
Hacking Back Scammers - BSides Prishtina 2022

BSides Prishtina · 2022 · 23:08 · 1.7K views · Published 2022-05

About this talk
Megi Bashi, Ryan Dinnan, Jacob Abraham, Joshua Pardhe

The scammer epidemic is ever-present in our connected world and shows no sign of slowing down. Last year in the United States alone, an estimated $29.8 billion USD was lost to scammers, a number that has more than quadrupled since 2015. Scams of all kinds are ubiquitous, and we as student researchers hope to raise awareness about these dangerous (not to mention plain annoying) security threats. Our team is made up of Arizona State University seniors who, for our graduating capstone project, decided to fight back against this scammer epidemic. Over the past eight months, we have researched, designed, and tested various approaches and tools for actively combatting and reporting scammers. Through scambaiting (the process of pretending to be a victim in order to waste a scammer's time), we have gathered intelligence on how different scams operate and have used this knowledge to produce repeatable social engineering tactics that yield actionable intelligence. Additionally, we use our collective technical skills to design realistic-looking personas and financial institutions to ensure the collection of intel. Once we have gathered actionable intelligence, we investigate the scam operations in order to find anything further before creating a report and submitting it to the proper authorities. Such investigations include tracking domains, fake profiles, and even victims who have been targeted, in order to provide a holistic report. In this talk, we'll break down our approach to a project of this scale, our findings, and the lessons we've learned. Join us for a dive into the world of scams, social engineering, and ethical hacking!

Transcript [en]

Welcome to our talk, Hacking Back Scammers. My name is Megi and this is Ryan, alongside our teammates Josh and Jacob who couldn't make it here today. We worked on this project for the last eight months and we are extremely excited to be here and represent our team. So, everything that we're going to be showing you today was gathered, and the information that is provided is, 100% legally, and if you do end up going and engaging with any scammers through illegal means, you are doing so at your own risk.

Awesome. Here we have some statistics of the most common scams. Scamming is an ever-growing epidemic that affects society in multiple ways, and the more it spreads in society, the more sophisticated it becomes. The total loss reported in 2021 globally was 43.1 billion euros, which is a very significant amount, and unfortunately scams do not impact society only in a financial manner; they also cause emotional, mental and physical harm. The channels through which these scams are delivered vary: text messages, emails, as well as phone calls or fake websites. We truly believe that the problem must be tackled where it starts, and in most cases that is online.

The goal of this project is to gather actionable intelligence so that we can report these scammers. The way we achieve this is by doing scam baiting, and that is the process of calling up scammers, acting as a victim, so that we can waste their time. There are already a lot of individuals and communities that do this in their own free time on different platforms such as Reddit, YouTube, Twitch or BobRTC. But what makes us different? Well, we've been using different techniques that go beyond scam baiting: by using social engineering, using phishing, as well as using open source intelligence, or OSINT, we've been getting a lot of information on scammers, as well as initiating some investigations. We've been investigating their identities, websites, phone numbers, as well as tracking it down to specific individuals. The overall goal is obviously to bring down these scammers.

Now, one of the main things that makes us different is increasing and spreading awareness in communities such as this one. Coming to conferences like this gives us the opportunity to introduce the concept of scam baiting to individuals like you, with the potential that you may want to join the cause. Now, before we actually are able to conduct any call, we need to go through some preparation steps. In a previous talk at CactusCon we went into this topic much more in depth, so if you'd like you can go online and visit that, but here I'll be going over a very brief overview of how we prepare before going into a scam call.

So the very first step is to find what scam we want to go in and try to scam bait, and we do so through a variety of resources, one of which is the subreddit r/ScamNumbers, which posts frequently active scammer numbers that you can call and try to engage with. Additionally, there are scam-baiting-specific resources, scammer.info and BobRTC, which also post information and phone numbers, as well as additional information that we can use to assist in preparing for an actual scam. Once we've picked the actual scam that we want to do, we can then go and start to prepare our victim persona, and at this stage it's really important to prepare information that is relevant and actually verifiable, as it's very easy for scammers to verify any information or numbers that we give, such as credit card or social security numbers.

Now, throughout this entire process we want to make sure that we ourselves are secure. We are dealing with real bad actors who are actively committing crimes, so we need to separate ourselves as far away from these scammers as possible, and we do so through the usage of a VPN and a VM. The VPN allows us to separate ourselves geographically, and the VM keeps us secure for any online interactions in a nice sandboxed environment. Additionally, if we are working with any scams that require a remote screen takeover, we have a separate honeypot laptop dedicated just to this project, so we don't have to worry about any malicious content being uploaded to our personal computers. Now at this point, with everything prepared, we're ready to actually make the call, and where our team is unique is that while there's only one person contacting the scammer at a time, we have an entire team behind us that is actively researching and taking notes to make sure this process goes as smoothly as possible. Now that we have explained the setup and how that all works, we're going to talk about what kind of scams we target.

Now, we mainly focus on scams with small-scale operations, meaning that we don't go for the scams that are causing millions of dollars in losses; we're focusing on the small ones. Why? Because they don't get a lot of attention from government agencies because of the small amounts that they cause. For example, some scammers reach out to people asking for small amounts because that doesn't usually raise a lot of suspicion, so they are successful with their scams. Although the amounts are small, they're usually calling a lot of people so that they can make profits, so this most likely affects a lot of people. Now, that is one of the motives for our project, because these scams are just being let go; the governments do not really pay attention to them. Some of the main scam types that we've been focusing on recently are the ones that are trending, which are crypto or forex scams, sales and tech support. My favorite part about dealing with tech support is that we get to deal with scammers that give us some answers that we know are wrong, and we get to see what that looks like. As kind of a demonstration, we're going to play a recording from one of our scam baiting sessions.

"This is all the infection which is running inside here." "Oh no, that..." [Music] "And that is something that is really critical." "Uh oh. Okay, what... so what's the name of this malware?" [Music] "The malware..."

And on top of that, I don't know if you're able to see, but the malicious attacker that was attacking our system was the Windows Event Logger. So now you've seen a little bit of the kind of scammers that we're interacting with; let's talk about how we can actually manipulate them into giving us the information that we want. Now, the easiest way to trick scammers into giving us information is just to keep them talking. The more they talk, the more likely they're going to share something that we can use to trace them individually or the scammer operation as a whole. However, keeping them talking isn't enough; we also need to keep them engaged, and one of the best ways that we've found to do this is by not making them angry. A method often used by other scam baiters is to try their best to make them angry, as they will lose track of time and waste a whole lot of it, but for our goal of trying to get as much information out as we can, once we reveal that we're not a legitimate victim we lose the opportunity to use that to our advantage. So trying to keep them as happy and calm as possible really is the best way for us to do it.

Additionally, we make sure that we do our best to act like a real victim. Likely, if you've ever engaged with a scammer, it wasn't a pleasant experience, whether you were annoyed, unhappy or angry. Using those negative emotions as acting practice against these scammers makes us less suspicious and makes us more believable as an actual victim. Now, like I was mentioning earlier, all the information that we provide, credit card numbers, social security numbers, it's very easy for scammers to pull up a quick online tool that verifies this information, so we need to make sure that anything we provide them is 100% verifiable, so we can get as far into the scam as possible and learn as much about the operation as we can. Now, while a lot of what I'm saying is about making sure we're planning and preparing in advance, another key skill set to have is improvising. There's always going to be something that you're not able to prepare for, or a question that you didn't think to prepare for, so having the skill of using it to your advantage as it comes up is very, very helpful. And to kind of emphasize this, we're going to show you a clip of what happens. Oftentimes one of our teammates is mistaken for having a girl's voice, so instead of taking the time to explain and try to correct the scammer, we try to use it to our advantage and trick them into giving us some information.

"How can I help you?" "Hey, my name is Sophia, and I got an email about a 299.88 charge for an antivirus." "Okay ma'am, as you can see here, the order has been placed this morning at Colorado, so is that you who made that order?" "No." "You're in California?" "I've always wanted to go to California. I'm in Texas." "Just call me, what's your number? Because we can take this offline." "Okay, hold on." "And I'm just giving you my personal number, okay? ... When you will be going to California, just call me on that number, I'll be there to help you out and I'll be your guide, okay?" "Okay." "It's 8-2-0 ... 3-3-9-3." "I'm gonna save this right now. If you want to be friends..." "And I can let you fan..."

All right, so one of the main goals of social engineering is to get some kind of information from the scammers, ideally some kind of contact phone number or email address, so that we can create that point of contact with them in case we need to send them a malicious link to obtain information from them. In this case we've been using the Grabify IP logger to craft the link and send that to the scammers. The goal is for them to click on it so that we can get more information. We've been redirecting them to a completely normal-looking website, and once they click on it they will get to the normal website without suspecting that we're stealing any information from them. But once they click on it, this is what we see on the next screen: the advanced log shows a lot of information such as IP address, operating system, machine, location, time zone and a bunch of other information. Now, all of this is very useful because it gives us the opportunity to get a lot of pivot points so that we can continue on with our investigations. Also, here's another demonstration.

"So it will cost you 249.99 for one year." "Two hundred and forty dollars?" "Yeah, yeah, with unlimited device login." "Okay, how do I make that payment?" ... "Thanks from being wholesale, I really appreciate your time and patience." "Yes sir, I was activating it, you know, I wasn't completing a billing statement here, it's showing me an error. Please confirm the details again, sir. Your card number is..." "One, 536-8759-080617, two nine nine." "Correct?" "Yep, yeah, that's my card number." "Okay, allow me a moment, our billing team will connect with you, they'll take out the link and everything. Just tell them the whole issue, okay? They'll correct you within the next five minutes." "Okay, okay, thank you so much." "Hi, so this is James calling from the billing department of Hugo, how are you doing today? Right, so now comes the payment part. So we tried to process the payment with the card details you gave us, sir, but somehow it's getting declined, so did you receive any notification from your bank to approve the payment service?" "Yeah, so what do you want from my... so my bank portal gives me a link, let me, I can spell out the link for you, it's https..." "Let me try and enter it." "So the link did not work? It took you to... a bad website, I could say." "Yeah, it took me to a dating website."

So, like Megi said, we can choose any site that this link redirects to. So what did the scammers see when they clicked on the bad website? FarmersOnly.com, a dating site for farmers. So while we do really have a lot of fun with this, we need to remember our primary goal here of gathering actionable intelligence on these scammer operations. On the phone, it's very hard to gather that level of intelligence, and oftentimes the information that we gather only allows us to figure out if the scam is real or not, if they are in fact committing a crime, and if the scam is worth our time and resources as university students to investigate. Now, the reason that we bring up this actionable intelligence and keep reiterating it is because, like Megi was saying earlier, businesses and government agencies really don't have the time and resources to focus on something that's more small-scale like this, so if we are going to be investigating on their behalf and then submitting them information, it needs to be something that is verifiable, accurate, and information that they can immediately use to go and try and take down these scammers. And this kind of information can take all different types of form depending on which scam it is; it can be websites, it can be names, it can be locations, and it's very hard to figure out until we begin an in-depth investigation. But to show just how bad this information can be for the scammer's operation, we're going to show you another clip where we were lucky enough to find the information early on and actually confront a scammer with it to see their reaction.

"Hi, my name is... also, warranty, so there would be a one-time technician fee." "Okay, because you don't have warranty. Just to make sure, you said your name was Aditya Singh, on 60th Feet Road in Delhi, India?" [Music] "Not on the notebook, just write down here." "What's your name? What name did you say?" "Yeah, I mean, the person you know is Aditya Singh, on 16th..." "Yeah, yeah, go ahead and write down the address." "Sure. I mean, you should know it." "No ma'am, we don't have anybody by this name, ma'am." "Are you sure? Because this is the email that I have, flypepper.hi gmail, and isn't your phone number..." "I am in California, ma'am." [Laughter] "But the thing is, your address doesn't exist in California." "You know, because I said that we cannot fix this, you have to go to that store." "And why are you giving me this address in Delhi? I just checked on the internet, I found that that is not in the US, it's in India." "I am fully aware of that, Sean."

As we see here, the name that they gave us is different from the name that we asked them about and double-checked, because we found that through different ways and not from what they told us. While calling them, wasting their time and getting more information is a very great start, to make an actual difference we need to conduct an investigation. One of the most recent investigations was a crypto or forex scam that we recently researched. It actually started back in January of this year, where we found through Instagram, actually we saw, some different accounts posting very similar posts advertising and claiming that their personal advisor was guaranteeing a 1,000% return on investment on any amount, with a minimum 500 dollar investment, so it's a very large amount for crypto. Now on top of that, they were saying that the only cost was a 10% fee that they would have to pay, and then they would get that within 24 hours. It is definitely too good to be true, and as we all know, not only are crypto and forex not guaranteed a return on investment of any amount, but also a return that fast and that large is not always guaranteed. So we immediately found that that was a scam.

We found, so far, only two accounts that were related to the scam, katie official 12 and katie official backup page. Any time that we interacted with these accounts, we created some sock puppet accounts, just to stay anonymous at all times. These scammers are targeting middle-aged or young adults that are not very familiar with the technology; they do not know how crypto and forex work very well. Now, one of the other things that they're doing, one of their techniques, is that they take over the accounts of the victims after they have gotten money from them. They hack those accounts and they start posting on their behalf, so that their network starts finding out and investing as well. After that they rename the accounts, which we suspect is for identifying purposes, for each account that they hack. Moving on to the next one in the investigation: in addition to committing financial fraud and hacking Instagram accounts, this person is also committing identity theft. Why? Because once we carefully looked at their profile, there's this picture that they posted that has a location tag in Miami, Florida, but looking carefully in the background we see a poster that is not in English. So we researched that a little further and looked it up, and it was related to an event happening in Rotterdam, Netherlands. So that was the first mismatch, the first discrepancy that we found. Next, the date that the picture was posted and the date of the event were completely different, so that was the second indicator that this is a scam. Of course, the main purpose is to find the scam and report them; however, we wanted to also make sure to find the identity of that victim and let them know. We started doing some further investigation and some reverse image searching, and we found an exact match of the pictures that the scammer was using to another account with a lot of followers that is running a legit business. We made sure to contact her and let her know that somebody's using her content and pictures without her permission, so that went pretty well. And then in addition to that, we also condensed all these findings into a report and submitted it to the FBI cyber crime unit.

So another scam that we took the time to investigate, that's very different from the previous one, is a sales scam. The way that this scam worked was: initially a user would be sent a text message from a random number that has a website link in there, as you can see in the top left. If you click on this link it would redirect you to a promotional website that would be either explaining a product that doesn't actually exist or providing you with a free prize that you have now won, as you can kind of see over here. Now if you click anywhere on that site, it will redirect you to a third and final site which will ask you for your address to ship the product to, and your credit card information to pay for the very small shipping fee for your free product, as can be seen down here. Now this is actually the biggest scam that we've investigated; it covers over 60 different websites and over a dozen different phone numbers, so all the information here that we need is very hard to keep track of, and we needed to make sure that we had a tool that was able to keep track of everything and keep it up to the same level of integrity that we were using in the previous, smaller investigations.

So the tool that we used is something called Maltego, and if you're not familiar with it, Maltego is a data visualization tool used for investigations that allows you to map out different pieces of information and link them together, explaining how everything is connected. As you can see in the bottom left, that is the end result of our Maltego graph of the entire scammer operation, with each one of those circles representing some kind of piece of information, whether it be a website, an email or a phone number. If you zoom in on any part of this graph, you get something that looks like this, where you have a lot more detail showing any notes or files that we've attached, additionally showing specifically what the link is between all these different connections. Now, being that there's so much information here, we took the time to go through and use a bunch of tools online such as WHOIS searching and reverse DNS lookups, as well as doing a forensics investigation into the HTML and JavaScript on all of these websites, and what we were able to find is a whole lot of information, the biggest one of which was an API key for a custom API tool that the scammers are using across most of these websites in order to make everything run a lot simpler, and we worked on abusing that as well. In one of the WHOIS searches we were actually able to catch one of their slip-ups, where they forgot to mark a privacy setting in the WHOIS registry, so we have an actual name, address and contact information of someone who we believe to be heavily involved in the scammer operation. Now, currently we're still working on the report for this specific investigation, but in the meantime every single website that comes up we are reporting to search engines such as Google in order to block these websites and eventually take them down, so that further victims do not get their money stolen.

And that's a wrap. Thank you everyone. [Applause] We do have a website up, scammers.github.io; we try to keep up with the blog posts, so if you're interested in staying up to date with what we're up to, feel free to check us out. And in the meantime, what questions do you have for us?
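The pivot-graph approach described for the sales-scam investigation (phone numbers, redirect chains, shared hosting, a reused API key and an unredacted WHOIS registrant all linked in one Maltego graph) can be reproduced in a few lines of Python. The block below is an added example, not code from the talk or from the team's project: every domain, phone number, IP, API key and WHOIS record in it is a constructed placeholder, and the list of strings treated as WHOIS redaction markers is an assumption about how registries phrase redacted fields. It builds an undirected graph over (type, value) indicators, only adds registrant pivots when the WHOIS record is not privacy-redacted, and uses connected components to separate one operation's infrastructure from an unrelated site that happens to be in the same dataset.

```python
"""Indicator pivot graph for a multi-site scam investigation (added example).

Each indicator (phone, domain, ip, api_key, email, name) is a node; each
observed relationship is an edge.  Connected components then show which
indicators belong to one operation, which is what a Maltego graph shows
visually.  All data here is constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed observations: (src_type, src_value, relation, dst_type, dst_value)
OBSERVATIONS = [
    ("phone", "+1-555-0100", "texted_link", "domain", "promo-one.example"),
    ("phone", "+1-555-0101", "texted_link", "domain", "promo-two.example"),
    ("domain", "promo-one.example", "redirects_to", "domain", "checkout-a.example"),
    ("domain", "promo-two.example", "redirects_to", "domain", "checkout-a.example"),
    ("domain", "checkout-a.example", "resolves_to", "ip", "203.0.113.10"),
    ("domain", "checkout-b.example", "resolves_to", "ip", "203.0.113.10"),
    # The same key embedded in two checkout pages ties them to one operator.
    ("domain", "checkout-a.example", "embeds_key", "api_key", "CONSTRUCTED-KEY-1"),
    ("domain", "checkout-b.example", "embeds_key", "api_key", "CONSTRUCTED-KEY-1"),
    # A site that shares nothing with the campaign; it must land in its own cluster.
    ("phone", "+1-555-0199", "texted_link", "domain", "unrelated.example"),
]

# Constructed WHOIS output: one record redacted, one where privacy was never enabled.
WHOIS_TEXT = {
    "promo-one.example": (
        "Domain Name: promo-one.example\n"
        "Registrant Name: REDACTED FOR PRIVACY\n"
        "Registrant Email: Please query the RDDS service of the Registrar\n"
    ),
    "checkout-b.example": (
        "Domain Name: checkout-b.example\n"
        "Registrant Name: Constructed Registrant\n"
        "Registrant Email: registrant@mail.example\n"
        "Registrant Phone: +1.5550177\n"
    ),
}

# Assumed phrasings that mark a WHOIS field as redacted (not an exhaustive list).
REDACTION_MARKERS = ("redacted", "privacy", "query the rdds", "not disclosed")


def parse_whois(text):
    """Parse 'Key: Value' lines of a WHOIS record into a dict with lower-cased keys."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record[key.strip().lower()] = value.strip()
    return record


def registrant_pivots(record):
    """Return (type, value) pivots from a WHOIS record, skipping redacted fields."""
    pivots = []
    for field, node_type in (("registrant email", "email"),
                             ("registrant phone", "phone"),
                             ("registrant name", "name")):
        value = record.get(field, "")
        if value and not any(m in value.lower() for m in REDACTION_MARKERS):
            pivots.append((node_type, value))
    return pivots


def build_graph(observations, whois_text):
    """Undirected adjacency map over (type, value) nodes."""
    graph = defaultdict(set)
    for src_type, src, _relation, dst_type, dst in observations:
        a, b = (src_type, src), (dst_type, dst)
        graph[a].add(b)
        graph[b].add(a)
    for domain, text in whois_text.items():
        node = ("domain", domain)
        graph.setdefault(node, set())
        for pivot in registrant_pivots(parse_whois(text)):
            graph[node].add(pivot)
            graph[pivot].add(node)
    return graph


def connected_components(graph):
    """Breadth-first grouping of nodes into clusters, largest cluster first."""
    seen, components = set(), []
    for start in graph:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            queue.extend(graph[node] - seen)
        components.append(comp)
    return sorted(components, key=len, reverse=True)


def cluster_report(components):
    """Summarise each cluster as {indicator_type: sorted values}."""
    report = []
    for comp in components:
        by_type = defaultdict(list)
        for node_type, value in comp:
            by_type[node_type].append(value)
        report.append({t: sorted(v) for t, v in by_type.items()})
    return report


if __name__ == "__main__":
    comps = connected_components(build_graph(OBSERVATIONS, WHOIS_TEXT))
    for i, summary in enumerate(cluster_report(comps), 1):
        print(f"cluster {i}:")
        for node_type, values in sorted(summary.items()):
            print(f"  {node_type}: {', '.join(values)}")
```

With the constructed data the campaign collapses into a single cluster of eleven indicators (both SMS numbers, all four domains, the shared IP, the reused API key and the three registrant fields from the unredacted record), while the unrelated domain and its number form a second cluster of two. The same structure feeds a report: each cluster is a candidate operation, and a registrant pivot that appears in a cluster is exactly the kind of slip-up the speakers found through WHOIS.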