A Visual Representation of Today's Modern Cybercrime Ecosystem - A Cybercrime-Friendly Forum Communities Screenshots Compilation - An Analysis

July 08, 2022

I've recently taken the time and effort to process a huge number of cybercrime-friendly forum communities in bulk using my employer WhoisXML API's Web Site Screenshot generating API, and here are the results. Enjoy!

Stay tuned!

Upcoming Personal Memoir - Official Announcement!

July 08, 2022

Dear blog readers,

Big news. I've recently decided to convert my personal blog into a pre-order landing page for my 756-page upcoming personal memoir in the world of hacking and security, circa the 90's up to the present day, including an elaboration on my security blogging, cybercrime research and threat intelligence gathering, including OSINT and independent contractor analysis expertise and experience. The purpose is to launch my personal memoir and make it publicly accessible in December, 2021, both in print and in multiple E-book formats, for the general public or basically anyone who drops me a line at dancho.danchev@hush.com in terms of a possible pre-order. The print version is priced at $35 and the E-book version is priced at $20.

What can you do in order to obtain access to my upcoming memoir? Drop me a line at dancho.danchev@hush.com in terms of a possible pre-order, including to participate in my pre-order newsletter, where I will send you a direct message once the memoir is ready to be released, with the official release date scheduled for December, 2021.

Some sample content includes:

  • The Real Story Behind the Scene Circa the 90's - I will do my best to elaborate more on my teenage hacker experience and contributions and actual involvement in the Scene during the infamous hacker spree circa the 90's
  • An In-Depth Personal Account of a Teenage Hacker Experience
  • The True Story Behind the Rise of Trojan Horse
  • Astalavista.com - The Underground Repositioned
  • What It's Like to Run the Security Industry's Most Popular Publication
  • My Involvement in the Top Secret GCHQ Program Known as "Lovely Horse"
  • The Koobface Botnet Exposed

Stay tuned!

Call for Interest - Establishing the Foundations for a Part-Time Project-Based Cybercrime Project Task Force

July 08, 2022

Dear blog readers,

I wanted to let everyone know that I'm currently busy with a temporary part-time project-based task force, and I might need your input in terms of possible Task Force participation in the following categories:

  • Social Network Analysis
  • Technical Collection
  • OSINT Enrichment
  • Sentiment Analysis
  • Statistical Output Based Demographics Research
  • OSINT Visualization

The project is vetted and invite-only; therefore, it would be great if you approached me with a brief message at dancho.danchev@hush.com signifying your willingness and capability to participate in the project, with a brief introduction of your background and how you think you might be capable of helping.

Looking forward to beginning work with you.

Stay tuned!

Dancho Danchev's Blog - Soliciting Contributing Writers and Guest Bloggers

July 08, 2022

Dear blog readers,

As many of you have noticed, I've recently expanded my blog to include and feature a diverse personal research portfolio, including additional coverage in a variety of areas, and I wanted to let everyone know that I'm currently busy working on an additional set of research articles and new products that I'll publish soon.

I wanted to let everyone know that I'm currently busy soliciting an Open Call for Contributing Writers and Guest Bloggers on one of the industry's leading security publications - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - on my way to harnessing the best security and cybercrime researchers, including threat intelligence analysts from across the security industry, who might be interested in a diverse and high-profile audience for publishing their opinions, thoughts, and never-before-published security, cybercrime and threat intelligence research.

Who can participate? Basically everyone who can write security articles and security blog posts on various topics, including malicious software, botnets, OSINT methodologies and general cybercrime research, including threat intelligence analysis.

Looking forward to receiving your response - disruptive.individuals@gmail.com

Stay tuned, and I look forward to continuing to work with you!

Historical OSINT - The Koobface Gang Mixing Social Engineering Vectors

July 08, 2022

It's the Facebook message from one of your infected friends, pointing you to a purposely created bogus Bloglines blog serving a fake YouTube video window, that I have in mind. The Koobface gang has been mixing social engineering vectors by taking the potential victim on a walk through legitimate services in order to have them infected without using any client-side vulnerabilities.

For instance, this bogus Bloglines account (bloglines .com/blog/Youtubeforbiddenvideo) has already attracted over 150 unique visitors as part of Koobface's Hi5 spreading campaign (catshof .com/go/hi5.php). The domain is parked at the very same IP as the rest of the central redirection domains in all of Koobface's campaigns: 58.241.255.37.

