Ask the Internet Abuse/Fraud Investigator

If you aren’t already doing so, I’d recommend lurking on NANAE (news.admin.net-abuse.email), also news.admin.net-abuse.sightings. You’ll probably be able to find a few white-hat folks to network with, perhaps offer to volunteer to help crunch/gather data or maybe offer to monitor a trap mailbox or two.

There’s a lot of good exposure to the “industry” just parsing the headers of your spam and reporting it to all of the various networks implicated in the sending. Using a site like SamSpade.org (or the handy hardwired Linux commands: host, whois, traceroute, etc.) you can start sniffing into the sites that are advertised in your spam, assumedly collecting responses or banner-ad clicks produced by spam. The same approach can be used for combing through your firewall logs, sorting out the logs of network unfriendly traffic, and reporting it all to the network(s) of origin.

Pore over any responses and feedback that you get from your reports. Crawl through whatever sites they recommend or refer you to.

You might find it interesting to volunteer to admin or mod at some of your favorite online haunts. You will inevitably have something messy and “investigatable” drop into your lap. The other important skill you’ll pick up is being able to navigate a conversation with your average woefully ignorant complaining party. They’ll either want to talk your ear off, or chew you a new asshole, and all you really want to get from them is a “brief summary” and perhaps some logs for evidence.

The people I work with come from an endless variety of backgrounds, most of them not from the traditional “IT” or “Security” realms, though certainly some are. The common denominator is a willingness/eagerness to squint through thousands of lines of headers or logs, dig, do research, whatever it takes to understand the motivations of both the perps and the victims of each network unfriendly incident that you come in contact with…always trying to think of ways to lock down the exploits as they’re discovered.

We’re all basically playing chess with the perps, a never ending game of moves and counter-moves.

My background is Zoology. I’ve never taken any sort of IT classes or training. I hold no certifications. Some people who I work with every day have that background, but we all manage to collaborate and feed off of each other just fine.
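The header-parsing step described above, as an added example (not code from the poster): it walks a message’s Received: chain top-down and trusts only the hops stamped by your own mail servers, since every hop below those could have been written by the spammer. The message, the host names and the set of “own” servers are all constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample spam. The bottom hop is forged (a private address that
# never really connected to relay.example.org); only hops stamped by OUR
# own servers are trustworthy.
SAMPLE = """Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id abc123; Tue, 04 May 2004 10:00:00 -0000
Received: from relay.example.org (relay.example.org [203.0.113.5])
\tby mx1.example.net with ESMTP id def456; Tue, 04 May 2004 09:59:58 -0000
Received: from bogus.example.com (bogus.example.com [10.0.0.7])
\tby relay.example.org with SMTP id ghi789; Tue, 04 May 2004 09:59:50 -0000
From: "Your Bank" <alerts@bank.example>
To: victim@example.net
Subject: Verify your account

Please verify at http://login.bank-example.test/verify now.
"""

# Address ranges that can never be an upstream sender on the public internet.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # first [a.b.c.d] = "from" IP
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)")        # host that added the hop

def parse_received(raw):
    """Return Received hops top-down as (from_ip or None, by_host or None)."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        ip, by = IP_RE.search(hdr), BY_RE.search(hdr)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def accountable_ip(raw, own_hosts):
    """Public IP that handed the mail to our own infrastructure: walk from the
    top and stop at the first hop not stamped by one of own_hosts."""
    candidate = None
    for from_ip, by_host in parse_received(raw):
        if by_host not in own_hosts:
            break                      # trust ends here; below may be forged
        if from_ip and not is_internal(from_ip):
            candidate = from_ip
    return candidate
```

Run `accountable_ip(SAMPLE, {"mail.example.net", "mx1.example.net"})` to get the address whose network owner should receive the report; the forged 10.0.0.7 hop is never considered.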

These are very good suggestions which I haven’t tried yet. I’ve been doing the Usenet thing for a long time, but it seemed most of my work with the white-hat types has been in other venues.

This is something that I do quite a lot both at work where I have a large hand in adminning our systems because the official admin doesn’t know what tracert does and at home where my ISP doesn’t seem to understand the value of knowing who is systematically attempting to attack users. Then again, I think that’s what I have to expect from an ISP that has to be called and told and argued with for 20 minutes before they will believe that yes, their nameserver really is offline.

For the past five years I’ve been an admin of a web forum (obviously not this one), and for even longer than that (since 1993) I’ve been an oper on some IRC channels where we attempt to help users with all kinds of problems, from hack attacks to trojans to viruses.

You’re right about the asshole chewing.

I used to be really into trying to find exploits in other people’s computers, whether they wanted me to or not, but have since calmed my activities down to only breaking boxes of people who want me to because the, er, legal ramifications are much different than they were in the mid eighties. :slight_smile:

I guess I’m really asking about attempting a career change, and wondering where to focus my efforts on that. General terms, like whether ISPs would be a good avenue or if you know what the market for these skills is in areas like law enforcement.

I kind of feel like I’m wasting skills, and I don’t want to lose them by not using them often enough (which is why the extensive ‘hobby’).

ISPs do certainly have slots for those interested in forensics. Companies who provide anti-virus and anti-spam services should be a target-rich environment as well. ISPs do partner with such companies even if they have in-house employees dedicated to those problems, as a layered approach to a better overall customer experience.

In the area of Fraud, we’re in the middle of a small boom in the risk monitoring/management area. Companies like Cyveillance, NameProtect, Envisional, and BrandIntelligence are scrambling to cater to financial institutions, large online merchants, etc…or just basically anyone who has invested in the migration of their customer base to the internet…who are also interested in keeping their customer base online with the least amount of risk, liability, or damage to their brand/image.

w00t! Phisher phelon phaces phour…years

And in “long row to hoe” news:

Reports of phishing scams skyrocket in April

And so it finally ends…

Howard Carmack will serve 3-1/2 to seven years in prison.

Great Daily Show interview of a Spammer. (Hope the link works.)

Spoofstick was recently released, an article can be read here.

Ebay also has anti-phishing features in its toolbar, but it only helps to protect you from the fraudsters targeting Ebay/PayPal.

http://www.iht.com/articles/525400.html

Geeks after my own heart…

On a related note, is this sort of bumping at all frowned upon? I’m just curious, don’t want to irk anyone. I’ll probably irk them all soon enough out on the boards. :slight_smile:

I try and only do it when I have a good topic related link…0:-)