
Social networks: Criminal enterprise, Pt. 2

Publicly shared privacy settings cut both ways here; cybercriminals suffer the same penalty for their personal accounts as the rest of us – if they haven't enabled the strongest security settings you can easily observe what they write and what pictures they post.

Therefore it would seem that gaining a window into the social networks that cybercriminals also use for their own purposes would be a good idea. Are there drawbacks?

In a more traditional look at social networks and their impact within criminal enterprise, let's look at some wanna-be gangstas who dabbled in the highly lucrative world of J1 money mule operations.

Gary Warner's blog has a great example of what the new generation of social networks can reveal of criminals as they kick-start their cybercrime fiefdoms:

Also arrested with Codreanu was Lillian Adam, also known as Roman Kobilev.
Lillian is one of four individuals named in the same indictment – the others being:
his at least sometime girlfriend, Catalina Cortac, pictured here kissing Adam on top of the Empire State Building [see facebook images]

In regard to social media for suspected criminals, the Feds haven't lost any time in employing social media background investigation, but they do it carefully.

One document recently obtained by the EFF under FOIA details the IRS rules of engagement which they use in researching online social network involvement in order to put someone away in Club Fed for tax fraud.

The FBI and Secret Service are all about putting the smackdown onto the bad guys through "carder forums" – PHP-based forums which provide a tight-knit form of social network communication.

Additionally, the DoJ's "Obtaining and Using Evidence from Social Networking Sites" presentation provides clarity about how U.S. attorneys use the evidence gathered by investigators.

The force multiplier for these social media tactics is the specially designed software which helps law enforcement put the pieces together quickly. These costly software packages work across multiple social media platforms, search engines and also the hardware devices (PDAs, cell phones) which are used to enter the data.

Is cyberstalking suspects a good or bad idea?

Social media background investigation is a catchy 21st Century term. Many employee verification firms insist it is the next big thing. I've never recommended this as a course of action because of the personal nature of data turned up such as religious affiliation, national origin, well, you can guess that employment litigation becomes more of a concern.

That being said, it is a rare boss who won't Google their prospective employee's name prior to an interview, particularly if they're on a short list of applicants.

One useful tactic for tracking criminals through their social networks: if the subject of your inquiry has joined a group, joining that same group will often increase your visibility into their profile.

In one instance, the blog post contributor for Gary Warner's article points out one [alleged] money mule's habit of posing next to banks in her Facebook photos. Knowing the context of the indictable actions taken by the suspect, these images seem very easy to read – passing messages through pictures rather than text is old-school spycraft.

As Gary Warner's article demonstrated, joining the same groups within Facebook gave him the inside track he needed to get screenshots of the suspect's not-so-personal pages.

Word of caution: this works both ways

Joining a social media group may give everyone in it access to your profile. Prevent this by using a cut-out social network account – just never base your cut-out on a real person, which could be considered identity theft.

Consider this example: Company A has alerted the three-letter agency of your choice about a cyber intrusion. The IT manager has continued an independent investigation and discovered a potential suspect's name, which a cursory glance at Google shows has several social network sites associated with it.

In our scenario, going further at this point and diving into those sites could alert the suspect and the IT manager should be aware of what this may result in – the suspect going kinetic in the physical realm. Is this a potential risk which is often overlooked?

If you happen to be writing about cybercrime and have had DDoS attacks against your website (such as Brian Krebs has recently experienced) then surfing potential cybercriminal profiles without the use of a cut-out could raise your personal threat threshold.

Sniffing out a social network does not mean that all the information displayed is completely accurate. Establishing multiple sources of information can enable an investigator/cyber-sleuth to filter out the BS and determine how well a potential social network resource can be graded.

Depending on the level of compromise, it may be worth the cost to retain investigative specialists.

Spy vs spy: Honeypots

Intrepid IT investigators should be careful that a social network profile of interest hasn't itself been created as a cut-out, simply to watch the watchers and serve as an early warning indicator.

The term honeypot didn't originate with cybersecurity, it originated with espionage. It describes intentionally exploiting a false emotional or physical attachment with an insider. This is human nature and as such, it never gets old.

