in on Bads, pt. II
● Read
○ Forum Posts (and PMs)
○ Social Media
○ Really, anything that can be attributed to the target
○ Read everything
● Watch
○ Youtube (Take screenshots!)
■ Huge vector of information leakage
○ Twitter feeds
○ Current v. Historical posting trends
○ AOL Lifestream
15. Identification
● Find data overlaps
○ Use the data a target is forced to present to the community
○ Compare against samples from multiple sources
● Utilize multiple sources to verify
○ Don’t rely on one search engine or tool for data
● Reconcile target personas
○ Utilize data overlaps/leakage to link online ID to physical person
● Document, Document, Document!
○ It's extremely likely someone else is going to need to follow your logic. Make sure it's sound.
● Identity VS Reputation
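The overlap-and-verify logic of this slide (and the “false accusations are easy” warning on slide 6) as an added worked example, not code from the talk: personas are only linked when they share an identifier that was observed in at least two independent sources, and every link keeps the evidence that supports it so a second analyst can follow the reasoning. All observations, personas and identifier values below are constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample observations: (source, persona, identifier type, value).
# Every value here is made up for illustration.
OBSERVATIONS = [
    ("forum-A", "ddosking", "email", "stress@example.com"),
    ("forum-A", "ddosking", "icq", "123456"),
    ("twitter", "stresser_pro", "email", "stress@example.com"),
    ("paypal-page", "stresser_pro", "skype", "stresser.pro"),
    ("youtube", "john_s", "skype", "stresser.pro"),
    ("forum-B", "john_s", "email", "stress@example.com"),
    ("forum-B", "randomguy", "icq", "999999"),
]


def link_personas(observations, min_sources=2):
    """Cluster personas sharing an identifier seen in >= min_sources
    distinct sources. Returns (clusters, evidence); evidence maps each
    linked pair to the identifiers that justify the link."""
    # (type, value) -> {persona -> set of sources it was seen in}
    seen = defaultdict(lambda: defaultdict(set))
    for source, persona, id_type, value in observations:
        seen[(id_type, value.lower())][persona].add(source)

    parent = {}  # union-find over persona names

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    evidence = defaultdict(set)
    for ident, personas in seen.items():
        sources = set().union(*personas.values())
        if len(personas) < 2 or len(sources) < min_sources:
            continue  # one persona only, or not independently corroborated
        for a, b in combinations(sorted(personas), 2):
            evidence[(a, b)].add(ident)
            parent[find(a)] = find(b)

    for _, persona, _, _ in observations:
        find(persona)  # unlinked personas still show up as singletons
    clusters = defaultdict(set)
    for p in parent:
        clusters[find(p)].add(p)
    return sorted(map(sorted, clusters.values())), dict(evidence)
```

Raising `min_sources` is the knob for how much corroboration a link needs before it goes into the write-up; a link resting on a single source is exactly the kind that produces a false accusation.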
17. Results!
“We are taking proactive steps to prevent DDoS (Distributed Denial of Service) for hire services from using PayPal to facilitate/fund illegal activities. PayPal's Acceptable Use Policy (AUP) states that our customers may not use PayPal's service relating to transactions that encourage illegal activities. Our goal is to provide a safe payments service that buyers and sellers around the world can use every day.”
-PayPal