These mechanisms exist today in the Russian cyber underground and are available at a very affordable price.
Owning social network users for a small budget of $300 to $1,300.
The following scenario may be fully automated:

1. Find valid user accounts/IDs.
2. Register thousands of new accounts with random data, organizing the newly created profiles in groups.
3. Create new groups with hot topics, generating traffic to these new artificial groups.
4. Invite new members, either through mass-sent or targeted-search messages, to participate in the artificial groups.
5. Hook some form of exploitation mechanism to the visitors.
The following applications are available for purchase using the anonymous payment system known as WebMoney:

ID grabber. Iterates through valid IDs, finding new user IDs that become active on the system through scenarios or custom search parameters. Price: 44 WebMoney dollars.

Automated registration. Automatically registers multiple accounts in the social network with custom profiles with granular detail capability, starts services, uploads random photos, fills out the "user's" interests, and connects them to random places of work and study. Price: 55 WebMoney dollars.

Automated searcher. Searches for specific accounts, inviting them to the automated, custom-created groups. Price: 50 WebMoney dollars.

Automated group creator. Creates groups by interest, by location, by age, and so on. Price: 44 WebMoney dollars.

Buying/integrating XSS exploit. Creates a cross-site scripting exploit for the social network and embeds it into the newly created pages. Price: 100 to 1,000 WebMoney dollars.

Once the user is trapped inside this virtual circle of automated "friends," it is very hard not to follow through and not to accept friendship from at least one of the zombies peacefully trying to make contact under the guise of someone you might have worked with years ago.
Bringing down a social network from the inside.
So aside from exploiting the users, stealing their private data, and trust and relationship mapping to other legitimate users, what else could be on the attacker's mind?
How about a reverse denial of service on the server itself?
If one account in Vkontakte.ru can have a maximum of 2,500 "friends" in his social network, and the attacker is able to create an unlimited number of accounts by utilizing proxies and linking them to other users or to each other, what would it take to create an automated script to initiate massive traffic among those zombied accounts without the use of any external entity or owning a powerful external botnet?
The answer is not much, really. Depending on what logic is being put behind the attack, only one remote login with the proper command initiation can trigger a chain reaction that can bring down the network from the inside.
The problem is not isolated to Russian social networking sites; it's just that the local underground is currently more interested in testing where things may go until the path is verified for making some form of guaranteed profit.
Also, it's much easier to converse in your own language and within your own culture, and use social engineering techniques for exploitation. However, all of that can be overcome if there is enough money to be made.
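The two abuse patterns described above (bulk-registered accounts seeded into artificial groups, and zombie accounts linked only to each other to generate traffic from the inside) leave a recognizable trace in a platform's own registration and friend-graph data. The following script is an added example written for this edition, not code from the book or from any social network; the account records are constructed sample data, and the field names (registered, ip, friends), the ten-minute registration window, the 90% inward-link threshold and the 2,500-friend ceiling taken from the text are all assumptions chosen for illustration.

```python
"""Added example: detection heuristics for account-farming and self-referential
friend graphs. All account records are CONSTRUCTED sample data; the schema
(registered, ip, friends) is an assumption for this example only."""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2008, 8, 10, 12, 0, 0)  # constructed "current time" for the age check


def _acct(registered, ip, friends):
    return {"registered": datetime.fromisoformat(registered), "ip": ip, "friends": set(friends)}


ACCOUNTS = {
    # Five zombie accounts registered minutes apart through one proxy address,
    # friends only with each other plus a single outreach request to a real user.
    "z1": _acct("2008-08-09T10:00:05", "10.0.0.5", ["z2", "z3", "z4", "z5", "u2001"]),
    "z2": _acct("2008-08-09T10:00:40", "10.0.0.5", ["z1", "z3", "z4", "z5"]),
    "z3": _acct("2008-08-09T10:01:12", "10.0.0.5", ["z1", "z2", "z4", "z5"]),
    "z4": _acct("2008-08-09T10:01:50", "10.0.0.5", ["z1", "z2", "z3", "z5"]),
    "z5": _acct("2008-08-09T10:02:30", "10.0.0.5", ["z1", "z2", "z3", "z4"]),
    # Legitimate users: registered months apart from different addresses, organically linked.
    "u2001": _acct("2007-03-02T18:22:00", "192.0.2.10", ["u2002", "u2003", "z1"]),
    "u2002": _acct("2007-06-15T09:05:00", "192.0.2.77", ["u2001", "u2003"]),
    "u2003": _acct("2008-01-20T21:40:00", "198.51.100.3", ["u2001", "u2002"]),
    # A day-old account already close to the 2,500-friend ceiling the text mentions.
    "z6": _acct("2008-08-09T15:00:00", "10.0.0.9", [f"f{i}" for i in range(2300)]),
}


def registration_bursts(accounts, window=timedelta(minutes=10), min_count=3):
    """Group accounts by source IP and return sets of at least min_count accounts
    whose registrations from one address all fall within `window` of the first."""
    by_ip = defaultdict(list)
    for uid, rec in accounts.items():
        by_ip[rec["ip"]].append((rec["registered"], uid))
    bursts = []
    for entries in by_ip.values():
        entries.sort()
        group, start = [], None
        for ts, uid in entries:
            if start is None or ts - start > window:
                if len(group) >= min_count:
                    bursts.append(frozenset(group))
                group, start = [], ts
            group.append(uid)
        if len(group) >= min_count:
            bursts.append(frozenset(group))
    return bursts


def inward_ratio(cluster, accounts):
    """Fraction of friend links from cluster members that stay inside the cluster."""
    internal = total = 0
    for uid in cluster:
        for friend in accounts[uid]["friends"]:
            total += 1
            internal += friend in cluster
    return internal / total if total else 0.0


def find_sybil_clusters(accounts, min_inward=0.9):
    """Registration bursts whose friend graph is almost entirely self-referential:
    the signature of accounts created to talk to each other rather than to people."""
    flagged = []
    for cluster in registration_bursts(accounts):
        ratio = inward_ratio(cluster, accounts)
        if ratio >= min_inward:
            flagged.append((cluster, ratio))
    return flagged


def young_accounts_near_cap(accounts, now=NOW, cap=2500, min_fraction=0.9,
                            max_age=timedelta(days=30)):
    """Accounts younger than max_age whose friend count is already near the
    per-account ceiling; organic profiles do not fill 2,500 slots in a day."""
    return sorted(uid for uid, rec in accounts.items()
                  if now - rec["registered"] <= max_age
                  and len(rec["friends"]) >= cap * min_fraction)


if __name__ == "__main__":
    for cluster, ratio in find_sybil_clusters(ACCOUNTS):
        print(f"sybil cluster {sorted(cluster)}: {ratio:.1%} of links are internal")
    print("young accounts near friend cap:", young_accounts_near_cap(ACCOUNTS))
```

On the sample data the five proxy-registered accounts are reported as one cluster with roughly 95% of their links internal (only the single outreach to u2001 points outside), the three organic users are never examined because they form no registration burst, and z6 is listed separately for its friend count. In practice the thresholds would be tuned against the platform's real registration volume, and the burst grouping would key on the proxy pool rather than single addresses.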
Chapter 7. Follow the Money.
Cyberspace as a domain for modern warfare creates a lot of complexities that don't exist in other types of conflicts. You cannot visually identify the enemy, nor be sure what his nationality is. The one thing that you can count on is that someone has to pay for the necessities of virtual combat. Therefore, one sound strategy in any cyber investigation is to follow the money trail created by the necessary logistics of organizing a cyber attack: domain registration, hosting services, acquisition of software, bandwidth, and so on.
False Identities.
One of the main reasons why malicious activities can prosper online is due to lax verification of domain registration data, also known as WHOIS information. Starting with the Internet Corporation for Assigned Names and Numbers (ICANN) and continuing with hosting companies and accredited domain registrars of all sizes, verification is not universally enforced.
Fortunately, one of the forensic methods that can crack false identity data is the global trend toward social computing. In the digital world of the Internet, as in physical space, you leave evidence of where you've been.
If you're an ardent social computing fan who is active in Facebook, Myspace, LiveJournal, or Twitter, your virtual footprint will be very extensive. If you make your living on the Internet as a web service provider or forum administrator, your footprint will be even larger.
The IDC is an organization that studies how much data is generated by individuals and businesses each year (Figure 7-1). According to the IDC whitepaper "The Diverse and Exploding Digital Universe" (March 2008), "the digital universe contained 281,000,000,000 gigabytes, which works out to about 45 gigabytes per person on the planet." Of that, half is due to an individual's actions online. The other half is what the IDC refers to as your digital shadow: ambient content created by others about you (video on traffic cameras or at ATMs, credit card transactions, medical records, etc.).
Figure 7-1. The expanding digital universe
Now imagine that you want to create a forum to recruit, train, and launch cyber attacks against state networks or websites. You won't use your real name or known alias for fear of reprisals. Instead you'll create a fictitious name for your domain registration and/or server hosting plan that cannot be traced back to you.
This is not as easy as it sounds, because some domain registrars will attempt to verify the authenticity of the information that you provide. Your name and address may also have to match those attached to the credit card that you use to make the purchase. This poses a serious problem for those individuals who want to act surreptitiously.
Because of that, members of the cyber underground have identified which hosting providers and domain registrars have lax verification and payment policies, and patronize them exclusively. The Russian Business Network (RBN) is a prime example. Although the RBN went dark in November 2007 after an increasing amount of attention was being paid to its operations, some of the IP blocks associated with it are still active.
The genius of the RBN was that it built a bulletproof loop that guaranteed its online businesses uninterrupted service, regardless of how many complaints were filed against its various websites.
Like the RBN, the StopGeorgia.ru forum is part of a network that's been bulletproofed. The rest of this chapter walks you through the intricate relationships, aliases, and shell companies that were created to serve that purpose. Before getting to the specifics of the StopGeorgia.ru network, let's begin with an introduction to how bulletproofing works.
Components of a Bulletproof Network.
A bulletproof network refers to a series of business relationships that make it extremely difficult for authorities to shut down web enterprises engaged in criminal activities.