Jul 27, 2019
Part 1: How attacker hide their identity for making anonymous transactions.
** The below information provided is just for educational purpose **
The most important thing that an attacker is worried about is its SAFETY, they make sure that they hide their identity. Why? Because if they get caught no matter how much money or information they have they will end up behind the bars, so they try to behave like the owner of the CC (Credit Card) and hide their own identity as much as possible to trick everyone in the process.
For this purpose they use a burner laptop if they don’t have a burner laptop then any OS in a VM (Virtual Machine) after hard formatting their normal laptop.
- Attacker generally uses Win 7 as it doesn’t have much security as Win 10.
- Few attackers also uses portable OS on a USB drive, it helps them hide their evidence by just hiding a USB drive if someone knock on their door.
- Now a day’s installing an OS on a VM or making a bootable USB drive is just like a walk in a park.
- Next step attacker do is change Serial of their HDD (XBoxHardDrive) why? To hide their original HDD serial number.
- Ccleaner — Tool to clear cookies and temporary data generated during multiple sessions.
- TMAC — Titanium MAC Address Changer as the name suggests this tool is used to change MAC address of the system.
Next step is to flush DNS before going further –
For this purpose the below commands on cmd are performed.
#ipconfig/release
#Ipconfig/renew
#Ipconfig/flushdns
Now attackers install a VPN (Virtual private network) or buy a RDP (Remote desktop protocol). They generally don’t go with free stuff at this stage because few Rupees can cost them their freedom they usually choose such VPN which doesn’t log their activity and accepts Bitcoin as both are good for maintaining anonymity of the attacker.
Socks5 proxy this is used to change the location of the attacker and add an additional layer of protection, if RDP or VPN’s location is as same as victim’s mentioned address then they don’t use it else this is very important to match the address location, it also helps in not raising red flag for the bank.
So far attacker’s setup look like this –
After initial setup attacker downloads some more tools on system before making any transaction.
1. Mozilla Firefox
2. User Agent
3. Canvas Fingerprint Blocker
4. Proxifier
5. Ccleaner
6. BombItUp
Now they configure all the tools together that they have gathered so far -
- Firefox — On address bar type — about:config
In search box : media.peerconnection.enabled and they change the value to FALSE — WHY? To disable WebRTC that can leak attacker’s real IP. (because that’s bad when someone is trying to fake their location into the one of socks5)
Next: privacy.donottrack and they set it to TRUE –
WHY? So that websites won’t track attacker’s traffic at all.
2. User Agent Switcher –This plays a major role in changing identity of the attacker by faking user agent, it enables attacker to switch between multiple user agents without actually changing them (it tells website which user agent and version attacker is using by changing user agent in packet header).
3. Canvas Fingerprint Blocker — This Firefox add-on allows attacker to prevent websites from using Javascript APIs to fingerprint them. Attacker choose to block the APIs entirely on websites or fake its fingerprinting-friendly readout API.
4. Proxifier — This tool helps attacker to setup SOCKS5 proxy. SOCKS5 is an internet protocol which routes packets between a server and a client using a proxy server, this is used by attacker to fake their location to a close one to the Card Holders Billing Address, so that at the time of transaction bank observe attacker’s location close to the real address.
There are multiple online stores from where attackers buy these socks5 proxies few example are listed below –
- luxsocks
- truesocks
- premsocks
Also attackers make sure that they match the time zone of their local system to that of peroxided location few websites match time zone as well before passing any transaction.
Attackers first check their IP with anti-fraud software which has at least 3 important features -
1. Is it blacklisted on the spam databases?
2. Does it have a high proxy score?
3. Does it have a high risk score?
Tools like — xdedic.biz which is blocked now by FBI, getipintel.net etc
After attacker’s setup is done, attacker performs a last check on its anonymity by going to various websites one example is whoer.net which tells them about their anonymity level.
After checking the last check for 100% anonymity.
Attackers are good to go and perform any malicious activity.
In the next article we will discuss about how attacker retrieve CC (Credit card) information and various new techniques to cash out a CC.
PART 2:Techniques used by Black hats to make anonymous transaction.
If you enjoyed this post, comment down or press the like button. Contact @Arvind.