Interestingly, since underground multitasking is becoming a rather common practice, the bogus blog has also been advertised within a blackhat SEO farm using the following blogs, currently linking to several hundred bogus Google Groups accounts:

bloglines .com/blog/gillehuxeda
bloglines .com/blog/chaneyok
bloglines .com/blog/ramosimeco
bloglines .com/blog/antwanuvfa
bloglines .com/blog/tamaraaqo
bloglines .com/blog/josephyhti
bloglines .com/blog/whiteqivaju
bloglines .com/blog/hayleyem
bloglines .com/blog/tateigyamor
bloglines .com/blog/burnsseuhaqe
bloglines .com/blog/jennaup
bloglines .com/blog/jermainedus
bloglines .com/blog/floydwopew55
bloglines .com/blog/arielehy
bloglines .com/blog/onealqypsu
bloglines .com/blog/mackirma
bloglines .com/blog/breonnazox
bloglines .com/blog/sabrinaxycit
bloglines .com/blog/gloverqy
bloglines .com/blog/lisaurja
bloglines .com/blog/greenefayg18
bloglines .com/blog/craigxiw36
bloglines .com/blog/parsonsdos
bloglines .com/blog/martinsutuz
bloglines .com/blog/deandreefe
bloglines .com/blog/briannetu
bloglines .com/blog/kierailpe
bloglines .com/blog/fordyfo27
bloglines .com/blog/litzyracnuj
bloglines .com/blog/darwinupi57
bloglines .com/blog/bonillavaok
bloglines .com/blog/jennyuxe85
bloglines .com/blog/wilkersonin
bloglines .com/blog/nicolasqydby
bloglines .com/blog/darbyeve
bloglines .com/blog/izaiahro83
bloglines .com/blog/fullerjeb81

Abusing legitimate services may indeed get more attention in the upcoming year, following the gang's interest in the practice during the last quarter.

Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

July 08, 2022

The original real-time OSINT analysis of the Russian cyberattacks against Georgia, conducted on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, but also once again proved that real-time OSINT is invaluable compared to historical OSINT using a commercial social network visualization/data mining tool, which cannot and will never be able to access the Dark Web, accessible only through real-time CYBERINT practices.

The value of real-time OSINT in such people's information warfare cyberattacks -- with Chinese hacktivists perfectly aware of the meaning of the phrase -- relies on the relatively lower operational security (OPSEC) the initiators of a particular campaign apply at the beginning, so that it scales faster and attracts more participants. What the Russian government was doing is fueling the (cyber) fire - literally, since all it takes for a collectivist society's cyber militia to organize is a "call for action", which was taking place at the majority of forums, with the posters of these messages apparently using a spamming application to achieve better efficiency.

The results from 56 days of Project Grey Goose in action, a project I discussed back in August, were published last week and point to the bottom of the food chain in the entire campaign: stopgeorgia.ru:

"Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizens distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives"

So what's the bottom line? Nothing that I haven't already pointed out back in August: "Report: Russian Hacker Forums Fueled Georgia Cyber Attacks":

"But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war."

Some more comments:

"Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense."

It wouldn't make sense if this were the first time Russian hacktivists maintained the same rhythm as real-life events - which of course it isn't.

Moreover, exactly what would have constituted a "smoking gun" proving that the Russian government was involved in the campaign remains unknown -- I'm still sticking to my comment regarding the web site defacement creative. If they truly wanted to compromise themselves, they would have cut Georgia off the Internet, at least from the perspective offered by this graph, courtesy of the Packet Clearing House, speaking for Georgia's dependence on Russian ISPs.

As for the script kiddies at stopgeorgia.ru, they were informed enough to feature my research in their "negative public comments section". To sum up - the "DoS battle stations operational" in the name of the "Please, input your cause" mentality is always going to be there.

The DDoS Attack Against Bobbear.co.uk

July 08, 2022

When you get the "privilege" of being DDoS-ed by a high-profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing a hell of a good job exposing money laundering scams.

The attached screenshot demonstrates how even the relatively more sophisticated counter-surveillance approaches taken by a high-profile DDoS for hire service can be, and in fact were, bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

Perhaps for the first time ever, I've come across a related DoS service offered by the very same vendor - insider sabotage on demand, given that they have their own people in the particular company/ISP in question. It makes you think twice before dismissing as a minor network glitch what could easily turn into a coordinated insider attack requested by a third party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

Related posts:
A U.S military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't