One example of the classic intel honeytrap, or honeypot, of yesteryear is the 1980s Moscow Embassy Lonetree compromise; a fictional example is the compromised travel agent in Duplicity.

Be aware that setting up a social network with opt-in monitoring (such as LinkedIn Premium) can easily reveal who is surfing the profile.

Result: the early-warning function of a cut-out social network profile, which under certain circumstances could be devastating to an investigation.

Watching the detectives

Paying a private sector resource will often lead to evidence which can support grand jury indictment or at least provide a gift-wrapped case to the triple-letter-agencies, significantly increasing the chances of successful prosecution.

The significance of this strategy is that, while not acting as agents of law enforcement, private sector investigative specialists have much stronger investigative powers, because Fourth Amendment protections do not jeopardize their work the way they can a law enforcement investigation.

On the other hand, you get what you pay for, and having to deal with the law-changing antics of HP and Action Research Group's cautionary tale of woe is the penalty for choosing private sector folks who aren't ethical enough. Tread carefully and vet your resources.

Know your enemy: 007 or Felony Stupid?

Weigh the risks of alerting a smart opponent rather than the status quo of Felony Stupid. And here's the tougher part – computer crime used to mean the criminal was above average in intelligence.

Not anymore! Crimeware has really dumbed that user level down and brought white-collar fraud into the ranks of previously violent and psychotic offenders such as former bank robbers. That is another reason I always urge CIOs and IT managers to work with human resources to ensure their entire corporate staff, top-down and bottom-up, has adequate physical security training.

I always urge caution at the decision point of whether to go active or not because I've never been surprised at the level of mayhem a panicking suspect can cause.

Of my past nine lives, the one as an aerial anti-submarine warfare operator offers the best analogy. We measured the risks of counter-detection in our efforts to find a submarine by referring to the sonar term, GOING ACTIVE.

Here is a comparison of active and passive tactics from Wikipedia:

Active sonar creates a pulse of sound, often called a "ping," and then listens for reflections (echo) of the pulse. Active sonar is used when the platform commander determines that it is more important to determine the position of a possible threat submarine than it is to conceal his own position.

Active sonar is similar to radar in that, while it allows detection of targets at a certain range, it also enables the emitter to be detected at a far greater range, which is undesirable.

Passive sonar is stealthy and very useful. Passive buoys may also be deployed on the surface in patterns to allow relatively precise location by triangulation.

Those same principles apply easily to intelligence analysis and private investigation: determine whether source information is reliable, seek a confirming source, and finally weigh the risk of counter-detection.

If you think there's a risk of counter-detection and the other person could feel threatened enough by your actions to go kinetic, clear thinking should prevail: if they're within your reach they're also close enough to reach out and touch someone physically.

This also leads back to a core benefit of hiring a private sector investigator: in most states, licensing typically requires experience.

The thin red line or thin blue line of prior service typically keeps bad guys from pushing their luck. Having the physical security liability leading back to a trained professional, preferably with law enforcement or military training, keeps even the most psychotic of crimeware users from retaliating.

Any corporate executive should value the decrease of liability in a dark parking garage after hours. In this instance, outsourcing = priceless peace of mind.

Analysis: Call cops or outsource

  1. Don't get detected / don't get caught sniffing out a potential cybercriminal's real identity. Blundering around social media sites with your LinkedIn or Facebook logged in is a great way to tip off the subject of your online inquiries and won't make friends or influence the right people. Instead, take the extra step and use a sanitized browser, such as incognito mode in Google Chrome.
  2. Don't get overconfident and think the online information is legit without constant corroboration. While most crimeware has put high-tech crimes in the reach of the felony stupid, there are some sophisticated players out there and they'll see you coming.
  3. Don't impersonate a real person's identity through a social media site. This is considered identity theft in California's Section 502, and many other jurisdictions.
  4. Avoid risk: consider hiring out to experienced and high quality private sector resources like investigators. The best solution if a crime has been committed is to involve law enforcement; however, they do operate on a different timetable and with the priority of prosecutable crimes. If you can't wait for law enforcement, private sector resources like investigators can take the risk. Let them proceed with caution, and sleep well at night, not to mention walking back to your car daily with relative peace of mind.
